Configure and Administer Firewall Services on an NSX Edge


Create Modify and Delete an Edge Firewall rule in NSX

Both the Edge Firewall and the Distributed Firewall are really awesome features of NSX. The Edge Services Gateway acts more as a border firewall, since the job of this edge device is North-South traffic (the perimeter of the datacenter), while the Distributed Firewall focuses on East-West traffic (within the datacenter). I will cover the Distributed Firewall in the next section, but in short its policies are pushed to each ESXi host, which lets the firewall enforce rules before the traffic even enters the virtual switch. As I will mention below, you can specify the source or destination of the traffic as anything from a single VM to an entire datacenter, or even as dynamic security groups of objects built from security tags, OS type, or VM name.
Step 1. Open the vSphere Web Client and navigate to Networking & Security -> NSX Edges, then double click on the Edge device to which you would like to add a firewall rule.
Step 2. Click on Manage -> Firewall.
Step 3. Click on the + sign to add a new Firewall Rule. You will notice a blank line is created and highlighted. Click the + sign inside of the Name box to add a name for this rule.
Note: To modify a rule, click in the rule box and change the value; to delete a rule, click on the rule and then click the red X.

Configure Source/Destination/Service/Action rule components

Step 4. Specify a Source. You can either provide an IP address by clicking the IP sign inside the Source box, or you can click the + sign to specify objects. I will specify an Object.
Step 5. Choose the Source to which you would like to apply the firewall rule. There are many options here, ranging from a single virtual machine to an entire cluster or even specific security groups. Security Groups are probably my favorite thing because their membership can be set dynamically by tags or VM names; for more information on creating security groups, please click here. I have selected a dynamic security group called Web Tier, which has two members that are virtual machines. Note: You can also create new groups from this menu.
Step 6. Double click the Object, or select the right arrow to move the object to Selected Objects, then hit OK.
Step 7. Follow the same steps to add a Destination to the rule.
Step 8. Select a Service for the firewall rule. You can either specify a Protocol and Ports directly, pick one of the Services predefined by NSX, or create a new Service. There are quite a few predefined services, so use the search box to confirm one isn't already there before creating a new service.
An example of the Add Service page is shown below. You specify the Protocol and any other options associated with the protocol, for example Source and Destination Ports.
Step 9. Finally, specify whether you want to Accept, Reject, or Deny the traffic, as well as whether you want to Log the action.
Step 10. Once your rule is created, click on Publish.

Modify the order/priority of Firewall rules

Step 11. The rules are processed from the top down, and the first rule that matches the traffic wins. If you need to change the priority of the rules, you can simply click the rule, then hit either Move Rule Up or Move Rule Down.
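To make the ordering point from Steps 4 to 11 concrete, here is a small model of how an ordered, first-match rule base evaluates a connection. This is an added example, not NSX code or the NSX API; the VM names, tags, addresses and rule names are constructed for illustration. It resolves a dynamic security group from a tag (as the Web Tier group in Step 5 does), evaluates a rule base top-down with the Accept/Reject/Deny actions from Step 9, and includes a check for rules that can never fire because an earlier, broader rule shadows them, which is the mistake Move Rule Up / Move Rule Down exists to correct.

```python
"""Model of an ordered, first-match firewall rule base such as the NSX Edge
firewall described above.  Added example, not NSX code; every name, tag and
address below is constructed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed inventory: a dynamic security group is resolved to VMs by tag,
# the way the walkthrough's "Web Tier" group is (assumed tag scheme).
VMS = {
    "web-01": {"ip": "10.0.1.11", "tags": {"tier=web"}},
    "web-02": {"ip": "10.0.1.12", "tags": {"tier=web"}},
    "db-01":  {"ip": "10.0.2.21", "tags": {"tier=db"}},
}


def resolve_group(tag):
    """Dynamic security group: the IPs of every VM carrying the tag."""
    return {v["ip"] for v in VMS.values() if tag in v["tags"]}


@dataclass
class Rule:
    name: str
    src: set          # IP or CIDR strings; the literal "any" matches everything
    dst: set
    service: tuple    # (protocol, port); ("any", None) matches every service
    action: str       # "accept", "reject" (refusal sent back) or "deny" (silent drop)
    log: bool = False


def _addr_match(selector, ip):
    if "any" in selector:
        return True
    a = ip_address(ip)
    return any(a in ip_network(s, strict=False) for s in selector)


def _svc_match(selector, proto, port):
    sproto, sport = selector
    return (sproto == "any" or sproto == proto) and (sport is None or sport == port)


def evaluate(rules, src_ip, dst_ip, proto, port, default="deny"):
    """Walk the rule base top-down; the first match decides.
    Returns (action, rule_name, logged).  `default` stands in for the
    edge's default rule when nothing explicit matches."""
    for r in rules:
        if (_addr_match(r.src, src_ip) and _addr_match(r.dst, dst_ip)
                and _svc_match(r.service, proto, port)):
            return r.action, r.name, r.log
    return default, "default", False


def shadowed_rules(rules):
    """Rules that can never fire because an earlier rule already covers all of
    their traffic.  A subset check on the selectors is enough for exact IPs
    and "any"; returns (shadowed_rule, shadowing_rule) pairs."""
    out = []
    for i, r in enumerate(rules):
        for e in rules[:i]:
            if (("any" in e.src or r.src <= e.src)
                    and ("any" in e.dst or r.dst <= e.dst)
                    and (e.service == ("any", None) or e.service == r.service)):
                out.append((r.name, e.name))
                break
    return out


WEB = resolve_group("tier=web")
DB = resolve_group("tier=db")

# Intended order: the specific accept sits above the broad deny.
RULES_GOOD = [
    Rule("web-to-db-sql", WEB, DB, ("tcp", 3306), "accept", log=True),
    Rule("block-db-from-anywhere", {"any"}, DB, ("any", None), "deny", log=True),
    Rule("allow-https-to-web", {"any"}, WEB, ("tcp", 443), "accept"),
]

# Same rules after "moving down" the accept: the broad deny now shadows it,
# and the web tier's database connections are dropped.
RULES_BAD = [RULES_GOOD[1], RULES_GOOD[0], RULES_GOOD[2]]

if __name__ == "__main__":
    flow = ("10.0.1.11", "10.0.2.21", "tcp", 3306)
    print("good order:", evaluate(RULES_GOOD, *flow))
    print("bad order: ", evaluate(RULES_BAD, *flow))
    print("shadowed in bad order:", shadowed_rules(RULES_BAD))
```

Running the script shows the same SQL flow accepted under the intended order and denied once the broad deny is moved above the specific accept, and `shadowed_rules` names the rule that became dead. Reviewing a published rule base for shadowed rules is a cheap check to run whenever rules are reordered.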


  1. Rajeev -  February 13, 2016 - 4:37 am

    Hi Sean

    I need your inputs in answering the below question which I have been asked.

    We are deploying NSX in our environment & we are more focused on the NSX micro-segmentation using the distributed firewall.
    The question is, since we are moving from the physical firewall to a virtual firewall, how can I measure the performance or throughput of the NSX distributed firewall?
    How can I check & ensure that the firewall is not affecting the performance?
    How can I compare its performance with the actual physical firewall?

    • Sean Whitney -  February 13, 2016 - 7:45 am

      Hi Rajeev,

      The throughput of the Distributed Firewall is close to line rate because it runs in the ESXi kernel, meaning each host can have a DFW firewall rate of almost 20GB/s (maybe around 19.5GB/s). Every single host that you add will increase the total firewall capacity, allowing you to scale out as your environment grows. This is what makes the NSX DFW so great: by the time you reach a compute limit on an ESXi host and add another, you get more firewall capacity. Traditional firewalls that run at 100 GB can be very costly, but if you have 5 ESXi hosts, you have the same capacity for a lot cheaper.


  2. Gbenga -  September 11, 2019 - 7:06 am

    Hi Sean,
    We have the NSX setup, but when configuring the Edge Gateway we noticed that these features (Firewall, Routing, VPN, SSL-VPN-Plus) are not displaying for configuration. What could we have done wrong, and what can be done to correct this issue? Thank you

