# Using Edge Gateway Firewall

## <mark style="color:green;">**Overview**</mark> <a href="#overview" id="overview"></a>

An edge gateway firewall monitors North-South traffic to provide perimeter security functionality, including firewall, Network Address Translation (NAT), and site-to-site IPSec and SSL VPN functionality.

This page describes the firewall rules you apply to an edge gateway firewall to protect the virtual machines in an organization's virtual data center from outside network traffic.

## <mark style="color:green;">**Procedure**</mark> <a href="#procedure" id="procedure"></a>

{% tabs %}
{% tab title="I. Predefine Object" %}
To create firewall rules and add them to an edge gateway, you first need to define the objects that a rule refers to:

*<mark style="color:blue;">Name</mark>*<mark style="color:blue;">: Name for the rule.</mark>

*<mark style="color:blue;">Source</mark>*<mark style="color:blue;">:</mark> <mark style="color:blue;"></mark><mark style="color:blue;">**IP Sets\Dynamic Groups\Static Group (1.1, 1.2, 1.3, 1.4)**</mark>

*<mark style="color:blue;">Destination</mark>*<mark style="color:blue;">:</mark> <mark style="color:blue;"></mark><mark style="color:blue;">**IP Sets\Dynamic Groups\Static Group (1.1, 1.2, 1.3, 1.4)**</mark>

*<mark style="color:blue;">Application:</mark>* <mark style="color:blue;">Select the applications (protocol and port) to which the rule applies</mark> <mark style="color:blue;">**(1.5)**</mark>

*<mark style="color:blue;">Action</mark>*<mark style="color:blue;">:</mark> <mark style="color:blue;"></mark><mark style="color:blue;">**Allow**</mark><mark style="color:blue;">\\</mark><mark style="color:blue;">**Reject**</mark><mark style="color:blue;">\\</mark><mark style="color:blue;">**Drop**</mark>

*<mark style="color:blue;">IP Protocol:</mark>* <mark style="color:blue;">**IPv4/IPv6**</mark> <mark style="color:blue;"></mark><mark style="color:blue;">or</mark> <mark style="color:blue;"></mark><mark style="color:blue;">**both**</mark>

* **1.1 Add an IP Set:**

IP sets are groups of IP addresses and networks to which the firewall rules apply (as **Source** and **Destination**).

**Step 1:** In the top navigation bar, click **Networking** and click **Edge Gateways**.

**Step 2:** Select the edge gateway that you want to edit.

<figure><img src="/files/sSW5C7zcHqAoVEjtvbBw" alt=""><figcaption></figcaption></figure>

**Step 3:** Under *Security*, click **IP Sets**.

**Step 4:** Click **New**.

**Step 5:** Enter a meaningful **Name** and a **Description** for the IP set.

**Step 6:** Enter an IPv4 address, IPv6 address, or an address range in CIDR format, and click **Add**.

**Step 7:** To modify an existing IP address or range, click **Modify** and edit the value.

**Step 8:** To confirm, click **Save**.

<figure><img src="/files/amq1T9fhn1yZrYy6K2Jx" alt=""><figcaption></figcaption></figure>

{% hint style="warning" %}
Please do not remove IP sets whose name starts with HIGIO- (if any).
{% endhint %}

* **1.2 Create a Static Security Group:**

Static security groups are data center group networks to which distributed firewall rules apply (as **Source** and **Destination**). Grouping networks helps you reduce the number of distributed firewall rules that need to be created.

**Step 1:** In the top navigation bar, click **Networking** and click **Edge Gateways**.

**Step 2:** Select the edge gateway that you want to edit.

<figure><img src="/files/E1Mg1OYWMFeC6eqm0sOr" alt=""><figcaption></figcaption></figure>

**Step 3:** Under *Security*, click **Static Groups**.

**Step 4:** Click **New**.

**Step 5:** Enter a **Name** and a **Description** for the static group, and click **Save**.

<figure><img src="/files/ZEdKPGFB9ONm5xp3pTP8" alt=""><figcaption></figcaption></figure>

The static security group will appear in the list.

**Step 6:** Select the newly created static security group and click **Manage Members**.

<figure><img src="/files/eGd6iUYfKCc00gc5stWP" alt=""><figcaption></figcaption></figure>

**Step 7:** Select the data center group networks that you want to add to the static security group, and click **Save**.

<div align="left"><figure><img src="/files/tsZITWIqO7RkCsPonX2N" alt=""><figcaption></figcaption></figure></div>

* **1.3 Assign Security Tags to VM:**

Security tags you create and assign to virtual machines help you define edge gateway and distributed firewall rules.

**Step 1:** In the top navigation bar, click **Networking**.

**Step 2:** Click **Security Tags**.

**Step 3:** Click **Add Tag**.

**Step 4:** Enter a **tag name**.

**Step 5:** From the list of virtual machines in the organization, select the ones to assign the newly created tag.

**Step 6:** Click **Save**.

<figure><img src="/files/vkkZhjjZGaj0cjZAG46w" alt=""><figcaption></figcaption></figure>

* **1.4 Create a Dynamic Security Group:**

You can define dynamic security groups of virtual machines based on specific criteria (**VM Name** or **Tag Name**) to which firewall rules should be applied.

**Step 1:** In the top navigation bar, click **Networking** and **Edge Gateways**.

**Step 2:** Select the edge gateway that you want to edit.

<figure><img src="/files/cWms6gAY29HCEeBbCrYd" alt=""><figcaption></figcaption></figure>

**Step 3**: Under *Security*, click **Dynamic Groups**.

**Step 4:** Click **New**.

**Step 5:** Enter a **Name** and a **Description** for the dynamic security group.

**Step 6:** To create a **Criterion** for inclusion in the group, add up to **four rules** that apply to a VM Name **or** a VM security tag.

* *VM Name:* a rule that applies to VM names containing or starting with a term you specify.
* *VM tag:* a rule that applies to VM tags that **equal**, **contain**, **start with**, or **end with** a term you specify.

<figure><img src="/files/AT7chfyhVk9XlU1OJNAb" alt=""><figcaption></figcaption></figure>

As shown in the figure, I created two rules:

* *VM Name*: **Starts With** “demo”
* *VM Tag*: **Equals** “non-prd” (the tag you created in **1.3**)

**Step 7**: Click **Save**.

* **1.5 Add a Custom Application Port Profile:**

You can use preconfigured and custom application port profiles to create firewall rules.

An application port profile combines a protocol with a port or a group of ports used by the firewall service.

**Step 1:** In the top navigation bar, click **Networking** and click **Edge Gateways**.

**Step 2:** Select the edge gateway that you want to edit.

<figure><img src="/files/MiQKUg2FGJGpk9TAiPbP" alt=""><figcaption></figcaption></figure>

**Step 3:** Under *Security*, click **Application Port Profiles**.

**Step 4:** In the **Custom Applications** pane, click **New**.

**Step 5:** Enter a **Name** and a **Description** for the application port profile.

**Step 6:** From the *Protocol* drop-down menu, select the protocol (**TCP**, **UDP**, **ICMPv4** or **ICMPv6**).

**Step 7:** Enter a port or a range of ports (multiple entries separated by commas), and click **Save**.

<figure><img src="/files/ipu7jYDlOgRFSmDNuQmR" alt=""><figcaption></figcaption></figure>
{% endtab %}

{% tab title="II. Add an Edge Gateway Firewall Rule" %}
With the objects predefined in the previous tab, create the edge gateway firewall rule as follows:

**Step 1:** In the top navigation bar, click **Networking** and click **Edge Gateways**.

**Step 2:** Select the edge gateway.

<figure><img src="/files/ZFiAhlCiT5z1PtewNyJM" alt=""><figcaption></figcaption></figure>

**Step 3:** Select **Firewall** under Services on the left.

**Step 4:** Click **Edit Rules**.

**Step 5:** To add a firewall rule, click **New on Top**.

{% hint style="warning" %}
Each traffic session is checked against the top rule in the firewall table before moving down to the subsequent rules in the table. The first rule in the table that matches the traffic parameters is enforced. Place more specific rules above broader ones: a broad rule placed first silently shadows any narrower rule below it.
{% endhint %}

**Step 6:** Configure the rule

*<mark style="color:blue;">**Name**</mark>*<mark style="color:blue;">: \[Name of rule]</mark>

*<mark style="color:blue;">**State**</mark>*<mark style="color:blue;">: \[Enable or disable rule by toggle]</mark>

*<mark style="color:blue;">**Applications**</mark>*<mark style="color:blue;">: Select default profiles or the custom profiles created in</mark> <mark style="color:blue;">**1.5**</mark>

*<mark style="color:blue;">**Source**</mark><mark style="color:blue;">:</mark>* <mark style="color:blue;">Select **Any** or an object created in</mark> *<mark style="color:blue;">**1.1, 1.2, 1.3, 1.4**</mark>*

*<mark style="color:blue;">**Destination**</mark><mark style="color:blue;">:</mark>* <mark style="color:blue;">Select **Any** or an object created in</mark> *<mark style="color:blue;">**1.1, 1.2, 1.3, 1.4**</mark>*

*<mark style="color:blue;">**Action**</mark><mark style="color:blue;">:</mark>* <mark style="color:blue;"></mark><mark style="color:blue;">**Allow**</mark><mark style="color:blue;">\\</mark><mark style="color:blue;">**Reject**</mark><mark style="color:blue;">\\</mark><mark style="color:blue;">**Drop**</mark>

*<mark style="color:blue;">**IP**</mark>* *<mark style="color:blue;">**Protocol**</mark><mark style="color:blue;">:</mark>* <mark style="color:blue;"></mark><mark style="color:blue;">**IPv4/IPv6**</mark> <mark style="color:blue;"></mark><mark style="color:blue;">or</mark> <mark style="color:blue;"></mark><mark style="color:blue;">**both**</mark>

*<mark style="color:blue;">**Logging**</mark><mark style="color:blue;">:</mark>* <mark style="color:blue;">\[Enable or disable by toggle] Enable this to have the address translation performed by this rule logged.</mark>

<figure><img src="/files/mrW6C0019y8GuOBaxX2z" alt=""><figcaption></figcaption></figure>

**Step 7:** Click **Save**.

After creating the firewall rules, they appear in the Edge Gateway Firewall Rules list. You can move up, down, edit, or delete the rules as needed.

{% hint style="warning" %}
Please do not remove rules whose name starts with HIGIO- (if any).
{% endhint %}
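As an added illustration of the first-match behaviour described in the warning above (example code written for this page, not HIGIO's or VMware's), the Python below walks a rule table top-down against constructed IP sets and application port profiles, and flags rules that an earlier rule shadows. Object names, addresses and the drop-by-default fallback are assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed stand-ins for the page's predefined objects: IP sets (1.1) and
# application port profiles (1.5). Names and addresses are examples only.
IP_SETS = {"web-servers": ["10.10.1.0/24"], "admin-hosts": ["203.0.113.10/32"]}
APP_PROFILES = {"HTTPS": ("TCP", {443}), "SSH": ("TCP", {22})}

# A rule is (name, source, destination, application, action); source and
# destination are "Any" or an IP set name, application "Any" or a profile name.
def ip_in(set_name, ip):
    return set_name == "Any" or any(ip_address(ip) in ip_network(n) for n in IP_SETS[set_name])

def app_in(profile, proto, port):
    return profile == "Any" or (APP_PROFILES[profile][0] == proto and port in APP_PROFILES[profile][1])

def evaluate(rules, src, dst, proto, port):
    # Top-down walk: the first rule that matches is enforced; no match -> Drop (assumed default).
    for name, s, d, app, action in rules:
        if ip_in(s, src) and ip_in(d, dst) and app_in(app, proto, port):
            return name, action
    return "default", "Drop"

def covers(outer, inner, table):
    # True when every member of object `inner` lies inside object `outer`.
    if outer == "Any" or inner == "Any":
        return outer == "Any"
    if table is APP_PROFILES:
        return outer == inner
    return all(any(ip_network(i).subnet_of(ip_network(o)) for o in table[outer]) for i in table[inner])

def shadowed_rules(rules):
    # Rules that can never match because an earlier rule covers their source, destination
    # and application: the earlier rule always wins, so the later one is dead configuration.
    found = []
    for i, (name, s, d, app, _) in enumerate(rules):
        for e_name, es, ed, e_app, _ in rules[:i]:
            if covers(es, s, IP_SETS) and covers(ed, d, IP_SETS) and covers(e_app, app, APP_PROFILES):
                found.append((name, e_name))
                break
    return found

# Constructed table with the ordering mistake: the admin Allow sits below the broad
# Drop, so it is shadowed and admins lose SSH. Moving it to the top fixes that.
RULES = [
    ("drop-ssh-from-internet", "Any", "web-servers", "SSH", "Drop"),
    ("allow-admin-ssh", "admin-hosts", "web-servers", "SSH", "Allow"),
    ("allow-https", "Any", "web-servers", "HTTPS", "Allow"),
]
```

Running `shadowed_rules(RULES)` reports the admin rule as shadowed; after moving it above the Drop rule the report is empty and admin SSH is allowed while SSH from elsewhere is still dropped.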
{% endtab %}
{% endtabs %}

