Distributed firewall rules apply at the VM (vNIC) level and control East-West traffic within the SDDC.
All traffic attempting to pass through the distributed firewall is subjected to the rules in the order shown in the rules table, beginning at the top. A packet allowed by the first rule is passed on to the second rule, and so on through subsequent rules until the packet is dropped, rejected, or hits the default rule, which allows all traffic.
Distributed firewall rules are grouped into policies. Policies are organized by category. Each category has an evaluation precedence. Rules in a category that has a higher precedence are evaluated before rules in a category that has a lower precedence.
Table 1. Distributed Firewall Rule Categories

Category Evaluation Precedence | Category Name | Description
1 | Ethernet | Applied to all layer 2 SDDC network traffic. Note: Rules in this category require MAC addresses as sources and destinations. IP addresses are accepted but ignored.
2 | Emergency | Used for quarantine and allow rules.
3 | Infrastructure | Define access to shared services: global rules, AD, DNS, NTP, DHCP, backup, management servers.
4 | Environment | Rules between security zones such as production zones, development zones, or zones dedicated to specific business purposes.
5 | Application | Rules between applications, application tiers, or microservices.
See Security Terminology in the NSX Data Center Administration Guide for more information about Distributed Firewall terminology.
Prerequisites
Distributed firewall rules require inventory groups as sources and destinations and must be applied to a service, which can be a predefined service or a custom service that you define for your SDDC. You can create these groups and services while you are creating a rule, but it can speed up the process if you take care of some of this beforehand. See Working With Inventory Groups.
Procedure
- With CloudAdmin privileges, log in to NSX Manager.
- Open the Distributed Firewall page. Click Category Specific Rules and select a category to view and modify policies and rules in that category, or click All Rules to view (but not modify) rules in all policies and categories.
- (Optional) Change the default connectivity strategy.
The Distributed Firewall includes default rules that apply to all layer 2 and layer 3 traffic. These rules are evaluated after all other rules in their category, and allow traffic that doesn't match a preceding rule to pass through the firewall. You can change either or both of these rules to be more restrictive, but you cannot disable either rule.
- To change the Default Layer2 Rule, expand the Default Layer2 Section in the Ethernet category and change the Action on that rule to Drop.
- To change the Default Layer3 Rule, expand the Default Layer3 Section in the Application category and change the Action on that rule to Drop or Reject.
Click PUBLISH to update the rule.
- To add a policy, open the appropriate category, click ADD POLICY and give the new policy a Name.
A new policy is added at the top of the policy list for its category. To add a policy before or after an existing policy, click the vertical ellipsis button at the beginning of the policy row to open the policy settings menu, then click Add Policy Above or Add Policy Below.
By default, the Applied To column is set to DFW, and the rule is applied to all workloads. You can also apply the rule or policy to selected groups. Applied To defines the scope of enforcement per rule, and is used mainly to optimize host resource consumption. It lets you define a targeted policy for specific zones and tenants without interfering with policies defined for other tenants and zones.
Note: Groups consisting of only IP addresses, MAC addresses, or Active Directory groups cannot be used in the Applied To text box.
- To add a rule, select a policy, click ADD RULE, and give the rule a Name.
- Enter the parameters for the new rule.
Parameters are initialized to their default values (for example, All for Sources and Destinations). To edit a parameter, move the mouse cursor over the parameter value and click the pencil icon to open a parameter-specific editor.

Option | Description
Sources | Click Any in the Sources column and select an inventory group for source network traffic, or click ADD GROUP to create a new user-defined inventory group to use for this rule. Click SAVE.
Destinations | Click Any in the Destinations column and select an inventory group for destination network traffic, or click ADD GROUP to create a new user-defined inventory group to use for this rule. Click SAVE.
Services | Click Any in the Services column and select a service from the list. Click SAVE.
Applied To | The rule inherits its Applied To value from the containing policy.
Action | One of the following:
- Select Allow to allow all L2 and L3 traffic to pass through the firewall.
- Select Drop to drop packets that match any specified Sources, Destinations, and Services. This is a silent action with no notification to the source or destination systems. Dropping the packet causes the connection to be retried until the retry threshold is reached.
- Select Reject to reject packets that match any specified Sources, Destinations, and Services. This action returns a "destination unreachable" message to the sender. For TCP packets, the response includes a TCP RST message. For UDP, ICMP and other protocols, the response includes an "administratively prohibited" code (9 or 10). The sender is notified immediately (without any retries) when a connection cannot be established.
The new rule is enabled by default. Slide the toggle to the left to disable it.
- (Optional) Configure advanced settings.
To change the directionality or logging behavior of the rule, click the gear icon to open the Settings page.
- Direction: By default, this value is In/Out and applies the rule to all sources and destinations. You can change this to In to apply the rule only to incoming traffic from a source, or Out to apply it only to outgoing traffic to a destination. Changing this value can cause asymmetric routing and other traffic anomalies, so be sure you understand the likely outcome for all sources and destinations before you change the default value for Direction.
- Logging: Logging for a new rule is disabled by default. Slide the toggle to the right to enable logging of rule actions.
- Click PUBLISH to create the rule.
The system gives the new rule an integer ID value, which is used to identify the rule in log entries it generates.
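The evaluation order this page describes (category precedence from Table 1, policy order within a category, rules top to bottom, the Default Layer3 Rule for anything unmatched, and the Direction setting from the advanced settings) as an added Python model; it is not code from the original page or from NSX. It assumes first-match semantics (the first rule whose criteria fit a flow decides its fate), represents inventory groups as plain name sets, and uses constructed policy and flow data.

```python
from collections import namedtuple
from dataclasses import dataclass

# Category evaluation precedence from Table 1 (lower number is evaluated first).
CATEGORY_PRECEDENCE = {"Ethernet": 1, "Emergency": 2, "Infrastructure": 3,
                       "Environment": 4, "Application": 5}
Policy = namedtuple("Policy", "name category rules")  # rules listed top to bottom

@dataclass
class Rule:
    name: str
    action: str                        # "Allow", "Drop" or "Reject"
    sources: frozenset = frozenset()   # inventory group names; empty means Any
    destinations: frozenset = frozenset()
    services: frozenset = frozenset()
    direction: str = "In/Out"          # or "In" / "Out", as seen from the vNIC
    enabled: bool = True

    def matches(self, flow):
        # A flow carries the groups its endpoints belong to, its service and direction.
        def hit(wanted, have):
            return not wanted or bool(wanted & have)
        if not self.enabled or self.direction not in ("In/Out", flow["direction"]):
            return False
        return (hit(self.sources, flow["src_groups"]) and hit(self.services, {flow["service"]})
                and hit(self.destinations, flow["dst_groups"]))

def evaluate(policies, flow, default_l3="Allow"):
    """Walk policies by category precedence (list order within a category), rules top
    to bottom; the first match decides. No match hits the Default Layer3 Rule."""
    for policy in sorted(policies, key=lambda p: CATEGORY_PRECEDENCE[p.category]):
        for rule in policy.rules:
            if rule.matches(flow):
                return rule.name, rule.action
    return "Default Layer3 Rule", default_l3

def make_flow(src_groups, dst_groups, service, direction="Out"):
    return {"src_groups": frozenset(src_groups), "dst_groups": frozenset(dst_groups),
            "service": service, "direction": direction}

# Constructed sample: the Emergency quarantine policy is listed after the Application
# policy but is evaluated first because its category has the higher precedence.
SAMPLE_POLICIES = [
    Policy("Web Tier", "Application", [
        Rule("web to db", "Allow", frozenset({"web-servers"}),
             frozenset({"db-servers"}), frozenset({"MySQL"}))]),
    Policy("Quarantine", "Emergency", [
        Rule("isolate compromised", "Drop", frozenset({"quarantined-vms"}))]),
]
```

Changing `default_l3` to "Drop" or "Reject" mirrors step 3 of the procedure: every flow that no rule matches is then blocked instead of allowed.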
What to do next
You can take any or all of these optional actions with an existing firewall rule.
- Click the gear icon to view or modify rule logging settings. Log entries are sent to the VMware vRealize Log Insight Cloud Service. See Using vRealize Log Insight Cloud in the VMware Cloud on AWS Operations Guide.
- Click the graph icon to view Rule Hits and Flow statistics for the rule.
Table 2. Rule Hits Statistics

Popularity Index | Number of times the rule was triggered in the past 24 hours.
Hit Count | Number of times the rule was triggered since it was created.

Table 3. Flow Statistics

Packet Count | Total packet flow through this rule.
Byte Count | Total byte flow through this rule.
Statistics start accumulating as soon as the rule is enabled.
- Reorder firewall rules.
A rule created from the ADD NEW RULE button is placed at the top of the list of rules in the policy. Firewall rules in each policy are applied in order from top to bottom. To change the position of a rule in the list, select it and drag it to a new position. Click PUBLISH to publish the change.