Network Security
Network Security is available exclusively with an Enterprise license. The required feature flag is microsegmentation. Learn more about licensing.
The Network Security page provides centralized firewall rule management for your entire Proxmox infrastructure. It covers firewall rules at every level -- VM, host, and cluster -- along with security groups, IP sets, aliases, and network microsegmentation for granular traffic control.
Overview
Proxmox VE includes a built-in firewall based on iptables/nftables, but managing rules across dozens of VMs and multiple nodes through individual Proxmox web interfaces is tedious and error-prone. ProxCenter aggregates all firewall configuration into a single view, letting you define, audit, and enforce network security policies across your entire infrastructure from one place.
Interface Tabs
The Network Security page is organized into nine tabs: Overview, Micro-segmentation, Security Groups, Aliases, IP Sets, VM Rules, Host Rules, Cluster Rules, and Settings.
Overview
The Overview tab provides a dashboard-level summary of your network security posture:
- Security Groups count with total rule count
- IP Sets count with total entry count
- Aliases count
- Cluster firewall status -- whether the cluster-level firewall is active or inactive
Below the stats, a detailed overview shows:
- Per-VM firewall status at a glance, including which VMs have firewalls enabled and how many rules are applied
- Top security groups by rule count
- Quick navigation links to other tabs
Use the Overview tab as a daily check to verify that your firewall policies are applied consistently across all VMs. Click any stat card to jump directly to the relevant tab.
Micro-segmentation
Microsegmentation enables fine-grained network traffic control between individual VMs, regardless of which node they run on. Instead of relying solely on broad network-level rules, microsegmentation lets you define policies such as:
- Allow database VMs to communicate only with application VMs on specific ports
- Isolate development workloads from production entirely
- Restrict management traffic to a designated set of admin VMs
This tab provides a visual interface to define and manage microsegmentation policies, giving you zero-trust networking within your Proxmox clusters.
Security Groups
Security groups are reusable collections of firewall rules. Define a group once (e.g., "Web Servers" with rules allowing ports 80 and 443) and apply it to any number of VMs -- changes to the group automatically propagate to all associated VMs.
For each security group, you can:
- View and edit the rules it contains
- See which VMs reference the group
- Add new rules with full control over direction (IN/OUT), action (ACCEPT, DROP, REJECT), protocol, source, destination, and port
Aliases
Aliases let you assign human-readable names to IP addresses or CIDR ranges. Instead of remembering that 10.0.5.20 is your monitoring server, create an alias called monitoring and reference it in your firewall rules.
- Create, edit, and delete aliases
- Use aliases in any firewall rule source or destination field
- Share aliases across the entire cluster
IP Sets
IP sets are named collections of IP addresses or CIDR ranges. They are useful when a firewall rule needs to reference multiple IPs -- for example, allowing access from a list of trusted management workstations.
For each IP set, you can:
- Add and remove IP entries
- Reference the IP set in firewall rules using the +ipsetname syntax
- Manage entries across clusters
Combine aliases for single hosts and IP sets for groups of hosts to keep your firewall rules clean and readable.
VM Rules
The VM Rules tab shows firewall rules applied at the individual VM level. Select a connection to view all VMs with their firewall status and rule counts.
For each VM, you can:
- View the list of applied rules
- Toggle the VM-level firewall on or off
- See which security groups are referenced
Host Rules
The Host Rules tab manages firewall rules applied at the Proxmox host (node) level. These rules control traffic to and from the hypervisor itself -- for example, restricting SSH access or Proxmox web interface access to specific management networks.
Select a connection and node to view and manage host-level rules.
Cluster Rules
Cluster-level firewall rules apply across all nodes and VMs in a Proxmox cluster. The Cluster Rules tab lets you:
- View and edit cluster-wide firewall rules
- Toggle the cluster firewall on or off
- Set the default input/output policy (ACCEPT or DROP)
Disabling the cluster firewall or changing the default policy to DROP without proper rules in place can lock you out of your Proxmox nodes. Always ensure management access rules are in place before making changes.
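As an added example (not part of ProxCenter or its documentation), a pre-change check for the lockout risk described above. It assumes the cluster rules are available as text in Proxmox VE's cluster.fw format and that SSH (22) and the web interface (8006) are the management ports; the sample, including the admins IP set and the monitoring alias, is constructed.

```python
# Added example: lockout check for text in Proxmox VE cluster.fw format.
MGMT_PORTS = {"22", "8006"}  # assumption: SSH and the Proxmox web interface

# Constructed sample; names and addresses are illustrative.
SAMPLE_FW = """\
[OPTIONS]
enable: 1
policy_in: DROP
[ALIASES]
monitoring 10.0.5.20
[IPSET admins]
192.168.10.11
192.168.10.12
[RULES]
IN ACCEPT -source +admins -p tcp -dport 8006
|IN ACCEPT -source +admins -p tcp -dport 22
IN ACCEPT -source monitoring -p icmp
"""

def parse_sections(text):
    """Split the file into {section header: [lines]}, dropping comments."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip(), [])
        elif line and current is not None:
            current.append(line)
    return sections

def lockout_risks(text):
    """Management ports left without an enabled inbound TCP ACCEPT rule."""
    sections = parse_sections(text)
    opts = {k.strip(): v.strip() for k, _, v in
            (l.partition(":") for l in sections.get("OPTIONS", []))}
    if opts.get("enable") != "1" or opts.get("policy_in", "DROP") != "DROP":
        return set()  # firewall off or default-accept: nothing is dropped
    covered = set()
    for rule in sections.get("RULES", []):
        tok = rule.split()  # a leading "|" marks a disabled rule, so it fails here
        if tok[:2] != ["IN", "ACCEPT"] or "-dport" not in tok[:-1] or "tcp" not in tok:
            continue
        for part in tok[tok.index("-dport") + 1].split(","):
            lo, _, hi = part.partition(":")
            if lo.isdigit() and (hi or lo).isdigit():
                covered |= {p for p in MGMT_PORTS if int(lo) <= int(p) <= int(hi or lo)}
    return MGMT_PORTS - covered

print(sorted(lockout_risks(SAMPLE_FW)))  # ['22']
```

The check reads only explicit port rules; macro rules and security group references are not evaluated, so a port reported here may still be covered by one of those.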
Settings
The Settings tab provides global firewall configuration options for the selected Proxmox connection, including:
- Cluster-level firewall enable/disable
- Default input and output policies
- Log rate limiting
- Additional firewall options exposed by the Proxmox API
Multi-Connection Support
If you have multiple Proxmox clusters connected to ProxCenter, a connection selector at the top of the page lets you switch between them. All tabs (security groups, aliases, IP sets, rules) reflect the currently selected connection.
Permissions
| Permission | Description |
|---|---|
| admin.settings | Required to access Network Security and manage firewall rules |
Users without the admin.settings permission will not see the Network Security entry in the navigation sidebar.