In a cross-vCenter NSX environment, universal rules refer to the distributed firewall rules defined on the primary NSX Manager in the universal rules section. These rules are replicated on all secondary NSX Managers in your environment, which enables you to maintain a consistent firewall policy across vCenter boundaries. Edge firewall rules are not supported for vMotion between multiple vCenter Servers.

About this task

The primary NSX Manager can contain multiple universal sections for universal L2 rules and multiple universal sections for universal L3 rules. Universal sections are on top of all local and service composer sections. Universal sections and universal rules can be viewed but not edited on the secondary NSX Managers. The placement of the universal section with respect to the local section does not interfere with rule precedence.

Table 1. Objects supported for universal firewall rules

Source and Destination:

  • universal MAC set

  • universal IP set

  • universal security group, which can contain a universal security tag, an IP set, MAC set, or universal security group

  • universal logical switch

Applied To:

  • universal security group, which can contain a universal security tag, IP set, MAC set, or universal security group

  • universal logical switch

  • Distributed Firewall - applies rules on all clusters on which Distributed Firewall is installed

Service:

  • pre-created universal services and service groups

  • user-created universal services and service groups

Note that other vCenter objects are not supported for universal rules.

Prerequisites

You must create a universal rule section before you can create universal rules. See Add a Firewall Rule Section.

Procedure

  1. In the vSphere Web Client, navigate to Networking & Security > Firewall.
  2. In NSX Manager, ensure that the primary NSX Manager is selected.

    Universal rules can only be added on the primary NSX Manager.

  3. Ensure that you are in the General tab to add an L3 universal rule. Click the Ethernet tab to add an L2 universal rule.
  4. In the universal section, click the Add rule icon and then click Publish Changes.

    A new any/any allow rule is added at the top of the universal section.

  5. Point to the Name cell of the new rule and click . Type a name for the rule.
  6. Point to the Source cell of the new rule. Additional icons are displayed as described in the table below.

    Option: Click IP
    Description: To specify the source as an IP address.

    1. Select the IP address format.

      Firewall supports both IPv4 and IPv6 formats.

    2. Type the IP address.

    Option: Click
    Description: To specify a universal IPSet, MACSet, or security group as the source.

    1. In Object Type, select the container from which the communication originated.

      Objects for the selected container are displayed.

    2. Select one or more objects and click add.

      You can create a new security group or IPSet. Once you create the new object, it is added to the Source column by default. For information on creating a new security group or IPSet, see Network and Security Objects.

    3. To exclude a source from the rule, click Advanced options.

    4. Select Negate Source to exclude this source from the rule.

      If Negate Source is selected, the rule is applied to traffic coming from all sources except the source you specified in the previous step.

      If Negate Source is not selected, the rule applies only to traffic coming from the source you specified in the previous step.

    5. Click OK.

  7. Point to the Destination cell of the new rule. Additional icons are displayed as described in the table below.

    Option: Click IP
    Description: To specify the destination as an IP address.

    1. Select the IP address format.

      Firewall supports both IPv4 and IPv6 formats.

    2. Type the IP address.

    Option: Click
    Description: To specify a universal IPSet, MACSet, or security group as the destination.

    1. In Object Type, select the container that the communication is targeting.

      Objects for the selected container are displayed.

    2. Select one or more objects and click add.

      You can create a new security group or IPSet. Once you create the new object, it is added to the Destination column by default. For information on creating a new security group or IPSet, see Network and Security Objects.

    3. To exclude a destination from the rule, click Advanced options.

    4. Select Negate Destination to exclude this destination from the rule.

      If Negate Destination is selected, the rule is applied to traffic going to all destinations except the destination you specified in the previous step.

      If Negate Destination is not selected, the rule applies only to traffic going to the destination you specified in the previous step.

    5. Click OK.

  8. Point to the Service cell of the new rule. Additional icons are displayed as described in the table below.

    Option: Click port
    Description: To specify a service as a port and protocol combination.

    1. Select the service protocol.

      Distributed Firewall supports ALG (Application Level Gateway) for the following protocols: FTP, CIFS, ORACLE TNS, MS-RPC, and SUN-RPC.

    2. Type the port number and click OK.

    Option: Click
    Description: To select a pre-defined universal service or universal service group, or to define a new one.

    1. Select one or more objects and click add.

      You can create a new service or service group. Once you create the new object, it is added to the Selected Objects column by default.

    2. Click OK.

    To protect your network from ACK or SYN floods, you can set Service to TCP-all_ports or UDP-all_ports and set Action to Block for the default rule. For information on modifying the default rule, see Edit the Default Distributed Firewall Rule.

  9. Point to the Action cell of the new rule and click . Make appropriate selections as described in the table below and click OK.

    Action: Allow
    Results in: Allows traffic from or to the specified source(s), destination(s), and service(s).

    Action: Block
    Results in: Blocks traffic from or to the specified source(s), destination(s), and service(s).

    Action: Reject
    Results in: Sends a reject message for unaccepted packets. RST packets are sent for TCP connections. ICMP messages with the administratively prohibited code are sent for UDP, ICMP, and other IP connections.

    Action: Log
    Results in: Logs all sessions matching this rule. Enabling logging can affect performance.

    Action: Do not log
    Results in: Does not log sessions.

  10. In the Applied To cell, either accept the default setting, Distributed Firewall, to apply the rule on all clusters with Distributed Firewall enabled, or click the edit icon to select the universal logical switches on which the rule is to be applied.
  11. Click Publish Changes.
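The matching semantics the procedure above relies on (first match wins, with universal sections evaluated ahead of local and default sections; Negate Source and Negate Destination; Reject answering TCP with RST and other traffic with ICMP administratively prohibited), as an added Python model that is not part of NSX or of this documentation. It also shows why the any/any allow rule created in step 4 matches before any local rule until it is edited. Rule IDs, names, subnets and the sample policy are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class Rule:
    rule_id: int                        # system-generated; identical on every NSX Manager
    name: str
    action: str                         # "allow", "block" or "reject"
    sources: tuple = ()                 # CIDR strings; an empty tuple means "any"
    destinations: tuple = ()
    services: frozenset = frozenset()   # (protocol, port) pairs; empty means "any"
    negate_source: bool = False         # the rule's Negate Source checkbox
    negate_destination: bool = False    # the rule's Negate Destination checkbox

def _addr_match(addr, cidrs, negate):
    # No addresses listed means "any"; Negate flips the result so the rule
    # applies to all traffic except the listed objects.
    hit = not cidrs or any(ip_address(addr) in ip_network(c) for c in cidrs)
    return hit != negate

def _reject_response(proto):
    return "TCP RST" if proto == "tcp" else "ICMP administratively prohibited"

def evaluate(sections, src, dst, proto, port):
    """First match wins. `sections` is ordered the way the DFW walks them:
    universal section(s), then local sections, then the default section.
    Returns (rule_id, action, reject_response_or_None)."""
    for section in sections:
        for r in section:
            if (_addr_match(src, r.sources, r.negate_source)
                    and _addr_match(dst, r.destinations, r.negate_destination)
                    and (not r.services or (proto, port) in r.services)):
                resp = _reject_response(proto) if r.action == "reject" else None
                return r.rule_id, r.action, resp
    raise LookupError("no rule matched; the default section should always match")

# Constructed sample policy: rule IDs, names and subnets are made up.
UNIVERSAL = [
    Rule(1003, "web-to-db", "allow", ("10.0.1.0/24",), ("10.0.2.0/24",),
         frozenset({("tcp", 3306)})),
    Rule(1004, "others-to-db", "reject", ("10.0.1.0/24",), ("10.0.2.0/24",),
         negate_source=True),   # everything except 10.0.1.0/24 -> db subnet
]
LOCAL = [Rule(2001, "block-mgmt", "block", (), ("10.0.9.0/24",))]
DEFAULT = [Rule(1001, "default", "allow")]   # out-of-the-box any/any allow
POLICY = [UNIVERSAL, LOCAL, DEFAULT]

def with_new_universal_rule(policy):
    # Step 4: the new rule is published as any/any allow at the top of the
    # universal section, ahead of every local section.
    return [[Rule(1005, "new rule", "allow")] + policy[0]] + policy[1:]
```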

Results

The universal rule is replicated on all secondary NSX Managers. The Rule ID stays the same across all NSX instances. To display the Rule ID, click select columns and then click Rule ID.

Universal rules can be edited on the primary NSX Manager and are read only on secondary NSX Managers.

Figure: Firewall Rules, showing firewall rules with Universal Section Layer3 and Default Section Layer3.

What to do next

  • Disable a rule by clicking disable in the No. column, or enable a rule by clicking enable rule.

  • Display additional columns in the rule table by clicking select columns and selecting the appropriate columns.

    Column Name: Rule ID
    Information Displayed: Unique system-generated ID for each rule

    Column Name: Log
    Information Displayed: Whether traffic for this rule is being logged

    Column Name: Stats
    Information Displayed: Clicking stats shows the traffic related to this rule (traffic packets and size)

    Column Name: Comments
    Information Displayed: Comments for the rule

  • Search for rules by typing text in the Search field.

  • Move a rule up or down in the Firewall table.