Security in Federation

You can create distributed and gateway firewall rules from the Global Manager with global, regional or local spans.

Distributed and gateway firewall policies and rules created from the Global Manager are synced to Local Managers and appear in the Local Managers with a icon. You can edit rules created from the Global Manager only from the Global Manager. They cannot be edited from Local Managers.

Federation of Distributed Firewall (DFW) Policies and Rules

Use this example to understand the supported firewall workflows:

In the example, the Global Manager has three Local Managers registered with it, named: Location1, Location2 and Location3.
The Global Manager auto-creates the following regions:
- Global
- Location1
- Location2
- Location3
You create a customized region named: Region1 that includes Local Managers Location2 and Location3.
You create the following groups:
- Group1: Region Global.
- Group2: Region Location1.
- Group3: Region Location2.
- Group4: Region Location3.
- Group5: Region Region1.

DFW Policies and Rules in NSX-T Data Center 3.0.1

The following use cases are supported:

Group Span: You can create groups in the Global Manager with a global, local or regional span. See Create Groups from Global Manager.
Dynamic Groups: You can create groups based on dynamic criteria, such as tags.
DFW Policy Span: DFW policies can be applied to a global, regional or local span.

DFW Rule's Source and Destination Groups: Either all the groups in the source field or all the groups in the destination field must match the DFW policy's span. The system auto-creates groups in locations that are outside the policy's span.

Refer to the table for examples of valid and invalid source and destination groups in DFW rules:

Table 1. Valid Source and Destination for a DFW rule based on the DFW Policy's Span in 3.0.1
DFW Policy Span (Applied To)	Scenarios supported in DFW rules in version 3.0.1.
`Global` From the example, this region contains the following groups: `Group1`	For a DFW policy with the span of `Global` region, all groups are allowed in the DFW rule's source and destination. Following are some typical scenarios that are supported, using our example: Source: `Group2`; Destination `Group3` Source: `Group3`; Destination `Group4` Source: `Group4`; Destination: `Any` Source: `Group1`; Destination `Group2`.
`Location1` : auto-created region for the Local Manager in location 1. From the example, this region contains the following groups: `Group2`	For a DFW policy with the span of one location: `Location1` in this example, either the source or the destination group for the DFW rule must belong to `Location1`. The following scenarios are supported: Source: `Group2`; Destination `Group2` Source: `Group3`; Destination `Group2`. Source: `Group2`; Destination `Group4`. Source `Group1`; Destination `Group2`. The following is an example of unsupported group selections for this policy span. Both the source and the destination groups are outside the policy's span: Source `Group5`; Destination `Group3`. Source `Group1`; Destination `Group3`.
`Region1` : user-created region that spans `Location2` and `Location3`. From the example, this region contains the following groups: `Group5`	For a DFW policy with the span of a user-created region: `Region1` in this example, either the source or the destination group for the DFW rule must contain locations that belong to `Region1`. The following scenarios are supported: Source: `Group5`; Destination `Group2`. Source: `Group2`; Destination `Group5`. Source: `Group2`; Destination `Group3`. Source: `Group3`; Destination `Group4`. Source: `Any` ;Destination: `Group5` Source `Group4`; Destination `Any` The following is an example of unsupported group selections for this policy span. Both the source and the destination groups are outside the policy's span: Source `Group2`; Destination `Group2`. Source `Group1`; Destination `Group2`. Source `Group1`; Destination `Group1`.

If a group contains segments, the span of the DFW policy must be greater than or equal to the span of the segment. For example, if you have a group containing a segment whose span is Location1, the DFW policy cannot be applied to region Region1 because it only contains Location2 and Location3.

DFW Policies and Rules in NSX-T Data Center 3.0.0

Group Span: You can create groups in the Global Manager with a global, local or regional span. See Create Groups from Global Manager.
Dynamic Groups: You can create groups based on dynamic criteria, such as tags.
DFW Policy Span: DFW policies can be applied to a global, regional, or local span as well.

DFW Rule's Source and Destination Groups: All the groups in the source field and all the groups in the destination field must match the DFW policy's span.

Refer to the table to understand how the span of the policy determines what source and destination groups are valid in a DFW rule.

Table 2. Valid Source and Destination for a DFW rule based on the DFW Policy's Span in 3.0.0
DFW Policy Span (Applied To)	Source and Destination Groups supported in DFW Rules in version 3.0.0.
`Global`. From the example, this region contains the following groups: `Group1`	For a DFW policy spanned to the `Global` region, you can select either the keyword Any or a Global group in the source and destination for a DFW rule: For example, Source: `Group1`; Destination: `Group1`. Source: `Group1`; Destination`Any` Source: `Any` ; Destination: `Group1`. Source: `Any` ; Destination `Any` Caution: Other rule configurations can be created, but are not supported, for example: . Source: `Group2`; Destination: `Group3` Source: `Group4`; Destination: `Group1`
`Location1` : auto-created region for the Local Manager in location 1. From the example, this region contains the following groups: `Group2`	For a DFW policy spanned to the region for one location: `Location1` in this example, both the source and destination groups must belong to this region. For example, these rules are supported: Source: `Group2`; Destination: `Group2` Caution: Other rule configurations can be created, but are not supported, for example: . Source: `Group2`; Destination: `Group3` Source: `Group4`; Destination: `Group2`
`Region1` : customized region that spans `Location2` and `Location3`. From the example, this region contains the following groups: `Group5`	For a DFW policy with a span to a customized region: `Region1` in this example, both the source and destination groups must belong to this region. For example, these rule are supported: Source: `Group5`; Destination: `Group5`. Source: `Group5`; Destination: `Any`. Source: `Any` ;Destination: `Group5`. Caution: Other rule configurations can be created, but are not supported, for example: . Source: `Group2` and Destination: `Group3` Source: `Group2`; Destination: `Group4` Source: `Group3`; Destination: `Group2` Source: `Group4`; Destination: `Group2`

If a group contains segments, the span of the DFW policy must be greater than or equal to the span of the segment. For example, if you have a group containing a segment whose span is Location1, the DFW policy cannot be applied to region Region1 because it only contains Location2 and Location3.

Federation of Gateway Firewall Policies and Rules

Gateway firewall rules can be applied to all the locations included in the gateway's span, or all interfaces of a particular location, or specific interfaces of one or more locations.

Note: The span of the source and destination groups for gateway firewall rules must be the same as or a subset of the gateway's span on which you are creating the rule.

Table 3. Span Options for Gateway Firewall Rules
Gateway Firewall Rule's Span (Applied To)	Applies to
Apply rule to gateway	The rule applies to all interfaces attached to this gateway, in all locations that this gateway is stretched to.
Select a location and then select Apply rule to all Entities.	The rule applies only to the selected location.
Select a location and then select interfaces from that location. Repeat for other locations, selecting interfaces for each location that you want to apply the rule to.	The rule applies only to the selected interfaces.