Using Distributed Firewall in a Data Center Group
- Tran Dai Quan
- Tran Khanh Ngoc
Overview
HI GIO supports a distributed firewall service for data center groups. You create a single default security policy applied to the data center group.
It can inspect every packet and frame coming to and leaving the VM regardless of the network topology. Packet inspection is done at the VM virtual NIC (vNIC) level, which enables access-control lists (ACLs) to be applied closest to the source.
Procedure
- I. Predefine Objects
To create distributed firewall rules and add them to a data center group, you need to define some things:
Name: Name for the rule.
Source: IP Sets\Dynamic Groups\Static Group (1.1, 1.2, 1.3, 1.4)
Destination: IP Sets\Dynamic Groups\Static Group (1.1, 1.2, 1.3, 1.4)
Application: Application port profiles (protocol and port) that the rule applies to (1.5)
Action: Allow\Reject\Drop
IP Protocol: IPv4/IPv6 or both
1.1 Add an IP Set to the Data Center Group:
IP sets are groups of IP addresses and networks to which the distributed firewall rules apply (as Source and Destination). Combining multiple objects into IP sets helps you reduce the total number of distributed firewall rules to be created.
1. In the top navigation bar, click Networking and then click the Data Center Groups tab.
2. Click the data center group name
3. Under Security, click IP Sets
4. Click New.
5. Enter a meaningful Name and a Description for the IP set.
6. Enter an IPv4 address, IPv6 address, or an address range in a CIDR format, and click Add.
7. To modify an existing IP address or range, click Modify and edit the value.
8. To confirm, click Save.
1.2 Create a Static Security Group:
Static security groups are groups of data center group networks to which distributed firewall rules apply (as Source and Destination). Grouping networks helps you to reduce the total number of distributed firewall rules to be created.
1. In the top navigation bar, click Networking and then click the Data Center Groups tab.
2. Click the data center group name
3. Under Security, click Static Groups.
4. Click New.
5. Enter a Name, a Description for the static group, and click Save.
The static security group will appear in the list.
6. Select the newly created static security group and click Manage Members.
7. Select the data center group networks that you want to add to the static security group, and click Save.
1.3 Assign Security Tags to VMs:
Security tags you create and assign to virtual machines help you define edge gateway and distributed firewall rules.
1. In the top navigation bar, click Networking.
2. Click Security Tags.
3. Click Add Tag.
4. Enter a tag name.
5. From the list of virtual machines in the organization, select the ones to which to assign the newly created tag.
6. Click Save.
1.4 Create a Dynamic Security Group:
You can define dynamic security groups of virtual machines based on specific criteria (VM Name or Tag Name) to which to apply distributed firewall rules.
1. In the top navigation bar, click Networking and then click the Data Center Groups tab.
2. Click the data center group name
3. Under Security, click Dynamic Groups.
4. Click New.
5. Enter a Name, a Description for the dynamic security group.
6. To create a Criterion for inclusion in the group, add up to four rules that apply either to a VM Name or to a VM security tag.
VM Name: a rule that applies to VM names which contain or start with a term that you specify.
VM tag: a rule that applies to VM tags which equal, contain, start with, or end with a term that you specify.
In this example, two rules are created:
VM Name: Starts With "demo"
VM Tag: Equals "non-prd" (the tag created in 1.3)
7. Click Save.
1.5 Add a Custom Application Port Profile:
You can use preconfigured and custom application port profiles to create distributed firewall rules.
Application port profiles include a combination of a protocol and a port or a group of ports, used for firewall services.
1. In the top navigation bar, click Networking and then click the Data Center Groups tab.
2. Click the data center group name.
3. Under Security, click Application Port Profiles
4. In the Custom Applications pane, click New.
5. Enter a Name and a Description for the application port profile.
6. From the Protocol drop-down menu, select the protocol: TCP, UDP, ICMPv4, ICMPv6
7. Enter a port, or a range of ports, separated by a comma, and click Save.
- II. Add a Distributed Firewall Rule
With the objects predefined in section I, create the distributed firewall rules as follows:
1. In the top navigation bar, click Networking and then click the Data Center Groups tab.
2. Click the data center group name
3. Click the Distributed Firewall tab on the left.
4. Click Edit Rules.
5. To add a firewall rule, click New on Top.
NOTE: Each traffic session is checked against the top rule in the firewall table before moving down to the subsequent rules in the table. The first rule in the table that matches the traffic parameters is enforced.
6. Configure the rule
Name: [Name of rule]
State: [Enable or disable rule by toggle]
Applications: Select default profiles or the custom profiles created in 1.5
Context: (Optional) Select context profile for the rule.
Source: Select Any or Object created in 1.1, 1.2, 1.3, 1.4
Destination: Select Any or Object created in 1.1, 1.2, 1.3, 1.4
Action: Allow\Reject\Drop
IP Protocol: IPv4/IPv6 or both
Logging: [Enable or disable by toggle] Enable to have the traffic matched by this rule logged
7. Click Save.
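As an added illustration (not part of the HI GIO guide), the following Python sketch evaluates a flow against a rule table the way the NOTE in step 5 describes: top to bottom, first match wins, so the same two rules give a different verdict when their order is swapped. The IP set, VM names, tags, addresses and profile names are constructed sample values standing in for the objects of 1.1 to 1.5, and it assumes the rules inside one dynamic-group criterion are ANDed.

```python
import ipaddress

# Constructed sample objects standing in for those created in steps 1.1 to 1.5
# (assumed values, not from HI GIO).
IP_SETS = {"mgmt-net": ["10.0.0.0/24", "192.168.1.10"]}                              # 1.1
VM_TAGS = {"demo-web-01": {"non-prd"}, "demo-db-01": {"prd"}, "prd-app-01": {"prd"}}  # 1.3
DYNAMIC_GROUPS = {  # 1.4: the rules of one criterion are assumed to be ANDed
    "demo-non-prd": [("name", "starts_with", "demo"), ("tag", "equals", "non-prd")],
}
APP_PROFILES = {"SSH": ("tcp", {22}), "HTTPS": ("tcp", {443})}                       # 1.5
OPS = {"starts_with": str.startswith, "ends_with": str.endswith,
       "contains": str.__contains__, "equals": str.__eq__}

def in_dynamic_group(vm, group):
    """True when the VM satisfies every rule of the group's criterion."""
    if vm is None:
        return False
    for kind, op, term in DYNAMIC_GROUPS[group]:
        values = [vm] if kind == "name" else VM_TAGS.get(vm, set())
        if not any(OPS[op](v, term) for v in values):
            return False
    return True

def object_matches(obj, vm, ip):
    """Resolve a Source/Destination field: Any, an IP set (by address) or a dynamic group (by VM)."""
    if obj == "Any":
        return True
    if obj in IP_SETS:
        return any(ipaddress.ip_address(ip) in ipaddress.ip_network(n, strict=False)
                   for n in IP_SETS[obj])
    return in_dynamic_group(vm, obj)

def app_matches(app, flow):
    """Any, or a profile whose protocol and port set cover the flow."""
    if app == "Any":
        return True
    proto, ports = APP_PROFILES[app]
    return flow["proto"] == proto and flow["port"] in ports

def evaluate(rules, flow, default_action):
    """First match wins, top to bottom; the default rule at the bottom catches the rest."""
    for r in rules:
        if (r["enabled"] and app_matches(r["app"], flow)
                and object_matches(r["src"], flow["src_vm"], flow["src_ip"])
                and object_matches(r["dst"], flow["dst_vm"], flow["dst_ip"])):
            return r["name"], r["action"]
    return "default", default_action

RULES = [  # constructed rule table: allow management SSH, then drop everything else to the group
    {"name": "allow-mgmt-ssh", "enabled": True, "app": "SSH", "src": "mgmt-net", "dst": "demo-non-prd", "action": "Allow"},
    {"name": "drop-rest-demo", "enabled": True, "app": "Any", "src": "Any", "dst": "demo-non-prd", "action": "Drop"},
]
SSH_FLOW = {"src_vm": None, "src_ip": "10.0.0.5", "dst_vm": "demo-web-01", "dst_ip": "10.1.0.10", "proto": "tcp", "port": 22}
HTTPS_FLOW = dict(SSH_FLOW, port=443)

if __name__ == "__main__":
    print(evaluate(RULES, SSH_FLOW, "Allow"))        # ('allow-mgmt-ssh', 'Allow')
    print(evaluate(RULES, HTTPS_FLOW, "Allow"))      # ('drop-rest-demo', 'Drop')
    print(evaluate(RULES[::-1], SSH_FLOW, "Allow"))  # ('drop-rest-demo', 'Drop'): order matters
```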
Please do not remove rules whose names start with HIGIO (if any).
End.