The edge gateway includes the following schema for global configuration and default policy.

Use the global settings to configure specific TCP settings and the connection inactivity timeouts. These values cannot be set by using the Advanced Networking Services Web UI.

Use the globalConfig object to change the values from the following defaults:

{
  "distributedFirewall" : {
    "globalConfig" : {
      "tcpPickOngoingConnections" : false,
      "tcpAllowOutOfWindowPackets" : false,
      "tcpSendResetForClosedVsePorts" : true,
      "dropInvalidTraffic" : true,
      "logInvalidTraffic" : false,
      "tcpTimeoutOpen" : 30,
      "tcpTimeoutEstablished" : 3600,
      "tcpTimeoutClose" : 30,
      "udpTimeout" : 60,
      "icmpTimeout" : 10,
      "icmp6Timeout" : 10,
      "ipGenericTimeout" : 120
    }
  }
}

For an example of the schema for the edge gateway firewall, see Example: Request and Response to Get Edge Gateway Firewall Rules.

EDGE GATEWAY FIREWALL CONFIGURATION

| Element | Type | Required | Description |
|---|---|---|---|
| featureType | String | Yes | Identifies the Advanced Networking Services feature. Note: this element is set as "featureType" : "firewall_4.0". This value is required; do not change it. |
| version | Number | Yes | The current version of the edge gateway firewall configuration |
| enabled | Boolean | No | Enables the edge gateway firewall |

GLOBAL CONFIGURATION (globalConfig)

| Element | Type | Required | Description |
|---|---|---|---|
| tcpPickOngoingConnections | Boolean | No | Allows nonintrusive control of TCP connections: ongoing TCP connections are slowed down, which reduces the TCP congestion window |
| tcpAllowOutOfWindowPackets | Boolean | No | Allows the edge gateway firewall to accept packets whose sequence numbers fall outside the sliding window. By default, such packets are dropped; dropping them protects against certain types of attacks. |
| tcpSendResetForClosedVsePorts | Boolean | No | Resets the edge gateway ports if closed so that traffic is allowed through the ports |
| dropInvalidTraffic | Boolean | No | Drops invalid traffic |
| logInvalidTraffic | Boolean | No | Logs invalid traffic |
| tcpTimeoutOpen | Integer | No | Sets the inactivity timeout (seconds) for a TCP connection after the session opens (SYN-SENT, SYN-RCVD states) |
| tcpTimeoutEstablished | Integer | No | Sets the inactivity timeout (seconds) for a TCP connection after the session is established |
| tcpTimeoutClose | Integer | No | Sets the inactivity timeout (seconds) after TCP close (TIME-WAIT, FIN-WAIT states) |
| udpTimeout | Integer | No | Sets the inactivity timeout (seconds) for UDP connections |
| icmpTimeout | Integer | No | Sets the inactivity timeout (seconds) for ICMP connections |
| icmp6Timeout | Integer | No | Sets the inactivity timeout (seconds) for ICMPv6 connections |
| ipGenericTimeout | Integer | No | Sets the inactivity timeout (seconds) for generic IP connections |

DEFAULT POLICY (defaultPolicy)

| Element | Type | Required | Description |
|---|---|---|---|
| action | String | No | Sets the default action for the edge gateway firewall |
| loggingEnabled | Boolean | No | Enables or disables logging. By default, loggingEnabled is set to false. |

You use the following schema to configure and modify user-defined firewall rules that were added to an edge gateway. You cannot edit or delete an auto-generated rule or the default rule.

FIREWALL RULES (firewallRules – Array)

| Element | Type | Required | Description |
|---|---|---|---|
| ruleId | Number | Yes | The ID for the rule. Note: leave this element empty when creating a rule by using the PUT method; the system auto-generates an ID for the rule. |
| ruleTag | Number | No | Specifies user controlled IDs on the edge gateway. Note: the system generates this value; do not change it. |
| name | String | Yes | The name for the rule |
| ruleType | String | Yes | Specifies whether the rule was created by the system as an auto-generated rule or the default rule (internal), or whether it is a local (user) rule. Note: when creating a rule, set ruleType to user, because you cannot create auto-generated rules or the default rule. |
| invalidSource | Boolean | No | Indicates that the element specified in the source was deleted |
| invalidDestination | Boolean | No | Indicates that the element specified in the destination was deleted |
| invalidApplication | Boolean | No | Indicates that the specified application was deleted |
| direction | String | No | Indicates whether the rule controls incoming traffic, outgoing traffic, or both (inout). Note: VMware does not recommend specifying the direction for firewall rules. |
| enabled | Boolean | Yes | Enables or disables the rule. By default, enabled is set to true. |
| loggingEnabled | Boolean | No | Enables logging for the rule. By default, loggingEnabled is set to false. |
| description | String | No | A description of the rule |
| matchTranslated | Boolean | No | When set to true, applies the rule to the translated IP address and services for a NAT rule |
| action | String | Yes | Sets one of the following actions: accept (allows traffic to the specified sources, destinations, or services); deny (blocks traffic from the specified sources, destinations, or services); reject (sends reject messages for unaccepted packets: RST for TCP connections, and ICMP for UDP and other IP connections). By default, the action is set to deny. |

STATISTICS (statistics)

| Element | Type | Required | Description |
|---|---|---|---|
| timestamp | Number | No | When rule logging is enabled, displays the time the rule was modified |
| connectionCount | Number | No | When rule logging is enabled, displays the connection count for the rule |
| packetCount | Number | No | When rule logging is enabled, displays the packet count for the rule |
| byteCount | Number | No | When rule logging is enabled, displays the byte count for the rule |

SOURCE (source)

| Element | Type | Required | Description |
|---|---|---|---|
| exclude | Boolean | No | Excludes a source from the rule |
| ipAddress \| items | Array \| String | No | Source IP address for the rule. You can enter the source in the following formats: IP, IP1-IPN, and CIDR. The firewall supports both IPv4 and IPv6 formats. |
| groupingObjectId \| items | Array \| String | No | Selects one or more IP address grouping objects (IP Sets) available to the edge gateway |
| vnicGroupId \| items | Array \| String | No | Selects one or more vNICs for the rule. You can enter the following values: vnic-index-[0-9], external, or internal. |

DESTINATION (destination)

| Element | Type | Required | Description |
|---|---|---|---|
| exclude | Boolean | No | Excludes a destination from the rule. When set to true, the rule is applied to traffic going to all destinations except the IP addresses specified. |
| ipAddress \| items | Array \| String | No | Destination IP address for the rule. The firewall supports both IPv4 and IPv6 formats. |
| groupingObjectId \| items | Array \| String | No | Selects one or more IP Set objects for the rule, in the format ipset-X |
| vnicGroupId \| items | Array \| String | No | Selects one or more vNICs for the rule |

APPLICATION (application)

| Element | Type | Required | Description |
|---|---|---|---|
| applicationId \| items | Array \| String | No | Specifies an application ID for the rule, in the format application-X |
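The following is an added example, not VMware code, of a pre-flight validator for a user-defined rule before it is sent with PUT. It applies the constraints stated in the firewallRules, source, destination and application tables above: ruleId left empty, ruleType set to user, name, enabled and action present, action one of accept/deny/reject, ipAddress items in IP, IP1-IPN or CIDR form (IPv4 or IPv6), groupingObjectId in the form ipset-X, vnicGroupId one of vnic-index-[0-9], external or internal, and applicationId in the form application-X. The treatment of direction as a warning, and the two sample rules, are this example's own construction.

```python
"""Validate a user-defined edge gateway firewall rule before a PUT.

Added example, not VMware code. Field names, required flags and value
formats follow the schema reference; the checks and sample rules are
this example's own construction.
"""
from __future__ import annotations

import ipaddress
import re

ACTIONS = {"accept", "deny", "reject"}
VNIC_RE = re.compile(r"^(vnic-index-[0-9]|external|internal)$")   # documented values
IPSET_RE = re.compile(r"^ipset-\d+$")                              # ipset-X
APP_RE = re.compile(r"^application-\d+$")                          # application-X


def valid_address_spec(spec: str) -> bool:
    """Accept a single IP, an IP1-IPN range or a CIDR block, IPv4 or IPv6."""
    try:
        if "-" in spec:                      # IP1-IPN: both ends valid, same family, ordered
            lo, hi = (ipaddress.ip_address(part.strip()) for part in spec.split("-", 1))
            return lo.version == hi.version and lo <= hi
        if "/" in spec:                      # CIDR
            ipaddress.ip_network(spec, strict=False)
            return True
        ipaddress.ip_address(spec)           # single address
        return True
    except ValueError:
        return False


def check_endpoint(label: str, endpoint: dict, findings: list[str]) -> None:
    """Validate a source or destination object."""
    if "exclude" in endpoint and not isinstance(endpoint["exclude"], bool):
        findings.append(f"{label}.exclude: must be a boolean")
    for spec in endpoint.get("ipAddress", []):
        if not valid_address_spec(spec):
            findings.append(f"{label}.ipAddress: {spec!r} is not an IP, IP1-IPN range or CIDR")
    for obj in endpoint.get("groupingObjectId", []):
        if not IPSET_RE.match(obj):
            findings.append(f"{label}.groupingObjectId: expected ipset-X, got {obj!r}")
    for vnic in endpoint.get("vnicGroupId", []):
        if not VNIC_RE.match(vnic):
            findings.append(f"{label}.vnicGroupId: expected vnic-index-[0-9], external or internal, got {vnic!r}")


def validate_user_rule(rule: dict) -> list[str]:
    """Return a list of problems; an empty list means the rule is acceptable."""
    findings: list[str] = []
    if rule.get("ruleId") not in (None, ""):
        findings.append("ruleId: leave empty when creating a rule; the system assigns it")
    if not rule.get("name"):
        findings.append("name: required")
    if rule.get("ruleType") != "user":
        findings.append("ruleType: must be 'user'; auto-generated and default rules cannot be created")
    if not isinstance(rule.get("enabled"), bool):
        findings.append("enabled: required boolean")
    if rule.get("action") not in ACTIONS:
        findings.append(f"action: required, one of {sorted(ACTIONS)}")
    if "direction" in rule:
        findings.append("direction: warning, specifying the direction is not recommended")
    for key in ("source", "destination"):
        if key in rule:
            check_endpoint(key, rule[key], findings)
    for app in rule.get("application", {}).get("applicationId", []):
        if not APP_RE.match(app):
            findings.append(f"application.applicationId: expected application-X, got {app!r}")
    return findings


# Constructed sample rules; addresses are from documentation ranges.
GOOD_RULE = {
    "name": "allow-web-from-office",
    "ruleType": "user",
    "enabled": True,
    "loggingEnabled": True,
    "action": "accept",
    "source": {"ipAddress": ["203.0.113.0/24", "2001:db8::1-2001:db8::ff"], "vnicGroupId": ["external"]},
    "destination": {"groupingObjectId": ["ipset-12"]},
    "application": {"applicationId": ["application-7"]},
}
BAD_RULE = {
    "ruleId": 131075,                        # must be empty on PUT
    "ruleType": "internal",                  # cannot create internal rules
    "enabled": "yes",                        # not a boolean
    "action": "allow",                       # not a documented action
    "source": {"ipAddress": ["10.0.0.300", "192.168.1.10-192.168.1.1"], "vnicGroupId": ["vnic-index-12"]},
    "destination": {"groupingObjectId": ["ipset_3"]},
    "application": {"applicationId": ["app-7"]},
}

if __name__ == "__main__":
    for label, rule in (("GOOD_RULE", GOOD_RULE), ("BAD_RULE", BAD_RULE)):
        print(label, validate_user_rule(rule) or "ok")
```

Running the validator against a rule body before the PUT catches the mistakes the API would otherwise reject (or silently accept with a wider match than intended, as a reversed range or a mistyped CIDR can).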

SERVICE (service)

| Element | Type | Required | Description |
|---|---|---|---|
| protocol | String | No | The service protocol. Note: the edge gateway supports ALG for FTP only. |
| port \| items | Array \| String | No | The port number. By default, port is set to any. |
| sourcePort \| items | Array \| String | No | The source port number. By default, sourcePort is set to any. |
| icmpType | String | No | |