Hi everyone,
I am setting up the distributed firewall and I am having problems with an object that defines the internet (public networks).
We have created a P2P network between T0 and our firewall; all traffic not otherwise known (0.0.0.0) is sent to the firewall.
The last DFW rule will be a deny any, but first we will put the any -> internet rule.
But how can we define this internet object?
Has anyone done similar configurations?
An object with all public networks?
Thank you in advance,
Angelo
Hi,
You would define that as a complement of your networks in IPv4 space. Think about a box filled with all IPv4 addresses. Draw a circle around the addresses you have in your intranet. What then remains outside of the circle is the internet.
In a firewall rule, use the negate option. So, place your intranet addresses in the destination field and select "negate selection". Now you have a complement.
Hello Perttu,
Thanks for your reply. Can you send me a screenshot or instructions to configure the use of a "deny option" in DFW?
Hi,
It's not a deny option. It is a negate option. Negate means the same as placing the word "not" before the sentence.
Think about a logical proposition:
- Address x belongs to set Y. (The sentence is true if x belongs to set Y, e.g. address 10.1.2.3 belongs to network 10.0.0.0/8; it is not true for e.g. address 8.8.8.8.)
Now if we negate the sentence above:
- Not (Address x belongs to set Y) = Address x does not belong to set Y. (The sentence is true if x does not belong to set Y, e.g. address 8.8.8.8 does not belong to network 10.0.0.0/8.)
Here is a screenshot from NSX-T manager (Policy mode/DFW/Edit rule destination)
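The negate semantics above and the "object with all public networks" from the original question, as an added example that is not part of the thread and not VMware's code: it assumes the intranet is the three RFC 1918 ranges (swap in your own prefixes) and shows both the negated match and what an explicit "internet" object would have to contain.

```python
# Added example: models a DFW destination "negate" over an intranet set.
# INTRANET is a constructed assumption (RFC 1918); replace with your prefixes.
import ipaddress
from typing import List

INTRANET = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def in_intranet(addr: str, intranet=INTRANET) -> bool:
    """Proposition 'address x belongs to set Y' (x in any intranet prefix)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in intranet)


def matches_internet(addr: str, intranet=INTRANET) -> bool:
    """Negated proposition: NOT (x belongs to intranet) == x is 'internet'."""
    return not in_intranet(addr, intranet)


def internet_prefixes(intranet=INTRANET) -> List[ipaddress.IPv4Network]:
    """Explicit complement of the intranet inside 0.0.0.0/0: the list an
    enumerated 'internet' object would need instead of a negated match."""
    remaining = [ipaddress.ip_network("0.0.0.0/0")]
    for net in intranet:
        nxt = []
        for r in remaining:
            if net.subnet_of(r):
                nxt.extend(r.address_exclude(net))   # carve net out of r
            elif r.subnet_of(net):
                continue                              # r fully covered, drop it
            else:
                nxt.append(r)                         # disjoint, keep as is
        remaining = nxt
    return sorted(remaining)


def evaluate(src: str, dst: str, intranet=INTRANET) -> str:
    """Two-rule policy: 'any -> NOT intranet = allow', then 'deny any'.
    src is unused because the first rule's source is 'any'."""
    if matches_internet(dst, intranet):
        return "allow"
    return "deny"


if __name__ == "__main__":
    for dst in ("8.8.8.8", "10.1.2.3"):
        print(dst, "->", evaluate("10.1.2.3", dst))
    print(len(internet_prefixes()), "prefixes in the enumerated internet object")
```

The enumerated complement of the three RFC 1918 ranges is 31 prefixes, which is why the negate option is the practical choice over maintaining such an object by hand.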
Thanks for sharing.
Thanks for the support, Perttu