Using Distributed Firewall in a Data Center Group
Overview
HI GIO supports a distributed firewall service for data center groups. You create a single default security policy that is applied to the data center group.
It can inspect every packet and frame coming to and leaving the VM regardless of the network topology. Packet inspection is done at the VM virtual NIC (vNIC) level, which enables access-control lists (ACLs) to be applied closest to the source.
Procedure
I. Predefine Object
To create distributed firewall rules and add them to a data center group, you first need to define the following objects:
Name: Name for the rule.
Source: IP Sets\Dynamic Groups\Static Group (1.1, 1.2, 1.3, 1.4)
Destination: IP Sets\Dynamic Groups\Static Group (1.1, 1.2, 1.3, 1.4)
Application: Select the application port profiles (protocol and ports) the rule applies to (1.5)
Action: Allow\Reject\Drop
IP Protocol: IPv4/IPv6 or both
1.1 Add an IP Set to a Data Center Group
IP sets are groups of IP addresses and networks to which the distributed firewall rules apply (as Source and Destination). Combining multiple objects into IP sets helps you to reduce the total number of distributed firewall rules to be created.
1. In the top navigation bar, click Networking and then click the Data Center Groups tab.
2. Click the data center group name
3. Under Security, click IP Sets
4. Click New.
5. Enter a meaningful Name and a Description for the IP set.
6. Enter an IPv4 address, IPv6 address, or an address range in a CIDR format, and click Add.
7. To modify an existing IP address or range, click Modify and edit the value.
8. To confirm, click Save.
1.2 Create a Static Security Group
Static security groups are groups of data center group networks to which distributed firewall rules apply (as Source and Destination). Grouping networks helps you to reduce the total number of distributed firewall rules to be created.
1. In the top navigation bar, click Networking and then click the Data Center Groups tab.
2. Click the data center group name
3. Under Security, click Static Groups.
4. Click New.
5. Enter a Name, a Description for the static group, and click Save.
The static security group will appear in the list.
6. Select the newly created static security group and click Manage Members.
7. Select the data center group networks that you want to add to the static security group, and click Save.
1.3 Assign Security Tags to VM
Security tags that you create and assign to virtual machines help you to define edge gateway firewall rules and distributed firewall rules.
1. In the top navigation bar, click Networking.
2. Click Security Tags.
3. Click Add Tag.
4. Enter a tag name.
5. From the list of virtual machines in the organization, select the ones to which to assign the newly created tag.
6. Click Save.
1.4 Create a Dynamic Security Group
You can define dynamic security groups of virtual machines based on specific criteria (VM Name or Tag Name) to which to apply distributed firewall rules.
1. In the top navigation bar, click Networking and then click the Data Center Groups tab.
2. Click the data center group name
3. Under Security, click Dynamic Groups.
4. Click New.
5. Enter a Name and a Description for the dynamic security group.
6. To create a Criterion for inclusion in the group, add up to four rules that apply either to a VM Name or to a VM security tag.
VM Name: a rule that applies to VM names which contain or start with a term that you specify.
VM tag: a rule that applies to VM tags which equal, contain, start with, or end with a term that you specify.
As shown in the figure, I created two rules:
VM Name: Starts With “demo”
VM Tag: Equals “non-prd” (the tag you created in 1.3)
7. Click Save.
1.5 Add a Custom Application Port Profile
To create distributed firewall rules, you can use preconfigured application port profiles and custom application port profiles.
Application port profiles include a combination of a protocol and a port, or a group of ports, that is used for firewall services.
1. In the top navigation bar, click Networking and then click the Data Center Groups tab.
2. Click the data center group name.
3. Under Security, click Application Port Profiles
4. In the Custom Applications pane, click New.
5. Enter a Name and a Description for the application port profile.
6. From the Protocol drop-down menu, select the protocol: TCP, UDP, ICMPv4, or ICMPv6.
7. Enter a port or a range of ports (multiple entries separated by commas), and click Save.
II. Add a Distributed Firewall Rule
With the objects predefined in Part I, we can now create the distributed firewall rules:
1. In the top navigation bar, click Networking and then click the Data Center Groups tab.
2. Click the data center group name
3. Click the Distributed Firewall tab on the left.
4. Click Edit Rules.
5. To add a firewall rule, click New on Top.
NOTE: Each traffic session is checked against the top rule in the firewall table before moving down to the subsequent rules in the table. The first rule in the table that matches the traffic parameters is enforced.
6. Configure the rule
Name: [Name of rule]
State: [Enable or disable rule by toggle]
Applications: Select the default profiles or the custom profiles created in 1.5
Context: (Optional) Select a context profile for the rule.
Source: Select Any or an object created in 1.1, 1.2, 1.3, or 1.4
Destination: Select Any or an object created in 1.1, 1.2, 1.3, or 1.4
Action: Allow\Reject\Drop
IP Protocol: IPv4/IPv6 or both
Logging: [Enable or disable by toggle] enable to have the address translation performed by this rule logged
7. Click Save.
Note: Do not remove rules whose names start with HIGIO- (if any).
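To make the top-down, first-match evaluation from the NOTE above and the way the objects from Part I compose concrete, here is an added model of a rule table in Python (example code, not HI GIO's own implementation or data). All IP sets, VMs, tags, groups and rules are constructed samples named after the steps above; it assumes the rules inside one dynamic-group criterion are combined with AND, and that traffic matching no rule falls to a configurable default action, which the page does not state.

```python
import ipaddress

# Constructed sample objects, named after the steps above (not HI GIO data).
IP_SETS = {"mgmt-net": ["10.10.0.0/24"], "db-net": ["10.20.0.0/24"]}  # step 1.1
VMS = {  # VM name -> (IP address, security tags from step 1.3)
    "demo-web01": ("10.30.0.11", {"non-prd"}),
    "demo-web02": ("10.30.0.12", set()),          # name matches, tag does not
    "prod-db01": ("10.20.0.5", {"prd"}),
}
DYNAMIC_GROUPS = {  # step 1.4: one criterion with two rules (assumed ANDed)
    "non-prd-vms": [("name_starts_with", "demo"), ("tag_equals", "non-prd")],
}
APP_PROFILES = {  # step 1.5: profile -> (protocol, ports); "Any" matches everything
    "SSH": ("TCP", {22}), "MySQL": ("TCP", {3306}), "Any": ("ANY", set()),
}
RULES = [  # top-to-bottom order, as entered with "New on Top" in Part II
    {"name": "allow-mgmt-ssh", "src": "mgmt-net", "dst": "Any", "app": "SSH", "action": "Allow"},
    {"name": "drop-nonprd-to-db", "src": "non-prd-vms", "dst": "db-net", "app": "Any", "action": "Drop"},
    # Shadowed: the rule above already matches this traffic, so this one never fires.
    {"name": "allow-nonprd-mysql", "src": "non-prd-vms", "dst": "db-net", "app": "MySQL", "action": "Allow"},
]

def dynamic_members(group):
    """VMs for which every rule of the group's criterion holds (AND is an assumption)."""
    def holds(kind, term, vm, tags):
        return vm.startswith(term) if kind == "name_starts_with" else term in tags
    return {vm for vm, (_, tags) in VMS.items()
            if all(holds(k, t, vm, tags) for k, t in DYNAMIC_GROUPS[group])}

def resolve(obj):
    """Translate a rule's Source/Destination object into a list of IP networks."""
    if obj == "Any":
        return [ipaddress.ip_network("0.0.0.0/0")]
    if obj in IP_SETS:
        return [ipaddress.ip_network(c) for c in IP_SETS[obj]]
    return [ipaddress.ip_network(VMS[vm][0]) for vm in dynamic_members(obj)]  # /32 per VM

def app_matches(profile, proto, port):
    p, ports = APP_PROFILES[profile]
    return p == "ANY" or (p == proto and port in ports)

def evaluate(rules, src_ip, dst_ip, proto, port, default="Drop"):
    """First enabled rule (top to bottom) that matches wins; `default` applies when none does."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if not r.get("enabled", True):  # the State toggle from step 6
            continue
        if (any(src in n for n in resolve(r["src"])) and
                any(dst in n for n in resolve(r["dst"])) and
                app_matches(r["app"], proto, port)):
            return r["name"], r["action"]
    return "default", default
```

Swapping the two non-prd rules changes the outcome for MySQL from demo-web01 to the database network from Drop to Allow, which is why rule order in the table matters.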