A firewall is a network security system that monitors and controls the incoming and outgoing network traffic based on predetermined firewall rules.

About this task

Firewall rules are added at the NSX Manager scope. Using the Applied To field, you can then narrow down the scope at which you want to apply the rule. You can add multiple objects at the source and destination levels for each rule, which helps reduce the total number of firewall rules to be added.

Note:

By default, the source, destination, and service elements of a rule are each set to any, so the rule matches all traffic on all interfaces and in both traffic directions. If you want to restrict the rule to particular interfaces or traffic directions, you must specify that restriction in the rule.

Prerequisites

To use a group of addresses, first manually associate the IP and MAC address of each VM with its logical switch.

Procedure

  1. Select Firewall in the navigation panel.
  2. Click the General tab for L3 rules or the Ethernet tab for L2 rules.
  3. Click an existing section or rule.
  4. Click Add Rule on the menu bar and select Add Rule Above or Add Rule Below, or click the menu icon in the first column of a rule and select Add Rule Above or Add Rule Below.

    A new row appears to define a firewall rule.

    Note:

    For any traffic attempting to pass through the firewall, the packet information is subjected to the rules in the order shown in the Rules table, beginning at the top and proceeding to the default rules at the bottom. In some cases, the order of precedence of two or more rules might be important in determining the disposition of a packet.

  5. In the Name column, click the pencil icon. Enter the rule name in the Edit Name dialog box.

    A rule appears with the specified name.

  6. Point to the Sources cell of the new rule, click the pencil icon, and select the source of the rule. The Edit Sources dialog box appears. If no source is defined, the rule matches any source.
    Note:

    When creating a new firewall rule, you can drag and drop objects to use for the Source, Destination, Service, and Applied To fields, instead of selecting these each time. This can help to speed up the rule creation process, especially when the same objects are often reused.

    To do this, click Objects in the left-hand corner of the firewall rules window, select the object type from the list, then drag and drop the object you need into the appropriate field, that is, Sources in your firewall rule.

    Table 1. Edit Sources window

    Option

    Description

    IP Address or MAC Address

    Enter multiple IP or MAC addresses in a comma-separated list. The list can contain up to 255 characters. Both IPv4 and IPv6 formats are supported.

    Objects

    Click the arrow and select the Object.

    1. Select IP Set, Logical Port, Logical Switch, or NS Group.

      Available objects for the selected container are displayed.

    2. Select one or more objects and click the arrow. To select all of the available objects click the checkbox next to Available, then click the arrow.

    3. The objects move to the selected column.

    4. Click OK.

  7. Point to the Destinations cell of the new rule. The Edit Destinations dialog box appears. If no destination is defined, the rule matches any destination.
    Table 2. Edit Destinations window

    Option

    Description

    IP Address or MAC address

    You can enter multiple IP or MAC addresses in a comma-separated list. The list can contain up to 255 characters. Both IPv4 and IPv6 formats are supported.

    Objects

    Click the arrow and select the Object.

    1. You can select IP Set, Logical Port, Logical Switch, or NS Group.

      Available objects for the selected container are displayed.

    2. Select one or more objects and click the arrow. To select all of the available objects click the checkbox next to Available, then click the arrow.

    3. The objects move to the selected column.

    4. Click OK.

  8. Point to the Service cell of the new rule. If no service is defined, the rule matches any service.

    The Edit Services dialog box appears. The list already displays many predefined services, but you are not limited to these choices.

  9. To select a predefined service, select one or more available objects, then click the arrow. Click OK.
  10. To define a new service, click Create New NSService. The NSService dialog box appears.

    Option

    Description

    Name

    Name the new service.

    Description

    Describe the new service.

    Type of Service

    • ALG

    • ICMP

    • IP

    • L4 Port Set

    • IGMP

    Protocol

    Select one of the available protocols.

    Source Ports

    Enter the source port.

    Destination Ports

    Select the destination port.

    Group existing services

    Click the radio button to add an existing group service.

  11. Point to the Action cell, and click the pencil icon. This parameter is required. The Edit Action dialog box appears.

    Option

    Description

    Allow

    Allows all L3 or L2 traffic with the specified source, destination, and protocol to pass through the current firewall context. Packets that match the rule, and are accepted, traverse the system as if the firewall were not present.

    Drop

    Drops packets with the specified source, destination, and protocol. Dropping a packet is a silent action with no notification to the source or destination systems. Dropping the packet causes the connection to be retried until the retry threshold is reached.

    Reject

    Rejects packets with the specified source, destination, and protocol. Rejecting a packet is a more graceful way to deny a packet, as it sends a destination unreachable message to the sender. If the protocol is TCP, a TCP RST message is sent. ICMP messages with administratively prohibited code are sent for UDP, ICMP, and other IP connections. One benefit of using Reject is that the sending application is notified after only one attempt that the connection cannot be established.

  12. Point to the Applied To cell, and click the pencil icon.

    The Edit Applied To dialog box appears.

  13. Select one or more objects.

    The types of object are logical ports, logical switches, and NSGroups. If you select an NSGroup, it must contain one or more logical switches or logical ports. If the NSGroup contains only IP sets or MAC sets, it will be ignored.

  14. Click OK.
  15. Point to the Log cell, and click the pencil icon. Logging is turned off by default. Select either Yes to enable logging, or No to disable logging. Logs are stored in the /var/log/dfwpktlogs.log file on ESX and KVM hosts. You can also write notes here. Note that selecting Yes logs all sessions matching this rule. Enabling logging can affect performance.
  16. For your rule or rules to take effect, click Save.

    You can add multiple rules before clicking Save.
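The following Python model is an added example and is not NSX code. It ties together three points made in the procedure above: the address list accepted by the Edit Sources and Edit Destinations fields (comma-separated IPv4, IPv6 or MAC addresses, at most 255 characters), the top-to-bottom first-match evaluation of the Rules table with undefined fields matching any, and what the sender observes for the Allow, Drop and Reject actions. The trailing default rule's action, the rule and packet structures, the addresses and the log line format are all assumptions of the example; in particular, the log line is constructed and is not the format of dfwpktlogs.log.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Added example (not NSX code): a model of how a first-match firewall rule
# table with "any" defaults and Allow/Drop/Reject actions disposes of packets.

MAX_LIST_CHARS = 255  # length limit the page states for the address list
MAC_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")


def parse_address_list(text: str) -> Set[str]:
    """Validate a comma-separated list of IPv4, IPv6 or MAC addresses, as the
    Edit Sources / Edit Destinations field accepts it, and return the normalised set.
    Raises ValueError for an over-long list, an empty entry or a malformed address."""
    if len(text) > MAX_LIST_CHARS:
        raise ValueError("list exceeds %d characters" % MAX_LIST_CHARS)
    entries: Set[str] = set()
    for item in text.split(","):
        item = item.strip()
        if not item:
            raise ValueError("empty entry in address list")
        if MAC_RE.match(item):
            entries.add(item.lower())
        else:
            # ipaddress.ip_address handles IPv4 and IPv6 and raises ValueError otherwise
            entries.add(str(ipaddress.ip_address(item)))
    return entries


@dataclass
class Rule:
    name: str
    action: str                                   # "allow", "drop" or "reject"
    sources: Optional[Set[str]] = None            # None means "any", the default on the page
    destinations: Optional[Set[str]] = None
    services: Optional[Set[Tuple[str, Optional[int]]]] = None  # e.g. {("tcp", 443)}; None = any
    log: bool = False


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                                    # "tcp", "udp" or "icmp"
    dport: Optional[int] = None


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """A field left undefined matches anything; a defined field must contain the packet's value."""
    if rule.sources is not None and pkt.src not in rule.sources:
        return False
    if rule.destinations is not None and pkt.dst not in rule.destinations:
        return False
    if rule.services is not None and (pkt.proto, pkt.dport) not in rule.services:
        return False
    return True


def disposition(action: str, pkt: Packet) -> str:
    """What the sender observes for each action, following the Edit Action table."""
    if action == "allow":
        return "forwarded"
    if action == "drop":
        return "silently dropped"             # no notification; the sender keeps retrying
    if action == "reject":
        return "tcp-rst" if pkt.proto == "tcp" else "icmp-admin-prohibited"
    raise ValueError("unknown action: " + action)


def evaluate(rules: List[Rule], pkt: Packet, default_action: str = "drop") -> Tuple[str, str, List[str]]:
    """Walk the table top to bottom and stop at the first matching rule.
    The trailing default rule and its action are assumptions of this example."""
    table = rules + [Rule("default", default_action)]
    for rule in table:
        if rule_matches(rule, pkt):
            logs: List[str] = []
            if rule.log:
                # constructed log line; this is not the dfwpktlogs.log format
                logs.append("rule=%s action=%s %s %s->%s:%s"
                            % (rule.name, rule.action, pkt.proto, pkt.src, pkt.dst, pkt.dport))
            return rule.name, disposition(rule.action, pkt), logs
    raise AssertionError("unreachable: the default rule matches everything")


def precedence_demo() -> Tuple[str, str]:
    """The same two rules in opposite order give opposite results for the same packet."""
    web = parse_address_list("10.0.0.10, 10.0.0.11, 2001:db8::10")   # constructed addresses
    allow_https = Rule("allow-https", "allow", destinations=web, services={("tcp", 443)})
    block_untrusted = Rule("block-untrusted", "reject", sources={"192.0.2.99"}, log=True)
    pkt = Packet("192.0.2.99", "10.0.0.10", "tcp", 443)
    first, _, _ = evaluate([allow_https, block_untrusted], pkt)
    second, _, _ = evaluate([block_untrusted, allow_https], pkt)
    return first, second


if __name__ == "__main__":
    print(precedence_demo())   # ('allow-https', 'block-untrusted')
```

The `precedence_demo` function shows why the note under step 4 matters: with the allow rule above the reject rule the packet from 192.0.2.99 is forwarded, and with the order swapped the same packet gets a TCP RST, so the relative position of overlapping rules decides the outcome, not their presence in the table.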