VMware Networking Community
techzenit
Contributor

NSXT | Internet Object

Hi everyone,
I am setting up the distributed firewall and I am having problems with an object that defines the internet (public networks).

We have created a P2P network between T0 and our firewall, all traffic not known with 0.0.0.0 is sent to the firewall.

The last DFW rule will be a deny any, but before it we will put the any -> internet rule.

But how can we define this internet object?
Has anyone done similar configurations?
An object with all public networks?

thank you in advance

Angelo

5 Replies
Perttu
Enthusiast

Hi, 

You would define that as a complement of your networks in IPv4 space. Think about a box filled with all IPv4 addresses. Draw a circle around the addresses you have in your intranet. What then remains outside of the circle is the internet.

In a firewall rule use the negation option. So, place your intranet addresses in the destination field and select negate selection. Now you have the complement.

techzenit
Contributor

Hello Perttu,
thanks for your reply. Can you send me a screenshot or instructions to configure the use of a "deny option" in DFW?

Perttu
Enthusiast

Hi,

It's not a deny option. It is a negate option. Negate means the same as placing the word "not" before the sentence.

Think about a logical proposition:
- Address x belongs to set Y. (The sentence is true if x belongs to set Y; for example, address 10.1.2.3 belongs to network 10.0.0.0/8. It is not true for e.g. address 8.8.8.8.)

Now if we negate the sentence above:
- Not (Address x belongs to set Y) = Address x does not belong to set Y. (The sentence is true if x does not belong to set Y; for example, address 8.8.8.8 does not belong to network 10.0.0.0/8.)

Here is a screenshot from NSX-T manager (Policy mode/DFW/Edit rule destination)

[Screenshot: Negate-selection.png]
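
The complement idea from Perttu's two replies (the "internet" is whatever is left of IPv4 space once the intranet prefixes are cut out, and a negated destination is just "not in this set") can be checked offline before touching the DFW. The following is an added example, not code from the thread or from NSX-T: it computes the explicit complement of a list of intranet CIDRs and then evaluates a small ordered rule list of the shape the original post describes (any -> NOT intranet: allow, then default deny). The intranet ranges and the rule names are constructed sample values.

```python
import ipaddress
from typing import Iterable, List

IPv4Net = ipaddress.IPv4Network


def internet_ranges(intranet_cidrs: Iterable[str]) -> List[IPv4Net]:
    """Return the IPv4 prefixes left after removing intranet_cidrs from 0.0.0.0/0.

    This is the explicit form of the complement: start from the whole IPv4
    space and carve each intranet prefix out of it.
    """
    remaining: List[IPv4Net] = [ipaddress.ip_network("0.0.0.0/0")]
    for cidr in intranet_cidrs:
        excluded = ipaddress.ip_network(cidr, strict=False)
        kept: List[IPv4Net] = []
        for net in remaining:
            if excluded.subnet_of(net):
                # Carve the intranet prefix out of this block
                # (address_exclude yields nothing when the two are equal).
                kept.extend(net.address_exclude(excluded))
            elif net.subnet_of(excluded):
                # This block lies entirely inside the intranet: drop it.
                continue
            else:
                kept.append(net)
        remaining = kept
    # Merge adjacent leftovers and return them in address order.
    return sorted(ipaddress.collapse_addresses(remaining))


def destination_matches(dst_ip: str, destination_cidrs: Iterable[str], negate: bool) -> bool:
    """Evaluate a rule's destination field, with the negate-selection toggle.

    Without negation the rule matches when dst_ip is inside one of the CIDRs;
    with negation it matches when dst_ip is inside none of them.
    """
    dst = ipaddress.ip_address(dst_ip)
    in_set = any(dst in ipaddress.ip_network(c, strict=False) for c in destination_cidrs)
    return (not in_set) if negate else in_set


# Constructed sample intranet; replace with your own prefixes.
INTRANET = ["10.0.0.0/8", "192.168.0.0/16"]

# Ordered rule list modelled on the original post: any -> internet (allow),
# followed by a final deny any. Rule names are hypothetical.
RULES = [
    {"name": "any-to-internet", "destination": INTRANET, "negate_destination": True, "action": "allow"},
    {"name": "default-deny", "destination": ["0.0.0.0/0"], "negate_destination": False, "action": "deny"},
]


def first_match(dst_ip: str, rules=RULES) -> str:
    """Return 'rule-name:action' of the first rule whose destination matches."""
    for rule in rules:
        if destination_matches(dst_ip, rule["destination"], rule["negate_destination"]):
            return f'{rule["name"]}:{rule["action"]}'
    return "no-match"


if __name__ == "__main__":
    print("Explicit 'internet' prefixes for", INTRANET)
    for net in internet_ranges(INTRANET):
        print("  ", net)
    for ip in ("8.8.8.8", "10.1.2.3", "192.168.5.5"):
        print(ip, "->", first_match(ip))
```

Two things the explicit list makes visible: for a single 10.0.0.0/8 intranet the complement is eight prefixes (0.0.0.0/5 up to 128.0.0.0/1), which is why the negate toggle is far more convenient than maintaining the list by hand; and the negated set contains every address you did not list, including any RFC 1918 or transit prefix you forgot, so the intranet group used in the negated rule must be complete for the "any -> internet" allow to mean only the internet.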

anilspp
Enthusiast

Thanks for sharing.

techzenit
Contributor

Thanks for the support, Perttu
