You can edit the default firewall settings that apply to traffic that does not match any of the user-defined firewall rules.

About this task

Default firewall settings apply to traffic that does not match any of the user-defined firewall rules. The Distributed Firewall default rule is displayed on the centralized firewall user interface. The default Layer 3 rule is shown under the General tab and the default Layer 2 rule is shown under the Ethernet tab.

The default Distributed Firewall rule allows all L3 and L2 traffic to pass through all prepared clusters in your infrastructure. The default rule is always at the bottom of the rules table and cannot be deleted or added to. However, you can change the Action element of the rule from Allow to Drop or Reject (not recommended), and indicate whether traffic matching that rule should be logged.

Procedure

  1. Click Firewall.

    The General Firewall screen appears.

  2. Ensure that you are in the General tab to edit the default L3 rule. Click the Ethernet tab to edit the default L2 rule.
  3. Under the Action column, expand the section and select one of the options:
    • Allow - Allows all L3 or L2 traffic with the specified source, destination, and protocol to pass through the current firewall context. Packets that match the rule, and are accepted, traverse the system as if the firewall were not present.

    • Drop - Drops packets with the specified source, destination, and protocol. Dropping a packet is a silent action with no notification to the source or destination systems. Dropping the packet causes the connection to be retried until the retry threshold is reached.

    • Reject - Rejects packets with the specified source, destination, and protocol. Rejecting a packet is a more graceful way to deny a packet, as it sends a destination unreachable message to the sender. If the protocol is TCP, a TCP RST message is sent. For UDP, ICMP, and other IP connections, an ICMP message with the administratively prohibited code is sent. One benefit of using Reject is that the sending application is notified after only one attempt that the connection cannot be established.

    Note:

    Selecting Reject as the action for the default rule is not recommended.

  4. Under the Log column, expand the section and select either Yes to enable logging or No to disable logging. You can also write notes here. Note that selecting Yes logs all sessions matching this rule. Enabling logging can affect performance.
  5. Click Save and confirm your changes.
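Because enabling Log on the default rule records every session that falls through the user-defined rules, those logs are the natural input for deciding which explicit rules are still missing before the default action is tightened. The following Python is an added example, not part of this documentation or of the Distributed Firewall itself: it parses a simplified, hypothetical packet-log layout (constructed for this example, not the product's real log format) and tallies the flows that hit an assumed default rule id, flagging any default-rule action other than an allow.

```python
import re
from collections import Counter

# Constructed sample lines in a simplified, hypothetical layout (NOT the product's
# actual log format): <action> <rule-id> <direction> <proto> <src>-><dst>
SAMPLE_LOG = """\
PASS 1003 IN TCP 10.0.1.5:51000->10.0.2.10:443
PASS 1001 OUT UDP 10.0.1.5:53212->10.0.0.2:53
PASS 1001 IN TCP 10.0.3.9:40112->10.0.2.10:22
DROP 1002 IN TCP 192.168.9.4:4444->10.0.2.10:3389
PASS 1001 IN TCP 10.0.3.9:40113->10.0.2.10:22
"""

DEFAULT_RULE_ID = "1001"  # assumed id of the default L3 rule in this sample data

LINE_RE = re.compile(
    r"^(?P<action>PASS|DROP|REJECT)\s+(?P<rule>\d+)\s+(?P<dir>IN|OUT)\s+"
    r"(?P<proto>\w+)\s+(?P<src>\S+)->(?P<dst>\S+)$"
)


def parse(log_text):
    """Parse log lines into dicts; lines that do not match the layout are skipped."""
    rows = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def default_rule_flows(rows, default_rule=DEFAULT_RULE_ID):
    """Count sessions that fell through to the default rule, keyed by
    (protocol, destination IP, destination port). Each key is a candidate for
    an explicit rule above the default rule."""
    counts = Counter()
    for r in rows:
        if r["rule"] == default_rule:
            dst_ip, dst_port = r["dst"].rsplit(":", 1)
            counts[(r["proto"], dst_ip, dst_port)] += 1
    return counts


def default_rule_actions(rows, default_rule=DEFAULT_RULE_ID):
    """Set of actions seen on the default rule. Anything other than {'PASS'}
    means the default Action was changed from Allow and unmatched traffic is
    now being silently dropped or rejected."""
    return {r["action"] for r in rows if r["rule"] == default_rule}
```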