Rbv1
Contributor

NSX-T DFW allow all northbound traffic

Hello,

We are designing an NSX-T firewall environment and would like to implement zero trust / microsegmentation. Because we use physical perimeter firewalls, we allow all traffic through the NSX-T gateway firewalls. But when we enable microsegmentation on the DFW, no northbound traffic is allowed anymore. Could someone please point out to us how to allow all northbound traffic for the DFW? Thanks in advance!

2 Replies
RaymundoEC
VMware Employee

N-S traffic is the one that will enter through the Edges. In terms of rules, you need to verify if you are using a deny for all other traffic; this depends on your approach. To make it simple, VM1 -> VM2 will have a rule of deny/allow traffic on the DFW, but if this VM1 needs to reach something outside the overlay (if this is the case) or the vSphere environment (the scope of the DFW), then you will have a DFW rule as well. Also check that the Edges do not have any FW active.

My 2 cents.

+vRay
CyberNils
Hot Shot

Not sure if this is the smartest approach, but perhaps you could create a Group containing all your local IP ranges, then create a Rule to allow traffic to this Group and choose Negate Selections? This means that it allows traffic to any IP except for your local ones, which you already have created Allow rules for. Note that I have not tested this in production, so use at your own risk.



Nils Kristiansen
https://cybernils.net/
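The group-plus-negated-rule idea above, modelled as an added example (not code from the thread or from VMware): it builds the NSX-T Policy API bodies for the group and the rule and evaluates a small first-match policy against constructed addresses; the group paths, the app-tier rule and the RFC 1918 ranges are assumptions standing in for "all your local IP ranges".

```python
"""Added example: model the 'Negate Selections' northbound allow rule locally."""
import ipaddress

# Constructed sample data: RFC 1918 ranges stand in for the local IP ranges.
LOCAL_GROUP = "/infra/domains/default/groups/local-ip-ranges"  # assumed path
APP_GROUP = "/infra/domains/default/groups/app-tier"            # assumed path
GROUPS = {
    LOCAL_GROUP: ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
    APP_GROUP: ["10.10.0.0/16"],
}


def group_body(members):
    """Policy API body for the group (PATCH .../infra/domains/default/groups/<id>)."""
    return {"expression": [{"resource_type": "IPAddressExpression",
                            "ip_addresses": list(members)}]}


def rule(name, dst_group, action, negate=False):
    """One DFW rule as the Policy API expresses it; negate = 'Negate Selections'."""
    return {"resource_type": "Rule", "display_name": name,
            "source_groups": ["ANY"], "destination_groups": [dst_group],
            "destinations_excluded": negate, "services": ["ANY"],
            "scope": ["ANY"], "direction": "IN_OUT", "action": action}


# Constructed policy: the specific east-west allow first, then the negated
# northbound allow, then the default deny that microsegmentation relies on.
POLICY = [
    rule("allow-to-app-tier", APP_GROUP, "ALLOW"),
    rule("allow-northbound", LOCAL_GROUP, "ALLOW", negate=True),
]
DEFAULT_ACTION = "DROP"


def rule_matches(r, dst_ip):
    """Destination check: in the group normally, NOT in the group when negated."""
    ip = ipaddress.ip_address(dst_ip)
    members = GROUPS[r["destination_groups"][0]]
    in_group = any(ip in ipaddress.ip_network(n) for n in members)
    return in_group != r["destinations_excluded"]


def decide(dst_ip, policy=POLICY):
    """First-match evaluation, as the DFW walks rules top to bottom."""
    for r in policy:
        if rule_matches(r, dst_ip):
            return r["action"]
    return DEFAULT_ACTION


if __name__ == "__main__":
    for ip in ("8.8.8.8", "10.10.5.5", "10.99.0.1"):
        print(ip, decide(ip))  # 8.8.8.8 ALLOW, 10.10.5.5 ALLOW, 10.99.0.1 DROP
```

Keep the negated rule below the specific east-west rules and above the default deny. Because it excludes only the ranges listed in the group, any local range missing from the group becomes reachable through this rule, so the group contents are what keep internal traffic under microsegmentation.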