How do I configure APC Network Management Card's Firewall?

Product Line:
Network Management Card 2 (NMC2) - AP9630/AP9630CH, AP9631/AP9631CH, AP9635/AP9635CH
Network Management Card 3 (NMC3) - AP9640, AP9641

Environment:
Network Management Card-enabled devices with a firewall feature

Cause:
A network management card's firewall feature needs to be configured according to the customer's requirement.

Resolution:
This article supplements the NMC user's manual (see pages 47 to 49) and other support documents on this topic, to help users configure the firewall feature of their NMC.

The configuration instructions were broken down and simplified to make it easier for the users to understand how the NMC firewall works.

Please be advised that Schneider Electric strongly recommends that the NMCs should not be exposed to the public Internet and should be deployed behind an appropriate Stateful Packet Inspection (SPI) firewall. The firewall feature of the NMC does not replace this.

Pick the firewall approach that best suits your configuration.

The two possible firewall configurations are as follows:
  • White List - Allowed network traffic is defined in the earlier policies, and everything else is denied.
  • Black List - Denied network traffic is defined in the earlier policies, and everything else is allowed.
To better explain the difference between the two, please refer to the samples below:

Whitelist
priority 10, destination host 10.10.10.44 port 161, source host any, protocol udp, action allow
priority 20, destination host 10.10.10.44, source subnet 10.10.10.0/24, protocol any, action allow
priority 50, destination host 10.10.10.44, source range 10.10.11.146 10.10.11.147, protocol tcp, action allow
priority 250, destination host any, source host any, protocol any, action discard

Blacklist
priority 10, destination host 10.10.10.44 port 161, source host any, protocol udp, action discard
priority 30, destination host 10.10.10.44, source subnet 10.10.13.0/24, protocol any, action discard
priority 50, destination host 10.10.10.44, source range 10.10.11.146 10.10.11.147, protocol tcp, action discard
priority 250, destination host any, source host any, protocol any, action allow

Choosing the closest syntax to edit
Once the customer has decided which of the two firewall configurations fits them, they will have to define the lower-numbered priorities based on their preference. It is good practice to download a copy of the example.fwl file, as it contains the basic syntax of each priority and some real-life firewall priority samples that can be used as a guide in defining your preferred priorities.

The example.fwl file suggests that if you want to let anyone in your network telnet to your NMC (192.168.9.108) and create a firewall log for it, you can use the syntax below:
priority 50, destination host 192.168.9.108 port 23, source any, protocol tcp, action allow log

You can modify the syntax above slightly depending on your goal. If you want to deny telnet access instead of allowing it, change the action from allow to discard. The idea is to start from the sample priority closest to what you want, to minimize editing.

If you want to allow SSH access instead of telnet, change the port from 23 to 22:
priority 50, destination host 192.168.9.108 port 22, source any, protocol tcp, action allow log

Note: Telnet and SSH can be disabled directly from the card, should the customer want these protocols to be unavailable. These are just used as samples to better describe how the priorities are edited.

Repeat this step until all the higher priorities are filled.

Saving the edited .fwl file and uploading it to the NMC
Once you have completed the list of priorities for your firewall, save the edited .fwl file under a different name so you can go back to the original file for the syntax samples if needed. After saving the file, log in to your NMC web interface and go to Configuration -> Security -> Firewall -> Load Policy.

In the Firewall File page, click the choose file button and navigate your way to the location of the firewall file that you saved earlier to select it. Once the file is selected, click the “Apply” button to upload the firewall file.

Checking the firewall policies for errors
After the firewall file is uploaded, go to Configuration -> Security -> Firewall -> Create/Edit Firewall Policy. From the drop-down menu, select the policy name that you have uploaded and click the edit policy button, so you can check that the policy shown on the card matches the file that you uploaded.

If you still want to add another priority to the list, you can click the Add rule button and fill in the necessary fields for the new priority. Just make sure that the lowest priority defined (the highest-numbered rule, such as priority 250 in the samples above) is the rule that either allows or denies all other traffic not mentioned in the higher priorities in the list.
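The following is an added example, not APC code or part of the NMC firmware. It parses the whitelist sample shown earlier on this page, reports which rule decides a given packet, and checks that the highest-numbered rule is the catch-all described above. It assumes rules are evaluated in ascending priority number with the first match winning, it handles only the rule forms that appear on this page, and all function names are hypothetical.

```python
import ipaddress
import re

# The whitelist sample from this page, embedded so the example runs offline.
WHITELIST = """\
priority 10, destination host 10.10.10.44 port 161, source host any, protocol udp, action allow
priority 20, destination host 10.10.10.44, source subnet 10.10.10.0/24, protocol any, action allow
priority 50, destination host 10.10.10.44, source range 10.10.11.146 10.10.11.147, protocol tcp, action allow
priority 250, destination host any, source host any, protocol any, action discard
"""

def parse_endpoint(text):
    """Parse 'host A [port N]', 'subnet CIDR', 'range A B' or 'any' into (matcher, port)."""
    m = re.search(r"\bport (\d+)$", text)
    port = int(m.group(1)) if m else None
    words = (text[:m.start()] if m else text).split()
    if words[-1] == "any":
        return (lambda ip: True), port
    if words[0] == "subnet":
        net = ipaddress.ip_network(words[1])
        return (lambda ip: ip in net), port
    if words[0] == "range":
        lo, hi = (ipaddress.ip_address(w) for w in words[1:3])
        return (lambda ip: lo <= ip <= hi), port
    host = ipaddress.ip_address(words[1])
    return (lambda ip: ip == host), port

def parse_policy(text):
    rules = []
    for line in filter(None, (l.strip() for l in text.splitlines())):
        f = dict(part.strip().split(" ", 1) for part in line.split(","))
        rules.append({"priority": int(f["priority"]), "proto": f["protocol"],
                      "dst": parse_endpoint(f["destination"]), "src": parse_endpoint(f["source"]),
                      "action": f["action"].split()[0], "fields": f})
    return sorted(rules, key=lambda r: r["priority"])  # assumed evaluation order

def decide(rules, src, dst, proto, dport):
    """First matching rule wins; returns (action, priority), or (None, None) if nothing matches."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        (dst_ok, port), (src_ok, _) = r["dst"], r["src"]
        if (dst_ok(dst) and src_ok(src) and r["proto"] in ("any", proto)
                and port in (None, dport)):
            return r["action"], r["priority"]
    return None, None

def has_catch_all(rules):
    f = rules[-1]["fields"]  # highest-numbered rule must match any destination, source, protocol
    return all(f[k].split()[-1] == "any" for k in ("destination", "source", "protocol"))
```

Running `decide` over the whitelist shows that priority 10 admits UDP 161 from any source address, so SNMP reachability is not limited to the subnet and range named in the later rules.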

Testing the firewall
After the policies are finalized, go to Configuration -> Security -> Firewall -> Test to test the NMC. The test activates the firewall for a specified time, after which the NMC reverts to its normal settings. This lets the user see how the firewall behaves once active and confirm that it works as expected.

Activating and Enabling the Firewall
After the firewall has been tested and confirmed to work as expected, go to Configuration -> Security -> Firewall -> Active Policy. Once you are on the Firewall Policy page, select the firewall that you have tested from the drop-down menu and click Apply.

Once applied, go to Configuration -> Security -> Firewall -> Configuration. Once you are on the Firewall Configuration page, ensure that the firewall file that you applied earlier appears on the page, and then click the checkbox for enabling before hitting the Apply button to save the changes.
