Using Distributed Firewall in a Data Center Group
HI GIO supports a distributed firewall service for data center groups. You create a single default security policy applied to the data center group.
It can inspect every packet and frame coming to and leaving the VM regardless of the network topology. Packet inspection is done at the VM virtual NIC (vNIC) level, which enables access-control lists (ACLs) to be applied closest to the source.
To create distributed firewall rules and add them to a data center group, you first define the objects a rule refers to:
Name: Name for the rule.
Source: IP Sets / Dynamic Groups / Static Groups (see 1.1, 1.2, 1.3, 1.4)
Destination: IP Sets / Dynamic Groups / Static Groups (see 1.1, 1.2, 1.3, 1.4)
Application: Select the application port profiles (protocol and ports) the rule applies to (see 1.5)
Action: Allow / Reject / Drop
IP Protocol: IPv4, IPv6, or both
Add an IP Set to the Data Center Group:
IP sets are groups of IP addresses and networks to which the distributed firewall rules apply (as Source and Destination). Combining multiple objects into IP sets helps you reduce the total number of distributed firewall rules to be created.
Step 1: In the top navigation bar, click Networking and then click the Data Center Groups tab.
Step 2: Click the data center group name.
Step 3: Under Security, click IP Sets.
Step 4: Click New.
Step 5: Enter a meaningful Name and a Description for the IP set.
Step 6: Enter an IPv4 address, an IPv6 address, or an address range in CIDR format, and click Add.
Step 7: To modify an existing IP address or range, click Modify and edit the value.
Step 8: To confirm, click Save.
Create a Static Security Group:
Static security groups are data center group networks to which distributed firewall rules apply (as Source and Destination). Grouping networks helps you reduce the total number of distributed firewall rules that need to be created.
Step 1: In the top navigation bar, click Networking and then click the Data Center Groups tab.
Step 2: Click the data center group name.
Step 3: Under Security, click Static Groups.
Step 4: Click New.
Step 5: Enter a Name, a Description for the static group, and click Save.
The static security group will appear in the list.
Step 6: Select the newly created static security group and click Manage Members.
Step 7: Select the data center group networks that you want to add to the static security group, and click Save.
Assign Security Tags to VM:
Security tags you create and assign to virtual machines help you define edge gateway and distributed firewall rules.
Step 1: In the top navigation bar, click Networking.
Step 2: Click Security Tags.
Step 3: Click Add Tag.
Step 4: Enter a tag name.
Step 5: From the list of virtual machines in the organization, select the ones to which you want to assign the newly created tag.
Step 6: Click Save.
Create a Dynamic Security Group:
You can define dynamic security groups of virtual machines based on specific criteria (VM Name or Tag Name) to which to apply distributed firewall rules.
Step 1: In the top navigation bar, click Networking and then click the Data Center Groups tab.
Step 2: Click the data center group name.
Step 3: Under Security, click Dynamic Groups.
Step 4: Click New.
Step 5: Enter a Name and a Description for the dynamic security group.
Step 6: To create a Criterion for inclusion in the group, add up to four rules that apply to a VM Name or a VM security tag.
VM Name: a rule that applies to VM names containing or starting with a term you specify.
VM tag: a rule that applies to VM tags that equal, contain, start with, or end with a term you specify.
As shown in the figure, I created two rules:
VM Name: Starts With “demo”
VM Tag: Equals “non-prd” (the tag you created in 1.3)
Step 7: Click Save.
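The following Python is an added example, not HI GIO code: it evaluates dynamic security group criteria of the kind described in this section (VM Name rules with Contains / Starts With, VM Tag rules with Equals / Contains / Starts With / Ends With, at most four rules per criterion) against a constructed VM inventory, using the two rules from the walkthrough above. Two points are assumptions rather than statements from the page: all rules in a criterion must hold for a VM to be a member (AND), and comparisons are exact, case-sensitive string matches.

```python
from dataclasses import dataclass, field

# Added example, not HI GIO code: evaluates dynamic security group criteria
# (VM Name / VM Tag rules) against a constructed VM inventory.
# Assumptions: all rules in a criterion must hold for a VM to be a member
# (AND), and comparisons are exact, case-sensitive string matches.

MAX_RULES_PER_CRITERION = 4  # limit stated in Step 6

NAME_OPERATORS = {"Contains", "Starts With"}
TAG_OPERATORS = {"Equals", "Contains", "Starts With", "Ends With"}


@dataclass
class VM:
    name: str
    tags: set = field(default_factory=set)


@dataclass(frozen=True)
class Rule:
    attribute: str   # "VM Name" or "VM Tag"
    operator: str    # one of the operators valid for the attribute
    value: str


def validate_criterion(rules):
    """Reject criteria the UI would not accept: too many rules, or an
    operator that is not offered for the chosen attribute."""
    if not 1 <= len(rules) <= MAX_RULES_PER_CRITERION:
        raise ValueError(f"a criterion takes 1-{MAX_RULES_PER_CRITERION} rules")
    for rule in rules:
        allowed = {"VM Name": NAME_OPERATORS, "VM Tag": TAG_OPERATORS}.get(rule.attribute)
        if allowed is None or rule.operator not in allowed:
            raise ValueError(f"invalid rule: {rule}")


def _compare(operator, candidate, value):
    if operator == "Equals":
        return candidate == value
    if operator == "Contains":
        return value in candidate
    if operator == "Starts With":
        return candidate.startswith(value)
    if operator == "Ends With":
        return candidate.endswith(value)
    raise ValueError(f"unknown operator: {operator}")


def rule_matches(rule, vm):
    if rule.attribute == "VM Name":
        return _compare(rule.operator, vm.name, rule.value)
    # VM Tag: the rule holds if any tag assigned to the VM satisfies it
    return any(_compare(rule.operator, tag, rule.value) for tag in vm.tags)


def vm_in_group(criterion, vm):
    validate_criterion(criterion)
    return all(rule_matches(rule, vm) for rule in criterion)


def group_members(criterion, vms):
    """Names of the VMs the dynamic group would currently contain."""
    return [vm.name for vm in vms if vm_in_group(criterion, vm)]


# Constructed inventory and the two rules from the walkthrough above.
SAMPLE_VMS = [
    VM("demo-web-01", {"non-prd"}),
    VM("demo-db-01", {"prd"}),              # name matches, tag does not
    VM("prod-web-01", {"non-prd"}),         # tag matches, name does not
    VM("demo-app-02", {"non-prd", "web"}),
    VM("demo-tmp-03"),                      # no tags at all
]
DEMO_CRITERION = (
    Rule("VM Name", "Starts With", "demo"),
    Rule("VM Tag", "Equals", "non-prd"),
)

if __name__ == "__main__":
    print(group_members(DEMO_CRITERION, SAMPLE_VMS))
```

Because membership is recomputed from VM names and tags, renaming a VM or removing its tag silently moves it out of the group and out of every rule that references the group; a periodic comparison of `group_members` output against the expected inventory is a cheap way to catch that drift.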
Add a Custom Application Port Profile:
You can use preconfigured and custom application port profiles to create distributed firewall rules.
Application port profiles include a combination of a protocol and a port or a group of ports, used for firewall services.
Step 1: In the top navigation bar, click Networking and then click the Data Center Groups tab.
Step 2: Click the data center group name.
Step 3: Under Security, click Application Port Profiles.
Step 4: In the Custom Applications pane, click New.
Step 5: Enter a Name and a Description for the application port profile.
Step 6: From the Protocol drop-down menu, select the protocol: TCP, UDP, ICMPv4, or ICMPv6.
Step 7: Enter one or more ports or port ranges, separated by commas, and click Save.