Identity Firewall (IDFW) enables configuration of distributed firewall rules based on Active Directory user groups.

User context is processed at the source: IDFW must know which virtual desktop (or physical workload) an Active Directory user has logged onto in order to apply firewall rules, and user identity can be used only as a source in firewall rules, never as a destination. There are two methods of logon detection:
  • Guest Introspection (GI)
  • Event log scraping

Block Rule Configuration with Guest Introspection

  • Enable Identity Firewall. Go to Security > Distributed Firewall > Settings > Identity Firewall Settings.
  • Once IDFW is enabled, there is the option to enable it on specific clusters or on all standalone hosts. For this example, we will enable IDFW on the compute cluster.
  • Add an Active Directory domain by navigating to System > Identity Firewall AD. The users or groups from this AD domain will be used in the source field of a firewall rule.
  • Create a group by navigating to Inventory > Groups and clicking Add Group. For this example, we'll create a group called Developers, with members from the AD group. This group will be used in the source field of the firewall rule.
  • Create an IDFW policy that blocks SSH traffic for users who belong to the Developers AD group. Rule definition: if any user in the Developers AD group accesses any destination on TCP 22 (SSH), the connection is rejected. Create a firewall rule with the Developers group as the Source, SSH as the Service, and Reject as the Action.
    Rule Name                 Source      Destination  Services  Context Profiles  Applied To  Action
    Block SSH for Developers  Developers  Any          SSH       None              DFW         Reject

Allow Rule Configuration with Guest Introspection

  • Enable Identity Firewall. Go to Security > Distributed Firewall > Settings > Identity Firewall Settings.
  • Once IDFW is enabled, there is the option to enable it on specific clusters or on all standalone hosts. For this example, we will enable IDFW on the compute cluster.
  • Add an Active Directory domain by navigating to System > Identity Firewall AD. The users or groups from this AD domain will be used in the source field of a firewall rule.
  • Create a group by navigating to Inventory > Groups and clicking Add Group. For this example, we'll create a group called NSX, with members from the AD group. This group will be used in the source field of the firewall rule.
  • Create a dynamic security group named Web based on VM name criteria.
  • Create two firewall rules: one that allows traffic from a group of users to a destination, and one that drops traffic from all other users to the same destination. In the example below, the first rule, named IDFW Rule, has the group NSX as the source and is applied to the VM where the users log in (user-vm-01). The rule is not applied to the members of the group Web, because IDFW user context is processed at the source. The second rule, Deny Everything, drops traffic from all other sources on that same VM. Rule order matters: Deny Everything must sit below IDFW Rule, because the distributed firewall evaluates rules top-down and applies the first match.
    Rule Name        Source  Destination  Services  Context Profiles  Applied To  Action
    IDFW Rule        NSX     Web          HTTPS     None              user-vm-01  Allow
    Deny Everything  Any     Any          Any       None              user-vm-01  Drop

Allow/Deny Rule Configuration with Event Log Scraping

  • Prerequisite: prepare the physical workload as an NSX transport node first. This makes the physical server part of the NSX inventory, and once it is in the inventory it can be used in the Applied To field of a DFW rule. See "Preparing Physical Servers as NSX Transport Nodes" in the NSX Installation Guide.
  • Enable Identity Firewall. Go to Security > Distributed Firewall > Settings > Identity Firewall Settings.
  • Once IDFW is enabled, there is the option to enable it on specific clusters or on all standalone hosts. For this example, we will enable IDFW on the compute cluster.
  • Add an Active Directory domain by navigating to System > Identity Firewall AD, and configure an Event Log Server for that IDFW Active Directory domain. The users or groups from this AD domain will be used in the source field of a firewall rule.
  • Turn on event log scraping by navigating to Security > General Settings > Identity Firewall Event Log Sources. When using event log scraping, ensure that NTP is correctly configured across all devices, so that the timestamps of the logon events read from the domain controllers can be trusted. Event log scraping enables IDFW for physical devices. It can also be used for virtual machines; however, where both are available, Guest Introspection takes precedence over event log scraping.
  • Create a group by navigating to Inventory > Groups and clicking Add Group. This group will be used in the source field of the firewall rule.
  • Create a dynamic security group named Web based on VM name criteria.
  • Create two firewall rules: one that allows traffic from a group of users to a destination, and one that drops traffic from all other users to the same destination. In the example below, the first rule, named IDFW Rule, has the group NSX as the source and is applied to the physical server JS-Physical where the users log in. The rule is not applied to the members of the group Web, because IDFW user context is processed at the source. The second rule, Deny Everything, drops traffic from all other sources on that same server.
    Rule Name        Source  Destination  Services  Context Profiles  Applied To   Action
    IDFW Rule        NSX     Web          HTTPS     None              JS-Physical  Allow
    Deny Everything  Any     Any          Any       None              JS-Physical  Drop
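The three procedures above (the SSH block rule, the Guest Introspection allow/deny pair, and the event log scraping allow/deny pair) all end in the same kind of DFW objects. The following is an added example, not VMware's code or part of the original page: it builds those objects as NSX Policy API payloads and lints them against the IDFW constraints the page states (user identity only as a source, the rule applied to the workload the user logs on to rather than the destination, and a deny rule below the allow rule). The resource types and object paths follow the NSX-T Policy API; the group IDs, the AD distinguished names, the VM-name prefix, and the groups assumed to hold the Applied To workloads (user-vm-01, JS-Physical) are placeholders chosen for this example.

```python
"""Builds the NSX Policy API objects for the three IDFW rule sets on this page
and lints them against the IDFW constraints the page states.

Added example, not VMware code. Resource types and object paths follow the
NSX-T Policy API (PUT /policy/api/v1<path>); the group IDs, AD distinguished
names, VM-name prefix and the groups used in Applied To are placeholders.
"""
import json

ANY = "ANY"                            # "Any" / "DFW" in the UI
DOMAIN = "/infra/domains/default"
AD_BASE_DN = "DC=corp,DC=example"      # placeholder for the domain added under System > Identity Firewall AD


def group_path(group_id):
    return f"{DOMAIN}/groups/{group_id}"


def identity_group(group_id, ad_group_cn):
    """Group whose members are the users of one AD group (usable only as a rule source)."""
    return {"resource_type": "Group", "id": group_id, "display_name": group_id,
            "expression": [{"resource_type": "IdentityGroupExpression",
                            "identity_groups": [{"distinguished_name": f"CN={ad_group_cn},CN=Users,{AD_BASE_DN}",
                                                 "domain_base_distinguished_name": AD_BASE_DN}]}]}


def vm_name_group(group_id, prefix):
    """Dynamic group of VMs whose name starts with prefix (the Web group)."""
    return {"resource_type": "Group", "id": group_id, "display_name": group_id,
            "expression": [{"resource_type": "Condition", "member_type": "VirtualMachine",
                            "key": "Name", "operator": "STARTSWITH", "value": prefix}]}


def rule(rule_id, src, dst, services, scope, action):
    """One DFW rule; src, dst and scope (Applied To) are lists of group paths or ANY."""
    return {"resource_type": "Rule", "id": rule_id, "display_name": rule_id,
            "source_groups": src, "destination_groups": dst, "services": services,
            "scope": scope, "action": action}


def policy(policy_id, rules):
    return {"resource_type": "SecurityPolicy", "id": policy_id, "display_name": policy_id,
            "category": "Application", "rules": rules}


def lint_idfw_policy(pol, identity_paths):
    """Return a list of IDFW mistakes in a policy; empty when the policy is sound."""
    problems, open_allows = [], []
    for r in pol["rules"]:
        ident_src = bool(set(r["source_groups"]) & identity_paths)
        if set(r["destination_groups"]) & identity_paths:
            problems.append(f"{r['id']}: user identity is valid only as a source, not a destination")
        # User context is processed at the source, so an identity rule must be applied
        # to the workload the user logs on to (or to the whole DFW), not to the destination.
        if ident_src and set(r["scope"]) & (set(r["destination_groups"]) - {ANY}):
            problems.append(f"{r['id']}: applied to the destination; apply it to the source workload or DFW")
        if ident_src and r["action"] == "ALLOW":
            open_allows.append(r)
        elif r["action"] in ("DROP", "REJECT"):
            # A later deny on the same workload is what stops users outside the group.
            open_allows = [a for a in open_allows
                           if not (ANY in r["scope"] or set(a["scope"]) <= set(r["scope"]))]
    for a in open_allows:
        problems.append(f"{a['id']}: allow rule for a user group with no deny below it; other users still pass")
    return problems


SSH, HTTPS = "/infra/services/SSH", "/infra/services/HTTPS"       # NSX built-in services
DEV, NSX_USERS, WEB = group_path("Developers"), group_path("NSX"), group_path("Web")
USER_VM, PHYSICAL = group_path("user-vm-01"), group_path("JS-Physical")  # assumed groups holding the Applied To workloads
IDENTITY = {DEV, NSX_USERS}

PAGE_OBJECTS = {
    "groups": [identity_group("Developers", "Developers"), identity_group("NSX", "NSX"),
               vm_name_group("Web", "web-")],
    "policies": [
        policy("IDFW-Block-SSH",
               [rule("Block-SSH-for-Developers", [DEV], [ANY], [SSH], [ANY], "REJECT")]),
        policy("IDFW-Allow-Web-GI",
               [rule("IDFW-Rule", [NSX_USERS], [WEB], [HTTPS], [USER_VM], "ALLOW"),
                rule("Deny-Everything", [ANY], [ANY], [ANY], [USER_VM], "DROP")]),
        policy("IDFW-Allow-Web-Physical",
               [rule("IDFW-Rule", [NSX_USERS], [WEB], [HTTPS], [PHYSICAL], "ALLOW"),
                rule("Deny-Everything", [ANY], [ANY], [ANY], [PHYSICAL], "DROP")]),
    ],
}

# Two mistakes the linter is meant to catch: an identity group used as the destination,
# and an identity allow rule applied to the Web servers with no deny below it.
WRONG = policy("IDFW-Wrong",
               [rule("Users-as-destination", [WEB], [NSX_USERS], [HTTPS], [WEB], "ALLOW"),
                rule("Applied-to-Web", [NSX_USERS], [WEB], [HTTPS], [WEB], "ALLOW")])


def api_requests(objects):
    """(method, path, body) triples in dependency order: groups first, then policies."""
    reqs = [("PUT", f"/policy/api/v1{DOMAIN}/groups/{g['id']}", g) for g in objects["groups"]]
    reqs += [("PUT", f"/policy/api/v1{DOMAIN}/security-policies/{p['id']}", p) for p in objects["policies"]]
    return reqs


if __name__ == "__main__":
    for p in PAGE_OBJECTS["policies"] + [WRONG]:
        print(p["id"], lint_idfw_policy(p, IDENTITY) or "ok")
    for method, path, body in api_requests(PAGE_OBJECTS):
        print(method, path, json.dumps(body)[:70] + "...")
```

api_requests only returns the PUT calls in the order the manager needs them (groups before the policies that reference them); sending them with an HTTP client against your NSX Manager is deliberately left out so the block runs offline. The three page rule sets lint clean, while the IDFW-Wrong policy reports the identity group in the destination field, the rule applied to the Web group instead of the logon workload, and the missing deny below the allow.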