A firewall rule section is edited and saved independently and is used to apply separate firewall configuration to tenants.

Prerequisites

Verify that Manager mode is selected in the NSX Manager user interface. See NSX Manager. If you do not see the Policy and Manager mode buttons, see Configure User Interface Settings.

Procedure

  1. Select Security > Distributed Firewall.
  2. Click the General tab for layer 3 (L3) rules or the Ethernet tab for layer 2 (L2) rules.
  3. Click an existing section or rule.
  4. Click the section icon on the menu bar and select Add Section Above or Add Section Below.
    Note: For any traffic attempting to pass through the firewall, the packet information is subjected to the rules in the order shown in the Rules table, beginning at the top and proceeding to the default rules at the bottom. In some cases, the order of precedence of two or more rules might be important in determining the disposition of a packet.
  5. Enter the section name.
  6. To make the firewall stateless, select the Enable Stateless Firewall. This option is applicable for L3 only.
    Stateless firewalls watch network traffic, and restrict or block packets based on source and destination addresses or other static values. For TCP and UDP flows, after the first packet, a cache is created and maintained for the traffic tuple in either direction, if the firewall result is ALLOW. This means that the traffic no longer needs to check with the firewall rules, resulting in lower latency. Stateless firewalls are thus typically faster and perform better under heavier traffic loads.

    Stateful firewalls can watch traffic streams from end to end. The firewall is always consulted for every packet, to validate the state and sequence numbers. Stateful firewalls are better at identifying unauthorized and forged communications.

    There is no toggling between stateful and stateless once it is defined.
  7. Select one or more objects to apply the section.
    The types of object are logical ports, logical switches, and NSGroups. If you select an NSGroup, it must contain one or more logical switches or logical ports. If the NSGroup contains only IP sets or MAC sets, it will be ignored.
    Note: The Applied To in a section it will override any Applied To settings in the rules in that section.
  8. Click OK.

What to do next

Add Firewall rules to the section.