I have created the security group only to allow ICMP so that I can test using ping. I have created the firewall as shown below. I am able to ping the VM's floating IP (192.52.1.6) from the network node (192.52.1.45) even though I have added a rule denying 192.52.1.0/24; however, ping from the VM to the network node is denied as expected. One more observation: if I disable the second rule r2, which is "allow all", then the ping from the network node to the VM is blocked as expected, since it hits the default rule "deny all".

root@IGA-OSC:~# neutron firewall-rule-show r1
+------------------------+--------------------------------------+
| Field                  | Value                                |
+------------------------+--------------------------------------+
| action                 | deny                                 |
| description            |                                      |
| destination_ip_address | 192.52.1.0/24                        |
| destination_port       |                                      |
| enabled                | True                                 |
| firewall_policy_id     | 924d41cd-fad1-4ed4-9114-6dd704382bd3 |
| id                     | fe18a16c-a792-4763-890e-3e0f37591b05 |
| ip_version             | 4                                    |
| name                   | r1                                   |
| position               | 1                                    |
| protocol               | icmp                                 |
| shared                 | False                                |
| source_ip_address      |                                      |
| source_port            |                                      |
| tenant_id              | d9481c57a11c46eea62886938b5378a7     |
+------------------------+--------------------------------------+

root@IGA-OSC:~# neutron firewall-rule-show r2
+------------------------+--------------------------------------+
| Field                  | Value                                |
+------------------------+--------------------------------------+
| action                 | allow                                |
| description            |                                      |
| destination_ip_address |                                      |
| destination_port       |                                      |
| enabled                | True                                 |
| firewall_policy_id     | 924d41cd-fad1-4ed4-9114-6dd704382bd3 |
| id                     | a4d231de-bf05-4353-8c69-b1698b6b997d |
| ip_version             | 4                                    |
| name                   | r2                                   |
| position               | 2                                    |
| protocol               |                                      |
| shared                 | False                                |
| source_ip_address      |                                      |
| source_port            |                                      |
| tenant_id              | d9481c57a11c46eea62886938b5378a7     |
+------------------------+--------------------------------------+

root@IGA-OSC:~# neutron firewall-policy-show p1
+----------------+--------------------------------------+
| Field          | Value                                |
+----------------+--------------------------------------+
| audited        | False                                |
| description    |                                      |
| firewall_rules | fe18a16c-a792-4763-890e-3e0f37591b05 |
|                | a4d231de-bf05-4353-8c69-b1698b6b997d |
| id             | 924d41cd-fad1-4ed4-9114-6dd704382bd3 |
| name           | p1                                   |
| shared         | False                                |
| tenant_id      | d9481c57a11c46eea62886938b5378a7     |
+----------------+--------------------------------------+

root@IGA-OSC:~# neutron firewall-show f1
+--------------------+--------------------------------------+
| Field              | Value                                |
+--------------------+--------------------------------------+
| admin_state_up     | True                                 |
| description        |                                      |
| firewall_policy_id | 924d41cd-fad1-4ed4-9114-6dd704382bd3 |
| id                 | 7a808890-c015-40e9-b1f8-a7c498a9fa70 |
| name               | f1                                   |
| status             | ACTIVE                               |
| tenant_id          | d9481c57a11c46eea62886938b5378a7     |
+--------------------+--------------------------------------+

root@IGA-OSC:~# sgl
+--------------------------------------+---------+-------------+
| id                                   | name    | description |
+--------------------------------------+---------+-------------+
| 179ecb86-0bcc-4a65-9e5b-dd583cdded5d | default | default     |
+--------------------------------------+---------+-------------+

root@IGA-OSC:~# sgrl
+--------------------------------------+----------------+-----------+----------+------------------+--------------+
| id                                   | security_group | direction | protocol | remote_ip_prefix | remote_group |
+--------------------------------------+----------------+-----------+----------+------------------+--------------+
| 1f857515-6466-4e9e-aa13-4d579c2cd3ef | default        | ingress   |          |                  | default      |
| 5a3b13b8-2839-47f8-8d93-feeece9ea9f4 | default        | egress    |          |                  |              |
| 5f39ea2a-3a03-46cc-aa22-e722676629a9 | default        | ingress   | icmp     | 0.0.0.0/0        |              |
| 8e884c2c-0e47-4a97-8cb9-db09c9eea491 | default        | ingress   | tcp      |                  |              |
| bba8b5b4-74ba-4850-8742-4ffb25c19c82 | default        | ingress   | udp      |                  |              |
| bceb6300-142e-42d6-816d-1fbad7190c57 | default        | ingress   |          |                  | default      |
| e85aa835-490b-4c34-b2a9-726c4c4a0392 | default        | egress    |          |                  |              |
+--------------------------------------+----------------+-----------+----------+------------------+--------------+
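As an added illustration (not part of the question above, and not Neutron's own code), here is a small Python model of how a FWaaS v1 policy is evaluated: rules are tried in position order, the first enabled match wins, and a packet matching nothing falls through to the implicit "deny all". The model also assumes where the rules sit in the router namespace: the FWaaS chains hang off the iptables FORWARD chain, which runs after the nat PREROUTING chain has already translated the floating IP to the VM's fixed IP, so a rule written against the floating-IP range never sees inbound traffic to the floating address. The VM's fixed IP (10.0.0.5) is a constructed placeholder, since the post does not show it; the floating IP, network-node address, and rules r1/r2 are taken from the post.

```python
# Added example: first-match evaluation of a Neutron FWaaS v1 policy, modelled
# as the iptables FORWARD chain in the router namespace sees the packet.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Rule:
    name: str
    action: str                      # "allow" or "deny"
    protocol: Optional[str] = None   # None matches any protocol
    dst_cidr: Optional[str] = None   # None matches any destination
    enabled: bool = True


@dataclass
class Packet:
    src: str
    dst: str
    protocol: str


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """A rule matches when every set attribute agrees with the packet."""
    if rule.protocol and rule.protocol != pkt.protocol:
        return False
    if rule.dst_cidr and ip_address(pkt.dst) not in ip_network(rule.dst_cidr):
        return False
    return True


def evaluate(policy: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """First enabled matching rule wins; no match means the implicit deny."""
    for rule in policy:
        if rule.enabled and rule_matches(rule, pkt):
            return rule.action, rule.name
    return "deny", "default"


# Floating IP (from the post) -> fixed IP (CONSTRUCTED placeholder; the post
# does not show the VM's private address).
FLOATING_TO_FIXED = {"192.52.1.6": "10.0.0.5"}


def forward_path(pkt: Packet) -> Packet:
    """Assumed router-namespace order: floating-IP DNAT in nat PREROUTING runs
    before the filter FORWARD chain that holds the FWaaS rules, so the firewall
    evaluates the fixed IP as the destination of inbound traffic."""
    if pkt.dst in FLOATING_TO_FIXED:
        return Packet(pkt.src, FLOATING_TO_FIXED[pkt.dst], pkt.protocol)
    return pkt


# The two rules from the post, in policy position order.
R1 = Rule("r1", "deny", protocol="icmp", dst_cidr="192.52.1.0/24")
R2 = Rule("r2", "allow")
POLICY = [R1, R2]


def node_to_vm(policy: List[Rule] = POLICY) -> Tuple[str, str]:
    """Ping from the network node to the VM's floating IP."""
    return evaluate(policy, forward_path(Packet("192.52.1.45", "192.52.1.6", "icmp")))


def vm_to_node(policy: List[Rule] = POLICY) -> Tuple[str, str]:
    """Ping from the VM to the network node (SNAT happens after FORWARD, so the
    source address is irrelevant to the rule match here)."""
    return evaluate(policy, forward_path(Packet("10.0.0.5", "192.52.1.45", "icmp")))


if __name__ == "__main__":
    print("node -> VM:", node_to_vm())                 # ('allow', 'r2')
    print("VM -> node:", vm_to_node())                 # ('deny', 'r1')
    no_r2 = [R1, Rule("r2", "allow", enabled=False)]
    print("node -> VM, r2 disabled:", node_to_vm(no_r2))  # ('deny', 'default')
```

Under these assumptions the model reproduces all three observations from the post: node to VM is allowed by r2 because the destination the firewall compares is 10.0.0.5, not 192.52.1.6; VM to node is denied by r1 because the destination 192.52.1.45 is inside 192.52.1.0/24; and with r2 disabled the node to VM ping falls through to the implicit deny. A deny rule meant to block inbound ICMP to the VM would therefore have to name the fixed-IP subnet or use a source_ip_address match instead.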