You add firewall rules at the NSX Manager scope. Using the Applied To field, you can then narrow down the scope at which you want to apply the rule. You can add multiple objects at the source and destination levels for each rule, which helps reduce the total number of firewall rules to be added.

About this task

The following vCenter objects can be specified as the source or destination for a firewall rule:

Table 1. Objects supported for firewall rules

Source or Destination:

  • cluster

  • datacenter

  • distributed port group

  • IP set

  • legacy port group

  • logical switch

  • resource pool

  • security group

  • vApp

  • virtual machine

  • vNIC

  • IP address (IPv4 or IPv6)

Applied To:

  • All clusters on which Distributed Firewall has been installed (in other words, all clusters that have been prepared for network virtualization)

  • All Edge gateways installed on prepared clusters

  • cluster

  • datacenter

  • distributed port group

  • Edge

  • legacy port group

  • logical switch

  • security group

  • virtual machine

  • vNIC

Prerequisites

Make sure the state of NSX distributed firewall is not in backward compatibility mode. To check the current state, use the REST API call GET https://<nsxmgr-ip>/api/4.0/firewall/globalroot-0/state. If the current state is backward compatibility mode, you can change the state to forward by using the REST API call PUT https://<nsxmgr-ip>/api/4.0/firewall/globalroot-0/state. Do not try to publish a distributed firewall rule while the distributed firewall is in backward compatibility mode.
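The state check above is easy to automate before a publish. The following is an added example, not part of the NSX documentation or VMware's own tooling; the exact XML schema returned by the state endpoint is an assumption (the parser only relies on an element whose name ends in "state"), and the two sample responses are constructed for illustration. The helper fails closed: anything that is not clearly forward mode is treated as unsafe to publish.

```python
import xml.etree.ElementTree as ET

# Placeholder for the NSX Manager address, as written in the documentation.
NSX_MANAGER = "<nsxmgr-ip>"
STATE_URL = f"https://{NSX_MANAGER}/api/4.0/firewall/globalroot-0/state"

# Constructed sample bodies. The real schema may differ; these only exercise
# the parser, which looks for any element whose tag ends with "state".
SAMPLE_BACKWARD = "<firewallState><state>backward</state></firewallState>"
SAMPLE_FORWARD = "<firewallState><state>forward</state></firewallState>"


def parse_firewall_state(body: str) -> str:
    """Return 'forward', 'backward' or 'unknown' for a state response body."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return "unknown"
    for elem in root.iter():
        if elem.tag.lower().endswith("state") and elem.text:
            value = elem.text.strip().lower()
            if "backward" in value:
                return "backward"
            if "forward" in value:
                return "forward"
    return "unknown"


def safe_to_publish(body: str) -> bool:
    """Publishing rules is only safe when forward mode is positively confirmed.
    Malformed or unexpected responses therefore count as unsafe."""
    return parse_firewall_state(body) == "forward"


def fetch_state(session) -> str:
    """Query the manager with a caller-supplied HTTP session (for example a
    requests.Session with credentials and CA verification already set).
    Assumed usage; not executed offline."""
    resp = session.get(STATE_URL, headers={"Accept": "application/xml"})
    resp.raise_for_status()
    return parse_firewall_state(resp.text)
```

Wire `safe_to_publish(resp.text)` in front of whatever pushes the rule set; if it returns False, switch the firewall to forward mode with the PUT call first rather than publishing.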

If you are adding universal firewall rules, see Add a Universal Firewall Rule.

If you are adding an identity-based firewall rule, ensure that:

  • One or more domains have been registered with NSX Manager. NSX Manager gets group and user information as well as the relationship between them from each domain that it is registered with. See Register a Windows Domain with NSX Manager.

  • A security group based on Active Directory objects has been created which can be used as the source or destination of the rule. See Create a Security Group.

If you are adding a rule based on a VMware vCenter object, ensure that VMware Tools is installed on the virtual machines. See NSX Installation Guide.

VMs that are migrated from 6.1.5 to 6.2.3 do not have support for TFTP ALG. To enable TFTP ALG support after migrating, add and remove the VM from the exclusion list or restart the VM. A new 6.2.3 filter is created, with support for TFTP ALG.

Procedure

  1. In the vSphere Web Client, navigate to Networking & Security > Firewall.
  2. Ensure that you are in the General tab to add an L3 rule. Click the Ethernet tab to add an L2 rule.
  3. In the section in which you add a rule, click Add rule (add icon) icon.
  4. Click Publish Changes.

    A new any allow rule is added at the top of the section. If the system-defined rule is the only rule in the section, the new rule is added above the default rule.

    If you want to add a rule at a specific place in a section, select a rule. In the No. column, click and select Add Above or Add Below.

  5. Point to the Name cell of the new rule and click edit.
  6. Type a name for the new rule.
  7. Point to the Source cell of the new rule. Additional icons are displayed as described in the table below.

    Option: Click IP

    Description: To specify source as an IP address.

    1. Select the IP address format.

      Firewall supports both IPv4 and IPv6 formats.

    2. Type the IP address.

      You can enter multiple IP addresses in a comma-separated list. The list can contain up to 255 characters.

    Option: Click

    Description: To specify source as an object other than a specific IP address.

    1. In View, select a container from which the communication originated.

      Objects for the selected container are displayed.

    2. Select one or more objects and click add.

      You can create a new security group or IPSet. Once you create the new object, it is added to the Source column by default. For information on creating a new security group or IPSet, see Network and Security Objects.

    3. To exclude a source from the rule, click Advanced options.

    4. Select Negate Source to exclude this source from the rule.

      If Negate Source is selected, the rule is applied to traffic coming from all sources except for the source you specified in the previous step.

      If Negate Source is not selected, the rule applies to traffic coming from the source you specified in the previous step.

    5. Click OK.

  8. Point to the Destination cell of the new rule. Additional icons are displayed as described in the table below.

    Option: Click IP

    Description: To specify destination as an IP address.

    1. Select the IP address format.

      Firewall supports both IPv4 and IPv6 formats.

    2. Type the IP address.

      You can enter multiple IP addresses in a comma-separated list. The list can contain up to 255 characters.

    Option: Click

    Description: To specify destination as an object other than a specific IP address.

    1. In View, select a container which the communication is targeting.

      Objects for the selected container are displayed.

    2. Select one or more objects and click add.

      You can create a new security group or IPSet. Once you create the new object, it is added to the Destination column by default. For information on creating a new security group or IPSet, see Network and Security Objects.

    3. To exclude a destination from the rule, click Advanced options.

    4. Select Negate Destination to exclude this destination from the rule.

      If Negate Destination is selected, the rule is applied to traffic going to all destinations except for the destination you specified in the previous step.

      If Negate Destination is not selected, the rule applies to traffic going to the destination you specified in the previous step.

    5. Click OK.

  9. Point to the Service cell of the new rule. Additional icons are displayed as described in the table below.

    Option: Click port

    Description: To specify service as a port/protocol combination.

    1. Select the service protocol.

      Distributed Firewall supports ALG (Application Level Gateway) for the following protocols: TFTP, FTP, ORACLE TNS, MS-RPC, and SUN-RPC.

      Edge supports ALG for FTP, TFTP, and SNMP_BASIC.

      Note: VMs that are migrated from 6.1.5 to 6.2.3 do not have support for TFTP ALG. To enable TFTP ALG support after migrating, add and remove the VM from the exclusion list or restart the VM. A new 6.2.3 filter is created, with support for TFTP ALG.

    2. Type the port number and click OK.

    Option: Click

    Description: To select a pre-defined service/service group or define a new one.

    1. Select one or more objects and click add.

      You can create a new service or service group. Once you create the new object, it is added to the Selected Objects column by default.

    2. Click OK.

    In order to protect your network from ACK or SYN floods, you can set Service to TCP-all_ports or UDP-all_ports and set Action to Block for the default rule. For information on modifying the default rule, see Edit the Default Distributed Firewall Rule.

  10. Point to the Action cell of the new rule and click edit. Make appropriate selections as described in the table below and click OK.

    Action: Allow

    Results in: Allows traffic from or to the specified source(s), destination(s), and service(s).

    Action: Block

    Results in: Blocks traffic from or to the specified source(s), destination(s), and service(s).

    Action: Reject

    Results in: Sends a reject message for unaccepted packets. RST packets are sent for TCP connections. ICMP messages with the administratively prohibited code are sent for UDP, ICMP, and other IP connections.

    Action: Log

    Results in: Logs all sessions matching this rule. Enabling logging can affect performance.

    Action: Do not log

    Results in: Does not log sessions.

  11. In Applied To, define the scope at which this rule is applicable. Make appropriate selections as described in the table below and click OK.

    To apply a rule to: All prepared clusters in your environment

    Do this: Select Apply this rule on all clusters on which Distributed Firewall is enabled. After you click OK, the Applied To column for this rule displays Distributed Firewall.

    To apply a rule to: All NSX Edge gateways in your environment

    Do this: Select Apply this rule on all Edge gateways. After you click OK, the Applied To column for this rule displays All Edges.

    If both of the above options are selected, the Applied To column displays Any.

    To apply a rule to: One or more clusters, datacenters, distributed virtual port groups, NSX Edges, networks, virtual machines, vNICs, or logical switches

    Do this:

    1. In Container type, select the appropriate object.

    2. In the Available list, select one or more objects and click add.

    If the rule contains virtual machines/vNICs in the source and destination fields, you must add both the source and destination virtual machines/vNICs to Applied To for the rule to work correctly.

  12. Click Publish Changes.

    After a few moments, a message indicating whether the publish operation was successful is displayed. In case of any failures, the hosts on which the rule was not applied are listed. For additional details on a failed publish, navigate to NSX Managers > NSX_Manager_IP_Address > Monitor > System Events.

    When you click Publish Changes, the firewall configuration is automatically saved. For information on reverting to an earlier configuration, see Load a Saved Firewall Configuration.
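The Negate Source / Negate Destination options (steps 7 and 8) and the Applied To requirement for VM-to-VM rules (step 11) are the two parts of this procedure that most often produce rules that do not behave as intended. The following is an added example, not code from the NSX documentation or from VMware: a deliberately simplified model of first-match rule evaluation in which a rule is present at a VM's vNIC only when Applied To covers that VM or all clusters, and a VM-to-VM packet must be allowed at both vNICs. VM names, rule names and the default-block assumption are constructed; the model is a teaching aid, not a reproduction of the product's engine.

```python
from dataclasses import dataclass

ALL_CLUSTERS = "Distributed Firewall"  # Applied To value for "all prepared clusters"
ANY = "any"


@dataclass(frozen=True)
class Packet:
    src: str        # VM the packet leaves (constructed names below)
    dst: str        # VM the packet is addressed to
    proto: str      # "tcp", "udp" or "icmp"
    port: int = 0   # destination port; 0 for protocols without ports


@dataclass
class Rule:
    name: str
    sources: frozenset
    destinations: frozenset
    service: tuple = (ANY, 0)          # (protocol, port); (ANY, 0) matches all
    action: str = "allow"              # "allow", "block" or "reject"
    negate_source: bool = False
    negate_destination: bool = False
    applied_to: frozenset = frozenset({ALL_CLUSTERS})


def _selected(obj, selection, negate):
    """Membership with Negate Source / Negate Destination semantics:
    negated means 'everything except the listed objects'."""
    hit = ANY in selection or obj in selection
    return (not hit) if negate else hit


def _service_hit(service, pkt):
    proto, port = service
    return proto == ANY or (proto == pkt.proto and (port == 0 or port == pkt.port))


def rule_matches(rule, pkt):
    return (_selected(pkt.src, rule.sources, rule.negate_source)
            and _selected(pkt.dst, rule.destinations, rule.negate_destination)
            and _service_hit(rule.service, pkt))


def verdict_at_vnic(vm, rules, pkt, default_action="block"):
    """Evaluate the table at one VM's vNIC. Only rules whose Applied To covers
    this VM (or all clusters) exist there; first match wins, then the default."""
    for rule in rules:
        if ALL_CLUSTERS in rule.applied_to or vm in rule.applied_to:
            if rule_matches(rule, pkt):
                return rule.action
    return default_action


def verdict(rules, pkt, default_action="block"):
    """A VM-to-VM packet is filtered leaving the source vNIC and again arriving
    at the destination vNIC; it passes only if both say allow."""
    out = verdict_at_vnic(pkt.src, rules, pkt, default_action)
    if out != "allow":
        return out
    return verdict_at_vnic(pkt.dst, rules, pkt, default_action)


def demo():
    """Constructed scenarios returning the verdict for each case."""
    web, db, mgmt = "web-01", "db-01", "mgmt-01"
    sql = Packet(web, db, "tcp", 3306)
    # Applied To lists only the source VM: the rule is absent at db-01's vNIC,
    # so the packet leaves web-01 but hits the default block on arrival.
    source_only = [Rule("web-to-db", frozenset({web}), frozenset({db}),
                        ("tcp", 3306), applied_to=frozenset({web}))]
    # Both VMs in Applied To, as step 11 requires: allowed at both vNICs.
    both = [Rule("web-to-db", frozenset({web}), frozenset({db}),
                 ("tcp", 3306), applied_to=frozenset({web, db}))]
    # Negate Source: "sources = {mgmt-01}, negated" means every source except
    # mgmt-01, so the block rule fences SSH to db-01 off from everything else.
    negated = [Rule("block-ssh-except-mgmt", frozenset({mgmt}), frozenset({db}),
                    ("tcp", 22), action="block", negate_source=True),
               Rule("mgmt-ssh", frozenset({mgmt}), frozenset({db}), ("tcp", 22))]
    return {
        "applied_to_source_only": verdict(source_only, sql),
        "applied_to_both": verdict(both, sql),
        "ssh_from_web": verdict(negated, Packet(web, db, "tcp", 22)),
        "ssh_from_mgmt": verdict(negated, Packet(mgmt, db, "tcp", 22)),
    }
```

Running `demo()` shows the first pitfall directly: the same rule yields "block" when only the source VM is in Applied To and "allow" once both are, which is exactly why the documentation requires both ends of a VM/vNIC rule to be listed there.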

What to do next

  • Disable a rule by clicking disable, or enable a rule by clicking enable rule.

  • Display additional columns in the rule table by clicking select columns and selecting the appropriate columns.

    Column Name: Rule ID

    Information Displayed: Unique system-generated ID for each rule

    Column Name: Log

    Information Displayed: Whether traffic for this rule is being logged

    Column Name: Stats

    Information Displayed: Clicking stats shows the traffic related to this rule (traffic packets and size)

    Column Name: Comments

    Information Displayed: Comments for the rule

  • Search for rules by typing text in the Search field.

  • Move a rule up or down in the Firewall table.

  • Merge sections by clicking the Merge section icon and selecting Merge with above section or Merge with below section.