VMware Networking Community
NSXplore
Contributor

Can a third party firewall like Palo Alto VMseries work without NSX DFW in securing E-W traffic in NSX environment?

What are the things which DFW cannot do for which we need integration with third party firewalls?

rajeevsrikant
Expert

NSX DFW will provide security from Layer 2 (Data link layer) to Layer 4 (Transport layer).

If security is required above these layers, like Layer 7, then it has to be integrated with 3rd party firewalls like Palo Alto.

My understanding is that 3rd party firewall can not work without NSX DFW to protect E-W traffic.

NSXplore
Contributor

Hi rajeevsrikant,

Thanks a lot.

Sreec
VMware Employee

If you are in need of URL Filtering, Anti-Virus, Anti-Bot, and Threat Emulation, NGFW is the right way to go, and you can see all technology partners in the list below: VMware NSX Technology Partners. Starting from NSX 6.4 we can create Layer-7 Context Aware rules as well. Context-aware or application-based firewall rules can be defined by defining Layer 7 service objects. After defining Layer 7 service objects in rules, you can define rules with a specific protocol, ports, and their application definition. Rule definition can be based on more than 5-tuples. You can also use Application Rule Manager to create context-aware firewall rules.

Context-aware firewall is only supported for NSX for vSphere 6.4 and above.

So please do check if your rule falls under that category.

Cheers,
Sree | VCIX-5X| VCAP-5X| VExpert 6x|Cisco Certified Specialist
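To illustrate the "more than 5-tuples" point above, here is an added example (not code from the thread, from NSX, or from any vendor) that models how a classic 5-tuple rule differs from a context-aware rule that also carries a Layer 7 application identity. The `Flow`, `Rule`, addresses and application names (`HTTPS`, `SSH`) are constructed for the illustration and are not NSX objects.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Flow:
    """One observed east-west flow; app_id is the L7 context (None = unknown)."""
    src: str
    dst: str
    proto: str
    dport: int
    app_id: Optional[str] = None

@dataclass(frozen=True)
class Rule:
    """A firewall rule. app_id=None means a classic L4 (5-tuple) rule with no L7 condition."""
    name: str
    src: str            # exact address or "any" (constructed simplification, no CIDR)
    dst: str
    proto: str
    dport: Optional[int]    # None = any port
    app_id: Optional[str]   # None = no L7 condition
    action: str             # "allow" or "block"

def matches(rule: Rule, flow: Flow) -> bool:
    """True when every condition present on the rule matches the flow."""
    return (
        (rule.src == "any" or rule.src == flow.src)
        and (rule.dst == "any" or rule.dst == flow.dst)
        and rule.proto == flow.proto
        and (rule.dport is None or rule.dport == flow.dport)
        and (rule.app_id is None or rule.app_id == flow.app_id)
    )

def evaluate(rules: List[Rule], flow: Flow, default: str = "block") -> Tuple[str, str]:
    """First-match evaluation, as a firewall rule table does; returns (rule name, action)."""
    for rule in rules:
        if matches(rule, flow):
            return rule.name, rule.action
    return "default", default

# L4-only policy: anything to the web server on tcp/443 is allowed.
L4_RULES = [Rule("web-443", "any", "10.0.2.10", "tcp", 443, None, "allow")]
# Context-aware policy: only traffic identified as HTTPS may use tcp/443.
L7_RULES = [
    Rule("web-443-https", "any", "10.0.2.10", "tcp", 443, "HTTPS", "allow"),
    Rule("deny-other-443", "any", "10.0.2.10", "tcp", 443, None, "block"),
]

# Constructed sample flows: a real HTTPS session, and SSH tunnelled over port 443.
HTTPS_FLOW = Flow("10.0.1.5", "10.0.2.10", "tcp", 443, "HTTPS")
SSH_ON_443 = Flow("10.0.1.5", "10.0.2.10", "tcp", 443, "SSH")
```

The L4-only table allows `SSH_ON_443` because the 5-tuple is identical to legitimate web traffic; the context-aware table blocks it while still allowing `HTTPS_FLOW`.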
IvarHome
Hot Shot

Of course you can use it. DFW doesn't matter. But Palo can control only L3. For L2 Palo doesn't have a stateless rules mode, and usually in L2 you need stateless rules.

>>>What are the things which DFW cannot do for which we need integration with third party firewalls?

I have, for example, a Mikrotik, and with it I control north-south traffic at the L2 level. Also ESXi management through the vmkernel adapter goes through the Mikrotik. What can I do? For example, I can send every single VM's egress with a personal VLAN ID, but the ingress can be any chosen VLAN ID, not only the same ID as the egress. Also I can switch east-west traffic; I can choose which VMs can communicate with each other. And I don't need MAC addresses for this, and I can freely choose who can communicate with whom, not restricted by VLANs. Mikrotik RouterOS also includes a fully managed L2 switch. Also I can block and allow some NSX logical switch VM output per host. This is what I usually need to control. But Mikrotik also allows MAC address SNAT and DNAT, and also VLAN ID number translation, also L2 firewall rules and of course also L3 firewall rules.
