The Firewall tab of the Edge Gateway Services UI shows the rules created on the centralized Firewall tab in read-only mode. Rules that you add here are not shown on the centralized Firewall tab. You can use multiple edge gateway interfaces and IP address groups as the source and destination of a firewall rule.

When you select vNIC Group and vse as an object for a source or destination, the rule applies to traffic generated by the edge gateway itself. When you select internal or external, the rule applies to traffic arriving on any internal or uplink interface of the selected edge gateway instance.

Note

Edge gateway firewall rules on internal interfaces do not work when you configure dynamic routing for the edge gateway.

1 Log in to vCloud Air and navigate to the vCloud Edge Gateway Services UI.

See Log In and Navigate to Advanced Networking Services for information.

2 Click the Firewall tab.

3 Perform one of the following actions. The table is evaluated from the top down and the first matching rule decides, so where a new rule lands matters.

To add a rule at a specific place in the firewall table:

a Select a rule.

b In the No. column, click the edit icon and select Add Above or Add Below.

A new any-any allow rule is added above or below the selected rule, as chosen. When the system-defined default rule is the only rule in the firewall table, the new rule is added above the default rule.

To add a rule by copying a rule:

a Select the rule to copy.

b Click the Copy icon.

c Select the rule next to which the copy should be placed.

d In the No. column, click the edit icon and select Paste Above or Paste Below.

To add a rule anywhere in the firewall table:

a Click the Add icon.

A new any-any allow rule is added below the selected rule. When the system-defined default rule is the only rule in the firewall table, the new rule is added above the default rule.

The new rule is enabled by default. Because it is an allow rule that matches all traffic, narrow its source, destination, and service in the following steps before you publish.

4 Point to the Name cell of the new rule and click the edit icon. Enter a name for the rule.

5 Point to the Source cell of the new rule and perform one of the following options:

Click IP: type the source IP address. The firewall supports both IPv4 and IPv6 formats.

Click the edit icon: to specify the source as an object other than a specific IP address:

a Select one or more objects and click add.

You can create a new IP Set. Once you create the new object, it is added to the Source column by default.

b To exclude a source from the rule, click Advanced options.

c Select Negate Source to exclude this source from the rule.

When Negate Source is selected, the rule applies to traffic coming from all sources except the source you specified in the previous step.

When Negate Source is not selected, the rule applies to traffic coming from the source you specified in the previous step.

d Click OK.

6 Point to the Destination cell of the new rule and perform one of the following options:

Click IP: type the destination IP address. The firewall supports both IPv4 and IPv6 formats.

Click the edit icon: to specify the destination as an object other than a specific IP address:

a Select one or more objects and click add.

You can create a new IP Set. Once you create the new object, it is added to the Destination column by default.

b To exclude a destination from the rule, click Advanced options.

c Select Negate Destination to exclude this destination from the rule.

When Negate Destination is selected, the rule applies to traffic going to all destinations except the destination you specified in the previous step.

When Negate Destination is not selected, the rule applies to traffic going to the destination you specified in the previous step.

d Click OK.

7 Point to the Service cell of the new rule and perform one of the following options:

Click port: to specify the service as a port-protocol combination:

a Select the service protocol.

Note

The edge gateway supports ALG for FTP only. Other protocols that open secondary data connections need explicit rules for those connections.

b Under Advanced options, type the port number.

c Click OK.

Click the edit icon: to select a pre-defined service or service group, or define a new one:

a Select one or more objects and click add.

You can create a new service or service group. Once you create the new object, it is added to the Selected Objects column by default.

b Click OK.

To limit the exposure of your network to ACK or SYN floods, set the service of the default rule to TCP-all_ports or UDP-all_ports and set its action to Deny, so that any TCP or UDP traffic not explicitly accepted by a rule above it is dropped.

8 Point to the Action cell of the new rule and click the edit icon. Select the required actions and click OK.

Accept: allows traffic from or to the specified sources, destinations, and services.

Deny: blocks traffic from or to the specified sources, destinations, and services. The packet is dropped silently, so the sender sees a timeout rather than an error.

Reject: sends a reject message for unaccepted packets. RST packets are sent for TCP connections. ICMP messages with the administratively prohibited code are sent for UDP, ICMP, and other IP connections.

Log: logs all sessions matching this rule. Enabling logging can affect performance.

Do not log: does not log sessions.

Advanced options > Match on Translated: applies the rule to the translated IP address and services of a NAT rule.

Enable Rule Direction: indicates whether the rule is incoming or outgoing.

Note

VMware does not recommend specifying the direction for firewall rules.

9 Click Publish.

After a few moments, a message indicating whether the publish operation was successful appears. If the publish fails, the hosts on which the rule was not applied are listed. When you click Publish, the firewall configuration is saved automatically; rules you have edited but not yet published are not enforced.
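To make the matching semantics of steps 3 to 8 concrete, the following is an added example written for this page; it is not vCloud Air or NSX Edge code and the names FirewallTable, Rule, ip_match and demo are hypothetical. It models the rule table in Python: top-down, first-match evaluation with the system default rule at the bottom, Negate Source and Negate Destination as an inversion of the address test, Deny as a silent drop, and Reject as a TCP RST or an ICMP administratively prohibited message. All addresses and packets are constructed from documentation ranges, and the second half of demo() shows how an Add Above of a broad reject rule shadows the narrower accept rule beneath it.

```python
"""Model of the edge firewall rule evaluation described in steps 3 to 8.
Constructed example for this page, not vCloud Air or NSX Edge code. Rules are
walked top-down and the first enabled match decides; Negate Source/Destination
invert the address test; Deny drops silently; Reject answers TCP with RST and
other traffic with ICMP administratively prohibited; the default rule is last."""
import ipaddress
from dataclasses import dataclass

ANY = "any"


def ip_match(spec, addr):
    """spec is 'any', one address or CIDR, or a list of them (an IP Set)."""
    if spec == ANY:
        return True
    if isinstance(spec, (list, tuple, set)):
        return any(ip_match(s, addr) for s in spec)
    net, ip = ipaddress.ip_network(spec, strict=False), ipaddress.ip_address(addr)
    return ip.version == net.version and ip in net  # v4 and v6 never cross-match


@dataclass
class Rule:
    name: str
    source: object = ANY
    destination: object = ANY
    protocol: str = ANY          # "tcp", "udp", "icmp" or "any"
    port: object = ANY           # destination port number, or "any"
    action: str = "accept"       # accept | deny | reject
    negate_source: bool = False
    negate_destination: bool = False
    enabled: bool = True

    def matches(self, pkt):
        # Negate flips the address test, so a negated "any" matches nothing
        src_ok = ip_match(self.source, pkt["src"]) != self.negate_source
        dst_ok = ip_match(self.destination, pkt["dst"]) != self.negate_destination
        proto_ok = self.protocol in (ANY, pkt["proto"])
        port_ok = self.port == ANY or pkt.get("dport") == self.port
        return src_ok and dst_ok and proto_ok and port_ok

    def verdict(self, pkt):
        """What the sender observes when this rule is the first match."""
        if self.action == "accept":
            return "forward"
        if self.action == "deny":
            return "drop"  # silently discarded; the sender sees a timeout
        if self.action == "reject":
            return "tcp-rst" if pkt["proto"] == "tcp" else "icmp-admin-prohibited"
        raise ValueError(f"unknown action {self.action!r}")


class FirewallTable:
    def __init__(self, default_action="deny"):
        self.rules = []  # user rules, in table order
        self.default = Rule("default rule", action=default_action)  # always last

    def add_above(self, existing_name, rule):  # the UI's Add Above
        self.rules.insert([r.name for r in self.rules].index(existing_name), rule)

    def evaluate(self, pkt):
        """First enabled matching rule wins; otherwise the default rule applies."""
        for rule in self.rules + [self.default]:
            if rule.enabled and rule.matches(pkt):
                return rule.name, rule.verdict(pkt)
        raise AssertionError("the default rule must match everything")


def build_example_table():
    """SSH to a bastion only from the admin range, HTTPS from anywhere, and a
    Deny default rule (the all-ports Deny posture the text suggests for floods)."""
    admin_net, bastion = "203.0.113.0/24", "192.0.2.10"  # made-up RFC 5737 addresses
    t = FirewallTable(default_action="deny")
    t.rules.append(Rule("admin-ssh", source=admin_net, destination=bastion,
                        protocol="tcp", port=22, action="accept"))
    # Negate Source: SSH from anywhere except the admin range is answered with RST
    t.rules.append(Rule("reject-other-ssh", source=admin_net, negate_source=True,
                        destination=bastion, protocol="tcp", port=22, action="reject"))
    t.rules.append(Rule("public-https", destination=bastion, protocol="tcp", port=443))
    return t


def demo():
    """Verdicts for constructed packets, then the effect of an Add Above."""
    def pkt(src, proto, dport=None):
        return {"src": src, "dst": "192.0.2.10", "proto": proto, "dport": dport}
    t = build_example_table()
    results = {
        "admin_ssh": t.evaluate(pkt("203.0.113.5", "tcp", 22)),
        "stranger_ssh": t.evaluate(pkt("198.51.100.7", "tcp", 22)),
        "https_from_v6": t.evaluate(pkt("2001:db8::1", "tcp", 443)),
        "dns": t.evaluate(pkt("198.51.100.7", "udp", 53)),
    }
    # Ordering matters: a broad reject rule added above admin-ssh shadows it
    t.add_above("admin-ssh", Rule("reject-all-ssh", destination="192.0.2.10",
                                  protocol="tcp", port=22, action="reject"))
    results["admin_ssh_after_add_above"] = t.evaluate(pkt("203.0.113.5", "tcp", 22))
    return results
```

Running demo() shows the admin SSH packet forwarded by admin-ssh, the stranger's SSH answered with a RST by the negated rule, the IPv6 HTTPS client forwarded by public-https, the UDP DNS query dropped silently by the Deny default rule, and, after the Add Above, the admin's own SSH rejected by the new broad rule, which is why the text stresses checking rule placement before you publish.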