Identity firewall (IDFW) enables configuration of distributed firewall rules based on Active Directory user group. User context is processed at the source: IDFW must know which virtual desktop (or physical workload) an Active Directory user has logged on to in order to apply the rules on that workload's traffic. User identity can therefore be used only as the source of a firewall rule, not as the destination. There are two methods for logon detection:
- Guest Introspection (GI)
- Event log scraping
Block Rule Configuration with Guest Introspection
- Enable Identity Firewall. Go to .
- Once IDFW is enabled, there is the option to enable it over specific clusters or over all standalone hosts. For this example, we will enable IDFW on the compute cluster.
- Add an Active Directory domain by navigating to . The users or groups from the AD will be used in the source field of a firewall rule.
- Create a group by navigating to and clicking Add Group. For this example, we'll create a group called Developers, with members from the AD group. This group will be used in the source field of the firewall rule.
- Create an IDFW policy to block SSH traffic for users that belong to the Developers AD group. Rule definition: if <any user in the Developers AD group> accesses <any destination on TCP 22 / SSH>, the connection is rejected. Create a firewall rule with the Developers group as the Source, SSH as the Service, and Reject as the Action. Because the rule is applied to the whole DFW, it is enforced on whichever workload the Developers user logs on to.

Rule Name                 Source      Destination  Services  Context Profiles  Applied To  Action
Block SSH for Developers  Developers  Any          SSH       None              DFW         Reject
Allow Rule Configuration with Guest Introspection
- Enable Identity Firewall. Go to .
- Once IDFW is enabled, there is the option to enable it over specific clusters or over all standalone hosts. For this example, we will enable IDFW on the compute cluster.
- Add an Active Directory domain by navigating to . The users or groups from the AD will be used in the source field of a firewall rule.
- Create a group by navigating to and clicking Add Group. For this example, we'll create a group called NSX, with Active Directory group members. This group will be used in the source field of the firewall rule.
- Create a dynamic security group named Web based on VM name criteria.
- Create two firewall rules: one that allows traffic from a group of users to a destination, and one that blocks all other users to the same destination. In the example below, the first rule, named IDFW Rule, has the group NSX as the source and Web as the destination, and is applied to user-vm-01, the VM where the users log in. The rule is not applied to the members of the Web group, because IDFW user context is processed at the source: the user-to-VM mapping exists only on the login VM, so a rule applied to the destination would never match. The second rule, Deny Everything, is applied to the same VM and drops traffic from all other users, so that users outside the NSX group do not fall through to the default rule.

Rule Name        Source  Destination  Services  Context Profiles  Applied To   Action
IDFW Rule        NSX     Web          HTTPS     None              user-vm-01   Allow
Deny Everything  Any     Any          Any       None              user-vm-01   Drop
Allow/Deny Rule Configuration with Event Log Scraping
- Prerequisite: the physical workload must first be prepared as an NSX transport node. This makes the physical server part of the NSX inventory, and once it is part of the inventory it can be used in the "Applied To" field of a DFW rule. See "Preparing Physical Servers as NSX Transport Nodes" in the NSX Installation Guide.
- Enable Identity Firewall. Go to .
- Once IDFW is enabled, there is the option to enable it over specific clusters or over all standalone hosts. For this example, we will enable IDFW on the compute cluster.
- Add an Active Directory domain by navigating to . The users or groups from the AD will be used in the source field of a firewall rule. Configure an Event Log Server for your IDFW Active Directory domain.
- Turn on event log scraping by navigating to . When using event log scraping, ensure that NTP is correctly configured across all devices, since logon events are correlated by their timestamps. Event log scraping enables IDFW for physical devices. It can also be used for virtual machines; however, on a VM where Guest Introspection is available, Guest Introspection takes precedence over event log scraping.
- Create a group by navigating to and clicking Add Group. This group will be used in the source field of the firewall rule.
- Create a dynamic security group named Web based on VM name criteria.
- Create two firewall rules: one that allows traffic from a group of users to a destination, and one that blocks all other users to the same destination. In the example below, the first rule, named IDFW Rule, has the group NSX as the source and Web as the destination, and is applied to JS-Physical, the physical server where the users log in. The rule is not applied to the members of the Web group, because IDFW user context is processed at the source. The second rule, Deny Everything, is applied to the same server and drops traffic from all other users.

Rule Name        Source  Destination  Services  Context Profiles  Applied To   Action
IDFW Rule        NSX     Web          HTTPS     None              JS-Physical  Allow
Deny Everything  Any     Any          None      None              JS-Physical  Drop
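The three configurations above, expressed as NSX Policy API payloads, with a lint pass for the constraints the text calls out (identity only as Source, Applied To on the login VM or host rather than the destination, and a catch-all deny after the allow). This is an added example, not code from the NSX documentation or from VMware. The field names follow the NSX-T Policy API (a Group with an IdentityGroupExpression, a SecurityPolicy containing Rule objects, PATCH under /policy/api/v1); the AD domain, the group and policy IDs, and the assumption that user-vm-01 / JS-Physical are represented by a group usable in Applied To are made-up values for illustration.

```python
"""Added example (not from the NSX docs): build NSX Policy API payloads for the
IDFW rules above and lint them for the pitfalls the text describes. Field names
follow the NSX-T Policy API; AD domain, group IDs, policy IDs and the login-host
group path are assumptions."""
import json

POLICY_API = "/policy/api/v1"
GROUPS = "/infra/domains/default/groups"
AD_BASE_DN = "DC=corp,DC=example"          # assumed AD domain registered in IDFW

# Assumed group IDs. Applied To takes group paths, so the login VM / physical
# transport node is assumed to sit in a group named after it.
DEVELOPERS = f"{GROUPS}/Developers"
NSX_USERS = f"{GROUPS}/NSX"
WEB = f"{GROUPS}/Web"                      # dynamic group on VM name (destination)
LOGIN_HOSTS = f"{GROUPS}/user-vm-01"       # where the users log in (Applied To)
IDENTITY_GROUPS = {DEVELOPERS, NSX_USERS}  # groups whose members are AD users


def identity_group(group_id, ad_group_dn):
    """Group whose membership is an AD group; NSX fills it from logon events."""
    return {"resource_type": "Group", "display_name": group_id,
            "expression": [{"resource_type": "IdentityGroupExpression",
                            "identity_groups": [{
                                "distinguished_name": ad_group_dn,
                                "domain_base_distinguished_name": AD_BASE_DN}]}]}


def rule(name, seq, src, dst, services, scope, action):
    """One DFW rule. scope is the Applied To column; profiles ANY = no context profile."""
    return {"resource_type": "Rule", "display_name": name, "sequence_number": seq,
            "source_groups": src, "destination_groups": dst, "services": services,
            "profiles": ["ANY"], "scope": scope, "action": action}


def policy(policy_id, rules):
    return {"resource_type": "SecurityPolicy", "display_name": policy_id,
            "category": "Application", "rules": rules}


def lint_idfw_policy(pol, identity_groups=IDENTITY_GROUPS):
    """Return findings; an empty list means the policy respects the IDFW constraints."""
    findings = []
    rules = sorted(pol["rules"], key=lambda r: r["sequence_number"])
    for r in rules:
        n = r["display_name"]
        # Users are matched only at the source of a connection.
        if set(r["destination_groups"]) & identity_groups:
            findings.append(f"{n}: identity group in Destination; users match as Source only")
        # User context is processed at the source, so Applied To must be the
        # login VM/host. Applying the rule to the destination never matches.
        if (set(r["scope"]) & set(r["destination_groups"])) - {"ANY"}:
            findings.append(f"{n}: Applied To is the destination group; apply it where users log in")
        if r["action"] not in ("ALLOW", "DROP", "REJECT"):
            findings.append(f"{n}: unknown action {r['action']}")
    # An identity ALLOW needs a later catch-all DROP/REJECT with the same Applied To,
    # otherwise every other user reaches the destination through the default rule.
    for i, r in enumerate(rules):
        if r["action"] == "ALLOW" and set(r["source_groups"]) & identity_groups:
            covered = any(o["source_groups"] == ["ANY"] and o["destination_groups"] == ["ANY"]
                          and o["action"] in ("DROP", "REJECT") and o["scope"] == r["scope"]
                          for o in rules[i + 1:])
            if not covered:
                findings.append(f"{r['display_name']}: no catch-all deny after the allow for {r['scope']}")
    return findings


def api_calls(groups, policies):
    """(method, path, body) in apply order: groups first so policies can reference them."""
    calls = [("PATCH", f"{POLICY_API}{GROUPS}/{g['display_name']}", g) for g in groups]
    calls += [("PATCH", f"{POLICY_API}/infra/domains/default/security-policies/{p['display_name']}", p)
              for p in policies]
    return calls


# Block rule: reject SSH from any Developers user, applied across the whole DFW.
block_ssh = policy("Block-SSH-for-Developers", [
    rule("Block SSH for Developers", 10, [DEVELOPERS], ["ANY"],
         ["/infra/services/SSH"], ["ANY"], "REJECT")])

# Allow/deny pattern (GI or event log scraping): NSX users to Web over HTTPS,
# everyone else dropped, both applied to the login VM / physical host, not to Web.
allow_web = policy("IDFW-Allow-Web", [
    rule("IDFW Rule", 10, [NSX_USERS], [WEB], ["/infra/services/HTTPS"], [LOGIN_HOSTS], "ALLOW"),
    rule("Deny Everything", 20, ["ANY"], ["ANY"], ["ANY"], [LOGIN_HOSTS], "DROP")])

if __name__ == "__main__":
    groups = [identity_group("Developers", f"CN=Developers,CN=Users,{AD_BASE_DN}"),
              identity_group("NSX", f"CN=NSX,CN=Users,{AD_BASE_DN}")]
    for pol in (block_ssh, allow_web):
        print(pol["display_name"], lint_idfw_policy(pol) or "OK")
    for method, path, body in api_calls(groups, [block_ssh, allow_web]):
        print(method, path, json.dumps(body)[:72], "...")
```

Run it as-is and both policies lint clean; change the IDFW Rule's scope to the Web group and the linter reports that Applied To points at the destination and that no catch-all deny follows, which is exactly the configuration that silently lets every other user through. The payloads are only printed here; to push them, send each PATCH to the NSX Manager with normal authentication, groups before policies.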