The distributed firewall is one of the key features of VMware NSX-T. This article will show you how to add NSX-T distributed firewall rules using the NSX-T Manager user interface.
Distributed firewall rules are applied at the VM (vNIC) level and control East-West traffic within the SDDC. Traffic attempting to pass through the DFW is subject to the rules that have been defined. The firewall rules are grouped into policies, which in turn belong to a category.
To get started with creating a new rule, log into an NSX Manager using an account with admin privileges. Once logged in, navigate to Security | Distributed Firewall. Once on the DFW screen, ensure you are in the correct pre-defined firewall rule category. I am going to create a rule to allow port 80 to my web server virtual machine, so I will ensure I have the Application category selected:
Add an NSX-T Distributed Firewall Policy
Now, we can create a new policy, which will contain the new rule. To do so, click Add Policy, then give it a name:
Click the gear icon next to the policy to look at the advanced policy settings. I will keep the defaults in this example – you can read about these policy settings here.
Note that you should now have one unpublished change. Click Publish.
Add an NSX-T Distributed Firewall Rule
With the new policy selected (checked), click the Add Rule button, which should now be available:
Next, give the rule a name, then configure the source and destination. For my rule I have used IP addresses, with 192.168.0.0/24 as the source and 192.168.0.23 as the destination, as I wanted to use a straightforward example. Alternatively, you can use groups.
With the source and destination set, next edit the services:
I want to allow traffic to reach port 80 on my web server, so I have selected the HTTP service. Finally, in the Action column select what you want the rule to do. I have set it to Allow the specified traffic:
Click the gear icon to look at the advanced settings. Here you can configure Logging, Traffic Direction, IP Protocol and Log Label. As before, I have kept the default settings in this example. Once ready, click Publish to publish the new distributed firewall rule. After a short while you should see that the rule has been published successfully.
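As an added illustration (not part of the original post), the policy and rule built above in the UI can also be expressed as a Policy API body, and a small first-match check shows which East-West flows the published rule would allow. The request field names and the `/infra/services/HTTP` path are assumptions based on the NSX-T Policy API and should be verified against your NSX-T version.

```python
import ipaddress

# Assumed NSX-T Policy API request shape for
# PATCH /policy/api/v1/infra/domains/default/security-policies/<policy-id>
# (field names are an assumption; check them against your NSX-T version).
def build_policy(policy_id, rule_id, source_cidr, dest_ip, service_path, action):
    return {
        "resource_type": "SecurityPolicy",
        "display_name": policy_id,
        "category": "Application",          # category selected in the UI
        "rules": [{
            "resource_type": "Rule",
            "id": rule_id,
            "display_name": rule_id,
            "source_groups": [source_cidr],  # IP addresses, as in the article
            "destination_groups": [dest_ip],
            "services": [service_path],      # pre-defined HTTP service path
            "action": action,                # ALLOW / DROP / REJECT
            "scope": ["ANY"],                # advanced "Applied To" default
            "direction": "IN_OUT",           # advanced "Traffic Direction" default
            "logged": False,                 # advanced "Logging" default
        }],
    }

# Constructed lookup so the evaluator can resolve a service path to a TCP port.
SERVICE_PORTS = {"/infra/services/HTTP": 80}

def _matches(entries, ip):
    # "ANY" matches everything; a bare host like 192.168.0.23 becomes a /32.
    return any(e == "ANY" or
               ipaddress.ip_address(ip) in ipaddress.ip_network(e, strict=False)
               for e in entries)

def evaluate(rules, src_ip, dst_ip, dst_port):
    """First-match evaluation of a flow against an ordered rule list.
    Returns the matching rule's action, or None when nothing matched, in which
    case the default layer-3 rule decides (Allow in NSX-T unless changed)."""
    for rule in rules:
        ports = {SERVICE_PORTS.get(s) for s in rule["services"]}
        if (_matches(rule["source_groups"], src_ip) and
                _matches(rule["destination_groups"], dst_ip) and dst_port in ports):
            return rule["action"]
    return None

if __name__ == "__main__":
    policy = build_policy("web-policy", "allow-http", "192.168.0.0/24",
                          "192.168.0.23", "/infra/services/HTTP", "ALLOW")
    print(evaluate(policy["rules"], "192.168.0.10", "192.168.0.23", 80))  # ALLOW
    print(evaluate(policy["rules"], "10.0.0.10", "192.168.0.23", 80))     # None
```

Flows that return None are not decided by this rule at all; check what the default rule at the bottom of the DFW does before assuming they are blocked.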
This was a simple example of how to create an NSX-T distributed firewall rule. Always check out the official documentation for a more detailed explanation before making any production changes!