Supported Deployments of the VM-Series Firewall on VMware NSX-T
You can deploy one or more instances
of the VM-Series firewall as a partner service in your VMware NSX-T
Data Center. Attach a VM-Series firewall to any tier-0 or tier-1
logical router to protect north-south traffic. You can deploy the
VM-Series firewall as standalone service instance or two firewalls
in a high-availability (HA) pair. Panorama manages the connection
with NSX-T Manager and the VM-Series firewalls deployed in your
NSX-T software-defined datacenter.
Tier-0 Insertion—Tier-0 insertion deploys a VM-Series
firewall to a tier-0 logical router, which processes traffic between
logical and physical networks. When you deploy the VM-Series firewall
with tier-0 insertion, NSX-T Manager uses the deployment information you
configured on Panorama to attach a firewall to a tier-0 logical router
in virtual wire mode.
Tier-1 Insertion—Tier-1 insertion deploys a VM-Series firewall
to a tier-1 logical router, which provides downlink connections
to segments and uplink connection to tier-0 logical routers. NSX-T Manager
attaches VM-Series firewalls deployed with tier-1 insertions to
a tier-1 logical router in virtual wire mode.
After deploying the firewall, you configure traffic redirection
rules that send traffic to the VM-Series firewall when crossing
a tier-0 or tier-1 router. Security policy rules that you configure
on Panorama are pushed to managed VM-Series firewalls and then applied
to traffic passing through the firewall.