This is the multi-page printable view of this section. Click here to print.

Return to the regular view of this page.

How-to guides

Users can create a Firewall service by entering required information and selecting detailed options through the Samsung Cloud Platform Console.

Creating a Firewall

You can create and use a Firewall service through the Samsung Cloud Platform Console.

Notice

The Firewall service must be set to Use in the prerequisite service of Networking to be created. Firewalls set to use can be checked on the Firewall list.

  • Firewall cannot be created separately like other services on the Samsung Cloud Platform Console.

To set up Firewall use, follow these steps:

  1. Click the All Services > Networking > Firewall menu. You will be redirected to the Firewall Service Home page.

  2. On the Service Home page, click the prerequisite service to create. You will be redirected to the service creation page.

    • Create VPC: Set up Firewall use for Internet Gateway and Transit Gateway of VPC service.
      • When creating VPC’s Internet Gateway service, set the Use Firewall item to Use. For detailed instructions, refer to Creating Internet Gateway.
      • Create VPC’s Transit Gateway service and apply for the Uplink Firewall associated service. For detailed instructions, refer to Creating Transit Gateway.
    • Create Direct Connet: Set the Use Firewall item to Use when creating the Direct Connet service. For detailed instructions, refer to Creating Direct Connect.
    • Create Load Balancer: Set the Use Firewall item to Use when creating the Load Balancer service. For detailed instructions, refer to Creating Load Balancer.

  3. When the prerequisite service creation is complete, check whether the Firewall resource is displayed on the Firewall List.

Checking Firewall Detailed Information

For the Firewall service, you can view and modify the entire resource list and detailed information from the resource management menu.

To check Firewall detailed information, follow these steps:

  1. Click the All Services > Networking > Firewall menu. You will be redirected to the Firewall Service Home page.
  2. On the Service Home page, click Firewall List. You will be redirected to the Firewall List page.
    • On the Firewall List page, you can check the following information.
      DivisionDescription
      Firewall NameAutomatically created in Firewall prerequisite service type_Firewall format
      Firewall DivisionFirewall prerequisite service type (Internet Gateway, Direct Connect, Load Balancer)
      SizeFirewall size selected by user
      VPC NameVPC name connected to Firewall
      Connection NameAutomatically created in prerequisite service name using Firewall_Firewall format
      Number of RulesNumber of rules in use in the Firewall
      Use StatusWhether Firewall is used (activated) or not used (deactivated)
      • If not used, Any Allow rule is applied and no billing is charged for Firewall
      StatusDisplays Firewall status
      • Click the More button to set Use/Not Use
      Table. Firewall resource list items
  3. On the Firewall List page, click the resource for which you want to check detailed information. You will be redirected to the Firewall Details page.
    • The Firewall Details page displays status information and additional feature information, and consists of tabs for Detailed Information, Rules, Tags, Operation History.
      DivisionDescription
      Service StatusDisplays Firewall status
      • Creating: Creating
      • Active: Operating
      • Editing: Changing
      • Deploying: Deployment complete
      • Deleting: Deleting
      • Error: Error occurred
      Table. Firewall status information

Detailed Information

On the Firewall List page, you can check the detailed information of the selected resource and modify the information if necessary.

DivisionDescription
ServiceService name
Resource TypeResource type
SRNUnique resource ID in Samsung Cloud Platform
Resource NameResource name
Resource IDUnique resource ID in the service
CreatorUser who created the service
Creation DateDate and time when the service was created
ModifierUser who modified the service information
Modification DateDate and time when the service information was modified
Firewall NameAutomatically created as resource name_Firewall_connection name
Firewall IDUnique resource ID in the service
Firewall DivisionFirewall prerequisite service type (Internet Gateway, Direct Connect, Load Balancer)
SizeFirewall size selected by user
  • Click the Edit icon to change settings
Firewall Rule Count/QuotaRule quota and number of rules in use for the Firewall
VPC NameVPC name connected to Firewall
  • Click VPC name to move to details page
VPC IDVPC ID connected to Firewall
Connection NameAutomatically created as {Firewall prerequisite service name_Firewall}
  • Click connection name to move to details page
Log Storage StatusWhether to store Firewall logs
  • Use: Store logs
  • Not Use: Do not store logs
  • Click the Edit icon to change settings
Table. Firewall detailed information

Rules

On the Firewall List page, you can check the rule list of the selected resource and add, modify, or delete rules.

DivisionDescription
Excel DownloadDownload the currently entered rule list as an Excel (*.xlsx) file
Detailed SearchSearch for rules matching conditions set by the user
  • Supports string partial match (LIKE) search
Modify RuleModify and delete rules displayed in the rule list
  • Click the button to move to the rule modification page
Add RuleAdd a new Firewall rule
  • Click the button to move to the rule addition page
OrderDisplays rule order, applied Top down according to rule order
Rule IDUnique ID value for the rule
  • Click rule ID to check rule detailed information in a popup window
Rule IndexUnique Index value for the rule, used for log analysis
Source AddressSource address added to the rule
Destination AddressDestination address added to the rule, displayed as IP address according to the entered rule
ServiceProtocol and destination port
ActionTraffic Allow/Deny distinction due to rule
  • Allow: Allow traffic if matches rule
  • Deny: Block traffic if matches rule
DirectionAccess direction of traffic based on Firewall
  • Inbound: External → Internal
  • Outbound: Internal → External
Active StatusDisplays whether the rule is active, rule does not operate if in inactive state
StatusDisplays rule status
Table. Firewall rule list detailed information

Tags

On the Firewall List page, you can check the tag information of the selected resource, and add, change, or delete tags.

DivisionDescription
Tag ListTag list
  • You can check Key, Value information of tags
  • Up to 50 tags can be added per resource
  • When entering tags, search and select from the list of previously created Keys and Values
Table. Firewall tag tab items

Operation History

On the Firewall List page, you can check the operation history of the selected resource.

DivisionDescription
Operation History ListResource change history
  • Check operation date and time, resource name, operation details, operation result, operator information
  • Click the button to perform detailed search
Table. Firewall operation history tab detailed information items

Managing Firewall Rules

You can add, modify, or delete Firewall rules.

Caution
  • Rules can be added or modified only when the Firewall status is Active.
  • Rules cannot be added if there is no status view permission for the prerequisite service.
Note
  • The firewall periodically caches Domain rules registered by the user and retains IP information for a certain period.
  • If the caching result of the registered Domain rule does not match the user’s IP, communication may be restricted.

Creating Rules

You can add Firewall rule information by directly entering it on the Rules tab.

To add a Firewall rule, follow these steps:

  1. Click the All Services > Networking > Firewall menu. You will be redirected to the Firewall Service Home page.
  2. On the Service Home page, click Firewall List. You will be redirected to the Firewall List page.
  3. On the Firewall List page, click the resource to which you want to add rules. You will be redirected to the Firewall Details page.
  4. On the Firewall Details page, click the Rules tab. You will be redirected to the Rules tab page.
  5. On the Rules tab, click the Add Rule button. You will be redirected to the Add Rule page.
  6. Enter the required information on the Direct Input tab page.
  7. Check the added rule and click the Complete button.
Caution
If you move to another page without clicking the Confirm button after entering content on the add rule page, all entered items will be initialized, so please be careful.
DivisionRequiredDescription
Rule PositionRequiredSpecify the position of the rule to create
Rule ID to CopyOptionalEnter the Firewall rule ID to copy and click the Search button to select
Source AddressRequiredSource address to add to the rule
  • Can enter multiple addresses up to 128 at once using Comma (,), range (-) in CIDR (IP/Subnet Mask) format
Destination AddressRequiredSelect the type of destination address to add to the rule
  • Select IP: Can enter multiple addresses up to 128 at once using Comma (,), range (-) in CIDR (IP/Subnet Mask) format
  • Select Domain: Can enter up to 128 full domain names in FQDN format at once using Comma (,)
  • Type items vary depending on the selected destination address format
TypeRequiredSelect the protocol type to apply the rule
  • Select Destination Port/Type: Select protocol type
  • Internet Protocol: Enter protocol number, can enter up to 128
  • All: Select destination port/Type, protocol to the entire range, meaning all ports for all protocols
Type > ProtocolRequiredSelect the detailed protocol of the type
  • Select the protocol desired by the user among TCP, UDP, ICMP, input items vary depending on the selected protocol
  • When selecting ICMP in protocol, can set ICMP Type
    • Select frequently used Type items such as Echo among values defined as ICMP Type
    • Click the Add button to add input value
  • When selecting TCP/UDP in protocol, can select allowed ports such as SSH, HTTP, TELENET
    • When entering directly, can enter values from 1 to 65,535, can enter up to 128 at once using Comma (,), range (-)
    • Click the Add button to add input value
  • When selecting Internet Protocol in type, enter protocol number within 1 ~ 254
ActionRequiredDistinguish traffic allow/block due to rule
  • Allow: Allow traffic if matches rule
  • Deny: Block traffic if matches rule
DirectionRequiredAccess direction of traffic based on Firewall
  • Inbound: External → Internal
  • Outbound: Internal → External
DescriptionOptionalAdditional description written by the user
Added Rule-Check list of entered rules
  • Move Up: Move selected rule up
  • Move Down: Move selected rule down
  • Delete: Delete selected rule
Table. Firewall rule add > direct input tab items

Creating Rules in Batch

To add multiple Firewall rules at once, follow these steps:

  1. Click the All Services > Networking > Firewall menu. You will be redirected to the Firewall Service Home page.
  2. On the Service Home page, click Firewall List. You will be redirected to the Firewall List page.
  3. On the Firewall List page, click the resource to which you want to add rules. You will be redirected to the Firewall Details page.
  4. On the Firewall Details page, click the Rules tab. You will be redirected to the Rules tab page.
  5. On the Rules tab, click the Add Rule button. You will be redirected to the Add Rule page.
  6. On the Add Rule page, click the Batch Input Rules tab.
  7. Select Rule Position. If you do not select a position, it will be added to the last order of the rules.
  8. On Select File, click the Download Form button. The batch input rule Excel file will be downloaded.
  9. Enter rule information in the batch input rule Excel file and save it.
  10. On Select File, click Attach File to attach the created Excel file and click Add.
    • If the attached Excel file format is different from the registration form or the file is encrypted, it cannot be uploaded.
    • The maximum number of batch registration rules that can be uploaded at once is 100. If the maximum registration rule count is exceeded, it cannot be uploaded.
    • If the maximum rule count set according to the firewall size is exceeded, the file cannot be uploaded.
  11. Check whether the entered rules are displayed on the Added Rules list and adjust the order.
  12. Check the added rules and click the Complete button.

Modifying Rules

You can select a Firewall rule to check and modify rule information.

To modify a Firewall rule, follow these steps:

  1. Click the All Services > Networking > Firewall menu. You will be redirected to the Firewall Service Home page.

  2. On the Service Home page, click Firewall List. You will be redirected to the Firewall List page.

  3. On the Firewall List page, click the resource for which you want to modify rules. You will be redirected to the Firewall Details page.

  4. On the Firewall Details page, click the Rules tab. You will be redirected to the Rules tab page.

  5. On the Rules tab, click the Modify Rule button. You will be redirected to the Modify Rule page.

    • On the rule modification page, you can set the following items:
      • Activate: Activates the selected rule.
      • Deactivate: Deactivates the selected rule. Deactivated rules are not applied to the prerequisite service.
      • Delete: Deletes the selected rule. When you click delete, it is displayed as Delete Scheduled status in the changes.
      • Cancel Delete: If in delete scheduled status, you can cancel the rule deletion.

  6. On the Modify Rule page, click the Edit button for the item to modify. The Modify Rule popup window will open.

  7. In the Modify Rule popup window, enter the item to modify and click the Confirm button.

    DivisionRequiredDescription
    Order-Order of the rule, order can be changed by clicking Move Up/Move Down in the added rule list
    Rule ID-Unique ID value for the rule, cannot be changed
    Rule Index-Unique Index value for the rule, can be used for log analysis
    Source AddressRequiredSource address registered in the rule
    • Can change by entering multiple addresses up to 128 at once using Comma (,), range (-) in CIDR (IP/Subnet Mask) format
    Destination AddressRequiredDestination address to add to the rule
    • Can change by entering multiple addresses up to 128 at once using Comma (,), range (-) in CIDR (IP/Subnet Mask) format
    TypeRequiredSet protocol type according to the selected destination address item
    ActionRequiredCan change traffic Allow/Deny distinction due to rule
    • Allow: Allow traffic if matches rule
    • Deny: Block traffic if matches rule
    DirectionRequiredCan change access direction of traffic based on Firewall registered in the rule
    • Inbound: External → Internal
    • Outbound: Internal → External
    Rule PositionRequiredCan change rule position
    Active StatusRequiredWhether the rule is active, rule does not operate if in inactive state
    Status-Status value for the rule
    DescriptionOptionalAdditional description written by the user
    Table. Firewall rule modification detailed items

  8. Check the modified rule and click the Complete button.

Deleting Rules

Caution
Can only delete when Firewall is in Active status and rule is in Active, Error status.

To delete a Firewall rule, follow these steps:

  1. Click the All Services > Networking > Firewall menu. You will be redirected to the Firewall Service Home page.
  2. On the Service Home page, click Firewall List. You will be redirected to the Firewall List page.
  3. On the Firewall List page, click the resource for which you want to modify rules. You will be redirected to the Firewall Details page.
  4. On the Firewall Details page, click the Rules tab. You will be redirected to the Rules tab page.
  5. On the Rules tab, click the Modify Rule button. You will be redirected to the Modify Rule page.
  6. On the Modify Rule page, select the rule to delete and click the Delete button.
    • When the deletion request is completed, it is displayed as Delete Scheduled in the changes item.
    • You can cancel rule deletion by clicking Cancel Delete.
  7. On the Modify Rule page, click the Complete button.

Managing Firewall Resources

You can modify the Firewall size and change the log use settings.

Modifying Firewall Size

To modify the Firewall size, follow these steps:

  1. Click the All Services > Networking > Firewall menu. You will be redirected to the Firewall Service Home page.
  2. On the Service Home page, click Firewall List. You will be redirected to the Firewall List page.
  3. On the Firewall List page, click the resource to modify. You will be redirected to the Firewall Details page.
  4. On the Firewall Details page, click the Edit icon for Size. You will be redirected to the Modify Size popup window.
  5. In the Modify Size popup window, select the size to modify and click the Confirm button.
Note

Firewall size is provided as Extra Small (rule quota 5) by default, and you can add Firewall rules by changing the Firewall size to use them. In Nuri SCP, the project/region selection distinction has disappeared, so we comment out the following statement. (25.01.24)

  • Firewall fees are charged based on Firewall service size and traffic throughput.

Using Log Storage

Note

To store Firewall logs, you must first create a bucket in Object Storage to store logs, set the bucket as the log storage in Firewall Logging, and then set log storage in Firewall details to store Firewall logs in the Object Storage bucket.

  • Log storage settings can be checked in Firewall Logging. For more information, refer to Firewall Logging.
  • If log storage is set, Object Storage fees for log storage are charged.

To use Firewall log storage, follow these steps:

  1. Click the All Services > Networking > Firewall menu. You will be redirected to the Service Home page.
  2. On the Service Home page, click the Firewall menu. You will be redirected to the Firewall List page.
  3. On the Firewall List page, click the resource (Firewall) to use log storage. You will be redirected to the Firewall Details page.
  4. On the Firewall Details page, click the Edit icon for Log Storage Status. You will be redirected to the Modify Log Storage Status popup window.
  5. In the Modify Log Storage Status popup window, select Use for log storage and click the Confirm button.
Caution
If log storage is not set in Firewall Logging, you cannot set log storage Use.

Setting Log Storage to Not Use

To set Firewall log storage to not use, follow these steps:

  1. Click the All Services > Networking > Firewall menu. You will be redirected to the Service Home page.
  2. On the Service Home page, click the Firewall menu. You will be redirected to the Firewall List page.
  3. On the Firewall List page, click the resource (Firewall) to set log storage to not use. You will be redirected to the Firewall Details page.
  4. Click the Modify Log Storage Status button. You will be redirected to the Modify Log Storage Status popup window.
  5. In the Modify Log Storage Status popup window, deselect Use for log storage and click the Confirm button.
  6. Check the message in the Notification popup window and click the Confirm button.
Caution
If you disable log storage, log storage for the service is stopped and tracking management through log analysis is not possible in case of a security incident.

Setting Firewall to Not Use

The Firewall service cannot be deleted separately. When you delete the prerequisite service, the connected Firewall is also deleted. If you want to maintain the prerequisite service and not use the Firewall, you can change the Firewall to not use status on the Firewall list page.

Caution
  • If you change the Firewall to not use status, all previously registered rules will be deleted.
  • If the connected Firewall has rules when deleting the prerequisite service, you cannot delete it. Delete the Firewall rules before deleting the prerequisite service.

To set Firewall to not use, follow these steps:

  1. Click the All Services > Networking > Firewall menu. You will be redirected to the Service Home page.
  2. On the Service Home page, click the Firewall menu. You will be redirected to the Firewall List page.
  3. On the Firewall List page, click More > Not Use for the resource to switch to not use.
  4. When the use status change is complete, check whether the resource’s use status has changed to not use on the Firewall List page.

1 - Firewall Logging

To store Firewall logs, you must first create a bucket in Object Storage to store the logs, set the bucket as the log storage in Firewall Logging, and then set log storage on the Firewall Details page to store Firewall logs in the Object Storage bucket.

To store Firewall logs, set up according to the following order:

  1. To store firewall logs, you can create a bucket in Object Storage or use an already created bucket. To create a bucket, refer to Creating Object Storage.
  2. To set the bucket as the log storage in Firewall Logging, refer to Using Firewall Logging Log Storage.
  3. To set log storage status to Use in Firewall details, refer to Using Firewall Log Storage.

Setting Up Firewall Logging Log Storage

To set the Firewall log storage status to Use, you must first set the log storage in Firewall Logging.

Note
To set Firewall Logging log storage, you need an Object Storage bucket for log storage. First, create a bucket in the Object Storage service. For more information, refer to Creating Object Storage.

To set up Firewall Logging log storage, follow these steps:

  1. Click the All Services > Management > Network Logging > Firewall Logging menu. You will be redirected to the Firewall Logging List page.
  2. On the Firewall Logging List page, click the Log Storage Settings button at the top. You will be redirected to the Log Storage Settings popup window.
  3. In the Log Storage Settings popup window, select the Log Storage Bucket. When you select a bucket, the Log Storage Path is displayed.
  4. In the Log Storage Settings popup window, check the Log Storage Bucket and Log Storage Path, and then click the Confirm button.
  5. Check the message in the Notification popup window and click the Confirm button.
Notice
After setting up the Firewall Logging log storage, you must set log storage status to Use on the Firewall Details page to start log storage. For more information, refer to Using Firewall Log Storage.

Viewing Firewall Logging List

When you set the Firewall Logging log storage bucket, you can view the Firewall Logging list.

To view the Firewall Logging list, follow these steps:

  1. Click the All Services > Management > Network Logging > Firewall Logging menu. You will be redirected to the Firewall Logging List page.
  2. On the Firewall Logging List page, check the resources in use and log storage targets.
    DivisionDescription
    Resource IDFirewall ID
    Storage TargetFirewall name
    Storage Registration DateFirewall log storage registration date
    Table. Firewall Logging list items
Note
After setting up the Firewall Logging log storage, you must set log storage status to Use in Firewall details to start log storage. For more information, refer to Using Firewall Log Storage.

Checking Firewall Logging Detailed Content

Refer to the following content to check the detailed content of stored logs.

Stored log example: 2024-10-11T11:23:43,deny,0,17,4.1.1.100,45499,192.168.10.10,53

DivisionDescription
2024-10-11T11:23:43Date and time when the log occurred (2024-10-11, 11:23:43)
denyAction (deny / accept)
0Firewall Rule ID (Policy ID) where the log occurred
17IP Protocol ID
  • 1: ICMP
  • 6: TCP
  • 17: UDP
4.1.1.100Source IP
45499Source Port
192.168.10.10Destination IP
53Destination Port
Table. Log detailed information items

Setting Firewall Logging Log Storage to Not Use

You can set the log storage in Firewall Logging to not use.

To set Firewall Logging log storage to not use, follow these steps:

  1. Click the All Services > Management > Network Logging > Firewall Logging menu. You will be redirected to the Firewall Logging List page.
  2. On the Firewall Logging List page, click the Log Storage Settings button at the top. You will be redirected to the Log Storage Settings popup window.
  3. In the Log Storage Settings popup window, select Not Use for the Log Storage Bucket and click the Confirm button.
Note
  • Log storage settings can be changed when there is no log storage target.
  • To change the log storage bucket, first change the setting to not use. Then you can change it by setting it to use again.