Product Offerings for VMware NSX Security 3.1.x

Article ID: 325115

Updated On:

Products

VMware NSX
VMware vDefend Firewall

Issue/Introduction

This article provides information on licensing editions of VMware NSX-T Data Center 3.1.x and a list of features associated with the various licensing editions in VMware NSX Security.

Environment

VMware NSX-T Data Center 3.1.x

Resolution

New VMware NSX-T Data Center Security editions became available to order on October 29th, 2020. The tiers of NSX Security licenses are as follows:

  • NSX Firewall for Baremetal Hosts: For organizations needing an agent-based network segmentation solution.
  • NSX Firewall Edition: For organizations needing network security and network segmentation.
  • NSX Firewall with Advanced Threat Prevention Edition: For organizations needing firewall and advanced threat prevention features.

The following table outlines specific functions available by edition. NSX Security is available as a single download image with license keys required to enable specific functionality.
 

Feature | Firewall for Baremetal Hosts | Firewall | Firewall and Advanced Threat Prevention | NSX DC Enterprise + Add-On for Firewall with Advanced Threat Prevention
Platform Features        
vSphere Distributed Switch Yes Yes Yes Yes
ESXi Support ¹ No Yes Yes Yes
KVM Support ² No Yes Yes Yes
Controller Clustering Yes Yes Yes Yes
vCenter Integration ¹ No Yes Yes Yes
Multi-vCenter Networking and Security No Yes Yes Yes
Federation No No No Yes
         
Edge Platform Features Firewall for Baremetal Hosts Firewall Firewall and Advanced Threat Prevention NSX DC Enterprise + Add-On for Firewall with Advanced Threat Prevention
Edge in VM Form Factor No Yes Yes Yes
Edge in Bare-Metal Form Factor No Yes Yes Yes
DPDK Optimized Forwarding No Yes Yes Yes
         
Switching Firewall for Baremetal Hosts Firewall Firewall and Advanced Threat Prevention NSX DC Enterprise + Add-On for Firewall with Advanced Threat Prevention
Distributed Switching Yes Yes Yes Yes
VLAN Backed Logical Switching Yes Yes Yes Yes
Overlay Backed Logical Switching No No No Yes
Multiple TEP Support No No No Yes
Optimized ARP Learning and Broadcast Suppression Yes Yes Yes Yes
GENEVE Encapsulation No No No Yes
Unicast Replication No No No Yes
Headend Replication No No No Yes
Spoofguard Yes Yes Yes Yes
LACP (Edge and Host) Yes Yes Yes Yes
         
Quality of Service (QoS) Firewall for Baremetal Hosts Firewall Firewall and Advanced Threat Prevention  
QoS Marking No No No  
QoS DSCP Trust Boundary No No No  
         
L2 Bridging to Physical Environment Firewall for Baremetal Hosts Firewall Firewall and Advanced Threat Prevention NSX DC Enterprise + Add-On for Firewall with Advanced Threat Prevention
Software Based L2 Bridge to Physical Environments No No No Yes
         
Routing Firewall for Baremetal Hosts Firewall Firewall and Advanced Threat Prevention NSX DC Enterprise + Add-On for Firewall with Advanced Threat Prevention
Distributed Routing No Yes Yes Yes
Multi-Tier Routing No Yes Yes Yes
Dynamic Routing with ECMP No Yes Yes Yes
Virtual Routing and Forwarding (Tier-0 Gateway VRFs) No No No Yes
E-VPN No No No Yes
         
Static Routing - IPv4 Firewall for Baremetal Hosts Firewall Firewall and Advanced Threat Prevention NSX DC Enterprise + Add-On for Firewall with Advanced Threat Prevention
Static Routing No Yes Yes Yes
BFD No Yes Yes Yes
Null Routes No Yes Yes Yes
Device Routes No Yes Yes Yes
         
Static Routing - IPv6 Firewall for Baremetal Hosts Firewall Firewall and Advanced Threat Prevention NSX DC Enterprise + Add-On for Firewall with Advanced Threat Prevention
Static Routing No Yes Yes Yes
Null Routes No Yes Yes Yes
Device Routes No Yes Yes Yes
         
BGP - IPv4 Unicast Firewall for Baremetal Hosts Firewall Firewall and Advanced Threat Prevention NSX DC Enterprise + Add-On for Firewall with Advanced Threat Prevention
eBGP No Yes Yes Yes
eBGP Multihop No Yes Yes Yes
iBGP No Yes Yes Yes
Graceful Restart No Yes Yes Yes
4-byte ASN No Yes Yes Yes
         
BGP - IPv6 Unicast Firewall for Baremetal Hosts Firewall Firewall and Advanced Threat Prevention NSX DC Enterprise + Add-On for Firewall with Advanced Threat Prevention
eBGP No No No Yes
eBGP Multihop No No No Yes
iBGP No No No Yes
Graceful Restart No No No Yes
         
BFD - IPv4 Firewall for Baremetal Hosts Firewall Firewall and Advanced Threat Prevention NSX DC Enterprise + Add-On for Firewall with Advanced Threat Prevention
Sub-Second Keepalive Timer No Yes Yes Yes
         
Route Maps Firewall for Baremetal Hosts Firewall Firewall and Advanced Threat Prevention NSX DC Enterprise + Add-On for Firewall with Advanced Threat Prevention
Match on Prefix-List and Community-List No Yes Yes Yes
Set Weight, MED, AS Path, Prepending, Local Preference, and Community No Yes Yes Yes
         
Other Firewall for Baremetal Hosts Firewall Firewall and Advanced Threat Prevention NSX DC Enterprise + Add-On for Firewall with Advanced Threat Prevention
High Availability Virtual IP (HA VIP) No Yes Yes Yes
Route Redistribution No Yes Yes Yes
IP Prefix-Lists No Yes Yes Yes
Active / Active Redundancy (Stateless) No Yes Yes Yes
Active / Standby Redundancy No Yes Yes Yes
Per Interface RPF Check No Yes Yes Yes
         
NAT Firewall for Baremetal Hosts Firewall Firewall and Advanced Threat Prevention NSX DC Enterprise + Add-On for Firewall with Advanced Threat Prevention
NAT on North/South and East/West Logical Routes No Yes Yes Yes
Source NAT No Yes Yes Yes
Destination NAT No Yes Yes Yes
NAT N:N No Yes Yes Yes
Stateless NAT No Yes Yes Yes
NAT Logging No Yes Yes Yes
NAT64 No No No Yes
         
Firewall Firewall for Baremetal Hosts Firewall Firewall and Advanced Threat Prevention NSX DC Enterprise + Add-On for Firewall with Advanced Threat Prevention
Gateway Firewall No Yes Yes Yes
Distributed Firewalling Yes Yes Yes Yes
Common Firewall User Interface Yes Yes Yes Yes
Firewall Sections Yes Yes Yes Yes
Firewall Logging Yes Yes Yes Yes
Stateful L2 and L3 Rules Yes Yes Yes Yes
Stateless L2 and L3 Rules Yes Yes Yes Yes
Tag-Based Rules Yes Yes Yes Yes
Distributed Firewall based IPFIX No Yes Yes Yes
Distributed FQDN Filtering No Yes Yes Yes
L7 Application Identification Rules No Yes Yes Yes
Agent-Based enforcement for Physical Servers Yes Yes Yes Yes
         
Identity Firewall Firewall for Baremetal Hosts Firewall Firewall and Advanced Threat Prevention NSX DC Enterprise + Add-On for Firewall with Advanced Threat Prevention
Identity-based Groups using Active Directory No Yes Yes Yes
         
NSX Distributed Threat Prevention ⁶ Firewall for Baremetal Hosts Firewall Firewall and Advanced Threat Prevention NSX DC Enterprise + Add-On for Firewall with Advanced Threat Prevention
Distributed IDS No No Yes Yes
Distributed IPS No No Yes Yes
IDS/IPS Signature Updates No No Yes Yes
         
Policy, Tagging and Grouping Firewall for Baremetal Hosts Firewall Firewall and Advanced Threat Prevention NSX DC Enterprise + Add-On for Firewall with Advanced Threat Prevention
Object Tagging / Security Tags Yes Yes Yes Yes
Network Centric Grouping Yes Yes Yes Yes
Workload Centric Grouping Yes Yes Yes Yes
IP Based Groups Yes Yes Yes Yes
MAC Based Groups Yes Yes Yes Yes
Intent-based Networking and Security Policy Yes Yes Yes Yes
         
DNS, DHCP and IPAM (DDI) Firewall for Baremetal Hosts Firewall Firewall and Advanced Threat Prevention NSX DC Enterprise + Add-On for Firewall with Advanced Threat Prevention
IPAM No Yes Yes Yes
IP Blocks No Yes Yes Yes
IP Subnets No Yes Yes Yes
IP Pools No Yes Yes Yes
IPv4 DHCP Server No Yes Yes Yes
IPv6 DHCP Server No No No Yes
IPv4 DHCP Relay No Yes Yes Yes
IPv6 DHCP Relay No No No Yes
IPv4 DHCP Static Bindings / Fixed Addresses No Yes Yes Yes
IPv6 DHCP Static Bindings / Fixed Addresses No No No Yes
IPv4 DNS Relay / DNS Proxy Yes Yes Yes Yes
IPv4 Meta-Data Proxy Yes Yes Yes Yes
         
Load Balancing ⁶ Firewall for Baremetal Hosts Firewall Firewall and Advanced Threat Prevention NSX DC Enterprise + Add-On for Firewall with Advanced Threat Prevention
Protocols        
TCP (L4-L7) No No No Yes
UDP No No No Yes
HTTP No No No Yes
Load Balancing Methods        
Round Robin No No No Yes
Source IP Hash No No No Yes
Least Connections No No No Yes
L7 Application Rules with RegEX Support No No No Yes
         
VPN Firewall for Baremetal Hosts Firewall Firewall and Advanced Threat Prevention NSX DC Enterprise + Add-On for Firewall with Advanced Threat Prevention
L2 VPN No No No Yes
L3 VPN No Yes Yes Yes
         
Health Checks Firewall for Baremetal Hosts Firewall Firewall and Advanced Threat Prevention NSX DC Enterprise + Add-On for Firewall with Advanced Threat Prevention
TCP No No No Yes
ICMP No No No Yes
UDP No No No Yes
HTTP No No No Yes
HTTPS No No No Yes
         
Monitoring Firewall for Baremetal Hosts Firewall Firewall and Advanced Threat Prevention NSX DC Enterprise + Add-On for Firewall with Advanced Threat Prevention
View VIP / Pool / Server Objects No No No Yes
View VIP / Pool / Server Statistics No No No Yes
View Global Statistics VIP Sessions No No No Yes
         
Load Balancing Automation Firewall for Baremetal Hosts Firewall Firewall and Advanced Threat Prevention NSX DC Enterprise + Add-On for Firewall with Advanced Threat Prevention
Pool Members Based on vCenter Context or IP Addresses No No No Yes
         
Other Firewall for Baremetal Hosts Firewall Firewall and Advanced Threat Prevention NSX DC Enterprise + Add-On for Firewall with Advanced Threat Prevention
Connectivity Throttling No No No Yes
High-Availability No No No Yes
         
API Driven Automation Firewall for Baremetal Hosts Firewall Firewall and Advanced Threat Prevention NSX DC Enterprise + Add-On for Firewall with Advanced Threat Prevention
REST API Yes Yes Yes Yes
Hierarchical Policy API Yes Yes Yes Yes
JSON Support Yes Yes Yes Yes
OpenAPI / Swagger Spec Yes Yes Yes Yes
Java SDK Yes Yes Yes Yes
Python SDK Yes Yes Yes Yes
Auto-generated API Documentation Yes Yes Yes Yes
Terraform Provider ⁵ Yes Yes Yes Yes
Ansible Modules ⁵ Yes Yes Yes Yes
         
Cloud-Native and Integration with Cloud Management Platforms Firewall for Baremetal Hosts Firewall Firewall and Advanced Threat Prevention NSX DC Enterprise + Add-On for Firewall with Advanced Threat Prevention
Container Networking and Security No No No Yes
Integration with vRealize Automation ¹, ⁵ No No No No
Integration with vCloud Director ¹, ⁵ Yes Yes Yes Yes
Integration with VMware Integrated OpenStack ¹, ⁵ Yes Yes Yes Yes
Integration with other OpenStack Platform ³, ⁵ Yes Yes Yes Yes
         
Service Insertion Integrations Firewall for Baremetal Hosts Firewall Firewall and Advanced Threat Prevention NSX DC Enterprise + Add-On for Firewall with Advanced Threat Prevention
Endpoint Protection No Yes Yes Yes
Network Introspection No No No Yes
         
NSX Intelligence Firewall for Baremetal Hosts Firewall Firewall and Advanced Threat Prevention NSX DC Enterprise + Add-On for Firewall with Advanced Threat Prevention
Layer 4 / Layer 7 VM-to-VM Traffic Flow Analysis No Yes Yes Yes
Layer 4 / Layer 7 Firewall Visibility No Yes Yes Yes
Layer 4 / Layer 7 Automated Security Policy No Yes Yes Yes
Layer 4 / Layer 7 Rule and Group Recommendation Analytics No Yes Yes Yes
         
Integration with NSX Cloud for AWS and Azure Firewall for Baremetal Hosts Firewall Firewall and Advanced Threat Prevention NSX DC Enterprise + Add-On for Firewall with Advanced Threat Prevention
NSX on-prem license portability for Public Cloud workloads No No No No
NSX Enforced Mode (Agent-Based Cloud Security) No Yes Yes Yes
Cloud Enforced Mode (Agentless Based Cloud Security) No Yes Yes Yes
Service Insertion No No No No
L4 Stateful Firewall Rules on AWS Workloads No Yes Yes Yes
L4 Stateless Firewall Rules on AWS Workloads No Yes Yes Yes
L4 Stateful Firewall Rules on Azure Workloads No Yes Yes Yes
L4 Stateless Firewall Rules on Azure Workloads No Yes Yes Yes
L3 VPN No No No Yes
Support for AWS Gov Cloud and Azure Government Cloud workloads No Yes Yes Yes
         
Authentication and Authorization Firewall for Baremetal Hosts Firewall Firewall and Advanced Threat Prevention NSX DC Enterprise + Add-On for Firewall with Advanced Threat Prevention
Authentication using vIDM ¹, ⁴ Yes Yes Yes Yes
Direct Active Directory Integration via LDAP Yes Yes Yes Yes
Authentication via OpenLDAP Yes Yes Yes Yes
Session-Based Authentication Yes Yes Yes Yes
Certificate-Based Authentication (Principal Identity) Yes Yes Yes Yes
Role-Based Access Control Yes Yes Yes Yes
         
Log Management Firewall for Baremetal Hosts Firewall Firewall and Advanced Threat Prevention NSX DC Enterprise + Add-On for Firewall with Advanced Threat Prevention
Splunk Integration ² Yes Yes Yes Yes
vRealize Log Management Yes Yes Yes Yes
         
Installation Firewall for Baremetal Hosts Firewall Firewall and Advanced Threat Prevention NSX DC Enterprise + Add-On for Firewall with Advanced Threat Prevention
Automated Controller Development Yes Yes Yes Yes
Manual Controller Deployment Yes Yes Yes Yes
Automated Edge Deployment No Yes Yes Yes
Manual Edge Deployment No Yes Yes Yes
Automated Host Preparation by Cluster No Yes Yes Yes
         
Operations Firewall for Baremetal Hosts Firewall Firewall and Advanced Threat Prevention NSX DC Enterprise + Add-On for Firewall with Advanced Threat Prevention
Port Mirroring Yes Yes Yes Yes
Trace Flow Yes Yes Yes Yes
Tunnel Health Monitoring Yes Yes Yes Yes
Port Connectivity Tool Yes Yes Yes Yes
Switch Based IPFIX Yes Yes Yes Yes
LLDP Yes Yes Yes Yes
Automated Technical Support Bundles Yes Yes Yes Yes
Backup and Restore Yes Yes Yes Yes
SNMP v1/v2/v3 with Traps Yes Yes Yes Yes
         
Upgrades and Migrations Firewall for Baremetal Hosts Firewall Firewall and Advanced Threat Prevention NSX DC Enterprise + Add-On for Firewall with Advanced Threat Prevention
Upgrade Coordinator Yes Yes Yes Yes
NSX for vSphere to NSX-T Migration Coordinator No Yes Yes Yes
         
Network Detection and Response ⁷ Firewall for Baremetal Hosts Firewall Firewall and Advanced Threat Prevention NSX DC Enterprise + Add-On for Firewall with Advanced Threat Prevention
Malware Detection No No Yes Yes
Network Sandboxing and Artifact Analysis ⁹ No No Yes Yes
Network Traffic Analytics ⁹ No No Yes Yes


Notes:

  1. Please refer to the VMware Product Interoperability Matrices for specific versions supported with NSX-T Data Center.
  2. Please refer to the NSX-T Data Center release notes for specific versions.
  3. Please refer to the NSX Data Center partner web site for specific versions.
  4. VMware Identity Manager - A license to use VMware NSX Data Center includes an entitlement to use the VMware Identity Manager feature, but only for the following functionalities:
    • Directory integration functionality of VMware Identity Manager to authenticate users in a user directory such as Microsoft Active Directory or LDAP.
    • Conditional access policy.
    • Single-sign-on integration functionality with third-party identity providers to allow third-party identity providers’ users to single-sign-on into NSX Data Center.
    • Two-factor authentication solution through integration with third-party systems. VMware Verify, VMware’s multi-factor authentication solution, received as part of VMware Identity Manager, may not be used as part of NSX Data Center.
    • Single-sign-on functionality to access VMware products that support single-sign-on capabilities.
  5. Integration with automation tools such as vRealize Automation, vCloud Director, VMware Integrated OpenStack and other OpenStack distributions, Ansible, and Terraform is available for all editions of NSX. However, you must have the appropriate NSX edition for the feature that these tools automate. For example, automation of load balancing from Terraform or OpenStack requires NSX Data Center Advanced, Enterprise Plus, or ROBO.
  6. Both IPv4 and IPv6 are supported for all Load Balancing features except for IPv6-VIP-to-IPv4-member and IPv4-VIP-to-IPv6-member translations.
  7. Network Detection and Response is only available in hosted mode and not integrated into NSX-T 3.1 with the NSX Platform. For your region, please select the appropriate license SKU.
  8. A single sensor socket entitles up to 250 artifact submissions per day with a maximum artifact size of 64 MB.
  9. A single sensor socket entitles up to a daily average of 100 Mbps sustained throughput for traffic analytics with a limit of 10 network records per second per NDR Sensor uploaded for analysis.