You can set the Applied To setting for all firewall rules created through Service Composer to either Distributed Firewall or Policy's Security Groups. By default, Applied To is set to Distributed Firewall.

When Service Composer firewall rules have an Applied To setting of Distributed Firewall, the rules are applied to all clusters on which Distributed Firewall is installed. If the firewall rules are set to apply to the policy's security groups, you have more granular control over where the rules are enforced, but you may need multiple security policies or firewall rules to get the desired result.

Procedure

  1. In the vSphere Web Client, navigate to Networking & Security > Security > Service Composer.
  2. Click the Security Policies tab.
  3. To edit the global firewall settings:
    • In NSX 6.4.1 and later, next to Global Firewall Settings, click the edit (Edit) icon.
    • In NSX 6.4.0, next to Global Settings: Firewall Rules Applied To, click Edit.
  4. Select a default setting for Applied To and click OK. This value determines the vNICs on which the firewall rule will be applied.
    Option                    Description
    Distributed Firewall      Firewall rules are applied to all clusters on which Distributed Firewall is installed.
    Policy's Security Groups  Firewall rules are applied to the security groups on which the security policy is applied.
    The default Applied To setting can also be viewed and changed via the API. See the NSX API Guide.

    Note that for RDSH firewall rules the Applied To setting is always Distributed Firewall; Policy's Security Groups is not supported as the Applied To setting for RDSH rules.

Example: Applied To Behavior

In this example scenario, your default firewall rule (service: any) has the action block. You have two security groups, web-servers and app-servers, each containing VMs. You create a security policy, allow-ssh-from-web, which contains the following firewall rule, and apply it to the security group app-servers.
  • Name: allow-ssh-from-web
  • Source: web-servers
  • Destination: Policy's Security Group
  • Service: ssh
  • Action: allow

If the firewall rule applies to Distributed Firewall, you will be able to ssh from a VM in the security group web-servers to a VM in the security group app-servers.

If the firewall rule applies to Policy's Security Group, you will not be able to ssh, as the traffic will be blocked from reaching the app servers. You will need to create an additional security policy to allow ssh to the app servers, and apply this policy to the security group web-servers.

  • Name: allow-ssh-to-app
  • Source: Policy's Security Group
  • Destination: app-servers
  • Service: ssh
  • Action: allow
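The scenario above, as an added example that is not part of VMware's documentation or product code: a minimal model of how the Applied To setting selects the vNICs that enforce a Service Composer rule, and why the second policy is needed when the setting is Policy's Security Groups. It assumes the Distributed Firewall filters a flow at both the source VM's vNIC (egress) and the destination VM's vNIC (ingress), and it uses constructed VM names (web-01, app-01).

```python
# Added example (not VMware's code). Modeling assumption: the DFW filters traffic at
# BOTH the source vNIC (egress) and the destination vNIC (ingress); a flow is permitted
# only if both vNICs allow it. Security group membership below is constructed.
SECURITY_GROUPS = {"web-servers": {"web-01"}, "app-servers": {"app-01"}}

def policy_rule(name, source, destination, service, action, policy_group):
    """A Service Composer rule inside a policy applied to policy_group.
    'Policy's Security Group' resolves to that group."""
    resolve = lambda g: policy_group if g == "Policy's Security Group" else g
    return {"name": name, "source": resolve(source), "destination": resolve(destination),
            "service": service, "action": action, "policy_group": policy_group}

def vnics_enforcing(rule, applied_to_setting):
    """vNICs that receive this rule under the global Applied To setting."""
    if applied_to_setting == "Distributed Firewall":
        return set().union(*SECURITY_GROUPS.values())   # every DFW-protected VM
    return SECURITY_GROUPS[rule["policy_group"]]        # only the policy's own group

def vnic_verdict(vm, src_vm, dst_vm, service, rules, applied_to_setting, default="block"):
    """First matching rule at this vNIC wins; otherwise the default rule (block) applies."""
    for rule in rules:
        if vm not in vnics_enforcing(rule, applied_to_setting):
            continue                                    # rule not pushed to this vNIC
        if (src_vm in SECURITY_GROUPS[rule["source"]]
                and dst_vm in SECURITY_GROUPS[rule["destination"]]
                and rule["service"] == service):
            return rule["action"]
    return default

def flow_allowed(src_vm, dst_vm, service, rules, applied_to_setting):
    """Permitted only if the egress vNIC and the ingress vNIC both allow the flow."""
    return all(vnic_verdict(vm, src_vm, dst_vm, service, rules, applied_to_setting) == "allow"
               for vm in (src_vm, dst_vm))

# The two policies from the scenario: each rule lives in a policy applied to one group.
ALLOW_SSH_FROM_WEB = policy_rule("allow-ssh-from-web", "web-servers",
                                 "Policy's Security Group", "ssh", "allow", "app-servers")
ALLOW_SSH_TO_APP = policy_rule("allow-ssh-to-app", "Policy's Security Group",
                               "app-servers", "ssh", "allow", "web-servers")

if __name__ == "__main__":
    # Distributed Firewall: the rule is on both vNICs, so SSH web -> app works.
    print(flow_allowed("web-01", "app-01", "ssh", [ALLOW_SSH_FROM_WEB], "Distributed Firewall"))  # True
    # Policy's Security Groups: only app-01's vNIC has the rule; web-01 egress hits default block.
    print(flow_allowed("web-01", "app-01", "ssh", [ALLOW_SSH_FROM_WEB], "Policy's Security Groups"))  # False
    # Adding allow-ssh-to-app (applied to web-servers) covers the egress side as well.
    print(flow_allowed("web-01", "app-01", "ssh", [ALLOW_SSH_FROM_WEB, ALLOW_SSH_TO_APP],
                       "Policy's Security Groups"))  # True
```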