Skip to main content

NSX-T Data Center Firewalls

NSX-T Data Center included two types of firewalls:

  1. Distributed Firewall    (for east-west traffic)
  2. Gateway Firewall        (for north-south traffic)

                                             Fig:1 (credit:
The distributed firewall is a hypervisor, kernel-embedded stateful firewall: 
  • It resides in the kernel of the hypervisor and outside the guest OS of the VM. 
  • It controls the I/O path to and from the vNIC.
The gateway firewall is used for north-south traffic between the NSX-T gateways and the physical network:
  • Its is also called as perimeter firewall protect to and from the physical environment.
  • It applies to Tier-0 and Tier-1 gateway uplinks and service interfaces. 
  • It support both Tier-0 and Tier-1 gateway. If its applies to Tier-0 or Tier-1 gateway then HA status of that gateway should be active-standby.
  • It is a centralized stateful service enforced on the NSX Edge node.

Lets discuss both of the above firewall types in detail:

  1. Distributed Firewall

DFW(Distributed Firewall) works on ZTNA( Zero trust network architecture) or you can say TNO (Trust no one). All this can be achived with micro-segmentation and where distributed firewall fall in picture.

DFW basically pushes the firewall rules down to the virtual machine virtual nic as mentioned in below fig:2. 

                                                            Fig:2 (Credit:

Its something pushing the intelligence as close to the source of the traffic as possible. Here source of the traffic is going to be virtual machine, virtual appliances, containers or even baremetal servers. As mentioned above workload could be different kind of which is being secure by DFW.

The beauty of microsegmentation is not only pushes the DFW firewall ruleset down to the VM virtual nic but also as that VM moves to other host using vMotion during balancing the cluster resouces or any other reason as per the need like who communicate to whom where the VM vmnic policy also sustain with the VM and secure its traffic. Same has ben demonstrated in below figure.

                                                           Fig:3 (Credit:

Features of Distributed Firewall:

  • Support for multiple hypervisors (ESXi, KVM)
  • Support for multiple workloads (VM and container) 
  • On-premises and public cloud support 
  • Static and dynamic grouping based on compute objects and tags.
  • Firewall rule enforcement regardless of the network transport type (overlay or VLAN).
  • vSphere vMotion support: Firewall policies move with VMs.
  • Centralized configuration through the NSX UI or API.
  • Layer 2 stateless firewall rules .
  • Layer 3 stateless and stateful firewall rules.
  • Context-aware (layer 7) firewall rules 

                                                                        Fig:4 (Credit:

Distributed Firewall Architecture

PS: Below config supports on hypervisor type ESXi only

  • nsx-proxy: Retrieve configuration change from CCP (Central Control Plane) and configure datapath module.
  • DataPath Modules:
    - VSIP: Receive firewall rules and downloads to each VM vmnic.
    - VDPI: Perform L7 packet inspection.
  • stats Exporter: Collect flow records from the distributed firewall data plane kernel module and generate rule statistics.
  • nsx-proxy: Passes rules statistics and real-time data to management plane.

2. Gateway Firewall

The NSX-T Data Center gateway firewall provides essential perimeter firewall protection that can be used in addition to a physical perimeter firewall. The gateway firewall data path uses the Data Plane Development Kit (DPDK) framework supported on NSX Edge to provide better throughput. 

The NSX-T Data Center gateway firewall is instantiated per logical router and supported at both Tier-0 and Tier-1.

The Tier-0 Gateway firewall supports stateful firewall filtering only with active-standby high availability mode. The active-active mode supports only stateless rules.

The NSX-T Edge cluster must support NSX gateway to provide statefull firewall services.

Some characteristics of Gateway Firewall

  • Enforced on the northbound-facing interface of the gateway
  • Implemented per NSX gateway node and supported at both Tier-0 and Tier-1
  • A centralized service requiring the SR component of the router
  • A statefull firewall for north-south traffic, generally used as a perimeter firewall 


As mentioned in above figure, Distributed firewall can be applied at Tier-0 and Tier1 gateway as statefull and stateless. For statefull GW its require to have instantiation of SR router and Edge HA status require to be in active-standby state.
Hope this article help you in getting more insight about DFW and GW Firewall. :)


Popular posts from this blog

Changing the FQDN of the vCenter appliance (VCSA)

This article states how to change the system name or the FQDN of the vCenter appliance 6.x You may not find any way to change the FQDN from the vCenter GUI either from VAMI page of from webclient as the option to change the hostname always be greyed out. Now the option left is from the command line of VCSA appliance. Below steps will make it possible to change the FQDN of the VCSA from the command line. Access the VCSA from console or from Putty session. Login with root permission Use above command in the command prompt of VCSA : /opt/vmware/share/vami/vami_config_net Opt for option 3 (Hostname) Change the hostname to new name Reboot the VCSA appliance.   After reboot you will be successfully manage to change the FQDN of the VCSA . Note: Above step is unsupported by VMware and may impact your SSL certificate and face problem while logging to vSphere Web Client. If you are using self-signed certificate, you can regenerate the certificate with the

Issue : Configure Management Network option is Grayed out into ESXi

Last week I got into an issue of one of my client into Vsphere environment where one of its ESXi went done out of the network. Issue was IP address was showing on main Esxi screen and when I tried to change the network configuration, its " Configure Management network option was greyed out.  I tried to gid into it and try to analyis its vmKernal and vmwarning logs. What I found is its VMkernal switch got removed due to unexpected reason. So to resolve the issue I tried to reconfigure its vswitch0 (vmk0) by going into Tech Mode of that Exi. Below are the steps which I followed to resolve the issue. 1) Login to ESXi 2) Press F2, Check if you " Configure Management network " is greyed out or not" if yes,    follow below 3) Press ALT+F1 to move the ESXi screen to tech mode   ( This is command line like dos) 4) login with root account 5) Run the following command into it esxcli network ip interface add --interface-name= vmk0

Collecting Logs from NSX-T Edge nodes using CLI

  This article explains how to extract the logs from NSX-T Edge nodes from CLI. Let's view the steps involved: 1) Login to NSX-T  Edge node using CLI from admin credentials. 2) Use of  " get support-bundle " for Log extraction. get support-bundle command will extract the complete logs from NSX-T manager/Edge nodes. nsx-manager-1> get support-bundle file support-bundle.tgz 3) Last step is to us e of " copy file support-bundle.tgz url " command. copy file will forward your collected logs from the NSX-T manager to the destination(URL) host from where you can download the logs. copy file support.bundle.tgz url scp://root@ Here, the URL specified is the ESXi host ( under /tmp partition where logs will be copied and from there one can extract it for further log review. Happy Learning.  :)