Supported Deployments of the VM-Series Firewall on VMware
You can deploy one or more instances
of the VM-Series firewall as a partner service in your VMware NSX-T
Data Center to secure East-West traffic and perform micro-segmentation.
To configure the VM-Series firewall to perform micro-segmentation,
you can deploy the firewalls in a service cluster or per host.
In a clustered deployment, all
the VM-Series firewalls are installed on a single cluster. Traffic
between VMs and groups is redirected to the VM-Series cluster for
policy inspection and enforcement before continuing to its destination.
When you configure a clustered deployment, you can specify a particular
host within the cluster or let NSX-T choose a host.
In a per host deployment, an instance of
the VM-Series firewall is installed on each host in the ESXi cluster.
Traffic between guests on the same host is inspected by the local
firewall, so it does not need to leave the host for inspection.
Traffic leaving the host is inspected by the firewall before reaching
After deploying the firewall, you configure traffic redirection
rules that send traffic to the VM-Series firewall. Security policy
rules that you configure on Panorama are pushed to managed VM-Series
firewalls and then applied to traffic passing through the firewall.
To deploy your VM-Series firewall on VMware NSX-T, you have two
workflow options—operations-centric and security-centric deployment.
In an operations-centric workflow, some portions of the deployment procedure
are performed on Panorama and the remainder are performed on NSX-T Manager.
On Panorama, you must first enable communication between Panorama
and NSX-T Manager, configure the service definition, and launch
the VM-Series firewall. Then, you must log in to NSX-T Manager to
continue the configuration by creating service chains and steering
rules. To complete your VM-Series deployment, you must return to Panorama
to create security policy.
In a security-centric workflow, you can use Panorama as a single pane of
glass to control and manage security operations. You complete the
entire deployment workflow from Panorama. The Panorama plugin for
VMware NSX pushes configuration to NSX-T Manager that creates service
chains and steering rules.
It is recommended that you select one deployment workflow for
your VM-Series deployment on NSX-T for ease of use. However, the
VM-Series firewall for VMware NSX-T does support the use of both
workflows on the same plugin.