Enhanced Firewall Services (EFS) add security functionality to VMware SD-WAN Edges. EFS, powered by NSX Security, supports URL Category filtering, URL Reputation filtering, Malicious IP filtering, and Intrusion Detection System (IDS) and Intrusion Prevention System (IPS) services on VMware SD-WAN Edges. Edge EFS protects Edge traffic from intrusions across Branch-to-Branch, Branch-to-Hub, and Branch-to-Internet traffic patterns.

Without the EFS security features, the SD-WAN Edge Firewall provides stateful inspection and application identification only. While the stateful firewall on the SD-WAN Edge provides security, it is not adequate on its own and leaves a gap: enhanced security is not integrated natively with VMware SD-WAN. Edge EFS closes this gap and offers enhanced threat protection natively on the SD-WAN Edge, in conjunction with VMware SD-WAN.

Customers configure and manage the EFS features through the Firewall functionality in VMware SASE Orchestrator. Customers can configure Firewall Rules that block web traffic based on IDS/IPS signature matching, and on the category and/or reputation of the URL or IP.

Limitations

  • When EFS is activated and IDS/IPS is configured, only static addressing is supported. Do not use dynamic addressing on LAN networks, such as DHCPv4 Client, DHCPv6 Client, DHCPv6 PD, or IPv6 SLAAC.

    If dynamic addressing is used and the assigned address falls outside the RFC1918 private address range (IPv4) or the ULA address range (IPv6), rule matching might not happen, because the address is not part of the HOME_NETWORK setting in suricata.yaml.
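The following is an added pre-deployment check, not code from the VMware documentation or product: it audits a LAN interface inventory, flagging every interface that uses dynamic addressing (unsupported with EFS IDS/IPS) and, for those, whether the address also falls outside the RFC1918 / ULA ranges that the note above says the Suricata home-network setting covers. The interface names and addresses are constructed sample data, and the exact ranges the Edge places in HOME_NETWORK are an assumption to confirm against the deployed suricata.yaml.

```python
import ipaddress

# Assumed contents of the home-network address group: the RFC1918 private
# IPv4 ranges plus the IPv6 unique-local range (fc00::/7). Verify against the
# deployed suricata.yaml; the Edge may populate it differently.
HOME_NETWORK = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("fc00::/7"),
]

# Constructed sample LAN inventory (hypothetical interface names and addresses).
SAMPLE_LAN = {
    "GE3": {"mode": "static", "address": "192.168.10.1/24"},
    "GE4": {"mode": "dhcpv4-client", "address": "100.64.12.7/22"},
    "GE5": {"mode": "static", "address": "fd00:1::1/64"},
    "GE6": {"mode": "slaac", "address": "2001:db8:1::10/64"},
}


def in_home_network(addr):
    """True if addr (with or without prefix length) lies inside HOME_NETWORK."""
    ip = ipaddress.ip_interface(addr).ip
    return any(ip in net for net in HOME_NETWORK)


def audit_lan_interfaces(interfaces):
    """Return (interface, address, mode, reason) findings for interfaces that
    violate the EFS IDS/IPS static-addressing requirement."""
    findings = []
    for name, cfg in interfaces.items():
        mode, addr = cfg["mode"], cfg["address"]
        if mode == "static":
            continue  # supported configuration; nothing to report
        findings.append((name, addr, mode,
                         "dynamic addressing is not supported with EFS IDS/IPS"))
        if not in_home_network(addr):
            findings.append((name, addr, mode,
                             "address outside HOME_NETWORK; IDS/IPS rules may not match"))
    return findings


if __name__ == "__main__":
    for name, addr, mode, reason in audit_lan_interfaces(SAMPLE_LAN):
        print(f"{name} ({mode}, {addr}): {reason}")
```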