Distributed firewall rules apply at the VM level and control East-West traffic within the SDDC.

All traffic attempting to pass through the firewall is evaluated against the rules in the order shown in the rules table, beginning at the top and proceeding to the rules at the bottom. In some cases, the relative order of two or more rules determines the disposition of a packet. The default firewall rules apply to traffic that does not match any of the user-defined firewall rules, and they allow all L3 and L2 traffic.
Note: The default L3 firewall rule applies to all traffic, including DHCP. If you change the Action in this rule to Drop or Reject, DHCP traffic is blocked.

Prerequisites

Verify that multiple security groups and services are configured. See Add or Modify an Inventory Group and Add a Custom Service.

Procedure

  1. Log in to the VMC Console at https://vmc.vmware.com.
  2. Select Networking & Security > Distributed Firewall.
  3. If you are an NSX Administrator, you can edit an existing section to add, remove, or reorder rules.
    To create a new section, click ADD NEW SECTION and give the section a Name.
    Emergency Rules: Temporary rules needed in emergency situations, for example blocking traffic to a web server that is serving malicious content.
    Infrastructure Rules: Infrastructure rules only, such as ESXi, vCenter Server, or connectivity to the on-premises data center.
    Environment Rules: Rules for broad groups, such as preventing the production environment from reaching the test environment.
    Application Rules: Rules for specific applications.
    Default Rules: The default rules allow all traffic.
  4. To add a rule to a new or existing section, select the section and click ADD NEW RULE.
  5. Enter the parameters for the new rule.
    Name: Give the rule a descriptive name.
    Sources: Click Set Source and select an inventory group for source network traffic, or click CREATE NEW GROUP to create a new user-defined inventory group to use for this rule. Click SAVE.
    Destinations: Click Set Destination and select an inventory group for destination network traffic, or click CREATE NEW GROUP to create a new user-defined inventory group to use for this rule. Click SAVE.
    Services: Select a service from the drop-down list, or select Any if you want the rule to apply to any protocol or port. Click SAVE.
    Action:
    • Select Allow to allow all L2 and L3 traffic to pass through the firewall.
    • Select Drop to drop packets with the specified source, destination, and service protocol. Drop is a silent action with no notification to the source or destination systems. Dropping the packet causes the connection to be retried until the retry threshold is reached.
    • Select Reject to reject packets with the specified source, destination, and service protocol. The Reject action returns a "destination unreachable" message to the sender. If the protocol is TCP, a TCP RST message is sent. ICMP messages with the administratively prohibited code are sent for UDP, ICMP, and other IP connections. One benefit of using Reject is that the sending application is notified after only one attempt that the connection cannot be established.
    Logging: Enable or disable packet logging for this firewall rule. If enabled, the packet logs are forwarded to the Log Intelligence service. To access the logs, visit the Log Intelligence service console.
  6. Click PUBLISH.
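The following Python script is an added illustration, not VMware code or part of this procedure. It models the top-to-bottom, first-match evaluation described above, the section order (Emergency, Infrastructure, Environment, Application, Default), the difference between Drop and Reject as seen by the sender, and the note that changing the default L3 rule to Drop also blocks DHCP. The Rule and Flow schema, the inventory group names (prod-vms, test-vms, web-servers, and so on) and the sample rule table are all constructed for the example.

```python
"""First-match evaluation of a distributed firewall rule table.

Added illustration, not VMware code: the Rule/Flow schema, the group names
(prod-vms, test-vms, web-servers, ...) and the sample table are constructed.
"""
from dataclasses import dataclass, replace
from typing import Optional

ANY = "any"

# Sections in the order they appear in the rules table, top to bottom.
SECTION_ORDER = ["Emergency Rules", "Infrastructure Rules",
                 "Environment Rules", "Application Rules", "Default Rules"]


@dataclass(frozen=True)
class Flow:
    src: str                    # source inventory group (constructed name)
    dst: str                    # destination inventory group (constructed name)
    proto: str                  # "tcp", "udp" or "icmp"
    port: Optional[int] = None  # destination port, None for ICMP


@dataclass(frozen=True)
class Rule:
    name: str
    section: str
    action: str                 # "allow", "drop" or "reject"
    src: str = ANY
    dst: str = ANY
    proto: str = ANY
    port: object = ANY          # ANY or an int
    logging: bool = False

    def matches(self, f: Flow) -> bool:
        return (self.src in (ANY, f.src) and self.dst in (ANY, f.dst)
                and self.proto in (ANY, f.proto) and self.port in (ANY, f.port))


def sender_notification(action: str, proto: str) -> Optional[str]:
    """What the sender sees: Drop is silent; Reject answers per protocol."""
    if action != "reject":
        return None
    if proto == "tcp":
        return "TCP RST"
    return "ICMP destination unreachable, administratively prohibited"


def evaluate(rules, flow: Flow) -> Rule:
    """Walk the table top to bottom; the first matching rule decides.

    Rules are stably sorted by section so that section order wins over the
    order in which the list was assembled; within a section, list order holds.
    """
    for rule in sorted(rules, key=lambda r: SECTION_ORDER.index(r.section)):
        if rule.matches(flow):
            return rule
    raise LookupError("no default rule in table")  # a real table always has one


def with_default_action(rules, action: str):
    """Return a copy of the table with the default rule's action changed."""
    return [replace(r, action=action) if r.section == "Default Rules" else r
            for r in rules]


# Constructed sample table. Note the Application rule that tries to let
# prod reach test over HTTPS: it sits below the Environment section, so the
# Environment drop rule matches first and the allow rule is never reached.
RULES = [
    Rule("block-web-malware", "Emergency Rules", "reject",
         dst="web-servers", proto="tcp", port=80, logging=True),
    Rule("mgmt-to-esxi", "Infrastructure Rules", "allow",
         src="mgmt", dst="esxi-hosts"),
    Rule("prod-cannot-reach-test", "Environment Rules", "drop",
         src="prod-vms", dst="test-vms", logging=True),
    Rule("prod-to-test-https", "Application Rules", "allow",
         src="prod-vms", dst="test-vms", proto="tcp", port=443),
    Rule("app-to-db", "Application Rules", "allow",
         src="app-tier", dst="db-tier", proto="tcp", port=3306),
    Rule("default-l3", "Default Rules", "allow"),
]

DHCP = Flow("any-vm", "dhcp-server", "udp", 67)  # DHCP is ordinary L3 traffic here


if __name__ == "__main__":
    for flow in [Flow("prod-vms", "test-vms", "tcp", 443),
                 Flow("client", "web-servers", "tcp", 80), DHCP]:
        r = evaluate(RULES, flow)
        print(f"{flow} -> {r.name} ({r.action}); sender sees "
              f"{sender_notification(r.action, flow.proto)}")
    # Changing the default rule to Drop silently blocks DHCP as well.
    print("default=drop:", evaluate(with_default_action(RULES, "drop"), DHCP).action)
```

Running the script shows the prod-to-test HTTPS flow landing on the Environment drop rule even though a later Application rule would allow it, which is the kind of shadowing the ordering paragraph warns about; the last line shows why the default rule should not simply be flipped to Drop without an explicit rule for DHCP above it.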