Understanding the vGW Series Policy per vNIC Feature

This topic covers the vGW Series Policy per vNIC feature, which lets you configure a separate firewall policy for each interface, or virtual NIC (vNIC), on a VM that has more than one vNIC.

Before you use Policy per vNIC, you should be familiar with how to secure VMs and manage firewall policies, and you should have an overall understanding of the configuration of VMs that include more than one vNIC.

This topic includes the following sections:

About Policy per vNIC

You enable the Policy per vNIC feature in the Settings module, in the vGW Application Settings > Install Settings > Policy Per vNIC pane. You can enable Policy per vNIC, or you can accept the default behavior, which secures all vNICs on a VM with the same policy. Enabling Policy per vNIC does not prevent you from configuring a policy for a VM that has only one vNIC.

If you do not enable Policy per vNIC, you cannot configure individual policies for the vNICs on a VM that has more than one vNIC. In that case, all of the VM's vNICs inherit the same policy.

If you enable the Policy per vNIC feature, you can also enable an option that exempts one or more vNICs on the same VM from requiring a firewall policy. This effectively bypasses firewall security for those interfaces: traffic through an exempt vNIC is not subject to any vGW firewall policy. When you enable this option, you can secure some vNICs with their own policies and leave other vNICs on the same VM unsecured, so review which vNICs are exempt before relying on the VM being protected.

You enable or disable Policy per vNIC at the global level: its configuration applies to all VMs that you secure using the same vGW Security Design VM. You cannot disable Policy per vNIC when individual vNICs have active policies applied to them.

You create policies for vNICs on the Firewall module Manage Policy page. Figure 125 shows the policy page for vNIC1 of the IT-WWW-DEV VM.

Figure 125: Policy for Single vNIC


Why Use Policy per vNIC

Policy per vNIC satisfies many requirements that emerge in a virtualized environment. For example:

vNICs With Individual Policies and Smart Groups

VMs for which the Policy per vNIC feature is used can be included in Smart Groups. You can choose whether membership in a Smart Group applies to the entire VM, that is, to all of its interfaces, or only to the vNICs that the Smart Group logic matches. For example, a single vNIC might belong to a port group or be connected to a particular VLAN, and that attribute alone could qualify it for membership in a Smart Group. For details on the relationship between vNICs and Smart Groups when Policy per vNIC is configured, see Understanding Policy per vNIC and Smart Groups for VMware Environments.

Viewing vNICs With Individual Policies

This section gives an overview of the vNIC information displayed by the vGW Security Design VM. See also Configuring and Displaying vGW Policies for Individual vNICs on the Same VM.

When the Policy per vNIC feature is enabled:

If you do not use the Policy per vNIC feature, the same policy is applied to all vNICs of a VM, and the VM is displayed as a single host in the VM Tree.

Note: When a vNIC that has a policy is deleted, it no longer appears in the list of vNICs with a policy. When you disable Policy per vNIC, the policies for all deleted vNICs are cleared. However, these changes are not applied automatically. Consequently, if you re-create a vNIC after having deleted it, the Apply Policy page for the VM might indicate that there are policy changes that have not been applied, even though it lists no changes under the Global, Group, and VM policies.

Naming Conventions for vNICs

vGW Series aligns with the convention for naming vNICs that is used by VMware in its vCenter:

Related Documentation