NSX – Configure Universal firewall rules

Fourth item in Objective 6.3 – Configure and Manage Universal Logical Security Objects, again quite a quick one to step through the process of creating Universal Firewall Rules.

Distributed Firewall in a cross-vCenter NSX environment allows centralized management of rules that apply to all vCenter Servers in your environment. It supports cross-vCenter vMotion which enables you to move workloads or virtual machines from one vCenter Server to another and seamlessly extends your software defined datacenter security.

As your datacenter needs scale out, the existing vCenter Server may not scale to the same level. This may require you to move a set of applications to newer hosts that are managed by a different vCenter Server. Or you may need to move applications from staging to production in an environment where staging servers are managed by one vCenter Server and production servers are managed by a different vCenter Server. Distributed Firewall supports these cross-vCenter vMotion scenarios by replicating firewall policies that you define for the primary NSX Manager on up to seven secondary NSX Managers.

From the primary NSX Manager you can create a distributed firewall rule section that is marked for universal synchronization. You can create one universal L2 rule section and one universal L3 rule section. These sections and their rules are synchronized to all secondary NSX Managers in your environment. Rules in other sections remain local to the appropriate NSX Manager.

The following Distributed Firewall features are not supported in a cross-vCenter NSX environment:

  • Exclude list
  • SpoofGuard
  • Flow monitoring for aggregate flows
  • Network service insertion
  • Edge Firewall

Service Composer does not support universal synchronization, so you cannot use it to create distributed firewall rules in the universal section.

1. Log into the vSphere client and navigate to Networking and Security, then Firewall, then the General tab. Either click the New Section button (the folder icon with the small green plus) to create a new firewall section, or click the larger green plus to create a firewall rule within an existing section:

2. I’m going to create a new section called vCrooky and tick the box to mark this section for Universal Synchronisation:

3. Now to create a firewall rule within this section (I’ve created an Allow Any Any, which is obviously not a great idea!):

4. Remember to click Publish and your rules are now live. I’ll switch over to the secondary NSX Manager to ensure the universal rule is published across the environments:
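Steps 3 and 4 are the two things worth checking after a publish: that the rule you wrote in the universal section is not wider than you intended, and that the secondary NSX Manager really does carry the same universal section as the primary. The script below is an added example (not code from the original post or from VMware) that does both checks offline against two constructed DFW layer-3 section exports, one standing in for the primary and one for the secondary. The XML layout (a `section` element with `name`, `managedBy="universalroot-0"` and `type` attributes, `rule` elements carrying `action` and optional `sources`/`destinations`/`services`) is an assumption about the NSX-v export format, and the section and object identifiers are constructed sample values. It goes slightly beyond the walkthrough in that it flags any enabled allow rule with no source, destination or service restriction, not just the one named "allow any any".

```python
"""Audit NSX-v DFW section exports: confirm the universal section is identical
on primary and secondary, and flag any/any allow rules.

Constructed sample input; the XML layout is an assumption about the NSX-v
DFW section export format, and all ids are made-up sample values.
"""
import xml.etree.ElementTree as ET

UNIVERSAL_SCOPE = "universalroot-0"  # marks a section as universally synchronised

PRIMARY_XML = """\
<sections>
  <section id="1001" name="vCrooky" managedBy="universalroot-0" type="LAYER3">
    <rule id="1005" disabled="false" logged="false">
      <name>allow any any</name>
      <action>allow</action>
    </rule>
  </section>
  <section id="1002" name="Local" type="LAYER3">
    <rule id="1010" disabled="false" logged="true">
      <name>web to db</name>
      <action>allow</action>
      <sources excluded="false"><source><type>SecurityGroup</type><value>securitygroup-10</value></source></sources>
      <destinations excluded="false"><destination><type>SecurityGroup</type><value>securitygroup-11</value></destination></destinations>
      <services><service><type>Application</type><value>application-5</value></service></services>
    </rule>
  </section>
</sections>
"""

SECONDARY_XML = """\
<sections>
  <section id="1001" name="vCrooky" managedBy="universalroot-0" type="LAYER3">
    <rule id="1005" disabled="false" logged="false">
      <name>allow any any</name>
      <action>allow</action>
    </rule>
  </section>
  <section id="2002" name="Local (site B)" type="LAYER3">
    <rule id="2010" disabled="false" logged="true">
      <name>block dev to prod</name>
      <action>deny</action>
      <sources excluded="false"><source><type>SecurityGroup</type><value>securitygroup-20</value></source></sources>
      <destinations excluded="false"><destination><type>SecurityGroup</type><value>securitygroup-21</value></destination></destinations>
    </rule>
  </section>
</sections>
"""


def _match_values(rule, container, child):
    """Sorted (type, value) pairs under e.g. <sources><source>; an absent or
    empty container means 'any' and yields an empty tuple."""
    node = rule.find(container)
    if node is None:
        return ()
    pairs = [(item.findtext("type", ""), item.findtext("value", "")) for item in node.findall(child)]
    return tuple(sorted(pairs))


def rule_signature(rule):
    """Content-based identity for a rule so primary/secondary compare by what
    the rule does rather than by numeric rule id."""
    return (
        rule.findtext("name", ""),
        rule.findtext("action", "").lower(),
        rule.get("disabled", "false"),
        _match_values(rule, "sources", "source"),
        _match_values(rule, "destinations", "destination"),
        _match_values(rule, "services", "service"),
    )


def is_any_any_allow(rule):
    """True for an enabled allow rule with no source, destination or service
    restriction: the 'Allow Any Any' shape from step 3."""
    sig = rule_signature(rule)
    return sig[1] == "allow" and sig[2] == "false" and sig[3:] == ((), (), ())


def universal_sections(xml_text):
    """Map each universal section name to its ordered list of rule signatures."""
    root = ET.fromstring(xml_text)
    return {
        section.get("name"): [rule_signature(r) for r in section.findall("rule")]
        for section in root.iter("section")
        if section.get("managedBy") == UNIVERSAL_SCOPE
    }


def find_any_any_allows(xml_text):
    """(section name, rule name) for every any/any allow rule in the export."""
    root = ET.fromstring(xml_text)
    return [
        (section.get("name"), rule.findtext("name", ""))
        for section in root.iter("section")
        for rule in section.findall("rule")
        if is_any_any_allow(rule)
    ]


def universal_in_sync(primary_xml, secondary_xml):
    """True when every universal section on the primary exists on the secondary
    with identical rules (step 4's check, done on exports instead of by eye)."""
    return universal_sections(primary_xml) == universal_sections(secondary_xml)


if __name__ == "__main__":
    print("universal sections in sync:", universal_in_sync(PRIMARY_XML, SECONDARY_XML))
    for section, rule in find_any_any_allows(PRIMARY_XML):
        print(f"WARNING: any/any allow rule '{rule}' in section '{section}'")
```

Run against real exports, swap the two constants for the section XML pulled from each NSX Manager; the comparison deliberately ignores rule ids and local sections, so only drift in the universal section (a rule edited on one side, or a publish that never reached the secondary) trips it.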
