Enabling Firewall on HyperScale X Reference Architecture

The firewall can be enabled on the HyperScale nodes, with the ports the cluster requires opened automatically.

Firewall configuration divides the network into zones. A zone is a group of interfaces and services that share common rules to establish a secure boundary within the network and implement access control between the nodes. When you enable the firewall, the CS registration and data protection interfaces are added to the default 'blocked' zone, and the storage pool interface is added to a private 'cv_storage_zone' in the firewall configuration.

Before You Begin

The HyperScale X Reference Architecture security features, which include Enabling Firewall and Restricting Root Access, require the following minimum version on the CommServe server and the HyperScale MediaAgent:

  • Commvault V11 Feature Release 28, with Maintenance Release 11.28.19 or later

Procedure

  1. Set the MediaAgents associated with the cluster to maintenance mode.

    For more information, see Setting the MediaAgent on Maintenance Mode.

  2. Log in to any one of the nodes in the storage pool.

    Note

    Firewall can be enabled on all the nodes in the storage pool from any one of the nodes. (It is not necessary to repeat the following steps from each node.)

  3. Navigate to the following folder:

    # cd /opt/commvault/MediaAgent/task_manager

  4. Run the following script:

    # ./cvmanager.py -t Configure_Firewall

    This will enable the necessary ports needed for the cluster, depending on your environment. For more information on the required ports, see Firewall Port Requirements.

  5. A prompt to configure the SSH service only on the private (storage pool) interface is displayed. By default, the SSH service is enabled between the nodes in both the blocked and the private storage zones. If you want to disallow the SSH service on the blocked zone and enable SSH only on the private zone, type yes, and then press Enter. If no change is required, type no, and then press Enter.

    WARNING: Disallowing SSH from public (CS Registration) interfaces will disconnect and disallow any SSH sessions that are from nodes outside the cluster
    Configure SSH only for private (storage pool) interface (yes/no): yes

    Note

    When you allow SSH service only on the private zone, the rich rules are applied automatically to enable SSH access between the nodes within the HyperScale cluster on the cv_storage_zone.

  6. Verify that the firewall is enabled using the following command:

    # firewall-cmd --state

    This should display the state as running.

  7. Verify that the MediaAgent services are running using the following command:

    # commvault list

    For more information on managing the MediaAgent services, see Commands to Control Services on UNIX Clients.

  8. Check the readiness of the MediaAgents on the HyperScale nodes to make sure they are ready.

    For more information, see Checking Readiness.

  9. Turn off maintenance mode on the MediaAgents associated with the cluster.

    For more information, see Setting the MediaAgent on Maintenance Mode.
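The following is an added example, not Commvault's own code, for checking the outcome of step 5 once the procedure is complete: it parses the text printed by `firewall-cmd --list-all-zones` and reports any active zone other than the private storage zone that still lists ssh as a plain service, plus the number of rich rules present on the private zone. The zone name `block` (firewalld's built-in zone, taken here to be the 'blocked' zone the page refers to), the interface names and the subnet in the embedded sample output are constructed assumptions.

```python
"""Audit firewalld zones after Configure_Firewall (added example, not Commvault code)."""
import subprocess

PRIVATE_ZONE = "cv_storage_zone"  # storage-pool zone named on the page

# Constructed sample of `firewall-cmd --list-all-zones` output after answering
# "yes" at the SSH prompt; interface names and subnet are made up.
SAMPLE = """\
block (active)
  target: %%REJECT%%
  interfaces: ens192 ens224
  services: 
  ports: 
  rich rules: 

cv_storage_zone (active)
  target: default
  interfaces: ens256
  services: ssh
  ports: 
  rich rules: 
\trule family="ipv4" source address="192.168.10.0/24" service name="ssh" accept
"""

def parse_zones(text):
    """Return {zone: {'active', 'interfaces', 'services', 'rich_rules'}} from list-all-zones text."""
    zones, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():            # zone header, e.g. "block (active)"
            name, _, rest = line.partition(" ")
            current = zones[name] = {"active": "(active)" in rest,
                                     "interfaces": [], "services": [], "rich_rules": []}
        elif line.startswith("\t"):           # firewalld prints each rich rule tab-indented
            current["rich_rules"].append(line.strip())
        else:                                 # "key: value" attribute line
            key, _, value = line.strip().partition(":")
            if key in ("interfaces", "services"):
                current[key] = value.split()
    return zones

def ssh_exposure(zones, private_zone=PRIVATE_ZONE):
    """Active zones other than the private zone that still allow ssh as a service."""
    return sorted(z for z, info in zones.items()
                  if info["active"] and z != private_zone and "ssh" in info["services"])

def audit(text, private_zone=PRIVATE_ZONE):
    zones = parse_zones(text)
    return {"ssh_outside_private": ssh_exposure(zones, private_zone),
            "private_rich_rules": len(zones.get(private_zone, {}).get("rich_rules", []))}

if __name__ == "__main__":
    try:   # on a node, audit the live configuration; elsewhere fall back to the sample
        text = subprocess.run(["firewall-cmd", "--list-all-zones"], check=True,
                              capture_output=True, text=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        text = SAMPLE
    print(audit(text))
```

An empty `ssh_outside_private` list is the expected state after choosing yes at the prompt; any zone named there still accepts SSH from outside the cluster.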

Result

The firewall is enabled on all the nodes in the storage pool.
