Objective 7.1 – Configure and Administer Logical Firewall Services

Knowledge

  • Add/Edit/Delete an Edge Firewall rule
    [Figure 7.1: Edge Firewall]

    • Add:
      • Log in to the vSphere Web Client.
      • Click Networking & Security and then click NSX Edges.
      • Double-click an NSX Edge.
      • Click the Manage tab and then click the Firewall tab.
      • Do one of the following.
      • To add a rule at a specific place in the firewall table
        • Select a rule.
        • In the No. column, click the Pencil icon and select Add Above or Add Below.
        • A new any/any allow rule is added below the selected rule. If the system-defined rule is the only rule in the firewall table, the new rule is added above the default rule.
      • To add a rule by copying a rule
        • Select a rule.
        • Click the Copy icon.
        • Select a rule.
        • In the No. column, click and select Paste Above or Paste Below.
      • To add a rule anywhere in the firewall table
        • Click the Add “+” icon.
        • A new any/any allow rule is added below the selected rule. If the system-defined rule is the only rule in the firewall table, the new rule is added above the default rule. The new rule is enabled by default.
        • Point to the Name cell of the new rule and click [+]
        • Type a name for the new rule.
      • Point to the Source cell of the new rule and click [+] or [IP].
        • If you clicked [IP], type an IP address.
        • If you clicked [+], select an object from the drop-down and then make the appropriate selections. If you select vNIC Group, and then select vse, the rule applies to traffic generated by the NSX Edge. If you select internal or external, the rule applies to traffic coming from any internal or uplink interface of the selected NSX Edge instance. The rule is automatically updated when you configure additional interfaces. If you select IP Sets, you can create a new IP address group. Once you create the new group, it is automatically added to the Source column.
        • Click OK.
      • Point to the Destination cell of the new rule and click [+] or [IP].
        • If you clicked [IP], type an IP address.
        • If you clicked [+], select an object from the drop-down and then make the appropriate selections. If you select vNIC Group, and then select vse, the rule applies to traffic generated by the NSX Edge. If you select internal or external, the rule applies to traffic going to any internal or uplink interface of the selected NSX Edge instance. The rule is automatically updated when you configure additional interfaces. If you select IP Sets, you can create a new IP address group. Once you create the new group, it is automatically added to the Destination column.
        • Click OK.
      • Point to the Service cell of the new rule and click [+] or [∩].
        • If you clicked [+], select a service. To create a new service or service group, click New. Once you create the new service, it is automatically added to the Service column.
        • If you clicked [∩], select a protocol. You can specify the source port by clicking the arrow next to Advance options. VMware recommends that you avoid specifying the source port from release 5.1 onwards. Instead, you can create a service for a protocol-port combination.
          NOTE NSX Edge only supports services defined with L3 protocols.
      • Point to the Action cell of the new rule and click [+]
        • Click Deny to block traffic from or to the specified source and destination.
        • Click Log to log all sessions matching this rule. Enabling logging can affect performance.
        • Type comments if required.
        • Click [>] next to Advance options.
        • To apply the rule to the translated IP address and services for a NAT rule, select Translated IP for Match on.
        • Click Enable Rule Direction and select Incoming or Outgoing. VMware does not recommend specifying the direction for firewall rules.
        • Click OK
      • Click Publish Changes to push the new rule to the NSX Edge instance.
    • Edit:
      • Log in to the vSphere Web Client.
      • Click Networking & Security and then click NSX Edges.
      • Double-click an NSX Edge.
      • Click the Monitor tab and then click the Firewall tab.
      • Select the rule to edit
        NOTE You cannot change an auto-generated rule or the default rule, except for changing the Action on the default rule.
      • Make the desired changes and click OK.
      • Click Publish Changes.
    • Delete:
      • Log in to the vSphere Web Client.
      • Click Networking & Security and then click NSX Edges.
      • Double-click an NSX Edge.
      • Click the Monitor tab and then click the Firewall tab.
      • Select the rule to delete
        NOTE You cannot delete an auto-generated rule or the default rule.
      • Click Delete “X” and click OK.
      • Click Publish Changes.
  • Configure Source/Destination/Service/Action rule components
    • Configure Source:
      • Point to the Source cell of the rule and click [+] or [IP].
        • If you clicked [IP], type an IP address.
        • If you clicked [+], select an object from the drop-down and then make the appropriate selections. If you select vNIC Group, and then select vse, the rule applies to traffic generated by the NSX Edge. If you select internal or external, the rule applies to traffic coming from any internal or uplink interface of the selected NSX Edge instance. The rule is automatically updated when you configure additional interfaces. If you select IP Sets, you can create a new IP address group. Once you create the new group, it is automatically added to the Source column.
        • Click OK.
    • Configure Destination:
      • Point to the Destination cell of the rule and click [+] or [IP].
        • If you clicked [IP], type an IP address.
        • If you clicked [+], select an object from the drop-down and then make the appropriate selections. If you select vNIC Group, and then select vse, the rule applies to traffic generated by the NSX Edge. If you select internal or external, the rule applies to traffic going to any internal or uplink interface of the selected NSX Edge instance. The rule is automatically updated when you configure additional interfaces. If you select IP Sets, you can create a new IP address group. Once you create the new group, it is automatically added to the Destination column.
        • Click OK.
    • Configure Service:
      • Point to the Service cell of the rule and click [+] or [∩].
        • If you clicked [+], select a service. To create a new service or service group, click New. Once you create the new service, it is automatically added to the Service column. For more information on creating a new service, see “Create a Service,” on page 30 of the NSX Administration Guide.
        • If you clicked [∩], select a protocol. You can specify the source port by clicking the arrow next to Advance options. VMware recommends that you avoid specifying the source port from release 5.1 onwards. Instead, you can create a service for a protocol-port combination.
          NOTE NSX Edge only supports services defined with L3 protocols.
    • Configure Action:
      • Point to the Action cell of the rule and click [+]
      • Click Deny to block traffic from or to the specified source and destination.
      • Click Log to log all sessions matching this rule. Enabling logging can affect performance.
      • Type comments if required.
      • Click [>] next to Advance options.
      • To apply the rule to the translated IP address and services for a NAT rule, select Translated IP for Match on.
      • Click Enable Rule Direction and select Incoming or Outgoing. VMware does not recommend specifying the direction for firewall rules.
      • Click OK
    • Click Publish Changes to push the updated rule to the NSX Edge instance.
  • Change the order of an Edge Firewall rule
    • Log in to the vSphere Web Client.
    • Click Networking & Security and then click NSX Edges.
    • Double-click an NSX Edge.
    • Click the Monitor tab and then click the Firewall tab.
    • Select the rule for which you want to change the priority.
      NOTE You cannot change the priority of auto-generated rules or the default rule.
    • Click the “Move Up” or “Move Down” icon.
    • Click OK.
    • Click Publish Changes.
  • Change the priority of an Edge Firewall rule
    • Changing the priority means the same thing as changing the order.
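The Add and Change-the-order procedures above describe a first-match rule table: every new row starts as an enabled any/any allow rule, the system default rule always stays at the bottom, and auto-generated and default rules can be neither moved nor deleted (only the default rule's action can change). The following Python model is an added example, not code from this page or from VMware NSX; it simulates those semantics so the effect of rule order, and of a placeholder any/any allow rule that is published unedited, can be checked before Publish Changes. `Rule`, `EdgeFirewall`, the CIDR-only source/destination fields and the `proto/port` service strings are constructed simplifications of the NSX objects (vNIC groups, IP sets, service groups), and the sample addresses are made up.

```python
from copy import deepcopy
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

ANY = "any"


@dataclass
class Rule:
    """One row of the Edge firewall table (constructed simplification of NSX objects)."""
    name: str
    source: str = ANY          # "any" or a CIDR; NSX also accepts vNIC groups and IP sets
    destination: str = ANY
    service: str = ANY         # "any", "tcp", or "tcp/443" (protocol/port), assumed format
    action: str = "accept"     # "accept" or "deny"
    log: bool = False
    enabled: bool = True
    kind: str = "user"         # "user", "auto" (auto-generated) or "default"

    def matches(self, src: str, dst: str, proto: str, port: int) -> bool:
        if not self.enabled:
            return False

        def ip_ok(spec: str, ip: str) -> bool:
            return spec == ANY or ip_address(ip) in ip_network(spec, strict=False)

        if not ip_ok(self.source, src) or not ip_ok(self.destination, dst):
            return False
        if self.service == ANY:
            return True
        want_proto, _, want_port = self.service.partition("/")
        return want_proto == proto and (want_port == "" or int(want_port) == port)

    def is_wide_open(self) -> bool:
        """True for the untouched any/any allow placeholder the UI creates."""
        return (self.source, self.destination, self.service, self.action) == (ANY, ANY, ANY, "accept")


class EdgeFirewall:
    """Hypothetical model of the NSX Edge firewall table and its ordering rules."""

    def __init__(self) -> None:
        # The system default rule is always the last row; only its action is editable.
        self.rules: List[Rule] = [Rule("default rule", action="deny", kind="default")]
        self.published: List[Rule] = deepcopy(self.rules)

    def editable(self, idx: int) -> bool:
        """Only user rules can be edited, moved or deleted; auto and default rules are locked."""
        return self.rules[idx].kind == "user"

    def _user_rule(self, idx: int) -> Rule:
        if not self.editable(idx):
            rule = self.rules[idx]
            raise PermissionError(f"cannot modify {rule.kind} rule '{rule.name}'")
        return self.rules[idx]

    def add_rule(self, selected: Optional[int] = None, above: bool = False) -> int:
        """Mirror the UI: a new any/any allow rule goes below the selected rule,
        or directly above the default rule when no rule is selected."""
        default_idx = len(self.rules) - 1
        idx = default_idx if selected is None else (selected if above else selected + 1)
        idx = min(idx, default_idx)            # nothing may sit below the default rule
        self.rules.insert(idx, Rule("new rule"))
        return idx

    def delete_rule(self, idx: int) -> None:
        self._user_rule(idx)
        self.rules.pop(idx)

    def move_rule(self, idx: int, up: bool) -> int:
        """Move Up / Move Down; returns the rule's new index (unchanged if blocked)."""
        self._user_rule(idx)
        target = idx - 1 if up else idx + 1
        if target < 0 or target >= len(self.rules) - 1:   # stay above the default rule
            return idx
        self.rules[idx], self.rules[target] = self.rules[target], self.rules[idx]
        return target

    def set_default_action(self, action: str) -> None:
        self.rules[-1].action = action

    def publish(self) -> List[str]:
        """Push the table to the Edge; return names of user rules still at the any/any
        allow placeholder, since publishing one of those opens the Edge to all traffic."""
        self.published = deepcopy(self.rules)
        return [r.name for r in self.published if r.kind == "user" and r.is_wide_open()]

    def lookup(self, src: str, dst: str, proto: str, port: int) -> Rule:
        """First-match evaluation over the published table; the default rule always matches."""
        for rule in self.published:
            if rule.matches(src, dst, proto, port):
                return rule
        raise RuntimeError("unreachable: the default rule matches everything")


def demo() -> dict:
    """Build a two-rule table, fix the order, publish, and evaluate sample flows (constructed data)."""
    fw = EdgeFirewall()
    i = fw.add_rule()                                  # placeholder lands above the default rule
    web = fw.rules[i]
    web.name, web.destination, web.service, web.log = "web-in", "10.0.1.0/24", "tcp/443", True
    j = fw.add_rule(selected=i)                        # Add Below: lands under web-in
    blk = fw.rules[j]
    blk.name, blk.source, blk.action = "block-lab", "192.168.50.0/24", "deny"
    fw.move_rule(j, up=True)                           # a deny only takes effect if it precedes the allow
    warnings = fw.publish()
    return {
        "order": [r.name for r in fw.published],
        "lab_to_web": fw.lookup("192.168.50.7", "10.0.1.10", "tcp", 443).name,
        "office_to_web": fw.lookup("10.9.9.9", "10.0.1.10", "tcp", 443).name,
        "office_to_ssh": fw.lookup("10.9.9.9", "10.0.1.10", "tcp", 22).name,
        "warnings": warnings,
    }


if __name__ == "__main__":
    print(demo())
```

The `publish()` warning is the check worth carrying into practice: because the UI creates every new rule as any/any allow and enabled, a rule that is added and published before its cells are edited silently allows all traffic until a later rule or the default rule is reached. Evaluating sample flows against `lookup()` after each Move Up / Move Down also shows why priority and order are the same thing here: only the first matching row decides.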

Tools

NSX Administration Guide
vSphere Web Client

One thought on “Objective 7.1 – Configure and Administer Logical Firewall Services”

  1. Pingback: VMware VCP-NV NSX Study Resources | darrylcauldwell.com
