If the edge gateway for your vCloud Director organization virtual data center has been converted to an advanced edge gateway, you can use the vCloud Director tenant portal to work with the firewall rules of that edge gateway. If the edge gateway has not yet been converted to an advanced edge gateway, you can convert it from the Edge Gateway services.
In addition to the edge gateway being an advanced edge gateway, the firewall must also be enabled on that edge gateway before you can work with its firewall rules in the tenant portal.
As described in the NSX Administration Guide, firewall rules applied to an edge gateway router only protect traffic to and from the router. They do not protect traffic traveling between virtual machines within an organization virtual data center.
Rules created on the distributed firewall screen that have an advanced edge gateway specified in their Applied To column are not displayed in the Firewall screen for that advanced edge gateway.
The edge gateway firewall rules for an edge gateway are displayed in the Firewall screen of the tenant portal and are enforced in the following order:
1. Internal rules, also known as auto-plumbed rules. These internal rules enable control traffic to flow for edge gateway services.
2. User-defined rules, which are the rules you create on the Firewall screen.
3. The default rule. Its settings apply to traffic that does not match any of the user-defined firewall rules. The default rule is displayed at the bottom of the rules on the Firewall screen.
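The three-tier enforcement order above, modelled as an added example (this is illustrative code written for this page, not VMware's implementation or API). It assumes first-match evaluation within each tier, matching on source network, destination network and destination port, and uses constructed sample addresses; it shows that an auto-plumbed rule is consulted before a user-defined deny, and that traffic matching no user-defined rule falls through to the default rule.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Assumed matching model (not from the page): first match wins, top to bottom,
# on source network, destination network and destination port.
@dataclass
class Rule:
    name: str
    action: str                   # "accept" or "deny"
    src: str = "0.0.0.0/0"        # any source
    dst: str = "0.0.0.0/0"        # any destination
    dport: Optional[int] = None   # None matches any destination port

    def matches(self, src_ip: str, dst_ip: str, dport: int) -> bool:
        return (ip_address(src_ip) in ip_network(self.src)
                and ip_address(dst_ip) in ip_network(self.dst)
                and (self.dport is None or self.dport == dport))

@dataclass
class EdgeFirewall:
    internal_rules: List[Rule]    # tier 1: auto-plumbed rules, evaluated first
    user_rules: List[Rule]        # tier 2: rules created on the Firewall screen
    default_action: str = "deny"  # tier 3: the default rule at the bottom

    def evaluate(self, src_ip: str, dst_ip: str, dport: int) -> Tuple[str, str]:
        """Return (action, name of the rule that decided it)."""
        for rule in self.internal_rules + self.user_rules:
            if rule.matches(src_ip, dst_ip, dport):
                return rule.action, rule.name
        # Nothing in tiers 1 or 2 matched: the default rule decides.
        return self.default_action, "default rule"

# Constructed sample configuration: 192.0.2.1 stands in for the edge interface
# whose service control traffic the auto-plumbed rule permits.
FW = EdgeFirewall(
    internal_rules=[Rule("auto-plumbed: edge control traffic", "accept", src="192.0.2.1/32")],
    user_rules=[
        Rule("allow web to app", "accept", src="203.0.113.0/24", dst="192.0.2.10/32", dport=443),
        Rule("deny all to vdc", "deny", dst="192.0.2.0/24"),
    ],
    default_action="deny",
)

if __name__ == "__main__":
    for pkt in [("203.0.113.5", "192.0.2.10", 443), ("192.0.2.1", "192.0.2.50", 53),
                ("198.51.100.7", "192.0.2.10", 443), ("198.51.100.7", "10.10.10.10", 22)]:
        print(pkt, "->", FW.evaluate(*pkt))
```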
In the tenant portal, use the Enable toggle on the Firewall Rules screen of the edge gateway to disable or enable an edge gateway firewall.