You can add user-defined edge firewall rules on the NSX Edge Service Gateways to accept, reject, or deny specific types of traffic. However, you cannot add user-defined firewall rules on a distributed logical router.
The Edge Firewall interface provides the following methods to add an edge firewall rule:
Add a rule either above or below an existing rule in the firewall table.
Add a rule by copying an existing rule.
Add a rule by clicking the Add icon.
Remember: If you have created distributed firewall rules and applied them to the edge, these firewall rules are displayed in read-only mode on the Edge Firewall user interface. However, the edge firewall rules that you create using the Edge Firewall user interface are not displayed on the Firewall interface that you used to create the distributed firewall rules (Networking & Security > Security > Firewall).
Procedure
Log in to the vSphere Web Client.
Click Networking & Security > NSX Edges.
Double-click an NSX Edge.
Click Manage > Firewall.
Use any of the following three methods to start the process of adding an edge firewall rule.
Method #1: Add a rule either above or below an existing rule in the firewall table.
NSX sets the source, destination, and service columns of the newly added rule as "any". If the system-generated default rule is the only rule in the firewall table, the new rule is added above the default rule. The new rule is enabled by default.
NSX 6.4.6 and later:
Select a rule.
Click the icon, and select Add Above or Add Below.
NSX 6.4.5 and earlier:
Select a rule.
In the No. column, click the icon, and then select Add Above or Add Below.
Method #2: Add a rule by copying an existing rule.
In NSX 6.4.5 and earlier, you can create a rule by copying one rule at a time. Starting in NSX 6.4.6, you can select multiple rules to copy simultaneously. The copied rules are enabled by default, and you can edit the rule properties, as necessary.
Note: When you copy and paste system-generated "internal" rules and "default" rule, the newly created rules are automatically assigned the rule type as "user".
NSX 6.4.6 and later:
Select the check box next to the rules that you want to copy.
Click More > Copy Selected Rule(s).
Select the rule where you want the copied rules to be pasted.
Click the icon, and select Paste Rule(s) Above or Paste Rule(s) Below.
NSX 6.4.5 and earlier:
Select a rule.
Click the Copy icon, or click the icon and then select Copy.
Select a rule where you want the copied rule to be pasted.
In the No. column, click the icon, and select Paste Above or Paste Below.
Method #3: Add a rule by clicking the Add icon.
A new row is added in the firewall table. NSX sets the source, destination, and service columns of the newly added rule as "any". If the system-generated default rule is the only rule in the firewall table, the new rule is added above the default rule. The new rule is enabled by default.
(Optional) Specify a rule name.
In NSX 6.4.6 and later, click in the Name column of the new rule, and enter a rule name.
In NSX 6.4.5 and earlier, point to the Name column of the new rule, and click the icon. Enter a rule name, and click OK.
(Optional) Specify the source of the firewall rule.
You can add IP addresses, vCenter objects, and grouping objects as the source. If no source is added, the source is set to "any". You can add multiple NSX Edge interfaces and IP address groups as the source for firewall rules.
You can choose to create a new IP set or a new security group. After the IP set or security group is created, it is automatically added in the Source column of the rule.
Select one or more objects to use as sources in the firewall rule.
NSX 6.4.6 and later, to select objects:
Point to the Source column of the rule, and click the icon.
In the Objects tab, select an object type from the Object Type drop-down menu.
Select the objects from the Available Objects list and move them to the Selected Objects list.
NSX 6.4.5 and earlier, to select objects:
Point to the Source column of the rule, and click the icon.
Select an object type from the Object Type drop-down menu.
Select the objects from the Available Objects list and move them to the Selected Objects list.
For example, in the following two situations, you can use the "vNIC Group" object type as the source:
Select all traffic generated by the NSX Edge: in this situation, select vNIC Group from the Object Type drop-down menu, and from the Available Objects list, select vse.
Select all traffic originating from any internal or uplink (external) interface of the selected NSX Edge: in this situation, select vNIC Group from the Object Type drop-down menu, and from the Available Objects list, select internal or external.
The rule is automatically updated when you configure additional interfaces on the edge.
Remember: Firewall rules defined on the internal interfaces do not work on a distributed logical router.
Enter one or more IP addresses to use as a source for the firewall rule.
You can enter multiple IP addresses by using a comma-separated list or enter an IP address range. Both IPv4 and IPv6 addresses are supported.
In NSX 6.4.6 and later, click the icon. Click the IP Addresses tab, and then click Add to enter the IP addresses.
In NSX 6.4.5 and earlier, click the icon and enter the IP addresses.
(Optional) Negate the sources defined in your firewall rule.
If the Negate Source option is turned on or selected, the rule is applied to traffic coming from all sources except for the sources defined in this rule.
If the Negate Source option is turned off or not selected, the rule is applied to traffic coming from the sources in this rule.
(Optional) Specify the destination of the firewall rule.
You can add IP addresses, vCenter objects, and grouping objects as the destination. If no destination is added, the destination is set to "any". You can add multiple NSX Edge interfaces and IP address groups as the destination for firewall rules.
The procedure to add objects and IP addresses in the rule destination remains the same as explained in the substeps for adding the rule source.
Tip: Starting in NSX 6.4.6, you can drag objects and IP addresses from the Source column to the Destination column and conversely. In addition, you can drag objects and IP addresses from one rule to another rule.
(Optional) Specify the service to use in the firewall rule.
Add one or more services or service groups in the firewall rule.
You can add either a predefined service or a service group in the rule, or create a new service or a service group to use in the rule.
NSX Edge supports services defined only with L3 protocols.
NSX 6.4.6 and later:
Point to the Service column of the new rule and click the icon.
In the Service/Service Groups tab, select either a service or a service group from the Object Type drop-down menu.
Select the objects from the Available Objects list and move them to the Selected Objects list.
NSX 6.4.5 and earlier:
Point to the Service column of the new rule and click the icon.
From the Object Type drop-down menu, select a service or a service group.
Select the objects from the Available Objects list and move them to the Selected Objects list.
Tip: In NSX 6.4.6 and later, you can drag service and service group objects from one user-defined rule to another user-defined rule.
Add one or more services in the firewall rule as a port-protocol combination.
Restriction: Stream Control Transmission Protocol (SCTP) protocol is not supported on an Edge Firewall.
NSX 6.4.6 and later:
Point to the Service column of the new rule and click the icon.
Click the Raw Port-Protocol tab, and then click Add.
Select a protocol.
In the Source Port column, enter the port numbers.
NSX 6.4.5 and earlier:
Point to the Service column of the new rule and click the icon.
Select a protocol.
Expand Advanced Options, and enter the source port numbers.
Specify the rule action.
In NSX 6.4.6 and later, select an action from the drop-down menu.
In NSX 6.4.5 and earlier, point to the Action column of the rule, and click the icon. Select an action and click OK.
The following table describes the rule actions.
Accept or Allow: Allows traffic from or to the specified sources, destinations, and services. By default, the action is set to accept traffic.
Deny or Block: Blocks traffic from or to the specified sources, destinations, and services.
Reject: Sends a reject message for unaccepted packets. RST packets are sent for TCP connections. ICMP messages with the administratively prohibited code are sent for UDP, ICMP, and other IP connections.
(Optional) Specify whether sessions that match this new firewall rule must be logged.
By default, logging is disabled for the rule. Enabling logging can affect performance.
In NSX 6.4.6 and later, click the toggle switch in the Log column to enable logging.
In NSX 6.4.5 and earlier, point to the Action column of the new rule, and click the icon. Select Log or Do not log.
(Optional) Specify the advanced settings of the firewall rule.
In NSX 6.4.6 and later, click the Advanced Settings icon.
In NSX 6.4.5 and earlier, point to the Action column of the new rule, and click the icon. Expand the Advanced options.
The following table describes the advanced options.
Direction: Select whether the rule must be applied on incoming traffic, outgoing traffic, or both. The default value is "In/Out", which means that the rule is applied symmetrically across both source and destination.
VMware does not recommend specifying the direction of firewall rules because an "in" or "out" direction can cause the rules to become asymmetric.
For example, consider that you have created a firewall rule to "allow" traffic from source A to destination B, and the rule direction is set to "out".
When A sends a packet to B, a state is created based on this rule on A because the direction of traffic is "out" on A.
When the packet is received on B, the actual traffic direction is "in". Because the rule direction is set to accepting only "outgoing traffic", the rule does not hit this packet on B.
This example shows that setting the "out" direction in the rule causes the rule to become asymmetric.
Match on: Use this option to specify when the firewall rule must be applied.
Select Original when you want the rule to be applied on the original IP address and services before network address translation is performed.
Select Translated when you want the rule to be applied on the translated IP address and services after network address translation is performed.
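The following is an added, constructed model of the matching semantics this page describes (first matching rule wins, empty source/destination/service means "any", Negate Source inverts the source match, Direction in/out/inout, and the system default rule last). It is not NSX code; the rule and packet values, and the assumption that an unmatched packet falls to a deny default, are constructed for the example. It reproduces the direction asymmetry described above: the same packet hits the "out" rule when evaluated as outgoing on A and misses it when evaluated as incoming on B.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Rule:
    name: str
    action: str                                       # accept | deny | reject
    source: list = field(default_factory=list)        # CIDRs; empty list = "any"
    destination: list = field(default_factory=list)   # CIDRs; empty list = "any"
    service: list = field(default_factory=list)       # (proto, port) pairs; empty = "any"
    negate_source: bool = False                       # Negate Source option
    direction: str = "inout"                          # in | out | inout (page default In/Out)
    enabled: bool = True


def _hits(addr, nets):
    """Empty object list means 'any'; otherwise the address must fall in one CIDR."""
    return not nets or any(ip_address(addr) in ip_network(n) for n in nets)


def match(rule, pkt):
    """pkt: dict with src, dst, proto, port and direction ('in'/'out' as seen where it is evaluated)."""
    if not rule.enabled:
        return False
    if rule.direction != "inout" and rule.direction != pkt["direction"]:
        return False
    src_hit = _hits(pkt["src"], rule.source)
    if rule.negate_source:          # "all sources except the ones defined in the rule"
        src_hit = not src_hit
    if not _hits(pkt["dst"], rule.destination):
        return False
    if rule.service and (pkt["proto"], pkt["port"]) not in rule.service:
        return False
    return src_hit


def evaluate(rules, pkt, default_action="deny"):
    """First matching rule wins; the system-generated default rule is modelled by default_action."""
    for rule in rules:
        if match(rule, pkt):
            return rule.name, rule.action
    return "default rule", default_action


# Constructed rules: A (10.1.1.10) -> B (10.2.2.20) on TCP/443, direction set to "out" (not recommended).
RULES = [Rule("allow-A-to-B-out", "accept", ["10.1.1.10/32"], ["10.2.2.20/32"], [("tcp", 443)], direction="out"),
         Rule("deny-not-from-lan", "deny", ["10.1.1.0/24"], negate_source=True)]


def direction_asymmetry_demo():
    pkt = {"src": "10.1.1.10", "dst": "10.2.2.20", "proto": "tcp", "port": 443}
    on_a = evaluate(RULES, dict(pkt, direction="out"))   # leaving A: rule hits
    on_b = evaluate(RULES, dict(pkt, direction="in"))    # arriving at B: rule misses, next rules decide
    return on_a, on_b
```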
Click Publish Changes to push the new rule to the NSX Edge.
Example: Sample Firewall Rules
What to do next
While working with edge firewall rules, you can perform several additional tasks in the firewall table. For example:
Filter the list of rules in the table by hiding the system-generated default and internal rules, or by hiding the predefined distributed firewall rules that were applied on the edge.
Search rules that match a specific string by using the Search text box. For instance, if you want to search all the rules that contain the string "133", type 133 in the Search text box.
View statistics of the published rules.
In NSX 6.4.6 and later, click the Statistics icon.
In NSX 6.4.5 and earlier, make sure that the Stats column is displayed in the firewall table. If the Stats column is not displayed, click the icon and select the Stats column. To view the rule statistics, click the icon.
Change the order of user-defined rules by clicking the Move Up or Move Down icons. In NSX 6.4.6 and later, you can drag user-defined rules to change the order. Point to the user-defined rule that you want to drag. A drag handle icon appears to the left of the rule. Click and drag this handle to move the rule to a valid location in the firewall table.
Important: You cannot change the order of system-generated internal rules and the default rule.
Disable a rule.
In NSX 6.4.6 and later, click the toggle switch to the left of the rule name.
In NSX 6.4.5 and earlier, click the icon in the No. column.
Undo and redo rule changes until the rule is published. This feature is available in NSX 6.4.6 and later. After the rule is published, the history of rule changes is lost, and you cannot undo or redo the changes.