# ONTAP 9 Firewall Policy


fallen valley
#

Hello,

I am currently configuring our NetApps to be DISA STIG compliant, but am stuck on a few things. One item specifically relates to firewall policy. It states that if ONTAP is not configured to prohibit the use of all unnecessary and/or nonsecure functions, ports, protocols, and/or services, this is a finding. Currently, when running "system services firewall policy show" it does show a few things, however under the “Allowed” column we have “0.0.0.0/0” listed. Am I correct to assume this means that all IP addresses are able to access via that specific firewall policy? How would I go about configuring this correctly, and how do I know what ports/protocols/services are necessary? Thanks in advance for any guidance.

obtuse plover
#

The STIG is being updated to remove/disregard firewall policies. They are deprecated and will be removed in an upcoming release of ONTAP. They have been merged into service policies.

fallen valley
#

Do you know if there is any official communication from NetApp about that which I could show to our security team?

delicate cliff
#

V-246946 provides instructions for locating and updating the service policies. The way I handle it is to get a list of all the LIFs with fields= service-policy, address, and netmask-length. Then, for each SVM/vserver assigned LIF service-policy I update the service-allowed-addresses for each service. Note that the 'data-protocol-services' do not allow IP filtering rules.

https://kb.netapp.com/onprem/ontap/os/Unable_to_create_a_service_policy_to_limit_data_access_using_the_allowed-addresses_option

"ONTAP is unable to perform packet filtering based on the source address for data protocols and vServer Cluster / default-cluster Service Policy. A physical or virtual firewall should be used if packet filtering for data protocols is needed."

#

Haven't heard about the vulnerability check being removed, but DISA doesn't do anything fast 🙃

dawn smelt
#

Unfortunately, there's no "deny", just allow, btw... I'd love to see a first-match deny rule possibility.

obtuse plover
#

You can have multiple allows though:
(From the network interface service-policy add-service man page)
-allowed-addresses <IP Address/Mask>,…

Advanced mode option

dawn smelt
#

A deny is much easier than many allows with ever-decreasing netmasks to deny, for example, a few IPs...
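As an added worked example (written for this thread; it is not code from any poster here and not NetApp code), the Python below shows what dawn smelt's point costs in practice and ties it to the procedure delicate cliff describes: given the subnet a service should accept and a few hosts that must be kept out, it computes the minimal set of allow prefixes (the "ever-decreasing netmasks"), checks that the result no longer admits 0.0.0.0/0 or the banned hosts, and renders the advanced-privilege command that would replace a service's allow-list. Assumptions: the 10.0.0.0/24 subnet, the banned hosts, the vserver name "svm1" and the policy/service names are constructed for illustration; the parameter names follow the add-service man page quoted above, while the modify-service verb is assumed from the same command family and should be confirmed against your release's man page before anything is pasted into a cluster; the "data-" prefix check is a heuristic based on the KB statement that ONTAP cannot filter data protocols by source address.

```python
"""Allow-list arithmetic for ONTAP service policies (added example, stdlib only).

ONTAP service policies carry only -allowed-addresses, no deny rule, so keeping
a handful of hosts away from, say, management-ssh means enumerating every
prefix that covers the rest of the subnet.  Nothing here talks to a cluster.
"""
import ipaddress
from typing import Iterable, List

# Heuristic assumption: ONTAP names data-protocol services data-nfs, data-cifs,
# data-iscsi, ...; the NetApp KB quoted in the thread says those cannot be
# filtered by source address, so refuse to render a command for them.
DATA_SERVICE_PREFIX = "data-"


def allow_list_excluding(base_cidrs: Iterable[str], excluded: Iterable[str]) -> List[str]:
    """Return the minimal CIDR prefixes covering base_cidrs minus excluded.

    Cutting one /32 out of a /24 leaves eight prefixes (/25 down to /32):
    that is the "many allows" a single deny rule would replace.
    """
    nets = [ipaddress.ip_network(c, strict=False) for c in base_cidrs]
    for ex in excluded:
        ex_net = ipaddress.ip_network(ex, strict=False)
        remaining = []
        for net in nets:
            if net.version != ex_net.version:
                remaining.append(net)            # IPv4 vs IPv6: unrelated
            elif net.subnet_of(ex_net):
                continue                         # wholly excluded: drop it
            elif ex_net.subnet_of(net):
                remaining.extend(net.address_exclude(ex_net))  # split around it
            else:
                remaining.append(net)            # disjoint: keep as-is
        nets = remaining
    out: List[str] = []
    for version in (4, 6):                       # collapse_addresses refuses mixed families
        same = [n for n in nets if n.version == version]
        out.extend(str(n) for n in ipaddress.collapse_addresses(same))
    return out


def is_wide_open(allowed: Iterable[str]) -> bool:
    """True if any entry is a /0 (the 0.0.0.0/0 the original poster saw)."""
    return any(ipaddress.ip_network(a, strict=False).prefixlen == 0 for a in allowed)


def host_allowed(allowed: Iterable[str], host: str) -> bool:
    """Check one source address against the allow-list; any matching prefix admits it."""
    ip = ipaddress.ip_address(host)
    for a in allowed:
        net = ipaddress.ip_network(a, strict=False)
        if net.version == ip.version and ip in net:
            return True
    return False


def render_modify_service(vserver: str, policy: str, service: str, allowed: List[str]) -> str:
    """Render the command that replaces a service's allow-list.

    Assumed: 'network interface service-policy modify-service' with the same
    -vserver/-policy/-service/-allowed-addresses parameters as add-service
    (advanced privilege).  Verify against your ONTAP release's man page.
    """
    if service.startswith(DATA_SERVICE_PREFIX):
        raise ValueError(f"{service}: data-protocol services ignore -allowed-addresses")
    if not allowed:
        raise ValueError("empty allow-list would lock every host out of the service")
    return (f"network interface service-policy modify-service -vserver {vserver} "
            f"-policy {policy} -service {service} "
            f"-allowed-addresses {','.join(allowed)}")


if __name__ == "__main__":
    mgmt_net = ["10.0.0.0/24"]            # constructed: the admin subnet
    banned = ["10.0.0.5", "10.0.0.7"]     # constructed: hosts that must not reach SSH
    allowed = allow_list_excluding(mgmt_net, banned)
    assert not is_wide_open(allowed) and not any(host_allowed(allowed, h) for h in banned)
    print(f"{len(allowed)} allow entries needed to exclude {len(banned)} hosts:")
    for entry in allowed:
        print("  ", entry)
    print(render_modify_service("svm1", "default-management", "management-ssh", allowed))
```

The script is deliberately offline: run it, read the entry count, and compare it with the one-line deny you would have written on a real firewall. Before changing a policy on a cluster, run `network interface show -fields service-policy,address,netmask-length` as delicate cliff suggests to see which LIFs a policy change will touch, and keep the address you administer from inside the allow-list or the change will lock you out of management-ssh/management-https.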