Each firewall rule section is edited and saved independently, so sections can be used to apply separate firewall configuration to different tenants.

Prerequisites

Verify that Manager mode is selected in the NSX Manager user interface. See NSX Manager. If you do not see the Policy and Manager mode buttons, see Configure the User Interface Settings.

Procedure

  1. Select Security > Distributed Firewall.
  2. Click the General tab for layer 3 (L3) rules or the Ethernet tab for layer 2 (L2) rules.
  3. Click an existing section or rule.
  4. Click the section icon on the menu bar and select Add Section Above or Add Section Below.
    Note: For any traffic attempting to pass through the firewall, the packet information is subjected to the rules in the order shown in the Rules table, beginning at the top and proceeding to the default rules at the bottom. In some cases, the order of precedence of two or more rules might be important in determining the disposition of a packet.
  5. Enter the section name.
    Note: By default, firewall rule sections (and their rules) are configured as stateful. In a stateful firewall, a cache is created and maintained for traffic flows that match a firewall rule in which the action is ALLOW. After the first packet of a new flow has been validated against the firewall ruleset, subsequent network packets belonging to that flow no longer need to be checked. This will result in lower flow latency and better overall firewall performance under heavier traffic loads. Stateful firewalls are also better at identifying unauthorized or forged network traffic.

    For some applications, a stateless firewall may be required. In a stateless firewall, every packet of a flow is validated against the ruleset, and no cache is maintained for stateless flows. To configure a firewall rule section so that it contains only stateless rules, see step 6; otherwise, continue with step 7.

  6. (Optional) To make the section stateless, select Enable Stateless Firewall. This option applies to L3 sections only.
    A section cannot be switched between stateful and stateless after it has been created.
  7. Select one or more objects to which the section applies.
    The supported object types are logical ports, logical switches, and NSGroups. If you select an NSGroup, it must contain one or more logical switches or logical ports. An NSGroup that contains only IP sets or MAC sets is ignored.
    Note: If both the section and the rules within it have Applied To set to an NSGroup, the section's Applied To overrides the Applied To settings of the rules in that section, because the section-level Applied To takes precedence over the rule-level Applied To.
  8. Click OK.
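The constraints in steps 6 and 7 are easy to get wrong when sections are created in bulk, so the following added example (not NSX-T code or its API; the class and function names are assumptions) models a section and checks it against the documented rules: stateless is L3 only, an NSGroup with only IP sets or MAC sets is ignored, and a section-level Applied To overrides the rule-level one.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Member types that make an NSGroup usable as an Applied To target.
USABLE_MEMBER_TYPES = {"LogicalSwitch", "LogicalPort"}


@dataclass
class NSGroup:
    name: str
    member_types: List[str]  # e.g. "LogicalSwitch", "LogicalPort", "IPSet", "MACSet"


@dataclass
class Rule:
    name: str
    applied_to: Optional[NSGroup] = None


@dataclass
class Section:
    name: str
    layer: str                      # "L3" (General tab) or "L2" (Ethernet tab)
    stateful: bool = True           # sections are stateful by default
    applied_to: Optional[NSGroup] = None
    rules: List[Rule] = field(default_factory=list)


def nsgroup_is_usable(group: NSGroup) -> bool:
    """An NSGroup counts only if it holds at least one logical switch or port."""
    return any(m in USABLE_MEMBER_TYPES for m in group.member_types)


def validate_section(section: Section) -> List[str]:
    """Return the list of documented constraints the section violates."""
    errors = []
    if not section.stateful and section.layer != "L3":
        errors.append("stateless sections are L3 only")
    if section.applied_to is not None and not nsgroup_is_usable(section.applied_to):
        errors.append(f"NSGroup {section.applied_to.name} has no logical switches "
                      "or logical ports and will be ignored")
    return errors


def effective_applied_to(section: Section, rule: Rule) -> Optional[str]:
    """Section-level Applied To takes precedence over the rule-level setting."""
    if section.applied_to is not None:
        return section.applied_to.name
    return rule.applied_to.name if rule.applied_to is not None else None
```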

What to do next

Add firewall rules to the section.