Firewalls
Xelon HQ firewalls provide stateful packet inspection to control traffic flowing to and from your virtual infrastructure. Define inbound and outbound rules based on protocol, source, destination, and port to secure your workloads.
Firewalls are managed from the Firewalls sub-tab within the Networking page. Navigate to Virtual Datacenter > Networking and click the Firewalls tab.
Creating a Firewall
Navigate to Virtual Datacenter > Networking, then click the Firewalls tab. Click Create Firewall. Provide a name and select the network(s) the firewall will protect. The firewall is provisioned with default deny-all rules.
Firewall Rules
Firewall rules define which traffic is allowed or denied. Rules are evaluated in order from top to bottom. The first matching rule is applied.
Adding a Rule
Click Add a Rule in either the Inbound Rules or Outbound Rules section. Configure the following parameters:
| Parameter | Description | Example |
|---|---|---|
| Sources (inbound) / Destination (outbound) | IP addresses or CIDR ranges. Supports multiple entries and "All IP's" (0.0.0.0/0). | 10.0.1.0/24, 0.0.0.0/0 |
| Destination (inbound) / Sources (outbound) | Select a device from the network or enter an IP address. | A VM or IP on the firewall's network |
| Service | Predefined service type that automatically sets the protocol and port. | HTTP, HTTPS, SSH, Custom |
| Protocol | The transport protocol to match. | TCP, UDP, ICMP |
| VM Port or Range (inbound) / Destination Port or Range (outbound) | Port or port range on the destination. Supports single ports, ranges, and comma-separated values. | 443, 8000-9000 |
| External Port or Range (inbound only) | External-facing port or port range for inbound NAT rules. | 443, 8000-9000 |
Editing a Rule
Click the edit icon next to an existing rule to modify its parameters. Rules can also be reordered by dragging them to change evaluation priority.
Deleting a Rule
Click the delete icon next to a rule and confirm the deletion. The change takes effect immediately.
Rules are processed top-to-bottom. Place more specific rules above general rules. A broad deny-all rule at the top will block all traffic regardless of rules below it.
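The first-match, top-to-bottom evaluation described above, as an added illustration that is not part of Xelon HQ's documentation or code: a small Python model of an inbound rule set that parses the port expressions ("443, 8000-9000") and the "All IP's" source entry from the table, then shows how moving a broad deny rule to the top shadows every rule beneath it. The rule dictionaries and field names are constructed for the example and are not the platform's export format.

```python
import ipaddress

def parse_ports(expr):
    """Expand a port expression such as '443, 8000-9000' into (lo, hi) ranges."""
    ranges = []
    for part in expr.replace(" ", "").split(","):
        if "-" in part:
            lo, hi = part.split("-", 1)
            ranges.append((int(lo), int(hi)))
        elif part:
            ranges.append((int(part), int(part)))
    return ranges

def parse_sources(expr):
    """Parse comma-separated CIDRs; the UI's "All IP's" entry means 0.0.0.0/0."""
    nets = []
    for part in expr.split(","):
        part = part.strip()
        nets.append(ipaddress.ip_network("0.0.0.0/0" if part.lower() == "all ip's" else part, strict=False))
    return nets

def rule_matches(rule, src_ip, proto, port):
    """True when the packet's protocol, source and destination port all match the rule."""
    if proto != rule["protocol"]:
        return False
    if not any(ipaddress.ip_address(src_ip) in n for n in parse_sources(rule["sources"])):
        return False
    if proto == "ICMP":  # ICMP rules carry no port
        return True
    return any(lo <= port <= hi for lo, hi in parse_ports(rule["vm_port"]))

def evaluate(rules, src_ip, proto, port=None):
    """Walk the rules top to bottom; the first match decides, otherwise default deny applies."""
    for rule in rules:
        if rule_matches(rule, src_ip, proto, port):
            return rule["action"], rule["name"]
    return "deny", "default-deny"

# Constructed inbound rule set (not exported from Xelon HQ): specific allow above the broad deny.
INBOUND = [
    {"name": "allow-admin-ssh", "sources": "10.0.1.0/24", "protocol": "TCP", "vm_port": "22", "action": "allow"},
    {"name": "allow-web", "sources": "All IP's", "protocol": "TCP", "vm_port": "443, 8000-9000", "action": "allow"},
    {"name": "deny-all-tcp", "sources": "0.0.0.0/0", "protocol": "TCP", "vm_port": "1-65535", "action": "deny"},
]

if __name__ == "__main__":
    print(evaluate(INBOUND, "10.0.1.7", "TCP", 22))       # ('allow', 'allow-admin-ssh')
    # The same deny rule moved to the top shadows every rule beneath it.
    print(evaluate([INBOUND[2]] + INBOUND[:2], "10.0.1.7", "TCP", 22))  # ('deny', 'deny-all-tcp')
```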
IPSec VPN
Xelon HQ firewalls support IPSec VPN tunnels for secure site-to-site connectivity between your Xelon HQ infrastructure and external networks.
Creating an IPSec Rule
From the firewall details page, click Add new IPsec rule at the bottom of the page. Enable the rule using the toggle switch, then configure the following parameters:
| Parameter | Description |
|---|---|
| Mode Type | Tunnel or Transport mode. |
| Remote Gateway | Public IP address of the remote VPN endpoint. |
| Remote Network | CIDR block of the remote network to reach through the tunnel. |
| Local Network | CIDR block of the local network accessible through the tunnel. |
| Pre-Shared Key | The shared secret used for tunnel authentication. |
| Phase 1 (IKE V2) | Encryption algorithm, hash algorithm, DH group, and lifetime settings. |
| Phase 2 | Encryption algorithm, hash algorithm, PFS group, and lifetime settings. |
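A pre-flight check for the parameters in this table, applying the VPN security guidance from the best practices at the end of this page; this is an added example, not Xelon HQ's own validation. The algorithm names, the minimum DH/PFS group and the pre-shared key thresholds are assumptions chosen for the example, since the page does not list the exact options the UI offers.

```python
import ipaddress
import math
# Assumed option names; the exact labels offered by the Xelon HQ UI are not on this page.
STRONG_ENC = {"aes128", "aes256", "aes128gcm", "aes256gcm"}
STRONG_HASH = {"sha256", "sha384", "sha512"}
MIN_GROUP = 14  # 2048-bit MODP or better, for phase 1 DH and phase 2 PFS
GROUP_KEY = {"phase1": "dh_group", "phase2": "pfs_group"}
MIN_PSK_LEN = 20
NON_PUBLIC = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

def psk_entropy_bits(psk):
    """Rough entropy estimate: log2 of the combined character-class size per character."""
    classes = [(str.islower, 26), (str.isupper, 26), (str.isdigit, 10), (lambda c: not c.isalnum(), 33)]
    charset = sum(size for test, size in classes if any(test(c) for c in psk))
    return len(psk) * math.log2(charset) if charset else 0.0

def validate_ipsec_rule(rule):
    """Return a list of findings for a proposed IPSec rule; an empty list passes."""
    findings = []
    if rule["mode"] != "Tunnel":
        findings.append("site-to-site connectivity should use Tunnel mode")
    gw = ipaddress.ip_address(rule["remote_gateway"])
    if any(gw in n for n in NON_PUBLIC):
        findings.append(f"remote gateway {gw} is not a public address")
    local = ipaddress.ip_network(rule["local_network"], strict=False)
    remote = ipaddress.ip_network(rule["remote_network"], strict=False)
    if local.overlaps(remote):
        findings.append("local and remote networks overlap")
    if len(rule["psk"]) < MIN_PSK_LEN or psk_entropy_bits(rule["psk"]) < 100:
        findings.append("pre-shared key is too short or too predictable")
    for phase in ("phase1", "phase2"):
        p = rule[phase]
        if p["encryption"].lower() not in STRONG_ENC:
            findings.append(f"{phase}: weak encryption {p['encryption']}")
        if p["hash"].lower() not in STRONG_HASH:
            findings.append(f"{phase}: weak hash {p['hash']}")
        if p.get(GROUP_KEY[phase], 0) < MIN_GROUP:
            findings.append(f"{phase}: {GROUP_KEY[phase]} missing or below {MIN_GROUP}")
    return findings

# Constructed examples (not real tunnels): a weak proposal beside its hardened form.
WEAK = {"mode": "Tunnel", "remote_gateway": "192.168.5.1", "remote_network": "10.0.0.0/16",
        "local_network": "10.0.1.0/24", "psk": "password123",
        "phase1": {"encryption": "3des", "hash": "md5", "dh_group": 2},
        "phase2": {"encryption": "aes128", "hash": "sha1", "pfs_group": 0}}
STRONG = {"mode": "Tunnel", "remote_gateway": "203.0.113.10", "remote_network": "172.16.0.0/16",
          "local_network": "10.0.1.0/24", "psk": "Tq7#vR2m!xLp9@Wd4$Yz0^Bn",
          "phase1": {"encryption": "aes256gcm", "hash": "sha256", "dh_group": 14},
          "phase2": {"encryption": "aes256gcm", "hash": "sha256", "pfs_group": 14}}
```

Running `validate_ipsec_rule(WEAK)` lists every weakness in the first proposal, while `validate_ipsec_rule(STRONG)` returns an empty list.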
Viewing IPSec Logs
When an IPSec rule is active, click Show logs on the IPSec rule card to view connection logs. Logs include connection attempts, established tunnels, and error messages.
Rebooting a Firewall
If a firewall becomes unresponsive, you can reboot it from the firewall details page by clicking Reboot. Active connections are dropped during the reboot and re-established once the firewall is back online.
Deleting a Firewall
To delete a firewall, navigate to its details page and click Delete. Confirm the action when prompted.
Deleting a firewall removes all rules and VPN tunnels. Resources previously protected by the firewall will be exposed. Ensure alternative security measures are in place before deleting.
Firewall Monitoring
The firewall detail page displays monitoring charts in the right column alongside the firewall information card. Monitoring requires the allow_view_firewall_monitoring permission.
Two charts are shown:
- CPU usage — Tracks the firewall's processor utilization over time.
- Network traffic — Shows inbound and outbound throughput.
Available time ranges are: 8 days, 5 days, 1 day, 12 hours, and 1 hour. Monitoring is always displayed when the permission is granted — there is no separate toggle to enable or disable it.
Firewall monitoring uses the same metrics component as device monitoring, providing a consistent experience across the platform.
Best Practices
- Default deny: Start with deny-all rules and explicitly allow only the traffic you need.
- Least privilege: Restrict source and destination to the narrowest CIDR ranges possible.
- Separate concerns: Use dedicated firewalls for different network segments (e.g., web tier, database tier).
- Document rules: Use descriptive names for rules so their purpose is clear to your team.
- Review regularly: Audit firewall rules periodically and remove rules that are no longer needed.
- VPN security: Use strong pre-shared keys and prefer IKEv2 with modern encryption algorithms.