The following terms are used throughout the distributed firewall documentation.

| Construct | Definition |
|---|---|
| Policy | A security policy includes various security elements, including firewall rules and service configurations. A policy was previously called a firewall section. |
| Rule | A set of parameters against which flows are evaluated, defining which action is taken on a match. Rules include parameters such as source and destination, service, context profile, logging, and tags. |
| Group | Groups include different objects that are added both statically and dynamically, and can be used as the source and destination field of a firewall rule. Groups can be configured to contain a combination of virtual machines, IP sets, MAC sets, logical ports, logical switches, AD user groups, and other nested groups. Dynamic inclusion of groups can be based on tag, machine name, OS name, or computer name. When you create a group, you must include a domain that it belongs to; by default this is the default domain. Groups were previously called NSGroup or security group. |
| Service | Defines a combination of port and protocol, used to classify traffic. Pre-defined services and user-defined services can be used in firewall rules. |
| Context Profile | Defines context-aware attributes including APP-ID and domain name. Also includes sub-attributes such as application version or cipher set. Firewall rules can include a context profile to enable Layer-7 firewall rules. |
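To make the relationship between these constructs concrete, here is a small model of how groups (static members plus tag-based dynamic inclusion), services (protocol and port), and an ordered rule list fit together when a flow is evaluated first-match against a policy. This is an added, self-contained example written for this page; it is not NSX code and does not call the NSX API. The VM names, IPs, tags, group names and rules are constructed sample data, and Layer-7 context profiles are deliberately left out of the toy model.

```python
"""Toy model of distributed-firewall constructs: Group, Service, Rule, Policy.
Hypothetical code written for this page; it does not use any NSX API."""
from dataclasses import dataclass, field
from typing import Optional, FrozenSet, Set, List, Tuple


@dataclass(frozen=True)
class VM:
    name: str
    ip: str
    tags: FrozenSet[str] = frozenset()


@dataclass
class Group:
    """Static members (IPs or VM names) plus dynamic inclusion by tag."""
    name: str
    static_members: Set[str] = field(default_factory=set)
    tag_criteria: Set[str] = field(default_factory=set)

    def contains(self, vm: VM) -> bool:
        # A VM is a member if it was added statically by IP or name,
        # or if it carries any tag listed in the dynamic criteria.
        return (vm.ip in self.static_members
                or vm.name in self.static_members
                or bool(self.tag_criteria & vm.tags))


@dataclass(frozen=True)
class Service:
    name: str
    protocol: str   # e.g. "TCP", "UDP"
    port: int       # destination port


@dataclass
class Rule:
    name: str
    source: Optional[Group]        # None means "Any"
    destination: Optional[Group]   # None means "Any"
    service: Optional[Service]     # None means "Any"
    action: str                    # "ALLOW", "DROP" or "REJECT"
    logged: bool = False


@dataclass(frozen=True)
class Flow:
    src: VM
    dst: VM
    protocol: str
    port: int


def rule_matches(rule: Rule, flow: Flow) -> bool:
    """Every configured field must match; an unset field matches anything."""
    if rule.source is not None and not rule.source.contains(flow.src):
        return False
    if rule.destination is not None and not rule.destination.contains(flow.dst):
        return False
    if rule.service is not None and (rule.service.protocol != flow.protocol
                                     or rule.service.port != flow.port):
        return False
    return True


def evaluate(policy: List[Rule], flow: Flow,
             default_action: str = "DROP") -> Tuple[str, str]:
    """First-match evaluation: returns (action, name of the deciding rule).
    Flows matching no rule fall through to the policy's default action."""
    for rule in policy:
        if rule_matches(rule, flow):
            return rule.action, rule.name
    return default_action, "default"


# --- constructed sample data (not from any real environment) -------------
WEB1 = VM("web-01", "10.0.1.10", frozenset({"tier:web"}))
DB1 = VM("db-01", "10.0.2.10")
CLIENT = VM("laptop", "192.168.5.7")

WEB_TIER = Group("web-tier", tag_criteria={"tier:web"})   # dynamic by tag
DB_TIER = Group("db-tier", static_members={"10.0.2.10"})  # static by IP

HTTPS = Service("HTTPS", "TCP", 443)
MYSQL = Service("MySQL", "TCP", 3306)

POLICY = [
    Rule("web-to-db", WEB_TIER, DB_TIER, MYSQL, "ALLOW"),
    Rule("any-to-web", None, WEB_TIER, HTTPS, "ALLOW"),
    Rule("deny-db", None, DB_TIER, None, "DROP", logged=True),
]


def decide(src: VM, dst: VM, protocol: str, port: int) -> Tuple[str, str]:
    return evaluate(POLICY, Flow(src, dst, protocol, port))


if __name__ == "__main__":
    for args in [(WEB1, DB1, "TCP", 3306), (CLIENT, DB1, "TCP", 3306),
                 (CLIENT, WEB1, "TCP", 443), (CLIENT, WEB1, "TCP", 22)]:
        print(args[0].name, "->", args[1].name, args[2], args[3], decide(*args))
```

The tag-based `WEB_TIER` group shows why dynamic membership matters operationally: a new VM that receives the `tier:web` tag is covered by `any-to-web` and `web-to-db` without any rule edit, while the explicit logged `deny-db` rule above the default action is what gives you a log line for blocked database access instead of a silent default drop.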