
Add a Firewall Rule

In document vshield Administration Guide (Page 169-173)

You can add a firewall rule at various container levels (datacenter, virtual wire, or port group with an independent namespace). Adding multiple objects per rule at the source and destination levels helps reduce the total number of firewall rules you need to create.

Procedure

1 In the vSphere Client, select a datacenter, virtual wire, or port group with an independent namespace.

Firewall Rule Level: Datacenter
  a Go to Inventory > Hosts and Clusters.
  b Select a datacenter.
  c Click the vShield tab.

Firewall Rule Level: Virtual wire
  a Go to Inventory > Hosts and Clusters and select the Network Virtualization tab.
  b Click the Networks tab.
  c In the Name column, click the virtual wire for which you want to add a rule.
  d Click the Security tab.

Firewall Rule Level: Port group with an independent namespace
  a Go to Inventory > Networking.
  b Select a port group with an independent namespace.
  c Click the vShield tab.

2 Click the App Firewall tab. For a virtual wire, ensure that you are in the Firewall tab.

3 Ensure that you are in the General tab to add an L3 rule. Click the Ethernet tab to add an L2 rule.

4 Do one of the following.

- To add a rule at a specific place in the firewall table, follow the steps below.
  a Select a rule.
  b In the No. column, click and select Add Above or Add Below.

- To add a rule by copying a rule, follow the steps below.
  a Select a rule.
  b Click the Copy icon.
  c Select a rule.
  d In the No. column, click and select Paste Above or Paste Below.

- Click the Add icon.

  A new any/any allow rule is added below the selected rule. If the system-defined rule is the only rule in the firewall table, the new rule is added above the default rule.

5 Point to the Name cell of the new rule and click the icon that appears.

6 Type a name for the new rule.

7 Point to the Source cell of the new rule and click the icon that appears.

a In View, select the container from which the communication originates. Objects for the selected container are displayed.

b Select one or more objects and click the icon to add them.

You can create a new security group or IPSet. Once you create the new object, it is added to the Source column by default. For information on creating a new security group or IPSet, see “Grouping Objects,” on page 30.

c To specify a source port, click Advance options and type the port number or range.

d Select Negate Source to exclude this source port from the rule.

Option                      Result
Negate Source selected      Rule applies to traffic coming from all sources except for the source you specified in Step 7c.
Negate Source not selected  Rule applies to traffic coming from the source you specified in Step 7c.

e Click OK.

8 Point to the Destination cell of the new rule and click the icon that appears.

a In View, select the container that the communication is targeting. Objects for the selected container are displayed.

b Select one or more objects and click the icon to add them.

You can create a new security group or IPSet. Once you create the new object, it is added to the Destination column by default. For information on creating a new security group or IPSet, see “Grouping Objects,” on page 30.

c To specify a destination port, click Advance options and type the port number or range.

d Select Negate Destination to exclude this destination port from the rule.

Option                           Rule Applied To
Negate Destination selected      Traffic going to all destinations except for the destination you specified in Step 8c.
Negate Destination not selected  Traffic going to the destination you specified in Step 8c.

e Click OK.

9 Point to the Action cell of the new rule and click the icon that appears.

a Click Block to block traffic from or to the specified source and destination.

b Click Log to log all sessions matching this rule.

Enabling logging can affect performance.

c Type comments if required.

d Click OK.

10 Click Publish Changes to push the new rule to all vShield App instances.
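The top-down, first-match evaluation and the Negate Source option used in Steps 4 through 9 are modelled in this added Python example; it is illustrative code, not vShield's implementation, and the rule names, addresses, the single destination-port field and the any/any default rule are constructed assumptions. It also shows why Add Above versus Add Below matters: a rule inserted above another can shadow it.

```python
# Added illustration (not vShield code): a minimal model of an App Firewall
# table evaluated top-down, first match wins, with Negate Source /
# Negate Destination and a system-defined any/any allow rule at the bottom.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Rule:
    name: str
    action: str                                        # "allow" or "block"
    sources: list = field(default_factory=list)        # CIDRs; [] means any
    destinations: list = field(default_factory=list)   # CIDRs; [] means any
    dst_ports: set = field(default_factory=set)        # empty set means any
    negate_source: bool = False
    negate_destination: bool = False


def _in_any(addr, nets):
    """True if addr is inside any listed network; an empty list means 'any'."""
    return not nets or any(ip_address(addr) in ip_network(n) for n in nets)


def matches(rule, src, dst, dport):
    """Apply the rule's source, destination and port tests, honouring negation."""
    src_hit = _in_any(src, rule.sources) != rule.negate_source          # XOR
    dst_hit = _in_any(dst, rule.destinations) != rule.negate_destination
    port_hit = not rule.dst_ports or dport in rule.dst_ports
    return src_hit and dst_hit and port_hit


def evaluate(table, src, dst, dport):
    """Walk the table top to bottom; the first matching rule decides."""
    for rule in table:
        if matches(rule, src, dst, dport):
            return rule.name, rule.action
    raise ValueError("no match: the default any/any rule should be last")


# Constructed sample table (hypothetical addresses): a Negate Source block
# rule restricts SSH to 10.0.0.5 to the 10.0.1.0/24 admin network only, and
# the system-defined any/any allow rule sits last.
DEFAULT_RULE = Rule("Default Rule", "allow")
ADMIN_ONLY_SSH = Rule("Admin-only SSH", "block", sources=["10.0.1.0/24"],
                      destinations=["10.0.0.5/32"], dst_ports={22},
                      negate_source=True)
TABLE = [ADMIN_ONLY_SSH, DEFAULT_RULE]

# The same table after an "any to 10.0.0.5 allow" rule was added above the
# block rule (Add Above): it now matches first and shadows the block.
SHADOWED = [Rule("Allow to server", "allow", destinations=["10.0.0.5/32"]),
            ADMIN_ONLY_SSH, DEFAULT_RULE]

if __name__ == "__main__":
    print(evaluate(TABLE, "10.0.1.7", "10.0.0.5", 22))       # ('Default Rule', 'allow')
    print(evaluate(TABLE, "192.168.9.9", "10.0.0.5", 22))    # ('Admin-only SSH', 'block')
    print(evaluate(SHADOWED, "192.168.9.9", "10.0.0.5", 22))  # ('Allow to server', 'allow')
```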

What to do next

- Disable or enable a rule by clicking the corresponding icon.

- Display additional columns in the rule table by clicking the icon and selecting the appropriate columns.

Column Name   Information Displayed
Rule ID       Unique system-generated ID for each rule
Log           Whether traffic for this rule is being logged
Stats         Clicking the icon shows the traffic affected by this rule (number of sessions, traffic packets, and size)
Comments      Comments for the rule

- Search for rules by typing text in the Search field.

Delete a Firewall Rule

You can delete firewall rules that you created, but not the default rule.

Procedure

1 Do one of the following.

Firewall Rule Level: Datacenter
  a In the vSphere Client, go to Inventory > Hosts and Clusters.
  b Select a datacenter.
  c Click the vShield tab.
  d Click the App Firewall tab.

Firewall Rule Level: Virtual wire
  a Go to Inventory > Hosts and Clusters and select the Network Virtualization tab.
  b Click the Networks tab.
  c In the Name column, click the virtual wire for which you want to delete a rule.
  d Click the Security tab.
  e Ensure that you are in the Firewall tab.

Firewall Rule Level: Port group with an independent namespace
  a In the vSphere Client, go to Inventory > Networking.
  b Select a port group with an independent namespace.
  c Click the vShield tab.
  d Click the App Firewall tab.

2 Click a rule.
