# Using Distributed Firewall in a Data Center Group

## <mark style="color:green;">**Overview**</mark> <a href="#overview" id="overview"></a>

HI GIO supports a distributed firewall service for data center groups: you create a single default security policy that is applied to the whole data center group.

The distributed firewall inspects every packet and frame entering or leaving a VM, regardless of the network topology. Inspection happens at the VM's virtual NIC (vNIC), so access-control lists (ACLs) are enforced as close to the source as possible.

<figure><img src="https://3953927389-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fbvay7AR0CH8vZKgD3dSy%2Fuploads%2FkfgZHPLeuEU3wDutB8Cd%2Fimage.png?alt=media&#x26;token=fce51fec-a6f5-487c-91a3-9be823ba1935" alt=""><figcaption></figcaption></figure>

## <mark style="color:green;">**Procedure**</mark> <a href="#procedure" id="procedure"></a>

{% tabs %}
{% tab title="I. Predefine Object" %}
To create distributed firewall rules and add them to a data center group, you first define the objects the rules refer to (sections 1.1 to 1.5 below) and then set the following fields for each rule:

*<mark style="color:blue;">Name</mark>*<mark style="color:blue;">: Name for the rule.</mark>

*<mark style="color:blue;">Source</mark>*<mark style="color:blue;">: **IP Sets / Dynamic Groups / Static Groups (1.1, 1.2, 1.3, 1.4)**</mark>

*<mark style="color:blue;">Destination</mark>*<mark style="color:blue;">: **IP Sets / Dynamic Groups / Static Groups (1.1, 1.2, 1.3, 1.4)**</mark>

*<mark style="color:blue;">Application</mark>*<mark style="color:blue;">: Select the application port profiles (protocol and ports) the rule applies to **(1.5)**</mark>

*<mark style="color:blue;">Action</mark>*<mark style="color:blue;">: **Allow**, **Reject**, or **Drop**</mark>

*<mark style="color:blue;">IP Protocol</mark>*<mark style="color:blue;">: **IPv4/IPv6** or **both**</mark>

* **1.1 Add an IP Set to the Data Center Group:**

IP sets are groups of IP addresses and networks to which the distributed firewall rules apply (as **Source** and **Destination**). Combining multiple objects into IP sets reduces the total number of distributed firewall rules you need to create.

**Step 1:** In the top navigation bar, click **Networking** and then click the **Data Center Groups** tab.

**Step 2:** Click the data center group name.

<figure><img src="https://3953927389-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fbvay7AR0CH8vZKgD3dSy%2Fuploads%2FXNePk7synT6OFCAwCPNK%2Fimage.png?alt=media&#x26;token=77a6c7ad-45df-45ed-afaf-8de8bc382968" alt=""><figcaption></figcaption></figure>

**Step 3:** Under *Security*, click **IP Sets**

**Step 4:** Click **New**.

**Step 5:** Enter a meaningful **Name** and a **Description** for the IP set.

**Step 6:** Enter an IPv4 address, an IPv6 address, or an address range in CIDR format, and click **Add**.

**Step 7:** To modify an existing IP address or range, click **Modify** and edit the value.

**Step 8:** To confirm, click **Save**.

<figure><img src="https://3953927389-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fbvay7AR0CH8vZKgD3dSy%2Fuploads%2FDtsm5LuboY70pKtX296B%2Fimage.png?alt=media&#x26;token=dac6b49a-8dff-4b5c-9af7-4e2477c7a872" alt=""><figcaption></figcaption></figure>

* **1.2 Create a Static Security Group:**

Static security groups are data center group networks to which distributed firewall rules apply (as **Source** and **Destination**). Grouping networks helps you reduce the total number of distributed firewall rules that need to be created.

**Step 1:** In the top navigation bar, click **Networking** and then click the **Data Center Groups** tab.

**Step 2:** Click the data center group name.

<figure><img src="https://3953927389-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fbvay7AR0CH8vZKgD3dSy%2Fuploads%2FN2qJ0z8qsTV9E9iH2FTc%2Fimage.png?alt=media&#x26;token=390b7323-36f2-4ed2-8f06-c8cc5928ae56" alt=""><figcaption></figcaption></figure>

**Step 3:** Under *Security*, click **Static Groups**.

**Step 4:** Click **New**.

**Step 5:** Enter a **Name**, a **Description** for the static group, and click **Save**.

<figure><img src="https://3953927389-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fbvay7AR0CH8vZKgD3dSy%2Fuploads%2F9ERM8Z9ggMRvnao6GwmE%2Fimage.png?alt=media&#x26;token=b163546f-52dd-4727-b90b-a96691c27359" alt=""><figcaption></figcaption></figure>

The static security group will appear in the list.

**Step 6:** Select the newly created static security group and click **Manage Members**.

<figure><img src="https://3953927389-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fbvay7AR0CH8vZKgD3dSy%2Fuploads%2FPgijt7Svmwi5wtdRBXdF%2Fimage.png?alt=media&#x26;token=803fb194-fed0-415e-98f9-0de372a14346" alt=""><figcaption></figcaption></figure>

**Step 7:** Select the data center group networks that you want to add to the static security group, and click **Save**.

<figure><img src="https://3953927389-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fbvay7AR0CH8vZKgD3dSy%2Fuploads%2F08F0cTUzhyghKjmaD2bH%2Fimage.png?alt=media&#x26;token=4372526b-4a59-403b-97b1-db100886a257" alt=""><figcaption></figcaption></figure>

* **1.3 Assign Security Tags to VMs:**

Security tags you create and assign to virtual machines help you define edge gateway and distributed firewall rules.

**Step 1:** In the top navigation bar, click **Networking.**

**Step 2:** Click **Security Tags**.

**Step 3:** Click **Add Tag**.

**Step 4:** Enter a **tag name**.

**Step 5:** From the list of virtual machines in the organization, select the ones to which to assign the newly created tag.

**Step 6:** Click **Save**.

<figure><img src="https://3953927389-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fbvay7AR0CH8vZKgD3dSy%2Fuploads%2FWVQXOgaErltstNII97jW%2Fimage.png?alt=media&#x26;token=b5481797-c08d-4a85-8fe9-12b8b02f9934" alt=""><figcaption></figcaption></figure>

* **1.4 Create a Dynamic Security Group:**

You can define dynamic security groups of virtual machines based on specific criteria (**VM Name** or **Tag Name**) to which to apply distributed firewall rules.

**Step 1:** In the top navigation bar, click **Networking** and then click the **Data Center Groups** tab.

**Step 2:** Click the data center group name.

<figure><img src="https://3953927389-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fbvay7AR0CH8vZKgD3dSy%2Fuploads%2FzbzKuyrRmKpz5kyU4WZ6%2Fimage.png?alt=media&#x26;token=bcd08486-8050-45dd-a867-d8c93bde6a73" alt=""><figcaption></figcaption></figure>

**Step 3:** Under *Security*, click **Dynamic Groups**.

**Step 4:** Click **New**.

**Step 5:** Enter a **Name** and a **Description** for the dynamic security group.

**Step 6:** To create a **Criterion** for inclusion in the group, add up to **four rules** that apply to a VM Name or a VM security tag.

* *VM Name:* a rule that applies to VM names containing or starting with a term you specify.
* *VM tag:* a rule that applies to VM tags that **equal**, **contain**, **start with**, or **end with** a term you specify.

<figure><img src="https://3953927389-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fbvay7AR0CH8vZKgD3dSy%2Fuploads%2FavkdvWRKqG4t9krZns3N%2Fimage.png?alt=media&#x26;token=089d1ac7-abea-4dbd-a633-2630a306e8f9" alt=""><figcaption></figcaption></figure>

As shown in the figure, I created two rules:

* *VM Name*: **Starts With** "demo"
* *VM Tag*: **Equals** "non-prd" (the tag you created in **1.3**)

**Step 7:** Click **Save**.

* **1.5 Add a Custom Application Port Profile:**

You can use preconfigured and custom application port profiles to create distributed firewall rules.

An application port profile combines a protocol with a port or a group of ports and is used by the firewall services.

**Step 1:** In the top navigation bar, click **Networking** and then click the **Data Center Groups** tab.

**Step 2:** Click the data center group name.

<figure><img src="https://3953927389-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fbvay7AR0CH8vZKgD3dSy%2Fuploads%2FO6oQEAVRIWYccaAQCgGc%2Fimage.png?alt=media&#x26;token=d2582b58-c3e7-4955-9935-82c87ffee419" alt=""><figcaption></figcaption></figure>

**Step 3:** Under *Security*, click **Application Port Profiles**

**Step 4:** In the **Custom Applications** pane, click **New**.

**Step 5:** Enter a **Name** and a **Description** for the application port profile.

**Step 6:** From the *Protocol* drop-down menu, select the protocol: **TCP**, **UDP**, **ICMPv4**, or **ICMPv6**.

**Step 7:** Enter one or more ports or port ranges, separated by commas, and click **Save**.

<figure><img src="https://3953927389-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fbvay7AR0CH8vZKgD3dSy%2Fuploads%2FYj3M9MWKE7UOMZSipCel%2Fimage.png?alt=media&#x26;token=8526d36c-23f8-4c81-b62c-82482ae73dc1" alt=""><figcaption></figcaption></figure>
{% endtab %}

{% tab title="II. Add a Distributed Firewall Rule" %}
With the objects predefined in the previous tab, create the distributed firewall rules as follows:

1. In the top navigation bar, click **Networking** and then click the **Data Center Groups** tab.
2. Click the data center group name.

<figure><img src="https://3953927389-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fbvay7AR0CH8vZKgD3dSy%2Fuploads%2FbuIPYqVDnjm3EIrPxFwX%2Fimage.png?alt=media&#x26;token=eb504b6d-59ca-49ca-923b-bc1e62812ae3" alt=""><figcaption></figcaption></figure>

3\. Click the **Distributed Firewall** tab on the left.

4\. Click **Edit Rules**.

5\. To add a firewall rule, click **New on Top**.

**NOTE**: Each traffic session is checked against the top rule in the firewall table first and then against the subsequent rules in order. The first rule in the table that matches the traffic parameters is enforced.

6\. Configure the rule

*<mark style="color:blue;">**Name**</mark>*<mark style="color:blue;">: \[Name of the rule]</mark>

*<mark style="color:blue;">**State**</mark>*<mark style="color:blue;">: \[Enable or disable the rule with the toggle]</mark>

*<mark style="color:blue;">**Applications**</mark>*<mark style="color:blue;">: Select default profiles or the custom profiles created in **1.5**</mark>

*<mark style="color:blue;">**Context**</mark>*<mark style="color:blue;">: (Optional) Select a context profile for the rule.</mark>

*<mark style="color:blue;">**Source**</mark>*<mark style="color:blue;">: Select Any or an object created in **1.1, 1.2, 1.3, 1.4**</mark>

*<mark style="color:blue;">**Destination**</mark>*<mark style="color:blue;">: Select Any or an object created in **1.1, 1.2, 1.3, 1.4**</mark>

*<mark style="color:blue;">**Action**</mark>*<mark style="color:blue;">: **Allow**, **Reject**, or **Drop**</mark>

*<mark style="color:blue;">**IP Protocol**</mark>*<mark style="color:blue;">: **IPv4/IPv6** or **both**</mark>

***Logging**:* \[Enable or disable with the toggle] Enable to have the traffic matched by this rule logged.

<figure><img src="https://3953927389-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fbvay7AR0CH8vZKgD3dSy%2Fuploads%2FRTleZ45M4OVQlo96PKCH%2Fimage.png?alt=media&#x26;token=8f780543-20a7-4f24-9396-d77cbf6854e9" alt=""><figcaption></figcaption></figure>

7\. Click **Save**.

{% hint style="warning" %}
Please do not remove rules whose names start with HIGIO (if any).
{% endhint %}
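As an added illustration (not part of the HI GIO documentation or product code), the following Python model shows how the dynamic-group criteria from 1.4 and the first-match rule order from the NOTE above combine: it resolves a dynamic group from constructed VM names and tags, expands Source/Destination objects to addresses, and walks a constructed rule table top-down. The IP sets, VMs, tags, profiles and rules are all assumed sample values, and the criteria within a dynamic group are assumed to be ANDed (the page does not state how they combine).

```python
from ipaddress import ip_address, ip_network

# All objects below are constructed sample data, not values from any real environment.
IP_SETS = {"mgmt-net": ["10.10.0.0/24"]}                       # 1.1 IP set
VMS = {  # VM name -> (IP address, security tags assigned in 1.3)
    "demo-web-01": ("10.20.0.11", {"non-prd"}),
    "demo-db-01":  ("10.20.0.12", {"prd"}),
    "prd-app-01":  ("10.30.0.5",  {"prd"}),
}
# 1.4 dynamic group: criteria rules, assumed to be ANDed together
DYNAMIC_GROUPS = {"demo-nonprd": [("name_starts_with", "demo"), ("tag_equals", "non-prd")]}
APP_PROFILES = {"SSH": ("tcp", {22}), "HTTPS": ("tcp", {443})}  # 1.5 port profiles

def matches_criterion(name, tags, kind, term):
    """One dynamic-group criterion rule, using the operators the page lists."""
    if kind == "name_starts_with": return name.startswith(term)
    if kind == "name_contains":    return term in name
    if kind == "tag_equals":       return term in tags
    if kind == "tag_contains":     return any(term in t for t in tags)
    raise ValueError(kind)

def group_members(group):
    """VM names that satisfy every criterion rule of a dynamic group."""
    return {n for n, (_, tags) in VMS.items()
            if all(matches_criterion(n, tags, k, t) for k, t in DYNAMIC_GROUPS[group])}

def resolve(obj):
    """Expand a Source/Destination object into networks; 'Any' matches every address."""
    if obj == "Any": return [ip_network("0.0.0.0/0")]
    if obj in IP_SETS: return [ip_network(n) for n in IP_SETS[obj]]
    return [ip_network(VMS[n][0]) for n in group_members(obj)]

def evaluate(rules, src, dst, proto, port):
    """Top-down first match decides; rules are (name, source, destination, app, action)."""
    s, d = ip_address(src), ip_address(dst)
    for name, rsrc, rdst, app, action in rules:
        if app != "Any":
            aproto, aports = APP_PROFILES[app]
            if proto != aproto or port not in aports:
                continue  # application profile does not cover this session
        if any(s in n for n in resolve(rsrc)) and any(d in n for n in resolve(rdst)):
            return name, action
    return None  # no rule matched; the platform's default policy applies

# Constructed rule table: the narrow allow must sit above the broad drop to take effect.
RULES = [
    ("allow-mgmt-ssh", "mgmt-net", "demo-nonprd", "SSH",   "Allow"),
    ("drop-ssh",       "Any",      "Any",         "SSH",   "Drop"),
    ("allow-https",    "Any",      "demo-nonprd", "HTTPS", "Allow"),
]
```

Swapping the first two rules makes the management SSH session hit `drop-ssh` first, which is the ordering mistake the NOTE warns about.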
{% endtab %}
{% endtabs %}
