Authentication OIDC Authentication VNS3 Licensing Access Management Clientpack Generation Installing HTTPS Firewall 2.0 Firewall AWS Specific features Firewall FWSets VNS3 Variables VNS3 Router IPsec Configuration IPsec Parameters VNS3 Peering Mesh Setting Topology Name VNS3 Overlay Network Snapshot Management VNS3 Event Alerting Network Address Translation Traffic inspection SNMP Support VNS3 BGP Configuration Guide Remote Support Resetting VNS3 Upgrading VNS3 Release Notes VNS3 EOL Policy and Milestones IPSec Connection Checklist VNS3 Known Issues VNS3 Specifications VNS3 VPN Client tools VNS3 Control Center VNS3 setup

Firewall FWSets

Sets

Firewall sets or FWSets are sets of objects such as IPs or ports that can be used for matching traffic to rules. These allow for faster traffic matching for your rules and provide an easy and efficient way to group people, machines or services. FWsets are unique by the name and cannot have spaces. You can also use variables in your FWSet entries. FWsets can optionally be sync’d to peered VNS3 controllers.

FWSet data resource:

• name - this is unique (case insensitive)
• description (optional)
• sync_mesh (optional, default false)
• a list of entries
  • entry
  • comment (optional)

Using in a rule

To use in a rule as either a source or destination, you may use it as a variable or as the fwset name directly:

Matching a set against source of traffic

INPUT -s ${fwset_myfwset} -j ACCEPT or INPUT -s name_of_fwset -j ACCEPT

Matching a set against destination of traffic

INPUT -d ${fwset_myfwset} -j ACCEPT or INPUT -d name_of_fwset -j ACCEPT

Set Types

• Subnet/IP - entries are valid IP addresses or CIDRs (type hash:net)
• Ports - entries should be valid port numbers (type bitmap:port)
• List - this type allows you to create a set of sets. This type should only include the names of other sets (type list:set)
• Service - the service type allows for IP, port and (optionally) protocol matching. For example: 3.3.3.3,tcp:80 or 3.3.3.3,80 (type hash:ip,port)
• DNS - not editable - this set type requires a valid domain as the “target”. The set will be automatically updated every 90 seconds
• Clientpack Tag Group - not editable - this type allows users to create fwsets for clientpack groups by tag. For instance, all clientpacks that have the tag “type=person”

Syncing FWSet

FWSets can be sync’d across VNS3 peers (starting in VNS3 6.2):

• Creating a sync’d FWSet - when checking “Mesh Sync” for an fwset, that fwset will be sync’d over the peering mesh to other controllers. This may take a few seconds.
• Deleting a sync’d FWSet - this will delete the fwset on all peered controllers. If you would like to only delete the FWSet on a single controller, make sure to uncheck “Mesh Sync” on that controller before deleting
• Desync a sync’d FWSet - when unchecking “Sync” for an fwset you have the option of deleting the FWSet on all peers or not. To delete the FWSet on all peers, you must confirm via the modal OR pass desync: true to the API call for updating the FWSet

API

The API provides the following endpoints for interacting with fwsets:

FWsets collection: /api/v2/firewall/fwsets

Supported methods

• GET for reading all fwsets
• POST for creating new fwset

FWset resource: /api/v2/firewall/fwsets/:name(?osview=true)

Supported methods

• GET for reading fwset data and entries. OS view will return fwset entries returned from OS call.
• PUT for overwrite all entries or updating description (cannot edit name after creation)
• DELETE to delete entire fwset

FWset entries subcollection: /api/v2/firewall/fwsets/:name/entries

Supported methods

• POST for inserting
• DELETE to delete fwset entry. Expects JSON body: Payload: {"entry": "54.43.12.1"}

GET /api/v2/firewall/fwsets

{
    "response": [
        {
            "name": "App-Ports",
            "description": "",
            "created_at": "2021-11-30T20:03:25.845Z",
            "updated_at": "2021-11-30T20:03:25.845Z",
            "sync_mesh": false,
            "entries": [
                "6001",
                "7001"
            ],
            "size": 2,
            "type": "port"
        },
        {
            "name": "IP-Blacklist",
            "description": "A blacklist of known nefarious IPs",
            "created_at": "2021-12-01T22:35:47.103Z",
            "updated_at": "2021-12-01T22:35:47.103Z",
            "sync_mesh": true,
            "entries": [
                "174.120.121.4",
                "11.212.34.11",
                "54.43.12.1"
            ],
            "size": 3,
            "type": "net"
        },
        {
            "id": 4,
            "name": "google",
            "description": "",
            "created_at": "2023-09-18T16:47:22.591Z",
            "updated_at": "2023-09-18T16:47:22.591Z",
            "target": "google.com",
            "sync_mesh": false,
            "entries": [
                {
                "entry": "172.253.63.138",
                "comment": "",
                "entry_resolved": "172.253.63.138",
                "last_resolved": "2023-09-18T16:47:22.997Z",
                "created_at": "2023-09-18T16:47:23.062Z"
                },
                {
                "entry": "172.253.63.102",
                "comment": "",
                "entry_resolved": "172.253.63.102",
                "last_resolved": "2023-09-18T16:47:22.997Z",
                "created_at": "2023-09-18T16:47:23.071Z"
                },
                {
                "entry": "172.253.63.101",
                "comment": "",
                "entry_resolved": "172.253.63.101",
                "last_resolved": "2023-09-18T16:47:22.997Z",
                "created_at": "2023-09-18T16:47:23.084Z"
                }
            ],
            "size": 3,
            "type": "dns",
            "variable": "fwset_google"
        }
    ]
}