NSX Security Services

  • VMware NSX by default offers L2 – L4 security through Distributed firewall & NSX Edge firewall.
  • Distributed Firewall (DFW) provides L2 – L4 security for protecting East – West traffic at vNIC level.
  • NSX Edge Gateway provides L2 – L4 security for protecting North – South traffic.
  • To have the security or firewall capability above L2 – L4 , NSX provides functionality to integrate with registered 3rd party service providers.
  • Integrating with 3rd party service providers delivers security services beyond L2 – L4 (L5 – L7)
Some of the technology providers which can be integrated with NSX are
  1. PaloAlto
  2. McAfee
  3. Check Point
  4. Symantec
  5. Fortinet

Ref: For the latest technology partners kindly refer to the below link for updated information.


Security services which can be achieved by integrating VMware NSX with 3rd party integrators include:

  • Data loss prevention (DLP)
  • Intrusion Detection (IDS)
  • Intrusion Prevention (IPS)
  • Vulnerability Management
  • Anti-Virus & Malware protection.

The above security services are broadly classified into

  • Guest Introspection
  • Network Introspection

Guest Introspection: (Required for Activity Monitoring & 3rd party security service integration)

  • Malware protection – Guest Introspection offloads antivirus & anti-malware agent processing to a dedicated secure virtual appliance supported by VMware partners.


    • Guest introspection feature will deploy an appliance per host & also installs new vib.
    • The virtual appliance is responsible for continuously updating the antivirus signature & providing un interrupted protection to the VMs.
    • Guest Introspection service is enabled at the cluster level.
    • VMware tools on the VMs is required as the pre-requisite.
    • VMs must have the Guest Introspection thin agent installed to be protected by Guest Introspection security solution.

Note: Not all guest operating systems are supported for the Guest Introspection.

VMs with non-supported operating systems are not protected.

Network Introspection:

  • Network Introspection also known as traffic steering, where the traffic sourced or destined to the VMs are redirected to the 3rd party virtual appliance.
  • Traffic steering is achieved by assigning a slot in the IO Chain.
  • IO chains are responsible for handling the process of the packets at the kernel level.

                VMware has reserved the IO slots for specific purposes.

Slot 2:  DFW (vmware-sfw) – Slot where the NSX Distributed Firewall resides & where the DFW rules are stored & enforced.

         Slot 4-12: 3rd party services – Reserved for traffic steering to 3rd party virtual appliances.

  • The NSX distributed firewall (DFW) is the main component for the Network introspection to steer the traffic to the 3rd party virtual appliance.
  • All ingress & egress traffic must go through the DFW instance (slot 2)1st before the traffic is steered to the 3rd party virtual appliance for policy enforcement on slot 4.
  • Once traffic is inspected by the network introspection module, it is then returned to the NSX VDS switch for delivery to the final destination.
  • The traffic redirection is defined under Security Policy in NSX Service Composer.