Default Rules; Layer 4 Rules And Layer 2/Layer 3 Rules; Hierarchy Of Zones Firewall Rules; Planning Zones Firewall Rule Enforcement - VMware VSHIELD APP 1.0.0 UPDATE 1 Admin Manual

vShield Administration Guide

Default Rules

By default, Zones Firewall enforces a set of rules allowing traffic to pass through all vShield Zones instances.
These rules appear in the Default Rules section of the Zones Firewall table. The default rules cannot be deleted
or added to. However, you can change the Action element of each rule from Allow to Deny.

Layer 4 Rules and Layer 2/Layer 3 Rules

Zones Firewall offers two sets of configurable rules: L4 (Layer 4) rules and L2/L3 (Layer 2/Layer 3) rules. Layers
refer to layers of the Open Systems Interconnection (OSI) Reference Model.
Layer 4 rules govern TCP and UDP transport of Layer 7, or application-specific, traffic. Layer 2/Layer 3 rules
monitor traffic from ICMP, ARP, and other Layer 2 and Layer 3 protocols. You can configure Layer 2/Layer 3
rules at the datacenter level only. By default, all Layer4 and Layer 2/Layer 3 traffic is allowed to pass.

Hierarchy of Zones Firewall Rules

Each vShield Zones instance enforces Zones Firewall rules in top-to-bottom ordering. A vShield Zones
instance checks each traffic session against the top rule in the Zones Firewall table before moving down the
subsequent rules in the table. The first rule in the table that matches the traffic parameters is enforced.
Zones Firewall rules are enforced in the following hierarchy:
1 Data Center High Precedence Rules
2 Cluster Level Rules
3 Data Center Low Precedence Rules (seen as Rules below this level have lower precedence than cluster
level rules when a datacenter resource is selected)
4 Secure Port Group Rules
5 Default Rules
Zones Firewall offers container-level and custom priority precedence configurations:

Container-level precedence refers to recognizing the datacenter level as being higher in priority than the
cluster level. When a rule is configured at the datacenter level, the rule is inherited by all clusters and
vShield agents therein. A cluster-level rule is only applied to the vShield Zones instances within the
cluster.

Custom priority precedence refers to the option of assigning high or low precedence to rules at the
datacenter level. High precedence rules work as noted in the container-level precedence description. Low
precedence rules include the Default Rules and the configuration of Data Center Low Precedence rules.
This flexibility allows you to recognize multiple layers of applied precedence.
At the cluster level, you configure rules that apply to all vShield Zones instances within the cluster.
Because Data Center High Precedence Rules are above Cluster Level Rules, ensure your Cluster Level
Rules are not in conflict with Data Center High Precedence Rules.

Planning Zones Firewall Rule Enforcement

Using Zones Firewall, you can configure allow and deny rules based on your network policy. The following
examples represent two common firewall policies:

Allow all traffic by default. You keep the default allow all rules and add deny rules based on Flow
Monitoring data or manual App Firewall configuration. In this scenario, if a session does not match any
of the deny rules, the vShield App allows the traffic to pass.

Deny all traffic by default.You can change the Action status of the default rules from Allow to Deny, and
add allow rules explicitly for specific systems and applications. In this scenario, if a session does not
match any of the allow rules, the vShield App drops the session before it reaches its destination. If you
change all of the default rules to deny any traffic, the vShield App drops all incoming and outgoing traffic.
26 VMware, Inc.