NSX-T uses firewall rules to specify traffic handling in and out of the network.

The firewall offers multiple sets of configurable rules: Layer 3 rules (General tab) and Layer 2 rules (Ethernet tab). Layer 2 firewall rules are processed before Layer 3 rules. The Configuration tab contains the exclusion list, which holds the logical switches, logical ports and groups that are to be excluded from firewall enforcement.

Firewall rules are enforced as follows:

  • Rules are processed in top-to-bottom ordering.

  • Each packet is checked against the top rule in the rule table before moving down the subsequent rules in the table.

  • The first rule in the table that matches the traffic parameters is enforced.

No subsequent rules can be enforced, because the search is terminated for that packet at the first match. Because of this behavior, it is always recommended to put the most granular policies at the top of the rule table. This ensures they are enforced before more general rules.

The default rule, located at the bottom of the rule table, is a catchall rule; packets not matching any other rule are handled by the default rule. After the host preparation operation, the default rule is set to the allow action. This ensures that VM-to-VM communication is not broken during staging or migration phases. It is a best practice to then change this default rule to the block action and enforce access control through a positive control model (i.e., only traffic defined in a firewall rule is allowed onto the network).
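The following added example (not VMware code) models the first-match behavior described above and flags rules that can never be reached because a single earlier, broader rule already covers them. The `Rule` fields, rule names and addresses are a simplified, constructed model rather than the NSX-T rule schema, and only IPv4 ranges are used.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

ANY = "0.0.0.0/0"  # an undefined source or destination matches any

@dataclass(frozen=True)
class Rule:                      # simplified model, not the NSX-T rule schema
    name: str
    action: str                  # allow, block or reject
    source: str = ANY
    destination: str = ANY
    port: Optional[int] = None   # None: service not specified, matches any

    def matches(self, src, dst, port):
        return (ip_address(src) in ip_network(self.source)
                and ip_address(dst) in ip_network(self.destination)
                and self.port in (None, port))

    def covers(self, other):
        """True if every packet matching `other` also matches this rule."""
        return (ip_network(other.source).subnet_of(ip_network(self.source))
                and ip_network(other.destination).subnet_of(ip_network(self.destination))
                and self.port in (None, other.port))

def evaluate(rules, src, dst, port):
    """First match wins; the search stops at the first matching rule."""
    for rule in rules:
        if rule.matches(src, dst, port):
            return rule.name, rule.action
    raise LookupError("table has no catch-all default rule")

def shadowed(rules):
    """Pairs (unreachable rule, earlier rule that covers it)."""
    found = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if earlier.covers(later):
                found.append((later.name, earlier.name))
                break
    return found

# Constructed sample tables: same rules, different order.
web_any = Rule("web-any", "allow", destination="10.0.1.0/24", port=443)
block_dev = Rule("block-dev", "block", "10.0.9.0/24", "10.0.1.0/24", 443)
default = Rule("default", "block")   # default rule changed from allow to block
bad_order = [web_any, block_dev, default]
good_order = [block_dev, web_any, default]
```

With `bad_order`, traffic from 10.0.9.0/24 is allowed by the broader rule and the block rule is never evaluated; `good_order` puts the granular rule first, and anything not explicitly allowed falls through to the default block.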

Firewall rule options are accessible by clicking the drop-down arrow next to Columns and checking the columns you would like to include in the firewall rules window. The following options are available.

Table 1. Columns in the firewall rule screen

| Column Name | Description |
|---|---|
| Name | Name of the firewall rule. |
| Source | The source of the rule can be either an IP or MAC address or an object other than an IP address. The source will match any if not defined. IPv6 is not supported for source or destination range. |
| ID | Unique system-generated ID for each rule. |
| Direction | The direction rule element matches the direction a packet is traveling as it traverses the interface. A direction of In is for traffic ingressing through the firewall. A direction of Out is for traffic egressing through a firewall. By default the direction will be In Out (both directions). |
| IP Protocol | This is applicable only for L3 rules. Both IPv4 and IPv6 are supported. The default value is both. |
| Destination | The destination IP or MAC address/netmask of the connection that is affected by the rule. The destination will match any if not defined. IPv6 is not supported for source or destination range. |
| Service | The service can be a predefined port protocol combination for L3. For L2 it can be ether-type. For both L2 and L3 you can manually define a new service or service group. The service will match any if it is not specified. |
| Action (required) | The action applied by the rule can be allow, block, or reject. |
| Applied To | Defines the scope at which this rule is applicable. If not defined, the scope will be all logical ports. If you have added "applied to" in a section, it will overwrite the rule. |
|  | Logging can be turned off or on. Logs are stored in the /var/log/dfwpktlogs.log file on ESX and KVM hosts. |
|  | Read-only field that displays the byte, packet count, and sessions. |
|  | Comments for the rule. |

Below is the default firewall rule with a portion of the column options shown.

Figure 1. Firewall Rules Window
Main window where you create firewall rules.