Firewalls

Xelon HQ firewalls provide stateful packet inspection to control traffic flowing to and from your virtual infrastructure. Define inbound and outbound rules based on protocol, source, destination, and port to secure your workloads.

How to Access

Firewalls are managed from the Firewalls sub-tab within the Networking page. Navigate to Virtual Datacenter > Networking and click the Firewalls tab.

Creating a Firewall

Navigate to Virtual Datacenter > Networking, then click the Firewalls tab. Click Create Firewall. Provide a name and select the network(s) the firewall will protect. The firewall is provisioned with NAT/masquerade for its protected network plus any inbound or outbound rules you define. The platform does not write explicit deny-all rules, so unmatched traffic is governed by the base firewall appliance's default policy. To get a deny-by-default posture, add your own deny rules at the appliance level.

Firewall Rules

Firewall rules are direction-based allow rules. Each rule specifies a direction (inbound or outbound), a protocol, port(s), and source/destination IPs, and traffic matching any rule for its direction is permitted. Rules are not ranked: there is no per-rule priority, no configurable top-to-bottom evaluation order, and no deny rule type.

Adding a Rule

Click Add a Rule in either the Inbound Rules or Outbound Rules section. Configure the following parameters:

Parameter | Description | Example
Sources (inbound) / Destination (outbound) | IP addresses or CIDR ranges. Supports multiple entries and "All IP's" (0.0.0.0/0). | 10.0.1.0/24, 0.0.0.0/0
Destination (inbound) / Sources (outbound) | Select a device from the network or enter an IP address. | A VM or IP on the firewall's network
Service | Predefined service type that automatically sets the protocol and port. | HTTP, HTTPS, SSH, MySQL, Custom
Protocol | The transport protocol to match. | TCP, UDP, ICMP
VM Port or Range (inbound) / Destination Port or Range (outbound) | Port or port range on the destination. Accepts a single port or a single range; comma-separated lists of ports are not allowed. | 443, 8000-9000
External Port or Range (inbound only) | External-facing port or port range for inbound NAT rules. | 443, 8000-9000

Editing a Rule

Click the edit icon next to an existing rule to modify its parameters. Rules cannot be reordered — evaluation order is not customer-configurable in the panel.

Deleting a Rule

Click the delete icon next to a rule and confirm the deletion. The change takes effect immediately.

Allow-only rules

Firewall rules only permit traffic — there is no deny rule type and no rule ordering. Each rule simply allows the traffic it matches for its direction; any traffic not matched by a rule is not forwarded.
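To make the unordered, allow-only semantics described above concrete, the following small Python model is added here (it is not Xelon HQ's code): it validates the port field the way the panel does (one port or one range, no comma lists) and evaluates whether a flow is permitted, plus a least-privilege check for inbound rules open to "All IP's". The rule set, subnets and addresses are constructed placeholders.

```python
import ipaddress
import re
from dataclasses import dataclass
# Constructed model of the allow-only rule semantics; not Xelon HQ's own code.
PORT_RE = re.compile(r"^(\d{1,5})(?:-(\d{1,5}))?$")

def parse_port_field(text):
    """Accept one port ('443') or one range ('8000-9000'); reject lists like '80,443'."""
    m = PORT_RE.match(text.strip())
    if not m:
        raise ValueError(f"invalid port field {text!r}: one port or one range only")
    lo, hi = int(m.group(1)), int(m.group(2) or m.group(1))
    if not 1 <= lo <= hi <= 65535:
        raise ValueError(f"port range out of order or out of bounds: {text!r}")
    return lo, hi

@dataclass
class Rule:
    direction: str    # "inbound" or "outbound"
    protocol: str     # "TCP", "UDP" or "ICMP"
    remote: list      # Sources (inbound) / Destination (outbound), as CIDRs
    port_field: str   # VM Port or Range (inbound) / Destination Port or Range (outbound)

    def matches(self, direction, protocol, remote_ip, port):
        if direction != self.direction or protocol.upper() != self.protocol.upper():
            return False
        ip = ipaddress.ip_address(remote_ip)
        if not any(ip in ipaddress.ip_network(c, strict=False) for c in self.remote):
            return False
        if self.protocol.upper() == "ICMP":
            return True  # ICMP carries no port to match
        lo, hi = parse_port_field(self.port_field)
        return port is not None and lo <= port <= hi

def is_permitted(rules, direction, protocol, remote_ip, port=None):
    """Unordered allow-only evaluation: any matching rule permits the flow,
    and a flow matched by no rule is not forwarded (there is no deny type)."""
    return any(r.matches(direction, protocol, remote_ip, port) for r in rules)

def overly_broad(rules):
    """Least-privilege lint: inbound rules open to "All IP's" (0.0.0.0/0)."""
    return [r for r in rules if r.direction == "inbound" and "0.0.0.0/0" in r.remote]

# Constructed sample ruleset (values are illustrative placeholders).
RULES = [
    Rule("inbound", "TCP", ["0.0.0.0/0"], "443"),      # HTTPS from anywhere
    Rule("inbound", "TCP", ["10.0.1.0/24"], "22"),     # SSH from admin subnet only
    Rule("outbound", "UDP", ["10.0.0.53/32"], "53"),   # DNS to internal resolver
]
```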

IPSec VPN

Xelon HQ firewalls support IPSec VPN tunnels for secure site-to-site connectivity between your Xelon HQ infrastructure and external networks.

Creating an IPSec Rule

From the firewall details page, click Add new IPsec rule at the bottom of the page. Enable the rule using the toggle switch, then configure the following parameters:

Parameter | Description
Mode Type | Tunnel or Transport mode.
Remote Gateway | Public IP address of the remote VPN endpoint.
Remote Network | CIDR block of the remote network to reach through the tunnel.
Local Network | CIDR block of the local network accessible through the tunnel.
Pre-Shared Key | The shared secret used for tunnel authentication.
Phase 1 (IKE V2) | Encryption algorithm, hash algorithm, DH group, and lifetime settings.
Phase 2 | Encryption algorithm, hash algorithm, PFS group, and lifetime settings.

Viewing IPSec Logs

When an IPSec rule is active, click Show logs on the IPSec rule card to view connection logs. Logs include connection attempts, established tunnels, and error messages.

Rebooting a Firewall

If a firewall becomes unresponsive, you can reboot it from the firewall details page by clicking Reboot. Active connections are dropped during the reboot and re-established once the firewall is back online.

Deleting a Firewall

To delete a firewall, navigate to its details page and click Delete. Confirm the action when prompted.

Warning

Deleting a firewall removes all rules and VPN tunnels. Resources previously protected by the firewall will be exposed. Ensure alternative security measures are in place before deleting.

Firewall Monitoring

The firewall detail page displays monitoring charts in the right column alongside the firewall information card. Monitoring requires the allow_view_firewall_monitoring permission.

Two charts are shown:

  • CPU usage — Tracks the firewall's processor utilization over time.
  • Network traffic — Shows inbound and outbound throughput.

Available time ranges are: 8 days, 5 days, 1 day, 12 hours, and 1 hour. Monitoring is always displayed when the permission is granted — there is no separate toggle to enable or disable it.

Same monitoring as devices

Firewall monitoring uses the same metrics component as device monitoring, providing a consistent experience across the platform.

Best Practices

  • Default deny: The firewall is allow-only — any traffic not matched by a rule is already not forwarded, so simply define explicit inbound and outbound rules for the traffic you want to permit. There is no separate deny rule action to create.
  • Least privilege: Restrict source and destination to the narrowest CIDR ranges possible.
  • Separate concerns: Use dedicated firewalls for different network segments (e.g., web tier, database tier).
  • Document rules: Use descriptive names for rules so their purpose is clear to your team.
  • Review regularly: Audit firewall rules periodically and remove rules that are no longer needed.
  • VPN security: All IPSec tunnels use IKE V2 (the IKE version is fixed and not selectable). Choose a strong pre-shared key and select modern algorithms from the available options, e.g. AES 256-bit encryption, SHA-256 or higher for hashing, and a strong DH/PFS group.