---
title: "Managing the distributed firewall in NSX"
description: "Learn how to manage the distributed firewall by creating a rule that blocks traffic between a virtual machine and all virtual machines in another segment"
url: https://docs.ovhcloud.com/es/guides/hosted-private-cloud/powered-by-vmware/nsx-manage-distributed-firewall
lang: es
lastUpdated: 2023-02-27
---
# Managing the distributed firewall in NSX

## Objective

The distributed firewall feature in NSX filters traffic for all elements in your VMware cluster that are on Overlay or VLAN segments. It is normally used on east-west connections (ovh-T1-gw), but it also works with elements of the VMware cluster that are connected to the north-south gateway (ovh-T0-gw). Filtering applies from the source (VM, segment, network, etc.).

To simplify the administration of NSX, you can place tags on your elements (segments, virtual machines, roles, etc.) and create groups that contain the objects associated with the tags or IP address ranges (this solution should not be preferred).

**Learn how to manage the distributed firewall by creating a rule that blocks traffic between a virtual machine and all virtual machines in another segment.**

:::warning
OVHcloud provides services for which you are responsible, with regard to their configuration and management. It is therefore your responsibility to ensure that they work properly.

This guide is designed to assist you as much as possible with common tasks. However, we recommend contacting a [specialist provider](https://partner.ovhcloud.com/es-es/directory/) if you experience any difficulties or doubts when it comes to managing, using or setting up a service on a server.

:::

## Requirements

- Being an administrative contact of your [Hosted Private Cloud infrastructure](https://www.ovhcloud.com/es-es/enterprise/products/hosted-private-cloud/) to receive login credentials.
- A user account with access to the <ManagerLink to="/">OVHcloud Control Panel</ManagerLink>.
- Having **NSX** deployed with two segments configured. See our guide on [segment management in NSX](/es/guides/hosted-private-cloud/powered-by-vmware/nsx-segment-management.md) for more information.

## Instructions

We will isolate communication between a virtual machine and all virtual machines in a segment bi-directionally by performing these operations:

- Create two tags, one on a virtual machine and one on a segment.
- Create two associated groups, one containing the first tag and the other the second.
- Create a policy in the distributed firewall that will contain two rules:
  - A rule that will forbid traffic from the first group to the second.
  - Another rule that will forbid traffic from the second group to the first.

### Creating tags

In the NSX interface, go to the `Networking` tab and click `Segments` on the left in **Connectivity**.
Then click on the `three vertical dots` to the left of the segment you want to tag and choose `Edit` from the menu.
![01 Create tag on segment 01](/images/hosted-private-cloud/powered-by-vmware/nsx-05-manage-distributed-firewall/01-create-tag-on-segment01.png)
To the right of **Tags**, enter `ovsegment` in place of **Tag** and click `Add Item(s) ovsegment` below the input box.
![01 Create tag on segment 02](/images/hosted-private-cloud/powered-by-vmware/nsx-05-manage-distributed-firewall/01-create-tag-on-segment02.png)
Enter `ov1` in place of **Scope** and click `Add Item(s) ov1` below the input box.
![01 Create tag on segment 02](/images/hosted-private-cloud/powered-by-vmware/nsx-05-manage-distributed-firewall/01-create-tag-on-segment02.png)
Click the `+` button to the left of your tag.
![01 Create tag on segment 03](/images/hosted-private-cloud/powered-by-vmware/nsx-05-manage-distributed-firewall/01-create-tag-on-segment03.png)
The created tag is displayed in the bottom right of **Tags**. You can create more tags depending on your needs.

Click `SAVE`.
![01 Create tag on segment 04](/images/hosted-private-cloud/powered-by-vmware/nsx-05-manage-distributed-firewall/01-create-tag-on-segment04.png)
Click `CLOSE EDITING` to complete the tagging of your segment.
![01 Create tag on segment 05](/images/hosted-private-cloud/powered-by-vmware/nsx-05-manage-distributed-firewall/01-create-tag-on-segment04.png)
Go to the `Inventory` tab and click `Virtual Machines` on the left in the inventory to view the list of virtual machines.
Then click on the `three vertical dots` to the left of the virtual machine that you want to tag and choose `Edit` from the menu.
![02 Create tag on vm 01](/images/hosted-private-cloud/powered-by-vmware/nsx-05-manage-distributed-firewall/02-create-tag-on-vm01.png)
Enter `vm` in place of **Tag** and click `Add Item(s) vm` below the input box.
![02 Create tag on vm 02](/images/hosted-private-cloud/powered-by-vmware/nsx-05-manage-distributed-firewall/02-create-tag-on-vm02.png)
Enter `ov2` in place of **Scope** and click `Add Item(s) ov2` below the input box.
![02 Create tag on vm 03](/images/hosted-private-cloud/powered-by-vmware/nsx-05-manage-distributed-firewall/02-create-tag-on-vm03.png)
Click the `+` button to the left of your tag.
![02 Create tag on vm 04](/images/hosted-private-cloud/powered-by-vmware/nsx-05-manage-distributed-firewall/02-create-tag-on-vm04.png)
The tag is created. Click `SAVE` to save your changes.
![02 Create tag on vm 05](/images/hosted-private-cloud/powered-by-vmware/nsx-05-manage-distributed-firewall/02-create-tag-on-vm05.png)
Stay in the inventory and click `Tags` on the left to see the list of tags.
![03 Show tags 01](/images/hosted-private-cloud/powered-by-vmware/nsx-05-manage-distributed-firewall/03-show-tags01.png)
### Add groups that contain tags

In the inventory, go to `Groups` on the left and click `ADD GROUP` to create a group.
![04 Create Group With tag on segment 01](/images/hosted-private-cloud/powered-by-vmware/nsx-05-manage-distributed-firewall/04-create-group-with-tag-on-segment01.png)
Type `g-segment01` below the **Name** column and click `Set` under the **Compute Members** column.
![04 Create Group With tag on segment 02](/images/hosted-private-cloud/powered-by-vmware/nsx-05-manage-distributed-firewall/04-create-group-with-tag-on-segment02.png)
Leave `Generic` selected and click `+ ADD CRITERION`.
![04 Create Group With tag on segment 03](/images/hosted-private-cloud/powered-by-vmware/nsx-05-manage-distributed-firewall/04-create-group-with-tag-on-segment03.png)
Choose these settings:

- **Type**: `NSX Segment`.
- **Tags**: Equals `ovsegment`.
- **Scope**: Equals `ov1`.

Click `APPLY`.
![04 Create Group With tag on segment 04](/images/hosted-private-cloud/powered-by-vmware/nsx-05-manage-distributed-firewall/04-create-group-with-tag-on-segment04.png)
Click `SAVE`.
![04 Create Group With tag on segment 05](/images/hosted-private-cloud/powered-by-vmware/nsx-05-manage-distributed-firewall/04-create-group-with-tag-on-segment05.png)
The group is created. Click `View Members` in the row of your group to display the members list.
![04 Create Group With tag on segment 06](/images/hosted-private-cloud/powered-by-vmware/nsx-05-manage-distributed-firewall/04-create-group-with-tag-on-segment06.png)
Click `IP Addresses` to view the IP addresses that are used on your segment and which have been automatically added to your group.
![04 Create Group With tag on segment 07](/images/hosted-private-cloud/powered-by-vmware/nsx-05-manage-distributed-firewall/04-create-group-with-tag-on-segment07.png)
Click `NSX Segments` to display the member segment of this group, which has been automatically added from the criteria. You can click on `CLOSE` to close this window.
![04 Create Group With tag on segment 08](/images/hosted-private-cloud/powered-by-vmware/nsx-05-manage-distributed-firewall/04-create-group-with-tag-on-segment08.png)
Click `ADD GROUP` to create a second group.
![05 Create Group With tag on VM 01](/images/hosted-private-cloud/powered-by-vmware/nsx-05-manage-distributed-firewall/05-create-group-with-tag-on-vm01.png)
Type `g-vm` below the **Name** column and click `Set` under the **Compute Members** column.
![05 Create Group With tag on VM 02](/images/hosted-private-cloud/powered-by-vmware/nsx-05-manage-distributed-firewall/05-create-group-with-tag-on-vm02.png)
Leave `Generic` selected and click `+ ADD CRITERION`.
![05 Create Group With tag on VM 03](/images/hosted-private-cloud/powered-by-vmware/nsx-05-manage-distributed-firewall/05-create-group-with-tag-on-vm03.png)
Choose these settings:

- **Type**: `Virtual Machine`.
- **Tags**: Equals `vm`.
- **Scope**: Equals `ov2`.

Click on `APPLY`.
![05 Create Group With tag on VM 04](/images/hosted-private-cloud/powered-by-vmware/nsx-05-manage-distributed-firewall/05-create-group-with-tag-on-vm04.png)
Click `SAVE`.
![05 Create Group With tag on VM 05](/images/hosted-private-cloud/powered-by-vmware/nsx-05-manage-distributed-firewall/05-create-group-with-tag-on-vm05.png)
Click `View Members` in the row of your group to view the members.
![05 Create Group With tag on VM 06](/images/hosted-private-cloud/powered-by-vmware/nsx-05-manage-distributed-firewall/05-create-group-with-tag-on-vm06.png)
In the **Virtual Machines** section, you can see the tagged virtual machine that has been automatically added.

Click `CLOSE` to close this window.
![05 Create Group With tag on VM 07](/images/hosted-private-cloud/powered-by-vmware/nsx-05-manage-distributed-firewall/05-create-group-with-tag-on-vm07.png)
### Setting up a distributed firewall rule

We will now create a two-way blocking rule, on the distributed firewall, between the two created groups.

Go to the `Security` tab, select `Distributed Firewall` and click `+ ADD POLICY`.
![06 Create distributed firewall rules 01](/images/hosted-private-cloud/powered-by-vmware/nsx-05-manage-distributed-firewall/06-create-distributed-firewall-rules01.png)
Name your policy `Isolate vm and segment`.
![06 Create distributed firewall rules 02](/images/hosted-private-cloud/powered-by-vmware/nsx-05-manage-distributed-firewall/06-create-distributed-firewall-rules02.png)
Click the `three vertical dots` to the left of your policy and choose `Add Rule` from the menu.
![06 Create distributed firewall rules 03](/images/hosted-private-cloud/powered-by-vmware/nsx-05-manage-distributed-firewall/06-create-distributed-firewall-rules03.png)
Click the `Pen` icon to the right of **Any** in the **Sources** column.
![06 Create distributed firewall rules 04](/images/hosted-private-cloud/powered-by-vmware/nsx-05-manage-distributed-firewall/06-create-distributed-firewall-rules04.png)
Stay on the `groups` tab, check the `g-segment01` group and click `APPLY`.
![06 Create distributed firewall rules 05](/images/hosted-private-cloud/powered-by-vmware/nsx-05-manage-distributed-firewall/06-create-distributed-firewall-rules05.png)
Click the `Pen` icon to the right of **Any** in the **Destinations** column.
![06 Create distributed firewall rules 06](/images/hosted-private-cloud/powered-by-vmware/nsx-05-manage-distributed-firewall/06-create-distributed-firewall-rules06.png)
Select the `g-vm` group and click `APPLY`.
![06 Create distributed firewall rules 07](/images/hosted-private-cloud/powered-by-vmware/nsx-05-manage-distributed-firewall/06-create-distributed-firewall-rules07.png)
Choose `Drop` to drop packets matching this rule and click the `three vertical dots` to the left of your policy.
![06 Create distributed firewall rules 08](/images/hosted-private-cloud/powered-by-vmware/nsx-05-manage-distributed-firewall/06-create-distributed-firewall-rules08.png)
Click `Add Rule` in the menu.
![06 Create distributed firewall rules 09](/images/hosted-private-cloud/powered-by-vmware/nsx-05-manage-distributed-firewall/06-create-distributed-firewall-rules09.png)
Click the `Pen` icon to the right of **Any** in the **Sources** column.
![06 Create distributed firewall rules 10](/images/hosted-private-cloud/powered-by-vmware/nsx-05-manage-distributed-firewall/06-create-distributed-firewall-rules10.png)
Select the `g-vm` group and click `APPLY`.
![06 Create distributed firewall rules 11](/images/hosted-private-cloud/powered-by-vmware/nsx-05-manage-distributed-firewall/06-create-distributed-firewall-rules11.png)
Click the `Pen` icon to the right of **Any** in the **Destinations** column.
![06 Create distributed firewall rules 12](/images/hosted-private-cloud/powered-by-vmware/nsx-05-manage-distributed-firewall/06-create-distributed-firewall-rules12.png)
Select the `g-segment01` group and click `APPLY`.
![06 Create distributed firewall rules 13](/images/hosted-private-cloud/powered-by-vmware/nsx-05-manage-distributed-firewall/06-create-distributed-firewall-rules13.png)
Choose `Drop` to drop packets matching this rule and click `publish` to validate the creation of the policy and its two associated rules.
![06 Create distributed firewall rules 14](/images/hosted-private-cloud/powered-by-vmware/nsx-05-manage-distributed-firewall/06-create-distributed-firewall-rules14.png)
Your rule is active: traffic between the virtual machine that is a member of the `g-vm` group and the segment that is a member of the `g-segment01` group is no longer possible.
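
The policy built above, expressed as data and checked for one-way gaps (an added example, not part of the original guide or OVHcloud's tooling). The field names follow the NSX Policy API `SecurityPolicy` and `Rule` objects; the group paths assume the default domain and group IDs equal to the names used in this guide, and the function names and rule IDs are hypothetical.

```python
import json

# Assumption: groups were created in the default domain with IDs equal to their names.
GROUPS = "/infra/domains/default/groups/"


def isolation_policy(name, group_a, group_b):
    """Build a SecurityPolicy body with one DROP rule per direction."""
    def rule(rule_id, src, dst, seq):
        return {
            "resource_type": "Rule",
            "id": rule_id,                 # hypothetical rule ID
            "display_name": rule_id,
            "sequence_number": seq,
            "source_groups": [GROUPS + src],
            "destination_groups": [GROUPS + dst],
            "services": ["ANY"],
            "scope": ["ANY"],
            "action": "DROP",
        }
    return {
        "resource_type": "SecurityPolicy",
        "display_name": name,
        "category": "Application",
        "rules": [
            rule(f"drop-{group_a}-to-{group_b}", group_a, group_b, 10),
            rule(f"drop-{group_b}-to-{group_a}", group_b, group_a, 20),
        ],
    }


def missing_reverse_rules(policy):
    """Return (source, destination) pairs that are blocked in one direction only."""
    blocked = set()
    for r in policy.get("rules", []):
        # Disabled rules and non-blocking actions do not isolate anything.
        if r.get("disabled") or r.get("action") not in ("DROP", "REJECT"):
            continue
        for src in r.get("source_groups", []):
            for dst in r.get("destination_groups", []):
                blocked.add((src, dst))
    return sorted((s, d) for s, d in blocked if s != d and (d, s) not in blocked)


if __name__ == "__main__":
    policy = isolation_policy("Isolate vm and segment", "g-segment01", "g-vm")
    print(json.dumps(policy, indent=2))
    print("one-way blocks:", missing_reverse_rules(policy))
```

Running `missing_reverse_rules` over a policy exported from NSX flags any pair where the second rule was forgotten or left disabled, which would leave traffic flowing in one direction.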

## Go further

[Getting started with NSX](/es/guides/hosted-private-cloud/powered-by-vmware/nsx-first-steps.md)

[Segment management in NSX](/es/guides/hosted-private-cloud/powered-by-vmware/nsx-segment-management.md)

[VMware Distributed Firewall in NSX documentation](https://docs.vmware.com/en/VMware-NSX-T-Data-Center/3.2/administration/GUID-6AB240DB-949C-4E95-A9A7-4AC6EF5E3036.html)

If you need training or technical assistance to implement our solutions, contact your sales representative or click on [this link](https://www.ovhcloud.com/es-es/professional-services/) to get a quote and ask our Professional Services experts for a custom analysis of your project.

Join our [community of users](https://community.ovhcloud.com/).
