
Objective 6.3 – Configure and Manage Universal Logical Security Objects
Skills and Abilities
- Configure Universal MAC sets
- Configure Universal IP sets
- Configure Universal security groups
- Configure Universal firewall rules
- Configure Universal services and service groups
The concept of grouping security objects is the same in a normal NSX environment and in a universal (cross-vCenter) NSX environment: it is a way to combine multiple objects so they can be referenced when constructing rules on the distributed firewall. Universal grouping objects must be created on the primary NSX manager; from there they are synchronized to the secondary NSX managers.
Configure Universal MAC sets
You can group MAC addresses to be used in the source or destination fields of distributed firewall rules. To create a universal MAC set, first navigate to Networking & Security > Groups and Tags > Grouping Objects > MAC Sets. Click the green +.
Enter a name, description, and the MAC addresses. Also, make sure to check the box for “Mark this object for Universal Synchronization”. Click OK.
Now you will see the universal MAC set that can be used in the DFW when creating rules.
Now if I go to my DFW and create a new universal firewall rule, I have the MAC set that I can choose to enter as a source or destination.
Configure Universal IP sets
You can group IP addresses to be used in the source or destination fields of distributed firewall rules. To create a universal IP set, first navigate to Networking & Security > Groups and Tags > Grouping Objects > IP Sets. Click the green +.
Enter a name, description, and the IP addresses. Also, make sure to check the box next to “Mark this object for Universal Synchronization”. Click OK.
Now you will see the newly created Universal IP Set.
Now if we try to create a new rule under our universal rule section, we can select our IP Set in the source or destination fields.
Configure Universal security groups
Universal security groups are like regular security groups, except that they can only contain other universal security objects (e.g. universal MAC sets, universal IP sets, and other universal security groups). To create a universal security group, navigate to Networking & Security > Groups and Tags > Grouping Objects > Security Group. Click the green +.
Enter a name and description. Make sure you check the box for “Mark this object for Universal Synchronization”. Click Next.
As mentioned, you can only add other universal security groups, IP sets, and MAC sets to a universal security group. Click Next.
Click Finish.
Now you see the newly created universal security group.
Configure Universal firewall rules
To create a universal firewall rule, we must first create a new universal section in the distributed firewall. Navigate to Networking & Security > Security > Firewall and click the Add Section button.
Enter a name for the section and check the box for “Mark this section for Universal Synchronization”. Click Save.
Now I can go and create a universal firewall rule under that new section and it will also show on the secondary NSX manager.
Configure Universal services and service groups
To configure a universal service, navigate to Networking & Security > Groups and Tags > Grouping Objects > Service. Click the green +. Give the service a name and make sure to check the box for “Mark this object for Universal Synchronization”. Click OK.
To configure a universal service group, navigate to Networking & Security > Groups and Tags > Grouping Objects > Service Group. Click the green +. Give the service group a name and check the box for “Mark this object for Universal Synchronization”. You can only add other universal services to a universal service group. Click OK.
Now you see the newly created universal service group.
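The same objects can be created through the NSX Manager REST API instead of the UI, and the membership constraints above (universal security groups only hold universal IP sets, MAC sets and security groups; universal service groups only hold universal services) are worth checking before a push. The following is an added example, not part of the original post or VMware's own tooling: it validates IP set values, builds the XML body for an IP set, and checks planned memberships; the scope id universalroot-0, the endpoint path in the comment, the minimal ipset XML layout and the member dict format are assumptions.

```python
import ipaddress
from xml.etree import ElementTree as ET

UNIVERSAL_SCOPE = "universalroot-0"  # assumed NSX-v scope id for universal objects
LOCAL_SCOPE = "globalroot-0"         # assumed scope id for local objects

# Allowed member types per universal container, per the constraints described above.
ALLOWED_MEMBERS = {
    "securitygroup": {"ipset", "macset", "securitygroup"},
    "servicegroup": {"service"},
}

def ip_set_errors(values):
    """Return problems with IP set values: single IPs, CIDR blocks or 'a-b' ranges."""
    errors = []
    for v in values:
        try:
            if "-" in v:
                lo, hi = (ipaddress.ip_address(p.strip()) for p in v.split("-", 1))
                if hi < lo:
                    errors.append(f"range end before start: {v}")
            else:
                ipaddress.ip_network(v.strip(), strict=False)
        except (ValueError, TypeError):  # garbage, or mixed v4/v6 range
            errors.append(f"not an address, CIDR or range: {v}")
    return errors

def membership_errors(container_type, members):
    """Reject members that are local (not universally synchronized) or of a type the
    universal container cannot hold. members: dicts with name/type/scope (constructed)."""
    allowed = ALLOWED_MEMBERS[container_type]
    errors = []
    for m in members:
        if m["scope"] != UNIVERSAL_SCOPE:
            errors.append(f"{m['name']}: local object, not universally synchronized")
        if m["type"] not in allowed:
            errors.append(f"{m['name']}: {m['type']} cannot be in a universal {container_type}")
    return errors

def ip_set_xml(name, values, description=""):
    """Request body for POST /api/2.0/services/ipset/universalroot-0 (assumed endpoint)."""
    errors = ip_set_errors(values)
    if errors:
        raise ValueError("; ".join(errors))
    root = ET.Element("ipset")
    ET.SubElement(root, "name").text = name
    ET.SubElement(root, "description").text = description
    ET.SubElement(root, "value").text = ",".join(v.strip() for v in values)
    return ET.tostring(root, encoding="unicode")
```

Run ip_set_errors and membership_errors against your planned objects first; only post the XML to the primary NSX manager when both return empty lists.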