Last updated on 1st December 2021
Objective
Like the NSX Edge Firewall, the distributed firewall restricts or allows network traffic based on rules applied to network nodes or groups.
The distributed firewall optimizes traffic and bandwidth consumption by applying rules to packets before they are sent to the Edge firewall.
This guide explains how to create rules.
Requirements
- being an administrative contact of your Hosted Private Cloud infrastructure to receive login credentials
- a user account with access to vSphere as well as the specific rights for NSX (created in the OVHcloud Control Panel)
Instructions
Interface access
In the vSphere interface menu, go to the Networking and Security dashboard.
On the left side, navigate to the Firewall section.
The distributed Firewall allows for:
- General rules (layer 3 and up)
- Ethernet rules (layer 2)
- Partner Services rules (requires integration of third party products)
Priorities
Before creating rules, it is important to understand how and when they will be applied.
The Distributed Firewall has three layers of priority:
- Types
- Sections
- Rules
Types
The type of a rule or section is defined by the layer it applies to.
Layer 2 rules will be applied before Layer 3 and up.
That means that Ethernet rules will have a higher priority than General ones.
Sections
Sections are rules folders that allow better segmentation and easier management.
Sections are applied from top to bottom.
That means that in the case of conflicting rules in different sections, the rule within the section with the highest priority will be applied.
Rules
Rules manage identified service(s) from specified source(s) to specified destination(s).
Rules are applied from top to bottom.
The first rule that matches the traffic overrides all the other rules below.
That means that in the case of conflicting rules within a section, the rule with the highest priority (lowest number) will be applied.
Order
You can add rules and sections in any tab of the firewall.
You can modify the rule/section order by selecting a rule/section and using the up and down arrows.
Firewall Rules
Click on + Add Rule.
The new rule shows with:
- An activation slider
- A selection box for specific actions (order change, deletion...)
- Name
- ID
- Source
- Destination
- Service
- Applied To
- Action
- Log slider
- Advanced settings
By default, rules have Any as source and destination, meaning they encompass all traffic. To avoid security issues, it is best practice to avoid such broad targets.
Name
Name the rule by clicking the Name field. The ID field will be automatically populated.
Source
The source field defines the origin of the traffic.
Hover over the field and click on the pencil icon. You can add objects and/or IP addresses as needed.
If "Negate Source" is turned on, the rule is applied to all sources except for the sources selected.
Click Save when ready.
Destination
The destination field defines the target of the traffic.
Hover over the field and click on the pencil icon. You have the same choices for destination as you had for source.
If "Negate Destination" is turned on, the rule is applied to all destinations except for the destinations selected.
Click Save when ready.
Service
The service field defines the type of traffic the rule targets (protocols and ports).
Hover over the field and click on the pencil icon. You have the choice between using existing services and groups or adding raw ports/protocols.
Clicking on an existing service or group will show you a description of the ports and protocols involved.
Click Save when ready.
Applied To
The Applied To field defines the scope of the rule, i.e. the objects on which it is enforced.
Hover over the field and click on the pencil icon.
By default, the rule is set to apply to all clusters on which Distributed Firewall is installed, which means it will apply to all VMs.
You can add all Edge gateways or specific objects available in the list.
Click Save when ready.
Action
The action field defines how to handle the traffic.
You have three possible options to choose from:
- Allow: The traffic will go through.
- Block: The traffic will be blocked with no further communication.
- Reject: The traffic will be blocked and a "port unreachable" message will be sent to the source.
Log
The log slider enables logging of the traffic that hits the rule, so you keep a journal of events for it.
Advanced Settings
Aside from a comments section and a statistics section, the advanced settings section lets you define whether the rule targets inbound traffic, outbound traffic or both, and whether it targets IPv4, IPv6 or both.
Click Save when ready.
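To make the evaluation order from the Priorities and Order sections concrete, and to show how the Source/Destination negation, Service, Action and direction fields of a rule combine, here is an added example written for this guide. It is not OVHcloud or VMware code: it is a small Python model of first-match evaluation, and the sections, rules, IP addresses and MAC addresses in it are constructed. The `default_action` fallback stands in for the firewall's default rule and is an assumption; IPv4/IPv6 scoping and Partner Services rules are not modelled.

```python
"""Added example (not OVHcloud or VMware code): a small model of how the NSX
Distributed Firewall picks the rule that applies to a flow. The ruleset, IPs
and MACs below are constructed for illustration."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Rule:
    name: str
    action: str                                   # "Allow", "Block" or "Reject"
    sources: list = field(default_factory=list)   # CIDRs (MACs for Ethernet rules); [] means Any
    destinations: list = field(default_factory=list)
    services: list = field(default_factory=list)  # (protocol, port) pairs; [] means Any
    negate_source: bool = False
    negate_destination: bool = False
    direction: str = "in/out"                     # "in", "out" or "in/out" (Advanced Settings)
    enabled: bool = True                          # the activation slider


@dataclass
class Section:
    name: str
    layer: int          # 2 = Ethernet rules, 3 = General rules
    rules: list


def _addr_matches(addr, selectors, negate, layer):
    """Match a packet address against a rule field, honouring the Negate toggle."""
    if not selectors:                              # field left at "Any"
        return True
    if layer == 2:
        hit = addr.lower() in [s.lower() for s in selectors]
    else:
        hit = any(ip_address(addr) in ip_network(s) for s in selectors)
    return (not hit) if negate else hit


def evaluate(sections, packet, default_action="Allow"):
    """Return (section, rule, action) for the first rule that matches.

    Ordering as described in the guide: Ethernet sections before General ones,
    then sections top to bottom, then rules top to bottom; the first match wins.
    default_action stands in for the default rule and is an assumption here.
    """
    for section in sorted(sections, key=lambda s: s.layer):   # stable sort keeps UI order per layer
        for rule in section.rules:
            if not rule.enabled:
                continue
            if rule.direction != "in/out" and rule.direction != packet["direction"]:
                continue
            if section.layer == 2:
                src, dst = packet["src_mac"], packet["dst_mac"]
            else:
                src, dst = packet["src_ip"], packet["dst_ip"]
            if not _addr_matches(src, rule.sources, rule.negate_source, section.layer):
                continue
            if not _addr_matches(dst, rule.destinations, rule.negate_destination, section.layer):
                continue
            if rule.services and (packet["proto"], packet["port"]) not in rule.services:
                continue
            return section.name, rule.name, rule.action
    return None, "default rule", default_action


# Constructed ruleset, listed in the order it would appear in the UI
RULESET = [
    Section("Admin", 3, [
        Rule("ssh from jump host", "Allow", sources=["10.0.0.5/32"],
             destinations=["10.0.1.0/24"], services=[("tcp", 22)]),
    ]),
    Section("Web", 3, [
        Rule("reject ssh from elsewhere", "Reject", sources=["10.0.0.5/32"],
             negate_source=True, destinations=["10.0.1.0/24"], services=[("tcp", 22)]),
        Rule("allow https", "Allow", destinations=["10.0.1.0/24"],
             services=[("tcp", 443)], direction="in"),
    ]),
    Section("Default", 3, [Rule("block everything else", "Block")]),
    # Listed last in the UI, but evaluated first because it is an Ethernet section
    Section("Quarantine", 2, [
        Rule("drop quarantined NIC", "Block", sources=["00:50:56:aa:bb:cc"]),
    ]),
]


def decide(src_ip, dst_ip, proto, port, direction="in",
           src_mac="00:50:56:11:22:33", dst_mac="00:50:56:44:55:66"):
    """Evaluate one constructed flow against RULESET."""
    packet = dict(src_ip=src_ip, dst_ip=dst_ip, proto=proto, port=port,
                  direction=direction, src_mac=src_mac, dst_mac=dst_mac)
    return evaluate(RULESET, packet)


if __name__ == "__main__":
    for args in [("10.0.0.5", "10.0.1.10", "tcp", 22),
                 ("203.0.113.7", "10.0.1.10", "tcp", 22),
                 ("203.0.113.7", "10.0.1.10", "tcp", 443),
                 ("203.0.113.7", "10.0.1.10", "tcp", 443, "out"),
                 ("10.0.0.5", "10.0.1.10", "tcp", 22, "in", "00:50:56:aa:bb:cc")]:
        print(args, "->", decide(*args))
```

Running it shows the two points the guide makes about order: the jump host's SSH is allowed only because the Admin section sits above the Web section that rejects SSH from everyone else, and the Quarantine section blocks that same flow even though it is listed last, because Ethernet (layer 2) rules are evaluated before General ones. Swapping the Admin and Web sections in `RULESET` changes the first result to a Reject, which is exactly the kind of conflict the up and down arrows are there to resolve.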
Publishing rules
No creation or modification of a rule or section is applied until you click the Publish button.
Go further
Join our community of users on https://community.ovh.com/en/.