This topic explains the default state of the Activate Default Distributed Firewall Rules toggle in the project under various scenarios.

In the following table, the term "base license" refers to either of the following two licenses:
  • NSX Networking for VMware Cloud Foundation
  • Solution License for VCF

For more information about how to turn on or turn off the default distributed firewall rules for a project, see Add an NSX Project.

Each entry below gives the scenario number, the scenario, the default state of the toggle, and notes.

Scenario 1
  Scenario: You are a new NSX customer and have applied a base license that entitles the system to only the NSX networking features.
  Default state of the toggle: Off
  Notes: This toggle is not editable because the currently applied license does not support the configuration of distributed firewall security rules.
  You need to apply the appropriate security license in the system, and then turn on this toggle to activate the default distributed firewall rules in the project.

Scenario 2
  Scenario: You are a new NSX customer. On day 0, you have applied a base license that entitles the system to NSX networking features. You have also applied an appropriate security license that entitles the system to distributed firewall security.
  Default state of the toggle: On
  Notes: The default distributed firewall rules are activated for the project.
  You can turn it off in the project if required.

Scenario 3
  Scenario: You are a new NSX customer. On day 0, you applied only the base license that entitles the system to only the NSX networking features. You have added some projects in the system, let us say, projects A and B.
  Later, during day 2 operations, you applied an appropriate security license that entitles the system to distributed firewall security.
  Now, you added user-defined distributed firewall rules in the existing projects A and B, and also created new projects in the system, let us say, projects C and D.
  Default state of the toggle:
    Off: for pre-existing projects in the system
    On: for new projects in the system
  Notes: In this scenario, the term "pre-existing projects" refers to projects that existed in the system before the security license was applied on day 2, that is, projects A and B. The term "new projects" refers to projects that are added in the system after the security license was applied on day 2, that is, projects C and D.
  For pre-existing projects A and B, the system behavior is as follows:
  This toggle is in the Off state by default. The user-defined DFW rules are effective in projects A and B. If you want to activate the default distributed firewall rules in these projects, open these projects in edit mode and turn on this toggle manually. However, when turned on, it might impact the behavior of east-west traffic in projects A and B.
  For new projects C and D, the system behavior is as follows:
  This toggle is in the On state by default. That is, for projects C and D, the default distributed firewall rules are activated by default. If required, you can turn it off so that only the user-defined distributed firewall rules are effective in these projects.

Scenario 4
  Scenario: You are an existing NSX customer with a legacy NSX license that entitles your system to full DFW access.
  After the legacy license expires, you applied a base license that entitles your system to NSX networking features, and also applied a security license that entitles your system to distributed firewall security.
  Default state of the toggle: On
  Notes: The default distributed firewall rules and user-defined distributed firewall rules continue to run in existing projects that you created before changing to the new license. There is no change in the system behavior.
  For all new projects that you add after changing the license, this toggle is turned on by default. You can optionally turn it off, if required.

Scenario 5
  Scenario: You are an existing NSX customer with a legacy NSX license that entitles your system to full DFW access. You have added two projects in the system, let us say, projects A and B.
  After the current legacy license expires, you have applied the base license that entitles your system to only the NSX networking features. The security license is not applied.
  Now, you have created two new projects in the system, let us say, projects C and D.
  Default state of the toggle:
    On: for pre-existing projects
    Off: for new projects
  Notes: In this scenario, the term "pre-existing projects" refers to projects that were added in the system when the legacy NSX license was valid, that is, projects A and B. The term "new projects" refers to projects that are added in the system after the base license was applied, that is, projects C and D.
  For pre-existing projects A and B, the system behavior is as follows:
  This toggle is in the On state by default. You can turn it off, if needed. However, this action is not reversible. That is, you cannot activate the default east-west (E-W) firewall rules again in projects A and B.
  The default distributed firewall rules and user-defined distributed firewall rules continue to run in projects A and B. However, you cannot edit these rules, nor can you add new distributed firewall rules. You can delete the existing user-defined firewall rules.
  To have full access to the distributed firewall rules, you need to apply an appropriate security license.
  For new projects C and D, the system behavior is as follows:
  This toggle is in the Off state by default. You cannot turn it on because the currently applied license does not entitle the system to the distributed firewall feature.

Scenario 6
  Scenario: You are a new NSX customer and your system has entered Evaluation mode, which is valid for 60 days.
  Default state of the toggle: Off
  Notes: During the evaluation period of a new NSX deployment, the system is entitled to only the networking features. The security features are not entitled.
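The rules in the table above can be replayed as event sequences: the toggle's default is fixed at project creation from the entitlement in force at that moment, a later license change does not flip existing projects, and turning the toggle On requires the security entitlement while turning it Off never does. The following is an added illustration written for this page; it is not VMware code and does not use any NSX API. The class and method names (NsxSystem, add_project, set_toggle, projects_without_default_rules) are hypothetical, and the project names A to D match the scenarios in the table. The audit method flags the scenario 3 case, where pre-existing projects keep the toggle Off after the security license is applied, so their east-west traffic is covered only by user-defined rules until an administrator turns the toggle on.

```python
"""Model of the Activate Default Distributed Firewall Rules toggle.

Added illustration only (not VMware code, not an NSX API): it encodes the
entitlement rules from the table so the scenarios can be replayed and
audited. All names here are hypothetical.
"""
from dataclasses import dataclass


@dataclass
class Project:
    name: str
    default_dfw_rules: bool  # the toggle; True means On


class NsxSystem:
    """Hypothetical in-memory model of one NSX deployment's license state."""

    def __init__(self, security_entitled: bool = False):
        # True while a security license, or a legacy full-DFW license, is
        # applied. A base license alone, or Evaluation mode, leaves it False.
        self.security_entitled = security_entitled
        self.projects: dict[str, Project] = {}

    def apply_security_license(self) -> None:
        self.security_entitled = True

    def revert_to_base_license(self) -> None:
        # Legacy license expired; only a base (networking) license is applied.
        self.security_entitled = False

    def add_project(self, name: str) -> Project:
        # The default is decided once, from the entitlement at creation time;
        # a later license change does not flip existing projects.
        project = Project(name, default_dfw_rules=self.security_entitled)
        self.projects[name] = project
        return project

    def set_toggle(self, name: str, on: bool) -> None:
        # Turning Off is always allowed; turning On needs the security
        # entitlement, so without it an Off is irreversible (scenario 5).
        if on and not self.security_entitled:
            raise PermissionError(f"{name}: license does not entitle DFW")
        self.projects[name].default_dfw_rules = on

    def projects_without_default_rules(self) -> list[str]:
        # Audit: projects that could have the default rules on but do not.
        if not self.security_entitled:
            return []
        return sorted(n for n, p in self.projects.items()
                      if not p.default_dfw_rules)


def scenario_3() -> dict[str, bool]:
    """Base license on day 0, security license on day 2."""
    system = NsxSystem()
    for name in ("A", "B"):
        system.add_project(name)
    system.apply_security_license()
    for name in ("C", "D"):
        system.add_project(name)
    return {n: p.default_dfw_rules for n, p in system.projects.items()}


def scenario_5() -> dict[str, object]:
    """Legacy full-DFW license expires; only the base license follows."""
    system = NsxSystem(security_entitled=True)
    for name in ("A", "B"):
        system.add_project(name)
    system.revert_to_base_license()
    for name in ("C", "D"):
        system.add_project(name)
    system.set_toggle("A", False)  # allowed ...
    try:
        system.set_toggle("A", True)  # ... but not reversible
        reversible = True
    except PermissionError:
        reversible = False
    return {"states": {n: p.default_dfw_rules for n, p in system.projects.items()},
            "reversible": reversible}


if __name__ == "__main__":
    print("scenario 3:", scenario_3())
    print("scenario 5:", scenario_5())
```

Running the module prints the per-project toggle states for scenarios 3 and 5; the audit method is the piece worth keeping, since after a day 2 security license it lists exactly the pre-existing projects that still need the toggle turned on manually.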

For information related to setting the Activate Default Distributed Firewall Rules toggle, see Add an NSX Project.