Creating Firewall Rules

Creating a section is optional; sections exist mainly to organize rules. Next, we will configure the required rules under the newly-created section Application A.

  1. Make sure you are in the General tab. In the center pane, click the green plus Add rule icon, or right-click the newly-created Application A section and click Add rule.
  2. A new row is created inside the Application A section with no Name, no Rule ID, Source any, Destination any, Service any, Action Allow, and Applied To Distributed Firewall.
  3. To edit the firewall rule, hover over each column box (Name, Source, Destination, Service, Action, and Applied To) until the edit pencil icon appears, and click the icon.
  4. For the rule Name, use Allow Any to Web Tier and click Save.
  5. Leave the Source as any. For the Destination, use Virtual Machine as the Object Type, select web-01a and web-02a using the arrow in the center (or by double-clicking the objects), and click OK.
  6. For the Service, use Service as the Object Type and select HTTP.
  7. For the Action, set Action to Allow, Direction to In/Out, and Packet Type to Any. To log the sessions that match this DFW rule, set Log to Log.

DFW logging is written to dfwpktlogs.log, part of the ESXi host logs. Each entry records the action taken and the ID of the rule that matched, which is the quickest way to confirm that a newly published rule is actually being hit. See Chapter 11, Managing and Monitoring VMware NSX Platform, for information on how to locate and access the DFW logs.
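As an added example (not from the book), the following parser reads the "match" entries from dfwpktlogs.log and groups them by rule ID so you can check that the logged rule is the one you expect. The sample lines are constructed for this example and follow the documented NSX-v layout of the log; the rule IDs, addresses and filter hashes are made up, and the regex should be checked against a real line from your own ESXi version before you rely on it.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample lines (not captured from a real host). Layout follows the
# NSX-v dfwpktlogs.log "match" entries:
# <timestamp> <filter-hash> INET match <PASS|DROP|PUNT> <domain>/<rule-id>
#   <IN|OUT> <len> <TCP|UDP|PROTO n> <src>[/<sport>]-><dst>[/<dport>] [tcp-flags]
# Rule IDs, VM addresses and hashes below are invented for the example.
SAMPLE_LOG = """\
2017-05-16T20:15:11.283Z 22216 INET match PASS domain-c7/1002 IN 60 TCP 172.16.10.11/42466->172.16.20.11/8443 S
2017-05-16T20:15:12.101Z 19c5a INET match PASS domain-c7/1001 IN 60 TCP 10.0.0.5/51234->172.16.10.11/80 S
2017-05-16T20:15:13.407Z 3ab7c INET match DROP domain-c7/1003 IN 60 TCP 10.0.0.9/41000->172.16.20.11/22 S
2017-05-16T20:15:13.900Z 4c1d2 INET match DROP domain-c7/1003 IN 84 PROTO 1 10.0.0.9->172.16.20.11
2017-05-16T20:15:14.000Z 19c5a INET TERM domain-c7/1001 IN TCP RST 10.0.0.5/51234->172.16.10.11/80 3/3 180/180
"""

MATCH_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<fhash>\S+)\s+(?P<family>INET6?)\s+match\s+"
    r"(?P<action>PASS|DROP|PUNT)\s+(?P<domain>[^/\s]+)/(?P<rule_id>\d+)\s+"
    r"(?P<direction>IN|OUT)\s+(?P<length>\d+)\s+(?P<proto>TCP|UDP|PROTO\s+\d+)\s+"
    r"(?P<src>[^/\s-]+)(?:/(?P<sport>\d+))?->(?P<dst>[^/\s-]+)(?:/(?P<dport>\d+))?"
    r"(?:\s+(?P<flags>\S+))?\s*$"
)


@dataclass
class DfwHit:
    ts: str
    action: str
    rule_id: int
    direction: str
    proto: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]


def parse_line(line: str) -> Optional[DfwHit]:
    """Parse one 'match' line; TERM lines and anything unrecognised return None."""
    m = MATCH_RE.match(line)
    if not m:
        return None
    return DfwHit(
        ts=m["ts"],
        action=m["action"],
        rule_id=int(m["rule_id"]),
        direction=m["direction"],
        proto=" ".join(m["proto"].split()),  # normalise "PROTO   1" to "PROTO 1"
        src=m["src"],
        sport=int(m["sport"]) if m["sport"] else None,
        dst=m["dst"],
        dport=int(m["dport"]) if m["dport"] else None,
    )


def parse_log(text: str) -> List[DfwHit]:
    return [h for h in map(parse_line, text.splitlines()) if h is not None]


def hits_for_rule(hits: List[DfwHit], rule_id: int) -> List[DfwHit]:
    """Entries produced by one rule ID, e.g. the ID shown in the No. column after publishing."""
    return [h for h in hits if h.rule_id == rule_id]


def drop_summary(hits: List[DfwHit]) -> Dict[Tuple[int, str, Optional[int]], int]:
    """Count DROPs per (rule_id, destination, dport): the first thing to look at
    when an application stops working after a rule change."""
    counts: Dict[Tuple[int, str, Optional[int]], int] = {}
    for h in hits:
        if h.action == "DROP":
            key = (h.rule_id, h.dst, h.dport)
            counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    hits = parse_log(SAMPLE_LOG)
    for h in hits_for_rule(hits, 1001):
        print(h)
    print(drop_summary(hits))
```

Only rules with Log set to Log produce these entries, so an absent rule ID in the log can mean either that the rule never matched or that logging was left off; check the rule's Log setting before concluding traffic is not reaching it.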

  8. With the rule complete, click Publish Changes.
  9. To add more rules to the section, select an existing rule and click the green plus Add rule icon above the No. column; this adds the new rule below the selected rule. Alternatively, select an existing rule and click the green plus Add rule icon below the Applied To column, which adds the new rule above the selected rule. You can also click the pencil icon and choose Add Above or Add Below. Create the remaining DFW rules for the scenario.
  10. For a service that is not in the list, such as Tomcat for the second rule, Allow Web Tier to App Tier, click New Service... A new Add Service dialog opens. For our example, use Tomcat as the Name, TCP as the Protocol, and 8443 for the Destination ports. Optionally, add a Description, and click OK.
  11. The newly-created service is selected automatically; click OK.
  12. Leave Applied To set to Distributed Firewall for now; we will cover Applied To in a separate recipe. Click Publish Changes once the rules are complete.
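The same two rules expressed as data, as an added example that is not from the book: it builds the Application A section in the XML shape the NSX-v 6.x firewall API uses for a layer-3 section (rule, sources/destinations, services, appliedToList), so you can see exactly what each UI choice above turns into. The vm-* managed object references, the app-01a VM, the HTTP application object value and the API endpoint named in the comments are assumptions for illustration; look the real values up in your own environment and check the element names against the API guide for your NSX version.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Sequence, Tuple

# (name, value, type) triples, the way NSX-v references grouping objects in a rule.
# The vm-* references and app-01a are invented for this example.
WEB_TIER: List[Tuple[str, str, str]] = [
    ("web-01a", "vm-101", "VirtualMachine"),
    ("web-02a", "vm-102", "VirtualMachine"),
]
APP_TIER: List[Tuple[str, str, str]] = [("app-01a", "vm-201", "VirtualMachine")]

# Predefined HTTP application object (the "value" is assumed; NSX assigns it).
HTTP_SVC: Dict[str, str] = {"name": "HTTP", "value": "application-HTTP", "type": "Application"}
# Tomcat as the recipe defines it: TCP (IP protocol 6) to destination port 8443,
# given inline rather than as a reusable service object.
TOMCAT_SVC: Dict[str, str] = {"protocolName": "TCP", "protocol": "6", "destinationPort": "8443"}


def _add_objects(rule: ET.Element, list_tag: str, item_tag: str,
                 objects: Optional[Sequence[Tuple[str, str, str]]]) -> None:
    """Emit <sources>/<destinations>. Leaving the list out entirely means 'any'."""
    if not objects:
        return
    lst = ET.SubElement(rule, list_tag, excluded="false")
    for name, value, obj_type in objects:
        item = ET.SubElement(lst, item_tag)
        ET.SubElement(item, "name").text = name
        ET.SubElement(item, "value").text = value
        ET.SubElement(item, "type").text = obj_type


def build_rule(name: str,
               sources: Optional[Sequence[Tuple[str, str, str]]] = None,
               destinations: Optional[Sequence[Tuple[str, str, str]]] = None,
               services: Optional[Sequence[Dict[str, str]]] = None,
               action: str = "allow", direction: str = "inout",
               packet_type: str = "any", logged: bool = True) -> ET.Element:
    """One DFW rule with the same fields the UI exposes (Name, Source, Destination,
    Service, Action, Direction, Packet Type, Log, Applied To)."""
    rule = ET.Element("rule", disabled="false", logged="true" if logged else "false")
    ET.SubElement(rule, "name").text = name
    ET.SubElement(rule, "action").text = action
    applied = ET.SubElement(ET.SubElement(rule, "appliedToList"), "appliedTo")
    for tag in ("name", "value", "type"):   # Applied To: Distributed Firewall
        ET.SubElement(applied, tag).text = "DISTRIBUTED_FIREWALL"
    _add_objects(rule, "sources", "source", sources)
    _add_objects(rule, "destinations", "destination", destinations)
    if services:                             # no <services> element means Service: any
        svcs = ET.SubElement(rule, "services")
        for svc in services:
            s = ET.SubElement(svcs, "service")
            for tag, text in svc.items():
                ET.SubElement(s, tag).text = text
    ET.SubElement(rule, "direction").text = direction
    ET.SubElement(rule, "packetType").text = packet_type
    return rule


def build_section(name: str, rules: Sequence[ET.Element]) -> ET.Element:
    section = ET.Element("section", name=name)
    section.extend(rules)
    return section


def application_a_section() -> ET.Element:
    """The two rules from this recipe, in the order the DFW evaluates them."""
    return build_section("Application A", [
        build_rule("Allow Any to Web Tier", destinations=WEB_TIER, services=[HTTP_SVC]),
        build_rule("Allow Web Tier to App Tier", sources=WEB_TIER,
                   destinations=APP_TIER, services=[TOMCAT_SVC]),
    ])


def rule_names(section: ET.Element) -> List[str]:
    return [r.findtext("name") or "" for r in section.findall("rule")]


def is_any(rule: ET.Element, list_tag: str) -> bool:
    """True when Source or Destination is 'any' (the list element is absent)."""
    return rule.find(list_tag) is None


def to_xml(section: ET.Element) -> str:
    return ET.tostring(section, encoding="unicode")


if __name__ == "__main__":
    # Publishing corresponds to sending this body to NSX Manager's firewall API
    # (assumed: POST /api/4.0/firewall/globalroot-0/config/layer3sections).
    print(to_xml(application_a_section()))
```

Two points worth keeping in mind while building the remaining rules. The DFW evaluates rules top down within and across sections and stops at the first match, so order the specific rules above the general ones. And because the default rule that ships with NSX-v allows all traffic, these allow rules restrict nothing on their own; the web tier is only isolated once a block rule sits below them for the traffic you did not explicitly permit.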