You can add firewall rules to a tier-0 or tier-1 logical router to control communication into the router.

Edge fire-walling is implemented on uplink router ports, meaning that firewall rules will be applicable only if traffic hits uplink router ports on edge. To apply firewall rules to particular IP destination, you must configure groups with /32 network. If you provide a subnet other than /32, firewall rules will be applied to the complete subnet.

Prerequisites

Procedure

  1. With admin privileges, log in to NSX Manager.
  2. Locate the router in Networking > Tier-0 Logical Routers or Networking > Tier-1 Logical Routers.
  3. Click the name of the logical router.
  4. Select Services > Edge Firewall.
  5. Click an existing section or rule.
  6. To add a rule, click Add Rule on the menu bar and select Add Rule Above or Add Rule Below, or click the menu icon in the first column of a rule and select Add Rule Above or Add Rule Below, and specify the rule parameters.
    The Applied To field is not shown because this rule applies only to the logical router.
  7. To delete a rule, select the rule, click Delete on the menu bar or click the menu icon in the first column and select Delete.

Results

Note: If you add a firewall rule to a tier-0 logical router and the NSX Edge cluster backing the router is running in active-active mode, the firewall can only run in stateless mode. If you configure the firewall rule with stateful services such as HTTP, SSL, TCP, and so on, the firewall rule will not work as expected. To avoid this issue, configure the NSX Edge cluster to run in active-standby mode.