Implement gateway firewall rules by adding them under a firewall policy section that belongs to a predefined category.


  1. From your browser, log in with admin privileges to an NSX Manager at https://<nsx-manager-ip-address>.
  2. Select Security > North South Security > Gateway Firewall.
  3. To enable Gateway Firewall select Actions > General Settings, and toggle the status button. Click Save.
  4. Click Add Policy, for more about categories see Gateway Firewall.
  5. Enter a Name for the new policy section.
  6. Select the policy Destination.
  7. Click the gear icon to configure the following policy settings:
    Settings Description
    TCP Strict A TCP connection begins with a three-way handshake (SYN, SYN-ACK, ACK), and typically ends with a two-way exchange (FIN, ACK). In certain circumstances, the firewall may not see the three-way handshake for a particular flow (i.e. due to asymmetric traffic). By default, the firewall does not enforce the need to see a three-way handshake, and will pick-up sessions that are already established. TCP strict can be enabled on a per section basis to turn off mid-session pick-up, and enforce the requirement for a three-way handshake. When enabling TCP strict mode for a particular firewall policy and using a default ANY-ANY Block rule, packets that do not complete the three-way handshake connection requirements and that match a TCP-based rule in this policy section are dropped. Strict is only applied to stateful TCP rules, and is enabled at the gateway firewall policy level. TCP strict is not enforced for packets that match a default ANY-ANY Allow which has no TCP service specified.
    Stateful A stateful firewall monitors the state of active connections, and uses this information to determine which packets to allow through the firewall.
    Locked The policy can be locked to prevent multiple users from making changes to the same sections. When locking a section, you must include a comment.
  8. Click Publish. Multiple Policies can be added, and then published together at one time.
    The new policy is shown on the screen.
  9. Select a policy section and click Add Rule.
  10. Enter a name for the rule. IPv4, IPv6, and multicast addresses are supported.
  11. In the Sources column, click the edit icon and select the source of the rule. See Add a Group for more information.
  12. In the Destinations column, click the edit icon and select the destination of the rule. If not defined, the destination matches any. See Add a Group for more information.
  13. In the Services column, click the pencil icon and select services. The service matches any if not defined.
  14. In the Profiles column, click the edit icon and select a context profile, or click Add New Context Profile. See Add a Context Profile.
    Gateway firewall rules do not support context profiles with FQDN attributes. Context profiles use layer 7 APP ID attributes for use in distributed firewall rules and gateway firewall rules. Multiple App Id context profiles can be used in a firewall rule with services set to Any. For ALG profiles (FTP, and TFTP), one context profile is supported per rule.
  15. Click Apply.
  16. The Applied to column defines the scope of enforcement per rule and is used mainly for optimization of resources on ESXi and KVM hosts. You can define a targeted policy for specific zones and tenants without interfering with policy defined for other tenants and zones. You can select a logical router (Tier-0 or Tier-1) or interfaces on logical routers or route-based VPN sessions in this column.
  17. In the Action column, select an action.
    Option Description
    Allow Allows all traffic with the specified source, destination, and protocol to pass through the current firewall context. Packets that match the rule, and are accepted, traverse the system as if the firewall is not present.
    Drop Drops packets with the specified source, destination, and protocol. Dropping a packet is a silent action with no notification to the source or destination systems. Dropping the packet causes the connection to be retried until the retry threshold is reached.

    Rejects packets with the specified source, destination, and protocol. Rejecting a packet sends a destination unreachable message to the sender. If the protocol is TCP, a TCP RST message is sent. ICMP messages with administratively prohibited code are sent for UDP, ICMP, and other IP connections. The sending application is notified after one attempt that the connection cannot be established.

  18. Click the status toggle button to enable or disable the rule.
  19. Click the gear icon to set logging, direction, IP protocol, tag, and notes.
    Option Description
    Logging Logging can be turned off or on. Logs are stored at /var/log/syslog on the Edge.
    Direction The options are In, Out, and In/Out. The default is In/Out. This field refers to the direction of traffic from the point of view of the destination object. In means that only traffic to the object is checked, Out means that only traffic from the object is checked, and In/Out means that traffic in both directions is checked.
    IP Protocol The options are IPv4, IPv6, and IPv4_IPv6. The default is IPv4_IPv6.
    Tag Tag that has been added to the rule.
    Note: Click the graph icon to view the flow statistics of the firewall rule. You can see information such as the byte, packet count, and sessions.
  20. Click Publish. Multiple rules can be added and then published together at one time.
  21. On each policy section, click the Info icon to view the current status of edge firewall rules that are pushed to edge nodes. Any alarms generated when rules were pushed to edge nodes are also displayed.
  22. To view consolidated status of policy rules that are applied to edge nodes, make the API call.
    GET https://<policy-mgr>/policy/api/v1/infra/realized-state/status?intent_path=/infra/domains/default/gateway-policies/<GatewayPolicy_ID>&include_enforced_status=true