University-Wide Firewall (a.k.a., NGFW)

General Info

If you would like to request that your department network be placed behind the University Firewall (a.k.a. “NGFW”), please follow this link: https://infosec.engin.umich.edu/firewall-rule-change-request-ngfw/

Information about Next Generation Firewall (NGFW)

Rule Change Request

Example Firewall Request Change for a web server: source (the Internet) > destination (internal web server IP, 10.1.2.3) > protocol (TCP) > ports (80 and 443) > action (allow or deny)

If you receive a call, please email [email protected] and/or [email protected] during normal business hours to ensure they have received the request and are aware of the urgency.

Note: Generally, all requests will be ‘allow’ requests, as firewalls block everything by default. Block requests to remove/modify existing allow rules are possible in certain situations, however. Also, almost all UM firewalls now allow full outbound, so generally only the destination firewall is filtering and no rules need to be added anywhere to allow a given source outbound.

There is now a service catalog option under IT Service Request called Firewall Change Request. The form will also be available to customers without ServiceLink access under the U-M Virtual Firewall page and the MiWorkspace page on the IT Services Portal.

*Once the template is applied and an initial save has been done, you can click the “Create Catalog Order” button to move into the workflow. If the change needs to be implemented immediately, contact 4Help after submitting the form.

If you need to request a change to the firewall policy (‘Ruleset’) for one of your Unit’s networks, please provide the following information about what change needs to be made (see the minimum below).

A basic firewall rule requires five main pieces of information:

  1. source (hosts and/or networks)
  2. destination (hosts and/or networks)
  3. protocol (TCP, UDP, etc.)
  4. port(s) (22, 80, 443, etc.)
  5. action (allow or deny)

You can email [email protected] and [email protected] during normal business hours OR use this TDx URL for Rule change requests.
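
An added example, not part of the original page or the University's tooling: a Python sketch that checks a rule request for the five pieces of information listed above and evaluates traffic against the web server example under default deny. The `Rule` class, the function names, first-match ordering, the TCP/UDP-only protocol check and the client address 203.0.113.7 are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    source: str       # host or CIDR; "0.0.0.0/0" stands in for "the Internet"
    destination: str  # host or CIDR
    protocol: str     # this sketch handles TCP and UDP only (assumption)
    ports: tuple      # destination ports
    action: str       # "allow" or "deny"

def validate(rule):
    """Return the problems found in a rule request; an empty list means complete."""
    problems = []
    for field in ("source", "destination"):
        try:
            ipaddress.ip_network(getattr(rule, field), strict=False)
        except ValueError:
            problems.append(f"{field}: not a valid host or network")
    if rule.protocol.upper() not in ("TCP", "UDP"):
        problems.append("protocol: expected TCP or UDP")
    if not rule.ports or any(not 1 <= p <= 65535 for p in rule.ports):
        problems.append("ports: expected one or more ports in 1-65535")
    if rule.action.lower() not in ("allow", "deny"):
        problems.append("action: expected allow or deny")
    return problems

def evaluate(ruleset, src, dst, protocol, port):
    """First matching rule wins (assumed ordering); unmatched traffic is denied."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in ruleset:
        if (src_ip in ipaddress.ip_network(rule.source, strict=False)
                and dst_ip in ipaddress.ip_network(rule.destination, strict=False)
                and protocol.upper() == rule.protocol.upper()
                and port in rule.ports):
            return rule.action.lower()
    return "deny"  # default deny: nothing is reachable without an allow rule

# The page's web server example as a rule request.
WEB_RULE = Rule("0.0.0.0/0", "10.1.2.3", "TCP", (80, 443), "allow")

if __name__ == "__main__":
    print(validate(WEB_RULE))
    # 203.0.113.7 is a constructed client address from the documentation range.
    for port in (443, 22):
        print(port, evaluate([WEB_RULE], "203.0.113.7", "10.1.2.3", "TCP", port))
```

Port 22 to the same server is denied even though no deny rule exists, which is why requests are normally ‘allow’ requests.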