
Set Distributed Firewall

Everoute provides three distributed firewall security policies: global network security policy, security policy, and virtual machine quarantine policy.

  • Global Network Security Policy: It is applied to all virtual machines managed by the Everoute service and includes the global default policy and the global whitelist. The global whitelist is intended to prevent security policies from affecting services deployed outside the data center, such as the bastion host service.
  • Security Policy: It is applied to the labeled virtual machines managed by the Everoute service. If you set a security policy for virtual machines, they will only be allowed to communicate with the whitelisted peers.
  • Virtual Machine Quarantine Policy: It is applied to a single virtual machine. You can quarantine a virtual machine when it gets infected by a virus or needs to be debugged.

Policy Priority

The three security policies are prioritized as follows:

Virtual Machine Quarantine > Security Policy > Global Default Policy

Set English Labels for Virtual Machines

Everoute identifies groups of virtual machines according to their labels and dynamically generates security rules for them. Therefore, before setting security policies, set specific English labels for virtual machines.

  1. In the Label Management page, click Create Label. You should see a pop-up Create Label dialog box.
  2. Enter a label name and set the value if needed. Then click Create.
  3. In the CloudTower homepage, click Cluster to select the cluster associated with the Everoute Service. Then in the cluster page, click VM to get the virtual machine list. Select the virtual machine for which you would like to set the security policy. Click ..., then select Edit Label.
  4. In the pop-up Edit Label dialog box, attach a label to the virtual machine.

Set Global Network Security Policy

The global network security policy includes Global Default Policy and Global Whitelist.

  • Global Default Policy: It takes effect for virtual machines that have no security policy set and are not in quarantine.
  • Global Whitelist: It ensures communication between the virtual machines within the data center and services deployed outside the data center, such as the bastion host, without affecting existing security policies. Virtual machine quarantine is the exception and still takes precedence.

Initial Settings

The initial security policy settings are made when the service is deployed; see the "Deploy Everoute in SMTX OS Cluster" section. Refer to the following section to change the policy settings afterwards.

Change Settings

To change the global network security policy:

  1. In the Network and Security page, click Operation and Management. In the Everoute Service list, select the Everoute service for which you want to change the global policy.

  2. In the Global Network Security Policy dialog box, select Allow Communication or Reject Communication for the global default policy, and enable or disable the global whitelist. Then click Save.

Set Security Policy

The security policy identifies groups of virtual machines according to labels and dynamically generates security rules for them, thereby controlling network connectivity between groups of virtual machines and enhancing security within the data center.

  • If multiple policies are applied to a virtual machine and those policies contradict each other, traffic is allowed as long as at least one of the policies allows it.
  • If the policy object communication is set as Not Allowed but the ingress or the egress traffic of the policy object is set as All Allowed, the virtual machines within the policy object group will still be able to communicate with each other.
  • The egress and ingress traffic of the policy object cannot both be set as All Allowed.

Create Security Policy

  1. In the Network and Security page, select Security Policy. Then click Create Policy in the upper right corner of the page. You should see the Create Network Security Policy dialog box.

  2. Fill in basic information about the policy, including its name and description. Then select the Everoute service to which it belongs. Click Next.

    Once done, the security policy will be applied to the cluster with which this Everoute service is associated.

  3. Click Add Policy Object.

    1. Enter the label matching the policy object or select the policy object in the dropdown box. Only English labels are allowed.
    2. Choose whether to allow policy object communication, i.e. traffic between the virtual machines within the policy object group.
  4. Set the ingress traffic whitelist for the policy object.

    • If All Allowed is selected, the policy object will receive all traffic.

    • If you need to specify ingress traffic, select Whitelist Only. Click Add Whitelist to add the virtual machine whitelist or the IP whitelist.

      Whitelist                 | Note
      Virtual Machine Whitelist | Set the whitelist by entering the virtual machine label, and specify the protocols and corresponding ports that Everoute allows. If there are no protocol restrictions, select Any Protocol.
      IP Whitelist              | Set the whitelist by entering IP addresses or CIDR blocks, and specify the protocols and corresponding ports that Everoute allows. If there are no protocol restrictions, select Any Protocol.
  5. Refer to Step 4 to set the egress traffic whitelist for the policy object.

  6. Click Create.

Edit Security Policy

In the Security Policy page, click Security Policy to see the policies you created. To edit or delete a policy, click ... next to it.

Edit Virtual Machine Quarantine Policy

The virtual machine quarantine policy includes Strict Quarantine and Forensic Quarantine.

  • Strict Quarantine: In this mode, the virtual machine rejects all ingress and egress traffic. This quarantine mode helps prevent a virus from spreading in the internal environment and reduces the impact on normal system operation.
  • Forensic Quarantine: In this mode, the virtual machine is only allowed to communicate with the whitelist. You can set the ingress and egress traffic whitelist for the virtual machine separately.
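The following added example (not Everoute's own code) models the evaluation order this page describes, so a policy set can be checked before it is applied: quarantine > security policy > global default, "pass if any policy allows" for contradictory policies, the intra-group rule from the Set Security Policy section, and the two quarantine modes above. The dictionary layout, the field names and the reading that a quarantine verdict is final for any flow touching the quarantined VM are assumptions.

```python
import ipaddress
ALL = "ALL"  # the "All Allowed" choice for an ingress or egress whitelist

def matches(rule, peer, port):
    """One whitelist entry: VM label match or IP/CIDR match, plus optional ports."""
    if rule.get("ports") and port not in rule["ports"]:
        return False
    if "labels" in rule:
        return rule["labels"] <= peer["labels"]
    return ipaddress.ip_address(peer["ip"]) in ipaddress.ip_network(rule["cidr"])

def admits(whitelist, peer, port):
    return whitelist == ALL or any(matches(r, peer, port) for r in whitelist)

def policy_verdict(pol, src, dst, port):
    """Verdict of one security policy for src->dst, or None if it does not apply."""
    src_in, dst_in = pol["labels"] <= src["labels"], pol["labels"] <= dst["labels"]
    if not (src_in or dst_in):
        return None
    if src_in and dst_in:  # both inside the policy object group
        return pol["intra"] or pol["ingress"] == ALL or pol["egress"] == ALL
    return admits(pol["ingress"], src, port) if dst_in else admits(pol["egress"], dst, port)

def evaluate(cfg, src, dst, port):
    """Decide src->dst:port with priority quarantine > security policy > global default."""
    for vm, direction, peer in ((src, "egress", dst), (dst, "ingress", src)):
        q = cfg["quarantine"].get(vm["name"])
        if q == "strict":  # strict quarantine rejects all traffic
            return False
        if q is not None and not admits(q[direction], peer, port):
            return False  # forensic quarantine: only the VM's own whitelist
    if any(v["name"] in cfg["quarantine"] for v in (src, dst)):
        return True  # assumption: a quarantine verdict is final for the flow
    if any(matches(r, vm, port) for r in cfg["global_whitelist"] for vm in (src, dst)):
        return True  # global whitelist overrides security policies, not quarantine
    verdicts = [v for v in (policy_verdict(p, src, dst, port) for p in cfg["policies"]) if v is not None]
    if verdicts:
        return any(verdicts)  # contradictory policies: pass if any one allows
    return cfg["global_default"] == "allow"

# Constructed sample: web and db VMs in the cluster, a bastion host outside it
WEB1 = {"name": "web1", "ip": "10.0.1.11", "labels": {"role=web"}}
WEB2 = {"name": "web2", "ip": "10.0.1.12", "labels": {"role=web"}}
DB = {"name": "db1", "ip": "10.0.2.21", "labels": {"role=db"}}
BASTION = {"name": "bastion", "ip": "192.168.100.5", "labels": set()}
CFG = {"global_default": "reject",
       "global_whitelist": [{"cidr": "192.168.100.0/24", "ports": {22}}],
       "policies": [{"labels": {"role=db"}, "intra": False, "egress": [],
                     "ingress": [{"labels": {"role=web"}, "ports": {3306}}]}],
       "quarantine": {}}
```

With this sample, `evaluate(CFG, WEB1, DB, 3306)` is allowed by the db policy's ingress whitelist, while the same flow is rejected once `db1` is placed in strict quarantine.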

Quarantine Virtual Machine

  1. In the SMTX OS (ELF) cluster page, click VM to access the virtual machine list.
  2. Select the virtual machine for quarantine. In the virtual machine panel, select Network Security, then click Quarantine to set the quarantine policy.

Edit Quarantine Policy

You can edit the quarantine policy or stop quarantining a virtual machine in its virtual machine panel. Alternatively, you can check the quarantined virtual machines and perform the above actions in the Network and Security page.