Configure Security Settings for NSX Edge Nodes by Using the User Interface

You perform this procedure in NSX to configure traffic logging for Gateway Firewall rules, publish firewall policy and rule changes, deny traffic by default, apply a flood protection profile, configure ingress filters, restrict traffic, and disable Internet Control Message Protocol (ICMP) unreachable notifications, mask replies, and redirects on the external interfaces. Configure the settings for all NSX Edge instances in your VMware Cloud Foundation environment.
  1. In a Web browser, log in to the NSX Manager cluster as an administrator by using the user interface.
  2. VMW-NSX-01429, VMW-NSX-01514
    Configure the NSX Gateway Firewall on the tier-0 and tier-1 gateways to generate traffic log entries.
    If the tier-0 gateway is deployed in an active/active high availability mode and no stateless rules exist, this configuration is not applicable.
    1. On the main navigation bar, click Security.
    2. In the left pane, navigate to Policy Management > Gateway Firewall.
    3. Click the Gateway specific rules tab.
    4. From the Gateway drop-down menu, select the respective gateway.
    5. For each tier-0 gateway and for each rule with logging disabled, click the gear icon, activate the Logging toggle, and click Apply.
    6. On the Gateway Firewall page, click Publish.
    7. Repeat the procedure for each tier-1 gateway and for each rule with deactivated logging.
  3. VMW-NSX-01431, VMW-NSX-01432
    Configure the NSX Gateway Firewall on the tier-0 and tier-1 gateways to deny network traffic by default and allow network traffic by exception.
    1. On the main navigation bar, click Security.
    2. In the left pane, navigate to Policy Management > Gateway Firewall.
    3. Click the Gateway specific rules tab.
    4. From the Gateway drop-down menu, select the respective gateway.
    5. Expand the default policy, and from the Actions drop-down menu, select Reject or Drop.
    6. On the Gateway Firewall page, click Publish.
    7. Repeat the procedure for each tier-1 gateway.
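After publishing the changes in items 2 and 3, an administrator usually wants a repeatable check that no rule was missed. The script below is an added example, not VMware's code: it audits gateway firewall policy objects for rules with logging off and for a default policy whose rules do not drop or reject. The field names ("category", "rules", "action", "logged", "scope") follow the NSX Policy API's GatewayPolicy and Rule resources as the author recalls them, and the input is a constructed sample rather than a capture from a real NSX Manager; verify both against your NSX version's API reference before relying on the result.

```python
"""Audit gateway firewall policy JSON for the two settings above.

Added example, not VMware's code. Assumes the objects look like the NSX
Policy API's GatewayPolicy and Rule resources ("category", "rules", "action",
"logged", "scope") as the author recalls them; check the field names against
your NSX version's API reference before trusting the results.
"""
from typing import Dict, List, Tuple

# Constructed sample of what a GET on the gateway-policies collection might
# return, trimmed to the fields this audit reads. Not captured from a real NSX.
SAMPLE_POLICIES: List[Dict] = [
    {
        "id": "t0-web-policy",
        "category": "LocalGatewayRules",
        "rules": [
            {"id": "allow-https", "action": "ALLOW", "logged": True,
             "scope": ["/infra/tier-0s/t0-01"]},
            {"id": "allow-dns", "action": "ALLOW", "logged": False,
             "scope": ["/infra/tier-0s/t0-01"]},
        ],
    },
    {
        "id": "default-layer3-section",
        "category": "Default",
        "rules": [
            {"id": "default-rule", "action": "ALLOW", "logged": False,
             "scope": ["ANY"]},
        ],
    },
    {
        "id": "t1-app-policy",
        "category": "LocalGatewayRules",
        "rules": [
            {"id": "allow-app", "action": "ALLOW", "logged": True,
             "scope": ["/infra/tier-1s/t1-app"]},
        ],
    },
]

DENY_ACTIONS = {"DROP", "REJECT"}


def rules_without_logging(policies: List[Dict]) -> List[Tuple[str, str]]:
    """VMW-NSX-01429/01514: return (policy id, rule id) for every rule that
    does not have the Logging toggle on."""
    findings = []
    for policy in policies:
        for rule in policy.get("rules", []):
            if not rule.get("logged", False):
                findings.append((policy["id"], rule["id"]))
    return findings


def default_rules_not_denying(policies: List[Dict]) -> List[Tuple[str, str, str]]:
    """VMW-NSX-01431/01432: return (policy id, rule id, action) for rules in
    the Default category whose action is neither DROP nor REJECT."""
    findings = []
    for policy in policies:
        if policy.get("category") != "Default":
            continue
        for rule in policy.get("rules", []):
            action = rule.get("action", "")
            if action not in DENY_ACTIONS:
                findings.append((policy["id"], rule["id"], action))
    return findings


def audit(policies: List[Dict]) -> Dict[str, list]:
    """Run both checks; an empty list under each key means the check passed."""
    return {
        "logging_disabled": rules_without_logging(policies),
        "default_not_deny": default_rules_not_denying(policies),
    }


if __name__ == "__main__":
    for check, hits in audit(SAMPLE_POLICIES).items():
        print(f"{check}: {'PASS' if not hits else hits}")
```

Feed the script the JSON you retrieve from the gateway-policies collection and treat any non-empty list as a rule that still needs the UI steps above; the logging check deliberately covers every category, including the default policy, because item 2 applies to each rule and not only to the explicitly created ones.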
  4. VMW-NSX-01437
    Configure the multicast NSX tier-0 gateway to deactivate Protocol Independent Multicast (PIM) on all interfaces that are not required to support multicast routing.
    1. Navigate to Networking > Connectivity > Tier-0 Gateways and expand the target Tier-0 gateway.
    2. Expand Interfaces and GRE Tunnels, click the number of External and Service interfaces present to open the interfaces dialog, and then select Edit on the target interface.
    3. Expand Multicast, change PIM to Deactivated, and then click Save.
  5. VMW-NSX-01438
    Remove inactive interfaces on an NSX Tier-0 gateway.
    1. Navigate to Networking > Connectivity > Tier-0 Gateways and expand the target Tier-0 gateway.
    2. Expand Interfaces and GRE Tunnels, click the number of External and Service interfaces present to open the interfaces dialog, and then select Edit on the target interface.
    3. Select Delete on the unneeded interface, and then click Delete again to confirm.
  6. VMW-NSX-01442
    Disconnect inactive linked segments for NSX Tier-1 gateways.
    1. Navigate to Networking > Connectivity > Segments and edit the target segment.
    2. Under Connected Gateway, change the value to None and click Save.
      The stale linked segment can also be deleted if there are no active workloads attached to it.
    3. Navigate to Networking > Connectivity > Tier-1 Gateways and edit the target Tier-1 gateway.
    4. Expand Service Interfaces and click the number to view the service interfaces.
    5. On the stale service interface, select Delete and click Delete again to confirm.
  7. VMW-NSX-01453, VMW-NSX-01515
    Configure flood protection profiles on the NSX Gateway Firewall for the tier-0 and tier-1 gateways to protect against Denial of Service (DoS) attacks.
    If the tier-0 gateway is deployed in an active/active high availability mode and no stateless rules exist, this configuration is not applicable.
    1. On the main navigation bar, click Security.
    2. In the left pane, navigate to Settings > General Settings.
    3. Under the General Security Settings tab, click Firewall > Flood Protection.
    4. From the Add profile drop-down menu, select Add Edge Gateway profile.
    5. Enter a name and specify appropriate values for the following: TCP half open connection limit, UDP active flow limit, ICMP active flow limit, and Other active connection limit.
    6. Configure the Applied to field to contain the tier-0 gateways, and then click Save.
    7. Repeat this step for the tier-1 gateways and set Applied to to contain the tier-1 gateways.
  8. VMW-NSX-01460
    To protect against route table flooding and prefix de-aggregation attacks, configure the NSX tier-0 gateway to use maximum prefixes.
    1. On the main navigation bar, click Networking.
    2. In the left pane, navigate to Connectivity > Tier-0 gateways.
    3. Expand the NSX tier-0 gateway.
    4. Expand the BGP section and click BGP neighbors.
    5. In the Set BGP neighbors dialog box, click the vertical ellipsis and click Edit for the first neighbor.
    6. Click the number in the Route filter column.
    7. In the Set route filter dialog box, click the vertical ellipsis menu and click Edit to configure the maximum routes value specific to your environment.
    8. Repeat the step to configure all neighbors.
  9. VMW-NSX-01494, VMW-NSX-01495, VMW-NSX-01496
    Configure the NSX tier-0 gateway to disable Internet Control Message Protocol (ICMP) unreachable notifications, mask replies, and redirects on all external interfaces.
    If the tier-0 gateway is deployed in an active/active high availability mode and no stateless rules exist, this configuration is not applicable.
    NSX does not come with a pre-configured service for ICMP mask replies. You may need to create this service.
    1. On the main navigation bar, click Security.
    2. In the left pane, navigate to Policy Management > Gateway Firewall.
    3. Click the All shared rules tab.
    4. Click Add rule (add a policy first if needed) and, in the Services column, click the Edit button.
    5. In the Set services dialog box, on the Services tab, select the ICMP destination unreachable service, and click Apply.
    6. Click the Settings icon for the newly added rule and, in the Settings dialog box, activate the Logging toggle.
    7. In the Applied to column, click the Edit icon.
    8. In the Applied to dialog box, select the target NSX tier-0 gateway and click Apply.
    9. On the Gateway Firewall page, click Publish.
    10. Repeat the procedure for the ICMP mask replies and ICMP redirect services.
    A rule can also be created under Gateway Specific Rules to meet this requirement.
  10. VMW-NSX-01532
    The NSX Tier-1 Gateway Firewall must be configured to inspect traffic at the application layer.
    1. On the main navigation bar, click Security.
    2. In the left pane, navigate to Policy Management > Gateway Firewall and select Gateway Specific Rules.
    3. From the Gateway drop-down menu, choose the Tier-1 gateway.
    4. For each rule that should have a context profile enabled, click the pencil icon in the Profiles column and select Context profile in the Select profile dialog box.
    5. Select an existing context profile or create a custom one, then click Apply.
    6. After all the changes are made, click Publish.
    Not all App IDs are suitable for use in all cases; evaluate them in each environment before use.
    A list of App IDs for application layer rules is available at https://docs.vmware.com/en/NSX-Application-IDs/index.html
  11. VMW-NSX-01469
    Unicast Reverse Path Forwarding (uRPF) must be enabled on the NSX Tier-0 gateway.
    1. On the main navigation bar, click Networking.
    2. In the left pane, navigate to Connectivity > Tier-0 gateways.
    3. Expand the NSX tier-0 gateway.
    4. Expand the Interfaces and GRE Tunnels section and click the number of External and Service Interfaces.
    5. In the Set Interfaces dialog box, click the vertical ellipsis and click Edit for the first interface.
    6. From the drop-down menu, set URPF Mode to Strict, and then click Save.
    7. Repeat the step to configure all interfaces.
  12. VMW-NSX-01459, VMW-NSX-01470
    The NSX Tier-0 gateway router must be configured to use encryption for BGP routing protocol authentication and to use a unique password for each autonomous system (AS) that it peers with.
    1. On the main navigation bar, click Networking.
    2. In the left pane, navigate to Connectivity > Tier-0 gateways.
    3. Expand the NSX tier-0 gateway.
    4. Expand the BGP section and click the number next to BGP neighbors.
    5. In the Set BGP neighbors dialog box, click the vertical ellipsis and click Edit for the first neighbor.
    6. Under Timers and Password, enter a unique password of up to 20 characters that is different from the passwords used for other autonomous systems, and then click Save.
    7. Repeat the step to configure all neighbors.
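Items 8, 11 and 12 each end with "repeat for all neighbors/interfaces", which is where configurations drift: one uplink left at URPF Mode None, or the same BGP password pasted into a neighbor in a different AS. The script below is an added example, not VMware's code, that validates a tier-0 gateway's intended interface and BGP neighbor settings before they are applied: every interface must be Strict, every neighbor must have a password of at most 20 characters, no password may be shared across different remote ASes, and every neighbor must carry a maximum routes limit. The dictionaries mirror the NSX Policy API's Tier0Interface ("urpf_mode") and BgpNeighborConfig ("remote_as_num", "password", "route_filtering[].maximum_routes") resources as the author recalls them, and the sample data is constructed; confirm the field names against your NSX version's API reference.

```python
"""Pre-flight checks for the tier-0 interface and BGP neighbor settings in
items 8, 11 and 12 above (VMW-NSX-01460, VMW-NSX-01469, VMW-NSX-01459/01470).

Added example, not VMware's code. The dictionaries mirror the NSX Policy API's
Tier0Interface ("urpf_mode") and BgpNeighborConfig ("remote_as_num",
"password", "route_filtering[].maximum_routes") resources as the author
recalls them; confirm the field names against your NSX version's API
reference. Because the API does not return BGP passwords on a read, this
validates the configuration you are about to apply, not a live read-back.
"""
from collections import defaultdict
from typing import Dict, List

MAX_BGP_PASSWORD_LEN = 20  # limit stated in item 12 above

# Constructed desired state for one tier-0 gateway. Addresses are from the
# RFC 5737 documentation ranges; passwords are throwaway sample values.
SAMPLE_INTERFACES: List[Dict] = [
    {"id": "uplink-1", "type": "EXTERNAL", "urpf_mode": "STRICT"},
    {"id": "uplink-2", "type": "EXTERNAL", "urpf_mode": "NONE"},
    {"id": "svc-1", "type": "SERVICE", "urpf_mode": "STRICT"},
]

SAMPLE_NEIGHBORS: List[Dict] = [
    {"id": "isp-a-1", "neighbor_address": "198.51.100.1", "remote_as_num": "65001",
     "password": "sample-pw-65001",
     "route_filtering": [{"address_family": "IPV4", "maximum_routes": 1000}]},
    {"id": "isp-a-2", "neighbor_address": "198.51.100.5", "remote_as_num": "65001",
     "password": "sample-pw-65001",
     "route_filtering": [{"address_family": "IPV4", "maximum_routes": 1000}]},
    {"id": "isp-b-1", "neighbor_address": "203.0.113.1", "remote_as_num": "65002",
     "password": "sample-pw-65001",                      # reused from another AS
     "route_filtering": [{"address_family": "IPV4"}]},  # no prefix limit
    {"id": "isp-c-1", "neighbor_address": "203.0.113.9", "remote_as_num": "65003",
     "route_filtering": []},                             # no password, no limit
]


def interfaces_without_strict_urpf(interfaces: List[Dict]) -> List[str]:
    """VMW-NSX-01469: ids of interfaces whose URPF Mode is not Strict."""
    return [i["id"] for i in interfaces if i.get("urpf_mode") != "STRICT"]


def bgp_neighbor_findings(neighbors: List[Dict]) -> List[str]:
    """VMW-NSX-01460 and VMW-NSX-01459/01470: each neighbor needs a password
    of at most 20 characters, passwords must not be shared across different
    remote ASes, and every neighbor needs a maximum_routes limit."""
    findings: List[str] = []
    as_by_password: Dict[str, set] = defaultdict(set)
    for n in neighbors:
        pw = n.get("password")
        if not pw:
            findings.append(f"{n['id']}: no BGP authentication password")
        else:
            if len(pw) > MAX_BGP_PASSWORD_LEN:
                findings.append(
                    f"{n['id']}: password longer than {MAX_BGP_PASSWORD_LEN} characters")
            as_by_password[pw].add(n["remote_as_num"])
        if not any("maximum_routes" in rf for rf in n.get("route_filtering", [])):
            findings.append(f"{n['id']}: no maximum_routes limit on any address family")
    # Uniqueness is per remote AS: two sessions to the same AS may share a
    # password, but one password must not span two different ASes.
    for pw, as_set in as_by_password.items():
        if len(as_set) > 1:
            sharing = sorted(n["id"] for n in neighbors if n.get("password") == pw)
            findings.append(
                f"password shared across AS {', '.join(sorted(as_set))}: {', '.join(sharing)}")
    return findings


if __name__ == "__main__":
    print("non-strict uRPF:", interfaces_without_strict_urpf(SAMPLE_INTERFACES))
    for line in bgp_neighbor_findings(SAMPLE_NEIGHBORS):
        print("BGP:", line)
```

Run it against the neighbor and interface definitions you keep in source control (or assemble from the UI values before clicking Save); an empty result from both functions means the repeat-for-all steps above were completed consistently. The password reuse check groups by remote AS rather than by neighbor because item 12 requires a distinct password per autonomous system, not per session.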
  13. VMW-NSX-01536
    The NSX Tier-0 gateway router must be configured to use encryption for OSPF routing protocol authentication.
    1. On the main navigation bar, click Networking.
    2. In the left pane, navigate to Connectivity > Tier-0 gateways.
    3. Expand the NSX tier-0 gateway.
    4. Expand the OSPF section and click the number next to Area Definition.
    5. In the Set Area Definition dialog box, click the vertical ellipsis and click Edit for the first area definition.
    6. Change the Authentication drop-down menu to MD5, enter a Key ID and password, and then click Save.
    7. Repeat the step to configure all area definitions.
    The MD5 password can have a maximum of 16 characters.