: Supported Deployments of the VM-Series Firewall on VMware NSX-T (East-West)
Focus
Focus

Supported Deployments of the VM-Series Firewall on VMware NSX-T (East-West)

Table of Contents

Supported Deployments of the VM-Series Firewall on VMware NSX-T (East-West)

You can deploy one or more instances of the VM-Series firewall as a partner service in your VMware NSX-T Data Center to secure East-West traffic and perform micro-segmentation. To configure the VM-Series firewall to perform micro-segmentation, you can deploy the firewalls in a service cluster or per host.
  • Service Cluster—In a clustered deployment, all the VM-Series firewalls are installed on a single cluster. Traffic between VMs and groups are redirected to the VM-Series cluster for policy inspection and enforcement before continuing to its destination. When you configure a clustered deployment, you can specify a particular host within the cluster or select Any and let NSX-T choose a host.
  • Host-Based—In a per host deployment, an instance of the VM-Series firewall is installed on each host in the ESXi cluster. Traffic between guests on the same host is inspected by the local firewall, so it does not need to leave the host for inspection. Traffic leaving the host is inspected by the firewall before reaching the vSwitch.
After deploying the firewall, you configure traffic redirection rules that send traffic to the VM-Series firewall. Security policy rules that you configure on Panorama are pushed to managed VM-Series firewalls and then applied to traffic passing through the firewall.
To deploy your VM-Series firewall on VMware NSX-T, you have two workflow options—operations-centric and security-centric deployment.
  • Operations-centric—in an operations-centric workflow, some portions of the deployment procedure are performed on Panorama and the remainder are performed on NSX-T manager. On Panorama, you must first enable communication between Panorama and NSX-T Manager, configure the service definition, and launch the VM-Series firewall. Then, you must log in to NSX-T Manager to continue the configuration by creating service chains and steering rules. To complete your VM-Series deployment, you must return to Panorama to create security policy.
  • Security-centric—in a security-centric workflow, you can use Panorama as a single pane of glass to control and manage security operations. You complete the entire deployment workflow from Panorama. The Panorama plugin for VMware NSX pushes configuration to NSX-T Manager that creates service chains and steering rules.
It is recommended that you select one deployment workflow for your VM-Series deployment on NSX-T for ease of use. However, the VM-Series firewall for VMware NSX-T does support the use of both workflows on the same plugin.