Objective 7.2 – Configure Distributed Firewall Services

Knowledge

  • Differentiate between Layer 2 and Layer 3 rules
    • Layer 2 rules are between VMs on the same logical switch, and are based on the contents of the Ethernet packet header rather than the IP packet header. Packets are filtered based on the MAC address, rather than the IP address. L2 rules are mapped to L2 OSI model: only MAC addresses can be used in the source and destination fields – and only L2 protocols can be used in the service fields (like ARP for instance).
    • Layer 3 rules are between IP addresses or IP address ranges. Packets are filtered on the IP header and potentially also the TCP or UDP header. L3/L4 rules are mapped to L3/L4 OSI model: policy rules can be written using IP addresses and TCP/UDP ports.
      It is important to remember that L2 rules are always enforced before L3/L4 rules. As a concrete example, if the L2 default policy rule is modified to ‘block’, then all L3/L4 traffic will be blocked as well by DFW (no more ping work for example)
  • Differentiate between entity-based and identity-based rules
    • Entity based rules are based on VMware vCenter objects like datacenters and clusters and virtual machine names; network constructs like IP or IPSet addresses, VLAN (DVS port-groups), VXLAN (logical switches), security groups.
    • Identity based rules are based on user or group identity from Active Directory. Administrators can enforce access control based on the user’s group membership as defined in the enterprise Active Directory. Here are some scenarios where identity-based firewall rules can be used:
      • User accessing virtual applications using a laptop or mobile device where AD is used for user authentication
      • User accessing virtual applications using VDI infrastructure where the virtual machines are Microsoft Windows based
  • Identify firewall rule entities
    • VMware vCenter objects like datacenters and clusters and virtual machine names;
    • Network constructs like IP or IPSet addresses, VLAN (DVS port-groups), VXLAN (logical switches), security groups.
  • Explain rule processing order
    • L2 rules are always enforced before L3/L4 rules
    • User-defined pre rules have the highest priority and are enforced in top-to-bottom ordering with a per-virtual NIC level precedence.
    • Next Auto-plumbed rules.
    • Then Local rules defined at an NSX Edge level.
    • Then Service Composer rules – a separate section for each policy. You cannot edit these rules in the Firewall table, but you can add rules at the top of a security policy firewall rules section. If you do so, you must re-synchronize the rules in Service Composer. For more information, see Service Composer.
    • Finally Default Distributed Firewall rule
  • Explain rule segregation
    • You can add a section to segregate firewall rules. For example, you might want to have the rules for sales and engineering departments in separate sections.
  • Add/Delete a Distributed Firewall rule
    • Add:
      • In the vSphere Web Client, navigate to Networking & Security > Firewall.
      • Ensure that you are in the General tab to add an L3 rule. Click the Ethernet tab to add an L2 rule.
      • In the section in which you add a rule, click Add rule (add icon) icon.
      • A new any any allow rule is added at the top of the section. If the system-defined rule is the only rule in the section, the new rule is added above the default rule.
      • If you want to add a rule at a specific place in a section, select a rule. In the No. column, click edit and select Add Above or Add Below.
      • Point to the Name cell of the new rule and click [+]
      • Type a name for the new rule.
      • Point to the Source cell of the new rule and click [+] or [IP]
      • If you clicked [IP], select the IP address format (IPv4/v6) and type an IP address.
      • To specify source as an object other than a specific IP address.
        • In View, select a container from which the communication originated. Objects for the selected container are displayed.
        • Select one or more objects and click You can create a new security group or IPSet. Once you create the new object, it is added to the source column by default. For information on creating a new security group or IPSet, see Network and Security Objects.
        • To specify a source port, click Advance options and type the port number or range.
        • Select Negate Source to exclude this source port from the rule. If Negate Source is selected, the rule applied to traffic coming from all sources except for the source you specified in the previous step. If Negate Source is not selected, the rule applies to traffic coming from the source you specified in the previous step.
      • Click OK.
    • Point to the Destination cell of the new rule and click [+] or [IP].
      •  If you clicked [IP], select the IP address format (IPv4/v6) and type an IP address.
      • To specify destination as an object other than a specific IP address.
        • In View, select a container which the communication is targeting Objects for the selected container are displayed.
        • Select one or more objects and click You can create a new security group or IPSet. Once you create the new object, it is added to the Destination column by default. For information on creating a new security group or IPSet, see Network and Security Objects.
        • To specify a destination port, click Advance options and type the port number or range.
        • Select Negate Destination to exclude this destination port from the rule. If Negate Destination is selected, the rule applied to traffic going to all destinations except the destination you specified in the previous step. If Negate Destination is not selected, the rule applies to traffic going to the destination you specified in the previous step.
      • Click OK.
    • Point to the Service cell of the new rule and click [+] or [∩]
      • If you clicked [+] , select a service. To create a new service or service group, click New. Once you create the new service, it is automatically added to the Service column. Click OK
      • If you clicked [∩] , select the service protocol. Distributed Firewall supports ALG (Application Level Gateway) for the following protocols: FTP, CIFS, ORACLE TNS, MS-RPC, and SUN-RPC. Type the port number and click OK
    • Point to the Action cell of the new rule and click [+] Make appropriate selections as described in the list below and click OK.
      • Allow Allows traffic from or to the specified source(s), destination(s), and service(s).
      • Block Blocks traffic from or to the specified source(s), destination(s), and service(s).
      • Reject Sends reject message for unaccepted packets. RST packets are sent for TCP connections. ICMP messages with administratively prohibited code are sent for UDP, ICMP, and other IP connections.
      • Log Logs all sessions matching this rule. Enabling logging can affect performance.
      • Do not log Does not log sessions.
    • Click Publish Changes to push the new rule to the NSX Edge instance.
  • Configure Source/Destination/Service/Action rule components
    • Point to the Source cell of the rule and click [+] or [IP]
      • If you clicked [IP], select the IP address format (IPv4/v6) and type an IP address.
      • To specify source as an object other than a specific IP address.
        • In View, select a container from which the communication originated. Objects for the selected container are displayed.
        • Select one or more objects and click Add. You can create a new security group or IPSet. Once you create the new object, it is added to the source column by default. For information on creating a new security group or IPSet, see Network and Security Objects.
        • To specify a source port, click Advance options and type the port number or range.
        • Select Negate Source to exclude this source port from the rule. If Negate Source is selected, the rule applied to traffic coming from all sources except for the source you specified in the previous step. If Negate Source is not selected, the rule applies to traffic coming from the source you specified in the previous step.
        • Click OK.
    • Point to the Destination cell of the rule and click [+] or [IP].
      • If you clicked [IP], select the IP address format (IPv4/v6) and type an IP address.
      • To specify destination as an object other than a specific IP address.
        • In View, select a container which the communication is targeting Objects for the selected container are displayed.
        • Select one or more objects and click You can create a new security group or IPSet. Once you create the new object, it is added to the Destination column by default. For information on creating a new security group or IPSet, see Network and Security Objects.
        • To specify a destination port, click Advance options and type the port number or range.
        • Select Negate Destination to exclude this destination port from the rule. If Negate Destination is selected, the rule applied to traffic going to all destinations except the destination you specified in the previous step. If Negate Destination is not selected, the rule applies to traffic going to the destination you specified in the previous step.
        • Click OK.
    • Point to the Service cell of the rule and click [+] or [∩]
      • If you clicked [+] , select a service. To create a new service or service group, click New. Once you create the new service, it is automatically added to the Service column. Click OK
      • If you clicked [∩] , select the service protocol. Distributed Firewall supports ALG (Application Level Gateway) for the following protocols: FTP, CIFS, ORACLE TNS, MS-RPC, and SUN-RPC. Type the port number and click OK
    • Point to the Action cell of the rule and click [+] Make appropriate selections as described in the list below and click OK.
      • Allow
        Allows traffic from or to the specified source(s), destination(s), and service(s).
      • Block
        Blocks traffic from or to the specified source(s), destination(s), and service(s).
      • Reject
        Sends reject message for unaccepted packets. RST packets are sent for TCP connections. ICMP messages with administratively prohibited code are sent for UDP, ICMP, and other IP connections.
      • Log
        Logs all sessions matching this rule. Enabling logging can affect performance.
      • Do not log
        Does not log sessions.
  • Change the order of a Distributed Firewall rule
    • In the vSphere Web Client, navigate to Networking & Security > Firewall.
    • Select the rule that you want to move.
    • Click the Move rule up or Move rule down icon.
    • Click Publish Changes.
  • Add/Merge/Delete a Distributed Firewall rule section
    • Add:
      • In the vSphere Web Client, navigate to Networking & Security > Firewall.Ensure that you are in the General tab to add a section for L3 rules. Click the Ethernet tab to add a section for L2 rules.
      • Click the Add Section icon.
      • Type a name for the section and specify the position for the new section. Section names must be unique within NSX Manager.
      • Click OK.
    • Merge:
      • In the vSphere Web Client, navigate to Networking & Security > Firewall.
      • For the section you want to merge, click the Merge icon and specify whether you want to merge this section with the section above or below.
      • Rules from both sections are merged. The new section keeps the name of the section with which the other section is merged.
      • Click Publish Changes.
    • Delete:
      • In the vSphere Web Client, navigate to Networking & Security > Firewall.
      • Ensure that you are in the General tab to delete a section for L3 rules. Click the Ethernet tab to delete a section for L2 rules.
      • Click the Delete section (X) icon for the section you want to delete.
      • Click OK and then click Publish Changes.
        The section, as well as all rules in that section, is deleted.
  • Determine publishing requirements for rules in a given NSX implementation
    • The Applied To column can be used to define the scope of rule publishing User can decide to publish policy rule to all clusters where DFW was enabled or restrict publication to a specific object as listed below:
      • Cluster
        Selecting Cluster will push the rule down to all VM/vNIC on the ESXi cluster.
      • Datacenter
        Selecting Datacenter will push the rule down to all VM/vNIC on the Datacenter.
      • Distributed Port Group
        Selecting DVS port-group will push the rule down to all VM/vNIC on the Datacenter.
      • Host
        Selecting Host will push the rule down to all VM/vNIC on the ESXi host.
      • Legacy port group
        Selecting Legacy port group will push the rule down to all VM/vNIC on the VSS port-group.
      • Logical Switch
        Selecting Logical Switch will push the rule down to all VM/vNIC connected on this Logical Switch (or VXLAN) segment .
      • Security Group
        Selecting Security Group will push the rule down to all VM/vNIC defined within the Security Group.
      • Virtual Machine
        Selecting Virtual Machine will push the rule down to all vNIC of this VM.
      • vNIC
        Selecting vNIC will push the rule down to this particular vNIC instance.
  • Import/Export Distributed Firewall Configuration
    • Import
      • Log in to the vSphere Web Client.
      • Click Networking & Security and then click Firewall.
      • Click the Firewall tab.
      • Click the Saved Configurations tab.
      • Click the Import configuration icon.
      • Click Browse and select the file containing the configuration that you want to import.Rules are imported based on the rule names. During the import, Firewall ensures that each object referenced in the rule exists in your environment. If an object is not found, the rule is marked as invalid.
        If a rule referenced a dynamic security group, the dynamic security group is created in NSX Manager during the import.
    • Export
      • Log in to the vSphere Web Client.
      • Click Networking & Security and then click Firewall.
      • Click the Export configuration icon.
      • To save the firewall configuration as an XML file, click Download.
      • Select the directory where you want to save the file and click Save.
        Your firewall configuration (both L2 and L3) is saved in the specified directory.
  • Load Distributed Firewall configuration
    • Log in to the vSphere Web Client.
    • Click Networking & Security and then click Firewall.
    • Ensure that you are in the General tab to load an L3 firewall configuration. Click the Ethernet tab to load an L2 firewall configuration.
    • Click the Load configuration icon.
    • Select the configuration to load and click OK.
      The current configuration is replaced by the selected configuration.
  • Determine need for excluding virtual machines from distributed firewall protection
    • You can exclude a set of virtual machines from firewall protection. If a virtual machine has multiple vNICs, all of them are excluded from protection.
    • NSX Manager and service virtual machines are automatically excluded from firewall protection. In addition, you should exclude the vCenter server and partner service virtual machines to allow traffic to flow freely.
    • Excluding virtual machines from firewall protection is useful for instances where vCenter Server resides in the same cluster where firewall is being utilized. After enabling this feature, no traffic from excluded virtual machines will go through the Firewall.
      NOTE vCenter Server can be moved to a cluster that is protected by firewall, but it must already exist in the exclusion list to avoid any connection issues.
  • Configure and manage SpoofGuard
    • Create a SpoofGuard policy
      • Log in to the vSphere Web Client.
      • Click Networking & Security and then click SpoofGuard.
      • Click the Add icon.
      • Type a name for the policy.
      • Select Enabled or Disabled to indicate whether the policy is enabled.
      • For Operation Mode, select one of the following:
        • Automatically Trust IP Assignments on Their First Use Select this option to trust all IP assignments upon initial registration with the NSX Manager.
        • Manually Inspect and Approve All IP Assignments Before Use Select this option to require manual approval of all IP addresses. All traffic to and from unapproved IP addresses is blocked.
      • Click “Allow local address as valid address in this namespace” to allow local IP addresses in your setup. When you power on a virtual machine but it is unable to connect to the DHCP server, a local IP address is assigned to it. This local IP address is considered valid only if the SpoofGuard mode is set to Allow local address as valid address in this namespace. Otherwise, the local IP address is ignored.
      • Click Next.
      • To specify the scope for the policy, click Add and select the networks, distributed port groups, or
      • logical switches that this policy should apply to.
        A port group or logical switch can belong to only one SpoofGuard policy.
      • Click OK and then click Finish.
    • Approve IP addresses
      • Log in to the vSphere Web Client.
      • Click Networking & Security and then click SpoofGuard.
      • Select a policy.
        Policy details are displayed below the policy table.
      • In View, click one of the option links.
        • Active Virtual NICs
          List of all validated IP addresses
        • Active Virtual NICs Since Last Published
          List of IP addresses that have been validated since the policy was last updated
        • Virtual NICs IP Required Approval
          IP address changes that require approval before traffic can flow to or from these virtual machines
        • Virtual NICs with Duplicate IP
          IP addresses that are duplicates of an existing assigned IP address within the selected datacenter
        • Inactive Virtual NICs
          List of IP addresses where the current IP address does not match the published IP address
        • Unpublished Virtual NICs IP
          List of virtual machines for which you have edited the IP address assignment but have not yet published
      • Do one of the following.
        • To approve a single IP address, click Approve next to the IP address.
        • To approve multiple IP addresses, select the appropriate vNICs and then click Approve Detected IP(s).
    • Edit/Clear IP addresses
      • Log in to the vSphere Web Client.
      • Click Networking & Security and then click SpoofGuard.
      • Select a policy.
        Policy details are displayed below the policy table.
      • In View, click one of the option links.
        • Active Virtual NICs
          List of all validated IP addresses
        • Active Virtual NICs Since Last Published
          List of IP addresses that have been validated since the policy was last updated
        • Virtual NICs IP Required Approval
          IP address changes that require approval before traffic can flow to or from these virtual machines
        • Virtual NICs with Duplicate IP
          IP addresses that are duplicates of an existing assigned IP address within the selected datacenter
        • Inactive Virtual NICs
          List of IP addresses where the current IP address does not match the published IP address
        • Unpublished Virtual NICs
          IP List of virtual machines for which you have edited the IP address assignment but have not yet published
      • To Edit, for the appropriate vNIC, click the Edit icon and make appropriate changes.
      • To clear a single IP address, click Clear next to the IP address.
      • To clear multiple IP addresses, select the appropriate vNICs and then click “Clear Approved IP(s)”.
      • Click OK.

Tools

  • NSX Administration Guide
  • vSphere Web Client
Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s