NSX Application Rule Manager

Application Rule Manager is a new feature in NSX 6.3 that allows you to quickly microsegment out application workloads with the distributed firewall. Through the tool you can quickly create both Security Groups and DFW rules after viewing the live flow analysis.
To get started, navigate to the Flow Monitoring section in the web client, and then click on the Application Rule Manager tab.

Click on Start New Session. Provide a Session Name, and then select the Virtual Machines (and their vNICs) that you would like to monitor for flows. You can select up to 30 vNICs in a given session, and can also run up to five sessions simultaneously. Click OK once you have selected the objects. Note: the prerequisites are that the VMs are not on the exclusion list, VMware Tools is installed on Windows VMs, and the DFW is not blocking any flows for the selected VMs.

Data collection will begin, and the Source and Flows counters will increment live. Once you believe you have gathered the necessary flows for the application, click on Stop.

Next, click on Analyze.
From the View Flows tab you will see the Direction, Source, Destination, and Service(s). There are two different views for this tab, Processed View and Consolidated View. The Consolidated View removes duplicate flows. Clicking the gear icon gives you several options including, but not limited to, create a new SG, add to an existing security group, create a new IP set, or add to an existing IP set. It's also possible to change the source or destination to any, for example if it's a web server or has lots of N-S traffic.

Let's create 3 security groups for the Web Servers, Application Servers, and DB servers. The tool does make you define the membership on your own, but it allows you to do it on the fly instead of having to switch to the Service Composer pane.

I now have my VMs grouped into security groups as shown below. I left the remaining IPs alone; they are my Edge Uplinks and DLR IP addresses.

Next, we need to define the Service. If you click on the links under Service, the port and protocol will be displayed. In this case, TCP port 80 is shown, along with all of the default services for the DFW. The Resolve Services button allows the selection of a service from the predefined list. It's also possible to create a new service if Application Rule Manager doesn't find any resolved services because the application uses custom ports. I have resolved my two ports to HTTP and MySQL.


We can now create firewall rules. Select one or more flow records, click on the Actions gear, and then Create Firewall Rule. I would select only one or two closely related flows at a time; otherwise it will group all of the objects into one single source/destination, meaning more traffic will be allowed than should be. Note: by default the scope of the firewall rule is the vNICs of the virtual machine.
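As an added illustration that is not part of the original post and does not use any NSX API, the script below models the Application Rule Manager workflow on constructed flow records: it consolidates duplicate flows, maps IPs to security groups and ports to services, and then contrasts one rule per flow with one rule covering all selected flows to show the over-permission described above. The IPs, security group names, and the port-to-service table are assumptions.

```python
# Added illustration (not NSX code): models the Application Rule Manager
# workflow on constructed flow records to show why grouping many flows into
# one DFW rule over-permits. IPs, group names and ports are assumptions.
from collections import namedtuple
from itertools import product

Flow = namedtuple("Flow", "src dst proto port")

# Constructed sample: raw ("Processed View") flow records from a session.
RAW_FLOWS = [
    Flow("10.0.0.50", "10.1.1.10", "TCP", 80),    # client -> web
    Flow("10.0.0.50", "10.1.1.10", "TCP", 80),    # duplicate record
    Flow("10.1.1.10", "10.1.2.10", "TCP", 80),    # web -> app
    Flow("10.1.2.10", "10.1.3.10", "TCP", 3306),  # app -> db
]
# Security group membership the operator defines by hand (assumed names).
SECURITY_GROUPS = {
    "10.1.1.10": "SG-Web", "10.1.2.10": "SG-App", "10.1.3.10": "SG-DB",
}
# Resolve Services: (protocol, port) -> predefined DFW service (assumed).
SERVICES = {("TCP", 80): "HTTP", ("TCP", 3306): "MySQL"}

def consolidate(flows):
    """Consolidated View: drop duplicate flow records, keep first-seen order."""
    return list(dict.fromkeys(flows))

def resolve(flow):
    """Map IPs to security groups (unknown IPs become 'any'), ports to services."""
    src = SECURITY_GROUPS.get(flow.src, "any")
    dst = SECURITY_GROUPS.get(flow.dst, "any")
    svc = SERVICES.get((flow.proto, flow.port), f"{flow.proto}/{flow.port}")
    return (src, dst, svc)

def rules_per_flow(flows):
    """One rule per consolidated flow: exactly the observed (src, dst, svc)."""
    return sorted({resolve(f) for f in consolidate(flows)})

def grouped_rule(flows):
    """All selected flows in one rule: sources, destinations and services are
    each unioned, so the rule permits every combination of them."""
    triples = [resolve(f) for f in consolidate(flows)]
    srcs = {t[0] for t in triples}
    dsts = {t[1] for t in triples}
    svcs = {t[2] for t in triples}
    return sorted(product(srcs, dsts, svcs))

def over_permitted(flows):
    """Combinations the grouped rule allows that were never observed."""
    return sorted(set(grouped_rule(flows)) - set(rules_per_flow(flows)))
```

With the three distinct sample flows, the grouped rule permits 18 source/destination/service combinations, 15 of which (for example SG-Web to SG-DB over MySQL) never appeared in the capture.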

Click on the Firewall Rules tab to see the new rules that you created. You can further customize or edit the rules from this pane if needed; once you are ready to implement the rules, click on Publish. Select a Section Name, and where to place the firewall section.

The rules should now be published in the DFW. Navigate to the Firewall section of NSX to confirm!

Application Rule Manager should make it much easier to segment out the workloads of specific applications. It is not designed to analyze all the flows in the environment and recommend firewall rules; if you want a tool like that, I suggest vRealize Network Insight. Instead, it's used for microsegmentation on an application-by-application basis. As mentioned, it can analyze up to five different sessions with up to 30 vNICs in each session, allowing you to quickly and efficiently create Distributed Firewall rules for individual applications. I know several customers have been looking forward to this type of native feature in NSX, and our engineering team has delivered!

Posted by:

Sean Whitney
