How to Add an Edge Gateway Firewall Rule

IMPORTANT: This article should only be followed if you are using the NSX Edge as your Edge firewall.  In instances where you have an Expedient-provided firewall or your own firewall in any of Expedient’s cloud offerings, you should utilize the NSX-V Distributed Firewall by following the guide “Writing Distributed Firewall Rules” under the Networking category on the left.

You use the edge gateway Firewall screen in the EEC portal to add firewall rules for that edge gateway. You can add multiple NSX edge interfaces and multiple IP address groups as the source and destination for these firewall rules

Specifying internal for a source or a destination of a rule indicates traffic for all subnets on the port groups connected to the NSX edge gateway. If you select internal as the source, the rule is automatically updated when additional internal interfaces are configured on the NSX edge gateway.

Note:

Edge gateway firewall rules on internal interfaces do not work when the edge gateway is configured for dynamic routing.

Procedure

1. Open Edge Gateway Services.
2. Navigate to Networking > Edges.
3. Select the edge gateway to edit, and click Configure Services.
4. If the Firewall Rules screen is not already visible, click the Firewall tab
5. To add a rule below an existing rule in the firewall rules table, click in the existing row and then click the Create button.
6. A row for the new rule is added below the selected rule, and is assigned any destination, any service, and the Allow action by default . When the system-defined default rule is the only rule in the firewall table, the new rule is added above the default rule.
7. Click in the Name cell and type in a name.
8. Click in the Source cell and use the now visible icons to select a source to add to the rule:
   
   

   Option	Description
   Click the IP icon	Type the source value you want to use. Valid values are an IP address, CIDR, an IP range, or the keyword any. The edge gateway firewall supports both IPv4 and IPv6 formats.
   Click the + icon	Use the + icon to specify the source as an object other than a specific IP address: Use the Select objects window to add objects that match your selections and click Keepto add them to the rule. To exclude a source from the rule, add it to this rule using the Select objects window and then select the toggle exclusion icon to exclude that source from this rule. When the toggle exclusion is selected on the source, the rule is applied to traffic coming from all sources except for the source you excluded. When the toggle exclusion is not selected, the rule applies to traffic coming from the source you specified in the Select objects window