Saturday 20 January 2018

NSX Layer 7 Application aware Distributed Firewall

NSX 6.4 was released on Thursday 11th January with some awesome new features which includes the ability to allow or block traffic based on application context.  The full release notes for NSX 6.4 can be found here.

So, let's test the new application aware context feature of the distributed firewall.  I've got a test VM called WEB01 with an IP address of which I can currently SSH to successfully over TCP/22:

I've created a new DFW rule to block traffic from ANY to ANY and the service as SSH (TCP/22):

I can now no longer access WEB01 from anywhere:

However, if I was to change the port the SSH daemon running on WEB01 was listening on from TCP/22 to TCP/8080 and restart the SSH daemon I can successfully SSH back into WEB01:

With NSX 6.4 and the new application context firewall rules we can modify the rule to block the SSH application rather than TCP/22.  These are available from the service list and are prefixed with APP_:

Now if I try and connect again to WEB01 over TCP/8080 or TCP/22 traffic is blocked:

The full list of layer 7 protocols that are currently supported in NSX 6.4 are:

No comments:

Post a Comment