Edge Firewall monitors the North-South traffic to provide perimeter security functionality including firewall, Network Address Translation (NAT), and site-to-site IPSec and SSL VPN functionality. This solution is available in the virtual machine form factor and can be deployed in a High Availability mode.

Firewall support on the Logical Router is limited: only rules on the management or uplink interfaces take effect; rules on internal interfaces do not.

Note: The Edge Services Gateway (ESG) is vulnerable to SYN flood attacks, in which an attacker fills the firewall state tracking table by flooding it with SYN packets. This DoS/DDoS attack disrupts service for genuine users. The NSX Edge can defend itself from SYN flood attacks by using the SYN cookie mechanism to detect bogus TCP connections and stop them without consuming firewall state tracking resources. While the SYN queue is not full, incoming connections pass normally; once the SYN queue is full, the SYN cookie mechanism takes effect.

However, for the servers behind the NSX Edge, the SYN flood protection feature is disabled by default. The NSX Edge uses SYNPROXY to provide SYN flood protection.

For detailed information about SYNPROXY behavior when SynFloodProtection is enabled on an NSX Edge, see the VMware knowledge base article at https://kb.vmware.com/s/article/54527.
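The SYN cookie fallback described in the note above, as an added example that is not NSX or VMware code: a bounded half-open queue is used while it has room, and once it is full the edge answers with a stateless, MAC-protected initial sequence number that it can verify later without holding any state. It goes slightly beyond the note by also encoding the client's MSS and a short validity window, as classic SYN cookies do; the secret, queue limit, MSS table and addresses are constructed values.

```python
import hashlib, hmac, secrets

# Constructed demo (not NSX code): a bounded half-open queue that falls back to
# stateless SYN cookies once it is full; secret and limit are hypothetical values.
SECRET = b"constructed-demo-secret"
SYN_QUEUE_LIMIT = 4
MSS_TABLE = [536, 1220, 1460, 4460]  # MSS classes the cookie's 3-bit field can encode

def _mac(src, sport, dst, dport, t, mss_idx):
    # 24-bit keyed MAC binding the cookie to the 4-tuple, time slot and MSS class
    msg = f"{src}:{sport}>{dst}:{dport}|{t}|{mss_idx}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")

def make_syn_cookie(src, sport, dst, dport, mss, t):
    # Stateless ISN layout: 5-bit time counter | 3-bit MSS index | 24-bit MAC
    mss_idx = max([i for i, m in enumerate(MSS_TABLE) if m <= mss] or [0])
    return ((t & 0x1F) << 27) | (mss_idx << 24) | _mac(src, sport, dst, dport, t & 0x1F, mss_idx)

def check_syn_cookie(src, sport, dst, dport, ack, t):
    # Return the MSS encoded in ack-1 if it is a cookie from this or the previous slot
    cookie = (ack - 1) & 0xFFFFFFFF
    t_enc, mss_idx = cookie >> 27, (cookie >> 24) & 0x7
    if ((t - t_enc) & 0x1F) > 1:  # stale (or forged future) cookie
        return None
    if (cookie & 0xFFFFFF) != _mac(src, sport, dst, dport, t_enc, mss_idx):
        return None
    return MSS_TABLE[mss_idx]

class Edge:
    def __init__(self):
        self.syn_queue = {}  # half-open connections: the state a SYN flood tries to exhaust

    def on_syn(self, src, sport, dst, dport, mss, t):
        # While the queue has room, keep state as usual; once full, answer with a cookie
        key = (src, sport, dst, dport)
        if len(self.syn_queue) < SYN_QUEUE_LIMIT:
            self.syn_queue[key] = secrets.randbits(32)
            return self.syn_queue[key], "queued"
        return make_syn_cookie(src, sport, dst, dport, mss, t), "cookie"

    def on_ack(self, src, sport, dst, dport, ack, t):
        # Accept the handshake from queued state or from a valid cookie; otherwise drop
        key = (src, sport, dst, dport)
        if key in self.syn_queue:
            if ack != (self.syn_queue[key] + 1) & 0xFFFFFFFF:
                return False
            del self.syn_queue[key]
            return True
        return check_syn_cookie(src, sport, dst, dport, ack, t) is not None
```

A flood of unanswered SYNs fills the queue, after which every new client is served from a cookie and the queue stays at its limit; an ACK from a different 4-tuple, a cookie presented after its window, or a number never issued is rejected without touching any state.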