Configure and Administer Firewall Services on an NSX Edge

 

Create Modify and Delete an Edge Firewall rule in NSX

 
Both the Edge Firewall and the Distributed Firewall are really awesome features of NSX. The Edge Services Gateway is more of a border firewall, since the function of this edge device is north-south traffic (the perimeter of the datacenter), while the distributed router focuses on East-West traffic (within the datacenter). I will cover the Distributed Firewall in the next section, but its policies are pushed to the ESXi host, which allows the firewall to act on traffic before it enters the virtual switch. As I will mention below, you can specify the source or destination of the traffic at any scope from a single VM to an entire datacenter, or even specify dynamic security groups of objects based on security tags, OS type, or VM name.
 
Step 1. Open the vSphere Web Client, navigate to Networking & Security -> NSX Edges, and then double-click the Edge device to which you would like to add a firewall rule.
 
 
Step 2. Click on Manage -> Firewall.
 
 
Step 3. Click on the + sign to add a new Firewall Rule. You will notice a blank line is created and highlighted. Click the + sign inside the Name box to add a name for this rule.
 
 
Note: To modify a rule, click in the rule box and change the value. To delete a rule, click on the rule and then click the red X.
 

Configure Source/Destination/Service/Action rule components

 
Step 4. Specify a Source. You can either provide an IP address by clicking the IP sign inside the Source box, or click the + sign to specify objects. I will specify an object.
 
 
Step 5. Choose the Source to which you would like to apply the firewall rule. There are many options here, ranging from a single virtual machine to an entire cluster or even specific security groups. Security Groups are probably my favorite option because their membership can be set dynamically by tags or VM names; for more information on creating security groups, please click here. I have selected a dynamic security group called Web Tier, which has two virtual machines as members. Note: You can also create new groups from this menu.
 
 
Step 6. Double-click the object, or select the right arrow, to move the object to Selected Objects, then hit OK.
 
 
Step 7. Follow the same steps to add a Destination to the rule.
 
 
Step 8. Select a Service for the firewall rule. You can either specify a Protocol and Ports directly, choose one of the Services predefined by NSX, or create a new Service. There are quite a few predefined services, so use the search box to confirm one isn't already there before creating a new service.
 
 
An example of the Add Service page is below. You specify the Protocol and any other options associated with the protocol, for example Source and Destination Ports.
 
 
Step 9. Finally, specify whether you want to Accept, Reject, or Deny the traffic, and whether you want to Log the action.
 
 
Step 10. Once your rule is created, click on Publish.
 

Modify the order/priority of Firewall rules

 
Step 11. The rules are processed from the top down, and the first matching rule decides the action. If you need to change the priority of the rules, simply click the rule, then hit either Move Rule Up or Move Rule Down.
 
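Because processing is top-down and first-match, a broad rule placed above a narrower one silently shadows it, which matters most when the two have different actions. The Python below is an added example, not code from the original post or from NSX: it models a small Edge firewall table using the rule components from Steps 4 to 9, evaluates traffic against it, and flags shadowed rules. The rule names, subnets (standing in for the Web Tier security group and a database tier) and the default action are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Rule:
    name: str
    source: str        # CIDR, single IP, or "any" (Step 4/5)
    destination: str   # CIDR, single IP, or "any" (Step 7)
    protocol: str      # "tcp", "udp", "icmp" or "any" (Step 8)
    port: int = None   # destination port; None means any port
    action: str = "accept"   # "accept", "deny" or "reject" (Step 9)
    log: bool = False  # the Log option from Step 9

def _covers(outer, inner):
    """True if every address matched by `inner` is also matched by `outer`."""
    if outer == "any" or inner == "any":
        return outer == "any"
    return ipaddress.ip_network(inner, strict=False).subnet_of(
        ipaddress.ip_network(outer, strict=False))

def matches(rule, src, dst, proto, port):
    return (_covers(rule.source, src) and _covers(rule.destination, dst)
            and rule.protocol in ("any", proto) and rule.port in (None, port))

def evaluate(rules, src, dst, proto, port, default="deny"):
    """Top-down, first match wins (Step 11); otherwise the default rule applies."""
    for rule in rules:
        if matches(rule, src, dst, proto, port):
            return rule.name, rule.action, rule.log
    return "Default Rule", default, False

def shadowed(rules):
    """(later, earlier) pairs where an earlier rule covers all of a later rule's traffic."""
    found = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if (_covers(earlier.source, later.source)
                    and _covers(earlier.destination, later.destination)
                    and earlier.protocol in ("any", later.protocol)
                    and earlier.port in (None, later.port)):
                found.append((later.name, earlier.name))
                break
    return found

# Constructed rule table: the allow for Web Tier -> DB sits below a broader deny.
RULES = [
    Rule("Allow HTTPS to Web Tier", "any", "10.0.1.0/24", "tcp", 443, "accept", log=True),
    Rule("Block DB from anywhere", "any", "10.0.2.0/24", "tcp", 3306, "deny"),
    Rule("Allow Web Tier to DB", "10.0.1.0/24", "10.0.2.0/24", "tcp", 3306, "accept"),
]
```

Moving the third rule above the second (Move Rule Up) is what makes the web-to-database traffic pass while everything else to port 3306 still hits the deny.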
 

2 Comments

  1. Rajeev - February 13, 2016 - 4:37 am

    Hi Sean

    I need your inputs in answering the below question which I have been asked.

    We are deploying NSX in our environment & we are more focused on the NSX Micro segmentation using distributed firewall.
    The question is, since we are moving from the physical firewall to a virtual firewall, how can I measure the performance or throughput of the NSX distributed firewall?
    How can I check & ensure that the firewall is not affecting the performance?
    How can I compare its performance with the actual physical firewall?

    • Sean Whitney - February 13, 2016 - 7:45 am

      Hi Rajeev,

      The throughput of the Distributed Firewall is close to line rate because it runs through the ESXi kernel, meaning each host can have a DFW firewall rate of almost 20GB/s (maybe around 19.5GB/s). Every single host that you add will increase the total firewall capacity, allowing you to scale out as your environment grows. This is what makes the NSX DFW so great; by the time you reach a compute limit on an ESXi host and add another, you get more firewall capacity. Traditional firewalls that run at 100 GB can be very costly, but if you have 5 ESXi hosts, you have the same capacity for a lot cheaper.

      Sean
