Supported Deployments of the VM-Series Firewall on VMware NSX-T
You can deploy one or more instances
of the VM-Series firewall as a partner service in your VMware NSX-T
Data Center. Attach a VM-Series firewall to any tier-0 or tier-1
logical router to protect north-south traffic. You can deploy the
VM-Series firewall as standalone service instance or two firewalls in
a high-availability (HA) pair. Panorama manages the connection with NSX-T
Manager and the VM-Series firewalls deployed in your NSX-T software-defined
Tier-0 Insertion—Tier-0 insertion deploys a VM-Series
firewall to a tier-0 logical router, which processes traffic between
logical and physical networks. When you deploy the VM-Series firewall
with tier-0 insertion, NSX-T Manager uses the deployment information
you configured on Panorama to attach a firewall to a tier-0 logical
router in virtual wire mode.
Tier-1 Insertion—Tier-1 insertion deploys a VM-Series firewall
to a tier-1 logical router, which provides downlink connections
to segments and uplink connection to tier-0 logical routers. NSX-T
Manager attaches VM-Series firewalls deployed with tier-1 insertions
to a tier-1 logical router in virtual wire mode.
After deploying the firewall, you configure traffic redirection
rules that send traffic to the VM-Series firewall when crossing
a tier-0 or tier-1 router. Security policy rules that you configure
on Panorama are pushed to managed VM-Series firewalls and then applied
to traffic passing through the firewall.