You can create gateway firewall policies and rules to be applied to multiple locations or selected interfaces for particular locations, from the Global Manager.

Tier-0 or tier-1 gateways created from the Global Manager span all or a set of locations. You have a few options when applying gateway firewall rules created from the Global Manager: Gateway firewall rules can be applied to all the locations included in the gateway's span, or all interfaces of a particular location, or specific interfaces of one or more locations.

On the Local Manager rules are enforced in the following order:
  1. Any rules you create from the Global Manager, that get successfully realized on the Local Manager, are enforced first.
  2. Any rules that you create from the Local Manager are enforced next.
  3. The last rule enforced is the default gateway firewall rule. This is the allow-all or deny-all rule applicable to all locations and all workloads. You can edit the behavior for this default rule from the Global Manager.


  1. From your browser, log in with Enterprise Admin or Security Admin privileges to the Global Manager at https://<global-manager-ip-address>.
  2. Select Security > Gateway Firewall.
  3. Ensure that you are in the correct pre-defined category. Only Pre Rules, Local Gateway and Default categories are supported on Global Manager. To define policy under the Local Gateway category, click the category name from the All Shared Rules tab or directly click the Gateway Specific Rules tab.

    Select a tier-0 or tier-1 gateway from the drop-down menu next to Gateway. The span of the tier-0 or tier-1 gateway you selected becomes the default span of the Gateway Firewall policy and rule. You can reduce the span but not expand it.

  4. Click Add Policy.
  5. Enter a Name for the new policy section.
  6. (Optional) Click the gear icon to configure the following policy settings:
    Settings Description
    TCP Strict A TCP connection begins with a three-way handshake (SYN, SYN-ACK, ACK), and typically ends with a two-way exchange (FIN, ACK). In certain circumstances, the firewall may not see the three-way handshake for a particular flow (i.e. due to asymmetric traffic). By default, the firewall does not enforce the need to see a three-way handshake, and will pick up sessions that are already established. TCP strict can be enabled on a per section basis to turn off mid-session pick-up, and enforce the requirement for a three-way handshake. When enabling TCP strict mode for a particular firewall policy and using a default ANY-ANY Block rule, packets that do not complete the three-way handshake connection requirements and that match a TCP-based rule in this policy section are dropped. Strict is only applied to stateful TCP rules, and is enabled at the gateway firewall policy level. TCP strict is not enforced for packets that match a default ANY-ANY Allow which has no TCP service specified.
    Stateful A stateful firewall monitors the state of active connections, and uses this information to determine which packets to allow through the firewall.
    Locked The policy can be locked to prevent multiple users from making changes to the same sections. When locking a section, you must include a comment.
  7. Click Publish. Multiple Policies can be added, and then published together at one time.
    The new policy is shown on the screen.
  8. Select a policy section and click Add Rule.
  9. Enter a name for the rule.
  10. In the Sources column, click the edit icon and select the source of the rule. The source group must have the same or a subset of the gateway's span.
  11. In the Destinations column, click the edit icon and select the destination of the rule. If not defined, the destination matches any. The destination group must have the same or a subset of the gateway's span.
  12. In the Services column, click the pencil icon and select services. The service matches any if not defined. Click Apply to save.
  13. In the Profiles column, click the edit icon and select a context profile, or click Add New Context Profile. See Add a Context Profile.
    Note: Context profiles are not supported for tier-0 gateways. You can apply L7 context profiles to tier-1 gateways.
  14. Click the pencil icon in the Applied to column. In the Applied To dialog box:
    Applied To Selection Result
    Select Apply rule to gateway The gateway firewall rule is applied to all locations covered by the gateway's span. If you add another location to the gateway, this gateway firewall rule automatically gets applied to the location.
    Select a location and then select Apply rules to all Entities Apply this rule to all interfaces in the selected location.
    Select a location and then select interfaces for that location Apply the rule only to selected interfaces in one or more locations.
    Note: There is no default selection for Applied To. You must make a selection to be able to publish this rule.
  15. In the Action column, select an action.
    Option Description
    Allow Allows all traffic with the specified source, destination, and protocol to pass through the current firewall context. Packets that match the rule, and are accepted, traverse the system as if the firewall is not present.
    Drop Drops packets with the specified source, destination, and protocol. Dropping a packet is a silent action with no notification to the source or destination systems. Dropping the packet causes the connection to be retried until the retry threshold is reached.

    Rejects packets with the specified source, destination, and protocol. Rejecting a packet sends a destination unreachable message to the sender. If the protocol is TCP, a TCP RST message is sent. ICMP messages with administratively prohibited code are sent for UDP, ICMP, and other IP connections. The sending application is notified after one attempt that the connection cannot be established.

  16. Click the status toggle button to enable or disable the rule.
  17. Click the gear icon to set logging, direction, IP protocol, tag, and notes.
    Option Description
    Logging Logging can be turned off or on. You can access logs using the following NSX CLI command on NSX Edge:
    get log-file syslog | find datapathd.firewallpkt
    Logs can also be sent to an external syslog server.
    Direction The options are In, Out, and In/Out. The default is In/Out. This field refers to the direction of traffic from the point of view of the destination object. In means that only traffic to the object is checked, Out means that only traffic from the object is checked, and In/Out means that traffic in both directions is checked.
    IP Protocol The options are IPv4, IPv6, and IPv4_IPv6. The default is IPv4_IPv6.
    Log Label Log label that has been added to the rule.
    Note: Click the graph icon to view the flow statistics of the firewall rule. You can see information such as the byte, packet count, and sessions.
  18. Click Publish. Multiple rules can be added and then published together at one time.
  19. Click Check Status to view the realization status of policy applied to gateways through edge nodes in different locations. You can click Success or Failed to open the policy status window.