https://communities.vmware.com/t5/Networking-Members/NSX-Edge-as-perimeter-firewall/m-p/2837726#M10 <P>Hi,</P><P>As you see, distributed IDS/IPS is a new feature for East-West traffics. Otherwise, you could enable NSX Edge Firewall rules or the other stateful services on T1 level, so that you may deploy T0 in active-active mode.</P> Wed, 24 Mar 2021 01:22:20 GMT AntareSLyu 2021-03-24T01:22:20Z https://communities.vmware.com/t5/Networking-Members/NSX-Edge-as-perimeter-firewall/m-p/2837452#M6 <P class="x_MsoNormal"><SPAN>Hi Team,</SPAN></P><P class="x_MsoNormal"><SPAN>I have one concern/feasibility check request from customer to consider VMware edge as perimeter firewall for their IT private cloud.</SPAN></P><P class="x_MsoNormal"><SPAN>&nbsp;</SPAN></P><P class="x_MsoNormal"><SPAN>Afaik, above theory is not reco</SPAN><SPAN>mmended as Edge firewall lacks advanced features such as IDS,IPS etc,. (At least I’m not aware if they are supported)</SPAN></P><P class="x_MsoNormal"><SPAN>My queries are below</SPAN></P><P class="x_MsoNormal"><SPAN>1. Can Gateway firewall supports IDS ? (For North-south traffic)</SPAN></P><P class="x_MsoNormal"><SPAN>2. Let's say if I use gateway firewalls in&nbsp;</SPAN>cluster, will there be stateful information sync between them. For example, if one gateway firewall is down then do clients need to re-establish their connection?</P><P class="x_MsoNormal">3. If I integrate 3rd party service firewalls, can they work as Active/Active cluster? I see there is a limitation of running Active/Standby services in NSX for stateful services. Is this citation applicable to 3rd party services as well?</P><P class="x_MsoNormal">Thanks in advance.</P><P class="x_MsoNormal">&nbsp;</P> Tue, 23 Mar 2021 05:31:17 GMT https://communities.vmware.com/t5/Networking-Members/NSX-Edge-as-perimeter-firewall/m-p/2837452#M6 cbg2008 2021-03-23T05:31:17Z https://communities.vmware.com/t5/Networking-Members/NSX-Edge-as-perimeter-firewall/m-p/2837460#M7 <P>As far as I am aware IDS/IPS is enabled at the hypervisor level and not at the edge, if you are going to be using an SVM / service insertion then the t0 gateway has to be in Active-Standby.&nbsp;<A href="https://docs.vmware.com/en/VMware-NSX-T-Data-Center/3.1/administration/GUID-53D6C480-7AD3-4B23-922D-430C89992B57.html" target="_blank">https://docs.vmware.com/en/VMware-NSX-T-Data-Center/3.1/administration/GUID-53D6C480-7AD3-4B23-922D-430C89992B57.html</A></P><P>Have you had a look at the security reference design guide&nbsp;<A href="https://nsx.techzone.vmware.com/resource/nsx-security-reference-design-guide" target="_blank">https://nsx.techzone.vmware.com/resource/nsx-security-reference-design-guide</A>.</P><P>Also the reference design guide&nbsp;<A href="https://communities.vmware.com/t5/VMware-NSX-Documents/VMware-NSX-T-Reference-Design/ta-p/2778093" target="_blank">https://communities.vmware.com/t5/VMware-NSX-Documents/VMware-NSX-T-Reference-Design/ta-p/2778093</A>.</P><P>This blog my be of use as well.&nbsp;<A href="https://blogs.vmware.com/networkvirtualization/2020/08/the-nsx-t-gateway-firewall-secures-physical-servers.html/#:~:text=We%20can%20use%20the%20NSX,any%20site%2C%20and%20any%20cloud" target="_blank">https://blogs.vmware.com/networkvirtualization/2020/08/the-nsx-t-gateway-firewall-secures-physical-servers.html/#:~:text=We%20can%20use%20the%20NSX,any%20site%2C%20and%20any%20cloud</A>.<BR /><BR />Just trying to dig up some information regarding states for you.</P> Tue, 23 Mar 2021 06:25:33 GMT https://communities.vmware.com/t5/Networking-Members/NSX-Edge-as-perimeter-firewall/m-p/2837460#M7 shank89 2021-03-23T06:25:33Z https://communities.vmware.com/t5/Networking-Members/NSX-Edge-as-perimeter-firewall/m-p/2837462#M8 <P>Does that mean we can't have IDS at Edge firewall for North-South traffic</P> Tue, 23 Mar 2021 06:36:16 GMT https://communities.vmware.com/t5/Networking-Members/NSX-Edge-as-perimeter-firewall/m-p/2837462#M8 cbg2008 2021-03-23T06:36:16Z https://communities.vmware.com/t5/Networking-Members/NSX-Edge-as-perimeter-firewall/m-p/2837484#M9 <P>IDS is currently not supported on the Edge, you can youse introspection / SVM's to inspect traffic if you'd like.</P> Tue, 23 Mar 2021 08:32:43 GMT https://communities.vmware.com/t5/Networking-Members/NSX-Edge-as-perimeter-firewall/m-p/2837484#M9 shank89 2021-03-23T08:32:43Z https://communities.vmware.com/t5/Networking-Members/NSX-Edge-as-perimeter-firewall/m-p/2837726#M10 <P>Hi,</P><P>As you see, distributed IDS/IPS is a new feature for East-West traffics. Otherwise, you could enable NSX Edge Firewall rules or the other stateful services on T1 level, so that you may deploy T0 in active-active mode.</P> Wed, 24 Mar 2021 01:22:20 GMT https://communities.vmware.com/t5/Networking-Members/NSX-Edge-as-perimeter-firewall/m-p/2837726#M10 AntareSLyu 2021-03-24T01:22:20Z