Forwarding elements in a network typically enforce permissive rules that specify how traffic in the network should flow (i.e., where packets are forwarded). Firewall rules, by contrast, define which traffic is permitted to flow through the network. Today, networks typically enforce firewall rules by using one or more hardware appliances and/or software firewall engines, such as service virtual machines (VMs) or firewall engines that are linked to software ports on host computers.
With the logical networking space increasing drastically in software-defined datacenters, the demand for traffic filtering via firewalls is increasing. While conventional firewalls provide a means to filter the traffic that passes through them, their location (e.g., perimeter versus port) and behavior (e.g., simple packet filtering, proxy server, stateful firewall, and deep packet inspection) cannot easily be changed dynamically in order to ensure that all traffic passes through them.
Moreover, existing firewall solutions lack adequate controls for identifying, in a granular fashion, the different sets of ports that are to be assigned the different sets of firewall rules. This problem becomes worse when different enforcement schemes are utilized, such as enforcement rules that restrict east-west traffic (e.g., L3 firewall rules that restrict routing within the datacenter) and north-south traffic (e.g., L3 firewall rules that restrict traffic coming into or going out of the datacenter). The problem is especially acute when third-party vendor solutions with different management interfaces are used to define these different enforcement schemes.
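The following is an added illustration, not part of the original text and not the system it describes: a small model of L3 firewall rules that are attached to named sets of logical ports and evaluated under separate east-west and north-south enforcement schemes. The datacenter prefix (10.0.0.0/8), the subnets, the port identifiers (vnic-web-1, vnic-db-1, ...) and the rules themselves are constructed for the example; the classification of a flow as east-west (both ends inside the datacenter) or north-south (exactly one end inside) is the distinction drawn in the paragraph above.

```python
"""Added example (not from the source text): port-scoped L3 firewall rules
with separate east-west and north-south enforcement schemes.
Every prefix, port identifier and rule below is constructed for illustration."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional

# Assumed datacenter address space. A flow with both endpoints inside it is
# east-west; a flow with exactly one endpoint inside it is north-south.
DATACENTER_PREFIXES = [ip_network("10.0.0.0/8")]
ANY = ip_network("0.0.0.0/0")


def classify(src: str, dst: str) -> str:
    """Return the enforcement scheme that applies to a src->dst flow."""
    def inside(ip: str) -> bool:
        return any(ip_address(ip) in net for net in DATACENTER_PREFIXES)
    s, d = inside(src), inside(dst)
    if s and d:
        return "east-west"
    if s or d:
        return "north-south"
    return "transit"  # neither end in the datacenter: not subject to either scheme


@dataclass(frozen=True)
class Rule:
    name: str
    scheme: str              # "east-west" or "north-south"
    action: str              # "allow" or "deny"
    src: IPv4Network
    dst: IPv4Network
    dst_port: Optional[int]  # None matches any destination port
    applied_to: frozenset    # logical port ids this rule is attached to

    def matches(self, port_id: str, src: str, dst: str, dport: int, scheme: str) -> bool:
        return (self.scheme == scheme
                and port_id in self.applied_to
                and ip_address(src) in self.src
                and ip_address(dst) in self.dst
                and (self.dst_port is None or self.dst_port == dport))


# Constructed port groups: rules are assigned to sets of logical ports,
# not to the network as a whole.
WEB_PORTS = frozenset({"vnic-web-1", "vnic-web-2"})
DB_PORTS = frozenset({"vnic-db-1"})
WEB_SUBNET = ip_network("10.1.0.0/24")
DB_SUBNET = ip_network("10.2.0.0/24")

RULES = [
    # North-south scheme: only web-tier ports accept outside traffic, on 443.
    Rule("ns-web-https", "north-south", "allow", ANY, WEB_SUBNET, 443, WEB_PORTS),
    # East-west scheme: web tier may reach the database on 5432, enforced at
    # both the sending (web) and receiving (db) ports; anything else aimed at
    # the database subnet is denied at the database ports.
    Rule("ew-web-to-db", "east-west", "allow", WEB_SUBNET, DB_SUBNET, 5432,
         WEB_PORTS | DB_PORTS),
    Rule("ew-db-default-deny", "east-west", "deny", ANY, DB_SUBNET, None, DB_PORTS),
]


def decide(port_id: str, src: str, dst: str, dport: int, rules=RULES):
    """Evaluate a packet seen at a logical port. The first rule attached to
    that port under the flow's scheme wins; no match means deny."""
    scheme = classify(src, dst)
    for rule in rules:
        if rule.matches(port_id, src, dst, dport, scheme):
            return rule.action, rule.name
    return "deny", "default"


if __name__ == "__main__":
    # Constructed sample packets: (port where seen, src, dst, dst port)
    samples = [
        ("vnic-web-1", "203.0.113.5", "10.1.0.10", 443),   # outside -> web, north-south
        ("vnic-db-1", "203.0.113.5", "10.2.0.10", 5432),   # outside -> db, north-south
        ("vnic-db-1", "10.1.0.10", "10.2.0.10", 5432),     # web -> db, east-west
        ("vnic-db-1", "10.1.0.10", "10.2.0.10", 22),       # web -> db ssh, east-west
    ]
    for pkt in samples:
        print(pkt, "->", decide(*pkt))
```

The same web-to-database flow is evaluated once at the sending port and once at the receiving port, and each port only consults the rules assigned to it; this is the per-port granularity that a single perimeter appliance cannot express.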