Customers can configure and manage the Enhanced Firewall Services (EFS) using the Firewall functionality in VMware SASE Orchestrator.

Before You Begin

For the EFS feature to work:
  • Ensure the Edge version is upgraded to 5.2.0.0.
  • Ensure the EFS feature is activated at the Enterprise level. If it is not, contact your Operator to have it activated. An Operator can activate the EFS feature from the SD-WAN > Global Settings > Customer Configuration > SD-WAN Settings > Feature Access UI page.

Configure EFS Rule Settings at the Profile Level

  1. In the SD-WAN service of the Enterprise portal, go to Configure > Profiles. The Profiles page displays the existing Profiles.
  2. To configure a Profile Firewall, click the link to the Profile and then click the Firewall tab. Alternatively, you can also click the View link in the Firewall column of the Profile.
  3. The Firewall page appears.
  4. Turn ON the Enhanced Firewall Services toggle button to activate the EFS feature for all Edges associated with the Profile. By default, this feature is not activated.
  5. Under Firewall Rules, you can create a new EFS rule or modify an existing firewall rule for EFS settings.
    • To create a new EFS rule:
      1. Click the + New Rule button.
      2. In the Rule Name text box, enter a unique name for the Rule. To create a firewall rule from an existing rule, select the rule to be duplicated from the Duplicate Rule drop-down menu.
      3. Configure the Match conditions and Firewall Actions to be performed when the traffic matches the defined match criteria. For more information, see Configure Firewall Rule.
      4. Select the IDS/IPS checkbox and turn on either the IDS or the IPS toggle. If you turn on only IPS, IDS is turned on automatically, because prevention depends on detection. The EFS engine inspects traffic sent and received through the Edges and matches its content against the signatures configured in the engine.
        Note: EFS can be activated in a rule only if the Firewall action is Allow. If the Firewall action is anything other than Allow, EFS is deactivated for that rule.
        • Intrusion Detection System - When IDS is activated on an Edge, the Edge compares each traffic flow against the signatures configured in the engine to decide whether the flow is malicious. If an attack is detected, the EFS engine generates an alert and sends it to the SASE Orchestrator or Syslog server (provided Firewall logging is activated in Orchestrator). IDS never drops packets.
        • Intrusion Prevention System - When IPS is activated on an Edge, detection works the same way, but the engine also acts on the action of the signature that matched. If the matching signature's action is "Reject", the EFS engine generates an alert and blocks the traffic flow to the client. If the signature's action is "Alert", the engine only generates an alert and the traffic is allowed through without dropping any packets, even though IPS is configured. In other words, IPS drops traffic only for signatures whose action is Reject; for every other signature it behaves like IDS.
        Note: VMware recommends that customers do not activate VNF when IDS/IPS is activated on Edges.
      5. To send the EFS logs to Orchestrator, turn on the Capture EFS Log toggle button.
        Note: For an Edge to send Firewall logs to Orchestrator, the "Enable Firewall Logging to Orchestrator" customer capability must be activated at the Customer level on the "Global Settings" UI page. Contact your Operator if you want the Firewall Logging feature to be activated.
      6. Click Create.
    • To modify an existing firewall rule for EFS settings:
      1. Under the Firewall Rules area of the Profile Firewall page, click the link under the Rule name column of an existing firewall to be modified.
      2. Modify the IDS/IPS settings and click Edit.
  6. Click Save Changes.
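The IDS/IPS behaviour described in step 4 and the logging condition in step 5 can be summarized as a small decision model. The Python below is an added illustration written for this page, not VMware code and not an Orchestrator API: the EfsRule class, the "Allow"/"Drop" verdict strings, the "Deny" placeholder standing in for any non-Allow firewall action, and the assumption that the customer-level "Enable Firewall Logging to Orchestrator" capability gates delivery of an EFS alert are all assumptions made for the example.

```python
"""Decision model of the EFS rule semantics documented above.

Illustrative only (not VMware code). Names, verdict strings and the
logging-gate assumption are choices made for this example.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class EfsRule:
    name: str
    firewall_action: str          # "Allow" or any other firewall action
    ids: bool = False
    ips: bool = False
    capture_efs_log: bool = False  # the "Capture EFS Log" toggle


def effective_efs(rule: EfsRule) -> dict:
    """Resolve what is actually applied for a rule:
    - EFS is active only when the firewall action is Allow;
    - turning on IPS implicitly turns on IDS."""
    if rule.firewall_action != "Allow":
        return {"ids": False, "ips": False}
    ips = rule.ips
    ids = rule.ids or ips
    return {"ids": ids, "ips": ips}


def evaluate_flow(rule: EfsRule, signature_action: Optional[str],
                  orchestrator_logging: bool = True) -> dict:
    """Decide what happens to one flow that matched `rule`.

    signature_action: None when no EFS signature matched, otherwise the
        matched signature's own action ("Alert" or "Reject").
    orchestrator_logging: the customer-level "Enable Firewall Logging to
        Orchestrator" capability (assumed here to gate alert delivery).
    """
    if rule.firewall_action != "Allow":
        # The firewall action itself decides; EFS is deactivated on this rule.
        return {"verdict": rule.firewall_action, "alert": False, "logged": False}
    efs = effective_efs(rule)
    if not efs["ids"] or signature_action is None:
        # Nothing to inspect with, or nothing matched: plain Allow.
        return {"verdict": "Allow", "alert": False, "logged": False}
    # A signature matched and at least IDS is active: an alert is always raised.
    alert = True
    # Only IPS drops, and only for signatures whose action is Reject.
    verdict = "Drop" if (efs["ips"] and signature_action == "Reject") else "Allow"
    logged = alert and rule.capture_efs_log and orchestrator_logging
    return {"verdict": verdict, "alert": alert, "logged": logged}


def run_scenarios() -> list:
    """Walk constructed cases (not captured from a real Edge) and return
    (rule name, signature action, verdict, alert raised) per case."""
    allow_ids = EfsRule("web-ids", "Allow", ids=True, capture_efs_log=True)
    allow_ips = EfsRule("web-ips", "Allow", ips=True, capture_efs_log=True)
    deny_ips = EfsRule("blocked", "Deny", ips=True)   # EFS never applies here
    cases = [
        (allow_ids, None),      # clean flow, IDS rule
        (allow_ids, "Reject"),  # IDS alerts but never drops
        (allow_ips, "Alert"),   # IPS with an Alert-only signature: pass-through
        (allow_ips, "Reject"),  # IPS with a Reject signature: dropped
        (deny_ips, "Reject"),   # non-Allow action: EFS deactivated
    ]
    out = []
    for rule, sig in cases:
        r = evaluate_flow(rule, sig)
        out.append((rule.name, sig, r["verdict"], r["alert"]))
    return out


if __name__ == "__main__":
    for name, sig, verdict, alert in run_scenarios():
        print(f"{name:8s} signature={str(sig):6s} verdict={verdict:5s} alert={alert}")
```

The model makes the two easily missed consequences explicit: an IPS rule whose matching signature is marked "Alert" lets the flow through exactly as IDS would, and an EFS-enabled rule whose firewall action is not Allow never inspects anything because the action is applied first.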

Configure EFS Rule Settings at the Edge Level

  1. In the SD-WAN service of the Enterprise portal, go to Configure > Edges. The Edges page displays the existing Edges.
  2. To configure an Edge, click the link to the Edge or click the View link in the Firewall column of the Edge.
  3. Click the Firewall tab.
  4. To override the inherited EFS settings for a specific Edge, select the Override checkbox and turn on the toggle button next to the Enhanced Firewall Services UI label.
  5. Under Firewall Rules area of the Edge Firewall page, you can create a new EFS rule or override the inherited EFS rule settings for the Edge. Follow the procedure as described in the Step 5 of the Configure EFS Rule Settings at the Profile Level section.
  6. After you have overridden the EFS rule settings, click Save Changes.

Note: Activating the EFS service, whether at the global setting level or per rule with IDS/IPS, has no effect on the firewall rules of existing Edges that have not been upgraded to the 5.2.0 release. Upgrade those Edges first (see Before You Begin).