vCloud Director 5.5.3

Hi

I have a vApp with ~30 VMs. I want to test a situation where two of the VMs in my vApp must communicate through a firewall. Specifically, I want to set up this firewall to only allow the ssh protocol to be used to communicate between these two systems.

Within the vApp, I click the Networking tab, right-click the network used to connect the VMs and select 'Configure Services...'. I click the Firewall tab, select 'Enable firewall', for 'Default action' I select Allow. When I click Ok then Apply, I see that all of my VMs can communicate with each other.  So far, so good.

I again select 'Configure Services...', click the Firewall tab, and click Add to add a specific firewall rule. As an initial test, I want to create a rule that will block all access between two of the VMs in my vApp. In the 'Add Firewall Rule' page, I select/enter:

Enabled [checked]

Name: "Block access between A and B"

Source: 192.168.2.108

Source port: any

Destination: 192.168.2.125

Destination port: any

Protocol: any

Action: Deny

Log network traffic for firewall rule [checked]

I've clicked Ok on the 'Edit Firewall Rule' page, clicked 'OK' on the 'Configure Services...' page, and then clicked 'Apply' on the vApp' 'Networking' page. When I go back into 'Configure services...', Firewall tab, I see that the rule that I created has a green check in the Enabled column.

Yet, when I log in to 192.168.2.108, I'm able to ping 192.168.2.125.

As a test, I clicked the Networking tab, right-clicked the network used to connect the VMs and select 'Configure Services...'. I clicked the Firewall tab, selected 'Enable firewall', for 'Default action' I selected Deny. When I click Ok then Apply, I found that all of the VMs in my vApp could not communicate with each other.  So, I see that the firewall must be functional.

What could I have done wrong to have this not work?  Have I run into a defect in vCD 5.5.3?

Thanks!

tl