[T&C] Firewall with Application Visibility using Thunder CFW

siddharthaa

Thunder CFW offers Gi LAN services consolidation to combine L4–L7 functions, including CGNAT, stateful firewall, and application visibility to integrate greater efficiencies on the Gi LAN.

In this article, we will look at how you can configure Thunder CFW for application-level visibility. 

First, make sure you have the add-on license for application visibility on the Thunder device:

CFW-GIFW#sh license-info
 
------------------------------------------------------------------------------------
Enabled Licenses         Expiry Date (UTC)               Notes
------------------------------------------------------------------------------------
 
QOSMOS                   27-November-2021

Then configure the Thunder device to download application protocol signatures:

To enable application-level visibility for the traffic, configure a firewall rule-set with the command “track-application” under a firewall rule:

visibility
 monitor traffic service
   mon-topk sources
!
ip dns primary 8.8.4.4
!
ip dns secondary 9.9.9.9
!
partition P1 id 1 application-type cgnv6
!
hostname CFW-GIFW
!
timezone America/Los_Angeles
!
ntp server pool.ntp.org
!
glm use-mgmt-port
glm enable-requests
!
interface management
 ip address <thunder-mgmt-ip>
 ip default-gateway <default gateway>
 enable
!
zone Private
 interface ethernet 1
!
zone Public
 interface ethernet 2
!
automatic-update use-mgmt-port
!
automatic-update app-fw schedule daily 8:0
!
acos-events logdb enable-cgn
!
logging syslog information
!
sflow setting local-collection
!
sflow collector ip 127.0.0.1 6343
!
!
rule-set FWPOLICY1
 rule deny-tcp
   action deny log
   source ipv4-address any
   source zone any
   dest ipv4-address 11.1.1.0/24
   dest zone any
   service tcp
   application any
 rule deny-icmp
   action deny log
   source ipv4-address any
   source zone any
   dest ipv4-address 11.1.1.0/24
   dest zone any
   service icmp
   application any
 rule deny-udp
   source ipv4-address any
   source zone any
   dest ipv4-address 11.1.1.0/24
   dest zone any
   service udp
   application any
 rule reset-hosts
   action reset log
   source ipv4-address any
   source zone any
   dest ipv4-address 12.1.1.0/24
   dest zone any
   service any
   application any
 rule 100.64.10.0
   action permit forward log
   source ipv4-address 100.64.10.0/24
   source zone any
   dest ipv4-address any
   dest zone any
   service any
   application any
   track-application
 rule 100.64.12.0
   action permit forward log
   source ipv4-address 100.64.12.0/24
   source zone any
   dest ipv4-address any
   dest zone any
   service any
   application any
   track-application
 rule cgn
   action permit cgnv6 log
   source ipv4-address any
   source zone Private
   dest ipv4-address any
   dest zone Public
   service any
   application any
   track-application
!
fw local-logging
!
fw server FW-LOG 100.64.14.253
 port 514 udp
!
fw service-group SG-FW-LOG udp
 member FW-LOG 514
!
fw template logging FW-LOG-TEMPLATE
 service-group SG-FW-LOG
!
fw logging FW-LOG-TEMPLATE
!
fw active-rule-set FWPOLICY1

Note that “track-application” has been configured under permit rules but not under deny rules. If you try to do so, you will see the following configuration guideline:

CFW-GIFW(config-rule set:FWPOLICY1-rule:deny-...)#track-application
ERROR: track-application can't be set if no application criteria and action is not PERMIT

To view application analytics on the Thunder CFW GUI, navigate to:

Security > Firewall > Dashboard:

Note: By default, local log for the firewall is disabled.

Use the following command to enable local log as shown in the above config:

fw local-logging 

This command is required if you want to view application analytics on the Thunder CFW web GUI.