Configure the NSX-v distributed firewall (EN)

Last updated on 1st December 2021

Objective

Like the NSX Edge Firewall, the distributed firewall allows or restricts network traffic based on rules applied to network nodes or groups.

The distributed firewall optimizes traffic and bandwidth consumption by applying rules to packets before they are sent to the Edge firewall.

This guide explains how to create rules.

Requirements

Instructions

Interface access

In the vSphere interface menu, go to the Networking and Security dashboard.

On the left side, navigate to the Firewall section.

The distributed Firewall allows for:

  • General rules (layer 3 and up)
  • Ethernet rules (layer 2)
  • Partner Services rules (requires integration of third party products)

Priorities

Before creating rules, it is important to understand how and when they will be applied.
The Distributed Firewall has three layers of priority:

  • Types
  • Sections
  • Rules

Types

The type of a rule or section is defined by the layer it applies to.
Layer 2 rules are applied before Layer 3 and up.
That means Ethernet rules have a higher priority than General ones.

Sections

Sections are rules folders that allow better segmentation and easier management.
Sections are applied from top to bottom.
That means that in the case of conflicting rules in different sections, the rule within the section with the highest priority will be applied.

Rules

Rules manage identified service(s) from specified source(s) to specified destination(s).
Rules are applied from top to bottom.
The first rule that matches the traffic overrides all the other rules below.
That means that in the case of conflicting rules within a section, the rule with the highest priority (lowest number) will be applied.

Order

You can add rules and sections in any tab of the firewall.
You can modify the rule/section order by selecting a rule/section and using the up and down arrows.
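To make the priority model concrete, the following is an added example (it is not OVHcloud documentation code or VMware code) that simulates how the Distributed Firewall selects a rule for a packet: Ethernet sections before General ones, sections and rules top to bottom, first match wins, with Any, the Negate Source/Negate Destination options, the activation slider and the three actions modelled as described in this guide. The policy, MAC addresses and IP ranges are constructed for illustration only.

```python
from collections import namedtuple
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

@dataclass
class Rule:
    name: str
    action: str                                    # "allow", "block" or "reject"
    source: set = field(default_factory=set)       # empty set = Any
    destination: set = field(default_factory=set)  # empty set = Any
    service: set = field(default_factory=set)      # {(proto, port)}; empty = Any
    negate_source: bool = False
    negate_destination: bool = False
    enabled: bool = True                           # the activation slider

Section = namedtuple("Section", "name kind rules")  # kind: "ethernet" (L2) or "general" (L3+)

def _addr_hit(value, entries, negate, layer2):
    if not entries:                     # Any matches everything
        return True
    if layer2:                          # Ethernet rules match MAC addresses
        hit = value.lower() in {e.lower() for e in entries}
    else:                               # General rules match IPs against CIDRs
        hit = any(ip_address(value) in ip_network(e, strict=False) for e in entries)
    return not hit if negate else hit   # Negate Source / Negate Destination

def evaluate(sections, pkt):
    # Types first: a stable sort puts every Ethernet section before any General one.
    ordered = sorted(sections, key=lambda s: s.kind != "ethernet")
    for section in ordered:                                   # sections top to bottom
        l2 = section.kind == "ethernet"
        src, dst = (pkt["src_mac"], pkt["dst_mac"]) if l2 else (pkt["src_ip"], pkt["dst_ip"])
        for rule in section.rules:                            # rules top to bottom
            if (rule.enabled
                    and _addr_hit(src, rule.source, rule.negate_source, l2)
                    and _addr_hit(dst, rule.destination, rule.negate_destination, l2)
                    and (not rule.service or (pkt["proto"], pkt["port"]) in rule.service)):
                return section.name, rule.name, rule.action   # first match wins
    return None                                               # no rule matched

# Constructed sample policy: the Ethernet section is listed last but still wins.
POLICY = [
    Section("General rules", "general", [
        Rule("allow-ssh-from-admin", "allow", source={"10.0.0.0/24"},
             destination={"192.168.10.0/24"}, service={("tcp", 22)}),
        Rule("reject-ssh-from-others", "reject", source={"10.0.0.0/24"},
             negate_source=True, service={("tcp", 22)}),
        Rule("default-block", "block"),
    ]),
    Section("Ethernet rules", "ethernet", [Rule("drop-rogue-mac", "block", source={"00:50:56:aa:bb:cc"})]),
]
```

`evaluate(POLICY, packet)` returns the (section, rule, action) triple that the firewall would apply, or `None` when no rule matches; a packet from the rogue MAC is blocked at Layer 2 even when a General rule would have allowed it.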

Firewall Rules

Click on + Add Rule.

The new rule shows with:

  • An activation slider
  • A selection box for specific actions (order change, deletion...)
  • Name
  • ID
  • Source
  • Destination
  • Service
  • Applied To
  • Action
  • Log slider
  • Advanced settings

By default, rules have Any as source and destination, meaning they encompass all traffic. To avoid security issues, it is best practice to avoid such broad targets.

Name

Name the rule by clicking the Name field. The ID field will be automatically populated.

Source

The source field defines the origin of the traffic.

Hover over the field and click on the pencil icon. You can add objects and/or IP addresses as needed.

If "Negate Source" is turned on, the rule is applied to all sources except for the sources selected.

Click Save when ready.

Destination

The destination field defines the target of the traffic.

Hover over the field and click on the pencil icon. You have the same choices for destination as you had for source.

If "Negate Destination" is turned on, the rule is applied to all destinations except for the destinations selected.

Click Save when ready.

Service

The service field defines the type of traffic the rule targets (protocols and ports).

Hover over the field and click on the pencil icon. You have the choice between using existing services and groups or adding raw ports/protocols.

Clicking on an existing service or group will show you a description of the ports and protocols involved.

Click Save when ready.

Applied To

The Applied To field defines the scope of the rule.

Hover over the field and click on the pencil icon.
By default, the rule is set to apply to all clusters on which Distributed Firewall is installed, which means it will apply to all VMs.
You can add all Edge gateways or specific objects available in the list.

Click Save when ready.

Action

The action field defines how to handle the traffic.

You have three possible options to choose from:

  • Allow: The traffic will go through.
  • Block: The traffic will be blocked with no further communication.
  • Reject: The traffic will be blocked and a "port unreachable" message will be sent to the source.

Log

The log slider enables logging of the traffic matched by the rule, so that you keep a journal of its events.

Advanced Settings

Besides a comments section and a statistics section, the advanced settings let you define whether the rule targets inbound traffic, outbound traffic or both, and whether it applies to IPv4, IPv6 or both.

Click Save when ready.

Publishing rules

No creation or modification of a rule or section takes effect until you click the Publish button.

Go further

Join our community of users on https://community.ovh.com/en/.
