Writing Distributed Firewall Rules

Writing Distributed Firewall Rules

Abstract

VMWare NSX-V Distributed Firewall controls traffic in and out of each vNIC individually to distribute firewall functionality across all applicable vNICs.

 What is an “applicable vNIC”?  As you create rules (shown below) and include IP addresses, any NIC that is assigned that IP address gets automatically included.  This way, you do not need to include or exclude NICs from the firewall rules manually.

Type of Policy

First, you’ll need to decide which type of policy you want to craft your rules around.  The two main types are:

1. Zero Trust:   By default, deny all traffic.   Then, explicitly allow expected traffic.   The “catch-all” rule would be a deny, matching all traffic that didn’t match any configured rules.
2. Blacklisting:   By default, allow all traffic.   Then, explicitly deny forbidden traffic.   The “catch-all” rule would be an allow, matching all traffic that didn’t match any configured rules.

IP Sets

You can define IP sets in your EEC tenant as follows.  Once logged in, go to:

Networking -> Security -> and click the radio button next to “Security Services for <vDC Name>” -> Configure Services ->  Grouping Objects ->  IP Sets

An IP set can contain a single CIDR (192.168.4.0/24) or multiple (192.168.5.0/24, 192.168.42.5/32, etc…) and is given a Name and Description.  The description field is not required, but if you create many IP Sets, it may help you remember what each one is for.

Once your IP Set(s) are defined (and you can always go back to them), you can head over to the Distributed Firewall configuration to start building those.

Configuring Rules

From IP Sets, click on Distributed Firewall à General at the top of the same pop-up window.  If you’re coming from your vDC and not the IP Sets page, the full path is:

Networking -> Security -> and click the radio button next to “Security Services for <vDC Name>” -> Configure Services -> Distributed Firewall -> General.

Rules are evaluated top-down.  Here are the purposes of each category in the rule list:

• No: The order in which this rule will be evaluated against traffic
• Name: Human-readable labeling for this rule
• Source: Can either be an IP address or an IP Set.  Do not use security tags or other objects.  On Zerto failover they will break the DFW
• Destination: Can either be an IP address or an IP Set.
• Service: Can be pre-defined VMWare services, or custom services as defined by:
  • Protocol: TCP, UDP, ICMP
  • Source Port: Any, Port Number
  • Destination Port: Any, Port Number
• Action: Deny, Allow
• Direction:
  • In: Traffic going into the vNIC, that is, just before hitting the VM
  • Out: Traffic leaving the vNIC, this is, just after being generated by the VM
  • In/Out: Both directions
• Packet Type: Select IPv4 as IPv6 is not supported in EEC
• Applied To: Always make sure this is set to the current Org vDC name, and no other object type (do not set to the Edge, or behavior may be inconsistent/unexpected).  Click the “+” in this box, and on the popup, under “Browse objects of type:” select “Org Vdcs” to be given the correct option.
• Enable Logging: Do not check on default rules as this may degrade performance.  Note that this is best utilized during a support case with Expedient, as these logs are only viewable by Expedient support staff.

Multi-vDC Considerations

If you’d like these rules to be applied to multiple vDCs (you may have Production and Disaster Recovery vDCs, or in some cases, multiple segregated vDCs), the above sections IP Sets and Configuring Rules must be followed for each vDC.  These rules do not copy over between vDCs.

Questions?  Require further assistance?

Please open a support ticket and a member of our Operations Support Center will assist you.