The following terms are used throughout the distributed firewall documentation.
Construct | Definition |
---|---|
Applied-To | Defines the scope of enforcement per policy, and is used mainly for optimization of resources on ESXi hosts. It helps in defining a targeted policy for specific zones, tenants or applications, without interfering with other policy defined for other applications, tenants and zones. Groups consisting of only IP addresses, MAC Addresses, or Active Directory groups cannot be used in the Applied To text box. |
Context Profile | Defines context aware attributes including APP-ID and domain name. Also includes sub attributes such as application version, or cipher set. Firewall rules can include a context profile to enable Layer-7 firewall rules. |
Firewall Categories | NSX processes firewall rules for both distributed and gateway firewalls through five categories: Ethernet, Emergency, Infrastructure, Environment and Application. Categories are evaluated from left to right (Ethernet > Emergency > Infrastructure > Environment > Application), and the distributed firewall rules within the category are evaluated top down. |
Firewall Draft | A draft is a complete distributed firewall configuration with policy sections and rules. Drafts can be auto saved or manually saved, and immediately published or saved for publishing at a later date. |
Group | Groups include different objects that are added both statically and dynamically, and can be used as the source and destination field of a firewall rule. Groups can be configured to contain a combination of virtual machines, IP sets, MAC sets, logical ports, logical switches, AD user groups, and other nested groups. Dynamic inclusion of groups can be based on tag, machine name, OS name, or computer name. When you create a group, you must include a domain that it belongs to, and by default this is the default domain. Groups were previously called NSGroup or security group. |
Redirection Policy | Ensures that traffic classified for a specific service chain is redirected to that service chain. It is defined by a traffic pattern, which matches an NSX security group, together with a service chain. All traffic matching the pattern is redirected along the service chain. |
Rule | A set of parameters against which flows are evaluated, defining which action is taken on a match. Rules include parameters such as source and destination, service, context profile, logging, and tags. |
Service | Defines a combination of port and protocol. Used to classify traffic based on port and protocol. Pre-defined services and user-defined services can be used in firewall rules. |
Service Chain | A logical sequence of service profiles defined by an administrator. Service profiles introspect network traffic in the order defined in the service chain; for example, the first service profile is a firewall, the second is a monitor, and so on. Service chains can specify different sequences of service profiles for different directions of traffic (egress/ingress). |
Policy | A security policy includes various security elements including firewall rules and service configurations. Policy was previously called a firewall section. |
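The Firewall Categories, Rule, Group and Applied-To entries above describe one evaluation algorithm: categories are checked left to right, rules within a category top down, the first matching rule decides, and a rule is only enforced on the workloads in its Applied-To scope. The following Python model shows that algorithm in action. It is an added example written for this page, not NSX code; the VM names, tags, group definitions and rules are constructed, the model ignores Layer-2 (Ethernet) rules, context profiles and stateful flow tracking, and the `default_action` parameter stands in for NSX's own default rule, whose action depends on the deployment.

```python
from dataclasses import dataclass
from typing import Optional

# Category order as stated in the NSX documentation: evaluated left to right.
CATEGORIES = ["Ethernet", "Emergency", "Infrastructure", "Environment", "Application"]
ANY = "any"

# Constructed inventory (assumption, not real data): VM name -> set of tags.
INVENTORY = {
    "web-01": {"tier:web", "env:prod"},
    "web-02": {"tier:web", "env:prod", "quarantine"},
    "db-01": {"tier:db", "env:prod"},
    "jump-01": {"role:jumphost"},
}

# Groups resolved dynamically from a tag, as the Group entry allows (constructed).
GROUPS = {
    "Web": "tier:web",
    "DB": "tier:db",
    "Jump": "role:jumphost",
    "Prod": "env:prod",
    "Quarantine": "quarantine",
}


def members(group_name: str) -> set:
    """Resolve a group (or 'any') to the set of VM names currently matching its tag."""
    if group_name == ANY:
        return set(INVENTORY)
    tag = GROUPS[group_name]
    return {vm for vm, tags in INVENTORY.items() if tag in tags}


@dataclass(frozen=True)
class Rule:
    name: str
    category: str            # one of CATEGORIES
    source: str              # group name or ANY
    destination: str         # group name or ANY
    service: tuple           # (protocol, port); (ANY, None) matches everything
    action: str              # "allow", "drop" or "reject"
    applied_to: str = ANY    # group on whose workloads the rule is enforced


@dataclass(frozen=True)
class Flow:
    src_vm: str
    dst_vm: str
    protocol: str
    port: Optional[int]


def rule_matches(rule: Rule, flow: Flow) -> bool:
    # Applied-To: the rule exists only on vNICs of workloads in its scope,
    # so a flow touching none of them never sees the rule.
    scope = members(rule.applied_to)
    if flow.src_vm not in scope and flow.dst_vm not in scope:
        return False
    if flow.src_vm not in members(rule.source):
        return False
    if flow.dst_vm not in members(rule.destination):
        return False
    proto, port = rule.service
    if proto != ANY and (proto != flow.protocol or port != flow.port):
        return False
    return True


def evaluate(rules: list, flow: Flow, default_action: str = "drop") -> tuple:
    """Return (action, rule_name) for the first matching rule.

    Categories are walked left to right; Python's sort is stable, so rules of
    the same category keep the top-down order in which they were listed.
    """
    for rule in rules:
        if rule.category not in CATEGORIES:
            raise ValueError(f"unknown category {rule.category!r} in rule {rule.name}")
    ordered = sorted(rules, key=lambda r: CATEGORIES.index(r.category))
    for rule in ordered:
        if rule_matches(rule, flow):
            return rule.action, rule.name
    return default_action, "default"


# Constructed policy. The Emergency rule is listed last on purpose: category
# order, not list position, decides that it is evaluated first.
RULES = [
    Rule("web-to-db", "Application", "Web", "DB", ("tcp", 5432), "allow"),
    Rule("jump-ssh", "Application", "Jump", "Prod", ("tcp", 22), "allow", applied_to="Prod"),
    Rule("web-icmp", "Application", ANY, ANY, ("icmp", None), "allow", applied_to="Web"),
    Rule("quarantine-block", "Emergency", "Quarantine", ANY, (ANY, None), "drop"),
]

if __name__ == "__main__":
    for f in [Flow("web-01", "db-01", "tcp", 5432),
              Flow("web-02", "db-01", "tcp", 5432),
              Flow("db-01", "jump-01", "icmp", None)]:
        print(f, "->", evaluate(RULES, f))
```

Two of the sample flows are worth reading closely: `web-02` is a member of `Web`, so the Application rule would allow its database traffic, but the Emergency category is evaluated first and the quarantine rule drops it; and the ICMP rule is applied only to `Web`, so an ICMP flow between `db-01` and `jump-01` never encounters it and falls to the default action.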