Context-aware firewall is intended specifically for EAST-WEST traffic and not for general Web browsing classification. Application identification can be limited to specific applications used in the data center, such as SSH, FTP, TFTP, SQL, DNS, PCoIP, and so on.

Following are a few use cases for a context-aware firewall:

  • Use Case 1: Don, the IT director of a team, instructs his NSX administrator to restrict ALL HTTP traffic for a particular VM. Don wants to restrict this traffic irrespective of the port it comes from.
  • Use Case 2: Robert, the IT lead of a team, wants to restrict HTTP traffic to a particular VM on the condition that the traffic does not come from TCP port 8080.
  • Use Case 3: Because the firewall is context-aware, rules can also be tied to identity-based logins, so that an Active Directory user who is logged in to a virtual desktop is only able to send HTTP requests on port 8080. A manager wants his employee John to be able to use HTTP only on port 8080, and only while John is logged in to Active Directory.

Scenario 1: Allow Web Traffic on a Specific Port

You want to allow Web traffic only on port 80.

To create a context-aware firewall rule, perform the following steps:

  1. Add a new firewall rule section, if required.
  2. Create a firewall rule, say HTTP to Web Server.
  3. Select the required Web server as the Destination.
  4. Create a service for application identification with the following parameters:

     Parameter         Option
     Layer             Layer7
     App ID            HTTP
     Protocol          TCP
     Destination port  80

  5. Change the default firewall rule to Block.
  6. Publish the changes.

With this context-aware firewall rule, the only traffic allowed is Web traffic on port 80.

Scenario 2: Allow SSH Traffic on Any Port

You want to allow SSH traffic on any port.

Perform the following steps to create a context-aware firewall rule:

  1. Add a new firewall rule section, if required.
  2. Create a firewall rule, say SSH to SSH Server.
  3. Select the required SSH server as the Destination.
  4. Create a service for application identification with the following parameters:

     Parameter         Option
     Layer             Layer7
     App ID            SSH
     Protocol          TCP
     Destination port  Leave the text box blank

  5. Change the default firewall rule to Block.
  6. Publish the changes.

With this context-aware firewall rule, the only traffic allowed is SSH traffic on any port.
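The following is an added example, not part of the original documentation and not NSX's own code: a small Python model of how the rules from Scenario 1 and Scenario 2 evaluate flows. Its purpose is to make the difference between a Layer-7 App ID match and a plain port match concrete: with Scenario 1, HTTP on port 8080 and non-HTTP traffic on port 80 both fall through to the Block default rule, and with Scenario 2 (Destination port left blank), SSH is allowed on any port while non-SSH traffic on port 22 is blocked. The server names, flow values, and the assumption that a flow with no identified App ID does not match an App ID rule are all constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    """One east-west flow as seen by the distributed firewall (constructed model)."""
    destination: str          # destination VM name
    protocol: str             # "TCP" or "UDP"
    dst_port: int
    app_id: Optional[str]     # Layer-7 application identified in the payload; None if not identified


@dataclass(frozen=True)
class Rule:
    """A context-aware firewall rule with a Layer-7 application-identification service."""
    name: str
    destination: Optional[str]   # None = any destination
    app_id: Optional[str]        # App ID selected when the service was created
    protocol: Optional[str]      # None = any protocol
    dst_port: Optional[int]      # None = "Destination port" text box left blank = any port
    action: str                  # "Allow" or "Block"


def matches(rule: Rule, flow: Flow) -> bool:
    """Every configured field must match; a blank (None) field matches anything."""
    if rule.destination is not None and rule.destination != flow.destination:
        return False
    if rule.protocol is not None and rule.protocol != flow.protocol:
        return False
    if rule.dst_port is not None and rule.dst_port != flow.dst_port:
        return False
    # Assumption of this model: an App ID rule only matches once the Layer-7
    # engine has identified the application, so an unidentified flow does not match.
    if rule.app_id is not None and rule.app_id != flow.app_id:
        return False
    return True


def evaluate(rules: List[Rule], flow: Flow, default_action: str = "Block") -> Tuple[str, str]:
    """First-match evaluation; the default rule (changed to Block in both scenarios) applies last."""
    for rule in rules:
        if matches(rule, flow):
            return rule.name, rule.action
    return "Default Rule", default_action


# Scenario 1: App ID HTTP, TCP, destination port 80 (constructed server name).
SCENARIO_1 = [Rule("HTTP to Web Server", "web-server-01", "HTTP", "TCP", 80, "Allow")]

# Scenario 2: App ID SSH, TCP, destination port left blank (constructed server name).
SCENARIO_2 = [Rule("SSH to SSH Server", "ssh-server-01", "SSH", "TCP", None, "Allow")]


if __name__ == "__main__":
    samples = [
        (SCENARIO_1, Flow("web-server-01", "TCP", 80, "HTTP")),    # allowed
        (SCENARIO_1, Flow("web-server-01", "TCP", 8080, "HTTP")),  # wrong port -> Block
        (SCENARIO_1, Flow("web-server-01", "TCP", 80, "SSH")),     # SSH on port 80 -> Block
        (SCENARIO_2, Flow("ssh-server-01", "TCP", 2222, "SSH")),   # any port -> allowed
        (SCENARIO_2, Flow("ssh-server-01", "TCP", 22, "HTTP")),    # not SSH -> Block
        (SCENARIO_2, Flow("ssh-server-01", "TCP", 22, None)),      # not yet identified -> Block
    ]
    for rules, flow in samples:
        print(flow, "->", evaluate(rules, flow))
```

The model deliberately keeps first-match semantics and a single Block default so that the two scenarios read the same way as in the steps above; the point to take away is that the App ID, not the port number, is what distinguishes "Web traffic on port 80" from "anything on port 80".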

Example

For detailed steps on creating a context-aware firewall rule by using the vSphere Web Client, see Example: Create a Context-Aware Firewall Rule.