Configuring firewall for secure zones
Available in Classic
Q. What is the Secure Zone Firewall service of NAVER Cloud Platform?
- Secure Zone Firewall lets you set firewall policies that control access to the instances created in the Secure Zone.
Q. How do I use Secure Zone Firewall?
- Agree to Secure Zone's Terms of Service
- Request Secure Zone Firewall subscription
- Request Cloud Log Analytics subscription and link log storage
- Create Secure Zone VM
- Create Secure Zone policies and address group
- View Secure Zone Firewall network usage
- View Secure Zone Firewall logs
Q. Can I access the Secure Zone VM without using Secure Zone Firewall?
- All external communications to the Secure Zone are blocked. Only internal access is allowed.
- The only way to access the Secure Zone VM is by creating policies in Secure Zone Firewall that allow communications between general zones or SSL VPN and the Secure Zone.
Q. In which zones can I set policies for access to the Secure Zone VM?
- You can set policies for private access between all zones in Ncloud except for incoming traffic to SSL VPN and Secure Zone.
Q. What is a policy?
- It is a security policy that allows or blocks communications for a specific protocol and port between the defined source IP and destination IP.
Q. What is an address group?
- It is an object that allows you to group your VMs so that they can be used in policies.
Q. What is a log?
- It is a traffic log that records attempts to access the Secure Zone, as evaluated against the firewall policies of Secure Zone Firewall. You can also search or view the logs in Cloud Log Analytics.
Q. Can I download the data as an Excel file?
- You can download the search results as an Excel file.
- Note that you can only download the search results shown on the page, not the entire data.
① After accessing the console, click Security > Secure Zone > Secure Zone Firewall.
② Click [Create firewall] on the Secure Zone Firewall page.
③ Select the zone in which you want to create the firewall.
④ Select the firewall product you want: Standard or Advanced.
- Select the Advanced product if you wish to use private subnet IPs in the Secure Zone.
- To use the Advanced product, you must already be using a private subnet product created in the corresponding zone.
⑤ Select Cloud Log Analytics (CLA) on Link log storage. (Required)
- This pop-up window is not displayed if you have signed up for Cloud Log Analytics already.
⑥ Click the [Request Cloud Log Analytics subscription] button to sign up for Cloud Log Analytics.
- If you select the Policy, Address Group, or Network Usage menu before signing up, then you will be redirected to the subscription page of Secure Zone Firewall.
① Select the menu you want to work with (Policy/Address Group/Network Usage/Log) on the firewall created in each zone.
① Go to Security > Secure Zone > Secure Zone Firewall > Policy and click the [+ Create policy] button.
- Name: Policy name
- Description: Policy description
- Source IP: Customer’s own VM, private LB, or SSL VPN
- Destination IP: Customer’s own VM
- Protocol: TCP/UDP/ICMP
- Port: Destination port (0 - 65,535)
- Action: Allow/Deny
Either the source IP or the destination IP must be an address in the Secure Zone.
② Fill in the required fields and click the [Save] button to create a policy.
① Go to Security > Secure Zone > Secure Zone Firewall > Policy and click the name of the policy you wish to change.
② Edit the fields and click [Save] to change the policy.
③ Select a policy and click the up and down buttons to adjust the priority of policies.
① Go to Security > Secure Zone > Secure Zone Firewall > Policy, select the checkboxes of the policies you wish to delete, then click the [Delete policy] button.
② Or go to Security > Secure Zone > Secure Zone Firewall > Policy, select the name of the policy you wish to delete, then click the [Delete] button.
If no policy is set on the firewall, all traffic is denied by default. Logs are generated when traffic is blocked by this default policy. If there are many unauthorized access attempts, the volume of logs can grow significantly and take up a large amount of the Cloud Log Analytics storage capacity.
① Enable or disable default Deny logging to control whether log entries are written for traffic blocked by the default Deny policy.
- Default: Enable (logs enabled)
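As an added example (not NAVER Cloud's code), the following Python models how the policy fields, priority order, and default Deny behavior described above fit together. It assumes first-match evaluation in priority order, exact matching on source, destination, protocol, and port, and a constructed Secure Zone range of 10.100.0.0/16.

```python
import ipaddress
from dataclasses import dataclass
# Constructed for this example: the Secure Zone is assumed to use this private range.
SECURE_ZONE = ipaddress.ip_network("10.100.0.0/16")
PROTOCOLS = {"TCP", "UDP", "ICMP"}


@dataclass(frozen=True)
class Policy:
    name: str
    src: str       # Source IP: customer VM, private LB, or SSL VPN
    dst: str       # Destination IP: customer VM
    protocol: str  # TCP / UDP / ICMP
    port: int      # destination port, 0-65535
    action: str    # Allow / Deny

    def match_key(self):
        return (self.src, self.dst, self.protocol, self.port)


def validation_errors(p):
    """Field-rule violations per the text; an empty list means the policy is valid."""
    errors = []
    src, dst = ipaddress.ip_address(p.src), ipaddress.ip_address(p.dst)
    if src not in SECURE_ZONE and dst not in SECURE_ZONE:
        errors.append("source or destination must be in the Secure Zone")
    if p.protocol not in PROTOCOLS:
        errors.append("protocol must be TCP, UDP, or ICMP")
    if not 0 <= p.port <= 65535:
        errors.append("port must be 0-65535")
    if p.action not in ("Allow", "Deny"):
        errors.append("action must be Allow or Deny")
    return errors


def evaluate(policies, src, dst, protocol, port, default_deny_logging=True):
    """Try policies in priority order; first exact match wins (assumed semantics). No match
    falls through to default Deny, logged only while default Deny logging is enabled."""
    for p in policies:
        if p.match_key() == (src, dst, protocol, port):
            return p.action, p.name, True
    return "Deny", "default", default_deny_logging


def shadowed(policies):
    """Policies that never match because a higher-priority policy has the same match fields."""
    seen, out = set(), []
    for p in policies:
        if p.match_key() in seen:
            out.append(p.name)
        seen.add(p.match_key())
    return out
```

The return value of evaluate is (action, policy name, whether a log entry is written); reordering the list is the equivalent of the up/down priority buttons.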
① Go to Security > Secure Zone > Secure Zone Firewall > Address Group and click the [+ Create address group] button.
② Select multiple addresses and click the [Save] button to create an address group.
① Go to Security > Secure Zone > Secure Zone Firewall > Address Group and click the name of the address group you wish to change.
② Edit the fields and click the [Save] button to change the address group.
① Go to Security > Secure Zone > Secure Zone Firewall > Address Group, select multiple address groups you wish to delete, then click the [Delete address group] button.
② Check the address groups to delete and click the [Confirm] button for deletion.
① Go to Security > Secure Zone > Secure Zone Firewall > Network Usage to view peak traffic usage by hour.
- You can select the period you want to view. (Maximum period settings: 1 month)
Logs can be searched by the following fields:
- Receive time: searchable by date range (retention period and size depend on the service policies of Cloud Log Analytics)
- Source IP: customer's own VM, private LB, or SSL VPN
- Destination IP: customer's own VM
- Port: destination port (0 - 65,535)
- Action: result recorded for the session, one of the following:
  - accept: end of non-TCP traffic (a pass for non-TCP traffic, other than ICMP, UDP, and TCP)
  - deny: traffic blocked by a firewall policy
  - close: end of a TCP session closed by FIN/FIN-ACK/RST (allowed traffic, shut down normally by FIN or RST)
  - timeout: end of a TCP session closed because it was idle; also recorded when access was allowed but a TCP SYN received no response from the remote end
  - ip-conn: IP connection failed for the session (host not reachable); recorded when access was allowed but FortiGate received no reply packets, for example an ICMP or UDP request with no reply
- Policy: name of the policy that the corresponding log entry hit
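The following is an added example, not code from NAVER Cloud or Cloud Log Analytics. It summarizes constructed log records built from the search fields and action values above, showing how much of the log is default Deny noise (the storage concern noted earlier), which sources cause it, and which allowed sessions got no reply. The record layout and the "default" label for the default Deny policy are assumptions.

```python
from collections import Counter


def rec(time, src, dst, port, action, policy):
    return {"time": time, "src": src, "dst": dst, "port": port, "action": action, "policy": policy}


# Constructed sample records. Field names follow the log search fields in the text;
# the export format and the "default" policy label are assumptions, not the real format.
SAMPLE_LOGS = [
    rec("2024-01-10T09:00:01", "192.168.1.10", "10.100.1.5", 443, "close", "allow-web"),
    rec("2024-01-10T09:00:05", "192.168.1.10", "10.100.1.5", 443, "close", "allow-web"),
    rec("2024-01-10T09:00:09", "192.168.1.11", "10.100.1.7", 3306, "timeout", "allow-db"),
    rec("2024-01-10T09:00:12", "192.168.1.11", "10.100.1.7", 3306, "ip-conn", "allow-db"),
    rec("2024-01-10T09:00:20", "192.168.1.12", "10.100.1.5", 53, "accept", "allow-dns"),
    rec("2024-01-10T09:00:31", "192.168.9.9", "10.100.1.5", 22, "deny", "default"),
    rec("2024-01-10T09:00:32", "192.168.9.9", "10.100.1.5", 23, "deny", "default"),
    rec("2024-01-10T09:00:33", "192.168.9.9", "10.100.1.5", 3389, "deny", "default"),
    rec("2024-01-10T09:00:40", "192.168.1.13", "10.100.1.5", 8080, "deny", "deny-legacy"),
]

# Action values as described in the text.
ACTION_MEANING = {
    "accept": "non-TCP traffic passed",
    "deny": "blocked by a firewall policy",
    "close": "TCP session closed normally by FIN or RST",
    "timeout": "allowed, but the TCP session idled out or the SYN got no reply",
    "ip-conn": "allowed, but no reply packets were received (host not reachable)",
}


def summarize(records):
    """Volume per action, share of default Deny entries (the log-growth case the text
    warns about), the sources producing them, and allowed sessions that got no reply."""
    by_action = Counter(r["action"] for r in records)
    default_deny = [r for r in records if r["action"] == "deny" and r["policy"] == "default"]
    unanswered = [r for r in records if r["action"] in ("timeout", "ip-conn")]
    return {
        "by_action": dict(by_action),
        "default_deny_share": round(len(default_deny) / len(records), 3) if records else 0.0,
        "top_default_deny_sources": Counter(r["src"] for r in default_deny).most_common(3),
        # Allowed by policy but never answered: the text requires matching ACG rules on the VM.
        "unanswered_allowed": sorted({(r["src"], r["dst"], r["port"]) for r in unanswered}),
    }
```

A high default Deny share is the signal that either a policy is missing for legitimate traffic or that default Deny logging should be reviewed before it fills the Cloud Log Analytics storage.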
Enable or disable default Deny policy logs
- You can switch to any firewall already created by using the select box at the top of each feature menu.
- To control access between the Secure Zone and general zones with Secure Zone Firewall policies, the ACG settings must match: register the following rules in the ACG of each VM and SSL VPN. (Required)
Permissions are divided into admin and user levels:
- NCP_SECURE_ZONE_FIREWALL_MANAGER (admin): view objects in the Secure Zone Firewall, and create, change, and delete policies and address groups.
- NCP_SECURE_ZONE_FIREWALL_VIEWER (user): view objects in the Secure Zone Firewall.
① To grant Secure Zone Firewall permissions to a specific user, first select the Sub Account service.
② Select the sub account to which you wish to grant Secure Zone Firewall permissions.
③ Click the [Add] button for policies on the sub account details page.
④ In the policy list for the selected sub account, select the policy you wish to grant, either NCP_SECURE_ZONE_FIREWALL_MANAGER or NCP_SECURE_ZONE_FIREWALL_VIEWER, and add it.
① Go to Security > Secure Zone > Secure Zone Firewall and select the firewall you wish to terminate among the firewalls in use.
- If you select a Standard firewall and an Advanced firewall exists in the same zone, then you must terminate the Advanced firewall as well.
- NAS shared between the public zone and the Secure Zone: although a NAS volume can be shared, it is recommended that you do not store personal information on it, because NAS traffic does not pass through the firewall.