You can select a default connectivity strategy to enforce your security model.

The default connectivity strategy creates either an allow-all (blacklist) or deny-all (whitelist) firewall policy on top of the other firewall rules you create, instead of having to modify individual rules. To set a default connectivity strategy, go to Distributed Firewall. At the top of the page, click the connectivity status to select another option.

A firewall policy and rules must already exist for a change to the default connectivity strategy to take effect immediately. If no policy or rules have been created, the current default connectivity strategy remains in place until a policy and rules are created.

The following options are available:

  • Blacklist (with or without logging): This is the default option and creates an allow-all rule on the DFW.
  • Whitelist (with or without logging): Creates a deny-all traffic firewall rule. Only communication from sites or applications that have been defined in firewall rules is allowed, and all other communication is denied access, including DHCP traffic.
  • None: Select this option to disable both blacklisting and whitelisting of firewall rules. This is useful if you have a set of rules already configured using previous versions of NSX-T Data Center.
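To make the effect of each option concrete, here is an added Python model of how the default connectivity strategy combines with explicit DFW rules; it is an illustration written for this page, not NSX-T code or its API. It assumes first-match rule evaluation with the strategy's default rule acting as the last-resort catch-all, and the strategy names and sample rules are constructed labels, not NSX-T identifiers.

```python
"""Model of how the DFW default connectivity strategy combines with explicit rules.

Added illustration, not NSX-T code. Assumes the default rule acts as the
last-resort catch-all evaluated after the explicit rules (first match wins).
Strategy names below are constructed labels, not NSX-T API values.
"""
from dataclasses import dataclass

# Strategy -> (default action, whether default matches are logged); None = no default rule
STRATEGIES = {
    "BLACKLIST": ("ALLOW", False),
    "BLACKLIST_LOGGING": ("ALLOW", True),
    "WHITELIST": ("DROP", False),
    "WHITELIST_LOGGING": ("DROP", True),
    "NONE": None,
}

@dataclass(frozen=True)
class Rule:
    name: str
    src: str      # group name or "any"
    dst: str      # group name or "any"
    service: str  # e.g. "TCP/443", "DHCP", or "any"
    action: str   # "ALLOW" or "DROP"

def _matches(rule: Rule, src: str, dst: str, service: str) -> bool:
    pairs = ((rule.src, src), (rule.dst, dst), (rule.service, service))
    return all(r in ("any", v) for r, v in pairs)

def evaluate(rules, strategy, src, dst, service):
    """Return (action, rule_name, logged) for a flow. First explicit match wins;
    otherwise the strategy's default rule decides. With NONE nothing decides."""
    for rule in rules:
        if _matches(rule, src, dst, service):
            return rule.action, rule.name, False
    default = STRATEGIES[strategy]
    if default is None:
        return "NO_MATCH", None, False
    action, logged = default
    return action, "default-" + strategy.lower(), logged

# Constructed sample policy: only HTTPS to the web tier is explicitly allowed.
SAMPLE_RULES = [
    Rule("allow-web", "any", "web-tier", "TCP/443", "ALLOW"),
    Rule("block-db-from-web", "web-tier", "db-tier", "TCP/3306", "DROP"),
]

def whitelist_blocks_dhcp() -> bool:
    """Whitelist denies everything not explicitly allowed, DHCP included, so a
    DHCP allow rule must exist before switching to whitelist."""
    action, _, _ = evaluate(SAMPLE_RULES, "WHITELIST", "web-tier", "dhcp-server", "DHCP")
    return action == "DROP"
```

Running `evaluate` over the same flow under each strategy shows which traffic silently changes from allowed to dropped when switching from blacklist to whitelist.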