NSX firewall rules vs. security policies

How would you position the security policy firewall rules in comparison to regular NSX firewall rules?

Regular NSX firewall rules have sections; security policy firewall rules have a weight.

Should we mix them to get the best of both worlds, or is it better to decide on one?

What are other differences between them?

2 Replies

You *can* mix and match them, but it's best to pick one or the other. Basic differences are:

1. Security Policies can't do L2 rules; DFW rules can.

2. Security Policies can do service insertion; DFW rules can't.

3. Security Policies take a bit more effort to understand at first, but in the long run you will end up managing far fewer rules/SGs if they're used right.

Here's an article that talks about using SPs vs DFW rules:

Also, don't worry about the weights if you're configuring SPs in the GUI. Just order them the way you want and it will set them to appropriate values.

VMware Employee

In addition to what Sean mentioned, I am seeing a combination of both. Customers have a common Services section for services like NTP, DNS, AD, etc. They create rules for this manually. Rules created via Service Composer are more dynamic in nature but will take you some time to get used to. One main advantage of creating the rules from SC is that you can apply the same security policies to multiple security groups.
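The weight-based precedence of Service Composer policies (and the GUI assigning weights from the order you put them in, as the first reply notes) plus one policy applied to several security groups (as the second reply notes), modelled as an added Python example; this is not VMware or NSX code, all policy names, weights and group memberships are constructed, and it assumes that a higher weight means higher precedence and that a VM inherits every policy applied to any of its security groups.

```python
from dataclasses import dataclass

# Added example, not VMware/NSX code. Assumes: higher weight = higher
# precedence, and a VM inherits every policy applied to any security group
# it belongs to. All names, weights and memberships are constructed.

@dataclass
class Rule:
    name: str
    action: str        # "allow" or "block"

@dataclass
class SecurityPolicy:
    name: str
    weight: int
    rules: list        # evaluated in listed order within the policy
    applied_to: set    # security group names the policy is applied to

def effective_rules(policies, vm_groups):
    """Rules hitting a VM, in evaluation order: descending policy weight, then rule order."""
    applicable = [p for p in policies if p.applied_to & vm_groups]
    ordered = sorted(applicable, key=lambda p: -p.weight)   # stable: ties keep input order
    return [(p.name, r.name, r.action) for p in ordered for r in p.rules]

def duplicate_weights(policies):
    """Weights shared by several policies; their mutual order is then not fixed by weight."""
    by_weight = {}
    for p in policies:
        by_weight.setdefault(p.weight, []).append(p.name)
    return {w: names for w, names in by_weight.items() if len(names) > 1}

def assign_weights(policies_in_gui_order, top=4300, step=100):
    """Mimic the GUI: weights follow drag-and-drop order, first entry highest (top/step constructed)."""
    for i, p in enumerate(policies_in_gui_order):
        p.weight = top - i * step
    return policies_in_gui_order

# Constructed sample: a quarantine policy that must beat everything else, and two
# policies accidentally given the same weight.
QUARANTINE = SecurityPolicy("SP-Quarantine", 5000, [Rule("block-all", "block")], {"SG-Quarantine"})
WEB = SecurityPolicy("SP-Web", 4300, [Rule("allow-https", "allow")], {"SG-Web"})
COMMON = SecurityPolicy("SP-Common", 4300, [Rule("allow-dns-ntp", "allow")], {"SG-Web", "SG-App"})

if __name__ == "__main__":
    for entry in effective_rules([QUARANTINE, WEB, COMMON], {"SG-Web", "SG-Quarantine"}):
        print(entry)
    print("ambiguous weights:", duplicate_weights([QUARANTINE, WEB, COMMON]))
```

Running `duplicate_weights` over an export of your policies is a quick check that two policies applied to overlapping groups do not depend on an undefined tie-break.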