Prerequisites

To turn on the Gateway Firewall, select the Settings tab. Click TURN ON for the Tier-1 or Tier-0 gateway firewall you want to activate.

Procedure

  1. With admin privileges, log in to NSX Manager.
  2. Select Security > Gateway Firewall.
  3. Click Add Policy.
  4. Enter a Name for the new policy section.
  5. Select the policy Destination.
  6. Click the gear icon to configure the following policy settings:
    Setting      Description
    TCP Strict   By default, the gateway firewall operates in strict TCP mode. TCP Strict is only applied to stateful TCP rules, and is enabled at the gateway firewall policy level. TCP Strict is not enforced for packets that match a default ANY-ANY Allow rule which has no TCP service specified.
    Stateful     By default, stateful is turned on. A stateful firewall monitors the state of active connections, and uses this information to determine which packets to allow through the firewall.
    Locked       By default, locked is turned off. The policy can be locked to prevent multiple users from making changes to the same sections. When locking a section, you must include a comment.
  7. Click Publish.
    Multiple Policies can be added, and then published together at one time.
    The new policy is shown on the screen.
  8. Select a policy section and click Add Rule.
  9. Enter a name for the rule. IPv4 and IPv6 addresses are supported.
  10. In the Sources column, click the edit icon and select the source of the rule. Groups with Active Directory members can be used for the source box of an IDFW rule. See Add a Group.
  11. In the Destinations column, click the edit icon and select the destination of the rule. If not defined, the destination matches any. See Add a Group.
  12. In the Services column, click the pencil icon and select services. The service matches any if not defined. See Add a Service.
  13. For Tier-1 gateways, in the Profiles column, click the edit icon and select a context profile, or L7 Access Profile. Or, create new profiles. See Profiles.
    • A security rule can contain either a context profile or an L7 access profile, but not both.
    • Context profiles and L7 access profiles are not supported on tier-0 gateway firewall policy.
    • Gateway firewall rules do not support context profiles with attribute type Domain (FQDN) Name.
    • Gateway firewall rules support L7 access profiles with attribute type App ID, URL Category, Custom URL and URL Reputation. The attribute type App ID supports multiple sub attributes.
    Multiple App ID context profiles can be used in a firewall rule with services set to Any. Only a single L7 Access profile can be used within a single gateway firewall rule.
  14. Click Apply.
  15. Click the pencil icon for the Applied To column to change the scope of enforcement per rule. From the Applied To | New Rule dialog box, click the Categories drop-down menu to filter by object type such as interfaces, labels, and VTIs to select those specific objects.
    By default, gateway firewall rules are applied to all the available uplinks and service interfaces on a selected gateway.

    For URL filtering, Applied To can only be Tier-1 gateways.

  16. In the Action column, select an action.
    Option   Description
    Allow    Allows all traffic with the specified source, destination, and protocol to pass through the current firewall context. Packets that match the rule, and are accepted, traverse the system as if the firewall is not present. The rule action with an L7 access profile must be Allow.
    Drop     Drops packets with the specified source, destination, and protocol. Dropping a packet is a silent action with no notification to the source or destination systems. Dropping the packet causes the connection to be retried until the retry threshold is reached.
    Reject   Rejects packets with the specified source, destination, and protocol. Rejecting a packet sends a destination unreachable message to the sender. If the protocol is TCP, a TCP RST message is sent. ICMP messages with administratively prohibited code are sent for UDP, ICMP, and other IP connections. The sending application is notified after one attempt that the connection cannot be established.

  17. Click the status toggle button to activate or deactivate the rule.
  18. Click the gear icon to set logging, direction, IP protocol, and comments.
    Option        Description
    Logging       Logging can be turned on or off. Gateway firewall logs provide the gateway virtual routing and forwarding, and gateway interface information, along with flow details. Gateway firewall logs can be found in the file named firewallpkt.log in the /var/log directory.
    Direction     The options are In, Out, and In/Out. The default is In/Out. This field refers to the direction of traffic from the point of view of the destination object. In means that only traffic to the object is checked, Out means that only traffic from the object is checked, and In/Out means that traffic in both directions is checked.
    IP Protocol   The options are IPv4, IPv6, and IPv4_IPv6. The default is IPv4_IPv6.
    Note: Click the graph icon to view the flow statistics of the firewall rule. You can see information such as the byte, packet count, and sessions.
  19. Click Publish. Multiple rules can be added and then published together at one time.
  20. On each policy section, click the Info icon to view the current status of edge firewall rules that are pushed to edge nodes. Any alarms generated when rules were pushed to edge nodes are also displayed.
  21. To view consolidated status of policy rules that are applied to edge nodes, make the API call.
    GET https://<policy-mgr>/policy/api/v1/infra/realized-state/status?intent_path=/infra/domains/default/gateway-policies/<GatewayPolicy_ID>&include_enforced_status=true
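Steps 13 through 16 state several constraints that the UI enforces only at publish time (one profile type per rule, no profiles on tier-0, no FQDN context profiles on gateway rules, a single L7 access profile per rule, and Allow as the only action with an L7 access profile). The following pre-publish check is an added example, not NSX code or part of this documentation; the GatewayRule class and its fields are a hypothetical representation of a rule, not an NSX API object.

```python
"""Pre-publish lint for gateway firewall rule definitions (added example)."""
from dataclasses import dataclass, field

# Attribute types the procedure lists as supported for L7 access profiles on gateway rules.
L7_ATTRIBUTE_TYPES = {"App ID", "URL Category", "Custom URL", "URL Reputation"}
UNSUPPORTED_CONTEXT_ATTRIBUTE = "Domain (FQDN) Name"


@dataclass
class GatewayRule:
    """Hypothetical representation of one gateway firewall rule (not an NSX API object)."""
    name: str
    gateway_tier: str  # "tier-0" or "tier-1"
    action: str  # "Allow", "Drop" or "Reject"
    context_profiles: list = field(default_factory=list)  # attribute types
    l7_access_profiles: list = field(default_factory=list)  # attribute types


def lint_rule(rule: GatewayRule) -> list:
    """Return the constraints from the procedure that this rule violates."""
    problems = []
    has_profile = bool(rule.context_profiles or rule.l7_access_profiles)
    if rule.context_profiles and rule.l7_access_profiles:
        problems.append("a rule may carry a context profile or an L7 access profile, not both")
    if rule.gateway_tier == "tier-0" and has_profile:
        problems.append("profiles are not supported on tier-0 gateway firewall policy")
    if UNSUPPORTED_CONTEXT_ATTRIBUTE in rule.context_profiles:
        problems.append("gateway rules do not support Domain (FQDN) Name context profiles")
    if len(rule.l7_access_profiles) > 1:
        problems.append("only one L7 access profile is allowed per gateway firewall rule")
    for attr in rule.l7_access_profiles:
        if attr not in L7_ATTRIBUTE_TYPES:
            problems.append(f"unsupported L7 access profile attribute type: {attr}")
    if rule.l7_access_profiles and rule.action != "Allow":
        problems.append("the rule action with an L7 access profile must be Allow")
    return problems


def lint_policy(rules) -> dict:
    """Map each rule name to its list of violations; an empty list means publishable."""
    return {rule.name: lint_rule(rule) for rule in rules}


# Constructed sample policy for demonstration; lint_policy(SAMPLE_RULES) reports the violations.
SAMPLE_RULES = [
    GatewayRule("web-allow", "tier-1", "Allow", l7_access_profiles=["URL Category"]),
    GatewayRule("block-apps", "tier-1", "Drop", l7_access_profiles=["App ID"]),
    GatewayRule("t0-fqdn", "tier-0", "Allow", context_profiles=["Domain (FQDN) Name"]),
    GatewayRule("plain-allow", "tier-0", "Allow"),
]
```

Running the check before Publish surfaces the same violations the UI would reject, so a batch of rules can be validated together.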