Distributed firewall rules apply at the VM (vNIC) level and control East-West traffic within the SDDC.

All traffic attempting to pass through the distributed firewall is evaluated against the rules in the order shown in the rules table, beginning at the top. The first rule that matches a packet decides its fate: that rule's action (Allow, Drop, or Reject) is applied and no later rule is consulted. A packet that matches no rule is passed on to the next rule, and so on through subsequent rules, until it either matches a rule or reaches the default rule, which allows all traffic unless you change it.

Attention:

In SDDC version 1.20, 1.20v2, or 1.20v3 a Distributed Firewall Rule that has a context profile with FQDN attributes can trigger a PSOD failure if it receives a CNAME record in a response from the DNS server. See VMware Knowledge Base article 91654 for details.

Distributed firewall rules are grouped into policies. Policies are organized by category. Each category has an evaluation precedence: rules in a category that has a higher precedence are evaluated before rules in a category that has a lower precedence.
Table 1. Distributed Firewall Rule Categories
Precedence  Category        Description
1           Ethernet        Applied to all layer 2 SDDC network traffic. Note: Rules in this category require MAC addresses as sources and destinations. IP addresses are accepted but ignored.
2           Emergency       Used for quarantine and allow rules.
3           Infrastructure  Defines access to shared services: global rules, AD, DNS, NTP, DHCP, backup, and management servers.
4           Environment     Rules between security zones, such as production zones, development zones, or zones dedicated to specific business purposes.
5           Application     Rules between applications, application tiers, or microservices.
See Security Terminology in the NSX Data Center Administration Guide for more information about Distributed Firewall terminology.
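As an added worked example (this is not VMware code and not part of the original page), the following Python models the evaluation order described above for layer 3 rules: categories in precedence order, then policies and rules top to bottom, first match wins, enforcement at both the sender's and the receiver's vNIC, and the Default Layer3 rule as the fallback whose action you can change. The inventory groups, IP addresses, VM names, policy names and rule names are all constructed for the example. It also includes a shadowed-rule check, which is not a feature the page describes; it is one way to find a rule that can never be hit because a broader rule is evaluated before it, the situation that the Reorder firewall rules action fixes.

```python
"""Model of the NSX Distributed Firewall evaluation order (added example, not VMware code)."""
from dataclasses import dataclass

# Category precedence from Table 1: earlier entries are evaluated first.
CATEGORY_ORDER = ("Ethernet", "Emergency", "Infrastructure", "Environment", "Application")
ANY = "ANY"

# Constructed inventory groups (name -> member IPs) and VM name per IP; L3 rules only.
GROUPS = {
    "web-tier": {"10.0.1.10", "10.0.1.11"},
    "quarantined": {"10.0.1.11"},
    "db-tier": {"10.0.2.20"},
    "dns-servers": {"10.0.0.53"},
}
VMS = {"10.0.1.10": "web01", "10.0.1.11": "web02", "10.0.2.20": "db01", "10.0.0.53": "dns01"}

@dataclass
class Rule:
    name: str
    action: str                        # "Allow", "Drop" or "Reject"
    sources: str = ANY                 # inventory group name, or ANY
    destinations: str = ANY
    services: frozenset = frozenset()  # e.g. {"TCP/3306"}; empty means Any
    direction: str = "In/Out"          # "In", "Out" or "In/Out", relative to the vNIC
    enabled: bool = True

@dataclass
class Policy:
    name: str
    category: str
    rules: list
    applied_to: frozenset = frozenset()  # empty = DFW (every vNIC); else the VMs in scope

def _members(group):
    return None if group == ANY else GROUPS[group]  # None matches every address

def _matches(policy, rule, vm, direction, src, dst, service):
    if not rule.enabled or (policy.applied_to and vm not in policy.applied_to):
        return False
    if rule.direction not in ("In/Out", direction):
        return False
    if rule.services and service not in rule.services:
        return False
    s, d = _members(rule.sources), _members(rule.destinations)
    return (s is None or src in s) and (d is None or dst in d)

def ordered_rules(policies):
    """Evaluation order: category precedence, then policy order, then rule order top to bottom."""
    by_cat = sorted(policies, key=lambda p: CATEGORY_ORDER.index(p.category))
    return [(p, r) for p in by_cat for r in p.rules]

def evaluate_at_vnic(policies, vm, direction, src, dst, service, default_l3="Allow"):
    """First match wins; a packet matching no rule reaches the Default Layer3 rule (step 5)."""
    for policy, rule in ordered_rules(policies):
        if _matches(policy, rule, vm, direction, src, dst, service):
            return rule.action, rule.name
    return default_l3, "Default Layer3 Rule"

def evaluate_flow(policies, src, dst, service, default_l3="Allow"):
    """Enforced at both vNICs: Out at the sender, then In at the receiver."""
    verdict = evaluate_at_vnic(policies, VMS[src], "Out", src, dst, service, default_l3)
    if verdict[0] != "Allow":
        return verdict
    return evaluate_at_vnic(policies, VMS[dst], "In", src, dst, service, default_l3)

def _covers(a_pol, a, b_pol, b):
    """True if every packet rule b could match has already been decided by the earlier rule a."""
    scope_ok = not a_pol.applied_to or (b_pol.applied_to and b_pol.applied_to <= a_pol.applied_to)
    dir_ok = a.direction in ("In/Out", b.direction)
    svc_ok = not a.services or (b.services and b.services <= a.services)
    if not (a.enabled and scope_ok and dir_ok and svc_ok):
        return False
    for ga, gb in ((a.sources, b.sources), (a.destinations, b.destinations)):
        ma, mb = _members(ga), _members(gb)
        if ma is not None and (mb is None or not mb <= ma):
            return False
    return True

def shadowed_rules(policies):
    """Enabled rules that can never be hit because an earlier rule already covers them."""
    flat = ordered_rules(policies)
    return [b.name for j, (bp, b) in enumerate(flat)
            if b.enabled and any(_covers(ap, a, bp, b) for ap, a in flat[:j])]

# Constructed sample: an Emergency quarantine, shared DNS, and an application policy scoped
# to three VMs whose last rule was added below a broader Drop and so can never match.
POLICIES = [
    Policy("app-web-db", "Application", [
        Rule("web-to-db-sql", "Allow", "web-tier", "db-tier", frozenset({"TCP/3306"})),
        Rule("block-db", "Drop", ANY, "db-tier"),
        Rule("web-to-db-ssh", "Allow", "web-tier", "db-tier", frozenset({"TCP/22"})),
    ], applied_to=frozenset({"web01", "web02", "db01"})),
    Policy("shared-services", "Infrastructure", [
        Rule("dns", "Allow", ANY, "dns-servers", frozenset({"UDP/53", "TCP/53"})),
    ]),
    Policy("quarantine", "Emergency", [
        Rule("isolate-quarantined", "Drop", "quarantined", ANY),
    ]),
]
```

Calling `evaluate_flow` on the sample shows the Emergency quarantine rule winning over an Application allow rule for web02, a flow that matches nothing landing on the Default Layer3 rule (allowed by default, dropped once `default_l3="Drop"` is passed), and `shadowed_rules` reporting `web-to-db-ssh` as unreachable behind the broader `block-db` rule placed above it; moving the allow rule above the drop is exactly the reorder the page describes.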

Prerequisites

Distributed firewall rules use inventory groups as sources and destinations and match on a service, which can be a predefined service or a custom service that you define for your SDDC. You can create these groups and services while you are creating a rule, but it speeds up the process if you create them beforehand. See Working With Inventory Groups.

Procedure

  1. Log in to VMware Cloud Services at https://vmc.vmware.com.
  2. Click Inventory > SDDCs, then pick an SDDC card and click VIEW DETAILS.
  3. Click OPEN NSX MANAGER and log in with the NSX Manager Admin User Account shown on the SDDC Settings page. See SDDC Network Administration with NSX Manager.
    You can also use the VMware Cloud Console Networking & Security tab for this workflow.
  4. Open the Distributed Firewall page.
    Click Category Specific Rules and select a category to view and modify policies and rules in that category, or click All Rules to view (but not modify) rules in all policies and categories.
  5. (Optional) Change the default connectivity strategy.
The Distributed Firewall includes default rules that apply to all layer 2 and layer 3 traffic. These rules are evaluated after all other rules in their category, and allow traffic that doesn't match a preceding rule to pass through the firewall. Until you change them, any East-West flow that no explicit rule blocks is permitted, so an allow-list design requires setting the default rule to Drop or Reject and adding explicit Allow rules above it (including rules for shared services such as DNS, AD, and management traffic, which the default rule would otherwise carry). You can change either or both of these rules to be more restrictive, but you cannot disable either rule.
    • To change the Default Layer2 Rule, expand the Default Layer2 Section in the Ethernet category and change the Action on that rule to Drop.
    • To change the Default Layer3 Rule, expand the Default Layer3 Section in the Application category and change the Action on that rule to Drop or Reject.
    Click PUBLISH to update the rule.
  6. To add a policy, open the appropriate category, click ADD POLICY and give the new policy a Name.

    A new policy is added at the top of the policy list for its category. To add a policy before or after an existing policy, click the vertical ellipsis button at the beginning of the policy row to open the policy settings menu, then click Add Policy Above or Add Policy Below.

By default, the Applied To column is set to DFW, and the policy is applied to every workload vNIC in the SDDC. You can also apply the policy to selected groups. Applied To defines the scope of enforcement, and is used mainly to reduce host resource consumption, because rules are programmed only on the vNICs in scope. It lets you define a targeted policy for specific zones and tenants without interfering with policy defined for other tenants and zones.

    Note: Groups consisting of only IP addresses, MAC Addresses, or Active Directory groups cannot be used in the Applied To text box.
  7. To add a rule, select a policy, click ADD RULE, and give the rule a Name.
  8. Enter the parameters for the new rule.
Parameters are initialized to their default values (for example, All for Sources and Destinations). To edit a parameter, move the mouse cursor over the parameter value and click the pencil icon to open a parameter-specific editor.
Sources: Click Any in the Sources column and select an inventory group for source network traffic, or click ADD GROUP to create a new user-defined inventory group to use for this rule. Click SAVE.
Destinations: Click Any in the Destinations column and select an inventory group for destination network traffic, or click ADD GROUP to create a new user-defined inventory group to use for this rule. Click SAVE.
Services: Click Any in the Services column and select a service from the list. Click SAVE.
Context Profiles: This option is available if you have enabled NSX Advanced Firewall features. See About VMware vDefend Firewall Features for more information.
Applied To: The rule inherits its Applied To value from the containing policy.
Action:
• Select Allow to let packets that match the specified Sources, Destinations, and Services pass through the firewall.
• Select Drop to drop packets that match the specified Sources, Destinations, and Services. This is a silent action with no notification to the source or destination systems. Because the sender receives nothing, it retries the connection until its retry threshold is reached.
• Select Reject to reject packets that match the specified Sources, Destinations, and Services. This action returns a "destination unreachable" message to the sender. For TCP packets, the response is a TCP RST. For UDP, ICMP, and other protocols, the response is an ICMP destination unreachable message with an "administratively prohibited" code (9 or 10). The sender is notified immediately, without retries, that the connection cannot be established.
    The new rule is enabled by default. Slide the toggle to the left to disable it.
  9. (Optional) Configure advanced settings.
    To change the directionality or logging behavior of the rule, click the gear icon to open the Settings page.
    Direction
By default, this value is In/Out and the rule applies to traffic in both directions at the vNIC. You can change this to In to apply the rule only to traffic arriving at the vNIC from a source, or Out to apply it only to traffic leaving the vNIC toward a destination. Changing this value can cause asymmetric enforcement and other traffic anomalies, so be sure you understand the likely outcome for all sources and destinations before you change the default value for Direction.
    Logging
    Logging for a new rule is disabled by default. Slide the toggle to the right to enable logging of rule actions.
  10. Click PUBLISH to create the rule.

    The system gives the new rule an integer ID value, which is used to identify the rule in log entries it generates.

What to do next

You can take any or all of these optional actions with an existing firewall rule.

  • Click the gear icon to view or modify rule logging settings. Log entries are sent to the VMware Aria Operations for Logs Service. See Using VMware Aria Operations for Logs in the VMware Cloud on AWS Operations Guide.

  • Click the graph icon to view Rule Hits and Flow statistics for the rule.
    Table 2. Rule Hits Statistics
    Popularity Index   Number of times the rule was triggered in the past 24 hours.
    Hit Count          Number of times the rule was triggered since it was created.
    Table 3. Flow Statistics
    Packet Count       Total packets that have flowed through this rule.
    Byte Count         Total bytes that have flowed through this rule.
    Statistics start accumulating as soon as the rule is enabled.
  • Reorder firewall rules.

    A rule created from the ADD NEW RULE button is placed at the top of the list of rules in the policy. Firewall rules in each policy are applied in order from top to bottom. To change the position of a rule in the list, select it and drag it to a new position. Click PUBLISH to publish the change.