You can create distributed and gateway firewall rules from the Global Manager with global, regional or local spans.

Distributed and gateway firewall policies and rules created from the Global Manager are synced to Local Managers and appear in the Local Managers with a GM icon. You can edit rules created from the Global Manager only from the Global Manager. They cannot be edited from Local Managers.

Federation of Distributed Firewall (DFW) Policies and Rules

Use this example to understand the supported firewall workflows:

  • In the example, the Global Manager has three Local Managers registered with it, named: Location1, Location2 and Location3.
  • The Global Manager auto-creates the following regions:
    • Global
    • Location1
    • Location2
    • Location3
  • You create a customized region named: Region1 that includes Local Managers Location2 and Location3.
  • You create the following groups:
    • Group1: Region Global.
    • Group2: Region Location1.
    • Group3: Region Location2.
    • Group4: Region Location3.
    • Group5: Region Region1.

DFW Policies and Rules in NSX-T Data Center 3.0.1

The following use cases are supported:

  • Group Span: You can create groups in the Global Manager with a global, local or regional span. See Create Groups from Global Manager.
  • Dynamic Groups: You can create groups based on dynamic criteria, such as tags.
  • DFW Policy Span: DFW policies can be applied to a global, regional or local span.
  • DFW Rule's Source and Destination Groups: Either all the groups in the source field or all the groups in the destination field must match the DFW policy's span. The system auto-creates groups in locations that are outside the policy's span.

    Refer to the table for examples of valid and invalid source and destination groups in DFW rules:

    Table 1. Valid Source and Destination for a DFW rule based on the DFW Policy's Span in 3.0.1
    Columns: DFW Policy Span (Applied To) | Scenarios supported in DFW rules in version 3.0.1

    Policy span: Global
    From the example, this region contains the following groups:
    • Group1
    For a DFW policy with the span of the Global region, all groups are allowed in the DFW rule's source and destination. The following are some typical scenarios that are supported, using our example:
    • Source: Group2; Destination: Group3
    • Source: Group3; Destination: Group4
    • Source: Group4; Destination: Any
    • Source: Group1; Destination: Group2

    Policy span: Location1 (auto-created region for the Local Manager in location 1)
    From the example, this region contains the following groups:
    • Group2
    For a DFW policy with the span of one location (Location1 in this example), either the source or the destination group for the DFW rule must belong to Location1.
    The following scenarios are supported:
    • Source: Group2; Destination: Group2
    • Source: Group3; Destination: Group2
    • Source: Group2; Destination: Group4
    • Source: Group1; Destination: Group2
    The following are examples of unsupported group selections for this policy span; both the source and the destination groups are outside the policy's span:
    • Source: Group5; Destination: Group3
    • Source: Group1; Destination: Group3

    Policy span: Region1 (user-created region that spans Location2 and Location3)
    From the example, this region contains the following groups:
    • Group5
    For a DFW policy with the span of a user-created region (Region1 in this example), either the source or the destination group for the DFW rule must contain locations that belong to Region1.
    The following scenarios are supported:
    • Source: Group5; Destination: Group2
    • Source: Group2; Destination: Group5
    • Source: Group2; Destination: Group3
    • Source: Group3; Destination: Group4
    • Source: Any; Destination: Group5
    • Source: Group4; Destination: Any
    The following are examples of unsupported group selections for this policy span; both the source and the destination groups are outside the policy's span:
    • Source: Group2; Destination: Group2
    • Source: Group1; Destination: Group2
    • Source: Group1; Destination: Group1
  • If a group contains segments, the span of the DFW policy must be greater than or equal to the span of the segment. For example, if you have a group containing a segment whose span is Location1, the DFW policy cannot be applied to region Region1 because it only contains Location2 and Location3.

DFW Policies and Rules in NSX-T Data Center 3.0.0

  • Group Span: You can create groups in the Global Manager with a global, local or regional span. See Create Groups from Global Manager.
  • Dynamic Groups: You can create groups based on dynamic criteria, such as tags.
  • DFW Policy Span: DFW policies can be applied to a global, regional, or local span as well.
  • DFW Rule's Source and Destination Groups: All the groups in the source field and all the groups in the destination field must match the DFW policy's span.
    Refer to the table to understand how the span of the policy determines which source and destination groups are valid in a DFW rule.

    Table 2. Valid Source and Destination for a DFW rule based on the DFW Policy's Span in 3.0.0
    Columns: DFW Policy Span (Applied To) | Source and Destination Groups supported in DFW Rules in version 3.0.0

    Policy span: Global
    From the example, this region contains the following groups:
    • Group1
    For a DFW policy spanned to the Global region, you can select either the keyword Any or a Global group in the source and destination for a DFW rule. For example:
    • Source: Group1; Destination: Group1
    • Source: Group1; Destination: Any
    • Source: Any; Destination: Group1
    • Source: Any; Destination: Any
    Caution: Other rule configurations can be created, but are not supported. For example:
    • Source: Group2; Destination: Group3
    • Source: Group4; Destination: Group1

    Policy span: Location1 (auto-created region for the Local Manager in location 1)
    From the example, this region contains the following groups:
    • Group2
    For a DFW policy spanned to the region for one location (Location1 in this example), both the source and destination groups must belong to this region.
    For example, this rule is supported:
    • Source: Group2; Destination: Group2
    Caution: Other rule configurations can be created, but are not supported. For example:
    • Source: Group2; Destination: Group3
    • Source: Group4; Destination: Group2

    Policy span: Region1 (customized region that spans Location2 and Location3)
    From the example, this region contains the following groups:
    • Group5
    For a DFW policy spanned to a customized region (Region1 in this example), both the source and destination groups must belong to this region.
    For example, these rules are supported:
    • Source: Group5; Destination: Group5
    • Source: Group5; Destination: Any
    • Source: Any; Destination: Group5
    Caution: Other rule configurations can be created, but are not supported. For example:
    • Source: Group2; Destination: Group3
    • Source: Group2; Destination: Group4
    • Source: Group3; Destination: Group2
    • Source: Group4; Destination: Group2
  • If a group contains segments, the span of the DFW policy must be greater than or equal to the span of the segment. For example, if you have a group containing a segment whose span is Location1, the DFW policy cannot be applied to region Region1 because it only contains Location2 and Location3.
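The following Python script is an added example, not part of this documentation and not NSX-T code; it encodes the 3.0.1 rule from Table 1 (either all source groups or all destination groups must match the policy span), the 3.0.0 rule from Table 2 (both sides must match), and the segment-span constraint from the last bullet, and checks candidate rules against the page's example groups before they are pushed to the Global Manager. Assumptions not stated on the page: a group's span is the span of the region it was created in; "match" in 3.0.0 means the group span equals the policy span, while in 3.0.1 it means the group span is contained in the policy span (which is what lets a Global policy accept every group and a Region1 policy accept Group3); the keyword Any carries no groups and so matches any span; and Group6 is a hypothetical extra group, added only to show the segment check.

```python
"""Pre-flight validator for Global Manager DFW rule spans (added example)."""
from dataclasses import dataclass
from typing import FrozenSet, Sequence, Tuple, Union

# Constructed topology taken from the page's example: three Local Managers
# (auto-created regions) plus the custom region Region1 = Location2 + Location3.
ALL_LOCATIONS: FrozenSet[str] = frozenset({"Location1", "Location2", "Location3"})
REGIONS = {
    "Global": ALL_LOCATIONS,
    "Location1": frozenset({"Location1"}),
    "Location2": frozenset({"Location2"}),
    "Location3": frozenset({"Location3"}),
    "Region1": frozenset({"Location2", "Location3"}),
}

ANY = "Any"  # the DFW rule keyword; it names no groups, so it constrains nothing
Side = Union[str, Sequence[str]]  # either ANY or a list of group names


@dataclass(frozen=True)
class Group:
    name: str
    region: str                            # region the group was created in
    segment_regions: Tuple[str, ...] = ()  # regions of any segments the group contains

    @property
    def span(self) -> FrozenSet[str]:
        return REGIONS[self.region]


GROUPS = {
    "Group1": Group("Group1", "Global"),
    "Group2": Group("Group2", "Location1"),
    "Group3": Group("Group3", "Location2"),
    "Group4": Group("Group4", "Location3"),
    "Group5": Group("Group5", "Region1"),
    # Hypothetical extra group (not on the page): a Location1 group that
    # contains a segment whose span is Location1.
    "Group6": Group("Group6", "Location1", segment_regions=("Location1",)),
}


def _groups(side: Side) -> Tuple[Group, ...]:
    """Resolve one side of a rule to Group objects; ANY resolves to no groups."""
    if side == ANY:
        return ()
    return tuple(GROUPS[name] for name in side)


def _side_matches(side: Side, policy_span: FrozenSet[str], version: str) -> bool:
    """True when every group on this side matches the policy span.

    3.0.0: a group matches only if its span equals the policy span.
    3.0.1: a group matches if its span is contained in the policy span
           (so a Global policy accepts every group).
    ANY has no groups and therefore matches vacuously (assumption).
    """
    for group in _groups(side):
        if version == "3.0.0" and group.span != policy_span:
            return False
        if version == "3.0.1" and not group.span <= policy_span:
            return False
    return True


def segments_fit(side: Side, policy_span: FrozenSet[str]) -> bool:
    """The policy span must be >= the span of every segment in a referenced group."""
    return all(
        REGIONS[seg] <= policy_span
        for group in _groups(side)
        for seg in group.segment_regions
    )


def rule_is_supported(policy_region: str, source: Side, destination: Side,
                      version: str = "3.0.1") -> bool:
    """Decide whether a DFW rule is supported for a policy with the given span."""
    if version not in ("3.0.0", "3.0.1"):
        raise ValueError(f"unknown version {version!r}")
    policy_span = REGIONS[policy_region]
    # A group with a wider-spanning segment disqualifies the rule in both versions.
    if not (segments_fit(source, policy_span) and segments_fit(destination, policy_span)):
        return False
    src_ok = _side_matches(source, policy_span, version)
    dst_ok = _side_matches(destination, policy_span, version)
    # 3.0.0 requires both sides to match; 3.0.1 requires at least one side.
    return (src_ok and dst_ok) if version == "3.0.0" else (src_ok or dst_ok)


if __name__ == "__main__":
    for policy, src, dst in [("Location1", ["Group3"], ["Group2"]),
                             ("Location1", ["Group5"], ["Group3"]),
                             ("Region1", ["Group6"], ["Group5"])]:
        for ver in ("3.0.0", "3.0.1"):
            print(ver, policy, src, dst, rule_is_supported(policy, src, dst, ver))
```

Run the script to see how the same rule can be supported in 3.0.1 and rejected in 3.0.0; the Group6 case shows a rule whose groups pass the span test but whose segment still disqualifies it for a Region1 policy.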

Federation of Gateway Firewall Policies and Rules

Gateway firewall rules can be applied to all the locations included in the gateway's span, or all interfaces of a particular location, or specific interfaces of one or more locations.
Note: The span of the source and destination groups for gateway firewall rules must be the same as or a subset of the gateway's span on which you are creating the rule.
Table 3. Span Options for Gateway Firewall Rules
Columns: Gateway Firewall Rule's Span (Applied To) | Applies to

  • Apply rule to gateway: The rule applies to all interfaces attached to this gateway, in all locations that this gateway is stretched to.
  • Select a location and then select Apply rule to all Entities: The rule applies only to the selected location.
  • Select a location and then select interfaces from that location; repeat for other locations, selecting interfaces for each location that you want to apply the rule to: The rule applies only to the selected interfaces.