VMware Networking Community
flow-ever-junli
Contributor
Contributor
Jump to solution

Can I deploy DFW and gateway FW in security only mode ?

I want deploy DFW for my VMs, and Gateway FW for my 2 physical subnets, Can I achive this purpose by deploying NSX-T  in the "Security only" Mode? Or I have tow deply in Network & Security mode?

Reply
0 Kudos
1 Solution

Accepted Solutions
Sreec
VMware Employee
VMware Employee
Jump to solution

Distributed Security provides only the below security-related functionality to your VDS 

  • Distributed Firewall (DFW)
  • Distributed IDS/IPS
  • Identity Firewall
  • L7 App ID
  • Fully Qualified Domain Name (FQDN) Filtering
  • NSX Intelligence
  • NSX Malware Prevention
  • NSX Guest Introspection
Cheers,
Sree | VCIX-5X| VCAP-5X| VExpert 6x|Cisco Certified Specialist
Please KUDO helpful posts and mark the thread as solved if answered

View solution in original post

5 Replies
chandrakm
VMware Employee
VMware Employee
Jump to solution

You should be able to use Gateway firewall in Security only also mode based on my knowledge. 3.2 introduced a new licensing model for Gateway Firewall. You should be able to do that in case if licensing is not a constraint. You can even mix security only and network & security deployments on different clusters under one NSX umbrella.

 

If possible, ideal thing to do is to prepare cluster with NSX network & security, create T0/T1 gateways and overlay networks, bring VM's under Geneve segments and use DFW on GFW.

Cheers,
Chandra | 2xVCIX | CCIE | TOGAF
Please KUDO helpful posts and mark the thread as solved if answered
Sreec
VMware Employee
VMware Employee
Jump to solution

Distributed Security provides only the below security-related functionality to your VDS 

  • Distributed Firewall (DFW)
  • Distributed IDS/IPS
  • Identity Firewall
  • L7 App ID
  • Fully Qualified Domain Name (FQDN) Filtering
  • NSX Intelligence
  • NSX Malware Prevention
  • NSX Guest Introspection
Cheers,
Sree | VCIX-5X| VCAP-5X| VExpert 6x|Cisco Certified Specialist
Please KUDO helpful posts and mark the thread as solved if answered
flow-ever-junli
Contributor
Contributor
Jump to solution

Because some server VMs are in the same subnets with some physical PCs, So I can can't migrate server VMs in the overlay network without  modification server VMs IP addr. Now I have a 10 nodes VSAN cluster, and gonna to deploy NSX DFW in the cluster, and GFW for my PCs. Can I achive this goal under the  constraints?

Is there some how to guide in this scenario? I googled a lot of times and searched VMware docs, but get nothing exactly about it.

Tags (1)
Reply
0 Kudos
Sreec
VMware Employee
VMware Employee
Jump to solution

Did you try to explore NSX bridging? 

https://docs.vmware.com/en/VMware-NSX-T-Data-Center/3.2/migration/GUID-12FE83E9-2FA9-40F7-A3FF-BC21E... 

Cheers,
Sree | VCIX-5X| VCAP-5X| VExpert 6x|Cisco Certified Specialist
Please KUDO helpful posts and mark the thread as solved if answered
Reply
0 Kudos
chandrakm
VMware Employee
VMware Employee
Jump to solution

If you have NSX Network & Security license. You can prepare your clusters with Network & Security > Create NSX VLAN Segments > Move your VM's from VDS VLAN port groups to NSX VLAN Segments. You don't need bridging as well for this.  When there is no physical dependency you can switch from NSX VLAN segments to NSX Overly segments. You can implement both DFW & GFW.

Cheers,
Chandra | 2xVCIX | CCIE | TOGAF
Please KUDO helpful posts and mark the thread as solved if answered
Reply
0 Kudos