The NSX Advanced Firewall service enables your SDDC to use advanced NSX features.

The NSX Advanced Firewall service is included in VMware Cloud on AWS. This service includes:

To activate the NSX Advanced Firewall service in your SDDC, open the Integrated Services tab and click ACTIVATE on the NSX Advanced Firewall card. After the service is activated, NSX advanced security features become available in your SDDC.

You can find detailed documentation for all of these features in the NSX Product Documentation. There are a few operational differences between how the features work in on-premises NSX and how they work in VMware Cloud on AWS. For example, most of the procedures in the NSX Product Documentation include a step telling you to log in to an NSX Manager with admin privileges. This step isn't needed in VMware Cloud on AWS, because clicking OPEN NSX MANAGER or opening the Networking & Security tab gives you admin access to the NSX Manager in your SDDC. Other differences are listed in the following sections.

Using Context Profiles in the SDDC

Click Inventory > Context Profiles. You can specify a context profile in a distributed firewall rule by updating the value in the Profiles column of the Distributed Firewall grid. For more information, see Layer 7 Firewall Rule Workflow in the NSX Product Documentation.

In VMware Cloud on AWS, context profiles are supported only for use with Distributed Firewall rules. They cannot be used with MGW or CGW firewall rules.

Using Identity Firewall in the SDDC

Click System > Identity Firewall AD to add an SDDC Active Directory domain so that you can create user-based Identity Firewall rules. When using this feature in VMware Cloud on AWS, keep these operational differences in mind:
Enable the feature for one or more SDDC clusters
Before you can use this feature, you have to take the "Configure Identity Firewall settings" step in Manage Distributed Firewall Rules to enable the feature and apply it to one or more SDDC clusters.
Create a firewall rule to allow Active Directory access
If you're using Active Directory, you'll also need to create a Management Gateway Firewall rule to allow NSX to access the Active Directory server you want to use. This feature doesn’t work if access to Active Directory is interrupted in your SDDC, so it’s important to make sure that the firewall rule you create here remains valid in the face of changes to the Active Directory server. For more information, see Add an Active Directory in the NSX Product Documentation.
Logging
In VMware Cloud on AWS, events generated by this feature are logged to VMware Aria Operations for Logs.

Using Distributed FQDN Filtering in the SDDC

In VMware Cloud on AWS, NSX FQDN filtering is supported only for use with Distributed Firewall rules. It cannot be used with MGW or CGW firewall rules. To use this feature, start by adding a DNS snooping rule, described in Filtering Specific Domains (FQDN/URLs), as the first rule in the policy. You must also enable the predefined FQDNfiltering-spoofguard-profile segment profile for all segments on which you want to support FQDN filtering. See Create or Modify a Network Segment for information about applying a segment profile to an SDDC network segment.

Using Distributed IDS/IPS in the SDDC

Activation of the NSX Advanced Firewall service begins a limited free trial of the NSX Distributed IDS/IPS feature. After the trial period expires, distributed IDS/IPS becomes available by subscription or on demand. Click Security > Distributed IDS/IPS. For more information, see Distributed IDS/IPS in the NSX Product Documentation.

When using this feature in VMware Cloud on AWS, keep these operational differences in mind:
Per-Cluster enablement
To use this feature, enable it on one or more SDDC clusters. On the Distributed IDS/IPS page, click the Settings tab, then select one or more clusters under Enable Intrusion Detection and Prevention for Cluster(s). Because vMotion does not currently check the IDS/IPS enablement status of a cluster before migrating VMs, we recommend enabling this feature on all clusters so that migration does not affect the application of IDS/IPS to any workload VM.
No access to hosts
Because VMware Cloud on AWS does not allow you to access SDDC hosts, you cannot Verify Distributed IDS Status on Host.
Logging
In VMware Cloud on AWS, events generated by this feature are logged to VMware Aria Operations for Logs.

Deactivating the NSX Advanced Firewall Service

Before you can deactivate the NSX Advanced Firewall service, you must remove all firewall rules that reference service features. This includes:
  • All distributed firewall rules that include a context profile
  • All distributed IDS/IPS rules and profiles
  • All identity-based firewall rules
After you have removed these objects, you can deactivate the service:
  1. Open the Integrated Services tab in your SDDC.
  2. On the NSX Advanced Firewall card, click ACTIONS > Deactivate.
  3. Review the list of objects that must be removed prior to deactivation. When you are sure that the objects have been removed, click CONFIRM DEACTIVATION.
Billing for the service stops as soon as deactivation is completed.
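The pre-deactivation cleanup above is easy to get wrong in an SDDC with many policies, so the following added example (not VMware's code) audits an exported policy set and lists every object that still blocks deactivation: DFW rules carrying a context profile, rules whose source or destination is an Active Directory identity group, and all IDS/IPS rules. The export format is an assumption shaped like NSX Policy API objects (rules with "profiles", IDS rules with "ids_profiles", identity groups with an IdentityGroupExpression), and the sample data is constructed.

```python
import json

# Constructed sample export shaped like NSX Policy API objects (assumption:
# DFW rules carry "profiles", IDS rules "ids_profiles", identity groups use
# an IdentityGroupExpression). Not a real SDDC export.
SAMPLE_EXPORT = json.dumps({
    "groups": [
        {"id": "finance-users", "expression": [{"resource_type": "IdentityGroupExpression"}]},
        {"id": "web-vms", "expression": [{"resource_type": "Condition"}]},
    ],
    "security_policies": [{"id": "app-policy", "rules": [
        {"id": "allow-ssl", "profiles": ["/infra/context-profiles/SSL"], "source_groups": ["ANY"]},
        {"id": "finance-allow", "profiles": [],
         "source_groups": ["/infra/domains/default/groups/finance-users"]},
        {"id": "plain-allow", "profiles": [], "source_groups": ["ANY"]},
    ]}],
    "intrusion_service_policies": [{"id": "ids-policy", "rules": [
        {"id": "ids-all", "ids_profiles": ["/infra/settings/firewall/security/intrusion-services/profiles/DefaultIDSProfile"]},
    ]}],
})

def blocking_objects(export_json: str) -> dict:
    """Return the rule paths that must be removed before deactivation."""
    data = json.loads(export_json)
    # Identity-based rules reference a group defined by an AD identity expression.
    identity_groups = {
        f"/infra/domains/default/groups/{g['id']}" for g in data.get("groups", [])
        if any(e.get("resource_type") == "IdentityGroupExpression"
               for e in g.get("expression", []))
    }
    found = {"context_profile_rules": [], "identity_rules": [], "ids_ips_rules": []}
    for policy in data.get("security_policies", []):
        for rule in policy.get("rules", []):
            path = f"{policy['id']}/{rule['id']}"
            if rule.get("profiles"):  # any context profile blocks deactivation
                found["context_profile_rules"].append(path)
            ends = set(rule.get("source_groups", [])) | set(rule.get("destination_groups", []))
            if ends & identity_groups:
                found["identity_rules"].append(path)
    for policy in data.get("intrusion_service_policies", []):
        for rule in policy.get("rules", []):  # every IDS/IPS rule blocks deactivation
            found["ids_ips_rules"].append(f"{policy['id']}/{rule['id']}")
    return found

def ready_to_deactivate(export_json: str) -> bool:
    return not any(blocking_objects(export_json).values())

if __name__ == "__main__":
    print(json.dumps(blocking_objects(SAMPLE_EXPORT), indent=2))
    print("ready to deactivate:", ready_to_deactivate(SAMPLE_EXPORT))
```

Run it against a real export only after confirming the field names match your SDDC's policy objects; IDS/IPS profiles themselves are not rules and must still be removed by hand.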