Add an access-list rule with Firewall Manager v2
Firewall Manager v2 is a tool within the MyRackspace Portal that allows you to manage your Cisco firewall.
This article describes how to add an access-list rule using Firewall Manager v2.
To learn more about the tool, see Firewall Manager v2.
Why use access-lists?
Access control lists (ACLs), or access-lists, enable Cisco firewalls to filter traffic. The security of your Rackspace environment begins at your Cisco firewall. Misconfigurations in network access policies on your firewall can lead to unwanted network exposure and potential compromise.
The access-lists control the traffic that attempts to enter the internal networks from an external, unsecured network. If access-lists are not used, the Cisco firewall's default security policy of security-levels is active, which does not provide the highest level of network security.
An access control entry (ACE) is an individual entry in an ACL. ACEs are referred to as rules in Firewall Manager v2. The Cisco firewall allows you to configure only one access-list per interface per direction. This access-list can contain as many ACEs, or rules, as necessary.
For more information about how to view, modify, or delete access-lists, see the following articles:
Access-list best practices
To remain secure and follow compliance requirements, use the following best practices and recommendations:
-
Be as specific as possible when setting up ACLs. Minimize the size of the source and destination traffic in your access-list rules when possible.
-
Do not define the destination as any (your entire Rackspace environment) when only one destination server needs to be accessed.
-
Do not allow traffic from any source to any destination of the IP, TCP, or UDP protocols. Allowing traffic to these destinations effectively turns your security platform into a router because it will not block any packets from reaching any destination in your environment over those protocols.
-
Do not allow all traffic to a destination or group of destinations. (Do not use permit ip any [host] or permit ip any [object-group]).
-
Do not open the following ports globally: 22 - SSH, 1433 - Microsoft SQL, 3306 - MySQL, and 3389 - RDP.
Add an access-list rule
Note: Cisco firewalls execute access-list rules in order from first to last, based on the line number. If a customer request matches a rule, Cisco firewalls stop processing the request and performs the action.
-
Access Firewall Manager v2 by following the steps in the Firewall Manager v2 article.
-
In the navigation pane on the left side of the panel, click the firewall for which you want to see access-list rules.
-
Under Rules, click All Rules.
-
In the navigation pane on the left side of the panel, click the firewall for which you want to add an access-list rules.
-
Click Add Rule.
A series of pages appear in which you define the rule.
-
On the Details page, provide the following information and click Next:
-
Rule List: Select the access-list to which you want to add the rule
-
Name: Provide a descriptive name for the rule. This field is required. The name is stored in Firewall Manager v2 only and is used for your documentation and auditing purposes.
-
Rule Type: Specify whether the rule allows (permits) traffic or blocks (denies) traffic.
-
-
On the Traffic coming from page, select one of the following options for incoming traffic, provide the necessary information, and then click Next:
-
A single IP: Enter a host IP address or search for a device number.
-
A CIDR IP: Define a subnet range.
-
A group of IPs: This is the recommended option. Select an existing object-group. If you need to create a new object-group first, see Firewall Manager v2 object-groups.
-
Any IP: This option defines the source as any. Before choosing this option, refer to the best practices section in the Firewall Manager v2 access-list theory and best practices article.
-
-
On the Traffic going to, select one of the options for outgoing traffic, provide the necessary information, and then click Next. The options are the same as those shown for incoming traffic.
-
On the Using protocol page, select the protocol and the port option, and then click Next:
-
For the protocol, select TCP, UDP, or IP. IP is the entire IP suite, which includes all TCP and UDP ports plus many more. Use caution when specifying the protocol.
-
The same options provided on preceding pages for IP addresses are provided here for ports. Use extreme caution if you select any for the port, which is typically not a good security decision.
-
-
Click Add to Firewall.
Firewall Manager v2 interacts with your firewall and adds the configuration. This typically takes about 30 seconds, depending on the size of your firewall's configuration.
The new access-list rule is added to the end of the access-list. If you need to change the execution order of the rule, follow the steps in [Modify an access-list's execution order]((/support/how-to/modify-an-access-lists-execution-order-with-firewall-manager-v2).
Related articles
Updated about 1 year ago