Distributed firewall monitors all the East-West traffic on your virtual machines.
The procedure in this topic explains the workflow for adding firewall policies that are applied to the NSX Distributed Firewall or to specific groups with NSX-managed objects.
If your NSX environment has Antrea containers registered to it, you can create Distributed Firewall policies and apply them to Antrea container clusters. For more information, see:
Note: NSX does not support mixing the rules created with NSX-managed objects and with Antrea container cluster objects in the same Distributed Firewall policy. In other words, the firewall rules that you apply to NSX Distributed Firewall and to Antrea container clusters must be in separate policies.
Prerequisites
If you are creating rules for Identity Firewall, first create a group with Active Directory members. To view supported protocols for IDFW, see Identity Firewall Supported Configurations. When creating a DFW rule using guest introspection, make sure that the Applied to field applies to the destination group.
Note: For Identity Firewall rule enforcement, the Windows Time service should be on for all VMs using Active Directory. This ensures that the date and time are synchronized between Active Directory and the VMs. AD group membership changes, including enabling and deleting users, do not immediately take effect for logged-in users. For changes to take effect, users must log out and then log back in. AD administrators should force a logout when group membership is modified. This behavior is a limitation of Active Directory.
Note that if you are using a combination of Layer 7 and ICMP, or any other protocols, you need to put the Layer 7 firewall rules last. Any rules after a Layer 7 any/any rule will not be executed.
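As an added example (not VMware's code or the NSX Policy API), the following lint pass checks a policy definition for the two constraints in this topic: rules following a Layer 7 any/any rule are never evaluated (and Layer 7 rules should be ordered last), and NSX-managed objects must not be mixed with Antrea container objects in one policy. The rule dict layout, the `context_profiles` marker and the `object_kind` field are constructed simplifications.

```python
# Added example (not VMware's code): lint DFW policy definitions for two
# constraints stated in this topic. The dict layout is a constructed
# simplification, not the NSX Policy API schema.
ANY = "ANY"

def is_layer7(rule):
    # Constructed field: a rule carrying a context profile is a Layer 7 rule.
    return bool(rule.get("context_profiles"))

def is_any_any(rule):
    # Missing source/destination/services means "any" in this simplified layout.
    return all(rule.get(k, ANY) == ANY for k in ("source", "destination", "services"))

def lint_rule_order(rules):
    """Return (unreachable_ids, misordered_ids) for one policy's rule list:
    unreachable = rules after a Layer 7 any/any rule (never evaluated),
    misordered  = non-Layer-7 rules placed after a Layer 7 rule."""
    unreachable, misordered, seen_l7, shadowed = [], [], False, False
    for rule in rules:
        if shadowed:
            unreachable.append(rule["id"])
        elif is_layer7(rule):
            seen_l7 = True
            shadowed = is_any_any(rule)
        elif seen_l7:
            misordered.append(rule["id"])
    return unreachable, misordered

def lint_policy(policy):
    """Return a list of findings; an empty list means the policy is clean."""
    findings = []
    unreachable, misordered = lint_rule_order(policy["rules"])
    findings += [f"{r}: non-Layer-7 rule after a Layer 7 rule" for r in misordered]
    findings += [f"{r}: unreachable, follows a Layer 7 any/any rule" for r in unreachable]
    # Constructed field 'object_kind': 'nsx' (default) or 'antrea'.
    kinds = {rule.get("object_kind", "nsx") for rule in policy["rules"]}
    if len(kinds) > 1:
        findings.append(f"{policy['id']}: mixes NSX-managed and Antrea objects")
    return findings

# Constructed sample policy that violates both constraints.
SAMPLE_POLICY = {
    "id": "web-tier",
    "rules": [
        {"id": "allow-dns", "destination": "dns-servers", "services": ["DNS"]},
        {"id": "l7-http", "context_profiles": ["HTTP"]},   # Layer 7 any/any rule
        {"id": "block-icmp", "services": ["ICMP"]},        # never evaluated
        {"id": "antrea-ns", "source": "ns-a", "object_kind": "antrea"},
    ],
}
```

Running `lint_policy(SAMPLE_POLICY)` reports the two shadowed rules and the mixed object kinds; reorder so the Layer 7 any/any rule is last and move the Antrea rule into its own policy to get a clean result.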
For Federation-specific details on distributed firewall policy and rule creation, see Create DFW Policies and Rules from Global Manager.