VMware Networking Community
kwg66
Hot Shot

Looking for some configuration expertise for NSX DFW firewall rules

Is it possible in NSX DFW to leave everything open to an object, but only lock down access to a specific port to a specific IP range? All I need to do is lock down client access to vCenter so it restricts access from a specific IP range, nothing else. I don't want to have to open up rules for everything else vCenter does.

Is this possible? And if yes, can you share an example of how this would be done?

Thanks


Accepted Solutions
bayupw
Leadership

Is the vCenter a Virtual Machine?

vCenter (if it is a VM) is normally excluded from DFW so we do not lock ourselves out from the vCenter.

Exclude Virtual Machines from Firewall Protection

VMware recommends that you place the following service virtual machines in the Exclusion List to allow traffic to flow freely.

vCenter Server. It can be moved into a cluster that is protected by Firewall, but it must already exist in the exclusion list to avoid connectivity issues.

However, if you want NSX DFW to protect vCenter you can do that as long as the vSphere cluster hosting the vCenter VM is prepared for NSX.

You would also need to allow any other object to communicate to the vCenter, such as the range of ESXi host management IPs and the range of other management VMs that need access to the vCenter.

See these 2 KBs:

Network ports required to access vCenter Server, ESXi, and ESX hosts (1012382) | VMware KB

Network Port requirements for VMware NSX for vSphere 6.x (2079386) | VMware KB

The steps would be something like below:

1. Create an IP Set for the IP range, for example 192.168.1.0/24.

2. Create an IP Set for the IP range of ESXi host management IPs and other management VMs that need access to the vCenter.

3. (Optional if you are going to use Service Composer) create a Security Group to include the newly created IP Sets: the specific IP range that needs access to vCenter, ESXi hosts, other management VMs.

4. (Optional if you are going to use Service Composer) create a Security Group to include the vCenter VM.

5. Create a rule to Allow from the created IP Sets to vCenter VM on Any Services (or from the IP Sets Security Group to the vCenter Security Group).

6. Create a rule below the rule created in step #5 to Allow from Any to vCenter VM on Any services. Set the rule to Log and monitor it from syslog or Flow Monitoring to see if you missed any IP or object that should be included in the rule created in step #5. Once you are happy, set this rule to Block.

If somehow you created a wrong rule and got yourself locked out from vCenter, follow this KB (vCenter Server access is blocked after creating a Deny All rule in DFW (2079620) | VMware KB) or this blog (NSX for vSphere: recovering from Distributed Firewall vCenter lock-out | Telecom Occasionally) and start again.

If you are using vCenter Server Appliance (vCSA) you can also create this firewall rule from the vCSA and only restrict access from a specific IP range to the vCSA.

VMware vSphere 6.5 Documentation Library-Edit the Firewall Settings of the vCenter Server Appliance

Bayu Wibowo | VCIX6-DCV/NV
Author of VMware NSX Cookbook http://bit.ly/NSXCookbook
https://github.com/bayupw/PowerNSX-Scripts
https://nz.linkedin.com/in/bayupw | twitter @bayupw

7 Replies
kwg66
Hot Shot

@Bayu - thanks for your reply.

Yes, vCenter is a VM, we have 3 total that need protection, and all 3 can be migrated into our NSX cluster.

I realize that I will need to open IP ranges to our hosts, but the problem isn't that, it's all the other tools out there that communicate to these vCenters. It's a lot of stuff, e.g. AD, backup, monitoring and automation, and more.

I was really looking to see if I can simply lock down access to ports 80, 443, and 9443 to a specific IP range and leave everything else open without having to define everything under the sun. Perhaps this is naïve of me to think this can be accomplished, but this is what I'm asking.

If this can't be done, then I will need to identify everything that is communicating with vCenter and open the appropriate ports and IPs. Lots of work.

Let me know what your final thoughts are before I wrap this up.

Thanks

bayupw
Leadership

Would the two rules below work for you?

#1 Create a rule to Allow from the specific IP range to vCenter VM on ports 80, 443, 9443

#2 Create a rule below #1 to Block from the specific IP range to vCenter VM on any Services

Bayu Wibowo | VCIX6-DCV/NV
Author of VMware NSX Cookbook http://bit.ly/NSXCookbook
https://github.com/bayupw/PowerNSX-Scripts
https://nz.linkedin.com/in/bayupw | twitter @bayupw
kwg66
Hot Shot

@Bayu - so now you are sending me in the right direction. I knew this could be done without having to focus in on every single IP, IP range, and port in use for everything out there on the wire that needs access to vCenter. If this were a PCI lockdown I would want this, but at this time all I need to do is lock down client access.

Now that you've jarred my brain I see that it's about the hierarchy. Can the top level rule be a 'wide open' rule, then underneath simply create a rule that locks down access to the specific ports 80, 443, 9443 (and 903 too) from the specific IP range?

1) Rule 1, allow access to all from any

2) Rule 2, allow access to 80, 443, 9443, 903 from IP range X

Would rule #2 work to override rule #1 and keep the client access restricted to IP range X, while still allowing all other access to services as normal?

kwg66
Hot Shot

To make a correction, I believe 903 isn't needed for vCenter, but rather just for the host for remote console. The v5.5 and v6 documentation doesn't list the port used by the VI client because VMware expects people to use the web client. Ugly. But I do see in a KB that in older versions the VI client talks to vCenter on 443.

bayupw
Leadership

Hi Ken,

The firewall evaluates rules from top to bottom, and once it hits a rule it won't check any other rule below it.

So the "allow access to all from any" rule needs to be at the bottom so the specific IP range can be blocked.

Something like below:

Rule#1 Allow from the specific IP range to vCenter VM on ports 80, 443, 9443

Rule#2 Block from the specific IP range to vCenter VM on any Services

Rule#3 Allow from Any to All

Bayu Wibowo | VCIX6-DCV/NV
Author of VMware NSX Cookbook http://bit.ly/NSXCookbook
https://github.com/bayupw/PowerNSX-Scripts
https://nz.linkedin.com/in/bayupw | twitter @bayupw
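To show why the order in this reply matters, here is an added example (not from the thread or from VMware) that simulates the DFW's top-to-bottom, first-match evaluation over the three rules above and flags rules that an earlier "Any to All" rule shadows. The vCenter address 10.0.0.10 and the client range 192.168.1.0/24 are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass

ANY = "any"


@dataclass(frozen=True)
class Rule:
    name: str
    src: str          # CIDR string or "any"
    dst: str          # CIDR string or "any"
    ports: frozenset  # TCP ports; an empty set means "any service"
    action: str       # "allow" or "block"


def _in_net(net, addr):
    return net == ANY or ipaddress.ip_address(addr) in ipaddress.ip_network(net)


def _covers(outer, inner):
    """True if every address matched by `inner` is also matched by `outer`."""
    if outer == ANY:
        return True
    return inner != ANY and ipaddress.ip_network(outer).supernet_of(ipaddress.ip_network(inner))


def evaluate(rules, src_ip, dst_ip, port):
    """First-match evaluation: walk the table top to bottom and stop at the
    first rule whose source, destination and service all match."""
    for r in rules:
        if _in_net(r.src, src_ip) and _in_net(r.dst, dst_ip) and (not r.ports or port in r.ports):
            return r.action, r.name
    return "allow", "default"  # assumption: default rule left at Allow, as in Rule#3


def shadowed(rules):
    """Names of rules that can never fire because an earlier rule already
    matches everything they would match (the lock-in kwg66 asked about)."""
    out = []
    for i, r in enumerate(rules):
        for e in rules[:i]:
            if _covers(e.src, r.src) and _covers(e.dst, r.dst) and (not e.ports or (r.ports and r.ports <= e.ports)):
                out.append(r.name)
                break
    return out


VCENTER = "10.0.0.10/32"         # constructed vCenter VM address
CLIENT_RANGE = "192.168.1.0/24"  # range from step 1 of the accepted answer
WEB_PORTS = frozenset({80, 443, 9443})

# Order from bayupw's reply: specific allow, specific block, allow-all last.
WORKING = [
    Rule("Rule#1 allow range web", CLIENT_RANGE, VCENTER, WEB_PORTS, "allow"),
    Rule("Rule#2 block range rest", CLIENT_RANGE, VCENTER, frozenset(), "block"),
    Rule("Rule#3 allow any", ANY, ANY, frozenset(), "allow"),
]
# Order kwg66 first proposed: the wide-open rule on top.
MISORDERED = [WORKING[2], WORKING[0], WORKING[1]]
```

With WORKING, a client in the range reaches 443 via Rule#1 and is blocked on 22 by Rule#2 while other hosts still hit Rule#3; with MISORDERED, shadowed() reports both specific rules as unreachable.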
kwg66
Hot Shot

Thanks, I'm deploying a test vCenter in my lab now so that I can put this to the test, and will follow up on this post later in the day to award the points.
