A vFirewall is a set of filtering rules that protects VMs from attacks, improving the security and availability of data center VMs.
A vFirewall uses a connection-state-based (stateful) detection mechanism. The firewall identifies all packets transmitted on a connection between two peers as one traffic flow. For a new connection, the firewall checks its rules, permits the connection if the rules allow it, and records the connection in a status table. Subsequent packets of that connection are permitted as long as they match an entry in the status table, without being checked against the rules again.
The system supports the following vFirewall types:
Allowlist firewall—Permits traffic that matches its rules and drops other traffic.
Denylist firewall—Drops traffic that matches its rules and permits other traffic.
The system supports rules for TCP, UDP, and ICMP, as well as common application protocols such as DNS, HTTP, HTTPS, IMAP, IMAPS, LDAP, MS SQL, MYSQL, POP3, POP3S, RDP, SMTP, SMTPS, and SSH.
The system provides the following firewall rule types:
Ingress rule—Limits connections initiated from a remote site.
Egress rule—Limits connections initiated by VMs.
For application protocols, the default direction of rules is ingress.
vFirewalls and ACLs are mutually exclusive. If both a vFirewall and an ACL are configured for a VM, the vFirewall takes effect.
By default, a vFirewall permits all DHCP connections. To filter the DHCP packets of VMs, configure ACLs for the VM.
vFirewalls being used by VMs cannot be deleted.
On the top navigation bar, click Services.
From the left navigation pane, select Security > vFirewalls.
Click Add.
Enter a name and a description for the vFirewall.
Select a firewall type.
Click Add Rule.
To add a rule and return to the Add Virtual Firewall dialog box, configure the rule, and then click OK. To add rules in bulk, configure each rule, click Append, and then click OK after you add all desired rules.
Click OK.
You can import a vFirewall from a vFirewall configuration file that was exported from the system, for example if you mistakenly deleted the original vFirewall or want to quickly create a vFirewall. You can import the vFirewall to the cloud management platform that exported the configuration file or to another cloud management platform. After you import a vFirewall, you can edit or delete its rules. The name of the vFirewall must be unique on the local cloud management platform.
On the top navigation bar, click Services.
From the left navigation pane, select Security > vFirewalls.
Click Import, and select a JSON file that contains vFirewall settings. To obtain such a JSON file, use the vFirewall export function.
Enter a name and a description for the vFirewall.
Select a firewall type.
Click Add Rule.
To add a rule and return to the Import Virtual Firewall dialog box, configure the rule, and then click OK. To add rules in bulk, configure each rule, click Append, and then click OK after you add all desired rules.
Click OK.
On the top navigation bar, click Services.
From the left navigation pane, select Security > vFirewalls.
Click Edit in the Actions column for a vFirewall.
Enter a description for the vFirewall.
Manage the rules of the firewall:
To add a rule, click Add.
To edit a rule, click Edit for a rule.
To delete a rule, click Delete for a rule.
Click OK.
On the top navigation bar, click Services.
From the left navigation pane, select Security > vFirewalls.
Click Delete in the Actions column for a vFirewall.
In the dialog box that opens, click OK.
You can export a vFirewall to a JSON file for backup or to synchronize the vFirewall to another cloud management platform. You can import the JSON file to the cloud management platform that exported it or to another cloud management platform.
On the top navigation bar, click Services.
From the left navigation pane, select Security > vFirewalls.
Click Export in the Actions column for a vFirewall.
Click OK to confirm the export operation.
Select a storage path for the JSON file, and then click Save.
On the top navigation bar, click Services.
From the left navigation pane, select Security > vFirewalls.
Click Attach VMs in the Actions column for a vFirewall.
Select VMs, and then click OK.
On the top navigation bar, click Services.
From the left navigation pane, select Security > vFirewalls.
Click Detach VMs in the Actions column for a vFirewall.
Select VMs, and then click OK.
Perform this task to create a vFirewall based on an existing one. The new vFirewall must use a unique name on the management platform. You can edit or delete rules for the new vFirewall, but you cannot change its firewall type.
On the top navigation bar, click Services.
From the left navigation pane, select Security > vFirewalls.
Click Copy in the Actions column for a vFirewall.
Enter a name and a description for the vFirewall.
Click Add Rule.
To add a rule and return to the Copy Virtual Firewall dialog box, configure the rule, and then click OK. To add rules in bulk, configure each rule, click Append, and then click OK after you add all desired rules.
Click OK.
vFirewall list
Firewall Type: Select the type of the vFirewall. Options include Allowlist and Denylist. An allowlist firewall permits traffic that matches its rules and drops all the other traffic. A denylist firewall drops traffic that matches its rules and permits all the other traffic.
When you configure an allowlist vFirewall, two default egress rules exist to permit all traffic from the VM to the remote site. If IPv6 is disabled for VMs, only the IPv4 egress rule exists. By default, all traffic from the remote site to the VM is denied. To permit specific traffic from the remote site to the VM, configure ingress rules as needed. To control traffic from the VM to the remote site, delete the two default egress rules and configure egress rules as needed.
When you configure a denylist vFirewall, no default rules exist and all packets are permitted. To deny specific traffic from the remote site to the VM, configure ingress rules as needed. To deny specific traffic from the VM to the remote site, configure egress rules as needed.
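The following is an added illustration, not the platform's own code, of how the allowlist and denylist semantics above combine with the stateful status table described in the introduction: an allowlist starts with the default egress rules (IPv6 one only if enabled) and denies unmatched traffic, a denylist starts empty and permits unmatched traffic, and only the first packet of a flow is checked against the rules. Rule/VFirewall, the flow_id argument and the DHCP port numbers are assumptions of this model.

```python
import ipaddress
from typing import Optional, List


class Rule:
    """One vFirewall rule. For ingress rules, port is the VM port; for egress, the remote port."""

    def __init__(self, direction: str, protocol: str, port: Optional[int], remote_cidr: str):
        self.direction = direction      # "ingress" (remote -> VM) or "egress" (VM -> remote)
        self.protocol = protocol        # "tcp", "udp", "icmp" or "any"
        self.port = port                # None means any port (or not applicable, e.g. ICMP)
        self.remote_cidr = ipaddress.ip_network(remote_cidr)

    def matches(self, direction: str, protocol: str, port: Optional[int], remote_ip: str) -> bool:
        return (self.direction == direction
                and self.protocol in ("any", protocol)
                and self.port in (None, port)
                and ipaddress.ip_address(remote_ip) in self.remote_cidr)


class VFirewall:
    """Stateful allowlist/denylist evaluator (hypothetical model, not the platform's code)."""

    def __init__(self, fw_type: str, rules: List[Rule] = (), ipv6_enabled: bool = True):
        if fw_type not in ("allowlist", "denylist"):
            raise ValueError("fw_type must be 'allowlist' or 'denylist'")
        self.fw_type = fw_type
        self.rules = list(rules)
        # An allowlist vFirewall starts with default egress rules permitting all traffic
        # from the VM; only the IPv4 rule exists when IPv6 is disabled. A denylist has none.
        if fw_type == "allowlist":
            self.rules.append(Rule("egress", "any", None, "0.0.0.0/0"))
            if ipv6_enabled:
                self.rules.append(Rule("egress", "any", None, "::/0"))
        self.status_table = set()   # flow IDs of connections already permitted

    def check_packet(self, flow_id: str, direction: str, protocol: str,
                     port: Optional[int], remote_ip: str) -> bool:
        """Return True if the packet is permitted; only the first packet of a flow hits the rules."""
        if flow_id in self.status_table:
            return True
        if protocol == "udp" and port in (67, 68):      # DHCP is always permitted (assumed ports)
            return True
        matched = any(r.matches(direction, protocol, port, remote_ip) for r in self.rules)
        permitted = matched if self.fw_type == "allowlist" else not matched
        if permitted:
            self.status_table.add(flow_id)
        return permitted
```

Note that on an allowlist the reply packets of a permitted egress connection pass because the flow is in the status table, not because an ingress rule matches them.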
Rules
Direction: Select the direction of connections. Ingress indicates connections initiated from a remote site. Egress indicates connections initiated by VMs.
IP Protocol: Select a protocol for which the vFirewall implements traffic control. Any represents all protocols.
Port/Type-Code: Select a TCP or UDP port number, or select an ICMP type code.
Remote CIDR: Enter a remote site IP address. 0.0.0.0/0 represents any IPv4 address. ::/0 represents any IPv6 address.
Rule parameters
Direction: Select the direction of connections. Ingress indicates connections initiated from a remote site. Egress indicates connections initiated by VMs.
Port: Enter semicolon-separated port numbers or port ranges in the format start port number-end port number, for example 1;2-3;4. You cannot enter identical port numbers or port ranges, and the port numbers and port ranges must be in ascending order. The system generates a separate rule for each port number or port range. If the direction is ingress, the port number is the VM port that the remote site accesses. If the direction is egress, the port number is the remote site port that the VMs access. This parameter is required if Custom TCP Rule or Custom UDP Rule is selected.
Type: Select an ICMP type. This parameter is required if Custom ICMP Rule is selected.
Code: Select an ICMP code. This parameter is required if Custom ICMP Rule is selected.
IP Protocol: Select a protocol for which the vFirewall implements traffic control. This parameter is required if Other Rules is selected.
IP Type: Select an IP packet type. Options include IPv4 and IPv6.
Remote IP Address: Enter semicolon-separated IPv4 or IPv6 addresses of remote sites, such as 23.2.2.2;5.5.5.5 and 20:ef::;21:ef::90/64. If you do not enter an IP address, the rule matches any IP address.
Subnet Mask: Enter a subnet mask for an IPv4 remote site address.
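As an added example (not the platform's own validation code), the following parses the Port and Remote IP Address formats described above, enforces the documented constraints on port entries, and expands one rule per port entry with the port interpreted as the VM port for ingress and the remote port for egress. The 1-65535 bound and the rejection of overlapping ranges are assumptions; an empty Remote IP Address is mapped to 0.0.0.0/0 and ::/0 to represent any address.

```python
import ipaddress
from typing import List, Tuple


def parse_port_spec(spec: str) -> List[Tuple[int, int]]:
    """Parse '1;2-3;4' into [(1, 1), (2, 3), (4, 4)].
    Raises ValueError for empty, malformed, duplicate or non-ascending entries."""
    entries: List[Tuple[int, int]] = []
    for item in spec.split(";"):
        item = item.strip()
        if not item:
            raise ValueError("empty port entry")
        if "-" in item:
            lo, hi = (int(x) for x in item.split("-", 1))
        else:
            lo = hi = int(item)
        if not (1 <= lo <= hi <= 65535):            # assumed valid port range
            raise ValueError(f"invalid port entry {item!r}")
        # Each entry must start above the previous one: rejects duplicates,
        # descending order and (by assumption) overlapping ranges.
        if entries and lo <= entries[-1][1]:
            raise ValueError(f"port entry {item!r} duplicates or is not ascending")
        entries.append((lo, hi))
    return entries


def is_valid_port_spec(spec: str) -> bool:
    try:
        parse_port_spec(spec)
        return True
    except ValueError:
        return False


def parse_remote_ips(spec: str) -> List[str]:
    """Parse '23.2.2.2;5.5.5.5' or '20:ef::;21:ef::90/64' into normalized networks."""
    if not spec.strip():
        return ["0.0.0.0/0", "::/0"]                # no address entered: match any address
    return [str(ipaddress.ip_network(s.strip(), strict=False)) for s in spec.split(";")]


def expand_rules(direction: str, protocol: str, port_spec: str, remote_spec: str = "") -> List[dict]:
    """Generate one rule dict per port entry, as the system does for the Port parameter."""
    if direction not in ("ingress", "egress"):
        raise ValueError("direction must be 'ingress' or 'egress'")
    port_key = "vm_port" if direction == "ingress" else "remote_port"
    remotes = parse_remote_ips(remote_spec)
    return [{"direction": direction, "protocol": protocol, port_key: (lo, hi), "remote": remotes}
            for lo, hi in parse_port_spec(port_spec)]
```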