4.3. Firewall (Brocade 5600 vRouter): End of Sales 1st of July, 2017

Important

  • As of July 1, 2017, we will stop new sales of Firewall (Brocade 5600 vRouter) (vFW hereafter).

  • Please use Managed Firewall after EOL of Firewall (Brocade 5600 vRouter).

  • Furthermore, customers currently using vFW can continue to use it.

4.3.1. Overview

4.3.1.1. Overview

  • This menu, Firewall (Brocade 5600 vRouter), provides a virtual server with Brocade 5600 vRouter installed.

  • Creating, configuring and deleting Firewall (Brocade 5600 vRouter) are completely automated. Customers are able to utilize them on-demand.

4.3.1.2. Features

The following are features of Firewall (Brocade 5600 vRouter) menu:

  • Offering Brocade 5600 vRouter’s functions as much as possible

    • This menu makes almost all functions of Brocade 5600 vRouter available to Customers; as such, it provides high-performance network functions as well as cutting-edge routing functions.

  • Automated Provisioning with SDN technology

    • Provisioning Firewall (Brocade 5600 vRouter) is automated with SDN technology, which enables customers to utilize flexible resources without any complicated operations.

  • Flexible network architecture in combination with Logical Network

    • Customers can use Firewall (Brocade 5600 vRouter) for various purposes depending on their network topologies, for example: configuring it as an Internet border router, segregating a DMZ from internal segments to maintain the security level, or connecting it to the “Multi-Cloud Connect” service to control access from the VPN.

4.3.1.3. Definition of Terms

  • Customer Portal/API: Portal/API provided by NTT Com

  • Brocade 5600 vRouter Portal/API/CLI: Portal/API/CLI provided as a standard function of Brocade 5600 vRouter

4.3.2. Available Functions

4.3.2.1. List of Functions

  • The following functions are available in this menu. This menu provides Portal/API/CLI for using each function.

| No. | Function | Details | Method of Operation |
|---|---|---|---|
| 1 | Instance Control Function | Provides functions such as creation and deletion of Firewall (Brocade 5600 vRouter), plan change, reboot, password reset and so on. | Customer Portal/API |
| 2 | Network Function | Provides the function to connect / disconnect Firewall (Brocade 5600 vRouter) to / from Logical Network. | Customer Portal/API |
| 3 | Network Configuration for VRRP Function | Provides the function to register / clear the virtual address and VRID when configuring Firewall (Brocade 5600 vRouter) redundantly with the VRRP protocol. | Customer Portal/API |
| 4 | Firewall Function | Offers the Brocade 5600 vRouter control panel to customers and provides most of the Firewall functionality of Brocade 5600 vRouter. | Brocade 5600 vRouter Portal/API/CLI |


4.3.2.2. Description of Functions

1. Instance Control Function

Create Firewall (Brocade 5600 vRouter)

  • Customers can create a new Firewall (Brocade 5600 vRouter) on their own via Customer Portal/API.

  • They can assign the following parameters while creating a Firewall (Brocade 5600 vRouter):

| Configurable Information | Details |
|---|---|
| Name | Specify name of Firewall (Brocade 5600 vRouter) |
| Details | Specify description of Firewall (Brocade 5600 vRouter) |
| Plan | Specify a plan of Firewall (Brocade 5600 vRouter) |
| Zone/Group | Specify a Zone / Group where Firewall (Brocade 5600 vRouter) is accommodated |
| Default Gateway | Specify the Default Gateway of Firewall (Brocade 5600 vRouter) |

Note

Customers can connect Brocade 5600 vRouter to Logical Network from Connect Firewall (Brocade 5600 vRouter) Interface.


Modify Firewall (Brocade 5600 vRouter)

  • Customers can modify a Firewall (Brocade 5600 vRouter) on their own via Customer Portal/API.

  • They can assign the following parameters while editing a Firewall (Brocade 5600 vRouter):

| Configurable Information | Details |
|---|---|
| Name | Specify name of Firewall (Brocade 5600 vRouter) |
| Details | Specify description of Firewall (Brocade 5600 vRouter) |
| Firewall Plan | Specify plan for Firewall (Brocade 5600 vRouter). Plan can be changed. |
| Default Gateway | Specify the Default Gateway of Firewall (Brocade 5600 vRouter) |

Note

  • In Firewall (Brocade 5600 vRouter), the number of interfaces differs for each plan. Please refer to the Plan list.
  • When changing to a plan with fewer interfaces, the interfaces in slot numbers that the new plan does not support must be disconnected from Logical Network in advance.
    For example, to change the plan from 8 interfaces to 4 interfaces, the interfaces in slot numbers 5 to 8 (4 slots) must be disconnected from Logical Network in advance.
  • When changing to a plan with more interfaces, or to a plan with the same number of interfaces, it is not necessary to disconnect any interface from Logical Network in advance.
  • Please note that Firewall (Brocade 5600 vRouter) restarts when the plan is changed.

Reboot Firewall (Brocade 5600 vRouter)

  • Customers can reboot the subscribed Firewall (Brocade 5600 vRouter) via Customer Portal/API.

Reset Password of Firewall (Brocade 5600 vRouter) Account

  • Reset the password of the Customer's account used for accessing Firewall (Brocade 5600 vRouter) via Brocade 5600 vRouter Portal/API.

Important

  • Password reset of the firewall (Brocade 5600 vRouter) can only be performed with respect to the initial account (user-admin, user-read).

  • When resetting the password of the account that was created by the customers, please be sure to reset the password via Brocade 5600 vRouter Portal/API/CLI.

Delete Firewall (Brocade 5600 vRouter)

  • Customers can delete subscribed Firewall (Brocade 5600 vRouter) via Customer Portal/API.

View Firewall (Brocade 5600 vRouter) Information

  • Customers can view information about Firewall (Brocade 5600 vRouter) on their own via Customer Portal/API.

| Category | Available Information | Details |
|---|---|---|
| Common | Name | View name of Firewall (Brocade 5600 vRouter) |
| Common | ID | View ID of Firewall (Brocade 5600 vRouter) |
| Common | Details | View descriptions of Firewall (Brocade 5600 vRouter) |
| Common | Zone/Group | View Zone/Group where Firewall (Brocade 5600 vRouter) is accommodated |
| Common | Default Gateway | View default gateway of Firewall (Brocade 5600 vRouter) |
| Common | Status | View operation status of Firewall (Brocade 5600 vRouter) |
| Plan | Name | View plan name |
| Plan | ID | View plan ID |
| Plan | Details | View plan description |
| Plan | Vendor | View plan vendor |
| Plan | Version | View plan version |
| Interface | Name | View interface name of Firewall (Brocade 5600 vRouter) |
| Interface | ID | View interface ID of Firewall (Brocade 5600 vRouter) |
| Interface | Details | View interface description of Firewall (Brocade 5600 vRouter) |
| Interface | Slot Number | View interface slot number of Firewall (Brocade 5600 vRouter) |
| Interface | Status | View operation status of Firewall (Brocade 5600 vRouter)’s interface |
| Interface | Logical Network | View ID of Logical Network connected to Firewall (Brocade 5600 vRouter)’s interface |
| Interface | IP Address | View IP address of Firewall (Brocade 5600 vRouter) interface |


2. Network Function

Connect Firewall (Brocade 5600 vRouter) Interface

  • Customers can connect the interface of the subscribed Firewall (Brocade 5600 vRouter) to Logical Network via Customer Portal/API.

  • The following parameters can be set when connecting the interface of Firewall (Brocade 5600 vRouter).

| Configurable Information | Details |
|---|---|
| Logical Network | Specify a destination Logical Network |
| IP Address | Assign an IP address for the Firewall (Brocade 5600 vRouter) interface. If Customers do not designate an IP address, one is automatically assigned from the IP Address Pool of Logical Network. The IP address mentioned above is assigned to Firewall (Brocade 5600 vRouter) as a static IP address. |

Note

  • The IP address specified above is the access point to Brocade 5600 vRouter Portal/API/CLI.

  • Customers need to prepare Logical Network to connect with Firewall (Brocade 5600 vRouter) and its Subnet in advance.

  • Firewall (Brocade 5600 vRouter) can connect to the Logical Network (Data Plane) only. It cannot connect to the Logical Network (Storage Plane).

  • Customers are advised that the Firewall (Brocade 5600 vRouter) is rebooted when they connect the interface.

  • Customers are advised that the MAC address is changed once interface is connected.


Modify Firewall (Brocade 5600 vRouter) Interface

  • Customers can modify interface of contracted Firewall (Brocade 5600 vRouter) via Customer Portal/API.

  • The following parameters can be set when editing the interface of Firewall (Brocade 5600 vRouter).

| Configurable Information | Details |
|---|---|
| Details | Specify a description of interface |


Disconnect Firewall (Brocade 5600 vRouter) Interface

  • Customers can disconnect subscribed Firewall (Brocade 5600 vRouter) interface from Logical Network via Customer Portal/API.

  • The following parameters can be viewed when disconnecting the Firewall (Brocade 5600 vRouter) interface.

| Available Information | Details |
|---|---|
| Logical Network | View Logical Network to be detached. |
| IP Address | View IP address of Firewall (Brocade 5600 vRouter) Interface |

Important

  • Customers are advised that the Firewall (Brocade 5600 vRouter) is rebooted once the interface is disconnected.

  • Customers are advised that the Load Balancer (NetScaler VPX) is rebooted once the interface is disconnected.


3. Network Configuration for VRRP Function

Register Network Configuration for VRRP of Firewall (Brocade 5600 vRouter)

  • Customers can register the network configuration for VRRP of subscribed Firewall (Brocade 5600 vRouter) via Customer Portal/API.

  • The following parameters can be specified when registering the network configuration for VRRP of Firewall (Brocade 5600 vRouter).

| Configurable Information | Details |
|---|---|
| Subnet | Specify the Subnet of Logical Network to connect. |
| Virtual IP Address | Specify the virtual IP address for VRRP. |
| VRID | Specify the VRRP group identifier. |

Important

  • This configuration is required for each Firewall configuring VRRP.

  • To communicate using VRRP, after carrying out this setting the customer also needs to configure VRRP in Brocade 5600 vRouter Portal/API/CLI.

  • For one interface, please register only one pair of virtual IP address and VRID in Register Network Configuration for VRRP via Customer Portal/API. Setting multiple pairs does not work properly.


Clear Network Configuration for VRRP of Firewall (Brocade 5600 vRouter)

  • Customers can clear the network configuration for VRRP of subscribed Firewall (Brocade 5600 vRouter) via Customer Portal/API.

  • The following parameters can be viewed when clearing the network configuration for VRRP of Firewall (Brocade 5600 vRouter).

| Available Information | Details |
|---|---|
| Virtual IP Address | Specify the virtual IP address for VRRP. |
| VRID | Specify the VRRP group identifier. |

Important

  • This configuration is required for each Firewall configuring VRRP.

  • In addition to this configuration, it is mandatory to clear VRRP configuration via Brocade 5600 vRouter Portal/API/CLI.


4. Firewall Function

Function Overview

  • Firewall (Brocade 5600 vRouter) provides firewall function by provisioning Brocade 5600 vRouter on Virtual Server.

  • Customers can set up and use the firewall function via Brocade 5600 vRouter Portal/API/CLI.

  • Some functions of the Brocade 5600 vRouter are restricted in order to provide the functions offered via Customer Portal/API. For details, please see the “Restrictions” section.

  • Setting examples verified by NTT Com (https://ecl.ntt.com/en/documents/tutorials/rsts/Firewall/vyatta/index.html) and usage models verified by NTT Com (https://ecl.ntt.com/en/documents/tutorials/rsts/networkfunction/index.html) are posted in the tutorial.

  • For other functions of Brocade 5600 vRouter Portal/API/CLI, please refer to the Brocade documentation (https://ecl.ntt.com/en/documents/tutorials/rsts/Firewall/vyatta/guide.html) as a reference.

  • If the virtual server infrastructure fails, the HA function of the virtual server automatically moves the firewall to another normal server. (For details about the Virtual Server and the HA function, please refer to the Service Description of Virtual Server.)

Provided Version

  • The versions of Firewall (Brocade 5600 vRouter) provided are as follows.

| No | Provided Version | Improved content |
|---|---|---|
| 1 | 3.5R6S3 | |
| 2 | 4.2R1S1 | • In 3.5R6S3, messages exceeding 200 lines per 5 seconds are discarded in Syslog transfer; this is resolved in 4.2R1S1. • For the issue in which the firewall goes into an error state when operated from the customer portal, system stability is improved in 4.2R1S1 and the occurrence frequency is reduced. |
| 3 | 5.2R4 | • The issue in which the SNMP process terminated abnormally and the Firewall (Brocade 5600 vRouter) status became stopped has been resolved. • The packet capture function is available in 5.2R4. • The problem with SNMP Trap at the time of VRRP switching has been resolved. • A VRRP VIP can be specified as the IP address terminating IPSec. • The issue in which Firewall (Brocade 5600 vRouter) became unstable when 48 or more accounts were registered at the same time has been resolved. |

Note


4.3.3. Service Plan

4.3.3.1. Menu

  • This menu provides the following plans:

| Plan | CPU | MEM | DISK | Number of Interfaces |
|---|---|---|---|---|
| 2CPU-8GB-4IF | 2 | 8 (GB) | 4 (GB) | 4 |
| 4CPU-16GB-8IF | 4 | 16 (GB) | 4 (GB) | 8 |

4.3.3.2. Subscription Method

  • The subscription types are as follows. Please note that the billing amount changes as a result of the following subscriptions.

| Subscription Type | Subscription Method | Offered Date |
|---|---|---|
| Create Firewall (Brocade 5600 vRouter) | Customers’ operation via Customer Portal/API | Instant Offering |
| Changing Plan of the firewall (Brocade 5600 vRouter) | Customers’ operation via Customer Portal/API | Instant Offering |
| Delete Firewall (Brocade 5600 vRouter) | Customers’ operation via Customer Portal/API | Instant Offering |


4.3.3.3. Important Notes of Subscription

  • The upper limit, lower limit, and sales unit of Firewall (Brocade 5600 vRouter) per tenant are as follows.

| Upper Limit | Lower Limit | Unit for Sale |
|---|---|---|
| 16 | 0 | 1 |

4.3.4. Terms and Conditions

4.3.4.1. Conditions for Usage with Other Menus

  • There are no specific conditions. Customers may subscribe to this menu in combination with all the menus of Enterprise Cloud 2.0.


4.3.4.2. Minimum Contract Period

  • There is no minimum contract period.


4.3.5. Pricing

4.3.5.1. Initial Fee

  • There is no initial fee.


4.3.5.2. Monthly Fee

  • A monthly fee is applied for this menu.

  • Monthly fee applied for this menu is per-minute-basis with capped pricing per month.


4.3.6. Quality of Service

4.3.6.1. Support Coverage

  • Virtual Server, Brocade 5600 vRouter and Customer Portal/API are supported in this menu.

  • For inquiries about functions operated with Customer Portal/API, NTT Com supports the setting method.

  • Inquiries about functions operated with Brocade 5600 vRouter Portal/API/CLI:
    • Setting examples verified by NTT Com (https://ecl.ntt.com/en/documents/tutorials/rsts/Firewall/vyatta/index.html) and usage models verified by NTT Com (https://ecl.ntt.com/en/documents/tutorials/rsts/networkfunction/index.html) are supported by NTT Com free of charge.

    • For functions that NTT Com has not verified, NTT Com can escalate to the vendor and confirm them for customers who have applied for the advanced plan (charged). However, in this case NTT Com excludes inquiries about technical support such as architecture and design support, performance tuning of the customer environment, and verification of applications individually introduced by customers. Please refer to the Service Description of Support for the specification details of the advanced plan.

  • NTT Com will provide support in the event of a failure, such as when a function the Customer has been using can no longer be used.

4.3.6.2. Quality of Operation

  • The quality of operation of this menu conforms to the standardized regulations that NTT Com defines in detail.


4.3.6.3. SLA

  • The SLA of this menu is based on the standardized SLA for Enterprise Cloud 2.0.


4.3.7. Restrictions

Note

  • Setting methods and performance information are posted in the tutorial, so please be sure to check it.

Providing Method

  • This menu provides Brocade 5600 vRouter installed on Virtual Server.

  • A maximum of 16 Firewall (Brocade 5600 vRouter) instances are available for 1 tenant.

  • Customer Portal/API is provided for creation, deletion, plan change, reboot, password reset, interface connection, VRRP communication setting etc. of Firewall (Brocade 5600 vRouter). Brocade 5600 vRouter Portal/API/CLI is provided for Brocade 5600 vRouter configuration.

  • Some functions of the Brocade 5600 vRouter are restricted in order to provide the functions offered via Customer Portal/API. For details, please see the “Restrictions” section.

  • Filtering rules are not set by default. For security, please connect only to the private network at first, and set filtering rules before connecting to the Internet.

  • Please note that Firewall (Brocade 5600 vRouter) restarts when the plan is changed.

  • Setting examples verified by NTT Com (https://ecl.ntt.com/en/documents/tutorials/rsts/Firewall/vyatta/index.html) and usage models verified by NTT Com (https://ecl.ntt.com/en/documents/tutorials/rsts/networkfunction/index.html) are posted in the tutorial.

  • Some settings that can be made from the CLI cannot be made on Brocade 5600 vRouter Portal. Please change such settings by CLI operation.

  • For other functions of Brocade 5600 vRouter Portal/API/CLI, please refer to the Brocade documentation (https://ecl.ntt.com/en/documents/tutorials/rsts/Firewall/vyatta/guide.html) as a reference.

Interface related

  • In this menu, the number of interfaces differs for each plan. Please check the plan list for the number of available interfaces.

  • To connect the interface of Firewall (Brocade 5600 vRouter) to Logical Network, please refer to “Connect Firewall (Brocade 5600 vRouter) Interface” and execute via Customer Portal/API.

  • Customers need to prepare Logical Network and Subnet to connect with Firewall (Brocade 5600 vRouter) in advance.

  • Firewall (Brocade 5600 vRouter) can only connect to Logical Network (Data Plane). It cannot connect to Logical Network (Storage Plane).

  • Firewall (Brocade 5600 vRouter) is rebooted when customers connect / disconnect the interface. If necessary, please save the configuration file before connecting / disconnecting the interface.

  • Customers are advised that the MAC address is changed once interface is connected / disconnected.

  • Enabling / Disabling of the interface can not be set via Brocade 5600 vRouter Portal/API/CLI and Customer Portal/API.

  • When changing to a plan with fewer interfaces, the interfaces in slot numbers that the new plan does not support must be disconnected from the Logical Network in advance. For example, to change the plan from 8 interfaces to 4 interfaces, the interfaces in slot numbers 5 to 8 (4 slots) must be disconnected from the Logical Network in advance.

  • When changing to a plan with more interfaces, or to a plan with the same number of interfaces, it is not necessary to disconnect any interface from the Logical Network in advance.

  • This operation may take about 10 minutes.

  • In this operation, please specify an IP address range that does not overlap with the IP address range used inside the firewall. If overlapping values are specified, the operation may end in an error and the firewall may need to be re-created.

  • An MTU size of up to 1500 bytes is supported.

Address/Routing related

  • Please set the IP address of the interface in “Connect Firewall (Brocade 5600 vRouter) Interface” of Customer Portal/API. IP address for the interface can not directly be set via Brocade 5600 vRouter Portal/API/CLI.

  • The IP address specified via Customer Portal/API is the access point to Brocade 5600 vRouter Portal/API/CLI.

  • Please set the default gateway in “Modify Firewall (Brocade 5600 vRouter)” of Customer Portal/API. Default gateway can not be set via Brocade 5600 vRouter Portal/API/CLI.

VRRP related

  • In this menu, VRRP can be used as a redundancy protocol.

  • When using VRRP, please set the DHCP function (address setting function) of the Logical Network to be connected to “valid”. When the DHCP function is “invalid”, ARP requests are sent with a source address of 0.0.0.0 on the ECL2.0 Network. It has been confirmed that some appliances do not reply to ARP in this case.

  • To set up VRRP, first perform “Register Network Configuration for VRRP of Firewall” from Customer Portal/API, then configure VRRP from Brocade 5600 vRouter Portal/API/CLI. Set the same value in both for parameters such as VRID.

  • For VRID (VRRP group ID), please specify a value that does not overlap with another in the same segment.

  • For one interface, please register only one pair of virtual IP address and VRID in Register Network Configuration for VRRP via Customer Portal/API. Setting multiple pairs does not work properly.

  • With the initial setting of the VRRP advertise interval, it has been confirmed that VRRP communication becomes unstable in rare cases on the ECL2.0 Network. It is recommended to set 20 sec or more (a failure is detected when the Hello packet is not received 3 consecutive times). To change this setting, please change it from the Firewall on the Backup side. Changing it from the Master side changes the interval at which Hello packets are sent to the Backup side, so the Backup side is also promoted to Master and both devices may become Master.

  • Asymmetric communication is not supported in this service. When using VRRP with multiple interfaces, please synchronize the switching of VRRP with sync-group setting.

  • VRRP setting is required for each Firewall (Brocade 5600 vRouter) configuring VRRP.
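
The VRRP restrictions above can be checked against a planned configuration before anything is registered. The following is an added example, not code from NTT Com or Brocade: the record layout, the helper iface() and the finding names are hypothetical, the sample data is constructed, and the VRID range (1 to 255) and the virtual-IP-inside-subnet check are sanity checks added by this example.

```python
import ipaddress
from collections import defaultdict

MIN_ADVERTISE_INTERVAL = 20  # seconds; the page recommends 20 sec or more


def iface(fw, slot, subnet, dhcp, pairs, cli_vip, cli_vrid, interval, sync):
    """Build one interface record. Field names are hypothetical, not an API schema."""
    return {"firewall": fw, "slot": slot, "subnet": subnet, "dhcp_enabled": dhcp,
            "portal_pairs": pairs,  # (virtual IP, VRID) registered via Customer Portal/API
            "vrouter": {"vip": cli_vip, "vrid": cli_vrid,  # values set on the vRouter side
                        "advertise_interval": interval, "sync_group": sync}}


# Constructed sample: two firewalls, each running VRRP on two interfaces.
SAMPLE = [
    iface("fw-a", 1, "192.168.10.0/24", True, [("192.168.10.1", 10)], "192.168.10.1", 10, 20, "SG1"),
    iface("fw-a", 2, "192.168.20.0/24", False, [("192.168.20.1", 20)], "192.168.20.1", 20, 1, None),
    iface("fw-b", 1, "192.168.10.0/24", True, [("192.168.10.1", 10)], "192.168.10.1", 11, 20, "SG1"),
    iface("fw-b", 2, "192.168.20.0/24", False,
          [("192.168.20.1", 20), ("192.168.20.2", 21)], "192.168.20.1", 20, 20, "SG1"),
]


def check_vrrp(interfaces):
    """Return sorted (firewall, slot, finding) tuples for a planned VRRP setup."""
    findings = set()
    vips_by_segment_vrid = defaultdict(set)  # (subnet, VRID) -> virtual IPs seen
    vrrp_ifaces_by_fw = defaultdict(list)    # firewall -> its VRRP interfaces

    for i in interfaces:
        where = (i["firewall"], i["slot"])
        net = ipaddress.ip_network(i["subnet"])
        pairs = i["portal_pairs"]
        if not pairs:
            continue  # this interface does not take part in VRRP
        vrrp_ifaces_by_fw[i["firewall"]].append(i)
        if len(pairs) > 1:  # only one pair per interface works properly
            findings.add(where + ("MULTIPLE_PAIRS_ON_INTERFACE",))
        if not i["dhcp_enabled"]:  # DHCP must be "valid" on the Logical Network
            findings.add(where + ("DHCP_DISABLED_ON_LOGICAL_NETWORK",))
        for vip, vrid in pairs:
            if not 1 <= vrid <= 255:  # added sanity check (VRRP VRID range)
                findings.add(where + ("VRID_OUT_OF_RANGE",))
            if ipaddress.ip_address(vip) not in net:  # added sanity check
                findings.add(where + ("VIP_OUTSIDE_SUBNET",))
            vips_by_segment_vrid[(str(net), vrid)].add(vip)
        cli = i["vrouter"]
        if (cli["vip"], cli["vrid"]) not in pairs:  # both sides must use the same values
            findings.add(where + ("PORTAL_AND_VROUTER_DISAGREE",))
        if cli["advertise_interval"] < MIN_ADVERTISE_INTERVAL:
            findings.add(where + ("ADVERTISE_INTERVAL_BELOW_20S",))

    # One VRID carrying two different virtual IPs in a segment means two
    # VRRP groups overlap on that VRID.
    for i in interfaces:
        net = str(ipaddress.ip_network(i["subnet"]))
        for vip, vrid in i["portal_pairs"]:
            if len(vips_by_segment_vrid[(net, vrid)]) > 1:
                findings.add((i["firewall"], i["slot"], "VRID_REUSED_IN_SEGMENT"))

    # VRRP on several interfaces of one firewall needs one shared sync-group.
    for fw, ifaces in vrrp_ifaces_by_fw.items():
        groups = {x["vrouter"]["sync_group"] for x in ifaces}
        if len(ifaces) > 1 and (None in groups or len(groups) > 1):
            for x in ifaces:
                findings.add((fw, x["slot"], "SYNC_GROUP_NOT_SHARED"))
    return sorted(findings)


if __name__ == "__main__":
    for fw, slot, finding in check_vrrp(SAMPLE):
        print(f"{fw} slot {slot}: {finding}")
```
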

Account related

  • When customers change the password of their account, please do so via Brocade 5600 vRouter Portal/API/CLI.

  • Resetting passwords for Firewall (Brocade 5600 vRouter) is executable only for the initial accounts (i.e., user-admin, user-read).

  • Customers are not allowed to modify the default settings on groups.

  • Customers are not allowed to create any new additional group.

  • Customers can freely create accounts belonging to one of the following two groups.

| Intended Users | Group | Initial Default Account Name in Creation | Details |
|---|---|---|---|
| Administrator | admin | user-admin | Reference / create / modify / delete permissions for the firewall function; with access right to the Brocade 5600 vRouter portal (GUI) |
| Viewer | operator | user-read | Reference permission for the firewall function; without access right to the Brocade 5600 vRouter portal (GUI) |

Management Communication related

  • Customers can not shut down Firewall (Brocade 5600 vRouter) via Brocade 5600 vRouter Portal/API/CLI and Customer Portal/API.

  • Customers are not allowed to disable the services (ssh, https, snmp) needed for access via Brocade 5600 vRouter Portal/API/CLI. Customers are not allowed to configure the listen-address of the ssh/https/snmp services either.

Version upgrade for

  • A separate contract for the new version of Firewall (Brocade 5600 vRouter) has to be made, and customers need to switch from the old-version Firewall (Brocade 5600 vRouter) to the new-version Firewall (Brocade 5600 vRouter).

Log related

  • It has been confirmed that communication is affected if traffic volume increases while logs are acquired on a per-packet basis, such as for packet filtering.

  • When using the Log option, please keep the log acquisition target to the minimum necessary.

Reference Performance Information

  • Performance measurement result of Firewall (Brocade 5600 vRouter) is posted in the tutorial.

  • The maximum value of each performance item was measured individually; the maximum values of all performance items were not measured at the same time.

  • Please note that this verification result is a reference value and does not guarantee performance.