A firewall is a network security system that monitors and controls the incoming and outgoing network traffic based on predetermined firewall rules.

Firewall rules are added at the NSX Manager scope. Using the Applied To field, you can then narrow down the scope at which you want to apply the rule. You can add multiple objects at the source and destination levels for each rule, which helps reduce the total number of firewall rules to be added.
Note: By default, a rule matches on the default of any source, destination, and service rule elements, matching all interfaces and traffic directions. If you want to restrict the effect of the rule to particular interfaces or traffic directions, you must specify the restriction in the rule.

Prerequisites

  • To use a group of addresses, first manually associate the IP and MAC address of each VM with their logical switch.

  • Verify that Manager mode is selected in the NSX Manager user interface. See NSX Manager. If you do not see the Policy and Manager mode buttons, see Configure the User Interface Settings.

Procedure

  1. Select Security > Distributed Firewall.
  2. Click the General tab for L3 rules or the Ethernet tab for L2 rules.
  3. Click an existing section or rule.
  4. Click the menu icon in the first column of a rule and select Add Rule Above or Add Rule Below.
    A new row appears to define a firewall rule.
    Note: For any traffic attempting to pass through the firewall, the packet information is subjected to the rules in the order shown in the Rules table, beginning at the top and proceeding to the default rules at the bottom. In some cases, the order of precedence of two or more rules might be important in determining the disposition of a packet.
  5. In the Name column, enter the rule name.
  6. In the Source column, click the edit icon and select the source of the rule. The source will match any if not defined.
    Option Description
    IP Addresses Enter multiple IP or MAC addresses in a comma-separated list. The list can contain up to 255 characters. Both IPv4 and IPv6 formats are supported.
    Container Objects The available objects are IP Set, Logical Port, Logical Switch, and NS Group. Select the objects and click OK.
  7. In the Destination column, click the edit icon and select the destination. The destination will match any if not defined.
    Option Description
    IP Addresses You can enter multiple IP or MAC addresses in a comma-separated list. The list can contain up to 255 characters. Both IPv4 and IPv6 formats are supported.
    Container Objects The available objects are IP Set, Logical Port, Logical Switch, and NS Group. Select the objects and click OK.
  8. In the Service column, click the edit icon and select services. The service will match any if not defined.
  9. To select a predefined service, select one of more available services.
  10. To define a new service, click the Raw Port-Protocol tab and click Add..
    Option Description
    Type of Service
    • ALG
    • ICMP
    • IGMP
    • IP
    • L4 Port Set
    Protocol Select one of the available protocols.
    Source Ports Enter the source port.
    Destination Ports Select the destination port.
  11. In the Applied To column, click the edit icon and select objects.
  12. In the Log column, set the logging option.
    Logs are in the /var/log/dfwpktlogs.log file on ESXi and KVM hosts. Enabling logging can affect performance.
  13. In the Action column, select an action.
    Option Description
    Allow Allows all L3 or L2 traffic with the specified source, destination, and protocol to pass through the current firewall context. Packets that match the rule, and are accepted, traverse the system as if the firewall is not present
    Drop Drops packets with the specified source, destination, and protocol. Dropping a packet is a silent action with no notification to the source or destination systems. Dropping the packet causes the connection to be retried until the retry threshold is reached.
    Reject Rejects packets with the specified source, destination, and protocol. Rejecting a packet is a more graceful way to deny a packet, as it sends a destination unreachable message to the sender. If the protocol is TCP, a TCP RST message is sent. ICMP messages with administratively prohibited code are sent for UDP, ICMP, and other IP connections. One benefit of using Reject is that the sending application is notified after only one attempt that the connection cannot be established.
  14. Click the Advanced Settings icon to specify IP protocol, direction, rule tags, and comments.
  15. Click Publish.