US 11,736,443 B2
Enforcing a segmentation policy in co-existence with a system firewall
Daniel Richard Cook, San Jose, CA (US); Anish Vinodkumar Desai, Palo Alto, CA (US); and Thomas Michael McCormick, San Jose, CA (US)
Assigned to Illumio, Inc., Sunnyvale, CA (US)
Filed by Illumio, Inc., Sunnyvale, CA (US)
Filed on Apr. 26, 2022, as Appl. No. 17/730,062.
Application 17/730,062 is a division of application No. 16/224,746, filed on Dec. 18, 2018, granted, now 11,336,620.
Prior Publication US 2022/0255899 A1, Aug. 11, 2022
Int. Cl. H04L 9/40 (2022.01); G06F 9/38 (2018.01); H04L 41/0803 (2022.01); H04L 43/04 (2022.01); G06F 9/448 (2018.01); H04L 41/0894 (2022.01); H04L 41/0895 (2022.01)
CPC H04L 63/0263 (2013.01) [G06F 9/3826 (2013.01); G06F 9/4486 (2018.02); H04L 41/0803 (2013.01); H04L 41/0894 (2022.05); H04L 43/04 (2013.01); H04L 63/0227 (2013.01); H04L 63/0236 (2013.01); H04L 63/0254 (2013.01); H04L 63/20 (2013.01); H04L 41/0895 (2022.05)] 20 Claims
1. A method for generating firewall rules of a segmentation firewall that enforces a segmentation policy and that co-exists with a system firewall, the method comprising:
receiving, by a host from a segmentation server, management instructions specifying permitted communications with a workload executing on the host in accordance with the segmentation policy;
generating, based on the management instructions, a configuration of a segmentation firewall for enforcing the management instructions, the configuration comprising a sequence of firewall rules, wherein a segmentation firewall rule of the sequence of firewall rules, when executed, determines if an input packet meets criteria associated with the segmentation policy permitting the input packet, and responsive to determining that the input packet meets the criteria, executes a command to exit the sequence of firewall rules without dropping or accepting the input packet, to enable the system firewall to determine whether to drop or accept the input packet, and wherein the sequence of firewall rules includes a default firewall rule to drop the input packet responsive to the input packet failing to meet criteria associated with prior rules in the sequence of firewall rules; and
configuring a segmentation firewall of the host in accordance with the configuration to cause the segmentation firewall to enforce the segmentation policy.
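The rule structure in claim 1 maps naturally onto a Linux netfilter chain: a "permitted" rule jumps to RETURN (leaving the chain without a verdict, so the host's own firewall rules and chain policy still apply), and the chain ends with an unconditional DROP. The following is an added example written for this page, not code from the patent or from Illumio; the iptables rendering, the chain name SEGMENTATION, the packet and rule fields, and the sample addresses and ports are all assumptions chosen for illustration. It models both chains and shows a packet that the segmentation policy permits but the system firewall still drops, which is the co-existence property the claim is after.

```python
"""Model of a segmentation chain that co-exists with a system firewall.

Added example; assumes an iptables-style chain with RETURN / DROP / ACCEPT
targets.  Nothing here touches the kernel; to_iptables() only renders the
equivalent commands as strings.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str          # source IP of the inbound packet (constructed sample data)
    dst_port: int     # destination port on the workload
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    src_cidr: str               # "0.0.0.0/0" matches any source
    dst_port: Optional[int]     # None matches any port
    proto: Optional[str]        # None matches any protocol
    target: str                 # "RETURN", "DROP" or "ACCEPT"

    def matches(self, pkt: Packet) -> bool:
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.dst_port is not None and pkt.dst_port != self.dst_port:
            return False
        return ip_address(pkt.src) in ip_network(self.src_cidr)


def build_segmentation_chain(instructions: List[Tuple[str, int, str]]) -> List[Rule]:
    """Turn management instructions (permitted src_cidr, port, proto tuples)
    into the claimed rule sequence: one RETURN rule per permitted flow,
    then a default DROP for everything the prior rules did not match."""
    rules = [Rule(src, port, proto, "RETURN") for src, port, proto in instructions]
    rules.append(Rule("0.0.0.0/0", None, None, "DROP"))
    return rules


def run_chain(rules: List[Rule], pkt: Packet) -> Optional[str]:
    """First-match semantics; None means the chain fell through with no verdict."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.target
    return None


def verdict(seg_rules: List[Rule], sys_rules: List[Rule], pkt: Packet,
            sys_policy: str = "ACCEPT") -> str:
    """Emulate INPUT: the segmentation chain is consulted first.  A DROP or
    ACCEPT there is final; RETURN hands the packet back to the system
    firewall's rules, and then to its chain policy if nothing matched."""
    seg = run_chain(seg_rules, pkt)
    if seg in ("DROP", "ACCEPT"):
        return seg
    sys_verdict = run_chain(sys_rules, pkt)
    return sys_verdict if sys_verdict in ("DROP", "ACCEPT") else sys_policy


def to_iptables(chain: str, rules: List[Rule]) -> List[str]:
    """Render the modelled chain as iptables commands (illustrative only).
    The jump is inserted at position 1 so it runs before the system rules."""
    cmds = [f"iptables -N {chain}", f"iptables -I INPUT 1 -j {chain}"]
    for rule in rules:
        parts = [f"iptables -A {chain}", f"-s {rule.src_cidr}"]
        if rule.proto is not None:
            parts.append(f"-p {rule.proto}")
        if rule.dst_port is not None:
            parts.append(f"--dport {rule.dst_port}")
        parts.append(f"-j {rule.target}")
        cmds.append(" ".join(parts))
    return cmds


# Constructed sample policy: web from 10/8, SSH from one management subnet.
SEG_RULES = build_segmentation_chain([("10.0.0.0/8", 443, "tcp"),
                                      ("192.168.1.0/24", 22, "tcp")])
# Constructed sample system firewall: the host admin blocks one /24 on 443.
SYS_RULES = [Rule("10.1.2.0/24", 443, "tcp", "DROP")]

if __name__ == "__main__":
    for pkt in (Packet("10.0.5.5", 443), Packet("10.1.2.9", 443),
                Packet("172.16.0.1", 443), Packet("192.168.1.7", 80)):
        print(pkt, "->", verdict(SEG_RULES, SYS_RULES, pkt))
    print("\n".join(to_iptables("SEGMENTATION", SEG_RULES)))
```

Two things to check on a real host: the jump into the segmentation chain must sit before the system firewall's own rules (hence `-I INPUT 1`), and the system chain's default policy still decides any packet that RETURNs and matches nothing, so a permissive INPUT policy is what makes the segmentation chain's RETURN behave like an accept.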