VMware Networking Community
Nane76
Contributor

NSX-T Simplified UI (Policy API) Distributed Firewall Category - purpose?

NSX-T 2.5.0

DFW = NSX-T Distributed Firewall in Simplified UI

The DFW rulebase (rules) is partitioned into Categories (Ethernet, Emergency, Infrastructure, Environment, Application).

Why is that?

What is the purpose?

What is the advantage or usage?

It looks like the separation is only cosmetic folders, and actually it is still a linear rulebase read from top to bottom (categories left to right).

As can be seen in the Advanced UI FW resultant rulebase.

Is there any real technical purpose for which the categories have been defined?

Or vice versa, is there any problem, limitation or processing change when you move rules from Infrastructure and Environment to the bottom of the Emergency category?

Note: why I am looking into this! First, I would like to know the technical background, and second because of the following issue: PKS Kubernetes Network Policy and NSX-T Firewall rules sequence problem


Accepted Solutions
mauricioamorim
VMware Employee

Configuring the DFW involves planning and designing for use while considering best practices. With this in mind, VMware came up with a Security Rule Model that helps achieve an optimal micro-segmentation strategy that includes the mentioned categories. This was made to help customers organize their rules in sections so they have an optimized use of the DFW. In the end, rules are just sequential, but a good strategy makes better use of the DFW.

This is documented in the Reference Design Guide, available in VMware® NSX-T Reference Design, section 5.4.

2 Replies
Nane76
Contributor

OK.

So I understand the following results:

  • From the technical perspective of rulebase processing, the categories are only cosmetic folders.
  • When you place all Infrastructure and Environment rules in the Emergency category, the processing of the rulebase should technically still be the same.

The strategy is clear, right, usable, logical, etc. I use this model as well. And the guide really can help.

Thank you.

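To make the point of the accepted answer ("rules are just sequential") and the follow-up summary concrete, here is an added Python model that is not from this thread or from NSX-T itself: it flattens categorised rules into the resultant linear rulebase in NSX-T 2.5 category order and evaluates first match. Rule names, addresses and ports are constructed sample values; the model shows that moving the Infrastructure and Environment rules to the bottom of Emergency, in their original relative order, yields the same resultant rulebase and the same verdicts.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import List, Optional

# NSX-T 2.5 Policy DFW categories, left to right as the Simplified UI shows them.
CATEGORY_ORDER = ["Ethernet", "Emergency", "Infrastructure", "Environment", "Application"]

@dataclass(frozen=True)
class Rule:
    name: str
    category: str
    src: str              # source CIDR (constructed sample values below)
    dst: str              # destination CIDR
    dport: Optional[int]  # None means any destination port
    action: str           # "ALLOW" or "DROP"

def flatten(rules: List[Rule]) -> List[Rule]:
    """Resultant linear rulebase: categories concatenated in UI order,
    rule order inside each category preserved (sorted() is stable)."""
    return sorted(rules, key=lambda r: CATEGORY_ORDER.index(r.category))

def evaluate(rules: List[Rule], src: str, dst: str, dport: int, default="DROP"):
    """First match wins over the flattened list; the default rule applies last."""
    for r in flatten(rules):
        if (ip_address(src) in ip_network(r.src)
                and ip_address(dst) in ip_network(r.dst)
                and (r.dport is None or r.dport == dport)):
            return r.action, r.name
    return default, "default"

# Layout A: rules placed in the categories the Security Rule Model suggests.
LAYOUT_A = [
    Rule("quarantine-host", "Emergency", "10.0.1.50/32", "0.0.0.0/0", None, "DROP"),
    Rule("allow-dns", "Infrastructure", "10.0.0.0/16", "10.0.0.53/32", 53, "ALLOW"),
    Rule("prod-to-dev-block", "Environment", "10.0.0.0/24", "10.0.1.0/24", None, "DROP"),
    Rule("web-to-app", "Application", "10.0.1.0/24", "10.0.2.0/24", 8443, "ALLOW"),
]

def move_to_emergency(rules: List[Rule]) -> List[Rule]:
    """Layout B from the question: Infrastructure and Environment rules appended
    to the bottom of Emergency, keeping their relative order."""
    kept = [r for r in rules if r.category not in ("Infrastructure", "Environment")]
    moved = [replace(r, category="Emergency") for r in flatten(rules)
             if r.category in ("Infrastructure", "Environment")]
    return kept + moved
def same_resultant_rulebase(a: List[Rule], b: List[Rule]) -> bool:
    """True when both layouts flatten to the same ordered list of rules."""
    return [r.name for r in flatten(a)] == [r.name for r in flatten(b)]
LAYOUT_B = move_to_emergency(LAYOUT_A)
```

The quarantine rule still wins over the DNS allow in both layouts because Emergency precedes Infrastructure in the flattened order; only the position of a rule in that order matters, not which folder it sits in.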