East-West Security Policy Best Practice Guide

Set up East-West policy to allow devices cloaked by Airwall Gateways to communicate with uncloaked network resources. You may want to do this if you are not ready or do not want to put the network resource behind an Airwall Gateway, or if you are unable to run an Airwall Linux Agent on it. When you set up the overlays following this guide, the East-West traffic is isolated to the appropriate overlay networks, and the overlay configuration clearly indicates which resources are available for East-West communication.

Before you begin

Check the following requirements before setting up an East-West security policy.

Supported Versions: v2.2.1 Conductors and Airwall Gateways
Supported Airwall Gateways: Physical and virtual Airwall Gateways
CAUTION: Do not attempt to set up an East-West security policy on any cloud Airwall Gateway deployments. It breaks the cloud access and cloud route insertion for the cloud Airwall Gateway.
Supported Roles: System administrator, or a network administrator with access to the Airwall Gateways and overlays involved in the configuration.

Setting up an East-West security policy

To set up an East-West security policy, complete the following steps:

  1. Physically or virtually connect the underlay Port Group to the unprotected network, and the Overlay Port Group to the protected network.
  2. Create an additional Overlay Port Group (called a Bypass Port Group) to access the unprotected network resource.
  3. Add the network resources as local devices on the Airwall Gateway.
  4. Create device groups to manage permissions.
  5. Add a bypass overlay to connect and set trust between the protected and unprotected device groups.

These steps are outlined in more detail below.

Connect the Networks to the Underlay and Overlay port groups

Connect the networks you want to use to the Underlay and Overlay port groups on the Airwall Gateway.

Create a Bypass Port Group

Set up an additional Overlay Port Group (called the Bypass Port Group) to provide access to the unprotected resources.

  1. On the page for the Airwall Gateway, open the Ports tab.
  2. Select Edit Settings in the upper right.
  3. Click the + that appears beside Port groups.
  4. In the New Port Group, select Overlay group from the dropdown box.
  5. Click the down arrow by the new port group to open its settings.
  6. Change the name from Port Group x to Bypass Port Group.
  7. Assign the appropriate interface to the Overlay (usually Port 3).
  8. By IP addresses, click the +.
  9. Enter an available IP address for this Overlay in the unprotected subnet.
    Note: Make sure this is an available IP address and includes the appropriate Subnet Mask.
  10. Enter the IP of the gateway of the unprotected network resource.
    Note: If you are working with unprotected resources that are not in the same VLAN/Subnet, also check the Enable source NAT box.
  11. At the top of the Ports tab, click Update Settings.

You’ve finished creating the Bypass Port Group and are ready to add the network resources as devices.

Adding the network resources as devices on the Airwall Gateway

The Network Resources that the protected devices need to reach must be listed as Local Devices on the Airwall Gateway, just as the protected devices are.

Adding protected network resources as local devices

Repeat these steps for all Protected Network Resources you want to include.
  1. In the Conductor, go to the Airwall Gateway that has the devices for which you want to create an East-West security policy.
  2. Go to Local Devices > Configuration and under Local devices, select + Add device.
  3. On the Add Device page:
    1. In Overlay device IP, enter the IP Address for the protected network resource.
    2. In Name, enter a name for the network device.
  4. Select Create.

Adding unprotected network resources as local devices

Repeat these steps for all Unprotected Network Resources you want to include.
  1. Go to Local Devices > Configuration and under Local devices, select + Add.
  2. On the Add Device page:
    1. In Overlay device IP, enter the IP Address for the unprotected network resource.
    2. In Name, enter a name for the network device.
  3. Set the Port Group affinity to the Bypass Port Group you created earlier, and then click Create.

You’ve now finished adding the network resources as devices on the Airwall Gateway and are ready to create device groups.

Creating Device Groups to Manage Permissions

To make management easier and the permissions more explicit, organize the network resources into Device Groups.

Creating a Device Group for protected devices

  1. Go to Devices > Device groups.
  2. Select + New Group.
  3. Give the group a name, such as “Protected Devices”, add a description and tags, if desired, and then select Create.
  4. On the device group page, next to Add devices, enter text to search on or select the +, and add the protected devices to the group.

Creating a Device Group for unprotected resources

  1. Go to Devices > Device groups.
  2. Select + New Group.
  3. Give the group a name, such as “Network Resources”, add a description and tags, if desired, and then select Create.
  4. On the device group page, next to Add devices, enter text to search on or select the +, and add the unprotected resources to the group.

Adding a Bypass Overlay to Connect the Protected and Unprotected device groups

  1. Go to Overlays, select + New overlay network, and then select Next for manual configuration.
  2. Name the overlay “Bypass”, fill in description and network editors, if desired, and then select Finish.
  3. On the Bypass overlay page, open the Devices tab on the right, and next to Add devices, select the +.
  4. On the Add Devices page, select Device groups, check the Protected Devices and the Network Resources device groups you created earlier, and then select Add devices.
  5. On the Bypass overlay page, on the trust graph, select Edit trust and drag a line between the two device groups to set trust between them.
    If the overlay page is in Advanced view, under Trust, select the Trust button for both device names to set trust between the groups.

    For more help in setting device trust, see Adding and removing device trust.
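The security property this procedure relies on is that the Bypass overlay is an allowlist: a protected device can reach an unprotected resource only if both have been added to the gateway as local devices, placed in device groups that are members of the overlay, and trust has been set between those groups. Anything not enrolled this way stays unreachable, which is what makes the overlay an explicit record of what is exposed East-West. The model below is an added example, not the Conductor's policy engine; it encodes that rule in a few lines so the outcome of the steps above can be checked for a planned set of devices. The class `Policy`, its methods, and the device names are constructed for illustration.

```python
"""Simplified model of overlay trust (added example, not Conductor code).

Assumption: the Conductor's actual policy evaluation is not described on the
page; this models only the rule the guide depends on, namely that a flow is
permitted when both endpoints belong to groups that are members of the same
overlay and trust has been set between those groups in that overlay.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Policy:
    groups: dict[str, set[str]] = field(default_factory=dict)                  # group name -> device names
    overlays: dict[str, set[str]] = field(default_factory=dict)                # overlay name -> member groups
    trust: dict[str, set[frozenset[str]]] = field(default_factory=dict)        # overlay -> trusted group pairs

    def groups_of(self, device: str) -> set[str]:
        """All device groups a device belongs to (empty if it was never added as a local device)."""
        return {name for name, members in self.groups.items() if device in members}

    def set_trust(self, overlay: str, group_a: str, group_b: str) -> None:
        """Mirror 'Edit trust' on the trust graph: both groups must already be in the overlay."""
        if group_a not in self.overlays[overlay] or group_b not in self.overlays[overlay]:
            raise ValueError("add both groups to the overlay before setting trust between them")
        self.trust.setdefault(overlay, set()).add(frozenset({group_a, group_b}))

    def allows(self, src: str, dst: str) -> str | None:
        """Return the overlay that permits src -> dst, or None if no overlay grants it (default deny)."""
        src_groups, dst_groups = self.groups_of(src), self.groups_of(dst)
        for overlay, members in self.overlays.items():
            trusted = self.trust.get(overlay, set())
            for a in src_groups & members:
                for b in dst_groups & members:
                    if frozenset({a, b}) in trusted:
                        return overlay
        return None


def build_east_west_example() -> Policy:
    """Constructed policy mirroring the guide: two groups, one Bypass overlay, trust between them."""
    p = Policy()
    p.groups["Protected Devices"] = {"plc-1", "hmi-1"}             # cloaked devices behind the gateway
    p.groups["Network Resources"] = {"ntp-server", "file-server"}  # uncloaked, reached via the Bypass Port Group
    p.groups["Unassigned"] = {"printer"}                           # enrolled, in the overlay, but no trust set
    p.overlays["Bypass"] = {"Protected Devices", "Network Resources", "Unassigned"}
    p.set_trust("Bypass", "Protected Devices", "Network Resources")
    return p


if __name__ == "__main__":
    policy = build_east_west_example()
    for src, dst in [("plc-1", "ntp-server"), ("file-server", "hmi-1"), ("plc-1", "printer"), ("plc-1", "dns-legacy")]:
        print(f"{src} -> {dst}: {policy.allows(src, dst) or 'denied'}")
```

Three outcomes are worth noting when you run it: a protected device and a network resource in the trusted pair are allowed in either direction; a device that is in the overlay but whose group has no trust edge (`printer`) is denied; and a device never added to the gateway at all (`dns-legacy`) has no groups and is denied without any rule needing to mention it.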

Additional Considerations

Review these considerations if you are connecting to the Internet, or if you are setting this up on VMware.

Using East-West over the Internet

Important: If the East-West policy will connect to the Internet and you set up a 0.0.0.0/0 local device, that device can collide with your local DHCP settings if any exist on the unprotected network.

Setting up East-West security policy over VMware

If you are setting this up in VMware, you need to set up VMware Port groups as well as Airwall Gateway Port groups, with Allow Promiscuous and Forged Transmit enabled on the VMware port groups. For more details, see Set up a virtual Airwall Gateway in VMware ESX/ESXi.