Managing Your Firewalls
Once you have completed one or more firewall policies and assigned them to server groups, you can use the Halo portal to manage them.
- You can verify that every protected server in your cloud has a functioning firewall that is appropriate for its server group. You can view detailed firewall status for any server. You can also perform server administration—adding or deleting servers, moving them among server groups and so on. (Halo server administration is documented in the Halo Operations Guide.)
- You can create new firewall policies and delete unwanted ones. You can also modify a policy, which will automatically update the firewalls on all servers in the groups that the policy is assigned to.
- You can also set up an alerting capability that will notify you whenever an unauthorized change is made to a firewall on any of your protected servers.
View Your Firewall Dashboard
To view the high-level firewall status of all your servers at a glance, go to Servers > Firewall Management in the Halo portal (or click the CloudPassage icon at the page top). If necessary, click the Firewall icon to ensure that the Firewall Management page of the Dashboard appears.
From the server group list, select one of your groups or select All Servers. View the list of servers, optionally changing the sorting of the list by clicking a column heading.
For any server in the list, note its firewall status (active or not), and the name of the firewall policy (if any) that is assigned to that server's server group. Click the name of a firewall policy to view its details on the Edit Firewall page.
You also can perform several server actions from the Actions drop-down list. For details about those actions and about agent status, see this section of the Halo Operations Guide.
View a Server's Firewall Status and Summary
If you click the name of a server in the list on the Firewall Dashboard page, the Server Summary page for that server appears.
The Firewall Management section of the Server Summary page includes firewall status, time since installation, time since the agent last checked the firewall for unauthorized changes, and a link to the server's firewall policy.
At the top of the Server Summary page, you can see additional information about the server and its Halo agent, and the server group that it belongs to. The Server Summary page is described more fully in this section of Halo Issues, Events, and Alerts.
If, instead of clicking the server name on the Dashboard page, you click the server's Firewall Status icon, the Firewall Management page for that server appears.
Like the Server Summary page, this page includes information about the server's group and firewall policy, firewall status and time of last check. Also, clicking the server's name in the breadcrumb trail at the top of the page displays the Server Summary page.
Update Firewall Policies
Making changes to your firewall policies is simple, and updating all of your servers' firewalls with those changes is completely automatic.
- In the Halo portal, go to Policies > Firewall Policies and click the name of the policy that you want to change. That policy's Edit Policy page appears.
- Activate or de-activate rules, re-arrange rules, add or delete rules, or change rule attributes as you need to, just as described in Create and Assign a Firewall Policy and in Troubleshooting Firewalls. Change the logging settings for the policy (Windows) or for individual rules (Linux). You can even change the policy's name or description.
- Add, clone, or delete entire policies, if you wish. If you attempt to delete a policy that is assigned to a server group, you must first accept a confirmation dialog stating that the group's servers will be left without an assigned firewall.
- You can also change the server-group assignment of a firewall policy, if needed. (You accomplish that by editing the affected server group details, not by editing the firewall policy.)
Whatever changes you make, Halo will transmit the updates to all servers in all affected server groups within a few minutes of when you save them. Also, any server that subsequently comes online in any of those groups will receive the group's latest updated firewall.
Set Up Firewall Events and Alerts
You can configure Halo to send you or other users an email alert notification whenever any of your protected servers' firewalls are modified outside of Halo. By enabling this feature, you can have immediate knowledge of any potentially malicious alterations to the firewalls.
1. Create and assign an alert profile
Halo uses alert profiles assigned to a server group to determine who should receive alerts from that group. You create profiles in the portal and then you assign them to groups.
Note: You do not have to perform this step if you are a Halo registered user and you want alerts to go only to you. Halo automatically creates a default alert profile for every registered user and assigns it by default to every server group. Complete this step if you want to send alerts to a different email address or to multiple users.
- In the Halo portal, go to Policies > Alert Profiles and click Add New Alert Profile.
- Enter a name and optional description for the profile, specify "Instant" or some other value for the frequency, and then select one or more of your company's Halo users to receive alerts. Also specify whether each user should receive all alerts or just a subset based on event criticality. Then click Save.
- Now assign the profile to a server group: on the Halo Dashboard page, click the name of the server group you want to assign the profile to, then click Edit Details below the name. On the Edit Group Details page, select the name of your alert profile from the Alert Profiles drop-down list. Then click Save.
Your designated users will receive an email when a security event that fits your settings occurs.
2. Create and assign a special-events policy
- In the Halo portal, go to Policies > Special Events Policies and click Add New Special Events Policy.
- Enter a name and optional description for the policy. Then select, from the available set of security events, the specific events that you want this policy to monitor. For firewall alerting, select the Server firewall modified event and flag it as Critical and Generate an alert.
- Click Save to save the policy. Then assign it to your server group: go to the portal Dashboard page, click Edit Details for your server group, and select your policy from the Special Events Policy drop-down list. Then click Save.
Security-event logging and alerting for firewall modifications are now set up for your server group.
3. Respond to a "firewall changed" alert
Every 15 minutes, Halo scans each of your servers to detect unauthorized changes (changes to a host's firewall that were made outside of Halo). If such a modification occurs to the firewall of one of your protected servers, you can find out about it in either of these ways:
- Go to your email inbox. A notification from CloudPassage should be there, describing the firewall-change event.
- In the Halo portal, go to Servers > Security Events History, set the Event type filter to "Server firewall modified", and click Filter. A description of the event should appear on the page.
For more information about security events, alerts, special-events policies, and the Security Events History page, see the "Issues and Events" section of the Halo Operations Guide.
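The periodic check described above amounts to comparing the firewall a server is currently running against the one its policy last installed. The following is an added illustration of that idea, not CloudPassage code and not a description of how the Halo agent is implemented. It assumes a Linux host whose rules are captured in iptables-save text format, and both dumps are constructed samples.

```python
import re

# Constructed sample: rule set as installed from the policy (the baseline).
BASELINE = """\
# Generated by iptables-save on Mon Jan  6 10:00:00 2025
*filter
:INPUT DROP [120:9600]
:OUTPUT ACCEPT [300:24000]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 10.0.0.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT
"""

# Constructed sample: the same host at the next check, after a local edit.
CURRENT = """\
# Generated by iptables-save on Mon Jan  6 10:15:00 2025
*filter
:INPUT ACCEPT [455:36400]
:OUTPUT ACCEPT [912:72960]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT
"""

# Packet/byte counters change constantly and must not count as drift.
COUNTERS = re.compile(r"\s*\[\d+:\d+\]")

def normalize(dump):
    """Return ordered (table, line) pairs with volatile fields removed."""
    rules, table = [], None
    for line in dump.splitlines():
        line = COUNTERS.sub("", line).strip()
        if not line or line.startswith("#") or line == "COMMIT":
            continue  # timestamps in comments differ on every dump
        if line.startswith("*"):
            table = line[1:]
            continue
        rules.append((table, line))
    return rules

def drift(baseline, current):
    """Compare two dumps; order is kept because the first matching rule wins."""
    old, new = normalize(baseline), normalize(current)
    return {
        "modified": old != new,
        "removed": [r for r in old if r not in new],
        "added": [r for r in new if r not in old],
    }
```

On the sample data the check reports two changes that both widen access: the INPUT chain's default policy went from DROP to ACCEPT, and the SSH rule lost its source restriction.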