Starting with VMware Cloud Director 10.5.1, you can configure firewall rules on your provider gateway that uses IP spaces.

Prerequisites

  • Verify that the provider gateway is using IP spaces.
  • Verify that the provider gateway is private, i.e. that it is dedicated to a single orgnization.
  • Verify that the NAT and Firewall Service Intentions of the provider gateway is set to Provider Gateways or to Provider and Edge Gateways.
  • Verify that your role includes the Provider Gateway Firewall: View and Provider Gateway Firewall: Manage rights.
  • Verify that the backing NSX tier-0 router is in active-standby mode. Otherwise, you won't be able to set the NAT and Firewall Service Intentions of the provider gateway to Provider Gateways or to Provider and Edge Gateways.

Procedure

  1. From the primary left navigation panel, select Networking and from the page top navigation bar, select Provider Gateways.
  2. Click the provider gateway.
  3. Under Services, click Firewall.
  4. To create a new firewall rule, click New.
  5. Configure the firewall rule.
    Name Enter a name for the rule.
    State To enable the rule upon creation, turn on the State toggle.
    Applications (Optional) Choose one of the options.
    • To apply the rule to specific applications, turn on the Applications toggle, select the one or more applications from the list, and click Save.
    • To select specific ports to which the rule applies, click Raw Port-Protocols, select a protocol type, and enter source and destination ports or port ranges, separated by commas. You can add up to 15 port-protocol rows per rule.
    Source
    1. Choose one of the following options.
      • To allow or deny traffic from any source address, toggle on Any Source.
      • To allow or deny traffic from specific firewall groups, , click Firewall Groups and select the firewall groups from the list.
      • To enter IP addresses, CIDR blocks, or IP ranges manually, click Firewall IP Addresses, then click Add and enter the individual IP addresses, CIDR blocks, or ranges.
    2. Click Keep.
    Destination
    1. Choose one of the following options.
      • To allow or deny traffic to any destination address, toggle on Any Destination.
      • To allow or deny traffic to specific firewall groups, click Firewall Groups and select the firewall groups from the list.
      • To enter IP addresses, CIDR blocks, or IP ranges manually, click Firewall IP Addresses, then click Add and enter the individual IP addresses, CIDR blocks, or ranges.
    2. Click Keep.
    Action Select an option.
    • To allow traffic from or to the specified sources, destinations, and services, select Allow.
    • To block traffic from or to the specified sources, destinations, and services, without notifying the blocked client select Drop.
    • To block traffic from or to the specified sources, destinations, and services, and to notify the blocked client that traffic was rejected, select Reject.
    IP Protocol Select whether to apply the rule to IPv4, IPv6 traffic, or both.
    Applied To (Optional) From the drop-down menu, select an IP space uplink to which to apply the rule.
    Logging

    To have the address translation performed by this rule logged, turn on the Logging toggle.

    After you create the rule, in the Logging ID text box, you can see the unique NSX firewall rule ID that the system generates upon the rule creation.

    Comment (Optional) Add a comment to the firewall rule.
  6. Click Save.
  7. To change the position of the firewall rule, select the rule, click Move to, and, from the drop-down menu, select a new position.
  8. To configure additional rules, repeat these steps.

Results

After a firewall rule is created, it appears in the Firewall Rules list. You can move up, move down, edit, or delete the rule as needed.