NSX-T Data Center uses firewall rules to specify traffic handling in and out of the network.
Firewall offers multiple sets of configurable rules: Layer 3 rules (General tab) and Layer 2 rules (Ethernet tab). Layer 2 firewall rules are processed before Layer 3 rules and if allowed in the Layer 2 rules will then be processed by the Layer 3 rules. You can configure an exclusion list that contains logical switches, logical ports, or groups that are to be excluded from firewall enforcement.
Firewall Rules are enforced as follows:
- Rules are processed in top-to-bottom ordering.
- Each packet is checked against the top rule in the rule table before moving down the subsequent rules in the table.
- The first rule in the table that matches the traffic parameters is enforced.
No subsequent rules can be enforced as the search is then terminated for that packet. Because of this behavior, it is always recommended to put the most granular policies at the top of the rule table. This will ensure they will be enforced before more specific rules.
Property | Description |
---|---|
Name | Name of the firewall rule. |
ID | Unique system generated ID for each rule. |
Source | The source of the rule can be either an IP or MAC address or an object other than an IP address. The source will match any if not defined. Both IPv4 and IPv6 are supported for source or destination range. |
Destination | The destination IP or MAC address/netmask of the connection that is affected by the rule. The destination will match any if not defined. Both IPv4 and IPv6 are supported for source or destination range. |
Service | The service can be a predefined port protocol combination for L3. For L2 it can be ether-type. For both L2 and L3 you can manually define a new service or service group. The service will match any, if it is not specified. |
Applied To | Defines the scope at which this rule is applicable. If not defined the scope will be all logical ports. If you have added "applied to" in a section it will overwrite the rule. |
Log | Logging can be turned off or on. Logs are stored at /var/log/dfwpktlogs.log file on ESX and KVM hosts. |
Action | The action applied by the rule can be Allow, Drop, or Reject. The default is Allow. |
IP Protocol | The options are IPv4, IPv6, and IPv4_IPv6. The default is IPv4_IPv6. To access this property, click the Advanced Settings icon. |
Direction | The options are In, Out, and In/Out. The default is In/Out. This field refers to the direction of traffic from the point of view of the destination object. In means that only traffic to the object is checked, Out means that only traffic from the object is checked, and In/Out means traffic in both directions is checked. To access this property, click the Advanced Settings icon. |
Rule Tags | Tags that have been added to the rule. To access this property, click the Advanced Settings icon. |
Flow Statistics | Read-only field that displays the byte, packet count, and sessions. To access this property, click the graph icon. |