Notes about setting up microsegmentation policies for IBM AIX 7.2
IBM AIX Asset Type
- IBM AIX Asset Type: By default, 12Port Horizon includes an initially hidden asset type for IBM AIX, which represents an IBM AIX host with user and password access. This asset type encompasses all necessary tasks for microsegmentation and network monitoring on an AIX host.
Tagging and Policy Application
- Tagging with `Component :: Server :: Linux`: If you tag an IBM AIX asset with the `Component :: Server :: Linux` tag, it will automatically apply the default Management Server policy. This policy provisions a rule that grants management access to the AIX host.
- Tagging with `Component :: Server :: AIX`: Alternatively, you can tag the AIX asset with the `Component :: Server :: AIX` tag and create a management access policy specifically for AIX, similar to the one provided for Linux servers. There is no functional advantage to this approach over using the default Linux policy, other than keeping the Linux tag off AIX servers, which some users prefer for organizational clarity.
Policy and Network Management
- Network and Policy Management: The process for monitoring network state, publishing policies, enforcing policies, resetting to the original state, enabling or disabling firewall logging, and handling service requests is the same for IBM AIX assets as it is for any other asset type.
Firewall Management
- IBM AIX Firewall: The IBM AIX 7.2 distribution typically includes a firewall system by default. If it is not already installed, it should be installed manually. Below is a concise guide to managing the IBM AIX firewall, with examples and references to the relevant commands.
IBM AIX Firewall Commands
Check if the Firewall System is Enabled
By default, the IBM AIX 7.2 firewall system is not enabled. To check whether the firewall is enabled, run:
sudo lsdev -l ipsec_v4
If the firewall is enabled, the output should show:
ipsec_v4 Available IP Version 4 Security Extension
Note: v4 refers to the component version, not to the IP protocol. The system supports both IPv4 and IPv6.
Enabling the Firewall
If the firewall is not enabled, you can enable it using the graphical configuration tool. Refer to the IBM guide above, specifically the "Implementation – Setting up rules" chapter, for detailed step-by-step instructions. Alternatively, you can start the graphical tool with the following command:
smitty ipsec4
List Existing Firewall Rules
To view the existing firewall rules for IPv4 and IPv6, use the following commands:
sudo lsfilt -v 4
sudo lsfilt -v 6
Default Firewall Rule
Both the IPv4 and IPv6 channels have a default rule (number 0) that cannot be deleted but can be modified to either permit or deny traffic. You can also enable logging for this rule. Horizon uses this rule to block or allow all traffic and to enable firewall logging.
Enabling Firewall Logging
The firewall logging subsystem must be configured before logging can be enabled. This is done via the "Enable Logging" script, as described in the "Implementation – Setting up logging" section of the documentation above.
To start logging after configuration, use:
sudo mkfilt -g start
... To stop logging, use the following command (which is also executed by the "Disable Firewall Logging" script):
sudo mkfilt -g stop
Configuring Logging for a Rule
Firewall logging will not record data unless specific rules are configured to log. To enable logging for a rule, use the following command (the example below enables logging for rule 0 in IPv4):
sudo chfilt -v 4 -n 0 -l Y
To disable logging for the rule, replace `-l Y` with `-l N`.
Accessing the Firewall Log
The firewall logs are stored in the file `/var/adm/ipsec.log`. Connection detection scripts read from this log and reset it after processing.
Log Rotation and Compression
If the log file grows too large, a system deployment script rotates and compresses the log. This script should run automatically via a cron job (every 1 hour or every 10 minutes, depending on server load). The compressed log is stored in `/var/adm/ipsec1.log`, and the Connection detection scripts also read from this file.
The log rotation script is located at:
$HOME/web/webapps/ztna/WEB-INF/scripts/aix-rotate-fw-logs.sh
Reloading the Firewall After Rule Changes
After modifying any rule in the v4 or v6 channel (including changes to logging, action, direction, source or destination addresses or ports, and adding or removing a rule), the firewall system must be reloaded. To do so, run:
sudo /usr/sbin/mkfilt -u
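As an added example, not code from 12Port Horizon or from IBM's documentation, the following POSIX shell helper wraps the check, rule-logging and reload commands above into idempotent enable/disable sequences; the function names are the example's own, and the `lsdev` output line it parses in dry-run mode is a constructed sample.

```shell
#!/bin/sh
# Added example: a small helper around the AIX firewall commands quoted in
# these notes. It is not part of 12Port Horizon's own scripts or of IBM's
# documentation. Set FW_DRY_RUN=1 to print the commands instead of running them.

# Return 0 when a `lsdev -l ipsec_v4` output line reports the device Available.
fw_is_enabled() {
    case "$1" in
        ipsec_v4*Available*) return 0 ;;
        *) return 1 ;;
    esac
}

# Run a privileged command, or just print it in dry-run mode.
fw_run() {
    if [ "${FW_DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        sudo "$@"
    fi
}

# Set logging (Y/N) on default rule 0 of one IP version; the caller reloads.
fw_set_rule0_logging() {
    case "$1" in 4|6) ;; *) echo "bad IP version: $1" >&2; return 2 ;; esac
    case "$2" in Y|N) ;; *) echo "bad logging flag: $2" >&2; return 2 ;; esac
    fw_run chfilt -v "$1" -n 0 -l "$2"
}

# Full enable sequence: log on rule 0 for IPv4 and IPv6, reload, start logging.
fw_enable_logging() {
    fw_set_rule0_logging 4 Y && fw_set_rule0_logging 6 Y &&
    fw_run /usr/sbin/mkfilt -u &&
    fw_run /usr/sbin/mkfilt -g start
}

# Reverse sequence: stop the log subsystem, clear the flag on rule 0, reload.
fw_disable_logging() {
    fw_run /usr/sbin/mkfilt -g stop &&
    fw_set_rule0_logging 4 N && fw_set_rule0_logging 6 N &&
    fw_run /usr/sbin/mkfilt -u
}
```

Source the file and call `fw_enable_logging` or `fw_disable_logging`; with `FW_DRY_RUN=1` it prints the exact command sequence for review before it is run on a host.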
Disabling the Firewall While Preserving Rules
To temporarily disable the firewall while keeping all existing rules, use:
sudo /usr/sbin/mkfilt -d
To re-enable the firewall and restore the rules, run the previous command with `-u`.