The default FirewallService in an EdgeGatewayServiceConfiguration is enabled and configured to block all incoming traffic. You can modify that FirewallService to allow incoming traffic, block outgoing traffic, or both.

A FirewallService configuration has three parts: a DefaultAction that applies to packets no rule matches, an ordered list of FirewallRule elements, and the logging settings for rules and for the default action.

Each firewall rule specifies a protocol, source and destination IP addresses, and source and destination ports. Packets that match all the criteria in the rule are subject to the action defined in the Policy element of the rule. The action can forward the packet to the destination IP address and port, or drop it and optionally log a message describing the packet that was dropped. Packets that do not match any rule are subject to the policy contained in the DefaultAction element of the FirewallService.

Firewall rule actions can be logged to the system syslog server, and optionally to a syslog server you create and manage. When you specify a value of true in the EnableLogging element of a FirewallRule, all packets that trigger that rule are logged to the system syslog server. Logging of packets that match no rule and therefore receive the DefaultAction is controlled separately, by the LogDefaultAction element of the FirewallService.

To log firewall rule messages from this Edge Gateway to your own syslog server in addition to the system syslog server, add a SyslogServerSettings element to the Edge Gateway's Configuration element and specify your syslog server's IP address in the SyslogServerIp element of its TenantSyslogServerSettings.

The elements of a FirewallRule specify the protocols, the source and destination ports, and the source and destination IP addresses to which the rule applies.

This fragment of an EdgeGatewayServiceConfiguration defines a firewall service with two rules: one that allows incoming SSH connections, and one that drops incoming Telnet connections. These rules apply to any virtual machine that connects to a network backed by this Edge Gateway. Each rule is defined in a FirewallRule element, and can include the following specifications:

Policy

The default policy value, allow, causes the firewall to forward packets that match the rule. Specify drop to drop packets that match the rule.

Protocols

By default, a rule applies to both UDP and TCP protocols. You can limit the rule to one protocol or the other by including Tcp and Udp elements in Protocols and specifying a value of true or false for each.

SourcePortRange

Specify a source port or port range, or set to any to match any port.

DestinationPortRange

Specify a destination port or port range, or set to any to match any port.

SourceIp

Specify a source IP address, or use one of the strings shown in SourceIp and DestinationIp Values.

SourceIp and DestinationIp Values

Value      Result

Any        Matches any IP address.

Internal   Matches any IP address originating on an organization VDC network connected to this EdgeGateway. When used in a vApp network, matches any IP address assigned to a virtual machine in the vApp.

External   Matches any IP address originating on an external network connected to this EdgeGateway. When used in a vApp network, matches any IP address except those assigned to a virtual machine in the vApp.

DestinationIp

Specify a destination IP address, or use one of the strings shown in SourceIp and DestinationIp Values.

EnableLogging

Set to true to log all packets that trigger this rule. See Firewall Rule Logging.

Rules are applied to packets in the order in which the FirewallRule elements appear in the FirewallService definition. The first rule that matches a packet decides it; later rules are not consulted, and a packet that matches no rule receives the DefaultAction.

Note

The system assigns an Id value to each rule you create and uses these values when logging rule actions.

<FirewallService>
   <IsEnabled>true</IsEnabled>
   <DefaultAction>allow</DefaultAction>
   <LogDefaultAction>false</LogDefaultAction>
   <FirewallRule>
      <IsEnabled>true</IsEnabled>
      <Description>allow incoming ssh</Description>
      <Policy>allow</Policy>
      <Protocols>
         <Tcp>true</Tcp>
      </Protocols>
      <DestinationPortRange>22</DestinationPortRange>
      <DestinationIp>Internal</DestinationIp>
      <SourcePortRange>Any</SourcePortRange>
      <SourceIp>External</SourceIp>
      <EnableLogging>false</EnableLogging>
   </FirewallRule>
   <FirewallRule>
      <IsEnabled>true</IsEnabled>
      <Description>deny incoming telnet</Description>
      <Policy>drop</Policy>
      <Protocols>
         <Tcp>true</Tcp>
      </Protocols>
      <DestinationPortRange>23</DestinationPortRange>
      <DestinationIp>Internal</DestinationIp>
      <SourcePortRange>Any</SourcePortRange>
      <SourceIp>External</SourceIp>
      <EnableLogging>false</EnableLogging>
   </FirewallRule>
</FirewallService>

This fragment sets DefaultAction to allow, so the drop rule closes only TCP port 23 from External sources; any other incoming packet that matches neither rule is forwarded. To deny incoming traffic other than SSH, set DefaultAction to drop and add explicit allow rules for the traffic the Edge Gateway must pass. You can see this fragment in the context of an Edge Gateway configuration in Example: Configure Services on an Edge Gateway.
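The following script is an added example, not code from the vCloud Director documentation or product. It parses the FirewallService fragment above (embedded as a constructed string) and evaluates sample packets against it with the semantics the text describes: rules are tried in document order, the first rule whose protocol, ports and addresses all match decides the packet through its Policy, and a packet that matches no rule gets the DefaultAction. It also runs the check a reviewer would make on this fragment: with DefaultAction set to allow, a drop rule closes only the ports it names. The address plan (which network counts as Internal), the treatment of a disabled FirewallService, the dash syntax for port ranges, and the reading of an absent Tcp or Udp child as false are all assumptions and are marked in the code.

```python
"""Evaluate a vCloud Director FirewallService fragment against sample packets.
Added example; the matching rules below are a model of the documented behaviour,
not the Edge Gateway's actual implementation."""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed copy of the fragment from the page (whitespace compacted).
FRAGMENT = """<FirewallService>
  <IsEnabled>true</IsEnabled><DefaultAction>allow</DefaultAction>
  <LogDefaultAction>false</LogDefaultAction>
  <FirewallRule><IsEnabled>true</IsEnabled><Description>allow incoming ssh</Description>
    <Policy>allow</Policy><Protocols><Tcp>true</Tcp></Protocols>
    <DestinationPortRange>22</DestinationPortRange><DestinationIp>Internal</DestinationIp>
    <SourcePortRange>Any</SourcePortRange><SourceIp>External</SourceIp>
    <EnableLogging>false</EnableLogging></FirewallRule>
  <FirewallRule><IsEnabled>true</IsEnabled><Description>deny incoming telnet</Description>
    <Policy>drop</Policy><Protocols><Tcp>true</Tcp></Protocols>
    <DestinationPortRange>23</DestinationPortRange><DestinationIp>Internal</DestinationIp>
    <SourcePortRange>Any</SourcePortRange><SourceIp>External</SourceIp>
    <EnableLogging>false</EnableLogging></FirewallRule>
</FirewallService>"""

# Assumption: the organization VDC network behind this Edge Gateway. Addresses in
# it are "Internal"; every other address is "External".
INTERNAL_NETS = [ipaddress.ip_network("10.10.0.0/24")]


def load_service(xml_text):
    """Parse a FirewallService fragment into an Element."""
    return ET.fromstring(xml_text)


def _text(elem, tag, default=None):
    """Text of a child element, or default when the child is absent or empty."""
    child = elem.find(tag)
    value = (child.text or "").strip() if child is not None else ""
    return value or default


def _is_true(elem, tag, default="false"):
    return _text(elem, tag, default).lower() == "true"


def port_matches(spec, port):
    """'Any' matches every port; '22' one port; '1024-2048' (assumed syntax) is inclusive."""
    if spec is None or spec.lower() == "any":
        return True
    if "-" in spec:
        low, high = (int(p) for p in spec.split("-", 1))
        return low <= port <= high
    return int(spec) == port


def ip_matches(spec, ip):
    """Resolve the Any/Internal/External keywords, or an explicit address or CIDR."""
    if spec is None or spec.lower() == "any":
        return True
    addr = ipaddress.ip_address(ip)
    internal = any(addr in net for net in INTERNAL_NETS)
    if spec.lower() == "internal":
        return internal
    if spec.lower() == "external":
        return not internal
    return addr in ipaddress.ip_network(spec, strict=False)


def protocol_matches(rule, proto):
    """No Protocols element: rule applies to both TCP and UDP. Otherwise the Tcp or Udp
    child must be present and true (assumption: an absent child counts as false)."""
    protocols = rule.find("Protocols")
    if protocols is None:
        return proto in ("tcp", "udp")
    return _is_true(protocols, proto.capitalize())


def evaluate(service, proto, src_ip, src_port, dst_ip, dst_port):
    """Return (action, rule_index, logged). rule_index is None when DefaultAction applied."""
    if not _is_true(service, "IsEnabled", "true"):
        return ("allow", None, False)  # assumption: a disabled service filters nothing
    for index, rule in enumerate(service.findall("FirewallRule")):
        if not _is_true(rule, "IsEnabled", "true"):
            continue  # disabled rules are skipped but keep their position
        if (protocol_matches(rule, proto)
                and port_matches(_text(rule, "SourcePortRange"), src_port)
                and port_matches(_text(rule, "DestinationPortRange"), dst_port)
                and ip_matches(_text(rule, "SourceIp"), src_ip)
                and ip_matches(_text(rule, "DestinationIp"), dst_ip)):
            return (_text(rule, "Policy", "allow"), index, _is_true(rule, "EnableLogging"))
    return (_text(service, "DefaultAction"), None, _is_true(service, "LogDefaultAction"))


def audit(service):
    """Flag a DefaultAction of allow: every drop rule then closes only the ports it names."""
    findings = []
    if _text(service, "DefaultAction", "").lower() == "allow":
        drops = [_text(r, "Description", "?") for r in service.findall("FirewallRule")
                 if _text(r, "Policy", "allow").lower() == "drop"]
        if drops:
            findings.append("DefaultAction is allow; drop rules %s close only the ports "
                            "they name, all other incoming traffic is forwarded" % drops)
    return findings


if __name__ == "__main__":
    svc = load_service(FRAGMENT)
    for pkt in [("tcp", "203.0.113.7", 40000, "10.10.0.20", 22),   # ssh: rule 0, allow
                ("tcp", "203.0.113.7", 40000, "10.10.0.20", 23),   # telnet: rule 1, drop
                ("udp", "203.0.113.7", 40000, "10.10.0.20", 23),   # no Udp child: default
                ("tcp", "203.0.113.7", 40000, "10.10.0.20", 3389)]:  # unlisted: default
        print(pkt, "->", evaluate(svc, *pkt))
    for finding in audit(svc):
        print("audit:", finding)
```

Running the script shows the two cases the fragment's author may not have intended: a UDP packet to port 23 and a TCP packet to port 3389 both fall through to the DefaultAction of allow. Changing the Telnet rule's DestinationPortRange to Any turns the second rule into a catch-all drop for External-to-Internal TCP, and because the SSH allow rule precedes it, SSH still passes; that ordering dependency is exactly what the first-match semantics above describe.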