You can create distributed and gateway firewall rules from the Global Manager with global, regional or local spans.
- Consistent security policy across your deployments managed using NSX Federation.
- Effective disaster recovery ensuring continuity of established security framework.
- Extension of network and security framework to another location if you are running out of compute resources in one location.
Distributed and gateway firewall policies and rules created from the Global Manager are synced to the Local Managers and appear there with an icon. Rules created from the Global Manager can be edited only from the Global Manager; they cannot be edited from a Local Manager.
In NSX 4.0.1.1 and later, the distributed firewall is activated and deactivated with one button at the Global Manager level. A change to distributed firewall enforcement is reported at the Global Manager level and cannot be overridden at the Local Manager level. To activate the distributed firewall on the Global Manager, navigate to , and toggle the Distributed Services Status switch.
NSX Federation of Distributed Firewall (DFW) Policies and Rules
Use this example to understand the supported firewall workflows:
- In the example, the Global Manager has three Local Managers registered with it, named Location1, Location2 and Location3.
- The Global Manager auto-creates the following regions:
  - Global
  - Location1
  - Location2
  - Location3
- You create a customized region named Region1 that includes the Local Managers Location2 and Location3.
- You create the following groups:
  - Group1: Region Global.
  - Group2: Region Location1.
  - Group3: Region Location2.
  - Group4: Region Location3.
  - Group5: Region Region1.
DFW Policies and Rules
The following use cases are supported:
- Group Span: You can create groups in the Global Manager with a global, local or regional span. See Create Groups from Global Manager.
- Dynamic Groups: You can create groups based on dynamic criteria, such as tags.
- DFW Policy Span: DFW policies can be applied to a global, regional or local span.
- DFW Rule's Source and Destination Groups: Either all the groups in the source field or all the groups in the destination field must match the DFW policy's span. The system auto-creates groups in locations that are outside the policy's span. Refer to the table for examples of valid and invalid source and destination groups in DFW rules:
Table 1. Valid Source and Destination for a DFW rule based on the DFW Policy's Span

| DFW Policy Span (Applied To) | Scenarios supported in DFW rules |
|---|---|
| Global. From the example, this region contains the following group: Group1. | For a DFW policy with the span of the Global region, all groups are allowed in the DFW rule's source and destination. Typical supported scenarios from the example: Source Group2, Destination Group3; Source Group3, Destination Group4; Source Group4, Destination Any; Source Group1, Destination Group2. |
| Location1: auto-created region for the Local Manager in location 1. From the example, this region contains the following group: Group2. | For a DFW policy with the span of one location (Location1 in this example), either the source or the destination group of the DFW rule must belong to Location1. Supported scenarios: Source Group2, Destination Group2; Source Group3, Destination Group2; Source Group2, Destination Group4; Source Group1, Destination Group2. Unsupported, because both the source and the destination groups are outside the policy's span: Source Group5, Destination Group3; Source Group1, Destination Group3. |
| Region1: user-created region that spans Location2 and Location3. From the example, this region contains the following group: Group5. | For a DFW policy with the span of a user-created region (Region1 in this example), either the source or the destination group of the DFW rule must contain locations that belong to Region1. Supported scenarios: Source Group5, Destination Group2; Source Group2, Destination Group5; Source Group2, Destination Group3; Source Group3, Destination Group4; Source Any, Destination Group5; Source Group4, Destination Any. Unsupported, because both the source and the destination groups are outside the policy's span: Source Group2, Destination Group2; Source Group1, Destination Group2; Source Group1, Destination Group1. |
- If a group contains segments, the span of the DFW policy must be greater than or equal to the span of the segment. For example, if you have a group containing a segment whose span is Location1, the DFW policy cannot be applied to region Region1 because it only contains Location2 and Location3.
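As an added example (constructed for this page, not NSX's own validation code), the following Python models the two constraints just described: a rule's source groups or destination groups must all fall inside the policy span, and the policy span must cover every segment in the rule's groups. Region, location and group names are the ones from the example above; Group6 and its segment span are assumptions added for the segment check.

```python
# Added illustration of the span rules described above: constructed example
# code, not NSX's own validation logic. Region, location and group names are
# those from the page's example; Group6 and SEGMENT_SPANS are constructed here.

# Each region mapped to the locations (Local Managers) it contains.
# The Global region is modelled as every registered location.
REGIONS = {
    "Global": {"Location1", "Location2", "Location3"},
    "Location1": {"Location1"},
    "Location2": {"Location2"},
    "Location3": {"Location3"},
    "Region1": {"Location2", "Location3"},  # user-created region
}

# Each group mapped to the region it was created with (its span).
GROUPS = {
    "Group1": "Global",
    "Group2": "Location1",
    "Group3": "Location2",
    "Group4": "Location3",
    "Group5": "Region1",
    "Group6": "Location1",  # constructed: a group that contains a segment
}

# Constructed: Group6 contains one segment whose span is Location1.
SEGMENT_SPANS = {"Group6": ["Location1"]}


def group_matches_span(group, policy_span):
    """A group matches a policy span when every location in the group's
    span lies inside the policy span. 'Any' matches every span."""
    if group == "Any":
        return True
    return REGIONS[GROUPS[group]] <= REGIONS[policy_span]


def check_rule(policy_span, sources, destinations):
    """Return (ok, reason) for a rule placed in a policy with the given span."""
    # Either all source groups or all destination groups must match the span.
    src_ok = all(group_matches_span(g, policy_span) for g in sources)
    dst_ok = all(group_matches_span(g, policy_span) for g in destinations)
    if not (src_ok or dst_ok):
        return False, "all source and all destination groups are outside the policy span"
    # The policy span must cover the span of every segment in the rule's groups.
    for g in sources + destinations:
        for seg_span in SEGMENT_SPANS.get(g, []):
            if not REGIONS[seg_span] <= REGIONS[policy_span]:
                return False, f"{g} contains a segment spanning {seg_span}, beyond {policy_span}"
    return True, "ok"
```

Each supported and unsupported row of Table 1 can be replayed through check_rule; a rule with several groups in one field is accepted only if every group in that field matches.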
NSX Federation of Gateway Firewall Policies and Rules
| Gateway Firewall Rule's Span (Applied To) | Applies to |
|---|---|
| Apply rule to gateway | The rule applies to all interfaces attached to this gateway, in all locations that this gateway is stretched to. |
| Select a location and then select Apply rule to all Entities. | The rule applies only to the selected location. |
| Select a location and then select interfaces from that location. Repeat for other locations, selecting interfaces for each location that you want to apply the rule to. | The rule applies only to the selected interfaces. |