Layer 7 App IDs are used in creating context profiles with distributed firewall rules. For gateway firewall rules, Layer 7 App IDs are used in creating context profiles or an L7 access profile.

NSX provides built-in App IDs for common infrastructure and enterprise applications. App IDs include version attributes (SSL/TLS and CIFS/SMB) and cipher suite attributes (SSL/TLS). For the distributed firewall, App IDs are used in rules through context profiles, and can be combined with FQDN allowlisting and denylisting.

Note:
  • Gateway firewall rules do not support the use of FQDN attributes or other sub-attributes in context profiles.
  • Context profiles are not supported on tier-0 gateway firewall policy.
Supported App IDs and FQDNs:
  • For FQDN, users need to configure a high priority rule with a DNS App ID for the specified DNS servers on port 53.
  • SYSLOG App ID is detected only on standard ports.
Design Guidelines for Context Profiles:
  • For performance and security reasons, a single context profile including a single App ID should be combined with the corresponding port(s) defined in the L4 service field.
  • A single distributed firewall rule containing multiple ports defined in the L4 service field is supported only with a single context profile, where that context profile contains the App IDs corresponding to the ports defined in the L4 service field.
  • In rare use cases where multiple context profiles per firewall rule are required and the implications mentioned above have been evaluated, the L4 service field supports the configuration ANY.
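A small linter for the notes and design guidelines above, as an added example that is not NSX code: it checks rules against the gateway/FQDN restriction, the single-profile/port correspondence, the multiple-profiles-require-ANY guideline, and the high-priority DNS rule needed for FQDN. The rule and profile shapes are a constructed, simplified representation (an assumption), not the NSX API.

```python
from dataclasses import dataclass, field

# Constructed mapping of well-known ports to the App ID expected in the profile
# (assumption for this example; NSX ships many more built-in App IDs).
PORT_TO_APP_ID = {443: "SSL", 445: "SMB", 53: "DNS", 514: "SYSLOG"}


@dataclass
class ContextProfile:
    name: str
    app_ids: list = field(default_factory=list)   # e.g. ["SSL"]
    fqdns: list = field(default_factory=list)     # e.g. ["*.example.com"] (constructed)


@dataclass
class Rule:
    name: str
    scope: str       # "dfw" (distributed) or "gateway"
    ports: list      # L4 service field; an empty list stands for ANY
    profiles: list   # ContextProfile objects attached to the rule


def lint_rule(rule):
    """Return guideline violations for one rule (empty list = compliant)."""
    findings = []
    any_service = not rule.ports
    if rule.scope == "gateway" and any(p.fqdns for p in rule.profiles):
        findings.append("gateway rule: FQDN attributes in context profiles are not supported")
    if len(rule.profiles) > 1 and not any_service:
        findings.append("multiple context profiles: L4 service field must be ANY")
    if len(rule.profiles) == 1 and rule.profiles[0].app_ids:
        profile = rule.profiles[0]
        if any_service:
            findings.append(f"profile {profile.name}: combine its App ID(s) with the matching port(s)")
        for port in rule.ports:
            expected = PORT_TO_APP_ID.get(port)
            if expected and expected not in profile.app_ids:
                findings.append(f"port {port}: profile {profile.name} lacks App ID {expected}")
    return findings


def lint_ruleset(rules):
    """Lint rules ordered from highest to lowest priority, adding the cross-rule
    check that an FQDN rule is preceded by a DNS App ID rule on port 53."""
    report = {r.name: lint_rule(r) for r in rules}
    dns_rule_seen = False
    for r in rules:
        if 53 in r.ports and any("DNS" in p.app_ids for p in r.profiles):
            dns_rule_seen = True
        elif any(p.fqdns for p in r.profiles) and not dns_rule_seen:
            report[r.name].append("FQDN rule: no higher-priority DNS App ID rule on port 53")
    return report
```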

Procedure

  1. Create a custom context profile; see Profiles.
  2. Use the context profile in a distributed firewall rule or a gateway firewall rule; see Add a Distributed Firewall or Add a Gateway Firewall Policy and Rule.