HI GIO User Guide EN

Using Distributed Firewall in a Data Center Group

Last updated 4 months ago

Overview

HI GIO supports a distributed firewall service for data center groups. You create a single default security policy applied to the data center group.

It can inspect every packet and frame coming to and leaving the VM regardless of the network topology. Packet inspection is done at the VM virtual NIC (vNIC) level, which enables access-control lists (ACLs) to be applied closest to the source.

Procedure

To create distributed firewall rules and add them to a data center group, you first need to define the objects a rule refers to:

Name: Name for the rule.

Source: IP Sets / Dynamic Groups / Static Groups (see 1.1, 1.2, 1.3, 1.4 below)

Destination: IP Sets / Dynamic Groups / Static Groups (see 1.1, 1.2, 1.3, 1.4 below)

Application: The application port profiles (protocol and port) the rule applies to (see 1.5 below)

Action: Allow / Reject / Drop

IP Protocol: IPv4, IPv6, or both

  • 1.1 Add an IP Set to the Data Center Group:

IP sets are groups of IP addresses and networks to which the distributed firewall rules apply (as Source and Destination). Combining multiple objects into IP sets helps you reduce the total number of distributed firewall rules to be created.

Step 1: In the top navigation bar, click Networking and then click the Data Center Groups tab.

Step 2: Click the data center group name.

Step 3: Under Security, click IP Sets

Step 4: Click New.

Step 5: Enter a meaningful Name and a Description for the IP set.

Step 6: Enter an IPv4 address, an IPv6 address, or an address range in CIDR format, and click Add.

Step 7: To modify an existing IP address or range, click Modify and edit the value.

Step 8: To confirm, click Save.

  • 1.2 Create a Static Security Group:

Static security groups are data center group networks to which distributed firewall rules apply (as Source and Destination). Grouping networks helps you reduce the total number of distributed firewall rules that need to be created.

Step 1: In the top navigation bar, click Networking and then click the Data Center Groups tab.

Step 2: Click the data center group name.

Step 3: Under Security, click Static Groups.

Step 4: Click New.

Step 5: Enter a Name, a Description for the static group, and click Save.

The static security group will appear in the list.

Step 6: Select the newly created static security group and click Manage Members.

Step 7: Select the data center group networks that you want to add to the static security group, and click Save.

  • 1.3 Assign Security Tags to VMs:

Security tags you create and assign to virtual machines help you define edge gateway and distributed firewall rules.

Step 1: In the top navigation bar, click Networking.

Step 2: Click Security Tags.

Step 3: Click Add Tag.

Step 4: Enter a tag name.

Step 5: From the list of virtual machines in the organization, select the ones to assign the newly created tag.

Step 6: Click Save.

  • 1.4 Create a Dynamic Security Group:

You can define dynamic security groups of virtual machines based on specific criteria (VM Name or Tag Name) to which to apply distributed firewall rules.

Step 1: In the top navigation bar, click Networking and then click the Data Center Groups tab.

Step 2: Click the data center group name.

Step 3: Under Security, click Dynamic Groups.

Step 4: Click New.

Step 5: Enter a Name and a Description for the dynamic security group.

Step 6: To create a Criterion for inclusion in the group, add up to four rules that apply to a VM Name or a VM security tag.

  • VM Name: a rule that applies to VM names containing or starting with a term you specify.

  • VM tag: a rule that applies to VM tags that equal, contain, start with, or end with a term you specify.

As shown in the figure, I created two rules:

  • VM Name: Starts With “demo”

  • VM Tag: Equals “non-prd” (the tag you created in 1.3)

Step 7: Click Save.

  • 1.5 Add a Custom Application Port Profile:

You can use preconfigured and custom application port profiles to create distributed firewall rules.

An application port profile is a combination of a protocol and a port or a group of ports, used by the firewall services.

Step 1: In the top navigation bar, click Networking and then click the Data Center Groups tab.

Step 2: Click the data center group name.

Step 3: Under Security, click Application Port Profiles.

Step 4: In the Custom Applications pane, click New.

Step 5: Enter a Name and a Description for the application port profile.

Step 6: From the Protocol drop-down menu, select the protocol: TCP, UDP, ICMPv4, or ICMPv6.

Step 7: Enter a port or a range of ports (separate multiple entries with commas), and click Save.

With the objects from 1.1 to 1.5 defined, create the distributed firewall rules as follows:

1. In the top navigation bar, click Networking and then click the Data Center Groups tab.

2. Click the data center group name.

3. Click the Distributed Firewall tab on the left.

4. Click Edit Rules.

5. To add a firewall rule, click New on Top.

NOTE: Each traffic session is checked against the top rule in the firewall table before moving down to the subsequent rules in the table. The first rule in the table that matches the traffic parameters is enforced, so the order of the rules matters.

6. Configure the rule

Name: [Name of rule]

State: [Enable or disable rule by toggle]

Applications: Select default profiles or the custom profiles created in 1.5.

Context: (Optional) Select context profile for the rule.

Source: Select Any, or an object created in 1.1, 1.2, 1.3, or 1.4.

Destination: Select Any, or an object created in 1.1, 1.2, 1.3, or 1.4.

Action: Allow / Reject / Drop

IP Protocol: IPv4, IPv6, or both

Logging: [Enable or disable by toggle] Enable to have the address translation performed by this rule logged.

7. Click Save.

Please do not remove rules whose names start with HIGIO (if any).
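The following is an added illustrative model, not HI GIO's or VMware Cloud Director's code, of how the objects defined in 1.1 to 1.5 combine into a rule table with the first-match semantics described in the NOTE above. It validates IP set entries the way Step 6 of 1.1 requires, builds the dynamic group from the two rules of the 1.4 example (the AND-combination of rules inside one criterion, the implicit default Allow rule at the bottom of the table, and all VM names, tags, addresses and rule names are assumptions constructed for this example), and then shows how moving a Drop rule above an Allow rule changes the verdict for the same session.

```python
# Added example: a small model of a data center group distributed firewall.
# Not HI GIO's or VMware Cloud Director's code; names and sample data are constructed.
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, FrozenSet, Optional, Set, Tuple, Union


@dataclass
class VM:
    name: str
    ip: str
    tags: Set[str] = field(default_factory=set)   # security tags (1.3)


Endpoint = Union[VM, str]            # a VM, or a bare IP string for hosts outside the org
Member = Callable[[Endpoint], bool]  # membership test shared by IP sets and groups


def endpoint_ip(ep: Endpoint):
    return ipaddress.ip_address(ep.ip if isinstance(ep, VM) else ep)


def is_valid_ip_set_entry(entry: str) -> bool:
    """Step 6 of 1.1: an IPv4/IPv6 address or a CIDR range; anything else is rejected."""
    try:
        ipaddress.ip_network(entry, strict=False)
        return True
    except ValueError:
        return False


def ip_set(*entries: str) -> Member:
    """1.1 IP set: one object holding many addresses/ranges (raises ValueError on bad input)."""
    nets = [ipaddress.ip_network(e, strict=False) for e in entries]
    return lambda ep: any(endpoint_ip(ep) in n for n in nets)


def vm_name_starts_with(term: str) -> Member:
    return lambda ep: isinstance(ep, VM) and ep.name.startswith(term)


def vm_tag_equals(term: str) -> Member:
    return lambda ep: isinstance(ep, VM) and term in ep.tags


def dynamic_group(*rules: Member) -> Member:
    """1.4 dynamic group: one to four rules; assumed AND, i.e. a VM is a member only if all hold."""
    if not 1 <= len(rules) <= 4:
        raise ValueError("a criterion holds one to four rules")
    return lambda ep: all(r(ep) for r in rules)


def port_profile(protocol: str, ports: str) -> FrozenSet[Tuple[str, int]]:
    """1.5 application port profile: ('TCP', '22,8080-8082') -> {(TCP,22),(TCP,8080),...}."""
    result = set()
    for item in ports.split(","):
        lo, _, hi = item.strip().partition("-")
        for p in range(int(lo), int(hi or lo) + 1):
            result.add((protocol.upper(), p))
    return frozenset(result)


@dataclass
class Rule:
    name: str
    action: str                                            # Allow / Reject / Drop
    source: Optional[Member] = None                        # None = Any
    destination: Optional[Member] = None                   # None = Any
    applications: Optional[FrozenSet[Tuple[str, int]]] = None  # None = Any
    ip_protocol: str = "both"                              # IPv4 / IPv6 / both
    enabled: bool = True
    logging: bool = False


@dataclass
class Flow:
    src: Endpoint
    dst: Endpoint
    protocol: str
    port: int


def rule_matches(rule: Rule, flow: Flow) -> bool:
    version = "IPv%d" % endpoint_ip(flow.dst).version
    if not rule.enabled or rule.ip_protocol not in ("both", version):
        return False
    if rule.source is not None and not rule.source(flow.src):
        return False
    if rule.destination is not None and not rule.destination(flow.dst):
        return False
    if rule.applications is not None and (flow.protocol.upper(), flow.port) not in rule.applications:
        return False
    return True


def evaluate(table, flow: Flow) -> Tuple[str, str]:
    """First match wins, top to bottom; later rules are never consulted."""
    for rule in table:
        if rule_matches(rule, flow):
            return rule.name, rule.action
    return "default", "Allow"   # assumed implicit default rule at the bottom of the table


# Constructed sample objects and rule table (all names and addresses invented).
CORP = ip_set("192.168.100.0/24")
NONPRD_DEMO = dynamic_group(vm_name_starts_with("demo"), vm_tag_equals("non-prd"))
SSH, POSTGRES = port_profile("TCP", "22"), port_profile("TCP", "5432")
WEB = VM("demo-web-01", "10.10.1.10", {"non-prd"})
DB = VM("demo-db-01", "10.10.2.10", {"non-prd"})
PROD = VM("prod-web-01", "10.10.3.10", {"prd"})
TABLE = [
    Rule("allow-corp-ssh", "Allow", CORP, NONPRD_DEMO, SSH),
    Rule("allow-demo-postgres", "Allow", NONPRD_DEMO, NONPRD_DEMO, POSTGRES),
    Rule("drop-demo-egress", "Drop", NONPRD_DEMO, None, None, logging=True),
]

if __name__ == "__main__":
    for f in (Flow("192.168.100.5", WEB, "TCP", 22), Flow(WEB, DB, "TCP", 5432),
              Flow(WEB, DB, "TCP", 22), Flow(PROD, WEB, "TCP", 443)):
        print(f.protocol, f.port, "->", evaluate(TABLE, f))
    # Moving the Drop rule above the PostgreSQL rule silently breaks web -> db.
    print("reordered:", evaluate([TABLE[2], TABLE[1]], Flow(WEB, DB, "TCP", 5432)))
```

The reordering at the end is the point of the NOTE: the same web-to-database session is allowed by the original table and dropped once the broad Drop rule is placed above the narrower Allow rule, which is why new rules should be placed deliberately rather than always at the top.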