Configure firewall policies for LIFs
Contributors
Download PDF of this page
Setting up a firewall enhances the security of the cluster and helps prevent unauthorized access to the storage system. By default, the firewall service allows remote systems access to a specific set of default services for data, management, and intercluster LIFs.
Firewall policies can be used to control access to management service protocols such as SSH, HTTP, HTTPS, Telnet, NTP, NDMP, NDMPS, RSH, DNS, or SNMP. Firewall policies cannot be set for data protocols such as NFS or SMB.
You can manage firewall service and policies in the following ways:
-
Enabling or disabling firewall service
-
Displaying the current firewall service configuration
-
Creating a new firewall policy with the specified policy name and network services
-
Applying a firewall policy to a logical interface
-
Creating a new firewall policy that is an exact copy of an existing policy
You can use this to make a policy with similar characteristics within the same SVM, or to copy the policy to a different SVM.
-
Displaying information about firewall policies
-
Modifying the IP addresses and netmasks that are used by a firewall policy
-
Deleting a firewall policy that is not being used by a LIF
Firewall policies and LIFs
LIF firewall policies are used to restrict access to the cluster over each LIF. You need to understand how the default firewall policy affects system access over each type of LIF, and how you can customize a firewall policy to increase or decrease security over a LIF.
When configuring a LIF using the network interface create
or network interface modify
command, the value specified for the -firewall-policy
parameter determines the service protocols and IP addresses that are allowed access to the LIF.
In many cases you can accept the default firewall policy value. In other cases, you might need to restrict access to certain IP addresses and certain management service protocols. The available management service protocols include SSH, HTTP, HTTPS, Telnet, NTP, NDMP, NDMPS, RSH, DNS, and SNMP.
The firewall policy for all cluster LIFs defaults to ""
and cannot be modified.
The following table describes the default firewall policies that are assigned to each LIF, depending on their role, when you create the LIF :
Firewall policy | Default service protocols | Default access | LIFs applied to |
---|---|---|---|
mgmt |
dns, http, https, ndmp, ndmps, ntp, snmp, ssh |
Any address (0.0.0.0/0) |
Cluster management, SVM management, and node management LIFs |
mgmt-nfs |
dns, http, https, ndmp, ndmps, ntp, portmap, snmp, ssh |
Any address (0.0.0.0/0) |
Data LIFs that also support SVM management access |
intercluster |
https, ndmp, ndmps |
Any address (0.0.0.0/0) |
All intercluster LIFs |
data |
dns, ndmp, ndmps, portmap |
Any address (0.0.0.0/0) |
All data LIFs |
Portmap service configuration
The portmap service maps RPC services to the ports on which they listen.
The portmap service is managed automatically.
-
The portmap port is opened automatically for all LIFs that support the NFS service.
Create a firewall policy and assigning it to a LIF
Default firewall policies are assigned to each LIF when you create the LIF. In many cases, the default firewall settings work well and you do not need to change them. If you want to change the network services or IP addresses that can access a LIF, you can create a custom firewall policy and assign it to the LIF.
About this task
-
You cannot create a firewall policy with the
policy
namedata
,intercluster
,cluster
, ormgmt
.These values are reserved for the system-defined firewall policies.
-
You cannot set or modify a firewall policy for cluster LIFs.
The firewall policy for cluster LIFs is set to 0.0.0.0/0 for all services types.
-
If you need to modify or remove services, you must delete the existing firewall policy and create a new policy.
-
If IPv6 is enabled on the cluster, you can create firewall policies with IPv6 addresses.
After IPv6 is enabled,
data
andmgmt
firewall policies include ::/0, the IPv6 wildcard, in their list of accepted addresses. -
When using ONTAP System Manager to configure data protection functionality across clusters, you must ensure that the intercluster LIF IP addresses are included in the allowed list, and that HTTPS service is allowed on both the intercluster LIFs and on your company-owned firewalls.
By default, the
intercluster
firewall policy allows access from all IP addresses (0.0.0.0/0) and enables HTTPS, NDMP, and NDMPS services. If you modify this default policy, or if you create your own firewall policy for intercluster LIFs, you must add each intercluster LIF IP address to the allowed list and enable HTTPS service. -
The HTTPS and SSH firewall services are not supported.
-
The
management-https
andmanagement-ssh
LIF services are available for HTTPS and SSH management access.
Steps
-
Create a firewall policy that will be available to the LIFs on a specific SVM:
system services firewall policy create -vserver vserver_name -policy policy_name -service network_service -allow-list ip_address/mask
You can use this command multiple times to add more than one network service and list of allowed IP addresses for each service in the firewall policy.
-
Verify that the policy was added correctly by using the
system services firewall policy show
command. -
Apply the firewall policy to a LIF:
network interface modify -vserver vserver_name -lif lif_name -firewall-policy policy_name
-
Verify that the policy was added correctly to the LIF by using the
network interface show -fields firewall-policy
command.
Example of creating a firewall policy and applying it to a LIF
The following command creates a firewall policy named data_http that enables HTTP and HTTPS protocol access from IP addresses on the 10.10 subnet, applies that policy to the LIF named data1 on SVM vs1, and then shows all of the firewall policies on the cluster:
system services firewall policy create -vserver vs1 -policy data_http -service http - allow-list 10.10.0.0/16
system services firewall policy show Vserver Policy Service Allowed ------- ------------ ---------- ------------------- cluster-1 data dns 0.0.0.0/0 ndmp 0.0.0.0/0 ndmps 0.0.0.0/0 cluster-1 intercluster https 0.0.0.0/0 ndmp 0.0.0.0/0 ndmps 0.0.0.0/0 cluster-1 mgmt dns 0.0.0.0/0 http 0.0.0.0/0 https 0.0.0.0/0 ndmp 0.0.0.0/0 ndmps 0.0.0.0/0 ntp 0.0.0.0/0 snmp 0.0.0.0/0 ssh 0.0.0.0/0 vs1 data_http http 10.10.0.0/16 https 10.10.0.0/16 network interface modify -vserver vs1 -lif data1 -firewall-policy data_http network interface show -fields firewall-policy vserver lif firewall-policy ------- -------------------- --------------- Cluster node1_clus_1 Cluster node1_clus_2 Cluster node2_clus_1 Cluster node2_clus_2 cluster-1 cluster_mgmt mgmt cluster-1 node1_mgmt1 mgmt cluster-1 node2_mgmt1 mgmt vs1 data1 data_http vs3 data2 data