VMware NSX Firewall Policies
The NSX Distributed Firewall (DFW) is a stateful firewall: it tracks the state of active connections in a flow table and uses that information to decide which packets to pass. Once a connection has been permitted, its return traffic is matched against the flow table and does not need a rule of its own.
A flow is identified by the following:
Source address
Source port
Destination address
Destination port
Protocol
Let's consider the following topology:
Source: 172.16.70.11
Destination: 172.16.60.20
By default the NSX Distributed Firewall allows all traffic, because the default rule is Allow. I am creating a rule to block the traffic above.
Firewall sources and destinations can be defined using the following object types:
1)Cluster
2)Datacenter
3)IP Sets
4)Logical Switch
5)Port Group
6)Distributed Virtual Port Group
Security Groups:
1) Dynamic Inclusion:
Example: Computer OS name, Computer Name, VM Name, Security Tag.
2) Static Inclusion/Exclusion:
Example: Cluster, Datacenter, IP Sets, Logical Switch, AD Groups, MAC Sets, DVS Port Groups, vNIC.
Note that dynamic criteria such as VM Name or Computer OS name are matched against values the VM owner can set, so a VM that is renamed to fit the pattern joins the group; for rules that grant access, security tags or static membership are the safer choice.
From NSX 6.1 onwards there is a feature called "Partner Security Services",
which lets a policy redirect matching traffic to a third-party firewall such as Palo Alto Networks.
In our example I am using a static inclusion (logical switch name) as the source and a static inclusion (IP set) as the destination.
Before the Block rule:
I am able to access the web server, as shown below:
Create the source. Here I am using the logical switch named Windows_Tier as my source address;
any VM connected to this logical switch acts as a source.
The following list shows the object types available; here I am using an IP set as my destination.
Create a new IP set for the destination IP address, in the format <IP address/subnet mask> or as a range.
After creating the IP set, select it, move it to the right-hand pane and click SAVE.
Below is the rule created with source Logical Switch: Windows_Tier, destination 172.16.60.20 (the IP set), service HTTPS and action Block.
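The same two objects can be created without the vSphere Web Client through the NSX Manager REST API. The Python below is an added example written for this post, not VMware's code or the original author's. It assumes the NSX for vSphere 6.x XML API as I know it: POST /api/2.0/services/ipset/globalroot-0 for the IP set (returning the new object id, ipset-N, as the response body), and a GET followed by a POST on /api/4.0/firewall/globalroot-0/config/layer3sections/{sectionId}/rules with the section's ETag in the If-Match header for the rule. The hostname nsxmgr.example.local, the section id 1007 and the logical switch moref virtualwire-2 are placeholders to replace with values from your own NSX Manager, and the endpoints should be checked against the API guide for your version.

```python
"""Creating the IP set and the Block rule from this post through the NSX Manager
REST API instead of the vSphere Web Client. Added example, not VMware's code.

Assumed (verify against the API guide for your NSX-v version): the 6.x XML API
endpoints used below, that POST .../ipset returns the new object id (ipset-N)
as the response body, and that rule writes need the section's ETag in If-Match.
nsxmgr.example.local, section id 1007 and virtualwire-2 are placeholders.
"""
import base64
import ssl
import urllib.request
import xml.etree.ElementTree as ET

NSX_MANAGER = "nsxmgr.example.local"   # placeholder hostname


def ipset_xml(name: str, value: str, description: str = "") -> bytes:
    """<ipset> body; value may be an address, a CIDR, a range or a comma-separated list."""
    root = ET.Element("ipset")
    ET.SubElement(root, "objectId")
    ET.SubElement(ET.SubElement(root, "type"), "typeName")
    ET.SubElement(root, "description").text = description
    ET.SubElement(root, "name").text = name
    ET.SubElement(root, "revision").text = "0"
    ET.SubElement(root, "objectTypeName")
    ET.SubElement(root, "value").text = value
    return ET.tostring(root)


def _member(parent, tag: str, value: str, type_name: str) -> None:
    """One <source>/<destination> entry referencing an existing grouping object."""
    m = ET.SubElement(parent, tag)
    ET.SubElement(m, "value").text = value
    ET.SubElement(m, "type").text = type_name
    ET.SubElement(m, "isValid").text = "true"


def block_rule_xml(name: str, src_virtualwire: str, dst_ipset: str,
                   proto: int = 6, dport: int = 443, logged: bool = True) -> bytes:
    """<rule> body: source = logical switch, destination = IP set, action = deny.
    The UI's 'Block' is 'deny' in the API. Spelling HTTPS out as protocol 6 /
    destination port 443 avoids having to look up the HTTPS application object id."""
    rule = ET.Element("rule", disabled="false", logged="true" if logged else "false")
    ET.SubElement(rule, "name").text = name
    ET.SubElement(rule, "action").text = "deny"
    applied = ET.SubElement(ET.SubElement(rule, "appliedToList"), "appliedTo")
    for tag in ("name", "value", "type"):
        ET.SubElement(applied, tag).text = "DISTRIBUTED_FIREWALL"
    ET.SubElement(applied, "isValid").text = "true"
    _member(ET.SubElement(rule, "sources", excluded="false"), "source", src_virtualwire, "VirtualWire")
    _member(ET.SubElement(rule, "destinations", excluded="false"), "destination", dst_ipset, "IPSet")
    svc = ET.SubElement(ET.SubElement(rule, "services"), "service")
    ET.SubElement(svc, "destinationPort").text = str(dport)
    ET.SubElement(svc, "protocol").text = str(proto)
    ET.SubElement(rule, "direction").text = "inout"
    ET.SubElement(rule, "packetType").text = "any"
    return ET.tostring(rule)


def field(xml_bytes: bytes, path: str) -> str:
    """Read one element's text from a body, e.g. field(rule, 'sources/source/value')."""
    return ET.fromstring(xml_bytes).find(path).text


def nsx_request(method: str, path: str, body: bytes = None, user: str = "admin",
                password: str = "", etag: str = None, verify: bool = True):
    """One call to NSX Manager; returns (status, ETag header, response body)."""
    ctx = ssl.create_default_context()
    if not verify:   # lab managers often use self-signed certs; keep verification on in production
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(f"https://{NSX_MANAGER}{path}", data=body, method=method)
    req.add_header("Content-Type", "application/xml")
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    if etag:
        req.add_header("If-Match", etag)   # the section's current ETag guards concurrent edits
    with urllib.request.urlopen(req, context=ctx) as resp:
        return resp.status, resp.headers.get("ETag"), resp.read()


def create_block_rule(section_id: str = "1007", src_virtualwire: str = "virtualwire-2", **auth):
    """IP set first, then the rule: the same order the post follows in the UI."""
    base = "/api/4.0/firewall/globalroot-0/config/layer3sections"
    _, _, ipset_id = nsx_request("POST", "/api/2.0/services/ipset/globalroot-0",
                                 ipset_xml("WebServer_IPSet", "172.16.60.20"), **auth)
    _, etag, _ = nsx_request("GET", f"{base}/{section_id}", **auth)   # fetch the ETag for the write
    return nsx_request("POST", f"{base}/{section_id}/rules",
                       block_rule_xml("Block HTTPS to web", src_virtualwire, ipset_id.decode().strip()),
                       etag=etag, **auth)
```

A call such as create_block_rule(user="admin", password="...", verify=False) from a lab jump host performs the three requests; the two *_xml functions can be inspected on their own first to confirm the bodies match the objects created in the UI.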
After Enabling the Block Rule:
Only HTTPS is blocked; ping (ICMP) traffic is still allowed, because the rule's service is HTTPS and any packet the rule does not match falls through to the default Allow rule. To block all traffic from Windows_Tier to the web server, set the rule's service to Any instead.
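To make the stateful 5-tuple evaluation and the result above concrete, here is an added example in Python (mine, not VMware's or the original author's) that models the DFW's decision order as a toy: the flow table first, then the rule table top-down with first match winning, then the default Allow rule. It uses this post's addresses and object names (Windows_Tier, 172.16.70.11, 172.16.60.20). The IP set name WebServer_IPSet and a second rule that blocks anything the web server itself initiates towards Windows_Tier are my own assumptions, added so the effect of the flow table is visible: the reply to an allowed HTTP request passes on state alone, while the same packet without a prior request is blocked. Rule direction, Applied To scope and the TCP handshake are not modelled.

```python
"""Toy model of how the NSX Distributed Firewall evaluates a packet: flow table
first, then the rule table top-down (first match wins), then the default rule.

Added example, not VMware code. Addresses and object names come from this post;
WebServer_IPSet and the second rule are assumptions added to show the flow
table at work. Direction, Applied To and the TCP handshake are not modelled.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

ICMP, TCP = 1, 6

# Grouping objects as used on the page: a logical switch is the set of VMs attached
# to it (their IPs here); an IP set is a list of addresses/CIDRs.
LOGICAL_SWITCHES = {"Windows_Tier": {"172.16.70.11", "172.16.70.12"}}
IP_SETS = {"WebServer_IPSet": ["172.16.60.20/32"]}
# service -> (protocol, destination port); None means any
SERVICES = {"HTTPS": (TCP, 443), "ICMP": (ICMP, None), "ANY": (None, None)}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    sport: Optional[int] = None   # ICMP carries no ports
    dport: Optional[int] = None


@dataclass
class Rule:
    name: str
    source: Optional[str]         # grouping object name, None = Any
    destination: Optional[str]
    service: str
    action: str                   # "allow" or "block"


def flow_key(p: Packet):
    """The 5-tuple the DFW keeps state on."""
    return (p.src, p.sport, p.dst, p.dport, p.proto)


def reverse_key(p: Packet):
    """Same flow seen from the other end, i.e. the reply direction."""
    return (p.dst, p.dport, p.src, p.sport, p.proto)


def in_group(addr: str, name: Optional[str]) -> bool:
    if name is None:
        return True
    if name in LOGICAL_SWITCHES:
        return addr in LOGICAL_SWITCHES[name]
    return any(ip_address(addr) in ip_network(cidr) for cidr in IP_SETS[name])


def service_matches(p: Packet, service: str) -> bool:
    proto, port = SERVICES[service]
    return (proto is None or proto == p.proto) and (port is None or port == p.dport)


class StatefulFirewall:
    def __init__(self, rules):
        self.rules = list(rules) + [Rule("Default Rule", None, None, "ANY", "allow")]
        self.flows = set()

    def evaluate(self, p: Packet) -> str:
        # Step 1: a packet belonging to a known flow, in either direction, passes on
        # state alone. This is why replies never need a rule of their own.
        if flow_key(p) in self.flows or reverse_key(p) in self.flows:
            return "allow (state)"
        # Step 2: rule table, top to bottom, first match wins; an allow creates state.
        for r in self.rules:
            if (in_group(p.src, r.source) and in_group(p.dst, r.destination)
                    and service_matches(p, r.service)):
                if r.action == "allow":
                    self.flows.add(flow_key(p))
                return f"{r.action} ({r.name})"
        raise AssertionError("unreachable: the default rule matches everything")


def build_firewall() -> StatefulFirewall:
    return StatefulFirewall([
        # the rule created in this post
        Rule("Block HTTPS to web", "Windows_Tier", "WebServer_IPSet", "HTTPS", "block"),
        # assumed extra rule: the web server may not initiate anything towards Windows_Tier
        Rule("Block web to Windows_Tier", "WebServer_IPSet", "Windows_Tier", "ANY", "block"),
    ])


def demo() -> dict:
    fw = build_firewall()
    client, web = "172.16.70.11", "172.16.60.20"
    http_reply = Packet(web, client, TCP, 80, 51001)
    return {
        "https": fw.evaluate(Packet(client, web, TCP, 51000, 443)),
        "icmp": fw.evaluate(Packet(client, web, ICMP)),
        "unsolicited_reply": fw.evaluate(http_reply),       # no flow yet: rule 2 blocks it
        "http": fw.evaluate(Packet(client, web, TCP, 51001, 80)),
        "http_reply": fw.evaluate(http_reply),              # now matched by the flow table
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:18s} {verdict}")
```

Running it shows the page's observation directly: the HTTPS request is blocked by the first rule, the ICMP echo falls through to the default rule and is allowed, and the HTTP reply is passed on state even though a rule further down would block the web server from initiating the same 5-tuple.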