Part 5: VMware NSX-T Distributed Firewall configuration
Create Groups
First, create groups for all web and app VMs; the firewall policies will be applied per group rather than per VM, so a new VM that matches the criteria is covered automatically.
Click on Inventory – Groups – Add.
Provide a name and click Set Members.
Click Add Criteria: VM – Name – Contains – web. If needed, further criteria can be added by clicking the + sign (the criteria are combined with AND/OR).
Criteria can also be created based on tags. Review and click Finish.
All the web servers are listed automatically.
The segment ports for those VMs are shown below.
Similarly, create one group for the app VMs as well and verify as shown below.
Create Distributed firewall rules
Click on Security – Distributed Firewall – Category Specific Rules – Application – Add Policy.
Provide a name, select the policy and click Add Rule.
Provide the rule name, source, destination and services.
Select all details and the action (Drop or Allow) as needed. In my case web-to-web traffic is blocked.
Similarly, create all necessary rules: web-to-app allowed only for the specific services required, everything else blocked. Rules are evaluated top-down and the first match wins, so the allow rule for the specific services must sit above the block rule. Click Publish at the end; nothing is enforced until the policy is published.
Test the Distributed Firewall
Once the rule is published the traffic is blocked instantly, as shown below.
Allow, Drop and Reject are the available actions. Drop silently discards the packet; Reject discards it and sends a TCP RST (for TCP) or an ICMP unreachable (for other protocols) back to the source.
A specific rule can be enabled or disabled as shown below, which is useful for troubleshooting without deleting the rule.
Click on the logging setting as shown below. Logged hits are written on each ESXi host to /var/log/dfwpktlogs.log, so forward that file to a syslog collector if the logs need to be retained.
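The same group and policy objects can be created through the NSX-T Policy API instead of the UI. The following is an added example (not code from the original post or from VMware): it builds the two groups with the name and tag criteria described above, the Application-category policy with the web-to-web block, the web-to-app allow on a named service and the catch-all block, and it includes a small offline first-match check that shows why rule order matters. The group and policy IDs, the manager address, the `web`/`app` name substrings and the choice of the built-in HTTPS service are assumptions made for the example.

```python
"""Added example: NSX-T Policy API equivalents of the UI steps in this post.
IDs, names and the HTTPS service choice are assumptions for the example."""
import base64
import json
import os
import ssl
import urllib.request

DOMAIN_PATH = "/infra/domains/default"  # the domain the UI uses by default


def name_condition(substring):
    """UI: Add Criteria -> VM - Name - Contains - <substring>."""
    return {"resource_type": "Condition", "member_type": "VirtualMachine",
            "key": "Name", "operator": "CONTAINS", "value": substring}


def tag_condition(tag, scope=""):
    """UI: VM - Tag - Equals. NSX stores the value as 'scope|tag' (scope may be empty)."""
    return {"resource_type": "Condition", "member_type": "VirtualMachine",
            "key": "Tag", "operator": "EQUALS", "value": f"{scope}|{tag}"}


def build_group(group_id, conditions, conjunction="OR"):
    """Group whose criteria are joined by the '+' sign in the UI (AND or OR)."""
    expression = []
    for i, cond in enumerate(conditions):
        if i:  # a ConjunctionOperator must sit between every two conditions
            expression.append({"resource_type": "ConjunctionOperator",
                               "conjunction_operator": conjunction})
        expression.append(cond)
    return {"resource_type": "Group", "id": group_id, "display_name": group_id,
            "expression": expression}


def group_path(group_id):
    return f"{DOMAIN_PATH}/groups/{group_id}"


def rule(name, seq, src, dst, action, services=("ANY",), logged=True, disabled=False):
    """One DFW rule. src/dst/services are policy paths or ['ANY'];
    scope ANY = applied to the whole DFW; lower sequence_number is matched first."""
    if action not in ("ALLOW", "DROP", "REJECT"):
        raise ValueError(f"unknown action {action}")
    return {"resource_type": "Rule", "id": name, "display_name": name,
            "sequence_number": seq,
            "source_groups": list(src), "destination_groups": list(dst),
            "services": list(services), "profiles": ["ANY"], "scope": ["ANY"],
            "direction": "IN_OUT", "action": action,
            "logged": logged, "disabled": disabled}


def build_policy(policy_id, rules, category="Application"):
    return {"resource_type": "SecurityPolicy", "id": policy_id,
            "display_name": policy_id, "category": category, "rules": rules}


def web_app_policy():
    """The post's rule set: web-web dropped, web-app only on HTTPS, the rest dropped."""
    web, app = group_path("web-servers"), group_path("app-servers")
    return build_policy("web-app-policy", [
        rule("block-web-web", 10, [web], [web], "DROP"),
        rule("allow-web-app-https", 20, [web], [app], "ALLOW",
             services=["/infra/services/HTTPS"]),  # built-in NSX service path
        rule("block-web-app-other", 30, [web], [app], "DROP"),
    ])


def first_match(policy, src, dst, service, default_action="ALLOW"):
    """Offline check of rule order: the first enabled matching rule wins; if none
    matches, the Default Layer3 rule applies (ALLOW out of the box)."""
    def hit(field, value):
        return "ANY" in field or value in field
    for r in sorted(policy["rules"], key=lambda r: r["sequence_number"]):
        if r["disabled"]:
            continue
        if hit(r["source_groups"], src) and hit(r["destination_groups"], dst) \
                and hit(r["services"], service):
            return r["action"]
    return default_action


def nsx_patch(manager, user, password, path, body, verify_tls=True):
    """PATCH one policy object (create-or-update). Returns the HTTP status."""
    req = urllib.request.Request(f"https://{manager}/policy/api/v1{path}",
                                 data=json.dumps(body).encode(), method="PATCH")
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    req.add_header("Content-Type", "application/json")
    ctx = ssl.create_default_context()
    if not verify_tls:  # lab managers with self-signed certs only
        ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
    with urllib.request.urlopen(req, context=ctx) as resp:
        return resp.status


if __name__ == "__main__":
    groups = [build_group("web-servers", [name_condition("web")]),
              build_group("app-servers", [name_condition("app")])]
    policy = web_app_policy()
    manager = os.environ.get("NSX_MANAGER")  # assumed env vars; unset = dry run
    if manager:
        creds = (os.environ["NSX_USER"], os.environ["NSX_PASSWORD"])
        for g in groups:  # push groups first, the policy references their paths
            nsx_patch(manager, *creds, group_path(g["id"]), g)
        nsx_patch(manager, *creds, f"{DOMAIN_PATH}/security-policies/{policy['id']}", policy)
    else:
        print(json.dumps({"groups": groups, "policy": policy}, indent=2))
```

Run it without `NSX_MANAGER` set to print the JSON that the UI would have generated; with the three environment variables set it PATCHes the objects directly. A PATCH to a policy path publishes immediately, so there is no separate Publish step as in the UI; review the printed JSON first.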
In line with the PCI DSS requirement, a firewall rule review needs to be conducted every half year. Can you please help me with best practices for the DFW firewall rule review process?