Configure and Administer Firewall Services on an NSX Edge
Create Modify and Delete an Edge Firewall rule in NSX
Both the Edge Firewall and the Distributed Firewall are really awesome features of NSX. The Edge Services Gateway acts more as a border firewall, since the job of this edge device is north-south traffic (the perimeter of the datacenter), while the Distributed Firewall focuses on east-west traffic (within the datacenter). I will cover the Distributed Firewall in the next section, but its policies are pushed to the ESXi host, which lets the firewall act on traffic before it enters the virtual switch. As I will mention below, you can specify the source or destination of the traffic as anything from a single VM to an entire datacenter, or even dynamic security groups of objects based on security tags, OS type, or VM name.
Step 1. Open the vSphere Web Client and navigate to Networking & Security -> NSX Edges, then double-click the Edge device to which you would like to add a firewall rule.
Step 2. Click on Manage -> Firewall
Step 3. Click on the + sign to add a new Firewall Rule. You will notice a blank line is created and highlighted. Click the + sign inside the Name box to add a name for this rule.
Note: To modify a rule, click in the rule box and change the value; to delete a rule, click on the rule and then click the red X.
Configure Source/Destination/Service/Action rule components
Step 4. Specify a Source. You can either provide an IP address by clicking the IP icon inside the Source box, or click the + sign to specify objects. I will specify an object.
Step 5. Choose the Source to which you would like to apply the firewall rule. There are many options here, ranging from a single virtual machine to an entire cluster or even specific security groups. Security Groups are probably my favorite option because they can be populated dynamically by tags or VM names; for more information on creating security groups, please click here. I have selected a dynamic security group called Web Tier, which has two virtual machines as members. Note: You can also create new groups from this menu.
Step 6. Double-click the object, or select the right arrow, to move the object to Select Objects, then click OK.
Step 7. Follow the same steps to add a Destination to the rule.
Step 8. Select a Service for the firewall rule. You can either specify a protocol and ports, choose a service predefined by NSX, or create a new Service. There are quite a few predefined services, so use the search box to confirm one isn't already there before creating a new one.
An example of the Add Service page is below. You specify the protocol and any other options associated with it, for example source and destination ports.
Step 9. Finally, specify whether you want to Accept, Reject, or Deny the traffic, as well as whether you want to log the action.
Step 10. Once your rule is created, click on Publish.
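The same rule (source and destination as security groups, a TCP service, an action and logging) can be built and pushed through the NSX Manager REST API instead of the Web Client. This is an added example, not code from the post: it assumes the NSX-v Edge firewall API (`POST /api/4.0/edges/{edgeId}/firewall/config/rules` with the `firewallRules`/`firewallRule` XML element names used below), and the manager URL, Edge id and security group ids are placeholders. A small `check_rule` lint refuses the two rules most often regretted later, an any-to-any accept and an unlogged deny/reject, before anything is published.

```python
import base64
import urllib.request
import xml.etree.ElementTree as ET
NSX_MANAGER = "https://nsx-manager.example.invalid"  # placeholder, not a real host
EDGE_ID = "edge-1"                                  # placeholder Edge object id
VALID_ACTIONS = {"accept", "deny", "reject"}        # assumed API spellings of Accept/Deny/Reject

def build_rule(name, source, destination, action, service=None, log=True):
    # source/destination: dict with 'ip' (address/CIDR) and/or 'group' (object id such as
    # a security group); {} means "any". service: (protocol, port) or None for any service.
    if action not in VALID_ACTIONS:
        raise ValueError(f"action must be one of {sorted(VALID_ACTIONS)}")
    rules = ET.Element("firewallRules")
    rule = ET.SubElement(rules, "firewallRule")
    ET.SubElement(rule, "name").text = name
    for tag, endpoint in (("source", source), ("destination", destination)):
        node = ET.SubElement(rule, tag)
        for key, child in (("ip", "ipAddress"), ("group", "groupingObjectId")):
            if key in endpoint:
                ET.SubElement(node, child).text = endpoint[key]
    if service:
        svc = ET.SubElement(ET.SubElement(rule, "application"), "service")
        ET.SubElement(svc, "protocol").text = service[0]
        ET.SubElement(svc, "port").text = str(service[1])
    ET.SubElement(rule, "action").text = action
    ET.SubElement(rule, "loggingEnabled").text = "true" if log else "false"
    return ET.tostring(rules, encoding="unicode")

def check_rule(xml_body):
    # Lint a rule body before publishing; returns a list of findings (empty = clean).
    findings = []
    for rule in ET.fromstring(xml_body).iter("firewallRule"):
        name, action = rule.findtext("name"), rule.findtext("action")
        logged = rule.findtext("loggingEnabled") == "true"
        src_any = len(rule.find("source")) == 0   # no ipAddress/groupingObjectId = any
        dst_any = len(rule.find("destination")) == 0
        if action == "accept" and src_any and dst_any:
            findings.append(f"rule '{name}': any-to-any accept")
        if action != "accept" and not logged:
            findings.append(f"rule '{name}': {action} without logging")
    return findings

def publish_rule(xml_body, user, password):
    # POST the rule to the Edge; the API applies it directly, there is no separate Publish.
    url = f"{NSX_MANAGER}/api/4.0/edges/{EDGE_ID}/firewall/config/rules"
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(url, data=xml_body.encode(), method="POST", headers={
        "Content-Type": "application/xml", "Authorization": f"Basic {token}"})
    with urllib.request.urlopen(req) as resp:
        return resp.headers.get("Location")  # URI of the created rule
```

Run `check_rule` on the body and only call `publish_rule` when it returns an empty list; the manager's TLS certificate should be trusted by the host running this, since the request is sent with certificate verification on.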