Creating local rules for cluster members

In our last post we talked about how to use the Firewall Builder cluster feature to create a single firewall ruleset that gets installed on multiple servers. This is great if all your servers should be running exactly the same firewall rules, but what if some of the servers also need to have their own unique rules?

Firewall Builder lets you define multiple firewall policies, so you can have a server running a policy configured as part of the cluster and then the same server can also run its own local firewall policies. What you end up with is a cascading chain of firewalls similar to the diagram below.



You can control the order that the firewall policies are evaluated and you can name them to match their function. You can find the complete configuration details in our latest cookbook article:

Cookbook: Creating Local Firewall Rules for a Cluster Member

Managing a single firewall policy for multiple servers

We are always looking for creative ways to use Firewall Builder's technology to simplify firewall management. One challenge we hear from users quite often is how to efficiently manage firewall rules for a large number of servers performing the same function. For example, you might have a group of servers acting as web front ends and each of these servers needs to have the exact same policy as all the other web front end servers.

While you could create each server in Firewall Builder and copy-and-paste rules between the servers this is time consuming and it is easy to make a mistake. We have come up with a solution for this problem using Firewall Builder's cluster feature that allows you to define a master firewall policy and apply it to all the members of the cluster. This means that when you need to update a rule that affects multiple servers you only need to make the change in a single firewall policy and then compile and install it on all the cluster members.

During the compile process Firewall builder "localizes" the master rule for each server the policy is being installed on, so things like interface IP addresses are automatically updated to match each individual server the firewall rules will be deployed on. Check out the complete instructions in our latest Cookbook recipe in the Users Guide:

Using clusters to manage firewall policies on multiple servers

Quick Tip: Using Groups to Tame Access List Rules

Firewall Builder has a convenient feature called rule groups that help make managing access lists rules easier. Just create a rule group for each interface and direction combination on the router and organize your rules in these groups. You can find detailed instructions for setting up rules groups for managing router access lists on our website here:

Quick Tip: Using Groups to Manage Router ACLs

Router ACL Management Simplified

If you are responsible for managing Cisco router access lists then you know that they can be a pain to manage. Check out the latest Getting Started Guide that explains how to use Firewall Builder to simplify router ACL management.

Getting Started: Configuring Cisco Router ACL

We are collecting ideas for how-to guides and tips & tricks articles, so if there is a topic you would like to see covered please leave us a comment.