Hi,
What is the difference between the ESG Firewall and the firewall which is located in the Networking and Security menu,
and which of them is preferred if I want to prohibit a client from accessing one of the tenants?
Thank you
First Question:
The Edge Services Gateway firewall affects only traffic that traverses the ESG(s) where the rule(s) is/are applied. If it is at the perimeter of the overlay, it is effectively a North/South firewall. The Distributed Firewall (DFW) is the firewall that is attached to the I/O chain of every vNIC in the environment and is an East/West firewall.
Second Question:
The firewall node in the Networking and Security plug-in can be used to push rules to the ESG, by using the Applied To field, as well as for configuring rules for the DFW.
Third Question:
If the tenant is behind a specific Edge, it is best to apply the rule at that specific tenant Edge.
Additional Information:
Below are the official definitions from the design guide.
Edge Firewall - Edge firewall services are part of the NSX Edge Services Gateway (ESG). The Edge firewall provides essential perimeter firewall protection which can be used in addition to a physical perimeter firewall. The ESG-based firewall is useful in developing PCI zones, multi-tenant environments, or dev-ops style connectivity without forcing the inter-tenant or inter-zone traffic onto the physical network.
Distributed Firewall – Security enforcement is done directly at the kernel and vNIC level. This enables highly scalable firewall rule enforcement by avoiding bottlenecks on physical appliances. The firewall is distributed in kernel, minimizing CPU overhead while enabling line-rate performance.
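To make the enforcement-scope difference concrete, here is an added Python model of where a flow is inspected; it is not code from this thread or from NSX. The VM, segment and ESG names are constructed, and the model assumes traffic leaving a segment is routed through that segment's ESG (no DLR).

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class VM:
    name: str
    segment: str   # logical switch the vNIC is attached to
    edge: str      # ESG fronting that segment (the tenant's perimeter)

@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    action: str    # "allow" or "deny"
    scope: str     # "dfw" (every vNIC) or the name of one ESG

def enforcement_points(src: VM, dst: VM) -> list:
    """Ordered enforcement points a flow passes, per the answer above:
    the DFW sits in the I/O chain of both vNICs, an ESG only sees
    traffic that is routed through it (assumption: leaving a segment
    means routing via the segment's ESG; no DLR in this model)."""
    points = ["dfw"]                      # source vNIC
    if src.segment != dst.segment:
        points.append(src.edge)
        if dst.edge != src.edge:
            points.append(dst.edge)
    points.append("dfw")                  # destination vNIC
    return points

def is_blocked(rules, src: VM, dst: VM) -> bool:
    """True if a deny rule is evaluated at a point the flow traverses."""
    for point in enforcement_points(src, dst):
        for r in rules:
            if (r.scope == point and r.action == "deny"
                    and r.src == src.name and r.dst == dst.name):
                return True
    return False

# Constructed topology: a client in a shared segment, a tenant web VM
# behind its own ESG, and a second VM on the same tenant segment.
CLIENT = VM("client-vm", "shared-ls", "esg-core")
TENANT_WEB = VM("tenantA-web", "tenantA-ls", "esg-tenantA")
TENANT_DB = VM("tenantA-db", "tenantA-ls", "esg-tenantA")

# The rule from the third answer: deny the client at the tenant's Edge.
EDGE_RULE = Rule("client-vm", "tenantA-web", "deny", "esg-tenantA")
# The same intent on the DFW for an east/west neighbour that never
# crosses the Edge, so only the DFW can see it.
DFW_RULE = Rule("tenantA-db", "tenantA-web", "deny", "dfw")
```

The Edge rule stops the client because its path crosses esg-tenantA, but it cannot see tenantA-db talking to tenantA-web on the same segment; that flow is only reachable by a DFW rule.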
Thank you very much
I understand now.
Thanks.