OptimalDesign
Enthusiast

Disable firewall in Edge (ESG)

Hi all,

In Edge (ESG), there is a Firewall tab under Manage.

And I found that the "firewall (Source vse -> Destination any, Service any, Action Accept)" rule is gone after I click the Disable button.

Q1) What does vse actually include?

Q2) I found there is no traffic impact even after I clicked the Disable button. Is that right?

Before clicking the Disable button:

Before_disable_Firewall.jpg

After clicking the Disable button, the firewall rule is gone:

After_disable_firewall.jpg

Thank you

4 Replies
hansroeder
Enthusiast

Q1) Not an expert on vShield, but I think "vse" stands for vShield Edge. Google seems to confirm this (also keep in mind that NSX is a combination of Nicira and vShield products, so it makes sense). This would imply that this rule allows all traffic related to the Edge itself to go anywhere.

Q2) Yes, that is correct. As you can see, the default rule is set to allow all traffic to flow, which is of course basically the same thing as not having a firewall at all (or disabling it).

bayupw
Leadership

Hi,

Q1) What does vse actually include?

vse is one of the objects under vNIC Group. vse most likely stands for vShield Edge, but it is essentially an object to specify that the source/destination is the traffic generated by the Edge Gateway.

Add an NSX Edge Firewall Rule

Select an object from the drop-down and then make the appropriate selections.

If you select vNIC Group and then select vse, the rule applies to traffic generated by the NSX Edge.

pastedImage_2.png

Some of the rules in your screenshot are normally created as part of the auto rule configuration.

Change Auto Rule Configuration

If auto rule generation is enabled, NSX Edge adds firewall, NAT, and routing routes to enable control traffic to flow for these services. If auto rule generation is not enabled, you must manually add firewall, NAT, and routing configuration to allow control channel traffic for NSX Edge services such as Load Balancing, VPN, etc.

pastedImage_16.png

Q2) I found there is no traffic impact even after I clicked the Disable button. Is that right?

I would say it depends.

Some stateful service features, such as Load Balancer and NAT, are dependent on the Firewall.

So make sure you don't have any features that depend on the Firewall service, else those features might not work.

And ECMP requires the Firewall to be disabled.

Specify Global Configuration

Stateful services such as NAT do not work with ECMP.

Bayu Wibowo | VCIX6-DCV/NV Author of VMware NSX Cookbook http://bit.ly/NSXCookbook https://github.com/bayupw/PowerNSX-Scripts https://nz.linkedin.com/in/bayupw | twitter @bayupw
rbudavari
VMware Employee

A vNIC Group of vse in the Edge Firewall configuration refers to any traffic sourced from the Edge itself (syslog, DNS relay etc).

davidwzhang
Contributor

I can see we can configure "vse" as the destination in a firewall rule (example in the VMware doc).

It looks like vse is not only for outbound traffic generated by the ESG.

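The following is an added example, not code from any post in this thread or from VMware. It turns bayupw's "it depends" answer and davidwzhang's note that vse can also be a destination into an offline pre-check you can run before pressing Disable: it parses an Edge firewall config, lists the rules in which the vNIC group vse is the source or the destination, and reports whether disabling the firewall changes any filtering and whether a dependent service (NAT, Load Balancer) or ECMP is in play. Assumptions: the XML shape and the vnicGroupId values follow what NSX-v 6.x returns for GET /api/4.0/edges/{edgeId}/firewall/config (my recollection of that schema, not copied from a live system); both XML documents are constructed samples; the NAT/LB/ECMP flags are passed in by hand because they live in other API objects.

```python
import xml.etree.ElementTree as ET

# Constructed samples modelled on NSX-v 6.x GET /api/4.0/edges/{edgeId}/firewall/config
# (element names and vnicGroupId values are an assumption about that schema).
# Sample 1: what the original screenshot shows: the auto-generated 'firewall' rule
# (source vNIC group vse) plus an accept default policy.
SAMPLE_ACCEPT_ALL_XML = """<firewall>
  <enabled>true</enabled>
  <defaultPolicy><action>accept</action></defaultPolicy>
  <firewallRules>
    <firewallRule>
      <id>131074</id><name>firewall</name><ruleType>internal_high</ruleType>
      <enabled>true</enabled><action>accept</action>
      <source><exclude>false</exclude><vnicGroupId>vse</vnicGroupId></source>
    </firewallRule>
    <firewallRule>
      <id>131075</id><name>default rule for ingress traffic</name>
      <ruleType>default_policy</ruleType><enabled>true</enabled><action>accept</action>
    </firewallRule>
  </firewallRules>
</firewall>
"""

# Sample 2: a user rule with vse as the *destination* (management subnet -> the
# Edge itself on TCP/22) behind a deny default policy.
SAMPLE_DENY_DEFAULT_XML = """<firewall>
  <enabled>true</enabled>
  <defaultPolicy><action>deny</action></defaultPolicy>
  <firewallRules>
    <firewallRule>
      <id>1001</id><name>mgmt-to-edge-ssh</name><ruleType>user</ruleType>
      <enabled>true</enabled><action>accept</action>
      <source><ipAddress>10.0.0.0/24</ipAddress></source>
      <destination><vnicGroupId>vse</vnicGroupId></destination>
      <application><service><protocol>tcp</protocol><port>22</port></service></application>
    </firewallRule>
  </firewallRules>
</firewall>
"""


def parse_firewall(xml_text):
    """Reduce the firewall config XML to the fields this check needs."""
    root = ET.fromstring(xml_text)
    rules = []
    for r in root.iter("firewallRule"):
        rules.append({
            "id": r.findtext("id"),
            "name": r.findtext("name"),
            "type": r.findtext("ruleType"),
            "enabled": r.findtext("enabled") == "true",
            "action": r.findtext("action"),
            # vNIC group objects on either side; 'vse' means the Edge appliance itself
            "src_groups": [e.text for e in r.findall("source/vnicGroupId")],
            "dst_groups": [e.text for e in r.findall("destination/vnicGroupId")],
        })
    return {
        "enabled": root.findtext("enabled") == "true",
        "default_action": root.findtext("defaultPolicy/action"),
        "rules": rules,
    }


def rules_touching_vse(cfg):
    """Rules where the Edge itself is the source or the destination."""
    return [r for r in cfg["rules"]
            if "vse" in r["src_groups"] or "vse" in r["dst_groups"]]


def disable_impact(cfg, nat_enabled=False, lb_enabled=False, ecmp_enabled=False):
    """Findings to read before pressing Disable; service flags come from other API objects."""
    findings = []
    active = [r for r in cfg["rules"] if r["enabled"]]
    if cfg["default_action"] == "accept" and all(r["action"] == "accept" for r in active):
        findings.append("every enabled rule and the default policy accept: the firewall "
                        "filters nothing, so disabling it changes no data-plane filtering")
    else:
        findings.append("a rule or the default policy denies traffic: disabling the "
                        "firewall opens those paths")
    for service, on in (("NAT", nat_enabled), ("Load Balancer", lb_enabled)):
        if on:
            findings.append(f"{service} is enabled and depends on the Edge firewall "
                            "service: disabling the firewall may break it")
    if ecmp_enabled and cfg["enabled"]:
        findings.append("ECMP is enabled while the firewall is on: NSX requires the "
                        "firewall disabled for ECMP, so disabling is expected here")
    return findings


if __name__ == "__main__":
    for xml_text in (SAMPLE_ACCEPT_ALL_XML, SAMPLE_DENY_DEFAULT_XML):
        cfg = parse_firewall(xml_text)
        print("firewall enabled:", cfg["enabled"], "default:", cfg["default_action"])
        for r in rules_touching_vse(cfg):
            side = "source" if "vse" in r["src_groups"] else "destination"
            print(f"  rule {r['id']} {r['name']!r} ({r['type']}): vse is the {side}")
        for finding in disable_impact(cfg, nat_enabled=True):
            print("  -", finding)
```

On a real system you would feed parse_firewall the body of the GET above and set the three flags from the NAT, load balancer and routing config objects; the check itself is the same. The second sample is the case davidwzhang points out: vse on the destination side, where disabling the firewall also removes the only path the deny default policy was restricting.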