Add a Firewall Rule Service

For firewall rules you can create a new service group or use a predefined service group.

Procedure

Select a pre-defined Service or Service Group to use in the firewall rule.

Option	Description
NSX 6.4.1	Point to the Service cell of the new rule and click . Select the object type from the Object Type drop-down menu. You can create a new security group or IP set. Once you create the new object, it is added to the source or destination column by default. For information on creating a new security group or IP set, see Network and Security Objects Select one or more objects and click the arrow to move them to the Selected Objects column.
NSX 6.4.0	Point to the Service cell of the new rule and click . Select one or more objects and click . You can create a new service or service group. Once you create the new object, it is added to the Selected Objects column by default. Click OK.

Option

Description

NSX 6.4.1

Point to the Service cell of the new rule and click .
Select the object type from the Object Type drop-down menu. You can create a new security group or IP set. Once you create the new object, it is added to the source or destination column by default. For information on creating a new security group or IP set, see Network and Security Objects
Select one or more objects and click the arrow to move them to the Selected Objects column.

NSX 6.4.0

Point to the Service cell of the new rule and click .
Select one or more objects and click .
You can create a new service or service group. Once you create the new object, it is added to the Selected Objects column by default.
Click OK.

Select a Port/Protocol to use in the firewall rule or define a new one.

Option	Description
NSX 6.4.1	Point to the Service cell of the new rule and click . Select Raw Port-Protocol, and click Add. Select the Protocol from the list and click OK.
NSX 6.4.0	Point to the Service cell of the new rule and click . Select the service protocol. Distributed Firewall supports ALG (Application Level Gateway) for the following protocols: TFTP, FTP, ORACLE TNS, MS-RPC, and SUN-RPC. Edge supports ALG for FTP, TFTP, and SNMP_BASIC. Note: VMs that are migrated from 6.1.5 to 6.2.3 do not have support for TFTP ALG. To enable TFTP ALG support after migrating, add and remove the VM from the exclusion list or restart the VM. A new 6.2.3 filter is created, with support for TFTP ALG. Type the port number and click OK.

Option

Description

NSX 6.4.1

Point to the Service cell of the new rule and click .
Select Raw Port-Protocol, and click Add.
Select the Protocol from the list and click OK.

NSX 6.4.0

Point to the Service cell of the new rule and click .
Select the service protocol.
Distributed Firewall supports ALG (Application Level Gateway) for the following protocols: TFTP, FTP, ORACLE TNS, MS-RPC, and SUN-RPC.

Edge supports ALG for FTP, TFTP, and SNMP_BASIC.

Note: VMs that are migrated from 6.1.5 to 6.2.3 do not have support for TFTP ALG. To enable TFTP ALG support after migrating, add and remove the VM from the exclusion list or restart the VM. A new 6.2.3 filter is created, with support for TFTP ALG.
Type the port number and click OK.

In order to protect your network from ACK or SYN floods, you can set Service to TCP-all_ports or UDP-all_ports and set Action to Block for the default rule. For information on modifying the default rule, see Edit the Default Distributed Firewall Rule.