Table of Contents:
-
Introduction to CloudGuard for NSX-T
-
Required Components for installation of CloudGuard Gateway for NSX-T on ESXi Server
-
Logical Components
-
Prerequisites
-
Installation Instructions
-
Configuration
-
Documentation
-
Known Limitations
(1) Introduction to CloudGuard for NSX-T
NSX-T Overview
In much the same way that server virtualization programmatically creates, snapshots, deletes, and restores software-based virtual machines (VMs), NSX-T network virtualization programmatically creates, snapshots, deletes, and restores software-based virtual networks.
With network virtualization, the functional equivalent of a network hypervisor reproduces the complete set of Layer 2 through Layer 7 networking services (for example, switching, routing, access control, firewalling, and QoS) in software. As a result, these services can be programmatically assembled in any arbitrary combination to produce unique, isolated virtual networks in a matter of seconds.
Service Insertion at the Edge
Service Insertion at the Edge NSX-T Data Center as a key networking platform provides a rich set of capabilities that allow you to create network topologies that connect and secure application endpoints (VMs, containers, bare-metal servers). With this release, NSX can now deploy your choice of partner security solutions at the edge of NSX-T network topologies, i.e., at the Tier 0 and Tier 1 routing boundaries. NSX-T Data Center onboards and catalogs the partner services, allowing the NSX Administrator to deploy and consume the cataloged services.
CloudGuard for NSX-T acts as a Security Gateway in a bridge mode that is invisible to Layer-3 traffic. When authorized traffic arrives, the Security Gateway passes it to the next interface through bridging. This creates a Layer-2 relationship between two or more interfaces. Traffic that enters one interface exits the other interface. Bridging lets the Security Gateway inspect and forward traffic without the original IP routing.
Service Chaining
NSX-T Data Center 2.4 introduces a broad array of native security functionalities such as Layer 7 Application Identity, FQDN Whitelisting, and Identity Firewall, all of which allow more granular micro-segmentation. In addition to the native security controls delivered by the Distributed and Gateway Firewall, the NSX Service Insertion Framework allows various types of Partner Services (e.g., IDS/IPS, NGFW, and Network Monitoring solutions) to be inserted transparently into the data path and consumed from within NSX without making changes to the topology.
In NSX-T Data Center 2.4, Service Insertion now supports East-West Traffic (i.e., traffic between the VMs in the Data Center). All traffic between VMs in the Data Center can be redirected to a dynamic chain of partner services.
The East-West service plane provides its own forwarding mechanism. The forwarding mechanism allows policy-based redirection of traffic along chains of services. Forwarding along the service plane is entirely automated by the platform: failures are detected, existing/new flows are redirected as appropriate, flow pinning is performed to support stateful services, and multiple path selection policies are available to optimize for throughput/latency or density.
CloudGuard for NSX-T can leverage this service insertion to act as a Security Gateway in hairpin bridge mode, in which the Gateway can inspect all the traffic redirected to it by the forwarding mechanism; authorized traffic will be passed back to the bridge interface, allowing the forwarding mechanism to return the traffic to its original path. Bridging lets the Security Gateway inspect and return traffic without the original IP routing.
As of NSX-T 2.5, two modes of Partner SVM deployment are supported: clustered deployment, in which Service Virtual Machines are deployed on a dedicated vSphere (Service) Cluster, and Host-Based deployment, in which one Service Virtual Machine per service is deployed on each Compute Host in a particular cluster. In this mode, when a new compute host is added to a cluster, the appropriate SVMs are automatically deployed.
(2) Required Components for installation of CloudGuard Gateway for NSX-T on ESXi Server
| Component |
Description |
| Security Management Server/Multi-Domain Security Management Server |
The Check Point Security Management Server is the basic infrastructure managing Check Point Security Gateways. |
| SmartConsole |
SmartConsole is the unified application of Check Point's Security Management. |
| Service Registration Bundle |
This package installs modules on the Check Point Security Management Server that are required by VMware NSX-T Manager in order to register a service. |
| CloudGuard for NSX-T OVF Template |
This is the standard OVF template that deploys the Check Point Security Gateway as a Service VM. |
| VMware's NSX-T Manager |
NSX Manager is a virtual appliance that provides the Graphical User Interface (GUI) and the REST APIs for creating, configuring, and monitoring NSX-T components, such as logical switches and NSX Edge services Gateways. |
|
NSX Controller
|
NSX Controller, called Central Control Plane (CCP), is an advanced distributed state management system that controls virtual networks and overlay transport tunnels.
|
| NSX Edge |
NSX Edge provides routing services and connectivity to networks that are external to the NSX-T deployment. |
| File Server |
A dedicated file server should be used in order to make the OVF bundle files reachable for the deployment of the CloudGuard Gateways. |
| CME Bundle |
The CME (Cloud Management Extension) is a utility that runs on Check Point Security Management Servers and Multi-Domain Security Management Servers running Gaia OS. The utility allows integration between Check Point CloudGuard IaaS solutions and cloud platforms such as AWS (Amazon Web Services), Azure and GCP (Google Cloud Platform). CME can be installed on Management and Multi-Domain Management Servers deployed in cloud platforms or on-premise. |
(3) Logical Components
| Component |
Description |
| Transport Zone |
A transport zone is a logical construct that controls which hosts a logical switch can reach. It can span one or more host clusters. Transport zones dictate which hosts and, therefore, which VMs can participate in the use of a particular network. |
|
Logical Router
|
An NSX-T Data Center logical router reproduces routing functionality in a virtual environment completely decoupled from underlying hardware.
The Tier-0 logical router provides an on-and-off Gateway service between the logical and physical networks. The Tier-1 logical router must be connected to the Tier-0 logical router to get the northbound physical router access. For more information about Logical Routers, refer to:
|
(4) Prerequisites
Supported versions of VMware's components
| Component |
Service Insertion on the Edge
(N/S) |
Service Chaining (E/W) |
|
Check Point Network Security Gateway Version
|
R81, R81.10 |
R81, R81.10 |
| NSX-T Manager |
3.0, 3.1.x, 3.2 |
3.0, 3.1.x, 3.2, 4.0 |
|
vCenter/ESXi Server
|
6.5, 6.7, 7.x |
6.5U2, 6.7, 7.x |
Refer to "CloudGuard for NSX-T Service Chaining" in the VMware Compatibility Guide for supported versions.
CloudGuard for NSX-T service Insertion on the edge requires the following VMware components:
(5) Installation Instructions
NSX-T 2.5/3.0/3.1/3.2/4.0 - Service Chaining
(6) Configuration
NSX-T 2.5/3.0/3.1/3.2/4.0 - Service Chaining
Show / Hide this section
- Add a New CME Controller using the CME menu
- Register a New Service using the CME menu
- Deploy a Check Point Service using the NSX-T Manager UI
- Enable the Redirection Rules
Refer to the Deployment Guide for detailed instructions.
(7) Documentation
