Managed Firewall Version1¶

・ As of December 6, 2020, we will stop accepting device additions and plan changes.

・ Support will end on December 31, 2021.

・ Please use the Version Upgrade function to upgrade to Version 2 before support ends.

About This Menu¶

Overview¶

Managed Firewall provides Customers with firewall functions which Customers can utilize within their Tenant(s) for Enterprise 2.0.

Managed Firewall can be connected to Logical Networks within the Tenant(s), and Customers can apply their own control parameters to traffic between logical networks, so that they alone control their own network.

(NOTE: Hereinafter, Managed Firewall is referred to as "this Menu" and the equipment that provides the features is referred to as "device".)

Features¶

This menu has the following features:

  1. Reliable and secure operation by security managed service

    The Security Operation Center (SOC), which has a global security management system, monitors the management servers provided in this menu.

  2. Menu can be changed to add security functions

    This menu can be changed to the Managed UTM menu, which adds security functions. Managed UTM provides the all-in-one security functions needed to protect the customer environment from security threats such as unauthorized access, virus infection, unwanted web access, and spam mail:

    ● Firewall function (Access control/IPsecVPN)

    ● IDS/IPS function for protection against and detection of unauthorized access [1] .

    ● Anti-Virus function for protection from viruses.

    ● Web Filter function for filtering web communication based on URL.

    ● Spam Filter function for detecting spam mail.

    [1]

    IDS; i.e., Intrusion Detection System

    IPS; i.e., Intrusion Prevention System

  3. Immediate provision by self-operation · Immediate setting change

    Customers can start using this menu immediately by operating the Security Control Panel through the Enterprise Cloud 2.0 Portal. Configuration changes made on the Security Control Panel are reflected immediately.

    Customers can use the necessary resources without initial investment or a minimum usage period, without owning assets, and can build a secure environment tailored to their business environment.

Available Functions¶

List of Available Functions¶

This menu provides the following functions:

| Functions | Description |
| --- | --- |
| 1. Firewall | Traffic control based on the firewall policy which the customer configures. |
| 2. Network | Connects the "Device" to Logical Networks and routes traffic to its destinations. |
| 3. IPsecVPN | Creates a tunnel encrypted with IPsec to provide secure communication between multiple sites. |
| 4. Other Functions | Sends logs obtained by the "Device" to a syslog server managed by the Customer, and sets the time zone used for the log content recorded on the "Device". |
| 5. Security Incident Report | The "Device" analyzes its own logs and reports security incident(s) when the information shows that the "Device" received hostile incoming traffic. |
| 6. Control Panel Functions | Set up applications and devices from the Security Control Panel of the Enterprise Cloud 2.0 Portal. |
| 7. Version Upgrade | Upgrade from Managed FW / UTM / WAF Version 1 to Managed FW / UTM / WAF Version 2. |

Description of Respective Functions¶

1.Firewall¶

Customers are provided with the following functions with this menu:

| Item | Description |
| --- | --- |
| Firewall | Traffic control by stateful inspection [2] of traffic passing through the device, based on the configured firewall policy. |
| NAT / NAPT [3] | The NAT / NAPT function translates the IP address or port number(s) of traffic passing through the "Device". |

[2]

Stateful inspection decides whether a packet passing through the "Device" is allowed or denied by tracking the state of the connection it belongs to. Typically, the return packets of a connection that was allowed on the way out are allowed back through.

[3]

NAT stands for Network Address Translation.

NAPT stands for Network Address Port Translation.
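The stateful-inspection behaviour described in footnote [2] can be illustrated with the following toy filter. This is an added example written for this page, not the Managed Firewall's own implementation; the policy rule format, the flow-table design, and the addresses and ports in the sample traffic are assumptions made for the illustration.

```python
"""Toy stateful-inspection filter (added illustration, not the Managed
Firewall's implementation). It models footnote [2]: a packet is matched
against the policy only when it opens a new flow; reply packets of a flow
that was already allowed pass without needing their own rule."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    syn: bool = False  # True only for the segment that opens a TCP connection


class StatefulFirewall:
    # Rule format is an assumption for this example: (source network,
    # destination IP, destination port, action), evaluated top-down;
    # no matching rule means deny.
    def __init__(self, policy):
        self.policy = [(ipaddress.ip_network(net), dst, port, action)
                       for net, dst, port, action in policy]
        self.flows = set()  # 5-tuples of flows that were allowed on the way out

    def _policy_action(self, p):
        for net, dst, port, action in self.policy:
            if ipaddress.ip_address(p.src) in net and p.dst == dst and p.dport == port:
                return action
        return "deny"  # implicit default deny

    def forward(self, p):
        key = (p.proto, p.src, p.sport, p.dst, p.dport)
        reverse = (p.proto, p.dst, p.dport, p.src, p.sport)
        # 1. State table first: packets of an established flow pass in either direction.
        if key in self.flows or reverse in self.flows:
            return "allow"
        # 2. A mid-stream TCP segment with no flow entry cannot open a flow.
        if p.proto == "tcp" and not p.syn:
            return "drop"
        # 3. A new flow is judged by the policy; if allowed, remember it.
        action = self._policy_action(p)
        if action == "allow":
            self.flows.add(key)
        return action


def demo():
    """Constructed traffic: one allowed outbound HTTPS flow plus strays."""
    fw = StatefulFirewall([("10.0.1.0/24", "203.0.113.10", 443, "allow")])
    outbound = Packet("10.0.1.5", 51000, "203.0.113.10", 443, syn=True)
    reply = Packet("203.0.113.10", 443, "10.0.1.5", 51000)      # belongs to the flow
    stray_ack = Packet("203.0.113.10", 443, "10.0.1.5", 51001)  # no such flow
    inbound_syn = Packet("203.0.113.10", 40000, "10.0.1.5", 22, syn=True)  # new, no rule
    return [fw.forward(pkt) for pkt in (outbound, reply, stray_ack, inbound_syn)]


if __name__ == "__main__":
    print(demo())  # ['allow', 'allow', 'drop', 'deny']
```

The order of the three checks in `forward` is the point: the state table is consulted before the policy, which is why the reply needs no inbound rule, while a packet that matches no state and does not open a connection is dropped before the policy is even consulted.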

2.Network¶

Network provides the following functions.

| Item | Description |
| --- | --- |
| Interface | Sets the interfaces of the "Device" and connects them to logical networks. |
| Routing | Sets static routes and the default gateway, which the "Device" uses to route traffic. |

Note

  • Customers are required to create the logical networks before this menu is provisioned.

  • The "Device" is connected to the Data Plane of a logical network; it is not connected to the Storage Plane.

  • When Customers create, change or delete an interface of the "Device", the "Device" must be rebooted, and the interface MAC address is changed automatically.

  • The MTU size of an interface can be changed in the range of 100 to 1500 bytes. The default value is 1500 bytes.

  • In the HA plan, when the address range of the segment connected to an interface is used for NAT/NAPT, please configure Proxy ARP.

3.IPsecVPN¶

IPsecVPN provides the following functions.

| Item | Description |
| --- | --- |
| IPsecVPN | Defines the authentication method, encryption method and connection destination IP address, and creates a tunnel to the opposite network. |
| Routing | Sets static routes to the tunnel interface and routes traffic accordingly. |
| Access Control | Controls traffic passing through the tunnel based on the policy which the customer configures. |
| NAT/NAPT | Translates the IP address and port number of traffic passing through the tunnel. |

Note

  • In the HA Configuration Plan, the IPsecVPN function cannot be used. This function is available only in the Single Configuration Plan.

  • The IPsecVPN function provided by this service supports IPsecVPN connections between Managed Firewall / UTM devices only. Connection with other VPN devices is not supported.

The specifications of the IPsec VPN function are as follows.

| Item | Description |
| --- | --- |
| Authentication method | Pre-shared key (PSK) |
| Encryption algorithm | AES-128 / AES-192 / AES-256 |
| Authentication (hash function) | SHA-256 / SHA-384 / SHA-512 |
| DH Group | 14 / 15 / 16 / 17 / 18 / 19 / 20 / 21 |
| Number of tunnels that can be created | Maximum 15 (per 1 Managed Firewall) |

4.Other Functions¶

Other Functions provide the following functions.

| Item | Description |
| --- | --- |
| Syslog transmission | Sends logs obtained at the "Device" to a syslog server managed by the Customer. |
| Time Zone Assignment | Sets the time zone applied to the time stamps of logs recorded on the "Device". |
| Device Config Export | Exports the items set on the device to a document. |

Note

  • There is only one (1) settable destination for syslog transmission.

  • If you change the time zone, the time stamps of logs recorded before the change are not rewritten.

  • Traffic logs and security detection logs are sent by syslog for the firewall policies that are configured to obtain logs.

5.Security Incident Report¶

Security Incident Report provides the following functions.

| Item | Description |
| --- | --- |
| Create Report | Device logs are automatically analyzed and a "Security Incident Report" is generated when a threat is detected. |
| Publish Report | The Security Incident Report is shown on the Security Control Panel through the Enterprise Cloud 2.0 Portal. |
| Notify Report | When a Security Incident Report is generated, an e-mail notification is sent to the mail address registered on the Security Control Panel. |

● Security Incident Report

The following items are included in the "Security Incident Report":

| Item | Description |
| --- | --- |
| Device | The Device Name, if there is any |
| Reference | Automatically assigned ID |
| Severity | Severity of the recognized threat |
| Date and Time | The date and time of first detection and of last detection of the reported threat |
| Description | Description of the details of the recognized threat |
| Recommendation/Action | Recommended measures and further action(s) against the threat |
| Signature, DNS | Name of the signature, DNS information, etc. identified from the threat detections |

Note

  • Analyzed logs are limited to those obtained under the firewall policies for which the device is configured to obtain logs.

  • All "Security Incidents" are reported in English.

  • When a customer uses this menu together with another menu such as Managed UTM Version1 or Managed WAF Version1 on one tenant, a single Security Incident Report is generated by correlation analysis of the logs of all devices; a separate Security Incident Report is not generated for each menu and device.

6.Control Panel Functions¶

For Control Panel Functions, the following operations are possible.

For details, see the Enterprise Cloud 2.0 tutorial.

| Item | Description |
| --- | --- |
| Order | Customers can subscribe to the Security Menu. |
| Operation | Customers can manage and / or set the created "Device". |

● Order

The following actions can be performed from the Order Panel:

| Item | Description |
| --- | --- |
| Add Device | Customers can create a new "Device" or add a "Device". |
| Change | Change the Menu and / or Plan of a created "Device" to update its settings. |
| Delete Device | A created "Device" can be deleted and removed from operation. |
| Version upgrade | Upgrade from Managed Firewall Version1 to Managed Firewall Version2. |

● Operation

The following actions can be performed from the Operations Panel:

| Item | Description |
| --- | --- |
| Device KPI | View resource status (such as CPU and memory) and traffic. |
| Network Management | Set the interfaces of the "Device" here (and connect them to logical networks). |
| Device Management | Configure the Firewall function and the other functions. |
| Log Analysis | Customers can specify search conditions by tags and download the results as a CSV file. |
| Incident Reports | The Security Incident Report is posted here. |
| Customer Profile | Customers can register the e-mail notification destination for Security Incident Reports. |
| Document | Customers can download the CSV file output by Device Config Export. |
| Information | Any notable information is relayed here. |

Note

  • To specify which logs are analyzed (for log analysis and the Security Incident Report), it is necessary to configure which logs are obtained for each Firewall Policy.

  • In log analysis, the period during which logs can be viewed and searched is as follows. The integrity of obtained logs is not ensured.

    • Logs acquired by the firewall function (traffic log): 7 days

  • If Customers need to keep logs for a longer period of time, they are advised to send them to a syslog server that they manage.

7.Version Upgrade¶

Version Upgrade provides the following feature:

This function allows customers using Managed FW/UTM/WAF Version1 to migrate to Managed FW/UTM/WAF Version2 by applying for migration on the portal.

Menu¶

Plan¶

This menu provisions the following Plans:

| Plan | vCPU (Number) | Memory (GB) | Disk: System area (GB) | Interface (Maximum) | Configuration |
| --- | --- | --- | --- | --- | --- |
| 2CPU-4GB | 2 | 4 | 2 | 7 | Deploy Singular |
| 8CPU-12GB | 8 | 12 | 2 | 7 | Deploy Singular |
| 2CPU-4GB(HA) | 2 | 4 | 2 | 7 | High Availability (Redundancy) |
| 8CPU-12GB(HA) | 8 | 12 | 2 | 7 | High Availability (Redundancy) |

Subscriptions Method¶

Customers with Enterprise Cloud 2.0 can generally request to subscribe to this menu.

Subscription types, subscription methods and delivery are as follows:

| Order Types | Details | Subscription Methods | Offering Date |
| --- | --- | --- | --- |
| Add Device | Create the Device | Subscription by the customer on the Security Control Panel. | Immediate |
| Change | Change the "Device" Plan; modify Menus to change settings | Same as the above. | Same as the above. |
| Delete Device | Delete the Device | Same as the above. | Same as the above. |
| Version upgrade | Version upgrade of the device | Same as the above. | Same as the above. |

Note

  • Only one (1) "Device" can be processed per order. Customers who wish to subscribe to multiple "Devices" must go through the order process once for each "Device".

  • Plan changes between all patterns within the same Configuration Plan are available.

    • 2CPU-4GB → 8CPU-12GB ○
    • 8CPU-12GB → 2CPU-4GB ○

  • Plan changes that change the configuration, such as from a Single Configuration Plan to an HA Configuration Plan, are not possible.

    • Single Configuration Plan to HA Configuration Plan: N/A

    • HA Configuration Plan to Single Configuration Plan: N/A

  • When the Plan is changed, the "Device" must reboot.

  • When many subscription orders are being processed at the same time, creating a "Device", changing Plans and similar operations may take longer.

  • When creating a device, the selectable zone and group differ by region. Details are described under Region/Zone/Group in the service description.

  • If you want to migrate from the old version to a different plan of the new version, please migrate to the new version with the same plan first and then change the plan.

    • Example: changing from Version 1 Managed Firewall (2CPU-4GB) to Version 2 Managed Firewall (8CPU-12GB)

      1. Upgrade from Version 1 Managed Firewall (2CPU-4GB) to Version 2 Managed Firewall (2CPU-4GB).

      2. Change the plan from Version 2 Managed Firewall (2CPU-4GB) to Version 2 Managed Firewall (8CPU-12GB).

Restrictions¶

The sales unit, maximum number and minimum number of units are as follows.

| Unit | Maximum Number | Minimum Number |
| --- | --- | --- |
| 1 | No limit | 0 |

Terms And Conditions¶

Terms And Conditions¶

Logical Network Connectivity

<Singular Configuration>

For singular deployment, two (2) or more logical networks are required.

Customers are required to configure separate logical networks for the receiving side and the transmitting side.

(In other words, a "one-arm" setup cannot be deployed.)

<HA Configuration>

For HA configuration, four or more logical networks are required.

As in the Single Configuration Plan, two or more logical networks are required to carry customer traffic. In addition, two logical networks are necessary to connect the two devices of the HA Configuration Plan.

(In other words, a "one-arm" setup cannot be deployed.)

Note

  • When VRRP is used, please enable DHCP on the logical network carrying the customer's traffic shown in the figure above.

    When the DHCP setting is "invalid" (disabled), ARP requests are sent with the source address 0.0.0.0 on the ECL2.0 Network.

    It has been confirmed that Load Balancer, Managed Firewall/UTM, etc. provided by NTTCom do not reply to such ARP requests, so transmission may be interrupted at the time of VRRP switching.

  • The two logical networks for HA shown in the figure above must be prepared. Please create the two logical networks before ordering.

    • Please select "Data" for the plane of the logical network.

    • Please configure the subnet network address as x.x.x.x/29, and avoid duplicating the address x.x.x.x with any other network.

    • Please check "Disable Gateway" so that no Gateway IP is assigned.

    • Please check "Enable DHCP".

  • Please do not connect the logical networks for HA to other menus.

  • Please configure traffic through this menu so that communication is not routed asymmetrically.

Note

  • When the customer uses VRRP on the opposite device, the customer needs to select a different VRRP ID.

Conditions of Use in Combination with Other Services¶

This menu does not impose specific limits on combined usage with other services.

Minimum Use Period¶

This menu does not require minimum usage period.

Pricing¶

Initial Fee¶

This menu has no initial fee, regardless of the Plan or subscription.

Monthly Fee¶

This menu has a fixed monthly fee regardless of usage time.

If the plan or menu of a device is changed in the middle of a month, the monthly fees of the plans or menus used on that device in that month are compared, and the highest rate is applied as the monthly fee.

Quality of Menu¶

Support Coverage¶

All functions and facilities provided in this menu are within the support scope.

However, design work using this menu is not supported.

Operations¶

This menu is subject to the operational quality defined as standard in Enterprise Cloud 2.0.

Furthermore, the following operations are provided as part of this menu's managed operation:

| Item | Description |
| --- | --- |
| Applies security patches | Applies security patches depending on the degree of impact (same process as a version-up operation). |
| Life Cycle Management of the Products | Proceeds with updated versions in operation. |
| Monitoring / Maintenance | Operation monitoring and failure countermeasures for this device. |

SLA¶

SLA of this menu conforms to SLA defined as standard in Enterprise Cloud 2.0.

Restrictions¶

The restrictions of this menu are as follows:

  • When the customer uses VRRP, the VRRP ID configuration of the logical network has the restriction below.

    • In the case of HA configuration, please make sure that the VRRP IDs on the same network, such as the logical network to which this menu connects, the colocation connection (CIC) and the Enterprise Cloud 1.0 connection (EIC), do not overlap.

  • In the HA Configuration Plan, please enable DHCP on the logical network carrying the customer's communication.

  • The IP addresses below are not available for Interface, Routing, Address object, Destination NAT and Source NAT. If these IP addresses are used, this menu cannot work correctly.

  • Please design the IP addresses in the logical network to which this menu is connected at your own risk. Please be careful not to duplicate the IP addresses etc. assigned to this menu.

  • Please create Firewall Policies after the Object configuration is saved and completed.

  • Packets that violate the TCP/UDP/IP protocols and abnormal packets are dropped by a standard function regardless of customer configuration. Examples are below.

    • IP header is truncated in the middle;

    • Port number is null (0);

    • TCP flag combination is abnormal;

    • Irregular encapsulation of unauthorized packet(s).

  • The Dynamic Routing function is not provided in this menu.

  • The Bandwidth Control function is not provided in this menu.

  • During maintenance work related to the device, communication is interrupted in the case of a single configuration. In the case of HA configuration, the effect is about the same as the switching time at the time of a failure. The work is carried out after advance notification, but the work date and time cannot be adjusted.

  • The functions and logs provided by this menu do not guarantee integrity, accuracy or suitability for the customer's purpose of use.

  • NTT Com, as the service provider, provides the following information to the developer(s) and / or front-end seller of the "Devices" used in this menu, in order to investigate possible failures caused by incompatible settings or irregular operation. However, repair is not guaranteed if a failure or operational difficulty occurs under conditions that NTT Com did not intend. The following information is relayed to the system developer and front-end seller:

    • Setting details and data obtained at the time the menu is provisioned.

    • Management details within such information relating to this provisioned menu.

  • The ports below are not available for this menu. This menu may not work when these ports are used.

    • TCP/2000, TCP/5060

  • There is a guideline for the upper limit of performance values. See (Reference) Performance measurement results of Managed FW / UTM.
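The protocol-violation drops listed in the restrictions above (an IP header cut off in the middle, a port number of 0, an abnormal TCP flag pair) can be modelled with the following packet sanity check. This is an added example written for this page, not the "Device"'s own drop logic: which flag combinations count as abnormal, the addresses, and the sample packets are constructed for the illustration and do not describe the actual product behaviour.

```python
"""Packet sanity check for the protocol violations listed above (added
illustration, not the Managed Firewall's own drop logic). It parses a raw
IPv4 packet and rejects a truncated IP header, a TCP/UDP port of 0 and
abnormal TCP flag pairs; which flag pairs count as abnormal is an assumption
made for this example."""
import struct

FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10


def inspect(raw: bytes):
    """Return None if the packet passes, otherwise the reason it would be dropped."""
    # An IPv4 header is at least 20 bytes; the IHL field says how long it really is.
    if len(raw) < 20 or raw[0] >> 4 != 4:
        return "truncated IP header"
    ihl = (raw[0] & 0x0F) * 4
    if ihl < 20 or len(raw) < ihl:
        return "truncated IP header"
    total_len = struct.unpack("!H", raw[2:4])[0]
    if total_len > len(raw):
        return "IP total length exceeds packet"
    proto = raw[9]
    l4 = raw[ihl:total_len]
    if proto == 6:  # TCP
        if len(l4) < 20:
            return "truncated TCP header"
        sport, dport = struct.unpack("!HH", l4[:4])
        flags = l4[13]
        if sport == 0 or dport == 0:
            return "port 0"
        if flags & SYN and flags & FIN:
            return "SYN+FIN"
        if flags & SYN and flags & RST:
            return "SYN+RST"
        if flags & 0x3F == 0:
            return "null flags"
    elif proto == 17:  # UDP
        if len(l4) < 8:
            return "truncated UDP header"
        sport, dport = struct.unpack("!HH", l4[:4])
        if sport == 0 or dport == 0:
            return "port 0"
    return None


# --- constructed sample packets (checksums left 0; they are not verified here) ---
def build_ipv4(payload: bytes, proto: int) -> bytes:
    # version 4, IHL 5, TTL 64, constructed source 10.0.1.5 -> destination 203.0.113.10
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      bytes([10, 0, 1, 5]), bytes([203, 0, 113, 10]))
    return hdr + payload


def build_tcp(sport: int, dport: int, flags: int) -> bytes:
    # seq=0, ack=0, data offset 5 (20-byte header), window, checksum, urgent pointer
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)


def build_udp(sport: int, dport: int) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8, 0)


def demo():
    normal_syn = build_ipv4(build_tcp(51000, 443, SYN), 6)
    udp_port0 = build_ipv4(build_udp(0, 53), 17)
    syn_fin = build_ipv4(build_tcp(51000, 443, SYN | FIN), 6)
    cut_header = normal_syn[:12]  # IP header cut off in the middle
    return [inspect(p) for p in (normal_syn, udp_port0, syn_fin, cut_header)]


if __name__ == "__main__":
    print(demo())  # [None, 'port 0', 'SYN+FIN', 'truncated IP header']
```

The check runs before any policy lookup, which matches the restriction's point that such packets are dropped "regardless of customer configuration": no firewall policy can make a malformed packet acceptable, so a rule that appears not to match may simply be seeing traffic that never reached it.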
