Configure a CGW firewall in VMware NSX

Last Updated: May 22, 2024

By default, a compute gateway (CGW) firewall blocks all inbound and outbound traffic for the workload network behind the CGW tier-1 (T1) router. Create CGW firewall rules to permit only the traffic your business requires; everything you do not explicitly allow stays blocked.

Rule description

VMware NSX can perform the following operations on the network traffic that matches the CGW firewall rules:

  • Allow: allows the matched traffic.

  • Drop: silently drops the matched traffic.

  • Reject: drops the matched traffic and notifies the source.


CGW firewall rules can be used to protect network traffic for different uplink interfaces. The following uplink interfaces are supported:

  • All Uplinks: all uplink interfaces excluding VPN Tunnel Interface.

  • Internet Interface: an uplink interface of the tier-0 logical router. This uplink interface is used to forward the network traffic for accessing the Internet.

  • Intranet Interface: an uplink interface of the tier-0 logical router. This uplink interface is used to forward the network traffic for accessing a virtual private cloud (VPC) or an on-premises data center.

  • Services Interface: an uplink interface of the tier-0 logical router. This uplink interface is not enabled.

  • VPN Tunnel Interface: an uplink interface that is used to forward network traffic over the route-based VPN channel recommended by VMware NSX.


For more information, see Network architecture.

Match traffic with firewall rules

VMware NSX matches network traffic against the firewall rules in order from the top of the rule list to the bottom. The first rule that matches decides the outcome: the traffic is allowed, dropped, or rejected according to the action of that rule, and no further rules are evaluated. Traffic that matches none of the rules you create falls through to the default rules, which drop it. Because the first match wins, a narrow Allow rule placed below a broader Drop rule never takes effect; place specific exceptions above general rules.

By default, the following two CGW firewall rules are provided:

Name                | Sources | Destinations | Services | Applied To           | Action | Modifiable
Default VTI Rule    | Any     | Any          | Any      | VPN Tunnel Interface | Drop   | Yes
Default uplink rule | Any     | Any          | Any      | All Uplinks          | Drop   | No

Create a firewall rule

  1. Log on to the VMware NSX console. For more information, see Log on to a dedicated VMware environment.

  2. On the Security page, click Gateway Firewall in the left-side navigation pane. On the Gateway Firewall page, click the Compute Gateway tab.

  3. Click ADD RULE and specify a name for the new rule.

  4. Configure parameters for the new rule.

    Parameters are initially set to their default values. For example, the Sources and Destinations parameters are initially set to Any. If you want to modify a parameter value, move the pointer over the parameter value and click the pencil icon to go to the corresponding configuration page.

    Parameter: Sources
    Description: Click Any in the Sources column, and select a group for the source traffic or click ADD GROUP to create a custom group for the rule. Then, click APPLY.

    Parameter: Destinations
    Description: Click Any in the Destinations column, and select a group for the destination traffic or click ADD GROUP to create a custom group for the rule. Then, click APPLY.

    Parameter: Services
    Description: Click Any in the Services column, and select a service from the list or click ADD SERVICE to create a custom service for the rule. Then, click APPLY.

    Parameter: Applied To
    Description: Select the uplink interface that carries the traffic to which the rule applies. Valid values:

    1. All Uplinks

    2. Internet Interface

    3. Intranet Interface

    4. Services Interface

    5. VPN Tunnel Interface

    Parameter: Action
    Description: Select one of the following actions:

    1. Allow: VMware NSX forwards packets that match the source, destination, and service specified in the rule.

    2. Drop: VMware NSX silently discards packets that match the source, destination, and service specified in the rule. Neither the source nor the destination is notified. Because the source receives no response, it keeps retrying the connection until its own retry limit or timeout is reached.

    3. Reject: VMware NSX discards packets that match the source, destination, and service specified in the rule and notifies the source that the destination is unreachable. For TCP, the source receives a TCP Reset (RST) segment. For UDP, Internet Control Message Protocol (ICMP), and other IP protocols, the source receives an ICMP Destination Unreachable message with code 9 or 10 (communication administratively prohibited). The source learns of the failure immediately and does not retry, which makes Reject friendlier to legitimate clients but tells a probing attacker that a firewall is in the path.

    Note

    By default, the new rule is enabled. To disable the rule, turn off the switch.

  5. Click PUBLISH to create the rule.

Change the order of firewall rules

A newly created rule is displayed at the top of the rule list. VMware NSX matches network traffic with firewall rules in order from top to bottom of the rule list. To change the position of a rule in the list, select the rule and drag it to a new position. Then, click PUBLISH to make the change take effect.
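The first-match evaluation described above, together with the Drop and Reject behavior described under Action, as an added Python model. It is not part of this page and is not VMware NSX code: it replays a CGW rule list top to bottom against the two default rules, reports what the sender observes for each action, and shows that dragging a narrow Allow rule below a broad Drop rule on the same interface shadows it. The rule names, the 203.0.113.0/24 and 10.0.1.0/24 ranges, and the "PROTO/PORT" service notation are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Uplink interface names as they appear in the Applied To column.
ALL_UPLINKS = "All Uplinks"
INTERNET = "Internet Interface"
INTRANET = "Intranet Interface"
SERVICES = "Services Interface"
VTI = "VPN Tunnel Interface"


@dataclass
class Rule:
    name: str
    sources: list        # CIDR strings, or ["Any"]
    destinations: list   # CIDR strings, or ["Any"]
    services: list       # constructed "PROTO/PORT" strings such as "TCP/443", or ["Any"]
    applied_to: str      # one of the uplink names above
    action: str          # "Allow", "Drop" or "Reject"
    enabled: bool = True


# The two rules the page lists as present by default; they are consulted last.
DEFAULT_RULES = [
    Rule("Default VTI Rule", ["Any"], ["Any"], ["Any"], VTI, "Drop"),
    Rule("Default uplink rule", ["Any"], ["Any"], ["Any"], ALL_UPLINKS, "Drop"),
]


def _match_addr(addr, cidrs):
    if cidrs == ["Any"]:
        return True
    ip = ip_address(addr)
    return any(ip in ip_network(c, strict=False) for c in cidrs)


def _match_service(proto, port, services):
    if services == ["Any"]:
        return True
    for svc in services:
        svc_proto, _, svc_port = svc.partition("/")
        if svc_proto.upper() == proto.upper() and svc_port in ("", "Any", str(port)):
            return True
    return False


def _applies(rule_scope, uplink):
    # Per the page, All Uplinks covers every uplink except the VPN Tunnel Interface.
    return rule_scope == uplink or (rule_scope == ALL_UPLINKS and uplink != VTI)


def _matches(rule, uplink, src, dst, proto, port):
    return (rule.enabled and _applies(rule.applied_to, uplink)
            and _match_addr(src, rule.sources) and _match_addr(dst, rule.destinations)
            and _match_service(proto, port, rule.services))


def evaluate(rules, uplink, src, dst, proto, port):
    """Return (rule name, action) of the first matching rule, top to bottom.

    The default rules follow the custom rules and match everything on their
    interface, so some rule always answers and the fall-through is a Drop.
    """
    for rule in list(rules) + DEFAULT_RULES:
        if _matches(rule, uplink, src, dst, proto, port):
            return rule.name, rule.action
    raise AssertionError("default rules should have matched")


def shadowed(rules, uplink, src, dst, proto, port):
    """Names of custom rules below the winner that would also have matched this flow."""
    winner, _ = evaluate(rules, uplink, src, dst, proto, port)
    below_winner = False
    names = []
    for rule in rules:
        if rule.name == winner:
            below_winner = True
        elif below_winner and _matches(rule, uplink, src, dst, proto, port):
            names.append(rule.name)
    return names


def sender_observes(action, proto):
    """What the source host sees for each action, as described under Action."""
    if action == "Allow":
        return "packet forwarded"
    if action == "Drop":
        return "no response; sender retries until its own limit or timeout"
    if proto.upper() == "TCP":
        return "TCP RST"
    return "ICMP destination unreachable, code 9 or 10 (administratively prohibited)"


if __name__ == "__main__":
    # Constructed sample: an office range (TEST-NET-3) reaching a workload subnet over HTTPS.
    allow_web = Rule("Allow office to web", ["203.0.113.0/24"], ["10.0.1.0/24"], ["TCP/443"], INTERNET, "Allow")
    drop_inbound = Rule("Drop Internet inbound", ["Any"], ["10.0.1.0/24"], ["Any"], INTERNET, "Drop")
    flow = (INTERNET, "203.0.113.5", "10.0.1.10", "TCP", 443)
    print("Drop above Allow:", evaluate([drop_inbound, allow_web], *flow),
          "shadowed:", shadowed([drop_inbound, allow_web], *flow))
    print("Allow above Drop:", evaluate([allow_web, drop_inbound], *flow))
    print("No custom rules:", evaluate([], *flow), "->", sender_observes("Drop", "TCP"))
```

Run `shadowed()` against the flows a rule is meant to permit before you click PUBLISH: if the Allow rule's name comes back, the rule is below something broader and needs to be dragged up, exactly the reordering step this section describes.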