VMware Networking Community
cbg2008
Contributor

NSX Edge as perimeter firewall

Hi Team,

I have one concern/feasibility check request from customer to consider VMware edge as perimeter firewall for their IT private cloud.


AFAIK, the above is not recommended, as the Edge firewall lacks advanced features such as IDS, IPS, etc. (At least I'm not aware if they are supported.)

My queries are below:

1. Can the Gateway firewall support IDS? (For north-south traffic)

2. Let's say I use gateway firewalls in a cluster; will there be stateful information sync between them? For example, if one gateway firewall is down, do clients need to re-establish their connections?

3. If I integrate 3rd-party service firewalls, can they work as an Active/Active cluster? I see there is a limitation of running Active/Standby services in NSX for stateful services. Is this citation applicable to 3rd-party services as well?

Thanks in advance.


shank89
Expert

As far as I am aware, IDS/IPS is enabled at the hypervisor level and not at the edge; if you are going to be using an SVM / service insertion, then the T0 gateway has to be in Active-Standby. https://docs.vmware.com/en/VMware-NSX-T-Data-Center/3.1/administration/GUID-53D6C480-7AD3-4B23-922D-...

Have you had a look at the security reference design guide? https://nsx.techzone.vmware.com/resource/nsx-security-reference-design-guide

Also the reference design guide: https://communities.vmware.com/t5/VMware-NSX-Documents/VMware-NSX-T-Reference-Design/ta-p/2778093

This blog may be of use as well: https://blogs.vmware.com/networkvirtualization/2020/08/the-nsx-t-gateway-firewall-secures-physical-s...

Just trying to dig up some information regarding states for you.

Shashank Mohan

VCIX-NV 2022 | VCP-DCV2019 | CCNP Specialist

https://lab2prod.com.au
LinkedIn https://www.linkedin.com/in/shankmohan/
Twitter @ShankMohan
Author of NSX-T Logical Routing: https://link.springer.com/book/10.1007/978-1-4842-7458-3
cbg2008
Contributor

Does that mean we can't have IDS at the Edge firewall for north-south traffic?

shank89
Expert

IDS is currently not supported on the Edge; you can use introspection / SVMs to inspect traffic if you'd like.

Shashank Mohan

VCIX-NV 2022 | VCP-DCV2019 | CCNP Specialist

https://lab2prod.com.au
LinkedIn https://www.linkedin.com/in/shankmohan/
Twitter @ShankMohan
Author of NSX-T Logical Routing: https://link.springer.com/book/10.1007/978-1-4842-7458-3
AntareSLyu
Contributor

Hi,

As you see, distributed IDS/IPS is a new feature for east-west traffic. Otherwise, you could enable NSX Edge Firewall rules or the other stateful services at the T1 level, so that you may deploy T0 in active-active mode.

VCIX-NV & DCV | VCAP-CMA & DTM | VCP-DW
Wechat: love5plus7
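The placement rule the two answers above turn on (stateful services force a Tier-0 into Active-Standby, so they belong on a Tier-1 if the Tier-0 is to stay Active-Active) can be audited from the gateway configuration. The script below is an added example, not part of this thread or of any VMware tool; the JSON shapes and the field names "ha_mode", "stateful" and "scope" are assumptions modelled on the NSX-T Policy API's Tier-0 and gateway-policy objects, and the sample data is constructed.

```python
import json

# Constructed sample, modelled on NSX-T Policy API objects (GET /policy/api/v1/
# infra/tier-0s and .../domains/default/gateway-policies). Field names such as
# "ha_mode", "stateful" and "scope" are assumptions; verify against your release.
TIER0S = json.loads("""
{"results": [
  {"id": "t0-edge", "ha_mode": "ACTIVE_ACTIVE"},
  {"id": "t0-dmz",  "ha_mode": "ACTIVE_STANDBY"}
]}""")

GATEWAY_POLICIES = json.loads("""
{"results": [
  {"id": "gw-policy-stateful", "stateful": true, "rules": [
    {"id": "rule-allow-web", "action": "ALLOW",
     "scope": ["/infra/tier-0s/t0-edge", "/infra/tier-0s/t0-dmz"]},
    {"id": "rule-allow-app", "action": "ALLOW", "scope": ["/infra/tier-1s/t1-app"]}
  ]},
  {"id": "gw-policy-stateless", "stateful": false, "rules": [
    {"id": "rule-drop-bogons", "action": "DROP", "scope": ["/infra/tier-0s/t0-edge"]}
  ]}
]}""")

def active_active_tier0s(tier0s):
    """IDs of Tier-0 gateways running in ACTIVE_ACTIVE HA mode."""
    return {t["id"] for t in tier0s["results"] if t.get("ha_mode") == "ACTIVE_ACTIVE"}

def stateful_rules_on_active_active(tier0s, gateway_policies):
    """(tier0_id, policy_id, rule_id) for each stateful gateway firewall rule scoped
    to an ACTIVE_ACTIVE Tier-0: the placement the thread says is unsupported. Such
    rules need an Active-Standby Tier-0 or should move to a Tier-1."""
    aa = active_active_tier0s(tier0s)
    findings = []
    for policy in gateway_policies["results"]:
        if not policy.get("stateful", True):  # stateless policies are fine on A/A
            continue
        for rule in policy.get("rules", []):
            for path in rule.get("scope", []):
                # scope paths look like /infra/tier-0s/<id>; Tier-1 scopes are skipped
                if path.startswith("/infra/tier-0s/"):
                    t0 = path.rsplit("/", 1)[1]
                    if t0 in aa:
                        findings.append((t0, policy["id"], rule["id"]))
    return findings

if __name__ == "__main__":
    for t0, pol, rule in stateful_rules_on_active_active(TIER0S, GATEWAY_POLICIES):
        print(f"stateful rule {rule} in {pol} is scoped to Active-Active Tier-0 {t0}")
```

In practice the two dictionaries would be the parsed responses of the corresponding GET calls against the NSX Manager.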