
To create a routing policy, do the following:

  1. In the Cloud Services Portal, click Manage > Service Edge > Policies > Routing Policies.
  2. Click Create.
  3. On the Add New Routing Policy dialog, do the following:
    • Name: Enter a name for the policy. Create a name that does not exceed 64 characters in length. Use numbers, any special characters, uppercase and lowercase letters, and even spaces. Start and end a name with any character but not a space. Leading and trailing spaces will be trimmed off automatically.
    • Description: Enter a description of the policy.
    • Priority: Enter a number from 1 to 65. This is the priority in which the system processes the rule. The lower the number, the higher the priority. To achieve the protection you want for your cloud infrastructure, be sure to assign the correct priority to each routing policy.

      To avoid unexpected behavior, do not create rules that are conflicting or have the same priorities. For example, if you create a rule that allows access to facebook.com, assign the rule a priority of 10, create a rule that denies access to facebook.com, and assign the second rule a priority of 10, then the system will process the rules in an undefined manner.

  4. You can create dynamic routing tables by adding routing rules. This will allow BloxOne Service Edge to process routing priorities according to your configuration.

Note

Routing options primarily comprise gateway rules and port-forwarding rules. When configuring security rules for your service edges, consider NAT rules, port-forwarding rules, and routing rules; this will ensure that the rules complement each other and will help prevent conflicts among them.

  5. To create a routing rule, do the following:

    • Navigate to the Routing Rules tab > Add Rule drop-down.
    • Choose one of the following:
      • New Rule: Choose this to create a brand new rule. See more details below. 
      • Copy Rule: Copy an existing rule to add it to the respective policy.
        1. Click Add
        2. Select or search for the policy that contains the specific rule.
        3. Select the rule and click Add.
        4. Add more rules to the respective policy, or click Save to continue.
    • To create a New Rule, specify the following:
      • Rule Name: Enter a name for the rule. Create a name that does not exceed 64 characters in length. Use numbers, any special characters, uppercase and lowercase letters, and even spaces. Start and end a name with any character but not a space. Leading and trailing spaces will be trimmed off automatically. 
      • Egress: From the drop-down menu, select the interface from which the outgoing traffic originates. 
        • Network Interface: Define the interface from which the outgoing traffic will originate. Choose one of the following from the drop-down list:  
          • Network Interface: Type LAN or WAN in the first box. If you type LAN, the outgoing traffic will originate from your private LAN. If you type WAN, the outgoing traffic will originate from the WAN.
          • Next Hop: Enter a valid IP address for the next closest router to which data packets will be routed. 
        • Tunnel Interface: A tunnel interface defines the device that is set up for tunnels in the routing VPN.
          • From the Select List drop-down, choose an already created edge that is part of the VPN topology.
        • Third Party Tunnel

          To avoid unexpected behavior, do not create rules that are conflicting or have the same priorities. For example, if you create a rule that routes facebook.com traffic to egress interface-tunnel1, assign the rule a priority of 10, create a rule to route facebook.com traffic to egress interface-tunnel2, and assign it a priority of 10, the system will process the rules in an undefined manner.
    • Expand the Sources section, and choose one of the following:
      • Network: Choose this to add a specific network object or network object group that you have already configured. Click Add, and choose one of the following from the drop-down list TYPE:
        • ANY: No IP address is specified, so any address or device can be the source.
        • IP: Specify the source by entering a specific IP address in the VALUE field.
        • Address Object Groups: From the VALUE list, select the address object that you have already configured.
      • User Groups: Choose this to add user groups that you have already configured. 
        • Expand the Identity Object Groups section and specify the following: 
          • AVAILABLE IDENTITY OBJECT GROUPS: Select the available identity object groups that you want to add, and then use the right arrow to move them to the SELECTED IDENTITY OBJECT GROUPS section. To move all identity object groups, use the double arrows. To remove a selected identity object group, click X next to it in the SELECTED IDENTITY OBJECT GROUPS table. To remove all selected identity object groups, click the  icon.
        • Expand the User Groups section, click Add, and specify the following: 
          • Select the applicable user groups from the list. When you add a user group, all users in the group are subject to the configuration you make to this routing rule.
            Note that you can also select an individual user rather than an entire user group. For a user to appear in the User Group list, use your third-party IDP to configure the user as a group and to give it a unique name. For example, to add Raj, who is in the Engineering department, create a user group called Raj-Eng and include only Raj in the group.

      • Tags: Choose this to add tags that you have already configured for BloxOne DDI IPAM resources. Supported resources are IP Space, Address Block, Subnet, Range, Fixed Address, and IPv4 Reservation. You can then reference these resources in the rule, in the form of tags or as a direct resource object. For more information, see Managing Tags and About BloxOne DDI.
        • Click Add, and specify the following:
          • KEY: From the drop-down menu, choose the configured tag you want to add. All available tags are displayed in the menu.
          • VALUE: From the drop-down menu, choose the value that corresponds to the selected tag. All available values are displayed in the menu.
            To add more tags to the rule, click Add again.

    • Expand the Destinations section, and choose one of the following:
      • Network: Choose this to add a network or network object that you have already configured. Click Add, and specify the following: 
        • TYPE: Choose one of the following from the drop-down list:
          • ANY: No IP address is specified, so any address or device can be a destination.
          • IP: To specify the destination, enter an IP address in the VALUE field.
          • Address Object Groups: From the VALUE list, select the address object that you have already configured. Alternatively, click Search and enter a value to search for a specific address object.
          • FQDN: Select this destination type to configure an FQDN for your firewall rule. For example, select it to allow a particular user group to access www.facebook.com.
          • Wildcard FQDN: Select this destination type to configure a Wildcard FQDN for your firewall rule. For example, select it to allow a particular user group to access *.yahoo.com.
      • Websites & Apps
        • Applications: Choose this to add an application or applications to the routing rule. All available applications are grouped in categories within the AVAILABLE section. You can use the arrow key to move a specific application or category of applications to the SELECTED section. The configuration of your routing rule applies to all selected applications.
      • Tags: Choose this to add tags that you have already configured for BloxOne DDI IPAM resources. Supported resources are IP Space, Address Block, Subnet, Range, Fixed Address, and IPv4 Reservation. You can then reference these resources in the rule, in the form of tags, or as a direct resource object. For more information, see Managing Tags and About BloxOne DDI.
        • Click Add and specify the following:
          • KEY: From the drop-down menu, choose the configured tag you want to add. All available tags are displayed in the menu.
          • VALUE: From the drop-down menu, choose the value that corresponds to the selected tag. All available values are displayed in the menu.
            To add more tags to the rule, click Add again.

    • Expand the Services section, and do the following: 
      • Service Groups: Choose this and specify the following:
        • AVAILABLE SERVICE GROUPS: Select the available service groups that you want to add, and then use the right arrow to move them to the SELECTED SERVICE GROUPS section. To move all service groups, use the double arrows. To remove a selected service group, click X next to it in the SELECTED SERVICE GROUPS table. To remove all selected service groups, click the  icon.
      • Service Parameters: Choose this, click Add, and specify the following:
        • PROTOCOL: Choose one of the following from the drop-down list:
          • TCP: The Transmission Control Protocol complements the Internet Protocol (IP) and provides an ordered and error-checked delivery of data among applications on devices that communicate through an IP network. Be sure to select a TCP Flag.
          • UDP: The User Datagram Protocol is an Internet Protocol that provides (1) checksums for data integrity and (2) port numbers for addressing different functions at the source and destination. Be sure to select a UDP Flag.
          • IP: Internet Protocol is the principal communication protocol that delivers data packets from source to destination, based solely on the IP addresses in the packets' headers.
          • ICMP: Routers and other network devices use the Internet Control Message Protocol to send operational information and error messages that indicate success or failure during communication between devices and IP addresses. Be sure to select an ICMP Flag.
        • SOURCE PORT: Enter a number from 1 to 65535, or type ANY.
        • DESTINATION PORT: Enter a number from 1 to 65535, or type ANY.
        • PROTOCOL FLAG: Depending on the chosen protocol, specify the following:
          • NONE:
          • INCOMING:
          • OUTGOING:
          • ICMP FLAG: If you chose ICMP as the PROTOCOL, choose one of the following parameters to specify the type of ICMP traffic you want to track for this firewall rule:
            • NONE: No ICMP flag is specified. Include all outgoing and incoming traffic that uses the ICMP protocol for communication.
            • INBOUND_TTL: Include incoming traffic that exceeds the TTL (time to live) or has the "time exceeded in transit" message.
            • INBOUND_REDIRECT: Include incoming traffic that has the "out-of-band" message for redirecting traffic to another system.
            • OUTBOUND_PING: Include outgoing ICMP echo requests from the source port.
            • ICMP_INBOUND_ALL: Include all incoming traffic from the destination port.
            • ICMP_OUTBOUND_ALL: Include all outgoing traffic from the source port.
            • ICMP_INBOUND_PING: Include incoming ICMP echo responses from the destination port.
      • Click Expand All to view additional details of the rules and Collapse All to hide them.
      • Click Save.

  6. Click Save & Close.
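As an added example (not Infoblox code and not the BloxOne API; the rule field names and the sample rules are assumptions modelled on the fields this page describes), the following Python script lints a set of routing rules before they are entered in the portal. It enforces the name, priority and port ranges given in the steps above, checks that ICMP rules carry one of the listed ICMP flag names, and reports the case both step 3 and step 5 warn about: two rules with the same priority that match the same traffic but send it to different egress interfaces. It also shows how priority decides which rule wins, and why equal priorities leave that choice undefined.

```python
"""Lint routing rules before applying them (added example, not Infoblox code).

Rules are plain dicts whose keys mirror the fields on this page; the key
names and the sample data are assumptions, not the BloxOne API schema.
"""
from collections import defaultdict

# Flag names exactly as listed on this page for the ICMP PROTOCOL FLAG.
ICMP_FLAGS = {"NONE", "INBOUND_TTL", "INBOUND_REDIRECT", "OUTBOUND_PING",
              "ICMP_INBOUND_ALL", "ICMP_OUTBOUND_ALL", "ICMP_INBOUND_PING"}
PROTOCOLS = {"TCP", "UDP", "IP", "ICMP"}

# Constructed sample rules (hypothetical names, egresses and addresses).
SAMPLE_RULES = [
    # The conflict the page describes: same priority, same destination,
    # different egress.
    {"name": "social-to-tunnel1", "priority": 10, "egress": "tunnel1",
     "sources": ["ANY"], "destinations": ["facebook.com"],
     "protocol": "TCP", "source_port": "ANY", "destination_port": "443"},
    {"name": "social-to-tunnel2", "priority": 10, "egress": "tunnel2",
     "sources": ["ANY"], "destinations": ["facebook.com"],
     "protocol": "TCP", "source_port": "ANY", "destination_port": "443"},
    # Shares its priority with nothing, so it cannot conflict.
    {"name": "lan-default", "priority": 20, "egress": "wan",
     "sources": ["10.0.0.5"], "destinations": ["ANY"],
     "protocol": "IP", "source_port": "ANY", "destination_port": "ANY"},
    # Field-level errors: name too long, priority out of range, port 0,
    # and an ICMP flag name that is not one of the listed ones.
    {"name": "a" * 70, "priority": 70, "egress": "tunnel1",
     "sources": ["ANY"], "destinations": ["ANY"],
     "protocol": "ICMP", "source_port": "0", "destination_port": "ANY",
     "icmp_flag": "INBOUND_PING"},
]


def valid_name(name):
    # The portal trims leading/trailing spaces; the limit is 64 characters.
    return 0 < len(name.strip()) <= 64


def valid_priority(priority):
    # Page: a number from 1 to 65; lower number means higher priority.
    return isinstance(priority, int) and 1 <= priority <= 65


def valid_port(value):
    # Page: 1 to 65535, or the literal ANY.
    text = str(value)
    return text.upper() == "ANY" or (text.isdigit() and 1 <= int(text) <= 65535)


def overlaps(entries_a, entries_b):
    """Two match lists can select the same traffic if either is ANY or they share an entry."""
    return "ANY" in entries_a or "ANY" in entries_b or bool(set(entries_a) & set(entries_b))


def rules_conflict(rule_a, rule_b):
    """Same traffic could match both rules, but they route it differently."""
    return (overlaps(rule_a["sources"], rule_b["sources"])
            and overlaps(rule_a["destinations"], rule_b["destinations"])
            and rule_a["egress"] != rule_b["egress"])


def lint(rules):
    """Return a list of human-readable findings; an empty list means the set is clean."""
    findings = []
    for r in rules:
        who = r["name"].strip()[:20] or "<empty>"
        if not valid_name(r["name"]):
            findings.append(f"{who}: name must be 1-64 characters after trimming")
        if not valid_priority(r["priority"]):
            findings.append(f"{who}: priority must be between 1 and 65")
        if r["protocol"] not in PROTOCOLS:
            findings.append(f"{who}: unknown protocol {r['protocol']}")
        for field in ("source_port", "destination_port"):
            if not valid_port(r[field]):
                findings.append(f"{who}: {field} must be 1-65535 or ANY")
        if r["protocol"] == "ICMP" and r.get("icmp_flag") not in ICMP_FLAGS:
            findings.append(f"{who}: ICMP rules need one of {sorted(ICMP_FLAGS)}")

    # Rules that share a priority and route overlapping traffic differently
    # are processed in an undefined order, per the page.
    by_priority = defaultdict(list)
    for r in rules:
        by_priority[r["priority"]].append(r)
    for prio, group in sorted(by_priority.items()):
        for i, a in enumerate(group):
            for b in group[i + 1:]:
                if rules_conflict(a, b):
                    findings.append(
                        f"priority {prio}: {a['name']!r} and {b['name']!r} match the same "
                        f"traffic but egress differs ({a['egress']} vs {b['egress']}); "
                        f"evaluation order is undefined")
    return findings


def matches(entries, value):
    return "ANY" in entries or value in entries


def select_egress(rules, source, destination):
    """Egress for a flow: first matching rule in priority order (lower number wins).
    Python's sort is stable, so equal priorities fall back to insertion order here;
    the real system gives no such guarantee, which is why lint() flags them."""
    for r in sorted(rules, key=lambda rule: rule["priority"]):
        if matches(r["sources"], source) and matches(r["destinations"], destination):
            return r["egress"]
    return None


if __name__ == "__main__":
    for finding in lint(SAMPLE_RULES):
        print("FINDING:", finding)
    print("10.0.0.5 -> example.com egress:", select_egress(SAMPLE_RULES, "10.0.0.5", "example.com"))
```

Run the script against an export of the rules you intend to enter; a clean run means every name, priority and port is within the ranges the portal accepts and no two rules at the same priority could disagree about where the same traffic goes.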
