A firewall rule section is edited and saved independently and is used to apply separate firewall configuration to tenants.


  1. Select Security > Distributed Firewall from the navigation panel.
  2. Click the General tab for layer 3 (L3) rules or the Ethernet tab for layer 2 (L2) rules.
  3. Click an existing section or rule.
  4. Click the section icon on the menu bar and select Add Section Above or Add Section Below.
    Note: For any traffic attempting to pass through the firewall, the packet information is subjected to the rules in the order shown in the Rules table, beginning at the top and proceeding to the default rules at the bottom. In some cases, the order of precedence of two or more rules might be important in determining the disposition of a packet.
  5. Enter the section name.
  6. To make the firewall stateless, select Enable Stateless Firewall. This option is applicable for L3 only.
    Stateless firewalls watch network traffic, and restrict or block packets based on source and destination addresses or other static values. Stateful firewalls can watch traffic streams from end to end. Stateless firewalls are typically faster and perform better under heavier traffic loads. Stateful firewalls are better at identifying unauthorized and forged communications. Once the section is defined, you cannot toggle it between stateful and stateless.
  7. Select one or more objects to apply the section to.
    The types of object are logical ports, logical switches, and NSGroups. If you select an NSGroup, it must contain one or more logical switches or logical ports. If the NSGroup contains only IP sets or MAC sets, it will be ignored.
    Note: The Applied To setting in a section overrides any Applied To settings in the rules in that section.
  8. Click OK.
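
The notes in steps 4 and 7 interact: a rule is only evaluated where its effective Applied To places it, and the first matching rule from the top decides the packet. The following Python sketch is an added model of those semantics, not VMware code or an NSX API. All object names, addresses, and the port-to-switch map are constructed. It assumes that a rule with no Applied To at either level is enforced everywhere, and that a rule's own Applied To is used when the section has none.

```python
from collections import namedtuple

# Constructed inventory (hypothetical names): NSGroup members and port-to-switch map.
NSGROUPS = {"ip-only": [("ip_set", "10.0.0.0/24")]}   # holds no ports or switches
PORT_SWITCH = {"lp-web-1": "ls-web", "lp-db-1": "ls-db"}
ENFORCEABLE = {"logical_port", "logical_switch"}

Rule = namedtuple("Rule", "name src dst action applied_to", defaults=[()])
Section = namedtuple("Section", "name rules applied_to", defaults=[()])

def effective_scope(section, rule):
    """Return the ports/switches a rule is enforced on, or None for 'everywhere'."""
    chosen = section.applied_to or rule.applied_to   # section setting overrides the rule's
    if not chosen:
        return None   # assumption: nothing set at either level means no restriction
    scope = set()
    for kind, name in chosen:
        if kind == "nsgroup":   # only port/switch members count; IP/MAC sets are ignored
            scope |= {m for m in NSGROUPS[name] if m[0] in ENFORCEABLE}
        elif kind in ENFORCEABLE:
            scope.add((kind, name))
    return scope

def decide(sections, port, src, dst):
    """First match wins: sections top to bottom, rules top to bottom within each."""
    here = {("logical_port", port), ("logical_switch", PORT_SWITCH[port])}
    for section in sections:
        for rule in section.rules:
            scope = effective_scope(section, rule)
            if scope is not None and not (scope & here):
                continue   # rule is not enforced at this port
            if rule.src in ("any", src) and rule.dst in ("any", dst):
                return section.name, rule.name, rule.action
    return None

# Constructed table: a tenant section placed above the default section.
TABLE = [
    Section("tenant-a", applied_to=[("logical_switch", "ls-web"), ("nsgroup", "ip-only")],
            rules=[Rule("block-db", "any", "10.0.2.5", "DROP",
                        applied_to=[("logical_port", "lp-db-1")]),
                   Rule("allow-web", "any", "any", "ALLOW")]),
    Section("default", rules=[Rule("default-deny", "any", "any", "DROP")]),
]
```

In this table, block-db names lp-db-1 in its own Applied To, but the section setting replaces it, so the rule is enforced on ports of ls-web and never on lp-db-1.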

What to do next

Add firewall rules to the section.