A security policy is a set of Guest Introspection, firewall, and network introspection services that can be applied to a security group. The order in which security policies are displayed is determined by the weight associated with the policy. By default, a new policy is assigned the highest weight so that it is at the top of the table. However, you can modify the default suggested weight to change the order assigned to the new policy.

Before you begin

Ensure that:

  • the required VMware built-in services (such as Distributed Firewall, Data Security, and Guest Introspection) are installed.

  • the required partner services have been registered with NSX Manager.

  • the desired default applied to value is set for Service Composer firewall rules. See Edit Service Composer Firewall Applied To Setting.

Procedure

  1. Log in to the vSphere Web Client.
  2. Click Networking & Security and then click Service Composer.
  3. Click the Security Policies tab.
  4. Click the Create Security Policy (add) icon.
  5. In the Add Security Policy dialog box, type a name for the security policy.
  6. Type a description for the security policy.

    NSX assigns a default weight (highest existing weight + 1000) to the policy. For example, if the highest weight among the existing policies is 1200, the new policy is assigned a weight of 2200.

    Security policies are applied according to their weight: a policy with a higher weight has precedence over a policy with a lower weight.

  7. Select Inherit security policy from specified policy if you want the policy that you are creating to receive services from another security policy. Select the parent policy.

    All services from the parent policy are inherited by the new policy.

  8. Click Next.
  9. In the Guest Introspection Services page, click the Add Guest Introspection Service (Add icon) icon.
    1. In the Add Guest Introspection Service dialog box, type a name and description for the service.
    2. Specify whether you want to apply the service or block it.

      When you inherit a security policy, you may choose to block a service from the parent policy.

      If you apply a service, you must select a service and service profile. If you block a service, you must select the type of service to block.

    3. If you chose to block the service, select the type of service.

      If you select Data Security, you must have a data security policy in place. See Data Security.

    4. If you chose to apply the Guest Introspection service, select the service name.

      The default service profile for the selected service is displayed, which includes information about the service functionality types supported by the associated vendor template.

    5. In State, specify whether you want to enable the selected Guest Introspection service or disable it.

      You can add Guest Introspection services as placeholders for services to be enabled at a later time. This is especially useful for cases where services need to be applied on-demand (for example, new applications).

    6. Select whether the Guest Introspection service is to be enforced (that is, it cannot be overridden). If the selected service profile supports multiple service functionality types, this is set to Enforce by default and cannot be changed.

      If you enforce a Guest Introspection service in a security policy, every policy that inherits this security policy applies it before its own services (the parent policy is applied before the child policies). If the service is not enforced, inheriting adds the parent policy after the child policies are applied.

    7. Click OK.

    You can add additional Guest Introspection services by following the above steps. You can manage the Guest Introspection services through the icons above the service table.

    You can export or copy the services on this page by clicking the export icon on the bottom right side of the Guest Introspection Services page.

  10. Click Next.
  11. On the Firewall page, click the Add Firewall Rule (Add icon) icon.

    Here, you are defining firewall rules for the security group(s) that this security policy will be applied to.

    1. Type a name and description for the firewall rule you are adding.
    2. Select Allow or Block to indicate whether the rule needs to allow or block traffic to the selected destination.
    3. Select the source for the rule. By default, the rule applies to traffic coming from the security groups to which this policy is applied. To change the default source, click Change and select the appropriate security groups.
    4. Select the destination for the rule.
      Note:

      Either the Source or Destination (or both) must be security groups to which this policy is applied.

      Say you create a rule with the default Source, specify the Destination as Payroll, and select Negate Destination. You then apply this security policy to the security group Engineering. This results in Engineering being able to access everything except the Payroll server.

    5. Select the services and/or service groups to which the rule applies.
    6. Select Enabled or Disabled to specify the rule state.
    7. Select Log to log sessions matching this rule.

      Enabling logging may affect performance.

    8. Click OK.

    You can add additional firewall rules by following the above steps. You can manage the firewall rules through the icons above the firewall table.

    You can export or copy the rules on this page by clicking the export icon on the bottom right side of the Firewall page.

    The firewall rules you add here are displayed in the Firewall table. VMware recommends that you do not edit Service Composer rules in the firewall table. If you must do so for emergency troubleshooting, you must re-synchronize Service Composer rules with firewall rules by selecting Synchronize Firewall Rules from the Actions menu in the Security Policies tab.

  12. Click Next.

    The Network Introspection Services page displays NetX services that you have integrated with your VMware virtual environment.

  13. Click the Add Network Introspection Service (Add icon) icon.
    1. In the Add Network Introspection Service dialog box, type a name and description for the service you are adding.
    2. Select whether or not to redirect to the service.
    3. Select the service name and profile.
    4. Select the source and destination.
    5. Select the network service that you want to add.

      You can make additional selections based on the service you selected.

    6. Select whether to enable or disable the service.
    7. Select Log to log sessions matching this rule.
    8. Click OK.

    You can add additional network introspection services by following the above steps. You can manage the network introspection services through the icons above the service table.

    You can export or copy the services on this page by clicking the export icon on the bottom right side of the Network Introspection Service page.

    Note:

    Bindings created manually for the Service Profiles used in Service Composer policies will be overwritten.

  14. Click Finish.

    The security policy is added to the policies table. You can click the policy name and select the appropriate tab to view a summary of the services associated with the policy, view service errors, or edit a service.
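The weight, precedence, inheritance and Negate Destination rules described in steps 6, 7, 9 and 11 above are easy to misread when they are spread across the dialog boxes, so here is a small Python model of them. This is an added example, not VMware's code and not the NSX API: the class names, the sample policies (Base, Engineering-Policy) and the security groups (Engineering, Payroll, Web) are constructed for illustration. It assumes the reading that a child's block entry removes a non-enforced parent service of the same type while an enforced parent service cannot be overridden, and that a Negate Destination rule with an Allow action leaves the negated destination to the default deny.

```python
# Added example (not VMware's code or API): a model of Service Composer
# security policy weight, precedence, inheritance and firewall rule matching.
from dataclasses import dataclass, field
from typing import List, Optional

WEIGHT_STEP = 1000  # NSX default: new policy weight = highest existing weight + 1000


@dataclass
class GIService:
    name: str
    service_type: str           # constructed type names, e.g. "Data Security"
    action: str = "apply"       # "apply" or "block" (block only meaningful with a parent)
    enforced: bool = False      # enforced services cannot be overridden by children


@dataclass
class FirewallRule:
    name: str
    action: str                         # "Allow" or "Block"
    source: Optional[str] = None        # None = the security group the policy is applied to
    destination: Optional[str] = None   # None = the applied-to security group
    negate_destination: bool = False    # the "Negate Destination" check box


@dataclass
class SecurityPolicy:
    name: str
    weight: int
    parent: Optional["SecurityPolicy"] = None
    services: List[GIService] = field(default_factory=list)
    rules: List[FirewallRule] = field(default_factory=list)


def default_weight(existing: List[SecurityPolicy]) -> int:
    """Weight NSX suggests for a new policy: highest existing weight + 1000.
    With no existing policies this model assumes a base of 0 (an assumption)."""
    highest = max((p.weight for p in existing), default=0)
    return highest + WEIGHT_STEP


def precedence(policies: List[SecurityPolicy]) -> List[SecurityPolicy]:
    """Order in which policies are listed and take precedence: higher weight first."""
    return sorted(policies, key=lambda p: p.weight, reverse=True)


def effective_services(policy: SecurityPolicy) -> List[GIService]:
    """Resolve inherited Guest Introspection services.

    Enforced parent services go before the child's own services; non-enforced
    parent services are added after them. A child 'block' entry removes a
    non-enforced parent service of that type (assumed interpretation of
    'cannot be overridden' for enforced services)."""
    own = [s for s in policy.services if s.action == "apply"]
    if policy.parent is None:
        return own
    blocked_types = {s.service_type for s in policy.services if s.action == "block"}
    inherited = effective_services(policy.parent)
    before = [s for s in inherited if s.enforced]
    after = [s for s in inherited
             if not s.enforced and s.service_type not in blocked_types]
    return before + own + after


def rule_permits(rule: FirewallRule, applied_to: str,
                 src_group: str, dst_group: str) -> Optional[bool]:
    """True/False if the rule matches the flow and allows/blocks it,
    None if the rule does not match (the flow falls through to the default)."""
    src = rule.source or applied_to
    dst = rule.destination or applied_to
    dst_match = (dst_group == dst)
    if rule.negate_destination:
        dst_match = not dst_match
    if src_group == src and dst_match:
        return rule.action == "Allow"
    return None


def build_example():
    """Constructed scenario: a Base policy with weight 1200, and a child policy
    that inherits it, blocks Data Security, and allows everything except Payroll."""
    base = SecurityPolicy("Base", weight=1200, services=[
        GIService("AV", "Anti Virus", enforced=True),
        GIService("DLP", "Data Security"),
    ])
    new_weight = default_weight([base])  # 1200 + 1000
    child = SecurityPolicy(
        "Engineering-Policy", weight=new_weight, parent=base,
        services=[GIService("Vuln", "Vulnerability Management"),
                  GIService("NoDLP", "Data Security", action="block")],
        rules=[FirewallRule("AllExceptPayroll", "Allow",
                            destination="Payroll", negate_destination=True)],
    )
    order = [p.name for p in precedence([base, child])]
    services = [s.name for s in effective_services(child)]
    rule = child.rules[0]
    to_payroll = rule_permits(rule, "Engineering", "Engineering", "Payroll")
    to_web = rule_permits(rule, "Engineering", "Engineering", "Web")
    return new_weight, order, services, to_payroll, to_web


if __name__ == "__main__":
    print(build_example())
```

Running it shows the new policy at weight 2200 listed above Base, the enforced Anti Virus service applied before the child's own service with the blocked Data Security service dropped, and the Negate Destination rule matching Engineering to Web but not Engineering to Payroll, which is why only the Payroll server stays unreachable.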

What to do next

Map the security policy to a security group.