After you convert existing firewall rules to the current format, you can reconfigure your Edge Gateways and vApp networks to enable normal operation and remove the limitations imposed by compatibility mode.

In earlier releases of vCloud Director, firewall rules specified the direction of packets subject to the rule. Beginning with this release, packet direction is derived from the source and destination IP addresses. In the Source or Destination IP address of a firewall rule, you can now use the keywords internal and external in addition to the any keyword or an IP address.

After an upgrade, all firewall services in Edge Gateways and vApp networks are running in compatibility mode, which preserves the operational semantics of their firewall rules. After you convert existing firewall rules to the current format, you can upgrade your networks to remove the limitations imposed by compatibility mode. See the vCloud Director Administrator's Guide for more about firewall rules.

1. Redeploy all Edge Gateways.

   Right-click each Edge Gateway and select Re-Deploy.

2. Redeploy all vApp networks.

   Right-click each vApp network and select Reset Network.

3. Convert all Edge Gateway firewall rules to the current format.

   You can click Convert Rules on the Firewall tab of the Gateway Services page to automatically convert the rules. You can also convert the rules manually.

   a. On the Firewall tab of the Gateway Services page, select the rule and click Edit.

   b. Clear the Match rule on translated IP checkbox.

   c. Wherever any is used to specify a Source or Destination IP address, use internal or external instead.

   d. If the rule is intended to provide destination NAT, change the Destination IP address from internal to external.

4. Convert all vApp network firewall rules to the current format.

   You can click Convert Rules on the Firewall tab of the Configure Services page of a vApp network to automatically convert the rules. You can also convert the rules manually.

   a. On the Firewall tab of the Configure Services page of a vApp network, select the rule and click Edit.

   b. Clear the Match rule on translated IP checkbox.

   c. Wherever any is used to specify a Source or Destination IP address, use internal or external instead.

   d. If the rule is intended to provide destination NAT, change the Destination IP address from internal to external.

5. Reconfigure all Edge Gateways to remove compatibility mode constraints.

   On the General tab of the Edge Gateway Properties page, select Enable multiple interface support.

6. Reconfigure all vApp networks to remove compatibility mode constraints.

   a. Click the My Cloud tab and click vApps in the left pane.

   b. Right-click a vApp and select Open.

   c. On the Networking tab, select Show networking details.

   d. Right-click the vApp network and select Configure Services.

   e. In the Firewall tab, select Match rules on original addresses only.
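
To check a rule inventory against the manual conversion criteria in steps 3 and 4 before removing compatibility mode, the following added example (not VMware code) flags rules that still need editing. The rule dictionaries and their field names (`name`, `source`, `destination`, `match_on_translated`, `dnat`) are hypothetical and constructed for illustration; they are not the vCloud Director API schema.

```python
"""Added example: flag firewall rules that still need manual conversion.

Field names are hypothetical (not the vCloud Director API schema) and the
sample rules are constructed for illustration.
"""


def conversion_findings(rule):
    """Return the outstanding manual-conversion steps for one rule."""
    findings = []
    # Sub-step b: "Match rule on translated IP" must be cleared.
    if rule.get("match_on_translated"):
        findings.append("clear 'Match rule on translated IP'")
    # Sub-step c: 'any' must be replaced with internal or external.
    for side in ("source", "destination"):
        if str(rule.get(side, "")).strip().lower() == "any":
            findings.append(f"replace 'any' in {side} with internal or external")
    # Sub-step d: a destination NAT rule must target external, not internal.
    dest = str(rule.get("destination", "")).strip().lower()
    if rule.get("dnat") and dest == "internal":
        findings.append("DNAT rule: change destination from internal to external")
    return findings


def audit(rules):
    """Map rule name -> findings, listing only rules that still need edits."""
    report = {}
    for rule in rules:
        findings = conversion_findings(rule)
        if findings:
            report[rule["name"]] = findings
    return report


# Constructed sample rules in a hypothetical inventory format.
SAMPLE_RULES = [
    {"name": "web-in", "source": "any", "destination": "internal",
     "match_on_translated": True, "dnat": True},
    {"name": "outbound", "source": "internal", "destination": "external",
     "match_on_translated": False, "dnat": False},
    {"name": "mgmt", "source": "192.0.2.10", "destination": "Any",
     "match_on_translated": False, "dnat": False},
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_RULES).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

An empty report means no rule in the inventory matches the manual conversion criteria from sub-steps b through d.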