You can add firewall rules to a tier-0 or tier-1 logical router to control communication into the router.
Edge fire-walling is implemented on uplink router ports, meaning that firewall rules will be applicable only if traffic hits uplink router ports on edge. To apply firewall rules to particular IP destination, you must configure groups with /32 network. If you provide a subnet other than /32, firewall rules will be applied to the complete subnet.
Prerequisites
-
Familiarize yourself with the parameters of a firewall rule. See Add a Firewall Rule in Manager Mode.
-
Verify that Manager mode is selected in the NSX Manager user interface. See NSX Manager. If you do not see the Policy and Manager mode buttons, see Configure the User Interface Settings.
Procedure
Results
Note: If you add a firewall rule to a tier-0 logical router and the
NSX Edge cluster backing the router is running in active-active mode, the firewall can only run in stateless mode. If you configure the firewall rule with stateful services such as HTTP, SSL, TCP, and so on, the firewall rule will not work as expected. To avoid this issue, configure the
NSX Edge cluster to run in active-standby mode.