Principles
- Add/Edit/Delete an Edge Firewall rule
- Configure Source/Destination/Service/Action rule components
- Compare and contrast between Edge Rule Types (Pre-Rules/Internal/User Rules/Default Rules)
- Change the order of an Edge User Firewall rule
- Demonstrate how to configure an Edge Firewall Pre-Rule
- Understand the limitations of ECMP and Edge Firewall Policy
References
- NSX Administration Guide
http://pubs.vmware.com/NSX-62/topic/com.vmware.ICbase/PDF/nsx_62_admin.pdf
- Securing VMware NSX
Add/Edit/Delete an Edge Firewall rule
- Edge -> Manage -> Firewall
- DLR firewall rules apply to the DLR Control VM only; they are not enforced in the data plane (the kernel routing module)
- Use the DFW to secure East-West traffic routed by a DLR
- Use the Edge Firewall for North-South traffic (depending on topology)
- The Default rule action can be set to Accept or Deny
- Logging is enabled per rule, separately from the action, in the “Action” column
- Rules can be copied
Configure Source/Destination/Service/Action rule components
- Source:
- Can include multiple vNICs/vNIC groups and IP addresses (or IP Sets/groups)
- vNic Group:
- Can be defined for Source or Destination
- “vse” refers to traffic generated by the Edge itself, e.g. routing protocol and logging (syslog) traffic
- “internal” and “external” apply to any traffic from Internal or Uplink interfaces respectively and are updated automatically as interfaces are configured on the Edge
- “internal” vNIC group rules do not work on a DLR
- Destination:
- Can include multiple vNICs/vNIC groups and IP addresses (or IP Sets/groups)
- Service:
- Select from pre-defined Services/Service Groups or define a custom one
- Services/IP Sets/Service Groups defined on an Edge (Manage -> Grouping Objects) are local to that Edge
- Globally defined Services/Groups/IP Sets in NSX Manager are available to all Edges
- Action:
- Accept: Allow traffic
- Deny: Block traffic
- Reject: Block traffic and notify the sender: TCP RST (reset) for TCP, ICMP unreachable for other protocols
- Advanced Options
- Match on: Original (default) or Translated. With Translated, the rule is matched against the post-NAT (translated) addresses of a NAT rule rather than the original packet addresses
- Enable Rule Direction: restrict the rule to inbound or outbound traffic on the interface
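The rule components above map directly onto the Edge firewall REST API. The following is an added example (not code from the NSX Administration Guide or from VMware) that builds a user rule as the XML the NSX-v 6.2 API accepts on /api/4.0/edges/{edgeId}/firewall/config/rules and returns the method/path for the add, edit and delete operations. The element names, the vNIC group ids (vse, internal, external, vnic-index-N) and the aboveRuleId query parameter are assumed to match the 6.2 API guide; edge-1, ipset-1 and the rule id 131075 are placeholder identifiers, not real objects.

```python
"""Build an NSX-v Edge firewall rule body and the REST calls that manage it.

Added example for these notes; it is not VMware code. Assumes the NSX-v 6.2
API path /api/4.0/edges/{edgeId}/firewall/config/rules and the <firewallRule>
element names. All ids (edge-1, ipset-1, 131075) are placeholders.
"""
import xml.etree.ElementTree as ET

BUILTIN_VNIC_GROUPS = {"vse", "internal", "external"}
ACTIONS = {"accept", "deny", "reject"}


def _endpoint(parent, members):
    """Fill <source>/<destination>. Accepts the same mix the UI allows: a
    built-in vNIC group, a single interface (vnic-index-N), a grouping
    object id (ipset-/securitygroup-) or a literal IP / CIDR / range."""
    for m in members:
        if m in BUILTIN_VNIC_GROUPS or m.startswith("vnic-index-"):
            tag = "vnicGroupId"
        elif m.startswith(("ipset-", "securitygroup-")):
            tag = "groupingObjectId"
        else:
            tag = "ipAddress"
        ET.SubElement(parent, tag).text = m


def build_rule(name, source, destination, action, *, services=(), logging=False,
               match_translated=False, direction=None, enabled=True):
    """Return the <firewallRules> XML for one user rule.

    services: iterable of predefined service/service-group ids (strings) or
    (protocol, port) tuples for a custom service defined inline on the rule.
    direction: None (both), "in" or "out" (the Enable Rule Direction option).
    """
    if action not in ACTIONS:
        raise ValueError(f"action must be one of {sorted(ACTIONS)}")
    if direction not in (None, "in", "out"):
        raise ValueError("direction must be None, 'in' or 'out'")
    rules = ET.Element("firewallRules")
    rule = ET.SubElement(rules, "firewallRule")
    ET.SubElement(rule, "name").text = name
    ET.SubElement(rule, "ruleType").text = "user"   # only user rules are created here
    ET.SubElement(rule, "enabled").text = str(enabled).lower()
    ET.SubElement(rule, "loggingEnabled").text = str(logging).lower()
    ET.SubElement(rule, "action").text = action
    _endpoint(ET.SubElement(rule, "source"), source)
    _endpoint(ET.SubElement(rule, "destination"), destination)
    if services:
        app = ET.SubElement(rule, "application")
        for svc in services:
            if isinstance(svc, str):
                ET.SubElement(app, "applicationId").text = svc
            else:
                proto, port = svc
                s = ET.SubElement(app, "service")
                ET.SubElement(s, "protocol").text = proto
                ET.SubElement(s, "port").text = str(port)
                ET.SubElement(s, "sourcePort").text = "any"
    # Match on: Original (false, default) or Translated (true)
    ET.SubElement(rule, "matchTranslated").text = str(match_translated).lower()
    if direction:
        ET.SubElement(rule, "direction").text = direction
    return ET.tostring(rules, encoding="unicode")


def rule_requests(edge_id, rule_id=None, above_rule_id=None):
    """Method/path pairs: add (optionally above an existing rule), edit, delete."""
    base = f"/api/4.0/edges/{edge_id}/firewall/config/rules"
    add_path = base + (f"?aboveRuleId={above_rule_id}" if above_rule_id else "")
    return {
        "add": ("POST", add_path),
        "edit": ("PUT", f"{base}/{rule_id}") if rule_id else None,
        "delete": ("DELETE", f"{base}/{rule_id}") if rule_id else None,
    }


if __name__ == "__main__":
    body = build_rule("Allow-HTTPS-to-DMZ", ["internal"], ["ipset-1"], "accept",
                      services=[("tcp", 443)], logging=True, direction="in")
    print(rule_requests("edge-1", rule_id=131075, above_rule_id=131070))
    print(body)
```

Send the body with Content-Type: application/xml. Using vnicGroupId "internal" on a DLR would silently not work, as noted above, so build DLR-facing rules with explicit IP addresses or grouping objects instead.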
Compare and contrast between Edge Rule Types (Pre-Rules/Internal/User Rules/Default Rules)
Pre-rules
- Defined in the Distributed Firewall with “Applied To” set to an NSX Edge
- Pushed to that NSX Edge as a Pre-rule, evaluated before all other Edge rules
- Can be used to centrally manage Edge Firewall rules for common services across many Edges
Internal
- Internal (“auto-plumb”) rules are generated automatically by the Edge to permit the traffic its own services need, e.g. SSL VPN
User/Default Rules
- User rules are those configured directly on an NSX Edge, e.g. an ICMP allow rule
- They are evaluated after any Pre-rules and internal rules and before the Default rule
- The Default rule can be modified (action and logging) but always appears at the end of the rule base and cannot be removed
Change the order of an Edge User Firewall rule
- Use the “move” icons to move a rule up or down in the list
- Only applicable to User rules: internal and Default rules cannot be moved, and Pre-rules are ordered in the Distributed Firewall section that defines them
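To make the rule-type ordering and the effect of moving a user rule concrete, here is an added illustration (not NSX code) of first-match evaluation over a small rule base. It sorts rules into the order described above (Pre-rules, internal, user, Default), keeps the relative order within each type, and refuses to move anything but a user rule. The rule names, addresses and the internal SSL VPN rule are constructed for the example.

```python
"""First-match evaluation of an Edge rule base in NSX order:
pre-rules (from DFW) -> internal auto-plumbed rules -> user rules -> default.

Added illustration for these notes, not NSX code. Rules and addresses are
constructed; the DLR/Edge never exposes its matcher like this.
"""
from dataclasses import dataclass
from typing import Optional
import ipaddress

ORDER = ("pre", "internal", "user", "default")


@dataclass
class Rule:
    name: str
    rule_type: str            # one of ORDER
    action: str               # accept / deny / reject
    src: str = "any"          # "any" or a network in CIDR form
    dst: str = "any"
    proto: str = "any"        # "any", "tcp", "udp", "icmp"
    port: Optional[int] = None

    def matches(self, flow):
        def in_net(addr, spec):
            return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)
        return (in_net(flow["src"], self.src) and in_net(flow["dst"], self.dst)
                and self.proto in ("any", flow["proto"])
                and (self.port is None or self.port == flow["dport"]))


def ordered(rules):
    """Sort by rule type only. The sort is stable, so the relative order of
    rules of the same type (what the move icons change) is preserved."""
    return sorted(rules, key=lambda r: ORDER.index(r.rule_type))


def evaluate(rules, flow):
    """Return (rule name, action) of the first matching rule."""
    for r in ordered(rules):
        if r.matches(flow):
            return r.name, r.action
    raise RuntimeError("no default rule present")  # a real Edge always has one


def move_user_rule(rules, name, up=True):
    """Swap a user rule with its neighbour; anything else is not movable."""
    user = [r for r in rules if r.rule_type == "user"]
    others = [r for r in rules if r.rule_type != "user"]
    names = [r.name for r in user]
    if name not in names:
        raise ValueError("only user rules can be moved")
    i = names.index(name)
    j = i - 1 if up else i + 1
    if 0 <= j < len(user):
        user[i], user[j] = user[j], user[i]
    return others + user


# Constructed rule base, deliberately listed out of order to show that
# rule type, not list position, decides precedence.
RULEBASE = [
    Rule("Default", "default", "deny"),
    Rule("Block-Telnet", "user", "deny", proto="tcp", port=23),
    Rule("Allow-Mgmt-Net", "user", "accept", src="10.0.1.0/24", proto="tcp"),
    Rule("SSLVPN-auto", "internal", "accept", dst="198.51.100.10", proto="tcp", port=443),
    Rule("Corp-DNS-prerule", "pre", "accept", proto="udp", port=53),
]

TELNET = {"src": "10.0.1.5", "dst": "10.0.2.5", "proto": "tcp", "dport": 23}

if __name__ == "__main__":
    print([r.name for r in ordered(RULEBASE)])
    print(evaluate(RULEBASE, TELNET))                                   # Block-Telnet deny
    print(evaluate(move_user_rule(RULEBASE, "Allow-Mgmt-Net"), TELNET))  # Allow-Mgmt-Net accept
```

Moving Allow-Mgmt-Net above Block-Telnet flips the telnet verdict from deny to accept while the Pre-rule still wins for DNS and the Default rule still catches everything else, which is the behaviour to keep in mind when reordering user rules on a production Edge.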
Demonstrate how to configure an Edge Firewall Pre Rule
- Add the rule in the Distributed Firewall and set “Applied To” to the Edge; it then appears on that Edge as a Pre-rule
Understand the limitations of ECMP and Edge Firewall Policy
- The Edge Firewall should not be enabled on an Edge running ECMP: ECMP produces asymmetric paths, so the return traffic of a flow can arrive at a different Edge from the one that saw the outbound packets, and a stateful firewall with no matching state entry drops it (the same applies to other stateful services such as NAT)
- The Edge Firewall can be enabled on a DLR running ECMP because it applies only to the DLR Control VM, not to the data plane that forwards the ECMP traffic