Configure host firewall settings

A host firewall lets you view the services used by a host and the port numbers of those services, and set the IP addresses that are allowed to access specific ports. It controls network access to the host and helps prevent unauthorized access and attacks. On the System > Stateful Failover > Firewall Configuration page, you can configure host firewall settings for the primary and backup nodes in a centralized manner.

A host firewall provides the following features:

Restrictions and guidelines

| Feature | Description | Recommended operations |
|---|---|---|
| Stateful failover | If a list of allowed IP addresses has been set for the SSH service when you set up a stateful failover system, you must allow all IP addresses and make sure the quorum node is reachable from the primary and backup nodes through SSH. | Allow all IP addresses and then set up a stateful failover system. |
| CloudOS, UIS Cloud, or third-party interoperation | To interoperate CAS with CloudOS, UIS Cloud, or third-party software such as AnyBackup of Aishu, Runstor, Qianxin, and AsiaInfo, allow relevant IP addresses to access ports such as those of HTTP services. | Open all ports to IP addresses related to CloudOS, UIS Cloud, or third-party software. |
| Adding an external platform | Port 8080 or 8443 is required when the CAS system is added as an external platform. | Open ports 8080 and 8443. |
| Bare metal management | Copying files from a CVM host to a bare metal server requires using the SCP service. | Open port 22. |
| Site disaster recovery | Site disaster recovery requires use of ports 8080 and 8443 for the protected site and the recovery site. | Open ports 8080 and 8443. |
| Anti-virus | Same as CloudOS, UIS Cloud, or third-party interoperation. | Same as CloudOS, UIS Cloud, or third-party interoperation. |
| Cloud rainbow | Site incorporation and VM migration require use of ports 8080, 8443, and 22. | Open ports 8080, 8443, and 22. |
| VM migration | VM migration requires use of ports 8080, 8443, and 22. | Open ports 8080, 8443, and 22. |
| Log backup | Log backup requires use of port 22 on the destination. | Open port 22. |
| Data backup on a remote server in backup management | Data backup requires use of port 22 on the destination. | Open port 22. |

View firewall settings for a host

  1. On the top navigation bar, click System.

  2. From the left navigation pane, select Stateful Failover.

  3. Click the Firewall Configuration button. All firewall policies for the current hosts are displayed.

Edit firewall settings for a host

  1. On the top navigation bar, click System.

  2. From the left navigation pane, select Stateful Failover.

  3. Click the Firewall Configuration button.

  4. Click Edit in the Actions column for a service.

  5. To allow all IP addresses, select Allow Access from Any IP address. To allow only one or more specified IP addresses, clear this option and enter an IP address or a comma-separated list of IP addresses, for example, 1.1.1.1,12.3.0.0/16,1:1:1:1:1:1:1:1/64.
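The following Python check is an added example, not part of the CAS product or its documentation. It audits a comma-separated allow list before you enter it in step 5: every entry must parse, catch-all entries are flagged, and peers that must keep access (for example, the quorum node for SSH) must be covered. The function names and peer addresses are hypothetical, and how CAS itself treats entries with host bits set is assumed to be as the enclosing network.

```python
import ipaddress


def parse_allow_list(text):
    """Parse a comma-separated allow list into network objects.

    Returns (networks, errors). strict=False accepts entries with host
    bits set, such as the documented 1:1:1:1:1:1:1:1/64, and normalizes
    them to the enclosing network (assumed interpretation).
    """
    networks, errors = [], []
    for raw in text.split(","):
        entry = raw.strip()
        if not entry:
            errors.append("empty entry")
            continue
        try:
            networks.append(ipaddress.ip_network(entry, strict=False))
        except ValueError as exc:
            errors.append(f"{entry!r}: {exc}")
    return networks, errors


def audit_allow_list(text, required_peers):
    """Return a list of findings; an empty list means the list is usable."""
    networks, errors = parse_allow_list(text)
    findings = [f"invalid entry {e}" for e in errors]
    for net in networks:
        if net.prefixlen == 0:
            findings.append(f"{net} matches every address; same as allowing any IP")
    for peer in required_peers:
        addr = ipaddress.ip_address(peer)
        if not any(addr.version == n.version and addr in n for n in networks):
            findings.append(f"required peer {peer} is not covered")
    return findings


if __name__ == "__main__":
    # Allow list taken from the example in step 5.
    allow = "1.1.1.1,12.3.0.0/16,1:1:1:1:1:1:1:1/64"
    # Constructed peer addresses standing in for nodes that need SSH access.
    for finding in audit_allow_list(allow, ["12.3.4.5", "192.0.2.10"]):
        print(finding)
```
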

Synchronize firewall settings for a host

  1. On the top navigation bar, click System.

  2. From the left navigation pane, select Stateful Failover.

  3. Click the Firewall Configuration button.

If firewall configuration must be synchronized, the Synchronize button will appear in the upper left corner of the pop-up window. Click this button to synchronize the firewall configuration.