Perform this task to create an allowlist or denylist virtual firewall.
When you configure an allowlist virtual firewall, a default egress rule is associated with it to permit all traffic from the VM to the remote site. To permit specific traffic from the remote site to the VM, configure ingress rules as needed. To control traffic from the VM to the remote site, delete the two default egress rules and configure egress rules as needed.
When you configure a denylist virtual firewall, no default rules exist, so all packets are permitted until you add rules. To deny specific traffic from the remote site to the VM, configure ingress rules as needed. To deny specific traffic from the VM to the remote site, configure egress rules as needed.
From the left navigation pane, select Policies > Security Policies > Virtual Firewalls.
Click Create.
Select the firewall type, either allowlist or denylist. An allowlist firewall permits packets that match its rules and drops all others. A denylist firewall drops packets that match its rules and permits all others.
On the Rules tab, click Create to add a rule for the virtual firewall. Configure the parameters.
Click OK. The created rules are displayed in the rules list of the virtual firewall.
Click OK.
Direction: Select the direction of connections that the rule applies to. Ingress indicates connections initiated by a remote site. Egress indicates connections initiated by a VM.
Port: Specify a port number. If the direction is ingress, the port number is the VM port that the remote site accesses. If the direction is egress, the port number is the remote site port that VMs access. This parameter is required if Custom TCP Rule or Custom UDP Rule is selected.
Type: Select an ICMP type. This parameter is required if Custom ICMP Rule is selected.
Code: Select an ICMP code. This parameter is required if Custom ICMP Rule is selected.
IP Protocol: Select a protocol for which the virtual firewall implements traffic control. This parameter is required if Others is selected.
IP Type: Select an IP type, IPv4 or IPv6. This field is available only when VM (Desktop) Virtual IPv6 Address Management is enabled.
Remote IP Address: Enter the IPv4 address of the remote site. If you do not enter an IP address, the rule matches any IP address.
Subnet Mask/Network Prefix: If the IP type is IPv4, enter the subnet mask for the IPv4 remote site address. If the IP type is IPv6, enter the network prefix of the IPv6 remote site address.
The rules list displays the following columns for each rule:
Direction: Direction of connections that the rule applies to. Ingress indicates connections initiated by a remote site. Egress indicates connections initiated by a VM.
IP Protocol: Protocol for which the virtual firewall implements traffic control. Any represents all protocols.
Port/Type-Code: TCP or UDP port number, or ICMP type and code.
Remote CIDR: Remote site IP address. 0.0.0.0/0 represents any IPv4 address.
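The following added example (not code from the product) models the allowlist/denylist semantics and the rule parameters described above: direction, IP protocol, port or ICMP type/code, and remote CIDR. The rule values and packets are constructed for illustration; the default egress rule is modelled as a single "egress, any protocol, 0.0.0.0/0" entry.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class Rule:
    direction: str                    # "ingress" (remote site initiates) or "egress" (VM initiates)
    protocol: str                     # "tcp", "udp", "icmp" or "any"
    remote_cidr: str = "0.0.0.0/0"    # remote site address; 0.0.0.0/0 means any IPv4 address
    port: Optional[int] = None        # VM port for ingress, remote port for egress (TCP/UDP only)
    icmp_type: Optional[int] = None   # ICMP type/code (ICMP only); None matches any value
    icmp_code: Optional[int] = None

    def matches(self, pkt: dict) -> bool:
        if pkt["direction"] != self.direction:
            return False
        if self.protocol != "any" and pkt["protocol"] != self.protocol:
            return False
        if ip_address(pkt["remote_ip"]) not in ip_network(self.remote_cidr):
            return False
        if self.protocol in ("tcp", "udp") and self.port is not None:
            return pkt.get("port") == self.port
        if self.protocol == "icmp":
            return ((self.icmp_type is None or pkt.get("icmp_type") == self.icmp_type)
                    and (self.icmp_code is None or pkt.get("icmp_code") == self.icmp_code))
        return True

def decide(fw_type: str, rules: list, pkt: dict) -> str:
    """Allowlist: permit only packets matching a rule. Denylist: drop only packets matching a rule."""
    hit = any(r.matches(pkt) for r in rules)
    if fw_type == "allowlist":
        return "permit" if hit else "drop"
    if fw_type == "denylist":
        return "drop" if hit else "permit"
    raise ValueError(f"unknown firewall type: {fw_type}")

# Constructed sample policies (hypothetical values, not taken from the product).
DEFAULT_EGRESS = Rule("egress", "any")                              # the default "permit all egress" rule
ALLOW_RULES = [DEFAULT_EGRESS, Rule("ingress", "tcp", "10.0.0.0/24", port=22)]
DENY_RULES = [Rule("ingress", "icmp", icmp_type=8, icmp_code=0)]    # deny ICMP echo requests only

if __name__ == "__main__":
    ssh_in = {"direction": "ingress", "protocol": "tcp", "remote_ip": "10.0.0.5", "port": 22}
    web_out = {"direction": "egress", "protocol": "tcp", "remote_ip": "203.0.113.7", "port": 443}
    ping_in = {"direction": "ingress", "protocol": "icmp", "remote_ip": "198.51.100.9", "icmp_type": 8, "icmp_code": 0}
    print(decide("allowlist", ALLOW_RULES, ssh_in))                                             # permit
    print(decide("allowlist", [r for r in ALLOW_RULES if r is not DEFAULT_EGRESS], web_out))    # drop
    print(decide("denylist", DENY_RULES, ping_in))                                              # drop
```

Removing DEFAULT_EGRESS from the allowlist shows why the page tells you to delete the default egress rules before adding your own: with them in place, every VM-initiated connection is still permitted.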