Flow Microsegmentation Guide

Flow Network Security (formerly Flow Microsegmentation) 6.5


September 13, 2024
Contents

Security Policies ... 4
Types of Policies ... 5
Security Policy Model ... 7
Requirements ... 9
Enabling Microsegmentation ... 10
  Disabling Microsegmentation ... 10
Built-in Categories for Security Policies ... 11
Services ... 12
  Creating a Service ... 12
Addresses ... 13
  Creating an Address ... 13
Allowing Discovered Traffic ... 14
Application Security Policy Configuration ... 17
  Creating an Application Security Policy ... 17
  Modifying an Application Security Policy ... 22
  Applying an Application Security Policy ... 22
  Monitoring an Application Security Policy (Visualizing Network Flows) ... 23
  Deleting an Application Security Policy ... 24
Isolation Environment Policy Configuration ... 26
  Creating an Isolation Environment Policy ... 27
  Modifying an Isolation Environment Policy ... 29
  Applying an Isolation Environment Policy ... 29
  Monitoring an Isolation Environment Policy (Visualizing Network Flows) ... 29
  Deleting an Isolation Environment Policy ... 30
Quarantine Policy Configuration ... 31
  Configuring the Quarantine Policy ... 31
  Quarantining a VM ... 33
  Removing a VM from the Quarantine ... 33
VDI Policy Configuration ... 34
  Creating a VDI Policy ... 34
    Default VDI Policy ... 38
    Configuring Active Directory Domain Services ... 38
  Modifying the VDI Policy ... 40
  Applying the VDI Policy ... 40
  Monitoring the VDI Policy ... 41
  Deleting the VDI Policy ... 41
Applying Filtering and Grouping to a Security Policy ... 42
Exporting and Importing Security Policies ... 46
Copyright ... 47
SECURITY POLICIES
Traditional data centers use firewalls to implement security checks at the perimeter—the points at which traffic enters
and leaves the data center network. Such perimeter firewalls are effective at protecting the network from external
threats. However, they offer no protection against threats that originate from within the data center and spread
laterally, from one compromised machine to another.
The problem is compounded by virtualized workloads changing their network configurations and hosts as they start,
stop, and migrate frequently. For example, IP addresses and MAC addresses can change as applications are shut down
on one host and started on another. Manual enforcement of security policies through traditional firewalls, which rely
on network configurations to inspect traffic, cannot keep up with these frequent changes and is error-prone.
Network-centric security policies also require the involvement of network security teams that have intimate
knowledge of network configuration in terms of VLANs, subnets, and other network entities.
Nutanix Flow includes a policy-driven security framework that inspects traffic within the data center. The framework
works as follows:

• Security policies inspect traffic that originates and terminates within a data center and help eliminate the need for
additional firewalls within the data center.
• The framework uses a workload-centric approach instead of a network-centric approach. Therefore, it can
scrutinize traffic to and from VMs no matter how their network configurations change and where they reside
in the data center. The workload-centric, network-agnostic approach also enables the virtualization team to
implement these security policies without having to rely on network security teams.
• Security policies are applied to categories (a logical grouping of VMs) and not to the VMs themselves. Therefore,
it does not matter how many VMs are started up in a given category. Traffic associated with the VMs in a
category is secured without administrative intervention, at any scale.
• Prism Central offers a visualization-based approach to configuring policies and monitoring the traffic to which a
given policy applies.
• Using Prism Central, you can configure syslog monitoring by forwarding Flow logs to an external syslog server.
For details, see Configuring Syslog Monitoring in the Prism Central Admin Center Guide.

Note: Nutanix Flow supports only the AHV hypervisor; security policies cannot be applied to VMs running on other
hypervisors.

Flow Network Security (formerly Flow Microsegmentation) | Security Policies | 4


TYPES OF POLICIES
The types of policies in Prism Central and their use cases are described here.

Table 1: Types of Policies

Application Security Policy
Use an application security policy when you want to secure an application by specifying allowed traffic sources and
destinations. This method of securing an application is typically called application ring fencing.
For example, use an application security policy when you want to allow only those VMs in the categories
department: engineering and department: customersupport (the allowed sources) to communicate with an issue
tracking tool in the category AppType: IssueTracker (the secured application), and you want the issue tracking tool to
be able to send traffic only to an integrated customer relationship management application in the category
AppType: CRM.
The secured application itself can be divided into tiers by the use of categories (the built-in AppTier category). For
example, you can divide the issue tracking tool into web, application, and database tiers and configure tier-to-tier
rules.
For more information, see Application Security Policy Configuration on page 17.

Isolation Environment Policy
Use an isolation environment policy when you want to block all traffic, regardless of direction, between two groups
of VMs identified by their category. VMs within a group can communicate with each other.
For example, use an isolation environment policy when you want to block all traffic between VMs in the category
Environment: sandbox and VMs in the category Environment: production, and you want to allow all the VMs within
each of those categories to communicate with each other.
For more information, see Isolation Environment Policy Configuration on page 26.

Quarantine Policy
Use a quarantine policy when you want to isolate a compromised or infected VM and optionally want to subject it to
forensics.
For more information, see Quarantine Policy Configuration on page 31.

VDI Policy
Use a VDI policy when you want to secure your VDI environment.
For more information, see VDI Policy Configuration on page 34.



SECURITY POLICY MODEL
Application-centricity
The security policy model uses an application-centric policy language instead of the more complex, traditional
network-centric policy language. Configuring an application security policy involves specifying which VMs belong
to the application you want to protect and then identifying the entities or networks, in the inbound and outbound
directions, with which you want to allow communication.
All the entities in an application security policy are identified by the categories to which they belong and not by their
IP address, VLAN, or other network attributes. After a VM is associated with a category and the category is specified
in a security policy, traffic associated with the VM is monitored even if it migrates to another network or changes its
IP address.
The default options for allowing traffic on the inbound and outbound directions are also inherently application centric.
For application security policies, the default option for inbound traffic is Allowed List, which means that Allowed
List is usually the recommended option for inbound traffic. The default option can be changed to Allow All traffic.
The default option in the outbound direction allows the application to send traffic to all destinations, but you can
configure a destination Allowed List if desired.
For forensic quarantine policies, the default option in both directions is Allowed List, but you can Allow All traffic
in both directions. For strict quarantine policies, no traffic is allowed in either direction.
All the VMs within a category can communicate with each other. For example, in a tiered application, regardless of
how you configure tier-to-tier rules, the VMs within a given tier can communicate with each other.

Allowed List-Based Policy Expression


An application security policy is expressed in terms of the categories and subnets with which you want the application
to communicate and therefore, by extension, the traffic you want to allow. A more granular policy expression can be
achieved by specifying which protocols and ports can be used for communication.
Any category or subnet that is not in the allowed list is blocked. You cannot specify the categories and subnets you
want to block, because the number of such entities is typically much larger and grows at a much higher rate than the
number of categories and subnets with which an application should be allowed to communicate. Expressing a policy in
terms of allowed traffic results in a smaller, tighter policy configuration that can be modified, monitored, and
controlled more easily.

Enforcement Modes
All policies, whether associated with securing an application, isolating environments, or quarantining VMs, can be
run in the following modes:
Monitor Mode
Allows all traffic, including traffic that is not allowed by the policy. This mode enables you to
visualize both allowed and disallowed traffic and fine-tune the policy before applying it.
Enforce Mode
Blocks all traffic that is not allowed by the policy.
You can switch a policy between these two modes as many times as you want.

Automated Enforcement
A policy uses categories to identify the VMs to which it must apply. This model allows the automatic enforcement
of a policy to VMs regardless of their number and network attributes. Connectivity between Prism Central and
a registered AHV cluster is required only when creating and modifying policies, or when changing the mode
of operation (applied or monitoring) of a policy. Policies are applied to the VMs in a cluster even if the cluster
temporarily loses network connectivity with the Prism Central instance with which it is registered. New policies and
changes are applied to the cluster when connectivity is restored.



Priorities Between Policies
Prism Central does not provide a way for you to specify priorities between policies of a single type. For example, you
cannot prioritize one security policy over another. There is no limit to the number of inbound and outbound rules that
you can add to a security policy, allowing you to define all of an application's security requirements in a single policy.
This makes priorities between policies unnecessary.
However, priorities exist between the different policy types. Quarantine policies have the highest priority, followed
by isolation environment policies and then application security policies, in that order. The VDI policy has the lowest
precedence; for example, if an application security policy is protecting a VM, that VM cannot simultaneously be
protected by the VDI policy.
Isolation environment rules take precedence over application security rules, so make sure that isolation environment
policies and application security policies are not in conflict. An isolation environment rule and an application security
rule are said to be in conflict if they apply to the same traffic (a scenario that is encountered when VMs in one of the
categories in the isolation environment send traffic to an application in the other category, and some or all of that
traffic is either allowed or disallowed by the application security policy). The effect that an isolation environment
policy has on a conflicting application security policy depends on the mode in which the isolation environment policy
is deployed, and is as follows:

• If the isolation environment policy is in the applied mode, it blocks all traffic to the application, including the
traffic that is allowed by the application security policy.
• If the isolation environment policy is in the monitoring mode, it allows all traffic to the application, including any
traffic that is disallowed by the application security policy.
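The precedence and mode rules described in this section, together with the allowed-list model above, as an added Python simulation. This is not Nutanix code and not the Flow API: the policy classes, VM names, categories and the assumed AppType:ForensicTools category are constructed for illustration.

```python
"""Resolve a flow the way the guide describes: quarantine > isolation environment
> application security, allowed-list rules, and monitor mode that permits (but
flags) traffic the policy would block. Constructed example; the classes, VM
names and categories are assumptions, not the Nutanix API."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set

MONITOR, ENFORCE = "monitor", "enforce"
FORENSIC_TOOLS = "AppType:ForensicTools"  # assumed category holding forensic tools


@dataclass
class VM:
    name: str
    ip: str
    categories: Set[str]  # e.g. {"AppType:IssueTracker", "Environment:production"}


@dataclass
class Rule:
    """Allowed-list entry: a category or a subnet, optionally narrowed to a service."""
    peer: str                   # "Category:value" or a CIDR such as "10.0.8.0/24"
    protocol: str = "ANY"       # a Flow service is a protocol-port combination
    port: Optional[int] = None  # None = any port of that protocol

    def matches(self, vm: VM, protocol: str, port: int) -> bool:
        if self.protocol != "ANY":
            if protocol != self.protocol or (self.port is not None and port != self.port):
                return False
        if "/" in self.peer:
            return ip_address(vm.ip) in ip_network(self.peer)
        return self.peer in vm.categories


@dataclass
class AppPolicy:
    app: str                                           # AppType value being secured
    inbound: List[Rule] = field(default_factory=list)  # default: Allowed List
    outbound: Optional[List[Rule]] = None              # None = Allow All (default)
    mode: str = MONITOR


@dataclass
class IsolationPolicy:
    first: str    # e.g. "Environment:sandbox"
    second: str   # e.g. "Environment:production"
    mode: str = MONITOR


def quarantine_verdict(src, dst):
    """Highest priority; the built-in Quarantine values are always enforced."""
    for vm, peer in ((src, dst), (dst, src)):
        if "Quarantine:Strict" in vm.categories:
            return "block", "Quarantine:Strict", ENFORCE
        if "Quarantine:Forensic" in vm.categories:
            ok = FORENSIC_TOOLS in peer.categories
            return ("allow" if ok else "block"), "Quarantine:Forensic", ENFORCE
    return None


def isolation_verdict(src, dst, policies):
    """Block all traffic between the two groups, regardless of direction."""
    for p in policies:
        pairs = ((p.first, p.second), (p.second, p.first))
        if any(a in src.categories and b in dst.categories for a, b in pairs):
            return "block", f"Isolation({p.first} <-> {p.second})", p.mode
    return None


def app_verdict(src, dst, proto, port, policies):
    """Inbound: Allowed List by default. Outbound: Allow All unless a list is set."""
    for p in policies:
        tag = f"AppType:{p.app}"
        if tag in src.categories and tag in dst.categories:
            return "allow", f"App({p.app}) intra-app", p.mode  # same category always talks
        if tag in dst.categories:
            ok = any(r.matches(src, proto, port) for r in p.inbound)
            return ("allow" if ok else "block"), f"App({p.app}) inbound", p.mode
        if tag in src.categories:
            ok = p.outbound is None or any(r.matches(dst, proto, port) for r in p.outbound)
            return ("allow" if ok else "block"), f"App({p.app}) outbound", p.mode
    return None


def evaluate(src, dst, proto, port, isolation, apps):
    """Return (decision, deciding policy, would_block_if_enforced). The highest-priority
    policy that matches decides, so an isolation policy in monitor mode lets through
    even traffic that the application security policy would block."""
    for verdict in (quarantine_verdict(src, dst),
                    isolation_verdict(src, dst, isolation),
                    app_verdict(src, dst, proto, port, apps)):
        if verdict is None:
            continue
        decision, name, mode = verdict
        if mode == MONITOR:
            return "allow", f"{name} [monitor]", decision == "block"
        return decision, name, decision == "block"
    return "allow", "no policy", False
```

The third element of the result is what a monitor-mode visualization would show as "disallowed" traffic before the policy is switched to enforce.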



REQUIREMENTS
The Security Policies feature has the following requirements:

• The feature is supported only on AHV clusters running AOS 5.6 or later and AHV version 20170830.115 or later.
• The Prism Central instance must be hosted on one of the AHV clusters registered with it. The AHV cluster that
hosts the Prism Central instance must be running AOS 5.6 or later.
• The host must have at least 1 GB of additional memory for each Prism Central VM hosted on it.
• If you are running a Prism Central scale-out instance, all the VMs in the Prism Central cluster must be powered
on.
• The AHV hosts must be allowed to communicate with the Prism Central VMs over TCP port 9446. Keeping the
port open enables the hosts to send the Prism Central VMs connection tracking data. Prism Central uses that data
to show network flows.
• Flow supports only TCP, UDP, or ICMP traffic.

Caution:

• When Flow is enabled, a Kafka container is automatically created on the cluster where Prism Central is
hosted. The container is used to store data that is required for flow visualization to work and must not be
deleted.
• Cross-cluster live migration of guest VMs that are part of a Flow security policy is not supported.
• Security Policies are not supported for VMs that are on the advanced networking stack. An alert is
raised for VMs that are part of both VPC and Flow policy, and Flow policies are not enforced for VMs
on VPCs.
• Overlapping or conflicting policy configuration is not supported and might cause unintended
interruption of network services.



ENABLING MICROSEGMENTATION
Microsegmentation is disabled by default. Before you can configure and use application security policies,
isolation environment policies, and quarantine policies, you must enable the feature. The feature requires a
Flow license. If you have not installed a Flow license, you can try the feature for a period of 60 days. After
this period expires, you will be required to install the license to continue using the feature.

Before you begin


Ensure that you meet Microsegmentation requirements.

About this task


To enable microsegmentation, do the following:

Procedure

1. Log on to the Prism Central web console.

2. Click the collapse menu ("hamburger") button on the left of the main menu and then select Prism Central
Settings to display the Settings page.

3. Click Microsegmentation from the Settings menu (on the left).


The Enable Microsegmentation dialog box is displayed.

4. To determine whether the registered clusters are capable of supporting microsegmentation, do the following:

a. Click View Cluster Capability, and then review the results of the capability checks that Prism Central
performed on the registered clusters.
b. Click Back.

5. Select the Enable Microsegmentation check box.

6. Click OK.

Disabling Microsegmentation
The Prism Central web console lets you disable the microsegmentation feature.

About this task


To disable microsegmentation, do the following:

Procedure

1. Log on to the Prism Central web console.

2. Click the gear icon in the main menu and then select Microsegmentation in the Settings page.

3. Click Disable Microsegmentation.


A confirmation message appears.

4. Click Disable to confirm disabling the microsegmentation feature.



BUILT-IN CATEGORIES FOR SECURITY
POLICIES
Prism Central includes built-in categories that you can use in application security policies and isolation
policies. It also includes a built-in category for quarantining VMs.

Table 2: Built-In Categories

AppTier
Add values for the tiers in your application (such as web, application_logic, and database) to this category and use
the values to divide the application into tiers when configuring a security policy.

AppType
Associate the VMs in your application with the appropriate built-in application type such as Exchange and
Apache_Spark. You can also update the category to add values for applications not listed in this category.

Environment
Add values for environments that you want to isolate from each other and then associate VMs with the values.

Quarantine
Add a VM to this category when you want to quarantine the VM. You cannot modify this category. The category has the
following values:
Strict
Use this value when you want to block all inbound and outbound traffic.
Forensic
Use this value when you want to block all inbound and outbound traffic except the traffic to and from categories
that contain forensic tools.

ADGroup
This category is managed by ID Based Security (ID Firewall). Each ADGroup value represents an imported group from
Active Directory. To add or remove values to use in Flow policies, use the ID Based Security configuration page
(Prism Central Settings > Flow > ID Based Security). The category values may be used in VDI policies; see VDI Policy
Configuration on page 34 for details.

ADGroup:Default
This category is applied to the VDI VMs of the AD group when the VM inclusion criteria is set, and allows you to apply
a default set of rules for the VDI VMs (without the requirement of user logons).

SERVICES
A service is a group of protocol-port combinations. You can use any of the default services or create a custom service.
Using service entities in the policy creation workflow reduces manual configuration errors and enables reuse of
available entities.

• To create or update a custom service, see Creating a Service on page 12.


• To view the list of available services (built-in and custom services), go to Network & Security > Security
Policies > Services.

Creating a Service
About this task
To create a custom service, do the following.

Procedure

1. Log on to the Prism Central web console.

2. Click the collapse menu ("hamburger") button on the left of the main menu and go to Network & Security >
Security Policies > Services.

3. Click Create Service Group.

4. Enter a name and description for the service.

5. Select the Protocol from the drop-down menu and enter the port number or port range in the Port field.
You can add multiple protocol-port combinations in a single service. To add more protocol-port combinations,
click Add Row and specify the required values.

6. Click Save to save the service.



ADDRESSES
An address is a way to group one or many IP addresses or ranges. You can create an address entity and use that address
entity while creating policies. Using addresses in the policy creation workflow reduces manual configuration errors
and enables reuse of available entities.

• To create or update an Address, see Creating an Address on page 13.


• To view the list of available addresses, go to Network & Security > Security Policies > Addresses.

Creating an Address
About this task
To create an Address, do the following.

Procedure

1. Log on to the Prism Central web console.

2. Click the collapse menu ("hamburger") button on the left of the main menu and go to Network & Security >
Security Policies > Addresses.

3. Click Create Address.

4. Enter a name and description for the address.

5. Enter the IP address or an IP range in the Subnet field.


You can add multiple subnets in a single address entity. To add more subnets, click Add Row and specify the
required values.

6. Click Save to save the address.



ALLOWING DISCOVERED TRAFFIC
About this task
A generic policy in the enforced mode discovers traffic intended to reach the secured entities. When the policy is
in the enforced mode, by default the system does not allow the discovered traffic to reach the secured entities. To
process the discovered traffic, you update the policy to manually allow the discovered traffic. After that, the traffic
is subject to the rules that are defined in the policy. To allow the discovered traffic, follow these steps:

Procedure

1. Log on to Prism Central.

2. Select Infrastructure application from the Application Switcher Function, and navigate to Network &
Security > Security Policies.
The Security Policies page appears.

3. In the Security Policies page, select the policy.


The policy page shows the discovered traffic in the Inbounds and Outbounds.

4. Click Update.
The Update Security Policy page appears.

5. Click Next.

• In the Inbounds > Discovered or Outbounds > Discovered section, hover over the traffic source and
click Allow Traffic.

Figure 1: Discovered Traffic - Visual View



6. In the Allow Traffic page, select the source of the discovered traffic and choose a service.
Show All Traffic: Shows a consolidated list of sources trying to reach all AppTiers (secured VMs).

Figure 2: Allow Traffic - Show All Traffic

Show Tiers: Shows a source trying to reach different AppTypes within an AppTier.

Figure 3: Allow Traffic - Show Tiers

You can select more than one traffic source. If a required service is not present in the drop-down, you can create a
new service. See Creating a Service on page 12 for more information.



7. Click Allow Discovered Traffic and click Next.

8. In the Review page, select a policy mode and click Confirm to complete updating the security policy.



APPLICATION SECURITY POLICY
CONFIGURATION
Creating an Application Security Policy

Before you begin

• Create the categories you need and associate the VMs that you want to protect with those categories. You might
be required to create categories for the following purposes. Some categories or category values are required while
others are optional:

• Every security policy must be associated with a value in the AppType category, so make sure that you update
the AppType category with appropriate values if the built-in values do not work for you. For information about
this category and its values, see Category Details View in the Prism Central Infrastructure Guide.
• If you need to apply the policy to an application in a specific environment (for example, development, test, or
production) or an application at a specific location, create the category you need and apply it to the application.
Prism Central includes a built-in Environment category that you can use or update with values of your own.
You can also create your own categories.
• If you want to specify categories for traffic sources and destinations instead of allowing all inbound and
outbound traffic, create those categories and apply them to the traffic sources and destinations.
• If you want to divide the application into tiers in a security policy, add tiers to the AppTier category. The
AppTier category has a built-in default value, but you can update the category to add values of your choice.
For information about categories and their values, see Category Management in the Prism Central
Infrastructure Guide.
• Security policy configuration might require more time than the default session timeout allows you. You might
want to increase the session timeout so that you do not lose a configuration that is left unattended while you
perform associated tasks such as referring to this documentation. For more information, see Configuring Prism
Central UI Settings in the Prism Central Admin Center Guide.

About this task


To secure an application, do the following:

Procedure

1. Log on to Prism Central.

2. Select Infrastructure application from the Application Switcher Function, and navigate to Network &
Security > Security Policies. The Security Policies page appears.

3. In the Security Policies page, click Create Security Policy, and then click Secure an Application.
The Create App Security Policy page is displayed.

4. On the Define Policy tab, do the following in the indicated fields, and then click Next:

Figure 4: Define Policy Tab

a. Name: Enter a name for the security policy.


b. Purpose: Describe the purpose of the security policy.
c. Secure This App: Select the type of application that you want to secure.
The Secure This App list displays available values in the AppType category. It uses the format AppType:
value, where value represents a type of application. Every application that you want Prism Central to secure
must be associated with a value from the built-in AppType category. The AppType category includes values
for frequently encountered applications, such as Exchange and Hadoop. The AppType category also includes
a built-in default value that you can use if your application cannot be associated with one of the other built-
in values. You can also update the AppType category to add a value of your choice. For information about
categories and their values, see Category Management in the Prism Central Infrastructure Guide.
d. If you want to filter the VMs by an additional category, select Filter the app type by category, and then
enter the name of the category in the text box that is displayed.
This option enables you to apply the policy to an additional category. For example, if you are configuring
a policy for an application in the category AppType: Exchange, this option enables you to further restrict
the policy to specific locations (such as Location: US and Location: EU) or environments (such as
Environment: Production, Environment: Development, and Environment: Test).

e. Optionally, in the Advanced Configuration section, select the Allow radio button to allow IPv6 traffic.
The policy rules apply to IPv4 traffic only and all IPv6 traffic is blocked by default.

Note: If you choose to block IPv6 traffic, the IPv6 traffic remains blocked even in the monitoring mode.

f. Optionally, click the toggle button against Policy Hit Logs to log traffic flow hits on the policy rules.
You can configure syslog monitoring for the policy hit logs for Flow. For details, see Configuring Syslog
Monitoring in the Prism Central Admin Center Guide.

Note: Policy hit logs are not generated if both the source and the destination are in an inbound or outbound category.

5. In the Securing an App dialog box, review the schematic that illustrates the flow of traffic through a secured
app, and then click OK, Got it!
The Secure Application tab is displayed. The schematic on this tab can be divided into three areas of
configuration: the Inbound side (for adding the traffic source allowlist), the application at the center (for
configuring inbound, outbound, and tier-to-tier rules), and the Outbound side (for adding the traffic destination
allowlist).

6. On the Secure Application tab, do the following, and then click Next:

a. On the application at the center of the tab, do the following in the indicated fields:

• If you want to divide the application into tiers (such as a web tier, an application tier, and a database tier)
and configure tier-to-tier rules, first configure the application as described in this step, and then configure
inbound and outbound rules. This approach ensures that the individual tiers are available when you want to
configure inbound and outbound rules at the tier level. Skip this step if you want to treat the application as
a single entity in the security policy.
To divide your application into tiers and create tier-to-tier rules, do the following:
1. On the application, click Set Rules on App Tiers, Instead.

Note: After you click Set Rules on App Tiers, Instead, the link text, Set rules on the whole
app, instead, is displayed in its place. Click Set rules on the whole app, instead if you want to
discard the tiered configuration and return to configuring rules on the application as a whole.

2. Click Add Tier, and then select a tier.
Repeat this step to add as many tiers as you require. The following figure shows an application with a
web tier, an application tier, and a database tier:
3. To delete a tier, pause over the tier you want to delete and click the delete button that is displayed.

Note: When configuring tier-to-tier rules, two modes are made available to you through the buttons
Set Rules to & from App and Set Rules Within App. The Set Rules to & from App option
enables you to add application tiers and to specify allowed inbound and outbound traffic. The Set

Rules Within App option enables you to specify tier-to-tier rules within the application. These buttons
enable you to switch between the two modes.

5. Click each tier in the application and click Yes or No to specify whether or not you want to allow the
VMs in the tier to communicate with each other.
6. Configure a tier-to-tier rule as follows:
1. Click the source tier (for example, if the tiers are WebTier and AppTier and you want to configure a
tier-to-tier rule from WebTier to AppTier, click the source tier, WebTier).
2. Click the plus sign that is displayed on the destination tier (in this example, click the destination tier,
AppTier). The Create Tier to Tier Rule dialog box appears.
3. Enter a description for the rule.

Note: The policy rule description is captured in the policy hit log data.
• The policy hit log must be enabled.
• The rule description is added to the hit log only for allowed traffic.

4. In Service Details, click Allow all traffic to allow all types of traffic or click Select a service
to choose any default or custom service.
5. Click Save.
Configure tier-to-tier rules for as many source and destination tiers as you want.
b. To add traffic sources, on the Inbound side of the Secure Application tab, do the following:

• From the drop-down list, select one of the following options:

• Allow All: Allows traffic from all sources.


• Allowed List Only: Allows traffic only if the traffic originates from entities on the security policy's
source allowlist. This option is the default option. If this option is selected, you must also configure the
source allowlist by clicking Add Source.
• Click Add Source, and then do the following:
1. Select one of the following options from the drop-down list:

• Category: Allows traffic only if that traffic originates from entities that are in the selected
category.
• Subnet/IP: Allows traffic only if that traffic originates from entities that are in the selected subnet.
• Addresses: Allows traffic only if the traffic originates from the entities that are in the selected
address.
2. Enter the value in the text box, and then click Add.
When entering the name of a category, a list of matching names is displayed, and you can select the
name you want to specify. The subnet mask must be specified in the CIDR format.
When entering the address, a list of available address group names appears. Select the address group or
you can create a new address group.
3. To add another category, subnet or address, click Add Source. Add as many categories, subnets
or addresses as you want to allow.
Each entry in this list represents a stream of inbound traffic.
c. To add traffic destinations, on the Outbound side, do the following:

• From the drop-down list, select one of the following options:

• Allow All: Allows traffic to all destinations. This option is the default option.
• Allowed List Only: Allows traffic only if the traffic is destined for entities on the security policy's
destination allowlist. If this option is selected, you must also configure the destination allowlist by
clicking Add Destination.
• Click Add Destination, and then do the following:
1. Select one of the following options from the drop-down list:

• Category: Allows traffic only if that traffic is destined for entities in the selected category.
• Subnet/IP: Allows traffic only if that traffic is destined for entities in the selected subnet.
• Addresses: Allows traffic only if the traffic originates from the entities that are in the selected
address.
2. Enter the value in the text box and then click Add.
When entering the name of a category, a list of matching names is displayed, and you can select the
name you want to specify. The subnet mask must be specified in the CIDR format.
When entering the address, a list of available address group names appears. Select the address group or
you can create a new address group.
3. To add another category, subnet or address, click Add Destination. Add as many categories, subnets
or addresses as you want to allow.
Each entry in this list represents a stream of outbound traffic.
• To specify the protocols that you want to allow from each stream of inbound and outbound traffic, do the
following:
1. If you added application tiers and configured tier-to-tier rules, first click Set Rules to & from App.
2. Click the traffic source or traffic destination (a category or subnet if you have configured an allowlist, or
All Sources if you have chosen to allow all sources) for which you want to create a rule.
3. Click the plus icon that appears on the application (if you are treating the application as a single entity)
or application tier (if you have divided the application into tiers). The Create Inbound Rule or
Create Outbound Rule dialog box appears.
4. Enter a description for the rule.
5. In Service Details, click Allow all traffic to allow all types of traffic or click Select a service to
choose any default or custom service.
6. Click Save.
After you configure a rule, a dotted line appears between the two endpoints of the rule. Point to the dotted line to
show the list of ports that the rule allows.

7. On the Review tab, review the security policy configuration, and then do one of the following:

• If you want to apply the configuration, select Enforce and click Apply.
Applying a security policy enforces the security policy on the application, and traffic from entities that are not
defined as sources in the policy is blocked.
• If you want to save the configuration and monitor how the security policy works, select Monitor and click
Save and Monitor.
When a policy is in the monitoring state, the application continues to receive all traffic, but disallowed traffic
is highlighted on the monitoring page. Traffic is not blocked until the policy is enforced.

Note: A policy that you have chosen to save and monitor can be applied from the policy update page.

Figure 5: Review

Modifying an Application Security Policy


About this task
To modify a security policy, do the following:

Procedure

1. In the Security Policies page, select the policy that you want to modify, click Actions, and then click Update.

2. Make the changes you want and then apply or save and monitor the policy.
The update options are the same as those for creating a policy. For information about the options, see Creating an
Application Security Policy on page 17.

Applying an Application Security Policy


Applying a security policy enforces the security policy on the application, and any traffic from sources that
are not allowed is blocked.

About this task


To apply a security policy, do the following:

Procedure

1. In the Security Policies page, select the policy that you want to apply, click Actions, and then click Apply.

2. Confirm by typing Apply in the dialog box, and then click OK.

Monitoring an Application Security Policy (Visualizing Network Flows)


About this task
When a policy is in the monitoring state, the application continues to receive all traffic, but disallowed traffic
is highlighted on the monitoring page. Traffic is not blocked until the policy is applied.
To monitor a security policy, do the following:

Procedure

1. In the Security Policies page, select the policy that you want to monitor, click Actions, and then click
Monitor.

2. Confirm by typing Monitor in the dialog box, and then click OK.
Allowed network flows and disallowed network flows are shown on the monitoring page, as shown in the
following figure. Allowed flows are depicted with a blue dotted line and disallowed network flows are depicted
with a red dotted line:

Figure 6: Monitoring Page for an Application Security Policy

3. To show a preview of the network flow in a tooltip, pause over the dotted line that depicts the network flow in the
diagram.
A tooltip similar to the following is displayed. The tooltip shows a graph for each connection:

Figure 7: Tooltip Showing a Preview of the Network Flow

4. To see a graph of a network flow, click the dotted line that depicts the network flow in the visualization.
A more detailed graph of the network flows is displayed, as shown in the following figure:

Figure 8: Network Flows Graph

5. To block unwanted flows, click Update, and then update the policy. For information about updating an
application security policy, see Modifying an Application Security Policy on page 22.

6. To apply the policy, click Apply.


Applying a policy enforces the policy and traffic from sources that are not allowed is blocked.

Deleting an Application Security Policy

About this task


To delete an application security policy, do the following:

Procedure

1. In the Security Policies page, select the policy that you want to delete.
You can select multiple policies and delete them all at once.

2. Click Delete in the Actions menu.

ISOLATION ENVIRONMENT POLICY CONFIGURATION
An isolation environment identifies two groups of VMs by category, and it blocks communications between the
groups.
You can also specify an additional category to restrict the scope of the isolation environment to that category.
For example, consider that you have an application category with values app1 and app2 and that you have
associated some VMs with application: app1 and some VMs with application: app2. Also, consider that
these same VMs are distributed between two sites, and have accordingly been associated with values site1 and site2 in
a category named location (location: site1 and location: site2).
In this example, you might want to block communications between the VMs in the two locations. Additionally, you
might want to restrict the scope of the policy to VMs in category application: app1. In other words, app1 VMs
in site1 cannot communicate with app1 VMs in site2. The following diagram illustrates the desired outcome. The
red connectors illustrate blocked traffic. The green connectors illustrate allowed traffic.

Figure 9: Applications Across Sites

You can configure an isolation policy for this by creating the following categories and isolation policy in Prism
Central:

Table 3: Sample Configurations For Categories and the Isolation Policy

Entity: Categories
• Name: application; Values: app1 and app2
• Name: location; Values: site1 and site2

Entity: Isolation Policy
• Name: eng_isolation_policy_across_sites
• Description: Isolate engineering VMs across sites
• Isolate This Category: location: site1
• From This Category: location: site2
• Apply the isolation only within a subset of the data center: application: app1

Layer 2 Isolation
Flow supports Layer 2 isolation to enable filtering of the layer 2 packets across all isolated entities. When an isolation
policy is applied between two category-based VM groups, all ingress and egress traffic (broadcast, unknown-unicast,
and multicast traffic) is dropped at the destination VM group.

Note:

• If VMs are part of both an isolation policy and the quarantine policy, the quarantine policy takes processing
priority over the isolation policy. For example, if VMs with category app1 are isolated from VMs
with category app2 using an isolation policy, the traffic between these VM groups is not dropped if the
VM groups are also part of a quarantine forensic policy that allows communication between these VMs.
In this case, since the quarantine forensics policy matches the VMs and this policy allows the traffic,
the isolation policy is not enforced.
• IPv6 traffic between isolated VMs is blocked by default with the introduction of layer 2 isolation.

Creating an Isolation Environment Policy


An isolation environment policy identifies two groups of VMs and blocks communications between the
groups. The two groups are identified by category. You can specify an additional category to restrict the
scope of the policy to that category.

About this task


To create an isolation environment, do the following:

Procedure

1. Log on to Prism Central.

2. Select Infrastructure application from the Application Switcher Function, and navigate to Network &
Security > Security Policies. The Security Policies page appears.

3. In the Security Policies page, click Create Security Policy, and then click Isolate Environments.
The Create Isolation Policy page appears.

Figure 10: Create Isolation Policy

4. Do the following in the indicated fields:

• Name: Enter a name for the isolation policy.


• Purpose: Describe the purpose of the isolation policy.
• Isolate this category: Type the name of one of the two categories that you want to isolate from each other.
Matching names appear in a list as you type. You can click the name of the category you want.
• From this category: Type the name of the other category.
• Apply the isolation only within a subset of the data center. If you want to restrict the scope of the policy to
a specific category of VMs, select this check box, type the name of the category in the text box, and select the
category from the list of matches.
If you isolate VMs in category Environment: Production from VMs in category Environment:
Staging, and you restrict the scope of the policy to VMs in the category Environment: Dev, Prism Central
applies the isolation policy to the following groups:

• VMs that are in both Environment: Production and Environment: Dev


• VMs that are in both Environment: Staging and Environment: Dev.
• IPv6 Traffic. Optionally, in the Advanced Configuration section, select the Allow radio button to allow
IPv6 traffic. The policy rules apply to IPv4 traffic only and all IPv6 traffic is blocked by default.
• Policy Hit Logs. Optionally, click the toggle button against Policy Hit Logs to log traffic flow hits on
the policy rules. You can configure syslog monitoring for the policy hit logs for Flow. For details, see
Configuring Syslog Monitoring in the Prism Central Admin Center Guide.

Note: Policy hit logs are not generated if both source and destination are in inbound or outbound category.

5. Do one of the following:

» Click Apply Now to apply the isolation environment.


» Click Save and Monitor to save the configuration and place the isolation environment in the monitoring
mode.
You can switch between the monitoring and applied states by selecting the isolation environment on the Security
Policies page and clicking the appropriate option in the Actions menu.
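The decisions described in this chapter (the scoped isolation from Table 3, the Save and Monitor versus Apply states, and the note that a forensic quarantine takes priority over a matching isolation policy), worked through as a constructed Python model. This is an added example, not Nutanix code; the VM names, the forensic allowlist and the Quarantine category strings it uses are assumptions.

```python
"""Constructed model of isolation environment policy decisions (an added
example, not Nutanix code). It uses the guide's sample categories
(application: app1/app2, location: site1/site2) and the rule that the
built-in quarantine policy takes priority over a matching isolation policy."""
from dataclasses import dataclass
from typing import FrozenSet, Optional

# Assumed category strings for the two quarantine methods.
QUARANTINE_STRICT = "Quarantine: Strict"
QUARANTINE_FORENSICS = "Quarantine: Forensics"


@dataclass(frozen=True)
class VM:
    name: str
    categories: FrozenSet[str]  # "key: value" strings as shown in Prism Central


@dataclass(frozen=True)
class IsolationPolicy:
    name: str
    isolate: str                 # Isolate This Category
    from_cat: str                # From This Category
    scope: Optional[str] = None  # Apply the isolation only within a subset
    enforced: bool = False       # False = Save and Monitor, True = Apply


def isolation_matches(policy: IsolationPolicy, a: VM, b: VM) -> bool:
    """A pair is covered when the VMs sit on opposite sides of the two
    categories and, if a scope is set, both VMs are also in the scope."""
    opposite = (
        (policy.isolate in a.categories and policy.from_cat in b.categories)
        or (policy.from_cat in a.categories and policy.isolate in b.categories)
    )
    if not opposite:
        return False
    if policy.scope is None:
        return True
    return policy.scope in a.categories and policy.scope in b.categories


def verdict(policy: IsolationPolicy, forensic_allowed: FrozenSet[str],
            a: VM, b: VM) -> str:
    """Return 'allow', 'drop' or 'flagged' (monitor mode: traffic passes but is
    highlighted as disallowed). forensic_allowed holds the categories the
    built-in quarantine policy lets talk to Quarantine: Forensics VMs; the
    quarantine policy is assumed to be applied, not merely monitored."""
    if QUARANTINE_STRICT in a.categories or QUARANTINE_STRICT in b.categories:
        return "drop"  # strict quarantine: no exceptions, not even forensics
    for vm, peer in ((a, b), (b, a)):
        if QUARANTINE_FORENSICS in vm.categories:
            # Quarantine takes priority: when the forensic policy allows the
            # peer, the isolation policy is not enforced for this pair.
            return "allow" if peer.categories & forensic_allowed else "drop"
    if not isolation_matches(policy, a, b):
        return "allow"
    return "drop" if policy.enforced else "flagged"


# --- constructed sample matching Table 3 in the guide ---------------------
POLICY = IsolationPolicy(
    name="eng_isolation_policy_across_sites",
    isolate="location: site1", from_cat="location: site2",
    scope="application: app1", enforced=True,
)
# Hypothetical forensic allowlist: a tooling category plus the app1 category.
FORENSIC_ALLOWED = frozenset({"AppType: ForensicTools", "application: app1"})

APP1_SITE1 = VM("app1-s1", frozenset({"application: app1", "location: site1"}))
APP1_SITE2 = VM("app1-s2", frozenset({"application: app1", "location: site2"}))
APP2_SITE2 = VM("app2-s2", frozenset({"application: app2", "location: site2"}))
QUARANTINED = VM("app1-s1-q", APP1_SITE1.categories | {QUARANTINE_FORENSICS})


def run_examples(policy: IsolationPolicy = POLICY) -> dict:
    """Evaluate the pairs discussed in the guide and return their verdicts."""
    pairs = {
        "app1 site1 -> app1 site2": (APP1_SITE1, APP1_SITE2),  # isolated
        "app1 site1 -> app2 site2": (APP1_SITE1, APP2_SITE2),  # outside scope
        "app1 site2 -> app2 site2": (APP1_SITE2, APP2_SITE2),  # same site
        "quarantined app1 site1 -> app1 site2": (QUARANTINED, APP1_SITE2),
        "quarantined app1 site1 -> app2 site2": (QUARANTINED, APP2_SITE2),
    }
    return {k: verdict(policy, FORENSIC_ALLOWED, a, b) for k, (a, b) in pairs.items()}


if __name__ == "__main__":
    for pair, result in run_examples().items():
        print(f"{pair:40s} {result}")
```

Re-running with enforced=False shows the isolated pair as "flagged" rather than "drop", which is what the monitoring page highlights before you click Apply.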

Modifying an Isolation Environment Policy

About this task


To modify an isolation environment, do the following:

Procedure

1. In the Security Policies page, select the isolation policy that you want to modify, click Actions, and then click
Update.

2. Make the changes you want and then apply or save and monitor the policy.
The update options are the same as those for creating a policy. For information about the options, see Creating an
Isolation Environment Policy on page 27.

Applying an Isolation Environment Policy


Applying an isolation environment policy enforces the policy on the specified categories, and any traffic
between the categories is blocked.

About this task

Note: Changing the state of an isolation environment policy affects the functioning of any conflicting application
security policies. For more information, see Priorities Between Policies on page 8.

To apply an isolation environment policy, do the following:

Procedure

1. In the Security Policies page, select the policy, click Actions, and then click Apply.

2. Confirm by typing Apply in the dialog box, and then click OK.

Monitoring an Isolation Environment Policy (Visualizing Network Flows)


About this task
The VMs in the two categories in an isolation environment policy are allowed to communicate with each
other when the policy is in the monitoring state. Traffic is blocked only during the time the policy is applied.

Note: Changing the state of an isolation environment policy affects the functioning of any conflicting application
security policies. For more information, see Priorities Between Policies on page 8.

To monitor a security policy, do the following:

Procedure

1. In the Security Policies page, select the policy, click Actions, and then click Monitor.

2. Confirm by typing Monitor in the dialog box, and then click OK.
The monitoring page shows the flows between the two categories.

3. To view information about a particular network flow, pause over the flow.
A tooltip similar to the following is displayed:

Figure 11: Monitoring Page for an Isolation Environment Policy

Deleting an Isolation Environment Policy

About this task


To delete an isolation environment policy, do the following:

Procedure

1. In the Security Policies page, select the policy.


You can select multiple policies to delete them all at once.

2. Click Delete in the Actions menu.

QUARANTINE POLICY CONFIGURATION
Prism Central includes a system-defined quarantine policy that enables you to perform the following tasks:

• Completely isolate an infected VM that must not have any traffic associated with it.
• Isolate an infected VM but specify a set of forensic tools that can communicate with the VM.
For these use cases, Prism Central includes built-in categories that are included in the system-defined quarantine
policy.

Note: You cannot create a quarantine policy. However, you can modify the existing (system-defined) quarantine policy.

Prism Central also enables you to monitor the quarantine policy before applying it.
The quarantine policy cannot be deleted.

Configuring the Quarantine Policy


In the built-in quarantine policy, you specify categories that can communicate with VMs that have been
added to the Quarantine: Forensics category.

About this task


To configure the quarantine policy, do the following:

Procedure

1. Log on to Prism Central.

2. Select Infrastructure application from the Application Switcher Function, and navigate to Network &
Security > Security Policies. The Security Policies page appears.

3. In the Security Policies page, select Quarantine, and then click Update in the Actions menu.

4. Optionally, in the Advanced Configuration under the Define Policy tab, do the following.

a. Select the Allow radio button to allow IPv6 traffic. The policy rules apply to IPv4 traffic only and all IPv6
traffic is blocked by default. You can configure the allow option for both Forensic and Strict modes.
b. Optionally, click the toggle button against Policy Hit Logs to log traffic flow hits on the policy rules.
You can configure syslog monitoring for the policy hit logs for Flow. For details, see Configuring Syslog
Monitoring in the Prism Central Admin Center Guide . You can enable the policy hit log option for both
Forensic and Strict modes.

Note: Policy hit logs are not generated if both source and destination are in inbound or outbound category.

5. On the Add Forensic Tools tab, do the following, and then click Next:

a. To specify the categories that contain forensic tools, on the Inbound and Outbound sides of the policy
diagram, do the following:

• From the drop-down list, select one of the following options:

• Allow All: Allows traffic associated with all sources or destinations.


• Allowed List Only: Allows traffic only if the traffic is associated with the categories and subnets on
the allowlist. This option is the default option. If this option is selected, you must also configure the
allowlist by clicking Add Source or Add Destination.
• Click Add Source or Add Destination, and then do the following:
1. Select one of the following options from the drop-down list:

• Category: Allows traffic to or from the specified category.


• Subnet/IP: Allows traffic to or from the specified subnet.
• Addresses: Allows traffic only if the traffic originates from the entities that are in the selected
address.
2. Enter the value in the text box, and then click Add.
When entering the name of a category, a list of matching names is displayed, and you can select the
name you want to specify. The subnet mask must be specified in the CIDR format.
When entering the address, a list of available address group names appears. Select the address group or
you can create a new address group.
3. To add another category, subnet or address, click Add Source or Add Destination. Add as many
categories, subnets or addresses as you want to allow.
b. To specify the protocols and ports over which the forensic tools can communicate with the VMs in the forensic
category, do the following:

1. On the Inbound and Outbound sides of the policy diagram, click a category or subnet (if you have
configured an allowlist) or All Sources (if you have chosen to allow all sources) for which you want
to create a rule.
2. Click the plus icon that appears on the Quarantine: Forensic category. The Create Inbound Rule
or Create Outbound Rule dialog box appears.
3. Enter a description for the rule.

Note: The policy rule description is captured in the policy hit log data.
• The policy hit log must be enabled.
• The rule description is added to the hit log only for allowed traffic.

4. In Service Details, click Allow all traffic to allow all types of traffic or click Select a service to
choose any default or custom service.
5. Click Save.
After you configure a rule, a dotted line appears between the two endpoints of the rule. Point to the dotted line to
show the list of ports that the rule allows.

6. On the Review tab, do one of the following:

» Click Apply Now to apply the quarantine policy.


» Click Save and Monitor to save the configuration and place the quarantine policy in the monitoring mode.
You can switch between the monitoring and applied states by selecting Quarantine on the Security Policies
page and clicking the appropriate option in the Actions menu.

Quarantining a VM
You quarantine a VM by adding the VM to a quarantine category.

About this task


To add an infected VM to a quarantine category, do the following:

Procedure

1. In the VMs dashboard List tab (see VMs Summary View in the Prism Central Infrastructure Guide), select the
infected VM, click Actions, and then click Quarantine VMs.

2. Under Quarantine Method, click one of the following options:

» Strict. Isolates the VM from all traffic. No exceptions can be made for forensics.
» Forensic. Isolates the VM from all traffic except traffic from categories specified in the built-in quarantine
policy. The allowed categories contain forensic tools that enable you to perform forensics on the VM.
For VMs added to the strict quarantine, a red icon is displayed in the name column.

3. Click Quarantine.

Removing a VM from the Quarantine

About this task


To remove a VM from the quarantine, do the following:

Procedure

1. In the VMs dashboard List tab (see VMs Summary View in the Prism Central Infrastructure Guide), select the
VM that you want to remove from the quarantine, click Actions, and then click Unquarantine VMs.
You can select multiple VMs and remove them from the quarantine in a single step.

2. In the Unquarantine VMs dialog box, click Unquarantine.

VDI POLICY CONFIGURATION
The VDI Policy is based on identity-based categorization of the VDI VMs using Active Directory group
membership. Configuring VDI policy includes adding an Active Directory domain that is used for the ID firewall (ID
Based Security) and configuring a service account for the domain.

ID Based Security
ID firewall is an extension to Flow that allows you to write security policies based on users and groups in the Active
Directory domain to which your VDI VMs are joined. When using ID firewall, you can import groups from Active
Directory into Prism Central as categories (in the category key ADGroup), and then write policies around these
categories, just as you would for any other category. A new type of policy, the VDI Policy, has been added for this
purpose. ID firewall automatically places VDI VMs in the appropriate categories on detecting user logons to VMs
hosted on Nutanix infrastructure associated with Prism Central, thus allowing user- and group-based enforcement
of Flow policies.

• See Configuring Active Directory Domain Services on page 38 to import user groups for identity-based
security policies.
• See Creating a VDI Policy on page 34 to create a VDI policy.
• See Default VDI Policy on page 38 configuration to define a default VDI policy.

Note:

• It is recommended to disable credential caching on VDI VMs for Flow ID Firewall. The Flow ID
Firewall checks the domain controller events for logon attempts. If the VM cannot reach the domain
controller, a user can still log on (if credential caching is enabled), but no event is generated on the
domain controller, so the ID Firewall cannot detect the logon.
• To disable credential caching, see Interactive logon: Number of previous logons to cache (in case
domain controller is not available) on the Microsoft documentation website.
• A basic assumption of VDI Policies is that a single end user is logged on to each desktop VM at a point
in time. As a result, if multiple users log in to a single desktop VM at once, the security posture of the
VM may change in unpredictable ways. For predictable behavior, ensure that only one user is logged in
to a desktop VM at a time.

Creating a VDI Policy


ID firewall integrates Nutanix Flow with Microsoft Active Directory (AD), such that the groups in the AD
can be imported into Prism Central as categories. These imported categories can then be used in the
VDI policy as target groups, inbound traffic, and outbound traffic. Prism Central automatically places VMs
inside the imported AD group categories when user logons are detected on VMs that are part of the Active
Directory domain and also present on Nutanix managed clusters, thus applying security policies based on
user group membership.

Before you begin

Note:

• Flow Network Security does not support LDAPS encrypted connections on port 636. Therefore, to use
VDI policies, configure the LDAP connection on unencrypted port 389.
• Flow ID firewall is supported only for AHV hosts running AOS version 5.17 or later and
Prism Central version 5.17 or later.

• Flow ID firewall does not detect user logoffs. The policy applied to a VM is kept applied until next user
logon on the same VM.
• VMs with an AppType category assignment do not get categorized by ID Based Security.
• You can use the Default VDI Policy on page 38 to apply a default set of rules for the VDI VMs
(without the requirement of user logons).
• Since a VM user can be a member of multiple ADGroups that are mapped into Prism Central from
Active Directory, when a user logs on, a VM may be placed in multiple ADGroups at once. This is the
correct behavior, and the policy applied to the VM will be a union of the respective combination of
inbounds and outbounds across all ADGroups the VM is placed into.

• If not already available, configure an Active Directory domain that is used for ID firewall, see Configuring
Active Directory Domain Services on page 38.
• Configure a service account with required configuration for the Active Directory domain, see Configure Service
Account for ID Firewall on page 39.
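The categorization behavior in the notes above (logon-driven ADGroup placement, no logoff detection, AppType exclusion, the optional ADGroup:Default category with its keep-on-logon option from the Define Policy tab, and the union of rules across ADGroups), as a constructed Python model. This is an added example, not Nutanix code; the group names, the domain-controller subnet and the AppType values are assumptions.

```python
"""Constructed model (an added example, not Nutanix code) of how ID firewall
categorizes VDI VMs on user logon and how the resulting rules combine,
following the notes above: no logoff detection, AppType VMs are skipped,
the optional ADGroup:Default category, and a union of inbound and outbound
rules across all ADGroups a VM is placed in."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Optional, Set

AD_GROUP_PREFIX = "ADGroup: "
DEFAULT_CATEGORY = "ADGroup: Default"


@dataclass(frozen=True)
class GroupRules:
    inbound: FrozenSet[str]   # allowed sources (categories or subnets)
    outbound: FrozenSet[str]  # allowed destinations


@dataclass
class VDIPolicy:
    rules: Dict[str, GroupRules]         # keyed by "ADGroup: <name>"
    name_contains: Optional[str] = None  # None = Include all VMs
    assign_default: bool = False         # assign matching VMs to ADGroup:Default
    keep_default_on_logon: bool = False  # Keep the default category upon logon


@dataclass
class VM:
    name: str
    categories: Set[str] = field(default_factory=set)


def has_app_type(vm: VM) -> bool:
    return any(c.startswith("AppType:") for c in vm.categories)


def matches_filter(policy: VDIPolicy, vm: VM) -> bool:
    return policy.name_contains is None or policy.name_contains in vm.name


def apply_default(policy: VDIPolicy, vm: VM) -> None:
    """Default posture a matching VM gets before any logon is detected."""
    if policy.assign_default and matches_filter(policy, vm) and not has_app_type(vm):
        vm.categories.add(DEFAULT_CATEGORY)


def on_logon(policy: VDIPolicy, vm: VM, user_groups: FrozenSet[str]) -> bool:
    """Re-categorize vm when a domain logon by a user in user_groups is
    detected. Returns False when ID firewall leaves the VM untouched."""
    if has_app_type(vm) or not matches_filter(policy, vm):
        return False
    # Groups from the previous logon are replaced only now: logoffs are not
    # detected, so the old posture stays until the next logon.
    for cat in [c for c in vm.categories if c.startswith(AD_GROUP_PREFIX)]:
        if cat == DEFAULT_CATEGORY and policy.keep_default_on_logon:
            continue
        vm.categories.discard(cat)
    vm.categories.update(AD_GROUP_PREFIX + g for g in user_groups)
    return True


def effective_rules(policy: VDIPolicy, vm: VM) -> GroupRules:
    """Union of the allowlists of every ADGroup the VM currently belongs to."""
    inbound: Set[str] = set()
    outbound: Set[str] = set()
    for cat in vm.categories:
        if cat in policy.rules:
            inbound |= policy.rules[cat].inbound
            outbound |= policy.rules[cat].outbound
    return GroupRules(frozenset(inbound), frozenset(outbound))


# --- constructed sample (hypothetical groups, subnet and categories) -------
DC_SUBNET = "10.0.0.0/24"  # domain controllers must stay reachable for logons
POLICY = VDIPolicy(
    rules={
        DEFAULT_CATEGORY: GroupRules(frozenset({DC_SUBNET}), frozenset({DC_SUBNET})),
        "ADGroup: Finance": GroupRules(frozenset({DC_SUBNET}), frozenset({DC_SUBNET, "AppType: ERP"})),
        "ADGroup: Engineering": GroupRules(frozenset({DC_SUBNET}), frozenset({DC_SUBNET, "AppType: Git"})),
    },
    name_contains="vdi-", assign_default=True,
)


def run_scenario() -> Dict[str, object]:
    """Walk one desktop through default posture, two logons and an AppType VM."""
    desktop = VM("vdi-042")
    apply_default(POLICY, desktop)
    before = effective_rules(POLICY, desktop)
    on_logon(POLICY, desktop, frozenset({"Finance", "Engineering"}))  # alice
    alice = effective_rules(POLICY, desktop)                            # union
    on_logon(POLICY, desktop, frozenset({"Finance"}))                   # bob
    bob = effective_rules(POLICY, desktop)
    server = VM("vdi-srv", {"AppType: ERP"})  # AppType VM: never categorized
    return {"before": before, "alice": alice, "bob": bob,
            "server_categorized": on_logon(POLICY, server, frozenset({"Finance"})),
            "desktop_categories": set(desktop.categories)}
```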

About this task


To secure a VDI environment, do the following:

Procedure

1. Log on to Prism Central.

2. Select Infrastructure application from the Application Switcher Function, and navigate to Network &
Security > Security Policies. The Security Policies page appears.

3. In the Security Policies page, click Create Security Policy. Select Secure VDI Groups (VDI Policy) and
click Create.
You can create only one VDI policy for securing applications through ID Firewall.
The Define Policy page is displayed.

4. On the Define Policy tab, do the following in the indicated fields, and then click Next:

a. The Policy Name and Purpose fields are auto-populated.


b. Select either Include all VMs or Include VMs by name as the VDI VM Filter.

Figure 12: Define Tab

You can use the VDI VM Filter for the following scenarios.

• Include VMs by name - Select Include VMs by name and enter the matching criteria in the VM
Name Contains field. Select the Assign matching VMs to an optional default category
(ADGroup:Default) check box to apply a default posture to the VMs; see Default VDI Policy on
page 38 for details. Optionally, select the Keep the default category upon user logon check box to
preserve the default category even after user logon.

Note:

• Assign ADGroup categories only when the VM matches the filter criteria; otherwise, ADGroups
apply to all VMs where a logon is detected.
• VMs with an AppType category assigned are never categorized with an ADGroup.
• While updating the VDI policy, if the inclusion criteria are changed to exclude and then re-include
previously included VMs (that were previously logged on and categorized), the previous categories are
not applied upon re-inclusion; a new logon must occur on the VM for categories to apply.

• Include all VMs - Select Include all VMs to include all the VMs in the AD group in the policy. Note that
non-VDI VMs are also included in the policy if the Include all VMs option is selected.

c. Optionally, in the Advanced Configuration section, select the Allow option to allow IPv6 traffic. The
policy rules apply to IPv4 traffic only, and all IPv6 traffic is blocked by default.

Note: If you choose to block IPv6 traffic, the IPv6 traffic remains blocked even in the monitoring mode.

d. Optionally, turn on the Policy Hit Logs option to log traffic flow hits on the policy rules.
You can configure syslog monitoring for the Flow policy hit logs. For details, see Configuring Syslog
Monitoring in the Prism Central Admin Center Guide.

Note: Policy hit logs are not generated if both the source and the destination are in the inbound or outbound category.

5. In the Secure AD Groups tab, do the following in the indicated fields and click Next.

a. For Inbound Traffic, click + Add Source and enter the categories or subnets that the VDI group can receive
traffic from, as the source.
b. For each VDI ADGroup, click + Add AD Group to select the AD groups (categorized VDI VMs) that you
want to secure. You can click Import all AD Groups to add all imported ADGroup categories to the VDI
policy.
c. For Outbound Traffic, click + Add Destination and enter the categories or subnets that the VDI group can
send traffic to, as the destination.

Note: If you have not used the default VDI option in Step 2b, ensure that you add all of your Active Directory
domain controllers as part of this step, using either categories or subnets, for each ADGroup.

Figure 13: Secure AD Groups Tab



6. Do one of the following:

» Click Apply Now to apply the VDI Policy.


» Click Save and Monitor to save the configuration.
You can switch between the monitoring and applied states on the Security Policies page by clicking the
appropriate option in the Actions menu.

Default VDI Policy


The Default VDI policy feature allows you to apply a default set of rules as defined by the desktop administrator for
VDI VMs and users. There are two primary use cases for Default VDI Policy (ADGroup:Default).

• To ensure that a VDI VM is secure even before a user logs on to the VDI VM.
• To enable access to common network resources without the need to add the resources to every tier of a VDI
policy.
You can define a default VDI policy at the time of creating a new VDI policy, or by updating any existing VDI
policy. See Step 2b of the VDI Policy Configuration topic for details.

Configuring Active Directory Domain Services


The Active Directory Domain Services configuration is used to import user groups for identity-based security
policies.

Before you begin

• Microsegmentation must be enabled to be able to use the ID Firewall feature. For more information, see Enabling
Microsegmentation on page 10.
• You must allow WMI access from Prism Central to all the Active Directory Domain Controllers in your network
firewall and Active Directory firewall.
• Active Directory Requirements:

• Minimum supported domain functional level in Active Directory is Windows Server 2008 R2.
• ID Firewall checks the membership of Security Groups only, Distribution Groups are not supported.
• NTP must be configured on Active Directory and Prism Central.
• DNS must be configured on Prism Central if you want to use host names for domain controllers.

About this task


To configure an Active Directory domain, do the following.

Procedure

1. Log on to the Prism Central web console.

2. Click the collapse menu ("hamburger") button on the left of the main menu and then select Prism Central
Settings to display the Settings page.

3. Click ID Based Security from the Settings menu (on the left).
The ID Based Security page is displayed. This page allows you to Add New Domain or use an Existing AD.



4. If you select Use Existing AD in step 3, do the following in the indicated fields:

a. Click the Manually Add Domain Controller button, then click + Domain Controller.
b. Enter the IP address or host name of the domain controllers that you want to monitor for user logon
events. You must add all the domain controllers associated with your Active Directory manually:
click + and add each domain controller individually, then click the blue check mark icon to save.

Note: DNS must be configured on Prism Central for the host name option to work.

5. If you select Add New Domain in step 3, a set of fields is displayed. Do the following in the indicated fields:

a. Name: Enter a directory name.


This is a name you choose to identify this entry; it need not be the name of an actual directory.
b. Domain: Enter the domain name.
Enter the domain name in DNS format, for example, nutanix.com.
c. Directory URL: Enter the LDAP address of the directory, including the port number.
d. Service Account Username: Enter the service account user name in the user@domain
format that you want Prism Central to use to detect logons and query user and group information from Active
Directory.

Caution: As a security best practice, do not use the Domain Admin account as the service account.
Create a new domain user and grant it the required permissions as described in Configure Service Account for
ID Firewall on page 39.

A service account is a special user account that an application or service uses to interact with the Active
Directory. Enter your Active Directory service account credentials in this (username) and the following
(password) field.

Note: Ensure that you update the service account credentials here whenever the service account password
changes or when a different service account is used.

e. Service Account Password: Enter the service account password.


f. When all the fields are correct, click the Save button (lower right).
ID Firewall uses the same service account for ID based security, which has additional requirements; see Configure
Service Account for ID Firewall on page 39.
Once saved, the Referenced AD Groups section is displayed. You can add a new user group by clicking +
Add User Group and edit the auto-generated Category Value. After the Active Directory configuration is
complete, you can create the VDI Policy; see Creating a VDI Policy on page 34.

6. Select Add Inclusion Criteria under Manage the VM Inclusion Criteria to specify which VMs are assigned
to AD Group categories upon user logon based on VM name.

Note: It is recommended that you add inclusion criteria wherever possible to prevent unintended categorizations.

Note: The VMs with AppType category assigned cannot be categorized by ID Based Security.

Configure Service Account for ID Firewall


The Active Directory service account in Prism Central is used for connectivity with the Active Directory domain
services. ID Firewall also uses the same service account for ID based security.
To configure a service account for ID Firewall, do the following.



1. Create a new user in the Active Directory.
2. Add the user to the Distributed COM Users and Event Log Readers domain groups.
3. Start the dcomcnfg.exe utility and go to Component Services > Computers > My Computer >
DCOM Config.
4. Right-click Windows Management and Instrumentation and select Properties from the menu.
5. Switch to the Security tab, select the Customize option in the Access Permissions section, and then click Edit.
6. Add the user and grant the Local Access and Remote Access permissions to the user. Click OK to confirm the
changes.
7. Run the WMIMGMT.msc command to start the Windows Management Instrumentation snap-in.
8. Right-click WMI Control (Local) and select Properties from the menu.
9. Switch to the Security tab and expand the Root tree.
10. Select CIMV2 in the expanded tree and click Security.
11. Go to Advanced > Add > Principal and enter the user name.
12. Change the scope by selecting This namespace and subnamespaces in the Applies to drop-down menu.
13. Select the check boxes to grant the Enable Account and Remote Enable permissions. Click OK to confirm the
changes.
14. Restart the winmgmt service:
    C:\> net stop winmgmt
    C:\> net start winmgmt
Alternatively, reboot the domain controller.
15. Repeat step 3 to step 14 on every domain controller.
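The following PowerShell script is an added example, not part of this guide or of Nutanix's software. It checks the Active Directory requirements listed under Before you begin (domain functional level, Security rather than Distribution groups) and then verifies, for every domain controller, that the service account created in the procedure above has the access the steps grant: membership in Distributed COM Users and Event Log Readers, a working WMI query in the root\cimv2 namespace over DCOM, and read access to the Security event log. The account name, group names and the assumption that it runs from a domain-joined host with the RSAT ActiveDirectory module are placeholders; it tests the WMI path from the host it runs on, not from Prism Central itself, so firewall rules between Prism Central and the domain controllers still need to be confirmed separately.

```powershell
#Requires -Modules ActiveDirectory
# Added example (not Nutanix code): pre-flight checks for the ID Firewall service account.
# All account and group names below are placeholders; adjust them to your environment.
param(
    [string]$ServiceAccount = 'svc-idfirewall',                     # placeholder sAMAccountName
    [string[]]$VdiAdGroups  = @('VDI-Finance', 'VDI-Engineering'),  # placeholder groups referenced by the VDI policy
    [pscredential]$Credential = (Get-Credential -Message 'ID Firewall service account (user@domain)')
)

$ErrorActionPreference = 'Stop'
$results = [System.Collections.Generic.List[object]]::new()
function Add-Check([string]$Scope, [string]$Check, [bool]$Pass, [string]$Detail = '') {
    $results.Add([pscustomobject]@{ Scope = $Scope; Check = $Check; Pass = $Pass; Detail = $Detail })
}

# --- Domain-level requirements (Before you begin) ---
$domain = Get-ADDomain
# Windows2008R2Domain is value 4 of the ADDomainMode enumeration; anything lower is unsupported.
Add-Check 'Domain' 'Functional level >= Windows Server 2008 R2' ([int]$domain.DomainMode -ge 4) "$($domain.DomainMode)"

# ID Firewall evaluates Security groups only; Distribution groups are not supported.
foreach ($g in $VdiAdGroups) {
    $grp = Get-ADGroup -Identity $g
    Add-Check 'Group' "$g is a Security group" ($grp.GroupCategory -eq 'Security') "$($grp.GroupCategory)"
}

# --- Service-account posture (Configure Service Account for ID Firewall, steps 1-2 and the Caution) ---
$memberOf = Get-ADPrincipalGroupMembership -Identity $ServiceAccount | Select-Object -ExpandProperty Name
foreach ($required in 'Distributed COM Users', 'Event Log Readers') {
    Add-Check 'Account' "Member of $required" ($memberOf -contains $required)
}
# The guide cautions against using a Domain Admin account; flag it if that rule has been bypassed.
Add-Check 'Account' 'Not a member of Domain Admins' ($memberOf -notcontains 'Domain Admins')

# --- Per-DC checks: every DC must be reachable over DCOM/WMI and readable for logon events ---
foreach ($dc in Get-ADDomainController -Filter *) {
    $name = $dc.HostName
    # TCP 135 is the DCOM endpoint mapper; WMI then negotiates dynamic RPC ports, so the firewall must allow those too.
    $tcp = Test-NetConnection -ComputerName $name -Port 135 -WarningAction SilentlyContinue
    Add-Check $name 'TCP 135 (DCOM endpoint mapper) reachable' $tcp.TcpTestSucceeded

    try {
        # Force DCOM rather than WSMan: the DCOM Config and CIMV2 namespace permissions from steps 3-13 are what this exercises.
        $opt = New-CimSessionOption -Protocol Dcom
        $session = New-CimSession -ComputerName $name -Credential $Credential -SessionOption $opt
        $os = Get-CimInstance -CimSession $session -Namespace 'root/cimv2' -ClassName Win32_OperatingSystem
        Add-Check $name 'WMI root\cimv2 query over DCOM' ($null -ne $os) $os.Caption
        Remove-CimSession $session
    } catch {
        Add-Check $name 'WMI root\cimv2 query over DCOM' $false $_.Exception.Message
    }

    try {
        # Event Log Readers membership is what permits reading the Security log that logon detection depends on.
        $evt = Get-WinEvent -ComputerName $name -Credential $Credential -LogName Security -MaxEvents 1
        Add-Check $name 'Security event log readable' ($null -ne $evt) "Latest event ID $($evt.Id)"
    } catch {
        Add-Check $name 'Security event log readable' $false $_.Exception.Message
    }
}

$results | Format-Table -AutoSize
# Non-zero exit lets the script gate a change window or a scheduled compliance run.
if ($results.Where({ -not $_.Pass }).Count -gt 0) { exit 1 }
```

Run it after completing step 15 on every domain controller; a failing WMI or event log row for a single DC usually means that DC was skipped in steps 3 to 14, while a failing TCP 135 row points at the network or Windows firewall rather than at the account permissions.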

Modifying the VDI Policy

About this task


To modify the VDI policy, do the following:

Procedure

1. In the Security Policies page, select the policy, click Actions, and then click Update.

2. Make the changes you want and then apply or save and monitor the policy.
The update options are the same as those for creating a policy. For information about the options, see Creating a
VDI Policy on page 34.

Applying the VDI Policy


Applying the VDI policy enforces the policy on the specified categories (VDI AD groups), and any traffic
between the categories is blocked.

About this task


To apply the VDI policy, do the following:

Procedure

1. In the Security Policies page, select the policy, click Actions, and then click Apply.

2. Confirm by typing Apply in the dialog box, and then click OK.



Monitoring the VDI Policy
About this task
The VMs in VDI AD Groups in the VDI policy are allowed to communicate with each other when the policy
is in the monitoring state. Traffic is blocked only during the time the policy is applied.
To monitor a security policy, do the following:

Procedure

1. In the Security Policies page, select the policy, click Actions, and then click Monitor.

2. Confirm by typing Monitor in the dialog box, and then click OK.

Deleting the VDI Policy

About this task


To delete the VDI policy, do the following:

Procedure

1. In the Security Policies page, select the VDI policy.

2. Click Delete in the Actions menu.



APPLYING FILTERING AND GROUPING
TO A SECURITY POLICY
You can apply different types of filters to view results based on properties like source, destination,
category, ports, and more. You can also group related rule attributes together for easier visualization of
connection flows. Grouping and filtering work together to provide an intuitive view of the security policy.

About this task


To apply filtering and grouping to a security policy, do the following.

Procedure

1. Log on to the Prism Central web console.

2. Click the collapse menu ("hamburger") button on the left of the main menu and go to Policies > Security. The
Policies page is displayed.

3. Click any policy to view the inbound, application, and outbound configuration.

4. To view specific rule properties, do one of the following.

» In the Search box, search for the required string using the default All filter.
» Click the filter drop-down menu to search the policy based on any of the following filter types.
  Category: search category name and value
  Address: search address and subnet IP address
  Subnet IP: search subnet IP address
  Service: search service name
  Rule Description: search rule description
  Ports (TCP/UDP): search TCP/UDP ports and services
  ICMP: search ICMP ports and services

Figure 14: Filtering Policies

5. To group related rule entities together, click the group icon.
The group option organizes related rule attributes like subnet IP, categories, and service in distinct boxes. Also,
the connection flows for all the entities in a group are displayed as a single connection flow. To view all the
entities belonging to a group, click the down-arrow icon to expand the group.

Figure 15: Filtering Policies

EXPORTING AND IMPORTING SECURITY
POLICIES
Prism Central allows you to export and import security policies for the following security administration purposes.

• To keep a snapshot of a working security configuration so that the system can be restored to the desired state when
needed.
• To apply security policies as templates. This scenario is useful in ROBO environments (disaster recovery
deployments) where the datacenters are managed by multiple Prism Central instances.

Exporting Security Policies


To export or import security policies, do the following in the Security Policies page.

Note: For the VDI policy, the inclusion criteria and default VDI category settings are not included in the export.
You must set these manually after an import if required.

• Click the Export & Import drop-down menu.
• To export the security policies, select Export Security Policy. The security policies binary file is downloaded.
• To import a previously exported security policies binary file, select Import Security Policy, then click
Browse to select the binary file. Click Import. The security policies are imported.

Note: Existing policies are overwritten by the imported policies, and policies that are not part of the import are deleted.

COPYRIGHT
Copyright 2024 Nutanix, Inc.
Nutanix, Inc.
1740 Technology Drive, Suite 150
San Jose, CA 95110
All rights reserved. This product is protected by U.S. and international copyright and intellectual property
laws. Nutanix and the Nutanix logo are registered trademarks of Nutanix, Inc. in the United States and/or other
jurisdictions. All other brand and product names mentioned herein are for identification purposes only and may be
trademarks of their respective holders.
