About this task

A firewall rule section is edited and saved independently and is used to apply separate firewall configuration to tenants.


  1. Select Firewall in the navigation panel.
  2. Click the General tab for L3 rules or the Ethernet tab for L2 rules.
  3. Click an existing section or rule.
  4. Click Add Section on the menu bar, or click the menu icon in the first column of a section and select Add Section Above or Add Section Below.

    For any traffic attempting to pass through the firewall, the packet information is subjected to the rules in the order shown in the Rules table, beginning at the top and proceeding to the default rules at the bottom. In some cases, the order of precedence of two or more rules might be important in determining the disposition of a packet.

  5. Enter the section name and an optional description.
  6. Select either Stateful or Stateless. This option is applicable only for L3.

    Stateless firewalls watch network traffic, and restrict or block packets based on source and destination addresses or other static values. Stateful firewalls can watch traffic streams from end to end. Stateless firewalls are typically faster and perform better under heavier traffic loads. Stateful firewalls are better at identifying unauthorized and forged communications. There is no toggling between stateful and stateless once it is defined.

  7. Select one or more objects to apply the section.

    The types of object are logical ports, logical switches, and NSGroups. If you select an NSGroup, it must contain one or more logical switches or logical ports. If the NSGroup contains only IP sets or MAC sets, it will be ignored.


    The Applied To in a section it will override any Applied To settings in the rules in that section.

  8. Click Save to save the section.

    The newly added Section appears in the Firewall window.

What to do next

Add Firewall rules to the section.