Configure east-west and north-south firewall policies under predefined categories for your environment.

Distributed Firewall (east-west) and Gateway Firewall (north-south) offer multiple sets of configurable rules divided into categories. You can configure an exclusion list containing logical switches, logical ports, or groups that are to be excluded from firewall enforcement.

Security policies are enforced as follows:

  • Rules are processed in categories, left to right.
  • Rules are processed in top-to-bottom ordering.
  • Each packet is checked against the top rule in the rule table before moving down the subsequent rules in the table.
  • The first rule in the table that matches the traffic parameters is enforced.

No subsequent rules are evaluated, because the search terminates for that packet at the first match. Because of this behavior, it is always recommended to put the most granular policies at the top of the rule table. This ensures they are enforced before more generic rules, and are not shadowed by them.

Whether an east-west or north-south firewall fails closed or fails open depends on the last rule in the firewall. To ensure that a firewall fails closed, configure the last rule to reject or drop all packets.
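The evaluation order described above (categories left to right, rules top to bottom, first match wins, last rule decides fail-open versus fail-closed) can be simulated offline. The following is an added example, not code from the documentation or from the product; it models a Distributed Firewall policy as a list of rules with source, destination and service fields, evaluates constructed packets against it, and flags rules that can never match because an earlier, broader rule shadows them. The category names, the `Rule` fields and the packet format are assumptions made for the illustration, and the "no rule matched" outcome is returned as `None` to make the fail-open case visible.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Assumed category order, evaluated left to right (the page does not list categories).
CATEGORY_ORDER = ["Ethernet", "Emergency", "Infrastructure", "Environment", "Application"]


@dataclass
class Rule:
    name: str
    category: str
    action: str                                  # "ALLOW", "DROP" or "REJECT"
    sources: list = field(default_factory=lambda: ["any"])       # CIDRs or "any"
    destinations: list = field(default_factory=lambda: ["any"])  # CIDRs or "any"
    services: list = field(default_factory=lambda: ["any"])      # "PROTO/port" or "any"


def ordered_rules(rules):
    """Order by category (left to right); a stable sort keeps top-to-bottom order within a category."""
    for r in rules:
        if r.category not in CATEGORY_ORDER:
            raise ValueError(f"unknown category {r.category!r} on rule {r.name!r}")
    return sorted(rules, key=lambda r: CATEGORY_ORDER.index(r.category))


def _match_addr(spec, addr):
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)


def _match_service(spec, proto, port):
    return spec == "any" or spec == f"{proto}/{port}"


def matches(rule, pkt):
    return (any(_match_addr(s, pkt["src"]) for s in rule.sources)
            and any(_match_addr(d, pkt["dst"]) for d in rule.destinations)
            and any(_match_service(s, pkt["proto"], pkt["dport"]) for s in rule.services))


def evaluate(rules, pkt):
    """Return (action, rule_name) of the first matching rule, or (None, None) if nothing matched.
    A (None, None) result means the packet is not constrained by this policy: fail-open."""
    for rule in ordered_rules(rules):
        if matches(rule, pkt):
            return rule.action, rule.name
    return None, None


def _addr_covers(a, b):
    """True if address spec a matches everything that spec b matches."""
    if a == "any":
        return True
    if b == "any":
        return False
    return ip_network(b, strict=False).subnet_of(ip_network(a, strict=False))


def _svc_covers(a, b):
    return a == "any" or a == b


def shadowed(rules):
    """List (rule, shadowing_rule) pairs: the first rule can never match because the second,
    evaluated earlier, covers every packet the first would match. Granular rules must come first."""
    ordered = ordered_rules(rules)
    out = []
    for i, later in enumerate(ordered):
        for earlier in ordered[:i]:
            if (all(any(_addr_covers(a, b) for a in earlier.sources) for b in later.sources)
                    and all(any(_addr_covers(a, b) for a in earlier.destinations) for b in later.destinations)
                    and all(any(_svc_covers(a, b) for a in earlier.services) for b in later.services)):
                out.append((later.name, earlier.name))
                break
    return out


# Constructed sample policy; rules are deliberately listed out of category order.
POLICY = [
    Rule("web-to-db", "Application", "ALLOW", ["10.1.1.0/24"], ["10.1.2.0/24"], ["TCP/3306"]),
    Rule("allow-dns", "Infrastructure", "ALLOW", ["any"], ["10.0.0.10/32"], ["UDP/53"]),
    Rule("quarantine-host", "Emergency", "DROP", ["10.0.0.50/32"], ["any"], ["any"]),
]
# The same policy with a catch-all drop as its last rule (fail-closed).
POLICY_FAIL_CLOSED = POLICY + [Rule("default-deny", "Application", "DROP")]

# Constructed sample packets.
PKT_DB = {"src": "10.1.1.5", "dst": "10.1.2.9", "proto": "TCP", "dport": 3306}
PKT_QUARANTINED_DNS = {"src": "10.0.0.50", "dst": "10.0.0.10", "proto": "UDP", "dport": 53}
PKT_SSH = {"src": "10.1.1.5", "dst": "10.1.2.9", "proto": "TCP", "dport": 22}

# Constructed example of a granular rule placed below a broader one in the same category.
SHADOW_POLICY = [
    Rule("allow-any-web", "Application", "ALLOW", ["any"], ["any"], ["TCP/443"]),
    Rule("block-guest-web", "Application", "DROP", ["10.9.0.0/16"], ["any"], ["TCP/443"]),
]

if __name__ == "__main__":
    for pkt in (PKT_DB, PKT_QUARANTINED_DNS, PKT_SSH):
        print(pkt, "->", evaluate(POLICY, pkt), "| fail-closed:", evaluate(POLICY_FAIL_CLOSED, pkt))
    print("shadowed:", shadowed(SHADOW_POLICY))
```

Running it shows the quarantined host's DNS query hitting the Emergency drop even though the Infrastructure allow is listed before it in the input, the SSH packet passing through `POLICY` unmatched but being dropped by `POLICY_FAIL_CLOSED`, and `block-guest-web` reported as shadowed until it is moved above `allow-any-web`.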