To protect traffic to and from an edge gateway, you can create and manage firewall rules on that edge gateway.

For information about protecting traffic traveling between virtual machines in an organization virtual data center, see Managing the Distributed Firewall on a VMware Cloud Director Organization Virtual Data Center.

Rules created on the distributed firewall screen that have an advanced edge gateway specified in their Applied To column are not displayed in the Firewall screen for that advanced edge gateway.

The edge gateway firewall rules for an edge gateway are displayed in the Firewall screen and are enforced in the following order:

  1. Internal rules, also known as auto-plumbed rules. These internal rules enable control traffic to flow for edge gateway services.
  2. User-defined rules.
  3. Default rule.

The default rule settings apply to traffic that does not match any of the user-defined firewall rules. The default rule is displayed at the bottom of the rules on the Firewall screen.

In the tenant portal, use the Enable toggle on the Firewall Rules screen of the edge gateway to activate or deactivate an edge gateway firewall.

Add an NSX Data Center for vSphere Edge Gateway Firewall Rule in the VMware Cloud Director Service Provider Admin Portal

You use the edge gateway Firewall tab to add firewall rules for that edge gateway. You can add multiple edge interfaces and multiple IP address groups as the source and destination for these firewall rules.

Specifying internal for a source or a destination of a rule indicates traffic for all subnets on the port groups connected to the NSX edge gateway. If you select internal as the source, the rule is automatically updated when additional internal interfaces are configured on the NSX gateway.

Note: Edge gateway firewall rules on internal interfaces do not work when the edge gateway is configured for dynamic routing.

Procedure

  1. Open Edge Gateway Services.
    1. From the primary left navigation panel, select Resources, and from the page top navigation bar, select the Cloud Resources tab.
    2. From the secondary left panel, select Edge Gateways.
    3. Click the radio button next to the name of the target edge gateway, and click Services.
  2. If the Firewall Rules screen is not already visible, click the Firewall tab.
  3. To add a rule below an existing rule in the firewall rules table, click in the existing row and then click the Create button.
    A row for the new rule is added below the selected rule, and is assigned any destination, any service, and the Allow action by default. When the system-defined default rule is the only rule in the firewall table, the new rule is added above the default rule.
  4. Click in the Name cell and type in a name.
  5. Click in the Source cell and use the now visible icons to select a source to add to the rule:
    • Click the IP icon: Type the source value you want to use. Valid values are an IP address, CIDR, an IP range, or the keyword any. The edge gateway firewall supports both IPv4 and IPv6 formats.
    • Click the + icon: Use the + icon to specify the source as an object other than a specific IP address:
      • Use the Select objects window to add objects that match your selections and click Keep to add them to the rule.
      • To exclude a source from the rule, add it to this rule using the Select objects window and then select the toggle exclusion icon to exclude that source from this rule.

    When the toggle exclusion is selected on the source, the rule is applied to traffic coming from all sources except for the source you excluded. When the toggle exclusion is not selected, the rule applies to traffic coming from the source you specified in the Select objects window.

  6. Click in the Destination cell and perform one of the following options:
    • Click the IP icon: Type the destination value you want to use. Valid values are an IP address, CIDR, an IP range, or the keyword any. The edge gateway firewall supports both IPv4 and IPv6 formats.
    • Click the + icon: Use the + icon to specify the destination as an object other than a specific IP address:
      • Use the Select objects window to add objects that match your selections and click Keep to add them to the rule.
      • To exclude a destination from the rule, add it to this rule using the Select objects window and then select the toggle exclusion icon to exclude that destination from this rule.

    When the toggle exclusion is selected on the destination, the rule is applied to traffic going to all destinations except for the destination you excluded. When the toggle exclusion is not selected, the rule applies to traffic going to the destination you specified in the Select objects window.

  7. Click in the Service cell of the new rule and click the + icon to specify the service as a port-protocol combination:
    1. Select the service protocol.
    2. Type the port numbers for the source and destination ports, or specify any.
    3. Click Keep.
  8. In the Action cell of the new rule, configure the action for the rule.
    • Accept: Allows traffic from or to the specified sources, destinations, and services.
    • Deny: Blocks traffic from or to the specified sources, destinations, and services.
  9. Click Save changes.
    The save operation can take a minute to complete.
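The following is an added example, not part of the VMware documentation, that models how the rules you have just created are evaluated: first match wins in the order internal, user-defined, default; a deactivated rule is skipped; and the Source cell's toggle exclusion inverts the source test. The Source and Destination values accept the same forms the IP icon does (IP address, CIDR, range, or any, in IPv4 or IPv6). Rule names, addresses, and the packet dictionary are constructed for the demonstration.

```python
import ipaddress
from dataclasses import dataclass

def parse_addr(value):
    """Parse a Source/Destination cell value: IP, CIDR, 'a-b' range or 'any' (IPv4 or IPv6)."""
    v = value.strip()
    if v.lower() == "any":
        return [ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")]
    if "-" in v:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in v.split("-", 1))
        return list(ipaddress.summarize_address_range(lo, hi))
    return [ipaddress.ip_network(v, strict=False)]

def contains(nets, ip):
    ip = ipaddress.ip_address(ip)
    return any(ip in n for n in nets if n.version == ip.version)

@dataclass
class Rule:
    name: str
    action: str                   # "Accept" or "Deny"
    source: str = "any"
    destination: str = "any"
    protocol: str = "any"
    dst_port: str = "any"
    exclude_source: bool = False  # the "toggle exclusion" icon on the Source cell
    enabled: bool = True          # the green check mark in the No. cell

    def matches(self, pkt):
        src_hit = contains(parse_addr(self.source), pkt["src"])
        if src_hit == self.exclude_source:  # exclusion inverts the source test
            return False
        return (contains(parse_addr(self.destination), pkt["dst"])
                and self.protocol in ("any", pkt["proto"])
                and (self.dst_port == "any" or int(self.dst_port) == pkt["dport"]))

def evaluate(internal, user_defined, default_action, pkt):
    # First match wins, in the order the Firewall screen enforces: internal, user-defined, default.
    for rule in internal + user_defined:
        if rule.enabled and rule.matches(pkt):
            return rule.action, rule.name
    return default_action, "default rule"
# Constructed policy: one auto-plumbed rule, two user-defined rules, default rule action Deny.
INTERNAL = [Rule("edge-control", "Accept", source="10.0.0.1", destination="10.0.0.2", protocol="udp")]
USER = [
    Rule("allow-web", "Accept", destination="192.0.2.0/24", protocol="tcp", dst_port="443"),
    Rule("block-others", "Deny", source="172.16.0.10-172.16.0.20", exclude_source=True, destination="192.0.2.0/24"),
]
def decide(src, dst, proto="tcp", dport=0):
    return evaluate(INTERNAL, USER, "Deny", {"src": src, "dst": dst, "proto": proto, "dport": dport})
```

Note that a host inside the excluded range falls through block-others and reaches the default rule, so the default rule's action, the only setting of that rule you can change, decides its fate.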

Modify NSX Data Center for vSphere Edge Gateway Firewall Rules in the VMware Cloud Director Service Provider Admin Portal

You can edit and delete only the user-defined firewall rules that were added to an edge gateway. You cannot edit or delete an auto-generated rule or a default rule, except for changing the action setting of the default rule. You can change the priority order of user-defined rules.

For details about the available settings for the various cells of a rule, see Add an NSX Data Center for vSphere Edge Gateway Firewall Rule in the VMware Cloud Director Service Provider Admin Portal.

Procedure

  1. Open Edge Gateway Services.
    1. From the primary left navigation panel, select Resources, and from the page top navigation bar, select the Cloud Resources tab.
    2. From the secondary left panel, select Edge Gateways.
    3. Click the radio button next to the name of the target edge gateway, and click Services.
  2. Click the Firewall tab.
  3. Manage the firewall rules.
    • Deactivate a rule by clicking the green check mark in its No. cell. The green check mark turns to a red deactivated icon. If the rule is deactivated and you want to activate the rule, click the red deactivated icon.
    • Edit a rule name by double-clicking in its Name cell and typing the new name.
    • Modify the settings for a rule, such as the source or action settings, by selecting the appropriate cell and using the displayed controls.
    • Delete a rule by selecting it and clicking the Delete button located above the rules table.
    • Hide system-generated rules by using the Show only user-defined rules toggle.
    • Move a rule up or down in the rules table by selecting the rule and clicking the up and down arrow buttons located above the rules table.
  4. Click Save changes.

Apply Syslog Server Settings to an NSX Data Center for vSphere Edge Gateway in VMware Cloud Director

If you enabled logging for one or more edge gateway firewall rules, the edge gateway connects to the syslog server. If you created an edge gateway before the initial configuration of the syslog server, or if you changed the syslog server settings, you must synchronize the syslog server settings for this edge gateway.

Procedure

  1. From the primary left navigation panel, select Resources, and from the page top navigation bar, select Cloud Resources.
  2. From the secondary left panel, select Edge Gateways.
  3. Click the radio button next to the name of the target edge gateway, and click Sync syslog.
  4. To confirm, click OK.