A security policy is a set of Endpoint, firewall, and network introspection services that can be applied to a security group. The order in which security policies are displayed is determined by the weight associated with the policy. By default, a new policy is assigned the highest weight so that it is at the top of the table. However, you can modify the default suggested weight to change the order assigned to the new policy.

Ensure that:

- the required VMware built-in services (such as Distributed Firewall, Data Security, and Endpoint) are installed. See NSX Installation and Upgrade Guide.

- the required partner services have been registered with NSX Manager. See Register a Partner Solution Manually.

1. Log in to the vSphere Web Client.

2. Click Networking & Security and then click Service Composer.

3. Click the Security Policies tab.

4. Click the Create Security Policy (add) icon.

5. In the Add Security Policy dialog box, type a name for the security policy.

6. Type a description for the security policy.

   NSX assigns a default weight (highest weight + 1000) to the policy. For example, if the highest weight among the existing policies is 1200, the new policy is assigned a weight of 2200.

   Security policies are applied according to their weight: a policy with a higher weight has precedence over a policy with a lower weight.

7. Select Inherit security policy from specified policy if you want the policy that you are creating to receive services from another security policy, and then select the parent policy.

   All services from the parent policy are inherited by the new policy.

8. Click Next.

9. On the Endpoint Services page, click the Add Endpoint Service (Add icon) icon.

   a. In the Add Endpoint Service dialog box, type a name and description for the service.

   b. Specify whether you want to apply the service or block it.

      When you inherit a security policy, you may choose to block a service from the parent policy.

   c. Select the type of service.

      If you select Data Security, you must have a data security policy in place. See Data Security.

   d. If you chose to apply the Endpoint service, select the service name and service configuration.

      Service configuration refers to vendor templates. These configurations are defined in third-party consoles and are registered along with partner services. Tagging and untagging of virtual machines depends on the service configuration selected for the security policy.

   e. In State, specify whether you want to enable the selected Endpoint service or disable it.

      You can add Endpoint services as placeholders for services to be enabled at a later time. This is especially useful where services need to be applied on demand (for example, for new applications).

   f. Select whether the Endpoint service is to be enforced (that is, it cannot be overridden).

      If you enforce an Endpoint service in a security policy, policies that inherit this security policy must apply it before their own services. If the service is not enforced, inheritance adds the parent policy's service after the child policy's own services are applied.

   g. Click OK.

   You can add more Endpoint services by repeating these steps. You can manage the Endpoint services through the icons above the service table.

   You can export or copy the services on this page by clicking the export icon at the bottom right of the Endpoint Services page.

10. Click Next.

11. On the Firewall page, click the Add Firewall Rule (Add icon) icon.

   Here, you are defining firewall rules for the security group(s) to which this security policy will be applied.

   a. Type a name and description for the firewall rule you are adding.

   b. Select Allow or Block to indicate whether the rule allows or blocks traffic to the selected destination.

   c. Select the source for the rule. By default, the rule applies to traffic coming from the security groups to which this policy is applied. To change the default source, click Change and select the appropriate security groups.

   d. Select the destination for the rule.

      Note: Either the Source or the Destination (or both) must be the security groups to which this policy is applied.

      For example, say you create a rule with the default Source, specify the Destination as Payroll, and select Negate Destination. You then apply this security policy to the security group Engineering. This results in Engineering being able to access everything except the Payroll server.

   e. Select the services and/or service groups to which the rule applies.

   f. Select Enabled or Disabled to specify the rule state.

   g. Select Log to log sessions matching this rule.

      Enabling logging may affect performance.

   h. Click OK.

   You can add more firewall rules by repeating these steps. You can manage the firewall rules through the icons above the firewall table.

   You can export or copy the rules on this page by clicking the export icon at the bottom right of the Firewall page.

   The firewall rules you add here are displayed in the Firewall table. VMware recommends that you do not edit Service Composer rules in the firewall table. If you must do so for emergency troubleshooting, you must re-synchronize Service Composer rules with firewall rules by selecting Synchronize Firewall Rules from the Actions menu on the Security Policies tab.

12. Click Next.

   The Network Introspection Services page displays NetX services that you have integrated with your VMware virtual environment. See Register a Partner Solution Manually.

13. Click the Add Network Introspection Service (Add icon) icon.

   a. In the Add Network Introspection Service dialog box, type a name and description for the service you are adding.

   b. Select whether or not to redirect traffic to the service.

   c. Select the service name and profile.

   d. Select the source and destination.

   e. Select the protocol.

      You can specify the protocol type, the source port (advanced options), and the destination port.

   f. Select whether to enable or disable the service.

   g. Select Log to log sessions matching this rule.

   h. Click OK.

   You can add more network introspection services by repeating these steps. You can manage the network introspection services through the icons above the service table.

   You can export or copy the services on this page by clicking the export icon at the bottom right of the Network Introspection Services page.

14. Click Finish.

   The security policy is added to the policies table. You can click the policy name and select the appropriate tab to view a summary of the services associated with the policy, view service errors, or edit a service.

Map the security policy to a security group.
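The weight and inheritance rules in steps 6, 7 and 9 decide which services actually reach a virtual machine and in what order, which is what an auditor checks when a policy set is reviewed. The following Python model is an added example, not NSX code: it implements only the rules stated above (default weight = highest existing weight + 1000, higher weight wins, a child may block an inherited service, an enforced service cannot be overridden and is applied before the child's own services while a non-enforced one is applied after them). The class names, the sample policies (Baseline, Quarantine, WebTier) and the service names are constructed for the example, and the starting weight used for an empty policy table is an assumption the page does not state.

```python
"""Model of Service Composer policy weights and Endpoint-service inheritance.
Added illustration, not NSX code; see the lead-in for what is assumed."""

from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional

STARTING_WEIGHT = 1000  # assumed default for an empty table (not stated on the page)
WEIGHT_STEP = 1000      # NSX adds 1000 to the highest existing weight


@dataclass(frozen=True)
class EndpointService:
    name: str
    action: str = "apply"   # "apply" or "block" (block targets a service inherited from the parent)
    enforced: bool = False  # an enforced service cannot be overridden by child policies


@dataclass
class SecurityPolicy:
    name: str
    weight: int
    services: list[EndpointService] = field(default_factory=list)
    parent: Optional[SecurityPolicy] = None


def default_weight(existing: list[SecurityPolicy]) -> int:
    """Suggested weight for a new policy: highest existing weight + 1000
    (the text's example: 1200 -> 2200)."""
    if not existing:
        return STARTING_WEIGHT
    return max(p.weight for p in existing) + WEIGHT_STEP


def order_by_precedence(policies: list[SecurityPolicy]) -> list[SecurityPolicy]:
    """Higher weight has precedence, so the table lists the highest weight first."""
    return sorted(policies, key=lambda p: p.weight, reverse=True)


def effective_services(policy: SecurityPolicy) -> list[EndpointService]:
    """Ordered list of Endpoint services applied for `policy`, including
    everything inherited through the parent chain."""
    own = [s for s in policy.services if s.action == "apply"]
    blocked = {s.name for s in policy.services if s.action == "block"}
    if policy.parent is None:
        return own
    inherited = effective_services(policy.parent)
    # An enforced service cannot be overridden, so trying to block it is an error.
    for svc in inherited:
        if svc.enforced and svc.name in blocked:
            raise ValueError(
                f"{svc.name!r} is enforced in {policy.parent.name!r} and cannot be overridden")
    inherited = [s for s in inherited if s.name not in blocked]
    before = [s for s in inherited if s.enforced]      # enforced: before the child's own services
    after = [s for s in inherited if not s.enforced]   # not enforced: after the child's own services
    return before + own + after


def build_sample() -> tuple[SecurityPolicy, SecurityPolicy, SecurityPolicy]:
    """Constructed sample: Baseline (weight 1200) with an enforced AntiVirus
    service and a non-enforced IDS service, Quarantine (weight 500), and a new
    WebTier policy that inherits Baseline, blocks IDS and adds WebShield."""
    baseline = SecurityPolicy("Baseline", 1200, [
        EndpointService("AntiVirus", enforced=True),
        EndpointService("IDS"),
    ])
    quarantine = SecurityPolicy("Quarantine", 500, [EndpointService("Isolate")])
    web = SecurityPolicy(
        "WebTier",
        default_weight([baseline, quarantine]),  # 1200 + 1000 = 2200
        [EndpointService("IDS", action="block"), EndpointService("WebShield")],
        parent=baseline,
    )
    return baseline, quarantine, web


if __name__ == "__main__":
    baseline, quarantine, web = build_sample()
    for p in order_by_precedence([baseline, quarantine, web]):
        names = [s.name for s in effective_services(p)]
        print(f"{p.weight:>5}  {p.name:<10} -> {names}")
```

Running the script lists WebTier first (weight 2200), with AntiVirus applied before WebShield because AntiVirus is enforced in the parent; a policy that tries to block an enforced inherited service is rejected, which mirrors the "cannot be overridden" behaviour of step 9f.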