You add firewall rules at the global scope. Using the Applied To field, you can then narrow down the scope at which you want to apply the rule. The firewall allows you to add multiple objects at the source and destination levels for each rule, which helps reduce the total number of firewall rules to be added.

Configuring the firewall to establish Trust Groups is possible only when you have the vCloud Air Dedicated Cloud subscription service.

1. From the Dashboard tab in the vCloud Air Web UI, click the virtual data center in which you want to configure a Trust Groups firewall rule.
   The Virtual Data Center Details page appears.

2. Click the Gateways tab > Manage in vCloud Director.
   vCloud Director opens in a new browser tab and displays the Administration page for the gateways in the selected virtual data center.

3. Under Cloud Resources in the left navigation panel, click Virtual Datacenters.
   The page refreshes and displays the virtual data center in the table.

4. Select the virtual data center, right-click, and select Manage Firewall.
   The vCloud Security Services page appears.

5. Select the type of rule you want to create. You can create either a general (L3) rule or an Ethernet (L2) rule.
   To add an L3 rule, click the General tab. To add an L2 rule, click the Ethernet tab.

6. Expand the section where you want to add a rule.
   By default, the edge gateway is provisioned with the section Default Section Layer3.

7. To add a rule at a specific place in the firewall table, in the No. column, click edit and select Add Above or Add Below.
   A new any/any allow rule is added above or below the selected rule. When the system-defined rule is the only rule in the firewall table, the new rule is added above the default rule.

8. Point to the Name cell, click edit, and enter a name.

9. Point to the Source cell and perform one of the following options.

   Click IP: Type the source IP address. The Trust Groups firewall supports IPv4 format only.

   Click edit: To specify the source as an object other than a specific IP address:
      a. Select one or more objects and click add. You can also create a new IP Set; once you create the new object, it is added to the Source column by default.
      b. To exclude a source from the rule, click Advanced options.
      c. Select Negate Source to exclude this source from the rule. When Negate Source is selected, the rule applies to traffic coming from all sources except the source you specified in the previous step. When Negate Source is not selected, the rule applies only to traffic coming from the source you specified in the previous step.
      d. Click OK.

10. Point to the Destination cell and perform one of the following options.

   Click IP: Type the destination IP address. The Trust Groups firewall supports IPv4 format only.

   Click edit: To specify the destination as an object other than a specific IP address:
      a. Select one or more objects and click add. You can also create a new IP Set; once you create the new object, it is added to the Destination column by default.
      b. To exclude a destination from the rule, click Advanced options.
      c. Select Negate Destination to exclude this destination from the rule. When Negate Destination is selected, the rule applies to traffic going to all destinations except the destination you specified in the previous step. When Negate Destination is not selected, the rule applies only to traffic going to the destination you specified in the previous step.
      d. Click OK.

11. Point to the Service cell of the new rule and perform one of the following options.

   Click port: To specify the service as a port–protocol combination:
      a. Select the service protocol.
         Note: The Trust Groups firewall supports Application Level Gateway (ALG) for the following protocols: FTP, CIFS, ORACLE TNS, MS-RPC, and SUN-RPC.
      b. Type the port number and click OK.

   Click edit: To select a pre-defined service or service group, or define a new one:
      a. Select one or more objects and click add. You can also create a new service or service group; once you create the new object, it is added to the Selected Objects column by default.
      b. Click OK.

   Note: To protect your network from ACK or SYN floods, set the service to TCP-all_ports or UDP-all_ports and set the action to Block for the default rule.

12. Point to the Action cell, click edit to configure the action for the rule, and click OK.

   Accept: Allows traffic from or to the specified sources, destinations, and services.

   Deny: Blocks traffic from or to the specified sources, destinations, and services.

   Reject: Sends a reject message for unaccepted packets. RST packets are sent for TCP connections; ICMP messages with administratively prohibited codes are sent for UDP, ICMP, and other IP connections.

   Log: Logs all sessions matching this rule. Enabling logging can affect performance.

   Do not log: Does not log sessions.

   Advanced options > Match on Translated: Applies the rule to the translated IP address and services for a NAT rule.

   Enable Rule Direction: Indicates whether the rule is incoming or outgoing. VMware does not recommend specifying the direction for Trust Groups firewall rules.

13. Point to the Applied To cell, click edit to define the scope at which this rule is applicable, then click OK.

   To apply the rule to all edge gateways in your environment: Select Apply this rule on all Edge gateways. After you click OK, the Applied To column for this rule displays All Edges. When the option for all edge gateways in the virtual data center is selected, the Applied To column displays Any.

   To apply the rule to one or more data centers, edge gateways, networks, or virtual machines:
      a. In Container type, select the appropriate object.
      b. In the Available list, select one or more objects and click add.

   Note: When the rule contains virtual machines in the source and destination fields, you must add both the source and destination virtual machines to Applied To for the rule to work correctly.

14. Click Publish Changes.
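The following is an added example, not code from the vCloud Air documentation or the product: a small model of the rule fields configured in steps 9 to 12, so a Trust Groups rule set can be checked against sample flows before you click Publish Changes. It assumes top-down, first-match evaluation with the system-defined default rule last; the rule names, IP sets, and flows are constructed for illustration.

```python
# Added example (not from the vCloud Air documentation or product code): a model of
# Source/Destination objects, Negate Source/Destination, Service and Action, used to
# check a rule set against sample flows before publishing. Assumed semantics: rules
# are evaluated top-down, first match wins, and the default rule sits last.
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    name: str
    source: tuple = ()                # IPv4 networks (an IP Set); empty means any
    destination: tuple = ()           # same for the Destination cell
    negate_source: bool = False       # Advanced options > Negate Source
    negate_destination: bool = False  # Advanced options > Negate Destination
    service: Optional[tuple] = None   # (protocol, port); None means any service
    action: str = "accept"            # accept | deny | reject

def _addr_matches(addr, networks, negate):
    """Negate only applies when an object was specified: 'all except that object'."""
    if not networks:
        return True
    ip = ipaddress.ip_address(addr)
    if ip.version != 4:               # the Trust Groups firewall is IPv4-only
        raise ValueError("IPv4 address expected: %s" % addr)
    hit = any(ip in ipaddress.ip_network(n) for n in networks)
    return hit != negate

def evaluate(rules, src, dst, proto, port):
    """Return (rule name, action) of the first rule matching the flow."""
    for r in rules:
        if (_addr_matches(src, r.source, r.negate_source)
                and _addr_matches(dst, r.destination, r.negate_destination)
                and (r.service is None or r.service == (proto, port))):
            return r.name, r.action
    raise LookupError("no rule matched; keep an any/any default rule last")

def unused_rules(rules, flows):
    """Rules no sample flow reaches: a shadowed or misordered rule shows up here."""
    hit = {evaluate(rules, *f)[0] for f in flows}
    return [r.name for r in rules if r.name not in hit]

# Constructed rule set: jump hosts may SSH to the app subnet, every other source
# gets a TCP RST (Reject), HTTPS to one web VM is open, the default rule blocks all.
RULES = [
    Rule("jump-ssh", ("10.0.0.0/24",), ("10.10.0.0/24",), service=("tcp", 22)),
    Rule("other-ssh", ("10.0.0.0/24",), ("10.10.0.0/24",), negate_source=True,
         service=("tcp", 22), action="reject"),
    Rule("web-https", destination=("10.10.0.5/32",), service=("tcp", 443)),
    Rule("default", action="deny"),   # TCP-all_ports / UDP-all_ports set to Block
]
```

Run `evaluate(RULES, "192.168.1.9", "10.10.0.5", "tcp", 22)` to see the negated source rule answer with `reject`, and `unused_rules` over your expected flows to spot a rule that was added below one that already shadows it.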