The Edge Firewall tab displays rules created on the centralized Firewall tab in a read-only mode. Any rules that you add here are not displayed on the centralized Firewall tab.

You can add multiple NSX Edge interfaces and/or IP address groups as the source and destination for firewall rules.

Figure 1. Firewall rule for traffic to flow from an NSX Edge interface to an HTTP server
Figure 2. Firewall rule for traffic to flow from all internal interfaces (subnets on portgroups connected to internal interfaces) of an NSX Edge to an HTTP server
Note: If you select internal as the source, the rule is automatically updated when you configure additional internal interfaces.
Figure 3. Firewall rule that allows SSH into a machine on the internal network

Procedure

  1. In the vSphere Web Client, navigate to Networking & Security > NSX Edges.
  2. Double-click an NSX Edge.
  3. Click the Manage tab and then click the Firewall tab.
  4. Do one of the following.
    To add a rule at a specific place in the firewall table:
    1. Select a rule.
    2. In the No. column, click Edit and select Add Above or Add Below.

    A new any/any allow rule is added above or below the selected rule, as chosen. If the system-defined default rule is the only rule in the firewall table, the new rule is added above it.

    To add a rule by copying a rule:
    1. Select the rule to copy.
    2. Click the Copy icon.
    3. Select the rule next to which the copy should be placed.
    4. In the No. column, click Edit and select Paste Above or Paste Below.
    To add a rule anywhere in the firewall table:
    1. Click the Add icon.

    A new any/any allow rule is added below the selected rule. If the system-defined default rule is the only rule in the firewall table, the new rule is added above it.

    The new rule is enabled by default. Because it is enabled and matches any source, destination, and service, narrow its source, destination, and service before you publish; publishing it as created allows all traffic that reaches it.
  5. Point to the Name cell of the new rule and click edit.
  6. Type a name for the new rule.
  7. Point to the Source cell of the new rule and click Edit or the IP icon.
    If you clicked the IP icon, type an IP address.
    1. Select an object from the drop-down and then make the appropriate selections.
      If you select vNIC Group and then select vse, the rule applies to traffic generated by the NSX Edge. If you select internal or external, the rule applies to traffic coming from any internal or uplink interface of the selected NSX Edge instance. The rule is automatically updated when you configure additional interfaces. Note that firewall rules on internal interfaces do not work for a Logical Router.

      If you select IP Sets, you can create a new IP address group. After you create the new group, it is automatically added to the source column. For information on creating an IP Set, see Create an IP Address Group.

    2. Click OK.
  8. Point to the Destination cell of the new rule and click Edit or the IP icon. If you clicked the IP icon, type an IP address.
    1. Select an object from the drop-down and then make the appropriate selections.
      If you select vNIC Group and then select vse, the rule applies to traffic generated by the NSX Edge. If you select internal or external, the rule applies to traffic going to any internal or uplink interface of the selected NSX Edge instance. The rule is automatically updated when you configure additional interfaces. Note that firewall rules on internal interfaces do not work for a Logical Router.

      If you select IP Sets, you can create a new IP address group. After you create the new group, it is automatically added to the Destination column. For information on creating an IP Set, see Create an IP Address Group.

    2. Click OK.
  9. Point to the Service cell of the new rule and click Edit or the protocol icon.
    • If you clicked Edit, select a service. To create a new service or service group, click New. After you create the new service, it is automatically added to the Service column. For more information on creating a new service, see Create a Service.
    • If you clicked the protocol icon, select a protocol. You can specify the source port by clicking the arrow next to Advanced options. VMware recommends that you avoid specifying the source port in release 5.1 and later; instead, create a service for the protocol-port combination.
    Note: NSX Edge only supports services defined with L3 protocols.
  10. Point to the Action cell of the new rule and click Edit. Make the appropriate selections as described below and click OK.
    Action:
      Allow: Allows traffic from or to the specified source and destination.
      Block: Blocks traffic from or to the specified source and destination. Unlike Reject, nothing is sent back to the source.
      Reject: Sends a reject message for unaccepted packets: a TCP RST for TCP packets, and an ICMP unreachable (administratively restricted) message for all other packets.
    Logging:
      Log: Logs all sessions matching this rule. Enabling logging can affect performance.
      Do not log: Does not log sessions.
    Comments: Type comments if required.
    Advanced options > Match on Translated: Applies the rule to the translated IP address and services of a NAT rule.
    Enable Rule Direction: Indicates whether the rule applies to incoming or outgoing traffic. VMware does not recommend specifying the direction for firewall rules.

  11. Click Publish Changes to push the new rule to the NSX Edge instance.
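As an added illustration (not part of the VMware documentation or of the NSX product code), the following Python models the way the procedure above behaves once the rule is published: an ordered table of user rules evaluated top to bottom with the system-defined default rule last, Add Above / Add Below placement, the internal, external and vse vNIC groups that pick up newly configured interfaces without a rule edit, IP Sets, and the Allow, Block and Reject outcomes. The interface layout, IP set, addresses and rules are constructed for the example and are hypothetical.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List

# Constructed example topology (hypothetical, not taken from the page).
INTERFACES = {  # vNIC name -> (vNIC group, attached subnet)
    "vnic0": ("external", ip_network("203.0.113.0/24")),
    "vnic1": ("internal", ip_network("10.10.1.0/24")),
    "vnic2": ("internal", ip_network("10.10.2.0/24")),
}
IP_SETS = {"web-servers": [ip_network("10.10.2.10/32"), ip_network("10.10.2.11/32")]}


def add_interface(name, group, cidr):
    """Configure a new Edge interface; rules that use the internal/external
    groups match it with no rule edit, as the Note under Figure 2 says."""
    INTERFACES[name] = (group, ip_network(cidr))


def iface_for(addr):
    """Interface whose subnet holds addr; anything else is reached via the uplink."""
    for name, (_, subnet) in INTERFACES.items():
        if addr in subnet:
            return name
    return next(n for n, (grp, _) in INTERFACES.items() if grp == "external")


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                     # "tcp", "udp", "icmp", ...
    dport: int = 0
    edge_generated: bool = False   # traffic the Edge itself originates (vNIC group "vse")


@dataclass
class Rule:
    name: str
    source: List[str]       # "any", "internal", "external", "vse", "ipset:<name>" or a CIDR/IP
    destination: List[str]
    service: List[str]      # "any", "tcp/80", "udp/53", or a bare protocol such as "icmp"
    action: str             # "allow", "block" or "reject"
    enabled: bool = True


def _endpoint_matches(selectors, addr, iface):
    for sel in selectors:
        if sel == "any":
            return True
        if sel in ("internal", "external"):
            if iface in INTERFACES and INTERFACES[iface][0] == sel:
                return True
        elif sel == "vse":
            if iface == "vse":
                return True
        elif sel.startswith("ipset:"):
            if any(addr in net for net in IP_SETS[sel[len("ipset:"):]]):
                return True
        elif addr in ip_network(sel, strict=False):
            return True
    return False


def _service_matches(services, pkt):
    for svc in services:
        if svc == "any":
            return True
        proto, _, port = svc.partition("/")
        if proto == pkt.proto and (port == "" or int(port) == pkt.dport):
            return True
    return False


def _verdict(action, pkt):
    if action == "allow":
        return "accept"
    if action == "block":
        return "drop"  # nothing is sent back to the source
    if action == "reject":  # TCP gets an RST, everything else an ICMP unreachable
        return "tcp-rst" if pkt.proto == "tcp" else "icmp-unreachable-admin-prohibited"
    raise ValueError(f"unknown action {action!r}")


class EdgeFirewall:
    def __init__(self, default_action="block"):
        self.rules: List[Rule] = []   # user rules, top to bottom
        self.default = Rule("default rule", ["any"], ["any"], ["any"], default_action)

    def add(self, rule, above=None, below=None):
        """Add Above / Add Below from the No. column; a plain Add lands just above the default rule."""
        names = [r.name for r in self.rules]
        if above is not None:
            self.rules.insert(names.index(above), rule)
        elif below is not None:
            self.rules.insert(names.index(below) + 1, rule)
        else:
            self.rules.append(rule)

    def order(self):
        return [r.name for r in self.rules] + [self.default.name]

    def evaluate(self, pkt):
        """The first enabled rule, top to bottom, that matches decides; the default rule is last."""
        src, dst = ip_address(pkt.src), ip_address(pkt.dst)
        in_iface = "vse" if pkt.edge_generated else iface_for(src)
        out_iface = iface_for(dst)
        for rule in self.rules + [self.default]:
            if (rule.enabled and _endpoint_matches(rule.source, src, in_iface)
                    and _endpoint_matches(rule.destination, dst, out_iface)
                    and _service_matches(rule.service, pkt)):
                return rule.name, _verdict(rule.action, pkt)
        raise AssertionError("unreachable: the default rule matches everything")


def build_example_table():
    """Rules in the spirit of Figures 2 and 3, plus a reject rule placed above the HTTP rule."""
    fw = EdgeFirewall()
    fw.add(Rule("internal-to-http", ["internal"], ["ipset:web-servers"], ["tcp/80"], "allow"))
    fw.add(Rule("ssh-to-internal-host", ["any"], ["10.10.2.20"], ["tcp/22"], "allow"))
    fw.add(Rule("reject-telnet", ["internal"], ["any"], ["tcp/23", "udp/23"], "reject"),
           above="internal-to-http")
    return fw
```

Two things the model makes visible that the GUI does not: a rule placed with Add Above shadows everything beneath it for the traffic it matches, so the position chosen in step 4 decides the outcome before the action in step 10 is ever consulted; and a rule with source internal starts matching a subnet the moment a new internal interface is configured, which is convenient for allow rules but worth re-checking for any rule that was meant to cover only the interfaces present when it was written.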

What to do next

  • Disable a rule by clicking Disable next to the rule number in the No. column.
  • Hide generated rules or pre rules (rules added on the centralized Firewall tab) by clicking Hide Generated rules or Hide Pre rules.
  • Display additional columns in the rule table by clicking Select Columns and selecting the appropriate columns:
    Rule Tag: Unique system-generated ID for each rule.
    Log: Whether traffic for this rule is being logged.
    Stats: Clicking Stats shows the traffic affected by this rule (number of sessions, packets, and bytes).
    Comments: Comments for the rule.
  • Search for rules by typing text in the Search field.