Before creating application firewall rules on the Tier-0 gateway firewall, manually add gateway firewall rules that allow the routing protocols (BGP, OSPF) and the failure detection protocol (BFD). Add these rules ahead of any application rules, so that routing peering and failure detection are not disrupted when application firewall rules are later changed.

Prerequisites

IPv4 and IPv6 addresses are supported.

To turn on the Gateway Firewall, select Security > Gateway Firewall > Settings, then click TURN ON for the Tier-1 or Tier-0 gateway firewall you want to activate.

Procedure

  1. With admin privileges, log in to NSX Manager.
  2. Select Security > Gateway Firewall.
  3. Select either the All Shared Rules or Gateway Specific Rules tab. Click Add Policy. See Gateway Firewall for more information on rule categories.
  4. Enter a Name for the new policy section.
  5. Click the gear icon to configure the following policy settings:
    Setting      Description
    TCP Strict   By default, the gateway firewall operates in strict TCP mode, which requires a complete three-way handshake before a TCP flow is accepted, so mid-flow packets with no matching session state are dropped. TCP Strict applies only to stateful TCP rules and is set at the gateway firewall policy level. It is not enforced for packets that match a default ANY-ANY Allow rule that has no TCP service specified.
    Stateful     By default, stateful is turned on. A stateful firewall tracks the state of active connections and uses that state to decide which packets to allow through.
    Locked       By default, locked is turned off. Lock the policy section to prevent multiple users from changing it at the same time. When locking a section, you must include a comment.
  6. Select a policy section and click Add Rule.
  7. Enter a name for the rule.
  8. In the Sources column, click the pencil icon and select either Groups or IP Addresses. For IP addresses you can enter an IP address, CIDR, or range of IP addresses. Groups with Active Directory members can be used for the source box of an IDFW rule. See Add a Group.
  9. In the Destinations column, click the pencil icon and select either Groups or IP Addresses. For IP addresses you can enter an IP address, CIDR, or range of IP addresses. If not defined, the destination matches any. See Add a Group.
  10. In the Services column, click the pencil icon and select services. The service matches any if not defined. See Add a Service.
  11. For Tier-1 gateways, in the Profiles column, click the pencil icon and select a context profile or an L7 Access Profile, or create new profiles. See Profiles. See Layer 7 Firewall Rule Workflow for design guidelines for context profiles.
    • A gateway firewall rule can contain either a context profile or an L7 access profile, but not both.
    • Gateway firewall rules do not support context profiles with attribute type Domain (FQDN) Name.
    • Only a single L7 Access profile can be used within a single gateway firewall rule.
  12. In 4.2.1 and later, for Tier-0 gateways, in the Profiles column, click the pencil icon and select an L7 Access Profile. See L7 Access Profiles. Context profiles are not supported on Tier-0 gateway firewall policy.
  13. Click Apply.
  14. Click the pencil icon for the Applied To column to change the scope of enforcement per rule. From the Applied To dialog box, click the Category drop-down menu to filter by object type such as interfaces, labels, and VTIs to select those specific objects.
    By default, gateway firewall rules are applied to all the available uplinks and service interfaces on a selected gateway.

    For URL filtering, Applied To can only be Tier-1 gateways.

  15. In the Action column, select an action.
    Option   Description
    Allow    Allows all traffic with the specified source, destination, and protocol to pass through the current firewall context. Packets that match the rule and are accepted traverse the system as if the firewall were not present. A rule that carries an L7 access profile must use the Allow action.
    Drop     Drops packets with the specified source, destination, and protocol. Dropping is silent: no notification is sent to the source or destination system, so the sender keeps retrying the connection until its retry threshold is reached.
    Reject   Rejects packets with the specified source, destination, and protocol. Rejecting a packet sends a destination unreachable message to the sender: a TCP RST for TCP, and an ICMP destination unreachable with the administratively prohibited code for UDP, ICMP, and other IP traffic. The sending application is notified after one attempt that the connection cannot be established.

  16. Click the status toggle button to activate or deactivate the rule.
  17. Click the gear icon to set logging, direction, IP protocol, and comments.
    Option       Description
    Logging      Logging can be turned on or off. Gateway firewall log entries include the gateway VRF (virtual routing and forwarding) and gateway interface information along with the flow details. The entries are written to the file firewallpkt.log in the /var/log directory.
    Direction    The options are In, Out, and In/Out; the default is In/Out. The direction is taken from the point of view of the destination object: In checks only traffic to the object, Out checks only traffic from the object, and In/Out checks traffic in both directions.
    IP Protocol  The options are IPv4, IPv6, and IPv4_IPv6. The default is IPv4_IPv6.
    Log Label    The log label is the name recorded in the log entries when logging is turned on. The maximum length is 39 characters.
    Comments     Add comments to the firewall rule.
    Note: Click the graph icon to view the flow statistics of the firewall rule, such as byte and packet counts and the number of sessions.
  18. Click Publish. Multiple rules can be added and then published together at one time.
  19. On each policy section, click the Info icon to view the current status of the gateway firewall rules pushed to the edge nodes. Any alarms raised while the rules were pushed to the edge nodes are also displayed.
  20. To view the consolidated status of the gateway firewall rules applied to the edge nodes, make the following API call:
    GET https://<policy-mgr>/policy/api/v1/infra/realized-state/status?intent_path=/infra/domains/default/gateway-policies/<GatewayPolicy_ID>&include_enforced_status=true
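The same procedure can be driven through the NSX Policy API instead of the UI, which is how most teams keep the "routing rules before application rules" ordering from the introduction enforceable rather than a convention. The script below is an added example and is not NSX code or part of this page: it builds a GatewayPolicy body in which the BGP, OSPF and BFD allow rules always receive the lowest sequence numbers, refuses a locked section without a comment (as the Locked setting requires), checks the ordering, and can PATCH the policy and build the realized-state query from step 20. The manager hostname, credentials, policy id, Tier-0 path, group path, and the OSPF and BFD service paths are assumptions; BGP is a predefined NSX service, but confirm every path against /policy/api/v1/infra/services on your own manager.

```python
"""Gateway Firewall policy with routing-protocol allow rules ahead of app rules (added example)."""
import base64
import json
import ssl
import urllib.request

# Policy paths of the services the routing rules allow. BGP is a predefined NSX
# service; the OSPF and BFD paths are ASSUMPTIONS. List /policy/api/v1/infra/services
# on your manager and substitute the real paths (or create the services) first.
ROUTING_SERVICES = {
    "bgp": "/infra/services/BGP",
    "ospf": "/infra/services/OSPF",
    "bfd": "/infra/services/BFD",
}
ROUTING_TAG = "routing-protocol"  # lets routing_rules_first() recognise these rules


def routing_rule(proto, service_path, tier0_path, seq):
    """ANY -> ANY Allow for one routing service, applied to the whole Tier-0 gateway."""
    return {
        "resource_type": "Rule",
        "id": f"allow-{proto}",
        "sequence_number": seq,
        "source_groups": ["ANY"],
        "destination_groups": ["ANY"],
        "services": [service_path],
        "scope": [tier0_path],  # Applied To: every uplink/service interface of the gateway
        "action": "ALLOW",
        "direction": "IN_OUT",
        "ip_protocol": "IPV4_IPV6",
        "logged": True,
        "tag": ROUTING_TAG,
    }


def build_gateway_policy(policy_id, tier0_path, app_rules, locked=False, comments=None):
    """GatewayPolicy body: routing rules first, then app rules, sequence numbers in steps of 10."""
    if locked and not comments:
        raise ValueError("a locked policy section requires a comment")
    rules, seq = [], 10
    for proto, path in ROUTING_SERVICES.items():
        rules.append(routing_rule(proto, path, tier0_path, seq))
        seq += 10
    for app in app_rules:
        rule = {"resource_type": "Rule", "direction": "IN_OUT",
                "ip_protocol": "IPV4_IPV6", "logged": False, "scope": [tier0_path]}
        rule.update(app)               # caller-supplied fields win over these defaults
        rule["sequence_number"] = seq  # renumbered so it can never sort before a routing rule
        seq += 10
        rules.append(rule)
    policy = {"resource_type": "GatewayPolicy", "id": policy_id, "display_name": policy_id,
              "category": "LocalGatewayRules", "stateful": True, "tcp_strict": True,
              "locked": locked, "rules": rules}
    if comments:
        policy["comments"] = comments
    return policy


def routing_rules_first(policy):
    """True when every routing-tagged rule sorts before every other rule by sequence_number."""
    seen_app = False
    for rule in sorted(policy["rules"], key=lambda r: r["sequence_number"]):
        if rule.get("tag") == ROUTING_TAG:
            if seen_app:
                return False
        else:
            seen_app = True
    return True


def realized_status_url(manager, policy_id):
    """The consolidated enforcement-status query from step 20 of the procedure."""
    return (f"https://{manager}/policy/api/v1/infra/realized-state/status"
            f"?intent_path=/infra/domains/default/gateway-policies/{policy_id}"
            f"&include_enforced_status=true")


def nsx_request(manager, user, password, method, path, body=None):
    """Basic-auth Policy API call. PATCH on an /infra path creates or updates the object."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(f"https://{manager}{path}", data=data, method=method)
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req, context=ssl.create_default_context()) as resp:
        return resp.status, resp.read().decode()


if __name__ == "__main__":
    # Constructed sample for an assumed Tier-0 "t0-edge" and an assumed group "web-servers".
    apps = [
        {"id": "allow-https-to-web", "source_groups": ["ANY"],
         "destination_groups": ["/infra/domains/default/groups/web-servers"],
         "services": ["/infra/services/HTTPS"], "action": "ALLOW", "logged": True},
        {"id": "drop-everything-else", "source_groups": ["ANY"], "destination_groups": ["ANY"],
         "services": ["ANY"], "action": "DROP", "logged": True},
    ]
    policy = build_gateway_policy("t0-edge-baseline", "/infra/tier-0s/t0-edge", apps)
    assert routing_rules_first(policy)
    print(json.dumps(policy, indent=2))
    # Push it, then poll realized_status_url(...) with GET (needs real credentials):
    # nsx_request("nsx-mgr.example.net", "admin", "secret", "PATCH",
    #             "/policy/api/v1/infra/domains/default/gateway-policies/t0-edge-baseline", policy)
```

Run routing_rules_first() against a policy fetched with GET before every publish from automation: if someone has inserted an application rule, or a drop rule, with a lower sequence number than the routing rules, the check fails and the change should not be pushed. Note that the HTTP call is executed only when you uncomment it; building and validating the body needs no manager.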