Product offerings for NSX-T 3.2 Security

Article ID: 336803

Products

VMware NSX Networking

Issue/Introduction

This article describes the licensing editions of VMware NSX for security-specific deployments and lists the features included in each edition.

NSX Distributed Firewall Editions:

NSX delivers security capabilities for Zero Trust scenarios through the "Distributed Firewall" product line. The editions focused on micro-segmentation of east-west traffic with the Distributed Firewall are listed below:

  • NSX Distributed Firewall for Baremetal Hosts: For organizations needing an agent-based network segmentation solution for bare-metal workloads.
  • NSX Distributed Firewall Edition: For organizations needing to implement access controls for east-west traffic within the network (micro-segmentation), but not focused on threat detection and prevention services.
  • NSX Distributed Firewall with Threat Prevention Edition: For organizations needing access control and select threat prevention features for east-west traffic within the network.
  • NSX Distributed Firewall with Advanced Threat Prevention Edition: For organizations needing firewalling and all advanced threat prevention features for east-west traffic within the network.

VMware NSX Gateway Firewall Editions:

NSX delivers security capabilities for zone segmentation and public cloud internet gateway scenarios through the "Gateway Firewall" product line. The Gateway Firewall editions are listed below:

  • Gateway Firewall: For organizations needing to implement firewalling capabilities for zone segmentation, but not focused on threat detection and prevention services.
  • Gateway Firewall with Threat Prevention Edition: For organizations needing to implement firewalling capabilities for zone segmentation along with select threat detection and prevention services offered in the Gateway form factor.
  • Gateway Firewall with Advanced Threat Prevention Edition: For organizations needing to implement firewalling capabilities for zone segmentation along with all advanced threat detection and prevention services offered in the Gateway form factor.

The Gateway Firewall product can be deployed either as a Virtual Machine (VM) or as an ISO image on physical servers depending upon the license procured. The Gateway Firewall Editions listed above are applicable for both the VM and ISO based deployments.

NSX Network Detection and Response (NDR):

The NSX NDR product offers advanced threat identification and response capabilities for Security Operations Center (SOC) deployments. At this time, this solution is offered for on-premises deployment only.

  • NSX Network Detection and Response (NDR) for on-premises: For SOC teams needing to implement an NDR solution that identifies advanced attacks on the network.

The NSX NDR solution does not provide entitlements for NSX Distributed Firewall or Gateway Firewall capabilities. It is a stand-alone offer focused on SOC deployments.

Customers interested in deploying the network virtualization capabilities of NSX should refer to https://kb.vmware.com/s/article/86095. Customers who have already purchased NSX Data Center (NSX-T) Advanced and Enterprise Plus editions can procure the NSX Firewall Threat Prevention or NSX Firewall Advanced Threat Prevention add-on licenses.


Environment

VMware NSX-T Data Center 3.x
VMware NSX-T Data Center

Resolution

The following tables outline the specific functions available in each edition. NSX Security is available as a single download image; license keys are required to enable specific functionality.

Distributed Security

Columns (NSX-T Distributed Firewall packages): DFW = NSX Distributed Firewall; DFW-TP = NSX Distributed Firewall with Threat Prevention; DFW-ATP = NSX Distributed Firewall with Advanced Threat Prevention; BM = Firewall (Agent) for Baremetal Servers. Columns (NSX-T Gateway Firewall packages): GFW = NSX Gateway Firewall; GFW-TP = NSX Gateway Firewall with Threat Prevention; GFW-ATP = NSX Gateway Firewall with Advanced Threat Prevention.

Distributed Security Features | DFW | DFW-TP | DFW-ATP | BM | GFW | GFW-TP | GFW-ATP
Distributed Firewall for NSX Switchports | Yes | Yes | Yes | Yes | No | No | No
Distributed Firewall for VDS Switchports | Yes | Yes | Yes | No | No | No | No
Stateful L2 and L3 Rules | Yes | Yes | Yes | Yes | No | No | No
Stateless L2 and L3 Rules | Yes | Yes | Yes | Yes | No | No | No
Distributed FQDN Filtering | Yes | Yes | Yes | No | No | No | No
Basic L7 Application Identification Rules | Yes | Yes | Yes | No | No | No | No
Advanced L7 Application Identification Rules | Yes | Yes | Yes | No | No | No | No
Distributed Flood Protection | Yes | Yes | Yes | No | No | No | No
Agent-Based Enforcement for Physical Servers | Yes | Yes | Yes | Yes | No | No | No
User Identity Firewall:
Distributed Identity Firewall using Guest Introspection | Yes | Yes | Yes | No | No | No | No
Distributed Identity Firewall using Active Directory Event Server | Yes | Yes | Yes | No | No | No | No
Distributed Identity Firewall using third-party log sources | No | No | No | No | No | No | No
NSX Distributed Threat Prevention [7]:
Distributed Intrusion Detection Service (IDS) | No | Yes | Yes | No | No | No | No
Distributed Behavioral IDS | No | Yes | Yes | No | No | No | No
Distributed Intrusion Prevention Service (IPS) | No | Yes | Yes | No | No | No | No
NSX Distributed Advanced Threat Prevention [9]:
Distributed Malware Detection and Prevention | No | No | Yes | No | No | No | No
Cloud Sandboxing and Artifact Analysis [10, 13] | No | No | Yes | No | No | No | No
Distributed IDS Event Forwarding to NDR | No | Yes | Yes | No | No | No | No
Distributed Service Insertion Integrations:
Distributed Endpoint Protection | No | No | No | No | No | No | No
Distributed Network Introspection | No | No | No | No | No | No | No
Policy, Tagging and Grouping:
Object Tagging / Security Tags | Yes | Yes | Yes | Yes | Yes | Yes | Yes
Network Centric Grouping | Yes | Yes | Yes | Yes | Yes | Yes | Yes
Workload Centric Grouping | Yes | Yes | Yes | Yes | Yes | Yes | Yes
IP Based Groups | Yes | Yes | Yes | Yes | Yes | Yes | Yes
MAC Based Groups | Yes | Yes | Yes | Yes | Yes | Yes | Yes
Tag Based Rules | Yes | Yes | Yes | Yes | Yes | Yes | Yes
Firewall Operations:
Firewall Logging | Yes | Yes | Yes | Yes | Yes | Yes | Yes
Distributed Firewall based IPFIX | Yes | Yes | Yes | Yes | No | No | No
Rule Hit Count, Popularity Index, Flow Statistics | Yes | Yes | Yes | Yes | Yes | Yes | Yes
Firewall Drafts | Yes | Yes | Yes | No | No | No | No

Gateway Firewall Features

Columns (NSX-T Distributed Firewall packages): DFW = NSX Distributed Firewall; DFW-TP = NSX Distributed Firewall with Threat Prevention; DFW-ATP = NSX Distributed Firewall with Advanced Threat Prevention; BM = Firewall (Agent) for Baremetal Servers. Columns (NSX-T Gateway Firewall packages): GFW = NSX Gateway Firewall; GFW-TP = NSX Gateway Firewall with Threat Prevention; GFW-ATP = NSX Gateway Firewall with Advanced Threat Prevention.

Gateway Security Features | DFW | DFW-TP | DFW-ATP | BM | GFW | GFW-TP | GFW-ATP
Stateful L3 Rules | No | No | No | No | Yes | Yes | Yes
Stateless L3 Rules | No | No | No | No | Yes | Yes | Yes
Basic L7 Application Identification Rules | No | No | No | No | Yes | Yes | Yes
Advanced L7 Application Identification Rules | No | No | No | No | Yes | Yes | Yes
URL Filtering | No | No | No | No | Yes | Yes | Yes
Gateway Flood Protection | No | No | No | No | Yes | Yes | Yes
Identity Firewall:
Gateway Identity Firewall using Active Directory Event Server | No | No | No | No | Yes | Yes | Yes
Gateway Identity Firewall using third-party log sources | No | No | No | No | Yes | Yes | Yes
NSX Gateway Advanced Threat Prevention [7]:
Malware Detection | No | No | No | No | No | No | Yes
Cloud Sandboxing and Artifact Analysis [10] | No | No | No | No | No | No | Yes
NAT:
NAT on North/South and East/West Logical Routers | No | No | No | No | Yes | Yes | Yes
Source NAT | No | No | No | No | Yes | Yes | Yes
Destination NAT | No | No | No | No | Yes | Yes | Yes
NAT N:N | No | No | No | No | Yes | Yes | Yes
Stateless NAT | No | No | No | No | Yes | Yes | Yes
NAT Logging | No | No | No | No | Yes | Yes | Yes
NAT64 | No | No | No | No | Yes | Yes | Yes
Active/Active NAT Services | No | No | No | No | Yes | Yes | Yes
VPN:
L2 VPN | No | No | No | No | Yes | Yes | Yes
Active / Standby L3 VPN | No | No | No | No | Yes | Yes | Yes
Gateway Service Insertion Integrations:
Gateway Network Introspection | No | No | No | No | Yes | Yes | Yes
Gateway Firewall High Availability [14]:
Active/Standby Gateway Firewall Services | No | No | No | No | Yes | Yes | Yes
Policy, Tagging and Grouping:
Object Tagging / Security Tags | Yes | Yes | Yes | Yes | Yes | Yes | Yes
Network Centric Grouping | Yes | Yes | Yes | Yes | Yes | Yes | Yes
Workload Centric Grouping | Yes | Yes | Yes | Yes | Yes | Yes | Yes
IP Based Groups | Yes | Yes | Yes | Yes | Yes | Yes | Yes
Tag-Based Rules | Yes | Yes | Yes | Yes | Yes | Yes | Yes
Per-Gateway and Multi-Gateway Policy Management | No | No | No | No | Yes | Yes | Yes
Firewall Operations:
Firewall Logging | Yes | Yes | Yes | Yes | Yes | Yes | Yes
Rule Hit Count, Popularity Index, Flow Statistics | Yes | Yes | Yes | Yes | Yes | Yes | Yes
Firewall Drafts | No | No | No | No | Yes | Yes | Yes

 

Networking

Columns (NSX-T Distributed Firewall packages): DFW = NSX Distributed Firewall; DFW-TP = NSX Distributed Firewall with Threat Prevention; DFW-ATP = NSX Distributed Firewall with Advanced Threat Prevention; BM = Firewall (Agent) for Baremetal Servers. Columns (NSX-T Gateway Firewall packages): GFW = NSX Gateway Firewall; GFW-TP = NSX Gateway Firewall with Threat Prevention; GFW-ATP = NSX Gateway Firewall with Advanced Threat Prevention.

Feature | DFW | DFW-TP | DFW-ATP | BM | GFW | GFW-TP | GFW-ATP
vSphere Distributed Switch [10] | Yes | Yes | Yes | Yes | Yes | Yes | Yes
VLAN Backed Logical Switching | Yes | Yes | Yes | Yes | Yes | Yes | Yes
Overlay Backed Logical Switching | No | No | No | No | Yes | Yes | Yes
Multiple TEP Support | No | No | No | No | Yes | Yes | Yes
Optimized ARP Learning and Broadcast Suppression | No | No | No | No | No | No | No
GENEVE Encapsulation | No | No | No | No | Yes | Yes | Yes
Unicast Replication | No | No | No | No | No | No | No
Headend Replication | No | No | No | No | No | No | No
Spoofguard | Yes | Yes | Yes | Yes | No | No | No
LACP (Edge and Host) | Yes | Yes | Yes | Yes | Yes | Yes | Yes
L2 Multicast | No | No | No | No | Yes | Yes | Yes
L3 Multicast | No | No | No | No | Yes | Yes | Yes
Quality of Service (QoS):
QoS Marking | No | No | No | No | No | No | No
QoS DSCP Trust Boundary | No | No | No | No | No | No | No
L2 Bridging to Physical Environment:
Software Based L2 Bridge to Physical Environments | No | No | No | No | Yes | Yes | Yes
Routing:
Distributed Routing | No | No | No | No | No | No | No
Multi-Tier Routing | No | No | No | No | Yes | Yes | Yes
Dynamic Routing with ECMP | No | No | No | No | Yes | Yes | Yes
Active / Standby Redundancy for Routing | No | No | No | No | Yes | Yes | Yes
Active / Active Redundancy for Routing | No | No | No | No | Yes | Yes | Yes
Virtual Routing and Forwarding (Tier-0 Gateway VRFs) | No | No | No | No | Yes | Yes | Yes
EVPN | No | No | No | No | Yes | Yes | Yes
OSPF v2 | No | No | No | No | Yes | Yes | Yes
Static Routing - IPv4:
Static Routing | No | No | No | No | Yes | Yes | Yes
BFD | No | No | No | No | Yes | Yes | Yes
Null Routes | No | No | No | No | Yes | Yes | Yes
Device Routes | No | No | No | No | Yes | Yes | Yes
Static Routing - IPv6:
Static Routing | No | No | No | No | Yes | Yes | Yes
Null Routes | No | No | No | No | Yes | Yes | Yes
Device Routes | No | No | No | No | Yes | Yes | Yes
BGP - IPv4 Unicast:
eBGP | No | No | No | No | Yes | Yes | Yes
eBGP Multihop | No | No | No | No | Yes | Yes | Yes
iBGP | No | No | No | No | Yes | Yes | Yes
Graceful Restart | No | No | No | No | Yes | Yes | Yes
BFD | No | No | No | No | Yes | Yes | Yes
4-byte ASN | No | No | No | No | Yes | Yes | Yes
BGP - IPv6 Unicast:
eBGP | No | No | No | No | Yes | Yes | Yes
eBGP Multihop | No | No | No | No | Yes | Yes | Yes
iBGP | No | No | No | No | Yes | Yes | Yes
Graceful Restart | No | No | No | No | Yes | Yes | Yes
4-byte ASN | No | No | No | No | Yes | Yes | Yes
BFD - IPv4:
Sub-Second Keepalive Timer | No | No | No | No | Yes | Yes | Yes
Route Maps:
Match on Prefix-List and Community-List | No | No | No | No | Yes | Yes | Yes
Set Weight, MED, AS Path, Prepending, Local Preference, and Community | No | No | No | No | Yes | Yes | Yes
Other:
High Availability Virtual IP (HA VIP) | No | No | No | No | Yes | Yes | Yes
Route Redistribution | No | No | No | No | Yes | Yes | Yes
IP Prefix-Lists | No | No | No | No | Yes | Yes | Yes
Per Interface RPF Check | No | No | No | No | Yes | Yes | Yes
DNS, DHCP and IPAM (DDI):
IPAM | No | No | No | No | Yes | Yes | Yes
IP Blocks | No | No | No | No | Yes | Yes | Yes
IP Subnets | No | No | No | No | Yes | Yes | Yes
IP Pools | No | No | No | No | Yes | Yes | Yes
IPv4 DHCP Server | No | No | No | No | Yes | Yes | Yes
IPv6 DHCP Server | No | No | No | No | Yes | Yes | Yes
IPv4 DHCP Relay | No | No | No | No | Yes | Yes | Yes
IPv6 DHCP Relay | No | No | No | No | Yes | Yes | Yes
IPv4 DHCP Static Bindings / Fixed Addresses | No | No | No | No | Yes | Yes | Yes
IPv6 DHCP Static Bindings / Fixed Addresses | No | No | No | No | Yes | Yes | Yes
IPv4 DNS Relay / DNS Proxy | No | No | No | No | Yes | Yes | Yes
IPv4 Meta-Data Proxy | No | No | No | No | No | No | No

 

NSX Intelligence

Columns (NSX-T Distributed Firewall packages): DFW = NSX Distributed Firewall; DFW-TP = NSX Distributed Firewall with Threat Prevention; DFW-ATP = NSX Distributed Firewall with Advanced Threat Prevention; BM = Firewall (Agent) for Baremetal Servers. Columns (NSX-T Gateway Firewall packages): GFW = NSX Gateway Firewall; GFW-TP = NSX Gateway Firewall with Threat Prevention; GFW-ATP = NSX Gateway Firewall with Advanced Threat Prevention.

Feature | DFW | DFW-TP | DFW-ATP | BM | GFW | GFW-TP | GFW-ATP
Layer 4 VM-to-VM Traffic Flow Analysis | Yes | Yes | Yes | No | No | No | No
Layer 4 Firewall Visibility | Yes | Yes | Yes | No | No | No | No
Layer 4 Automated Security Policy | Yes | Yes | Yes | No | No | No | No
Layer 4 Rule and Group Recommendation Analytics | Yes | Yes | Yes | No | No | No | No
Network Traffic Analytics | No | No | Yes | No | No | No | No
Network Detection and Response [12] | No | No | Yes | No | No | No | No

 

Load Balancing [8]

Columns (NSX-T Distributed Firewall packages): DFW = NSX Distributed Firewall; DFW-TP = NSX Distributed Firewall with Threat Prevention; DFW-ATP = NSX Distributed Firewall with Advanced Threat Prevention; BM = Firewall (Agent) for Baremetal Servers. Columns (NSX-T Gateway Firewall packages): GFW = NSX Gateway Firewall; GFW-TP = NSX Gateway Firewall with Threat Prevention; GFW-ATP = NSX Gateway Firewall with Advanced Threat Prevention.

Feature | DFW | DFW-TP | DFW-ATP | BM | GFW | GFW-TP | GFW-ATP
Protocols:
TCP (L4-L7) | No | No | No | No | No | No | No
UDP | No | No | No | No | No | No | No
HTTP | No | No | No | No | No | No | No
Load Balancing Methods:
Round Robin | No | No | No | No | No | No | No
Source IP Hash | No | No | No | No | No | No | No
Least Connections | No | No | No | No | No | No | No
L7 Application Rules with RegEx Support | No | No | No | No | No | No | No
Health Checks:
TCP | No | No | No | No | No | No | No
ICMP | No | No | No | No | No | No | No
UDP | No | No | No | No | No | No | No
HTTP | No | No | No | No | No | No | No
HTTPS | No | No | No | No | No | No | No
Monitoring:
View VIP / Pool / Server Objects | No | No | No | No | No | No | No
View VIP / Pool / Server Statistics | No | No | No | No | No | No | No
View Global Statistics VIP Sessions | No | No | No | No | No | No | No
Load Balancing Automation:
Pool Members Based on vCenter Context or IP Addresses | No | No | No | No | No | No | No
Other:
Connection Throttling | No | No | No | No | No | No | No
High-Availability | No | No | No | No | No | No | No

NSX Cloud for AWS and Azure

Columns (NSX-T Distributed Firewall packages): DFW = NSX Distributed Firewall; DFW-TP = NSX Distributed Firewall with Threat Prevention; DFW-ATP = NSX Distributed Firewall with Advanced Threat Prevention; BM = Firewall (Agent) for Baremetal Servers. Columns (NSX-T Gateway Firewall packages): GFW = NSX Gateway Firewall; GFW-TP = NSX Gateway Firewall with Threat Prevention; GFW-ATP = NSX Gateway Firewall with Advanced Threat Prevention.

Feature | DFW | DFW-TP | DFW-ATP | BM | GFW | GFW-TP | GFW-ATP
NSX on-prem license portability for Public Cloud workloads | Yes | Yes | Yes | No | Yes | No | Yes
NSX Enforced Mode (Agent-Based Cloud Security) | Yes | Yes | Yes | No | No | No | No
Cloud Enforced Mode (Agentless Based Cloud Security) | Yes | Yes | Yes | No | No | No | No
Stateful L2 and L3 Rules | Yes | Yes | Yes | No | No | No | No
Stateless L2 and L3 Rules | Yes | Yes | Yes | No | No | No | No
Distributed Identity Firewall using Active Directory Event Server | Yes | Yes | Yes | No | No | No | No
L7 Security Features (Basic L7 Application Identification Rules) | Yes | Yes | Yes | No | No | No | No
Advanced Security capabilities in Public Cloud Gateway (L7 firewall / URL Filtering) | No | No | No | No | Yes | Yes | Yes
VPN (on-prem to public cloud; public cloud to public cloud; intra public cloud) | No | No | No | No | Yes | Yes | Yes
Support for AWS GovCloud and Azure Government Cloud workloads | Yes | Yes | Yes | Yes | Yes | Yes | Yes

 

Modern Apps

Columns (NSX-T Distributed Firewall packages): DFW = NSX Distributed Firewall; DFW-TP = NSX Distributed Firewall with Threat Prevention; DFW-ATP = NSX Distributed Firewall with Advanced Threat Prevention; BM = Firewall (Agent) for Baremetal Servers. Columns (NSX-T Gateway Firewall packages): GFW = NSX Gateway Firewall; GFW-TP = NSX Gateway Firewall with Threat Prevention; GFW-ATP = NSX Gateway Firewall with Advanced Threat Prevention.

Feature | DFW | DFW-TP | DFW-ATP | BM | GFW | GFW-TP | GFW-ATP
Container Networking and Security | No | No | No | No | No | No | No
VMware Container Networking with Project Antrea Enterprise | No | No | No | No | No | No | No

Automation

Columns (NSX-T Distributed Firewall packages): DFW = NSX Distributed Firewall; DFW-TP = NSX Distributed Firewall with Threat Prevention; DFW-ATP = NSX Distributed Firewall with Advanced Threat Prevention; BM = Firewall (Agent) for Baremetal Servers. Columns (NSX-T Gateway Firewall packages): GFW = NSX Gateway Firewall; GFW-TP = NSX Gateway Firewall with Threat Prevention; GFW-ATP = NSX Gateway Firewall with Advanced Threat Prevention.

Feature | DFW | DFW-TP | DFW-ATP | BM | GFW | GFW-TP | GFW-ATP
API Driven Automation:
REST API | Yes | Yes | Yes | Yes | Yes | Yes | Yes
Hierarchical Policy API | Yes | Yes | Yes | Yes | Yes | Yes | Yes
JSON Support | Yes | Yes | Yes | Yes | Yes | Yes | Yes
OpenAPI / Swagger Spec | Yes | Yes | Yes | Yes | Yes | Yes | Yes
Java SDK | Yes | Yes | Yes | Yes | Yes | Yes | Yes
Python SDK | Yes | Yes | Yes | Yes | Yes | Yes | Yes
Auto-generated API Documentation | Yes | Yes | Yes | Yes | Yes | Yes | Yes
Terraform Provider [6] | Yes | Yes | Yes | Yes | Yes | Yes | Yes
Ansible Modules [6] | Yes | Yes | Yes | Yes | Yes | Yes | Yes
Integration with Cloud Management Platforms:
Integration with vRealize Automation [1, 6] | Yes | Yes | Yes | Yes | Yes | Yes | Yes
Integration with vCloud Director [1, 6] | Yes | Yes | Yes | Yes | Yes | Yes | Yes
Integration with VMware Integrated OpenStack [1, 6] | Yes | Yes | Yes | Yes | Yes | Yes | Yes
Integration with other OpenStack Platforms [3, 6] | Yes | Yes | Yes | Yes | Yes | Yes | Yes

Platform

Columns (NSX-T Distributed Firewall packages): DFW = NSX Distributed Firewall; DFW-TP = NSX Distributed Firewall with Threat Prevention; DFW-ATP = NSX Distributed Firewall with Advanced Threat Prevention; BM = Firewall (Agent) for Baremetal Servers. Columns (NSX-T Gateway Firewall packages): GFW = NSX Gateway Firewall; GFW-TP = NSX Gateway Firewall with Threat Prevention; GFW-ATP = NSX Gateway Firewall with Advanced Threat Prevention.

Feature | DFW | DFW-TP | DFW-ATP | BM | GFW | GFW-TP | GFW-ATP
Platform Features:
ESXi Support [1] | Yes | Yes | Yes | No | No | No | No
KVM Support [2] | Yes | Yes | Yes | No | No | No | No
Controller Clustering | Yes | Yes | Yes | Yes | Yes | Yes | Yes
vCenter Integration [1] | Yes | Yes | Yes | No | Yes | Yes | Yes
Multi-vCenter Networking and Security | Yes | Yes | Yes | No | Yes | Yes | Yes
Federation | No | No | No | No | No | No | No
Edge Platform Features:
Edge in VM Form Factor | No | No | No | No | Yes | Yes | Yes
Edge in Bare-Metal Form Factor for Routing | No | No | No | No | Yes | Yes | Yes
Edge in Bare-Metal Form Factor for Gateway Firewall | No | No | No | No | Yes | Yes | Yes
DPDK Optimized Forwarding | No | No | No | No | Yes | Yes | Yes
Authentication and Authorization:
Authentication using Workspace ONE Access [1, 5] | Yes | Yes | Yes | Yes | Yes | Yes | Yes
Direct Active Directory Integration via LDAP | Yes | Yes | Yes | Yes | Yes | Yes | Yes
Authentication via OpenLDAP | Yes | Yes | Yes | Yes | Yes | Yes | Yes
Session-Based Authentication | Yes | Yes | Yes | Yes | Yes | Yes | Yes
Certificate-Based Authentication (Principal Identity) | Yes | Yes | Yes | Yes | Yes | Yes | Yes
Role-Based Access Control | Yes | Yes | Yes | Yes | Yes | Yes | Yes
Log Management:
vRealize Log Insight Integration [1, 4] | Yes | Yes | Yes | Yes | Yes | Yes | Yes
Splunk Integration [2] | Yes | Yes | Yes | Yes | Yes | Yes | Yes
Installation:
Automated Manager Deployment | Yes | Yes | Yes | Yes | Yes | Yes | Yes
Manual Controller Deployment | Yes | Yes | Yes | Yes | Yes | Yes | Yes
Automated Edge Deployment | No | No | No | No | Yes | Yes | Yes
Manual Edge Deployment | No | No | No | No | Yes | Yes | Yes
Automated Compute Host Preparation by Cluster | Yes | Yes | Yes | No | No | No | No
Operations:
Port Mirroring | Yes | Yes | Yes | Yes | Yes | Yes | Yes
Traceflow | Yes | Yes | Yes | Yes | Yes | Yes | Yes
NSX Live Traffic Analysis | Yes | Yes | Yes | Yes | Yes | Yes | Yes
Tunnel Health Monitoring | Yes | Yes | Yes | Yes | Yes | Yes | Yes
Port Connectivity Tool | Yes | Yes | Yes | Yes | Yes | Yes | Yes
Switch Based IPFIX | Yes | Yes | Yes | Yes | Yes | Yes | Yes
LLDP | Yes | Yes | Yes | Yes | Yes | Yes | Yes
Automated Technical Support Bundles | Yes | Yes | Yes | Yes | Yes | Yes | Yes
Packet Capture | Yes | Yes | Yes | Yes | Yes | Yes | Yes
Backup and Restore | Yes | Yes | Yes | Yes | Yes | Yes | Yes
SNMP v1/v2/v3 with Traps | Yes | Yes | Yes | Yes | Yes | Yes | Yes
Monitoring:
Time-Series Metrics (Note: Name for this feature is under discussion) | No | No | No | No | No | No | Yes
Upgrades and Migrations:
Upgrade Coordinator | Yes | Yes | Yes | Yes | Yes | Yes | Yes
NSX for vSphere to NSX-T Migration Coordinator [11] | Yes | Yes | Yes | Yes | Yes | Yes | Yes
NSX Manager to Policy Promotion | Yes | Yes | Yes | Yes | Yes | Yes | Yes


Notes:

[1] Please refer to the VMware Product Interoperability Matrices for the specific versions supported with NSX-T Data Center.

[2] Please refer to the NSX-T Data Center release notes for the specific versions.

[3] Please refer to the NSX-T Data Center partner website for the specific versions.

[4] VMware vRealize Log Insight for NSX provides intelligent log analytics for NSX Data Center. Log Insight provides monitoring and troubleshooting capabilities and customizable dashboards for network virtualization, flow analysis, and alerts. VMware vRealize Log Insight version 3.3.2 and later accepts NSX Data Center Standard/Professional/Advanced/Enterprise Plus edition license keys issued for NSX-T 1.0.0 and later. This means you will have an enterprise-level Log Insight license for every license of NSX Data Center.

[5] VMware Workspace ONE Access: A license to use VMware NSX Data Center includes an entitlement to use the VMware Workspace ONE Access feature, but only for the following functionalities:

  • Directory integration functionality of VMware Workspace ONE Access to authenticate users in a user directory such as Microsoft Active Directory or LDAP.
  • Conditional access policy.
  • Single sign-on integration functionality with third-party identity providers to allow third-party identity providers' users to single sign-on into NSX Data Center.
  • Two-factor authentication solution through integration with third-party systems. VMware Verify, VMware's multi-factor authentication solution, received as part of VMware Workspace ONE Access may not be used as part of NSX Data Center.
  • Single sign-on functionality to access VMware products that support single sign-on capabilities.

[6] Integration with automation tools such as vRealize Automation, vCloud Director, VMware Integrated OpenStack and other OpenStack distributions, Ansible, and Terraform is available for all editions of NSX; however, you must have the appropriate NSX edition for the feature that is automated by these tools. For example, automation of load balancing from Terraform or OpenStack requires NSX Data Center Advanced, Enterprise Plus, or ROBO.

[7] NSX Distributed Threat Prevention requires an additional subscription-based purchase.

[8] Both IPv4 and IPv6 are supported for all Load Balancing features except for IPv6-VIP-to-IPv4-member and IPv4-VIP-to-IPv6-member translations.

[9] Customers who have purchased the legacy NSX editions can apply their licenses to NSX-T Data Center.

[10] Requires VDS 7.0 or higher.

[11] Migration Coordinator migrates the deployment in NSX for vSphere and the features used into NSX-T. It is the responsibility of the customer to ensure that the version of NSX-T allows the use of those features.

[12] Network Detection and Response supports event and artifact submission from the Distributed Firewall only. It is a hosted service running from various VMware regions.

[13] A single sensor socket entitles up to 250 artifact submissions per day with a maximum artifact size of 64 MB.

[14] Subject to the Gateway Firewall features available in that specific SKU. Please refer to https://kb.vmware.com/s/article/87077

[15] Please refer to the NSX Security features covered in https://kb.vmware.com/s/article/87077