Managing NSX Data Center for vSphere Distributed Firewall Rules Using the VMware Cloud Director Tenant Portal

As described in the NSX Data Center for vSphere documentation, default firewall settings apply to traffic that does not match any of the user-defined firewall rules. In the VMware Cloud Director Tenant Portal, the default distributed firewall rule is labeled Default Allow Rule.

The distributed firewall capability must be enabled on an organization virtual data center before you can manage the distributed firewall settings using the VMware Cloud Director Tenant Portal.

The default distributed firewall rule is configured to allow all layer 3 and layer 2 traffic to pass through the organization virtual data center. This setting is indicated by the Allow set in the Action column in the user interface. The default rule is always at the bottom of the rules table.

Important: You cannot delete or modify the default distributed firewall rules.

Add a Distributed Firewall Rule by Using Your VMware Cloud Director Tenant Portal

By using the VMware Cloud Director Tenant Portal, you first add a distributed firewall rule to the scope of the organization virtual data center. Then you can narrow down the scope at which you want to apply the rule. The distributed firewall allows you to add multiple objects at the source and destination levels for each rule, which helps reduce the total number of firewall rules to be added.

For information about the predefined services and service groups that you can use in a rule, see View Services Available for Firewall Rules by Using Your VMware Cloud Director Tenant Portal and View Service Groups Available for Firewall Rules by Using Your VMware Cloud Director Tenant Portal.

Prerequisites

Enable the Distributed Firewall on an Organization Virtual Data Center Backed by NSX Data Center for vSphere in the VMware Cloud Director Tenant Portal
If you want to use an IP set as a source or destination in a rule, Create an IP Set for Use in Firewall Rules and DHCP Relay Configuration by Using Your VMware Cloud Director Tenant Portal.
If you want to use a MAC set as a source or destination in a rule, Create a MAC Set for Use in Firewall Rules by Using Your VMware Cloud Director Tenant Portal.
If you want to use a Security group as a source or destination in a rule, Create a Security Group by Using Your VMware Cloud Director Tenant Portal.

Procedure

On the Virtual Data Center dashboard screen, click the card of the virtual data center you want to explore and under Networking, select Security.
Select the security services VDC network for which you want to modify firewall rules, and click Configure Services.
The Security Services screen displays.
Select the type of rule you want to create. You have the option to create a general rule or an Ethernet rule.
Layer 3 (L3) rules are configured on the General tab. Layer 2 (L2) rules are configured on the Ethernet tab.
To add a rule below an existing rule in the firewall table, click in the existing row and then click the Create () button.
A row for the new rule is added below the selected rule, and is assigned any destination, any service, and the Allow action by default. When the system-defined Default Allow rule is the only rule in the firewall table, the new rule is added above the default rule.
Click in the Name cell and type in a name.

Click in the Source cell and use the now visible icons to select a source to add to the rule:

Action	Description
Click the IP icon	Applicable for rules defined on the General tab. Enter the source value you want to use. Valid values are an IP address, CIDR, an IP range, or the keyword `any`. The distributed firewall supports IPv4 format only.
Click the + icon	Use the + icon to specify the source as an object other than a specific IP address: Use the Select objects window to add objects that match your selections and click Keep to add them to the rule. To exclude a source from the rule, add it to this rule using the Select objects window and then select the toggle exclusion icon to exclude that source from this rule. When the toggle exclusion is selected on the source, the rule is applied to traffic coming from all sources except for the source you excluded. When the toggle exclusion is not selected, the rule applies to traffic coming from the source you specified in the Select objects window

Action

Description

Click the IP icon

Applicable for rules defined on the General tab.

Enter the source value you want to use. Valid values are an IP address, CIDR, an IP range, or the keyword any. The distributed firewall supports IPv4 format only.

Click the + icon

Use the + icon to specify the source as an object other than a specific IP address:

Use the Select objects window to add objects that match your selections and click Keep to add them to the rule.
To exclude a source from the rule, add it to this rule using the Select objects window and then select the toggle exclusion icon to exclude that source from this rule.

When the toggle exclusion is selected on the source, the rule is applied to traffic coming from all sources except for the source you excluded. When the toggle exclusion is not selected, the rule applies to traffic coming from the source you specified in the Select objects window

Click in the Destination cell and perform one of the following actions:

Action	Description
Click the IP icon	Applicable for rules defined on the General tab. Enter the destination value you want to use. Valid values are an IP address, CIDR, an IP range, or the keyword `any`. The distributed firewall supports IPv4 format only.
Click the + icon	Use the + icon to specify the source as an object other than a specific IP address: Use the Select objects window to add objects that match your selections and click Keep to add them to the rule. To exclude a source from the rule, add it to this rule using the Select objects window and then select the toggle exclusion icon to exclude that source from this rule. When the toggle exclusion is selected on the source, the rule is applied to traffic coming from all sources except for the source you excluded. When the toggle exclusion is not selected, the rule applies to traffic coming from the source you specified in the Select objects window

Action

Description

Click the IP icon

Applicable for rules defined on the General tab.

Enter the destination value you want to use. Valid values are an IP address, CIDR, an IP range, or the keyword any. The distributed firewall supports IPv4 format only.

Click the + icon

Use the + icon to specify the source as an object other than a specific IP address:

Use the Select objects window to add objects that match your selections and click Keep to add them to the rule.
To exclude a source from the rule, add it to this rule using the Select objects window and then select the toggle exclusion icon to exclude that source from this rule.

Click in the Service cell of the new rule and perform one of the following actions:

Action	Description
Click the IP icon	To specify the service as a port–protocol combination: Select the service protocol. Enter the port numbers for the source and destination ports, or specify `any`, and click Keep.
Click the + icon	To select a pre-defined service or service group, or define a new one: Select one or more objects and add them to the filter. Click Keep.

In the Action cell of the new rule, configure the action for the rule.

Option	Description
Allow	Allows traffic from or to the specified sources, destinations, and services.
Deny	Blocks traffic from or to the specified sources, destinations, and services.

In the Direction cell of the new rule, select whether the rule applies to incoming traffic, outgoing traffic, or both.
If this is a rule on the General tab, in the Packet Type cell of the new rule, select a packet type of Any, IPV4, or IPV6.
Select the Applied To cell, and use the + icon to define the object scope to which this rule is applicable.
When the rule contains virtual machines in the Source and Destination cells, you must add both the source and destination virtual machines to the rule's Applied To for the rule to work correctly.
Important: IP address groups (IP sets), MAC address groups (MAC sets), and security groups containing either IP sets or MAC sets are not valid input parameters.
Click Save Changes.

Edit a Distributed Firewall Rule by Using Your VMware Cloud Director Tenant Portal

In a VMware Cloud Director environment, to modify an existing distributed firewall rule of an organization virtual data center, use the Distributed Firewall screen.

For details about the available settings for the various cells of a rule, see Add a Distributed Firewall Rule by Using Your VMware Cloud Director Tenant Portal.

Procedure

On the Virtual Data Center dashboard screen, click the card of the virtual data center you want to explore and under Networking, select Security.
Select the security services VDC network for which you want to modify firewall rules, and click Configure Services.
The Security Services screen displays.
Perform any of the following actions to manage the distributed firewall rules:
- Deactivate a rule by clicking the green check mark in its No. cell.
  The green check mark turns to a red deactivated icon. If the rule is deactivated and you want to activate the rule, click the red deactivated icon.
- Edit a rule name by double-clicking in its Name cell and enter the new name.
- Modify the settings for a rule, such as the source or action settings, by selecting the appropriate cell and using the displayed controls.
- Delete a rule by selecting it and clicking the Delete button located above the rules table.
- Move a rule up or down in the rules table by selecting the rule and clicking the up and down arrow buttons located above the rules table.
Click Save Changes.