VMware NSX

 View Only
  • 1.  nsx firewall rules vs. security policies

    Posted Jan 07, 2016 04:10 PM

    How would you positioning the security policies firewall rules in comparison to regular nsx firewall rules?

    Regular nsx firewall rules have sections, security policies firewall rules have a weight.

    Should we mix them to get best out of both worlds or is it better to decide for one?

    What are other differences between them?

  • 2.  RE: nsx firewall rules vs. security policies

    Posted Jan 22, 2016 03:06 PM

    You *can* mix and match them, but its best to pick one or the other.  Basic differences are:

    1.     Security Policies can't do L2 rules, DFW rules can

    2.     Security Policies can do service insertion, DFW rules can't

    3.     Security Policies take a bit more effort to understand at first, but in the long run you will end up managing far fewer rules/SGs if they're used right

    Here's an article that talks about using SPs vs DFW rules:  http://nsxperts.com/?p=65

    Also, don't worry about the weights if you're configuring SPs in the GUI.  Just order them the way you want and it will set them to appropriate values.

  • 3.  RE: nsx firewall rules vs. security policies

    Posted Jan 25, 2016 12:14 PM

    In addition to what Sean mentioned, I am seeing a combination of both. Customers have a common Services Section for Services like NTP, DNS, AD etc. They create rules for this manually. Rules created via  Service Composer are more dynamic in nature but will take you some time to get used to it.  One main advantage of creating the rules from SC, is that you can apply the same security policies to multiple security groups.