You can use services in firewall rules. You can use pre-defined services, or create additional services.

You might need to create a service because your application is not already defined, or it is using a standard protocol, with a non-default port. For example:
  • HTTP on a non-default port - TCP:8080
  • FTP on a non-default port - FTP:8021
  • NoMachine Server port - UDP:4000
Note: SCTP protocol is not supported on Edge Firewall.


  1. In the vSphere Web Client, click Networking & Security > Groups and Tags.
  2. Navigate to Services:
    • In NSX 6.4.1 and later, ensure that you are in the Services tab.
    • In NSX 6.4.0, ensure that you are in the Grouping Objects > Service tab.
  3. If multiple IP addresses are available in the NSX Manager drop-down menu, select an IP address, or keep the default selection.
    • To manage universal services, the primary NSX Manager must be selected.
  4. Click Add or the Add (Add) icon.
  5. Enter a Name to identify the service.
  6. (Optional) Enter a Description for the service.
  7. Select a Layer.
    If you select Layer 7, you are prompted to select an App ID.
  8. Select a Protocol.
    For example, TCP, UDP, or FTP.

    Depending on the protocol selected, you might be prompted to enter further information, such as the destination port. Expand Advanced Options to enter a source port.

    Note: SCTP protocol is not supported on Edge Firewall.
  9. (Optional) Select Inheritance or Enable inheritance to allow visibility at underlying scopes.
    When inheritance is enabled, grouping objects created at the global scope are accessible from derived scopes, such as datacenter, Edge, and so on.
  10. (Optional) Select Universal Synchronization or Mark this object for Universal Synchronization to create a universal service.
  11. Click Add or OK.


The service appears in the Services table.