I have one concern / feasibility check request from a customer to consider VMware Edge as a perimeter firewall for their IT private cloud.
AFAIK, the above theory is not recommended, as the Edge firewall lacks advanced features such as IDS, IPS, etc. (at least I'm not aware that they are supported).
My queries are below:
1. Can the Gateway firewall support IDS? (For north-south traffic)
2. Let's say I use gateway firewalls in a cluster; will there be stateful information sync between them? For example, if one gateway firewall is down, do clients need to re-establish their connection?
3. If I integrate 3rd party service firewalls, can they work as Active/Active cluster? I see there is a limitation of running Active/Standby services in NSX for stateful services. Is this citation applicable to 3rd party services as well?
Thanks in advance.
As far as I am aware, IDS/IPS is enabled at the hypervisor level and not at the edge. If you are going to be using an SVM / service insertion, then the T0 gateway has to be in Active-Standby. https://docs.vmware.com/en/VMware-NSX-T-Data-Center/3.1/administration/GUID-53D6C480-7AD3-4B23-922D-...
Have you had a look at the security reference design guide https://nsx.techzone.vmware.com/resource/nsx-security-reference-design-guide?
Also the reference design guide https://communities.vmware.com/t5/VMware-NSX-Documents/VMware-NSX-T-Reference-Design/ta-p/2778093.
This blog may be of use as well. https://blogs.vmware.com/networkvirtualization/2020/08/the-nsx-t-gateway-firewall-secures-physical-s....
Just trying to dig up some information regarding states for you.
Does that mean we can't have IDS at the Edge firewall for north-south traffic?
IDS is currently not supported on the Edge; you can use introspection / SVMs to inspect traffic if you'd like.