Hi, all
In Edge (ESG), there is a Firewall tab under Manage.
And I found that the "firewall (Source vse -> Destination any, Service any, Action Accept)" rule has gone when I clicked the Disable button.
Q1) What does vse actually include?
Q2) I found there is no traffic impact even if I click the Disable button. Is that right?
Before clicking the Disable button.
After clicking the Disable button, the firewall rule has gone.
Thank you
Q1) Not an expert on vShield, but I think "vse" stands for vShield Edge. Google seems to confirm this (also keep in mind that NSX is a combination of Nicira and vShield products, so it makes sense). This would imply that this rule allows all traffic related to the Edge itself to go anywhere.
Q2) Yes, that is correct. As you can see, the default rule is set to allow all traffic to flow, which is of course basically the same thing as not having a firewall at all (or disabling it).
Hi
Q1) What does vse include it actually?
vse is one of the objects under vNIC Group. vse most likely stands for vShield Edge, but it is essentially an object used to specify that the source/destination is the traffic generated by the Edge Gateway.
Select an object from the drop-down and then make the appropriate selections.
If you select vNIC Group and then select vse, the rule applies to traffic generated by the NSX Edge.
Some of the rules in your screenshot are normally created as part of the auto rule configuration:
Change Auto Rule Configuration
If auto rule generation is enabled, NSX Edge adds firewall, NAT, and routing routes to enable control traffic to flow for these services. If auto rule generation is not enabled, you must manually add firewall, NAT, and routing configuration to allow control channel traffic for NSX Edge services such as Load Balancing, VPN, etc.
Q2) I found there is no traffic impact even if I clicked Disable button. Is that right?
I would say it depends.
Some stateful service features depend on the Firewall, such as Load Balancer and NAT.
So make sure you don't have any features that depend on the Firewall service, else those features might not work,
and ECMP requires the Firewall to be disabled.
Stateful services such as NAT do not work with ECMP.
A vNIC Group of vse in the Edge Firewall configuration refers to any traffic sourced from the Edge itself (syslog, DNS relay etc).
I can see we can configure "vse" as the destination in a firewall rule (example in the VMware doc),
so it looks like vse is not only for outbound traffic generated by the ESG.
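The two points raised above, that vse can sit on either side of a rule and that disabling the Edge firewall only matters when a dependent service (Load Balancer, NAT) or ECMP is in play, can be checked mechanically from an Edge configuration export. The script below is an added example and not code from the thread or from VMware; the XML layout it parses is an assumption modelled on the NSX-v Edge API's firewall shape (firewallRule elements with vnicGroupId children), and the sample document is constructed for this example rather than taken from a real Edge.

```python
"""Inspect an NSX Edge (ESG) config export for 'vse' rules and firewall dependencies.

Added example, not code from the original thread. The XML shape is an assumption
modelled on the NSX-v Edge API (firewallRule / source / destination / vnicGroupId);
the document below is constructed sample input, not a real Edge export.
"""
import xml.etree.ElementTree as ET

# Constructed sample: firewall disabled, one auto rule with vse as source,
# one user rule with vse as destination, Load Balancer enabled, NAT and ECMP off.
SAMPLE_EDGE_XML = """<edge>
  <id>edge-1</id>
  <features>
    <firewall>
      <enabled>false</enabled>
      <defaultPolicy><action>accept</action></defaultPolicy>
      <firewallRules>
        <firewallRule>
          <name>firewall</name>
          <ruleType>internal_high</ruleType>
          <source><vnicGroupId>vse</vnicGroupId></source>
          <action>accept</action>
        </firewallRule>
        <firewallRule>
          <name>mgmt-to-vse</name>
          <ruleType>user</ruleType>
          <source><ipAddress>10.0.0.0/24</ipAddress></source>
          <destination><vnicGroupId>vse</vnicGroupId></destination>
          <action>accept</action>
        </firewallRule>
        <firewallRule>
          <name>default rule for ingress traffic</name>
          <ruleType>default_policy</ruleType>
          <action>accept</action>
        </firewallRule>
      </firewallRules>
    </firewall>
    <loadBalancer><enabled>true</enabled></loadBalancer>
    <nat><enabled>false</enabled></nat>
    <routing><routingGlobalConfig><ecmp>false</ecmp></routingGlobalConfig></routing>
  </features>
</edge>"""


def _flag(elem, path):
    """Return True if the element at `path` holds the text 'true' (missing -> False)."""
    node = elem.find(path)
    return node is not None and (node.text or "").strip().lower() == "true"


def vse_rules(xml_text):
    """List every firewall rule that references the vse vNIC group, on either side.

    Each entry records the rule name, which side(s) carry vse, and the action,
    so a reviewer can see at a glance which rules govern Edge-originated traffic
    (vse as source) and which govern traffic aimed at the Edge itself (vse as destination).
    """
    root = ET.fromstring(xml_text)
    found = []
    for rule in root.iter("firewallRule"):
        sides = [
            side for side in ("source", "destination")
            if any((g.text or "").strip() == "vse"
                   for g in rule.findall(f"{side}/vnicGroupId"))
        ]
        if sides:
            found.append({
                "name": rule.findtext("name", ""),
                "sides": sides,
                "action": rule.findtext("action", ""),
            })
    return found


def check_edge(xml_text):
    """Report firewall/LB/NAT/ECMP state and warn about the combinations the thread flags."""
    root = ET.fromstring(xml_text)
    state = {
        "firewall": _flag(root, "./features/firewall/enabled"),
        "load_balancer": _flag(root, "./features/loadBalancer/enabled"),
        "nat": _flag(root, "./features/nat/enabled"),
        "ecmp": _flag(root, "./features/routing/routingGlobalConfig/ecmp"),
        "warnings": [],
    }
    if not state["firewall"]:
        # Stateful services rely on the Edge firewall; with it disabled they may not work.
        for label, key in (("Load Balancer", "load_balancer"), ("NAT", "nat")):
            if state[key]:
                state["warnings"].append(
                    f"{label} is enabled but the Edge firewall is disabled; "
                    f"{label} depends on the firewall service")
    if state["ecmp"] and state["firewall"]:
        state["warnings"].append(
            "ECMP is enabled but the Edge firewall is still enabled; ECMP requires the firewall disabled")
    if state["ecmp"] and state["nat"]:
        state["warnings"].append("ECMP and NAT are both enabled; stateful NAT does not work with ECMP")
    return state


if __name__ == "__main__":
    for rule in vse_rules(SAMPLE_EDGE_XML):
        print(f"vse rule: {rule['name']!r} on {', '.join(rule['sides'])} -> {rule['action']}")
    for warning in check_edge(SAMPLE_EDGE_XML)["warnings"]:
        print("WARNING:", warning)
```

On a real deployment the same checks would run over the Edge document returned by NSX Manager's edge GET (for NSX-v, `GET /api/4.0/edges/<edgeId>`); the element paths above are only guaranteed for the constructed sample, so confirm them against your own export before relying on the result.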