
Add firewall access as follows:

Source column
GCP Project name: mandatory for GCP only.
Exactly one of the following, depending on environment:
ON PREM:
- IP address/IP subnet range
- CSM/FMC source object name
GCP:
- GCP source IP subnet and VM instance network tag name
- GCP source IP address(es) and VM instance network tag name

Note: For examples on how to fill out this form, please see the "Examples" tab in this worksheet.
Source entries (one host per row):
10.9.64.149
10.9.64.150
10.9.64.138
10.9.64.152
10.93.8.170
10.9.64.141
10.93.8.152
10.93.8.153
10.93.8.154
10.93.8.155
10.9.64.1
10.9.64.6
10.9.64.17
10.9.64.7
10.93.8.1
10.93.8.2
10.93.8.7
10.93.8.8
10.93.8.5
10.93.8.6
10.9.64.120
10.9.64.121
10.9.64.122
10.9.64.123
10.9.64.145
10.9.64.146
10.9.64.147
10.9.64.148
10.212.74.7
10.212.74.6
10.216.74.4
10.212.74.13
10.212.74.4
10.216.74.11
10.212.74.10
10.216.74.13
10.216.74.1
10.212.74.14
10.216.74.17
10.212.74.19
10.216.74.16
10.216.74.14
10.212.74.17
10.216.74.9
10.212.74.12
10.216.74.2
10.216.74.3
10.212.74.3
10.216.74.10
10.212.74.11
10.212.74.15
10.212.74.2
10.216.74.15
10.216.74.18
10.216.74.19
10.216.74.6
10.212.74.8
10.216.74.7
10.212.74.1
10.216.74.8
10.212.74.16
10.212.74.5
10.212.74.18
10.216.74.12
10.216.74.5
10.212.74.9
10.6.16.57
10.6.16.59
10.220.6.193
10.220.6.195

Source for the reverse-direction rule rows: 10.210.180.81 (GCP Project name: NA)
Firewall Request Form
All fields are required, as noted

Destination column
GCP Project name and GCP VPC name: mandatory for GCP only.
Exactly one of the following, depending on environment:
ON PREM:
- IP address/IP subnet range
- CSM/FMC source object name
GCP:
- GCP target IP subnet and VM instance network tag name
- GCP target IP address(es) and VM instance network tag name

Destination for the host-list source rows: 10.210.180.81 (GCP Project name: NA; GCP VPC name: NA)

Destination entries for the reverse-direction rule rows (source 10.210.180.81), one host per row:
10.9.64.149
10.9.64.150
10.9.64.138
10.9.64.152
10.93.8.170
10.9.64.141
10.93.8.152
10.93.8.153
10.93.8.154
10.93.8.155
10.9.64.1
10.9.64.6
10.9.64.17
10.9.64.7
10.93.8.1
10.93.8.2
10.93.8.7
10.93.8.8
10.93.8.5
10.93.8.6
10.9.64.120
10.9.64.121
10.9.64.122
10.9.64.123
10.9.64.145
10.9.64.146
10.9.64.147
10.9.64.148
10.212.74.7
10.212.74.6
10.216.74.4
10.212.74.13
10.212.74.4
10.216.74.11
10.212.74.10
10.216.74.13
10.216.74.1
10.212.74.14
10.216.74.17
10.212.74.19
10.216.74.16
10.216.74.14
10.212.74.17
10.216.74.9
10.212.74.12
10.216.74.2
10.216.74.3
10.212.74.3
10.216.74.10
10.212.74.11
10.212.74.15
10.212.74.2
10.216.74.15
10.216.74.18
10.216.74.19
10.216.74.6
10.212.74.8
10.216.74.7
10.212.74.1
10.216.74.8
10.212.74.16
10.212.74.5
10.212.74.18
10.216.74.12
10.216.74.5
10.212.74.9
10.6.16.57
10.6.16.59
10.220.6.193
10.220.6.195

Other Mandatory Fields
GCP VPC name: mandatory for GCP only.
Protocol/port or network protocol object name
Description/Reason (What is the access for and why is the access needed)
Expiration Date

GCP VPC name: NA (all rows)

Protocol/port (the same set on every rule row):
TCP: 7891, 7898, 8001-8005
UDP: 7891-7892, 8001-8005
http/https ports: 80, 443

Description/Reason (every rule row): To monitor Wallet Production Application Servers using ND appliance

Expiration Date: NA (all rows)

Kohl's owner group

CP team (every row in this request)
Firewall Request Examples

Fields per example: Source; Source GCP Project name and GCP VPC name (mandatory for GCP only); Destination; Destination GCP Project name and GCP VPC name (mandatory for GCP only); Protocol/port or network protocol object name; Description/Reason (what is the access for and why is the access needed); Expiration Date; Kohl's owner group. A blank line separates rules.

Google Cloud (all subnets in a VPC) to Kohl's OnPrem
  Source: 10.206.96.0/25, 10.206.224.0/25
  Source GCP Project name / VPC name: kohls-cavisson-prd / cavisson-prd
  Destination: 10.8.23.103
  Protocol/port: tcp/22
  Description/Reason: GCP Cavisson SSH access to
  Expiration Date: n/a
  Kohl's owner group: #Dev-Ecomm-DevOps

Google Cloud (Project A) to Google Cloud (Project B)
  Source: 10.206.96.0/25, 10.206.224.20 (Network tag: cavisson-netstorm)
  Source GCP Project name / VPC name: kohls-cavisson-prd / cavisson-prd
  Destination: 10.207.146.0/24 (Network tag: mob-east)
  Destination GCP Project name / VPC name: kohls-mobile-prod / mobile-prod-east1
  Protocol/port: HTTPS
  Description/Reason: Cavisson NetStorm to Mobile prod servers
  Expiration Date: 1/1/2018
  Kohl's owner group: #Dev-Ecomm-DevOps

Google Cloud (source tags) to Kohl's OnPrem
  Source: 10.206.96.0/25 (Network tag: cavisson-netstorm)
  Source GCP Project name / VPC name: kohls-cavisson-prd / cavisson-prd
  Destination: 10.8.23.103
  Protocol/port: tcp/22
  Description/Reason: SSH access to GDC jump box
  Expiration Date: n/a
  Kohl's owner group: #Dev-Ecomm-DevOps

Google Cloud to Google Cloud (source and target tags) when the project and VPC are the same
  Source: 10.206.96.10, 10.206.96.20 (Network tag: cavisson-netstorm)
  Source GCP Project name / VPC name: kohls-cavisson-prd / cavisson-prd
  Destination: 10.206.224.0/25 (Network tag: https-servers)
  Destination GCP Project name / VPC name: kohls-cavisson-prd / cavisson-prd
  Protocol/port: http, https
  Description/Reason: Cavisson access to Cavisson webserver for peak testing
  Expiration Date: 1/1/2018
  Kohl's owner group: #Dev-Ecomm-DevOps

Google Cloud external IP access to a public IP (source tag required)
  Source: 35.193.5.238 (Network tag: kdxstress-blue-kdxsftp-prod)
  Source GCP Project name / VPC name: kohls-kdx-hle / kdx-hle-central
  Destination: 65.206.3.78
  Protocol/port: http, https
  Description/Reason: GCP MDX sftp connectivity to Harte hanks vendor
  Expiration Date: 1/1/2018
  Kohl's owner group: #Dev-Ecomm-DevOps

Google Cloud Openshift project to another GCP project (source & target tag required)
  Source: 10.186.0.0/23, 10.190.0.0/23 (Network tag: paas-openshift-app)
  Source GCP Project name / VPC name: kohls-openshift-lle / openshift-lle
  Destination: 10.184.106.0/24, 10.188.60.0/24 (Network tag: iaas-mysql)
  Destination GCP Project name / VPC name: kohls-cpe-prd / cpe-prd
  Protocol/port: TCP/3306
  Description/Reason: Firewall port for Openshift to access MySQL DB
  Expiration Date: n/a
  Kohl's owner group: KT-Cloud Solutions-TEST

OnPrem access to Google Cloud Openshift project (target tag required)
  Source: 10.0.0.0/8
  Destination: 10.184.106.0/24, 10.188.60.0/24 (Network tag: cpe-ssh)
  Destination GCP Project name / VPC name: kohls-cpe-prd / cpe-prd
  Protocol/port: TCP/22
  Description/Reason: OnPrem to Openshift access for SSH
  Expiration Date: n/a
  Kohl's owner group: KT-Cloud Solutions-TEST

Multiple source networks to a single destination address/port
  Source: 10.100.145.0/24, 10.100.132.0/24, 10.100.134.0/24
  Destination: 10.1.80.244
  Protocol/port: tcp/80
  Description/Reason: Web access to AJB application
  Expiration Date: n/a
  Kohl's owner group: Total Value Services - Ecom

Access to or from ranges of IP addresses
  Source: 10.1.45.13-10.1.45.15
  Destination: 10.210.147.2-10.210.147.5
  Protocol/port: SSH
  Description/Reason: SSH access to LLE servers
  Expiration Date: n/a
  Kohl's owner group: IT-Network

Access using registered object names from CSM (Cisco Security Manager)
  Source: GRP-PKY-Z1S-ATG-APP, GRP-SCS-Z1S-ATG-APP
  Destination: Ecom-Kiosk-Hosts
  Protocol/port: HTTP, HTTPS, SSH
  Description/Reason: SSH and web access from ATG Stress nodes
  Expiration Date: n/a
  Kohl's owner group: #Dev-Ecomm-DevOps

A bidirectional opening between a network (clients) and two TSM servers. This type of rule is used only where either side has the need to ORIGINATE a connection. It is entered as two rules:
  Source: 10.2.225.0/26
  Destination: 10.1.42.197, 10.1.42.198
  Protocol/port: tcp/1500-1503, tcp/1580-1583
  Description/Reason: TSM Backups
  Expiration Date: n/a
  Kohl's owner group: SAN - Level 3

  Source: 10.1.42.197, 10.1.42.198
  Destination: 10.2.225.0/26
  Protocol/port: tcp/1500-1503, tcp/1580-1583
  Description/Reason: TSM Backups
  Expiration Date: n/a
  Kohl's owner group: SAN - Level 3

A single source network to multiple destination networks on the same group of destination protocols/ports
  Source: 10.100.152.0/24
  Destination: 10.8.225.0/25, 10.1.80.0/25, 10.2.226.0/25
  Protocol/port: SSH, tcp/5900, HTTPS
  Description/Reason: Support access into DMZs fr
  Expiration Date: 12/1/2010
  Kohl's owner group: IT-Network

A single host to a single IP address
  Source: 10.1.250.37
  Destination: 128.121.47.114
  Protocol/port: HTTPS
  Description/Reason: ESI HVAC Reporting Server A
  Expiration Date: n/a
  Kohl's owner group: Corporate Planning and Facilities Services

A single network to a mail server
  Source: 10.25.0.0/16
  Destination: 10.1.11.130
  Protocol/port: SMTP
  Description/Reason: Access from all SA users to mail server
  Expiration Date: n/a
  Kohl's owner group: Development - Collaboration

Network Object Group Name (For CSM/FMC only): IP address(s)/IP ranges
Service Object Group Name (For CSM/FMC only): Service_name/Protocol/Port