You can set up Service Insertion to redirect north-south traffic at a Tier-0 router, or east-west traffic at a Tier-1 router, to a VM. A service running in the VM can process the traffic and take appropriate actions.
You can read more about Service Insertion in the NSX-T Manager Administration Guide's Service Insertion section.
The following architectural diagram shows the flow of data with Service Insertion configured:

Setting up Service Insertion
1. From the Security Management Server:
- Register a service (see steps below).
2. From the NSX-T Partner Services panel (see steps below):
- Deploy a service instance
- Configure traffic redirection
Register a Service
1. Connect to the Security Management Server.
2. Run python cloudguard_config.py.
3. Choose Register Service.
4. Enter the NSX-T Manager network address.
5. Validate and approve the NSX-T Manager server certificate.
6. Enter the NSX-T Manager user name.
7. Enter the NSX-T Manager user password.
8. Enter the desired Tier (attachment point).
9. Enter the OVF file URL.
Deploy a Service Instance
1. From your browser, log in with administrator privileges to an NSX Manager at https://nsx-manager-ip-address.
2. Choose Partner Services from the navigation panel.
3. Click on Deploy.
4. Enter an instance name and, optionally, a description.
5. Click on the Partner Service field and choose Check Point CloudGuard for NSX-T service.
6. Choose the Deployment Specification esx-01a.corp.local.
7. Choose a logical router. Only routers that do not have Service Insertion configured will be displayed.
8. Click on Next.
9. Click on the Compute Manager field and choose a compute manager.
10. Click on the Cluster field and choose a cluster.
11. Click on the Datastore field and choose a datastore.
12. Choose a Deployment Mode. At this point, only Standalone deployment is supported.
13. Choose a Failure Policy. The choices are Allow or Block. These options specify the default action when the Service VM is not functioning. Allow means the traffic will pass without inspection; Block means that all traffic will be dropped.
14. Enter the IP address of the VM.
15. Enter the default Gateway for the VM's IP address.
16. Enter the subnet mask for the VM's IP address.
17. Click on Next.
18. Click on Finish.
Configure the Service VMs
This procedure is relevant to NSX-T 2.3 only. From NSX-T 2.4, the Service VM will be configured automatically.
1. Connect to the service VM CLI and configure the default Gateway by running 'set static-route default nexthop gateway address <default gateway IP> on'.
2. For each CloudGuard SVM, use your browser and log in to the Blink installation portal.
3. Fill in the Blink Installation page. Cluster membership is not supported at this point.

4. Click on Go!
5. Log into the service web-UI.
6. Go to Network Interfaces and edit interface br0 IP.
7. Enter the IPv4 address: 192.0.2.1
8. Enter the Subnet mask: 255.255.255.0
9. Go to Time and click on Set Time Zone to set the service time zone.
10. Log out.
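The SVM IP address, subnet mask and default gateway are entered twice: in the deployment wizard (steps 14 to 16 of "Deploy a Service Instance") and again on the SVM itself (the static-route command and the br0 address in the procedure above). A gateway that is not on the SVM subnet, or an address that is the network or broadcast address, leaves the SVM unreachable and the redirected traffic subject to the Failure Policy. The following pre-flight check is an added example, not part of the Check Point or NSX-T tooling; it reuses the document's 192.0.2.1 / 255.255.255.0 values and assumes 192.0.2.254 as the gateway.

```python
import ipaddress

# Constructed sample values: the address and mask are the ones used in the
# procedure above; the gateway address is an assumption for illustration.
SVM_IP = "192.0.2.1"
SVM_MASK = "255.255.255.0"
SVM_GATEWAY = "192.0.2.254"


def check_svm_addressing(ip, mask, gateway):
    """Return a list of problems with an SVM IP / mask / gateway triple.

    An empty list means the three values are consistent with each other and
    can be entered in the deployment wizard and on the SVM as they are.
    """
    problems = []
    try:
        # IPv4Interface accepts a dotted-decimal mask after the slash.
        iface = ipaddress.IPv4Interface(f"{ip}/{mask}")
    except ValueError as exc:
        return [f"invalid IP address or subnet mask: {exc}"]
    try:
        gw = ipaddress.IPv4Address(gateway)
    except ValueError as exc:
        return [f"invalid gateway address: {exc}"]

    net = iface.network
    if net.prefixlen == 32:
        problems.append("a /32 mask leaves no room for a gateway on the subnet")
    # /31 point-to-point links have no network or broadcast address.
    if net.prefixlen < 31 and iface.ip == net.network_address:
        problems.append(f"{ip} is the network address of {net}, not a host address")
    if net.prefixlen < 31 and iface.ip == net.broadcast_address:
        problems.append(f"{ip} is the broadcast address of {net}")
    if gw not in net:
        problems.append(f"gateway {gateway} is not on the SVM subnet {net}")
    if gw == iface.ip:
        problems.append("gateway must not be the SVM's own address")
    return problems


def gaia_default_route_cmd(gateway):
    """Build the Gaia clish command from step 1 of the SVM procedure."""
    return f"set static-route default nexthop gateway address {gateway} on"


if __name__ == "__main__":
    issues = check_svm_addressing(SVM_IP, SVM_MASK, SVM_GATEWAY)
    if issues:
        for issue in issues:
            print("PROBLEM:", issue)
    else:
        print("addressing is consistent; on the SVM run:")
        print(" ", gaia_default_route_cmd(SVM_GATEWAY))
```

Run it with the values you intend to enter before starting the wizard; it catches the two mistakes that most often show up as an SVM that deploys but never becomes reachable, a gateway on the wrong subnet and a host address that is really the network or broadcast address.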
Create a New CloudGuard for NSX-T Security Gateway on the Security Manager Server
This procedure is relevant to NSX-T 2.3 only. From NSX-T 2.4, the Security Gateway will be created automatically on the Security Management Server.
For more information refer to the Security Management R80.10 Administration Guide - Managing Gateways section.
To define a new Security Gateway object:
1. From the navigation toolbar, choose Gateways & Servers.
2. Click on New, and choose Gateway. The Check Point Security Gateway Creation window will open.
3. Click on Classic Mode. The Check Point Gateway's properties window will open and show the General Properties screen.
4. Enter the host Name and the IPv4 Address.
5. Click on Communication. The Trusted Communication window will open.
6. Choose a Platform.
7. In the Authentication section, enter and confirm a one-time password.
8. Click on Initialize to establish trusted communication with the Gateway. If trust fails to establish, click on OK to continue configuring the Gateway.
9. Click on OK.
10. The Get Topology Results window that now opens shows interfaces successfully configured on the Gateway.
11. Click on Close.
12. In the Platform section, choose the Hardware, the Version, and the OS. If trust is established between the server and the Gateway, click on Get to automatically retrieve the information from the Gateway.
13. Choose the Software Blades to enable on the Security Gateway. For some of the Software Blades, a first-time setup wizard will open. You can run the wizard now or later. For more on the setup wizards, refer to the relevant Administration Guide.
Configure Traffic Redirection
1. From your browser, log in with administrator privileges to NSX Manager at https://nsx-manager-ip-address.
2. Choose Partner Services from the navigation panel.
3. Click on Check Point's CloudGuard for NSX-T Service.
4. Click on the Traffic Redirection tab.
5. Add or remove sections and rules.
Note: To redirect the traffic to the service VM, you will need to add a rule to allow BFD-Single_hop traffic.
