VMware Networking Community
vmware3222
Enthusiast

ESG Firewall

Hi,

What is the difference between the ESG Firewall and the firewall which is located in the Networking and Security menu,

and which of them is preferred if I want to prohibit a client from accessing one of the tenants?

Thank you


Accepted Solutions
larsonm
VMware Employee

First Question:

The Edge Services Gateway firewall affects only traffic that traverses the ESG(s) where the rule(s) is/are applied. If it is at the perimeter of the overlay, it is effectively a North/South firewall. The Distributed Firewall (DFW) is the firewall that is attached to the I/O chain of every vNIC in the environment and is an East/West firewall.

Second Question:

The firewall node in the Networking and Security plug-in can be used to push rules to the ESG, by using the Applied To field, as well as for configuring rules for the DFW.

Third Question:

If the tenant is behind a specific Edge, it is best to apply the rule at that specific tenant Edge.

Additional Information:

Below are the official definitions from the design guide.

Edge Firewall - Edge firewall services are part of the NSX Edge Services Gateway (ESG). The Edge firewall provides essential perimeter firewall protection which can be used in addition to a physical perimeter firewall. The ESG-based firewall is useful in developing PCI zones, multi-tenant environments, or dev-ops style connectivity without forcing the inter-tenant or inter-zone traffic onto the physical network.

Distributed Firewall – Security enforcement is done directly at the kernel and vNIC level. This enables highly scalable firewall rule enforcement by avoiding bottlenecks on physical appliances. The firewall is distributed in kernel, minimizing CPU overhead while enabling line-rate performance.

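The distinction in the accepted answer (an ESG rule only sees traffic that actually crosses that edge, while the DFW is enforced at every vNIC) is easy to get wrong when deciding where to block a client. Below is an added example, not code from the thread or from VMware, that models those two enforcement points in Python on a constructed two-tenant topology. The VM names, IP addresses (RFC 5737 documentation ranges), edge names, and the `Rule`/`evaluate` helpers are all assumptions made for illustration; they are not NSX objects or API calls, and the model ignores direction, interfaces and NAT, which a real ESG rule would carry.

```python
# Added example, not code from the thread or from VMware: a small model of
# where an NSX Edge Services Gateway (ESG) rule and a Distributed Firewall
# (DFW) rule are evaluated, to show why the enforcement point matters when
# you want to block one client from reaching one tenant.
#
# Assumptions (constructed for illustration, not real NSX objects or APIs):
# - each tenant sits behind its own ESG, named by the VM's `edge` field;
# - a flow crosses an ESG only when source and destination are behind
#   different edges (one side may be outside the overlay, edge=None);
# - the DFW is evaluated at the vNIC of every overlay VM, whatever the path;
# - rules are first-match on source/destination IP with a default allow.
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class VM:
    name: str
    ip: str
    edge: Optional[str]  # ESG the VM sits behind; None = outside the overlay


@dataclass(frozen=True)
class Rule:
    src: str  # IP address or "any"
    dst: str
    action: str  # "allow" or "deny"

    def matches(self, src_ip: str, dst_ip: str) -> bool:
        return self.src in ("any", src_ip) and self.dst in ("any", dst_ip)


def first_match(rules: List[Rule], src_ip: str, dst_ip: str) -> str:
    """First-match rule evaluation with an implicit default allow."""
    for rule in rules:
        if rule.matches(src_ip, dst_ip):
            return rule.action
    return "allow"


def edges_traversed(src: VM, dst: VM) -> List[str]:
    """ESGs the flow actually passes through. Same edge on both ends means
    east/west traffic inside the tenant, which never reaches an ESG."""
    if src.edge == dst.edge:
        return []
    return [edge for edge in (src.edge, dst.edge) if edge is not None]


def evaluate(src: VM, dst: VM,
             esg_rules: Dict[str, List[Rule]],
             dfw_rules: List[Rule]) -> str:
    """Return 'allow' or 'deny' for a flow from src to dst."""
    # ESG firewall: only the edges on the path see the packet.
    for edge in edges_traversed(src, dst):
        if first_match(esg_rules.get(edge, []), src.ip, dst.ip) == "deny":
            return "deny"
    # DFW: enforced at the vNIC of every overlay VM, so at either endpoint
    # that lives inside the overlay, regardless of which ESGs were crossed.
    if any(vm.edge is not None for vm in (src, dst)):
        if first_match(dfw_rules, src.ip, dst.ip) == "deny":
            return "deny"
    return "allow"


# Constructed topology: tenant A behind esg-a, tenant B behind esg-b,
# plus one client outside the overlay (RFC 5737 documentation addresses).
EXTERNAL_CLIENT = VM("ext-client", "203.0.113.10", edge=None)
TENANT_B_VM = VM("tenantB-vm", "10.2.0.5", edge="esg-b")
TENANT_A_WEB = VM("tenantA-web", "10.1.0.10", edge="esg-a")
TENANT_A_DB = VM("tenantA-db", "10.1.0.20", edge="esg-a")


def scenario_esg_rule() -> Dict[str, str]:
    """Deny rules applied at tenant A's edge only, as the answer recommends
    for clients that reach the tenant through that edge."""
    esg_rules = {"esg-a": [Rule("203.0.113.10", "any", "deny"),
                           Rule("10.2.0.5", "any", "deny")]}
    return {
        "external->tenantA": evaluate(EXTERNAL_CLIENT, TENANT_A_WEB, esg_rules, []),
        "tenantB->tenantA": evaluate(TENANT_B_VM, TENANT_A_WEB, esg_rules, []),
        # Same-tenant traffic never crosses esg-a, so the ESG rule cannot see it.
        "tenantA-db->tenantA-web": evaluate(TENANT_A_DB, TENANT_A_WEB, esg_rules, []),
    }


def scenario_dfw_rule() -> Dict[str, str]:
    """The same intent expressed as a DFW rule: enforced at the vNIC, so it
    also covers east/west traffic that no ESG ever sees."""
    dfw_rules = [Rule("10.1.0.20", "10.1.0.10", "deny")]
    return {
        "tenantA-db->tenantA-web": evaluate(TENANT_A_DB, TENANT_A_WEB, {}, dfw_rules),
        "tenantA-web->tenantA-db": evaluate(TENANT_A_WEB, TENANT_A_DB, {}, dfw_rules),
    }


if __name__ == "__main__":
    print(scenario_esg_rule())
    print(scenario_dfw_rule())
```

Running the two scenarios shows the practical consequence of the answer: a deny placed on tenant A's edge stops the external client and the tenant B VM, both of which must traverse that edge, but it does nothing for a source already inside tenant A, whose traffic never leaves the overlay segment. If the "client" you want to keep out can reach the tenant without crossing the edge, the rule belongs in the DFW instead (or in both).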
2 Replies
vmware3222
Enthusiast

Thank you very much

I understand now.

thanks
