You can use NSX Gateway Firewall to firewalling for the North-South traffic at the Layer 3 boundary. You can use the Gateway Firewall as an inter-tenant/zone firewall from the north-south perspective, along with the Distributed Firewall. Gateway Firewall is supported on both Tier-0 and Tier-1 gateways. Tier-0 supports basic L3/L4 stateful firewall, where as Tier-1 supports basic L3/L4 and advanced L7 features like L7 Application ID, URL filtering, IDS/IPS, TLS Inspection, Identity Firewall, and Malware Prevention. The Gateway Firewall provides firewalling services and other services that cannot be distributed such as NAT, DHCP, VPN, and load balancing, and needs the services router component of the gateway. This means that the Gateway Firewall is implemented in the NSX Edge Transport Nodes, which are dedicated DPDK appliances.
At a high level, Gateway Security preparation involves the following steps:
- Deploy NSX Manager
- Deploy NSX Edge Transport Node and provision Edge Cluster
- Create NSX Tier-0/1 Gateway
- Create Service Interface/Uplink Interface on Tier-1 or External Interface on Tier-0
- Define Zone/Inter-VLAN Firewall Policies