VMware Hands-on Labs - HOL-2026-91-NET


HOL-2026-91-NET - VMware NSX-T Distributed Firewalling Lightning Lab

Distributed Firewall and Tools - Introduction


Welcome to the NSX-T - Distributed Firewall and Tools Lightning Lab.

We have developed Lightning Labs to help you learn about VMware products in small segments of time.  In this module you will learn how to configure the Distributed Firewall, Spoof Guard, and use various tools within NSX-T.

 Lab Captains:

This lab manual can be downloaded from the Hands-on Labs Document site found here:

http://docs.hol.vmware.com

This lab may be available in other languages.  To set your language preference and have a localized manual deployed with your lab, you may utilize this document to help guide you through the process:

http://docs.hol.vmware.com/announcements/nee-default-language.pdf

Below are the lab modules included in the complete VMware NSX-T: Getting Started lab (HOL-2026-01-NET):

If you have never taken a lab, view the Appendix - Lab Guidance to see best practices and tips on how to use the lab environment console.


 

DFW and Tools

The goal of this module is to demonstrate how the distributed firewall (DFW) and operational tools within NSX-T function and are configured.  The Distributed Firewall in NSX-T 2.4 is installed by default with a Connectivity Strategy of "Blacklist".  This means that all traffic is permitted and micro-segmentation is "off".  In this module we will execute the following operations:

 

 

HOL-2026 Logical Diagram

This diagram illustrates what virtual machines make up our 3 Tier Web App for testing

 

 

 

3 Tier Web App ports

This diagram illustrates the port requirements for our 3 Tier Web App

 

 

Distributed Firewall



 

Distributed Firewall in NSX-T

In this Chapter we will review and configure the Distributed Firewall of NSX-T

By default the NSX-T Connectivity Strategy is Blacklist.  This means that all traffic is allowed, and Blacklist or "Deny" firewall rules need to be created in order to block traffic.  Let's verify our precreated 3 Tier App works as expected.

 

 

Connect to 3 Tier Web App

 

  1. Double click on the Chrome icon on the desktop

 

  1. Click on the 3 Tier App bookmark bar folder
  2. Click on the Web-01a shortcut

 

 

Verify connectivity to Web-01a

 

  1. Verify you have successfully connected to Web-01a and it has retrieved data from the App server

Note: Feel free to test Web-02a and Web-03a shortcuts to verify they work as well.  

Now that we have verified our 3 Tier App works, let's change the Connectivity Strategy to Whitelist.

 

 

Login to NSX-T Manager

 

 

  1. Click to open a new tab
  2. Click NSX-T shortcut to launch log in page

 

  1. Input admin for the user name and VMware1!VMware1! for the password
  2. Click Log in

 

 

Navigate to the DFW management page

 

  1. Click on Security
  2. Click on Distributed Firewall
  3. Click on Blacklist

 

  1. Click the radio button next to Whitelist to change the Connectivity Strategy
  2. Click Save to save the configuration
  3. Now that the Connectivity Strategy is Whitelist, explicit allow rules must be created for communication to be allowed in the environment.  Let's verify our 3 Tier App is being blocked.

 

 

Verify 3 Tier App traffic is blocked

 

  1. Switch back to the first Chrome tab
  2. Click the 3 Tier App bookmark folder
  3. Click the Web-01a shortcut
  4. Verify the App can no longer be accessed

Note:  It may take up to 20 seconds for the page to time out.  You can also verify web-02a and web-03a cannot be accessed.  Now that we know the app cannot be reached, let's enable the preconfigured rules and test again.

 

 

Switch back to the NSX-T management tab

 

  1. Click the NSX-T management tab

 

 

Explore the preconfigured 3 Tier App rules

 

  1. Verify you are in the application section of the DFW
  2. Expand the 3 Tier App section
  3. Review the preconfigured rules required for the 3 Tier App to function

 

 

Enable the preconfigured DFW rules

 

  1. Enable each preconfigured rule by clicking the enable / disable slider to the right of the rule
  2. Click Publish to save the settings
  3. Now that the allow rules are enabled, let's test the 3 Tier App connectivity

 

 

Test 3 Tier App connectivity

 

  1. Switch back to the first Chrome tab
  2. Click the 3 Tier App bookmark folder
  3. Click the Web-01a shortcut
  4. Verify the App can be accessed again

We have now enabled the DFW within NSX-T and proven that the preconfigured 3 Tier App rules work as expected.  We will now delete and reconfigure the rules and groups to take a more detailed look at how they are configured.  If you would like to skip this configuration you can jump ahead to the next module.

 

 

Delete the preconfigured 3 Tier App policy

 

  1. Switch back to the NSX-T Chrome tab
  2. Click the 3 dots next to the 3 Tier App policy
  3. Click Delete policy

 

 

Publish the changes

 

 

Navigate to the Groups screen in the Inventory

 

 

Delete the preconfigured groups

 

  1. Delete the app_servers, db_servers, and web_servers groups by following the next step for each

 

 

  1. Click the three dots
  2. Click Delete
  3. Click Delete to confirm

Do this for all three groups (app_servers, db_servers, and web_servers)

 

 

Refresh the screen

 

  1. Click refresh
  2. Verify the groups were deleted

 

 

Create Web Servers group

 

  1. Click Add Group
  2. Input web_servers
  3. Click Set Members

 

 

Select Web Server group members

 

  1. Click on Members
  2. Select Category Virtual Machine from the drop down
  3. Scroll to the bottom of the list
  4. Check the boxes next to all 4 Web Servers
  5. Click Apply

Note: This is just one way of creating a group of virtual machines, the groups you previously deleted utilized tags instead of static members.

 

 

  1. Click Save to save the group

 

 

Create App Servers group

 

  1. Click Add Group
  2. Input app_servers
  3. Click Set Members

 

 

Select App Server group members

 

  1. Click on Members
  2. Select Category Virtual Machine from the drop down
  3. Check box app-01a
  4. Click Apply

Note: This is just one way of creating a group of virtual machines, the groups you previously deleted utilized tags instead of static members.

 

 

  1. Click Save to save the group

 

 

Create DB Servers group

 

  1. Click Add Group
  2. Input db_servers
  3. Click Set Members

 

 

Select DB Server group members

 

  1. Click on Members
  2. Select Category Virtual Machine from the drop down
  3. Check box db-01a
  4. Click Apply

Note: This is just one way of creating a group of virtual machines, the groups you previously deleted utilized tags instead of static members.

 

 

  1. Click Save to save the group

 

 

Verify your new groups have been created

 

  1. Verify your three groups were created
  2. Optional: You can click each group's View Members link to verify the correct VMs are included.
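The three groups above were built from static VM members, while the Note in each group step points out that the deleted groups used tags instead.  The following is an added example (not VMware's code or the lab's) that shows both membership styles in the shape of the NSX-T Policy API group body (PATCH /policy/api/v1/infra/domains/default/groups/<group-id>) and resolves them against a small inventory.  The VM external ids, the "tier" tag scope, and the inventory are constructed; the resolver is a local model that ignores ConjunctionOperator chaining and is not NSX-T's own evaluation code.

```python
"""Static versus tag-based NSX-T group membership (added example, constructed data)."""


def static_group(name, vm_external_ids):
    """Group with a fixed member list, as 'Set Members -> Virtual Machine' produces."""
    return {
        "display_name": name,
        "expression": [{
            "resource_type": "ExternalIDExpression",
            "member_type": "VirtualMachine",
            "external_ids": list(vm_external_ids),
        }],
    }


def tag_group(name, scope, tag):
    """Group whose membership is computed from a VM tag (assumed 'tag|scope' value form)."""
    return {
        "display_name": name,
        "expression": [{
            "resource_type": "Condition",
            "member_type": "VirtualMachine",
            "key": "Tag",
            "operator": "EQUALS",
            "value": f"{tag}|{scope}",
        }],
    }


# Constructed inventory: VM external id -> set of (scope, tag) pairs carried by the VM.
INVENTORY = {
    "vm-web-01a": {("tier", "web")},
    "vm-web-02a": {("tier", "web")},
    "vm-web-03a": {("tier", "web")},
    "vm-web-04a": {("tier", "web")},
    "vm-app-01a": {("tier", "app")},
    "vm-db-01a": {("tier", "db")},
}


def resolve_members(group, inventory):
    """Return the sorted external ids that the group's expression selects from inventory."""
    members = set()
    for expr in group["expression"]:
        kind = expr["resource_type"]
        if kind == "ExternalIDExpression":
            # Static list: only ids that still exist in the inventory count as members.
            members |= {i for i in expr["external_ids"] if i in inventory}
        elif kind == "Condition" and expr["key"] == "Tag":
            tag, scope = expr["value"].split("|", 1)
            members |= {i for i, tags in inventory.items() if (scope, tag) in tags}
    return sorted(members)


def membership_drift(static, dynamic, inventory):
    """VMs selected by the tag group but missing from the static list, and vice versa."""
    s = set(resolve_members(static, inventory))
    d = set(resolve_members(dynamic, inventory))
    return {"only_in_tag_group": sorted(d - s), "only_in_static_group": sorted(s - d)}


if __name__ == "__main__":
    web_ids = ["vm-web-01a", "vm-web-02a", "vm-web-03a", "vm-web-04a"]
    web_static = static_group("web_servers", web_ids)
    web_tagged = tag_group("web_servers", "tier", "web")
    print(membership_drift(web_static, web_tagged, INVENTORY))  # no drift yet
    # A fifth web server is deployed with the tag, but nobody edits the static list.
    grown = dict(INVENTORY, **{"vm-web-05a": {("tier", "web")}})
    print(membership_drift(web_static, web_tagged, grown))  # vm-web-05a only in tag group
```

The drift check is the practical point: a static group silently stops covering new workloads, so a rule written against it leaves the fifth web server outside the Client Access allow rule (and, under Whitelist, unreachable) until someone edits the list, whereas a tag-based group follows the workload as soon as it is tagged.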

 

 

3 Tier App port requirements

 

As a reminder, here are the port requirements for the 3 Tier App to function.  Next, let's go to the Distributed Firewall section to create the rules.

 

 

Navigate to the DFW section

 

  1. Click Security
  2. Click Distributed Firewall
  3. Click Application

 

 

Create a new Security Policy

 

  1. Click Add Policy
  2. Type 3 Tier App in the text field

 

 

Add Client Access rule

 

  1. Click the three dots next to the 3 Tier App Policy
  2. Click Add Rule

 

  1. Click on the name field and name the rule Client Access
  2. Leave the Source as Any
  3. Click on the pencil icon under Destinations

 

  1. Check the check box next to web_servers group you created earlier
  2. Click Apply to save the Destination

 

  1. Click the pencil icon under Services

 

  1. Type HTTPS in the search box to find the HTTPS service
  2. Check the check box next to the HTTPS service
  3. Click Apply

 

 

Verify and publish the Client Access Rule

 

  1. Verify the Client Access rule is configured as follows
  2. Click Publish

Client Access Rule settings:

Name:  Client Access

Sources: Any

Destinations: web_servers

Services: HTTPS

Action: Allow

 

 

Create Web to App access rule

 

  1. Use the same process to create the Web to App Access rule as you did for the Client Access rule
  2. Click Publish

Web to App Access Rule settings:

Name:  Web to App Access

Sources: web_servers

Destinations: app_servers

Services: TCP_8443

Action: Allow

 

 

Create App to DB access rule

 

  1. Use the same process to create the App to DB Access rule as you did for the Client Access rule
  2. Click Publish

App to DB Access Rule settings:

Name:  App to DB Access

Sources: app_servers

Destinations: db_servers

Services: HTTP

Action: Allow
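The three rules above, together with the Whitelist strategy set earlier, are what actually enforce micro-segmentation for the app.  The following is an added example (not VMware's code or the lab's) that expresses the same policy in the shape of the NSX-T Policy API security-policy body and then checks locally which flows it permits under each connectivity strategy.  Assumed (constructed) details: the policy id 3-tier-app, group paths of the form /infra/domains/default/groups/<name>, the built-in service paths /infra/services/HTTPS and /infra/services/HTTP, a pre-created custom service at /infra/services/TCP_8443, and the strategy body for PATCH /policy/api/v1/infra.  The evaluator is a simplified first-match model that ignores Applied To, rule direction and connection state.

```python
"""The lab's 3 Tier App DFW policy as Policy API bodies, plus a local flow audit.
Added example with constructed ids and paths; not NSX-T's own evaluation code."""

# Constructed: service path -> (protocol, destination port), from the lab's port diagram.
SERVICE_PORTS = {
    "/infra/services/HTTPS": ("TCP", 443),
    "/infra/services/TCP_8443": ("TCP", 8443),
    "/infra/services/HTTP": ("TCP", 80),
}


def group_path(name):
    return f"/infra/domains/default/groups/{name}"


def rule(name, sources, destinations, services, action="ALLOW"):
    """One DFW rule; 'ANY' is the API's literal for an unrestricted source or destination."""
    def as_paths(names):
        return ["ANY" if n == "ANY" else group_path(n) for n in names]
    return {
        "display_name": name,
        "source_groups": as_paths(sources),
        "destination_groups": as_paths(destinations),
        "services": list(services),
        "action": action,
    }


# Body for PATCH /policy/api/v1/infra/domains/default/security-policies/3-tier-app (assumed id).
THREE_TIER_POLICY = {
    "display_name": "3 Tier App",
    "category": "Application",
    "rules": [
        rule("Client Access", ["ANY"], ["web_servers"], ["/infra/services/HTTPS"]),
        rule("Web to App Access", ["web_servers"], ["app_servers"], ["/infra/services/TCP_8443"]),
        rule("App to DB Access", ["app_servers"], ["db_servers"], ["/infra/services/HTTP"]),
    ],
}


def connectivity_strategy_body(strategy):
    """Body for PATCH /policy/api/v1/infra (assumed field); strategy is WHITELIST or BLACKLIST."""
    if strategy not in ("WHITELIST", "BLACKLIST"):
        raise ValueError(strategy)
    return {"connectivity_strategy": strategy}


def _side_matches(groups, vm_group):
    # vm_group is None for an endpoint outside every group, e.g. the client's browser.
    return "ANY" in groups or (vm_group is not None and group_path(vm_group) in groups)


def evaluate(policy, strategy, src_group, dst_group, proto, port):
    """First-match over the policy's rules; unmatched traffic hits the default rule,
    which is ALLOW under BLACKLIST and DROP under WHITELIST."""
    for r in policy["rules"]:
        if (_side_matches(r["source_groups"], src_group)
                and _side_matches(r["destination_groups"], dst_group)
                and any(SERVICE_PORTS[s] == (proto, port) for s in r["services"])):
            return r["action"]
    return "ALLOW" if strategy == "BLACKLIST" else "DROP"


# Constructed flows: the three the app needs, plus lateral paths that should stay closed.
FLOWS = [
    ("client->web", None, "web_servers", "TCP", 443),
    ("web->app", "web_servers", "app_servers", "TCP", 8443),
    ("app->db", "app_servers", "db_servers", "TCP", 80),
    ("client->app", None, "app_servers", "TCP", 8443),
    ("web->db", "web_servers", "db_servers", "TCP", 80),
    ("client->web-ssh", None, "web_servers", "TCP", 22),
]


def audit(policy, strategy, flows=FLOWS):
    """Map each flow label to the verdict the policy gives it under the given strategy."""
    return {label: evaluate(policy, strategy, s, d, p, port) for label, s, d, p, port in flows}


if __name__ == "__main__":
    import json
    print(json.dumps(connectivity_strategy_body("WHITELIST")))
    print(json.dumps(THREE_TIER_POLICY, indent=2))
    for strategy in ("BLACKLIST", "WHITELIST"):
        print(strategy, audit(THREE_TIER_POLICY, strategy))
```

Running the audit under both strategies makes the lab's earlier observation concrete: under BLACKLIST every flow, including client-to-app and web-to-db, is allowed by the default rule whether or not the three rules exist, while under WHITELIST only the three diagrammed flows pass and everything else falls through to DROP.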

 

 

Test the 3 Tier App

 

  1. Switch back to the 3 Tier App Chrome tab
  2. Click the 3 Tier App bookmark folder
  3. Click web-01a shortcut
  4. Verify the 3 Tier App functions properly

Congratulations, you have successfully configured micro-segmentation rules for a 3 Tier App!

 

Lightning Lab Conclusion


In this lab you learned about the DFW and tools that can be deployed and used in NSX-T.


 

You've finished the Lightning Lab

 

Congratulations on completing the Lightning Lab.

Below are the lab modules included in the complete VMware NSX-T: Getting Started lab (HOL-2026-01-NET)

Lab Module List:

 

 

 

How to End Lab

 

To end your lab click on the END button.  

 

Appendix - Lab Guidance



 

Location of the Main Console

 

  1. The area in the RED box contains the Main Console.  The Lab Manual is on the tab to the Right of the Main Console.
  2. A particular lab may have additional consoles found on separate tabs in the upper left. You will be directed to open another specific console if needed.
  3. Your lab starts with 90 minutes on the timer.  The lab cannot be saved.  All your work must be done during the lab session.  But you can click EXTEND to increase your time.  If you are at a VMware event, you can extend your lab time twice, for up to 30 minutes.  Each click gives you an additional 15 minutes.  Outside of VMware events, you can extend your lab time up to 9 hours and 30 minutes.  Each click gives you an additional hour.

 

 

Alternate Methods of Keyboard Data Entry

During this module, you will input text into the Main Console. Besides directly typing it in, there are two very helpful methods of entering data which make it easier to enter complex data.

 

 

Click and Drag Lab Manual Content Into Console Active Window

You can also click and drag text and Command Line Interface (CLI) commands directly from the Lab Manual into the active window in the Main Console.  

 

 

Accessing the Online International Keyboard

 

You can also use the Online International Keyboard found in the Main Console.

  1. Click on the Keyboard Icon found on the Windows Quick Launch Task Bar.

 

 

Activation Prompt or Watermark

 

When you first start your lab, you may notice a watermark on the desktop indicating that Windows is not activated.  

One of the major benefits of virtualization is that virtual machines can be moved and run on any platform.  The Hands-on Labs utilizes this benefit and we are able to run the labs out of multiple datacenters.  However, these datacenters may not have identical processors, which triggers a Microsoft activation check through the Internet.

Rest assured, VMware and the Hands-on Labs are in full compliance with Microsoft licensing requirements.  The lab that you are using is a self-contained pod and does not have full access to the Internet, which is required for Windows to verify the activation.  Without full access to the Internet, this automated process fails and you see this watermark.

This cosmetic issue has no effect on your lab.  

 

 

Look at the lower right portion of the screen

 

Please check to see that your lab has finished all the startup routines and is ready for you to start. If you see anything other than "Ready", please wait a few minutes.  If after 5 minutes your lab has not changed to "Ready", please ask for assistance.


 

Conclusion

Thank you for participating in the VMware Hands-on Labs. Be sure to visit http://hol.vmware.com/ to continue your lab experience online.

Lab SKU: HOL-2026-91-NET

Version: 20200512-075322