Edge Firewall monitors North-South traffic to provide perimeter security functionality including firewall, Network Address Translation (NAT) as well as site-to-site IPSec and SSL VPN functionality. This solution is available in the virtual machine form factor and can be deployed in a High Availability mode.

Firewall support is limited on the Logical Router. Only the rules on management and/or uplink interfaces work, however, the rules on internal interfaces do not work.


NSX-V Edge is vulnerable to Syn-Flood attacks, where an attacker fills the firewall state tracking table by flooding SYN packets. This DOS/DDOS attack creates a service disruption to genuine users. Edge must defend from Syn-Flood attacks by implementing logic to detect bogus TCP connections and terminate them without consuming Firewall state tracking resources. This feature is disabled by default. To enable this feature in a high risk environment, set the REST API enableSynFloodProtection value to 'true' as part of the Firewall Global Configuration.