I want to add IP virtual firewall rule in Acronis Cloud Security. How do I do that?
To add IP virtual firewall rule, select one of the following entities from the object tree:
- All VMs default group to create a global IP virtual firewall rule that will apply to all the VMs. Global administrator is the only user that is able to perform this function.
- Previously created User Defined Security group. The IP virtual firewall rule will be created within this group.
- Previously created template under Templates entity. The IP virtual firewall rule will be created within this template.
- VM to create a local IP virtual firewall rule applicable to that VM only.
Select Rules menu from the main panel buttons:
Adding IP Rule:
Complete the required fields from the Common tab::
- Name - Enter the name that will help you identify the rule.
- Description - Enter the description for the rule (optional).
- Action - Select action for the rule to apply to corresponding network traffic. The following options are available for IP rule:
- allow – allow all packets including SPI.
- allow (no SPI) – allow direct packets only, SPI packets will be filtered.
- block – block all packets.
- Direction - Set the traffic direction for the target VM(s):
- any – to apply the rule in both directions.
- inbound – to apply the rule for inbound traffic only (SPI packets will be excluded if allow action is set).
- outbound – to apply the rule for outbound traffic only (SPI packets will be excluded if allow action is set).
Note: SPI packets are normally allowed through Acronis Cloud Security virtual firewall when certain network traffic is set to be passed through it. For example, the RDP inbound allowing rule on TCP port 3389 will let corresponding outbound SPI packets from TCP port 3389 to the remote private TCP port on the remote host that initiated the RDP session; this will be considered as an established TCP connection and will be displayed in the connections table for the target VM. In certain scenarios, the established TCP connection could be dropped due to timeout reason which could result in losing the existing session. To avoid such issues, you can use the allow (no SPI) action and set two separate rules for inbound and outbound traffic. For example:
- allow (no SPI), inbound, TCP local ports 3389, remote ports empty (any).
- allow (no SPI), outbound, TCP local ports 3389, remote ports empty (any).
Such sessions are not recognized by the Acronis Cloud Security virtual firewall as an established TCP connection and will not be displayed in the connections table for the target VM; however, the sessions will be allowed and will not be dropped due to timeout reason that could occur.
- Protocol - Select the protocol that is used to send the certain types of traffic. You have the following options:
- Any – any IP protocol.
- TCP – TCP protocol.
- UDP – UDP protocol.
- GRE – GRE protocol.
- ICMP or ICMPv6 – ICMP (ICMPv6) protocol. The following additional options are available for this protocols:
MESSAGE TYPES: Echo Reply – 0, Destination Unreachable – 3, Source Quench – 4, Redirect (change route) – 5, Echo Request – 8, Time Exceeded – 11, Parameter Problem – 12, Timestamp Reply – 14, Information Request – 15, Information Reply – 16, Address Mask Request – 17, Address Mask Reply – 18.
Enter the required number(s) seperated by commas (spaces will be added automatically). Leave the field empty to allow all types of ICMP messages. You can use the dialog box to select the applicable ICMP message types by clicking the Edit button next to the ICMP message types field:
Check the boxes for applicable ICMP message types (the Select All and Clear buttons will select all and clear all the selections) and then click OK. The selected types will appear in the ICMP message types field.
- Local Ports (if applicable) - Enter the local ports through which the traffic will flow. Empty field defaults to any local port.
- Remote Ports (if applicable) - Enter the remote ports through which the traffic will flow. Empty field defaults to any remote port.
- Remote IPs - Enter remote IP addresses to/from which the traffic is sent/received. Empty field defaults to any address.
- Remote VMs - Select remote virtual machines to/from which the traffic is sent/received. Empty field defaults to any remote VM.
- Remote MACs - Enter remote MAC addresses to/from which the traffic is sent/received. Empty field defaults to any address.
Fill out all the parameters on the Advanced tab:
- Address type - Select the address type to which the traffic is sent:
- Any - All address types will be considered by the rule.
- Broadcast - Only broadcast traffic will be considered by the rule. For example, the traffic that is sent to the IPv4 addresses like x.x.x.255 for the subnet mask like 255.255.255.0 (VLSM broadcast addresses are also considered, they depend on the subnet mask length each time).
- Unicast - Only traffic that is sent to a single receiver will be considered. For example, the one that is sent to the IPv4 single host address like 192.168.1.10 with the subnet mask of 255.255.255.0.
- Multicast - Only multi-recipient traffic will be considered. For example, in IPv4 the target addresses must be within the following range: 224.x.x.x – 239.x.x.x.
Note: Certain types of traffic are unicast, multicast or broadcast by their nature. For example, RDP connection on port 3389 is the unicast type. Link Local Multicast Name Resolution on port 5355 is the multicast type. You have to be aware of it when setting this parameter so that the rule applies correctly unless you choose to set it to Any.
- VLAN ID - Enter the VLAN number to add VLAN tagging option to the rule. The rule will apply to the packets with specified VLAN ID only. You have the following options to select from the list as well:
- Any (default option) – the rule will apply to any packet regardless of VLAN tagging.
- No – the rule will apply only to packets without VLAN tagging.
- Local Address - Enter the IP address or a subnet address using this notation: x.x.x.x/y.y.y.y, where x.x.x.x – network address in the decimal format; y.y.y.y – subnet mask in the decimal format, e.g., 192.168.0.0/255.255.255.0. When the local address is specified, local VM address that the rule is applied to will be checked to match it. If local VM address does not match the entered value, the traffic will be blocked. If the rule applies to multiple VMs that are in a different networks/subnets, the rule will only apply to the VM(s) with which local address matches to the IP address or subnet specified in the rule.
- Time frame - Specify the time/days in which the rule should be active. Time period will only apply if at least one day is selected.
- Mark the Authorization required option to enable authorization in the rule. If this option is enabled, the rule will only apply to authorized IP addresses.
Click OK for the IP virtual firewall rule to be created and added to the selected VM or a group.