[T&C] Firewall with Application Visibility using Thunder CFW
Thunder CFW consolidates Gi LAN services onto one platform, combining L4–L7 functions such as CGNAT, stateful firewall, and application visibility for greater efficiency on the Gi LAN.
This article shows how to configure Thunder CFW for application-level visibility.
First, make sure the add-on license for application visibility (QOSMOS) is installed and not expired on the Thunder device:
CFW-GIFW#sh license-info
------------------------------------------------------------------------------------
Enabled Licenses                         Expiry Date (UTC)       Notes
------------------------------------------------------------------------------------
QOSMOS                                   27-November-2021
Next, configure the Thunder device to download application protocol signatures (the automatic-update app-fw schedule in the configuration below), so that application identification keeps up with new protocol definitions.
To enable application-level visibility for the traffic, add the command “track-application” to the firewall rules of the active rule-set. The complete configuration used in this article:
visibility monitor traffic service mon-topk sources
!
ip dns primary 8.8.4.4
!
ip dns secondary 9.9.9.9
!
partition P1 id 1
  application-type cgnv6
!
hostname CFW-GIFW
!
timezone America/Los_Angeles
!
ntp server pool.ntp.org
!
glm use-mgmt-port
glm enable-requests
!
interface management
  ip address <thunder-mgmt-ip>
  ip default-gateway <default gateway>
  enable
!
zone Private
  interface ethernet 1
!
zone Public
  interface ethernet 2
!
automatic-update use-mgmt-port
!
automatic-update app-fw schedule daily 8:0
!
acos-events logdb enable-cgn
!
logging syslog information
!
sflow setting local-collection
!
sflow collector ip 127.0.0.1 6343
!
!
rule-set FWPOLICY1
  rule deny-tcp
    action deny
    log
    source ipv4-address any
    source zone any
    dest ipv4-address 11.1.1.0/24
    dest zone any
    service tcp
    application any
  rule deny-icmp
    action deny
    log
    source ipv4-address any
    source zone any
    dest ipv4-address 11.1.1.0/24
    dest zone any
    service icmp
    application any
  rule deny-udp
    source ipv4-address any
    source zone any
    dest ipv4-address 11.1.1.0/24
    dest zone any
    service udp
    application any
  rule reset-hosts
    action reset
    log
    source ipv4-address any
    source zone any
    dest ipv4-address 12.1.1.0/24
    dest zone any
    service any
    application any
  rule 100.64.10.0
    action permit forward
    log
    source ipv4-address 100.64.10.0/24
    source zone any
    dest ipv4-address any
    dest zone any
    service any
    application any
    track-application
  rule 100.64.12.0
    action permit forward
    log
    source ipv4-address 100.64.12.0/24
    source zone any
    dest ipv4-address any
    dest zone any
    service any
    application any
    track-application
  rule cgn
    action permit cgnv6
    log
    source ipv4-address any
    source zone Private
    dest ipv4-address any
    dest zone Public
    service any
    application any
    track-application
!
fw local-logging
!
fw server FW-LOG 100.64.14.253
  port 514 udp
!
fw service-group SG-FW-LOG udp
  member FW-LOG 514
!
fw template logging FW-LOG-TEMPLATE
  service-group SG-FW-LOG
!
fw logging FW-LOG-TEMPLATE
!
fw active-rule-set FWPOLICY1
Note that “track-application” is configured under the permit rules but not under the deny rules. The CLI only accepts it on a rule whose action is permit, or on a rule that already matches a specific application; on a plain deny rule with “application any” it is rejected with the following guideline:
CFW-GIFW(config-rule set:FWPOLICY1-rule:deny-...)#track-application
ERROR: track-application can't be set if no application criteria and action is not PERMIT
Also note that in the rule-set above, rule deny-udp has neither an explicit action nor a log statement, unlike the other blocking rules. If UDP drops towards 11.1.1.0/24 should show up in the firewall logs, state both explicitly (action deny and log), so the intent is unambiguous and the drops are recorded.
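The guideline above is only enforced once a rule is typed into the device. The following added example (not A10 code, not part of the original article) re-implements it as an offline lint over a rule-set stanza written in the syntax shown above, so the mistake is caught in the config file before it is pushed. It also flags two hygiene problems the article's rule-set illustrates: a rule without an explicit action, and a non-permit rule without log. The sample rule-set is constructed for the example; it assumes that “application any” counts as having no application criterion, which is how the CLI treats the deny rules above.

```python
"""Offline lint for an ACOS firewall rule-set before it is pushed to a Thunder CFW.

Added example, not A10 code. Re-implements the CLI guideline
("track-application can't be set if no application criteria and action is not
PERMIT") plus two hygiene checks: no explicit action, and a non-permit rule
without 'log'. Assumption: 'application any' means no application criterion.
"""
import re
from dataclasses import dataclass

# Constructed sample in the article's rule-set syntax. 'deny-udp' deliberately
# mirrors the article (no action, no log) and adds track-application, which
# the device would reject.
SAMPLE_RULESET = """\
rule-set FWPOLICY1
  rule deny-tcp
    action deny
    log
    source ipv4-address any
    source zone any
    dest ipv4-address 11.1.1.0/24
    dest zone any
    service tcp
    application any
  rule deny-udp
    source ipv4-address any
    source zone any
    dest ipv4-address 11.1.1.0/24
    dest zone any
    service udp
    application any
    track-application
  rule 100.64.10.0
    action permit forward
    log
    source ipv4-address 100.64.10.0/24
    source zone any
    dest ipv4-address any
    dest zone any
    service any
    application any
    track-application
!
"""


@dataclass
class Rule:
    name: str
    action: str = ""          # first word after 'action': permit | deny | reset
    log: bool = False
    application: str = "any"  # 'any' = no application criterion
    track_application: bool = False


def parse_ruleset(text):
    """Return (rule-set name, [Rule, ...]) from one rule-set stanza."""
    name, rules = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if (m := re.match(r"rule-set\s+(\S+)$", line)):
            name = m.group(1)
            continue
        if (m := re.match(r"rule\s+(\S+)$", line)):
            rules.append(Rule(m.group(1)))
            continue
        if not rules:
            continue  # anything before the first rule is not ours to check
        r, words = rules[-1], line.split()
        if words[0] == "action":
            r.action = words[1]          # 'permit forward' / 'permit cgnv6' -> permit
        elif line == "log":
            r.log = True
        elif words[0] == "application":
            r.application = " ".join(words[1:])
        elif line == "track-application":
            r.track_application = True
    return name, rules


def lint(rules):
    """Return [(rule name, finding), ...] for the checks described above."""
    findings = []
    for r in rules:
        has_app_criterion = r.application != "any"
        if r.track_application and r.action != "permit" and not has_app_criterion:
            findings.append((r.name, "track-application needs action permit or an application criterion"))
        if not r.action:
            findings.append((r.name, "no explicit action"))
        if r.action != "permit" and not r.log:
            findings.append((r.name, "non-permit rule without log"))
    return findings


if __name__ == "__main__":
    rs_name, parsed = parse_ruleset(SAMPLE_RULESET)
    for rule_name, msg in lint(parsed):
        print(f"{rs_name}/{rule_name}: {msg}")
```

Run against the sample, the lint reports three findings, all on deny-udp: the track-application violation the device would also reject, the missing explicit action, and the missing log. The parser only understands the flat keyword lines used in this article's rule-set; extend it if your rule-sets use other sub-commands.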
To view application analytics in the Thunder CFW GUI, navigate to Security > Firewall > Dashboard.
Note: By default, local logging for the firewall is disabled. Enable it with the following command, as shown in the configuration above:
fw local-logging
This command is required to view application analytics in the Thunder CFW web GUI; without it the dashboard has no local log data to draw from.