Create a virtual firewall

  1. On the top navigation bar, click System, and then select Security Management > Virtual Firewalls from the navigation pane.

  2. Click Add. In the dialog box that opens, enter the virtual firewall name and select a virtual firewall type.

Figure-1 Creating a virtual firewall

 

| Parameter | Description |
|---|---|
| Type | Select a virtual firewall type. Options include Whitelist and Blacklist. Packets that match the rules of a whitelist virtual firewall are permitted and other packets are dropped. Packets that match the rules of a blacklist virtual firewall are dropped and other packets are permitted. |

  • When you configure a whitelist virtual firewall, two default egress rules exist to permit all traffic from the VM to the remote site. To permit specific traffic from the remote site to the VM, configure ingress rules as needed. To control traffic from the VM to the remote site, delete the two default egress rules and configure egress rules as needed.

  • When you configure a blacklist virtual firewall, no default rules exist and all packets are permitted. To deny specific traffic from the remote site to the VM, configure ingress rules as needed. To deny specific traffic from the VM to the remote site, configure egress rules as needed.

 

  3. On the page for adding a firewall, click Add Rule. In the dialog box that opens, select a rule type and direction, specify a port, peer IP address and subnet mask, and then click OK.

Figure-2 Adding a rule

 

| Parameter | Description |
|---|---|
| Direction | Specify the direction of connections that the rule applies to. Ingress indicates connections initiated by a remote site. Egress indicates connections initiated by a VM. |
| Start Port/End Port | Specify a port number range. If the direction is ingress, the port number range is the VM ports that the remote site visits. If the direction is egress, the port number range is the remote site ports that VMs visit. This parameter is required if Custom TCP Rule or Custom UDP Rule is selected. |
| Type | Select an ICMP packet type. This parameter is required if Custom ICMP Rule is selected. |
| Code | Select an ICMP code. This parameter is required if Custom ICMP Rule is selected. |
| IP Protocol | Select a protocol for which the virtual firewall implements traffic control. This parameter is required if Other Rule is selected. |
| IP Type | Select an IP packet type. Options include IPv4 and IPv6. This parameter is required if VM IPv6 address management is enabled. |
| Remote IP Address | Enter semicolon-separated IPv4 or IPv6 addresses of remote sites, such as 1.1.1.1;12.3.3.3/16 and 20:ef::;21:ef::90/64. If you do not configure this parameter, the default value (0.0.0.0 for IPv4 and :: for IPv6) is used, and the rule matches all IPv4 or IPv6 addresses. |
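
To check a planned rule set before entering it, the following added example (not part of the product or its documentation) models the whitelist and blacklist semantics and the Remote IP Address format described above. The Rule class, the function names, the "any" protocol value, and the shape of the two default egress rules are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass

def parse_remote(field, ip_type="IPv4"):
    """Parse the semicolon-separated Remote IP Address field into networks."""
    if not field.strip():
        # Unset field: the default (0.0.0.0 or ::) matches every address.
        return [ipaddress.ip_network("0.0.0.0/0" if ip_type == "IPv4" else "::/0")]
    # strict=False accepts entries with host bits set, such as 12.3.3.3/16.
    return [ipaddress.ip_network(p.strip(), strict=False)
            for p in field.split(";") if p.strip()]

@dataclass
class Rule:
    direction: str      # "ingress" (remote site initiates) or "egress" (VM initiates)
    protocol: str       # "tcp", "udp", or "any" (assumed value for the default rules)
    start_port: int
    end_port: int
    remote: str = ""    # raw Remote IP Address field
    ip_type: str = "IPv4"

    def matches(self, direction, protocol, port, remote_ip):
        # port is the VM port for ingress and the remote-site port for egress.
        addr = ipaddress.ip_address(remote_ip)
        return (direction == self.direction
                and self.protocol in ("any", protocol)
                and self.start_port <= port <= self.end_port
                and any(addr.version == n.version and addr in n
                        for n in parse_remote(self.remote, self.ip_type)))

def permitted(fw_type, rules, direction, protocol, port, remote_ip):
    """Whitelist: permit only on a match. Blacklist: drop only on a match."""
    hit = any(r.matches(direction, protocol, port, remote_ip) for r in rules)
    return hit if fw_type == "Whitelist" else not hit

# Assumption: the two default whitelist egress rules, modelled as one
# all-protocol, all-port rule per IP type (the page does not list their fields).
DEFAULT_EGRESS = [Rule("egress", "any", 0, 65535, "", "IPv4"),
                  Rule("egress", "any", 0, 65535, "", "IPv6")]
# Constructed sample policies.
WHITELIST = DEFAULT_EGRESS + [Rule("ingress", "tcp", 22, 22, "1.1.1.1;12.3.3.3/16")]
BLACKLIST = [Rule("ingress", "tcp", 23, 23)]

if __name__ == "__main__":
    print(permitted("Whitelist", WHITELIST, "ingress", "tcp", 22, "12.3.77.9"))
    print(permitted("Whitelist", WHITELIST, "ingress", "tcp", 22, "8.8.8.8"))
```

Passing WHITELIST[2:] instead of WHITELIST models a whitelist firewall after the two default egress rules have been deleted, where VM-initiated traffic is dropped unless an egress rule matches it.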