You use the edge gateway's Firewall screen in the tenant portal to add firewall rules for that edge gateway. You can add multiple NSX edge interfaces and multiple IP address groups as the source and destination for these firewall rules.

About this task

Specifying internal for a rule's source or destination indicates traffic for all subnets on the portgroups connected to the NSX edge gateway. If you select internal as the source, the rule is automatically updated when additional internal interfaces are configured on the NSX edge gateway.

Note:

Edge gateway firewall rules on internal interfaces do not work when the edge gateway is configured for dynamic routing.

Prerequisites

To work with firewall rules for an edge gateway in the vCloud Director tenant portal, the edge gateway must already have been converted to an advanced edge gateway using the Convert to Advanced Gateway action. You can perform this action from the tenant portal or from the vCloud Director Web console. For instructions on converting the edge gateway in the tenant portal, see Convert an Edge Gateway to an Advanced Edge Gateway.

See the vCloud Director Administrator's Guide for details on converting the edge gateway via the vCloud Director web console.

Procedure

  1. Launch Edge Gateway Services by completing the following steps.
    1. Click Network > Edge Gateway.
    2. Select the edge gateway to edit, and click Configure Services.

      The tenant portal opens Edge Gateway Services.

  2. If the Firewall Rules screen is not already visible, click the Firewall tab.
  3. To add a rule below an existing rule in the firewall rules table, click in the existing row and then click the + icon.

    A row for the new rule is added below the selected rule and is assigned any destination, any service, and the Allow action by default. When the system-defined default rule is the only rule in the firewall table, the new rule is added above the default rule.

  4. Click in the Name cell and type in a name.
  5. Click in the Source cell and use the now visible icons to select a source to add to the rule:

    Option: Click the IP icon
    Type the source value you want to use. Valid values are an IP address, CIDR, an IP range, or the keyword any. The edge gateway firewall supports both IPv4 and IPv6 formats.

    Option: Click the + icon
    Use the + icon to specify the source as an object other than a specific IP address:

    • Use the Select objects window to add objects that match your selections and click Keep to add them to the rule.

    • To exclude a source from the rule, add it to this rule using the Select objects window and then select the toggle exclusion icon to exclude that source from this rule.

    When the toggle exclusion is selected on the source, the rule is applied to traffic coming from all sources except for the source you excluded. When the toggle exclusion is not selected, the rule applies to traffic coming from the source you specified in the Select objects window.

  6. Click in the Destination cell and perform one of the following options:

    Option: Click the IP icon
    Type the destination value you want to use. Valid values are an IP address, CIDR, an IP range, or the keyword any. The edge gateway firewall supports both IPv4 and IPv6 formats.

    Option: Click the + icon
    Use the + icon to specify the destination as an object other than a specific IP address:

    • Use the Select objects window to add objects that match your selections and click Keep to add them to the rule.

    • To exclude a destination from the rule, add it to this rule using the Select objects window and then select the toggle exclusion icon to exclude that destination from this rule.

    When the toggle exclusion is selected on the destination, the rule is applied to traffic going to all destinations except for the destination you excluded. When the toggle exclusion is not selected, the rule applies to traffic going to the destination you specified in the Select objects window.

  7. Click in the Service cell of the new rule and click the + icon to specify the service as a port-protocol combination:
    1. Select the service protocol.
    2. Type the port numbers for the source and destination ports, or specify any.
    3. Click Keep.
  8. In the Action cell of the new rule, configure the action for the rule.

    Option: Accept
    Allows traffic from or to the specified sources, destinations, and services.

    Option: Deny
    Blocks traffic from or to the specified sources, destinations, and services.

  9. Click Save changes.

    The save operation can take a minute to complete.
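As an added illustration that is not part of this documentation and not vCloud Director or NSX code, the following Python models the rule semantics described in the procedure: the values the Source and Destination IP cells accept, the Source cell's toggle exclusion, and the effect of rule order, which is assumed here to be top-down first match with the system-defined default rule last. All rule names and addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass

def parse_endpoint(value):
    """Parse an IP cell value: IP address, CIDR, range 'a-b', or the keyword any."""
    value = value.strip()
    if value.lower() == "any":
        return ("any",)
    if "-" in value:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in value.split("-", 1))
        if lo.version != hi.version or lo > hi:
            raise ValueError(f"invalid IP range: {value}")
        return ("range", lo, hi)
    return ("net", ipaddress.ip_network(value, strict=False))

def contains(endpoint, ip):
    ip = ipaddress.ip_address(ip)
    if endpoint[0] == "any":
        return True
    if endpoint[0] == "range":
        return ip.version == endpoint[1].version and endpoint[1] <= ip <= endpoint[2]
    return ip in endpoint[1]  # ipaddress returns False across IP versions

@dataclass
class Rule:
    name: str
    source: str = "any"
    destination: str = "any"
    protocol: str = "any"         # service protocol, e.g. "tcp"
    dst_port: str = "any"         # service destination port
    action: str = "Accept"        # Accept or Deny
    exclude_source: bool = False  # the Source cell's "toggle exclusion" icon
    def hit(self, src, dst, proto, port):
        src_ok = contains(parse_endpoint(self.source), src)
        if self.exclude_source:   # rule applies to all sources except the one listed
            src_ok = not src_ok
        return (src_ok and contains(parse_endpoint(self.destination), dst)
                and self.protocol in ("any", proto)
                and (self.dst_port == "any" or int(self.dst_port) == port))

def evaluate(rules, src, dst, proto, port):
    """Top-down, first-match evaluation (assumed NSX edge behaviour); the default rule sits last."""
    for rule in rules:
        if rule.hit(src, dst, proto, port):
            return rule.name, rule.action
    raise RuntimeError("no system-defined default rule at the bottom of the table")

# Constructed table: HTTPS to a web server from everyone except one subnet, then default Deny.
TABLE = [Rule("web-in", source="198.51.100.0/24", exclude_source=True, destination="10.10.0.5",
              protocol="tcp", dst_port="443"), Rule("default rule for ingress traffic", action="Deny")]
```

Reordering the two rules, or clearing exclude_source, changes which rule matches first; running such a model against the intended table before clicking Save changes is a cheap check that the exclusion toggle and row order express what you meant.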