You are on page 1of 11

Using the MyRackspace Firewall Manager

Using the MyRackspace Firewall Manager


The Firewall Manager application is an upgraded version of the Firewall Control Panel, which provides our customers the ability to view and edit their firewall configurations. Please note that the Firewall Manager is available for all Cisco PIX and ASA firewalls with the exception of Cisco PIX 515/525/535 URFO and firewalls in a High Availability configuration. This tool allows you to do the following on the firewalls inbound access control list:
Add permit policies Add and delete IPs to be denied by means of a Blacklist Add and delete IPs from address sets prefixed with fwcpDelete single deny policies Add comments (notes) to a permit policy, deny policy, IPs in the Blacklist, and IPs in an address set prefixed with fwcpView and export (.csv) changes that occurred on the firewall Export (.csv) the firewalls inbound access list

Firewall User Agreement


Rackspace requires each user who wishes to modify a firewall configuration (must have the Edit or Admin permission on a firewall) to accept the Firewall User Agreement terms per firewall, every three months. When the terms are accepted, the user and the Primary Contact on the account will receive a confirmation email. If the user chooses not to accept the agreement, they will only be able to view their firewall configuration. Example 1.1 A user who has the Edit or Admin permission on a firewall will be prompted by the Firewall User Agreement banner.

Example 1.2 Each user, who wishes to modify a firewall configuration, will need to accept the Firewall User Agreement terms.

Generated by Clearspace on 2011-07-16-05:00 1

Using the MyRackspace Firewall Manager

Access Control List


Access Control Lists for Firewalls describe the behavior that a specific firewall should take when presented with a request to a specific device (or range of IPs) from a specific device (or range of IPs) using a specific protocol. The Firewall Manager only allows the user to manage the firewalls inbound traffic.

Protocol
You can select the IP (all ports), TCP (single port), or UDP (single port) protocol from the drop down menu. Below is a description for each possible selection.
IP (all ports): Creating an IP policy will make all ports and services on your server available from the IP address or address range supplied. This will give the supplied IP address or range of addresses complete access through the firewall. You will not be able to specify a port number if this protocol is selected. TCP (single port): This must be paired with select ports (see Port section for more information). UDP (single port): This must be paired with select ports (see Port section for more information).

Example 2.1 A protocol can be selected from a dropdown menu.

Generated by Clearspace on 2011-07-16-05:00 2

Using the MyRackspace Firewall Manager

Source IP Address
The source IP is the IP of the visiting client. Its the IP address that you wish to allow through the firewall for a given destination port or service.
Enter IP: Text field that allows you to enter a specific IP address. Any IP: Allows traffic from any source IP address through the firewall. Get My Current IP: Automagically retrieves your clients IP address.

NOTE: These are the client IP addresses that you want to allow your server to serve. Source IP is often set to Any IP Address for services like web services. However, for services such as FTP and email access-type services, Source IP is often limited to just a few client IPs. Example 3.1 You can enter an IP address, select the option of Any IP Address, or Get my current IP.

Netmask (Source and Destination)


A netmask can be selected if an IP address was entered in the IP Address field. The default option is /32 (255.255.255.255). Netmasks are listed in both Classless Inter-Domain Routing (CIDR) notation (or slash notation) and IP format. Here is a breakdown of the ranges allowed:

Example 4.1 Source and Destination Netmask drop down menu.

Generated by Clearspace on 2011-07-16-05:00 3

Using the MyRackspace Firewall Manager

Destination IP Address
The Destination IP address is the target IP that resides on the server behind the firewall (please see Source IP Address section for available options). You can enter an IP address, select Any IP Address, or select an IP from the menu, which includes the primary and secondary IP addresses of the devices behind the firewall. (New Feature: Searching by device name is now available) Example 5.1 You can enter an IP, select Any IP Address, select an IP from the drop down menu, or select Get my current IP.

Destination Port
If youve selected either the TCP or UDP protocol, you can enter a port number or select from the menu of common ports. Ports that are accepted include 1 to 65535. Certain port and protocol combinations are not permitted, which are listed below:
Port 21 and UDP Port 22 and UDP Port 25 and UDP Port 69 and TCP

Generated by Clearspace on 2011-07-16-05:00 4

Using the MyRackspace Firewall Manager

Port 80 and UDP Port 110 and UDP Port 115 and UDP Port 443 and UDP

Example 6.1 This is the drop down menu of common ports.

Adding a Permit Policy


Example 7.1 Open a single port to all server IPs for a specific IP address. In this example, a policy was added to allow Alternate SMTP (Port 587) mail traffic through the firewall from the IP address 207.250.49.146.

Example 7.2 Adding an Admin IP. In this example, the protocol was changed to IP (all ports). When this protocol is selected, a port number cannot be entered or selected.

Generated by Clearspace on 2011-07-16-05:00 5

Using the MyRackspace Firewall Manager

Copying Policies
You can copy an existing policy by clicking on the Copy icon. The form fields will fill where possible and you can modify the policy before adding it. Policies that you cannot copy include single deny policies, policies that reference an address set, and locked policies. They will not have a copy icon on the screen. Example 8.1 You can copy an existing policy by clicking on the Copy icon.

Deleting Policies
The Firewall Manager also allows you to delete permit policies and single deny policies. To remove a policy, click the checkbox and click the Delete Selected Policies button on the side bar. Any number of policies may be selected and deleted at one time. Some policies will not have a checkbox, which indicate that they cannot be deleted. These policies allow Rackspace Support Technicians and specific systems to access your server. Example 9.1 You can select to delete a single, multiple or all policies.

Generated by Clearspace on 2011-07-16-05:00 6

Using the MyRackspace Firewall Manager

NOTE: For Cisco PIX and ASA firewalls, access list hit counts are used for determining policy usage. Any policy that has a hit count of zero is considered as unused. The access list hit counts can be viewed under the Hit Count column (see Example 9.1). The access list hit counts are reset whenever the firewall is restarted.

Adding a Comment to a Permit/Deny Policy


Example 10.1 You can add/modify or delete a comment to a permit or deny policy after it has been added to the configuration.

Address Sets (Listed as Object Groups on the previous version)


If a network address set is prefixed with, fwcp-, you will be able to add and delete IPs from the set; otherwise the address set will have view-only access. The address set must contain at least one IP at all times. Updates to address sets will appear in the change log. Example 11.1 You can manage editable address sets prefixed with fwcp- by clicking on the hyperlink.

Example 11.2 Once clicked, the manage address set modal will appear. Adding and deleting addresses within the address set as well as comments can be managed from this window. NOTE: In order for changes to be written to the firewall, please click on Commit Changes.

Generated by Clearspace on 2011-07-16-05:00 7

Using the MyRackspace Firewall Manager

Example 11.3 You can view non-editable address sets by clicking on the hyperlink or opening the disclosure.

Example 11.4 Once clicked, this menu will able for viewing a non-editable address set.

Generated by Clearspace on 2011-07-16-05:00 8

Using the MyRackspace Firewall Manager

Blacklist (Listed as the FWCP-Customer-Deny Object Group on previous version)


The purpose of the blacklist is to provide a central area for source IPs that you would like to deny access. You can add and delete host IPs and IP Ranges from the Manage Blacklist menu. All IPs listed on the older version were migrated to this Blacklist. Updates to the Blacklist will be logged in the change log. Example 12.1 Access the Blacklist from side bar navigation. (Customers with view-only permissions will have a View Blacklist option.)

Example 12.2 Adding and deleting IPs within the Blacklist as well as comments can be managed on this menu.

Generated by Clearspace on 2011-07-16-05:00 9

Using the MyRackspace Firewall Manager

Change Log
The Change Log contains information of certain events that took place on the firewall. It lists the type of event that took place, the category of the change, the change details, the user who made the change, and the date the change was made. It can be accessed by clicking on the Change Log tab. Changes made directly in the firewall will not be displayed in the Change Log. Example 13.1 The Change Log tracks details about each change made in the Firewall Manager with the exception of comments.

Generated by Clearspace on 2011-07-16-05:00 10

Using the MyRackspace Firewall Manager

Static NATs (network address translations)


Example 14.1 Static NATs tab displays the Public IP Address, the Private IP that the Public IP is translated to, and the associated Private IP Netmask.

NOTE: If the device is a Cisco ASA using iOS 8.3 or higher, we cannot display the static NATs. This is because the statics are formatted differently in this version. We will be working to support iOS 8.3 in a future version of the Firewall Manager.

Generated by Clearspace on 2011-07-16-05:00 11