VMware Networking Community
YDN66
Enthusiast

On NSX 6.3.x, when should the Control VM firewall on the DLR be used? Does the default any-any DENY rule affect data communication?

We have DFW used to segment application groups?


Accepted Solutions
mauricioamorim
VMware Employee

The DFW runs on every ESXi host. The rules for this firewall are configured in the Firewall section and apply to traffic to the VMs according to the configured rules.

The DLR firewall (NSX Edges -> Logical Router - Firewall) applies only to traffic to and from the DLR Control VM itself. It does not affect VM traffic on ESXi hosts. Usually you don't mess with this, as necessary rules are auto-generated.

There is no hierarchy here, as they are applied to different places.

This article might help you understand: http://www.routetocloud.com/2014/06/nsx-distributed-logical-router/#DLR_Control_VM_Firewall

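To make the distinction in the accepted answer concrete, here is an added example (not from the post, and not VMware's own code or API) that takes a constructed DLR firewall configuration and decides, for a given flow, whether the DFW or the DLR firewall is the one that even sees it. The XML layout (defaultPolicy, firewallRules/firewallRule with ruleType and action) is modelled on the shape of an NSX-v Edge firewall export but is hand-written sample data; the Control VM addresses, rule names and subnets are assumptions for the example only.

```python
"""Which firewall governs a flow: NSX-v DFW or the DLR Control VM firewall?

Added example, not from the forum post or from VMware. The XML below is a
constructed sample whose shape is modelled on an NSX-v Edge firewall config;
it is not exported from a real DLR. Addresses and rule names are assumed.
"""
import xml.etree.ElementTree as ET
from ipaddress import ip_address, ip_network

# Constructed sample: auto-generated rule (ruleType internal_high) plus one
# user rule, with the default policy set to deny, as in the question.
DLR_FIREWALL_XML = """<firewall>
  <defaultPolicy><action>deny</action></defaultPolicy>
  <firewallRules>
    <firewallRule>
      <name>ospf-neighbors</name><ruleType>internal_high</ruleType>
      <enabled>true</enabled><action>accept</action>
      <source><ipAddress>192.168.100.0/24</ipAddress></source>
      <application><service><protocol>ospf</protocol></service></application>
    </firewallRule>
    <firewallRule>
      <name>mgmt-ssh</name><ruleType>user</ruleType>
      <enabled>true</enabled><action>accept</action>
      <source><ipAddress>10.10.0.0/24</ipAddress></source>
      <application><service><protocol>tcp</protocol><port>22</port></service></application>
    </firewallRule>
  </firewallRules>
</firewall>"""

# Assumed addresses of the DLR Control VM (management and uplink interfaces).
CONTROL_VM_ADDRESSES = {"10.10.0.5", "192.168.100.2"}


def parse_rules(xml_text):
    """Return (default_action, [rule dicts]) from an Edge-style firewall XML."""
    root = ET.fromstring(xml_text)
    default_action = root.findtext("defaultPolicy/action", "deny")
    rules = []
    for r in root.iter("firewallRule"):
        if r.findtext("enabled", "true") != "true":
            continue
        src = r.findtext("source/ipAddress")  # None means "any"
        rules.append({
            "name": r.findtext("name"),
            "type": r.findtext("ruleType", "user"),
            "action": r.findtext("action"),
            "source": ip_network(src) if src else None,
            "protocol": r.findtext("application/service/protocol"),
            "port": r.findtext("application/service/port"),
        })
    return default_action, rules


def auto_generated(rules):
    """Names of rules the system generated (anything that is not a user rule)."""
    return [r["name"] for r in rules if r["type"] != "user"]


def which_firewall(src, dst):
    """The DLR firewall only sees traffic to/from the Control VM; VM-to-VM is DFW."""
    if src in CONTROL_VM_ADDRESSES or dst in CONTROL_VM_ADDRESSES:
        return "DLR"
    return "DFW"


def evaluate_dlr(src, dst, protocol, port, xml_text=DLR_FIREWALL_XML):
    """Evaluate one flow. Returns (firewall, verdict, matched_rule_name).

    A VM-to-VM flow never reaches the DLR firewall, so its default deny has
    no effect on it; only the DFW policy applies there.
    """
    if which_firewall(src, dst) == "DFW":
        return ("DFW", "not-evaluated", None)
    default_action, rules = parse_rules(xml_text)
    for rule in rules:  # first match wins, as in an ordered rule table
        if rule["source"] and ip_address(src) not in rule["source"]:
            continue
        if rule["protocol"] and rule["protocol"] != protocol:
            continue
        if rule["port"] and rule["port"] != str(port):
            continue
        return ("DLR", rule["action"], rule["name"])
    return ("DLR", default_action, "default_policy")


if __name__ == "__main__":
    _, rules = parse_rules(DLR_FIREWALL_XML)
    print("auto-generated rules:", auto_generated(rules))
    print(evaluate_dlr("10.20.0.11", "10.30.0.12", "tcp", 443))  # VM-to-VM: DFW only
    print(evaluate_dlr("192.168.100.1", "192.168.100.2", "ospf", None))
    print(evaluate_dlr("10.20.0.11", "10.10.0.5", "tcp", 22))  # hits default deny
```

The point the example makes is the one in the answer: a flow between two workload VMs returns "DFW" without the DLR rule table ever being consulted, so the DLR firewall's any-any deny cannot break application traffic; it only decides what may talk to the Control VM itself, where the auto-generated rules (here the ospf-neighbors entry) are what keep routing adjacencies working.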
4 Replies
mauricioamorim
VMware Employee

I am not really sure I understood your question. The control VM has no relationship with DFW. It is used for dynamic routing so DLRs can form a neighbor relationship with the ESG.

If you're asking about the firewall tab that is shown on the DLR, that firewall affects traffic to/from the DLR itself. Rules needed by the system are auto-generated (check settings->configuration in your DLR to see that auto-generate rules is enabled).

YDN66
Enthusiast

Apologies for not making it very clear!!

Are "DLR firewall" and DFW (Distributed Firewall) two different firewalls in terms of function? Do they overlap?

How will the rules behave? Is there a hierarchy?

any to any Allowed to DFW &

any to any Allow (specific to DLR firewall)

YDN66
Enthusiast

Thank you so much! It is really helpful!!
