Enhanced Firewall Services (EFS) provides additional security functionality on VMware SD-WAN Edges. The NSX Security powered EFS functionality supports Intrusion Detection System (IDS) and Intrusion Prevention System (IPS) services on VMware SD-WAN Edges. Edge Firewall EFS protects Edge traffic from intrusions across Branch to Branch, Branch to Hub, and Branch to Internet traffic patterns.

Currently, the SD-WAN Edge Firewall provides stateful inspection along with application identification, without the additional EFS security features. While the stateful SD-WAN Edge Firewall provides security, it is not adequate on its own and leaves a gap: intrusion protection integrated natively with VMware SD-WAN. Edge EFS addresses this gap and offers enhanced firewall services natively on the SD-WAN Edge in conjunction with VMware SD-WAN.

Customers can configure and manage EFS using the Firewall functionality in the VMware SASE Orchestrator.

Limitations

  • When EFS is activated, only static addressing is supported. Do not use dynamic addressing on LAN networks, such as DHCPv4 Client, DHCPv6 Client, DHCPv6 PD, and IPv6 SLAAC.

    If dynamic addressing is used and the assigned address falls outside the private address range (RFC1918) for IPv4 or the ULA address range for IPv6, rule matching might not happen because the address is not part of the HOME_NETWORK setting in suricata.yaml.
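As an added example (not part of the VMware documentation), the following Python script parses a flat Suricata address group in the form used for `HOME_NET` in suricata.yaml and reports which LAN addresses rules scoped to `$HOME_NET` would not match. The `HOME_NET` value and the sample LAN addresses are constructed; the script handles only flat groups with `!` negation, not nested groups or variable references.

```python
"""Check whether LAN addresses fall inside a Suricata HOME_NET address group."""
import ipaddress

# Constructed HOME_NET value in suricata.yaml address-group syntax:
# comma-separated networks in brackets, '!' negates an entry.
# Assumption: the EFS profile scopes HOME_NET to RFC1918 plus IPv6 ULA.
HOME_NET = "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12,fc00::/7,!10.99.0.0/16]"


def parse_address_group(group: str):
    """Split a flat Suricata address group into (included, excluded) networks."""
    included, excluded = [], []
    for token in group.strip().strip("[]").split(","):
        token = token.strip()
        if not token:
            continue
        negate = token.startswith("!")
        net = ipaddress.ip_network(token.lstrip("!"), strict=False)
        (excluded if negate else included).append(net)
    return included, excluded


def in_home_net(address: str, included, excluded) -> bool:
    """True if the address is inside an included network and not inside an excluded one."""
    ip = ipaddress.ip_address(address)
    # Mixed IPv4/IPv6 comparisons are always False, so version checks stay explicit.
    if any(ip.version == net.version and ip in net for net in excluded):
        return False
    return any(ip.version == net.version and ip in net for net in included)


def unmatched_lan_addresses(addresses, group=HOME_NET):
    """Return the LAN addresses that rules using $HOME_NET would not match."""
    included, excluded = parse_address_group(group)
    return [addr for addr in addresses if not in_home_net(addr, included, excluded)]


# Constructed sample: addresses a LAN host might hold under static or dynamic assignment.
SAMPLE_LAN_ADDRESSES = [
    "192.168.10.25",     # static RFC1918 address: matched
    "10.99.4.7",         # inside the negated entry: not matched
    "100.64.1.9",        # DHCP lease from shared address space: outside RFC1918
    "fd12:3456::10",     # ULA address: matched
    "2001:db8:abcd::1",  # SLAAC global address: outside ULA
]

if __name__ == "__main__":
    for addr in unmatched_lan_addresses(SAMPLE_LAN_ADDRESSES):
        print(f"{addr} is outside HOME_NET; EFS rules scoped to $HOME_NET will not match it")
```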