Firewall rule table implements the NSX Security policy which you can create using the NSX Manager GUI or the REST API framework.
- VM Inventory Collection: You can identify and organize a list of all hosted virtualized workloads on the NSX-T transport nodes. The inventory is dynamically collected and saved by NSX Manager as the nodes – ESXi or KVM that are added as NSX-T transport nodes. You can view a list of inventories by navigating to the menu.
- Tag: NSX-T allows to tag virtual machine, segment, and segment-port. To tag each of these objects, go to the relevant object page or go to . Objects can have one or more tags. For example, a VM can have Tag = PROD, Tag = HR-APP or Tag = WEB-Tier.
- Group Workloads: You can use the NSX-T logical grouping construct with dynamic or static membership criteria based on VM name, tags, segment, segment port, IPs, or other attributes.
- Define Security Policy: You can define the security policy using the distributed firewall rule table available at . You can organize the policy based on pre-defined categories like ethernet, emergency, infrastructure, environment, and application.
For details, see NSX-T Data Center Administration Guide.
Add Tags
You can select existing tags that are available in the inventory or create new tags to add to an object.
Procedure
Add Groups
Groups include different objects that are added both statically and dynamically and can be used as the source and destination of a firewall rule.
Procedure
Distributed Firewall Policy
Distributed firewall comes with predefined categories for firewall rules. Categories allow you to organize security policies.
Categories are evaluated from left to right (Ethernet > Emergency > Infrastructure > Environment > Application), and the distributed firewall rules within the category are evaluated top down.
Ethernet We recommend you include Layer 2 rules for this category. |
Emergency We recommend you include quarantine and allow rules for this category. |
Infrastructure We recommend you include rules which define access to shared services for this category. For example:
|
Environment We recommend you include rules between zones for this category. For example:
|
Application We recommend you include rules between:
|
Add a Distributed Firewall Policy
Distributed firewall monitors all the East-West traffic on your virtual machines.
Procedure
Add Distributed IDS/IPS Policy
IDS/IPS rules are created in the same manner as distributed firewall (DFW) rules. First, create an IDS policy, and then create rules for this policy.
Procedure
Gateway Firewall Policy
You can configure gateway firewall by adding rules under a firewall policy section that belongs to a predefined category.