On ESGs you can only create firewall rules on internal (downstream) or external (uplink) interfaces.
If you select vNIC Group and then select vse, the rule applies to traffic generated by the NSX Edge. If you select internal or external, the rule applies to traffic coming from any internal or uplink interface of the selected NSX Edge instance. The rule is automatically updated when you configure additional interfaces. Note that firewall rules on internal interfaces do not work for a Logical Router.
For more information, please check this: Add an NSX Edge Firewall Rule
Sorry, I might not have been clear.
On an Edge Service Gateway, rules can only be applied to internal and external interfaces.
Yacudzer, you cannot create any firewall rule for a sub interface on the Edge, as mentioned by VMware: "A sub interface cannot be used for HA or Logical Firewall. You can, however, use the IP address of the sub interface in a firewall rule." But for a trunk you can create a firewall and select from the vNIC Group the interface name you entered when you were configuring the trunk interface in the interface tab.
Firewall vNIC Group Drop menu
This is how you can do it. But let me ask you, why do you want to do this? We can find a different solution that is easier and more supportable. Share your business requirement or the design you want to go with, and let's think it through together.
I hope this answers your question, and I hope that this becomes an answer or helpful comment for you. Also, for more details and more information, just follow my blog http://www.syncgates.com.