Configurar el NSX Edge Firewall (EN)
creating firewall rules
Last updated 25th November 2021
Objective
The NSX firewall service restricts or allows network traffic based on rules applied to network nodes or groups.
This guide explain how to create rules.
Requirements
- being an administrative contact of your Hosted Private Cloud infrastructure to receive login credentials
- a user account with access to vSphere as well as the specific rights for NSX (created in the OVHcloud Control Panel)
- a deployed NSX Edge Services Gateway
Instructions
Interface access
In the vSphere interface menu, go to the Networking and Security dashboard.
On the left side, navigate to the NSX Edges section then click on the appliance you're setting up.
The Firewall tab shows the status with a simple button to stop or start the service.
Any change made will need to be published to be validated, so you will not shut down the service at the single push of a button.
Firewall Rules
The basics of a firewall rule is to manage identified service(s) from specified source(s) to specified destination(s).
Click on + Add Rule.
The new rule shows with:
- An activation slider
- A selection box for specific actions (order change, deletion...)
- Name
- ID
- Type
- Source
- Destination
- Service
- Action
- Log slider
- Advanced settings
By default, rules have Any as source and destination, meaning it encompasses all traffic. To avoid security issues, it is best practices to avoid broad targets.
Name the rule by clicking the Name field. ID and Type fields are automatically populated.
Source
The source field defines the origin of the traffic.
Hover over the field and click on the pencil icon. You can add objects and/or IP addresses as needed.
If "Negate Source" is turned on, the rule is applied to all sources except for the sources selected.
Click Save when ready.
Destination
The destination field defines the target of the traffic.
Hover over the field and click on the pencil icon. You have the same choices for destination as you had for source.
If "Negate Source" is turned on, the rule is applied to all destinations except for the destinations selected.
Click Save when ready.
Service
The service field defines the type of traffic aimed at.
Hover over the field and click on the pencil icon. You have the choice between using existing services and groups or add raw ports/protocols.
Clicking on an existing service or group will show you a description with the ports and protocols involved.
Click Save when ready.
Action
The action field defines how to handle the traffic.
You have three possible options to choose from:
- Accept: The traffic will go through.
- Deny: The traffic will be blocked with no further communication.
- Reject: The traffic will be blocked and a "port unreachable" message will be sent to the source.
Log
The log slider allows you to keep a journal of events on the rule.
Advanced Settings
Aside from a comments section and a statistics section, the advanced settings section allows you to define if the target traffic is inbound, outbound or both. In case of NAT traffic, you can choose if the rule applies to the original or translated source.
Rules priorities
Once the rule is set up, you see it in the list. The number of the rule in the list defines its priority.
Rules are applied from top to bottom.
The first rule that matches the traffic overrides all the other rules below.
That means that in the case of conflicting rules, the rule with the highest priority (lowest number) will be applied.
You can modify the rule order by selecting a rule and using the up and down arrows.
Publishing rules
No creation/modification of a rule will be registered until you click the Publish button.
Go further
Join our community of users on https://community.ovh.com/en/.
¿Le ha resultado útil esta guía?
Si lo desea, también puede enviarnos sus sugerencias para ayudarnos a mejorar nuestra documentación.
Imágenes, contenido, estructura...: ayúdenos a mejorar nuestra documentación con sus sugerencias.
No podemos tratar sus solicitudes de asistencia a través de este formulario. Para ello, haga clic en "Crear un tíquet" .
¡Gracias! Tendremos en cuenta su opinión.