Although Enhanced Firewall Services (EFS) can be set up with a few mouse clicks, a thorough understanding of the network, traffic flows, and current configurations is required before activating and configuring the feature.

Performance Impact

Traffic inspected by the IDPS with Stateful Firewall may experience a performance impact. Performance numbers can be found here. There is a trade-off between securing the network and keeping it performant: by understanding your network and its traffic flows, EFS can be applied only to the traffic that warrants inspection.

Logging

Logging is essential for troubleshooting issues, investigating threats, and complying with PCI DSS, NIST, and other frameworks. VMware SD-WAN supports this by utilizing regionally hosted logging infrastructure and/or exporting logs via syslog to a central log server, a Security Orchestration, Automation and Response (SOAR) platform, or a Security Information and Event Management (SIEM) system such as Splunk or IBM QRadar. These two options are not mutually exclusive; both can be used together.
Note: Avoid enabling logging on firewall rules that are either highly permissive or overly strict. The resulting log volume puts unnecessary stress on the hard disk and can lead to hard disk failure.

Syslog

Companies with an existing central log server, SIEM, or SOAR can export the logs via syslog into those solutions. The following image depicts the syslog configuration, which can be set at the Profile or Edge level. Note that syslog traffic is not encrypted.
Figure 1. Syslog Configuration
The following images are examples of an IBM QRadar instance receiving logs from an Edge device.
Figure 2. IBM QRadar View - Example 1
Figure 3. IBM QRadar View - Example 2
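The following is an added example, not VMware's code or output, of what the receiving side of the syslog export above does: a minimal collector that parses RFC 5424 syslog messages into structured events and runs a simple summary over them (denied flows per source address). The sample lines are constructed for the example; the `efs-firewall`/`efs-idps` app names, the `FW`/`IDPS` message IDs and the `efs@32473` structured-data block (32473 is the reserved example enterprise number) are assumptions and do not represent the actual VMware SD-WAN log format.

```python
"""Minimal RFC 5424 syslog collector/parser for firewall and IDPS events.

Added example, not VMware code. The sample lines and the 'efs@32473'
structured-data layout are CONSTRUCTED for illustration (assumption).
"""
import re
import socket
from dataclasses import dataclass, field
from typing import Dict, Iterable, Iterator, List

# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID, then SD and MSG
_HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d+) (?P<ts>\S+) (?P<host>\S+) "
    r"(?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) (?P<rest>.*)$",
    re.DOTALL,
)
# One STRUCTURED-DATA element: [SD-ID param="value" ...]
_SD_ELEMENT = re.compile(r'\[(?P<id>[^\s\]]+)(?P<params>(?: [^=\s\]]+="(?:[^"\\]|\\.)*")*)\]')
_SD_PARAM = re.compile(r'(?P<name>[^=\s\]]+)="(?P<value>(?:[^"\\]|\\.)*)"')

# Severity names indexed by the low 3 bits of PRI (RFC 5424 section 6.2.1)
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Constructed sample messages as an Edge might emit them (assumed layout, not VMware's)
SAMPLE_LINES = [
    '<134>1 2024-05-01T12:00:00.000Z edge-branch01 efs-firewall - FW [efs@32473 action="allow" src="10.1.2.3" dst="203.0.113.7" dport="443" proto="tcp" rule="allow-web"] flow allowed',
    '<132>1 2024-05-01T12:00:01.000Z edge-branch01 efs-firewall - FW [efs@32473 action="deny" src="10.1.2.3" dst="203.0.113.7" dport="445" proto="tcp" rule="block-smb"] flow denied',
    '<132>1 2024-05-01T12:00:02.000Z edge-branch01 efs-firewall - FW [efs@32473 action="deny" src="10.1.2.3" dst="203.0.113.8" dport="445" proto="tcp" rule="block-smb"] flow denied',
    '<131>1 2024-05-01T12:00:03.000Z edge-branch01 efs-idps - IDPS [efs@32473 action="alert" src="10.1.2.9" dst="198.51.100.4" signature="example-signature"] signature matched',
]


@dataclass
class SyslogEvent:
    facility: int
    severity: str
    timestamp: str
    host: str
    app: str
    msgid: str
    sd: Dict[str, Dict[str, str]] = field(default_factory=dict)
    msg: str = ""


def parse_rfc5424(line: str) -> SyslogEvent:
    """Parse one RFC 5424 message; raises ValueError on anything else."""
    m = _HEADER.match(line.strip())
    if not m:
        raise ValueError(f"not an RFC 5424 message: {line!r}")
    pri = int(m.group("pri"))
    if pri > 191:
        raise ValueError("PRI out of range")
    facility, sev = divmod(pri, 8)  # PRI = facility * 8 + severity
    rest = m.group("rest")
    sd: Dict[str, Dict[str, str]] = {}
    if rest.startswith("-"):  # NILVALUE: no structured data
        msg = rest[1:].lstrip()
    elif rest.startswith("["):
        pos = 0
        while pos < len(rest) and rest[pos] == "[":
            e = _SD_ELEMENT.match(rest, pos)
            if not e:
                raise ValueError("malformed STRUCTURED-DATA")
            sd[e.group("id")] = {
                p.group("name"): p.group("value").replace('\\"', '"')
                for p in _SD_PARAM.finditer(e.group("params"))
            }
            pos = e.end()
        msg = rest[pos:].lstrip()
    else:
        raise ValueError("expected STRUCTURED-DATA or '-'")
    return SyslogEvent(facility, SEVERITIES[sev], m.group("ts"), m.group("host"),
                       m.group("app"), m.group("msgid"), sd, msg)


def parse_lines(lines: Iterable[str]) -> List[SyslogEvent]:
    """Parse a batch of lines, silently dropping ones that are not RFC 5424."""
    events = []
    for line in lines:
        try:
            events.append(parse_rfc5424(line))
        except ValueError:
            continue
    return events


def denied_by_source(events: Iterable[SyslogEvent]) -> Dict[str, int]:
    """Count firewall denies per source address from the (assumed) efs@32473 block."""
    counts: Dict[str, int] = {}
    for ev in events:
        data = ev.sd.get("efs@32473", {})
        if data.get("action") == "deny":
            counts[data["src"]] = counts.get(data["src"], 0) + 1
    return counts


def udp_collector(bind_addr: str = "0.0.0.0", port: int = 514) -> Iterator[SyslogEvent]:
    """Blocking UDP listener yielding parsed events (port 514 needs elevated privileges)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind_addr, port))
        while True:
            data, _peer = sock.recvfrom(65535)
            try:
                yield parse_rfc5424(data.decode("utf-8", errors="replace"))
            except ValueError:
                continue  # e.g. legacy BSD-format lines; not handled here


if __name__ == "__main__":
    for ev in parse_lines(SAMPLE_LINES):
        print(ev.severity, ev.app, ev.sd.get("efs@32473", {}).get("action"), ev.msg)
    print(denied_by_source(parse_lines(SAMPLE_LINES)))
```

The UDP listener receives the datagram payload exactly as it left the Edge, which is the practical meaning of the note that syslog traffic is not encrypted: the path between the Edge and the collector has to be a trusted one. A production SIEM or SOAR parses the same header fields; the summary function shows the kind of per-source aggregation such a tool would build from the structured-data block.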

Known Limitations

In the 5.2 release, traffic that hits a 1:1 NAT or Port Forwarding rule is not inspected by the IDPS engine. This limitation will be addressed in a future release.

Figure 4. 1:1 NAT and Port Forwarding Configuration