
NSX-T Datacenter Firewall

In NSX-T there are two types of firewall, which we will discuss in this post.

1) Distributed firewall
2) Gateway firewall

Let's talk about them one by one.

1) Distributed firewall:

A distributed firewall is hosted at the host (hypervisor) level as a kernel-embedded stateful firewall. This kind of firewall is mostly used between the transport nodes, that is, for east-west traffic within the network.

Basically, the distributed firewall helps protect each virtual machine at the VM level against attacks.

Many people ask: if we already have a perimeter firewall at the physical layer to protect the network, why do we need a firewall (the distributed firewall) at the VM level?

  To answer this question: yes, many of you are correct that the perimeter firewall is there to protect the network at the top level. However, some attacks land directly at the VM level, such as attacks delivered from a USB drive, phishing emails and advertisement-based attacks.

  To protect against this kind of attack at the VM level, it is essential to deploy something at that level, which in the case of NSX-T is the distributed firewall.

Fig. 1: Distributed firewall flow

Let's point out some of the highlights of the distributed firewall.

  • It resides outside the VM guest OS.
  • It controls the I/O path to and from the VM's virtual NIC (vNIC). If a VM has 4 vNICs, the distributed firewall protects each of the 4 vNICs individually.
  • It monitors the state of active connections and uses this information as packets traverse the VM's vNIC.
  • It checks both tables (the connection table and the rule table) against each packet to decide whether the connection should be accepted or denied at the VM's firewall.
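To make the connection-table and rule-table evaluation in these bullets concrete, here is an added Python model of a stateful per-vNIC filter. It is not NSX-T code and is not from the original post: the addresses, vNIC names, rules and sample packets are constructed for the demonstration, and treating only a TCP SYN as able to open new state is a simplification of real TCP state tracking. Each vNIC gets its own rule table and connection table, an accepted flow is allowed in both directions from the connection table, a mid-stream packet with no state is dropped, and anything unmatched falls to the default deny.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed addresses for the demonstration (not from the post).
WEB_VM, DB_VM, CLIENT, STRANGER = "10.0.1.10", "10.0.2.20", "192.0.2.50", "198.51.100.9"


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # True for the packet that opens a new TCP connection


@dataclass(frozen=True)
class Rule:
    action: str                 # "allow" or "deny"
    src: Optional[str] = None   # None means "any"
    dst: Optional[str] = None
    dport: Optional[int] = None
    proto: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        checks = ((self.src, p.src), (self.dst, p.dst),
                  (self.dport, p.dport), (self.proto, p.proto))
        return all(want is None or want == got for want, got in checks)


FlowKey = Tuple[str, str, int, str, int]


class VnicFirewall:
    """Enforcement point for one vNIC: its own rule table and connection table."""

    def __init__(self, vnic: str, rules: List[Rule]) -> None:
        self.vnic = vnic
        self.rules = rules
        self.connections: Set[FlowKey] = set()

    @staticmethod
    def _key(p: Packet) -> FlowKey:
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse(p: Packet) -> FlowKey:
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def evaluate(self, p: Packet) -> str:
        # Step 1: connection table. Packets of an already accepted flow pass in
        # both directions without re-evaluating the rule table.
        if self._key(p) in self.connections or self._reverse(p) in self.connections:
            return "allow:established"
        # Step 2: a TCP packet that is not a SYN and has no state cannot start a
        # flow; dropping it is what makes this stateful rather than port-based.
        if p.proto == "tcp" and not p.syn:
            return "deny:no-state"
        # Step 3: rule table, first match wins; an allow creates the state entry.
        for rule in self.rules:
            if rule.matches(p):
                if rule.action == "allow":
                    self.connections.add(self._key(p))
                    return "allow:rule"
                return "deny:rule"
        # Step 4: nothing matched, so the default rule denies.
        return "deny:default"


class DistributedFirewall:
    """One VnicFirewall per vNIC, mirroring one enforcement point per vNIC."""

    def __init__(self, policy: Dict[str, List[Rule]]) -> None:
        self.vnics = {vnic: VnicFirewall(vnic, rules) for vnic, rules in policy.items()}

    def evaluate(self, vnic: str, p: Packet) -> str:
        return self.vnics[vnic].evaluate(p)


def build_policy() -> Dict[str, List[Rule]]:
    # Constructed two-tier policy: anyone may reach the web VM on 443; only the
    # web VM may reach the database VM on 3306. Everything else is default deny.
    return {
        "web-vnic0": [Rule("allow", dst=WEB_VM, dport=443, proto="tcp")],
        "db-vnic0": [Rule("allow", src=WEB_VM, dst=DB_VM, dport=3306, proto="tcp")],
    }


def run_demo() -> List[str]:
    dfw = DistributedFirewall(build_policy())
    traffic = [  # constructed sample traffic, evaluated at the named vNIC
        ("web-vnic0", Packet("tcp", CLIENT, 40001, WEB_VM, 443, syn=True)),   # new HTTPS
        ("web-vnic0", Packet("tcp", WEB_VM, 443, CLIENT, 40001)),             # server reply
        ("db-vnic0", Packet("tcp", CLIENT, 40002, DB_VM, 3306, syn=True)),    # client to DB
        ("db-vnic0", Packet("tcp", WEB_VM, 50001, DB_VM, 3306, syn=True)),    # web to DB
        ("web-vnic0", Packet("tcp", STRANGER, 40003, WEB_VM, 22, syn=True)),  # SSH probe
        ("web-vnic0", Packet("tcp", STRANGER, 40004, WEB_VM, 443)),           # ACK, no state
    ]
    return [dfw.evaluate(vnic, pkt) for vnic, pkt in traffic]


if __name__ == "__main__":
    for decision in run_demo():
        print(decision)
```

The point to take from the run is the second and last packets: the server's reply is allowed purely from the connection table, while a bare ACK to the same port with no prior SYN is dropped even though a rule permits port 443. That difference is what "stateful" buys over a port-based filter, and because each vNIC keeps its own tables, a VM with several vNICs is protected on each one independently.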

2) Gateway firewall

The gateway firewall is also known as the perimeter firewall; it protects traffic to and from the physical environment.

It provides both North-South and East-West connectivity, which enables tenants to access the public network as well as connect between different networks of the same tenant.

The gateway router is a configured partition of a traditional network hardware router, commonly referred to as virtual routing and forwarding (VRF). It replaces the hardware functionality by creating multiple routing domains within a single router.

Fig. Gateway router

A gateway router performs a subset of the tasks that a physical router can handle, and each can contain multiple routing instances and routing tables.

Using gateway routers can be an efficient way to maximize router usage, because a set of gateway routers on a single physical router can perform the operations previously performed by several pieces of equipment.

Some of the highlights of the gateway firewall:
  • It is similar to a port-based firewall and is applied to Tier-0 and Tier-1 gateway nodes.
  • An NSX gateway must be backed by an NSX Edge cluster, which is a combination of two or more Edge nodes (VM or bare metal).
  • Destination NAT (DNAT) and source NAT (SNAT) rules are implemented on the uplink and backplane interfaces of the service router (SR).
  • The gateway firewall is implemented only on the uplinks of Tier-0 and Tier-1 gateway nodes.

A gateway router is comprised of up to two components: a distributed router (DR) and, optionally, one or more service routers (SRs).
The DR is kernel based and spans hypervisors, providing local routing functions to the VMs that are connected to it; it also exists on any Edge node the logical router is bound to. Functionally, the DR is responsible for one-hop distributed routing between logical switches and/or gateway routers connected to this logical router, and it works similarly to the distributed logical router (DLR) in earlier versions of NSX.

The SR is responsible for delivering services that are not currently implemented in a distributed fashion, such as stateful NAT, load balancing, DHCP or VPN services. Service routers are deployed on the Edge node cluster that is selected when the T0/T1 router is initially configured.

To reiterate, a gateway router in NSX-T always has an associated DR, regardless of whether it is deployed as a T0 or a T1. It will also have an associated SR if either of the following is true:

  • The gateway router is a Tier-0 router, even if no stateful services are configured.
  • The gateway router is a Tier-1 router, is linked to a Tier-0 router, and has services configured that do not have a distributed implementation (such as NAT, LB, DHCP or VPN).

--Happy Learning--- :)

