vmmedmed
Enthusiast

NSX PAN Integration


I would like to integrate NSX with my PAN firewall such that the PAN DMZ interface becomes a gateway into the NSX-controlled VLANs. So north-south traffic would be regulated by the PAN and host-to-host flows would be restricted via tag-based policies in NSX. I also want to have a gateway into the NSX from the internal Cisco Nexus switch.

Q: Is it possible to have two gateways into NSX?

It's been a while since I worked with it. Thank you.

4 Replies
Sreec
VMware Employee

Just to clarify your question, do you have a DMZ and server farm use case with a unique firewall instance configuration? When you say integrate, are you referring to Network Introspection use cases or simply having a routing adjacency between the NSX Edge and the firewall instances?

Cheers,
Sree | VCIX-5X | VCAP-5X | vExpert 6x | Cisco Certified Specialist
Please KUDO helpful posts and mark the thread as solved if answered
vmmedmed
Enthusiast

There is an Internet-facing firewall with, say, three interfaces: outside, inside and DMZ.

All the servers presently are VMs reachable from the inside interface of that inet connected firewall. So now I want to move some of the servers to a DMZ. Since we'll be implementing NSX - I see two options:

1) Keep all of the VMs reachable from that inside FW interface and create a DMZ vlan/subnet within NSX. All traffic would flow from inside interface to NSX Edge VM routing. Restrict traffic in and out of that DMZ using NSX firewall ability. This seems simplest.

2) Somehow employ the inet-connected firewall's DMZ interface to the NSX/VMware environment via a second edge VM.

It's the second scenario I'm trying to think through. Is it possible for an NSX environment to have two edge VMs/routers? One would be just for routing to the DMZ and the other edge would be handling all other traffic. If I'm still clear as mud I can post a diagram of the idea.

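Both the first post and option 1 above lean on tag-based distributed-firewall rules to keep DMZ hosts from reaching the internal tier once the DMZ segment lives inside NSX. As an added illustration that is not from this thread and not VMware code, the following Python model shows what that policy actually decides: constructed VMs with zone tags, ordered first-match rules ending in a default drop, a function that enumerates which DMZ-to-internal flows are really permitted, and a check for rules that can never fire because an earlier rule shadows them. Every VM name, address, tag and rule here is invented for the example, and the evaluator only approximates DFW semantics; it is not an NSX API client.

```python
"""Toy evaluator for tag-based segmentation rules, modelled loosely on NSX
distributed-firewall semantics: groups selected by VM tag, rules applied in
order with first match winning, and an explicit default-drop rule at the end.
Added example for the thread; VMs, tags and rules are constructed."""
from dataclasses import dataclass
from itertools import product

INTERNET = "internet"  # pseudo-endpoint for traffic arriving via the outside interface


@dataclass(frozen=True)
class VM:
    name: str
    ip: str
    tags: frozenset


@dataclass(frozen=True)
class Rule:
    name: str
    src: str          # tag name, "any", or "internet"
    dst: str          # tag name or "any"
    ports: frozenset  # TCP ports; empty set means any port
    action: str       # "allow" or "drop"


# Constructed inventory: a DMZ web tier, an internal DB, an internal jump host.
VMS = [
    VM("web01", "10.10.1.10", frozenset({"dmz", "web"})),
    VM("web02", "10.10.1.11", frozenset({"dmz", "web"})),
    VM("db01", "10.20.1.10", frozenset({"internal", "db"})),
    VM("jump01", "10.30.1.10", frozenset({"internal", "mgmt"})),
]

# Constructed rule set in evaluation order. The specific web->db exception
# sits above the broad dmz->internal drop on purpose.
RULES = [
    Rule("inet-to-web", INTERNET, "web", frozenset({443}), "allow"),
    Rule("web-to-db", "web", "db", frozenset({5432}), "allow"),
    Rule("mgmt-ssh", "mgmt", "any", frozenset({22}), "allow"),
    Rule("dmz-isolate", "dmz", "internal", frozenset(), "drop"),
    Rule("default-drop", "any", "any", frozenset(), "drop"),
]


def _selects(selector, endpoint):
    """True if a rule's source/destination selector matches the endpoint."""
    if selector == "any":
        return True
    if endpoint == INTERNET:
        return selector == INTERNET
    return selector in endpoint.tags


def evaluate(src, dst, port, rules=RULES):
    """Return (action, rule_name) for the first rule matching the flow."""
    for rule in rules:
        if (_selects(rule.src, src) and _selects(rule.dst, dst)
                and (not rule.ports or port in rule.ports)):
            return rule.action, rule.name
    return "drop", "implicit-deny"


def vms_with_tag(tag, vms=VMS):
    return [vm for vm in vms if tag in vm.tags]


def _probe_ports(rules):
    # Every port a rule names, plus one port no rule names (stands in for "anything else").
    return sorted(set().union(*(r.ports for r in rules)) | {8080})


def permitted_flows(src_tag, dst_tag, vms=VMS, rules=RULES):
    """Set of (src_vm, dst_vm, port) the rule set allows between two zones."""
    found = set()
    for s, d in product(vms_with_tag(src_tag, vms), vms_with_tag(dst_tag, vms)):
        for port in _probe_ports(rules):
            action, _ = evaluate(s, d, port, rules)
            if action == "allow":
                found.add((s.name, d.name, port))
    return found


def shadowed_rules(rules=RULES, vms=VMS):
    """Names of rules that never match any probed flow, i.e. dead or shadowed rules."""
    hit = set()
    for s in vms + [INTERNET]:
        for d in vms:
            for port in _probe_ports(rules):
                _, name = evaluate(s, d, port, rules)
                hit.add(name)
    return {r.name for r in rules} - hit


if __name__ == "__main__":
    print("dmz -> internal permitted:", sorted(permitted_flows("dmz", "internal")))
    print("shadowed rules:", shadowed_rules())
```

Running the audit shows that the only DMZ-to-internal flows left open are web01/web02 to db01 on 5432; swapping the order of `web-to-db` and `dmz-isolate` makes `shadowed_rules` report `web-to-db` as dead, which is exactly the kind of ordering mistake that silently breaks an application after a "tightening" change.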
Sreec
VMware Employee

I'm assuming you are referring to NSX-T :). The easiest option is to create additional uplink interfaces on existing Edges and peer them with a DMZ firewall. If there are security concerns around this design, you will need a dedicated DMZ T1 and T0/VRF to reach DMZ segments, and you can simply route from there based on the use cases. That being said, how you connect the server to the network (DC & DMZ switches) also matters, and it should be aligned with the routing design for optimistic traffic flow.

Cheers,
Sree | VCIX-5X | VCAP-5X | vExpert 6x | Cisco Certified Specialist
Please KUDO helpful posts and mark the thread as solved if answered
vmmedmed
Enthusiast

The NSX edge being able to have additional uplink interfaces is, I think, the key info. Thank you!

As for NSX-T - gawd. I left the NSX game just as it was starting to get popular and didn't look deeply at it. I was under the impression that people would use NSX-T if they wanted to integrate VMs/NSX into the cloud. But perhaps you're suggesting the product overall is now just called NSX-T? Not sure where you were going with that distinction.
