I was working on some labs recently and creating custom services to block ports that may otherwise not exist in the NSX Service list. NSX allows you to create custom services in Firewall rules to block certain kinds of services. I was fumbling about in the interface trying to figure out where all you could create these custom services, and also where the heck do I edit them after I’ve created them? Just a bit of background on what I’m talking about.
Services – NSX has out of the box Services that can be used when creating Security Policies and Firewall rules for common types of services that may run in most datacenters. These can be used to either, Accept, Block, or Reject, those types of service traffic with NSX. Here’s just a glimpse of the list. It’s quite extensive.
Service Groups – NSX has out of the box Service Groups, which are groupings of common services that make up certain types of applications. You can see from this list, what I’m referring to. Let’s take a look at SharePoint 2010. It has several services that could be grouped together to easily create one rule that could encompass all of the services associated with that application. This means when I want to setup a rule for that type of application service, I only have to create one rule to ‘rule’ the entire application. Beautiful!
As I was working through my lab and practicing making Security Policies and Service Groups using the Service Composer, I noticed that when I went to put in a service I wanted to block, that service wasn’t in the list. Nobody likes CIFS and I wanted to try and block it for a VM. So I figured I would just create a custom service for CIFS to block it. What I found was that CIFS wasn’t in the list. 😦
What I also found out is that you can’t create a custom service from Service Composer through the Security Policies Wizard. You can see from the shot below there’s no ‘New Service…’ link.
However there is a ‘New Service…’ link when you edit a Firewall rule as you can see here. I figured there had to be a better way to get my custom Service input without having to go through a Firewall rule to do it.
Never one to consult the documentation, because what fun is that, I went digging through the interface to find out where the custom service would show up and I found it!
The list of Services and Service Groups can be found by selecting NSX Managers>Click on the NSX Manager in the list>Manage>Grouping Objects>Service/Service Groups. From this interface I can create new services and new service groups as well as edit them. You can also edit the out of the box policies as well.
According to this link, I can see what I need to help me in terms of ports and protocols. Now I can create my custom service for CIFS. CIFS operates on both TCP and UDP 445, so I’m going to create a custom Service Group to encompass both of those into one easy group to make my rule with. But I first have to create both of the services I want to add to the group, one for TCP and one for UDP.
I can now add both of these to a new Service Group to be used in my Security Policy.
And now I can select it from the list when I create my Security Policy and all is well. Easy stuff.