Set up a Firewall

Here we'll show how to set up the Xelon HQ Firewall service and its forwarding rules, and how to connect to your firewall device.


Much like a fire-resistant wall keeps a fire from spreading through a building, a Firewall inspects traffic to prevent unauthorized access to your network. To achieve the highest possible level of security, you can:

  • Configure inbound rules (access from WAN to your internal device)
  • Configure outbound rules (access from your internal device to WAN)
  • Manage Source Ports and Destination Ports range

Xelon HQ platform allows you to segment your internal servers and networks in various ways. One of the easiest is a ready-to-use Firewall Service that can be installed in a few simple steps.

Set up your Firewall

[Screenshot: Firewall creation wizard]

  1. Go to Networking > Firewalls tab > Create Firewall button.
  2. Enter the Firewall's display name and select the related organization. For a Kubernetes Firewall, select the device to apply it to.
  3. Adjust the Network and IP settings according to your needs. You can either select an existing Dedicated WAN Network, if you have one assigned, or assign a Public IP from a Shared Pool. In the Internal Network menu, select the network you want to connect on the LAN side, and choose an IP address for your firewall.
  4. Deploy your Firewall; Inbound and Outbound rules can be set up later.

Set up an Inbound rule

Inbound rules provide access from the internet directly to your server. Let's say you have a web server that should be reachable on port 443. The proper Inbound rule configuration looks like this:

Sources: All IP's
Destination: Your web server entity or IP address
Service: https
Protocol: TCP
Port range: 443

[Screenshot: Inbound rule configuration]

Set up an Outbound rule

If you create an Inbound rule to connect from WAN to your server on port 443, you don't need to configure an Outbound rule for the reply traffic to get back to the initiator. The firewall is stateful: TCP replies that belong to a connection already allowed through the firewall are passed automatically.

Outbound rules manage the traffic originating from your internal servers and going to the Internet. For security reasons, we highly recommend restricting this traffic to only the services you actually need.

For example, if your device doesn't host a mail server, do not allow port 25 to communicate with the outside world.

Best Practices

[Screenshot: Outbound rule configuration]

For Linux and Windows mail servers, set Outbound rules for ports 25, 587 (TLS) and 465 (SSL) so they can send email. For other Linux and Windows servers, set Outbound rules for ports 80 and 443 so they can download updates.

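The Inbound rule, the stateful handling of reply traffic, and the restrictive Outbound rules described above can be checked against a small model before you commit them in the portal. The following is an added example written for this page, not Xelon HQ code: it assumes a first-match, default-deny evaluation order and a connection table keyed on the TCP 5-tuple, and the addresses (10.0.0.5 for the web server, 203.0.113.x / 198.51.100.x for the Internet side) are constructed documentation values.

```python
"""Stateful firewall rule model (added example, not Xelon HQ code).

Rules modelled from this page:
  * Inbound:  any source -> web server 10.0.0.5, TCP 443 (https)
  * Outbound: web server -> anywhere, TCP 80 and TCP 443 (updates)
Everything else is denied. Replies to an already-allowed TCP connection
are passed without a rule, which is why no Outbound rule is needed for
the answers of the 443 service. Evaluation order and the connection
table are assumptions of this model, not documented platform behaviour.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY = "0.0.0.0/0"          # corresponds to "All IPs" in the portal
WEB_SERVER = "10.0.0.5"    # constructed LAN address of the web server


@dataclass(frozen=True)
class Rule:
    direction: str         # "inbound" (WAN -> LAN) or "outbound" (LAN -> WAN)
    protocol: str          # "tcp" or "udp"
    sources: str           # CIDR; ANY means every source
    destination: str       # CIDR or single host
    ports: tuple           # inclusive (low, high) destination port range

    def matches(self, pkt):
        return (pkt.direction == self.direction
                and pkt.protocol == self.protocol
                and ip_address(pkt.src) in ip_network(self.sources)
                and ip_address(pkt.dst) in ip_network(self.destination)
                and self.ports[0] <= pkt.dport <= self.ports[1])


@dataclass(frozen=True)
class Packet:
    direction: str
    protocol: str
    src: str
    sport: int
    dst: str
    dport: int


class StatefulFirewall:
    def __init__(self, rules):
        self.rules = list(rules)
        self.connections = set()   # (proto, src, sport, dst, dport) of allowed flows

    def evaluate(self, pkt):
        # 1. A TCP reply to an established connection needs no rule of its own.
        reverse = (pkt.protocol, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if pkt.protocol == "tcp" and reverse in self.connections:
            return "allow (established)"
        # 2. Otherwise the first matching rule wins; no match means deny.
        for rule in self.rules:
            if rule.matches(pkt):
                self.connections.add(
                    (pkt.protocol, pkt.src, pkt.sport, pkt.dst, pkt.dport))
                return "allow (rule)"
        return "deny (default)"


# Rule set from the page: one Inbound rule, two Outbound rules.
RULES = [
    Rule("inbound", "tcp", ANY, WEB_SERVER, (443, 443)),   # https to the web server
    Rule("outbound", "tcp", WEB_SERVER, ANY, (80, 80)),    # plain-HTTP update mirrors
    Rule("outbound", "tcp", WEB_SERVER, ANY, (443, 443)),  # HTTPS update mirrors
]


def demo():
    """Run constructed packets through the rule set; returns the decisions."""
    fw = StatefulFirewall(RULES)
    packets = [
        # Internet client opens the web site: matches the Inbound rule.
        Packet("inbound", "tcp", "203.0.113.10", 51234, WEB_SERVER, 443),
        # The server's reply: allowed as established, no Outbound rule needed.
        Packet("outbound", "tcp", WEB_SERVER, 443, "203.0.113.10", 51234),
        # Server fetches updates over HTTPS: matches an Outbound rule.
        Packet("outbound", "tcp", WEB_SERVER, 40000, "198.51.100.20", 443),
        # Server tries to send mail directly: no rule for port 25, denied.
        Packet("outbound", "tcp", WEB_SERVER, 40001, "198.51.100.30", 25),
        # Internet client tries SSH to the server: no Inbound rule, denied.
        Packet("inbound", "tcp", "203.0.113.10", 51235, WEB_SERVER, 22),
    ]
    return [fw.evaluate(p) for p in packets]


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

The fourth packet is the page's own example of what a tight Outbound policy buys you: a server that is not a mail server cannot reach port 25 even if a process on it tries. Note that the established-connection shortcut only helps replies; a brand-new connection in either direction still needs its own rule.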
Manage and access your Firewall

After provisioning, you can access your Firewall by clicking on it. At the top of the dashboard you'll see the configuration of your Firewall. Use the External IP to reach your internal services. For example, if you have configured an Inbound rule for port 443 to access your internal web server, open your browser and follow the https://<EXTERNAL_IP> link to reach your web server.

Beyond configuring Inbound and Outbound rules, you can also manage IPsec rules for your Firewall. Learn more about setting them up here.