A security policy is a set of Guest Introspection, firewall, and network introspection services that can be applied to a security group. The order in which security policies are displayed is determined by the weight associated with the policy. By default, a new policy is assigned the highest weight so that it is at the top of the table. However, you can modify the default suggested weight to change the order assigned to the new policy.

Prerequisites

Ensure that:
  • the required VMware built-in services (such as Distributed Firewall and Guest Introspection) are installed.
  • the required partner services have been registered with NSX Manager.
  • the desired default Applied To value is set for Service Composer firewall rules. See Edit Service Composer Firewall Applied To Setting.

If you are creating a security policy framework for Identity Firewall for RDSH:

  • Active Directory Server must be integrated with NSX Manager.
  • Hosts must have DFW enabled and be running NSX 6.4.0 or later.
  • Guest machines must run updated VMware Tools.
  • The version of the GI SVM must be 6.4 or later.
  • The rule must be created in a new section of Firewall Rules.
  • The rule must have Enable User Identity at Source selected.
  • The Applied To field is not supported for remote desktop access rules.
  • ICMP is not supported for IDFW for RDSH.

Procedure

  1. In the vSphere Web Client, navigate to Networking & Security > Security > Service Composer.
  2. Click the Security Policies tab.
  3. To create new security policy:
    • In NSX 6.4.1 and later, click Add.
    • In NSX 6.4.0, click the Create Security Policy (add) icon.
  4. In the Create Security Policy or New Security Policy dialog box, type a name for the security policy.
  5. Type a description for the security policy. The description must not exceed 255 characters.
    NSX assigns the new policy a default weight equal to the highest existing weight plus 1000. For example, if the highest weight among the existing policies is 1200, the new policy is assigned a weight of 2200.

    Security policies are applied according to their weight: a policy with a higher weight takes precedence over a policy with a lower weight, so a new policy lands at the top of the table unless you lower its weight.

  6. Select Inherit security policy if you want the policy that you are creating to receive services from another security policy. Select the parent policy.
    All services from the parent policy are inherited by the new policy.
  7. Click Next.
  8. In the Guest Introspection Services page, click Add, or the Add Guest Introspection Service (Add icon) icon.
    1. In the Add Guest Introspection Service dialog box, type a name and description for the service.
    2. Specify whether you want to apply the service or block it.
      When you inherit a security policy, you may choose to block a service from the parent policy.

      If you apply a service, you must select a service and service profile. If you block a service, you must select the type of service to block.

    3. If you chose to block the service, select the type of service.
    4. If you chose to apply the Guest Introspection service, select the service name.
      The default service profile for the selected service is displayed, which includes information about the service functionality types supported by the associated vendor template.
    5. In State, specify whether you want to enable the selected Guest Introspection service or disable it.

      You can add Guest Introspection services as placeholders for services to be enabled at a later time. This is especially useful for cases where services need to be applied on-demand (for example, new applications).

    6. Select whether the Guest Introspection service is to be enforced (i.e. it cannot be overridden). If the selected service profile supports multiple service functionality types, then this is set to Enforce by default and cannot be changed.

      If you enforce a Guest Introspection service, every policy that inherits this security policy applies this (parent) policy before its own services. If the service is not enforced, a child policy that inherits this policy applies the parent policy after its own services.

    7. Click OK.
    You can add additional Guest Introspection services by following the above steps. You can manage the Guest Introspection services through the icons above the service table.

    In NSX 6.4.0, you can export or copy the services on this page by clicking the export icon on the bottom right side of the Guest Introspection Services page.

  9. Click Next.
  10. On the Firewall page, define the firewall rules for the security group(s) to which this security policy will be applied.

    When creating a security policy for Identity Firewall for RDSH, Enable User Identity at Source must be selected. Selecting it disables the Enable Stateless Firewall option, because TCP connection state is tracked to identify the user context. The flag cannot be changed when you later edit the policy, and a policy created with Enable User Identity at Source does not support inheritance.

    1. Select the checkbox for any of the following optional parameters:
      • Enable User Identity at Source: Required when using Identity Firewall for RDSH. Selecting it disables the Enable Stateless Firewall option, because TCP connection state is tracked to identify the user context.
      • Enable TCP Strict: Sets TCP strict for each firewall section.
      • Enable Stateless Firewall: Enables stateless firewall for each firewall section.
    2. Click Add, or the Add Firewall Rule (Add icon) icon.
    3. Type a name and description for the firewall rule you are adding.
    4. Select Allow, Block, or Reject to indicate what the rule does with matching traffic. Block silently drops the packets; Reject drops them and also returns a TCP RST (for TCP) or an ICMP unreachable message (for other protocols) to the source, so the client fails immediately instead of timing out.
    5. Select the source for the rule. By default, the rule applies to traffic coming from the security groups to which this policy is applied. To change the default source, click Select or Change and select the appropriate security groups.
    6. Select the destination for the rule.
      Note: Either the Source or the Destination (or both) must be the security groups to which this policy is applied.
      For example, create an Allow rule with the default Source, set the Destination to Payroll, and select Negate Destination, then apply the security policy to the Engineering security group. The rule matches traffic from Engineering to any destination other than Payroll, so Engineering can reach everything except the Payroll server. Traffic from Engineering to Payroll is not matched by this rule and is handled by lower-precedence rules and the default rule.
    7. Select the services and/or service groups that the rule applies to.
    8. Select Enabled or Disabled to specify the rule state.
    9. Select Log to log sessions matching this rule.
      Enabling logging may affect performance.
    10. Enter the text that you want to add in the Tag text box while adding or editing the firewall rule.
    11. Click OK.
    You can add additional firewall rules by following the above steps. You can manage the firewall rules through the icons above the firewall table.

    In NSX 6.4.0, you can export or copy the rules on this page by clicking the export icon on the bottom right side of the Firewall page.

    The firewall rules you add here are also displayed in the Firewall table. VMware recommends that you do not edit Service Composer rules in the Firewall table, because Service Composer manages those rules and a manual edit leaves the two copies out of sync. If you must do so for emergency troubleshooting, re-synchronize Service Composer rules with the firewall rules afterwards:
    • In NSX 6.4.1 and later, select Synchronize on the Security Policies tab.
    • In NSX 6.4.0, select Synchronize Firewall Rules from the Actions menu on the Security Policies tab.
  11. Click Next.
    The Network Introspection Services page displays NetX services that you have integrated with your VMware virtual environment.
  12. Select the checkbox for any of the following optional parameters:
    • Enable TCP Strict: Sets TCP strict for each firewall section.
    • Enable Stateless Firewall: Enables stateless firewall for each firewall section.
  13. Click Add, or the Add Network Introspection Service (Add icon) icon.
    1. Enter a name and description for the service you are adding.
    2. Select whether to redirect traffic to the service.
    3. Select the service name and profile.
    4. Select the source and destination.
    5. Select the network service that you want to add.
      You can make additional selections based on the service you selected.
    6. Select whether to enable or disable the service.
    7. Select Log to log sessions matching this rule.
    8. Enter the text that you want to add in the Tag text box.
    9. Click OK.
    You can add additional network introspection services by following the above steps. You can manage the network introspection services through the icons above the service table.

    In NSX 6.4.0, you can export or copy the services on this page by clicking the export icon on the bottom right side of the Network Introspection Service page.

    Note: Any bindings created manually for the service profiles used in Service Composer policies are overwritten when the policy is applied.
  14. Click Finish.
    The security policy is added to the policies table. You can click the policy name and select the appropriate tab to view a summary of the services associated with the policy, view service errors, or edit a service.
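The wizard steps above map onto the NSX Manager REST API, and the constraints they state (the default weight of highest plus 1000, the Enable User Identity at Source exclusions, the requirement that a rule keep the policy's own security groups on at least one side) are easy to violate when policies are created by a script rather than by the wizard. The following Python is an added example, not code from the VMware documentation or from NSX. It checks a policy definition against those constraints and renders the request body for POST /api/2.0/services/policy/securitypolicy. The XML element names (securityPolicy, precedence, parent, actionsByCategory, firewallSecurityAction, direction, secondarySecurityGroup, outsideSecondaryContainer, applications, isEnabled) are my recollection of the NSX-v 6.4 API guide and must be checked against the API reference for your release; the object IDs, policy names and the weight of 1000 assumed for an empty policy table are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Sequence
import xml.etree.ElementTree as ET

POLICY_GROUPS = "POLICY_GROUPS"  # wizard default: the security groups this policy is applied to

@dataclass
class FirewallRule:
    name: str
    action: str                    # allow | block | reject
    source: str = POLICY_GROUPS    # securitygroup-N object id, or POLICY_GROUPS
    destination: str = POLICY_GROUPS
    services: List[str] = field(default_factory=list)  # application-N object ids
    negate: bool = False           # Negate Source/Destination on the explicit side
    applied_to: Optional[str] = None

@dataclass
class SecurityPolicy:
    name: str
    description: str = ""
    weight: Optional[int] = None   # None: use default_weight()
    parent: Optional[str] = None   # policy-N object id when inheriting
    user_identity_at_source: bool = False
    stateless: bool = False
    rules: List[FirewallRule] = field(default_factory=list)

def default_weight(existing_weights: Sequence[int]) -> int:
    """NSX proposes highest existing weight + 1000; 1000 for an empty table is assumed here."""
    return (max(existing_weights) if existing_weights else 0) + 1000

def lint(policy: SecurityPolicy) -> List[str]:
    """Constraints from the procedure that this policy violates (empty list = OK)."""
    idfw, problems = policy.user_identity_at_source, []
    if len(policy.description) > 255:
        problems.append("description exceeds 255 characters")
    if idfw and policy.stateless:
        problems.append("Enable User Identity at Source tracks TCP state; stateless must be off")
    if idfw and policy.parent:
        problems.append("inheritance is not supported with Enable User Identity at Source")
    for r in policy.rules:
        if POLICY_GROUPS not in (r.source, r.destination):
            problems.append(f"rule {r.name}: source or destination must be the policy's groups")
        if idfw and r.applied_to is not None:
            problems.append(f"rule {r.name}: Applied To is not supported for IDFW for RDSH")
        if idfw and any(s.lower() == "icmp" for s in r.services):
            problems.append(f"rule {r.name}: ICMP is not supported for IDFW for RDSH")
    return problems

def to_xml(policy: SecurityPolicy, existing_weights: Sequence[int] = ()) -> str:
    """Body for POST /api/2.0/services/policy/securitypolicy; refuses an invalid policy."""
    problems = lint(policy)
    if problems:
        raise ValueError("; ".join(problems))
    weight = policy.weight if policy.weight is not None else default_weight(existing_weights)
    root = ET.Element("securityPolicy")
    ET.SubElement(root, "name").text = policy.name
    ET.SubElement(root, "description").text = policy.description
    ET.SubElement(root, "precedence").text = str(weight)  # the wizard's "weight"
    if policy.parent:
        ET.SubElement(ET.SubElement(root, "parent"), "objectId").text = policy.parent
    cat = ET.SubElement(root, "actionsByCategory")
    ET.SubElement(cat, "category").text = "firewall"
    for r in policy.rules:
        a = ET.SubElement(cat, "action", {"class": "firewallSecurityAction"})
        ET.SubElement(a, "name").text = r.name
        ET.SubElement(a, "category").text = "firewall"
        ET.SubElement(a, "action").text = r.action
        # The API keeps the policy's own groups implicit: direction says whether the named
        # secondarySecurityGroup is the destination (outbound) or the source (inbound).
        if r.destination != POLICY_GROUPS:
            direction, other = "outbound", r.destination
        elif r.source != POLICY_GROUPS:
            direction, other = "inbound", r.source
        else:
            direction, other = "intra", None
        ET.SubElement(a, "direction").text = direction
        if other is not None:
            ET.SubElement(ET.SubElement(a, "secondarySecurityGroup"), "objectId").text = other
            ET.SubElement(a, "outsideSecondaryContainer").text = str(r.negate).lower()  # Negate
        if r.services:
            apps = ET.SubElement(a, "applications")
            for svc in r.services:
                ET.SubElement(ET.SubElement(apps, "application"), "objectId").text = svc
        ET.SubElement(a, "isEnabled").text = "true"
    return ET.tostring(root, encoding="unicode")

# Constructed sample data; object ids and names are not from any real NSX Manager.
EXISTING_WEIGHTS = [3100, 1200, 1000]
ENGINEERING = SecurityPolicy(
    "engineering-access", "Engineering reaches everything except Payroll",
    rules=[FirewallRule("not-payroll", "allow", destination="securitygroup-42",
                        negate=True, services=["application-7"])])
RDSH_BAD = SecurityPolicy(
    "rdsh-users", user_identity_at_source=True, stateless=True, parent="policy-3",
    rules=[FirewallRule("ping", "allow", source="securitygroup-9", services=["ICMP"],
                        applied_to="dvportgroup-1")])

if __name__ == "__main__":
    print(to_xml(ENGINEERING, EXISTING_WEIGHTS), *lint(RDSH_BAD), sep="\n")
```

ENGINEERING is the Payroll example from step 10: the default source, an explicit negated destination, and a precedence of 4100 computed from the highest existing weight of 3100. RDSH_BAD deliberately combines Enable User Identity at Source with stateless mode, a parent policy, an Applied To value and an ICMP service, and lint() reports all four violations before anything is sent to NSX Manager. Run lint() against your own definitions before the POST, and remember that a policy pushed through the API still has to be mapped to a security group.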

What to do next

Map the security policy to a security group.