You can add firewall rules to a tier-0 or tier-1 logical router to control communication into the router.

Prerequisites

Familiarize yourself with the parameters of a firewall rule. See Add a Firewall Rule.

Procedure

  1. From your browser, log in with admin privileges to an NSX Manager at https://nsx-manager-ip-address.
  2. Select Networking > Routing from the navigation panel.
  3. Click the Routers tab if it is not already selected.
  4. Click the name of a logical router.
  5. Select Services > Edge Firewall.
  6. Click an existing section or rule.
  7. To add a rule, click Add Rule on the menu bar, or click the menu icon in the first column of a rule, and select Add Rule Above or Add Rule Below. Then specify the rule parameters.
    The Applied To field is not shown because this rule applies only to the logical router.
  8. To delete a rule, select the rule and click Delete on the menu bar, or click the menu icon in the first column and select Delete.

Results

Note: If you add a firewall rule to a tier-0 logical router and the NSX Edge cluster backing the router is running in active-active mode, the firewall can only run in stateless mode. If you configure the firewall rule with stateful services such as HTTP, SSL, TCP, and so on, the firewall rule will not work as expected. To avoid this issue, configure the NSX Edge cluster to run in active-standby mode.