NSX-T Data Center includes two types of firewalls:
- Distributed Firewall (for east-west traffic)
- Gateway Firewall (for north-south traffic)
The distributed firewall is a stateful firewall embedded in the hypervisor kernel:
- It resides in the kernel of the hypervisor and outside the guest OS of the VM.
- It controls the I/O path to and from the vNIC.
The following points, by contrast, describe the gateway firewall:
- It is also called the perimeter firewall, as it protects traffic to and from the physical environment.
- It applies to Tier-0 and Tier-1 gateway uplinks and service interfaces.
- It supports both Tier-0 and Tier-1 gateways. When it is applied to a Tier-0 or Tier-1 gateway, the HA mode of that gateway must be active-standby.
- It is a centralized stateful service enforced on the NSX Edge node.
Let's discuss both of the above firewall types in detail:
1. Distributed Firewall
The DFW (Distributed Firewall) works on ZTNA (zero trust network architecture), or, as you could say, TNO (trust no one). All of this is achieved with micro-segmentation, which is where the distributed firewall comes into the picture.
The DFW basically pushes the firewall rules down to the virtual machine's virtual NIC, as shown in fig. 2 below.
It is about pushing the intelligence as close to the source of the traffic as possible. Here the source of the traffic is going to be a virtual machine, a virtual appliance, a container, or even a bare-metal server; as mentioned above, the workloads secured by the DFW can be of different kinds.
The beauty of micro-segmentation is that it not only pushes the DFW rule set down to the VM's virtual NIC, but also keeps that policy with the VM when it moves to another host through vMotion, whether for balancing cluster resources or for any other reason. The rules about who may communicate with whom stay with the VM's vNIC and continue to secure its traffic. The same is demonstrated in the figure below.
Features of Distributed Firewall:
- Support for multiple hypervisors (ESXi, KVM)
- Support for multiple workloads (VM and container)
- On-premises and public cloud support
- Static and dynamic grouping based on compute objects and tags.
- Firewall rule enforcement regardless of the network transport type (overlay or VLAN).
- vSphere vMotion support: Firewall policies move with VMs.
- Centralized configuration through the NSX UI or API.
- Layer 2 stateless firewall rules.
- Layer 3 stateless and stateful firewall rules.
- Context-aware (layer 7) firewall rules
Distributed Firewall Architecture
Note: the components below apply to the ESXi hypervisor only.
- nsx-proxy: Retrieves configuration changes from the CCP (Central Control Plane) and configures the datapath modules.
- Datapath modules:
  - VSIP: Receives firewall rules and downloads them to each VM's vNIC.
  - VDPI: Performs L7 packet inspection.
- Stats exporter: Collects flow records from the distributed firewall data-plane kernel module and generates rule statistics.
- nsx-proxy: Passes rule statistics and real-time data to the management plane.
2. Gateway Firewall
The NSX-T Data Center gateway firewall provides essential perimeter firewall protection that can be used in addition to a physical perimeter firewall. The gateway firewall data path uses the Data Plane Development Kit (DPDK) framework supported on NSX Edge to provide better throughput.
The NSX-T Data Center gateway firewall is instantiated per logical router and supported at both Tier-0 and Tier-1.
The Tier-0 gateway firewall supports stateful firewall filtering only in active-standby high availability mode; active-active mode supports only stateless rules.
The NSX-T Edge cluster must support the NSX gateway to provide stateful firewall services.
Some characteristics of the Gateway Firewall:
- Enforced on the northbound-facing interface of the gateway
- Implemented per NSX gateway node and supported at both Tier-0 and Tier-1
- A centralized service requiring the SR component of the router
- A stateful firewall for north-south traffic, generally used as a perimeter firewall
As shown in the figure above, the gateway firewall can be applied at the Tier-0 and Tier-1 gateways with stateful or stateless rules. A stateful gateway firewall requires the SR (services router) component to be instantiated, and the Edge HA state must be active-standby.
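As an added example (not code from this article or from VMware), the following Python builds the two kinds of policy discussed above in the shape of NSX-T Policy API objects, a tag-based distributed firewall policy with a stateful setting and a gateway firewall policy scoped to a Tier-0, and then audits them offline before anything is pushed: every referenced group must exist, any-to-any ALLOW rules and unlogged deny rules are flagged, the last rule must be a default deny, and a stateful gateway policy on a Tier-0 whose HA mode is active-active is reported as inconsistent with the requirement stated on this page. The group ids, the tier-0 id `t0-edge`, the service paths, the HA-mode map, and the `ChildDomain`/`ChildGroup`/`ChildSecurityPolicy`/`ChildGatewayPolicy` wrapper names of the hierarchical API are assumptions of this example; nothing is sent to an NSX Manager.

```python
"""Build and audit NSX-T firewall policies offline (added example; assumptions noted inline)."""
import json

GROUP_PATH = "/infra/domains/default/groups/{}"
DENY_ACTIONS = {"DROP", "REJECT"}
GROUPS = ["web", "app", "db"]          # constructed group ids for this example
T0 = "/infra/tier-0s/t0-edge"          # constructed tier-0 path for this example


def tag_group(group_id, tag, scope=""):
    """Dynamic group: every VM carrying the tag (NSX tag values use the 'tag|scope' form)."""
    return {"resource_type": "Group", "id": group_id, "display_name": group_id,
            "expression": [{"resource_type": "Condition", "member_type": "VirtualMachine",
                            "key": "Tag", "operator": "EQUALS",
                            "value": f"{tag}|{scope}" if scope else tag}]}


def make_rule(rule_id, seq, src, dst, services, action, scope=("ANY",), logged=True):
    """One rule; src/dst are group ids or 'ANY'; services are service paths or 'ANY'."""
    def path(g):
        return "ANY" if g == "ANY" else GROUP_PATH.format(g)
    return {"resource_type": "Rule", "id": rule_id, "display_name": rule_id,
            "sequence_number": seq,
            "source_groups": [path(g) for g in src],
            "destination_groups": [path(g) for g in dst],
            "services": list(services), "scope": list(scope), "action": action,
            "direction": "IN_OUT", "ip_protocol": "IPV4_IPV6", "logged": logged}


def security_policy(policy_id, rules, stateful=True):
    """DFW policy: enforced at every VM vNIC and moves with the VM on vMotion."""
    return {"resource_type": "SecurityPolicy", "id": policy_id, "display_name": policy_id,
            "category": "Application", "stateful": stateful, "rules": rules}


def gateway_policy(policy_id, rules, stateful=True):
    """Gateway firewall policy: each rule's scope names the tier-0/tier-1 it is enforced on."""
    return {"resource_type": "GatewayPolicy", "id": policy_id, "display_name": policy_id,
            "category": "LocalGatewayRules", "stateful": stateful, "rules": rules}


def audit(policy, defined_groups, gateway_ha=None):
    """Findings a reviewer would raise before the policy is pushed.
    gateway_ha maps a tier path to 'ACTIVE_STANDBY' or 'ACTIVE_ACTIVE' (constructed input)."""
    findings = []
    known = {GROUP_PATH.format(g) for g in defined_groups} | {"ANY"}
    rules = sorted(policy["rules"], key=lambda r: r["sequence_number"])
    for r in rules:
        for ref in sorted(set(r["source_groups"] + r["destination_groups"]) - known):
            findings.append(f"{r['id']}: references undefined group {ref}")
        if r["source_groups"] == ["ANY"] and r["destination_groups"] == ["ANY"] and r["action"] == "ALLOW":
            findings.append(f"{r['id']}: any-to-any ALLOW defeats micro-segmentation")
        if r["action"] in DENY_ACTIONS and not r["logged"]:
            findings.append(f"{r['id']}: deny rule is not logged")
    if not rules or rules[-1]["action"] not in DENY_ACTIONS:
        findings.append(f"{policy['id']}: last rule is not a default deny")
    # Stateful gateway rules require the gateway to run in active-standby HA mode.
    if policy["resource_type"] == "GatewayPolicy" and policy["stateful"]:
        for tier in sorted({t for r in rules for t in r["scope"]}):
            if (gateway_ha or {}).get(tier) == "ACTIVE_ACTIVE":
                findings.append(f"{policy['id']}: stateful rules on {tier}, which is "
                                "active-active; stateful filtering needs active-standby")
    return findings


def build_dfw():
    """Three-tier micro-segmentation: web->app, app->db, then default deny."""
    # Service paths are assumed to be the NSX predefined services of those names.
    return security_policy("three-tier", [
        make_rule("web-to-app", 10, ["web"], ["app"], ["/infra/services/HTTPS"], "ALLOW"),
        make_rule("app-to-db", 20, ["app"], ["db"], ["/infra/services/MySQL"], "ALLOW"),
        make_rule("default-deny", 30, ["ANY"], ["ANY"], ["ANY"], "DROP"),
    ])


def build_gateway():
    """North-south policy on the tier-0 uplink: inbound HTTPS to web, then default deny."""
    return gateway_policy("t0-perimeter", [
        make_rule("inbound-https", 10, ["ANY"], ["web"], ["/infra/services/HTTPS"], "ALLOW", scope=(T0,)),
        make_rule("t0-default-deny", 20, ["ANY"], ["ANY"], ["ANY"], "DROP", scope=(T0,)),
    ])


def infra_patch(groups, policies):
    """Body for PATCH /policy/api/v1/infra (hierarchical API; wrapper type names assumed)."""
    wrap = {"Group": "ChildGroup", "SecurityPolicy": "ChildSecurityPolicy",
            "GatewayPolicy": "ChildGatewayPolicy"}
    children = [{"resource_type": wrap[o["resource_type"]], o["resource_type"]: o}
                for o in groups + policies]
    return {"resource_type": "Infra", "children": [{"resource_type": "ChildDomain",
            "Domain": {"resource_type": "Domain", "id": "default", "children": children}}]}


if __name__ == "__main__":
    groups = [tag_group(g, g, "tier") for g in GROUPS]
    print(json.dumps(infra_patch(groups, [build_dfw(), build_gateway()]))[:300], "...")
    print("DFW findings:", audit(build_dfw(), GROUPS))
    print("GW findings:", audit(build_gateway(), GROUPS, {T0: "ACTIVE_ACTIVE"}))
```

The audit deliberately runs on the same objects that would be sent to the manager, so a change in a rule set is checked against the ordering and default-deny expectations of micro-segmentation before it reaches a vNIC or an Edge node; the HA-mode check is the one that would have caught a stateful Tier-0 policy on an active-active gateway.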
Hope this article helps you get more insight into the DFW and Gateway Firewall. :)