With time windows, security administrators can restrict traffic from a source or to a destination, for a specific time period.

Time-based rules are available for distributed and gateway firewalls on ESXi hosts. Time windows apply to a firewall policy section, and all the rules in it. Each firewall policy section can have one time window. The same time window can be applied to more than one policy section.

In NSX 4.0.1.1 and later, time-based rules are supported on both Local Managers and Global Managers in NSX Federation. Time can be specified in UTC for all sites, or time can be specified per local time zone. If you want the same rule applied on different days or different times for different sites, you must create more than one policy section.

Prerequisites

Network Time Protocol (NTP) is an Internet protocol used for clock synchronization between computer clients and servers. NTP service must be running on each transport node when using time-based rule publishing.

If the time zone is changed on the edge transport node after the node is deployed, reload the edge node or restart the data plane for the time-based gateway firewall policy to take effect.

For details, see Configuring NTP on Appliances and Transport Nodes.

Procedure

  1. Navigate to Security > Distributed Firewall.
  2. Click the clock icon on the firewall policy you want to have a time window.
    A time window appears.
  3. Click Add New Time Window and enter a name.
  4. Select a time zone: UTC (Coordinated Universal Time), or the local time of the transport node. Distributed firewall only supports UTC with NTP service enabled. A change of time zone configuration is not supported.
  5. Select the frequency of the time window - Weekly or One time.
  6. Select the days of the week that the time window takes effect.
    NSX supports configuring weekly UTC time windows for the local time zone when the entire time window for the local time zone is within the same day as the UTC time zone. For example, you cannot configure a time window in UTC for 7am-7pm PDT, which maps to UTC 2pm-2am of the next day.
  7. Select the beginning and ending dates for the time window, and the times the window will be in effect.
  8. Click Save.
  9. Click the check box next to the policy section you want to have a time window. Then click the clock icon.
  10. Select the time window you want to apply, and click Apply.
  11. Click Publish. The clock icon for the section turns green.

    For the first publication of a time-based rule, the time is taken, and rule enforcement begins in less than 2 minutes. After the rules are deployed, enforcement according to the time window is instantaneous.
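
The same-day restriction in step 6 can be checked before a weekly window is entered in UTC. The following Python sketch is an added example, not part of the NSX documentation or product. It assumes a strict reading of the rule (start and end must fall on the same calendar day in UTC as locally), and the PST offset and all function names are constructed for illustration. It goes slightly beyond the page by also checking a second offset, because a window defined in UTC does not follow local daylight-saving changes.

```python
from datetime import datetime, time, timedelta, timezone
from typing import NamedTuple

# Fixed offsets, constructed for this example. PDT is the zone in the page's
# example; PST is added to show the effect of a daylight-saving change.
PDT = timezone(timedelta(hours=-7), "PDT")
PST = timezone(timedelta(hours=-8), "PST")

_REF_DAY = datetime(2024, 1, 1).date()  # arbitrary reference date


class UtcWindow(NamedTuple):
    start: time           # window start as UTC wall-clock time
    end: time             # window end as UTC wall-clock time
    start_day_shift: int  # UTC date minus local date at window start
    end_day_shift: int    # UTC date minus local date at window end
    fits: bool            # True if the window stays on the same day in UTC


def local_to_utc_window(start: time, end: time, tz: timezone) -> UtcWindow:
    """Map a local same-day window to UTC and check the same-day rule.

    Assumption (strict reading of the page): the window is accepted only if
    its start and end fall on the same calendar day in UTC as locally.
    """
    if end <= start:
        raise ValueError("local window must start before it ends on one day")
    utc_start = datetime.combine(_REF_DAY, start, tzinfo=tz).astimezone(timezone.utc)
    utc_end = datetime.combine(_REF_DAY, end, tzinfo=tz).astimezone(timezone.utc)
    s_shift = (utc_start.date() - _REF_DAY).days
    e_shift = (utc_end.date() - _REF_DAY).days
    return UtcWindow(utc_start.time(), utc_end.time(), s_shift, e_shift,
                     s_shift == 0 and e_shift == 0)


def fits_all_offsets(start: time, end: time, offsets) -> bool:
    """A weekly window must fit under every offset the site observes in a year."""
    return all(local_to_utc_window(start, end, tz).fits for tz in offsets)


if __name__ == "__main__":
    print(local_to_utc_window(time(7), time(19), PDT))   # the page's example
    print(local_to_utc_window(time(7), time(15), PDT))
    print(fits_all_offsets(time(8), time(16, 30), [PDT, PST]))
```

A nonzero day shift at either end means the window cannot be entered as a single weekly UTC window under this reading. Shorten the window or split it across separate policy sections.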