
Halo Firewall Overview

We’ve put together a brief overview video to show you how to use the Halo Firewall to secure your cloud servers – written instructions and advanced tips also included below.

Setting up a firewall policy consists of two parts: configuring the policy, and applying it to a group of servers.

Configuring a new firewall policy

From your dashboard, click on Policies –> Firewall Policies, and click Add New Firewall Policy.  The CloudPassage firewall UI allows you to easily configure host-based firewall rules on your servers.  For example, to set up a rule to allow secure shell access to the servers protected by this policy, make an interface selection from the drop-down menu labeled Interface, select a permitted source, and select a service (such as SSH) from the services menu.  If you’d like to log the traffic allowed in by this rule, check the box labeled Log next to the rule. These log events will go to the default log location on your server.

You can create IP zones by going to the destination menu and clicking Add New. You can create an IP zone using IP addresses and CIDR subnets.  We provide a Subnet Mask Calculator for your convenience.  After you click Create, you can reuse this IP zone across policies.

** Note: If you would like to use the Halo Firewall to configure a rule for a GhostPorts key, those instructions can be found here.

You can also specify a custom network service by going to the Services menu and clicking Add New.  Give your custom network service a name and specify its protocol and ports.  You can use this custom network service across policies as well. If you ever want to see the Network Services, Network Interfaces, and IP Zones available in those drop-down menus, you can get to any of them through the links above the policy list.

Remember that once you apply a firewall policy to a group of servers, the existing rules on your servers’ current host-based firewalls will be deleted; therefore, if you have existing firewall rules, you should add those to the Halo firewall policy before you apply it to the group.

Once you’re happy with your policy, click Apply.  Note that the firewall policy does not affect any servers until you apply it to a specific server group.

Applying a firewall policy to a group of servers

Click on Servers to return to your dashboard.  If you have not yet created a server group, do so now. (Creating a Server Group)

Click on the server group’s name, click Edit Details, set your firewall policy in the drop-down menu, and click “Save”.  This is the point where Halo takes over your firewall configuration – the Halo daemon will automatically activate your host-based firewall if it is not already running.  Again, existing rules will be deleted, so if you have existing firewall rules, you should add those to the Halo firewall policy before you apply it. As always, we recommend experimenting on non-production systems.
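
Because applying a policy deletes the rules already on a server, it helps to inventory them first. The shell sketch below is an added example, not CloudPassage code: it reads iptables-save output and lists each inbound rule as interface, source, protocol, port, state and target, the details you would re-enter in the policy editor. The function names and the sample ruleset are constructed for illustration.

```shell
#!/bin/sh
# Added example: inventory existing inbound iptables rules before a
# firewall policy replaces them. Names and sample data are constructed.

# Reads `iptables-save` output on stdin and prints one line per INPUT rule:
#   interface|source|protocol|ports|state|target
inventory_rules() {
    awk '
    $1 == "-A" && $2 == "INPUT" {
        iface = "any"; src = "any"; proto = "any"
        ports = "any"; state = "any"; target = "-"
        for (i = 3; i < NF; i++) {
            if ($i == "-i") iface = $(i + 1)
            else if ($i == "-s") {
                # iptables-save writes a negated source as: ! -s ADDR
                src = (($(i - 1) == "!") ? "!" : "") $(i + 1)
            }
            else if ($i == "-p") proto = $(i + 1)
            else if ($i == "--dport" || $i == "--dports") ports = $(i + 1)
            else if ($i == "--state" || $i == "--ctstate") state = $(i + 1)
            else if ($i == "-j") target = $(i + 1)
        }
        printf "%s|%s|%s|%s|%s|%s\n", iface, src, proto, ports, state, target
    }'
}

# Constructed sample in iptables-save format, so the script runs offline.
sample_rules() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 10.0.0.0/24 -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 443 -j LOG
-A INPUT ! -s 192.0.2.0/24 -i eth0 -p tcp -m tcp --dport 3306 -j DROP
-A OUTPUT -o eth0 -j ACCEPT
COMMIT
EOF
}

# Demo on the sample. On a real server, as root, keep a backup and run:
#   iptables-save > iptables.before && inventory_rules < iptables.before
sample_rules | inventory_rules
```

Rules using matches the parser does not recognise still appear, with those fields shown as "any", so check the saved backup file for anything the summary flattens.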

The policy will be applied to all servers in this group.  It will take a minute or two before the change is implemented and the firewall status icons reflect the new firewall configuration on your servers. Once the firewall status displays as Active, you know that your servers’ firewalls are configured.

Any new server that is added to that server group automatically takes on the firewall policy assigned to the group. Also, it is very easy to manage your firewalls when they are protecting your servers – simply edit the firewall policy, click Apply and the changes will be updated on every server in the server group protected by that firewall policy within a minute or two.

If you’d like to see the new iptables configuration on a Linux server like the one in this example, use the command:

iptables -L -n

Advanced tips:

Using GhostPorts

API Overview – includes example of updating firewall rule using API
