Firewall Network (FireNet) Advanced Config¶
Firewall Network (FireNet) Advanced Config applies to both AWS TGW based FireNet and Aviatrix Transit FireNet.
For questions about FireNet, check out FireNet FAQ. For questions on FireNet workflow, check out FireNet Workflow
For questions about Aviatrix Transit FireNet, check out Transit FireNet FAQ. For questions on Aviatrix FireNet workflow, check out Transit FireNet Workflow
Traffic Inspection¶
You can enable and disable traffic inspection. When traffic inspection is disabled, FireNet gateway loops back all packets.
Egress through Firewall¶
This is to enable Internet bound egress traffic for inspection.
To configure, go to Controller -> Firewall Network -> Advanced. Select one firewall domain, click the 3-dots skewer to the detail page. At Egress through Firewall, click Enable.
Fail Close¶
Fail Close feature applies to the scenario where there are no firewalls attached to the FireNet gateways. Fail Close is disabled by default.
When Fail Close is disabled, east-west traffic that requires inspection can pass through the FireNet gateways without having any attached firewalls, making the FireNet gateway behave as a lookback interface. This is useful as it allows you to isolate and test network connectivity during troubleshooting.
When Fail Close is disabled, FireNet gateway drops all traffic when there are no firewalls attached to the FireNet gateways.
Network List Excluded From East-West Inspection¶
By default, FireNet inspects all East-West (VPC to VPC) traffic but you may have an instance in the VPC which you do not want to be inspected. For example, the Aviatrix Controller deployed in the Shared Service VPC to be excluded from inspection while Shared Service VPC traffic is inspected. This improves the Controller reachability by not subjecting the Controller access to unintentional firewall policy errors.
Put the CIDRs in the field “Network List Excluded From East-West Inspection” to exclude from being inspected by the firewall.
Note
- Maximum 20 CIDRs coma-separated are supported.
- CIDRs are excluded from East-West inspections only.
- In Transit FireNet, if Egress inspection is enabled, all the Egress traffic will get inspected by the firewall even for the CIDRs excluded for East-West inspection.
Firewall Hashing¶
- Firewall Network solution supports two hashing types:
- Five-tuple and
- Two-tuple.
By default, AWS TGW based FireNet and Aviatrix Transit FireNet use 5-tuple hashing algorithm (source IP, source port, destination IP, destination port and protocol type) to load balance the traffic across different firewall. However, user has an option to select two-tuple (source IP and destination IP) hashing algorithm to map traffic to the available firewalls.
Keep Alive via Firewall Lan Interface¶
For AWS, LAN or Management interface can be used for firewall health check and failure detection.
By default, Aviatrix Controller check the firewall’s health by pinging the firewall’s management IP address. Starting 6.0, firewall instance’s health can also be checked by pinging its LAN interface from the connecting Aviatrix FireNet gateway. This is an alternative approach which improves firewall failure detection time and detection accuracy.
The mechanism is that the FireNet gateway pings the firewall instance’s LAN interface every 5 seconds with a ping time out of 20ms. If the first ping times out, it immediately pings again. Two consecutive ping failures indicates the firewall is in down state and it is detached from the FireNet gateway pool. The ping functions continues and it detects the firewall instance has come up by successful pings, it is attached back to the FireNet gateway pool.
With LAN interface pinging, the firewall instance fail over time is reduced.
The following details describe how to enable ping on the firewall instance LAN interface.
Step 1: Enable ICMP on Firewall Devices¶
Palo Alto Network¶
Go to Network -> Network Profiles -> Interface Mgmt, create profile to allow ping
Next, Go to Network -> Interfaces, select “Ethernet 1/2”, go to Advanced tab -> Management Profile and select the profile just created in above step
Commit changes
Panoroma¶
Configure stack similar to Palo Alto Network shown above.
Check Point¶
Go to SmartConsole -> Global Properties -> Firewall -> Accept ICMP requests.
Fortigate (Fortinet) ~~~~~~~~~~~~~~~~~~~~~~~~~~`
Go to Network -> Interfaces -> Edit Interface -> Check “PING” box
Step 2: Configure Aviatrix Controller¶
Go to Firewall Network –> Advanced –> Click the 3 vertical dots as shown below:
The expanded view shows the firewall deployed by the Aviatrix controller and towards the end of screen shot, one can enable/disable LAN side Health Check.
Step 3: Verify LAN Side ICMP Health Check¶
In this example, AWS and Check Point used to demonstrate the functionality as shown below:
Go to Check Point logs and Monitoring section, notice that the ICMP health check is initiated every 5 second from the Aviatrix Transit FireNet gateways. The 5 second setting is the default and cannot be changed.