VMware Networking Community
akumbalakandy
Enthusiast

NSX-T Security Only Mode and Gateway Firewalling

Dear All,

I want to achieve the following with NSX-T Security Only deployment:

1. Micro segmentation for my workloads along with IDFW.

2. URL Filtering and URL Analysis (reputation based) for certain workload (like VDI).

The challenge is that URL analysis is supported only on the gateway firewalls. How do I make use of gateway firewalling in case of a security-only deployment? I am using NSX-T 3.2.

Accepted Solution
chandrakm
VMware Employee

Hi,

What license do you have?

Based on my knowledge of NSX-T Security only (DFW for VDS port groups), you can do DFW and FQDN filtering using DFW rules. URL Analysis and Filtering would not be possible with DFW as of now.

If you have the required license to run a T0, I think you can make the T0 the gateway for the VLAN port groups to enforce URL analysis and filtering at the gateway level. I am not sure how feasible it is.

But if URL analysis and filtering is a mandatory requirement, the only way that I see is using NSX-T for both Networking and Security: use overlay networking and T0/T1, move the VMs under NSX-T segments, use DFW, and take full advantage of overlay networking and the URL filtering and analysis services on the gateway firewall.

Cheers,
Chandra | 2xVCIX | CCIE | TOGAF
Please KUDO helpful posts and mark the thread as solved if answered


4 Replies
akumbalakandy
Enthusiast

Any response to this?

akumbalakandy
Enthusiast

Hello Chandra,

Thank you for the response. 

We have the Micro-Segmentation license for VDI.

As it is VDI, we are looking for the same security control set that we used to have on laptops and desktops.

It looks like micro-segmentation alone will not add any value to the solution and we need to go with our traditional firewall and security controls. And the app control (App-ID) of NSX-T is very limited, even in 3.2, for end-user computing.

chandrakm
VMware Employee

I think you should use DFW with the Identity Based Firewall feature (UserID) to take full advantage of micro-segmentation for VDI environments. You can even build DFW rules using AD user groups as source or destination. It is highly scalable, and I am not sure you get this on physical firewalls, though. But a combination of DFW and a physical firewall is also a good use case for many. Just FYI.

Cheers,
Chandra | 2xVCIX | CCIE | TOGAF
Please KUDO helpful posts and mark the thread as solved if answered
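Added example, not part of the thread or of any VMware code: the two things the accepted answer and the last reply say a security-only deployment can do, FQDN filtering in DFW and identity-based (AD group) rules, expressed as NSX-T Policy API objects. The object shapes, the built-in service paths /infra/services/DNS and /infra/services/DNS-UDP and the built-in context profile /infra/context-profiles/DNS are assumed from the NSX-T 3.x Policy API; the AD names, FQDN list and group IDs are constructed. The check function encodes the caveat a practitioner hits first: DFW FQDN rules only match once the DFW has snooped a DNS answer, so a DNS allow rule carrying the DNS context profile must precede them, and the policy should end in an explicit drop.

```python
"""NSX-T Policy API payloads for an IDFW + FQDN-filtered DFW policy (assumed API shapes)."""
import base64
import json
import ssl
import urllib.request

# Built-in objects assumed to exist on an NSX-T 3.x manager (assumption, not from the thread).
DNS_SERVICES = ["/infra/services/DNS", "/infra/services/DNS-UDP"]
DNS_CONTEXT_PROFILE = "/infra/context-profiles/DNS"


def identity_group(group_id, ad_group_dn, ad_base_dn):
    """DFW group whose members are VMs with a logged-in user in the given AD group."""
    return {
        "resource_type": "Group",
        "id": group_id,
        "display_name": group_id,
        "expression": [{
            "resource_type": "IdentityGroupExpression",
            "identity_groups": [{
                "distinguished_name": ad_group_dn,
                "domain_base_distinguished_name": ad_base_dn,
            }],
        }],
    }


def fqdn_context_profile(profile_id, fqdns):
    """Context profile matching destination DNS names (wildcards such as *.example.com)."""
    return {
        "resource_type": "PolicyContextProfile",
        "id": profile_id,
        "display_name": profile_id,
        "attributes": [{"key": "DOMAIN_NAME", "datatype": "STRING",
                        "value": sorted(set(fqdns))}],
    }


def rule(rule_id, seq, src, dst, services, action, profiles=()):
    """One DFW rule; group paths go in src/dst, context-profile paths in profiles."""
    return {
        "resource_type": "Rule", "id": rule_id, "display_name": rule_id,
        "sequence_number": seq, "source_groups": src, "destination_groups": dst,
        "services": services, "profiles": list(profiles), "scope": ["ANY"],
        "direction": "IN_OUT", "action": action, "logged": True,
    }


def vdi_egress_policy(policy_id, users_group_path, dns_servers_path, fqdn_profile_path):
    """Allow DNS first (so DFW learns name->IP), then approved FQDNs, then drop the rest."""
    return {
        "resource_type": "SecurityPolicy", "id": policy_id, "display_name": policy_id,
        "category": "Application",
        "rules": [
            rule("allow-dns", 10, [users_group_path], [dns_servers_path],
                 DNS_SERVICES, "ALLOW", [DNS_CONTEXT_PROFILE]),
            rule("allow-approved-fqdn", 20, [users_group_path], ["ANY"],
                 ["ANY"], "ALLOW", [fqdn_profile_path]),
            rule("drop-other-egress", 30, [users_group_path], ["ANY"], ["ANY"], "DROP"),
        ],
    }


def check_policy(policy):
    """Return ordering problems that make FQDN rules silently ineffective."""
    problems = []
    rules = sorted(policy["rules"], key=lambda r: r["sequence_number"])
    dns_seq = next((r["sequence_number"] for r in rules
                    if DNS_CONTEXT_PROFILE in r["profiles"] and r["action"] == "ALLOW"), None)
    for r in rules:
        fqdn_profiles = [p for p in r["profiles"] if p != DNS_CONTEXT_PROFILE]
        if fqdn_profiles and (dns_seq is None or dns_seq > r["sequence_number"]):
            problems.append(f"{r['id']}: FQDN rule has no preceding DNS allow rule")
    if rules[-1]["action"] not in ("DROP", "REJECT"):
        problems.append("policy does not end with an explicit drop/reject")
    return problems


def put(manager, userpass, path, payload):
    """PUT one Policy API object (basic auth); lab managers may need a custom TLS context."""
    req = urllib.request.Request(
        f"https://{manager}/policy/api/v1{path}", method="PUT",
        data=json.dumps(payload).encode(),
        headers={"Content-Type": "application/json",
                 "Authorization": "Basic " + base64.b64encode(userpass.encode()).decode()})
    with urllib.request.urlopen(req, context=ssl.create_default_context()) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Constructed sample names; nothing here is pushed unless you call put().
    grp = identity_group("vdi-users", "CN=VDI-Users,OU=Groups,DC=corp,DC=example", "DC=corp,DC=example")
    prof = fqdn_context_profile("approved-saas", ["*.office.com", "login.microsoftonline.com"])
    pol = vdi_egress_policy("vdi-egress", "/infra/domains/default/groups/vdi-users",
                            "/infra/domains/default/groups/dns-servers",
                            "/infra/context-profiles/approved-saas")
    print(json.dumps([grp, prof, pol], indent=2))
    print("policy problems:", check_policy(pol) or "none")
```

Push order matters: the group and context profile must exist before the policy that references them, so call put() for /infra/domains/default/groups/vdi-users and /infra/context-profiles/approved-saas before /infra/domains/default/security-policies/vdi-egress. IDFW also requires the AD domain to be registered under Identity Firewall AD and IDFW enabled on the cluster, which this script does not configure.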