NSX Firewalls

The NSX firewall inspects north-south traffic at the perimeter and, together with Network Address Translation (NAT) and site-to-site IPsec VPN, provides the edge gateway's perimeter security functionality.

OnApp lets you manage the NSX firewall service separately for each vCloud edge gateway in your cloud. You can enable or disable the firewall for the entire edge gateway, or enable only selected rules on the list, and you can configure the sources and destinations of each rule.

There are two major types of firewall rules in OnApp: internal (created on the vCloud side and imported into OnApp) and user-defined (created in OnApp).

NSX firewalls may be configured for an existing vCloud edge gateway or vCenter edge. For more information on creating and importing these instances, see the vCloud Edge Gateways and Edges sections of this guide.

Create Firewall Rule


To add a new firewall rule:

  1. Go to your Control Panel > Cloud > Edge Gateways menu.
  2. Click the label of the necessary Edge Gateway.
  3. Click the Firewall tab to see the list of the firewall rules. 
  4. Click the  button above the table. A new line will appear on the list.
  5. In the line that appeared, specify the following parameters:
    •  - click to enable the rule.
    • Rule name - click to add the name of the rule.
    • Sources - as you hover over the Sources column space in the required line, the and  buttons will appear:
      • Click the  button to add the source IP address(es) this firewall rule applies to. This can be an IP address, CIDR, IP range, "any", "internal" or "external". This field is not case sensitive. Click the Apply IP button to save the changes.
      • Click the  button to add the following types of sources for this rule:
        • Network interfaces - select the necessary network interfaces from the list
        • Virtual machines - select the necessary virtual servers from the list
        • Networks - select the necessary networks from the list
        • IP sets - select the necessary options from the list of IP sets imported from vCloud side
        • Security groups - select the necessary options from the list of security groups imported from vCloud side
          Click the Apply rules button to save the changes. 
      • The Toggle exclusion button appears only if there are any sources already added to the list. Click this button to invert the list, so that the rule matches any source except the ones you specified. Once this option is enabled, the Any but tag appears before the list of sources.
    • Destinations - as you hover over the Destinations column space in the required line, the  and  buttons will appear:
      • Click the  button to add the destination IP address(es) this firewall rule applies to. This can be an IP address, CIDR, IP range, "any", "internal" or "external". This field is not case sensitive. Click the Apply IP button to save the changes.
      • Click the  button to configure the following types of destinations for this rule:
        • Network interfaces - select the necessary network interfaces from the list.
        • Virtual machines - select the necessary virtual servers from the list.
        • Networks - select the necessary networks from the list.
        • IP sets - select the necessary options from the list of IP sets imported from vCloud side.
        • Security groups - select the necessary options from the list of security groups imported from vCloud side.
          Click the Apply rules button to save the changes. 
      • The Toggle exclusion button appears only if there are any destinations already added to the list. Click this button to invert the list, so that the rule matches any destination except the ones you specified. Once this option is enabled, the Any but tag appears before the list of destinations.
    • Services - click the  button to open a pop-up window. Once it appears, specify the following values:
      • Protocol - select TCP, UDP, ICMP, or Any.
      • Source port - enter the source port (from 1 to 65535).
      • Destination port - enter the destination port (from 1 to 65535).

If you don't specify any source, destination, or service value, it defaults to "any" and matches all values for that field.

    • ACCEPT - click to specify that traffic matching the specified source(s), destination(s), and service(s) is accepted by the firewall.
    • DENY - click to specify that traffic matching the specified source(s), destination(s), and service(s) is denied by the firewall.
    • Logging - move the slider to the right to enable logging for this rule.

  6. Click the Save button above the table to apply the changes.

  • You may filter the rules in the list by name, source, destination, and service.
  • To select all firewall rules on the list, hover over the top left corner of the table, and tick the checkbox that appears. 
  • To revert the last changes applied, click  (Undo changes) above the table.
  • To see the rules of the user-defined type only, click the  icon above the table.
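The following is an added example, not OnApp or NSX code: a small Python model of how a rule built from the parameters above (sources and destinations given as IP, CIDR, range, "any", "internal" or "external", the Toggle exclusion "Any but" switch, a service with protocol and ports, and an ACCEPT or DENY action) is matched against a packet. The INTERNAL_NETS list and top-down first-match ordering are assumptions of the example, not statements about the product.

```python
import ipaddress

# Added example, not OnApp or NSX code: models how one rule of the form above
# (sources, destinations, service, ACCEPT/DENY, "Any but") is evaluated.
# INTERNAL_NETS is an assumed stand-in for what the edge treats as "internal".
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

def endpoint_pred(value):
    """Predicate for one IP entry: IP, CIDR, range, any, internal or external."""
    v = value.strip().lower()                       # the UI field is case-insensitive
    if v == "any":
        return lambda ip: True
    if v in ("internal", "external"):
        return lambda ip: any(ip in n for n in INTERNAL_NETS) == (v == "internal")
    if "-" in v:                                    # range, e.g. 10.0.0.5-10.0.0.20
        lo, hi = (ipaddress.ip_address(p.strip()) for p in v.split("-", 1))
        return lambda ip: lo <= ip <= hi
    net = ipaddress.ip_network(v, strict=False)     # single IP or CIDR
    return lambda ip: ip in net

def endpoint_matches(entries, any_but, ip):
    """Empty list means any; any_but is Toggle exclusion: all but the listed."""
    if not entries:
        return True
    listed = any(endpoint_pred(e)(ip) for e in entries)
    return not listed if any_but else listed

def service_matches(service, proto, sport, dport):
    """Keys protocol/source_port/destination_port; missing or 'any' matches all."""
    if str(service.get("protocol", "any")).lower() not in ("any", proto.lower()):
        return False
    for key, actual in (("source_port", sport), ("destination_port", dport)):
        wanted = service.get(key, "any")
        if wanted != "any" and not 1 <= int(wanted) <= 65535:
            raise ValueError(f"{key} out of range: {wanted}")
        if wanted != "any" and int(wanted) != actual:
            return False
    return True

def evaluate(rules, pkt):
    """First enabled matching rule's action (top-down order assumed), else None."""
    src, dst = ipaddress.ip_address(pkt["src"]), ipaddress.ip_address(pkt["dst"])
    for r in rules:
        if (r.get("enabled", True)
                and endpoint_matches(r.get("sources", []), r.get("any_but_sources", False), src)
                and endpoint_matches(r.get("destinations", []), r.get("any_but_destinations", False), dst)
                and service_matches(r.get("service", {}), pkt["proto"], pkt.get("sport", 0), pkt.get("dport", 0))):
            return r["action"]
    return None
```

The second rule in the test below uses the "Any but" form: it lists an internal range as its sources and sets any_but_sources, so it denies SSH to the host from everything except that range.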
Edit Firewall Rule


To edit a firewall rule:

  1. Go to your Control Panel > Cloud > Edge Gateways menu.
  2. Click the label of the necessary Edge Gateway.
  3. Click the Firewall tab. 
  4. On the page that appears, you will see the list of firewall rules for this edge gateway. Find the rule you need and make the changes in its line.

    The following parameters are available for editing:
    •  - click to enable the rule. If the rule is enabled, click the  button to disable it.
    • Rule name - click to change the name of the rule.
    • Sources - as you hover over the Sources column space in the required line, the  and  buttons will appear:
      • Click the  button to add the source IP address(es) this firewall rule applies to. This can be an IP address, CIDR, IP range, "any", "internal" or "external". This field is not case sensitive. Click the Apply IP button to save the changes.
      • Click the  button to configure the following types of sources for this rule:
        • Network interfaces - select the necessary network interfaces from the list.
        • Virtual machines - select the necessary virtual servers from the list.
        • Networks - select the necessary networks from the list.
        • IP sets - select the necessary options from the list of IP sets imported from the vCloud side.
        • Security groups - select the necessary options from the list of security groups imported from the vCloud side.
          Click the Apply rules button to save the changes.
      • The Toggle exclusion button appears only if there are any sources already added to the list. Click this button to invert the list, so that the rule matches any source except the ones on the list. Once this option is enabled, the Any but tag appears before the list of sources.
    • Destinations - as you hover over the Destinations column space in the required line, the  and  buttons will appear:
      • Click the  button to add the destination IP address(es) this firewall rule applies to. This can be an IP address, CIDR, IP range, "any", "internal" or "external". This field is not case sensitive. Click the Apply IP button to save the changes.
      • Click the  button to configure the following types of destinations for this rule:
        • Network interfaces - select the necessary network interfaces from the list.
        • Virtual machines - select the necessary virtual servers from the list.
        • Networks - select the necessary networks from the list.
        • IP sets - select the necessary options from the list of IP sets imported from the vCloud side.
        • Security groups - select the necessary options from the list of security groups imported from the vCloud side.
          Click the Apply rules button to save the changes.
      • The Toggle exclusion button appears only if there are any destinations already added to the list. Click this button to invert the list, so that the rule matches any destination except the ones on the list. Once this option is enabled, the Any but tag appears before the list of destinations.
    • Services - click the  button to open a pop-up window. Once it appears, specify the following values:
      • Protocol - select TCP, UDP, ICMP, or Any.
      • Source port - enter the source port (from 1 to 65535).
      • Destination port - enter the destination port (from 1 to 65535).

    If you don't specify any source, destination, or service value, it defaults to "any" and matches all values for that field.

    • ACCEPT - click to specify that traffic matching the specified source(s), destination(s), and service(s) is accepted by the firewall.
    • DENY - click to specify that traffic matching the specified source(s), destination(s), and service(s) is denied by the firewall.
    • Logging - move the slider to the right to enable logging for this rule.
  5. Click the Save button above the table to apply the changes.


Delete Firewall Rule


To delete a firewall rule:

  1. Go to your Control Panel > Cloud > Edge Gateways menu.
  2. Click the label of the necessary Edge Gateway.
  3. Click the Firewall tab.
  4. On the page that appears, you will see the list of firewall rules. Select the rule to remove from the list, and then click the  button above the table.
  5. Click the Save button above the table to apply the changes.