The Edge Firewall tab displays rules created on the centralized Firewall tab in a read-only mode. Any rules that you add here are not displayed on the centralized Firewall tab.

About this task

You can add multiple NSX Edge interfaces and/or IP address groups as the source and destination for firewall rules.

Figure 1. Firewall rule for traffic to flow from an NSX Edge interface to an HTTP server

Figure 2. Firewall rule for traffic to flow from all internal interfaces (subnets on portgroups connected to internal interfaces) of an NSX Edge to an HTTP server

Note:

If you select internal as the source, the rule is automatically updated when you configure additional internal interfaces.

Figure 3. Firewall rule for traffic to allow SSH into a machine in the internal network

Procedure

  1. In the vSphere Web Client, navigate to Networking & Security > NSX Edges.
  2. Double-click an NSX Edge.
  3. Click the Manage tab and then click the Firewall tab.
  4. Do one of the following.

    To add a rule at a specific place in the firewall table:

      1. Select a rule.
      2. In the No. column, click edit and select Add Above or Add Below.

      A new any any allow rule is added below the selected rule. If the system-defined rule is the only rule in the firewall table, the new rule is added above the default rule.

    To add a rule by copying a rule:

      1. Select a rule.
      2. Click the Copy icon.
      3. Select a rule.
      4. In the No. column, click edit and select Paste Above or Paste Below.

    To add a rule anywhere in the firewall table:

      1. Click the Add icon.

      A new any any allow rule is added below the selected rule. If the system-defined rule is the only rule in the firewall table, the new rule is added above the default rule.

    The new rule is enabled by default.

  5. Point to the Name cell of the new rule and click edit.
  6. Type a name for the new rule.
  7. Point to the Source cell of the new rule and click edit, or click the icon for entering an IP address directly.

    If you clicked the IP address icon, type an IP address.

    1. Select an object from the drop-down and then make the appropriate selections.

      If you select vNIC Group and then select vse, the rule applies to traffic generated by the NSX Edge. If you select internal or external, the rule applies to traffic coming from any internal or uplink interface of the selected NSX Edge instance. The rule is automatically updated when you configure additional interfaces. Note that firewall rules on internal interfaces do not work for a Logical Router.

      If you select IP Sets, you can create a new IP address group. After you create the new group, it is automatically added to the source column. For information on creating an IP Set, see Create an IP Address Group.

    2. Click OK.
  8. Point to the Destination cell of the new rule and click edit, or click the icon for entering an IP address directly.
    1. Select an object from the drop-down and then make the appropriate selections.

      If you select vNIC Group and then select vse, the rule applies to traffic generated by the NSX Edge. If you select internal or external, the rule applies to traffic going to any internal or uplink interface of the selected NSX Edge instance. The rule is automatically updated when you configure additional interfaces. Note that firewall rules on internal interfaces do not work for a Logical Router.

      If you select IP Sets, you can create a new IP address group. After you create the new group, it is automatically added to the Destination column. For information on creating an IP Set, see Create an IP Address Group.

    2. Click OK.
  9. Point to the Service cell of the new rule and click edit, or click the icon for selecting a protocol directly.
    • If you clicked edit, select a service. To create a new service or service group, click New. After you create the new service, it is automatically added to the Service column. For more information on creating a new service, see Create a Service.

    • If you clicked the protocol icon, select a protocol. You can specify the source port by clicking the arrow next to Advanced options. VMware recommends that you avoid specifying the source port from release 5.1 and later. Instead, you can create a service for a protocol-port combination.

    Note:

    NSX Edge only supports services defined with L3 protocols.

  10. Point to the Action cell of the new rule and click edit. Make the appropriate selections as described below and click OK.

    Action selected: Results in

    Allow: Allows traffic from or to the specified source and destination.

    Block: Blocks traffic from or to the specified source and destination.

    Reject: Sends a reject message for unaccepted packets. RST packets are sent for TCP packets; ICMP unreachable (administratively restricted) packets are sent for other packets.

    Log: Logs all sessions matching this rule. Enabling logging can affect performance.

    Do not log: Does not log sessions.

    Comments: Type comments if required.

    Advanced options > Match on Translated: Applies the rule to the translated IP address and services for a NAT rule.

    Enable Rule Direction: Indicates whether the rule is incoming or outgoing. VMware does not recommend specifying the direction for firewall rules.

  11. Click Publish Changes to push the new rule to the NSX Edge instance.
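The firewall table is evaluated top-down and a freshly added rule starts as an enabled any any allow rule, so where it lands relative to the rules you actually want matters. The following constructed Python model is added here and is not VMware code or the NSX API: it evaluates packets against such a table using the vNIC groups (vse, internal, external) and IP Sets from this page, reports what a Reject action sends back, and flags rules that an unedited new rule shadows. The packet fields and the default rule's block action are assumptions of the model.

```python
from ipaddress import ip_address, ip_network

# Constructed model of an NSX Edge firewall table (added example, not VMware's code).
# A rule's source/destination is "any", one of the vNIC groups named on this page
# ("vse", "internal", "external"), or an IP Set given as a list of CIDR strings.
# A packet carries the vNIC group it enters/leaves on plus its protocol/port; the
# default rule's block action is an assumption of this model, not a page fact.
DEFAULT_RULE = {"name": "Default Rule", "src": "any", "dst": "any",
                "service": "any", "action": "block", "enabled": True}

def rule(name, src="any", dst="any", service="any", action="allow", enabled=True):
    """Defaults mirror the enabled 'any any allow' state NSX gives a new rule."""
    return {"name": name, "src": src, "dst": dst, "service": service,
            "action": action, "enabled": enabled}

def _endpoint_matches(spec, ip, group):
    if spec == "any" or spec == group:          # wildcard or vNIC group
        return True
    if isinstance(spec, list):                  # IP Set of CIDRs
        return any(ip_address(ip) in ip_network(c) for c in spec)
    return False

def first_match(table, pkt):
    """Evaluate top-down; the system-defined default rule is always last."""
    for r in list(table) + [DEFAULT_RULE]:
        if (r["enabled"]
                and _endpoint_matches(r["src"], pkt["src_ip"], pkt["src_group"])
                and _endpoint_matches(r["dst"], pkt["dst_ip"], pkt["dst_group"])
                and r["service"] in ("any", f"{pkt['proto']}/{pkt['port']}")):
            return r["name"], r["action"]
    raise RuntimeError("unreachable: the default rule matches everything")

def reject_response(proto):
    """What a Reject action sends back, per the Action table on this page."""
    if proto == "tcp":
        return "TCP RST"
    return "ICMP unreachable (administratively restricted)"

def shadowed_rules(table):
    """Names of rules that can never match because an enabled any/any/any rule
    (the state of an unedited new rule, whatever its action) sits above them."""
    shadowed, opened = [], False
    for r in table:
        if opened:
            shadowed.append(r["name"])
        elif r["enabled"] and (r["src"], r["dst"], r["service"]) == ("any", "any", "any"):
            opened = True
    return shadowed
```

Run shadowed_rules over a table before you click Publish Changes; any name it returns is a rule that an unedited any any allow rule above it has made unreachable.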

What to do next

  • Disable a rule by clicking disable next to the rule number in the No. column.

  • Hide generated rules or pre rules (rules added on the centralized Firewall tab) by clicking Hide Generated rules or Hide Pre rules.

  • Display additional columns in the rule table by clicking select columns and selecting the appropriate columns.

    Column Name: Information Displayed

    Rule Tag: Unique system-generated ID for each rule

    Log: Whether traffic for this rule is being logged

    Stats: Clicking stats shows the traffic affected by this rule (number of sessions, traffic packets, and size)

    Comments: Comments for the rule

  • Search for rules by typing text in the Search field.