You perform this procedure in NSX-T Data Center to configure traffic logging for Gateway Firewall rules, publish any pending firewall policy or rule changes, deny traffic by default, configure a flood protection profile, configure ingress filters, restrict traffic destined to the tier-0 gateway, and disable Internet Control Message Protocol (ICMP) unreachable notifications, mask replies, and redirects on the external interfaces. Configure these settings for all NSX-T Edge instances in your VMware Cloud Foundation environment.
Procedure
- In a Web browser, log in to the NSX Manager cluster as an administrator by using the user interface.
VMW-NSXT-01428, VMW-NSXT-01513
- Ensure that the NSX-T Gateway Firewall on the tier-0 and tier-1 gateways does not have any unpublished firewall policies or rules.
  - On the main navigation bar, click Security.
  - In the left pane, navigate to North South security > Gateway Firewall.
  - Click the Gateway specific rules tab.
  - From the Gateway drop-down menu, select the respective gateway.
  - For each tier-0 gateway with unpublished changes, review the unpublished changes and click either Revert or Publish.
  - Repeat the procedure for each tier-1 gateway with unpublished changes.
VMW-NSXT-01429, VMW-NSXT-01514
- Configure the NSX-T Gateway Firewall on the tier-0 and tier-1 gateways to generate traffic log entries.
  Note: If the tier-0 gateway is deployed in an active/active high availability mode and no stateless rules exist, this configuration is not applicable.
  - On the main navigation bar, click Security.
  - In the left pane, navigate to North South security > Gateway Firewall.
  - Click the Gateway specific rules tab.
  - From the Gateway drop-down menu, select the respective gateway.
  - For each tier-0 gateway and for each rule with logging disabled, click the gear icon, activate the Logging toggle, and click Apply.
  - On the Gateway Firewall page, click Publish.
  - Repeat the procedure for each tier-1 gateway and for each rule with logging deactivated.
VMW-NSXT-01431, VMW-NSXT-01432
- Configure the NSX-T Gateway Firewall on the tier-0 and tier-1 gateways to deny network traffic by default and allow network traffic by exception.
  - On the main navigation bar, click Security.
  - In the left pane, navigate to North South security > Gateway Firewall.
  - Click the Gateway specific rules tab.
  - From the Gateway drop-down menu, select the respective gateway.
  - Expand the default policy, and from the Actions drop-down menu, select Reject.
  - On the Gateway Firewall page, click Publish.
  - Repeat the procedure for each tier-1 gateway.
VMW-NSXT-01453, VMW-NSXT-01515
- Configure flood protection profiles on the NSX-T Gateway Firewall for the tier-0 and tier-1 gateways to protect against Distributed Denial of Service (DDoS) attacks.
  Note: If the tier-0 gateway is deployed in an active/active high availability mode and no stateless rules exist, this configuration is not applicable.
  - On the main navigation bar, click Security.
  - In the left pane, navigate to Settings > General Settings.
  - On the General Security Settings tab, click Firewall > Flood Protection.
  - From the Add profile drop-down menu, select Add Edge Gateway profile.
  - Enter a name and specify appropriate values for the following: TCP half open connection limit, UDP active flow limit, ICMP active flow limit, and Other active connection limit.
  - Activate SYN cache and RST spoofing.
  - Configure the Applied to field to contain the tier-0 gateways, and then click Save.
  - Repeat this step for the tier-1 gateways and set Applied to to contain the tier-1 gateways.
VMW-NSXT-01455, VMW-NSXT-01510
- Create a spoof guard segment profile with port binding activated and apply the profile to all segments.
  - On the main navigation bar, click Networking.
  - In the left pane, navigate to Connectivity > Segments.
  - Click the Segment profiles tab.
  - From the Add segment profile drop-down menu, select Spoof guard.
  - Enter a name for the profile, activate the Port bindings toggle switch, and click Save.
  - Click the Segments tab.
  - Next to the segment you want to configure, click the vertical ellipsis and click Edit.
  - Expand the Segment profiles section, and from the Spoof guard drop-down menu, select the newly created spoof guard segment profile. Click Save, and then click Close editing.
  - Repeat this step for the remaining configured segments.
VMW-NSXT-01456, VMW-NSXT-01464
- Configure ingress filters for inbound traffic through any active external interface on the NSX-T tier-0 and tier-1 Gateway Firewall.
  Note: If the tier-0 gateway is deployed in an active/active high availability mode and no stateless rules exist, this configuration is not applicable.
  - On the main navigation bar, click Security.
  - In the left pane, navigate to North South security > Gateway Firewall.
  - Click the Gateway specific rules tab.
  - From the Gateway drop-down menu, select the target NSX-T tier-0 gateway.
  - For any rules that have individual interfaces specified in the Applied to field, in the Applied to column, click Edit and deselect the interfaces, leaving only the NSX-T gateway object type selected.
  - Click Apply and click Publish.
  - Repeat this step for all NSX-T tier-1 gateways.
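As an added offline check (example code written for this page, not VMware's), the following Python audits an exported list of Gateway Firewall rules against three of the controls above: logging enabled on every rule, a Reject (or Drop) action on the default rule, and Applied to set to the gateway object rather than individual interfaces. It assumes the field names of the NSX-T Policy API rule object (`display_name`, `action`, `logged`, `scope`) and the gateway and interface paths in the sample are constructed for this example.

```python
import json

# Constructed sample in the shape of NSX-T Policy API gateway-policy rules.
# Field names (display_name, action, logged, scope) are assumed from the
# Policy API; the gateway name "t0-gw01" and its uplink are made up.
SAMPLE_RULES = json.loads("""
[
  {"display_name": "allow-mgmt", "action": "ALLOW", "logged": true,
   "scope": ["/infra/tier-0s/t0-gw01"]},
  {"display_name": "allow-web", "action": "ALLOW", "logged": false,
   "scope": ["/infra/tier-0s/t0-gw01/locale-services/default/interfaces/uplink-1"]},
  {"display_name": "default_rule", "action": "ALLOW", "logged": false,
   "scope": ["ANY"]}
]
""")

DENY_ACTIONS = ("REJECT", "DROP")


def audit_gateway_rules(rules, default_rule_name="default_rule"):
    """Return (rule_name, finding) tuples for every rule that violates one of
    the three controls: logging off, a non-deny default rule, or a rule scoped
    to an individual interface instead of the gateway object."""
    findings = []
    for rule in rules:
        name = rule.get("display_name", rule.get("id", "<unnamed>"))
        # Control: every rule must generate traffic log entries.
        if not rule.get("logged", False):
            findings.append((name, "logging disabled"))
        # Control: the default rule must deny by default (Reject per the
        # procedure above; Drop is also a deny action).
        if name == default_rule_name and rule.get("action") not in DENY_ACTIONS:
            findings.append((name, "default action is %s, expected REJECT or DROP"
                             % rule.get("action")))
        # Control: Applied to must name the gateway, not individual interfaces.
        for path in rule.get("scope", []):
            if "/interfaces/" in path:
                findings.append((name, "applied to interface %s instead of the gateway"
                                 % path))
    return findings


if __name__ == "__main__":
    for rule_name, finding in audit_gateway_rules(SAMPLE_RULES):
        print("%s: %s" % (rule_name, finding))
```

To audit a live system, replace SAMPLE_RULES with the rules returned by your gateway-policy export and run the same function per tier-0 and tier-1 gateway.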
VMW-NSXT-01460
- To protect against route table flooding and prefix de-aggregation attacks, configure the NSX-T tier-0 gateway to enforce a maximum number of prefixes accepted from each BGP neighbor.
  - On the main navigation bar, click Networking.
  - In the left pane, navigate to Connectivity > Tier-0 gateways.
  - Expand the NSX-T tier-0 gateway.
  - Expand the BGP section and click BGP neighbors.
  - In the Set BGP neighbors dialog box, click the vertical ellipsis and click Edit for the first neighbor.
  - Click the number in the Route filter column.
  - In the Set route filter dialog box, click the vertical ellipsis menu, click Edit, and configure the maximum routes value appropriate for your environment.
  - Repeat the step to configure all neighbors.
VMW-NSXT-01493
- Configure the NSX-T tier-0 gateway to restrict traffic destined to itself.
  - On the main navigation bar, click Security.
  - In the left pane, navigate to North South security > Gateway Firewall.
  - Click the Gateway specific rules tab.
  - From the Gateway drop-down menu, select the NSX-T tier-0 gateway.
  - Click Add rule and, in the Destination column, click the Edit button.
  - In the Set destination dialog box, select all IP addresses of the external interfaces, and click Apply.
  - On the Gateway Firewall page, in the Action column for the new rule, from the Action drop-down menu, select Drop or Reject.
  - Click the Settings icon and, in the Settings dialog box, activate the Logging toggle.
  - In the Applied to column, click the Edit icon.
  - In the Applied to dialog box, select the target NSX-T tier-0 gateway and click Apply.
  - On the Gateway Firewall page, click Publish.
  - If necessary, you can configure additional rules that allow traffic to specific external interface IP addresses and place them above this rule.
VMW-NSXT-01494, VMW-NSXT-01495, VMW-NSXT-01496
- Configure the NSX-T tier-0 gateway to disable Internet Control Message Protocol (ICMP) unreachable notifications, mask replies, and redirects on all external interfaces.
  Note: If the tier-0 gateway is deployed in an active/active high availability mode and no stateless rules exist, this configuration is not applicable.
  NSX-T Data Center does not come with a pre-configured service for ICMP mask replies. You may need to create this service.
  - On the main navigation bar, click Security.
  - In the left pane, navigate to North South security > Gateway Firewall.
  - Click the All shared rules tab.
  - From the Gateway drop-down menu, select the NSX-T tier-0 gateway.
  - Click Add rule and, in the Services column, click the Edit button.
  - In the Set services dialog box, on the Services tab, select the ICMP destination unreachable service, and click Apply.
  - On the Gateway Firewall page, click the Settings icon and, in the Settings dialog box, activate the Logging toggle.
  - In the Applied to column, click the Edit icon.
  - In the Applied to dialog box, select the target NSX-T tier-0 gateway and click Apply.
  - On the Gateway Firewall page, click Publish.
  - Repeat the procedure for the ICMP mask replies and ICMP redirect services.