When an NSX project is realized successfully, the system creates default gateway firewall and distributed firewall rules to govern the default behavior of the north-south traffic and east-west traffic for the workloads in the NSX project.

Overview

The firewall rules in a project apply only to the VMs in the project. That is, VMs that are connected to the segments in the project. The firewall rules in a project do not impact workloads outside the project.

In the following subsections, the term "base license" refers to any of the following two licenses:

  • NSX Networking for VMware Cloud Foundation
  • Solution License for VCF
Distributed Firewall

The base license entitles the system to only the NSX networking features. You cannot configure the distributed firewall security feature. To add or edit distributed firewall rules in an NSX project, you must apply an appropriate security license in the system.

If a security license is not applied, the system-created default distributed firewall rules are not activated in the project. The default firewall rules exist in the project, but they are inactive in the project. You cannot edit the default firewall rules and neither you can activate them in the project.

Gateway Firewall

The base license entitles the system to add or edit only stateless gateway firewall rules in the project. To add or edit stateful gateway firewall and stateless gateway firewall rules in a project, you must apply an appropriate security license in the system.

The default gateway firewall policy in a project is a stateful policy. When a security license is not applied in the system, you can edit only the rule action of the stateful gateway firewall rule. No other edits are allowed in the default rule. You cannot change the state of the default gateway firewall policy from stateful to stateless.

Default DFW Rules in a Project

The default distributed firewall (DFW) policy appears at the bottom of the policy list in the Application firewall category. The default policy defines the behavior for VMs within the project if no other rules are encountered.

The following naming convention is used to identify the default DFW policy in a project:

PROJECT-<Project_Name>-Default Layer 3 section

Project_Name is replaced with the actual value in your system.

For example, the following screen capture shows the default DFW policy rules in a project.


This screen capture is described in the surrounding text.

As seen in this screen capture, the default policy is applied to DFW, and it contains the following firewall rules:

  • Rule 1002 allows IPv6-ICMP traffic.
  • Rule 1003 allows communication to the DHCPv4 client and server.
  • Rule 1004 allows communication to the DHCPv6 client and server. (Introduced in NSX 4.1.1)
  • Rule 1005 allows communication between workload VMs within the project.
  • Rule 1006 drops all other communication that does not match any of the above rules.

The default DFW policy ensures that VMs within a project can only reach other VMs in the same project, including the DHCP server. Communication with VMs outside the project is blocked. The VMs that are connected to the segments inside the project cannot ping their default gateway, by default. If such a communication is required, you must add new rules or modify existing rules in the default DFW policy.

User-created DFW Rules in a Project

The Infrastructure, Environment, and Application DFW firewall categories are supported for projects within the organization. Inside each firewall category, the DFW rules are enforced in the following order of precedence:
  1. DFW rules in the default space (highest precedence)
  2. DFW rules in the project
  3. E-W firewall rules in the NSX VPCs within the project (lowest precedence)

The DFW rules in the default space can extend to a project.

Note: The DFW rules in the default space apply to every VM in the NSX deployment, including the VMs in the projects. However, you can restrict the scope of the rules in the default space by selecting the Groups option from the Applied To setting in the UI.

For instance, you can choose to apply the rules to the project default group (PROJECT-<Project_Name>-default). The project default group contains only the workload VMs of a project.

DFW rules inside a project can access the following groups:
  • Groups that are created in the project.
  • Groups that are shared with the project.

Groups that are shared with the projects can be used only in the Source or Destination fields of the firewall rules, and not in the Applied To field of the firewall rules.

If NSX VPCs are added in a project, the system-created default groups in NSX VPCs can be used in the Source, Destination, and Applied To fields of the project firewall rules. However, the user-created groups in NSX VPCs cannot be used in project firewall rules.

Adding DFW Policy in a Project

The UI workflow for adding a DFW policy in a project remains the same as it currently exists for adding policies in the Default view (default space) of your NSX deployment.

The only difference is that in the UI, you must first select a project from the project switcher drop-down menu on the application bar at the top, and then navigate to Security > Distributed Firewall to add DFW policies in that selected project.

Default Gateway Firewall Rule in a Project

The default gateway firewall policy of a project is a stateful policy, which contains a single firewall rule, as shown in the following screen capture.


This image is described in the surrounding text.

The default rule allows all traffic through the project gateway firewall, by default. You can modify only the rule action of this default rule. All other fields in this rule are not editable.

As mentioned earlier in the Overview section of this documentation, the base license entitles the system to add or edit only stateless gateway firewall rules in a project. To add or edit both stateful gateway firewall and stateless gateway firewall rules in a project, you must apply an appropriate security license in the system.

Adding Gateway Firewall Policy in a Project

The UI workflow for adding a gateway firewall policy in a project remains the same as it currently exists for adding gateway firewall policies in the Default view (default space) of your NSX deployment.

The only difference is that in the UI, you must first select a project from the project switcher drop-down menu on the application bar at the top, and then navigate to Security > Gateway Firewall > Gateway Specific Rules to add gateway firewall policies on the selected project tier-1 gateway.