Understanding the vGW Series Policy-per-vNIC Feature

This topic covers the vGW Series Policy-per-vNIC feature that allows you to configure separate firewall policies for individual interfaces, or virtual NICs (vNICs), on the same VM.

Before you use the Policy-per-vNIC feature, you should be familiar with securing VMs and policy management, and you should have an overall understanding of VMs with more than one vNIC.

About Policy-per-vNIC

You use the Settings > Install Settings page to configure the Policy-per-vNIC feature. You can choose to enable the Policy-per-vNIC feature, or you can use the default capability that secures all vNICs on a VM in the same way. If you enable Policy-per-vNIC, you can still configure a policy for a single vNIC on a VM that has only one vNIC.

If you do not enable Policy-per-vNIC, you cannot configure individual policies for any vNICs on the VM. All of the VM’s vNICs inherit the same policy. The Policy-per-vNIC setting is global for your deployment: it applies to every VM secured by the same vGW Security Design VM, not to individual VMs.

If you enable the Policy-per-vNIC feature, you can enable an option that allows you to exempt one or more vNICs on the same VM from requiring a firewall policy, effectively bypassing firewall security. When you enable this option, you can secure some individual vNICs with their own policies and leave other vNICs on the same VM unsecured.

Figure 92 shows the Install Settings page that you use to enable vGW Policy-per-vNIC and define its behavior.

Figure 92: Policy Per vNIC


Why Use Policy-per-vNIC

The Policy-per-vNIC feature meets many requirements. For example, an administrator whose deployment includes more than one PortGroup/vSwitch might want to have different policies for each of the networks that their VMs connect to.

Their deployment might include a server that connects to both the front-end network for customer interaction and the back-end network for storage and management. The administrator might want to disable the firewall on the back-end vNIC only. For this purpose, they can select the Enable opt-out of firewalling per vNIC option. Note that traffic on an opted-out vNIC is not inspected at all, so the back-end network must be trusted and isolated by other means.

vNICs With Individual Policies and Smart Groups

VMs for which the Policy-per-vNIC feature is used can be included in Smart Groups. You can choose whether membership in a Smart Group applies to the entire VM, that is, all of its interfaces, or only the vNICs that the Smart Group logic applies to. For example, an interface might belong to a port group or be connected to a certain VLAN which could qualify its membership in a Smart Group. For details on the relationship between vNICs and Smart Groups when Policy-per-vNIC is configured, see Understanding Policy-per-vNIC and Smart Groups.
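The following model, added here to illustrate the behavior described in the About Policy-per-vNIC and Smart Groups sections, is not vGW Series code. It assumes hypothetical data structures (InstallSettings, VM, VNic) and resolves the effective policy of each vNIC from the two Install Settings toggles, audits which vNICs end up with no firewall, and shows the difference between VM-scoped and vNIC-scoped Smart Group membership. The sample VM is constructed for the example.

```python
"""Illustrative model of vGW Policy-per-vNIC resolution (not vGW Series code)."""
from dataclasses import dataclass, field
from typing import Callable, List, Optional

# Sentinel for a vNIC whose traffic bypasses the firewall entirely.
UNFIREWALLED = None


@dataclass
class VNic:
    name: str
    port_group: str            # vSwitch port group the vNIC is attached to
    vlan: int
    policy: Optional[str] = None   # vNIC-specific policy, if the admin assigned one
    opt_out: bool = False          # admin marked this vNIC as exempt from firewalling


@dataclass
class VM:
    name: str
    policy: str                # VM-level policy; the default for every vNIC
    vnics: List[VNic] = field(default_factory=list)


@dataclass
class InstallSettings:
    """The two Install Settings toggles. Both are global to the Security Design VM."""
    policy_per_vnic: bool = False
    opt_out_per_vnic: bool = False   # "Enable opt-out of firewalling per vNIC"


def resolve_policy(settings: InstallSettings, vm: VM, vnic: VNic) -> Optional[str]:
    """Effective policy for one vNIC under the given global settings.

    Assumption: when Policy-per-vNIC is disabled, per-vNIC settings are ignored
    entirely; when the opt-out option is disabled, the vNIC opt-out flag is ignored.
    """
    if not settings.policy_per_vnic:
        return vm.policy                      # every vNIC inherits the VM policy
    if settings.opt_out_per_vnic and vnic.opt_out:
        return UNFIREWALLED                   # explicitly exempted: no inspection
    return vnic.policy if vnic.policy is not None else vm.policy


def effective_policies(settings: InstallSettings, vm: VM) -> dict:
    return {v.name: resolve_policy(settings, vm, v) for v in vm.vnics}


def unfirewalled_vnics(settings: InstallSettings, vms: List[VM]) -> list:
    """Audit helper: every (vm, vnic) pair whose traffic bypasses the firewall."""
    return [(vm.name, v.name) for vm in vms for v in vm.vnics
            if resolve_policy(settings, vm, v) is UNFIREWALLED]


def smart_group_members(settings: InstallSettings, vms: List[VM],
                        predicate: Callable[[VNic], bool], scope: str = "vm") -> list:
    """Smart Group membership for a vNIC-level predicate (port group, VLAN, ...).

    scope="vm": the whole VM (all its vNICs) joins if any vNIC matches.
    scope="vnic": only the matching vNICs join.
    Without Policy-per-vNIC the VM is a single node, so membership is VM-scoped.
    """
    if not settings.policy_per_vnic:
        scope = "vm"
    if scope == "vm":
        return [vm.name for vm in vms if any(predicate(v) for v in vm.vnics)]
    return [(vm.name, v.name) for vm in vms for v in vm.vnics if predicate(v)]


def sample_vm() -> VM:
    # Constructed sample: one server on a customer-facing and a storage/management network.
    return VM("web01", policy="web-default", vnics=[
        VNic("eth0", port_group="Frontend", vlan=10, policy="dmz-web"),
        VNic("eth1", port_group="Backend-Storage", vlan=20, opt_out=True),
    ])


if __name__ == "__main__":
    vm = sample_vm()
    for s in (InstallSettings(), InstallSettings(True), InstallSettings(True, True)):
        print(s, effective_policies(s, vm), unfirewalled_vnics(s, [vm]))
    on = InstallSettings(True, True)
    print(smart_group_members(on, [vm], lambda v: v.vlan == 20, scope="vm"))
    print(smart_group_members(on, [vm], lambda v: v.vlan == 20, scope="vnic"))
```

Running the audit function after changing either Install Settings toggle is the check a practitioner wants: because the toggles are global, enabling opt-out can silently remove inspection from every vNIC an administrator previously flagged on any VM.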

Displaying vNICs With Individual Policies

This section gives an overview of how vNICs and their information are displayed by the vGW Security Design VM. For additional information on how policy information is configured and displayed for vNICs, see Configuring and Displaying vGW Policies for Individual vNICs on the Same VM.

When the Policy-per-vNIC feature is enabled:

Note: If you do not use the Policy-per-vNIC feature, the same policy is applied to all vNICs, and the VM is displayed as a single node in the VM Tree.

Naming Conventions for vNICs

vGW Series aligns with the convention for naming vNICs that is used by VMware in its vCenter:

