You can add an NSX Edge firewall rule for traffic flowing from or to an NSX Edge interface or IP address group.

You can add multiple NSX Edge interfaces and/or IP address groups as the source and destination for firewall rules.

Example: a firewall rule for traffic flowing from a single NSX Edge interface to an HTTP server (figure not reproduced here).

Example: a firewall rule for traffic flowing from all internal interfaces (the subnets on port groups connected to internal interfaces) of an NSX Edge to an HTTP server (figure not reproduced here).

Note

If you select internal as the source, the rule is automatically updated when you configure additional internal interfaces.

Example: a firewall rule allowing SSH to a machine on the internal network (figure not reproduced here).

1. Log in to the vSphere Web Client.

2. Click Networking & Security and then click NSX Edges.

3. Double-click an NSX Edge.

4. Click the Manage tab and then click the Firewall tab.

5. Do one of the following.

Option: To add a rule at a specific place in the firewall table

a. Select a rule.

b. In the No. column, click the Edit icon and select Add Above or Add Below.

A new any/any allow rule is added above or below the selected rule, as chosen. If the system-defined rule is the only rule in the firewall table, the new rule is added above the default rule.

Option: To add a rule by copying a rule

a. Select a rule.

b. Click the Copy icon.

c. Select the rule next to which the copy should be placed.

d. In the No. column, click the Edit icon and select Paste Above or Paste Below.

Option: To add a rule anywhere in the firewall table

a. Click the Add icon.

A new any/any allow rule is added below the selected rule. If the system-defined rule is the only rule in the firewall table, the new rule is added above the default rule.

The new rule is enabled by default. Because it is an any/any allow rule and already enabled, it becomes a permit-all positioned above the default rule as soon as it is published; set its name, source, destination, service and action (steps 6 to 11) before you click Publish Changes.

6. Point to the Name cell of the new rule and click the Edit icon.

7. Type a name for the new rule.

8. Point to the Source cell of the new rule and click the Edit icon or the IP address icon.

If you clicked the IP address icon, type an IP address.

If you clicked the Edit icon:

a. Select an object from the drop-down and then make the appropriate selections.

If you select vNIC Group and then select vse, the rule applies to traffic generated by the NSX Edge itself. If you select internal or external, the rule applies to traffic coming from any internal or uplink interface of the selected NSX Edge instance. Because the rule references the interface group rather than the addresses behind it, it is automatically updated when you configure additional interfaces.

If you select IP Sets, you can create a new IP address group. Once you create the new group, it is automatically added to the Source column. For information on creating an IP Set, see Create an IP Address Group.

b. Click OK.

9. Point to the Destination cell of the new rule and click the Edit icon or the IP address icon.

If you clicked the IP address icon, type an IP address.

If you clicked the Edit icon:

a. Select an object from the drop-down and then make the appropriate selections.

If you select vNIC Group and then select vse, the rule applies to traffic addressed to the NSX Edge itself. If you select internal or external, the rule applies to traffic going to any internal or uplink interface of the selected NSX Edge instance. The rule is automatically updated when you configure additional interfaces.

If you select IP Sets, you can create a new IP address group. Once you create the new group, it is automatically added to the Destination column. For information on creating an IP Set, see Create an IP Address Group.

b. Click OK.

10. Point to the Service cell of the new rule and click the Edit icon or the IP address icon.

If you clicked the Edit icon, select a service. To create a new service or service group, click New. Once you create the new service, it is automatically added to the Service column. For more information on creating a new service, see Create a Service.

If you clicked the IP address icon, select a protocol. You can specify the source port by clicking the arrow next to Advanced options. VMware recommends that you avoid specifying the source port from release 5.1 onwards; instead, create a service for the protocol-port combination.

Note

NSX Edge only supports services defined with L3 protocols.

11. Point to the Action cell of the new rule and click the Edit icon.

a. Click Allow or Deny to permit or block traffic between the specified source and destination.

b. Click Log to log all sessions matching this rule. Enabling logging can affect performance.

c. Type comments if required.

d. Click the expand arrow next to Advanced options.

e. To apply the rule to the translated IP address and services for a NAT rule, select Translated IP for Match on.

f. Click Enable Rule Direction and select Incoming or Outgoing. VMware does not recommend specifying the direction for firewall rules.

g. Click OK.

12. Click Publish Changes to push the new rule to the NSX Edge instance.

Disable a rule by clicking the Disable icon next to the rule number in the No. column.

Display additional columns in the rule table by clicking the Select Columns icon and selecting the appropriate columns.

Column Name: Information Displayed

Rule Tag: Unique system-generated ID for each rule

Log: Whether traffic matching this rule is being logged

Stats: Clicking the Stats icon shows the traffic affected by this rule (number of sessions, packets, and size)

Comments: Comments for the rule

Search for rules by typing text in the Search field.