NSX-T Firewall Rules

NSX-T firewall is a set of customizable rules, which protect the system against network threatsNSX-T firewall rules are completely synchronized with the vCloud, so regardless of the side from where you are updating the firewalls, all updates are visible on your OnApp Control Panel.

In OnApp, you can manage the firewall rule separately for each NSX-T edge gateway in your cloud. You can also configure the details of sources and destinations for each rule.

At this point we support only firewall rules with IPv4 type.

Create NSX-T Firewall Rule


To add a new firewall rule:

  1. Go to your Control Panel > Cloud > Edge Gateways menu.
  2. Select the NSX-T tab.
  3. Click the label of the necessary NSX-T edge gateway.
  4. Click the Firewall Rules tab to see the list of the firewall rules. 
  5. Click  above the table. A new row will appear in the table of firewall rules with the default data. You can add the desired amount of rows by clicking .
  6. Hover over the row that appeared and specify the following parameters:
    • Label – name of the rule.
    • Sources – click  to add security groups and IP sets imported from the vCloud sideSelect the necessary options from the list.
      Click  to add a new group of source IP addresses this firewall rule will be active for. This can be an IP address, CIDR, or IP range.
    • Destinations – click  to add security groups and IP sets imported from the vCloud sideClick  to add a new group of destination IP addresses this firewall rule will be active for. This can be an IP address, CIDR, or IP range. 
    • Applications – click , then select the needed application port profiles. 

If you don't specify any source, application, or destination value, it will be displayed as "Any" by default. 

    • Directions – the options are In, Out, and In/Out. The default is In/Out. This field refers to the direction of traffic from the point of view of the destination object. In means that only traffic to the object is checked, Out means that only traffic from the object is checked, and In/Out means traffic in both directions is checked. Click to specify that the traffic from or to the specified source(s), destination(s), and service(s) will be accepted by the firewall.
      Click Save to save the changes.
    • Actions – the action applied by the rule can be Accept or Deny. The default is Accept. Click to specify that the traffic from or to the specified source(s), destination(s), and service(s) will be allowed by the firewall.
    • Logging – move the slider to the right to enable logging for this rule.

6. Click Save below the table to apply the changes.

  • To select all firewall rules on the list, hover over the top left corner of the table, and tick the checkbox that appears. 
  • To revert the last changes applied, click Discard Changes below the table.
  • To see only the enabled rules, move the Only Enabled slider above the table to the right. 



Edit NSX-T Firewall Rule


To edit a firewall rule:

  1. Go to your Control Panel > Cloud > Edge Gateways menu NSX-T tab.
  2. Click the label of the necessary NSX-T edge gateway.
  3. Click the Firewall Rules tab to see the list of the firewall rules. Find the necessary rule and make the necessary changes in the corresponding row. 

     Click to view the description of parameters available for editing.
    •  – move the slider on the Status column to the right to enable the rule. If the rule is enabled, move the slider to the left to disable it.
    • Label – click to change the name of the rule.
    • Sources - as you hover over the required row, the  button will appear:
      • Click  to add IP sets and security groups imported from the vCloud side. Select the necessary options from the list
      • Click  to create a new source IP set this firewall rule will be active for. This can be an IP address, CIDR, or IP range. 
      • Click Gray close window icon - Free gray cancel iconsnear a source if you want to remove it.  
    • Destinations - as you hover over the required row, the  button will appear:
      • Click  to configure the IP sets and security groups imported from vCloud side for this rule. Select the necessary options from the list
      • Click  to create a destination IP set this firewall rule will be active for. This can be an IP address, CIDR, or IP range.
      • Click Gray close window icon - Free gray cancel icons near a destination if you want to remove it  
    • Applications - as you hover over the required row, the  button will appear:
      • Click  to configure the application port profiles for this rule. Select the necessary options from the list
      • Click Gray close window icon - Free gray cancel icons near an application port profile if you want to remove it.
        Click Save to save the changes.

    If you don't specify any source, destination, or service value, it will be displayed as "Any" by default. 

      • Directions – click to specify that the traffic from or to the specified source(s), destination(s), and service(s) will be accepted by the firewall.
      • Actions – click to specify that the traffic from or to the specified source(s), destination(s), and service(s) will be allowed by the firewall.
      • Logging – move the slider to the right to enable logging for this rule.
  4. Click Save below the table to apply the changes.

Delete NSX-T Firewall Rule


To delete a firewall rule:

  1. Go to your Control Panel > Cloud > Edge Gateways menu.
  2. Select the NSX-T tab.
  3. Click specific Edge Gateway's label.
  4. Click the Firewall Rules tab.
  5. On the page that appears, you will see the list of firewall rules. Select a rule you want to delete from the list, and then click the  button above the table.
  6. Click the Save button below the table to apply the changes.