Objective 7.1 – Configure and administer Logical Firewall services

Principles

  • Add/Edit/Delete an Edge Firewall rule
  • Configure Source/Destination/Service/Action rule components
  • Compare and contrast between Edge Rule Types (Pre-Rules/Internal/User Rules/Default Rules)
  • Change the order of an Edge User Firewall rule
  • Demonstrate how to configure an Edge Firewall Pre-Rule
  • Understand the limitations of ECMP and Edge Firewall Policy

References

  1. NSX Administration Guide
     http://pubs.vmware.com/NSX-62/topic/com.vmware.ICbase/PDF/nsx_62_admin.pdf
  2. Securing VMware NSX
     https://communities.vmware.com/servlet/JiveServlet/downloadBody/27674-102-4-37245/Securing%20of%20NSX_vSphere.pdf

Add/Edit/Delete an Edge Firewall rule

  • Manage -> Firewall on the NSX Edge
  • DLR firewall rules apply only to traffic terminating on the Control VM (e.g. routing protocol and SSH sessions) – they are not enforced in the data plane
    • Use the DFW to secure E-W traffic routed by the DLR
    • Use the Edge (ESG) firewall for N-S traffic (depending on topology)
  • The Default rule's action can be set to Accept or Deny
  • Logging is enabled per rule in the "Action" column, independently of the action itself
  • Rules can be copied

Configure Source/Destination/Service/Action rule components

  • Source:
    • Can include multiple vNICs, IP addresses or IP Sets/groups
    • vNIC Group:
      • Can be used as Source or Destination
      • "vse" matches traffic generated by the Edge itself, e.g. routing protocol and syslog traffic
      • "internal" and "external" match any traffic on Internal or Uplink interfaces respectively, and are updated automatically as interfaces are added to the Edge
      • "internal" vNIC group rules do not work on a DLR
  • Destination:
    • Can include multiple vNICs, IP addresses or IP Sets/groups
  • Service:
    • Select from pre-defined Services/Service Groups or define a custom one
    • Services/Service Groups/IP Sets defined on an Edge (Manage -> Grouping Objects) are local to that Edge
    • Services/Service Groups/IP Sets defined globally in NSX Manager are available to all Edges
  • Action:
    • Accept: forward the traffic
    • Deny: drop the traffic silently
    • Reject: drop the traffic and notify the sender (TCP RST for TCP, ICMP unreachable for other protocols)
  • Advanced Options
    • Match on: Original (default) or Translated. With Translated, the rule is evaluated against the post-NAT (translated) addresses, so it must reference the addresses a NAT rule produces rather than the original ones
    • Enable Rule Direction: restrict the rule to In (inbound) or Out (outbound) traffic; by default a rule matches both directions
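The same components can be expressed as the XML body the NSX-v REST API accepts for a user rule. The following is an added example, not code from the page or from VMware: the element names and the POST /api/4.0/edges/{edgeId}/firewall/config/rules endpoint are recalled from the NSX 6.2 API reference and should be checked against the API guide for the version in use. It validates the vNIC group names, addresses and actions described above before building the document, and makes no network call.

```python
"""Build the XML body for an NSX-v Edge firewall user rule from its components.

Added example, not from the original page or VMware's own code. The element
names and the POST /api/4.0/edges/{edgeId}/firewall/config/rules endpoint are
as recalled from the NSX 6.2 API reference; check them against the API guide
for the NSX version in use. Nothing here talks to an NSX Manager.
"""
import ipaddress
import xml.etree.ElementTree as ET

ACTIONS = ("accept", "deny", "reject")
VNIC_GROUPS = ("vse", "internal", "external")   # or vnic-index-<n> for one interface


def _check_vnic_group(group_id):
    if group_id in VNIC_GROUPS:
        return group_id
    prefix = "vnic-index-"
    if group_id.startswith(prefix) and group_id[len(prefix):].isdigit():
        return group_id
    raise ValueError("unknown vNIC group: %r" % group_id)


def _check_address(text):
    """Accept a host, a CIDR or a dotted range a-b; reject anything else."""
    if "-" in text:
        lo, hi = (ipaddress.ip_address(p) for p in text.split("-", 1))
        if lo > hi:
            raise ValueError("range is reversed: %s" % text)
    else:
        ipaddress.ip_network(text, strict=False)
    return text


def _endpoint(parent, tag, vnic_groups=(), addresses=(), grouping_objects=()):
    """<source>/<destination>; with no children the endpoint means 'any'."""
    node = ET.SubElement(parent, tag)
    ET.SubElement(node, "exclude").text = "false"
    for g in vnic_groups:
        ET.SubElement(node, "vnicGroupId").text = _check_vnic_group(g)
    for a in addresses:
        ET.SubElement(node, "ipAddress").text = _check_address(a)
    for obj in grouping_objects:   # e.g. an ipset-N defined on the Edge or globally
        ET.SubElement(node, "groupingObjectId").text = obj
    return node


def build_user_rule(name, action, source=None, destination=None, services=(),
                    logging=False, match_translated=False, direction=None):
    """Return a <firewallRules> document holding one user rule.

    source/destination: dicts with any of vnic_groups, addresses, grouping_objects.
    services: (protocol, port) pairs such as ("tcp", 22); empty means any service.
    direction: None (both), "in" or "out" (the Enable Rule Direction option).
    """
    if action not in ACTIONS:
        raise ValueError("action must be one of %s" % ", ".join(ACTIONS))
    if direction not in (None, "in", "out"):
        raise ValueError("direction must be None, 'in' or 'out'")
    root = ET.Element("firewallRules")
    rule = ET.SubElement(root, "firewallRule")
    ET.SubElement(rule, "name").text = name
    ET.SubElement(rule, "ruleType").text = "user"
    ET.SubElement(rule, "enabled").text = "true"
    ET.SubElement(rule, "loggingEnabled").text = str(logging).lower()
    # Match on Translated evaluates the rule against post-NAT addresses.
    ET.SubElement(rule, "matchTranslated").text = str(match_translated).lower()
    if direction:
        ET.SubElement(rule, "direction").text = direction
    ET.SubElement(rule, "action").text = action
    _endpoint(rule, "source", **(source or {}))
    _endpoint(rule, "destination", **(destination or {}))
    app = ET.SubElement(rule, "application")
    for proto, port in services:
        svc = ET.SubElement(app, "service")
        ET.SubElement(svc, "protocol").text = proto
        ET.SubElement(svc, "port").text = str(port)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print(build_user_rule("allow-ssh-in", "accept",
                          source={"vnic_groups": ["external"]},
                          destination={"addresses": ["192.168.10.0/24"]},
                          services=[("tcp", 22)], logging=True, direction="in"))
```

The returned string is what would be POSTed to the rules endpoint of the target Edge; a rule referencing a grouping object defined on a different Edge will be rejected by NSX Manager, which is the API-side view of the "local to that Edge" point above.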

Compare and contrast between Edge Rule Types (Pre-Rules/Internal/User Rules/Default Rules)

Pre-rules

  • Defined in the Distributed Firewall with "Applied To" set to an NSX Edge
  • Pushed to that Edge and shown at the top of its rule base as Pre-rules; they are read-only on the Edge and can only be changed in the DFW
  • Used to centrally manage Edge firewall rules for common services across many Edges

Internal

Internal or "auto-plumb" rules are generated automatically by the Edge to allow the traffic that its enabled services need (e.g. SSL VPN); they cannot be edited from the Firewall tab.

User/Default Rules

  • User rules are those configured directly on an NSX Edge, e.g. a rule allowing ICMP
  • User rules sit after any Pre-rules and Internal rules and before the Default rule; rules are evaluated top-down and the first match wins
  • The Default rule can be modified (Accept/Deny, logging) but always appears at the end of the rule base and cannot be removed

Change the order of an Edge User Firewall rule

  • Use the "move" (up/down) icons to move a rule up or down in the list

  • Only applicable to User rules – Pre-rules, Internal rules and the Default rule cannot be moved from the Edge
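To make the ordering rules of the two sections above concrete, here is an added example (not code from the page or from VMware): a simplified first-match model of an Edge rule base in which pre-rules, internal rules, user rules and the default rule occupy fixed segments, only user rules can be moved, the default rule can be edited but not removed, and Deny and Reject produce different behaviour on the wire. Rule names, addresses (RFC 1918/5737) and the sample rule set are constructed for the illustration.

```python
"""Model of how an NSX Edge orders and evaluates its firewall rule base.

Added example, not from the original page. It is a deliberately simplified
first-match model used to show where pre-rules, internal (auto-plumbed) rules,
user rules and the default rule sit, that only user rules can be reordered,
and how Deny and Reject differ. Addresses are constructed (RFC 1918/5737).
"""
import ipaddress
from collections import namedtuple

# src/dst are ip_network objects or "any"; proto/port are strings or "any".
Rule = namedtuple("Rule", "name rule_type src dst proto port action log")
SEGMENT = {"pre": 0, "internal": 1, "user": 2}   # the default rule is always last


def _net(value):
    return "any" if value == "any" else ipaddress.ip_network(value, strict=False)


def make_rule(name, rule_type, src="any", dst="any", proto="any", port="any",
              action="accept", log=False):
    if rule_type not in SEGMENT:
        raise ValueError("rule_type must be pre, internal or user")
    if action not in ("accept", "deny", "reject"):
        raise ValueError("action must be accept, deny or reject")
    return Rule(name, rule_type, _net(src), _net(dst), proto, str(port), action, log)


def _matches(rule, src, dst, proto, port):
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return ((rule.src == "any" or s in rule.src)
            and (rule.dst == "any" or d in rule.dst)
            and rule.proto in ("any", proto)
            and rule.port in ("any", str(port)))


class EdgeFirewall:
    def __init__(self, default_action="deny", default_log=False):
        self.rules = []   # pre, internal and user rules, kept in segment order
        self.default_action = default_action
        self.default_log = default_log

    def add(self, rule):
        # Pre-rules arrive from the DFW, internal rules from the Edge itself;
        # a new rule lands at the end of its own segment (sort is stable).
        self.rules.append(rule)
        self.rules.sort(key=lambda r: SEGMENT[r.rule_type])

    def set_default(self, action, log=False):
        """The default rule can be edited (Accept/Deny, logging) but never removed."""
        if action not in ("accept", "deny"):
            raise ValueError("default rule action is accept or deny")
        self.default_action, self.default_log = action, log

    def move(self, name, direction):
        """Move a user rule one step up or down, as the GUI move icons do."""
        idx = next((i for i, r in enumerate(self.rules) if r.name == name), None)
        if idx is None:
            raise KeyError(name)
        if self.rules[idx].rule_type != "user":
            raise ValueError("%s rules cannot be moved from the Edge" % self.rules[idx].rule_type)
        new = idx - 1 if direction == "up" else idx + 1
        if new < 0 or new >= len(self.rules) or self.rules[new].rule_type != "user":
            raise ValueError("user rules stay between the internal rules and the default rule")
        self.rules[idx], self.rules[new] = self.rules[new], self.rules[idx]

    def evaluate(self, src, dst, proto, port):
        """Top-down, first match wins; returns (rule name, action, logging)."""
        for r in self.rules:
            if _matches(r, src, dst, proto, port):
                return r.name, r.action, r.log
        return "default rule", self.default_action, self.default_log


def on_the_wire(action, proto):
    """What the sender observes for each action."""
    if action == "accept":
        return "forwarded"
    if action == "deny":
        return "silently dropped"
    return "TCP RST" if proto == "tcp" else "ICMP unreachable"


def demo():
    """A constructed rule base: one DFW pre-rule, one auto-plumbed rule, three user rules."""
    fw = EdgeFirewall(default_action="deny")
    fw.add(make_rule("dfw pre-rule: block telnet", "pre", proto="tcp", port=23, action="deny"))
    fw.add(make_rule("auto-plumb: SSL VPN to vse", "internal", dst="203.0.113.1/32", proto="tcp", port=443))
    fw.add(make_rule("web in", "user", dst="10.0.0.0/24", proto="tcp", port=80, log=True))
    fw.add(make_rule("icmp", "user", proto="icmp"))
    fw.add(make_rule("legacy telnet", "user", dst="10.0.0.0/24", proto="tcp", port=23))
    return fw
```

The instructive case is the telnet flow: the user rule "legacy telnet" would accept it, but the DFW pre-rule sits above every user rule and denies it first, which is exactly why pre-rules are the right place for organisation-wide blocks.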

Demonstrate how to configure an Edge Firewall Pre-Rule

  • Add the rule in the Distributed Firewall (Networking & Security -> Firewall) and set "Applied To" to the target NSX Edge; once published, the rule appears on that Edge as a Pre-rule and is managed from the DFW, not from the Edge

Understand the limitations of ECMP and Edge Firewall Policy

  • ECMP is stateless: the DLR and the physical router each hash flows across the Edges independently, so the return traffic of a session can arrive at a different Edge than the one that forwarded the request. A stateful Edge Firewall on that Edge has no session for the reply and drops it, so the Edge Firewall (like the other stateful services, NAT and Load Balancer) should not be enabled on an ESG running ECMP
  • The firewall on a DLR running ECMP is unaffected because it only filters traffic to the DLR Control VM (management/control plane), not the routed data plane
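The failure mode above is easiest to see with two flows side by side. The following is an added example, not code from the page or from VMware: a toy model of two ESGs in ECMP with a per-Edge session table. The hash it uses (last octet of the source address plus source port of whatever packet the hop sees) stands in for the real devices' independent hashing; the point is only that the reply, with its fields swapped, need not land on the Edge that recorded the session. Addresses and ports are constructed.

```python
"""Why a stateful Edge firewall breaks under ECMP.

Added example, not from the original page: a toy model of two ESGs in ECMP
between a DLR and the physical network. Each ESG keeps its own session
table. The hash used here (last octet of the packet's source address plus
its source port) stands in for the real devices' independent hashing; what
matters is that the reply packet, with swapped fields, need not hash to the
Edge that saw the request. Addresses are constructed (RFC 1918/5737).
"""


class Edge:
    def __init__(self, name, firewall_enabled=True):
        self.name = name
        self.firewall_enabled = firewall_enabled
        self.sessions = set()   # 5-tuples seen outbound (internal -> uplink)

    def outbound(self, pkt):
        """Internal to uplink: allowed by a user rule, session recorded."""
        if self.firewall_enabled:
            self.sessions.add((pkt["src"], pkt["dst"], pkt["sport"], pkt["dport"], pkt["proto"]))
        return "accept"

    def inbound(self, pkt):
        """Uplink to internal: with the firewall on, only replies to a known
        session pass (default rule deny); with it off, everything is routed."""
        if not self.firewall_enabled:
            return "accept"
        reverse = (pkt["dst"], pkt["src"], pkt["dport"], pkt["sport"], pkt["proto"])
        return "accept" if reverse in self.sessions else "deny"


def ecmp_pick(edges, pkt):
    """Per-hop ECMP next-hop choice, computed from the packet that hop sees."""
    last_octet = int(pkt["src"].rsplit(".", 1)[1])
    return edges[(last_octet + pkt["sport"]) % len(edges)]


def run_flow(edges, client, server, sport, dport=443):
    """Send one TCP request out and its reply back; report the path and verdict."""
    request = {"src": client, "dst": server, "sport": sport, "dport": dport, "proto": "tcp"}
    reply = {"src": server, "dst": client, "sport": dport, "dport": sport, "proto": "tcp"}
    out_edge = ecmp_pick(edges, request)    # chosen by the DLR
    out_edge.outbound(request)
    in_edge = ecmp_pick(edges, reply)       # chosen by the physical router
    return out_edge.name, in_edge.name, in_edge.inbound(reply)


def demo(firewall_enabled=True):
    """Two constructed flows from 10.0.1.10 to 198.51.100.20:443 through edge-A/edge-B."""
    edges = [Edge("edge-A", firewall_enabled), Edge("edge-B", firewall_enabled)]
    return {sport: run_flow(edges, "10.0.1.10", "198.51.100.20", sport)
            for sport in (40000, 40001)}


if __name__ == "__main__":
    for enabled in (True, False):
        print("firewall enabled:", enabled)
        for sport, (out_edge, in_edge, verdict) in demo(enabled).items():
            print("  sport %d: out via %s, reply via %s -> %s" % (sport, out_edge, in_edge, verdict))
```

With the firewall enabled, the flow from source port 40000 leaves through edge-A but its reply hashes to edge-B, which has no matching session and applies the default Deny; the flow from port 40001 happens to hash to edge-B both ways and works. That intermittent, port-dependent breakage is the symptom to recognise in production. With the firewall disabled on the ECMP Edges both replies are routed, which is why N-S filtering in an ECMP design has to move to the DFW or to a non-ECMP Edge tier.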