- When you start using vFirewall, it inspects the packets that pass through it, judges their contents, and dynamically opens and closes ports. This stateful packet inspection feature is effective at blocking unauthorized access. It cannot be disabled.
- A contract for either vFirewall or Integrated Network Appliance is required for each Enterprise Cloud Service; a customer cannot contract for both.
- vFirewall can connect to the Internet, VPN, and Server Segment.
- vFirewall is constructed of redundant physical devices (equipment and lines).
5.7.1. Available Features
|Routing Feature||A feature that connects to Internet Transit, VPN Transit and Server Segment, and performs the routing among them.|
|Firewall Feature||A feature that provides a dedicated vFirewall to the Customer inside the environment provided by Enterprise Cloud.|
|Packet Filtering Feature||A feature that sets whether IP communication is allowed or denied, among the routings that can be used by the routing feature.|
|NAT/NAPT Feature||A feature that translates IP addresses and ports among Internet Transit, VPN Transit and Server Segment.|
|Providing the log dedicated portal (*)||The log dedicated portal provides features for displaying the log and for saving and downloading log files.|
(*) Provided at the following data centers from the dates shown:
- Saitama No.1 Data Center: after July 6th, 2015
- Kansai1/Kansai1a Data Center: after September 20th, 2016
|Device||Allocable IP Addresses|
|Internet Transit||Selected from Global IP Addresses that are ordered separately|
|VPN Transit||Selected from your VPN IP Address block (called “IP address block for VPN transit” below)|
|vFirewall||NTT Communications selects two IP addresses from the IP address block for VPN transit (*)|
|Virtual Network Interface for connecting to a Server Segment (called the “network interface on the Server Segment-side” below)||Two are selected from the available IP addresses in Server Segment. (*)|
- You can specify the IP addresses of the Server Segment-side network interface only when the Server Segment is created on the basis of the application form. If IP addresses are not specified, they are allocated automatically.
- You cannot change the IP addresses allocated to the Server Segment-side network interface.
- If you do not configure the Server Segment-side network interface, the corresponding Server Segment is not connected to vFirewall. For a Server Segment that is not connected to vFirewall, NTT Communications cannot perform Ping monitoring of any device connected to that Server Segment.
5.7.2. Routing Feature
Routes are set by specifying the following items:
- Network Address
- Output Interface
- If you use Internet Connectivity and VPN Connectivity in combination, direct communication between the Internet and the VPN via vFirewall is not possible in either direction.
- A route whose input interface and output interface are the same interface is not possible.
5.7.3. Firewall Feature
|Item||Performance (maximum value)||Remarks|
|Traffic Processing Capacity||40 Mbps||The processing capacity for transferring IP packets received into vFirewall (incoming packets from vLoad Balancer are excluded)|
|Number of concurrent sessions||10,000*||The number of TCP/UDP sessions that can be held simultaneously inside vFirewall|
|Number of filter rule settings||30||-|
|Number of IP address group settings||5||If there is one vFirewall resource, the maximum value is 10. If vFirewall resources have been added, the maximum value for each additional vFirewall resource is 5.|
|Number of service group settings||5||If there is one vFirewall resource, the maximum value is 10. If vFirewall resources have been added, the maximum value for each additional vFirewall resource is 5.|
|Number of routing settings||5||-|
|IP address group settings||You can group IP addresses. An IP address group can be used in packet filtering settings.|
|Service group settings||You can group TCP/UDP ports and ICMP types. A service group can be used in packet filtering settings.|
|Item||Lower Limit||Upper Limit||Application Unit|
|vFirewall resources||1||50 (*)||1|
5.7.4. Packet Filtering Feature
Packet filtering is applied on a vFirewall network interface (Internet Transit, VPN Transit or Server Segment side). Each filter rule is defined by the following items:
|Source IP Address||Specifies a source IP address or IP address group for IP packets.|
|Source Service||Specifies the TCP/UDP ports, ICMP type, or service group as the source service for IP packets.|
|Destination IP Address||Specifies a destination IP address or IP address group for IP packets.|
|Destination Service||Specifies the TCP/UDP ports, ICMP type, or service group as the destination service for IP packets.|
|Actions||Specifies whether to allow or deny the passage of IP packets that match the conditions set by the above-mentioned items.|
- Starting to use vFirewall does not set any filter rules automatically. While no filter rules are set, all packets are denied (default deny). To allow communication, set filter rules from the Customer Portal at your discretion after starting to use vFirewall.
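The rule items and limits above, together with the default deny, define how a packet is decided. The following model is an added example written for this page, not code from NTT Communications or from the vFirewall itself: the rule fields, IP address groups, service groups, the 30-rule and group limits and the default deny follow the text, while first-match evaluation order, the `group:<name>` spelling, the `Rule`/`FilterPolicy` names and the sample addresses are assumptions of the example.

```python
"""Model of the vFirewall packet-filtering semantics described in 5.7.4.

Rule fields (source/destination IP address or group, source/destination
service or group, allow/deny), the group and rule limits and the default
deny come from the text.  First-match evaluation order, the "group:<name>"
spelling and the sample addresses are assumptions of this example."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Limits from the Firewall Feature table for a single vFirewall resource.
MAX_FILTER_RULES = 30
MAX_IP_GROUPS = 10
MAX_SERVICE_GROUPS = 10


@dataclass
class Rule:
    src: str          # "any", an IP/CIDR, or "group:<ip group name>"
    src_service: str  # "any", "tcp/<port>", "udp/<port>", "icmp/<type>", or "group:<service group>"
    dst: str
    dst_service: str
    action: str       # "allow" or "deny"


@dataclass
class FilterPolicy:
    rules: list = field(default_factory=list)
    ip_groups: dict = field(default_factory=dict)       # name -> [ip_network, ...]
    service_groups: dict = field(default_factory=dict)  # name -> ["tcp/443", ...]

    def add_ip_group(self, name, cidrs):
        if len(self.ip_groups) >= MAX_IP_GROUPS:
            raise ValueError("IP address group limit reached")
        self.ip_groups[name] = [ip_network(c, strict=False) for c in cidrs]

    def add_service_group(self, name, services):
        if len(self.service_groups) >= MAX_SERVICE_GROUPS:
            raise ValueError("service group limit reached")
        self.service_groups[name] = list(services)

    def add_rule(self, rule):
        if len(self.rules) >= MAX_FILTER_RULES:
            raise ValueError("filter rule limit reached")
        self.rules.append(rule)

    def _ip_match(self, spec, addr):
        if spec == "any":
            return True
        nets = (self.ip_groups[spec[len("group:"):]] if spec.startswith("group:")
                else [ip_network(spec, strict=False)])
        return any(ip_address(addr) in net for net in nets)

    def _service_match(self, spec, proto, value):
        # value is the port for tcp/udp and the ICMP type for icmp
        if spec == "any":
            return True
        members = (self.service_groups[spec[len("group:"):]] if spec.startswith("group:")
                   else [spec])
        return f"{proto}/{value}" in members

    def evaluate(self, src_ip, dst_ip, proto, src_value, dst_value):
        """Return "allow" or "deny". The first matching rule decides; a packet
        that matches no rule is denied, which is why a fresh vFirewall with
        no rules passes nothing."""
        for rule in self.rules:
            if (self._ip_match(rule.src, src_ip) and self._ip_match(rule.dst, dst_ip)
                    and self._service_match(rule.src_service, proto, src_value)
                    and self._service_match(rule.dst_service, proto, dst_value)):
                return rule.action
        return "deny"


def build_demo_policy():
    """Constructed example: web servers reachable from anywhere on 80/443,
    SSH and ping only from one management subnet, everything else denied."""
    policy = FilterPolicy()
    policy.add_ip_group("web-servers", ["10.0.1.10/32", "10.0.1.11/32"])
    policy.add_service_group("web", ["tcp/80", "tcp/443"])
    policy.add_rule(Rule("any", "any", "group:web-servers", "group:web", "allow"))
    policy.add_rule(Rule("10.0.0.0/24", "any", "group:web-servers", "tcp/22", "allow"))
    policy.add_rule(Rule("10.0.0.0/24", "any", "group:web-servers", "icmp/8", "allow"))
    return policy


def rule_limit_enforced():
    """True if the 31st rule is rejected, mirroring the 30-rule limit."""
    policy = FilterPolicy()
    for _ in range(MAX_FILTER_RULES):
        policy.add_rule(Rule("any", "any", "any", "any", "allow"))
    try:
        policy.add_rule(Rule("any", "any", "any", "any", "allow"))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    p = build_demo_policy()
    print(FilterPolicy().evaluate("10.0.0.5", "10.0.1.10", "tcp", 40000, 443))  # deny: no rules yet
    print(p.evaluate("203.0.113.9", "10.0.1.10", "tcp", 40000, 443))            # allow
    print(p.evaluate("203.0.113.9", "10.0.1.10", "tcp", 40000, 22))             # deny
    print(p.evaluate("10.0.0.7", "10.0.1.11", "tcp", 40000, 22))                # allow
```

The empty policy denying everything is the behaviour a customer sees immediately after starting vFirewall; the last rule shows that an ICMP type is matched as a "service" in the same way as a TCP or UDP port, as the service group table states.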
5.7.5. NAT/NAPT Feature
IP addresses can be translated either 1 to 1 (NAT) or 1 to N (NAPT).
The IP addresses that can be used as the translated address differ depending on the network on which NAT/NAPT is performed:
- Internet Transit: a global IP address used for Internet Connectivity that is not allocated to the Internet GW
- VPN Transit: an unused IP address from the IP address block allocated to VPN Transit
- Server Segment: any IP address in the IP address block allocated to the Server Segment
If you use VPN Connectivity that supports the Customer Portal, only one NAT rule can use an IP address assigned to VPN Transit.
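The difference between 1 to 1 and 1 to N translation matters for what can reach a server from outside. The model below is an added example written for this page, not code or behaviour documented by NTT Communications: it uses RFC 5737 documentation addresses for the global pool and Server Segment, and the `NatTable` session table, port allocation and dropping of unsolicited inbound packets to the shared address are assumptions of the example, chosen to show how NAPT return traffic is matched.

```python
"""Model of the 1 to 1 (NAT) and 1 to N (NAPT) translation described in 5.7.5
for the Internet Transit side of vFirewall.

Added example, not part of the service description.  The address plan uses
RFC 5737 documentation ranges, and the session table, port allocation and
treatment of unsolicited inbound packets are assumptions of this model."""
from ipaddress import ip_address, ip_network

# Constructed address plan.  GLOBAL_POOL stands for the ordered global IP
# addresses that are NOT allocated to the Internet GW and may therefore be
# used for NAT/NAPT; SERVER_SEGMENT is the block behind vFirewall.
GLOBAL_POOL = {"198.51.100.10", "198.51.100.11"}
SERVER_SEGMENT = ip_network("10.0.1.0/24")
FIRST_NAPT_PORT = 1024
LAST_NAPT_PORT = 65535


class NatTable:
    def __init__(self):
        self.static = {}         # private IP -> global IP (1 to 1)
        self.napt_global = None  # the single global IP shared by 1 to N
        self.sessions = {}       # (global IP, global port) -> (private IP, private port)
        self.reverse = {}        # (private IP, private port) -> global port
        self.next_port = FIRST_NAPT_PORT

    def _check(self, private_ip, global_ip):
        if global_ip not in GLOBAL_POOL:
            raise ValueError("global IP not available for NAT")
        if ip_address(private_ip) not in SERVER_SEGMENT:
            raise ValueError("private IP not in Server Segment")

    def add_static(self, private_ip, global_ip):
        """1 to 1: one server keeps its port numbers behind one global IP."""
        self._check(private_ip, global_ip)
        if global_ip in self.static.values() or global_ip == self.napt_global:
            raise ValueError("global IP already in use")
        self.static[private_ip] = global_ip

    def set_napt(self, global_ip):
        """1 to N: the rest of the Server Segment shares one global IP."""
        if global_ip not in GLOBAL_POOL or global_ip in self.static.values():
            raise ValueError("global IP not available")
        self.napt_global = global_ip

    def outbound(self, src_ip, src_port):
        """Translate the source of a Server Segment -> Internet packet."""
        if src_ip in self.static:
            return self.static[src_ip], src_port
        if self.napt_global is None or ip_address(src_ip) not in SERVER_SEGMENT:
            return None                                # no translation rule: dropped
        key = (src_ip, src_port)
        if key not in self.reverse:                    # new session: allocate a port
            if self.next_port > LAST_NAPT_PORT:
                raise RuntimeError("NAPT port range exhausted")
            self.reverse[key] = self.next_port
            self.sessions[(self.napt_global, self.next_port)] = key
            self.next_port += 1
        return self.napt_global, self.reverse[key]

    def inbound(self, dst_ip, dst_port):
        """Reverse translation for an Internet -> vFirewall packet.  A 1 to 1
        address always maps back; the NAPT address only maps back to a port
        that an outbound session allocated, so an unsolicited packet to the
        shared address returns None and is dropped."""
        for private_ip, global_ip in self.static.items():
            if global_ip == dst_ip:
                return private_ip, dst_port
        return self.sessions.get((dst_ip, dst_port))


def demo():
    """Constructed scenario; returns the translations for inspection."""
    t = NatTable()
    t.add_static("10.0.1.10", "198.51.100.10")   # public web server, 1 to 1
    t.set_napt("198.51.100.11")                  # everything else, 1 to N
    out_a = t.outbound("10.0.1.20", 40000)
    out_b = t.outbound("10.0.1.21", 40000)       # same private port, distinct global port
    return {
        "static_out": t.outbound("10.0.1.10", 40000),
        "static_in": t.inbound("198.51.100.10", 443),
        "napt_a": out_a,
        "napt_b": out_b,
        "napt_a_again": t.outbound("10.0.1.20", 40000),  # existing session reused
        "return_a": t.inbound(out_a[0], out_a[1]),
        "unsolicited": t.inbound("198.51.100.11", 9),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Only the 1 to 1 address is reachable unsolicited from the Internet; traffic to the shared NAPT address is delivered only to the session that opened the port, which is why a service that must be reachable from outside needs a 1 to 1 rule (and a matching allow filter rule).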
5.7.6. Features that the log dedicated portal provides
|Displaying the log||The filtering log of vFirewall is displayed on the log dedicated portal. Refresh the browser to display the latest log. A maximum of 500 lines is displayed.|
|Saving the log file||The log shown on the screen is written to one uncompressed log file. When this file reaches 5MB, it is automatically compressed and saved in zip format as a separate file. A maximum of 60 log files is kept.|
|Downloading the log file||Saved log files can be downloaded from the portal to the customer environment.|
|Changing the password||The account password for the log dedicated portal can be changed.|
5.7.7. Important Points
- NTT Communications may change vFirewall settings in order to perform maintenance and monitoring. You cannot change or delete the settings that are set by NTT Communications.
- Communication interruptions might occur when you change vFirewall settings from the Customer Portal.
- The log dedicated portal is accessed with a web browser via the Internet. An environment with Internet access must be prepared separately.
- The filter log of vFirewall can be viewed and downloaded. Logs for other menus and the operation log of the Customer Portal are not provided.
- Browsers recommended for using the log dedicated portal are as follows.
- Mozilla Firefox 38.0
- Google Chrome 43.0.2357
- The log is collected using syslog. Although the design is sized to collect the log, log entries may be damaged when communication increases rapidly in the shared environment. Logs related to operation of the platform by NTT Communications are not displayed.
- Inquiries about the contents of the log and log analysis are not supported. The unprocessed logs of the following equipment are displayed and saved; refer to the information published by the equipment vendor.
- Cisco ASA 5500
- SLA is not provided.
- One log dedicated portal account (login ID and password) is provided; two or more accounts cannot be used. If you use the service at multiple data centers, one account is allocated for each data center.
- If you forget the password for the account, please contact our support desk.
- The log is automatically compressed and saved as a file each time it reaches 5MB; a log file cannot be saved on demand. Note that log volume and the number of log files may grow quickly when communication increases rapidly.
- A log that has been compressed and saved as a log file can no longer be viewed on the log dedicated portal. Download the saved file and refer to it.
- A maximum of 60 log files is kept. When more than 60 files exist, files are deleted automatically starting from the oldest. Individual log files cannot be deleted on request.
- Note that the deleted log file cannot be restored.
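Because log analysis is not supported and only the raw Cisco ASA 5500 syslog is provided, reviewing the downloaded filter log is the customer's task. The script below is an added example written for this page, not a tool from NTT Communications: the log lines are constructed, their layout follows the Cisco ASA syslog formats for message IDs 106023 (packet denied by an access group) and 106100 (access-list hit with a permitted or denied verdict), and the `parse_log`, `denied_by_source` and `denied_ports` helpers are this example's own names. Lines with other message IDs (a 302013 connection-built line is included) carry no filter verdict and are ignored.

```python
"""Parse the raw Cisco ASA filter log that the log dedicated portal displays
and saves, and summarise what vFirewall denied.

Added example, not part of the service description and not a tool provided
by NTT Communications.  The log lines below are constructed; their layout
follows the Cisco ASA syslog message formats for IDs 106023 and 106100.
Other message IDs (here a 302013 connection-built line) are ignored because
they carry no filter verdict."""
import re
from collections import Counter

SAMPLE_LOG = """\
%ASA-4-106023: Deny tcp src outside:203.0.113.7/51234 dst inside:10.0.1.10/22 by access-group "outside_in" [0x0, 0x0]
%ASA-4-106023: Deny tcp src outside:203.0.113.7/51235 dst inside:10.0.1.10/3389 by access-group "outside_in" [0x0, 0x0]
%ASA-4-106023: Deny udp src outside:198.51.100.200/53000 dst inside:10.0.1.11/161 by access-group "outside_in" [0x0, 0x0]
%ASA-4-106023: Deny icmp src outside:203.0.113.7 dst inside:10.0.1.10 (type 8, code 0) by access-group "outside_in" [0x0, 0x0]
%ASA-6-106100: access-list outside_in permitted tcp outside/192.0.2.55(40001) -> inside/10.0.1.10(443) hit-cnt 1 first hit [0x1a2b3c4d, 0x0]
%ASA-6-106100: access-list outside_in denied tcp outside/203.0.113.7(51236) -> inside/10.0.1.10(23) hit-cnt 1 first hit [0x1a2b3c4d, 0x0]
%ASA-6-302013: Built inbound TCP connection 1234 for outside:192.0.2.55/40001 (192.0.2.55/40001) to inside:10.0.1.10/443 (10.0.1.10/443)
"""

# 106023: Deny <proto> src <if>:<ip>[/<port>] dst <if>:<ip>[/<port>] [(type N, code N)] by access-group "<acl>"
RE_106023 = re.compile(
    r'%ASA-4-106023: Deny (?P<proto>\w+) '
    r'src (?P<src_if>[^:\s]+):(?P<src>[^/\s]+)(?:/(?P<sport>\d+))? '
    r'dst (?P<dst_if>[^:\s]+):(?P<dst>[^/\s]+)(?:/(?P<dport>\d+))?'
    r'(?: \(type (?P<icmp_type>\d+), code (?P<icmp_code>\d+)\))?'
    r' by access-group "(?P<acl>[^"]+)"')

# 106100: access-list <acl> permitted|denied|est-allowed <proto> <if>/<ip>(<port>) -> <if>/<ip>(<port>) hit-cnt ...
RE_106100 = re.compile(
    r'%ASA-6-106100: access-list (?P<acl>\S+) (?P<verdict>permitted|denied|est-allowed) (?P<proto>\w+) '
    r'(?P<src_if>[^/\s]+)/(?P<src>[^(\s]+)\((?P<sport>\d+)\) -> '
    r'(?P<dst_if>[^/\s]+)/(?P<dst>[^(\s]+)\((?P<dport>\d+)\)')


def parse_line(line):
    """Return a dict with acl, verdict, proto, src, sport, dst, dport (ports
    are None for ICMP), or None if the line is not a filter verdict."""
    m = RE_106023.search(line)
    if m:
        rec = m.groupdict()
        rec["verdict"] = "denied"     # 106023 is only ever emitted for denies
        return rec
    m = RE_106100.search(line)
    if m:
        return m.groupdict()
    return None


def parse_log(text):
    return [rec for rec in (parse_line(line) for line in text.splitlines()) if rec]


def denied_by_source(records):
    """Count denied packets per source address, the first view to take of a
    downloaded filter log."""
    return Counter(r["src"] for r in records if r["verdict"] == "denied")


def denied_ports(records, src):
    """Sorted destination ports a given source was denied on (TCP/UDP only)."""
    return sorted({int(r["dport"]) for r in records
                   if r["verdict"] == "denied" and r["src"] == src and r["dport"]})


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for src, n in denied_by_source(recs).most_common():
        print(f"{src}: {n} denied, ports {denied_ports(recs, src)}")
```

Run it against the uncompressed download (or an unzipped archive) from the portal; a single source denied on several ports in quick succession, as `203.0.113.7` is here, is the scan pattern worth following up, and the permitted 106100 lines show which of your allow rules the traffic actually hit.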