Establishing Firewall Rules

Please check the Understanding Firewall Ports for the ArcSight Platform page to verify which ports need to be open on the firewall.

The firewall rules configured here will apply to all the subnets of the VPC, allowing or denying incoming or outgoing traffic, depending on your needs. For more information about rules see Use VPC firewall rules.

The command to create a rule is:

gcloud compute firewall-rules create <Rule_Name> --description="<DESCRIPTION>" --direction=INGRESS --priority=<PRIORITY> --network=<VPC_NETWORK_NAME> --action=ALLOW --rules=<PROTOCOL:PORT> --source-ranges=<SOURCE_IP_RANGE> --destination-ranges=<DESTINATION_IP_RANGE>

Where:

<Rule_Name> is the name of the firewall rule to be created

<DESCRIPTION> is an optional description of the rule

--direction is one of INGRESS, EGRESS, IN or OUT. If it is not specified, the rule applies to incoming traffic only.

<PRIORITY> is an integer between 0 and 65535 and defaults to 1000 when not specified; rules with lower values are evaluated first.

<VPC_NETWORK_NAME> is the network to which this rule is attached

--action is what the firewall rule does with matching traffic: either ALLOW or DENY

<PROTOCOL:PORT> is a comma-separated list of protocols and ports (for example tcp:22, or all) whose traffic is controlled by the firewall rule

<SOURCE_IP_RANGE> is a list of IP address blocks allowed to make inbound connections to the instances on the network (as long as the traffic matches the rest of the rule)

<DESTINATION_IP_RANGE> is a list of IP address blocks; the firewall rule applies only to traffic whose destination address falls within them

Management Subnet Setup: SSH and HTTP/HTTPS ports

The Management Subnet requires an SSH port open to the IP address ranges your deployment allows.

In the following example the SSH port is opened to all IP addresses (0.0.0.0/0 in the --source-ranges argument).

#Open SSH ports from the Internet to Management Subnet
gcloud compute --project=security-arcsight-nonprod firewall-rules create bastion-ssh --description="Allows SSH communication to the Management Subnet" --direction=INGRESS --priority=1010 --network=gcp-arcsight-test --action=ALLOW --rules=tcp:22 --source-ranges=0.0.0.0/0 --destination-ranges=10.49.0.0/24

Using a comma-separated list of IP ranges instead limits the addresses allowed to make inbound connections, as in the next example:

#Open SSH ports from specific IPs to Management Subnet (--rules needs the protocol as well as the port)
gcloud compute --project=security-arcsight-nonprod firewall-rules create bastion-ssh --description="Allows SSH communication to the Management Subnet" --direction=INGRESS --priority=1010 --network=gcp-arcsight-test --action=ALLOW --rules=tcp:22 --source-ranges=1.1.1.1/32,2.2.2.0/24 --destination-ranges=10.49.0.0/24

While working from the bastion you will need to connect to various resources on the internet. The ports, protocols and allowed ranges are shown in the following table:

Port   Protocol   Allowed CIDR   Description
80     TCP        0.0.0.0/0      HTTP
443    TCP        0.0.0.0/0      HTTPS

In the following example HTTP and HTTPS ports are open for the Management Subnet:

#Open HTTP and HTTPS ports from Management Subnet to the Internet
gcloud compute --project=security-arcsight-nonprod firewall-rules create bastion  --description="Allows access from the Management Subnet to internet on HTTP and HTTPS ports" --direction=EGRESS --priority=2000 --network=gcp-arcsight-test --action=ALLOW --rules=tcp:80,tcp:443 --source-ranges=10.49.0.0/24 --destination-ranges=0.0.0.0/0

Private Subnet Setup: own ports, SSH and HTTP/HTTPS ports

The Private Subnet requires rules to communicate with its own ports, with the Management Subnet (through SSH) and with internet resources (HTTP/HTTPS).

Communication between all nodes on the Private Subnet requires an ingress rule allowing all traffic that originates from the same IP range (the same value in --source-ranges and --destination-ranges). For example:

#Open ports from and to Private Subnet to Private Subnet
gcloud compute --project=security-arcsight-nonprod firewall-rules create private-to-private-ingress --description="Allows communication on all ports between nodes within Private Subnets" --direction=INGRESS --priority=1010 --network=gcp-arcsight-test --action=ALLOW --rules=all --source-ranges=10.1.0.0/24 --destination-ranges=10.1.0.0/24

In the following example the SSH port is opened to allow communication from the Management Subnet to the Private Subnet:

#Open SSH ports from Management Subnet to the Private Subnet (the rule name must differ from the bastion-ssh rule created above; mgmt-to-private-ssh is an example name)
gcloud compute --project=security-arcsight-nonprod firewall-rules create mgmt-to-private-ssh --description="Allows SSH communication from the Management Subnet to the Private Subnet" --direction=INGRESS --priority=1010 --network=gcp-arcsight-test --action=ALLOW --rules=tcp:22 --source-ranges=10.49.0.0/24 --destination-ranges=10.1.0.0/24

To retrieve external resources (such as product images from the ECR, OS updates, OMT, and similar files), the internal resources inside the Private Subnet need to be able to connect to the internet over HTTP/HTTPS. For example:

#Open HTTP and HTTPS ports from Private Subnet to the Internet
gcloud compute --project=security-arcsight-nonprod firewall-rules create arcsight-suite-private-private-egress  --description="Allows access from the Private Subnets to internet on HTTP and HTTPS ports" --direction=EGRESS --priority=2010 --network=gcp-arcsight-test --action=ALLOW --rules=tcp:80,tcp:443 --source-ranges=10.1.0.0/24 --destination-ranges=0.0.0.0/0

Block all other communication attempts

An explicit deny rule that blocks all non-allowed communication must be created for both subnets, as in the example below, which uses priority 65535 so that every allow rule is evaluated before it:

#Create an explicit rule that denies all non-allowed inbound communication to the Management and Private subnets
gcloud compute --project=security-arcsight-nonprod firewall-rules create deny-all-ingress --description="Deny all non-allowed ingress communication to the Private and Management network" --direction=INGRESS --priority=65535 --network=gcp-arcsight-test --action=DENY --rules=all --source-ranges=0.0.0.0/0 --destination-ranges=10.1.0.0/24,10.49.0.0/24

Remember to record all the configuration values used here in your Google Cloud worksheet.
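To check how the rules above combine before deploying them, here is an added example (not part of the ArcSight documentation) that replays the VPC firewall's evaluation order over this page's ingress rules, written in the JSON shape that gcloud compute firewall-rules list --format=json returns. The flow addresses 203.0.113.x and the rule name mgmt-to-private-ssh are constructed for the example.

```python
import ipaddress

# Constructed sample: this page's ingress rules as `gcloud compute
# firewall-rules list --format=json` returns them (the management-to-private
# SSH rule gets its own name, since two rules cannot both be called bastion-ssh).
RULES = [
    {"name": "bastion-ssh", "direction": "INGRESS", "priority": 1010,
     "sourceRanges": ["0.0.0.0/0"], "destinationRanges": ["10.49.0.0/24"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    {"name": "private-to-private-ingress", "direction": "INGRESS", "priority": 1010,
     "sourceRanges": ["10.1.0.0/24"], "destinationRanges": ["10.1.0.0/24"],
     "allowed": [{"IPProtocol": "all"}]},
    {"name": "mgmt-to-private-ssh", "direction": "INGRESS", "priority": 1010,
     "sourceRanges": ["10.49.0.0/24"], "destinationRanges": ["10.1.0.0/24"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    {"name": "deny-all-ingress", "direction": "INGRESS", "priority": 65535,
     "sourceRanges": ["0.0.0.0/0"], "destinationRanges": ["10.1.0.0/24", "10.49.0.0/24"],
     "denied": [{"IPProtocol": "all"}]},
]

def _in_ranges(ip, ranges):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(r) for r in ranges)

def _spec_matches(spec, proto, port):
    # One allowed/denied entry: protocol "all" or equal; no port list = every port.
    if spec["IPProtocol"] not in ("all", proto):
        return False
    for p in spec.get("ports") or []:
        lo, _, hi = p.partition("-")          # "22" or "8000-8100"
        if int(lo) <= port <= int(hi or lo):
            return True
    return not spec.get("ports")

def evaluate(rules, direction, src, dst, proto, port):
    """(action, rule name) for one flow, with VPC firewall semantics: the lowest
    priority number is checked first, DENY beats ALLOW at equal priority, and the
    implied rules (deny ingress, allow egress) apply when nothing matches."""
    for rule in sorted(rules, key=lambda r: (r["priority"], "denied" not in r)):
        if rule["direction"] != direction or rule.get("disabled"):
            continue
        if not _in_ranges(src, rule.get("sourceRanges", ["0.0.0.0/0"])):
            continue
        if not _in_ranges(dst, rule.get("destinationRanges", ["0.0.0.0/0"])):
            continue
        for key, action in (("denied", "DENY"), ("allowed", "ALLOW")):
            if any(_spec_matches(s, proto, port) for s in rule.get(key, [])):
                return action, rule["name"]
    return ("DENY", "implied-deny") if direction == "INGRESS" else ("ALLOW", "implied-allow")
```

Feeding the real output of the list command into evaluate() in place of RULES shows which rule would decide a given flow, for example that SSH from the internet reaches the Management Subnet but is stopped by deny-all-ingress on the Private Subnet.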