
Manage Security Policies

Security Policy Capabilities

  • Automatic Protection: Every n2x.io subnet comes with a built-in security policy that acts like a distributed firewall-as-a-service (FWaaS). This firewall automatically protects every node connected to the subnet.

  • Default Security & Customization: Each security policy has a default action (allow or deny traffic) and a set of customizable filters that function like firewall rules.

  • Zero-Trust by Default: When creating a new subnet, we recommend a default policy of "deny" (DROP) to align with a zero-trust security model. However, we allow you to choose "allow" (ACCEPT) for easier initial setup.

  • Granular Control with Firewall Rules: You can define firewall rules within your subnet's security policy to control traffic flow. Each rule has a unique priority level, with lower numbers taking effect first.

  • Default Rule as a Safety Net: If your security policy has no rules defined, or no rule matches incoming traffic, a default rule takes over. This default rule acts as a final safety measure to determine how to handle the traffic.

  • Flexible Addressing: Our network filters support both IPv4 and IPv6 addresses, giving you control over both modern and legacy network protocols.

Modify the default Security Policy

Warning

Only Account Administrators or Admin Users can manage security policies.

The default security policy can be modified either using the webUI or CLI (n2xctl).

In the navigation menu on the left, click Network Topology and follow these steps:

Security Policy tab.

  1. Select the Subnet that you want to update.
  2. Select the Security Policy tab.
  3. Choose either ACCEPT or DENY in the Default Policy rule.

Use the following command to update a subnet's default security policy:

n2xctl subnet update

Select the Tenant, Network and Subnet, then select the Default Security Policy to apply to the subnet:

$ n2xctl subnet update
n2xctl v0.0.3-20240725171430+88c4863--go1.22.5

n2xctl is a CLI to control the n2x SASE platform.

Find more information at https://n2x.io/docs

» Tenant: [demo] Demo tenant
» Network: [net-172-16] demo network
» Subnet: [subnet-172-16-15] Services
» Subnet Description: Services
» Default Security Policy: ACCEPT
                                                        ───── Subnet Details ≡
══════════════════
Subnet Information
══════════════════

Tenant ID   xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx    
Network ID  net-172-16                              
Subnet ID   subnet-172-16-15                        
Description Services                                

IP Address Management (IPAM)
────────────────────────────

Network CIDR                172.16.0.0/16   
Subnet CIDR                 172.16.15.0/24  
IPv4 Addresses Available    252             
IPv4 Addresses Leased       2               

IPv4 Address    IPv6 Address        Endpoint                         
------------------------------------------------------------------------
172.16.15.160   fd77:f:ac10:fa0:1:: k8s:default:nginx-service-2         
172.16.15.106   fd77:f:ac10:f6a:1:: nginx-depl-585b788df7-2fgzr.d...    

Security Policy
───────────────

Default Policy  [ACCEPT]    

Index   Source  Destination Port/Proto  Policy  
-----   ------  ----------- ----------  ------  

Add a Firewall Rule in a Subnet's Security Policy

Warning

Only Account Administrators or Admin Users can manage security policies.

Tip

You must always create a firewall rule in the security policy associated with the subnet where the target IP addresses reside.

You can add a new firewall rule for your subnet's security policy using either the n2x.io webUI or CLI (n2xctl).

In the navigation menu on the left, click Network Topology and select the Subnet that you want to update. Select the Security Policy tab and follow these steps:

Add Firewall Rule form.

  1. Click on the Add Firewall Rule button.
  2. Enter the index (priority) number for the rule. It must be a unique positive integer.
  3. Enter the CIDR for the Source IP Net.
  4. Enter the CIDR for the Destination IP Net. The destination network should be within the subnet where the rule is being created.
  5. Enter the destination port.
  6. Choose the protocol: ANY, TCP, UDP, ICMPv4 or ICMPv6.
  7. Choose ACCEPT or DENY as the action for this rule.
  8. Add a description.
  9. Click on the Submit button.

After submitting the policy, you can see the new policy in the list:

Example Firewall Rule.

Use the following command to add a firewall rule to a subnet's security policy:

n2xctl policy add-rule

Select the Tenant, Network, Subnet and follow these steps:

  1. Enter the index (priority) number for the rule. It must be a unique positive integer.
  2. Add a description.
  3. Select the CIDR for the Source IP Net.
  4. Select the CIDR for the Destination IP Net. The destination network should be within the subnet where the rule is being created.
  5. Choose the protocol: ANY, TCP, UDP, ICMPv4 or ICMPv6.
  6. Enter the destination port.
  7. Choose ACCEPT or DENY as the action for this rule.

$ n2xctl policy add-rule
n2xctl v0.0.3-20240725171430+88c4863--go1.22.5

n2xctl is a CLI to control the n2x SASE platform.

Find more information at https://n2x.io/docs

» Tenant: [demo] Demo tenant
» Network: [net-172-16] demo network
» Subnet: [subnet-172-16-0] Users
» Policy Index: 1
» Description (optional): Disable SSH access from the services subnet.
» Protocol: IPv4
» Select Source: IPNet CIDR
» Source IPv4 CIDR: 172.16.15.0/24
» Select Destination: IPNet CIDR
» Destination IPv4 CIDR: 172.16.0.0/24
» Protocol: TCP
» Destination Port: 22
» Security Policy: DROP
                                               ───── Security Policy Details ≡
═══════════════
Security Policy
═══════════════

Tenant ID   xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx    
Network ID  net-172-16                              
Subnet ID   subnet-172-16-0                         
Description Users                                   
Subnet CIDR 172.16.0.0/24                           
Default Policy  [ACCEPT]    

Index   Source          Destination     Port/Proto  Policy  
-----   ------          -----------     ----------  ------  
0       172.16.15.0/24  172.16.0.0/24   22/TCP      [DROP]  
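
The rule semantics described under Security Policy Capabilities (unique index, lower index evaluated first, ACCEPT or DROP, default policy as the final safety net, IPv4 and IPv6 CIDRs) and the constraints the add-rule steps impose (positive unique index, protocol from the fixed set, destination inside the subnet being edited) can be modelled to dry-run a rule set before it is applied. The Python below is an added example, not n2xctl or n2x.io code; the evaluation order follows the page's description, and the policy and flows are constructed sample data based on the Users (172.16.0.0/24) and Services (172.16.15.0/24) subnets shown in the transcripts.

```python
"""Dry-run model of an n2x.io subnet security policy (added example, not n2x.io code).

Rules are evaluated in ascending index order, the first match decides ACCEPT or
DROP, and the subnet's default policy applies when nothing matches. IPv4 and
IPv6 CIDRs are both accepted. All subnets, rules and flows are constructed.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

PROTOCOLS = {"ANY", "TCP", "UDP", "ICMPv4", "ICMPv6"}
ACTIONS = {"ACCEPT", "DROP"}


@dataclass(frozen=True)
class Rule:
    index: int            # unique positive integer; lower index is evaluated first
    src: str              # source IP net (CIDR)
    dst: str              # destination IP net (CIDR), inside the protected subnet
    proto: str            # ANY, TCP, UDP, ICMPv4 or ICMPv6
    port: Optional[int]   # destination port; None matches any port (ANY/ICMP rules)
    action: str           # ACCEPT or DROP
    description: str = ""


@dataclass
class SecurityPolicy:
    subnet_cidr: str
    default_action: str
    rules: List[Rule] = field(default_factory=list)

    def validate(self) -> List[str]:
        """Apply the constraints from the Add Firewall Rule steps; return error strings."""
        errors = []
        if self.default_action not in ACTIONS:
            errors.append(f"default policy {self.default_action!r} must be ACCEPT or DROP")
        subnet = ipaddress.ip_network(self.subnet_cidr, strict=False)
        seen = set()
        for r in self.rules:
            if not isinstance(r.index, int) or r.index <= 0:
                errors.append(f"rule {r.index}: index must be a positive integer")
            if r.index in seen:
                errors.append(f"rule {r.index}: index is not unique")
            seen.add(r.index)
            if r.proto not in PROTOCOLS:
                errors.append(f"rule {r.index}: unknown protocol {r.proto!r}")
            if r.action not in ACTIONS:
                errors.append(f"rule {r.index}: action must be ACCEPT or DROP")
            if r.port is not None and not 0 < r.port < 65536:
                errors.append(f"rule {r.index}: port {r.port} out of range")
            dst = ipaddress.ip_network(r.dst, strict=False)
            # A rule belongs in the policy of the subnet where its target addresses reside.
            if dst.version != subnet.version or not dst.subnet_of(subnet):
                errors.append(f"rule {r.index}: destination {r.dst} is not inside subnet {self.subnet_cidr}")
        return errors

    def evaluate(self, src_ip: str, dst_ip: str, proto: str,
                 port: Optional[int] = None) -> Tuple[str, Optional[int]]:
        """Return (action, index of the matching rule); index is None when the default applied."""
        src = ipaddress.ip_address(src_ip)
        dst = ipaddress.ip_address(dst_ip)
        for r in sorted(self.rules, key=lambda rule: rule.index):
            src_net = ipaddress.ip_network(r.src, strict=False)
            dst_net = ipaddress.ip_network(r.dst, strict=False)
            if src.version != src_net.version or dst.version != dst_net.version:
                continue  # an IPv4 flow never matches an IPv6 rule and vice versa
            if src not in src_net or dst not in dst_net:
                continue
            if r.proto != "ANY" and r.proto != proto:
                continue
            if r.port is not None and r.port != port:
                continue
            return r.action, r.index
        return self.default_action, None


# Constructed policy for the Users subnet (172.16.0.0/24), default ACCEPT. Index 1 (lower,
# so it wins) exempts one Services host; index 2 drops SSH from the rest of the Services
# subnet, as in the add-rule transcript above.
USERS_POLICY = SecurityPolicy("172.16.0.0/24", "ACCEPT", [
    Rule(2, "172.16.15.0/24", "172.16.0.0/24", "TCP", 22, "DROP",
         "Disable SSH access from the services subnet."),
    Rule(1, "172.16.15.160/32", "172.16.0.0/24", "TCP", 22, "ACCEPT",
         "Constructed exception for one services host."),
])


def misplaced_rule_errors() -> List[str]:
    """Validate a deliberately wrong policy: a rule aimed at another subnet plus a duplicate index."""
    bad = SecurityPolicy("172.16.0.0/24", "DROP", [
        Rule(1, "172.16.0.0/24", "172.16.15.0/24", "TCP", 22, "ACCEPT"),   # belongs in the Services policy
        Rule(1, "172.16.0.0/24", "172.16.0.0/24", "ANY", None, "ACCEPT"),  # index 1 reused
    ])
    return bad.validate()


if __name__ == "__main__":
    print("validation:", USERS_POLICY.validate() or "ok")
    for flow in [("172.16.15.106", "172.16.0.10", "TCP", 22),
                 ("172.16.15.160", "172.16.0.10", "TCP", 22),
                 ("172.16.15.106", "172.16.0.10", "TCP", 443)]:
        print(flow, "->", USERS_POLICY.evaluate(*flow))
    for err in misplaced_rule_errors():
        print("invalid:", err)
```

With the default left at ACCEPT, as in the transcript, every flow that no rule matches is allowed, so a single DROP rule only closes one port from one source; switching the constructed policy's default to DROP, which the Zero-Trust by Default bullet recommends, makes the same evaluator drop the unmatched HTTPS flow as well, which is the quickest way to see what a default change will do before committing it with n2xctl.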

Modify a Firewall Rule in a Subnet's Security Policy

Warning

Only Account Administrators or Admin Users can manage security policies.

You can modify a firewall rule in a subnet's security policy either using the n2x.io webUI or CLI (n2xctl):

In the navigation menu on the left, click Network Topology and select the Subnet that you want to update. Select the Security Policy tab and follow these steps:

Modify Distributed Firewall Policy.

  1. Click on the icon next to the rule.
  2. Update the rule with the new information.
  3. Click on the Save button.

Use the following command to modify a firewall rule in a subnet's security policy:

n2xctl policy edit-rule

Select the Tenant, Network, Subnet and follow these steps:

  1. In the list of firewall rules, choose the rule you want to modify by its index number.
  2. Update the description.
  3. Update the CIDR for the Source IP Net.
  4. Update the CIDR for the Destination IP Net.
  5. Choose the protocol: ANY, TCP, UDP, ICMPv4 or ICMPv6.
  6. Update the destination port.
  7. Choose ACCEPT or DENY as the action for this rule.

$ n2xctl policy edit-rule
n2xctl v0.0.3-20240725171430+88c4863--go1.22.5

n2xctl is a CLI to control the n2x SASE platform.

Find more information at https://n2x.io/docs

» Tenant: [demo] Demo tenant
» Network: [net-172-16] demo network
» Subnet: [subnet-172-16-0] Users
» Network Filter 0: src 172.16.15.0/24 | dst 172.16.0.0/24 | 22/TCP | DROP
» Description (optional): Enable SSH access from the services subnet.
» Protocol: IPv4
» Select Source: IPNet CIDR
» Source IPv4 CIDR: 172.16.15.0/24
» Select Destination: IPNet CIDR
» Destination IPv4 CIDR: 172.16.0.0/24
» Protocol: TCP
» Destination Port: 22
» Security Policy: ACCEPT
                                               ───── Security Policy Details ≡
═══════════════
Security Policy
═══════════════

Tenant ID   xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx    
Network ID  net-172-16                              
Subnet ID   subnet-172-16-0                         
Description Users                                   
Subnet CIDR 172.16.0.0/24                           
Default Policy  [ACCEPT]    

Index   Source          Destination     Port/Proto  Policy      
-----   ------          -----------     ----------  ------      
0       172.16.15.0/24  172.16.0.0/24   22/TCP      [ACCEPT]    

Delete a Firewall Rule from a Subnet's Security Policy

Warning

Only Account Administrators or Admin Users can manage security policies.

You can delete a firewall rule from a subnet's security policy either using the n2x.io webUI or CLI (n2xctl):

In the navigation menu on the left, click Network Topology and select the Subnet whose rule you want to delete. Select the Security Policy tab and follow these steps:

Delete Distributed Firewall Policy.

  1. Click on the icon next to the rule.
  2. Confirm deletion.

Use the following command to delete a firewall rule from a subnet's security policy:

n2xctl policy delete-rule

Select the Tenant, Network and Subnet, then, in the list of firewall rules, choose the rule you want to delete by its index number.

$ n2xctl policy delete-rule
n2xctl v0.0.3-20240725171430+88c4863--go1.22.5

n2xctl is a CLI to control the n2x SASE platform.

Find more information at https://n2x.io/docs

» Tenant: [demo] Demo tenant
» Network: [net-172-16] demo network
» Subnet: [subnet-172-16-0] Users
» Network Filter 1: src 172.16.15.0/24 | dst 172.16.0.0/24 | 22/TCP | DROP
                                               ───── Security Policy Details ≡
═══════════════
Security Policy
═══════════════

Tenant ID   xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx    
Network ID  net-172-16                              
Subnet ID   subnet-172-16-0                         
Description Users                                   
Subnet CIDR 172.16.0.0/24                           
Default Policy  [ACCEPT]    

Index   Source          Destination     Port/Proto  Policy  
-----   ------          -----------     ----------  ------  

Troubleshoot Security Policy

To troubleshoot a connection and review the firewall logs, take these steps:

Firewall Logs Example.

  1. Locate the target node of the failing connection.
  2. Open it in the webUI and select the Networking tab, then the Firewall Log tab.
  3. If required, click on the Reload button to update the data.

Tip

Review the Security Policy on the node's subnet and make the required changes to correct the issue.