You can create distributed and gateway firewall rules from the Global Manager with global, regional or local spans.

NSX Federation security provides the following benefits:
  • Consistent security policy across your deployments managed using NSX Federation.
  • Effective disaster recovery, ensuring continuity of the established security framework.
  • Extension of network and security framework to another location if you are running out of compute resources in one location.

Distributed and gateway firewall policies and rules created from the Global Manager are synced to Local Managers and appear in the Local Managers with a GM icon. Rules created from the Global Manager can be edited only from the Global Manager; they cannot be edited from Local Managers.

In NSX 4.0.1.1 and later, distributed firewall is activated and deactivated with one button at the Global Manager level. A change of distributed firewall enforcement is reported at the Global Manager level and cannot be overridden at the Local Manager level. To activate distributed firewall on the Global Manager, navigate to Security > Distributed Firewall > Actions > General Settings, and toggle the Distributed Services Status switch.

NSX Federation of Distributed Firewall (DFW) Policies and Rules

Use this example to understand the supported firewall workflows:

  • In the example, the Global Manager has three Local Managers registered with it, named: Location1, Location2 and Location3.
  • The Global Manager auto-creates the following regions:
    • Global
    • Location1
    • Location2
    • Location3
  • You create a customized region named: Region1 that includes Local Managers Location2 and Location3.
  • You create the following groups:
    • Group1: Region Global.
    • Group2: Region Location1.
    • Group3: Region Location2.
    • Group4: Region Location3.
    • Group5: Region Region1.

DFW Policies and Rules

The following use cases are supported:

  • Group Span: You can create groups in the Global Manager with a global, local or regional span. See Create Groups from Global Manager.
  • Dynamic Groups: You can create groups based on dynamic criteria, such as tags.
  • DFW Policy Span: DFW policies can be applied to a global, regional or local span.
  • DFW Rule's Source and Destination Groups: Either all the groups in the source field or all the groups in the destination field must match the DFW policy's span. The system auto-creates groups in locations that are outside the policy's span.

    Refer to the table for examples of valid and invalid source and destination groups in DFW rules:

    Table 1. Valid Source and Destination for a DFW rule based on the DFW Policy's Span

    DFW Policy Span (Applied To): Global
    From the example, this region contains the following groups:
    • Group1
    For a DFW policy with the span of the Global region, all groups are allowed in the DFW rule's source and destination. Following are some typical scenarios that are supported, using our example:
    • Source: Group2; Destination: Group3
    • Source: Group3; Destination: Group4
    • Source: Group4; Destination: Any
    • Source: Group1; Destination: Group2

    DFW Policy Span (Applied To): Location1 (auto-created region for the Local Manager in location 1)
    From the example, this region contains the following groups:
    • Group2
    For a DFW policy with the span of one location (Location1 in this example), either the source or the destination group for the DFW rule must belong to Location1.
    The following scenarios are supported:
    • Source: Group2; Destination: Group2
    • Source: Group3; Destination: Group2
    • Source: Group2; Destination: Group4
    • Source: Group1; Destination: Group2
    The following are examples of unsupported group selections for this policy span; in each, both the source and the destination groups are outside the policy's span:
    • Source: Group5; Destination: Group3
    • Source: Group1; Destination: Group3

    DFW Policy Span (Applied To): Region1 (user-created region that spans Location2 and Location3)
    From the example, this region contains the following groups:
    • Group5
    For a DFW policy with the span of a user-created region (Region1 in this example), either the source or the destination group for the DFW rule must contain locations that belong to Region1.
    The following scenarios are supported:
    • Source: Group5; Destination: Group2
    • Source: Group2; Destination: Group5
    • Source: Group2; Destination: Group3
    • Source: Group3; Destination: Group4
    • Source: Any; Destination: Group5
    • Source: Group4; Destination: Any
    The following are examples of unsupported group selections for this policy span; in each, both the source and the destination groups are outside the policy's span:
    • Source: Group2; Destination: Group2
    • Source: Group1; Destination: Group2
    • Source: Group1; Destination: Group1
  • If a group contains segments, the span of the DFW policy must be greater than or equal to the span of the segment. For example, if you have a group containing a segment whose span is Location1, the DFW policy cannot be applied to region Region1 because it only contains Location2 and Location3.

NSX Federation of Gateway Firewall Policies and Rules

Gateway firewall rules can be applied to all the locations included in the gateway's span, or all interfaces of a particular location, or specific interfaces of one or more locations.
Note: The span of the source and destination groups for gateway firewall rules must be the same as or a subset of the gateway's span on which you are creating the rule.
Table 2. Span Options for Gateway Firewall Rules
  • Gateway Firewall Rule's Span (Applied To): Apply rule to gateway.
    Applies to: The rule applies to all interfaces attached to this gateway, in all locations that this gateway is stretched to.
  • Gateway Firewall Rule's Span (Applied To): Select a location and then select Apply rule to all Entities.
    Applies to: The rule applies only to the selected location.
  • Gateway Firewall Rule's Span (Applied To): Select a location and then select interfaces from that location. Repeat for other locations, selecting interfaces for each location that you want to apply the rule to.
    Applies to: The rule applies only to the selected interfaces.
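The span checks from Table 1, the segment bullet in the DFW section, and the Note on gateway firewall rules, as an added Python example that is not NSX code. It uses this page's example regions and groups; the gateway span passed to the last function is a constructed sample, and "Any" is modelled as an empty field.

```python
# Added example (not NSX code): encodes the span checks described on this page
# for DFW rules (Table 1 and the segment bullet) and for gateway firewall rules
# (the Note). Region, location and group names are the page's example.

LOCATIONS = frozenset({"Location1", "Location2", "Location3"})

# Regions auto-created by the Global Manager, plus the user-created Region1.
REGIONS = {
    "Global": LOCATIONS,
    "Location1": frozenset({"Location1"}),
    "Location2": frozenset({"Location2"}),
    "Location3": frozenset({"Location3"}),
    "Region1": frozenset({"Location2", "Location3"}),
}

# Group name -> region span, as defined in the page's example.
GROUPS = {
    "Group1": "Global",
    "Group2": "Location1",
    "Group3": "Location2",
    "Group4": "Location3",
    "Group5": "Region1",
}

ANY = ()  # an empty field stands for "Any"; it never satisfies the check by itself


def field_matches_span(groups, span_locations):
    """True when the field holds at least one group and every group's span
    lies entirely within the given set of locations."""
    return bool(groups) and all(REGIONS[GROUPS[g]] <= span_locations for g in groups)


def dfw_rule_is_valid(policy_span, source, destination):
    """Table 1: all source groups OR all destination groups must match the
    DFW policy's span. A Global policy span therefore admits every group."""
    span = REGIONS[policy_span]
    return field_matches_span(source, span) or field_matches_span(destination, span)


def dfw_policy_covers_segment(policy_span, segment_span):
    """Segment bullet: a group containing a segment may only be used by a
    policy whose span is greater than or equal to the segment's span."""
    return REGIONS[segment_span] <= REGIONS[policy_span]


def gateway_rule_groups_ok(gateway_locations, source, destination):
    """Gateway Note: every group on either side must be the same as or a
    subset of the gateway's span (a constructed set of locations here)."""
    return all(REGIONS[GROUPS[g]] <= gateway_locations for g in source + destination)
```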