Managed Firewall¶
Overview¶
Features¶
Firewall Functions (controlling access)
IDS / IPS Functions (detection and prevention of unauthorized access) [1]
Anti-virus Functions (protection against viral infections)
Web-Filtering Functions (filtering the URLs of web traffic)
Anti-Spam Functions (identifying and removing spam)
[1] IDS: Intrusion Detection System; IPS: Intrusion Prevention System
Available Functions¶
List of Available Functions¶
No. | Functions | Overviews
---|---|---
1 | Firewall | Customers control traffic passing through the “Device” according to the firewall parameters defined in their policies.
2 | Network | Connects the “Device” to the logical network and routes traffic.
3 | Other Functions | Forwards logs obtained by the “Device” to a syslog server managed by the Customer, and sets the time zone used for the log timestamps recorded on the “Device”.
4 | Security Incident Report | The “Device” analyzes its own logs and reports any security incident(s) whenever the information indicates that it received hostile incoming traffic.
5 | Control Panel | The “Device” is configured here, and subscriptions created or added through the Security Control Panel in the Enterprise Cloud 2.0 Portal are recognized.
Descriptions of Each Function¶
Functions | Overviews
---|---
Firewall | Performs “stateful packet inspection” [2] on traffic passing through the “Device”, according to the values and rules of the Firewall policies.
NAT/NAPT [3] | Translates the IP address and/or port number(s) of traffic passing through the “Device”.
[2] Stateful inspection decides whether to allow or deny a packet passing through the “Device” by tracking the state of the connection it belongs to. Typically, if the outbound packet is allowed, the corresponding return packets are allowed back through.
[3] NAT stands for Network Address Translation; NAPT stands for Network Address Port Translation.
Functions | Overviews
---|---
Input Interface | Specify the interface on which the traffic subject to the policy enters the Device
Source Address | Specify the source address (address objects, or an address group)
Output Interface | Specify the interface through which the traffic subject to the policy leaves the Device
Destination address type | Specify the type of destination address
Destination address | Specify the destination address (selected from the objects of the type chosen in Destination address type)
Service | Specify the services to which the policy applies (service objects, or a service group)
Action | Specify the action applied to traffic that matches the policy
NAT | Specify the mode when Source NAT is used
Log | Specify whether a log is recorded when traffic matches the policy
Note
In an HA configuration, the following IP addresses configured on interfaces cannot be used for Source NAT:
- Real IP address of each device
- Virtual IP address (the VRRP IP address)
Name of Objects | Overviews
---|---
Address Object | Defines an address used in Firewall Policies.
Address Group | Groups multiple address objects so that one (1) group can be handled in one (1) Firewall Policy.
NAT Object | Defines NAT: the Source NAT object used for NAPT configuration, and the Destination NAT object.
Service Object | Defines a service used in Firewall Policies.
Service Group | Groups multiple service objects so that they can be handled as one (1) in one (1) Firewall Policy.
Functions | Overviews
---|---
Interface | Configures the interfaces of the “Device” and connects them to the logical network.
Routing | Configures the static routes and default gateway used to route traffic.
Note
Customers must create the logical network before this menu is provisioned.
The “Device” is connected to the Data Plane of the logical network; it is not connected to the Storage Plane.
Creating, changing or deleting an interface of the “Device” requires a reboot of the “Device”, and the interface MAC address is changed automatically.
The MTU size of an interface can be changed in the range of 100 to 1500 bytes. The default value is 1500 bytes.
Functions | Overviews
---|---
Syslog transmission | Logs obtained on the “Device” are sent to a syslog server managed by the Customer.
Time Zone Assignment | Sets the time zone of the timestamps recorded in the logs on the “Device”.
Note
Only one (1) syslog transmission destination can be configured.
If the time zone is changed, the timestamps of logs recorded before the change are not rewritten.
Functions | Overviews
---|---
Create Report | Device logs are analyzed automatically, and a “Security Incident Report” is generated when a threat is detected.
Publish Report | The “Security Incident Report” is sent to the recipient registered as the notification email destination via the Enterprise Cloud 2.0 Portal.
Notify Report | When a “Security Incident Report” is generated, a notification is shown in the Enterprise Cloud 2.0 Portal.
Functions | Overviews
---|---
Device | Device name, if any
Reference | Automatically assigned ID
Severity | Severity of the detected threat
Date and Time | Date and time of the first detection, and of the last detection, of the reported threat
Description | Details of the detected threat
Recommendation/Action | Recommended countermeasures and further action(s) against the threat
Signature, DNS | Name of the signature, DNS information, etc. identified in the detection of the threat
Note
All “Security Incident Reports” are written in English.
Functions | Overviews
---|---
Order | Customers subscribe to the Security Menu
Operation | Customers manage and configure the created “Device”
Functions | Overviews
---|---
Add Device | Customers create a new “Device”
Change | The Menu and/or Plan of a created “Device” is changed to update its settings
Delete Device | A created “Device” is deleted and removed from operation
Functions | Overviews
---|---
Device KPI | Shows resource status (such as CPU and memory) and traffic.
Network Management | Configures the interfaces of the “Device” (and connects them to the logical network).
Device Management | Configures firewall functions, network functions (such as routing), and other functions.
Log Analysis | Customers specify search conditions and download the matching log data as a CSV file.
Incident Reports | Security Incident Reports are published here.
Customer Profile | Customers register the email destinations for Security Incident Reports.
Information | Notable information is relayed here.
Note
The period for which logs can be searched and inspected in Log Analysis is as follows:
Detailed logs of the Firewall Function obtained via the portal: 1 week (7 days).
Customers who need to keep log results for a longer period are advised to forward the logs to a syslog server that they manage.
Menu¶
Plan¶
Plan | vCPU (Number) | Memory (GB) | Disk (GB) | Interface (Maximum) | Configuration
---|---|---|---|---|---
2CPU-4GB | 2 | 4 | 2 | 7 | Single Configuration
8CPU-12GB | 8 | 12 | 2 | 7 | Single Configuration
2CPU-4GB(HA) | 2 | 4 | 2 | 7 | HA Configuration
8CPU-12GB(HA) | 8 | 12 | 2 | 7 | HA Configuration
Subscriptions Methods¶
Subscription Types | Details | Subscription Methods | Delivery Timing
---|---|---|---
Add Device | Create the Device | Customers subscribe via the Enterprise Cloud 2.0 Portal | Immediately
Change | Change the Device Plan; modify Menus to change settings | Same as above | Immediately
Delete Device | Delete the Device | Same as above | Immediately
Note
Only one (1) “Device” can be created per “order”. Customers who wish to order multiple “Devices” must go through the order process once for each “Device”; the Order screen must be completed for every “Device”.
The Plan can be changed within the same menu:
- 2CPU-4GB → 8CPU-12GB
- 8CPU-12GB → 2CPU-4GB
Plan changes that change the configuration, such as from a Single Configuration Plan to an HA Configuration Plan, are not possible:
- 2CPU-4GB or 8CPU-12GB → 2CPU-4GB(HA) or 8CPU-12GB(HA)
- 2CPU-4GB(HA) or 8CPU-12GB(HA) → 2CPU-4GB or 8CPU-12GB
When the Plan is changed, the “Device” is rebooted.
This Menu can be changed from Managed Firewall to Managed UTM. Changing from Managed Firewall to Managed UTM does not require a reboot.
When many subscription orders are being processed at the same time, creating a “Device”, changing Plans and similar operations may take longer than usual to complete.
Restrictions In Subscriptions¶
Sales Unit | Uppermost | Lowermost
---|---|---
1 | No Limit | 0
Conditions With Usage¶
Conditions of Usage in Combination with Other Services¶
Pricing¶
Initial Fee¶
Monthly Fees¶
Qualities of Service¶
Support Coverage¶
Operations¶
Functions | Overviews
---|---
Applies security patches | Applied depending on how much the patch affects operation (including version updates during maintenance work, etc.)
Life Cycle Management of the Products | Updated versions are applied during operation
Monitoring / Maintenance | Monitoring of this function and provision of support channels for carrying out repairs
SLA¶
Restrictions¶
The following IP address ranges cannot be used for interfaces, routing, address objects, Destination NAT, Source NAT, etc. If these IP addresses are used, the service may not operate normally.
- Link local address: 169.254.0.0/16
- ISP shared address: 100.64.0.0/10
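The address restrictions above, the MTU range from the Network note, and the HA rule that interface real IPs and the VRRP virtual IP cannot be used for Source NAT can all be checked before a configuration is applied. The following is an added example and not the service's own code; the dict layout it reads is a constructed assumption, not the Security Control Panel's format.

```python
import ipaddress
# Added example (not the service's own code): check a firewall configuration
# against the restrictions in this service description. The dict layout of the
# configuration is a constructed assumption, not the Security Control Panel's.
RESERVED_RANGES = [ipaddress.ip_network("169.254.0.0/16"),  # link local
                   ipaddress.ip_network("100.64.0.0/10")]   # ISP shared address
MTU_MIN, MTU_MAX = 100, 1500  # settable MTU range per the Network note


def overlaps_reserved(cidr: str) -> bool:
    """True if a host address or prefix falls inside a forbidden range."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.overlaps(r) for r in RESERVED_RANGES)


def validate_config(cfg: dict) -> list:
    """Return human-readable findings; an empty list means no violation."""
    findings = []
    ha = cfg.get("plan", "").endswith("(HA)")
    blocked_snat_ips = set()  # in HA: interface real IPs and the VRRP virtual IP
    for iface in cfg.get("interfaces", []):
        blocked_snat_ips.add(iface["ip"])
        if ha and iface.get("vrrp_ip"):
            blocked_snat_ips.add(iface["vrrp_ip"])
        if overlaps_reserved(iface["ip"]):
            findings.append(f"interface {iface['name']}: reserved address {iface['ip']}")
        mtu = iface.get("mtu", 1500)
        if not MTU_MIN <= mtu <= MTU_MAX:
            findings.append(f"interface {iface['name']}: MTU {mtu} outside {MTU_MIN}-{MTU_MAX}")
    for obj in cfg.get("address_objects", []):
        if overlaps_reserved(obj["cidr"]):
            findings.append(f"address object {obj['name']}: reserved range {obj['cidr']}")
    for nat in cfg.get("source_nat", []):
        if overlaps_reserved(nat["ip"]):
            findings.append(f"source NAT {nat['name']}: reserved address {nat['ip']}")
        elif ha and nat["ip"] in blocked_snat_ips:
            findings.append(f"source NAT {nat['name']}: {nat['ip']} is an interface real/VRRP IP")
    return findings


# Constructed sample configuration for an HA plan (not a real customer config).
SAMPLE_CONFIG = {
    "plan": "2CPU-4GB(HA)",
    "interfaces": [{"name": "port1", "ip": "192.0.2.11", "vrrp_ip": "192.0.2.10", "mtu": 1500},
                   {"name": "port2", "ip": "100.64.1.2", "mtu": 9000}],
    "address_objects": [{"name": "lan", "cidr": "10.0.0.0/24"},
                        {"name": "apipa", "cidr": "169.254.10.0/24"}],
    "source_nat": [{"name": "snat-ok", "ip": "192.0.2.20"},
                   {"name": "snat-vip", "ip": "192.0.2.10"}],
}

if __name__ == "__main__":
    print("\n".join(validate_config(SAMPLE_CONFIG)) or "no findings")
```

On the sample configuration the check reports four findings: the ISP-shared interface address, the out-of-range MTU, the link-local address object, and the Source NAT entry that reuses the VRRP virtual IP.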
Dynamic Routing is not provided in this menu.
Bandwidth Control is not provided in this menu.
No API is provided. All operations are performed through the Security Control Panel of the Enterprise Cloud 2.0 Portal.
In a Single Configuration deployment (no redundancy), Customers are advised that traffic will be interrupted during software updates, maintenance, or other planned work required for repairs. Such planned work is scheduled with prior notice to Customers (and their end users), but the schedule cannot be adjusted.
Abnormal and/or unauthorized packets that violate the TCP / UDP / IP protocols are judged by the system to be malformed. Customers are strongly advised that packets of such an irregular form or with invalid protocol usage are discarded by the regular functions of Enterprise Cloud 2.0. Examples of such cases:
- IP header truncated in the middle;
- Port number of zero (0);
- Abnormal TCP flag combinations;
- Invalid encapsulation of packet(s).
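The first three cases above can be recognized from the raw IPv4 and TCP headers alone. The following is an added example, not the service's own code: it parses a raw IPv4 packet and reports those cases. Which TCP flag combinations the platform treats as abnormal is not stated on this page, so the set used below (SYN together with FIN or RST, or no flags at all) is an assumption; invalid encapsulation is not modelled.

```python
import struct
# Added example (not the service's own code): a sanity check over raw IPv4 packets
# that reports the malformed cases this service description says are discarded.
# Which TCP flag combinations count as "abnormal" is not stated on the page; the
# set below (SYN with FIN or RST, or no flags at all) is an assumption.
TCP, UDP = 6, 17
FIN, SYN, RST = 0x01, 0x02, 0x04
ABNORMAL_FLAG_COMBOS = {SYN | FIN, SYN | RST, 0}


def check_packet(pkt: bytes) -> list:
    """Return the problems found; an empty list means the packet passed."""
    problems = []
    if len(pkt) < 20:
        return ["IP header truncated (shorter than 20 bytes)"]
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        return ["IP header truncated (IHL exceeds packet length)"]
    if struct.unpack("!H", pkt[2:4])[0] > len(pkt):
        problems.append("IP total length exceeds bytes received")
    proto, payload = pkt[9], pkt[ihl:]
    if proto in (TCP, UDP):
        if len(payload) < 4:
            return problems + ["transport header truncated"]
        sport, dport = struct.unpack("!HH", payload[:4])
        if sport == 0 or dport == 0:
            problems.append("port number is zero")
    if proto == TCP:
        if len(payload) < 14:
            return problems + ["TCP header truncated"]
        flags = payload[13] & 0x3F  # ignore the ECN bits
        if flags in ABNORMAL_FLAG_COMBOS:
            problems.append(f"abnormal TCP flag combination 0x{flags:02x}")
    return problems


def ipv4_tcp(src_port: int, dst_port: int, flags: int) -> bytes:
    """Build a constructed IPv4+TCP packet (checksums zero) as test input."""
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, TCP, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return ip + tcp


if __name__ == "__main__":
    samples = {"normal SYN": ipv4_tcp(40000, 443, SYN),
               "port zero": ipv4_tcp(0, 443, SYN),
               "SYN+FIN": ipv4_tcp(40000, 443, SYN | FIN),
               "cut IP header": ipv4_tcp(40000, 443, SYN)[:12]}
    for name, pkt in samples.items():
        print(f"{name:14s} -> {check_packet(pkt) or 'ok'}")
```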
Neither the Service Provider nor the program offered to Customers by the Service Provider's sales representative guarantees the integrity, consistency, or compatibility of this menu's functions with the usage Customers intend.
The Service Provider provides the following information to the developer(s) and/or front-end seller of the “Device” in order to investigate whether the configuration details or irregular operations could cause a failure. However, repair is not guaranteed if a failure occurs during operations that the Service Provider did not intend. The following information is relayed to the system developer and front-end seller:
- Configuration details and data obtained at the time the menu is provisioned.
- Management details relating to this provisioned menu.