Generic Upstream Firewall Guide

for integrating with the nile service block (nsb) 1\ prerequisites requirement description four /30 subnets required to establish four routed point to point interfaces from the nsb to the firewall (two per nsb gateway) static or dynamic routing choose either static routes with ecmp or ospf, depending on your firewall capabilities internet uplinks one or two wan facing interfaces with static default routes toward the isp 2\ interface configuration configure four layer 3 point to point interfaces using /30 subnets between the nsb and the firewall example interface mapping nsb gateway firewall interface subnet (/30) gw 1 eth1/1 172 16 7 0/30 gw 2 eth1/2 172 16 7 4/30 gw 1 eth1/3 172 16 7 8/30 gw 2 eth1/4 172 16 7 12/30 each interface should be configured as layer 3 with static ips assigned from the /30 ranges 3\ routing configuration option 1 static routing with ecmp use ecmp by configuring multiple static routes to the same subnet , one for each nsb uplink plaintextcopyeditset route 172 16 8 0/21 next hop 172 16 7 1 set route 172 16 8 0/21 next hop 172 16 7 5 set route 172 16 8 0/21 next hop 172 16 7 9 set route 172 16 8 0/21 next hop 172 16 7 13 the /21 subnet aggregates all nsb, sensor, and client subnets defined in the nile portal ecmp should be enabled (if required) in the firewall’s routing engine to allow load sharing across the four next hops also, configure default routes to the isp(s) plaintextcopyeditset route 0 0 0 0/0 next hop \<isp1 gw> metric 10 set route 0 0 0 0/0 next hop \<isp2 gw> metric 100 option 2 ospf routing enable ospf on all four nsb uplink interfaces , and configure the firewall as follows plaintextcopyeditrouter ospf 1 router id 10 10 10 1 default information originate network 172 16 7 0 0 0 0 3 area 0 network 172 16 7 4 0 0 0 3 area 0 network 172 16 7 8 0 0 0 3 area 0 network 172 16 7 12 0 0 0 3 area 0 ensure default information originate is present to advertise default route to nsb all subnets behind the nsb (client, sensor, nsb) will be reachable via ospf learned paths 🔒 4 firewall rules create explicit firewall policies for traffic between nsb and external/internal zones rule type from zone to zone action nsb to internet nsb internet allow internet to nsb internet nsb allow (only if hosting services) nat nsb internet source nat using public ip (if required) example nat configuration source nsb subnet destination internet nat mode dynamic ip & port (using wan interface ip) 🌐 5 firewall port requirements ensure the following outbound ports are open from the nsb to the internet service cloud protocol/port destination https nile global cloud (u1 / aws) tcp 443 u1 nilesecure com, ne u1 nile global cloud, nilesw us west 2 s3 us west 2 amazonaws com, nile prod us west 2 s3 us west 2 amazonaws com https nile ksa cloud (m1 / gcp) tcp 443 ne m1 nile global cloud, m1 nilesecure com, storage googleapis com dns both udp 53 8 8 8 8, 8 8 4 4 (or your internal dns servers) ntp both udp 123 time google com, pool ntp org radius both udp 1812, 1813 your radius servers dhcp both udp 67, 68 your dhcp servers nile guest service both udp 6081 required for nile guest service (guestpop) if enabled 📌 final checklist all four nsb to firewall interfaces are configured with /30 ips static or ospf routes to the nsb, sensor, and client subnets are configured default route(s) to isp configured firewall rules allow bidirectional traffic between nsb and internet zones nat applied for outbound access from the nsb subnet required ports opened for nile to communicate with cloud and identity services