If the edge gateway for your vCloud Director organization virtual datacenter has been converted to an advanced edge gateway, you can use the vCloud Director tenant portal to work with that edge gateway's firewall rules. If the edge gateway has not yet been converted to an advanced edge gateway, you can convert it from the Edge Gateway services.

Besides the requirement that the edge gateway be an advanced edge gateway, the firewall must also be enabled on that edge gateway before you can work with its firewall rules in the tenant portal.

As described in the NSX Administration Guide, firewall rules applied to an edge gateway router only protect traffic to and from the router. They do not protect traffic traveling between virtual machines within an organization virtual datacenter.

Rules created on the distributed firewall screen that have an advanced edge gateway specified in their Applied To column are not displayed in the Firewall screen for that advanced edge gateway.

The edge gateway firewall rules that are displayed in the tenant portal's Firewall screen for an edge gateway are enforced in the following order:

  1. Internal rules, also known as auto-plumbed rules. These internal rules enable control traffic to flow for edge gateway services.

  2. User-defined rules.

  3. Default rule.

The default rule's settings apply to traffic that does not match any of the user-defined firewall rules. The default rule is displayed at the bottom of the rules on the Firewall screen.
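As an added illustration (not VMware code), the following Python models the three-tier, first-match evaluation order described above, together with the scope limit from the NSX note: traffic that stays between VMs on an organization VDC network never reaches the edge, so no edge rule is evaluated for it. The rule sets, network and addresses are constructed; the real internal rules are generated by the edge services.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Rule:
    name: str
    action: str                  # "accept" or "deny"
    src: str = "any"             # CIDR or "any"
    dst: str = "any"
    proto: str = "any"           # "tcp", "udp", "icmp" or "any"
    dport: Optional[int] = None  # None matches any destination port

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: Optional[int] = None

def _in(spec: str, addr: str) -> bool:
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)

def matches(rule: Rule, pkt: Packet) -> bool:
    return (_in(rule.src, pkt.src) and _in(rule.dst, pkt.dst)
            and rule.proto in ("any", pkt.proto)
            and rule.dport in (None, pkt.dport))

# Constructed org VDC network: VM-to-VM traffic that stays on it is east-west
# and never transits the edge, so edge firewall rules do not apply to it.
ORG_VDC_NETS = ["10.10.0.0/24"]

def transits_edge(pkt: Packet) -> bool:
    """False when source and destination share an org VDC network."""
    return not any(_in(n, pkt.src) and _in(n, pkt.dst) for n in ORG_VDC_NETS)

def evaluate(internal, user, default_action, pkt):
    """First match wins, in the order the Firewall screen enforces:
    internal (auto-plumbed) rules, then user-defined rules, then the default
    rule, which has no match criteria and catches everything left over."""
    if not transits_edge(pkt):
        return ("not-evaluated", None, None)
    for tier, rules in (("internal", internal), ("user", user)):
        for r in rules:
            if matches(r, pkt):
                return (tier, r.name, r.action)
    return ("default", "default", default_action)

# Constructed sample rule sets; the internal rule is a placeholder only.
INTERNAL = [Rule("ctrl-udp-500", "accept", dst="203.0.113.1/32", proto="udp", dport=500)]
USER = [Rule("allow-web", "accept", dst="10.10.0.0/24", proto="tcp", dport=443),
        Rule("deny-all-udp", "deny", proto="udp")]
DEFAULT_ACTION = "deny"
```

Note that the user-defined "deny-all-udp" rule cannot block the internal UDP/500 control traffic, because internal rules are evaluated first.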

In the tenant portal, use the Enable toggle on the edge gateway's Firewall Rules screen to disable or enable an edge gateway's firewall.