Supported Deployments of the VM-Series Firewall on VMware
You can deploy one or more instances
of the VM-Series firewall as a partner service in your VMware NSX-T
Data Center to secure East-West traffic and perform micro-segmentation.
To configure the VM-Series firewall to perform micro-segmentation,
you can deploy the firewalls in a service cluster or per host.
—In a clustered deployment, all
the VM-Series firewalls are installed on a single cluster. Traffic
between VMs and groups is redirected to the VM-Series cluster for
policy inspection and enforcement before continuing to its destination.
When you configure a clustered deployment, you can specify a particular
host within the cluster or select
let NSX-T choose a host.
—In a per host deployment, an instance of
the VM-Series firewall is installed on each host in the ESXi cluster.
Traffic between guests on the same host is inspected by the local
firewall, so it does not need to leave the host for inspection.
Traffic leaving the host is inspected by the firewall before reaching
After deploying the firewall, you configure traffic redirection
rules that send traffic to the VM-Series firewall. Security policy
rules that you configure on Panorama are pushed to managed VM-Series
firewalls and then applied to traffic passing through the firewall.