Your Browser is Out of Date

Nytro.ai uses technology that works best in other browsers.
For a full experience use one of the browsers below
PowerScale: Network Design Considerations
Executive summary Network architecture design Latency, bandwidth, and throughput Ethernet flow control SyncIQ considerations Quality of Service (QoS) Software-Defined Networking PowerScale OneFS ports SmartConnect considerations Ethernet, MTU, and IP overhead Access Zones best practices Source-Based Routing considerations Isilon 6th generation 1 GbE interfaces Intelligent Platform Management Interface IPv6 OneFS host-based firewall
OneFS host-based firewall
Introduction
Architecture
Configuration
STIG security profile
IPv6
FTP
User configurable ports
Source-Based Routing
Network troubleshooting Appendix A: Supported network optics and transceivers Appendix B: Technical support and resources

Configuration

Configuration

  • The OneFS host-based firewall is disabled by default for brownfield and greenfield clusters running OneFS Release 9.5.0.0. An administrator with the ISI_PRIV_FIREWALL privilege can enable the feature. By default, the ISI_PRIV_FIREWALL privilege is assigned to SystemAdmin with write permission and to AuditAdmin with read permission.

    Note: As a best practice, rather than creating a new firewall policy from scratch, it is recommended to use the default policies as a baseline of threat protection for OneFS services. An option to clone policies is available. When the default policy is cloned, administrators can add additional rules specific to the environment. Also note that changes made to a firewall policy take place immediately. To avoid accidental misconfigurations, it is advised always to make changes by cloning a firewall policy, editing the cloned policy, then reconfiguring pools to the new policy.

    Both the CLI and WebUI support the configuration for the OneFS host-based firewall. See the appropriate following section for the configuration steps.

    CLI

    You can configure the OneFS host-based firewall in the CLI by using the isi network firewall commands. List the current firewall settings by using the isi network firewall settings view command.

    Note: Enabling the firewall automatically applies the default firewall policies. As explained in the Architecture section, the default firewall policies enforce the port numbers and protocols required for OneFS services, as listed in the Security Configuration Guide, found under the respective OneFS software release at OneFS Info Hubs. Before enabling the firewall, ensure that the default port numbers and protocols do not conflict with any custom port or protocol configuration.

    Enable the OneFS host-based firewall with the isi network firewall settings modify --enabled true command. To create a firewall policy and rules, do the following:

    1. Before creating custom firewall rules, clone the default firewall policy with the isi network firewall policies clone command. If necessary, you can create a new firewall policy with the isi network firewall policies create command, although the default policy provides a baseline of threat protection.
    1. When the firewall policy is cloned or created, you can add rules to the policy with the isi network firewall rules create command.
    2. Apply a firewall policy to pools and subnets using the isi network firewall policies modify command and the add-pools or add-subnets options.

    To prevent accidentally modifying active firewall policies and rules, the CLI requires a --live parameter to be specified when modifying an in-use firewall policy or rule. (Providing the --live parameter when modifying an inactive firewall policy or rule is considered an error.)

    WebUI

    The WebUI configuration for the host-based firewall is located under Cluster Management > Firewall Configuration, as shown here.

    TableDescription automatically generated

    Figure 31.    WebUI firewall configuration

    If the firewall is not yet configured, a banner directs the user to the “Settings” tab.

    Note: Enabling the firewall automatically applies the default firewall policies. As explained in the Architecture section, the default firewall policies enforce the port numbers and protocols required for OneFS services, as listed in the Security Configuration Guide, found under the respective OneFS software release at OneFS Info Hubs. Before enabling the firewall, ensure that the default port numbers and protocols do not conflict with any custom port or protocol configuration.

    To enable the firewall, navigate to the Settings tab and enable the “Firewall policies on the cluster” toggle as shown in the following figure.

    Graphical user interface, applicationDescription automatically generated

    Figure 32.    Enabling firewall

    To create a firewall policy and rules, do the following:

    1. Before creating custom firewall rules, clone the default firewall policy by selecting the Firewall Policies tab under Cluster Management > Firewall Configuration. Next, under More Actions, select Clone Policy for the associated policy. From the Clone Policy window, specify a policy name and description as shown here.

    A picture containing applicationDescription automatically generated

    Figure 33.    Clone Policy window

    1. When the firewall policy is cloned or created, you can add rules to the policy by clicking the down arrow for the new policy and clicking Add Rule. From the Add Rule window, specify the firewall rule as shown here.

    Graphical user interface, text, application, emailDescription automatically generated

    Figure 34.    Add Rule window

    1. When a firewall policy is ready to be implemented, navigate to Cluster Management > Network Configuration. Select the appropriate pool, click Edit, and select the appropriate policy from the Firewall policy drop-down, as shown here. Click Save Changes to save the selection.

    Graphical user interface, text, application, emailDescription automatically generated

    Figure 35.    Firewall policy to pool assignment

    Troubleshooting and logs

    To troubleshoot the firewall feature, more information is available in the following logs:

    • /var/log/isi_firewall_d.log – Contains information about the firewall daemon
    • /var/log/isi_papi_d.log – Contains information for all PAPI handlers, but also includes firewall handlers.
    • isi_gconfig -t firewall – This command displays the firewall configuration.