A virtual firewall is a set of filtering rules. Virtual firewalls protect VMs from attacks to improve the security and reliability of VMs in data centers.
Virtual firewalls use microsegmentation to control communication between VMs. By configuring access control rules, you can specify the VMs that a VM can and cannot access.
A virtual firewall uses a connection-state-based (stateful) inspection mechanism. The firewall treats all packets transmitted on a connection between two peers as one traffic flow. For a new application connection, the firewall checks its rules, allows the connection if the rules permit it, and records the connection in a state table. Subsequent packets of the connection are permitted as long as they match an entry in the state table.
The system supports the following virtual firewall types:
Whitelist firewall—Permits traffic that matches its rules and drops other traffic.
Blacklist firewall—Drops traffic that matches its rules and permits other traffic.
The system supports rules for TCP, UDP, and ICMP, as well as common application protocols such as DNS, HTTP, HTTPS, IMAP, IMAPS, LDAP, MS SQL, MYSQL, POP3, POP3S, RDP, SMTP, SMTPS, and SSH.
The system provides the following firewall rule types:
Ingress rule—Applies to connections initiated by a remote site.
Egress rule—Applies to connections initiated by a VM.
For application protocols, the default direction of rules is ingress.
Virtual firewalls and ACLs are mutually exclusive. If both a virtual firewall and an ACL are configured for a VM, the virtual firewall takes effect.
Virtual firewalls being used by VMs cannot be deleted.
To add a virtual firewall:
On the top navigation bar, click System, and then select Security Management > Virtual Firewalls from the navigation pane.
Click Add.
Configure the virtual firewall parameters as described in "Parameters."
Click OK.
To edit a virtual firewall:
On the top navigation bar, click System, and then select Security Management > Virtual Firewalls from the navigation pane.
Edit the virtual firewall parameters as described in "Parameters."
Click OK.
To delete a virtual firewall:
On the top navigation bar, click System, and then select Security Management > Virtual Firewalls from the navigation pane.
In the dialog box that opens, click OK.
Parameters:
Virtual firewall:
Type: Select a virtual firewall type. Options include Whitelist and Blacklist. Packets that match the rules of a whitelist virtual firewall are permitted and other packets are dropped. Packets that match the rules of a blacklist virtual firewall are dropped and other packets are permitted.
When you configure a whitelist virtual firewall, two default egress rules exist to permit all traffic from the VM to the remote site. To permit specific traffic from the remote site to the VM, configure ingress rules as needed. To control traffic from the VM to the remote site, delete the two default egress rules and configure egress rules as needed.
When you configure a blacklist virtual firewall, no default rules exist and all packets are permitted. To deny specific traffic from the remote site to the VM, configure ingress rules as needed. To deny specific traffic from the VM to the remote site, configure egress rules as needed.
Rule list:
Direction: Direction of connections that the rule applies to. Ingress indicates connections initiated by a remote site. Egress indicates connections initiated by a VM.
IP Protocol: Protocol for which the virtual firewall implements traffic control. Any represents all protocols.
Port/Type-Code: TCP or UDP port number, or ICMP type and code.
Remote CIDR: Remote site IP address. 0.0.0.0/0 represents any IPv4 address. ::/0 represents any IPv6 address.
Add or edit a rule:
Direction: Select the direction of connections that the rule applies to. Ingress indicates connections initiated by a remote site. Egress indicates connections initiated by a VM.
Start Port/End Port: Specify a port number range. If the direction is ingress, the range refers to the VM ports that the remote site accesses. If the direction is egress, the range refers to the remote site ports that the VM accesses. This parameter is required if Custom TCP Rule or Custom UDP Rule is selected.
Type: Select an ICMP type. This parameter is required if Custom ICMP Rule is selected.
Code: Select an ICMP code. This parameter is required if Custom ICMP Rule is selected.
IP Protocol: Select a protocol for which the virtual firewall implements traffic control. This parameter is required if Others is selected.
IP Type: Select an IP packet type. Options include IPv4 and IPv6.
Remote IP Address: Enter the IPv4 or IPv6 address of the remote site. If you do not enter an IP address, the rule matches any IP address.
Subnet Mask: Enter the subnet mask for the IPv4 remote site address.
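The following Python model ties together the behaviour described on this page: whitelist versus blacklist semantics, the two default egress rules of a whitelist firewall, ingress/egress direction, rule matching on protocol, port range, ICMP type/code and remote CIDR (IPv4 or IPv6), and the state table that passes later packets of a permitted connection without re-checking the rules. It is an added illustration, not the product's own code; the class and field names (`Flow`, `Rule`, `VirtualFirewall`, `keep_default_egress`) and all sample addresses are constructed assumptions.

```python
"""Toy model of the virtual firewall semantics described on this page.
Constructed illustration (not the product's code): names are assumptions,
sample addresses come from documentation ranges."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Flow:
    """One connection as the firewall sees it (first packet and all that follow)."""
    direction: str                    # "ingress": initiated by remote site; "egress": by the VM
    protocol: str                     # "tcp", "udp" or "icmp"
    remote_ip: str                    # remote site address, IPv4 or IPv6
    port: Optional[int] = None        # TCP/UDP: VM port for ingress, remote port for egress
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    direction: str                    # "ingress" or "egress"
    protocol: str = "any"             # "any" matches every IP protocol
    remote_cidr: str = "0.0.0.0/0"    # 0.0.0.0/0 = any IPv4 address, ::/0 = any IPv6 address
    start_port: int = 0               # TCP/UDP port range (Start Port / End Port)
    end_port: int = 65535
    icmp_type: Optional[int] = None   # None = any ICMP type / code
    icmp_code: Optional[int] = None

    def matches(self, flow: Flow) -> bool:
        if self.direction != flow.direction:
            return False
        if self.protocol not in ("any", flow.protocol):
            return False
        net = ipaddress.ip_network(self.remote_cidr, strict=False)
        remote = ipaddress.ip_address(flow.remote_ip)
        if remote.version != net.version or remote not in net:
            return False                      # an IPv4 rule never matches an IPv6 peer
        if self.protocol == "any":
            return True                       # "Any" ignores ports and ICMP type/code
        if flow.protocol in ("tcp", "udp"):
            return flow.port is not None and self.start_port <= flow.port <= self.end_port
        if flow.protocol == "icmp":
            type_ok = self.icmp_type is None or self.icmp_type == flow.icmp_type
            code_ok = self.icmp_code is None or self.icmp_code == flow.icmp_code
            return type_ok and code_ok
        return True


class VirtualFirewall:
    # A whitelist firewall starts with two default egress rules that permit all
    # traffic from the VM to any remote site (assumed here: one IPv4, one IPv6).
    DEFAULT_EGRESS = (Rule("egress", "any", "0.0.0.0/0"), Rule("egress", "any", "::/0"))

    def __init__(self, mode: str, rules, keep_default_egress: bool = True):
        assert mode in ("whitelist", "blacklist")
        self.mode = mode
        self.rules = list(rules)
        if mode == "whitelist" and keep_default_egress:
            self.rules.extend(self.DEFAULT_EGRESS)   # blacklist mode has no default rules
        self.state_table: set = set()

    def process(self, flow: Flow) -> str:
        """Decide one packet of `flow`: 'permit-new', 'permit-established' or 'drop'."""
        if flow in self.state_table:
            return "permit-established"      # later packets of an already-permitted connection
        matched = any(rule.matches(flow) for rule in self.rules)
        permitted = matched if self.mode == "whitelist" else not matched
        if permitted:
            self.state_table.add(flow)       # record the new connection in the state table
        return "permit-new" if permitted else "drop"


def demo() -> dict:
    """Run constructed scenarios and return every decision keyed by scenario name."""
    # Whitelist: only SSH from the 10.0.0.0/8 management range may reach the VM.
    wl = VirtualFirewall("whitelist", [Rule("ingress", "tcp", "10.0.0.0/8", 22, 22)])
    ssh = Flow("ingress", "tcp", "10.1.2.3", port=22)
    results = {
        "wl_ssh_first": wl.process(ssh),
        "wl_ssh_next": wl.process(ssh),
        "wl_http": wl.process(Flow("ingress", "tcp", "10.1.2.3", port=80)),
        "wl_ssh_outside_cidr": wl.process(Flow("ingress", "tcp", "192.0.2.9", port=22)),
        "wl_egress_v4": wl.process(Flow("egress", "tcp", "198.51.100.7", port=443)),
        "wl_egress_v6": wl.process(Flow("egress", "udp", "2001:db8::53", port=53)),
    }
    # Same whitelist with the default egress rules deleted: VM-initiated traffic now drops.
    locked = VirtualFirewall("whitelist", [], keep_default_egress=False)
    results["locked_egress"] = locked.process(Flow("egress", "tcp", "198.51.100.7", port=443))
    # Blacklist: drop inbound ICMP echo requests (type 8, code 0) from anywhere, permit the rest.
    bl = VirtualFirewall("blacklist", [Rule("ingress", "icmp", "0.0.0.0/0", icmp_type=8, icmp_code=0)])
    results["bl_ping"] = bl.process(Flow("ingress", "icmp", "203.0.113.4", icmp_type=8, icmp_code=0))
    results["bl_ssh"] = bl.process(Flow("ingress", "tcp", "203.0.113.4", port=22))
    return results


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:22s} {decision}")
```

The model keys the state table on the whole flow, so the second SSH packet is passed as `permit-established` without touching the rules, while a second connection to a different port is evaluated afresh and dropped. Deleting the default egress rules turns the whitelist into deny-all in the egress direction, which is the step the page describes for controlling VM-initiated traffic.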