You can use IP addresses, vCenter objects, and NSX grouping objects as sources. You can also define sources and destinations and negate them. If no sources or destinations are defined, the source or destination is set to "any".

The following vCenter objects can be specified as the source or destination for a firewall rule:

Table 1. Objects supported for firewall rules

Source or Destination

Applied To

  • cluster

  • datacenter

  • distributed port group

  • IP set

  • legacy port group

  • logical switch

  • resource pool

  • security group

  • vApp

  • virtual machine

  • vNIC

  • IP address (IPv4 or IPv6)

  • All clusters on which Distributed Firewall has been installed (in other words, all clusters that have been prepared for network virtualization)

  • All Edge gateways installed on prepared clusters

  • cluster

  • datacenter

  • distributed port group

  • Edge

  • legacy port group

  • logical switch

  • security group

  • virtual machine

  • vNIC

Procedure

  1. (Optional) Select objects to use in the firewall rule.
    1. Click Edit in the source or destination column.
    2. Select the object type from the Object Type drop-down menu.

      You can create a new security group or IP set. Once you create the new object, it is added to the source or destination column by default. For information on creating a new security group or IP set, see Network and Security Objects.

    3. Select one or more objects and click the arrow to move them to the Selected Objects column.
  2. (Optional) Select IP addresses to use in the firewall rule.

    Option

    Description

    NSX 6.4.1

    1. Click Edit in the source or destination column, select IP addresses, and click Add.

    2. Enter one IP address. Both IPv4 and IPv6 addresses are valid.

    3. Click Add if you need to enter additional IP addresses.

    NSX 6.4.0

    1. Click IP (IP) in the source column.

    2. Select IPv4 or IPv6.

    3. Type the IP address.

      You can enter multiple IP addresses in a comma-separated list. The list can contain up to 255 characters.

  3. (Optional) Negate the sources or destinations defined in this rule.

    If Negate Source is selected, the rule is applied to traffic coming from all sources except for the sources defined for this rule.

    If Negate Source is not selected, the rule applies to traffic coming from the sources or destinations defined for this rule.

    You can select Negate Source only if you have at least one source or destination defined.

    Option

    Description

    NSX 6.4.1

    1. Click Edit in the source column.

    2. Set Negate Source to On.

    NSX 6.4.0

    1. Click Edit () in the source column.

    2. Select the Negate source check box.