Confirm your Network Settings

Check that your network is set up to start deploying the Airwall Solution.

Your existing network is the underlay network, made up of your existing private networks and the Internet. It is any network that you connect an Airwall Edge Service to, and any network used to communicate between other Airwall Edge Services in your Airwall deployment. For Airwall to work correctly, all components must be able to communicate with each other from where they are installed.

The Conductor

The Conductor is the central management dashboard for all Airwall Edge Services. It tells the Airwall Edge Services how to contact one another and enforces policies on the protected network – allowing or preventing communication between devices. It also manages licensing and provides diagnostic tools.

Your Conductor can be either virtual or physical and can be configured in a high-availability (HA) pair. It passes no protected network traffic and does not communicate with the HIP protocol.

The Conductor must have at least two network interfaces. The recommended configuration is as follows:
Port 1
Connect to the Internet, either directly or with port forwarding.
Port 2
Connect to your Local Area Network (underlay)
For the Conductor to work, it must be able to listen on the following ports:
TCP 8096 (MAP)
This is the port in which Airwall Edge Services communicate with the Conductor.
TCP 443 (HTTPS)
This is the port in which the Conductor Management can be accessed.

Airwall Edge Services

An Airwall Edge Service carries out or facilitates the connectivity between two connecting devices.

An Airwall Gateway is a network appliance that allows Ethernet devices to be added to the protected network (Overlay). It connects to a Conductor via a Metadata Access Point (MAP) for policy and peer addresses, and it connects to peer Airwall Edge Services to establish secure tunnels between locations.

An Airwall Gateway can be either virtual or physical and can be configured in an HA pair. It passes traffic between devices over a HIP tunnel.

An Airwall Gateway must have at least two network interfaces. The recommended configuration is as follows:
Port 1
Connect to the Local Area Network (Underlay). Must be able to reach the Conductor and other Airwall Edge Services.
Port 2
Protected Device Network (Overlay). Must be able to reach the devices to add to the overlay.

It is possible to connect Ports 1 & 2 to the same network and provide existing device access to the Overlay, without isolating the protected devices inside of a separate network segment.

For the Airwall Gateway to work, it must have outbound connectivity on the following ports:
TCP 8096 (MAP)
Must have outbound connectivity to MAP to the Conductor.
UDP 10500 (HIP)
Must have outbound connectivity to HIP and to any other Airwall Edge Service it is a must to communicate with.
At least one Airwall Gateway on one end of a tunnel must also be able to listen on the following port:
UDP 10500 (HIP)
Must have outbound connectivity to HIP and to any other Airwall Edge Service it is a must to communicate with.

Alternately, if Airwall Edge Services cannot be configured to listen for incoming connections, you can employ an Airwall Relay to get around a network address translation (NAT).

Airwall Relays

An Airwall Relay is, typically, a virtual cloud-hosted appliance, running the Airwall Gateway 300v VM. It is able to listen for HIP traffic, allowing Airwall Gateways behind firewalls and routers to establish a tunnel between each other even when NATed.

For the Airwall Relay to work, it must have outbound connectivity on the following ports:
TCP 8096 (MAP)
Must have outbound connectivity to MAP to the Conductor.
UDP 10500 (HIP)
Must have outbound connectivity to HIP and to any other Airwall Edge Service it is a must to communicate with.
It must also be able to listen on the following port:
UDP 10500 (HIP)
This is the port, in which Airwall Edge Services communicate with the Conductor.

Airwall Relays are still considered a type of Airwall Edge Service, but they serve a special role. Any Airwall Gateway - physical or virtual - can be turned into an Airwall Relay. Once configured as an Airwall Relay, it is not advisable to add any devices to it, but instead use it exclusively to bridge Airwall Edge Services that are not able to listen for incoming connections.

Changing network ports

You can change the MAP and HIP ports from their defaults of 8096 and 10500 in the Conductor. This will change the settings for all Airwall Gateways connected to that Conductor.

These settings rarely need to be adjusted. When they are, it is either to get around some immutable firewall settings or to add extra security by using atypical ports.

Note: If you change the MAP port, you will need to manually reconfigure all Airwall Edge Services to point to the Conductor with the new port. This might involve traveling to remote sites and putting devices into diagnostic mode, so adjust this setting carefully.

If you change the Airwall Edge Service port, the change takes effect on all Airwall Edge Services connected to the Conductor, so make certain that they have the proper outbound connectivity and port forwarding configured before adjusting this setting.

To change the default ports:

  1. In the Conductor, go to Settings.
  2. Find the Advanced section near the bottom of the Settings page. Next to Global HIPservice settings, click Edit Settings.
  3. Under Port settings, change the default ports, and click Save.

HIP and MAP Diagrams

Below are some diagrams illustrating successful and unsuccessful MAP and HIP configurations:

Figure 1. HIP configurations


Figure 2. MAP configurations


Check Your Underlay Settings

Check the following settings to confirm they are set for the new ports:

Firewalls
If a firewall is enabled between the Conductor and Airwall Edge Services in the solution, you must open the required firewall ports.
DHCP and DNS
If you prefer to configure your Conductor with a hostname or assign Airwall Edge Services IP addresses using DHCP, confirm that the underlay's DHCP and DNS settings are configured to support it.
Private Network Conductor
If the Conductor is located in a private network, either a firewall or router must provide a static public IP address so the Conductor can be reached by Airwall Edge Services outside the private network.
Private Network Airwall Gateway
If Airwall Edge Services located in a private network need to be accessed by Airwall Gateways outside the private network, a firewall or router must provide a static public IP address so the Airwall Edge Services can communicate.