Stateful Firewall and NSX

One question that I get asked often is how NSX firewall state is maintained if you have a hypervisor-based distributed firewall. The big difference between a distributed firewall and a perimeter-based firewall is that firewall enforcement has moved from the perimeter of the network to the vNIC of the virtual machine…

With the move from perimeter to vNIC, firewall state information has also moved from the perimeter to the vNIC and is associated with the VM itself. As part of vMotion activities, not only are a VM’s RAM pages (and possibly its storage) moved between hypervisors, but any active state associated with firewall policy is moved as well.

Irrespective of how many vMotion events occur, and of hypervisors being added to or removed from clusters, state is always maintained with the individual VM.

In summary, distributed firewall capabilities include:

  • Firewall rules enforced at the vNIC level.
  • Firewall policy is independent of VM network location (Layer 2 or Layer 3 adjacency).
  • Enforcement based on VM attributes such as Security Tags, VM Names, Logical Switch connectivity, Cluster name, and more.
  • State persistent across vMotion.
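
To make the "state travels with the VM" point concrete, here is a small added model (my own illustration, not NSX code): each VM carries a per-vNIC connection table, and a simulated vMotion moves the VM object, table included, between hosts. Host names, addresses and the allow-outbound/drop-unsolicited policy are constructed for the example.

```python
# Added example, not NSX code: a toy per-vNIC stateful filter whose
# connection table is owned by the VM and therefore moves on vMotion.
from dataclasses import dataclass, field


@dataclass
class VNicFirewall:
    """Stateful filter on one vNIC. Policy: allow VM-initiated flows and
    their replies; drop any inbound packet that matches no known flow."""
    conntrack: set = field(default_factory=set)  # established 5-tuples

    def process(self, pkt: dict, direction: str) -> str:
        flow = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"], pkt["proto"])
        if direction == "out":
            self.conntrack.add(flow)  # remember so the reply is admitted
            return "allow"
        # Inbound: allowed only if it is the reverse of a tracked flow.
        reverse = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"], pkt["proto"])
        return "allow" if reverse in self.conntrack else "drop"


@dataclass
class VM:
    name: str
    firewall: VNicFirewall = field(default_factory=VNicFirewall)


@dataclass
class Hypervisor:
    name: str
    vms: dict = field(default_factory=dict)


def vmotion(vm_name: str, src: Hypervisor, dst: Hypervisor) -> VM:
    """Move a VM between hosts; its firewall state goes with it."""
    vm = src.vms.pop(vm_name)
    dst.vms[vm_name] = vm
    return vm


def demo() -> dict:
    esx1, esx2 = Hypervisor("esx1"), Hypervisor("esx2")
    web = VM("web01")
    esx1.vms[web.name] = web
    out = {"src": "10.0.0.5", "sport": 40000, "dst": "203.0.113.10", "dport": 443, "proto": "tcp"}
    reply = {"src": "203.0.113.10", "sport": 443, "dst": "10.0.0.5", "dport": 40000, "proto": "tcp"}
    probe = {"src": "198.51.100.7", "sport": 5555, "dst": "10.0.0.5", "dport": 22, "proto": "tcp"}
    r = {"outbound": web.firewall.process(out, "out")}
    moved = vmotion("web01", esx1, esx2)          # state table moves with the VM
    r["reply_after_vmotion"] = moved.firewall.process(reply, "in")
    r["unsolicited_after_vmotion"] = moved.firewall.process(probe, "in")
    r["host"] = next(h.name for h in (esx1, esx2) if "web01" in h.vms)
    return r
```

The reply packet is still admitted after the move because the connection entry belongs to the VM, not to a host or a perimeter device, while the unsolicited inbound probe is dropped as before.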
