To enable identity firewall, navigate to Security > Gateway Firewall, and click Actions, General Settings. Toggle the bar to enable identity firewall, noting that you must have active directory.


  1. With admin privileges, log in to NSX Manager.
  2. Select Security > Gateway Firewall.
  3. To enable Gateway Firewall select Actions > General Settings, and toggle the status button. Click Save.
  4. Click Add Policy, for more about categories see Gateway Firewall.
  5. Enter a Name for the new policy section.
  6. Select the policy Destination.
  7. Click the gear icon to configure the following policy settings:
    Settings Description
    TCP Strict A TCP connection begins with a three-way handshake (SYN, SYN-ACK, ACK), and typically ends with a two-way exchange (FIN, ACK). In certain circumstances, the firewall may not see the three-way handshake for a particular flow (i.e. due to asymmetric traffic). By default, the firewall does not enforce the need to see a three-way handshake, and will pick-up sessions that are already established. TCP strict can be enabled on a per section basis to turn off mid-session pick-up, and enforce the requirement for a three-way handshake. When enabling TCP strict mode for a particular firewall policy and using a default ANY-ANY Block rule, packets that do not complete the three-way handshake connection requirements and that match a TCP-based rule in this policy section are dropped. Strict is only applied to stateful TCP rules, and is enabled at the gateway firewall policy level. TCP strict is not enforced for packets that match a default ANY-ANY Allow which has no TCP service specified.
    Stateful A stateful firewall monitors the state of active connections, and uses this information to determine which packets to allow through the firewall.
    Locked The policy can be locked to prevent multiple users from making changes to the same sections. When locking a section, you must include a comment.
  8. Click Publish.
    Multiple Policies can be added, and then published together at one time.
    The new policy is shown on the screen.
  9. Select a policy section and click Add Rule.
  10. Enter a name for the rule. IPv4, and IPv6 addresses are supported.
  11. In the Sources column, click the edit icon and select the source of the rule. Groups with Active Directory members can be used for the source box of an IDFW rule. See Add a Group.
  12. In the Destinations column, click the edit icon and select the destination of the rule. If not defined, the destination matches any. See Add a Group.
  13. In the Services column, click the pencil icon and select services. The service matches any if not defined. See Add a Service.
  14. For Tier-1 gateways, in the Profiles column, click the edit icon and select a context profile, or L7 Access Profile. Or, create new profiles. See Profiles.
    • A security rule can contain either a context profile or an L7 access profile, but not both.
    • Context profiles and L7 access profiles are not supported on tier-0 gateway firewall policy.
    • Gateway firewall rules do not support context profiles with attribute type Domain(FQDN) Name.
    • Gateway firewall rules support L7 access profiles with attribute type App ID, URL Category, Custom URL and URL Reputation. The attribute type App ID supports multiple sub attributes.
    Multiple App ID context profiles can be used in a firewall rule with services set to Any. Only a single L7 Access profile can be used within a single gateway firewall rule.
  15. Click Apply.
  16. Click the pencil icon for the Applied To column to change the scope of enforcement per rule. From the Applied To | New Rule dialog box, click the Categories drop-down menu to filter by object type such as interfaces, labels, and VTIs to select those specific objects.
    By default, gateway firewall rules are applied to all the available uplinks and service interfaces on a selected gateway.

    For URL filtering, Applied To can only be Tier-1 gateways.

  17. In the Action column, select an action.
    Option Description
    Allow Allows all traffic with the specified source, destination, and protocol to pass through the current firewall context. Packets that match the rule, and are accepted, traverse the system as if the firewall is not present.

    The rule action with an L7 access profile must be Allow.

    Drop Drops packets with the specified source, destination, and protocol. Dropping a packet is a silent action with no notification to the source or destination systems. Dropping the packet causes the connection to be retried until the retry threshold is reached.

    Rejects packets with the specified source, destination, and protocol. Rejecting a packet sends a destination unreachable message to the sender. If the protocol is TCP, a TCP RST message is sent. ICMP messages with administratively prohibited code are sent for UDP, ICMP, and other IP connections. The sending application is notified after one attempt that the connection cannot be established.

  18. Click the status toggle button to activate or deactivate the rule.
  19. Click the gear icon to set logging, direction, IP protocol, and comments.
    Option Description

    Logging can be turned on or off. Gateway firewall logs provide the gateway virtual routing and forwarding, and gateway interface information, along with flow details. Gateway firewall logs can be found in the file named firewallpkt.log in the /var/log directory.

    Direction The options are In, Out, and In/Out. The default is In/Out. This field refers to the direction of traffic from the point of view of the destination object. In means that only traffic to the object is checked, Out means that only traffic from the object is checked, and In/Out means that traffic in both directions is checked.
    IP Protocol The options are IPv4, IPv6, and IPv4_IPv6. The default is IPv4_IPv6.
    Note: Click the graph icon to view the flow statistics of the firewall rule. You can see information such as the byte, packet count, and sessions.
  20. Click Publish. Multiple rules can be added and then published together at one time.
  21. On each policy section, click the Info icon to view the current status of edge firewall rules that are pushed to edge nodes. Any alarms generated when rules were pushed to edge nodes are also displayed.
  22. To view consolidated status of policy rules that are applied to edge nodes, make the API call.
    GET https://<policy-mgr>/policy/api/v1/infra/realized-state/status?intent_path=/infra/domains/default/gateway-policies/<GatewayPolicy_ID>&include_enforced_status=true