VMware NSX

 View Only
  • 1.  Nsxt DFW allow all northbound traffic

    Posted Dec 20, 2020 10:29 PM

    Hello,

    We are designing nsxt firewall environment and would like to implement zero trust / microsegmentation.  Because we use physical perimeter firewalls we allow all traffic through nsxt gateway firewalls.  But when we enable micro segmentation on dfw No northbound traffic is allowed anymore. Could someone please point us out how to allow all northbound traffic for dfw! Thanks in advance!



  • 2.  RE: Nsxt DFW allow all northbound traffic

    Posted Dec 22, 2020 04:54 PM

    N-S traffic is the one that will enter thru the EDGES, in terms of rules you need to verify if you are using a deny to all other traffic this depends on your approach so to make it simple VM1 ->VM2  will have a rule of deny/allow traffic on DFW but if this VM1 needs to reach something outside the overlay if this is the case or the vSphere environment (scope of the DFW) then you will have a DFW rule as well, also check that EDGES doe not have any FW active.

     

    my 2 cents .



  • 3.  RE: Nsxt DFW allow all northbound traffic

    Posted Dec 23, 2020 09:51 AM

    Not sure if this is the smartest approach, but perhaps you could create a Group containing all your local IP ranges, then create a Rule to allow traffic to this Group and choose to Negate Selections? This means that it allows traffic to any IP except for your local ones which you already have created Allow rules for. Note that I have not tested this in production so use at your own risk.