Groups contain different objects, added either statically or dynamically, and can be used in the source or destination field of a firewall rule.
Only a single ID-based group can be used within a firewall rule. If both IP-based and ID-based groups are needed at the source, create two separate firewall rules.
- Select from the navigation panel.
- Click ADD GROUP.
- Enter a group name.
- (Required) Choose a domain from the drop-down menu, or use the default domain. A domain is a logical construct representing a security zone and all rules and groups. The default domain represents the entire NSX environment.
Note that the domain object is an experimental feature in NSX-T Data Center 2.4 but is not available in NSX-T Data Center 2.4.1. In NSX-T Data Center 2.4.1 it is not necessary to create any domain.
- (Optional) Click Set Members.
For each membership criterion, you can specify up to five rules, which are combined with the logical AND operator. A membership criterion can apply to the following object types:
  - Logical Port - can specify a tag and an optional scope.
  - Logical Switch - can specify a tag and an optional scope.
  - Virtual Machine - can specify a name, tag, computer OS name, or computer name that equals, contains, starts with, ends with, or does not equal a particular string.
  - Transport Node - can specify a node type that equals an edge node or a host node.
- (Optional) Click Members to select members.
The available member types are:
  - Segment Port
  - Virtual Network Interface
  - Virtual Machine
- Click IP/MAC Addresses to add IP and MAC addresses as group members.
- Click AD Groups to add Active Directory groups. Groups with Active Directory members can be used in the source or destination field of a distributed firewall rule for Identity Firewall, and the Active Directory groups must be the only members of the group. For example, a group cannot have both an ADGroup and an IPSet as members.
- Click Apply.
Groups are listed, with an option to view members and where the group is used.
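As an added example (not VMware's code or part of this documentation), the following Python builds the group membership expression that the procedure above configures and enforces the constraints it states: up to five AND-combined rules per criterion, Active Directory groups as the only members of a group, and a separate firewall rule for each ID-based source group. The Policy API `resource_type` and field names (`Condition`, `ConjunctionOperator`, `IPAddressExpression`, `IdentityGroupExpression`) are assumed from the NSX-T Policy API; the script only assembles the JSON body and does not contact NSX.

```python
from typing import Dict, List

MAX_RULES = 5  # rules per membership criterion, combined with AND
MEMBER_TYPES = {"LogicalPort", "LogicalSwitch", "VirtualMachine", "TransportNode"}
OPERATORS = {"EQUALS", "CONTAINS", "STARTSWITH", "ENDSWITH", "NOTEQUALS"}

def condition(member_type: str, key: str, operator: str, value: str) -> Dict:
    """One rule of a membership criterion (tag values use 'scope|tag').
    Field names follow the Policy API Condition object (assumed)."""
    if member_type not in MEMBER_TYPES or operator not in OPERATORS:
        raise ValueError(f"unsupported criterion {member_type}/{operator}")
    return {"resource_type": "Condition", "member_type": member_type,
            "key": key, "operator": operator, "value": value}

def criterion(*rules: Dict) -> List[Dict]:
    """Join 1..5 rules with AND, as the UI does within one criterion."""
    if not 1 <= len(rules) <= MAX_RULES:
        raise ValueError(f"a criterion takes 1..{MAX_RULES} rules, got {len(rules)}")
    joined: List[Dict] = []
    for rule in rules:
        if joined:
            joined.append({"resource_type": "ConjunctionOperator",
                           "conjunction_operator": "AND"})
        joined.append(rule)
    return joined

def ip_members(addresses: List[str]) -> Dict:
    return {"resource_type": "IPAddressExpression", "ip_addresses": addresses}

def ad_members(distinguished_names: List[str]) -> Dict:
    return {"resource_type": "IdentityGroupExpression",
            "identity_groups": [{"distinguished_name": dn} for dn in distinguished_names]}

def is_identity_group(expression: List[Dict]) -> bool:
    """True for an ID-based group; raises if AD members are mixed with others."""
    kinds = {e["resource_type"] for e in expression}
    if "IdentityGroupExpression" in kinds and kinds != {"IdentityGroupExpression"}:
        raise ValueError("AD groups must be the only members of a group")
    return "IdentityGroupExpression" in kinds

def split_rule_sources(groups: Dict[str, List[Dict]]) -> List[List[str]]:
    """Source-group sets for the firewall rules needed: one rule per
    ID-based group, plus one rule holding all remaining (IP/object) groups."""
    id_groups = [name for name, expr in groups.items() if is_identity_group(expr)]
    others = [name for name in groups if name not in id_groups]
    return [[name] for name in id_groups] + ([others] if others else [])

# Constructed sample groups: a dynamic VM group, an IP group and an AD group.
GROUPS = {
    "web-vms": criterion(condition("VirtualMachine", "Tag", "EQUALS", "tier|web"),
                         condition("VirtualMachine", "OSName", "CONTAINS", "Ubuntu")),
    "mgmt-ips": [ip_members(["10.0.0.0/24"])],
    "finance-users": [ad_members(["CN=Finance,OU=Groups,DC=example,DC=com"])],
}
```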