- 23 May 2022
- 2 Minutes to read
Set up a Firewall
- Updated on 23 May 2022
- 2 Minutes to read
Here we'll show how to set up Xelon HQ Firewall service, forwarding rules, and how to connect to your firewall device.
Much like a fire-resistant wall helps keep fire from spreading in a building, a Firewall oversees the traffic to prevent unauthorized access to the network. To achieve the highest possible level of security, you can:
- Configure inbound rules (access from WAN to your internal device)
- Configure outbound rules (access from your internal device to WAN)
- Manage Source Ports and Destination Ports range
Xelon HQ platform allows you to segment your internal servers and networks in various ways. One of the easiest is a ready-to-use Firewall Service that can be installed in a few simple steps.
Set up your Firewall
- Go to Networking > Firewalls tab > Create Firewall button.
- Enter Firewall's display name and select the related organization. For Kubernetes Firewall, select the device to apply it to.
- Adjust Network and IP settings according to your needs. You can either select an existing Dedicated WAN Network if you have assigned one, or assign a Public IP from a Shared Pool. For Internal Network menu, select the network you want to connect on LAN side, and chose an IP address for your firewall.
- You can deploy your Firewall and set up Inbound and Outbound rules later.
Set up an Inbound rule
Inbound rules provide access from the internet right to your server. Let's say you have a server that should be accessible via port 443. Proper Inbound rule configuration should look like this:
Sources: All IP's
Destination: Your web server entity or IP address
Port range: 443
Set up an Outbound rule
If you create an Inbound rule to connect from WAN to your server on port 443, you don't need to configure an outbound rule for the same traffic to get back to the initiator. The firewall automatically allows TCP traffic to traverse the firewall.
Outbound Rules manage the traffic origin from your internal servers going to the Internet. For security reasons, we highly recommend restricting traffic to only the services you need.
For example, if your device doesn't host a mail server, do not allow port 25 to communicate with the outside world.
For Linux & Windows Mail Servers, set outbound rules for Port 25, 587 (TLS), 465 (SSL) to send emails. For other Linux & Windows Servers, set outbound rules for Port 80 and 443 to download updates.
Manage and access your Firewall
After the provisioning, you can access your Firewall by clicking on it. At the top of the dashboard, you'll see the configuration of your Firewall. Use the External IP to connect with your internal services. For example, if you have configured an Inbound rule for port 443 to access your internal web server, open your browser and follow the
https://<EXTERNAL_IP> link to access your web server.
Beyond configuring Inbound and Outbound rules, you can also manage IPsec rules for your Firewall. Learn more about setting them up here.