Default firewall settings apply to traffic that does not match any of the user-defined firewall rules. The Distributed Firewall default rule is displayed on the centralized firewall user interface, and the default rule for each NSX Edge is displayed at the NSX Edge level.

The default Distributed Firewall rule allows all L3 and L2 traffic to pass through all prepared clusters in your infrastructure. The default rule is always at the bottom of the rules table and cannot be deleted or added to. However, you can change the Action element of the rule from Allow to Block or Reject, add comments for the rule, and indicate whether traffic for that rule should be logged.

In a cross-vCenter NSX environment the default rule is not a universal rule. Any changes to the default rule must be made on each NSX Manager.


  1. In the vSphere Web Client, navigate to Networking & Security > Security > Firewall.
  2. Expand the Default Section and make the required changes.
    You can only edit Action and Log, or add comments to the default rule.