The customer ask
I had a customer ask a good question about Distributed Firewall rules and if they’re enforced on NSX Edges. The customer’s interpretation of the two enforcement points made it look like he had to maintain two sets of firewall rules – one set for the Distributed Firewall and the other on each NSX Edge.
The difference in firewalls
The Distributed Firewall is a vNIC-level firewall in the hypervisor kernel that protects each workload. The filter follows the workload wherever it is instantiated and is enforced on the vNIC. The NSX Edge also has a rudimentary firewall that filters on egress and ingress.
Applying rules across all edges
The customer sought to adjust the default Edge firewall rules from a single point. Using the Web Client, browse to Networking & Security > Firewall.
I have made a rule here with:
- SRC IP Set
- DST mgt-sv-01a
- Port RDP
- Action Block
By default this is applied only to the Distributed Firewall once the rule is saved and published.
I need to enforce this across all edges as per the original request. This is done by modifying the Applied To field. Checking the box labelled “Apply this rule on all the Edge Gateways” enforces the rule on every NSX Edge firewall.
Alternatively, you could select only the Edges that are pertinent to a customer or application topology. To do this, leave the all-edges box unchecked and call out the individual Edge objects instead.
The result under the Firewall management panel looks something like this.
To validate that it is applied, browse to the relevant Edge you have enforced the rule on: Networking & Security > NSX Edges and, in this case, double-click on Edge-Gateway-01. Select the Firewall tab. The result should look something like this.
You will find the rule is faithfully represented and enforced on the edge.
If you apply rules to the Distributed Firewall only, they are enforced on ANY workload that matches the criteria across the entire NSX domain, but not on the Edge firewalls. If you want to enforce based on a different object type, such as a Security Group, have a look at this blog entry.
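As an added example (not part of the original post), a small audit script covering both the Applied To choice above and the DFW-only case: it reads a firewall configuration export and reports, per rule, whether it lands on the Distributed Firewall, on all edges, or on individually selected edges, so you can check which rules a given Edge will never enforce. The XML shape is an assumption modelled on the NSX-v firewall config API, and the sample document is constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample shaped like an NSX-v firewall config export; the element
# names are an assumption, and rule 1007 mirrors the post's RDP block rule.
SAMPLE_CONFIG = """<firewallConfiguration>
  <layer3Sections>
    <section name="Default Section Layer3">
      <rule id="1007" disabled="false" logged="true">
        <action>deny</action>
        <appliedToList>
          <appliedTo><name>ALL_EDGES</name><value>ALL_EDGES</value><type>ALL_EDGES</type></appliedTo>
          <appliedTo><name>DISTRIBUTED_FIREWALL</name><value>DISTRIBUTED_FIREWALL</value><type>DISTRIBUTED_FIREWALL</type></appliedTo>
        </appliedToList>
      </rule>
      <rule id="1008" disabled="false" logged="false">
        <action>deny</action>
        <appliedToList>
          <appliedTo><name>Edge-Gateway-01</name><value>edge-1</value><type>Edge</type></appliedTo>
        </appliedToList>
      </rule>
      <rule id="1009" disabled="false" logged="false">
        <action>allow</action>
        <appliedToList>
          <appliedTo><name>DISTRIBUTED_FIREWALL</name><value>DISTRIBUTED_FIREWALL</value><type>DISTRIBUTED_FIREWALL</type></appliedTo>
        </appliedToList>
      </rule>
    </section>
  </layer3Sections>
</firewallConfiguration>"""

def enforcement_points(config_xml):
    """Map each L3 rule id to where it is enforced: 'DFW', 'ALL_EDGES' or 'edge:<id>'."""
    result = {}
    for rule in ET.fromstring(config_xml).iter("rule"):
        points = set()
        for applied in rule.iter("appliedTo"):
            kind, value = applied.findtext("type"), applied.findtext("value")
            if kind == "DISTRIBUTED_FIREWALL":
                points.add("DFW")
            elif kind == "ALL_EDGES":
                points.add("ALL_EDGES")
            elif kind == "Edge":          # an individually selected edge
                points.add("edge:" + value)
        result[rule.get("id")] = points
    return result

def rules_missing_on_edge(config_xml, edge_id):
    """Rule ids that will not be enforced on edge_id (not all-edges, not that edge)."""
    return sorted(rid for rid, pts in enforcement_points(config_xml).items()
                  if "ALL_EDGES" not in pts and "edge:" + edge_id not in pts)
```

Run `rules_missing_on_edge(SAMPLE_CONFIG, "edge-1")` against a real export to list the DFW-only rules that Edge-Gateway-01 will never see.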