VMware NSX

  • 1.  Virtual firewall

    Posted Nov 28, 2023 07:17 PM

    Hello all,

    Need some help if possible. I'm managing a multi-tenant NSX 4.x environment, and I'm using VRF Lite to separate all customers.

    I'm receiving requests from customers who want to use a firewall to manage the access of their VMs to the internet, or to manage the traffic that comes from outside NSX to the VMs in their VRF. Customers don't have access to the Gateway FW or the DFW.

    Each customer has a VRF and a T1, and inside NSX the VMs only use overlay segments.

    Is it possible to deploy a virtual firewall, like a FortiGate VM (but not integrated with NSX), for those customers, so they can manage the firewall themselves?

    Has anyone tested it?

    Thanks.

    Regards.



  • 2.  RE: Virtual firewall

    Broadcom Employee
    Posted Nov 29, 2023 07:34 AM

    Why not? It's a VM :), so as long as your connectivity and placement are done correctly it will work. Will this be a scalable design? I don't think so.



  • 3.  RE: Virtual firewall

    Posted Nov 29, 2023 08:14 AM

    Hi,

    But imagine, when I create an overlay segment, e.g. 192.168.100.1/24, the .1 is the default gateway. How can I assign that .1 IP to the virtual firewall?


    Thanks.

    Regards.



  • 4.  RE: Virtual firewall

    Posted Nov 29, 2023 08:29 AM

    You don't really have to. The customer can route their traffic to the firewall VM, the firewall VM can then route it out via the segment gateway IP.

    It might be worth looking into other options as well, though. Either through service insertion, or using multi-tenancy. There were quite a few new features added in 4.1 to allow your tenants access to their own DFW/gateway FW but nothing else. It could be worth a look.
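    The routing chain described in the reply above (workload VM -> firewall VM -> segment gateway on the T1), as an added example that is not part of this thread and not VMware's or Fortinet's code. It validates the two-arm layout a tenant would build with an unintegrated firewall VM: the firewall takes a spare address on the NSX overlay segment instead of the .1, the workloads sit on a protected network behind the firewall's inside arm, and the tenant T1 gets a static route for that protected prefix via the firewall's outside IP. All addresses are constructed sample values; the `Design` helper is hypothetical, and the Policy API URL named in the comment is an assumption to verify against the NSX version in use.

```python
import ipaddress
import json
from dataclasses import dataclass


@dataclass
class Design:
    """One tenant's firewall-in-a-VM layout (all values are constructed examples)."""
    transit_segment: str   # NSX overlay segment the firewall's outside arm sits on
    transit_gateway: str   # the .1 owned by the tenant Tier-1 downlink
    fw_outside_ip: str     # firewall VM address on the transit segment
    fw_default_route: str  # where the firewall sends internet-bound traffic
    protected_prefix: str  # workload network behind the firewall
    fw_inside_ip: str      # firewall VM address on the protected network
    vm_default_gw: str     # gateway the tenant configures on workload VMs


# Sound layout: firewall keeps its hands off the .1 and routes out through it.
GOOD_DESIGN = Design(
    transit_segment="192.168.100.0/24",
    transit_gateway="192.168.100.1",
    fw_outside_ip="192.168.100.254",
    fw_default_route="192.168.100.1",
    protected_prefix="10.50.0.0/24",
    fw_inside_ip="10.50.0.1",
    vm_default_gw="10.50.0.1",
)

# The layout asked about in the thread: trying to give the firewall the .1 itself.
GATEWAY_COLLISION_DESIGN = Design(
    transit_segment="192.168.100.0/24",
    transit_gateway="192.168.100.1",
    fw_outside_ip="192.168.100.1",
    fw_default_route="192.168.100.1",
    protected_prefix="10.50.0.0/24",
    fw_inside_ip="10.50.0.1",
    vm_default_gw="10.50.0.1",
)


def check_placement(d: Design) -> list:
    """Return a list of design problems; an empty list means the chain
    VM -> firewall inside arm -> firewall outside arm -> segment gateway holds."""
    transit = ipaddress.ip_network(d.transit_segment, strict=True)
    protected = ipaddress.ip_network(d.protected_prefix, strict=True)
    gw = ipaddress.ip_address(d.transit_gateway)
    fw_out = ipaddress.ip_address(d.fw_outside_ip)
    fw_in = ipaddress.ip_address(d.fw_inside_ip)
    problems = []
    if gw not in transit:
        problems.append("transit gateway is not inside the transit segment")
    if fw_out not in transit:
        problems.append("firewall outside IP is not inside the transit segment")
    if fw_out == gw:
        problems.append("firewall outside IP collides with the NSX-owned gateway")
    if ipaddress.ip_address(d.fw_default_route) != gw:
        problems.append("firewall default route does not point at the segment gateway")
    if transit.overlaps(protected):
        problems.append("protected prefix overlaps the transit segment")
    if fw_in not in protected:
        problems.append("firewall inside IP is not inside the protected prefix")
    if ipaddress.ip_address(d.vm_default_gw) != fw_in:
        problems.append("workload default gateway does not point at the firewall VM")
    return problems


def tier1_static_route_body(d: Design, admin_distance: int = 1) -> dict:
    """Body for the Tier-1 static route that sends inbound traffic for the
    protected prefix to the firewall's outside IP instead of to the workloads.

    The shape (``network`` plus ``next_hops``) follows the NSX Policy API
    StaticRoutes object; the URL it would be PATCHed to is assumed to be
    /policy/api/v1/infra/tier-1s/<tier1-id>/static-routes/<route-id> and
    should be checked against the NSX version in use.
    """
    return {
        "network": d.protected_prefix,
        "next_hops": [{"ip_address": d.fw_outside_ip, "admin_distance": admin_distance}],
    }


if __name__ == "__main__":
    for name, design in (("good", GOOD_DESIGN), ("collision", GATEWAY_COLLISION_DESIGN)):
        issues = check_placement(design)
        print(f"{name}: " + ("OK" if not issues else "; ".join(issues)))
    print(json.dumps(tier1_static_route_body(GOOD_DESIGN), indent=2))
```

    For the inbound direction to work end to end, the tenant T1 also has to advertise its static routes upstream to the T0 VRF (the Tier-1 route advertisement setting for static routes), otherwise the protected prefix is never reachable from outside; that setting stays on the provider side, so the tenant only ever manages the firewall VM itself.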



  • 5.  RE: Virtual firewall

    Posted Nov 29, 2023 12:02 PM

    Hi,

    Those features are NSX Projects, right? But in that case the customer will need to have access to the NSX UI.

    Thanks.

    Regards.



  • 6.  RE: Virtual firewall

    Posted Nov 29, 2023 12:55 PM

    I believe so, if you want the customer to access the native FW, they'll need access to either the UI or the API.