System and method for context aware network filtering
US-2017295031-A1 · Oct 12, 2017 · US
US10320749B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-10320749-B2 |
| Application number | US-201615344591-A |
| Country | US |
| Kind code | B2 |
| Filing date | Nov 7, 2016 |
| Priority date | Nov 7, 2016 |
| Publication date | Jun 11, 2019 |
| Grant date | Jun 11, 2019 |
Official abstract text for this publication.
Example methods are provided for a network management entity to perform firewall rule creation in a virtualized computing environment. The method may comprise obtaining flow data associated with an application-layer protocol session between a first endpoint and a second endpoint in the virtualized computing environment; and identifying, from the flow data, an association between a control flow and at least one data flow of the application-layer protocol session. The method may also comprise: based on the association, creating a firewall rule that is applicable to both the control flow and at least one data flow; and instructing a first firewall engine associated with the first endpoint, or a second firewall engine associated with the second endpoint, or both, to apply the firewall rule during the application-layer protocol session.
Opening claim text (preview).
We claim:

1. A method for a network management entity to perform firewall rule creation in a virtualized computing environment that includes the network management entity, a first endpoint and a second endpoint, wherein the method comprises: obtaining flow data associated with an application-layer protocol session between the first endpoint and second endpoint; identifying, from the flow data, an association between a control flow and at least one data flow of the application-layer protocol session; based on the association, creating a firewall rule that is applicable to both the control flow and at least one data flow; and instructing a first firewall engine associated with the first endpoint, or a second firewall engine associated with the second endpoint, or both, to apply the firewall rule during the application-layer protocol session, wherein the first firewall engine, or the second firewall engine, or both processes packets in response to the instructing to apply the firewall rule.

2. The method of claim 1, wherein creating the firewall rule comprises: creating the firewall rule based on the control flow, while ignoring the at least one data flow during firewall rule creation.

3. The method of claim 2, wherein creating the firewall rule comprises: creating the firewall rule to allow communication via a control port number associated with the control flow, wherein at least one ephemeral data port number is dynamically negotiated for the respective at least one data flow through the control flow.

4. The method of claim 3, wherein creating the firewall rule comprises: creating the firewall rule to specify an application-layer protocol for which application-layer gateway (ALG) processing is supported by the first firewall engine, the second firewall engine, or both, wherein the ALG processing is to allow communication via the at least one ephemeral data port number based on the firewall rule.

5. The method of claim 1, wherein identifying the association comprises: traversing a tree structure in the flow data to identify the association based on a parent node and at least one child node linked to the parent node, wherein the parent node represents the control flow and the at least one child node represents respective at least one data flow.

6. The method of claim 1, wherein obtaining the flow data comprises: obtaining the tree structure from the first firewall engine, the second firewall engine, or both.

7. The method of claim 1, wherein obtaining the flow data comprises: obtaining the flow data associated with the application-layer protocol session that utilizes one of the following application-layer protocols: File Transfer Protocol (FTP), Remote Procedure Call (RPC), Common Internet File System (CIFS), Transparent Network Substrate (TNS) and Trivial File Transfer Protocol (TFTP).

8. A non-transitory computer-readable storage medium that includes a set of instructions which, in response to execution by a processor of a network management entity, cause the processor to perform a method of firewall rule creation in a virtualized computing environment that includes the network management entity, a first endpoint and a second endpoint, wherein the method comprises: obtaining flow data associated with an application-layer protocol session between the first endpoint and second endpoint; identifying, from the flow data, an association between a control flow and at least one data flow of the application-layer protocol session; based on the association, creating a firewall rule that is applicable to both the control flow and at least one data flow; and instructing a first firewall engine associated with the first endpoint, or a second firewall engine associated with the second endpoint, or both, to apply the firewall rule during the application-layer protocol session, wherein the first firewall engine, or the second firewall engine, or both processes packets in response to the instructing to apply the firewall rule.

9. The non-transitory computer-readable storage medium of claim 8, wherein creating the firewall rule comprises: creating the firewall rule based on the control flow, while ignoring the at least one data flow during firewall rule creation.

10. The non-transitory computer-readable storage medium of claim 9, wherein creating the firewall rule comprises: creating the firewall rule to allow communication via a control port number associated with the control flow, wherein at least one ephemeral data port number is dynamically negotiated for the respective at least one data flow through the control flow.

11. The non-transitory computer-readable storage medium of claim 10, wherein creating the firewall rule comprises: creating the firewall rule to specify an application-layer protocol for which application-layer gateway (ALG) processing is supported by the first firewall engine, the second firewall engine, or both, wherein the ALG processing is to allow communication via the at least one ephemeral data port number based on the firewall rule.

12. The non-transitory computer-readable storage medium of claim 8, wherein identifying the association comprises: traversing a tree structure in the flow data to identify the association based on a parent node and at least one child node linked to the parent node, wherein the parent node represents the control flow and the at least one child node represents respective at least one data flow.

13. The non-transitory computer-readable storage medium of claim 8, wherein obtaining the flow data comprises: obtaining the tree structure from the first firewall engine, the second firewall engine, or both.

14. The non-transitory computer-readable storage medium of claim 8, wherein obtaining the flow data comprises: obtaining the flow data associated with the application-layer protocol session that utilizes one of the following application-layer protocols: File Transfer Protocol (FTP), Remote Procedure Call (RPC), Common Internet File System (CIFS), Transparent Network Substrate (TNS) and Trivial File Transfer Protocol (TFTP).

15. A computer system configured to perform firewall rule creation in a virtualized computing environment, the computer system comprising: a processor; and a non-transitory computer-readable medium having stored thereon instructions that, when executed by the processor, cause the processor to: obtain flow data associated with an application-layer protocol session between a first endpoint and a second endpoint in the virtualized computing environment; identify, from the flow data, an association between a control flow and at least one data flow of the application-layer protocol session; based on the association, create a firewall rule that is applicable to both the control flow and at least one data flow; and instruct a first firewall engine associated with the first endpoint, or a second firewall engine associated with the second endpoint, or both, to apply the firewall rule during the application-layer protocol session, wherein the first firewall engine, or the second firewall engine, or both processes packets in response to the processor instructing to apply the firewall rule.

16. The computer system of claim 15, wherein instructions for creating the firewall rule cause the processor to: create the firewall rule based on the control flow, while ignoring the at least one data flow during firewall rule creation.

17. The computer system of claim 16, wherein instructions for creating the firewall rule cause the processor to: create the firewall rule to allow communication via
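The claims above describe two cooperating pieces: a management entity that walks a flow-data tree (control flow as parent node, negotiated data flows as children), emits one rule per control flow while ignoring the data flows, and tags the rule with the application-layer protocol for ALG processing; and a firewall engine that applies that rule and, through the ALG, admits only the data-port traffic that the control channel actually negotiated. The following Python is an added illustration of that division of labour, not the patent's or any vendor's code. Everything in it is constructed: the IP addresses, ports, the `FlowNode`/`FirewallRule`/`Packet` types, the assumption that the engine has ALG support for the protocols listed in claim 7, and the use of FTP passive-mode (`227`) replies as the negotiation the ALG inspects.

```python
# Added illustration of control-flow-based rule creation with ALG pinholes.
# Not the patent's code; all names, addresses and ports are constructed.
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Protocols named in claim 7; we ASSUME the engine has ALG support for each.
ALG_SUPPORTED = {"ftp", "rpc", "cifs", "tns", "tftp"}


@dataclass
class FlowNode:
    """Node of the flow-data tree a firewall engine reports (claims 5, 6).

    A parent node is a control flow; its children are the data flows whose
    ephemeral ports were negotiated over that control flow.
    """
    src_ip: str
    dst_ip: str
    dst_port: int
    proto: str                       # "tcp" or "udp"
    app: str                         # application-layer protocol label
    children: List["FlowNode"] = field(default_factory=list)


@dataclass(frozen=True)
class FirewallRule:
    src_ip: str
    dst_ip: str
    dst_port: int                    # the control port number, e.g. 21
    proto: str
    alg: Optional[str]               # protocol for ALG processing, or None
    action: str = "allow"


def create_rules(flow_tree: List[FlowNode]) -> List[FirewallRule]:
    """Management-entity side (claims 2-5): one rule per control flow.

    Only parent nodes are visited; child data flows never become rules
    because their ports are ephemeral. If the control protocol has ALG
    support, the rule names it so the engine can open the negotiated
    data ports at run time instead of needing a rule per data flow.
    """
    rules: List[FirewallRule] = []
    for control in flow_tree:
        alg = control.app if control.app in ALG_SUPPORTED else None
        rules.append(FirewallRule(control.src_ip, control.dst_ip,
                                  control.dst_port, control.proto, alg))
    return rules


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    payload: bytes = b""


# FTP passive reply "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"; data port = p1*256 + p2.
_PASV_RE = re.compile(rb"227 [^(]*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


class FirewallEngine:
    """Endpoint-side engine applying the rules with a minimal FTP ALG."""

    def __init__(self, rules: List[FirewallRule]) -> None:
        self.rules = rules
        # Pinholes opened by the ALG: (client_ip, server_ip, data_port, proto)
        self.pinholes: Dict[Tuple[str, str, int, str], FirewallRule] = {}

    def _match_control(self, pkt: Packet) -> Optional[FirewallRule]:
        for r in self.rules:
            if r.proto != pkt.proto:
                continue
            if (pkt.src_ip, pkt.dst_ip, pkt.dst_port) == (r.src_ip, r.dst_ip, r.dst_port):
                return r             # client -> server on the control port
            if (pkt.dst_ip, pkt.src_ip, pkt.src_port) == (r.src_ip, r.dst_ip, r.dst_port):
                return r             # server -> client reply from the control port
        return None

    def _ftp_alg(self, pkt: Packet, rule: FirewallRule) -> None:
        """Open a pinhole for a data port negotiated on the control channel."""
        m = _PASV_RE.search(pkt.payload)
        if m is None:
            return
        host = b".".join(m.group(i) for i in range(1, 5)).decode()
        if host != rule.dst_ip:
            return                   # only open pinholes toward the control peer itself
        port = int(m.group(5)) * 256 + int(m.group(6))
        self.pinholes[(rule.src_ip, host, port, "tcp")] = rule

    def process(self, pkt: Packet) -> str:
        rule = self._match_control(pkt)
        if rule is not None:
            if rule.alg == "ftp":
                self._ftp_alg(pkt, rule)
            return rule.action
        if (pkt.src_ip, pkt.dst_ip, pkt.dst_port, pkt.proto) in self.pinholes:
            return "allow"           # data flow tied to an allowed control flow
        return "drop"                # ephemeral-port traffic nobody negotiated


def demo() -> List[str]:
    """Constructed FTP session: control on 21, data port 50000 negotiated via PASV."""
    tree = [FlowNode("10.0.0.1", "10.0.0.2", 21, "tcp", "ftp", children=[
                FlowNode("10.0.0.1", "10.0.0.2", 50000, "tcp", "ftp"),
                FlowNode("10.0.0.1", "10.0.0.2", 50001, "tcp", "ftp")]),
            FlowNode("10.0.0.1", "10.0.0.3", 80, "tcp", "http")]
    engine = FirewallEngine(create_rules(tree))
    pkts = [
        Packet("10.0.0.1", 40000, "10.0.0.2", 21, "tcp", b"PASV\r\n"),
        Packet("10.0.0.2", 21, "10.0.0.1", 40000, "tcp",
               b"227 Entering Passive Mode (10,0,0,2,195,80).\r\n"),
        Packet("10.0.0.1", 40001, "10.0.0.2", 50000, "tcp"),   # negotiated data port
        Packet("10.0.0.1", 40002, "10.0.0.2", 50001, "tcp"),   # not negotiated this session
    ]
    return [engine.process(p) for p in pkts]
```

`create_rules` produces two rules for the constructed tree, one for the FTP control flow on port 21 (tagged `alg="ftp"`) and one for the HTTP flow (no ALG), and none for ports 50000 or 50001. When `demo()` runs, the engine allows the control exchange, opens a pinhole for port 50000 after seeing the server's `227` reply, admits the data connection to that port, and drops the connection to 50001 because the control channel never negotiated it. The check that the address in the `227` reply equals the control peer is the kind of guard a practitioner would want on any ALG: without it a single allowed control flow could be used to open data-port pinholes toward arbitrary hosts.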
Filtering by information in the payload · CPC title
Rule management · CPC title
Distributed architectures, e.g. distributed firewalls · CPC title