Layer 7 App IDs are used in creating context profiles with distributed firewall rules. For gateway firewall rules, Layer 7 App IDs are used in creating context profiles or an L7 access profile.
NSX provides built-in App IDs for common infrastructure and enterprise applications. App ID sub-attributes include protocol versions (SSL/TLS and CIFS/SMB) and cipher suites (SSL/TLS). For the distributed firewall, App IDs are used in rules through context profiles, and can be combined with FQDN allowlisting and denylisting.
Note:
- Gateway firewall rules do not support the use of FQDN attributes or other sub attributes in context profiles.
- Context profiles are not supported on tier-0 gateway firewall policy.
Supported App IDs and FQDNs:
- To use FQDN attributes, configure a high-priority rule with the DNS App ID for the specified DNS servers on port 53.
- SYSLOG App ID is detected only on standard ports.
Design Guidelines for Context Profiles:
- For performance and security reasons, a single context profile including a single App ID should be combined with the corresponding port(s) defined in the L4 service field.
- A single distributed firewall rule containing multiple ports defined in the L4 service field is supported only with a single context profile, where the context profile contains the corresponding App IDs to the defined ports in the L4 service field.
- In specific rare use cases where multiple context profiles per firewall rule are required and the above-mentioned implications have been evaluated, the L4 service field supports the configuration ANY.
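The notes and design guidelines above amount to a small set of checks that can be applied to a rule set before it is published. The following is an added example, not code from the NSX documentation or product: a lint pass over rules expressed as plain dicts. The field names (scope, services, profiles, app_ids, fqdn) and the service catalog are assumptions constructed for this example, not the NSX Policy API schema; rule order is taken as priority order.

```python
"""Lint firewall rules against the context-profile guidelines on this page.

Added example, not part of the NSX documentation or product. Rules and context
profiles are plain dicts; the field names ("scope", "services", "profiles",
"app_ids", "fqdn") are assumptions chosen for this example, not the NSX Policy
API schema. The service catalog below is constructed for illustration.
"""
from typing import Dict, List

ANY = "ANY"

# Constructed catalog: L4 service name -> port and the App ID that belongs with it.
SERVICE_CATALOG: Dict[str, dict] = {
    "HTTPS": {"port": 443, "app_id": "SSL"},
    "HTTP": {"port": 80, "app_id": "HTTP"},
    "DNS-UDP": {"port": 53, "app_id": "DNS"},
    "SMB": {"port": 445, "app_id": "SMB"},
}


def is_dns_rule(rule: dict) -> bool:
    """True for the high-priority DNS App ID rule on port 53 that FQDN rules need."""
    on_53 = any(SERVICE_CATALOG.get(s, {}).get("port") == 53 for s in rule.get("services", []))
    has_dns = any("DNS" in p["app_ids"] for p in rule.get("profiles", []))
    return on_53 and has_dns


def lint_rule(rule: dict, dns_rule_seen: bool) -> List[str]:
    """Return guideline violations for one rule; dns_rule_seen tells whether a
    DNS App ID rule on port 53 already appeared earlier (at higher priority)."""
    name = rule["name"]
    scope = rule.get("scope", "dfw")  # assumed values: "dfw", "tier1-gateway", "tier0-gateway"
    profiles = rule.get("profiles", [])
    services = rule.get("services", [ANY])
    uses_fqdn = any(p.get("fqdn") for p in profiles)
    findings: List[str] = []

    if not profiles:
        return findings  # plain L4 rule, nothing to check

    # Notes from the page: no context profiles on tier-0, no FQDN attributes on any gateway.
    if scope == "tier0-gateway":
        findings.append(f"{name}: context profiles are not supported on tier-0 gateway policy")
    if scope.endswith("gateway") and uses_fqdn:
        findings.append(f"{name}: gateway rules do not support FQDN attributes in context profiles")

    if len(profiles) > 1:
        # Multiple context profiles per rule only with the L4 service field set to ANY.
        if services != [ANY]:
            findings.append(f"{name}: multiple context profiles require L4 service ANY")
    elif services == [ANY]:
        # Preferred pattern: one profile, one App ID, paired with its port(s).
        findings.append(f"{name}: pair profile {profiles[0]['name']} with its L4 port(s) instead of ANY")
    else:
        # Several ports are fine with a single profile that covers each port's App ID.
        for svc in services:
            expected = SERVICE_CATALOG.get(svc, {}).get("app_id")
            if expected and expected not in profiles[0]["app_ids"]:
                findings.append(f"{name}: service {svc} needs App ID {expected} in profile {profiles[0]['name']}")

    # FQDN filtering in the DFW needs a higher-priority DNS App ID rule on port 53.
    if scope == "dfw" and uses_fqdn and not dns_rule_seen:
        findings.append(f"{name}: FQDN used but no higher-priority DNS App ID rule on port 53 precedes it")
    return findings


def lint_policy(rules: List[dict]) -> List[str]:
    """Lint an ordered rule list; earlier rules have higher priority."""
    findings: List[str] = []
    dns_seen = False
    for rule in rules:
        findings.extend(lint_rule(rule, dns_seen))
        dns_seen = dns_seen or is_dns_rule(rule)
    return findings


# Constructed sample policy: the first three rules follow the guidelines, the rest do not.
SAMPLE_RULES = [
    {"name": "allow-dns", "services": ["DNS-UDP"], "profiles": [{"name": "DNS", "app_ids": ["DNS"]}]},
    {"name": "allow-web", "services": ["HTTPS", "HTTP"],
     "profiles": [{"name": "WEB", "app_ids": ["SSL", "HTTP"]}]},
    {"name": "allow-saas", "services": ["HTTPS"],
     "profiles": [{"name": "SAAS", "app_ids": ["SSL"], "fqdn": ["*.example.com"]}]},
    {"name": "bad-any", "services": [ANY], "profiles": [{"name": "SMB", "app_ids": ["SMB"]}]},
    {"name": "bad-multi", "services": ["HTTPS"],
     "profiles": [{"name": "A", "app_ids": ["SSL"]}, {"name": "B", "app_ids": ["HTTP"]}]},
    {"name": "bad-missing", "services": ["HTTPS", "HTTP"],
     "profiles": [{"name": "SSL-only", "app_ids": ["SSL"]}]},
]

if __name__ == "__main__":
    for finding in lint_policy(SAMPLE_RULES):
        print(finding)
```

Running the block prints one finding for each of the three "bad-" rules; reordering the sample so that the FQDN rule precedes the DNS rule adds a fourth finding, which is the situation the FQDN note above warns about.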
Procedure
- Create a custom context profile (see Profiles).
- Use the context profile in a distributed firewall rule or a gateway firewall rule (see Add a Distributed Firewall or Add a Gateway Firewall Policy and Rule).