A vFirewall is a set of filtering rules. vFirewalls protect VMs from attacks to improve security and high availability of data center VMs.
A vFirewall uses a connection status-based detection mechanism. A firewall identifies all packets transmitted on a connection between two peers as a traffic flow. For new application connections, the firewall checks its rules, allows the connections permitted by the rules, and generates a status table that contains status information about the connections. Subsequent packets of the connections are permitted as long as they match the status table.
The system supports the following vFirewall types:
Allowlist firewall—Permits traffic that matches its rules and drops other traffic.
Denylist firewall—Drops traffic that matches its rules and permits other traffic.
The system supports rules for TCP, UDP, and ICMP, as well as common application protocols such as DNS, HTTP, HTTPS, IMAP, IMAPS, LDAP, MS SQL, MYSQL, POP3, POP3S, RDP, SMTP, SMTPS, and SSH.
The system provides the following firewall rule types:
Ingress rule—Limits connections initiated from a remote site.
Egress rule—Limits connections initiated by VMs.
For application protocols, the default direction of rules is ingress.
vFirewalls and ACLs are mutually exclusive. If both a vFirewall and an ACL are configured for a VM, the vFirewall takes effect.
By default, a vFirewall permits all DHCP connections. To filter the DHCP packets of VMs, configure ACLs for the VM.
vFirewalls being used by VMs cannot be deleted.
On the top navigation bar, click Services.
From the left navigation pane, select Security > vFirewalls.
Click Add.
Enter a name and a description for the vFirewall.
Select a firewall type.
Click Add, configure the rule, and then click OK.
Click OK.
On the top navigation bar, click Services.
From the left navigation pane, select Security > vFirewalls.
Click Edit in the Actions columns for a vFirewall.
Enter a description for the vFirewall.
Manage the rules of the firewall:
To add a rule, click Add.
To edit a rule, click Edit for a rule.
To delete a rule, click Delete for a rule.
Click OK.
On the top navigation bar, click Services.
From the left navigation pane, select Security > vFirewalls.
Click Delete in the Actions columns for a vFirewall.
In the dialog box that opens, click OK.
vFirewall list
Firewall Type: Select the type of the vFirewall. Options include Allowlist and Denylist. An allowlist firewall permits traffic that matches its rules and drops all the other traffic. A denylist firewall drops traffic that matches its rules and permits all the other traffic.
When you configure an allowlist vFirewall, two default egress rules exist to permit all traffic from the VM to the remote site. If IPv6 is disabled for VMs, only the IPv4 egress rule exists. By default, all traffic from the remote site to the VM is denied. To permit specific traffic from the remote site to the VM, configure ingress rules as needed. To control traffic from the VM to the remote site, delete the two default egress rules and configure egress rules as needed.
When you configure a denylist vFirewall, no default rules exist and all packets are permitted. To deny specific traffic from the remote site to the VM, configure ingress rules as needed. To deny specific traffic from the VM to the remote site, configure egress rules as needed.
Rules
Direction: Select the direction of connections. Ingress indicates connections initiated from a remote site. Egress indicates connections initiated by VMs.
IP Protocol: Select a protocol for which the vFirewall implements traffic control. Any represents all protocols.
Port/Type-Code: Select a TCP or UDP port number, or select an ICMP type code.
Remote CIDR: Enter a remote site IP address. 0.0.0.0/0 represents any IPv4 address. ::/0 represents any IPv6 address.
Rule parameters
Direction: Select the direction of connections. Ingress indicates connections initiated from a remote site. Egress indicates connections initiated by VMs.
Port: Enter semicolon-separated port numbers or port ranges in the format of start port number-end port number, 1;2-3;4 for example. You cannot enter identical port numbers or port ranges, and the port numbers and port ranges must be in ascending order. The system generates a rule for each port number or port range. If the direction is ingress, the port number is the VM port that the remote site visits. If the direction is egress, the port number is the remote site port that VMs visit. This parameter is required if Custom TCP Rule or Custom UDP Rule is selected.
Type: Select an ICMP type. This parameter is required if Custom ICMP Rule is selected.
Code: Select an ICMP code. This parameter is required if Custom ICMP Rule is selected.
IP Protocol: Select a protocol for which the vFirewall implements traffic control. This parameter is required if Other Rules is selected.
IP Type: Select an IP packet type. Options include IPv4 and IPv6.
Remote IP Address: Enter semicolon-separated IPv4 or IPv6 addresses of the remote sites, such as 23.2.2.2;5.5.5.5 and 20:ef::;21:ef::90/64. If you do not enter an IP address, the rule matches any IP address.
Subnet Mask: Enter a subnet mask for an IPv4 remote site address.