VMware Networking Community
satuu
Contributor
Contributor
‎03-08-2018 08:42 PM
Jump to solution

Firewall default rule question

question,

If you do not use the following default rule, is it OK to delete it ?

・Default Rule NDP

・Default Rule DHCP

Also, what is the reason why these are registered as default rules ?

0 Kudos
1 Solution

Accepted Solutions
cnrz
Expert
Expert
‎03-12-2018 07:19 PM
Jump to solution

This could be to make initial usability easier, because Ipv6 Arp ndp and Dhcp are two fundamental protocols that could be needed for the infrastructure to work. If by default disabled, troubleshooting arp and dhcp would be difficult.  If  these protocols are not to be used (no ipv6 and no Vms needing dynamic IP addressing by dhcp)  and observed no problems after disabling, it could be ok to delete and reconfigure if needed later. The first versions of NSX, the default permit rule was default deny rule, which is zero trust allowing only the traffic needed by the Application and denying any other traffic, which is again could be last step to make the this rule deny after sandboxing each application SGs.  Even  if the Application dependencies are known very good before starting the implementation of dFW rules, starting with default deny rule for a production environment is exceptional and not recommended, although last step is always to make this rule deny as it allows traffic not denied explicitly.

Again during installation, there is no need for firewall rules for NSX Management and control plane components such as NSX Manager, Controller VMs, by default they are allowed although in theory since they have their own vNICs, dFW could be configured. vCenter is recommended to be exluded from the firewall rules by adding to the exclusion list

View solution in original post

0 Kudos
3 Replies
cnrz
Expert
Expert
‎03-09-2018 06:39 AM
Jump to solution

NDP for IPv6 is similar to Arp in IPv4, and Dhcp is for VMs that could require dynamic IP addreesses. If not needed, these rules could not be used or disabled and observed for some duration

Default L2 or L3 rules could be edited but cannot be deleted:

Edit the Default Distributed Firewall Rule

traffic that does not match any of the user-defined firewall rules.

About this task

The default firewall rules apply to traffic that does not match any of the user-defined firewall rules. The default Layer 3 rule is under the General tab and the default Layer 2 rule is under the Ethernet tab.

The default firewall rules allow all L3 and L2 traffic to pass through all prepared clusters in your infrastructure. The default rule is always at the bottom of the rules table and cannot be deleted. However, you can change the Actionelement of the rule from Allow to Drop or Reject (not recommended), and indicate whether traffic for that rule should be logged.

The default Layer 3 firewall rule applies to all traffic, including DHCP. If you change the Action to Drop or Reject, DHCP traffic will be blocked. You will need to create a rule to allow DHCP traffic.

0 Kudos
satuu
Contributor
Contributor
‎03-11-2018 09:26 PM
Jump to solution

Thank you for your reply,

I know that the "default rule" can not be deleted.

But, "Default Rule NDP" and "Default Rule DHCP" can be deleted.

Why are these registered as Default Rules ?

0 Kudos
cnrz
Expert
Expert
‎03-12-2018 07:19 PM
Jump to solution

This could be to make initial usability easier, because Ipv6 Arp ndp and Dhcp are two fundamental protocols that could be needed for the infrastructure to work. If by default disabled, troubleshooting arp and dhcp would be difficult.  If  these protocols are not to be used (no ipv6 and no Vms needing dynamic IP addressing by dhcp)  and observed no problems after disabling, it could be ok to delete and reconfigure if needed later. The first versions of NSX, the default permit rule was default deny rule, which is zero trust allowing only the traffic needed by the Application and denying any other traffic, which is again could be last step to make the this rule deny after sandboxing each application SGs.  Even  if the Application dependencies are known very good before starting the implementation of dFW rules, starting with default deny rule for a production environment is exceptional and not recommended, although last step is always to make this rule deny as it allows traffic not denied explicitly.

Again during installation, there is no need for firewall rules for NSX Management and control plane components such as NSX Manager, Controller VMs, by default they are allowed although in theory since they have their own vNICs, dFW could be configured. vCenter is recommended to be exluded from the firewall rules by adding to the exclusion list

0 Kudos