NSX-T High-Level Data Flow with Service Insertion - Palo Alto VM-Series
This post walks through the high-level data flow in NSX-T when Service Insertion is enabled with the Palo Alto Networks VM-Series NGFW.
Before we get to the data flow, here is a short brief on the Palo Alto VM-Series firewall integration with NSX-T. In this blog we use the VM-Series Firewall on NSX-T (East-West) deployment as the reference for the data flow.
Note: We describe the firewall data flow as per the VMware security guidelines; it may vary once actual data packet routing is taken into account.
The VM-Series firewall on VMware NSX-T
The VM-Series firewall on VMware NSX-T integrates the Palo Alto Networks next-generation firewalls and Panorama with the ESXi host servers to provide comprehensive visibility and safe application enablement of all north-south traffic in your NSX-T software-defined datacenter.
There are two supported deployment types of the VM-Series Firewall on VMware NSX-T:
- VM-Series Firewall on NSX-T (East-West)
- VM-Series Firewall on NSX-T (North-South)
NSX-T (East-West)
You can deploy one or more instances of the VM-Series firewall as a partner service in your VMware NSX-T Data Center to secure East-West traffic and perform micro-segmentation. To configure the VM-Series firewall for micro-segmentation, you can deploy the firewalls either as a service cluster or on a per-host basis.
In our context we will be using a Service Cluster.
Service Cluster: In a clustered deployment, all the VM-Series firewalls are installed on a single cluster. Traffic between VMs and groups is redirected to the VM-Series cluster for policy inspection and enforcement before continuing to its destination. When you configure a clustered deployment, you can specify a particular host within the cluster or select Any and let NSX-T choose a host.
The following are three example data packet flows:
- VM to VM Traffic East-West
- VM Ingress Traffic from Physical Network
- VM Egress Traffic to Physical Network
VM to VM Traffic East-West
Step 1: VM1 wants to send data to VM2 and forwards the packet to its own firewall instance right next to its NIC, which is directly connected to the VSIP firewall kernel module on the ESXi host where VM1 is placed.
Step 2: The VSIP kernel module inspects the packet against its defined policy and redirects the traffic over the service segment to the VM-Series Palo Alto service cluster.
Step 3: The VM-Series Palo Alto service cluster inspects the packet and then forwards it to the T1 gateway of the host where the VM is placed.
Step 4: The T1 gateway knows the TEP of the destination ESXi host and forwards the traffic to the VSIP kernel module on the destination ESXi host.
Step 5: The VSIP kernel module again inspects the data against its redirect policy and redirects it to the VM-Series Palo Alto service cluster.
Step 6: The VM-Series Palo Alto service cluster inspects the packet and forwards it to the destination VM.
VM Ingress Traffic from Physical Network
Step 1: The physical firewall injects the packet destined for the VM on the NSX-T overlay segment and forwards it over the uplink to the T0 SR router hosted on the Edge VM.
Step 2: The T0 SR router forwards the packet to the T0 DR router, which is also on the Edge VM.
Step 3: The T0 DR router forwards the packet to the T1 router on the Edge VM.
Step 4: The T1 router forwards the packet to the VSIP kernel module on the host where the destination VM is placed.
Step 5: The VSIP kernel module inspects the data against its redirect policy and redirects it to the VM-Series Palo Alto service cluster.
Step 6: The VM-Series Palo Alto service cluster inspects the packet and forwards it to the destination VM.
VM Egress Traffic to Physical Network
Step 1: VM1 wants to send data to the physical (underlay) network and forwards the packet to its own firewall instance right next to its NIC, which is directly connected to the VSIP firewall kernel module on the ESXi host where VM1 is placed.
Step 2: The VSIP kernel module inspects the packet against its defined policy and redirects the traffic over the service segment to the VM-Series Palo Alto service cluster.
Step 3: The VM-Series Palo Alto service cluster inspects the packet and then forwards it to the T1 router on the respective Edge VM.
Step 4: The Edge VM T1 router forwards the packet to the T0 DR router.
Step 5: The T0 DR router forwards the packet to its SR router on the same Edge VM.
Step 6: The T0 SR router forwards the traffic over the uplink to its upstream peering firewall.
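To make the three flows above concrete, here is an added Python model (illustration written for this post, not code from VMware, Palo Alto Networks or any NSX-T API) that traces a packet hop by hop through each path and applies a simplified redirect policy at every VSIP kernel module it passes. The VM placement, the groups, the rule format and every hop label are constructed assumptions; what the model shows is the behaviour the flows describe: East-West traffic that matches a redirect rule is inspected by the service cluster twice (once on the source host, once on the destination host), while ingress and egress traffic is inspected once, and traffic that matches no redirect rule never reaches the service cluster.

```python
"""Hop-by-hop model of the three NSX-T service-insertion flows described above.

Everything here is a constructed illustration: VM placement, group membership
and the redirect rules are assumptions, not data from an NSX-T or Panorama
deployment, and the hop names are labels rather than real NSX-T objects.
"""
from dataclasses import dataclass
from typing import Dict, List, Set

SERVICE_CLUSTER = "VM-Series service cluster"
EXTERNAL = "physical-network"  # label for an endpoint outside the NSX-T overlay

# Constructed inventory (assumption): where each VM is placed and which group it is in.
VM_HOST: Dict[str, str] = {"VM1": "esxi-01", "VM2": "esxi-02", "VM3": "esxi-01"}
GROUPS: Dict[str, Set[str]] = {"web": {"VM1"}, "app": {"VM2", "VM3"}}


@dataclass(frozen=True)
class RedirectRule:
    """Simplified model of an E-W redirection rule: source group, destination group, action."""
    src: str        # group name, or "any"
    dst: str        # group name, or "any"
    redirect: bool  # True = send to the service cluster, False = do not redirect


def _in_scope(selector: str, endpoint: str) -> bool:
    """Does a rule selector ("any" or a group name) cover this VM or external endpoint?"""
    if selector == "any":
        return True
    return endpoint in GROUPS.get(selector, set())


def should_redirect(rules: List[RedirectRule], src: str, dst: str) -> bool:
    """First matching rule wins; with no matching rule the traffic is not redirected (assumption)."""
    for rule in rules:
        if _in_scope(rule.src, src) and _in_scope(rule.dst, dst):
            return rule.redirect
    return False


def _vsip_hop(path: List[str], host: str, rules: List[RedirectRule], src: str, dst: str) -> None:
    """The VSIP kernel module on `host` evaluates the redirect policy on every pass of the packet."""
    path.append(f"VSIP@{host}")
    if should_redirect(rules, src, dst):
        path.append(SERVICE_CLUSTER)


def east_west(src_vm: str, dst_vm: str, rules: List[RedirectRule]) -> List[str]:
    """VM-to-VM flow: VSIP on the source host, T1 gateway, VSIP on the destination host."""
    path = [src_vm]
    _vsip_hop(path, VM_HOST[src_vm], rules, src_vm, dst_vm)
    path.append("T1 gateway")
    _vsip_hop(path, VM_HOST[dst_vm], rules, src_vm, dst_vm)
    path.append(dst_vm)
    return path


def ingress(dst_vm: str, rules: List[RedirectRule]) -> List[str]:
    """Physical network to VM: Edge T0 SR -> T0 DR -> T1, then VSIP on the destination host."""
    path = [EXTERNAL, "physical firewall", "T0 SR (Edge VM)", "T0 DR (Edge VM)", "T1 (Edge VM)"]
    _vsip_hop(path, VM_HOST[dst_vm], rules, EXTERNAL, dst_vm)
    path.append(dst_vm)
    return path


def egress(src_vm: str, rules: List[RedirectRule]) -> List[str]:
    """VM to physical network: VSIP on the source host, then T1 -> T0 DR -> T0 SR -> uplink."""
    path = [src_vm]
    _vsip_hop(path, VM_HOST[src_vm], rules, src_vm, EXTERNAL)
    path += ["T1 (Edge VM)", "T0 DR (Edge VM)", "T0 SR (Edge VM)", "physical firewall", EXTERNAL]
    return path


def inspections(path: List[str]) -> int:
    """How many times the VM-Series service cluster saw the packet on this path."""
    return path.count(SERVICE_CLUSTER)


if __name__ == "__main__":
    # Constructed policy: anything to the app tier is redirected, and so is anything the web tier sends.
    rules = [RedirectRule("any", "app", True), RedirectRule("web", "any", True)]
    for p in (east_west("VM1", "VM2", rules), ingress("VM2", rules), egress("VM1", rules)):
        print(f"{inspections(p)} inspection(s): " + " -> ".join(p))
```

Running the block prints the three paths with their inspection counts. The point worth checking when you build a real redirect policy is the one the model makes visible: an East-West rule is evaluated independently on both ends, so a rule that matches on the source host but not the destination host (or the reverse) still redirects the packet on one side, and only traffic matching no rule stays entirely in the overlay.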