CloudGuard for NSX-T: Service Insertion at the Edge & Service Chaining
Solution

Table of Contents:

  1. Introduction to CloudGuard for NSX-T
    • NSX-T Overview
    • Service Insertion at the Edge
    • Service Chaining
  2. Required Components for installation of CloudGuard Gateway for NSX-T on ESXi Server
  3. Logical Components
  4. Prerequisites
  5. Installation Instructions
    • NSX-T 2.5/3.0/3.1 - Service Chaining 
  6. Configuration
    • NSX-T 2.5/3.0/3.1 - Service Chaining 
  7. Documentation
  8. Known Limitations

(1) Introduction to CloudGuard for NSX-T

NSX-T Overview

    In much the same way that server virtualization programmatically creates, snapshots, deletes, and restores software-based virtual machines (VMs), NSX-T network virtualization programmatically creates, snapshots, deletes, and restores software-based virtual networks.

    With network virtualization, the functional equivalent of a network hypervisor reproduces the complete set of Layer 2 through Layer 7 networking services (for example, switching, routing, access control, firewalling, and QoS) in software. As a result, these services can be programmatically assembled in any arbitrary combination to produce unique, isolated virtual networks in a matter of seconds.

    Service Insertion at the Edge

    NSX-T Data Center, as a key networking platform, provides a rich set of capabilities that allow you to create network topologies that connect and secure application endpoints (VMs, containers, bare-metal servers). With this release, NSX can now deploy your choice of partner security solutions at the edge of NSX-T network topologies, i.e., at the Tier-0 and Tier-1 routing boundaries. NSX-T Data Center onboards and catalogs the partner services, allowing the NSX Administrator to deploy and consume the cataloged services.

    CloudGuard for NSX-T acts as a Security Gateway in a bridge mode that is invisible to Layer-3 traffic. When authorized traffic arrives, the Security Gateway passes it to the next interface through bridging. This creates a Layer-2 relationship between two or more interfaces. Traffic that enters one interface exits the other interface. Bridging lets the Security Gateway inspect and forward traffic without the original IP routing.

    Service Chaining 

    NSX-T Data Center 2.4 introduces a broad array of native security functionalities such as Layer 7 Application Identity, FQDN Whitelisting, and Identity Firewall, all of which allow more granular micro-segmentation. In addition to the native security controls delivered by the Distributed and Gateway Firewall, the NSX Service Insertion Framework allows various types of Partner Services (e.g., IDS/IPS, NGFW, and Network Monitoring solutions) to be inserted transparently into the data path and consumed from within NSX without making changes to the topology.

    In NSX-T Data Center 2.4, Service Insertion now supports East-West Traffic (i.e., traffic between the VMs in the Data Center). All traffic between VMs in the Data Center can be redirected to a dynamic chain of partner services.

    The East-West service plane provides its own forwarding mechanism. The forwarding mechanism allows policy-based redirection of traffic along chains of services. Forwarding along the service plane is entirely automated by the platform: failures are detected, existing/new flows are redirected as appropriate, flow pinning is performed to support stateful services, and multiple path selection policies are available to optimize for throughput/latency or density.

    CloudGuard for NSX-T can leverage this service insertion to act as a Security Gateway in hairpin bridge mode, in which the Gateway can inspect all the traffic redirected to it by the forwarding mechanism; authorized traffic will be passed back to the bridge interface, allowing the forwarding mechanism to return the traffic to its original path. Bridging lets the Security Gateway inspect and return traffic without the original IP routing.

    As of NSX-T 2.5, two modes of Partner SVM deployment are supported: clustered deployment, in which Service Virtual Machines are deployed on a dedicated vSphere (Service) Cluster, and host-based deployment, in which one Service Virtual Machine per service is deployed on each Compute Host in a particular cluster. In host-based mode, when a new compute host is added to a cluster, the appropriate SVMs are automatically deployed on it.


    (2) Required Components for installation of CloudGuard Gateway for NSX-T on ESXi Server

    Security Management Server / Multi-Domain Security Management Server: The Check Point Security Management Server is the basic infrastructure that manages Check Point Security Gateways.
    SmartConsole: SmartConsole is the new unified application of Check Point's R80.10 Security Management.
    Service Registration Bundle: This package installs modules on the Check Point Security Management Server that are required by VMware NSX-T Manager in order to register a service.
    CloudGuard for NSX-T OVF Template: This is the standard OVF template that deploys the Check Point Security Gateway as a Service VM.
    VMware's NSX-T Manager: NSX Manager is a virtual appliance that provides the Graphical User Interface (GUI) and the REST APIs for creating, configuring, and monitoring NSX-T components, such as logical switches and NSX Edge services gateways.
    NSX Controller: NSX Controller, called Central Control Plane (CCP), is an advanced distributed state management system that controls virtual networks and overlay transport tunnels.
    NSX Edge: NSX Edge provides routing services and connectivity to networks that are external to the NSX-T deployment.
    File Server: A dedicated file server should be used in order to make the OVF bundle files reachable for the deployment of the CloudGuard Gateways.
    CME Bundle: The CME (Cloud Management Extension) is a utility that runs on Check Point Security Management Servers and Multi-Domain Security Management Servers running Gaia OS. The utility allows integration between Check Point CloudGuard IaaS solutions and cloud platforms such as AWS (Amazon Web Services), Azure and GCP (Google Cloud Platform). CME can be installed on Management and Multi-Domain Management Servers deployed in cloud platforms or on-premise.


    (3) Logical Components

    Transport Zone: A transport zone is a logical construct that controls which hosts a logical switch can reach. It can span one or more host clusters. Transport zones dictate which hosts and, therefore, which VMs can participate in the use of a particular network.
    Logical Router: An NSX-T Data Center logical router reproduces routing functionality in a virtual environment completely decoupled from the underlying hardware. The Tier-0 logical router provides an on-and-off gateway service between the logical and physical networks. The Tier-1 logical router must be connected to the Tier-0 logical router to get northbound physical router access. For more information about Logical Routers, refer to:

    (4) Prerequisites

    Supported versions of VMware's components

    Component            | Service Chaining (E/W) | Service Insertion at the Edge (N/S)
    NSX-T Manager (R81)  | 3.0, 3.1.x             | 3.0, 3.1.x
    vCenter/ESXi Server  | 6.5U2, 6.7, 7.0        | 6.5, 6.7, 7
    ESXi Server          | 6.5U2, 6.7, 7.0        | 6.5, 6.7, 7

    Refer to "CloudGuard for NSX-T Service Chaining" in the VMware Compatibility Guide for supported versions.

    CloudGuard for NSX-T Service Insertion at the Edge requires the following VMware components:

    • NSX Edge
    • Tier-0/1 Logical Router

    Refer to the VMware NSX-T Data Center Documentation for more information.


    (5) Installation Instructions

    NSX-T 2.5/3.0/3.1 - Service Chaining 


    1. Install the Security Management Server:

    1. Install Security Management Server / Multi-Domain Security Management Server.
    2. Install SmartConsole for Security Management Server.
    3. Install the CME Bundle on the Security Management Server.
    4. Install CloudGuard for NSX-T OVF on a file server.
    Management Downloads:
    • CloudGuard for NSX-T Management Bundles
        - Check Point R80.40 CloudGuard service registration v7 (TGZ)
        - Check Point R81 CloudGuard Service Registration (TAR)
    • CME (Cloud Management Extension)
        - CME (Cloud Management Extension) for CloudGuard (WWW)

    Security Gateway Downloads (supported NSX-T versions):
    • R81 CloudGuard for NSX-T Service Chaining (East/West), NSX-T 3.0/3.1
        - R81 CloudGuard for NSX-T East/West - OVF package (TGZ)
    • R81 CloudGuard for NSX-T Service Insertion at the Edge, NSX-T 3.0/3.1
        - R81 CloudGuard for NSX-T North/South - OVF package (TGZ)

    Note: R81 Security Gateways in NSX-T can be managed only by R81 Management server. 

    Note: Check Point CloudGuard service registration is required only in a scenario where NSX-V and NSX-T are being managed by the same Management Server. 

    (6) Configuration

    NSX-T 2.5/3.0/3.1 - Service Chaining 

    1. Add a New CME Controller using the CME menu
    2. Register a New Service using the CME menu
    3. Deploy a Check Point Service using the NSX-T Manager UI
    4. Enable the Redirection Rules
    Refer to the Deployment Guide for detailed instructions.

    (7) Documentation
