VMware NSX

  • 1.  Can I deploy DFW and gateway FW in security only mode ?

    Posted Apr 20, 2023 08:23 AM

    I want to deploy DFW for my VMs, and Gateway FW for my 2 physical subnets. Can I achieve this purpose by deploying NSX-T in the "Security only" mode? Or do I have to deploy in Network & Security mode?



  • 2.  RE: Can I deploy DFW and gateway FW in security only mode ?

    Broadcom Employee
    Posted Apr 20, 2023 08:45 AM

    You should be able to use Gateway firewall in Security only mode also, based on my knowledge. 3.2 introduced a new licensing model for Gateway Firewall. You should be able to do that if licensing is not a constraint. You can even mix security only and network & security deployments on different clusters under one NSX umbrella.

     

    If possible, the ideal thing to do is to prepare the cluster with NSX network & security, create T0/T1 gateways and overlay networks, bring VMs under Geneve segments and use DFW on GFW.



  • 3.  RE: Can I deploy DFW and gateway FW in security only mode ?
    Best Answer

    Broadcom Employee
    Posted Apr 20, 2023 08:56 AM

    Distributed Security provides only the below security-related functionality to your VDS 

    • Distributed Firewall (DFW)
    • Distributed IDS/IPS
    • Identity Firewall
    • L7 App ID
    • Fully Qualified Domain Name (FQDN) Filtering
    • NSX Intelligence
    • NSX Malware Prevention
    • NSX Guest Introspection


  • 4.  RE: Can I deploy DFW and gateway FW in security only mode ?

    Posted Apr 21, 2023 12:36 AM

    Because some server VMs are in the same subnets as some physical PCs, I can't migrate the server VMs into the overlay network without modifying the server VMs' IP addresses. Now I have a 10-node vSAN cluster, and I am going to deploy NSX DFW in the cluster, and GFW for my PCs. Can I achieve this goal under these constraints?

    Is there a how-to guide for this scenario? I googled many times and searched the VMware docs, but found nothing exactly about it.



  • 5.  RE: Can I deploy DFW and gateway FW in security only mode ?

    Broadcom Employee
    Posted Apr 21, 2023 09:29 AM


  • 6.  RE: Can I deploy DFW and gateway FW in security only mode ?

    Broadcom Employee
    Posted Apr 25, 2023 06:36 PM

    If you have an NSX Network & Security license, you can prepare your clusters with Network & Security > Create NSX VLAN Segments > Move your VMs from VDS VLAN port groups to NSX VLAN Segments. You don't need bridging for this either. When there is no physical dependency, you can switch from NSX VLAN segments to NSX Overlay segments. You can implement both DFW & GFW.