Creating a firewall policy and assigning it to a LIF
Default firewall policies are assigned to each LIF when you create the LIF. In many cases, the default firewall settings work well and you do not need to change them. If you want to change the network services or IP addresses that can access a LIF, you can create a custom firewall policy and assign it to the LIF.
About this task
You cannot create a firewall policy with the policy name data, intercluster, cluster, or mgmt.
These values are reserved for the system-defined firewall policies.
You cannot set or modify a firewall policy for cluster LIFs.
The firewall policy for cluster LIFs is set to 0.0.0.0/0 for all service types.
If you need to modify or remove services, you must delete the existing firewall policy and create a new policy.
If IPv6 is enabled on the cluster, you can create firewall policies with IPv6 addresses.
After IPv6 is enabled, data and mgmt firewall policies include ::/0, the IPv6 wildcard, in their list of accepted addresses.
When using ThinkSystem Storage Manager for DM Series to configure data protection functionality across clusters, you must ensure that the intercluster LIF IP addresses are included in the allowed list, and that HTTPS service is allowed on both the intercluster LIFs and on your company-owned firewalls.
By default, the intercluster firewall policy allows access from all IP addresses (0.0.0.0/0) and enables HTTPS, NDMP, and NDMPS services. If you modify this default policy, or if you create your own firewall policy for intercluster LIFs, you must add each intercluster LIF IP address to the allowed list and enable HTTPS service.
Starting with ONTAP 9.6, the HTTPS and SSH firewall services are not supported, so the https entry in the example below applies to releases before 9.6.
In ONTAP 9.6, the management-https and management-ssh LIF services are available for HTTPS and SSH management access.
Example of creating a firewall policy and applying it to a LIF
The following command creates a firewall policy named data_http that enables HTTP and HTTPS protocol access from IP addresses on the 10.10 subnet, applies that policy to the LIF named data1 on SVM vs1, and then shows all of the firewall policies on the cluster:
cluster-1::> system services firewall policy create -vserver vs1 -policy data_http -service http -allow-list 10.10.0.0/16

cluster-1::> system services firewall policy create -vserver vs1 -policy data_http -service https -allow-list 10.10.0.0/16

cluster-1::> system services firewall policy show
Vserver     Policy       Service    Allowed
-------     ------------ ---------- -------------------
cluster-1
            data
                         dns        0.0.0.0/0
                         ndmp       0.0.0.0/0
                         ndmps      0.0.0.0/0
cluster-1
            intercluster
                         https      0.0.0.0/0
                         ndmp       0.0.0.0/0
                         ndmps      0.0.0.0/0
cluster-1
            mgmt
                         dns        0.0.0.0/0
                         http       0.0.0.0/0
                         https      0.0.0.0/0
                         ndmp       0.0.0.0/0
                         ndmps      0.0.0.0/0
                         ntp        0.0.0.0/0
                         snmp       0.0.0.0/0
                         ssh        0.0.0.0/0
vs1
            data_http
                         http       10.10.0.0/16
                         https      10.10.0.0/16
cluster-1::> network interface modify -vserver vs1 -lif data1 -firewall-policy data_http
cluster-1::> network interface show -fields firewall-policy
vserver   lif                  firewall-policy
-------   -------------------- ---------------
Cluster   node1_clus_1
Cluster   node1_clus_2
Cluster   node2_clus_1
Cluster   node2_clus_2
cluster-1 cluster_mgmt         mgmt
cluster-1 node1_mgmt1          mgmt
cluster-1 node2_mgmt1          mgmt
vs1       data1                data_http
vs3       data2                data
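The following script is an added example and is not part of the ONTAP documentation or the ONTAP command set. It parses the output of system services firewall policy show in the row layout shown above and flags the conditions this page warns about: wildcard allow-lists (0.0.0.0/0 or ::/0) on a custom policy, management services left open to everyone in the default mgmt policy, and a policy used for intercluster LIFs that does not allow HTTPS or does not include a peer intercluster LIF address. The sample input is constructed: it is the policy show output from this page plus a hypothetical custom intercluster policy named ic_custom with a 10.20.30.0/24 allow-list, a ::/0 entry on the data policy as it appears once IPv6 is enabled, and a hypothetical peer intercluster LIF address 192.0.2.10.

```python
"""Audit ONTAP firewall policies from `system services firewall policy show` output.

Added example, not ONTAP code. It reads the row layout the CLI prints (a bare
vserver line, a bare policy line, then one "service  allowed[, allowed]" line
per service, with the vserver repeated before every policy) and reports the
misconfigurations the documentation warns about.
"""
import ipaddress
from collections import defaultdict

SYSTEM_POLICIES = {"data", "intercluster", "cluster", "mgmt"}  # reserved policy names
WILDCARDS = {"0.0.0.0/0", "::/0"}                               # IPv4 / IPv6 "anywhere"
MGMT_SERVICES = {"http", "https", "snmp", "ssh"}                # management-plane services

# Constructed sample: the page's `policy show` output, plus a hypothetical custom
# policy ic_custom (10.20.30.0/24) intended for intercluster LIFs, and ::/0 on the
# data policy as it appears after IPv6 is enabled.
SAMPLE_SHOW = """\
Vserver     Policy       Service    Allowed
-------     ------------ ---------- -------------------
cluster-1
            data
                         dns        0.0.0.0/0, ::/0
                         ndmp       0.0.0.0/0
                         ndmps      0.0.0.0/0
cluster-1
            intercluster
                         https      0.0.0.0/0
                         ndmp       0.0.0.0/0
                         ndmps      0.0.0.0/0
cluster-1
            mgmt
                         dns        0.0.0.0/0
                         http       0.0.0.0/0
                         https      0.0.0.0/0
                         ndmp       0.0.0.0/0
                         ndmps      0.0.0.0/0
                         ntp        0.0.0.0/0
                         snmp       0.0.0.0/0
                         ssh        0.0.0.0/0
cluster-1
            ic_custom
                         https      10.20.30.0/24
                         ndmp       10.20.30.0/24
vs1
            data_http
                         http       10.10.0.0/16
                         https      10.10.0.0/16
"""


def parse_policy_show(text):
    """Return {(vserver, policy): {service: [allowed CIDR, ...]}}."""
    policies = defaultdict(dict)
    vserver = policy = None
    expect = "vserver"  # a one-token line is a vserver, then the next one is a policy
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Vserver") or line.startswith("---"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 1:
            if expect == "vserver":
                vserver, expect = parts[0], "policy"
            else:
                policy, expect = parts[0], "service"
            continue
        service, allowed = parts
        policies[(vserver, policy)][service] = [a.strip() for a in allowed.split(",")]
        expect = "vserver"  # a service row ends the policy block
    return dict(policies)


def covers(ip, cidrs):
    """True if any allow-list entry contains ip (address family must match)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)


def audit(policies, intercluster_policies=None):
    """Return findings as (severity, vserver, policy, service, message).

    intercluster_policies maps a policy name used on intercluster LIFs to the
    peer intercluster LIF addresses that must be in its HTTPS allow-list.
    """
    intercluster_policies = intercluster_policies or {}
    findings = []
    for (vserver, policy), services in policies.items():
        for service, allowed in services.items():
            wild = sorted(WILDCARDS & set(allowed))
            if not wild:
                continue
            if policy not in SYSTEM_POLICIES:
                findings.append(("HIGH", vserver, policy, service,
                                 f"custom policy allows {service} from {', '.join(wild)}"))
            elif policy == "mgmt" and service in MGMT_SERVICES:
                findings.append(("MEDIUM", vserver, policy, service,
                                 f"default mgmt policy exposes {service} to {', '.join(wild)}"))
    for (vserver, policy), services in policies.items():
        peer_ips = intercluster_policies.get(policy)
        if peer_ips is None:
            continue
        if "https" not in services:  # cross-cluster data protection needs HTTPS
            findings.append(("HIGH", vserver, policy, "https",
                             "intercluster policy does not allow HTTPS"))
            continue
        for ip in peer_ips:
            if not covers(ip, services["https"]):
                findings.append(("HIGH", vserver, policy, "https",
                                 f"intercluster LIF {ip} is not in the HTTPS allow-list"))
    return findings


if __name__ == "__main__":
    peers = {"intercluster": ["192.0.2.10"], "ic_custom": ["192.0.2.10"]}
    for sev, vserver, policy, service, msg in audit(parse_policy_show(SAMPLE_SHOW), peers):
        print(f"{sev:6} {vserver}/{policy} {service}: {msg}")
```

Run it against real output by pasting the policy show text in place of SAMPLE_SHOW and listing, per intercluster policy name, the peer cluster's intercluster LIF addresses. The default intercluster policy passes because 0.0.0.0/0 covers every IPv4 peer; the hypothetical ic_custom policy is reported because its HTTPS allow-list does not contain 192.0.2.10.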