4.3. Firewall(Brocade 5600 vRouter) : End of Sales 1st of July, 2017¶
Important
As of July 1, 2017, we will stop new sales of Firewall(Brocade 5600 vRouter) (vFW hereafter)
Please use Managed Firewall after EOL of Firewall (Brocade 5600 vRouter)</p>
Furthermore, customers currently using vFW can continue to use it.
4.3.1. Overview¶
4.3.1.1. Overview¶
This menu, Firewall (Brocade 5600 vRouter), provides a virtual server installed Brocade 5600 vRouter.
Creating, configuring and deleting Firewall (Brocade 5600 vRouter) are completely automated. Customers are able to utilize them on-demand.
4.3.1.2. Features¶
The following are features of Firewall (Brocade 5600 vRouter) menu:
Offering Brocade 5600 vRouter’s functions as much as possible
Brocade 5600 vRouter enables almost all functions of Brocade 5600 vRouter to Customers, as such it provides high performance network functions as well as cutting-edge routing functions.
Automated Provisioning with SDN technology
Provisioning Firewall (Brocade 5600 vRouter) is automated with SDN technology, which enables customers to utilize flexible resources without any complicated operations.
Flexible network architecture in combination with Logical Network
Customers can use Firewall (Brocade 5600 vRouter) for various purposes, depending on their Network topologies, for example: configuring as a Internet border router, segregating DMZ from internal segments to keep security level, as well as setting up to connect to “Multi-Cloud Connect” service for controlling the access from VPN.
4.3.1.3. Definition of Terms¶
Customer Portal/API: Portal/API provided by Service Provider
Brocade 5600 vRouter Portal/API/CLI: Portal/API/CLI provided as a standard function of Brocade 5600 vRouter
4.3.2. Available Functions¶
4.3.2.1. List of Functions¶
The following are functions available in this menu.This menu provide Portal/API/CLI for using each function.
No. |
Function |
Details |
Method of Operation |
| 1 | Instance Control Function |
Provide functions such as creation, deletion of the firewall (Brocade 5600 vRouter), plan change and reboot, password reset and so on. |
Customer Portal/API |
| 2 | Network Function |
Provide the function to connect / disconnect Firewall (Brocade 5600 vRouter) to Logical Network. |
Customer Portal/API |
| 3 | Network Configuration for VRRP Function |
Provide the function to register / clear the virtual address and VRID when redundantly configuring Firewall (Brocade 5600 vRouter) with the VRRP protocol |
Customer Portal/API |
| 4 | Firewall Function |
Offer the Brocade 5600 vRouter control panel to customers and provide most of the Firewall functionality of Brocade 5600 vRouter. |
Brocade 5600 vRouter Portal/API/CLI |
4.3.2.2. Description of Functions¶
1.Instance Control Function¶
Create Firewall (Brocade 5600 vRouter)
Customer can create a new Firewall (Brocade 5600 vRouter) on Customers’ own via Customer Portal/API.
They can assign the following parameters while creating a Firewall (Brocade 5600 vRouter):
Configurable Information |
Details |
Name |
Specify name of Firewall (Brocade 5600 vRouter) |
Details |
Specify description of Firewall (Brocade 5600 vRouter) |
Plan |
Specify a plan of Firewall (Brocade 5600 vRouter) |
Zone/Group |
Specify a Zone / Group where Firewall (Brocade 5600 vRouter) is accommodated |
Default Gateway |
Specify the Default Gateway of Firewall (Brocade 5600 vRouter) |
Note
Customers can connect Brocade 5600 vRouter to Logical Network from Connect Firewall (Brocade 5600 vRouter) Interface.
Modify Firewall (Brocade 5600 vRouter)
Customer can modify a new Firewall (Brocade 5600 vRouter) on Customers’ own via Customer Portal/API.
They can assign the following parameters while editing a Firewall (Brocade 5600 vRouter):
Configurable Information |
Details |
Name |
Specify name of Firewall (Brocade 5600 vRouter) |
Details |
Specify description of Firewall (Brocade 5600 vRouter) |
Firewall Plan |
Specify plan for Firewall (Brocade 5600 vRouter). Plan can be changed. |
Default Gateway |
Specify the Default Gateway of Firewall (Brocade 5600 vRouter) |
Note
- In Firewall (Brocade 5600 vRouter), the number of interface is different for each plan. Please refer to Plan list.
- For changing the plan by reducing the number of interfaces, it is necessary to disconnect the interface of the slot number that is not supported by the Firewall(Brocade 5600 vRouter) after the change in advance from Logical Network.For example, if you want to change the plan from 8 interfaces to 4 interfaces, it is necessary to disconnect the interfaces of the slot number 5 to 8 (4 slots) in advance from Logical Network.
- If there is a change plan to increase the number of interfaces, or if there is no change of the number of interfaces before and after the change plan, it is not necessary to disconnect the interface from Logical Network in advance.
- Please note that if you implement the change plan, Firewall (Brocade 5600 vRouter) will restart.
Reboot Firewall (Brocade 5600 vRouter)
Customers can reboot the subscribed Firewall (Brocade 5600 vRouter) via Customer Portal/API.
Reset Password of Firewall (Brocade 5600 vRouter) Account
Reset password of Customers’ account for accessing to Firewall (Brocade 5600 vRouter) via Brocade 5600 vRouter Portal/API.
Important
Password reset of the firewall (Brocade 5600 vRouter) can only be performed with respect to the initial account (user-admin, user-read).
When resetting the password of the account that was created by the customers, please be sure to reset the password via Brocade 5600 vRouter Portal/API/CLI.
Delete Firewall (Brocade 5600 vRouter)
Customers can delete subscribed Firewall (Brocade 5600 vRouter) via Customer Portal/API.
View Firewall (Brocade 5600 vRouter) Information
Customers can view Firewall (Brocade 5600 vRouter)’s information on Customers’ own via Customer Portal/API.
Category |
Available Information |
Details |
Common |
Name |
View name of Firewall (Brocade 5600 vRouter) |
Common |
ID | View ID of Firewall (Brocade 5600 vRouter) |
Common |
Details |
View descriptions of Firewall (Brocade 5600 vRouter) |
Common |
Zone/Group |
View Zone/Group where Firewall (Brocade 5600 vRouter) is accommodated |
Common |
Default Gateway |
View default gateway of Firewall (Brocade 5600 vRouter) |
Common |
Status |
View operation status of Firewall (Brocade 5600 vRouter) |
Plan |
Name |
View plan name |
Plan |
ID | View plan ID |
Plan |
Details |
View plan description |
Plan |
Vendor |
View plan vendor |
Plan |
Version |
View plan version |
Interface |
Name |
View interface name of Firewall (Brocade 5600 vRouter) |
Interface |
ID | View interface ID of Firewall (Brocade 5600 vRouter) |
Interface |
Details |
View interface description of Firewall (Brocade 5600 vRouter) |
Interface |
Slot Number |
View interface slot number of Firewall (Brocade 5600 vRouter) |
Interface |
Status |
View operation status of Firewall (Brocade 5600 vRouter)’s interface |
Interface |
Logical Network |
View ID of Logical Network connected to Firewall (Brocade 5600 vRouter)’s interface |
Interface |
IP Address |
View IP address of Firewall (Brocade 5600 vRouter) interface |
2.Network Function¶
Connect Firewall (Brocade 5600 vRouter) Interface
Customers can connect the interface of the subscribed Firewall (Brocade 5600 vRouter) to Logical Network via Customer Portal/API.
Following parameters can be set when connecting the interface of Firewall (Brocade 5600 vRouter).
Configurable Information |
Details |
Logical Network |
Specify a destination Logical Network |
IP Address |
Assign IP address for Firewall (Brocade 5600 vRouter) interface.
In case Customers does not designate IP address, it will be automatically assigned from the IP Address Pool of Logical Network.
The IP address mentioned above will be assigned to Firewall (Brocade 5600 vRouter) as the static IP address.
|
Note
The IP address specified above is the access point to Brocade 5600 vRouter Portal/API/CLI.
Customers need to prepare Logical Network to connect with Firewall (Brocade 5600 vRouter) and its Subnet in advance.
Firewall (Brocade 5600 vRouter) can connect to the Logical Network (Data Plane) only. It cannot connect to the Logical Network (Storage Plane).
Customers are advised that the Firewall (Brocade 5600 vRouter) is rebooted when they connect to the interface.
Customers are advised that the MAC address is changed once interface is connected.
Modify Firewall (Brocade 5600 vRouter) Interface
Customers can modify interface of contracted Firewall (Brocade 5600 vRouter) via Customer Portal/API.
Following parameters can be set when editing interface of Firewall (Brocade 5600 vRouter).
Configurable Information |
Details |
Details |
Specify a description of interface |
Disconnect Firewall (Brocade 5600 vRouter) Interface
Customers can disconnect subscribed Firewall (Brocade 5600 vRouter) interface from Logical Network via Customer Portal/API.
Following parameters can be viewed when disconnecting Firewall (Brocade 5600 vRouter) Interface.
Available Informations |
Details |
Logical Network |
View Logical Network to be detached. |
IP Address |
View IP address of Firewall (Brocade 5600 vRouter) Interface |
Important
Customers are advised that the Firewall (Brocade 5600 vRouter) is rebooted once the interface is disconnected.
Customers are advised that the Load Balancer (NetScaler VPX) is rebooted once the interface is disconnected.
Network Configuration for VRRP Function¶
Register Network Configuration for VRRP of Firewall (Brocade 5600 vRouter)
Customers can register the network configuration for VRRP of subscribed Firewall (Brocade 5600 vRouter) via Customer Portal/API.
Following parameters can be specified when registering the network configuration for VRRP of Firewall (Brocade 5600 vRouter).
Configurable Information |
Details |
Subnet |
Specify the Subnet of Logical Network to connect. |
Virtual IP Address |
Specify the virtual IP address for VRRP. |
| VRID | Specify the VRRP group identifier. |
Important
This configuration is required for each Firewall configuring VRRP.
In order to perform the communication using the VRRP, after carrying out this setting, customer needs to do the VRRP set in Brocade 5600 vRouter Portal/API/CLI.
For one interface, please set only one pair of virtual IP address and VRID set in Register Network Configuration for VRRP via Customer Portal/API. Setting multiple pairs does not work properly.
Clear Network Configuration for VRRP of Firewall (Brocade 5600 vRouter)
Customers can clear the network configuration for VRRP of subscribed Firewall (Brocade 5600 vRouter) via Customer Portal/API.
Following parameters can be viewed when clearing the network configuration for VRRP of Firewall (Brocade 5600 vRouter).
Available Informations |
Details |
Virtual IP Address |
Specify the virtual IP address for VRRP. |
| VRID | Specify the VRRP group identifier. |
Important
This configuration is required for each Firewall configuring VRRP.
In addition to this configuration, it is mandatory to clear VRRP configuration via Brocade 5600 vRouter Portal/API/CLI.
4.Firewall Function¶
Function Overview
Firewall (Brocade 5600 vRouter) provides firewall function by provisioning Brocade 5600 vRouter on Virtual Server.
Customer can set up and use the firewall function via Brocade 5600 vRouter Portal/API/CLI.
Partial functions of the Brocade 5600 vRouter are restricted to realize the functions provided via Customer Portal/API. For details, please see the “Restrictions” section.
Example of setting the function verified by Service Provider(https://ecl.ntt.com/en/documents/tutorials/rsts/Firewall/vyatta/index.html) and usage models verified by Service Provider(https://ecl.ntt.com/en/documents/tutorials/rsts/networkfunction/index.html) are posted in the tutorial.
For other functions with Brocade Brocade 5600 vRouter Portal/API/CLI, please refer to the Broccade documentation (https://ecl.ntt.com/en/documents/tutorials/rsts/Firewall/vyatta/guide.html) Please check as a reference.
When the virtual server infrastructure has failed, by the HA function of the virtual server, it will be automatically accommodate changes to other normal server. (For details about the Virtual server and the HA functions, please refer to the Service Description of Virtual Server.)
Provided Version
In the firewall (Brocade 5600 vRouter), the version information provided is as follows.
| No | Provided Version |
Improved content |
| 1 | 3.5R6S3 | |
| 2 | 4.2R1S1 |
|
| 3 | 5.2R4 |
|
Note
In 5.2R4, the operating specifications of the option to enable packet filtering function statefully in Firewall (global-state-policy) have been changed.
Please refer to Brocade Technical Bulletin (Version5.2R4) (https://ecl.ntt.com/en/documents/tutorials/rsts/Firewall/vyatta/guide.html) for the change contents.
4.3.3. Service Plan¶
4.3.3.1. Menu¶
This menu provides following plans:
Plan |
CPU | MEM | DISK | Number of Interfaces |
| 2CPU-8GB-4IF | 2 | 8(GB) | 4(GB) | 4 |
| 4CPU-16GB-8IF | 4 | 16(GB) | 4(GB) | 8 |
4.3.3.2. Subscription Method¶
The type of application is as follows. It should be noted, by the following application, that the billing amount is subject to change.
Subscription Type |
Subscription Method |
Offered Date |
Create Firewall (Brocade 5600 vRouter) |
Customers’ operation via Customer Portal/API |
Instant Offering |
Changing Plan of the firewall (Brocade 5600 vRouter) |
Customers’ operation via Customer Portal/API |
Instant Offering |
Delete Firewall (Brocade 5600 vRouter) |
Customers’ operation via Customer Portal/API |
Instant Offering |
4.3.3.3. Important Notes of Subscription¶
The upper limit, the lower limit, the sales unit, per 1 tenant of the firewall (Brocade 5600 vRouter) are as follows.
Uppermost Maximum |
Lowermost Minimum |
Unit for Sale |
| 16 | 0 | 1 |
4.3.4. Terms and Conditions¶
4.3.4.1. Conditions for Usage with Other Menus¶
There is no specific conditions. Customers may subscribe this menu in combination with all the menus of Enterprise Cloud 2.0.
4.3.5. Pricing¶
4.3.5.2. Monthly Fee¶
Monthly fee is applied for this menu
Monthly fee applied for this menu is per-minute-basis with capped pricing per month.
4.3.6. Quality of Service¶
4.3.6.1. Support Coverage¶
Virtual Server, Brocade 5600 vRouter and Customer Portal/API is supported in this menu.
For inquiries about functions to operate with Customer Portal/API, Service Provider support the setting method.
- Inquiries about function to operate with Brocade 5600 vRouter Portal/API/CLI
Example of setting the function verified by Service Provider(https://ecl.ntt.com/en/documents/tutorials/rsts/Firewall/vyatta/index.html) and usage models verified by Service Provider(https://ecl.ntt.com/en/documents/tutorials/rsts/networkfunction/index.html) are supported by Service Provider free of charge.
With regard to the functions that Service Provider have not verified, for customers who applied for the advanced plan (charged) Service Provider can escalate vendors and confirm them. However, in this case Service Provider will exclude inquiries about technical support such as architecture and design support, performance tuning of customer environment, verification of applications individually introduced by customers. Please refer to Service Description of Support for the specification details about the advanced plan.
Service Provider will support at the time of breakdown such as when the function Customer used can not be used.
4.3.6.2. Quality of Operation¶
Quality of this menu’s Operations corresponds to that of standardized regulations which Service Provider defines thereof in details.
4.3.7. Restrictions¶
Note
Setting method and performance information are posted, so please be sure to check the tutorial.
Providing Method
This menu provides Brocade 5600 vRouter installed on Virtual Server.
Maximum of 16 Firewall (Brocade 5600 vRouter)s are available for 1 tenant.
Provide Customer Portal/API for implementing creation, deletion, plan change, reboot, password reset, interface connection, VRRP communication setting etc. of Firewall (Brocade 5600 vRouter). Provide Brocade 5600 vRouter Portal/API/CLI for implementing Brocade 5600 vRouter configuration.
Partial functions of the Brocade 5600 vRouter are restricted to realize the functions provided via Customer Portal/API. For details, please see the “Restrictions” section.
Filtering rules are not set by default. From a point of view of security, please only connect to the private network and set filtering rules before connecting to the Internet .
Please note that if you implement the change plan, Firewall (Brocade 5600 vRouter) will restart.
Example of setting the function verified by Service Provider(https://ecl.ntt.com/en/documents/tutorials/rsts/Firewall/vyatta/index.html) and usage models verified by Service Provider(https://ecl.ntt.com/en/documents/tutorials/rsts/networkfunction/index.html) are posted in the tutorial.
On Brocade 5600 vRouter Portal, some settings that can be set by the CLI can not be done. Please change the setting by CLI operation.
For other functions with Brocade Brocade 5600 vRouter Portal/API/CLI, please refer to the Broccade documentation (https://ecl.ntt.com/en/documents/tutorials/rsts/Firewall/vyatta/guide.html) Please check as a reference.
Interface related
In this menu, the number of interfaces differs for each plan. Please check the plan list for the number of available interfaces.
To connect the interface of Firewall (Brocade 5600 vRouter) to Logical Network , please refer to “Connect Firewall (Brocade 5600 vRouter) Interface” and execute via Customer Portal/API.
Customers need to prepare Logical Network and Subnet to connect with Firewall (Brocade 5600 vRouter) in advance.
Firewall (Brocade 5600 vRouter) can only connect to Logical Network (Data Plane) . It cannot connect to Logical Network (Storage Plane).
Firewall (Brocade 5600 vRouter) is rebooted when customers connect / disconnect the interface. If necessary, please save the configuration file before connecting / disconnecting the interface.
Customers are advised that the MAC address is changed once interface is connected / disconnected.
Enabling / Disabling of the interface can not be set via Brocade 5600 vRouter Portal/API/CLI and Customer Portal/API.
In case of changing the plan to reduce the number of interfaces, it is necessary to disconnect the interface of the slot number that is not supported by the plan after the change from the Logical Network in advance . For example, if you want to change the plan from 8 interfaces to 4 interfaces, it is necessary to disconnect the interfaces of the slot number 5 to 8 (4 slots) from the Logical Network in advance.
In case of changing the plan to increase the number of interfaces, or changing the plan with no change of the number of interface, it is not necessary to disconnect the interface from the Logical Network in advance.
This operation may take about 10 minutes.
In this operation, please specify a value that does not overlap with the IP address range used inside the firewall for the specified IP address range. If duplicate values are specified, the operation may be an error and re-creation of the firewall may be necessary.
MTU size supports up to 1500 bytes.
Address/Routing related
Please set the IP address of the interface in “Connect Firewall (Brocade 5600 vRouter) Interface” of Customer Portal/API. IP address for the interface can not directly be set via Brocade 5600 vRouter Portal/API/CLI.
The IP address specified via Customer Portal/API is the access point to Brocade 5600 vRouter Portal/API/CLI.
Please set the default gateway in “Modify Firewall (Brocade 5600 vRouter)” of Customer Portal/API. Default gateway can not be set via Brocade 5600 vRouter Portal/API/CLI.
VRRP related
In this menu, VRRP can be used as a redundancy protocol.
When using VRRP, please make DHCP function (address setting function) of the Logical Network to be connected “valid”. When the DHCP function is “invalid”, the ARP request is executed at the source address of 0.0.0.0 on ECL2.0 Network. In this case, it is confirmed that some appliances do not reply ARP.
For VRRP setting, you need to do the VRRP setting from Brocade 5600 vRouter Portal/API/CLI after “Register Network Configuration for VRRP of Firewall” from Customer Portal/API. Set the same value for parameters such as VRID.
For VRID(VRRP group ID), please specify a value that does not overlap in the same segment.
For one interface, please set only one pair of virtual IP address and VRID set in Register Network Configuration for VRRP via Customer Portal/API. Setting multiple pairs does not work properly.
With the initial setting of VRRP’s advertise interval, it is confirmed that VRRP communication rarely becomes unstable on ECL2.0 Network.It is recommended to set 20 sec or more (Detection will be done when Hello Packet is not received for 3 consecutive times). To change this setting, please change from Firewall on the Backup side. Changing from the Master side will change the Hello packet transmission interval to the Backup side, so the Backup side will also be promoted to Master and both devices may become Master.
Asymmetric communication is not supported in this service. When using VRRP with multiple interfaces, please synchronize the switching of VRRP with sync-group setting.
VRRP setting is required for each Firewall (Brocade 5600 vRouter) configuring VRRP.
Account related
When customers change their password of account, please do so via Brocade 5600 vRouter Portal/API/CLI.
Resetting passwords for Firewall (Brocade 5600 vRouter) is executable only with initial account (i.e., user-admin., user-read).
Customers are not allowed to modify the default settings on groups.
Customers are not allowed to create any new additional group.
Customers can freely create accounts belonging to one of the following two groups.
Intended Users |
Group |
Initial Default Account Name in Creation |
Details |
Administrator |
admin | user-admin | -Firewall function reference / create / modify / delete permissions
-With access right to the Brocade 5600 vRotuer portal (GUI)
|
Viewer |
operator | user-read | -Reference authority of the firewall function
-Brocade 5600 vRotuer portal (GUI) without access permission
|
Management Communication related
Customers can not shut down Firewall (Brocade 5600 vRouter) via Brocade 5600 vRouter Portal/API/CLI and Customer Portal/API.
Customers are not allowed to disable the services (ssh, https, snmp), needed for the access via Brocade 5600 vRouter Portal/API/CLI. Customer are not allowed to configure the listen-address of ssh/https/snmp services either.
Version upgrade for
Separately, a contract with the new version of the firewall (Brocade 5600 vRouter) has to be made, and customers need to switch from the old version Firewall (Brocade 5600 vRouter) to the new version Firewall (Brocade 5600 vRouter) .
Log related
It is confirmed that communication will be affected if traffic volume increases when acquiring logs on a packet basis such as packet filtering.
When using the Log option, please keep the log acquisition target to the minimum necessary.
Reference Performance Information
Performance measurement result of Firewall (Brocade 5600 vRouter) is posted in the tutorial.
The maximum value in each performance item is measured and not all the maximum values of each performance item are measured at the same time.
Please note that this verification result is a reference value, it does not guaranteed performance.