5.7. vFirewall
vFirewall is a firewall service that provides routing, packet filtering, and NAT/NAPT features. Each customer is provided with a dedicated vFirewall.
You can change its parameters from the Customer Portal.
Important
- When you start using vFirewall, it reads the packets that pass through it, judges their contents, and dynamically opens and closes ports. This stateful packet inspection feature is effective at blocking unauthorized access. You cannot disable this feature.
Note
- Each Enterprise Cloud Service must have a contract for either vFirewall or Integrated Network Appliance; a customer cannot have a contract for both.
- vFirewall can connect to the Internet, VPN, and Server Segment.
- vFirewall is constructed of redundant physical devices (equipment and lines).
5.7.1. Available Features
You can use the following features in vFirewall.
| Feature | Overview |
|---|---|
| Routing Feature | Connects to Internet Transit, VPN Transit and Server Segment, and performs routing among them. |
| Firewall Feature | Provides a dedicated vFirewall to the Customer inside the environment provided by Enterprise Cloud. |
| Packet Filtering Feature | Sets whether IP communication is allowed or denied, among the routes that can be used by the routing feature. |
| NAT/NAPT Feature | Translates IP addresses and ports among Internet Transit, VPN Transit and Server Segment. |
| Providing the log dedicated portal* | The log dedicated portal provides features for displaying the log, and for saving and downloading the log file. |
* The portal is provided at the Saitama No.1, Kansai1/Kansai1a and Yokohama No.1 Data Centers. An application is required to issue an account for the log dedicated portal. However, customers who newly applied for Enterprise Cloud after the dates listed below do not need to apply, because the account is issued when the service is opened.
- Saitama No.1 Data Center: after July 6th, 2015
- Kansai1/Kansai1a Data Center: after September 20th, 2016
The IP addresses used by vFirewall are shown below.
| Device | Allocable IP Addresses |
|---|---|
| Internet Transit | Selected from the Global IP Addresses that are ordered separately |
| VPN Transit | Selected from your VPN IP Address block (called the “IP address block for VPN transit” below) |
| vFirewall | NTT Communications selects two IP addresses from the IP address block for VPN transit (*) |
| Virtual Network Interface for connecting to a Server Segment (called the “network interface on the Server Segment side” below) | Two are selected from the available IP addresses in the Server Segment (*) |
* Because vFirewall is configured in an active/standby structure, the active device uses one IP address and the standby device uses the other.
Important
- You can specify the IP address of the Server Segment-side network interface only when the Server Segment is created based on the application form. If IP addresses have not been specified, they will be allocated automatically.
- You cannot change the IP addresses that are allocated to the Server Segment-side network interface.
Note
- If you do not configure a Server Segment-side network interface, the corresponding Server Segment will not be connected to vFirewall. If a Server Segment is not connected to vFirewall, NTT Communications cannot perform Ping monitoring on any device connected to that Server Segment.
5.7.2. Routing Feature
When Internet Connectivity and VPN Connectivity are in use, vFirewall will be connected with each network and Server Segment.
This feature performs routing between each network and Server Segment.
You can also set static routing to the vFirewall.
For each routing setting, the routing conditions that can be set are shown below.
- Network Address
- Gateway
- Output Interface
Note
- If you use Internet Connectivity and VPN Connectivity in combination, direct back and forth communication between the Internet and VPN via vFirewall will not be possible.
- A route whose output interface is the same as its input interface cannot be set.
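The routing behaviour described in this section, as an added example that is not NTT Communications' code: a small static routing table with longest-prefix match that also enforces the two constraints from the Note (no route whose output interface equals the input interface, and no direct Internet-to-VPN forwarding through vFirewall). Interface names, gateways and address blocks are constructed for illustration.

```python
# Added example, not the product's own implementation. Interface names and
# addresses below are constructed assumptions.
from ipaddress import ip_address, ip_network

# vFirewall connects Internet Transit, VPN Transit and Server Segments.
INTERNET = "internet-transit"
VPN = "vpn-transit"
SEGMENT_A = "server-segment-a"
SEGMENT_B = "server-segment-b"

# A static route is (network address, gateway, output interface), the three
# conditions the page lists for a routing setting. Gateway None = directly
# connected.
ROUTES = [
    (ip_network("0.0.0.0/0"),       ip_address("203.0.113.1"), INTERNET),
    (ip_network("10.10.0.0/16"),    ip_address("10.10.0.1"),   VPN),
    (ip_network("192.168.10.0/24"), None,                      SEGMENT_A),
    (ip_network("192.168.20.0/24"), None,                      SEGMENT_B),
]


def lookup(dst):
    """Longest-prefix match over ROUTES; returns (gateway, interface) or None."""
    dst = ip_address(dst)
    best = None
    for net, gw, iface in ROUTES:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    return None if best is None else (best[1], best[2])


def forward(in_iface, dst):
    """Decide whether vFirewall would forward a packet that arrived on in_iface.

    Returns (decision, detail). Besides the route lookup, the two constraints
    from the page's Note are enforced:
    * a route with the same input and output interface is not possible;
    * direct Internet <-> VPN communication via vFirewall is not possible.
    """
    route = lookup(dst)
    if route is None:
        return ("drop", "no route")
    gw, out_iface = route
    if out_iface == in_iface:
        return ("drop", "same input and output interface")
    if {in_iface, out_iface} == {INTERNET, VPN}:
        return ("drop", "Internet <-> VPN via vFirewall is not possible")
    return ("forward", out_iface)


if __name__ == "__main__":
    for iface, dst in [(SEGMENT_A, "192.168.20.7"), (SEGMENT_A, "192.168.10.9"),
                       (INTERNET, "10.10.5.5"), (VPN, "198.51.100.4")]:
        print(iface, "->", dst, forward(iface, dst))
```

The default route is what sends VPN-originated traffic towards the Internet in a plain router; the explicit Internet/VPN check models the page's statement that vFirewall does not provide that path.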
5.7.3. Firewall Feature
You can specify the performance provided by vFirewall using the vFirewall resource value.
The performance of one vFirewall resource is shown below. You can change the resource value from the Customer Portal.
| Item | Performance (maximum value) | Remarks |
|---|---|---|
| Traffic Processing Capacity | 40 Mbps | The processing capacity for transferring IP packets received by vFirewall (incoming packets from vLoad Balancer are excluded) |
| Number of concurrent sessions | 10,000* | The number of TCP/UDP sessions that can be held simultaneously inside vFirewall |
| Number of filter rule settings | 30 | - |
| Number of IP address group settings | 5 | If there is one vFirewall resource, the maximum value is 10. If vFirewall resources have been added, the maximum “Number of IP Address Group Settings” for each additional vFirewall resource is 5. |
| Number of service group settings | 5 | If there is one vFirewall resource, the maximum value is 10. If vFirewall resources have been added, the maximum “Number of Service Groups” for each additional vFirewall resource is 5. |
| Number of routing settings | 5 | - |
* The number of NAPT sessions per resource differs depending on the date the service was started or the vFirewall resource was changed. If 2,500 NAPT sessions is insufficient for you, please send an inquiry to the help desk.
- Before 4/15/2015: 2,500 sessions
- After 4/16/2015: 10,000 sessions
To make setting vFirewall from the Customer Portal more convenient, features to set IP address groups and service groups are provided.
| Item | Overview |
|---|---|
| IP address group settings | You can group IP addresses. The configured IP address group can be used in packet filtering settings. |
| Service group settings | You can group TCP/UDP ports and ICMP types. The configured service group can be used in packet filtering settings. |
You can add and reduce usable vFirewall resources within the following range.
| Item | Lower Limit | Upper Limit | Application Unit |
|---|---|---|---|
| vFirewall resources | 1 | 50 (*) | 1 |
* The maximum value that can be set using the Customer Portal is 10. Please contact us separately if you would like 11 or more vFirewall resources.
5.7.4. Packet Filtering Feature
This feature specifies IP packet filter conditions (a packet filtering policy) for vFirewall. It can allow or deny the passage of IP packets that match the filter conditions.
You can specify the following conditions for each filter rule as the IP packet filter conditions applied by packet filtering.
| Item | Overview |
|---|---|
| Interface | Select any of the following as the network interface of vFirewall that implements packet filtering. |
| Source IP Address | Specifies a source IP address or IP address group for IP packets. |
| Source Service | Specifies the TCP/UDP ports, ICMP type, or service group as the source service for IP packets. |
| Destination IP Address | Specifies a destination IP address or IP address group for IP packets. |
| Destination Service | Specifies the TCP/UDP ports, ICMP type, or service group as the destination service for IP packets. |
| Actions | Specifies whether to allow or deny the passage of IP packets that match the conditions set by the items above. |
Important
- Even if you start using vFirewall, filter rules will not be set automatically. In this case, all packets will be denied. In order to allow communication, after starting to use vFirewall, please set filter rules at your discretion from the Customer Portal.
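A model of the packet filtering policy described in this section, together with the per-resource limits from 5.7.3, as an added example that is not NTT Communications' code. It evaluates a packet against rules built from the six items above (interface, source IP/group, source service, destination IP/group, destination service, action), enforces the rule and group limits, and denies anything no rule matches, which is the default behaviour the Important note describes. First-match evaluation order, the group/service representation and all names and addresses are assumptions constructed for illustration.

```python
# Added example, not the product's own implementation. First-match ordering,
# names and addresses are constructed assumptions.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set, Union

MAX_FILTER_RULES = 30     # "Number of filter rule settings" per resource
MAX_IP_GROUPS = 10        # maximum for a single vFirewall resource
MAX_SERVICE_GROUPS = 10   # maximum for a single vFirewall resource


@dataclass(frozen=True)
class Service:
    proto: str    # "tcp", "udp" or "icmp"
    number: int   # TCP/UDP port, or ICMP type


# None = any service, Service = one port/type, str = name of a service group
ServiceSpec = Union[None, Service, str]


@dataclass
class Rule:
    interface: str
    src: str                 # CIDR/host, or the name of an IP address group
    src_service: ServiceSpec
    dst: str
    dst_service: ServiceSpec
    action: str              # "allow" or "deny"


@dataclass
class Policy:
    ip_groups: Dict[str, Set[str]] = field(default_factory=dict)
    service_groups: Dict[str, Set[Service]] = field(default_factory=dict)
    rules: List[Rule] = field(default_factory=list)

    def add_ip_group(self, name, members):
        if len(self.ip_groups) >= MAX_IP_GROUPS:
            raise ValueError("IP address group limit reached")
        self.ip_groups[name] = set(members)

    def add_service_group(self, name, members):
        if len(self.service_groups) >= MAX_SERVICE_GROUPS:
            raise ValueError("service group limit reached")
        self.service_groups[name] = set(members)

    def add_rule(self, rule):
        if rule.action not in ("allow", "deny"):
            raise ValueError("action must be allow or deny")
        if len(self.rules) >= MAX_FILTER_RULES:
            raise ValueError("filter rule limit reached")
        self.rules.append(rule)

    def ip_matches(self, spec, addr):
        # A group name expands to its members; anything else is a CIDR/host.
        members = self.ip_groups.get(spec, {spec})
        return any(ip_address(addr) in ip_network(m, strict=False) for m in members)

    def service_matches(self, spec, svc):
        if spec is None:
            return True
        if isinstance(spec, Service):
            return spec == svc
        return svc in self.service_groups.get(spec, set())

    def evaluate(self, interface, src, src_svc, dst, dst_svc):
        """Return (action, index of matching rule); no match means deny."""
        for idx, r in enumerate(self.rules):
            if (r.interface == interface
                    and self.ip_matches(r.src, src)
                    and self.service_matches(r.src_service, src_svc)
                    and self.ip_matches(r.dst, dst)
                    and self.service_matches(r.dst_service, dst_svc)):
                return r.action, idx
        return "deny", None   # nothing matched: all packets are denied


def sample_policy():
    """Constructed policy: web from the Internet, SSH from the VPN only."""
    p = Policy()
    p.add_ip_group("web-servers", {"192.168.10.10/32", "192.168.10.11/32"})
    p.add_service_group("web", {Service("tcp", 80), Service("tcp", 443)})
    p.add_rule(Rule("internet-transit", "0.0.0.0/0", None, "web-servers", "web", "allow"))
    p.add_rule(Rule("vpn-transit", "10.10.0.0/16", None, "192.168.10.0/24",
                    Service("tcp", 22), "allow"))
    return p
```

Because an empty policy evaluates to deny, a practitioner can test a rule set offline before entering it in the Customer Portal and confirm that only the intended flows are allowed.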
5.7.5. NAT/NAPT Feature
For vFirewall, you can set IP address translation and IP address/port translation (called “NAT/NAPT” below) rules between Internet Transit, VPN Transit and Server Segment.
The maximum number of NAT/NAPT rules that can be set for a single vFirewall is 256.
Note
- You can translate IP addresses either 1 to 1 or 1 to N.
- The IP addresses that can be set for NAT/NAPT differ depending on the network on which NAT/NAPT is executed.
  - Internet Transit: a Global IP Address, among those used for Internet Connectivity, that is not allocated to the Internet GW
  - VPN Transit: an unused IP address from the IP address block allocated to VPN Transit
  - Server Segment: any IP address in the IP address block allocated to the Server Segment
- If you use VPN Connectivity that supports the Customer Portal, only one NAT rule can use an IP address assigned to VPN Transit.
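The address constraints and the 1:N translation described in this section, as an added example that is not NTT Communications' code: a validator that checks a translated address against the network it belongs to before a rule is added (rejecting the Internet GW address, addresses already in use on VPN Transit, and anything outside the allocated block), a rule list capped at 256 entries, and a small NAPT translator that shares one external address among many internal hosts while counting sessions against the concurrent-session limit from 5.7.3. The address blocks, reserved addresses, port range and session handling are assumptions constructed for illustration.

```python
# Added example, not the product's own implementation. Blocks, reserved
# addresses and the NAPT port allocation are constructed assumptions.
from ipaddress import ip_address, ip_network

MAX_NAT_RULES = 256    # per vFirewall, from the page
MAX_SESSIONS = 10_000  # per resource for services started after 4/16/2015

# Constructed view of the networks vFirewall is attached to.
NETWORKS = {
    "internet-transit": {
        "block": ip_network("203.0.113.0/28"),      # global IPs ordered separately
        "reserved": {ip_address("203.0.113.1")},    # allocated to the Internet GW
    },
    "vpn-transit": {
        "block": ip_network("10.10.0.0/24"),
        # already in use, e.g. the two addresses NTT selects for vFirewall
        "reserved": {ip_address("10.10.0.1"), ip_address("10.10.0.2"), ip_address("10.10.0.3")},
    },
    "server-segment": {
        "block": ip_network("192.168.10.0/24"),
        "reserved": set(),   # any address in the block may be used
    },
}


def validate_nat_rule(network, translated_ip):
    """Return (ok, reason) for using translated_ip as the NAT address on network."""
    info = NETWORKS[network]
    addr = ip_address(translated_ip)
    if addr not in info["block"]:
        return False, "address outside the block allocated to %s" % network
    if addr in info["reserved"]:
        return False, "address already allocated on %s" % network
    return True, "ok"


def add_nat_rule(rules, network, translated_ip, internal):
    """Append a rule (network, translated address, internal host or block).

    A /32 internal value models 1:1 NAT; a wider block models 1:N NAPT.
    Returns the new rule count."""
    if len(rules) >= MAX_NAT_RULES:
        raise ValueError("NAT/NAPT rule limit reached")
    ok, reason = validate_nat_rule(network, translated_ip)
    if not ok:
        raise ValueError(reason)
    rules.append((network, ip_address(translated_ip), ip_network(internal, strict=False)))
    return len(rules)


class Napt:
    """1:N NAPT: many internal (address, port) pairs share one external address,
    distinguished by a translated source port. Session counting is modelled
    against the concurrent-session limit; the port range is an assumption."""

    def __init__(self, external_ip, max_sessions=MAX_SESSIONS, port_range=(1024, 65535)):
        self.external_ip = ip_address(external_ip)
        self.max_sessions = max_sessions
        self.next_port, self.last_port = port_range
        self.sessions = {}   # (internal_ip, internal_port) -> external port

    def translate(self, internal_ip, internal_port):
        """Return (external address, external port), or None if the table is full."""
        key = (ip_address(internal_ip), internal_port)
        if key in self.sessions:
            return self.external_ip, self.sessions[key]
        if len(self.sessions) >= self.max_sessions or self.next_port > self.last_port:
            return None   # vFirewall cannot hold another session
        port = self.next_port
        self.next_port += 1
        self.sessions[key] = port
        return self.external_ip, port
```

Returning None when the session table is full is where a practitioner would look first when the page's 2,500-session limit on older resources causes unexplained connection failures.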
5.7.6. Features that the log dedicated portal provides
An account for the log dedicated portal is provided. By logging in to the portal, you can view and download the filter log.
The following features are provided.
| Feature | Item |
|---|---|
| Displaying the log | The filtering log of vFirewall is displayed on the log dedicated portal. The latest log can be displayed by refreshing the browser. A maximum of 500 lines of log is displayed. |
| Saving the log file | One uncompressed log file containing the log displayed on the screen is saved. When this file reaches 5 MB, it is automatically compressed and saved in zip format as another file. A maximum of 60 log files are saved. |
| Downloading the log file | Saved log files can be downloaded from the portal to the customer environment. |
| Changing the password | You can change the account password for the log dedicated portal. |
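Section 5.7.7 states that the portal shows unprocessed logs of the Cisco ASA 5500 and that log analysis is not supported, so reviewing a downloaded log file is the customer's job. As an added example that is not NTT Communications' code, the following parses the ASA "Deny ... by access-group" (message 106023) lines that a packet filter deny produces and summarises denies per source address, so that a reviewer can quickly see which sources are repeatedly hitting closed ports. The log lines are constructed for illustration, the syslog prefix the portal shows is an assumption, and the review threshold is a tunable assumption rather than anything the page specifies.

```python
# Added example, not the product's or the portal's own code. The sample lines
# are constructed; the message body follows the ASA 106023 format, the prefix
# before "%ASA" is an assumption.
import re
from collections import defaultdict

SAMPLE_LOG = """\
Mar 10 2016 12:00:01 vfw : %ASA-4-106023: Deny tcp src outside:198.51.100.7/51234 dst inside:192.168.10.10/22 by access-group "outside_in" [0x0, 0x0]
Mar 10 2016 12:00:01 vfw : %ASA-4-106023: Deny tcp src outside:198.51.100.7/51235 dst inside:192.168.10.10/23 by access-group "outside_in" [0x0, 0x0]
Mar 10 2016 12:00:02 vfw : %ASA-4-106023: Deny tcp src outside:198.51.100.7/51236 dst inside:192.168.10.10/3389 by access-group "outside_in" [0x0, 0x0]
Mar 10 2016 12:00:02 vfw : %ASA-4-106023: Deny udp src outside:203.0.113.9/5353 dst inside:192.168.10.11/161 by access-group "outside_in" [0x0, 0x0]
Mar 10 2016 12:00:03 vfw : %ASA-4-106023: Deny icmp src outside:203.0.113.9 dst inside:192.168.10.11 (type 8, code 0) by access-group "outside_in" [0x0, 0x0]
Mar 10 2016 12:00:03 vfw : %ASA-6-302013: Built inbound TCP connection 12 for outside:198.51.100.8/40000 (198.51.100.8/40000) to inside:192.168.10.10/443 (192.168.10.10/443)
"""

# 106023: Deny <proto> src <if>:<ip>[/<port>] dst <if>:<ip>[/<port>]
#         [(type N, code M)] by access-group "<acl>" [...]
DENY_RE = re.compile(
    r'%ASA-\d-106023: Deny (?P<proto>\w+) '
    r'src (?P<src_if>[^:]+):(?P<src_ip>[0-9.]+)(?:/(?P<src_port>\d+))? '
    r'dst (?P<dst_if>[^:]+):(?P<dst_ip>[0-9.]+)(?:/(?P<dst_port>\d+))? '
    r'(?:\(type (?P<icmp_type>\d+), code (?P<icmp_code>\d+)\) )?'
    r'by access-group "(?P<acl>[^"]+)"'
)


def parse_denies(text):
    """Return one dict per 106023 deny line; other messages are ignored."""
    events = []
    for line in text.splitlines():
        m = DENY_RE.search(line)
        if not m:
            continue
        ev = m.groupdict()
        for key in ("src_port", "dst_port", "icmp_type", "icmp_code"):
            ev[key] = int(ev[key]) if ev[key] is not None else None
        events.append(ev)
    return events


def summarize_by_source(events):
    """Map source IP -> count of denies, distinct destination ports and hosts."""
    summary = defaultdict(lambda: {"count": 0, "dst_ports": set(), "dst_hosts": set()})
    for ev in events:
        s = summary[ev["src_ip"]]
        s["count"] += 1
        s["dst_hosts"].add(ev["dst_ip"])
        if ev["dst_port"] is not None:   # ICMP denies carry no port
            s["dst_ports"].add(ev["dst_port"])
    return dict(summary)


def sources_to_review(summary, min_distinct_ports=3):
    """Sources denied on at least min_distinct_ports different destination
    ports. The threshold is an assumption; tune it to your own traffic."""
    return sorted(src for src, s in summary.items()
                  if len(s["dst_ports"]) >= min_distinct_ports)


if __name__ == "__main__":
    summary = summarize_by_source(parse_denies(SAMPLE_LOG))
    for src, s in sorted(summary.items()):
        print(src, s["count"], sorted(s["dst_ports"]), sorted(s["dst_hosts"]))
    print("review:", sources_to_review(summary))
```

Because the portal keeps at most 60 files of 5 MB each and deletes the oldest automatically, running this kind of summary on each downloaded file as it is retrieved is the practical way to retain the information before it ages out.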
5.7.7. Important Points
- NTT Communications may change vFirewall settings in order to perform maintenance and monitoring. You cannot change or delete the settings that are set by NTT Communications.
- Communication interruptions might occur when you change vFirewall settings from the Customer Portal.
- The log dedicated portal must be accessed with a web browser via the Internet. An environment with Internet access must be prepared separately.
- You can view and download the filter log of vFirewall. Logs for other menus and the operation log of the Customer Portal, etc., are not provided.
- The browsers recommended for using the log dedicated portal are as follows.
  - Mozilla Firefox 38.0
  - Google Chrome 43.0.2357
- The features are provided using Syslog. Although the design is sufficient for acquiring the log, log entries may be lost due to a rapid increase in traffic on the shared environment, etc. Furthermore, the log related to our operation of the platform is not displayed.
- Inquiries regarding the contents of the log and log analysis are not supported. Unprocessed logs of the following equipment are displayed and saved; refer to the information disclosed by the equipment supplier.
  - Cisco ASA 5500
- An SLA is not provided.
- One log dedicated portal account (login ID and password) is provided. Two or more accounts cannot be used. Furthermore, if the portal is used at multiple data centers, one account is allocated for each data center.
- If you forget the password for the account, please contact our support desk.
- The log is automatically compressed and saved every 5 MB. Log files cannot be saved at an arbitrary time. Please note that log capacity and the number of log files may increase rapidly due to a rapid increase in communications.
- Logs that have been compressed and saved as a log file cannot be viewed on the dedicated portal. Download the saved log file and refer to it.
- A maximum of 60 log files are stored. If more than 60 files would be stored, files are automatically deleted sequentially from the oldest. Furthermore, arbitrary log files cannot be deleted.
- Note that a deleted log file cannot be restored.