You can add sections in the firewall table to organize your rules or to create a universal section for use in cross-vCenter NSX environments.

Prerequisites

Determine the appropriate NSX Manager on which to make your changes.

  • In a standalone or single vCenter NSX environment there is only one NSX Manager so you do not need to select one.

  • Universal objects must be managed from the primary NSX Manager.

  • Objects local to an NSX Manager must be managed from that NSX Manager.

  • In a cross-vCenter NSX environment that does not have Enhanced Linked Mode enabled, you must make configuration changes from the vCenter linked to the NSX Manager that you want to modify.

  • In a cross-vCenter NSX environment in Enhanced Linked Mode, you can make configuration changes to any NSX Manager from any linked vCenter. Select the appropriate NSX Manager from the NSX Manager drop-down menu.

Procedure

  1. In the vSphere Web Client, navigate to Networking & Security > Security > Firewall.
  2. If there is more than one NSX Manager available, select one. You must select the Primary NSX Manager to add a universal section.
  3. Ensure that you are in the Configuration > General tab to add a section for L3, L4, or L7 rules. Click the Ethernet tab to add a section for L2 rules.
  4. Click Add Section (Add Section icon or Add Section icon).
  5. Enter a name for the section. Section names must be unique within NSX Manager.
  6. (Optional) In a cross-vCenter NSX environment, you can configure the section as a universal firewall rule section.
    • In NSX 6.4.1 and later, click the Universal Synchronization button.

    • In NSX 6.4.0, select Mark this section for Universal Synchronization.

  7. (Optional) Configure firewall rule properties for the firewall section by selecting the appropriate check boxes.

    Firewall Rule Section Properties

    Description

    Enable User Identity at Source

    When using Identity Firewall for RDSH, Enable User Identity at Source must be checked. Note that this disables the enable stateless firewall option because the TCP connection state is tracked for identifying the context.

    Enable TCP Strict

    TCP strict determines whether to drop an established TCP connection when the firewall does not see the initial three-way handshake. If set to true, the connection is dropped.

    Enable Stateless Firewall

    Enable stateless firewall for the firewall section.

  8. Click OK and then click Publish Changes.

What to do next

Add rules to the section. See Add a Firewall Rule.