Supported Deployments of the VM-Series Firewall on VMware NSX-T (East-West)

You can deploy one or more instances of the VM-Series firewall as a partner service in your VMware NSX-T Data Center to secure East-West traffic and perform micro-segmentation. To configure the VM-Series firewall to perform mirco-segmentation, you can deploy the firewalls in a service cluster or per host.
  • Service Cluster
    —In a clustered deployment, all the VM-Series firewalls are installed on a single cluster. Traffic between VMs and groups are redirected to the VM-Series cluster for policy inspection and enforcement before continuing to its destination. When you configure a clustered deployment, you can specify a particular host within the cluster or select
    Any
    and let NSX-T choose a host.
    nsxt-ew-clustered.png
  • Host-Based
    —In a per host deployment, an instance of the VM-Series firewall is installed on each host in the ESXi cluster. Traffic between guests on the same host is inspected by the local firewall, so it does not need to leave the host for inspection. Traffic leaving the host is inspected by the firewall before reaching the vSwitch.
    nsxt-ew-per-host.png
After deploying the firewall, you configure traffic redirection rules that send traffic to the VM-Series firewall. Security policy rules that you configure on Panorama are pushed to managed VM-Series firewalls and then applied to traffic passing through the firewall.

Recommended For You