NSX – Configure Security Policies

A security policy is a set of Endpoint, firewall, and network introspection services that can be applied to a security group. The order in which security policies are displayed is determined by the weight associated with the policy. By default, a new policy is assigned the highest weight so that it is at the top of the table. However, you can modify the default suggested weight to change the order assigned to the new policy.

NSX assigns a default weight (highest weight +1000) to the policy. For example, if the highest weight among the existing policies is 1200, the new policy is assigned a weight of 2200.

Security policies are applied according to their weight – a policy with a higher weight has precedence over a policy with a lower weight.


1. Log in to the vSphere Web Client.

2. Click Networking & Security and then click Service Composer.

3. Click the Security Policies tab.

4. Click the Create Security Policy icon.

5. In the Add Security Policy dialog box, type a name for the security policy.

6. Type a description for the security policy.


7. Select Inherit security policy from specified policy if you want the policy that you are creating to receive services from another security policy. Select the parent policy. All services from the parent policy are inherited by the new policy.

8. Click Next.

9. In the Guest Introspection Services page, click the Add Endpoint Service icon.

a. In the Add Endpoint Service dialog box, type a name and description for the service.

b. Specify whether you want to apply the service or block it. When you inherit a security policy, you may choose to block a service from the parent policy.

c. Select the type of service.

d. If you chose to apply the Endpoint service, select the service name and service configuration.

Service Profile refers to vendor templates. These profiles are defined in third party consoles and are registered along with partner services. Tagging and untagging of virtual machines depends on the service configuration selected for the security policy.

e. In State, specify whether you want to enable the selected Endpoint service or disable it.

f. Select whether the Endpoint service is to be enforced (i.e. it cannot be overridden). If you enforce an Endpoint service in a security policy, other policies that inherit this security policy would require that this policy be applied before the other child policies. If this service is not enforced, an inheritance selection would add the parent policy after the child policies are applied.

g. Click OK.

You can add additional services by following the above steps. You can manage the Endpoint services through the icons above the service table.

You can export or copy the services on this page by clicking the icon on the bottom right side of the Endpoint Services page.

10. Click Next.

11. On the Firewall page, click the Add Firewall Rule icon. Here, you are defining firewall rules for the security group(s) that this security policy will be applied to.

a. Type a name and description for the firewall rule you are adding.

b. Select Allow or Block to indicate whether the rule needs to allow or block traffic to the selected destination.

c. Select the source for the rule. By default, the rule applies to traffic coming from the security groups to which this policy is applied. To change the default source, click Change and select the appropriate security groups.

d. Select the destination for the rule.

Note – Either the Source or Destination (or both) must be security groups to which this policy is applied.

Say you create a rule with the default Source, specify the Destination as Payroll, and select Negate Destination. You then apply this security policy to security group Engineering. This would result in Engineering being able to access everything except for the Payroll server.

e. Select the services and/or service groups to which the rule applies.

f. Select Enabled or Disabled to specify the rule state.

g. Select Log to log sessions matching this rule. Enabling logging may affect performance.

h. Click OK.

You can add additional firewall rules by following the above steps. You can manage the firewall rules through the icons above the firewall table.

12. Click Next. The Network Introspection Services page displays NetX services that you have integrated with your VMware virtual environment.

13. Click the Add Network Introspection Service icon.

a. In the Add Network Introspection Service dialog box, type a name and description for the service you are adding.

b. Select whether or not to redirect to service.

c. Select the service name and profile.

d. Select the source and destination.

e. Select the protocol. You can specify the protocol type, source port advanced options, and destination port.

f. Select whether to enable or disable the service.

g. Select Log to log sessions matching this rule.

h. Click OK.


14. Click Finish.

The security policy is added to the policies table. You can click the policy name and select the appropriate tab to view a summary of the services associated with the policy, view service errors, or edit a service.
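The weight ordering and the Negate Destination case from step 11 can be checked with a small model. This is an added example, not VMware code or an NSX API; the first-match evaluation, the Quarantine policy and all names in it are assumptions made for illustration.

```python
from dataclasses import dataclass, field

POLICY_GROUPS = "policy-groups"  # placeholder: "security groups this policy is applied to"

@dataclass
class Rule:
    name: str
    action: str                      # "allow" or "block"
    source: str = POLICY_GROUPS      # default Source, as in step 11c
    destination: str = "any"
    negate_destination: bool = False
    enabled: bool = True

@dataclass
class Policy:
    name: str
    weight: int
    applied_to: set
    rules: list = field(default_factory=list)

def default_weight(policies):
    """Suggested weight for a new policy: highest existing weight + 1000."""
    return max(p.weight for p in policies) + 1000

def _side(spec, vm_groups, policy):
    """Does one side of a rule (source or destination) match the VM's groups?"""
    if spec == "any":
        return True
    if spec == POLICY_GROUPS:
        return bool(vm_groups & policy.applied_to)
    return spec in vm_groups

def decide(policies, src_groups, dst_groups):
    """Assumed model: first enabled matching rule wins, highest weight first."""
    for policy in sorted(policies, key=lambda p: p.weight, reverse=True):
        for rule in policy.rules:
            # Note from step 11d: one side must be the policy's own security groups.
            if POLICY_GROUPS not in (rule.source, rule.destination):
                raise ValueError(f"{rule.name}: source or destination must be the policy's groups")
            dst_ok = _side(rule.destination, dst_groups, policy) != rule.negate_destination
            if rule.enabled and dst_ok and _side(rule.source, src_groups, policy):
                return rule.action, policy.name, rule.name
    return "no-match", None, None    # left to rules outside this model

# Constructed sample data: the Engineering/Payroll case plus a higher-weight policy.
engineering = Policy("Engineering", 1200, {"Engineering"},
                     [Rule("all-but-payroll", "allow", destination="Payroll", negate_destination=True)])
quarantine = Policy("Quarantine", default_weight([engineering]), {"Quarantine"},
                    [Rule("isolate", "block")])
POLICIES = [engineering, quarantine]
```

In this model the negated rule simply does not match Engineering-to-Payroll traffic, so that flow is decided by whatever rules follow, and a VM that is also in the Quarantine group is blocked because the 2200-weight policy is evaluated first.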
