Distributed Firewall rules and Edge Firewall rules can be managed in a centralized manner on the Firewall tab. In a multi-tenant environment, providers can define high-level traffic flow rules on the centralized Firewall user interface.
Each traffic session is checked against the top rule in the Firewall table before moving down the subsequent rules in the table. The first rule in the table that matches the traffic parameters is enforced. Rules are displayed in the following order:
- Rules defined in the Firewall user interface by users have the highest priority, and are enforced in top-to-bottom ordering with a per-virtual NIC level precedence.
- Auto-plumbed rules (rules that enable control traffic to flow for Edge services).
- Rules defined in the NSX Edge interface by users.
- Service Composer rules - a separate section for each policy. You cannot edit these rules in the Firewall table, but you can add rules at the top of a security policy firewall rules section. If you do so, you must re-synchronize the rules in Service Composer. For more information, see Service Composer.
- Default Distributed Firewall rules
Note that firewall rules are enforced only on clusters on which you have enabled firewall. For information on preparing clusters, see the NSX Installation Guide.