Supported Deployments of the VM-Series Firewall on VMware
NSX-T (East-West)
You can deploy one or more instances
of the VM-Series firewall as a partner service in your VMware NSX-T
Data Center to secure East-West traffic and perform micro-segmentation.
To configure the VM-Series firewall to perform mirco-segmentation,
you can deploy the firewalls in a service cluster or per host.
- Service Cluster—In a clustered deployment, all the VM-Series firewalls are installed on a single cluster. Traffic between VMs and groups are redirected to the VM-Series cluster for policy inspection and enforcement before continuing to its destination. When you configure a clustered deployment, you can specify a particular host within the cluster or selectAnyand let NSX-T choose a host.
- Host-Based—In a per host deployment, an instance of the VM-Series firewall is installed on each host in the ESXi cluster. Traffic between guests on the same host is inspected by the local firewall, so it does not need to leave the host for inspection. Traffic leaving the host is inspected by the firewall before reaching the vSwitch.
After deploying the firewall, you configure traffic redirection
rules that send traffic to the VM-Series firewall. Security policy
rules that you configure on Panorama are pushed to managed VM-Series
firewalls and then applied to traffic passing through the firewall.
