Product Offerings for VMware NSX Security 3.1.x

Article ID: 325115

Products

VMware NSX Networking

Issue/Introduction

This article provides information on licensing editions of VMware NSX and a list of features associated with the various licensing editions in VMware NSX Security.

Environment

VMware NSX-T Data Center
VMware NSX-T Data Center 3.x

Resolution

New VMware NSX Security editions became available to order on October 29th, 2020. The tiers of NSX Security licenses are as follows:
  • NSX Firewall for Baremetal Hosts: For organizations needing an agent-based network segmentation solution.
  • NSX Firewall Edition: For organizations needing network security and network segmentation.
  • NSX Firewall with Advanced Threat Prevention Edition: For organizations needing firewall and advanced threat prevention features.
The following table outlines specific functions available by edition. NSX Security is available as a single download image with license keys required to enable specific functionality.
 
| Feature | Firewall for Baremetal Hosts | Firewall | Firewall and Advanced Threat Prevention | NSX DC Enterprise + Add-On for Firewall with Advanced Threat Prevention |
| --- | --- | --- | --- | --- |
| Platform Features | | | | |
| vSphere Distributed Switch | Yes | Yes | Yes | Yes |
| ESXi Support ¹ | No | Yes | Yes | Yes |
| KVM Support ² | No | Yes | Yes | Yes |
| Controller Clustering | Yes | Yes | Yes | Yes |
| vCenter Integration ¹ | No | Yes | Yes | Yes |
| Multi-vCenter Networking and Security | No | Yes | Yes | Yes |
| Federation | No | No | No | Yes |
     
| Edge Platform Features | Firewall for Baremetal Hosts | Firewall | Firewall and Advanced Threat Prevention | NSX DC Enterprise + Add-On for Firewall with Advanced Threat Prevention |
| --- | --- | --- | --- | --- |
| Edge in VM Form Factor | No | Yes | Yes | Yes |
| Edge in Bare-Metal Form Factor | No | Yes | Yes | Yes |
| DPDK Optimized Forwarding | No | Yes | Yes | Yes |
     
| Switching | Firewall for Baremetal Hosts | Firewall | Firewall and Advanced Threat Prevention | NSX DC Enterprise + Add-On for Firewall with Advanced Threat Prevention |
| --- | --- | --- | --- | --- |
| Distributed Switching | Yes | Yes | Yes | Yes |
| VLAN Backed Logical Switching | Yes | Yes | Yes | Yes |
| Overlay Backed Logical Switching | No | No | No | Yes |
| Multiple TEP Support | No | No | No | Yes |
| Optimized ARP Learning and Broadcast Suppression | Yes | Yes | Yes | Yes |
| GENEVE Encapsulation | No | No | No | Yes |
| Unicast Replication | No | No | No | Yes |
| Headend Replication | No | No | No | Yes |
| Spoofguard | Yes | Yes | Yes | Yes |
| LACP (Edge and Host) | Yes | Yes | Yes | Yes |
     
| Quality of Service (QoS) | Firewall for Baremetal Hosts | Firewall | Firewall and Advanced Threat Prevention | |
| --- | --- | --- | --- | --- |
| QoS Marking | No | No | No | |
| QoS DSCP Trust Boundary | No | No | No | |
     
| L2 Bridging to Physical Environment | Firewall for Baremetal Hosts | Firewall | Firewall and Advanced Threat Prevention | NSX DC Enterprise + Add-On for Firewall with Advanced Threat Prevention |
| --- | --- | --- | --- | --- |
| Software Based L2 Bridge to Physical Environments | No | No | No | Yes |
     
| Routing | Firewall for Baremetal Hosts | Firewall | Firewall and Advanced Threat Prevention | NSX DC Enterprise + Add-On for Firewall with Advanced Threat Prevention |
| --- | --- | --- | --- | --- |
| Distributed Routing | No | Yes | Yes | Yes |
| Multi-Tier Routing | No | Yes | Yes | Yes |
| Dynamic Routing with ECMP | No | Yes | Yes | Yes |
| Virtual Routing and Forwarding (Tier-0 Gateway VRFs) | No | No | No | Yes |
| E-VPN | No | No | No | Yes |
     
| Static Routing - IPv4 | Firewall for Baremetal Hosts | Firewall | Firewall and Advanced Threat Prevention | NSX DC Enterprise + Add-On for Firewall with Advanced Threat Prevention |
| --- | --- | --- | --- | --- |
| Static Routing | No | Yes | Yes | Yes |
| BFD | No | Yes | Yes | Yes |
| Null Routes | No | Yes | Yes | Yes |
| Device Routes | No | Yes | Yes | Yes |
     
| Static Routing - IPv6 | Firewall for Baremetal Hosts | Firewall | Firewall and Advanced Threat Prevention | NSX DC Enterprise + Add-On for Firewall with Advanced Threat Prevention |
| --- | --- | --- | --- | --- |
| Static Routing | No | Yes | Yes | Yes |
| Null Routes | No | Yes | Yes | Yes |
| Device Routes | No | Yes | Yes | Yes |
     
| BGP - IPv4 Unicast | Firewall for Baremetal Hosts | Firewall | Firewall and Advanced Threat Prevention | NSX DC Enterprise + Add-On for Firewall with Advanced Threat Prevention |
| --- | --- | --- | --- | --- |
| eBGP | No | Yes | Yes | Yes |
| eBGP Multihop | No | Yes | Yes | Yes |
| iBGP | No | Yes | Yes | Yes |
| Graceful Restart | No | Yes | Yes | Yes |
| 4-byte ASN | No | Yes | Yes | Yes |
     
| BGP - IPv6 Unicast | Firewall for Baremetal Hosts | Firewall | Firewall and Advanced Threat Prevention | NSX DC Enterprise + Add-On for Firewall with Advanced Threat Prevention |
| --- | --- | --- | --- | --- |
| eBGP | No | No | No | Yes |
| eBGP Multihop | No | No | No | Yes |
| iBGP | No | No | No | Yes |
| Graceful Restart | No | No | No | Yes |
     
| BFD - IPv4 | Firewall for Baremetal Hosts | Firewall | Firewall and Advanced Threat Prevention | NSX DC Enterprise + Add-On for Firewall with Advanced Threat Prevention |
| --- | --- | --- | --- | --- |
| Sub-Second Keepalive Timer | No | Yes | Yes | Yes |
     
| Route Maps | Firewall for Baremetal Hosts | Firewall | Firewall and Advanced Threat Prevention | NSX DC Enterprise + Add-On for Firewall with Advanced Threat Prevention |
| --- | --- | --- | --- | --- |
| Match on Prefix-List and Community-List | No | Yes | Yes | Yes |
| Set Weight, MED, AS Path, Prepending, Local Preference, and Community | No | Yes | Yes | Yes |
     
| Other | Firewall for Baremetal Hosts | Firewall | Firewall and Advanced Threat Prevention | NSX DC Enterprise + Add-On for Firewall with Advanced Threat Prevention |
| --- | --- | --- | --- | --- |
| High Availability Virtual IP (HA VIP) | No | Yes | Yes | Yes |
| Route Redistribution | No | Yes | Yes | Yes |
| IP Prefix-Lists | No | Yes | Yes | Yes |
| Active / Active Redundancy (Stateless) | No | Yes | Yes | Yes |
| Active / Standby Redundancy | No | Yes | Yes | Yes |
| Per Interface RPF Check | No | Yes | Yes | Yes |
     
| NAT | Firewall for Baremetal Hosts | Firewall | Firewall and Advanced Threat Prevention | NSX DC Enterprise + Add-On for Firewall with Advanced Threat Prevention |
| --- | --- | --- | --- | --- |
| NAT on North/South and East/West Logical Routes | No | Yes | Yes | Yes |
| Source NAT | No | Yes | Yes | Yes |
| Destination NAT | No | Yes | Yes | Yes |
| NAT N:N | No | Yes | Yes | Yes |
| Stateless NAT | No | Yes | Yes | Yes |
| NAT Logging | No | Yes | Yes | Yes |
| NAT64 | No | No | No | Yes |
     
| Firewall | Firewall for Baremetal Hosts | Firewall | Firewall and Advanced Threat Prevention | NSX DC Enterprise + Add-On for Firewall with Advanced Threat Prevention |
| --- | --- | --- | --- | --- |
| Gateway Firewall | No | Yes | Yes | Yes |
| Distributed Firewalling | Yes | Yes | Yes | Yes |
| Common Firewall User Interface | Yes | Yes | Yes | Yes |
| Firewall Sections | Yes | Yes | Yes | Yes |
| Firewall Logging | Yes | Yes | Yes | Yes |
| Stateful L2 and L3 Rules | Yes | Yes | Yes | Yes |
| Stateless L2 and L3 Rules | Yes | Yes | Yes | Yes |
| Tag-Based Rules | Yes | Yes | Yes | Yes |
| Distributed Firewall based IPFIX | No | Yes | Yes | Yes |
| Distributed FQDN Filtering | No | Yes | Yes | Yes |
| L7 Application Identification Rules | No | Yes | Yes | Yes |
| Agent-Based enforcement for Physical Servers | Yes | Yes | Yes | Yes |
     
| Identity Firewall | Firewall for Baremetal Hosts | Firewall | Firewall and Advanced Threat Prevention | NSX DC Enterprise + Add-On for Firewall with Advanced Threat Prevention |
| --- | --- | --- | --- | --- |
| Identity-based Groups using Active Directory | No | Yes | Yes | Yes |
     
| NSX Distributed Threat Prevention ⁶ | Firewall for Baremetal Hosts | Firewall | Firewall and Advanced Threat Prevention | NSX DC Enterprise + Add-On for Firewall with Advanced Threat Prevention |
| --- | --- | --- | --- | --- |
| Distributed IDS | No | No | Yes | Yes |
| Distributed IPS | No | No | Yes | Yes |
| IDS/IPS Signature Updates | No | No | Yes | Yes |
     
| Policy, Tagging and Grouping | Firewall for Baremetal Hosts | Firewall | Firewall and Advanced Threat Prevention | NSX DC Enterprise + Add-On for Firewall with Advanced Threat Prevention |
| --- | --- | --- | --- | --- |
| Object Tagging / Security Tags | Yes | Yes | Yes | Yes |
| Network Centric Grouping | Yes | Yes | Yes | Yes |
| Workload Centric Grouping | Yes | Yes | Yes | Yes |
| IP Based Groups | Yes | Yes | Yes | Yes |
| MAC Based Groups | Yes | Yes | Yes | Yes |
| Intent-based Networking and Security Policy | Yes | Yes | Yes | Yes |
     
| DNS, DHCP and IPAM (DDI) | Firewall for Baremetal Hosts | Firewall | Firewall and Advanced Threat Prevention | NSX DC Enterprise + Add-On for Firewall with Advanced Threat Prevention |
| --- | --- | --- | --- | --- |
| IPAM | No | Yes | Yes | Yes |
| IP Blocks | No | Yes | Yes | Yes |
| IP Subnets | No | Yes | Yes | Yes |
| IP Pools | No | Yes | Yes | Yes |
| IPv4 DHCP Server | No | Yes | Yes | Yes |
| IPv6 DHCP Server | No | No | No | Yes |
| IPv4 DHCP Relay | No | Yes | Yes | Yes |
| IPv6 DHCP Relay | No | No | No | Yes |
| IPv4 DHCP Static Bindings / Fixed Addresses | No | Yes | Yes | Yes |
| IPv6 DHCP Static Bindings / Fixed Addresses | No | No | No | Yes |
| IPv4 DNS Relay / DNS Proxy | Yes | Yes | Yes | Yes |
| IPv4 Meta-Data Proxy | Yes | Yes | Yes | Yes |
     
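| Load Balancing ⁶ | Firewall for Baremetal Hosts | Firewall | Firewall and Advanced Threat Prevention | NSX DC Enterprise + Add-On for Firewall with Advanced Threat Prevention |
| --- | --- | --- | --- | --- |
| Protocols | | | | |
| TCP (L4-L7) | No | No | No | Yes |
| UDP | No | No | No | Yes |
| HTTP | No | No | No | Yes |
| Load Balancing Methods | | | | |
| Round Robin | No | No | No | Yes |
| Source IP Hash | No | No | No | Yes |
| Least Connections | No | No | No | Yes |
| L7 Application Rules with RegEX Support | No | No | No | Yes |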
     
| VPN | Firewall for Baremetal Hosts | Firewall | Firewall and Advanced Threat Prevention | NSX DC Enterprise + Add-On for Firewall with Advanced Threat Prevention |
| --- | --- | --- | --- | --- |
| L2 VPN | No | No | No | Yes |
| L3 VPN | No | Yes | Yes | Yes |
     
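| Health Checks | Firewall for Baremetal Hosts | Firewall | Firewall and Advanced Threat Prevention | NSX DC Enterprise + Add-On for Firewall with Advanced Threat Prevention |
| --- | --- | --- | --- | --- |
| TCP | No | No | No | Yes |
| ICMP | No | No | No | Yes |
| UDP | No | No | No | Yes |
| HTTP | No | No | No | Yes |
| HTTPS | No | No | No | Yes |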
     
| Monitoring | Firewall for Baremetal Hosts | Firewall | Firewall and Advanced Threat Prevention | NSX DC Enterprise + Add-On for Firewall with Advanced Threat Prevention |
| --- | --- | --- | --- | --- |
| View VIP / Pool / Server Objects | No | No | No | Yes |
| View VIP / Pool / Server Statistics | No | No | No | Yes |
| View Global Statistics VIP Sessions | No | No | No | Yes |
     
| Load Balancing Automation | Firewall for Baremetal Hosts | Firewall | Firewall and Advanced Threat Prevention | NSX DC Enterprise + Add-On for Firewall with Advanced Threat Prevention |
| --- | --- | --- | --- | --- |
| Pool Members Based on vCenter Context or IP Addresses | No | No | No | Yes |
     
| Other | Firewall for Baremetal Hosts | Firewall | Firewall and Advanced Threat Prevention | NSX DC Enterprise + Add-On for Firewall with Advanced Threat Prevention |
| --- | --- | --- | --- | --- |
| Connectivity Throttling | No | No | No | Yes |
| High-Availability | No | No | No | Yes |
     
| API Driven Automation | Firewall for Baremetal Hosts | Firewall | Firewall and Advanced Threat Prevention | NSX DC Enterprise + Add-On for Firewall with Advanced Threat Prevention |
| --- | --- | --- | --- | --- |
| REST API | Yes | Yes | Yes | Yes |
| Hierarchical Policy API | Yes | Yes | Yes | Yes |
| JSON Support | Yes | Yes | Yes | Yes |
| OpenAPI / Swagger Spec | Yes | Yes | Yes | Yes |
| Java SDK | Yes | Yes | Yes | Yes |
| Python SDK | Yes | Yes | Yes | Yes |
| Auto-generated API Documentation | Yes | Yes | Yes | Yes |
| Terraform Provider ⁵ | Yes | Yes | Yes | Yes |
| Ansible Modules ⁵ | Yes | Yes | Yes | Yes |
     
| Cloud-Native and Integration with Cloud Management Platforms | Firewall for Baremetal Hosts | Firewall | Firewall and Advanced Threat Prevention | NSX DC Enterprise + Add-On for Firewall with Advanced Threat Prevention |
| --- | --- | --- | --- | --- |
| Container Networking and Security | No | No | No | Yes |
| Integration with vRealize Automation ¹, ⁵ | No | No | No | No |
| Integration with vCloud Director ¹, ⁵ | Yes | Yes | Yes | Yes |
| Integration with VMware Integrated OpenStack ¹, ⁵ | Yes | Yes | Yes | Yes |
| Integration with other OpenStack Platform ³, ⁵ | Yes | Yes | Yes | Yes |
     
| Service Insertion Integrations | Firewall for Baremetal Hosts | Firewall | Firewall and Advanced Threat Prevention | NSX DC Enterprise + Add-On for Firewall with Advanced Threat Prevention |
| --- | --- | --- | --- | --- |
| Endpoint Protection | No | Yes | Yes | Yes |
| Network Introspection | No | No | No | Yes |
     
| NSX Intelligence | Firewall for Baremetal Hosts | Firewall | Firewall and Advanced Threat Prevention | NSX DC Enterprise + Add-On for Firewall with Advanced Threat Prevention |
| --- | --- | --- | --- | --- |
| Layer 4 / Layer 7 VM-to-VM Traffic Flow Analysis | No | Yes | Yes | Yes |
| Layer 4 / Layer 7 Firewall Visibility | No | Yes | Yes | Yes |
| Layer 4 / Layer 7 Automated Security Policy | No | Yes | Yes | Yes |
| Layer 4 / Layer 7 Rule and Group Recommendation Analytics | No | Yes | Yes | Yes |
     
| Integration with NSX Cloud for AWS and Azure | Firewall for Baremetal Hosts | Firewall | Firewall and Advanced Threat Prevention | NSX DC Enterprise + Add-On for Firewall with Advanced Threat Prevention |
| --- | --- | --- | --- | --- |
| NSX on-prem license portability for Public Cloud workloads | No | No | No | No |
| NSX Enforced Mode (Agent-Based Cloud Security) | No | Yes | Yes | Yes |
| Cloud Enforced Mode (Agentless Based Cloud Security) | No | Yes | Yes | Yes |
| Service Insertion | No | No | No | No |
| L4 Stateful Firewall Rules on AWS Workloads | No | Yes | Yes | Yes |
| L4 Stateless Firewall Rules on AWS Workloads | No | Yes | Yes | Yes |
| L4 Stateful Firewall Rules on Azure Workloads | No | Yes | Yes | Yes |
| L4 Stateless Firewall Rules on Azure Workloads | No | Yes | Yes | Yes |
| L3 VPN | No | No | No | Yes |
| Support for AWS Gov Cloud and Azure Government Cloud workloads | No | Yes | Yes | Yes |
     
| Authentication and Authorization | Firewall for Baremetal Hosts | Firewall | Firewall and Advanced Threat Prevention | NSX DC Enterprise + Add-On for Firewall with Advanced Threat Prevention |
| --- | --- | --- | --- | --- |
| Authentication using vIDM ¹, ⁴ | Yes | Yes | Yes | Yes |
| Direct Active Directory Integration via LDAP | Yes | Yes | Yes | Yes |
| Authentication via OpenLDAP | Yes | Yes | Yes | Yes |
| Session-Based Authentication | Yes | Yes | Yes | Yes |
| Certificate-Based Authentication (Principal Identity) | Yes | Yes | Yes | Yes |
| Role-Based Access Control | Yes | Yes | Yes | Yes |
     
| Log Management | Firewall for Baremetal Hosts | Firewall | Firewall and Advanced Threat Prevention | NSX DC Enterprise + Add-On for Firewall with Advanced Threat Prevention |
| --- | --- | --- | --- | --- |
| Splunk Integration ² | Yes | Yes | Yes | Yes |
| vRealize Log Management | Yes | Yes | Yes | Yes |
     
| Installation | Firewall for Baremetal Hosts | Firewall | Firewall and Advanced Threat Prevention | NSX DC Enterprise + Add-On for Firewall with Advanced Threat Prevention |
| --- | --- | --- | --- | --- |
| Automated Controller Development | Yes | Yes | Yes | Yes |
| Manual Controller Deployment | Yes | Yes | Yes | Yes |
| Automated Edge Deployment | No | Yes | Yes | Yes |
| Manual Edge Deployment | No | Yes | Yes | Yes |
| Automated Host Preparation by Cluster | No | Yes | Yes | Yes |
     
| Operations | Firewall for Baremetal Hosts | Firewall | Firewall and Advanced Threat Prevention | NSX DC Enterprise + Add-On for Firewall with Advanced Threat Prevention |
| --- | --- | --- | --- | --- |
| Port Mirroring | Yes | Yes | Yes | Yes |
| Trace Flow | Yes | Yes | Yes | Yes |
| Tunnel Health Monitoring | Yes | Yes | Yes | Yes |
| Port Connectivity Tool | Yes | Yes | Yes | Yes |
| Switch Based IPFIX | Yes | Yes | Yes | Yes |
| LLDP | Yes | Yes | Yes | Yes |
| Automated Technical Support Bundles | Yes | Yes | Yes | Yes |
| Backup and Restore | Yes | Yes | Yes | Yes |
| SNMP v1/v2/v3 with Traps | Yes | Yes | Yes | Yes |
     
| Upgrades and Migrations | Firewall for Baremetal Hosts | Firewall | Firewall and Advanced Threat Prevention | NSX DC Enterprise + Add-On for Firewall with Advanced Threat Prevention |
| --- | --- | --- | --- | --- |
| Upgrade Coordinator | Yes | Yes | Yes | Yes |
| NSX for vSphere to NSX-T Migration Coordinator | No | Yes | Yes | Yes |
     
| Network Detection and Response ⁷ | Firewall for Baremetal Hosts | Firewall | Firewall and Advanced Threat Prevention | NSX DC Enterprise + Add-On for Firewall with Advanced Threat Prevention |
| --- | --- | --- | --- | --- |
| Malware Detection | No | No | Yes | Yes |
| Network Sandboxing and Artifact Analysis ⁹ | No | No | Yes | Yes |
| Network Traffic Analytics ⁹ | No | No | Yes | Yes |

Notes:
  1. Please refer to the VMware Product Interoperability Matrices for specific versions supported with NSX-T Data Center.
  2. Please refer to the NSX-T Data Center release notes for specific versions.
  3. Please refer to the NSX Data Center partner web site for specific versions.
  4. VMware Identity Manager - A license to use VMware NSX Data Center includes an entitlement to use the VMware Identity Manager feature, but only for the following functionalities:
    • Directory integration functionality of VMware Identity Manager to authenticate users in a user directory such as Microsoft Active Directory or LDAP.
    • Conditional access policy.
    • Single-sign-on integration functionality with third-party identity providers to allow third-party identity providers’ users to single-sign-on into NSX Data Center.
    • Two-factor authentication solution through integration with third-party systems. VMware Verify, VMware’s multi-factor authentication solution, received as part of VMware Identity Manager, may not be used as part of NSX Data Center.
    • Single-sign-on functionality to access VMware products that support single-sign-on capabilities.
  5. Integration with automation tools such as vRealize Automation, vCloud Director, VMware Integrated OpenStack and other OpenStack distributions, Ansible, and Terraform is available for all editions of NSX. However, you must have the appropriate NSX edition for the feature that these tools automate. For example, automation of load balancing from Terraform or OpenStack requires NSX Data Center Advanced, Enterprise Plus, or ROBO.
  6. Both IPv4 and IPv6 are supported for all Load Balancing features except for IPv6-VIP-to-IPv4-member and IPv4-VIP-to-IPv6-member translations.
  7. Network Detection and Response is only available in hosted mode and not integrated into NSX-T 3.1 with the NSX Platform. For your region, please select the appropriate license SKU.
  8. A single sensor socket entitles up to 250 artifact submissions per day with a maximum artifact size of 64MB.
  9. A single sensor socket entitles up to a daily average of 100 Mbps sustained throughput for traffic analytics with a limit of 10 network records per second per NDR Sensor uploaded for analysis.