f3669228d9
The admin-policy scenario test configures a test topology in which VMs of 2 tenants are allowed to talk to each other, or are rejected, based on the NSX policy applied to their security-group. Traffic forwarding is validated using different policy-IDs assigned to the tenant VMs' security-groups. The ping test uses CONF.scenario.waitfor_connectivity for how long it should wait for the ping test to PASS or FAIL. If ping is not in the expected condition, an additional ping test will be conducted. All three router types are tested. The policy-AA and policy-BB blueprints are to be imported to NSX. Change-Id: I6960a1bbccdb6c4664a36a22ec4ccc28b368f2c0
<securityPolicyHierarchy>
  <!--
    NSX security-policy blueprint "admin-policy-BB".
    Intent, per the description below: SSH is accepted from any source,
    while ping is limited to members of the same security-group.
    The firewall actions are listed in ascending executionOrder (1 to 7);
    presumably NSX evaluates them in that order, confirm against the NSX docs.
    NOTE(review): every action in this file has logged=false, so neither
    allowed nor rejected flows leave a firewall log entry. Fine for a test
    fixture; reconsider before reusing this blueprint elsewhere.
  -->
  <name>admin-policy-BB</name>
  <description>policy-BB, ssh from anywhere are OK, but ping limited to same security-group</description>
  <securityPolicy>
    <revision>0</revision>
    <name>security-policy-BB</name>
    <description>Security Policy BB</description>
    <clientHandle></clientHandle>
    <isUniversal>false</isUniversal>
    <universalRevision>0</universalRevision>
    <inheritanceAllowed>false</inheritanceAllowed>
    <precedence>5600</precedence>
    <actionsByCategory>
      <category>firewall</category>

      <!-- Order 1: allow inbound DHCP (UDP 68 client, UDP 67 server). -->
      <action class="firewallSecurityAction">
        <revision>0</revision>
        <name>dhcp-in</name>
        <clientHandle></clientHandle>
        <isUniversal>false</isUniversal>
        <universalRevision>0</universalRevision>
        <category>firewall</category>
        <executionOrder>1</executionOrder>
        <isEnabled>true</isEnabled>
        <isActionEnforced>false</isActionEnforced>
        <invalidSecondaryContainers>false</invalidSecondaryContainers>
        <applications>
          <application>
            <revision>0</revision>
            <name>DHCP-Client</name>
            <clientHandle></clientHandle>
            <isUniversal>false</isUniversal>
            <universalRevision>0</universalRevision>
            <inheritanceAllowed>true</inheritanceAllowed>
            <element>
              <applicationProtocol>UDP</applicationProtocol>
              <value>68</value>
            </element>
          </application>
          <application>
            <revision>0</revision>
            <name>DHCP-Server</name>
            <clientHandle></clientHandle>
            <isUniversal>false</isUniversal>
            <universalRevision>0</universalRevision>
            <inheritanceAllowed>true</inheritanceAllowed>
            <element>
              <applicationProtocol>UDP</applicationProtocol>
              <value>67</value>
            </element>
          </application>
        </applications>
        <invalidApplications>false</invalidApplications>
        <logged>false</logged>
        <action>allow</action>
        <direction>inbound</direction>
        <outsideSecondaryContainer>false</outsideSecondaryContainer>
      </action>

      <!-- Order 2: allow outbound DHCP, same two services as dhcp-in. -->
      <action class="firewallSecurityAction">
        <revision>0</revision>
        <name>dhcp-out</name>
        <clientHandle></clientHandle>
        <isUniversal>false</isUniversal>
        <universalRevision>0</universalRevision>
        <category>firewall</category>
        <executionOrder>2</executionOrder>
        <isEnabled>true</isEnabled>
        <isActionEnforced>false</isActionEnforced>
        <invalidSecondaryContainers>false</invalidSecondaryContainers>
        <applications>
          <application>
            <revision>0</revision>
            <name>DHCP-Client</name>
            <clientHandle></clientHandle>
            <isUniversal>false</isUniversal>
            <universalRevision>0</universalRevision>
            <inheritanceAllowed>true</inheritanceAllowed>
            <element>
              <applicationProtocol>UDP</applicationProtocol>
              <value>68</value>
            </element>
          </application>
          <application>
            <revision>0</revision>
            <name>DHCP-Server</name>
            <clientHandle></clientHandle>
            <isUniversal>false</isUniversal>
            <universalRevision>0</universalRevision>
            <inheritanceAllowed>true</inheritanceAllowed>
            <element>
              <applicationProtocol>UDP</applicationProtocol>
              <value>67</value>
            </element>
          </application>
        </applications>
        <invalidApplications>false</invalidApplications>
        <logged>false</logged>
        <action>allow</action>
        <direction>outbound</direction>
        <outsideSecondaryContainer>false</outsideSecondaryContainer>
      </action>

      <!--
        Order 3: allow ICMP with direction "intra", which the rule's own
        description reads as "only between VMs with the same security-policy".
        NOTE(review): besides echo-request and echo-reply the service list
        also carries ICMP redirect, which a ping test does not need. Confirm
        whether it is intentional; if not, dropping it narrows the rule.
      -->
      <action class="firewallSecurityAction">
        <revision>0</revision>
        <name>group-ping-ok</name>
        <description>icmp only allowed from VM with same security-policy</description>
        <clientHandle></clientHandle>
        <isUniversal>false</isUniversal>
        <universalRevision>0</universalRevision>
        <category>firewall</category>
        <executionOrder>3</executionOrder>
        <isEnabled>true</isEnabled>
        <isActionEnforced>false</isActionEnforced>
        <invalidSecondaryContainers>false</invalidSecondaryContainers>
        <applications>
          <application>
            <revision>0</revision>
            <name>ICMP Echo</name>
            <clientHandle></clientHandle>
            <isUniversal>false</isUniversal>
            <universalRevision>0</universalRevision>
            <inheritanceAllowed>true</inheritanceAllowed>
            <element>
              <applicationProtocol>ICMP</applicationProtocol>
              <value>echo-request</value>
            </element>
          </application>
          <application>
            <revision>0</revision>
            <name>ICMP Redirect</name>
            <clientHandle></clientHandle>
            <isUniversal>false</isUniversal>
            <universalRevision>0</universalRevision>
            <inheritanceAllowed>true</inheritanceAllowed>
            <element>
              <applicationProtocol>ICMP</applicationProtocol>
              <value>redirect</value>
            </element>
          </application>
          <application>
            <revision>0</revision>
            <name>ICMP Echo Reply</name>
            <clientHandle></clientHandle>
            <isUniversal>false</isUniversal>
            <universalRevision>0</universalRevision>
            <inheritanceAllowed>true</inheritanceAllowed>
            <element>
              <applicationProtocol>ICMP</applicationProtocol>
              <value>echo-reply</value>
            </element>
          </application>
        </applications>
        <invalidApplications>false</invalidApplications>
        <logged>false</logged>
        <action>allow</action>
        <direction>intra</direction>
        <outsideSecondaryContainer>false</outsideSecondaryContainer>
      </action>

      <!--
        Order 4: allow inbound SSH (TCP 22). No source restriction is
        expressed in this rule, matching the "ssh from anywhere" wording of
        the policy description.
      -->
      <action class="firewallSecurityAction">
        <revision>0</revision>
        <name>ssh-in-ok</name>
        <clientHandle></clientHandle>
        <isUniversal>false</isUniversal>
        <universalRevision>0</universalRevision>
        <category>firewall</category>
        <executionOrder>4</executionOrder>
        <isEnabled>true</isEnabled>
        <isActionEnforced>false</isActionEnforced>
        <invalidSecondaryContainers>false</invalidSecondaryContainers>
        <applications>
          <application>
            <revision>0</revision>
            <name>SSH</name>
            <clientHandle></clientHandle>
            <isUniversal>false</isUniversal>
            <universalRevision>0</universalRevision>
            <inheritanceAllowed>true</inheritanceAllowed>
            <element>
              <applicationProtocol>TCP</applicationProtocol>
              <value>22</value>
            </element>
          </application>
        </applications>
        <invalidApplications>false</invalidApplications>
        <logged>false</logged>
        <action>allow</action>
        <direction>inbound</direction>
        <outsideSecondaryContainer>false</outsideSecondaryContainer>
      </action>

      <!-- Order 5: allow outbound SSH (TCP 22). -->
      <action class="firewallSecurityAction">
        <revision>0</revision>
        <name>ssh-out-ok</name>
        <clientHandle></clientHandle>
        <isUniversal>false</isUniversal>
        <universalRevision>0</universalRevision>
        <category>firewall</category>
        <executionOrder>5</executionOrder>
        <isEnabled>true</isEnabled>
        <isActionEnforced>false</isActionEnforced>
        <invalidSecondaryContainers>false</invalidSecondaryContainers>
        <applications>
          <application>
            <revision>0</revision>
            <name>SSH</name>
            <clientHandle></clientHandle>
            <isUniversal>false</isUniversal>
            <universalRevision>0</universalRevision>
            <inheritanceAllowed>true</inheritanceAllowed>
            <element>
              <applicationProtocol>TCP</applicationProtocol>
              <value>22</value>
            </element>
          </application>
        </applications>
        <invalidApplications>false</invalidApplications>
        <logged>false</logged>
        <action>allow</action>
        <direction>outbound</direction>
        <outsideSecondaryContainer>false</outsideSecondaryContainer>
      </action>

      <!--
        Order 6: allow HTTP (TCP 80) and HTTPS (TCP 443) with direction
        "intra". NOTE(review): the policy description mentions only ssh and
        ping; this rule is an additional allowance that it does not cover.
      -->
      <action class="firewallSecurityAction">
        <revision>0</revision>
        <name>group-HTTP</name>
        <clientHandle></clientHandle>
        <isUniversal>false</isUniversal>
        <universalRevision>0</universalRevision>
        <category>firewall</category>
        <executionOrder>6</executionOrder>
        <isEnabled>true</isEnabled>
        <isActionEnforced>false</isActionEnforced>
        <invalidSecondaryContainers>false</invalidSecondaryContainers>
        <applications>
          <application>
            <revision>0</revision>
            <name>HTTP</name>
            <clientHandle></clientHandle>
            <isUniversal>false</isUniversal>
            <universalRevision>0</universalRevision>
            <inheritanceAllowed>true</inheritanceAllowed>
            <element>
              <applicationProtocol>TCP</applicationProtocol>
              <value>80</value>
            </element>
          </application>
          <application>
            <revision>0</revision>
            <name>HTTPS</name>
            <clientHandle></clientHandle>
            <isUniversal>false</isUniversal>
            <universalRevision>0</universalRevision>
            <inheritanceAllowed>true</inheritanceAllowed>
            <element>
              <applicationProtocol>TCP</applicationProtocol>
              <value>443</value>
            </element>
          </application>
        </applications>
        <invalidApplications>false</invalidApplications>
        <logged>false</logged>
        <action>allow</action>
        <direction>intra</direction>
        <outsideSecondaryContainer>false</outsideSecondaryContainer>
      </action>

      <!--
        Order 7: final reject. It has no applications element, so presumably
        it matches any service (confirm against NSX semantics).
        NOTE(review): the direction is inbound only, and this policy defines
        no matching outbound reject, so outbound traffic not matched above is
        left to whatever applies outside this policy. With logged=false,
        rejected flows are also not recorded, which makes a failing
        connectivity test harder to diagnose from firewall logs.
      -->
      <action class="firewallSecurityAction">
        <revision>0</revision>
        <name>sorry-nothing-allowed</name>
        <clientHandle></clientHandle>
        <isUniversal>false</isUniversal>
        <universalRevision>0</universalRevision>
        <category>firewall</category>
        <executionOrder>7</executionOrder>
        <isEnabled>true</isEnabled>
        <isActionEnforced>false</isActionEnforced>
        <invalidSecondaryContainers>false</invalidSecondaryContainers>
        <invalidApplications>false</invalidApplications>
        <logged>false</logged>
        <action>reject</action>
        <direction>inbound</direction>
        <outsideSecondaryContainer>false</outsideSecondaryContainer>
      </action>
    </actionsByCategory>
    <statusesByCategory>
      <category>firewall</category>
      <status>in_sync</status>
    </statusesByCategory>
  </securityPolicy>
</securityPolicyHierarchy>