Manage Security Policies
Security Policy Capabilities
- Automatic Protection: Every n2x.io subnet comes with a built-in security policy that acts like a distributed firewall-as-a-service (FWaaS). This firewall automatically protects every node connected to the subnet.
- Default Security & Customization: Each security policy has a default action (allow or deny traffic) and a set of customizable filters that function like firewall rules.
- Zero-Trust by Default: When creating a new subnet, we recommend a default policy of "deny" (DROP) to align with a zero-trust security model. However, we allow you to choose "allow" (ACCEPT) for easier initial setup.
- Granular Control with Firewall Rules: You can define firewall rules within your subnet's security policy to control traffic flow. Each rule has a unique priority level, with lower numbers taking effect first.
- Default Rule as a Safety Net: If your security policy has no rules defined, or no rule matches incoming traffic, a default rule takes over. This default rule acts as a final safety measure to determine how to handle the traffic.
- Flexible Addressing: Our network filters support both IPv4 and IPv6 addresses, giving you control over both modern and legacy network protocols.
Modify the default Security Policy
Warning
Only Account Administrators or Admin Users can manage security policies.
The default security policy can be modified either using the webUI or CLI (n2xctl).
In the navigation menu on the left, click Network Topology and follow these steps:
- Select the Subnet that you want to update.
- Select the Security Policy tab.
- Choose either ACCEPT or DENY in the Default Policy rule.
Use the following command to update a subnet's default security policy:
n2xctl subnet update
Select the Tenant, Network and Subnet, and then select the Default Security Policy to apply to the subnet:
$ n2xctl subnet update
n2xctl v0.0.3-20240725171430+88c4863--go1.22.5
n2xctl is a CLI to control the n2x SASE platform.
Find more information at https://n2x.io/docs
» Tenant: [demo] Demo tenant
» Network: [net-172-16] demo network
» Subnet: [subnet-172-16-15] Services
» Subnet Description: Services
» Default Security Policy: ACCEPT
───── Subnet Details
──────────────────
Subnet Information
──────────────────
Tenant ID                  xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
Network ID                 net-172-16
Subnet ID                  subnet-172-16-15
Description                Services
IP Address Management (IPAM)
────────────────────────────
Network CIDR               172.16.0.0/16
Subnet CIDR                172.16.15.0/24
IPv4 Addresses Available   252
IPv4 Addresses Leased      2
IPv4 Address      IPv6 Address            Endpoint
------------------------------------------------------------------------
172.16.15.160     fd77:f:ac10:fa0:1::     k8s:default:nginx-service-2
172.16.15.106     fd77:f:ac10:f6a:1::     nginx-depl-585b788df7-2fgzr.d...
Security Policy
───────────────
Default Policy             [ACCEPT]
Index   Source   Destination   Port/Proto   Policy
-----   ------   -----------   ----------   ------
Add a Firewall Rule in a Subnet's Security Policy
Warning
Only Account Administrators or Admin Users can manage security policies.
Tip
You must always create a firewall rule in the security policy associated with the subnet where the target IP addresses reside.
You can add a new firewall rule for your subnet's security policy using either the n2x.io webUI or CLI (n2xctl).
In the navigation menu on the left, click Network Topology and select the Subnet that you want to update. Select the Security Policy tab and follow these steps:
- Click on the Add Firewall Rule button.
- Add the index number of the rule. It must be a unique positive integer.
- Enter the CIDR for the Source IP Net.
- Enter the CIDR for the Destination IP Net. The destination IP should be on the subnet where the rule is being created.
- Enter the destination port.
- Select the protocol. You can choose between ANY, TCP, UDP, ICMPv4 and ICMPv6.
- Choose ACCEPT or DENY for this rule.
- Add a description.
- Click on the Submit button.
After submitting, the new rule appears in the list.
Use the following command to add a firewall rule to a subnet's security policy:
n2xctl policy add-rule
Select the Tenant, Network and Subnet, and follow these steps:
- Add the index number of the rule. It must be a unique positive integer.
- Add a description.
- Select the CIDR for the Source IP Net.
- Select the CIDR for the Destination IP Net. The destination IP should be on the subnet where the rule is being created.
- Choose the protocol between ANY, TCP, UDP, ICMPv4 and ICMPv6.
- Fill in the destination port.
- Choose ACCEPT or DENY for the Security Policy.
$ n2xctl policy add-rule
n2xctl v0.0.3-20240725171430+88c4863--go1.22.5
n2xctl is a CLI to control the n2x SASE platform.
Find more information at https://n2x.io/docs
» Tenant: [demo] Demo tenant
» Network: [net-172-16] demo network
» Subnet: [subnet-172-16-0] Users
» Policy Index: 1
» Description (optional): Disable SSH access from the services subnet.
» Protocol: IPv4
» Select Source: IPNet CIDR
» Source IPv4 CIDR: 172.16.15.0/24
» Select Destination: IPNet CIDR
» Destination IPv4 CIDR: 172.16.0.0/24
» Protocol: TCP
» Destination Port: 22
» Security Policy: DROP
───── Security Policy Details
───────────────
Security Policy
───────────────
Tenant ID        xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
Network ID       net-172-16
Subnet ID        subnet-172-16-0
Description      Users
Subnet CIDR      172.16.0.0/24
Default Policy   [ACCEPT]
Index   Source           Destination      Port/Proto   Policy
-----   ------           -----------      ----------   ------
0       172.16.15.0/24   172.16.0.0/24    22/TCP       [DROP]
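To make the evaluation order concrete (lowest index first, first match decides, the default policy as the safety net, as described under Security Policy Capabilities), here is an added Python model of how a subnet security policy decides a packet, applied to the rule just created. It is example code written for this page, not n2xctl or n2x.io code; the class names and the add_rule checks are an assumed model of the constraints the page states.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Assumed model of an n2x.io subnet security policy (added example, not n2x.io
# code): lowest index first, first match decides, default policy as safety net.
ACCEPT, DROP = "ACCEPT", "DROP"

@dataclass(frozen=True)
class Rule:
    index: int           # unique per policy; lower numbers take effect first
    src: str             # source CIDR (IPv4 or IPv6)
    dst: str             # destination CIDR; must lie inside the policy's subnet
    port: Optional[int]  # destination port, None = any port
    proto: str           # ANY, TCP, UDP, ICMPv4 or ICMPv6
    policy: str          # ACCEPT or DROP


@dataclass
class SecurityPolicy:
    subnet: str                  # CIDR of the subnet this policy protects
    default: str = DROP          # zero-trust default the page recommends
    rules: List[Rule] = field(default_factory=list)

    def add_rule(self, rule: Rule) -> None:
        # Constraints the page states: unique index, destination inside subnet.
        if rule.index < 0 or any(r.index == rule.index for r in self.rules):
            raise ValueError(f"index {rule.index} must be unique and non-negative")
        dst, sub = ip_network(rule.dst), ip_network(self.subnet)
        if dst.version != sub.version or not dst.subnet_of(sub):
            raise ValueError(f"destination {rule.dst} is not inside {self.subnet}")
        self.rules.append(rule)

    def evaluate(self, src_ip: str, dst_ip: str, port: Optional[int],
                 proto: str) -> Tuple[str, Optional[int]]:
        # Returns (verdict, index of the matching rule); index None means the
        # default rule decided. 'in' is False across IP versions, so v4 and v6
        # rules never cross-match.
        src, dst = ip_address(src_ip), ip_address(dst_ip)
        for r in sorted(self.rules, key=lambda r: r.index):
            if (src in ip_network(r.src) and dst in ip_network(r.dst)
                    and r.proto in ("ANY", proto) and r.port in (None, port)):
                return r.policy, r.index
        return self.default, None

# The rule created on this page: drop SSH from the services subnet into the
# users subnet, whose default policy is ACCEPT.
users = SecurityPolicy("172.16.0.0/24", ACCEPT)
users.add_rule(Rule(0, "172.16.15.0/24", "172.16.0.0/24", 22, "TCP", DROP))
print(users.evaluate("172.16.15.160", "172.16.0.10", 22, "TCP"))   # ('DROP', 0)
print(users.evaluate("172.16.15.160", "172.16.0.10", 443, "TCP"))  # ('ACCEPT', None)
```

With the default left at ACCEPT, only the traffic a DROP rule names is blocked; with a DROP default and no rules, nothing reaches the node until an ACCEPT rule is added.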
Modify a Firewall Rule in a Subnet's Security Policy
Warning
Only Account Administrators or Admin Users can manage security policies.
You can modify a firewall rule in a subnet's security policy either using the n2x.io webUI or CLI (n2xctl):
In the navigation menu on the left, click Network Topology and select the Subnet that you want to update. Select the Security Policy tab and follow these steps:
- Click on the icon next to the rule.
- Update the rule with the new information.
- Click on the Save button.
Use the following command to modify a firewall rule in a subnet's security policy:
n2xctl policy edit-rule
Select the Tenant, Network and Subnet, and follow these steps:
- In the list of firewall rules, choose the rule you want to modify by its index number.
- Update the description.
- Update the CIDR for the Source IP Net.
- Update the CIDR for the Destination IP Net.
- Choose the protocol between ANY, TCP, UDP, ICMPv4 and ICMPv6.
- Update the destination port.
- Choose ACCEPT or DENY for the Security Policy.
$ n2xctl policy edit-rule
n2xctl v0.0.3-20240725171430+88c4863--go1.22.5
n2xctl is a CLI to control the n2x SASE platform.
Find more information at https://n2x.io/docs
» Tenant: [demo] Demo tenant
» Network: [net-172-16] demo network
» Subnet: [subnet-172-16-0] Users
» Network Filter 0: src 172.16.15.0/24 | dst 172.16.0.0/24 | 22/TCP | DROP
» Description (optional): Enable SSH access from the services subnet.
» Protocol: IPv4
» Select Source: IPNet CIDR
» Source IPv4 CIDR: 172.16.15.0/24
» Select Destination: IPNet CIDR
» Destination IPv4 CIDR: 172.16.0.0/24
» Protocol: TCP
» Destination Port: 22
» Security Policy: ACCEPT
───── Security Policy Details
───────────────
Security Policy
───────────────
Tenant ID        xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
Network ID       net-172-16
Subnet ID        subnet-172-16-0
Description      Users
Subnet CIDR      172.16.0.0/24
Default Policy   [ACCEPT]
Index   Source           Destination      Port/Proto   Policy
-----   ------           -----------      ----------   ------
0       172.16.15.0/24   172.16.0.0/24    22/TCP       [ACCEPT]
Delete a Firewall Rule from a Subnet's Security Policy
Warning
Only Account Administrators or Admin Users can manage security policies.
You can delete a firewall rule from a subnet's security policy either using the n2x.io webUI or CLI (n2xctl):
In the navigation menu on the left, click Network Topology and select the Subnet that contains the rule you want to delete. Select the Security Policy tab and follow these steps:
- Click on the icon next to the rule.
- Confirm deletion.
Use the following command to delete a firewall rule from a subnet's security policy:
n2xctl policy delete-rule
Select the Tenant, Network and Subnet, and in the list of firewall rules, choose the rule you want to delete by its index number.
$ n2xctl policy delete-rule
n2xctl v0.0.3-20240725171430+88c4863--go1.22.5
n2xctl is a CLI to control the n2x SASE platform.
Find more information at https://n2x.io/docs
» Tenant: [demo] Demo tenant
» Network: [net-172-16] demo network
» Subnet: [subnet-172-16-0] Users
» Network Filter 1: src 172.16.15.0/24 | dst 172.16.0.0/24 | 22/TCP | DROP
───── Security Policy Details
───────────────
Security Policy
───────────────
Tenant ID        xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
Network ID       net-172-16
Subnet ID        subnet-172-16-0
Description      Users
Subnet CIDR      172.16.0.0/24
Default Policy   [ACCEPT]
Index   Source   Destination   Port/Proto   Policy
-----   ------   -----------   ----------   ------
Troubleshoot Security Policy
To troubleshoot a connection and review the firewall logs, take these steps:
- Locate the target node of the failing connection.
- Open it in the webUI and select the Networking and Firewall Log tabs.
- If required, click on the Reload button to update the data.
Tip
Review the Security Policy on the node's subnet and make the required changes to correct the issue.