Dear All,
I want to achieve the following with NSX-T Security Only deployment:
1. Micro segmentation for my workloads along with IDFW.
2. URL Filtering and URL Analysis (reputation based) for certain workload (like VDI).
The challenge is that URL analysis is supported only on the gateway firewalls. How do I make use of Gateway firewalling in case of a Security Only deployment? I am using NSX-T 3.2.
Hi,
What license do you have?
Based on my knowledge of NSX-T Security Only (DFW for VDS port groups), you can do DFW and FQDN filtering using DFW rules. URL Analysis and Filtering would not be possible with DFW as of now.
If you have the required license to run a T0, I think you can make the T0 the gateway for the VLAN port groups to enforce URL analysis and filtering at the gateway level. I am not sure how feasible it is.
But if URL analysis and filtering is a mandatory requirement, I think the only way that I see is by using NSX-T for both Networking and Security: use overlay networking, T0/T1, move the VMs under NSX-T segments, and use DFW and take full advantage of overlay networking and the URL filtering and analysis services on the gateway firewall.
Any response for this!!
Hello Chandra,
Thank you for the response.
We have Micro Segmentation License for VDI.
As it is VDI, we are looking for the same security control set that we used to have on the laptops & desktops.
It looks like micro-segmentation alone will not add any value to the solution, and we need to go with our traditional firewall and security controls. Also, the app control (App-ID) of NSX-T is very limited, even in 3.2, for end-user computing.
I think you should use DFW with the Identity based firewall feature (UserID) to take full advantage of micro-segmentation for VDI environments. You can even build DFW rules using AD user groups as source or destination. It is highly scalable, and I am not sure you get this on physical firewalls, though. But a combination of DFW and a physical firewall is also a good use case for many. Just FYI.