Gateway Firewall in VMware NSX-T

Today we are going to talk about the VMware NSX-T Gateway Firewall. The NSX-T Gateway firewall provides essential perimeter firewall protection which can be used in addition to a physical perimeter firewall. 

Gateway firewall service is part of the NSX-T Edge node for both bare metal and VM form factors. The Gateway firewall is useful in developing PCI zones, multi-tenant environments, or DevOps style connectivity without forcing the inter-tenant or inter-zone traffic onto the physical network. 

The Gateway firewall data path uses DPDK framework supported on Edge to provide better throughput. Optionally, Gateway Firewall service insertion capability can be leveraged with the partner ecosystem to provide advanced security services like IPS/IDS and more. 

This enhances the security posture by providing next-generation firewall (NGFW) services on top of the native firewall capability NSX-T provides. It applies to designs where security compliance requirements mandate that a zone or group of workloads be secured using an NGFW, for example DMZ or PCI zones or multi-tenant environments.

Deployment Scenarios:
Let's talk about the deployment scenarios. There are two ways to deploy the Gateway Firewall: as a perimeter firewall at the virtual and physical boundary, and as an inter-tenant firewall.

Gateway FW as Inter-tenant FW
The Tier-1 Gateway firewall is used as an inter-tenant firewall within an NSX-T virtual domain. It is used to define policies between different tenants that reside within an NSX-T environment.

This firewall is enforced for the traffic leaving the Tier-1 router and uses the Tier-0 SR component, which resides on the Edge node, to enforce the firewall policy before sending the traffic to the Tier-0 Gateway for further processing. The intra-tenant traffic continues to leverage the distributed routing and firewalling capabilities native to NSX-T.

Fig 1.1-Gateway FW as Inter-tenant FW

Gateway FW as Perimeter FW at Virtual and Physical Boundary
The Tier-0 Gateway firewall is used as a perimeter firewall between the physical and virtual domains. It is mainly used for N-S traffic from the virtualized environment to the physical world.

In this case, the Tier-0 SR component, which resides on the Edge node, enforces the firewall policy before traffic enters or leaves the NSX-T virtual environment. The E-W traffic continues to leverage the distributed routing and firewalling capability which NSX-T natively provides in the hypervisor.

Fig 1.2- Gateway FW as Perimeter FW at Virtual and Physical Boundary

Implementation within NSX-T

The Gateway firewall is an optional centralized firewall implemented on NSX-T Tier-0 gateway uplinks and Tier-1 gateway links. It is implemented on a Tier-0/Tier-1 SR component hosted on an NSX-T Edge. The Tier-0 Gateway firewall supports stateful firewalling only in active/standby HA mode.

It can also be enabled in active/active mode, though it then works only in stateless mode. The Gateway firewall uses a model similar to the DFW for defining policy, and NSX-T grouping constructs can be used as well. Gateway firewall policy rules are organized into one or more policy sections in the firewall table for each Tier-0 and Tier-1 Gateway.

Consumption model in VMware NSX-T
The NSX-T Gateway firewall is instantiated per gateway and is supported at both Tier-0 and Tier-1. The Gateway firewall works independently of the NSX-T DFW from a policy configuration and enforcement perspective. A user can consume the Gateway firewall using either the GUI or the REST API framework provided by NSX-T Manager.

The Gateway firewall configuration is similar to DFW firewall policy; it is defined as a set of individual rules within a section. Like DFW, the Gateway firewall rules can use logical objects, tagging and grouping constructs (e.g., Groups) to build policies.

Similarly, regarding L4 services in a rule, it is valid to use predefined Services, custom Services, predefined service groups, custom service groups, or TCP/UDP protocols with the ports. NSX-T Gateway firewall also supports multiple Application Level Gateways (ALGs). 

The user can select an ALG and its supported protocols by using the Other setting for the type of service. The Gateway FW supports only FTP and TFTP as ALGs. ALGs are supported only in stateful mode; if the section is marked as stateless, the ALGs will not be applied.
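To make the consumption model concrete, here is an added example (not VMware's code and not from the original post) that builds a Gateway Firewall policy body in the shape the NSX-T Policy API expects for `PUT /policy/api/v1/infra/domains/default/gateway-policies/<policy-id>`, and checks it against the two constraints described above before it is pushed: ALG services (FTP/TFTP) are ignored in a stateless section, and a stateful policy on a Tier-0 gateway needs active/standby HA. The gateway ids (`tenant-a-t1`, `edge-t0`), the group id `tenant-a-web` and the service paths `/infra/services/FTP` and `/infra/services/TFTP` are assumed placeholder ids; the `push_policy` helper performs a real network call and is not exercised by the offline demo.

```python
"""Build and sanity-check an NSX-T Gateway Firewall policy before pushing it
through the Policy API. Added example; ids and service paths are assumptions."""
import base64
import json
import urllib.request

# Services the page says the Gateway FW can apply as Application Level Gateways.
# The service ids are assumed; check them against your NSX Manager's /infra/services.
ALG_SERVICE_PATHS = {"/infra/services/FTP", "/infra/services/TFTP"}
VALID_ACTIONS = {"ALLOW", "DROP", "REJECT"}


def fw_rule(rule_id, sources, destinations, services, action="ALLOW", logged=True):
    """One rule inside a gateway policy section. Groups are referenced by policy path,
    'ANY' stands for any source/destination."""
    return {
        "resource_type": "Rule",
        "id": rule_id,
        "display_name": rule_id,
        "source_groups": sources,
        "destination_groups": destinations,
        "services": services,
        "action": action,
        "logged": logged,
        "direction": "IN_OUT",
    }


def gateway_policy(policy_id, display_name, gateway_path, rules, stateful=True):
    """A policy section scoped to one Tier-0 or Tier-1 gateway.
    'stateful' is the section-level setting the page describes."""
    return {
        "resource_type": "GatewayPolicy",
        "id": policy_id,
        "display_name": display_name,
        "category": "LocalGatewayRules",
        "stateful": stateful,
        "rules": [dict(r, scope=[gateway_path]) for r in rules],
    }


def check_policy(policy, t0_active_active=False):
    """Return a list of problems that would make the policy not behave as intended.
    t0_active_active states the HA mode of the Tier-0 the policy is applied to."""
    issues = []
    stateful = policy.get("stateful", True)
    for r in policy["rules"]:
        if r["action"] not in VALID_ACTIONS:
            issues.append(f"rule {r['id']}: unknown action {r['action']}")
        algs = ALG_SERVICE_PATHS & set(r["services"])
        if algs and not stateful:
            # Page: ALGs are only supported in stateful mode.
            issues.append(f"rule {r['id']}: ALG service(s) {sorted(algs)} are ignored in a stateless section")
        for scope in r["scope"]:
            on_t0 = scope.startswith("/infra/tier-0s/")
            on_t1 = scope.startswith("/infra/tier-1s/")
            if not (on_t0 or on_t1):
                issues.append(f"rule {r['id']}: scope {scope} is not a Tier-0/Tier-1 gateway path")
            if on_t0 and stateful and t0_active_active:
                # Page: Tier-0 stateful firewalling needs active/standby HA.
                issues.append(f"rule {r['id']}: stateful policy on Tier-0 {scope} requires active/standby HA")
    return issues


def push_policy(manager_host, policy, user, password, ssl_context=None):
    """PUT the policy to NSX Manager with HTTP Basic auth. Network call, not run offline."""
    url = f"https://{manager_host}/policy/api/v1/infra/domains/default/gateway-policies/{policy['id']}"
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        url, data=json.dumps(policy).encode(), method="PUT",
        headers={"Content-Type": "application/json", "Authorization": f"Basic {token}"},
    )
    with urllib.request.urlopen(req, context=ssl_context) as resp:
        return json.load(resp)


def demo_policy(stateful):
    """Constructed sample: tenant A's Tier-1 edge allows HTTPS to its web group and FTP from anywhere."""
    web = "/infra/domains/default/groups/tenant-a-web"  # assumed group id
    return gateway_policy(
        "tenant-a-edge", "Tenant A edge policy", "/infra/tier-1s/tenant-a-t1",
        [fw_rule("allow-https", ["ANY"], [web], ["/infra/services/HTTPS"]),
         fw_rule("allow-ftp", ["ANY"], [web], ["/infra/services/FTP"]),
         fw_rule("default-drop", ["ANY"], ["ANY"], ["ANY"], action="DROP")],
        stateful=stateful,
    )


if __name__ == "__main__":
    for stateful in (True, False):
        print(f"stateful={stateful}:", check_policy(demo_policy(stateful)) or "ok")
    print(json.dumps(demo_policy(True), indent=2))
```

Run it once with no arguments to see that the stateless variant is flagged for the FTP ALG rule while the stateful one passes; only call `push_policy` from your own tooling, with a proper `ssl.SSLContext` that trusts the NSX Manager certificate.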