You add firewall rules at the global scope. You can then narrow down the scope (datacenter, cluster, distributed virtual port group, network, virtual machine, vNIC, or virtual wire) at which you want to apply the rule. Firewall allows you to add multiple objects at the source and destination levels for each rule, which helps reduce the total number of firewall rules to be added.
Prerequisites
If you are adding an identity-based firewall rule, ensure that:
- One or more domains have been registered with NSX Manager. NSX Manager gets group and user information, as well as the relationship between them, from each domain that it is registered with. See “Register a Windows Domain with NSX Manager,” on page 154.
- A security group based on Active Directory objects has been created which can be used as the source or destination of the rule. See “Create a Security Group,” on page 30.
Procedure
1 Log in to the vSphere Web Client.
2 Click Networking & Security and then click Firewall.
4 In the section to which you want to add a rule, click the Add rule icon.
A new any/any allow rule is added at the top of the section. If the system-defined rule is the only rule in the section, the new rule is added above the default rule.
If you want to add a rule at a specific place in a section, select a rule. In the No. column, click the icon and select Add Above or Add Below.
5 Point to the Name cell of the new rule and click the edit icon.
6 Type a name for the new rule.
7 Point to the Source cell of the new rule and choose one of the following options.
Option: Click the IP icon to specify the source as an IP address.
a Select the IP address format. Firewall supports both IPv4 and IPv6 formats.
b Type the IP address.
Option: Click the edit icon to specify the source as an object other than a specific IP address.
a In View, select the container from which the communication originates. Objects for the selected container are displayed.
b Select one or more objects and click the arrow icon to add them.
You can create a new security group or IPSet. Once you create the new object, it is added to the Source column by default. For information on creating a new security group or IPSet, see Chapter 3, “Grouping Objects,” on page 27.
c To specify a source port, click Advanced options and type the port number or range.
d Select Negate Source to exclude this source from the rule. If Negate Source is selected, the rule applies to traffic coming from all sources except the source you specified in the previous step. If Negate Source is not selected, the rule applies to traffic coming from the source you specified in the previous step.
e Click OK.
8 Point to the Destination cell of the new rule and choose one of the following options.
Option: Click the IP icon to specify the destination as an IP address.
a Select the IP address format. Firewall supports both IPv4 and IPv6 formats.
b Type the IP address.
Option: Click the edit icon to specify the destination as an object other than a specific IP address.
a In View, select the container that the communication is targeting. Objects for the selected container are displayed.
b Select one or more objects and click the arrow icon to add them.
You can create a new security group or IPSet. Once you create the new object, it is added to the Destination column by default. For information on creating a new security group or IPSet, see Chapter 3, “Grouping Objects,” on page 27.
c To specify a destination port, click Advanced options and type the port number or range.
d Select Negate Destination to exclude this destination from the rule. If Negate Destination is selected, the rule applies to traffic going to all destinations except the destination you specified in the previous step. If Negate Destination is not selected, the rule applies to traffic going to the destination you specified in the previous step.
e Click OK.
9 Point to the Service cell of the new rule and choose one of the following options.
Option: Click the corresponding icon to specify the service as a port and protocol combination.
a Select the service protocol. Distributed Firewall supports ALG (Application Level Gateway) for the following protocols: FTP, CIFS, ORACLE TNS, MS-RPC, and SUN-RPC.
b Type the port number and click OK.
Option: Click the edit icon to select a pre-defined service/service group or define a new one.
a Select one or more objects and click the arrow icon to add them.
You can create a new service or service group. Once you create the new object, it is added to the Service column by default.
b Click OK.
To protect your network from ACK or SYN floods, you can set Service to TCP-all_ports or UDP-all_ports and set Action to Block for the default rule. For information on modifying the default rule, see “Edit the Default Distributed Firewall Rule,” on page 56.
10 Point to the Action cell of the new rule and click the edit icon.
a Click Block to block traffic from or to the specified source and destination.
b Click Log to log all sessions matching this rule. Enabling logging can affect performance.
c Type comments if required.
d Click OK.
11 To define the scope at which this rule is applicable, click the icon and select Applied To.
a Point to the Applied To cell of the new rule and click the edit icon.
b In View, select a container. The containers you can select in this field are: datacenter, cluster, distributed virtual port group, network, virtual machine, vNIC, and virtual wire.
c Select one or more objects and click the arrow icon to add them.
d Click OK.
If the rule contains virtual machines/vNICs in the source and destination fields, you must add both the source and destination virtual machines/vNICs to Applied To for the rule to work correctly.
12 Click Publish Changes to push the new rule.
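The Applied To caveat above (both endpoint vNICs must be in scope) and the Negate Source/Negate Destination semantics, shown with an added Python model of how a distributed firewall evaluates a rule at each vNIC it is applied to. This is an illustrative model written for this page, not NSX code; the vNIC ids, rule names and service strings are constructed, and the default rule is assumed to be set to Block.

```python
from dataclasses import dataclass, field


@dataclass
class Rule:
    """One distributed firewall rule (simplified model, not the NSX object schema)."""
    name: str
    sources: set                      # vNIC ids, or {"any"}
    destinations: set
    service: set = field(default_factory=lambda: {"any"})  # e.g. {"tcp/3306"}
    action: str = "allow"             # "allow" or "block"
    negate_source: bool = False
    negate_destination: bool = False
    applied_to: set = field(default_factory=lambda: {"any"})  # enforcement points

    @staticmethod
    def _member(members, value, negate):
        hit = "any" in members or value in members
        return (not hit) if negate else hit   # Negate flips the membership test

    def matches(self, src, dst, svc):
        return (self._member(self.sources, src, self.negate_source)
                and self._member(self.destinations, dst, self.negate_destination)
                and ("any" in self.service or svc in self.service))

    def enforced_at(self, vnic):
        return "any" in self.applied_to or vnic in self.applied_to


def verdict_at(vnic, rules, default_action, src, dst, svc):
    """Top-down: the first rule scoped to this vNIC that matches the flow wins."""
    for rule in rules:
        if rule.enforced_at(vnic) and rule.matches(src, dst, svc):
            return rule.action
    return default_action             # the default rule catches everything else


def flow_allowed(rules, default_action, src, dst, svc):
    """A flow passes only if the source vNIC (egress) and destination vNIC (ingress) both allow it."""
    return all(verdict_at(v, rules, default_action, src, dst, svc) == "allow" for v in (src, dst))


# Constructed sample rules. HALF_SCOPED is applied only to the source vNIC, so the
# destination vNIC never sees it and falls through to the (blocking) default rule.
HALF_SCOPED = Rule("web-to-db", {"web-vnic"}, {"db-vnic"}, {"tcp/3306"}, applied_to={"web-vnic"})
FULLY_SCOPED = Rule("web-to-db", {"web-vnic"}, {"db-vnic"}, {"tcp/3306"},
                    applied_to={"web-vnic", "db-vnic"})
# Negate Source: block traffic to the DB from every source except app-vnic.
NOT_FROM_APP = Rule("db-only-from-app", {"app-vnic"}, {"db-vnic"}, action="block", negate_source=True)
ALLOW_ALL = Rule("allow-rest", {"any"}, {"any"})
```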
What to do next
- Disable a rule by clicking the disable icon, or enable a rule by clicking the enable icon.
- Display additional columns in the rule table by clicking the icon and selecting the appropriate columns.
Column Name | Information Displayed
Rule ID | Unique system-generated ID for each rule
Log | Whether traffic for this rule is being logged
Stats | Clicking the icon shows the traffic related to this rule (traffic packets and size)
Comments | Comments for the rule
- Search for rules by typing text in the Search field.
- Merge sections by clicking the Merge section icon and selecting Merge with above section or Merge with below section.