So, let's test the new application aware context feature of the distributed firewall. I've got a test VM called WEB01 with an IP address of 192.168.1.11 which I can currently SSH to successfully over TCP/22:
I've created a new DFW rule to block traffic from ANY to ANY and the service as SSH (TCP/22):
I can now no longer access WEB01 from anywhere:
However, if I was to change the port the SSH daemon running on WEB01 was listening on from TCP/22 to TCP/8080 and restart the SSH daemon I can successfully SSH back into WEB01:
With NSX 6.4 and the new application context firewall rules we can modify the rule to block the SSH application rather than TCP/22. These are available from the service list and are prefixed with APP_:
Now if I try and connect again to WEB01 over TCP/8080 or TCP/22 traffic is blocked:
The full list of layer 7 protocols that are currently supported in NSX 6.4 are:
No comments:
Post a Comment