NSX supports Distributed Security on a vSphere Distributed Switch (VDS). Because the host switch is a VDS, you can enable DFW capabilities on workload VMs.
Starting with NSX 4.2, DFW supports both DVPGs created in vSphere and segments created in NSX within the same cluster.
Distributed Security provides security-related functionality to your VDS such as:
- Distributed Firewall (DFW)
- Distributed IDS/IPS
- Identity Firewall
- L7 App ID
- Fully Qualified Domain Name (FQDN) Filtering
- Security Intelligence
- NSX Malware Prevention
- NSX Guest Introspection
After you activate security on DVPGs, DVPG ports and DVPG segments are discovered by NSX.
Prerequisites
The following are the requirements for installing Distributed Security for VDS:
- vSphere 7.0.3 or later.
The vSphere cluster should have at least one VDS configured with distributed switch version 7.0.3 or later, and the ESXi hosts in the cluster must be members of that VDS with uplinks configured.
- A compute manager must be registered in NSX. See Add a Compute Manager.
Before you deploy and configure Distributed Security on hosts, ensure that NSX is not already deployed on those hosts.
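As an added example that is not part of the NSX documentation, the following PowerCLI script checks these prerequisites for one cluster and also lists every cluster each VDS spans, which matters when you select clusters for activation later in the procedure. It assumes an existing Connect-VIServer session to the vCenter that manages the cluster; the cluster name is a constructed placeholder.

```powershell
# Added example (not from the NSX documentation): PowerCLI pre-check for
# Distributed Security on VDS. Assumes Connect-VIServer has already been run.
param([string]$ClusterName = 'Compute-Cluster-01')   # constructed sample name

$MinVds  = [version]'7.0.3'
$cluster = Get-Cluster -Name $ClusterName -ErrorAction Stop
$hosts   = Get-VMHost -Location $cluster

# Every VDS attached to any ESXi host in the cluster
$switches = $hosts | ForEach-Object { Get-VDSwitch -VMHost $_ } |
            Sort-Object -Property Name -Unique
if (-not $switches) { throw "No VDS found on cluster $ClusterName" }

foreach ($vds in $switches) {
    $ok = $true

    # 1. Distributed switch version must be 7.0.3 or later
    if ([version]$vds.Version -lt $MinVds) {
        Write-Warning "$($vds.Name): version $($vds.Version) is below $MinVds"
        $ok = $false
    }

    # 2. Every host in the cluster must be a VDS member with a connected uplink
    #    (an uplink port with no physical NIC attached has no ConnectedEntity)
    $uplinks = Get-VDPort -VDSwitch $vds -Uplink | Where-Object { $_.ConnectedEntity }
    $hostsWithUplink = $uplinks | ForEach-Object { $_.ProxyHost.Name } | Sort-Object -Unique
    foreach ($h in $hosts) {
        if ($hostsWithUplink -notcontains $h.Name) {
            Write-Warning "$($vds.Name): host $($h.Name) has no connected uplink on this VDS"
            $ok = $false
        }
    }

    # 3. Clusters this VDS spans: select all of them when activating NSX on
    #    DVPGs, otherwise DVPGs in the omitted clusters remain unprotected
    $spanned = Get-VMHost -DistributedSwitch $vds |
               ForEach-Object { $_.Parent.Name } | Sort-Object -Unique

    [pscustomobject]@{
        VDS             = $vds.Name
        Version         = $vds.Version
        ClustersSpanned = ($spanned -join ', ')
        Ready           = $ok
    }
}
```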
Procedure
- From your browser, log in with admin privileges to an NSX Manager at https://<nsx-manager-ip-address>.
- Navigate to System > Quick Start.
- On the Prepare Clusters for Networking and Security card, click Get Started.
- Select the clusters where you want to activate distributed security.
- Click Install NSX and under Networking, choose either VLAN or Overlay.
Note:
Choosing VLAN enables only NSX VLAN Networking.
- In the dialog box, click Install.
- Navigate to the System > Fabric > Hosts page to activate security on DVPG within a cluster.
- On the Hosts > Cluster page, select the cluster on which you want to activate security on the DVPGs within the cluster.
Note:
Ensure you select all clusters that the VDS spans. If you leave out a cluster that the VDS spans, security is not activated on the DVPGs in that cluster.
- On the Hosts page, click Actions > Activate NSX on DVPGs.
Note:
Before you activate on DVPGs, protect all the management appliances by adding them to the DFW Exclusion list.
- On the Activate NSX on DVPGs card, click Yes to activate the DVPGs.
NSX discovers the port groups associated with the VDS. To learn how to find the discovered ports in NSX, see Distributed Port Groups.
- To deactivate security on DVPGs within a cluster:
- On the Hosts > Cluster page, select the cluster on which you want to deactivate security on the DVPGs within the cluster.
- On the Hosts page, click Actions > Deactivate NSX on DVPGs.
Results
After security is successfully activated on a cluster, the NSX on DVPGs column on the Hosts page shows Yes. Distributed Security is installed, and you can begin using security capabilities such as creating DFW policies and rules for the VDS.