Introduction

Currently, when CLM 3.1 adds inbound or outbound firewall rules via the BMC Network Automation web services API, it can specify only one destination port to allow or deny. To allow or deny multiple destination ports, CLM has to create one firewall rule per destination port. Since all the firewalls we support (Cisco ASA/FWSM/PIX, Fortigate, Juniper, ASA100v, Checkpoint, VSG, VShieldApp, IOS, PaloAlto) have an option for specifying port ranges, it would be ideal if CLM specified a low port and a high port. The port range support we implement for low-level firewall rules would additionally be re-used by high-level path rules.

How to specify port ranges

Support for specifying port ranges is available starting with CLM 4.0. Here is a screenshot from the CLM UI:

[Screenshot: FirewallRule.png]

The following link explains how to specify a single port or a range of ports:

https://docs.bmc.com/docs/display/public/clm40/Creating+and+editing+firewall+rules#Creatingandeditingfirewallrules-Toaddafirewallrule

Firewall Rule Sorting using port ranges

In BNA we sort order-sensitive rules if the global property vdcFirewallRuleSortingEnabled is set to true. Firewall sorting is turned on by default.

Two rules are order sensitive if the source and destination of one rule are contained within the source and destination of the other, and one is a permit rule while the other is a deny rule. For example:

R1 = permit tcp 10.1.1.0/24 12.1.1.0/24 eq 8080

R2 = deny   tcp 10.1.1.1 12.1.1.1 eq 8080

Here the source and destination of R2 are completely contained within those of R1. Therefore we can say

R2 < R1, i.e. when we sort these rules, R2 should appear before R1.

‘<’ means precedes.

We now handle order-sensitive rules as below:

  1. The more specific subnet or host takes precedence, irrespective of port range.
  2. If the subnets or hosts match, the more specific port takes precedence.

#1 More specific subnet/host precedence

R1 permit tcp 10.1.1.1 12.1.1.1 range 8000 9000

R2 deny   tcp 10.1.1.0/24 12.1.1.0/24 eq 8080

Result : R1 < R2 since R1 defines a specific host.

R1 permit tcp 10.1.1.0/24 12.1.1.0/24 eq 8080

R2 deny   ip 10.1.1.1 12.1.1.1

Result : R2 < R1 since R2 defines a specific host.

#2 More specific port takes precedence

R1 permit tcp 10.1.1.0/24 12.1.1.0/24 range 8000 9000

R2 deny   tcp 10.1.1.0/24 12.1.1.0/24 eq 8080

Result : R2 < R1 since R2 defines a more specific destination port.

#3 If two ports or port ranges are distinct, they appear in sorted order.

R1 permit tcp 10.1.1.0/24 12.1.1.0/24 eq 8090

R2 deny   tcp 10.1.1.0/24 12.1.1.0/24 eq 8080

Result : R2 < R1 since R2 has the lower value for the destination port.
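To make the three sorting cases above concrete, here is a small model of the comparison in Python. It is an added illustration written for this post, not BNA's own implementation: the `Rule` type, the `parse_rule` notation (the same `eq N` / `range L H` syntax used in the examples), and the rule names A to E in the sample set are assumptions, and a rule with no port clause (such as `deny ip ...`) is modelled as the full range 0-65535. The comparator applies the address-specificity test first, then port-range containment, then numeric port order, and the sample set combines the page's examples under distinct names so a single sort shows all three cases at once.

```python
"""Toy model of the order-sensitive firewall rule sort described above.
Added illustration for this post; not BNA's own code."""
import ipaddress
from dataclasses import dataclass
from functools import cmp_to_key


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                  # "permit" or "deny"
    proto: str                   # "tcp", "udp" or "ip"
    src: ipaddress.IPv4Network   # a single host is stored as a /32
    dst: ipaddress.IPv4Network
    port_low: int = 0            # 0-65535 models "any port" (e.g. proto ip, no port clause)
    port_high: int = 65535


def parse_rule(name: str, text: str) -> Rule:
    """Parse the notation used above: '<action> <proto> <src> <dst> [eq N | range L H]'."""
    tok = text.split()
    action, proto, src, dst = tok[:4]
    low, high = 0, 65535
    if len(tok) > 4:
        if tok[4] == "eq":
            low = high = int(tok[5])
        elif tok[4] == "range":
            low, high = int(tok[5]), int(tok[6])
        else:
            raise ValueError(f"unknown port clause in rule {name}: {text}")
    if not (0 <= low <= high <= 65535):
        raise ValueError(f"bad port range in rule {name}: {low}-{high}")
    # ip_network("10.1.1.1") yields 10.1.1.1/32, so hosts and subnets share one type.
    return Rule(name, action, proto,
                ipaddress.ip_network(src, strict=False),
                ipaddress.ip_network(dst, strict=False), low, high)


def addresses_within(a: Rule, b: Rule) -> bool:
    """True when a's source and destination both lie inside b's."""
    return a.src.subnet_of(b.src) and a.dst.subnet_of(b.dst)


def ports_within(a: Rule, b: Rule) -> bool:
    """True when a's destination port range lies inside b's."""
    return b.port_low <= a.port_low and a.port_high <= b.port_high


def order_sensitive(a: Rule, b: Rule) -> bool:
    """The definition given above: nested addresses and opposite actions."""
    return a.action != b.action and (addresses_within(a, b) or addresses_within(b, a))


def compare(a: Rule, b: Rule) -> int:
    """Negative means a precedes b ('a < b' in the notation used above)."""
    a_in_b, b_in_a = addresses_within(a, b), addresses_within(b, a)
    # #1: the more specific subnet/host goes first, whatever the ports say.
    if a_in_b and not b_in_a:
        return -1
    if b_in_a and not a_in_b:
        return 1
    # #2: addresses equal (or unrelated): the narrower port range goes first.
    a_in_b, b_in_a = ports_within(a, b), ports_within(b, a)
    if a_in_b and not b_in_a:
        return -1
    if b_in_a and not a_in_b:
        return 1
    # #3: distinct ranges: numeric order of the low port, then the high port.
    return (a.port_low - b.port_low) or (a.port_high - b.port_high)


def sort_rules(rules) -> list:
    """Return rule names in the order they should be pushed to the device."""
    return [r.name for r in sorted(rules, key=cmp_to_key(compare))]


# Constructed sample set: the examples above, combined under distinct names.
SAMPLE = [parse_rule(n, t) for n, t in [
    ("A", "permit tcp 10.1.1.0/24 12.1.1.0/24 range 8000 9000"),
    ("B", "deny   tcp 10.1.1.0/24 12.1.1.0/24 eq 8080"),
    ("C", "deny   ip  10.1.1.1    12.1.1.1"),
    ("D", "permit tcp 10.1.1.1    12.1.1.1    range 8000 9000"),
    ("E", "permit tcp 10.1.1.0/24 12.1.1.0/24 eq 8090"),
]]

if __name__ == "__main__":
    print(sort_rules(SAMPLE))   # ['D', 'C', 'B', 'E', 'A']
```

Running it yields D, C, B, E, A: the two host rules come first regardless of their ports (#1), and within the host pair and the subnet group the narrower port range precedes the wider one (#2), with the two single ports 8080 and 8090 falling into numeric order (#3). Pairs whose addresses are unrelated are not order sensitive by the definition above; the comparator still orders them by port so the sort is deterministic, but nothing on the device depends on that choice.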

More documentation on firewall rule sorting:

https://docs.bmc.com/docs/display/public/bna85/_Sorting+rules+for+firewalls

Here is the link to the CLM 4.1 documentation:

https://docs.bmc.com/docs/display/public/clm41/Creating+and+editing+firewall+rules?src=search&src=search
