About ServiceNow Firewall Rules. What is a firewall rule? In short, it’s a way to restrict access to certain websites or applications, such as Facebook, Instagram, and Snapchat.
A firewall ruleset defines the types of traffic allowed through the network. For example, you may want to allow only HTTP traffic (web browsing) through the firewall, but block other types of traffic (e.g., FTP). There are several ways to create firewall rules, and each has its own pros and cons.
This article discusses the best methods for creating firewall rules.
Built-in Firewall Rules in NSX
The built-in firewall rules in NSX are easy to configure and use. This method leverages ESXi’s existing VM-VM firewall rules by permitting or denying traffic between the VMs. The downside to this approach is that it’s a static solution, so you have to manually create each firewall rule and the system only monitors one direction of traffic.
There are two options for creating a firewall rule:
a. Create a VM-VM firewall rule from the Networking & Security tab of the NSX Manager.
b. Create a VM-VM firewall rule from the vSphere Client.
Firewall Rules in Security Groups
In AWS, a security group defines which incoming and outgoing ports are open or blocked on an instance. Security groups are applied to instances when they are created and can be modified only if the instance is stopped.
In other words, security groups don’t work like an NSX firewall, which allows traffic through at all times, regardless of whether there is an active session established or not. Security groups work more like a traditional firewall, where traffic is blocked until an inbound rule opens the port. Once a port has been opened by an inbound rule, the corresponding outbound traffic may pass through as well.
The advantage of using Security Groups is that you don’t have to create any rules – you only have to open ports you need for application access. The disadvantage is that you have to open each port individually and can end up with lots of open ports depending on how many applications your instances need access to.
AWS Internal Load Balancer (ELB) Inbound Rules
The Internal ELB ruleset lets you define which internal TCP/UDP port(s) can be accessed from the internet and which IP address(es) they can be accessed from (Global and Regional). These rules work similarly to an external load balancer but are only accessible from within AWS.
You cannot select individual instances within the internal load balancer network; instead, all instances must be statically included or excluded from the ELB ruleset. Also, remember that all instances must be either part of or excluded from the Internal ELB – there is no option for partial inclusion/exclusion like there is with the External ELB.
Firewall Rules from the Web Console
Firewall rules from the web console are easy to manage, but it’s a slow process.
Step 1: Go to the Security Services page and find Firewall in the list of services. Click the Edit link for Firewall.
Step 2: In the Firewall Rules section, click New Firewall Rule to open a dialog box. At this point, you can create either an Outbound or Inbound rule.
Step 3: Give your rule a descriptive name and select an applicable policy.
Step 4: Choose a protocol (TCP or UDP) and enter the range of ports that you want to open. For example, if you only want to allow web browsing through the firewall, enter 80 (HTTP) in both fields.
Step 5: Click Save at the bottom of the screen and your firewall rule is saved.
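The two behaviours this article contrasts, a ruleset that judges every packet on its own (the "allow HTTP, block FTP" example near the top) and a security-group style filter where an inbound rule also opens the return path, can be made concrete with a small model. The following Python is an added example written for this article, not code from any of the products it mentions; the Rule and Packet types, the first-match evaluation order, the session table and the sample addresses are all constructed here for illustration. The rule shape (direction, protocol, port range, descriptive name) follows the fields the web-console steps above ask you to fill in.

```python
"""Toy packet-filter model for illustrating firewall rulesets.

Constructed for this example: the Rule/Packet types, the first-match
evaluation, the session table and every sample address are assumptions,
not any vendor's API or behaviour.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    direction: str   # "inbound" or "outbound"
    protocol: str    # "tcp" or "udp"
    port_from: int   # first destination port of the range (inclusive)
    port_to: int     # last destination port of the range (inclusive)
    action: str      # "allow" or "deny"
    name: str = ""   # descriptive name, as step 3 recommends


@dataclass(frozen=True)
class Packet:
    direction: str
    protocol: str
    src: str
    dst: str
    src_port: int
    dst_port: int


def matches(rule: Rule, pkt: Packet) -> bool:
    """A rule applies when direction, protocol and destination port range agree."""
    return (rule.direction == pkt.direction
            and rule.protocol == pkt.protocol
            and rule.port_from <= pkt.dst_port <= rule.port_to)


def evaluate(rules, pkt: Packet, default: str = "deny") -> str:
    """Stateless evaluation: first matching rule wins, else the default applies."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return default


class StatefulFilter:
    """Session-aware wrapper: once an inbound packet is allowed, the reply flow
    (same protocol, endpoints swapped) is allowed outbound without its own rule."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.sessions = set()

    def check(self, pkt: Packet) -> str:
        flow = (pkt.protocol, pkt.src, pkt.src_port, pkt.dst, pkt.dst_port)
        reverse = (pkt.protocol, pkt.dst, pkt.dst_port, pkt.src, pkt.src_port)
        if reverse in self.sessions:
            return "allow"  # return traffic of a session an inbound rule opened
        verdict = evaluate(self.rules, pkt)
        if verdict == "allow" and pkt.direction == "inbound":
            self.sessions.add(flow)
        return verdict


# "Allow only web browsing": a single inbound rule with 80 in both range fields.
WEB_ONLY = [Rule("inbound", "tcp", 80, 80, "allow", "allow-http")]

# Constructed sample traffic (documentation-range addresses).
HTTP_IN = Packet("inbound", "tcp", "203.0.113.5", "10.0.0.10", 51000, 80)
FTP_IN = Packet("inbound", "tcp", "203.0.113.5", "10.0.0.10", 51001, 21)
HTTP_REPLY = Packet("outbound", "tcp", "10.0.0.10", "203.0.113.5", 80, 51000)
UNSOLICITED_OUT = Packet("outbound", "tcp", "10.0.0.10", "198.51.100.7", 40000, 443)


def stateless_demo():
    """Every packet judged alone: the HTTP reply is dropped for lack of an outbound rule."""
    return tuple(evaluate(WEB_ONLY, p) for p in (HTTP_IN, FTP_IN, HTTP_REPLY))


def stateful_demo():
    """Security-group style: the allowed inbound request opens the path for its reply,
    while FTP and an unrelated outbound connection stay blocked."""
    fw = StatefulFilter(WEB_ONLY)
    return tuple(fw.check(p) for p in (HTTP_IN, FTP_IN, HTTP_REPLY, UNSOLICITED_OUT))


if __name__ == "__main__":
    print("stateless:", stateless_demo())
    print("stateful: ", stateful_demo())
```

Run it and compare the two tuples: the stateless ruleset returns deny for the HTTP reply because nothing allows outbound traffic, which is why a one-direction ruleset needs a matching rule for each direction, while the stateful filter allows the same reply only because it belongs to a session that an inbound allow rule created. The unsolicited outbound packet is denied in both models, showing that "opening port 80 inbound" does not open anything else.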
The pros and cons
The pros of using firewall rules from the web console are that it is easy to use and you don’t need any extra software or licenses. Additionally, you can use this method for multiple firewalls at once, so if you have several firewalls in a high availability configuration, this method is more efficient than others for managing rulesets among them.
The main con of using firewall rules from within the console is that it is slow; it takes several minutes for a new rule to take effect after creation from within the console itself.