LAB NSX Edge Service Gateway Firewall Configuration

Posted on Jan 17, 2020

NSX Edge Service Gateway Firewall Configuration

Task:

  • Create Rule name DCLessons FW Rule with source 192.168.110.10 and destination Web_Tier_Logical_Switch with action Reject
  • Test the FW rule
  • Again Change the action to Accept and again test the traffic from 192.168.110.10
  • Delete the Rule just created.

Solution:

The NSX Edge Firewall monitors North-South traffic to provide perimeter security, whereas the NSX Distributed Firewall applies policy at the virtual NIC of every VM.

When rules are created in the NSX Firewall user interface that are applicable to an NSX Edge Gateway, they are displayed on the Edge in read-only mode. When rules exist in multiple locations, they are displayed and enforced in the following order:

  1. User-defined rules from the Firewall user interface (Read only).
  2. Auto-configured rules (automatically created rules that enable control traffic for Edge services).
  3. User-defined rules on NSX Edge Firewall user interface.
  4. Default rule.
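To make that precedence concrete, here is an added example (written for this page; it is not part of the lab and not NSX code) that models first-match evaluation over rules tagged with where they came from. The Web tier subnet 172.16.10.0/24 and the "Central allow" rule are constructed for the illustration; the lab does not give them. It shows that an Edge-local Reject for the Main Console is overridden by an Accept pushed from the central Firewall UI, and that any other source falls through to the default rule, which the lab sets to Deny.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Enforcement order for an NSX Edge, as listed in the lab:
# 1 rules from the central Firewall UI (read-only on the Edge), 2 auto-configured
# rules for Edge services, 3 rules created in the Edge's own Firewall UI, 4 default rule.
ENFORCEMENT_ORDER = {"central_ui": 1, "auto": 2, "edge_user": 3, "default": 4}


@dataclass
class Rule:
    name: str
    origin: str                      # key into ENFORCEMENT_ORDER
    action: str                      # "accept", "deny" or "reject"
    source: Optional[str] = None     # CIDR, or None for "any"
    destination: Optional[str] = None

    def matches(self, src_ip, dst_ip):
        for net, addr in ((self.source, src_ip), (self.destination, dst_ip)):
            if net is not None and ipaddress.ip_address(addr) not in ipaddress.ip_network(net):
                return False
        return True


def evaluate(rules, src_ip, dst_ip):
    """First matching rule wins; rules are ordered by origin, then by their position."""
    ordered = sorted(enumerate(rules), key=lambda item: (ENFORCEMENT_ORDER[item[1].origin], item[0]))
    for _, rule in ordered:
        if rule.matches(src_ip, dst_ip):
            return rule.name, rule.action
    raise LookupError("no rule matched; an Edge always carries a default rule")


WEB_TIER = "172.16.10.0/24"        # constructed subnet standing in for Web_Tier_Logical_Switch
MAIN_CONSOLE = "192.168.110.10/32"  # the lab's source address

LAB_RULES = [
    Rule("Default Rule", "default", "deny"),  # listed first, but enforced last
    Rule("Main Console FW Rule", "edge_user", "reject", MAIN_CONSOLE, WEB_TIER),
]


def lab_decisions():
    """Decisions for the lab's flow, another source, and the same flow with a constructed
    central-UI Accept rule that takes precedence over the Edge-local Reject."""
    central_accept = Rule("Central allow", "central_ui", "accept", "192.168.110.0/24", WEB_TIER)
    return {
        "console_to_web": evaluate(LAB_RULES, "192.168.110.10", "172.16.10.11"),
        "other_to_web": evaluate(LAB_RULES, "10.0.0.5", "172.16.10.11"),
        "console_to_web_with_central_rule": evaluate(
            LAB_RULES + [central_accept], "192.168.110.10", "172.16.10.11"),
    }


if __name__ == "__main__":
    for flow, decision in lab_decisions().items():
        print(f"{flow}: {decision}")
```

The point of sorting by origin before position is that a rule's place in the Edge's list alone does not tell you whether it is the one that fires; a read-only rule pushed from the central UI is consulted first even when it appears to sit below an Edge-local rule.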

Follow these steps:

  1. Click Home
  2. Click Networking & Security.
  3. Click NSX Edges.
  4. Double-click Perimeter Gateway-01.

  1. Click Manage.
  2. Click Firewall.
  3. Click to select Default Rule.
  4. Click the pencil icon under the Action column.
  5. Select Deny in the Action field.

Don't revert this change, as we will continue working with this firewall rule configuration.

Adding Edge Services Gateway Firewall Rule

We will add a new edge firewall rule to block the Control Center's access to the Customer DB Application.

  1. Click Green Plus icon to add a new firewall rule.
  2. Hover the mouse over the upper right corner of the Name column and click the pencil icon.
  3. Enter Main Console FW Rule as the Rule Name.
  4. Click OK.

Hover the mouse over the upper right corner of the Source column and click the pencil icon.

  1. Click Object Type drop down menu and select IP Sets.
  2. Click New IP Set... hyperlink.
  3. Enter Main Console as the Name.
  4. Enter 192.168.110.10 as the IP address.
  5. Click OK.

Select IP Sets from the Object Type list.

  1. Click to select Main Console from the list of Available Objects.
  2. Click the right arrow. This will move the object to the list of Selected Objects.
  3. Confirm Main Console is in the list of Selected Objects and click OK.

Hover the mouse over the upper right corner of the Destination column and click the pencil icon.

  1. Select Logical Switch from the Object Type list.
  2. Click to select Web_Tier_Logical_Switch from the list of Available Objects.
  3. Click the right arrow. This will move the object to the list of Selected Objects.
  4. Confirm Web_Tier_Logical_Switch is in the list of Selected Objects and click OK.

  1. Click the pencil icon under the Action column.
  2. Select Reject in the Action field.
  3. Click OK.

The reason Reject was chosen instead of Deny is to make the failure of the web server visible quickly in the following steps. If Deny is selected, the flow is silently dropped and the connection attempt eventually times out. Because Reject is chosen above, an ICMP message is sent to the Main Console as soon as a connection attempt is made.
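As an added illustration of that difference (example code written for this page, not part of the lab): the function below makes a TCP connection attempt and classifies the outcome the way a client experiences it. A Reject rule answers the attempt actively, so the client fails immediately; a Deny rule drops it, and the client only gives up when its own timeout expires. The demo is constructed to run offline on the loopback interface: a closed loopback port produces the same immediate refusal a Reject rule does, while the "drop" outcome only appears against a firewall that silently discards the flow.

```python
import socket
import time


def probe(host, port, timeout=2.0):
    """Attempt a TCP connection and report (verdict, seconds elapsed).

    verdict is "accept" (handshake completed), "reject" (active refusal: a TCP RST or an
    ICMP port-unreachable surfaces to the client as connection refused), "drop" (no answer
    at all until our timeout) or "unreachable" (other network error)."""
    started = time.monotonic()
    try:
        with socket.create_connection((host, port), timeout=timeout):
            verdict = "accept"
    except ConnectionRefusedError:
        verdict = "reject"
    except socket.timeout:
        verdict = "drop"
    except OSError:
        verdict = "unreachable"
    return verdict, round(time.monotonic() - started, 3)


def local_demo():
    """Constructed loopback demonstration: one port with a listener behind it and one
    with nothing listening, so the client sees an accept and an immediate refusal."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))      # let the kernel pick a free port
    listener.listen(1)
    open_port = listener.getsockname()[1]

    spare = socket.socket()
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()                        # nothing listens on closed_port any more

    try:
        return {
            "listening": probe("127.0.0.1", open_port)[0],
            "closed": probe("127.0.0.1", closed_port)[0],
        }
    finally:
        listener.close()


if __name__ == "__main__":
    print(local_demo())
```

Running the same probe from the Main Console against the web tier while the lab's rule is set to Reject returns "reject" within milliseconds; with the rule set to Deny the call blocks for the full timeout and returns "drop", which is exactly the slow failure the lab wants to avoid while testing.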

Click Publish Changes to update the configuration on Perimeter-Gateway-01 (NSX Edge).

Test New Firewall Rule

Now that we have configured a new FW rule that will block the Control Center from accessing the Web Tier logical switch, let's run a quick test:

  1. Open a new browser tab.
  2. Click the Customer DB App bookmark.

Return to vSphere Web Client browser tab.

  1. Click the pencil icon under the Action column of the Main Console FW Rule.
  2. Select Accept in the Action field.
  3. Click OK.

Click Publish Changes to update the configuration on Perimeter-Gateway-01 (NSX Edge).

Return to Customer DB App browser tab.

  1. Click Refresh icon.

Since the Main Console FW rule has been changed to "Accept", the Main Console can now access the Customer DB App.

Delete Main Console FW Rule 

  1. Click to select the Main Console FW Rule.
  2. Click the Red X to delete the selected firewall rule.
  3. Click OK to confirm.

Click Publish Changes to update the configuration on Perimeter-Gateway-01 (NSX Edge).

In this lab, we learned to modify an existing Edge Services Gateway Firewall rule, and to configure a new Edge Services Gateway Firewall rule that blocks external access to the Customer DB App.

