You add firewall rules at the global scope and can then narrow the scope (datacenter, cluster, distributed virtual port group, network, virtual machine, vNIC, or virtual wire) at which the rule is applied. Firewall lets you add multiple objects at the source and destination levels of each rule, which reduces the total number of firewall rules you need to add.

If you are adding an identity-based firewall rule, ensure that:

One or more domains have been registered with NSX Manager. NSX Manager gets group and user information as well as the relationship between them from each domain that it is registered with. See Register a Windows Domain with NSX Manager.

A security group based on Active Directory objects has been created which can be used as the source or destination of the rule. See Create a Security Group.

1. Log in to the vSphere Web Client.

2. Click Networking & Security and then click Firewall.

3. Ensure that you are in the General tab to add an L3 rule. Click the Ethernet tab to add an L2 rule.

4. In the section where you want to add a rule, click the Add rule icon.

A new any/any allow rule is added at the top of the section. If the system-defined default rule is the only rule in the section, the new rule is added above the default rule.

To add a rule at a specific place in a section, select a rule, click the edit icon in the No. column, and select Add Above or Add Below.

5. Point to the Name cell of the new rule and click the edit icon.

6. Type a name for the new rule.

7. Point to the Source cell of the new rule and choose one of the following options.

Click IP: To specify the source as an IP address.

a. Select the IP address format. Firewall supports both IPv4 and IPv6 formats.

b. Type the IP address.

Click the edit icon: To specify the source as an object other than a specific IP address.

a. In View, select the container from which the communication originates. Objects for the selected container are displayed.

b. Select one or more objects and click the add icon. You can also create a new security group or IPSet here; once you create the new object, it is added to the Source column by default. For information on creating a new security group or IPSet, see Grouping Objects.

c. To specify a source port, click Advanced options and type the port number or range.

d. Select Negate Source to exclude the specified source from the rule. If Negate Source is selected, the rule applies to traffic coming from all sources except the source you specified in the previous steps. If Negate Source is not selected, the rule applies only to traffic coming from the source you specified.

e. Click OK.

8. Point to the Destination cell of the new rule and choose one of the following options.

Click IP: To specify the destination as an IP address.

a. Select the IP address format. Firewall supports both IPv4 and IPv6 formats.

b. Type the IP address.

Click the edit icon: To specify the destination as an object other than a specific IP address.

a. In View, select the container that the communication is targeting. Objects for the selected container are displayed.

b. Select one or more objects and click the add icon. You can also create a new security group or IPSet here; once you create the new object, it is added to the Destination column by default. For information on creating a new security group or IPSet, see Grouping Objects.

c. To specify a destination port, click Advanced options and type the port number or range.

d. Select Negate Destination to exclude the specified destination from the rule. If Negate Destination is selected, the rule applies to traffic going to all destinations except the destination you specified in the previous steps. If Negate Destination is not selected, the rule applies only to traffic going to the destination you specified.

e. Click OK.

9. Point to the Service cell of the new rule and choose one of the following options.

Click port: To specify the service as a protocol and port combination.

a. Select the service protocol. Distributed Firewall supports ALG (Application Level Gateway) for the following protocols: FTP, CIFS, ORACLE TNS, MS-RPC, and SUN-RPC.

b. Type the port number and click OK.

Click the edit icon: To select a pre-defined service or service group, or to define a new one.

a. Select one or more objects and click the add icon. You can also create a new service or service group here; once you create the new object, it is added to the Service column by default.

b. Click OK.

To protect your network from ACK or SYN floods, you can set Service to TCP-all_ports or UDP-all_ports and set Action to Block for the default rule, so that any traffic not explicitly allowed by a higher rule is dropped. For information on modifying the default rule, see Edit the Default Distributed Firewall Rule.

10. Point to the Action cell of the new rule and click the edit icon.

a. Click Block to block traffic between the specified source and destination.

b. Click Log to log all sessions matching this rule. Enabling logging can affect performance.

c. Type comments if required.

d. Click OK.

11. To define the scope at which this rule is applicable, click the select columns icon and select Applied To.

a. Point to the Applied To cell of the new rule and click the edit icon.

b. In View, select a container. The containers you can select in this field are: datacenter, cluster, distributed virtual port group, network, virtual machine, vNIC, and virtual wire.

c. Select one or more objects and click the add icon.

d. Click OK.

If the rule contains virtual machines or vNICs in the Source and Destination fields, you must add both the source and the destination virtual machines or vNICs to Applied To for the rule to work correctly. The rule is enforced only at the vNICs it is applied to; a vNIC that is left out falls through to the rules that are applied to it, including the default rule.

12. Click Publish Changes to push the new rule.

After the rule is published, you can disable it by clicking the disable icon or enable it by clicking the enable rule icon.
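The following is an added example, not part of the original documentation, that models how the rule you built in steps 7 through 11 is evaluated. It reflects the behaviour the procedure describes: Distributed Firewall enforces rules per vNIC, a rule is present at a vNIC only if that vNIC is covered by Applied To, each vNIC's rule list is evaluated top down with first match winning, and the default rule is always last. Negate Source and Negate Destination invert the source or destination match as described in steps 7d and 8d. The VM names, rule names and flows are constructed for illustration; the default rule is assumed to have been set to Block as suggested in step 9. The model checks only the packet that opens a connection; the real firewall is stateful and permits return traffic of an allowed session on its own.

```python
"""Model of Distributed Firewall rule evaluation at each vNIC.

Constructed example: VM names, rules and flows are made up for illustration.
Each VM is treated as having one vNIC, named after the VM.
"""
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple

ANY = "any"


@dataclass
class Rule:
    name: str
    action: str                                   # "allow" or "block"
    sources: Set[str] = field(default_factory=lambda: {ANY})
    destinations: Set[str] = field(default_factory=lambda: {ANY})
    service: Tuple[str, object] = (ANY, ANY)      # (protocol, destination port)
    negate_source: bool = False                   # the GUI's "Negate Source"
    negate_destination: bool = False              # the GUI's "Negate Destination"
    applied_to: Set[str] = field(default_factory=lambda: {ANY})  # vNICs the rule is pushed to
    log: bool = False

    @staticmethod
    def _hit(selector: Set[str], value: str, negate: bool) -> bool:
        hit = ANY in selector or value in selector
        return (not hit) if negate else hit         # Negate: match everything except the selection

    def matches(self, src: str, dst: str, proto: str, dport) -> bool:
        if not self._hit(self.sources, src, self.negate_source):
            return False
        if not self._hit(self.destinations, dst, self.negate_destination):
            return False
        r_proto, r_port = self.service
        if r_proto != ANY and r_proto != proto:
            return False
        if r_port != ANY and r_port != dport:
            return False
        return True


def filter_for_vnic(rules, default_rule: Rule, vnic: str):
    """Rules present at this vNIC: those whose Applied To covers it, then the default rule."""
    return [r for r in rules if ANY in r.applied_to or vnic in r.applied_to] + [default_rule]


def first_match(filter_rules, src, dst, proto, dport) -> Rule:
    for rule in filter_rules:                     # top-down, first match wins
        if rule.matches(src, dst, proto, dport):
            return rule
    raise AssertionError("the default rule must match every flow")


def evaluate(rules, default_rule: Rule, src: str, dst: str, proto: str, dport) -> Dict[str, str]:
    """A flow is checked at the source vNIC (egress) and the destination vNIC (ingress)."""
    egress = first_match(filter_for_vnic(rules, default_rule, src), src, dst, proto, dport)
    ingress = first_match(filter_for_vnic(rules, default_rule, dst), src, dst, proto, dport)
    verdict = "allow" if egress.action == ingress.action == "allow" else "block"
    return {"egress": egress.name, "ingress": ingress.name, "verdict": verdict}


DEFAULT_BLOCK = Rule("Default Rule", "block")      # default rule changed to Block (constructed)


def applied_to_demo(applied_to) -> Dict[str, str]:
    """Allow web -> db on TCP/3306, but only push the rule to the vNICs in applied_to."""
    rules = [Rule("web-to-db", "allow", sources={"web"}, destinations={"db"},
                  service=("tcp", 3306), applied_to=set(applied_to), log=True)]
    return evaluate(rules, DEFAULT_BLOCK, "web", "db", "tcp", 3306)


def negate_demo(src: str) -> Dict[str, str]:
    """Negate Source: block traffic to db from every source except web, then allow web."""
    rules = [
        Rule("deny-all-but-web-to-db", "block", sources={"web"}, negate_source=True,
             destinations={"db"}),
        Rule("web-to-db", "allow", sources={"web"}, destinations={"db"}, service=("tcp", 3306)),
    ]
    return evaluate(rules, DEFAULT_BLOCK, src, "db", "tcp", 3306)


if __name__ == "__main__":
    # Applied To contains only the source VM: allowed on egress, blocked by the default rule at db.
    print(applied_to_demo({"web"}))
    # Applied To contains both VMs: allowed at both vNICs.
    print(applied_to_demo({"web", "db"}))
    # Negate Source hits app (not in the selection) and leaves web alone.
    print(negate_demo("app"))
    print(negate_demo("web"))
```

Running the script shows the Applied To caveat from step 11 directly: with only the web VM in Applied To, the flow passes the web vNIC but is dropped by the default rule at the db vNIC, and adding both VMs is what makes the rule effective end to end. The negate demo shows why a Negate Source block rule is usually paired with an explicit allow for the excluded source placed below it.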

Display additional columns in the rule table by clicking the select columns icon and selecting the columns you want.

Column Name: Information Displayed

Rule ID: Unique, system-generated ID for each rule.

Log: Whether traffic matching this rule is being logged.

Stats: Clicking the stats icon shows the traffic that has matched this rule (packet count and size).

Comments: Comments entered for the rule.

Search for rules by typing text in the Search field.

Merge sections by clicking the Merge section icon and selecting Merge with above section or Merge with below section.