Configurar el NSX Edge Firewall (EN)

creating firewall rules

Last updated 25th November 2021


The NSX firewall service restricts or allows network traffic based on rules applied to network nodes or groups.

This guide explain how to create rules.



Interface access

In the vSphere interface menu, go to the Networking and Security dashboard.


On the left side, navigate to the NSX Edges section then click on the appliance you're setting up.


The Firewall tab shows the status with a simple button to stop or start the service.

Any change made will need to be published to be validated, so you will not shut down the service at the single push of a button.


Firewall Rules

The basics of a firewall rule is to manage identified service(s) from specified source(s) to specified destination(s).

Click on + Add Rule.

The new rule shows with:

  • An activation slider
  • A selection box for specific actions (order change, deletion...)
  • Name
  • ID
  • Type
  • Source
  • Destination
  • Service
  • Action
  • Log slider
  • Advanced settings


By default, rules have Any as source and destination, meaning it encompasses all traffic. To avoid security issues, it is best practices to avoid broad targets.

Name the rule by clicking the Name field. ID and Type fields are automatically populated.


The source field defines the origin of the traffic.

Hover over the field and click on the pencil icon. You can add objects and/or IP addresses as needed.

If "Negate Source" is turned on, the rule is applied to all sources except for the sources selected.

Click Save when ready.




The destination field defines the target of the traffic.

Hover over the field and click on the pencil icon. You have the same choices for destination as you had for source.

If "Negate Source" is turned on, the rule is applied to all destinations except for the destinations selected.

Click Save when ready.




The service field defines the type of traffic aimed at.

Hover over the field and click on the pencil icon. You have the choice between using existing services and groups or add raw ports/protocols.

Clicking on an existing service or group will show you a description with the ports and protocols involved.

Click Save when ready.





The action field defines how to handle the traffic.

You have three possible options to choose from:

  • Accept: The traffic will go through.
  • Deny: The traffic will be blocked with no further communication.
  • Reject: The traffic will be blocked and a "port unreachable" message will be sent to the source.



The log slider allows you to keep a journal of events on the rule.

Advanced Settings

Aside from a comments section and a statistics section, the advanced settings section allows you to define if the target traffic is inbound, outbound or both. In case of NAT traffic, you can choose if the rule applies to the original or translated source.


Rules priorities

Once the rule is set up, you see it in the list. The number of the rule in the list defines its priority.

Rules are applied from top to bottom.
The first rule that matches the traffic overrides all the other rules below.
That means that in the case of conflicting rules, the rule with the highest priority (lowest number) will be applied.

You can modify the rule order by selecting a rule and using the up and down arrows.


Publishing rules

No creation/modification of a rule will be registered until you click the Publish button.



Go further

Join our community of users on

¿Le ha resultado útil esta guía?

Si lo desea, también puede enviarnos sus sugerencias para ayudarnos a mejorar nuestra documentación.

Imágenes, contenido, estructura...: ayúdenos a mejorar nuestra documentación con sus sugerencias.

No podemos tratar sus solicitudes de asistencia a través de este formulario. Para ello, haga clic en "Crear un tíquet" .

¡Gracias! Tendremos en cuenta su opinión.

Otras guías que podrían interesarle...

OVHcloud Community

¡Acceda al espacio de la OVHcloud Community! Resuelva sus dudas, busque información, publique contenido e interactúe con otros miembros de la comunidad.

Discuss with the OVHcloud community

A partir del 1 de enero de 2015, con arreglo a la Directiva 2006/112/CE modificada, los precios IVA incluido pueden variar según el país de residencia del cliente (por defecto, los precios con IVA incluyen el IVA español vigente).