The schema for distributed firewall configuration is a data structure containing global properties that apply to the whole firewall and these two sections:

layer3Sections, which contains Layer 3 rules (Array)

layer2Sections, which contains Layer 2 rules (Array)

Note

Configuring the distributed firewall is possible only when you have the vCloud Air Dedicated Cloud subscription service.

A firewall section is the smallest unit of configuration which can be updated independently. You can use sections to group logical rules based on Applied To or for a specific use case.

For an overview of the distributed firewall, see Firewall for Trust Groups in the vCloud Air Advanced Networking Services Guide. [In the vCloud Air Advanced Networking Services Guide, the distributed firewall feature is referred to as the firewall for Trust Groups.]

In the Advanced Networking Services Web UI, Layer 3 (L3) rules appear on the General tab and Layer 2 (L2) rules appear on the Ethernet tab.

Layer 2 firewall rules are processed before Layer 3 rules.

For an example of the schema for the distributed firewall, see Example: Request and Response to Get Distributed Firewall Configuration.

GLOBAL PROPERTIES FOR THE FIREWALL

Element | Type | Required | Description
--- | --- | --- | ---
timestamp | Number | Yes | The time the firewall was last modified
contextId | String | Yes | A read-only field
provisioned | Boolean | No |
generationNumber | String | No (Yes for PUT) | A read-only field. Required when submitting a PUT request to update the firewall: send back the value returned by the preceding GET unchanged.

Each section (an element of layer3Sections or layer2Sections) of the distributed firewall has the same data structure:

properties, the general elements of the section (see FIREWALL SECTION — GENERAL PROPERTIES)

rules (Array), where each rule consists of:

name, id, disabled, action, logged, notes (general rule elements)
appliedToList
sectionId
sources
destinations
services
type, managedBy, direction, packetType, ruleDisabled (additional elements)

The following components of a rule can consist of a single object or an array of objects:

sources (Source)

destinations (Destination)

appliedToList (Applied To List)

FIREWALL SECTION — GENERAL PROPERTIES (properties)

Element | Type | Required | Description
--- | --- | --- | ---
id | Number | Yes | The ID of the firewall section. Note: the system auto-generates this ID; do not change it.
name | String | Yes | The section name
description | String | No | The section description
generationNumber | String | Yes | A read-only field. Required when submitting a PUT request to update the firewall: send back the value returned by the preceding GET unchanged.
timestamp | Number | Yes | The last time the section was modified
position | Integer | No | A read-only field
modified | Boolean | No | Indicates whether the section was modified
contextId | String | Yes | A read-only field
managedBy | String | No | Indicates whether the section is a local section that you created or the central section used by the system

The properties for a rule consist of several general elements, a sectionId, and four objects: appliedToList, sources, destinations, and services.

RULES PROPERTIES — GENERAL (rules – Array)

Element | Type | Required | Description
--- | --- | --- | ---
name | String | Yes | The name for the rule
id | Number | Yes | The ID for the rule. Note: leave this element out when creating a rule by using the PUT method; the system auto-generates an ID for the rule.
disabled | Boolean | No | Disables the rule when true. By default, disabled is false, that is, the rule is enabled.
action | String | No | Sets one of the following actions. allow: permits traffic that matches the specified sources, destinations, and services. deny: silently drops matching traffic. reject: drops matching traffic and sends a reject message for each rejected packet (a TCP RST for TCP connections, an ICMP message for UDP and other IP traffic). By default, the action is deny.
logged | Boolean | No | Enables logging for the rule. By default, logged is false.
notes | String | No | Provides additional information about the rule

You can create firewall rules that apply globally, and then narrow the scope at which the rule is enforced by using the Applied To List.

RULES PROPERTIES — APPLIED TO LIST (appliedToList – Array)

Element | Type | Required | Description
--- | --- | --- | ---
name | String | No | The name of the entity that the Applied To List controls. For example, if you set VirtualMachine for the type, specify which virtual machine by setting the virtual machine name (marketing-west-linux).
value | String | No | The ID of the object that the type refers to. For example, if you set VirtualMachine for the type, specify the virtual machine ID (a9648d0a-e549-31f0-8a6c-270f18990d0e). If necessary, submit a GET request to the object to obtain its ID.
type | String | No | Specifies what kind of object the Applied To List controls. Set one of the following values (unless you specify the target by using ipSetValue): Datacenter, VirtualMachine, Vnic, Network, IPSet
isValid | Boolean | No | Whether the Applied To value refers to a valid object. When false, the referenced object has been deleted.
ipSetValue | String | No | Specifies that the rule applies to an IP address given inline rather than to an IP Set object that you created previously

RULES PROPERTIES — SECTION ID

Element | Type | Required | Description
--- | --- | --- | ---
sectionId | String | Yes | Specifies the section ID. The system auto-generates this value for the rule; it matches the ID of the section in which the rule is included.

You can specify a source as an object reference or as a specific IP address (ipSetValue).

RULES PROPERTIES — SOURCES (sources)

Element | Type | Required | Description
--- | --- | --- | ---
excluded | Boolean | No | Excludes the listed sources from the rule: when true, the rule matches traffic from every source except those in sourceList
sourceList | Array | No | The sources; a single object or an array of objects with the elements below

SOURCE LIST (sourceList – Array)

Element | Type | Required | Description
--- | --- | --- | ---
name | String | No | The name of the source that the rule applies to. For example, if you set Datacenter for the type, specify which data center by setting its name (org-101-vdc-1).
value | String | No | The ID of the object that the type refers to. For example, if you set Datacenter for the type, specify the data center ID (72977cd-2de6-4fda-a706-0f8d48ce1377). If necessary, submit a GET request to the object to obtain its ID.
type | String | No | Specifies what kind of object the source is. Set one of the following values (unless you specify the source by using ipSetValue): Datacenter, VirtualMachine, Vnic, Network, IPSet
isValid | Boolean | No | Whether the source value refers to a valid object. When false, the referenced object has been deleted.
ipSetValue | String | No | Specifies that the rule source is an IP address given inline rather than an IP Set object that you created previously

You can specify a destination as an object reference or as a specific IP address (ipSetValue).

RULES — DESTINATIONS (destinations)

Element | Type | Required | Description
--- | --- | --- | ---
excluded | Boolean | No | Excludes the listed destinations from the rule: when true, the rule matches traffic to every destination except those in destinationList
destinationList | Array | No | The destinations; a single object or an array of objects with the elements below

DESTINATION LIST (destinationList – Array)

Element | Type | Required | Description
--- | --- | --- | ---
name | String | No | The name of the destination that the rule applies to. For example, if you set Datacenter for the type, specify which data center by setting its name (org-101-vdc-1).
value | String | No | The ID of the object that the type refers to. For example, if you set Datacenter for the type, specify the data center ID (72977cd-2de6-4fda-a706-0f8d48ce1377). If necessary, submit a GET request to the object to obtain its ID.
type | String | No | Specifies what kind of object the destination is. Set one of the following values (unless you specify the destination by using ipSetValue): Datacenter, VirtualMachine, Vnic, Network, IPSet
isValid | Boolean | No | Whether the destination value refers to a valid object. When false, the referenced object has been deleted.
ipSetValue | String | No | Specifies that the rule destination is an IP address given inline rather than an IP Set object that you created previously

Specify the service as a port–protocol combination. You can reference a predefined service (Application) or service group (ApplicationGroup) by ID, or define a new port–protocol combination inline.

RULES — SERVICES (services | serviceList – Array)

Element | Type | Required | Description
--- | --- | --- | ---
name | String | No | The name of the service to which the rule applies; for example SSH if you are referencing that predefined application
value | String | No | The ID of the referenced service. For example, if you set Application for the type, specify the application ID (a9648d0a-e549-31f0-8a6c-270f18990d0e). If necessary, submit a GET request to the object to obtain its ID.
type | String | No | Specifies whether the referenced service is an Application or an ApplicationGroup
isValid | Boolean | No | Whether the referenced service is a valid object. When false, the service has been deleted.
ipSetValue | String | No |
sourcePort | String | No | Sets the source port as part of an inline port–protocol combination. You can specify an array of up to 15 ports for the service source.
destinationPort | String | No | Sets the destination port as part of an inline port–protocol combination. You can specify an array of up to 15 ports for the service destination.
protocol | Integer | No | Sets the IP protocol number for the rule (for example 6 for TCP, 17 for UDP, 1 for ICMP). Note: the distributed firewall supports Application Level Gateway (ALG) for the following protocols: FTP, CIFS, Oracle TNS, MS-RPC, and Sun-RPC.
subProtocol | Integer | No | The TCP or UDP port
icmpCode | Integer | No | If the protocol is ICMP, the ICMP code (sub-type)
protocolName | String | No | Displays the protocol name. A read-only field.
subProtocolName | String | No | A display name for the subprotocol. A read-only field.
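The tables above (global properties, section properties, rule elements, Applied To List, sources, destinations and services) describe the shape of a rule but not how the pieces fit together in a PUT. The following is an added example, not vCloud Air code: it builds a rule that conforms to those tables (typed object references, an inline ipSetValue, an inline port–protocol service, the 15-port limit, no id and no direction), inserts it into a section taken from a GET response, and returns the PUT body with generationNumber carried over unchanged. SAMPLE_GET, the admin address 203.0.113.10 and the managedBy value "local" are constructed; the VM name and ID are the ones this page uses as examples. The page types sourcePort and destinationPort as String while allowing up to 15 ports, so the example joins the ports with commas, which is an assumption about the wire format.

```python
"""Build a schema-conformant distributed firewall rule and the PUT body that
carries it. Added example, not vCloud Air code; see the lead-in for assumptions."""
import copy

OBJECT_TYPES = {"Datacenter", "VirtualMachine", "Vnic", "Network", "IPSet"}
SERVICE_TYPES = {"Application", "ApplicationGroup"}
ACTIONS = {"allow", "deny", "reject"}
MAX_PORTS = 15                                 # per side of a port-protocol combination
IP_PROTO = {"tcp": 6, "udp": 17, "icmp": 1}    # IANA protocol numbers


def object_ref(obj_type=None, name=None, value=None, ip_set_value=None):
    """One entry of sourceList, destinationList or appliedToList: either a typed
    reference to an existing object (type + value) or an inline address (ipSetValue)."""
    if ip_set_value is not None:
        return {"ipSetValue": ip_set_value}
    if obj_type not in OBJECT_TYPES:
        raise ValueError(f"type must be one of {sorted(OBJECT_TYPES)}, got {obj_type!r}")
    if not value:
        raise ValueError("value (the object ID obtained with GET on the object) is required")
    return {"name": name, "value": value, "type": obj_type}


def service_ref(name, value, svc_type="Application"):
    """Reference a predefined service or service group by ID."""
    if svc_type not in SERVICE_TYPES:
        raise ValueError(f"type must be Application or ApplicationGroup, got {svc_type!r}")
    return {"name": name, "value": value, "type": svc_type}


def inline_service(name, protocol, destination_ports, source_ports=()):
    """Define a port-protocol combination inline, enforcing the 15-port limit.
    Ports are joined with commas (assumption, see lead-in)."""
    for side, ports in (("source", source_ports), ("destination", destination_ports)):
        if len(ports) > MAX_PORTS:
            raise ValueError(f"{side}Port: at most {MAX_PORTS} ports, got {len(ports)}")
    proto = IP_PROTO[protocol] if isinstance(protocol, str) else int(protocol)
    svc = {"name": name, "protocol": proto,
           "destinationPort": ",".join(str(p) for p in destination_ports)}
    if source_ports:
        svc["sourcePort"] = ",".join(str(p) for p in source_ports)
    return svc


def build_rule(name, action, sources, destinations, services, applied_to,
               logged=True, notes=""):
    """A rule as the page describes it: no id (the system assigns one on PUT),
    no sectionId (the system sets it from the enclosing section) and no
    direction (VMware does not recommend setting it)."""
    if action not in ACTIONS:
        raise ValueError(f"action must be one of {sorted(ACTIONS)}, got {action!r}")
    return {
        "name": name,
        "disabled": False,
        "action": action,
        "logged": logged,
        "notes": notes,
        "appliedToList": list(applied_to),
        "sources": {"excluded": False, "sourceList": list(sources)},
        "destinations": {"excluded": False, "destinationList": list(destinations)},
        "services": {"serviceList": list(services)},
        "packetType": "any",
    }


def example_rule():
    """Allow SSH from one admin address to marketing-west-linux, with the rule
    enforced only at that VM through the Applied To list."""
    vm = object_ref("VirtualMachine", "marketing-west-linux",
                    "a9648d0a-e549-31f0-8a6c-270f18990d0e")
    admin = object_ref(ip_set_value="203.0.113.10")        # constructed address
    return build_rule("allow-admin-ssh", "allow",
                      sources=[admin], destinations=[vm],
                      services=[inline_service("ssh", "tcp", [22])],
                      applied_to=[vm], notes="added by example; review quarterly")


def insert_rule(config, section_name, rule, position=0):
    """Build the PUT body: deep-copy the GET response, insert the rule into the
    named layer3 section (position 0 is evaluated first within the section) and
    keep generationNumber exactly as GET returned it, as the page requires."""
    body = copy.deepcopy(config)
    for section in body["layer3Sections"]:
        if section["properties"]["name"] == section_name:
            section["rules"].insert(position, rule)
            return body
    raise KeyError(f"no layer3 section named {section_name!r}")


# Constructed GET response: one empty user section with read-only fields filled in.
SAMPLE_GET = {
    "timestamp": 1461000000000, "contextId": "example-context", "provisioned": True,
    "generationNumber": "1461000000000",
    "layer3Sections": [{
        "properties": {"id": 1001, "name": "web-tier", "description": "",
                       "generationNumber": "1461000000000", "timestamp": 1461000000000,
                       "position": 0, "modified": False, "contextId": "example-context",
                       "managedBy": "local"},
        "rules": []}],
    "layer2Sections": [],
}

if __name__ == "__main__":
    import json
    print(json.dumps(insert_rule(SAMPLE_GET, "web-tier", example_rule()), indent=2))
```

Because the system rejects or misapplies an update whose generationNumber does not match the current configuration, the body must always be derived from a fresh GET; the copy keeps the original response intact so the caller can retry with a new GET if the PUT fails.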

Configure the following additional elements for each rule of the distributed firewall.

RULES — ADDITIONAL ELEMENTS

Element | Type | Required | Description
--- | --- | --- | ---
type | Number | No | A read-only field
managedBy | String | No | A read-only field
direction | String | No | Indicates whether the rule controls incoming traffic (in), outgoing traffic (out), or both (inout). Note: VMware does not recommend specifying the direction for firewall rules.
packetType | String | No | Specify any, IPv4, or IPv6
ruleDisabled | Number | No | Enables or disables the rule. By default, ruleDisabled is false.
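Several of the tables on this page describe states that a configuration can drift into after it was written: isValid becomes false when a referenced object is deleted, a service may carry more ports than the 15 allowed, direction may have been set although VMware does not recommend it, and a rule may be disabled. The following added example (not vCloud Air code) walks a GET response, Layer 2 sections first since they are processed first, and reports those conditions plus allow rules whose sources, destinations and services are all empty. SAMPLE_CONFIG and the "db-legacy" entry are constructed; the VM and data center names and IDs are the ones this page uses as examples.

```python
"""Audit a distributed firewall configuration (the body returned by GET) for
stale references, over-long port lists, unknown enumeration values, rules with
direction set, disabled rules and allow rules that match everything.
Added example, not vCloud Air code; SAMPLE_CONFIG is constructed."""

OBJECT_TYPES = {"Datacenter", "VirtualMachine", "Vnic", "Network", "IPSet"}
SERVICE_TYPES = {"Application", "ApplicationGroup"}
ACTIONS = {"allow", "deny", "reject"}
MAX_PORTS = 15


def entries(container, list_key=None):
    """sources, destinations and appliedToList may be one object or an array;
    sources/destinations/services wrap theirs in sourceList/destinationList/serviceList."""
    if container is None:
        return []
    if list_key and isinstance(container, dict) and list_key in container:
        container = container[list_key]
    return [container] if isinstance(container, dict) else list(container)


def port_count(spec):
    """sourcePort/destinationPort arrive as a comma-separated String or an array."""
    if not spec:
        return 0
    return len([p for p in spec.split(",") if p.strip()]) if isinstance(spec, str) else len(spec)


def audit_rule(section_name, rule):
    """Yield (section, rule, finding) tuples for one rule."""
    where = (section_name, rule.get("name", "<unnamed>"))
    if rule.get("action") not in ACTIONS:
        yield (*where, f"unknown action {rule.get('action')!r}")
    if rule.get("direction"):
        yield (*where, "direction is set; VMware does not recommend specifying it")
    if rule.get("disabled") or rule.get("ruleDisabled"):
        yield (*where, "rule is disabled and not enforced")
    src = entries(rule.get("sources"), "sourceList")
    dst = entries(rule.get("destinations"), "destinationList")
    svc = entries(rule.get("services"), "serviceList")
    applied = entries(rule.get("appliedToList"))
    for label, refs, types in (("source", src, OBJECT_TYPES), ("destination", dst, OBJECT_TYPES),
                               ("appliedTo", applied, OBJECT_TYPES), ("service", svc, SERVICE_TYPES)):
        for ref in refs:
            if ref.get("isValid") is False:   # object deleted: the rule no longer matches it
                yield (*where, f"{label} {ref.get('name')!r} references a deleted object")
            if "ipSetValue" not in ref and "type" in ref and ref["type"] not in types:
                yield (*where, f"{label} has unknown type {ref['type']!r}")
    for s in svc:                             # inline port-protocol services
        for side in ("sourcePort", "destinationPort"):
            n = port_count(s.get(side))
            if n > MAX_PORTS:
                yield (*where, f"service {s.get('name')!r}: {side} lists {n} ports, limit is {MAX_PORTS}")
    if rule.get("action") == "allow" and not (src or dst or svc):
        yield (*where, "allow rule with empty sources, destinations and services matches all traffic")


def audit(config):
    """Walk Layer 2 sections first (they are processed first), then Layer 3."""
    findings = []
    for key in ("layer2Sections", "layer3Sections"):
        for section in config.get(key) or []:
            for rule in section.get("rules") or []:
                findings.extend(audit_rule(section["properties"]["name"], rule))
    return findings


VM = {"name": "marketing-west-linux", "type": "VirtualMachine",
      "value": "a9648d0a-e549-31f0-8a6c-270f18990d0e", "isValid": True}
DC = {"name": "org-101-vdc-1", "type": "Datacenter",
      "value": "72977cd-2de6-4fda-a706-0f8d48ce1377", "isValid": True}
GONE = {"name": "db-legacy", "type": "VirtualMachine", "value": "constructed-deleted-id", "isValid": False}

SAMPLE_CONFIG = {
    "timestamp": 1461000000000, "contextId": "example-context", "provisioned": True,
    "generationNumber": "1461000000000", "layer2Sections": [],
    "layer3Sections": [{
        "properties": {"id": 1001, "name": "web-tier", "generationNumber": "1461000000000",
                       "timestamp": 1461000000000, "contextId": "example-context"},
        "rules": [
            {"name": "allow-admin-ssh", "id": 2001, "sectionId": "1001", "action": "allow", "logged": True,
             "sources": {"excluded": False, "sourceList": [{"ipSetValue": "203.0.113.10"}]},
             "destinations": {"excluded": False, "destinationList": [VM]},
             "services": {"serviceList": [{"name": "SSH", "protocol": 6, "destinationPort": "22"}]},
             "appliedToList": [VM]},
            {"name": "deny-old-db", "id": 2002, "sectionId": "1001", "action": "deny", "direction": "in",
             "sources": {"excluded": False, "sourceList": []},
             "destinations": {"excluded": False, "destinationList": GONE},   # single-object form
             "services": {"serviceList": [{"name": "wide", "protocol": 6,
                                           "destinationPort": ",".join(str(p) for p in range(1, 17))}]},
             "appliedToList": DC},                                           # single-object form
            {"name": "temp-any-any", "id": 2003, "sectionId": "1001", "action": "allow", "logged": False,
             "sources": {"excluded": False, "sourceList": []},
             "destinations": {"excluded": False, "destinationList": []},
             "services": {"serviceList": []}, "appliedToList": [DC]},
        ]}],
}

if __name__ == "__main__":
    for section, rule, finding in audit(SAMPLE_CONFIG):
        print(f"[{section}] {rule}: {finding}")
```

A deny rule whose destination has isValid false is the case worth treating as urgent: the object it was meant to block no longer resolves, so the rule silently stops matching while still appearing in the section.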