
Taikun OCP Guide


Firewall-as-a-Service (FWaaS) v2 scenario


Firewall v2 has no support for OVN currently.

Enable FWaaS v2

  1. Enable the FWaaS plug-in in the
    /etc/neutron/neutron.conf file:

    [DEFAULT]
    service_plugins = firewall_v2

    [service_providers]
    # ...
    service_provider = FIREWALL_V2:fwaas_db:neutron_fwaas.services.firewall.service_drivers.agents.agents.FirewallAgentDriver:default

    [fwaas]
    agent_version = v2
    driver = neutron_fwaas.services.firewall.service_drivers.agents.drivers.linux.iptables_fwaas_v2.IptablesFwaasDriver
    enabled = True


    On Ubuntu and CentOS, modify the [fwaas] section in the
    /etc/neutron/fwaas_driver.ini file instead of

  2. Configure the FWaaS plugin for the L3 agent.

    In the [AGENT] section of l3_agent.ini, make
    sure the FWaaS v2 extension is loaded:

    [AGENT]
    extensions = fwaas_v2

  3. Configure the ML2 plugin agent extension.

    Add the following statements to ml2_conf.ini; this file
    is usually located at

    [agent]
    extensions = fwaas_v2

    [fwaas]
    firewall_l2_driver = noop

  4. Create the required tables in the database:

    # neutron-db-manage --subproject neutron-fwaas upgrade head

  5. Restart the neutron-l3-agent,
    neutron-openvswitch-agent and neutron-server
    services to apply the settings.
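Before restarting the agents in step 5, it is worth confirming that every setting from steps 1 to 3 actually landed in the right section of the right file, since a missing extension or a driver still at v1 fails silently until the first firewall group is created. The following checker is an added example and is not part of the Taikun or OpenStack documentation. It parses the three files with Python's configparser and reports each missing or wrong setting; the file names it labels, the optional fwaas_driver_ini argument for the Ubuntu/CentOS layout, and the sample file contents are constructed for this example.

```python
"""Verify the FWaaS v2 settings from the enable procedure (added example)."""
import configparser

# Values exactly as given in the procedure above.
EXPECTED_PROVIDER = ("FIREWALL_V2:fwaas_db:neutron_fwaas.services.firewall."
                     "service_drivers.agents.agents.FirewallAgentDriver:default")
EXPECTED_DRIVER = ("neutron_fwaas.services.firewall.service_drivers.agents."
                   "drivers.linux.iptables_fwaas_v2.IptablesFwaasDriver")


def parse_ini(text):
    """Parse an oslo.config style INI file.

    Only '=' is a delimiter: the service_provider value contains ':' and the
    configparser default (which also treats ':' as a delimiter) would still
    work here, but restricting it avoids surprises with other values.
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.read_string(text)
    return cp


def _value(cp, section, key):
    """Return option `key` from `section` (name matched case-insensitively), else None."""
    if section.upper() == "DEFAULT":
        return cp.defaults().get(key)
    for name in cp.sections():
        if name.lower() == section.lower():
            return cp[name].get(key)
    return None


def _csv(value):
    """Split a comma separated option into bare tokens ('router, firewall_v2' -> [...])."""
    return [v.strip() for v in (value or "").split(",") if v.strip()]


def check_fwaas_v2(neutron_conf, l3_agent_ini, ml2_conf, fwaas_driver_ini=None):
    """Return a list of problems; an empty list means the configuration is complete.

    fwaas_driver_ini (assumed name) is the Ubuntu/CentOS variant in which the
    [fwaas] section lives in /etc/neutron/fwaas_driver.ini instead of neutron.conf.
    """
    problems = []
    neutron = parse_ini(neutron_conf)
    if "firewall_v2" not in _csv(_value(neutron, "DEFAULT", "service_plugins")):
        problems.append("neutron.conf: firewall_v2 missing from service_plugins")
    if _value(neutron, "service_providers", "service_provider") != EXPECTED_PROVIDER:
        problems.append("neutron.conf: [service_providers] service_provider is not the FWaaS v2 agent driver")

    fwaas = parse_ini(fwaas_driver_ini) if fwaas_driver_ini is not None else neutron
    where = "fwaas_driver.ini" if fwaas_driver_ini is not None else "neutron.conf"
    if _value(fwaas, "fwaas", "agent_version") != "v2":
        problems.append(f"{where}: [fwaas] agent_version must be v2")
    if _value(fwaas, "fwaas", "driver") != EXPECTED_DRIVER:
        problems.append(f"{where}: [fwaas] driver is not the iptables FWaaS v2 driver")
    if (_value(fwaas, "fwaas", "enabled") or "").lower() != "true":
        problems.append(f"{where}: [fwaas] enabled must be True")

    l3 = parse_ini(l3_agent_ini)
    if "fwaas_v2" not in _csv(_value(l3, "AGENT", "extensions")):
        problems.append("l3_agent.ini: [AGENT] extensions must include fwaas_v2")

    ml2 = parse_ini(ml2_conf)
    if "fwaas_v2" not in _csv(_value(ml2, "agent", "extensions")):
        problems.append("ml2_conf.ini: [agent] extensions must include fwaas_v2")
    if _value(ml2, "fwaas", "firewall_l2_driver") is None:
        problems.append("ml2_conf.ini: [fwaas] firewall_l2_driver is not set")
    return problems


# Constructed sample files mirroring the settings from the procedure above.
SAMPLE_NEUTRON_CONF = f"""\
[DEFAULT]
service_plugins = router, firewall_v2

[service_providers]
service_provider = {EXPECTED_PROVIDER}

[fwaas]
agent_version = v2
driver = {EXPECTED_DRIVER}
enabled = True
"""
SAMPLE_FWAAS_DRIVER_INI = SAMPLE_NEUTRON_CONF[SAMPLE_NEUTRON_CONF.index("[fwaas]"):]
SAMPLE_L3_AGENT_INI = "[AGENT]\nextensions = fwaas_v2\n"
SAMPLE_ML2_CONF = "[agent]\nextensions = fwaas_v2\n\n[fwaas]\nfirewall_l2_driver = noop\n"
# Constructed broken variants: agent still at v1, L3 extension list left empty.
BROKEN_NEUTRON_CONF = SAMPLE_NEUTRON_CONF.replace("agent_version = v2", "agent_version = v1")
BROKEN_L3_AGENT_INI = "[AGENT]\nextensions =\n"

if __name__ == "__main__":
    print(check_fwaas_v2(SAMPLE_NEUTRON_CONF, SAMPLE_L3_AGENT_INI, SAMPLE_ML2_CONF))
    for problem in check_fwaas_v2(BROKEN_NEUTRON_CONF, BROKEN_L3_AGENT_INI, SAMPLE_ML2_CONF):
        print("-", problem)
```

On a real host, read the three files with `open(...).read()` and pass the contents in; on Ubuntu or CentOS pass the contents of /etc/neutron/fwaas_driver.ini as fwaas_driver_ini so the [fwaas] checks are applied to that file rather than to neutron.conf.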

Firewall-as-a-Service v2

Create the firewall rules and create a policy that contains them.
Then, create a firewall that applies the policy.

  1. Create a firewall rule:

    $ openstack firewall group rule create --protocol {tcp,udp,icmp,any} \
      --source-ip-address SOURCE_IP_ADDRESS \
      --destination-ip-address DESTINATION_IP_ADDRESS \
      --source-port SOURCE_PORT_RANGE --destination-port DEST_PORT_RANGE \
      --action {allow,deny,reject}

    The Networking client requires a protocol value. If the rule is
    protocol agnostic, you can use the any value.


    When the source and destination IP addresses are not of the same IP
    version (for example, an IPv4 source and an IPv6 destination), the
    command returns an error.

  2. Create a firewall policy:

    $ openstack firewall group policy create --firewall-rule \
      "FIREWALL_RULE_IDS_OR_NAMES" myfirewallpolicy

    Separate firewall rule IDs or names with spaces. The order in which
    you specify the rules is important.

    You can create a firewall policy without any rules and add rules
    later, as follows:

    • To add multiple rules, use the update operation.
    • To add a single rule, use the insert-rule operation.

    For more details, see Networking
    command-line client
    in the OpenStack Command-Line Interface


    FWaaS always adds a default deny-all rule at the lowest
    precedence of each policy. Consequently, a firewall policy with no rules
    blocks all traffic by default.

  3. Create a firewall group:

    $ openstack firewall group create --ingress-firewall-policy \
      "FIREWALL_POLICY_IDS_OR_NAMES" --egress-firewall-policy \
      "FIREWALL_POLICY_IDS_OR_NAMES"

    Separate firewall policy IDs or names with spaces. The direction in
    which you specify the policies is important.


    The firewall remains in PENDING_CREATE state until you create a
    Networking router and attach an interface to it.
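The three steps above are easier to get right when the rule set is written down once, validated, and then turned into the commands in dependency order (rules, then the policy that lists them in match order, then the group). The script below is an added example, not code from the Taikun or OpenStack documentation. It applies the checks the command line and server would otherwise reject late: protocol and action from the allowed sets, source and destination of the same IP version (the caveat in step 1), port ranges only with tcp or udp, and ports within 1 to 65535. It assumes the openstack client accepts --name on the three create commands and that --firewall-rule and --port may be repeated; the rule names, subnet, and ROUTER_PORT_ID placeholder are constructed.

```python
"""Validate FWaaS v2 rules and emit the create commands in order (added example)."""
import ipaddress
import shlex

PROTOCOLS = ("tcp", "udp", "icmp", "any")
ACTIONS = ("allow", "deny", "reject")


def _ip_version(value):
    """Return 4 or 6 for an address or CIDR, None when the field is unset."""
    if value is None:
        return None
    return ipaddress.ip_network(value, strict=False).version


def _check_port(spec):
    """Accept 'N' or 'N:M' with 1 <= N <= M <= 65535, the CLI's port syntax."""
    if spec is None:
        return
    lo, _, hi = spec.partition(":")
    lo, hi = int(lo), int(hi or lo)
    if not 1 <= lo <= hi <= 65535:
        raise ValueError(f"bad port range {spec!r}")


def rule_create_args(name, protocol, action, src=None, dst=None,
                     src_port=None, dst_port=None):
    """Validate one rule and return the argv for 'firewall group rule create'."""
    if protocol not in PROTOCOLS:
        raise ValueError(f"protocol must be one of {PROTOCOLS}")
    if action not in ACTIONS:
        raise ValueError(f"action must be one of {ACTIONS}")
    versions = {v for v in (_ip_version(src), _ip_version(dst)) if v}
    if len(versions) > 1:  # mixed IPv4/IPv6 is rejected by the CLI (step 1 caveat)
        raise ValueError("source and destination must be the same IP version")
    if (src_port or dst_port) and protocol not in ("tcp", "udp"):
        raise ValueError("ports require protocol tcp or udp")
    _check_port(src_port)
    _check_port(dst_port)
    argv = ["openstack", "firewall", "group", "rule", "create",
            "--name", name, "--protocol", protocol, "--action", action]
    for flag, val in (("--source-ip-address", src), ("--destination-ip-address", dst),
                      ("--source-port", src_port), ("--destination-port", dst_port)):
        if val is not None:
            argv += [flag, val]
    return argv


def rule_error(**kwargs):
    """Return the validation message for a rule spec, or None when it is valid."""
    try:
        rule_create_args(**kwargs)
    except ValueError as exc:
        return str(exc)
    return None


def policy_create_args(name, rule_names):
    """Rules are matched in list order; FWaaS appends its own deny-all last."""
    argv = ["openstack", "firewall", "group", "policy", "create", "--name", name]
    for rule in rule_names:
        argv += ["--firewall-rule", rule]
    return argv


def group_create_args(name, ingress_policy, egress_policy, router_ports=()):
    """The group stays PENDING_CREATE until a router interface port is attached."""
    argv = ["openstack", "firewall", "group", "create", "--name", name,
            "--ingress-firewall-policy", ingress_policy,
            "--egress-firewall-policy", egress_policy]
    for port in router_ports:
        argv += ["--port", port]
    return argv


def plan(rules, policy_name, group_name, router_ports=()):
    """Return shell command lines in the order they must run (same policy both ways)."""
    cmds = [shlex.join(rule_create_args(**r)) for r in rules]
    cmds.append(shlex.join(policy_create_args(policy_name, [r["name"] for r in rules])))
    cmds.append(shlex.join(group_create_args(group_name, policy_name, policy_name, router_ports)))
    return cmds


# Constructed sample: allow SSH from a management subnet and ICMP from anywhere;
# everything else is dropped by the default deny-all rule FWaaS adds to the policy.
SAMPLE_RULES = [
    {"name": "allow-ssh-mgmt", "protocol": "tcp", "action": "allow",
     "src": "10.10.0.0/24", "dst_port": "22"},
    {"name": "allow-icmp", "protocol": "icmp", "action": "allow"},
]

if __name__ == "__main__":
    for line in plan(SAMPLE_RULES, "mgmt-policy", "mgmt-fwg", ["ROUTER_PORT_ID"]):
        print(line)
```

Because the implicit deny-all sits below every rule in the policy, an allow-list like the sample is complete on its own; an explicit deny rule is only needed when it must precede a broader allow rule, which is why the list order passed to policy_create_args matters.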

