Smart Assist Network Engineer Training Text
JA

Chapter 7: Practical Firewall Design

Palo Alto Networks

Palo Alto Networks (a leading next-generation FW vendor)

Fortinet

Fortinet (FortiGate)

Cisco ASA 5510 Firewall

Example of a firewall appliance (Cisco ASA 5510)
Appearance of an enterprise firewall used in hospital networks

7.1 FQDN-Based vs. IP-Based Allow Rules

Two Allow Methods

There are broadly two methods for allowing outbound traffic through a firewall.

MethodConfiguration ExampleCharacteristics
IP-based allowDestination: 52.194.10.20Allows traffic only to a specific IP address
FQDN-based allowDestination: smartassist.example.comSpecifies by domain name; automatically allows IPs resolved via DNS

Why FQDN-Based Allow Rules Are Recommended for AWS

With AWS services, IP addresses can change dynamically for the following reasons:

  • Load balancer scaling: IPs are added or changed in response to load
  • Failover during outages: Traffic may switch to a different IP address
  • Maintenance: IP changes due to AWS infrastructure updates
Problem with IP-Based Allow Rules FW Allow: Dest: 52.194.10.20 OK AWS IP Change: 52.194.10.20 → 52.194.10.21 FW Allow: Dest: 52.194.10.21 Not Allowed → Connection Lost FQDN-Based Allow Rules FW Allow: Dest: smartassist.example.com Auto-allows IPs from DNS resolution AWS IP Change: DNS response changes FW auto-follows Connection Maintained With FQDN-based rules, changes in IP are followed automatically → no connection interruption

When FQDN-Based Allow Rules Cannot Be Used

Older firewall appliances may not support FQDN-based allow rules. The following workarounds are available in such cases.

WorkaroundDescription
Allow by IP rangeAllow a broad range using AWS IP ranges (publicly available information)
Periodic IP verificationPeriodically check the FQDN's IP address and update FW rules if it changes
Route through a proxyPerform FQDN-based control on the proxy server and only allow the proxy on the FW
Practical workarounds when FQDN is not supported on older firewalls

This situation actually comes up quite often in the field. You may encounter older firewalls (such as Cisco ASA 5500 series with legacy firmware) that do not support FQDN-based allow rules. Do not panic when this happens.

The most practical approach is to switch to routing through a proxy. On the FW side, only allow the proxy server's IP, and let the proxy handle FQDN-based control. If no proxy is available, use nslookup to check the current IP and submit the request, but make sure to inform the hospital's IT administrator that the IP may change. If you stay silent about it, traffic will suddenly stop when the IP changes, causing a major incident.

7.2 Port Opening Principles

Principle of Least Privilege

Firewall port openings should be designed based on the principle of allowing only the minimum necessary traffic.

Ports Required for Smart Assist

ProtocolPortDirectionPurpose
TCP443OutboundHTTPS communication (data send/receive)
UDP53OutboundDNS name resolution (when using FQDN)

Firewall Rule Design Example

# Smart Assist Traffic Allow Rules

Rule 1: HTTPS Traffic
  Source:      192.168.10.50/32  (Smart Assist PC)
  Destination: smartassist.example.com
  Protocol:    TCP
  Dest Port:   443
  Action:      ALLOW

Rule 2: DNS Traffic (for direct DNS)
  Source:      192.168.10.50/32  (Smart Assist PC)
  Destination: Hospital Internal DNS Server
  Protocol:    UDP
  Dest Port:   53
  Action:      ALLOW

Default Rule:
  Source:      *
  Destination: *
  Protocol:    *
  Dest Port:   *
  Action:      DENY

Configurations You Must Never Use

Configuration ExampleProblem
Destination: ANY, Port: ANYAllows all outbound traffic
Destination: ANY, Port: 443Enables access to any HTTPS site
Source: ANYAllows traffic from devices other than the Smart Assist PC
"Let's just open everything for testing" — never do this

You might be tempted to suggest to the hospital IT administrator: "Let's open everything for the connectivity test first, then tighten it later." I understand the temptation. But you must absolutely never do this.

There are two reasons. First, at a hospital that has passed a security review, "opening everything, even temporarily" will destroy trust. Second, there is a high risk that "tightening later" never actually happens and the system goes live with wide-open rules. Closing a hole after it has been opened is far harder than configuring it properly from the start.

Always configure with least privilege from the beginning, and if traffic does not pass, troubleshoot to identify the cause. Follow this order without exception.

7.3 Considerations for Proxy Environments

Traffic Flow Through a Proxy

In a proxy environment, the Smart Assist PC communicates through the proxy server rather than directly through the firewall.

Direct Communication Smart Assist PC Firewall AWS Via Proxy Smart Assist PC Proxy Server Firewall AWS

Required Settings for Proxy Environments

Setting LocationConfiguration
Smart Assist PCConfigure the proxy server address and port number
Proxy serverAdd Smart Assist's destination FQDN to the whitelist
FirewallAllow 443/tcp outbound traffic from the proxy server

Proxy Configuration on the Smart Assist PC

# Setting via environment variables
HTTPS_PROXY=http://proxy.hospital.local:8080

# Setting via application configuration
Proxy Host: proxy.hospital.local
Proxy Port: 8080

Handling Authenticated Proxies

With an authenticated proxy, authentication credentials must be sent with each communication.

Item to VerifyDetails
Authentication methodBasic authentication, NTLM authentication, Kerberos authentication, etc.
Service accountWhether a dedicated account is needed for always-on services
Password change policyWhether periodic password changes will affect Smart Assist communications
Service account issues in authenticated proxy environments

The biggest pitfall at hospitals with authenticated proxies is the service account issue. In environments where individual AD accounts are used for authentication, the question arises: "Whose account should Smart Assist use for proxy authentication?"

There are three things to verify in advance:

  • Can a dedicated service account (AD account) be created specifically for the Smart Assist PC?
  • What is the password expiration policy for that account? (If it expires every 90 days, communications will periodically stop)
  • Is an authentication bypass list available (a setting that allows certain IPs to skip proxy authentication)?

The easiest option is the authentication bypass list. If the Smart Assist PC's IP address is registered on it, the authentication problem goes away entirely.

7.4 Impact of SSL Inspection

What Is SSL Inspection?

SSL inspection (also called SSL/TLS inspection or HTTPS inspection) is a feature where the firewall or proxy decrypts and inspects the contents of encrypted HTTPS traffic.

How It Works

Without SSL Inspection PC TLS (AWS certificate) AWS * The PC directly validates the AWS server certificate With SSL Inspection PC TLS (FW cert) FW / Proxy TLS (AWS cert) AWS * The certificate received by the PC is a "replacement certificate" issued by the FW/Proxy

Impact on Smart Assist

ImpactDescription
Certificate errorCommunication fails if the Smart Assist PC does not trust the FW's certificate
Certificate pinningIf the application expects a specific certificate, it will reject the replacement certificate
Performance degradationCommunication speed may decrease due to the processing overhead of decryption and re-encryption

Remediation Methods

MethodDescription
Exclusion settingExclude the Smart Assist destination FQDN from SSL inspection targets
CA certificate installationInstall the CA certificate issued by the FW/Proxy on the Smart Assist PC

In most cases, the exclusion setting is the simplest and most reliable approach.

How to write an SSL inspection exclusion request

Simply saying "Please exclude us from SSL inspection" will make the hospital IT administrator uneasy. The key when submitting an exclusion request is to also explain why it is safe to grant the exclusion.

Points to include in the request:

  • FQDNs to exclude: *.arkray-smartassist.com and the S3 FQDN (specify explicitly)
  • Reason for exclusion: The system cannot function in an inspection environment due to certificate pinning
  • Basis for safety: The destination is exclusively our company-managed AWS environment, traffic is already encrypted with TLS 1.2, and a WAF is filtering malicious requests

Providing three or more reasons why the exclusion is safe will generally get the request approved.

7.5 How to Write a Firewall Allow Request

Information to Include in Hospital Requests

Firewall allow requests must contain all the information the hospital IT department needs to make a decision, without excess or omission.

Request Template

Firewall Allow Request Form
Date of Request
YYYY-MM-DD
Applicant
[Organization] [Department] [Contact Person]
Target System
System Name: Smart Assist
Purpose: Remote classification support for urine sediment images
Communication Requirements
ItemDetails
Source192.168.10.50 (Smart Assist PC)
Destinationsmartassist.example.com
Port443/tcp (HTTPS)
Traffic DirectionOutbound Only
EncryptionTLS 1.2 or higher
Data Being Transmitted
  • Anonymized specimen IDs
  • Microscope images (formed elements)
  • Automated classification results (confidence scores)
* No personally identifiable information (PII/PHI) such as patient names or dates of birth is included
Communication Security
  • All communications are encrypted with HTTPS (TLS 1.2 or higher)
  • Communications are always initiated from the hospital PC (Outbound Only)
  • No new inbound connections from the cloud to the hospital network will occur
  • The destination is limited to specific FQDNs on AWS
Supplementary Materials
  • Communication sequence diagram (Appendix 1)
  • Security design document (Appendix 2)

7.6 How to Explain to Hospital IT

Fundamental Principles of Explanation

PrincipleDescription
Anticipate the other party's concernsExplain security concerns and countermeasures before being asked
Do not overuse technical jargonUse necessary technical terms but always provide explanations
Use diagramsAlways illustrate communication flows and network architecture with diagrams
Provide evidenceInstead of saying "It's safe," explain technically "why it is safe"
Welcome questionsTreat questions as opportunities to build trust

Recommended Explanation Flow

OrderContentPurpose
1Explain the business purpose of Smart AssistHelp them understand why this communication is necessary
2Show the communication flow diagramVisualize what data flows where
3Clearly state what data is transmittedConfirm that no personal information is included
4Explain that traffic is Outbound OnlyProvide an answer to their primary concern
5Present a specific firewall configuration proposalProvide a concrete, implementable plan
6Explain the scope of impact during failuresClarify what happens in the worst-case scenario
7Q&A sessionCarefully address concerns

Explanation Patterns to Avoid

Bad ExampleReason
"It's safe because it's in the cloud"No supporting evidence
"There are no technical issues"Technical issues are not the only thing they are worried about
"It's running fine at other hospitals"Their hospital's policies may not be the same
"Please ask the technical team for details"This destroys trust

Note (International Context): The firewall allow request template presented in this chapter follows a standard format for Japanese hospital IT departments. In the United States, the request process is typically based on vendor security questionnaires (SIG: Standardized Information Gathering, CAIQ: Consensus Assessment Initiative Questionnaire) or HIPAA Security Risk Assessments. In the EU, a DPIA (Data Protection Impact Assessment) under GDPR Article 35 and consultation with a DPO (Data Protection Officer) are often required. Regardless of region, the fundamentals remain the same: visualize the communication flow, clearly state what data is transmitted, and provide technical evidence that traffic is Outbound Only.

7.7 Reading the Documentation: FW Allow FQDN List (Actual Configuration Values)

Overview of the Documentation

The Network Explanatory Materials contain a list of specific FQDNs and ports that need to be allowed on the firewall. Field engineers use this list to present specific FW configuration proposals to hospital IT administrators.

Smart Assist Communications (Required)

CategoryFQDNProtocolPort
Smart Assist*.arkray-smartassist.comHTTPS443
Smart Assist (S3)remote-us1pdv2-bucket-measure-info.s3.us-east-1.amazonaws.comHTTPS443

Time Synchronization (NTP)

CategoryFQDNProtocolPort
NTPntp.nict.jpUDP/TCP123
NTP*.pool.ntp.orgUDP/TCP123
NTPtime.windows.comUDP/TCP123

Security Software Updates

CategoryFQDNProtocolPort
McAfee Updateupdate.nai.comHTTPS443
McAfee Updatedownload.mcafee.comHTTPS443
McAfee Updateupdates.mcafee.comHTTPS443
McAfee Updategti.mcafee.comHTTPS443
McAfee Updatecloud.gti.mcafee.comHTTPS443
McAfee Updatecrl.trustwave.comHTTPS443

Windows Update

CategoryKey FQDNs (Excerpt)ProtocolPort
Windows Updatewindowsupdate.microsoft.comHTTPS443
Windows Update*.windowsupdate.microsoft.comHTTPS443
Windows Updateupdate.microsoft.comHTTPS443
Windows Update*.update.microsoft.comHTTPS443
Windows Updatedownload.microsoft.comHTTPS443
Windows Update*.download.microsoft.comHTTPS443
Windows Updatedl.delivery.mp.microsoft.comHTTPS443
Windows Updatesettings-win.data.microsoft.comHTTPS443

Note: Refer to the Network Explanatory Materials for the complete list of Windows Update FQDNs. The above is an excerpt of the major ones.

When Using the VPN Connection Option (Option 2)

When the VPN connection option is selected, only the FQDN allow rules for Smart Assist communications are needed (NTP, McAfee, and Windows Update will route through the VPN).

CategoryFQDNProtocolPort
Smart Assist*.arkray-smartassist.comHTTPS443
Smart Assist (S3)remote-us1pdv2-bucket-measure-info.s3.us-east-1.amazonaws.comHTTPS443
AWS Client VPNProvided via configuration file

Key Points for Field Engineers

  1. Wildcard (*) allow rules: Wildcard specifications such as *.arkray-smartassist.com may not be supported by some FW appliances. In that case, allow specific subdomains individually
  2. S3 FQDN: The direct access URL for S3 buckets is a long FQDN that includes region information. Make sure to copy it exactly
  3. Importance of NTP: If time synchronization fails, TLS certificate validation may also fail (see Chapter 10 for certificate expiration troubleshooting)
  4. Phased allow approach: It is also effective to first allow only the two Smart Assist communication entries, test connectivity, then add NTP and update-related entries
Expanding wildcard FQDNs individually when they are rejected

Cases where the wildcard specification *.arkray-smartassist.com is rejected by the FW are actually fairly common. This happens especially with older firmware on Palo Alto or FortiGate appliances, or at hospitals whose policies prohibit wildcard rules.

When this happens, do not panic. Expand the actually used subdomains individually and submit them in the request. The specific subdomains are listed in the Network Explanatory Materials. First check that document, then list out the required FQDNs individually for your request.

Do not forget the S3 FQDN either. remote-us1pdv2-bucket-measure-info.s3.us-east-1.amazonaws.com is long, so copying and pasting is mandatory (typing it manually will result in a typo 100% of the time).

In the next chapter, we will understand the basic structure of AWS, the cloud infrastructure behind Smart Assist.