You add firewall rules at the NSX Manager scope. Using the Applied To field, you can then narrow down the scope at which you want to apply the rule. You can add multiple objects at the source and destination levels for each rule, which helps reduce the total number of firewall rules to be added.

Prerequisites

If you are adding a rule based on a VMware vCenter object, ensure that VMware Tools is installed on the virtual machines. See NSX Installation Guide.

VMs that are migrated from 6.1.5 to 6.2.3 do not have support for TFTP ALG. To enable TFTP ALG support after migrating, add and remove the VM from the exclusion list or restart the VM. A new 6.2.3 filter is created, with support for TFTP ALG.

Note: Identity Based Firewall Rule Prerequisites:
  • One or more domains have been registered with NSX Manager. NSX Manager gets group and user information as well as the relationship between them from each domain that it is registered with. See Register a Windows Domain with NSX Manager.
  • A security group based on Active Directory objects has been created which can be used as the source or destination of the rule. See Create a Security Group.
  • Active Directory Server must be integrated with NSX Manager.
  • Hosts must have DFW enabled and be upgraded to NSX 6.4.0.
  • Guest machines must run updated VMware Tools.
  • The version of the GI SVM must be 6.4 or later.
  • The rule must be created in a new section of Firewall Rules.
  • The rule must have Enable User Identity at Source selected.
  • The Applied to field is not supported for rules for remote desktop access.
  • ICMP is not supported for IDFW for RDSH.
Note: Universal Firewall Rule Prerequisties:

In a cross-vCenter NSX environment, universal rules refer to the distributed firewall rules defined on the primary NSX Manager in the universal rules section. These rules are replicated on all secondary NSX Managers in your environment, which enables you to maintain a consistent firewall policy across vCenter boundaries. The primary NSX Manager can contain multiple universal sections for universal L2 rules and multiple universal sections for universal L3 rules. Universal sections are on top of all local and service composer sections. Universal sections and universal rules can be viewed but not edited on the secondary NSX Managers. The placement of the universal section with respect to the local section does not interfere with rule precedence.

Edge firewall rules are not supported for vMotion between multiple vCenter Servers.

Table 1. Objects supported for universal firewall rules
Source and Destination Applied To Service
  • universal MAC set
  • universal IP set
  • universal security group, which can contain a universal security tag, an IP set, MAC set, or universal security group
  • universal security group, which can contain a universal security tag, IP set, MAC set, or universal security group
  • universal logical switch
  • Distributed Firewall - applies rules on all clusters on which Distributed Firewall is installed
  • pre-created universal services and service groups
  • user created universal services and services groups
Note that other vCenter objects are not supported for universal rules.

Make sure the state of NSX distributed firewall is not in backward compatibility mode. To check the current state, use the REST API call GET https://<nsxmgr-ip>/api/4.0/firewall/globalroot-0/state. If the current state is backward compatibility mode, you can change the state to forward by using the RES API call PUT https://<nsxmgr-ip>/api/4.0/firewall/globalroot-0/state. Do not try to publish a distributed firewall rule while the distributed firewall is in backward compatibility mode.

Procedure

  1. In the vSphere Web Client, navigate to Networking & Security > Security > Firewall.
  2. Ensure that you are in the Configuration > General tab to add an L3, L4, or L7 rule. Click the Ethernet tab to add an L2 rule.
    If creating a universal firewall rule, create the rule in a universal rule section.
  3. Point to the Name cell of the new rule and click edit.
  4. Type a name for the new rule.