Dude Where’s my Firewall? ONTAP Logical Interface (LIF) Service Policies

When upgrading ONTAP to 9.5 and later, you may have noticed some firewall policies are gone. Rest assured they are still there, in a better mechanism called LIF Service Policies. The firewall policies are translated to Logical Interface (LIF) service policies, which are more granular because they apply per interface (IP address). Additionally, starting with ONTAP 9.6, LIF roles are deprecated and replaced with LIF Service Policies for protocols. Service policies are translated automatically from the formerly used firewall rules and LIF roles.

The examples below will restrict access to the 192.168.150.0/24 network only, using service policies. You can set policies granularly per LIF, but in the examples below we will set the same policy throughout. The service policies will be set on the management interfaces of an ONTAP 9.8 cluster named cmode-prod, and we will also set service policies on NAS and iSCSI SAN data LIFs on Storage Virtual Machines (SVMs) named source_ntfs and san1. The NAS and SAN examples will also show how service policies interact with data protocols, which can have overlapping effects. Always check the NetApp Docs site at https://www.netapp.com/support-and-training/documentation/ for additional information on command syntax.

Additional Information

  • Service policies on LIFs were introduced in ONTAP 9.5 for some firewall protocols, but not including SSH and HTTPS
  • Service policies absorbed additional firewall rules in ONTAP 9.6, including SSH and HTTPS
  • In ONTAP 9.5 and lower, SSH and HTTPS are shown and set in the firewall
    • system services firewall policy
  • In ONTAP 9.6 and higher, SSH and HTTPS are shown and set with the commands below; the service policy is then applied to individual LIFs.
    • network interface service show
    • network interface service-policy show
  • The Service Processor (SP/BMC) allowed-address list is handled by a separate mechanism, which is also shown below

Cluster Management Interface Service Policies

Show the Firewall Policies and LIF Service Policies

system services firewall show

The firewall is enabled by default, with no logging

system services firewall policy show

Note the remaining protocols in the system firewall: dns, http, ndmp, ndmps, ntp and snmp

network interface service show

network interface service-policy show -vserver cmode-prod

Note the default policies and the mapping to the service

Create a clone of “default-management” and modify the clone, leaving the default service policy unchanged. We will then restrict the management services to the 192.168.150.0/24 subnet only. By cloning, we copy over the five management services, which we can then modify.

network interface show -vserver cmode-prod -fields service-policy,services

network interface service-policy clone -vserver cmode-prod -policy default-management -target-vserver cmode-prod -target-policy secure-management

network interface service-policy modify-service -vserver cmode-prod -policy secure-management -service management-core -allowed-addresses 192.168.150.0/24

network interface service-policy modify-service -vserver cmode-prod -policy secure-management -service management-autosupport -allowed-addresses 192.168.150.0/24

network interface service-policy modify-service -vserver cmode-prod -policy secure-management -service management-ssh -allowed-addresses 192.168.150.0/24

network interface service-policy modify-service -vserver cmode-prod -policy secure-management -service management-https -allowed-addresses 192.168.150.0/24

network interface service-policy show -vserver cmode-prod

The management-ems service was left at its 0.0.0.0/0 default

Assign the policy to the cluster and node management LIFs (this is the key step). Note that you could use a different service policy per LIF, or even have additional cluster and node management LIFs on different networks. You can also apply a different service policy to the intercluster (SnapMirror/FabricPool/FlexCache) LIFs, but we will leave those at the system default, open to all networks.

network interface modify -vserver cmode-prod -lif cluster_mgmt -service-policy secure-management

network interface modify -vserver cmode-prod -lif cmode-prod-01_mgmt1 -service-policy secure-management

network interface modify -vserver cmode-prod -lif cmode-prod-02_mgmt1 -service-policy secure-management

network interface show -vserver cmode-prod -fields service-policy,services

The cluster and node management LIFs are now assigned the secure LIF service policy

Service Processor (SP/BMC) Firewall Allowed Addresses, to Enforce the Same Rules as the Management LIFs

service-processor ssh show

service-processor ssh add-allowed-addresses 192.168.150.0/24

service-processor ssh show

NAS Interface Service Policies

  • If you need to restrict the SMB protocol to a specific network, service policies add this capability, which was not previously available for the protocol.
  • NFS export policy rules allow specific networks and hosts, separately from LIF service policies.
  • If you want to ensure that a data LIF only serves data locally on its subnet, you could use this method to ensure there is no routed access to an SMB share or NFS export.
  • Note that this may add troubleshooting for NFS exports. For example, an NFS export policy rule may allow a subnet that the service policy does not.

network interface service-policy show -vserver source_ntfs

Note the data SVM Service Policies and Services

network interface show -vserver source_ntfs -fields service-policy,services

Create a new data service policy allowing only the 192.168.150.0/24 subnet

network interface service-policy create -policy source_ntfs-secure-data-files -allowed-addresses 192.168.150.0/24 -vserver source_ntfs -services data-cifs,data-core,data-flexcache,data-nfs,data-fpolicy-client

network interface service-policy show -vserver source_ntfs

Apply the service policies to the data LIFs

network interface modify -vserver source_ntfs -lif lif* -service-policy source_ntfs-secure-data-files

network interface show -vserver source_ntfs -fields service-policy,services

iSCSI SAN Interface Service Policies

  • Note that adding a service policy to an iSCSI data LIF interacts with the other existing access-control methods.
  • There are five methods in ONTAP that can restrict access to iSCSI LUNs. A LUN access issue can stem from any one or more of these mechanisms, since they all interact.
    • This is outside the scope of this blog, but the five methods are listed below. Please comment if you have found other methods in ONTAP.

1. LUN mapping to igroups (LUN masking)
The initiator groups mask the LUN to allowed hosts (IQNs)

lun mapping show

2. Selective LUN Mapping (reporting-nodes limited to the HA pair)
Enabled by default for HA pairs (a LUN is reported on only two nodes in the cluster, the HA pair that owns it)

lun mapping show -vserver san1 -fields reporting-nodes

3. Igroup binding to portsets (port masking)
Igroups bound to portsets limit the LIFs allowed to export a LUN
This can work together with SLM, where specific ports on an HA pair are used

lun portset show

4. LIF service policies (firewall) at the network interface limit hosts or subnets
The LIF service policies for the SAN SVM are shown below

network interface service-policy show

5. iSCSI access lists (SendTargets filter)
The iSCSI host's SendTargets discovery can be filtered to a subset of LIFs

iscsi interface accesslist show

Show the Service Policies for the SAN SVM

network interface service-policy show -vserver san1

network interface show -vserver san1 -fields service-policy,services

Note the data SVM Service Policies and Services

Create new service policies allowing only the 192.168.150.0/24 subnet for the SVM management and data LIFs

network interface service-policy create -policy san1-secure-management -allowed-addresses 192.168.150.0/24 -vserver san1 -services data-core,management-ssh,management-https

network interface service-policy create -policy san1-secure-data-blocks -allowed-addresses 192.168.150.0/24 -vserver san1 -services data-core,data-iscsi

network interface service-policy show -vserver san1

Apply the service policies to the management and data LIFs

network interface modify -vserver san1 -lif san1_mgmt -service-policy san1-secure-management

network interface modify -vserver san1 -lif san1_lif* -service-policy san1-secure-data-blocks

network interface show -vserver san1 -fields service-policy,services
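As an added example that is not part of the original post, the Python audit below parses the output of network interface service-policy show and network interface show -fields service-policy (both samples are constructed, with the column layout approximated) and reports every service, on every LIF, whose allowed addresses collapse to 0.0.0.0/0, including a mistyped /0 prefix, which the ipaddress module treats as every address. Adjust the parsing to the exact output of your cluster before relying on it.

```python
import ipaddress
# Constructed samples in the shape of the two show commands' output (layout approximated)
POLICY_OUTPUT = """\
Vserver   Policy                  Service: Allowed Addresses
--------- ----------------------- --------------------------------
cmode-prod
          default-management      management-ssh: 0.0.0.0/0
          secure-management       management-ssh: 192.168.150.0/24
                                  management-ems: 0.0.0.0/0
san1      san1-secure-data-blocks data-core: 192.168.150.0/0
                                  data-iscsi: 192.168.150.0/0
"""
LIF_OUTPUT = """\
vserver    lif                 service-policy
---------- ------------------- -----------------------
cmode-prod cluster_mgmt        secure-management
cmode-prod cmode-prod-02_mgmt1 default-management
san1       san1_lif1           san1-secure-data-blocks
"""
def parse_policies(text):
    """Map (vserver, policy) -> {service: [cidr, ...]}; blank columns inherit from the row above."""
    policies, vserver, policy = {}, None, None
    for line in text.splitlines():
        if not line.strip() or line.startswith(("Vserver", "-")):
            continue
        left, sep, right = line.partition(":")
        tokens = left.split()
        service = tokens.pop() if sep else None    # the word just before ':' is the service
        if tokens and not line[0].isspace():
            vserver = tokens.pop(0)                # a name in column 1 starts a new vserver
        if tokens:
            policy = tokens.pop(0)
        if service:
            policies.setdefault((vserver, policy), {})[service] = [c.strip() for c in right.split(",")]
    return policies
def parse_lifs(text):
    return [tuple(l.split()[:3]) for l in text.splitlines()[2:] if l.strip()]  # skip header and dashes
def audit(policy_text, lif_text):
    """Return (vserver, lif, service, cidr, reason) for every service reachable from any address."""
    policies, findings = parse_policies(policy_text), []
    for vserver, lif, policy in parse_lifs(lif_text):
        for service, cidrs in policies.get((vserver, policy), {}).items():
            for cidr in cidrs:
                iface = ipaddress.ip_interface(cidr)  # non-strict: 192.168.150.0/0 becomes 0.0.0.0/0
                if iface.network.prefixlen == 0:
                    reason = ("open to all networks" if iface.ip == iface.network.network_address
                              else "/0 mask discards the address, nothing is restricted (typo?)")
                    findings.append((vserver, lif, service, cidr, reason))
    return findings
```

Run audit(POLICY_OUTPUT, LIF_OUTPUT) against the pasted output of both commands; an empty result means every LIF service is restricted to at least one real subnet.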
