Most of the documents I found focus on the "distributed firewall", either technical details or configurations.
It seems that there are very few resources, videos or documents that do a deep dive on the edge firewall; basically they are introductions (or maybe I just missed them?).
I would like to know:
1. What type of firewall does the edge firewall belong to? Stateful firewall?
2. Are the firewall rules for layer 3 filtering only? What about protocols and applications?
3. Can the edge firewall completely replace a physical firewall (or any other firewalls) to guard the entire vSphere's north-south traffic?
4. Is the performance close to line rate? (Or not as good as the distributed firewall?)
5. More to add...
Thanks for any reply.
1. What type of firewall does the edge firewall belong to? Stateful firewall?
Yes, it is a stateful firewall.
2. Are the firewall rules for layer 3 filtering only? What about protocols and applications?
Yes, we can filter by services & protocols as well.
3. Can the edge firewall completely replace a physical firewall (or any other firewalls) to guard the entire vSphere's north-south traffic?
This is a design decision for vSphere workloads leveraging NSX-V. You could offload the N-S FW to the Edge or have multi-level protection. A lot depends upon what type of rule/filtering etc. we are in need of. Remember the Edge firewall is not an NGFW.
4. Is the performance close to line rate? (Or not as good as the distributed firewall?)
If you are in need of high performance, the recommendation is the Quad Large size for NSX Edges. I think we will get around 9-10 Gbps per Edge.
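To make answers 1 and 2 concrete (stateful, and matching on protocol/port rather than IP only), here is a small added model of a stateful L3/L4 packet filter. It is example code written for this thread, not NSX code or VMware's rule format; the rule base, addresses, ports and packets are all constructed. The point it shows: a stateful filter admits the reply half of a flow it already accepted without a second rule, while a stateless filter evaluating the same rule base drops that reply, and a rule carrying a protocol/port condition rejects traffic to the same IP on a different port or protocol.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed toy model of a stateful L3/L4 firewall. Hypothetical names;
# not the NSX-V Edge implementation or its API.


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                  # "tcp", "udp" or "icmp"
    sport: Optional[int] = None
    dport: Optional[int] = None


@dataclass
class Rule:
    name: str
    action: str                 # "accept" or "deny"
    src: str = "any"
    dst: str = "any"
    proto: str = "any"          # "any" makes this an L3-only rule
    dport: Optional[int] = None  # None = any destination port

    def matches(self, p: Packet) -> bool:
        return ((self.src == "any" or self.src == p.src)
                and (self.dst == "any" or self.dst == p.dst)
                and (self.proto == "any" or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport))


def first_match(rules: List[Rule], p: Packet, default: str = "deny") -> str:
    """Ordered rule base, first match wins, implicit default deny."""
    for r in rules:
        if r.matches(p):
            return r.action
    return default


FlowKey = Tuple[str, str, str, Optional[int], Optional[int]]


class StatelessFirewall:
    """Every packet is judged by the rule base alone."""

    def __init__(self, rules: List[Rule]):
        self.rules = rules

    def process(self, p: Packet) -> str:
        return first_match(self.rules, p) + ":rule"


class StatefulFirewall:
    """Rule base decides new flows; a connection table admits established ones."""

    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.table: Dict[FlowKey, str] = {}

    @staticmethod
    def _key(p: Packet) -> FlowKey:
        return (p.src, p.dst, p.proto, p.sport, p.dport)

    @staticmethod
    def _reverse_key(p: Packet) -> FlowKey:
        # The reply direction swaps addresses and ports.
        return (p.dst, p.src, p.proto, p.dport, p.sport)

    def process(self, p: Packet) -> str:
        if self._key(p) in self.table or self._reverse_key(p) in self.table:
            return "accept:established"
        decision = first_match(self.rules, p)
        if decision == "accept":
            self.table[self._key(p)] = "established"   # remember the flow
            return "accept:new"
        return "deny:rule"


# Constructed inbound (north-south) rule base: only HTTPS to one web VM.
RULES = [
    Rule("allow-https-in", "accept", dst="10.0.0.10", proto="tcp", dport=443),
    Rule("deny-all", "deny"),
]

# Constructed traffic: a client handshake, the server's reply, then two
# attempts at the same VM on a different port / protocol.
PACKETS = [
    Packet("203.0.113.5", "10.0.0.10", "tcp", sport=51000, dport=443),
    Packet("10.0.0.10", "203.0.113.5", "tcp", sport=443, dport=51000),
    Packet("203.0.113.5", "10.0.0.10", "tcp", sport=51001, dport=22),
    Packet("203.0.113.5", "10.0.0.10", "udp", sport=51002, dport=443),
]


def run_demo() -> Dict[str, List[str]]:
    """Verdicts for the same packets under each model."""
    stateful, stateless = StatefulFirewall(RULES), StatelessFirewall(RULES)
    return {
        "stateful": [stateful.process(p) for p in PACKETS],
        "stateless": [stateless.process(p) for p in PACKETS],
    }


if __name__ == "__main__":
    for model, verdicts in run_demo().items():
        print(model, verdicts)
```

Packet 2 is where the two models differ: the stateful table recognises the reverse flow key from packet 1 and accepts the reply, while the stateless engine has no inbound-from-server rule and denies it. Packets 3 and 4 are denied by both because the accept rule carries a protocol and port condition, which is the L4 matching the thread describes.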
Sreec, thanks for the answer!
It seems that the edge firewall could do the identity and context filtering...
So I guess there are only a few differences between the edge and the E-W?
(e.g. the edge is a virtual appliance, not kernel-embedded)
There are similarities, but for sure they are not the same. The differences start all the way from kernel vs. virtual form-factor appliance, and for E-W protection the DFW is the ideal candidate, also for traffic steering to third-party appliances based on the use cases, which is not possible with the Edge, and a deployment like ECMP might force you to consider E-W with a few IPset-based rules. Most importantly, from a license perspective the Edge firewall is available in all the editions, which is not the case for the DFW from a use-case perspective. For example, NSX Data Center Professional will provide context-based control of FW enforcement but not Identity Firewall rules, while the Edge firewall is available in both editions.