
NSX-T Data Center Firewalls

NSX-T Data Center includes two types of firewalls:

  1. Distributed Firewall    (for east-west traffic)
  2. Gateway Firewall        (for north-south traffic)

                                             Fig:1 (credit:
The distributed firewall is a stateful firewall embedded in the hypervisor kernel:
  • It resides in the kernel of the hypervisor and outside the guest OS of the VM. 
  • It controls the I/O path to and from the vNIC.
The gateway firewall is used for north-south traffic between the NSX-T gateways and the physical network:
  • It is also called a perimeter firewall and protects traffic to and from the physical environment.
  • It applies to Tier-0 and Tier-1 gateway uplinks and service interfaces.
  • It supports both Tier-0 and Tier-1 gateways. If it is applied to a Tier-0 or Tier-1 gateway, the HA status of that gateway should be active-standby.
  • It is a centralized stateful service enforced on the NSX Edge node.

Let's discuss both of the above firewall types in detail:

  1. Distributed Firewall

DFW (Distributed Firewall) works on ZTNA (Zero Trust Network Architecture), or you can say TNO (Trust No One). This is achieved with micro-segmentation, which is where the distributed firewall comes into the picture.

DFW basically pushes the firewall rules down to the virtual machine's vNIC, as shown in Fig:2 below.

                                                            Fig:2 (Credit:

The idea is to push the intelligence as close to the source of the traffic as possible. Here the source of the traffic can be a virtual machine, a virtual appliance, a container or even a bare-metal server, so the DFW can secure different kinds of workloads.

The beauty of micro-segmentation is that it not only pushes the DFW ruleset down to the VM's vNIC: when the VM moves to another host using vMotion, whether to balance cluster resources or for any other reason, the vNIC policy (who may communicate with whom) stays with the VM and keeps securing its traffic. This is demonstrated in the figure below.

                                                           Fig:3 (Credit:

Features of Distributed Firewall:

  • Support for multiple hypervisors (ESXi, KVM)
  • Support for multiple workloads (VM and container) 
  • On-premises and public cloud support 
  • Static and dynamic grouping based on compute objects and tags.
  • Firewall rule enforcement regardless of the network transport type (overlay or VLAN).
  • vSphere vMotion support: Firewall policies move with VMs.
  • Centralized configuration through the NSX UI or API.
  • Layer 2 stateless firewall rules.
  • Layer 3 stateless and stateful firewall rules.
  • Context-aware (layer 7) firewall rules 
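
The tag-based grouping and vMotion behaviour described above can be shown with a small model. This is an added example, not NSX-T code and not from the original post: the VM names, tags, hosts and rules are constructed, and the final default-deny is an assumption that matches the zero-trust approach.

```python
# Simplified model of DFW micro-segmentation (added example, not NSX-T code).
from dataclasses import dataclass

@dataclass
class VM:
    name: str
    tags: set
    host: str  # hypervisor currently running the VM (constructed names)

@dataclass
class Rule:
    name: str
    src_tag: str  # dynamic group: every VM that carries this tag
    dst_tag: str
    port: int
    action: str   # "ALLOW" or "DROP"

# Constructed sample policy: web -> app on 8443, app -> db on 3306.
RULES = [
    Rule("web-to-app", "web", "app", 8443, "ALLOW"),
    Rule("app-to-db", "app", "db", 3306, "ALLOW"),
]

def evaluate(src: VM, dst: VM, port: int, rules=RULES) -> str:
    """First matching rule wins. Group membership is resolved from tags at
    evaluation time; the host the VM runs on is never consulted."""
    for r in rules:
        if r.src_tag in src.tags and r.dst_tag in dst.tags and r.port == port:
            return r.action
    return "DROP"  # assumed default-deny: only explicitly allowed flows pass

def vmotion(vm: VM, new_host: str) -> None:
    """A migration changes only the host; the tags, and so the policy, follow."""
    vm.host = new_host

def demo():
    web = VM("web-01", {"web"}, "esxi-a")
    app = VM("app-01", {"app"}, "esxi-a")
    db = VM("db-01", {"db"}, "esxi-b")
    before = evaluate(app, db, 3306)
    vmotion(app, "esxi-c")
    after = evaluate(app, db, 3306)     # same verdict after the move
    lateral = evaluate(web, db, 3306)   # web tier may not reach db directly
    same_host = evaluate(web, app, 22)  # same-host traffic is still filtered
    return before, after, lateral, same_host

if __name__ == "__main__":
    print(demo())
```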

                                                                        Fig:4 (Credit:

Distributed Firewall Architecture

PS: The components below apply to the ESXi hypervisor type only.

  • nsx-proxy: Retrieves configuration changes from the CCP (Central Control Plane) and configures the datapath modules.
  • Datapath modules:
    - VSIP: Receives firewall rules and downloads them to each VM's vNIC.
    - VDPI: Performs L7 packet inspection.
  • Stats exporter: Collects flow records from the distributed firewall data plane kernel module and generates rule statistics.
  • nsx-proxy: Passes rule statistics and real-time data to the management plane.

2. Gateway Firewall

The NSX-T Data Center gateway firewall provides essential perimeter firewall protection that can be used in addition to a physical perimeter firewall. The gateway firewall data path uses the Data Plane Development Kit (DPDK) framework supported on NSX Edge to provide better throughput. 

The NSX-T Data Center gateway firewall is instantiated per logical router and supported at both Tier-0 and Tier-1.

The Tier-0 Gateway firewall supports stateful firewall filtering only with active-standby high availability mode. The active-active mode supports only stateless rules.

The NSX-T Edge cluster must support the NSX gateway to provide stateful firewall services.

Some characteristics of Gateway Firewall

  • Enforced on the northbound-facing interface of the gateway
  • Implemented per NSX gateway node and supported at both Tier-0 and Tier-1
  • A centralized service requiring the SR component of the router
  • A stateful firewall for north-south traffic, generally used as a perimeter firewall


As mentioned in the above figure, the Distributed firewall can be applied at Tier-0 and Tier-1 gateways as stateful and stateless. A stateful gateway firewall requires an SR (service router) to be instantiated and the Edge HA status to be active-standby.

Hope this article helps you get more insight into the DFW and the Gateway Firewall. :)

