Citrix Systems 4.2 manual IP Forwarding and Firewalling, Egress Firewall Rules in an Advanced Zone


Chapter 16. Managing Networks and Traffic

5. Click the IP address you want to work with.

6. Click the Static NAT button.

The button toggles between Enable and Disable, depending on whether static NAT is currently enabled for the IP address.

7. If you are enabling static NAT, a dialog appears where you can choose the destination VM and click Apply.

16.21. IP Forwarding and Firewalling

By default, all incoming traffic to the public IP address is rejected. All outgoing traffic from the guests is also blocked by default.

To allow outgoing traffic, follow the procedure in Section 16.21.1, “Egress Firewall Rules in an Advanced Zone”.

To allow incoming traffic, users may set up firewall rules and/or port forwarding rules. For example, you can use a firewall rule to open a range of ports on the public IP address, such as 33 through 44. Then use port forwarding rules to direct traffic from individual ports within that range to specific ports on user VMs. For example, one port forwarding rule could route incoming traffic on the public IP's port 33 to port 100 on one user VM's private IP. For more information, see Section 16.21.2, “Firewall Rules” and Section 16.21.3, “Port Forwarding”.

16.21.1. Egress Firewall Rules in an Advanced Zone

Egress traffic originates from a private network and is destined for a public network, such as the Internet. By default, egress traffic is blocked in the default network offerings, so no outgoing traffic is allowed from a guest network to the Internet. However, you can control egress traffic in an Advanced zone by creating egress firewall rules. When an egress firewall rule is applied, the traffic specific to the rule is allowed and the remaining traffic is blocked. When all the firewall rules are removed, the default policy, Block, is applied.

16.21.1.1. Prerequisites and Guidelines

Consider the following scenarios to apply egress firewall rules:

Egress firewall rules are supported on Juniper SRX and virtual router.

The egress firewall rules are not supported on shared networks.

Allow the egress traffic from a specified source CIDR. The source CIDR must be part of the guest network CIDR.

Allow the egress traffic with protocol TCP, UDP, ICMP, or ALL.

Allow the egress traffic with protocol and destination port range. The port range is specified for TCP, UDP or for ICMP type and code.

The default policy is Allow for new network offerings, whereas on upgrade, existing network offerings with firewall service providers will have the default egress policy Deny.
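The following is an added example, not code from the CloudPlatform manual or product: a small Python model of the egress rule semantics described above (allow-list with a default Block policy, a source CIDR that must fall inside the guest network CIDR, protocol TCP/UDP/ICMP/ALL, and a port range for TCP/UDP or type and code for ICMP). The rule fields, class names and the sample guest network are assumptions chosen for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

VALID_PROTOCOLS = ("TCP", "UDP", "ICMP", "ALL")


@dataclass(frozen=True)
class EgressRule:
    # Assumed field layout: a port range for TCP/UDP, a type/code pair for ICMP.
    source_cidr: str
    protocol: str
    start_port: Optional[int] = None
    end_port: Optional[int] = None
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None


class EgressPolicy:
    """Allow-list evaluator: a matching rule allows; everything else is blocked."""

    def __init__(self, guest_cidr: str):
        self.guest_net = ipaddress.ip_network(guest_cidr)
        self.rules: List[EgressRule] = []

    def source_is_valid(self, source_cidr: str) -> bool:
        # The manual requires the source CIDR to be part of the guest network CIDR.
        return ipaddress.ip_network(source_cidr).subnet_of(self.guest_net)

    def add_rule(self, rule: EgressRule) -> None:
        if rule.protocol not in VALID_PROTOCOLS:
            raise ValueError(f"unsupported protocol {rule.protocol!r}")
        if not self.source_is_valid(rule.source_cidr):
            raise ValueError(f"{rule.source_cidr} is not inside {self.guest_net}")
        self.rules.append(rule)

    def allows(self, src_ip: str, protocol: str, port_or_type: int, icmp_code: int = 0) -> bool:
        # With no rules present the default policy, Block, applies (the loop simply falls through).
        src = ipaddress.ip_address(src_ip)
        for r in self.rules:
            if src not in ipaddress.ip_network(r.source_cidr):
                continue
            if r.protocol == "ALL":
                return True
            if r.protocol != protocol:
                continue
            if protocol == "ICMP":
                if (r.icmp_type, r.icmp_code) == (port_or_type, icmp_code):
                    return True
            elif r.start_port <= port_or_type <= r.end_port:
                return True
        return False
```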

16.21.1.2. Configuring an Egress Firewall Rule

1. Log in to the CloudPlatform UI as an administrator or end user.
