NSX-T Distributed Firewall – Part 2

In the first part of NSX-T Distributed Firewall, I explained the importance of embracing NSX-T DFW. In this post, I review how you can create and apply firewall rules to implement micro-segmentation. To create firewall rules, you first need to define a Policy section, which contains one or more firewall rules. A policy in NSX-T DFW can be defined as stateful or stateless. If the policy is stateless, you need to define rules in both directions; otherwise the reverse traffic is not allowed to pass. In the default stateful mode, a rule you define applies bidirectionally.

Then you need to define the rules under the policy section; each rule evaluates the criteria of a traffic flow. DFW rules determine whether the traffic should pass or be dropped based on the protocol and ports.

To create a firewall rule, you need to determine the source, destination, service and action. To specify the source and destination you can use an IP address, a MAC address or groups. A group can contain an IP address, VM, Segment, Segment port, Active Directory user/group or even a physical server. Moreover, you can define dynamic membership criteria for the group based on VM names, tags, machine names, operating system or computer names.

To determine which port and protocol the rule allows or drops, you choose the designated port/protocol in the Service section.

In the Applied To section you determine the scope in which the rule is enforced, and it is recommended to limit the policy to a specific tenant or zone. Applying a rule to such an attribute rather than to everything not only uses ESXi resources more efficiently, it also means the rule affects only that zone and not every other tenant.

Lastly, you need to specify whether the rule should Allow or Drop the traffic. In general, there are two approaches to this matter.

Whitelisting means you have an explicit Deny All at the end of the rules and you only specify which traffic is allowed to pass. Blacklisting means all traffic is allowed to pass and you only specify what is not allowed and gets dropped.
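The procedure above (a stateful policy, rules with source, destination, service and action, an Applied To scope and an explicit deny-all at the end) expressed as an NSX-T Policy API body, as an added example that is not code from the original post. The group paths, rule names and the default service paths /infra/services/HTTPS and /infra/services/MySQL are assumptions; the lint function catches the mistakes the post warns about before the body is sent.

```python
# Added example, not code from the original post: builds an NSX-T Policy API
# body for a whitelist-style DFW section and lints it before it is PATCHed to
# /policy/api/v1/infra/domains/default/security-policies/<id>. Group paths and
# the default services /infra/services/HTTPS and /infra/services/MySQL are assumed.

DOMAIN = "/infra/domains/default"
WEB, DB = f"{DOMAIN}/groups/web", f"{DOMAIN}/groups/db"  # assumed group paths

def rule(rule_id, src, dst, services, action, applied_to):
    """One DFW rule; applied_to is the 'Applied To' field, limiting enforcement
    to the listed groups instead of every vNIC in the domain."""
    return {"resource_type": "Rule", "id": rule_id, "display_name": rule_id,
            "source_groups": src, "destination_groups": dst,
            "services": services, "action": action, "direction": "IN_OUT",
            "scope": applied_to, "logged": True}

def whitelist_policy(policy_id, applied_to, rules):
    """Stateful policy with an explicit deny-all appended as its last rule, so
    anything not matched by an earlier allow rule is dropped."""
    deny_all = rule(f"{policy_id}-default-deny", ["ANY"], ["ANY"], ["ANY"],
                    "DROP", applied_to)
    return {"resource_type": "SecurityPolicy", "id": policy_id,
            "display_name": policy_id, "category": "Application",
            "stateful": True, "scope": applied_to, "rules": rules + [deny_all]}

def lint_policy(policy):
    """Returns a list of findings; an empty list means the section is a proper
    stateful, scoped whitelist."""
    findings = []
    if not policy.get("stateful"):
        findings.append("stateless policy: reverse traffic needs its own rules")
    if policy["scope"] == ["ANY"]:
        findings.append("policy applied to ANY: scope it to a tenant or zone group")
    if policy["rules"][-1]["action"] != "DROP":
        findings.append("last rule is not a deny-all, so this is not a whitelist")
    for r in policy["rules"][:-1]:
        if r["action"] == "ALLOW" and r["source_groups"] == ["ANY"] \
                and r["destination_groups"] == ["ANY"] and r["services"] == ["ANY"]:
            findings.append(f"rule {r['id']} allows any source, destination and service")
    return findings

def three_tier_policy():
    """Constructed sample: clients reach web on HTTPS, web reaches db on MySQL,
    everything else into or between these tiers is dropped."""
    return whitelist_policy("tenant-a-app", [WEB, DB], [
        rule("any-to-web-https", ["ANY"], [WEB], ["/infra/services/HTTPS"], "ALLOW", [WEB]),
        rule("web-to-db-mysql", [WEB], [DB], ["/infra/services/MySQL"], "ALLOW", [WEB, DB]),
    ])
```

`json.dumps(three_tier_policy(), indent=2)` gives the request body; run `lint_policy` on it first and only send it when the returned list is empty.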

If you want to learn further, you can watch the video on how to implement NSX-T DFW and Micro-segmentation. In this video, I have explained how you can create Groups, Policy and firewall rules in NSX-T.
