Disable Edge Gateway Firewall if not in use
Article ID: 389357

Updated On: 03-31-2025

Products

VMware NSX

Issue/Introduction

  • The Edge Gateway Firewall provides an environment with an L2-L4 perimeter firewall and is also required for security services such as URL Filtering / FQDN Analysis, TLS Inspection, and the Intrusion Detection and Prevention Service.
  • The Edge Gateway Firewall is enabled by default and is programmed with a default Any Any Allow rule.
  • Even if no user-created rules are added, the firewall is active and consuming resources.

Environment

VMware NSX-T 3.x
VMware NSX 4.x

Resolution

In environments that do not consume the Gateway Firewall or its related services, the best practice for optimum resource usage and performance is to disable the Gateway Firewall.

Note: if NAT rules are configured, there can be a dependency on the Gateway Firewall. Consider the following scenarios before disabling the firewall.

In the scenarios below, Tier-1-A has an SNAT rule configured that translates traffic from its attached segment to 10.1.1.1.


Scenario #1 - No FW dependency - Traffic initiated by VM-A

  • Traffic initiated from VM-A, 192.168.1.1 to VM-B, 20.1.1.1 or any other destination.
  • SNAT 192.168.1.1 to 10.1.1.1
  • Return traffic will have a destination IP of 10.1.1.1
  • Tier-1-A will match it up with the existing SNAT flow and translate it
  • Traffic delivered back to VM-A
  • There is no dependency on Gateway Firewall for NAT to function.


Scenario #2 - Tier-1-A has Stateful firewall rule - Traffic initiated by VM-B

  • Traffic initiated from VM-B, 20.1.1.1 to VM-A, 192.168.1.1
  • Tier-1-A has a stateful firewall rule allowing this traffic
  • Firewall connection tracker is updated with an entry for the TCP SYN packet from VM-B/20.1.1.1 to VM-A/192.168.1.1
  • When VM-A replies, Tier-1-A matches the reply packet with the FW stateful connection entry
  • SNAT translation is bypassed when traffic matches an existing Firewall connection entry.


Scenario #3 - Tier-1-A has Firewall disabled or stateless rule - Traffic initiated by VM-B - DP (datapath) impact

  • Traffic initiated from VM-B, 20.1.1.1 to VM-A, 192.168.1.1
  • Tier-1-A has Firewall disabled (note same behaviour for stateless rules)
  • Tier-1-A forwards the TCP SYN packet from VM-B/20.1.1.1 to VM-A/192.168.1.1 without creating a firewall connection entry
  • When VM-A/192.168.1.1 replies back to VM-B/20.1.1.1, Tier-1-A sees that there is no Firewall connection entry and performs SNAT of source IP 192.168.1.1 to 10.1.1.1
  • VM-B drops these packets, as it was communicating with 192.168.1.1 and not 10.1.1.1.
  • The solution is to configure a No SNAT rule that excludes the return traffic flow from having NAT applied, before disabling the FW.
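To make the three scenarios concrete, here is a small Python model of the Tier-1 pipeline (an added example, not NSX code). The lookup order it uses (existing SNAT flows, then the firewall connection tracker, then the SNAT rule) and a No SNAT rule that matches on destination only are simplifying assumptions; the addresses are the constructed ones from the scenarios above.

```python
from dataclasses import dataclass

VM_A, VM_B, SNAT_IP = "192.168.1.1", "20.1.1.1", "10.1.1.1"

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str

class Tier1:
    """Simplified Tier-1 pipeline: SNAT flow table, firewall conntrack, then SNAT."""
    def __init__(self, stateful_fw, no_snat_dsts=()):
        self.stateful_fw = stateful_fw         # False models a disabled FW or a stateless rule
        self.no_snat_dsts = set(no_snat_dsts)  # No SNAT rule, matched on destination only here
        self.fw_conns = set()                  # firewall connection tracker, keyed (src, dst)
        self.nat_flows = {}                    # (translated src, dst) -> original src

    def forward(self, pkt):
        # Return traffic of an existing SNAT flow is reverse-translated (Scenario #1).
        orig_src = self.nat_flows.get((pkt.dst, pkt.src))
        if orig_src is not None:
            return Packet(pkt.src, orig_src)
        if self.stateful_fw:
            # A reply matching a firewall connection entry bypasses SNAT (Scenario #2).
            if (pkt.dst, pkt.src) in self.fw_conns:
                return pkt
            self.fw_conns.add((pkt.src, pkt.dst))
        # No connection entry: SNAT hits anything sourced from VM-A (Scenario #3),
        # unless a No SNAT rule excludes the flow.
        if pkt.src == VM_A and pkt.dst not in self.no_snat_dsts:
            self.nat_flows[(SNAT_IP, pkt.dst)] = pkt.src
            return Packet(SNAT_IP, pkt.dst)
        return pkt

def exchange(gw, client, server):
    """Client sends a SYN through gw; the server answers the address it saw."""
    syn = gw.forward(Packet(client, server))
    return gw.forward(Packet(syn.dst, syn.src))

def delivered(gw, client, server):
    # True only if the client gets a reply from the peer it was actually talking to.
    return exchange(gw, client, server) == Packet(server, client)

def run_scenarios():
    return {
        "1_vm_a_initiates": delivered(Tier1(True), VM_A, VM_B),
        "2_stateful_fw_vm_b_initiates": delivered(Tier1(True), VM_B, VM_A),
        "3_fw_disabled_vm_b_initiates": delivered(Tier1(False), VM_B, VM_A),
        "3_fixed_with_no_snat_rule": delivered(Tier1(False, {VM_B}), VM_B, VM_A),
    }
```

Running `run_scenarios()` shows the third scenario failing (VM-B receives a reply from 10.1.1.1) and passing again once the No SNAT rule is in place.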



To disable the Gateway Firewall

In the UI, navigate to Security -> Gateway Firewall -> Settings -> Gateway Specific Settings.

The Gateway Firewall can be disabled individually or via the multi select option if there are multiple Gateways.

Additional Information