I want to add an ARP/L2 virtual firewall rule in Acronis Cloud Security. How do I do that?
To add an ARP/L2 virtual firewall rule, select one of the following entities from the object tree:
- All VMs default group - creates a global ARP/L2 virtual firewall rule that applies to all VMs. Note that an allow Any L2 rule is recommended for the All VMs default group unless you specifically intend to control L2 (Layer 2) traffic. Only the Global administrator can perform this function.
- A previously created User Defined Security Group - the ARP/L2 virtual firewall rule is created within this group.
- A previously created template under the Templates entity - the ARP/L2 virtual firewall rule is created within this template.
- VM level - creates a local ARP/L2 virtual firewall rule that applies to that VM only.
Select the Rules menu from the main panel buttons and choose to add an ARP/L2 rule.
Complete the required fields on the Common tab:
- Name - Enter a name that will help you identify the rule.
- Description - Enter a description for the rule (optional).
- Action - Select either the allow or the block action to apply to the matching network traffic.
- Direction - Set the traffic direction for the target VM(s):
  - any - apply the rule in both directions.
  - inbound - apply the rule to inbound traffic only.
  - outbound - apply the rule to outbound traffic only.
- Frame type (hex) - Enter the frame type that identifies the L2 protocol. By default two values are available from the list: ARP (0806) and RARP (0835). Type the required number for any other L2 protocol. Selecting ARP additionally lets you limit the rule action to the remote IP address(es) you specify.
- Remote IPs - Using spaces or commas as delimiters, enter the remote IP address(es) to/from which the ARP traffic is sent/received. Leaving the field empty defaults to any IP address. This option applies to ARP traffic only; for most other L2 protocols, for example PPPoE, it is not applicable and is disabled.
- Remote VMs - Select the remote VM(s) to/from which the traffic is sent/received. An empty field defaults to any remote VM. This option applies to ARP traffic only; for most other L2 protocols, for example PPPoE, it is not applicable and is disabled.
  To select remote VM(s) from a list, check the box to the right of the name field, check the VM(s) you want to add, and click OK.
- Remote MACs - Enter the remote MAC address(es) to/from which the ARP/L2 traffic is sent/received. An empty field defaults to any MAC address.
Complete the required fields on the Advanced tab:
- Packet type - Select the address type:
  - Any - the rule applies to any MAC address type.
  - Broadcast - the rule applies to the broadcast MAC only (FF:FF:FF:FF:FF:FF).
  - Unicast - the rule applies to unicast MACs only.
  - Multicast - the rule applies to multicast MACs only (e.g. 01:00:5E:00:00:xx).
- VLAN ID - Enter a VLAN number to add VLAN tagging to the rule; the rule then applies only to frames carrying that VLAN ID. Alternatively, select one of the following options from the list:
  - Any (default) - the rule applies to all frames regardless of VLAN tagging.
  - No - the rule applies only to frames without a VLAN tag.
- Local Address - Enter an IP address or a subnet in the notation x.x.x.x/y.y.y.y, where x.x.x.x is the network address and y.y.y.y is the subnet mask, both in dotted decimal, e.g. 192.168.0.0/255.255.255.0. When a value is specified, the local address of each VM the rule is applied to is checked against it; if the local VM address does not match the entered value, the traffic is blocked. Because an ARP/L2 rule usually applies to multiple VMs or a group, all of those VMs should be in the same subnet for this function to work properly. If you enter a subnet rather than a single IP address, the rule applies to every VM whose local address lies in that subnet. VMs in a different network/subnet are covered by the rule only when their local address matches the IP address or subnet specified in the rule.
- Time frame - Specify the time of day and the days of the week on which the rule should be active. The time period only takes effect if at least one day is selected.
Click OK to create the ARP/L2 virtual firewall rule and add it to the selected VM or group.
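To make the matching semantics of the fields above concrete, here is an added example (not Acronis code and not a description of the product's internals) that models an ARP/L2 rule with the Common and Advanced tab fields and evaluates constructed sample frames against a small ordered rule set. Where the page leaves a detail implicit (which MAC counts as "remote", which ARP address counts as the remote IP, which MAC the packet type is judged on), the code states the assumption in a comment.

```python
"""Toy evaluator for ARP/L2 virtual firewall rules (added example, not Acronis code)."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Union

ARP = 0x0806                       # ARP frame type (hex 0806), as offered in the UI list
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"


@dataclass
class Frame:
    """One Ethernet frame seen at a VM's virtual NIC (constructed sample input)."""
    direction: str                     # "inbound" or "outbound", relative to the VM
    frame_type: int                    # EtherType, e.g. 0x0806 for ARP
    src_mac: str
    dst_mac: str
    vlan_id: Optional[int] = None      # None when the frame carries no 802.1Q tag
    sender_ip: Optional[str] = None    # ARP sender protocol address
    target_ip: Optional[str] = None    # ARP target protocol address


@dataclass
class L2Rule:
    """Mirror of the Common/Advanced tab fields described on this page."""
    name: str
    action: str                          # "allow" or "block"
    direction: str = "any"               # "any", "inbound" or "outbound"
    frame_type: int = ARP
    remote_ips: set = field(default_factory=set)    # empty = any IP (ARP only)
    remote_macs: set = field(default_factory=set)   # empty = any MAC
    packet_type: str = "any"             # "any", "broadcast", "unicast", "multicast"
    vlan: Union[str, int] = "any"        # "any", "no", or a VLAN number
    local_address: Optional[str] = None  # "x.x.x.x/y.y.y.y", a single IP, or None


def mac_kind(mac: str) -> str:
    """Classify a MAC as broadcast, multicast or unicast (I/G bit of the first octet)."""
    mac = mac.lower()
    if mac == BROADCAST_MAC:
        return "broadcast"
    return "multicast" if int(mac.split(":")[0], 16) & 0x01 else "unicast"


def parse_local_address(spec: str) -> IPv4Network:
    """Accept the page's x.x.x.x/y.y.y.y notation or a bare host address."""
    if "/" in spec:
        addr, mask = spec.split("/", 1)
        return IPv4Network((addr, mask), strict=False)
    return IPv4Network((spec, 32))


def rule_matches(rule: L2Rule, frame: Frame, vm_ip: str) -> bool:
    """Return True when every configured field of the rule matches the frame."""
    if rule.direction != "any" and rule.direction != frame.direction:
        return False
    if frame.frame_type != rule.frame_type:
        return False
    # Assumption: "remote" MAC is the peer address, i.e. the source on inbound
    # frames and the destination on outbound frames.
    remote_mac = frame.src_mac if frame.direction == "inbound" else frame.dst_mac
    if rule.remote_macs and remote_mac.lower() not in {m.lower() for m in rule.remote_macs}:
        return False
    # Assumption: packet type is judged on the destination MAC, where the
    # broadcast/multicast distinction is meaningful.
    if rule.packet_type != "any" and mac_kind(frame.dst_mac) != rule.packet_type:
        return False
    if rule.vlan == "no" and frame.vlan_id is not None:
        return False
    if isinstance(rule.vlan, int) and frame.vlan_id != rule.vlan:
        return False
    # Remote IPs only apply to ARP (the field is disabled for other L2 protocols).
    # Assumption: the remote IP is the ARP sender address on inbound frames and
    # the ARP target address on outbound frames.
    if rule.remote_ips and rule.frame_type == ARP:
        remote_ip = frame.sender_ip if frame.direction == "inbound" else frame.target_ip
        allowed = {IPv4Address(i) for i in rule.remote_ips}
        if remote_ip is None or IPv4Address(remote_ip) not in allowed:
            return False
    # Local address: the rule only covers VMs whose own address is in the subnet.
    if rule.local_address is not None:
        if IPv4Address(vm_ip) not in parse_local_address(rule.local_address):
            return False
    return True


def evaluate(rules: List[L2Rule], frame: Frame, vm_ip: str) -> Optional[str]:
    """First-match evaluation over an ordered rule list; None means no rule matched."""
    for rule in rules:
        if rule_matches(rule, frame, vm_ip):
            return rule.action
    return None


# Constructed sample rule set: drop ARP from one specific peer, otherwise allow
# ARP for every VM in 192.168.0.0/24.
RULES = [
    L2Rule(name="block-specific-peer-arp", action="block", direction="inbound",
           remote_ips={"192.168.0.99"}),
    L2Rule(name="allow-lan-arp", action="allow",
           local_address="192.168.0.0/255.255.255.0"),
]

# Constructed sample frames: an ordinary broadcast ARP request and one from the blocked peer.
ARP_REQUEST = Frame(direction="inbound", frame_type=ARP, src_mac="52:54:00:12:34:56",
                    dst_mac=BROADCAST_MAC, sender_ip="192.168.0.5", target_ip="192.168.0.10")
PEER_ARP = Frame(direction="inbound", frame_type=ARP, src_mac="52:54:00:ab:cd:ef",
                 dst_mac=BROADCAST_MAC, sender_ip="192.168.0.99", target_ip="192.168.0.10")

if __name__ == "__main__":
    for name, frame in (("normal", ARP_REQUEST), ("peer", PEER_ARP)):
        print(name, "->", evaluate(RULES, frame, "192.168.0.10"))
```

Rule order matters in this model because evaluation stops at the first match, which is why the narrower block rule is listed before the subnet-wide allow; the local-address check also shows why the page recommends keeping all VMs a rule targets in one subnet, since a VM outside 192.168.0.0/24 matches neither rule and gets no decision from this set.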