Skip to content

Firewall Change Requests

jbrown-xentity edited this page Apr 26, 2022 · 9 revisions

For all apps, there is usually an ingress and an egress. See each repo for what ingress systems may be in place, but all apps should use the https://github.com/GSA/cg-egress-proxy for egress...

Deprecated content, no longer relevant

Refer to our firewall rules request form for an overview. Knowing the existing Data.gov subnets can be useful.

  1. Go to https://servicedesk.gsa.gov
  2. Go to Order Something
  3. Select Firewall Change Request (FCR)
  4. For System POC, choose Hyon
  5. For Service/Staff Office, choose "Federal Acquisition Services"
  6. For Fisma System, choose "FAS Cloud Service (FCS)". ISSO and ISSM should auto populate.
  7. Fill out the details and click "Add"

Firewall Change Request (FCR) Form

The FCR has approval workflows built in, which include a supervisor as well as ISSO contact that will need to approve the ticket.

In the "additional comments" section, add a note that these are Trend Micro rules which requires some special handling on the SecOps side.

Understanding Firewall Tiers

As for APP --> APP and WEB --> APP, that's terminology used to represent the tiers. Usually (there are rare exceptions) that there are 3 tiers, which are WEB, APP, and DB. They flow of access is usually (again there are rare exceptions) from WEB --> APP --> DB as well as laterally from WEB --> WEB, APP--> APP, and DB --> DB. So, essentially, WEB can make a connection to WEB or APP, APP can make a connection to APP or DB, and DB can only make a connection to DB. WEB typically doesn't talk directly to DB (has to go to APP first) and traffic can't flow backward (i.e. APP cannot make a connection to WEB nor can DB make a connection to APP or WEB).

Example

tcp/8983 is not part of the WEB -> APP rules, the FCR would look like:

SOURCE: 10.xxx.x.xxx, 10.xxx.x.xxx, 10.xxx.x.xx
DESTINATION: 10.xxx.x.xxx
SERVICE: tcp/8983
Clone this wiki locally