CA API Gateway - 9.3

Manage Firewall Rules

Last update September 12, 2018

The Manage Firewall Rules task is used to manage the firewall rules that are used to control traffic flow into the CA API Gateway. You can create, clone, edit, or remove a rule.

This topic also describes how to create rules to allow the Gateway to accept traffic on lower port numbers (such as 80 or 443). This ability is not enabled by default in the factory configuration of the Gateway. 

Using a Software Gateway?

This topic applies only to the Appliance Gateways. For Software Gateways, you manage firewall settings on the host computer. Ensure that the firewall on the host computer allows traffic on all the ports listed in Manage Firewall Rules. For a list of the ports required, consult the file <Gateway_home>/var/firewall_rules on the Gateway. This file is a standard Linux firewall configuration file that can be used to automatically adjust the firewall, if you are using the Linux RHEL version of the Gateway.

Using the Manage Firewall Rules Task

To manage firewall rules

  1. In the Policy Manager, select [Tasks] > Transports > Manage Listen Ports from the Main Menu (on the browser client, from the Manage menu). Click the Manage Firewall Rules button. The Manage Firewall Rules dialog appears.
  2. The dialog lists each rule under the following columns (these are set in the firewall rule properties):

    • Enabled: Indicates whether the rule is enabled or not.
    • Name: The "friendly" name that is given to the rule. This name is used only for logging and display purposes.
    • Protocol: Select the transport protocol that is associated with the rule from the drop-down list. The following protocols are available:
        • TCP
        • UDP
        • ICMP (This protocol is only available via the Advanced Properties settings.)
    • Interface: Lists the interfaces that are bound by the rule.
    • Port: The port number that is associated with the rule. The port number must be between 1 and 65535 (inclusive).
    • Action: This is the rule action. See Manage Interfaces for details.

  3. Select a task to perform:

    • Add a new firewall rule:
        1. Click [Create].
        2. Complete the Firewall Rule Properties.
    • Clone an existing firewall rule:
        1. Select the rule to clone.
        2. Click [Clone].
        3. Edit the Firewall Rule Properties as required.
    • Remove a firewall rule:
        1. Select the rule to remove.
        2. Click [Remove].
        3. Click [Yes] to confirm removal of the rule.
    • View or edit the properties of a firewall rule:
        1. Select the rule to view.
        2. Click [Properties].
        3. Edit the Firewall Rule Properties as required.
    • Create an advanced firewall rule:
        1. Click [Advanced Create].
        2. Click [OK]. View Firewall Rule Properties for details.
    • Advanced Properties:
        1. Select the rule to view.
        2. Click [Advanced Properties]. View Firewall Rule Properties for details.
    • Restore Defaults: Click [Restore Defaults] to restore to the default firewall rules of the Gateway appliance. All custom rules are removed.
    • Reorder the list of rules: Select a firewall rule and then click [Move Up] or [Move Down] to reorder the list of rules. The rules within each action type (Accept/Redirect/Drop) will be applied sequentially, in a top-to-bottom order. Moving the rule to the top will execute it first in the action group. Moving the rule down will make it apply later in that action group.

  4. Click [Close] to exit the dialog box.


Configuring the Gateway for Ports 80 and 443

Ports 80 and 443 are the standard port numbers for HTTP and HTTPS, but the Gateway does not accept traffic on these ports by default. The factory configuration of the Gateway uses port 8080 (for HTTP) and 8443/9443 (for HTTPS). Typically a load balancer in front of the Gateway accepts traffic on port 80 or 443 and then forwards this traffic over 8080 or 8443. When a load balancer is not possible in the workflow, you can configure the Gateway to accept the traffic itself.

To configure the Gateway to use port 80 and 443, or any low number port:

  1. Run [Manage Firewall Rules] as described above.
  2. Click Create.
  3. Complete the Simple Firewall Rules Properties as follows:
    • Rule Name: Enter a name for this rule (for example, "Sample HTTPS Redirect")
    • Enable: Select this check box.
    • Rule Action: Redirect
    • Interface: Normally All is used, but you can assign this rule to a specific interface
    • Protocol: tcp
    • From Port: Enter the port that the Gateway listens on (for example, "443")
    • To Port: Enter the port to which traffic is redirected (for example, "8443")
  4. Click OK to save the new firewall rule.
  5. Click Close to exit Manage Firewall Rules. The new rule takes effect immediately, with no Gateway restart required.
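
Once redirect rules exist, it is worth checking that each one lands on an intended listen port and that the target port is itself allowed in. The following is an added example, not CA's code: it assumes the rules are available in iptables-save syntax, and the sample rules, function names, and expected-port set are constructed for illustration.

```python
import shlex

# Constructed sample in iptables-save syntax (assumed format, not from a real Gateway).
SAMPLE_RULES = """\
*nat
-A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A PREROUTING -p tcp -m tcp --dport 81 -j REDIRECT --to-ports 22
-A PREROUTING -p tcp -m tcp --dport 444 -j REDIRECT --to-ports 9443
COMMIT
*filter
-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8443 -j ACCEPT
COMMIT
"""

# Factory listen ports named on this page; adjust to your own listen ports.
EXPECTED_TARGETS = {8080, 8443, 9443}

def parse_rules(text):
    """Yield (chain, action, options) for each '-A' rule that matches one port."""
    for line in text.splitlines():
        if not line.startswith("-A "):
            continue
        tok = shlex.split(line)
        opts = {tok[i]: tok[i + 1] for i in range(len(tok) - 1)
                if tok[i].startswith("-")}
        if opts.get("--dport", "").isdigit():  # port ranges are skipped
            yield opts["-A"], opts.get("-j"), opts

def redirects(text):
    """Return REDIRECT rules as dicts that mirror the dialog's fields."""
    return [{"interface": o.get("-i", "All"), "protocol": o.get("-p"),
             "from_port": int(o["--dport"]), "to_port": int(o["--to-ports"])}
            for chain, action, o in parse_rules(text)
            if action == "REDIRECT" and o.get("--to-ports", "").isdigit()]

def audit(text, expected=EXPECTED_TARGETS):
    """Flag redirects whose target is unexpected or not accepted on INPUT."""
    # REDIRECT rewrites the port in PREROUTING, so INPUT sees the target port.
    accepted = {int(o["--dport"]) for chain, action, o in parse_rules(text)
                if chain == "INPUT" and action == "ACCEPT"}
    findings = []
    for r in redirects(text):
        if r["to_port"] not in expected:
            findings.append((r["from_port"], r["to_port"], "unexpected target"))
        elif r["to_port"] not in accepted:
            findings.append((r["from_port"], r["to_port"], "target not accepted"))
    return findings
```

Calling audit(SAMPLE_RULES) returns the two constructed problem rules: the redirect from 81 to 22 and the redirect from 444 to 9443, whose target has no accept rule.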

