
This article provides information on licensing editions of VMware NSX for Security-specific deployments and the list of features associated with the different licensing editions.

NSX Distributed Firewall Editions: NSX offers security capabilities for Zero-Trust scenarios through the "Distributed Firewall" product line. The editions focused on delivering micro-segmentation for east-west traffic using Distributed Firewalls are listed below:

- NSX Distributed Firewall for Baremetal Hosts: For organizations needing an agent-based network segmentation solution for bare-metal workloads.
- NSX Distributed Firewall Edition: For organizations needing to implement access controls for east-west traffic within the network (micro-segmentation) but not focused on threat detection and prevention services.
- NSX Distributed Firewall with Threat Prevention Edition: For organizations needing access control and select threat prevention features for east-west traffic within the network.
- NSX Distributed Firewall with Advanced Threat Prevention Edition: For organizations needing Firewall and all advanced threat prevention features for east-west traffic within the network.

VMware NSX Gateway Firewall Editions: NSX offers security capabilities for zone-segmentation and public cloud internet gateway scenarios through the "Gateway Firewall" product line. The various "Gateway Firewall" editions are listed below:

- Gateway Firewall: For organizations needing to implement firewalling capabilities for zone segmentation, but not focused on threat detection and prevention services.
- Gateway Firewall with Threat Prevention Edition: For organizations needing to implement firewalling capabilities for zone segmentation along with select threat detection and prevention services offered in the Gateway form factor.
- Gateway Firewall with Advanced Threat Prevention Edition: For organizations needing to implement firewalling capabilities for zone segmentation along with all advanced threat detection and prevention services offered in the Gateway form factor.

The Gateway Firewall product can be deployed either as a Virtual Machine (VM) or as an ISO image on physical servers, depending upon the license procured. The Gateway Firewall Editions listed above are applicable for both the VM and ISO based deployments.

NSX Network Detection and Response (NDR): The NSX NDR product offers advanced threat identification and response capabilities for Security Operations Center (SOC) deployment. At this time, we offer on-premises deployment for this solution.

- NSX Network Detection and Response (NDR) for on-premises: For SOC teams needing to implement an NDR solution to identify advanced attacks on the network.

The NSX NDR solution does not provide entitlements for NSX Distributed or Gateway Firewall capabilities. It is a stand-alone offer focused on SOC deployments.

Customers interested in deploying Network Virtualization capabilities of NSX should refer to https://kb.vmware.com/s/article/86095.

Customers who have already purchased NSX Data Center (NSX-T) Advanced and Enterprise+ editions can procure NSX Firewall Threat Prevention or NSX Firewall Advanced Threat Prevention add-on licenses.
The following tables outline specific functions available by edition. NSX Security is available as a single download image with license keys required to enable specific functionality.

In every table below, the first four edition columns are the NSX-T Distributed Firewall Packages and the last three are the NSX-T Gateway Firewall Packages. Bracketed numbers refer to the Notes at the end.

Distributed Security

| Distributed Security Features | NSX Distributed Firewall | NSX Distributed Firewall With Threat Prevention | NSX Distributed Firewall With Advanced Threat Prevention | Firewall (Agent) For Baremetal Servers | NSX Gateway Firewall | NSX Gateway Firewall with Threat Prevention | NSX Gateway Firewall with Advanced Threat Prevention |
| --- | --- | --- | --- | --- | --- | --- | --- |
| Distributed Firewall for NSX Switchports | Yes | Yes | Yes | Yes | No | No | No |
| Distributed Firewall for VDS Switchports | Yes | Yes | Yes | No | No | No | No |
| Stateful L2 and L3 Rules | Yes | Yes | Yes | Yes | No | No | No |
| Stateless L2 and L3 Rules | Yes | Yes | Yes | Yes | No | No | No |
| Distributed FQDN Filtering | Yes | Yes | Yes | No | No | No | No |
| Basic L7 Application Identification Rules | Yes | Yes | Yes | No | No | No | No |
| Advanced L7 Application Identification Rules | Yes | Yes | Yes | No | No | No | No |
| Distributed Flood Protection | Yes | Yes | Yes | No | No | No | No |
| Agent-Based enforcement for Physical Servers | Yes | Yes | Yes | Yes | No | No | No |
| **User Identity Firewall** | | | | | | | |
| Distributed Identity Firewall using Guest Introspection | Yes | Yes | Yes | No | No | No | No |
| Distributed Identity Firewall using Active Directory Event Server | Yes | Yes | Yes | No | No | No | No |
| Distributed Identity Firewall using third-party log sources | No | No | No | No | No | No | No |
| **NSX Distributed Threat Prevention [7]** | | | | | | | |
| Distributed Intrusion Detection Service (IDS) | No | Yes | Yes | No | No | No | No |
| Distributed Behavioral IDS | No | Yes | Yes | No | No | No | No |
| Distributed Intrusion Prevention Service (IPS) | No | Yes | Yes | No | No | No | No |
| **NSX Distributed Advanced Threat Prevention [9]** | | | | | | | |
| Distributed Malware Detection and Prevention | No | No | Yes | No | No | No | No |
| Cloud Sandboxing and Artifact Analysis [10, 13] | No | No | Yes | No | No | No | No |
| Distributed IDS Event Forwarding to NDR | No | Yes | Yes | No | No | No | No |
| **Distributed Service Insertion Integrations** | | | | | | | |
| Distributed Endpoint Protection | No | No | No | No | No | No | No |
| Distributed Network Introspection | No | No | No | No | No | No | No |
| **Policy, Tagging and Grouping** | | | | | | | |
| Object Tagging / Security Tags | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Network Centric Grouping | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Workload Centric Grouping | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| IP Based Groups | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| MAC Based Groups | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Tag Based Rules | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| **Firewall Operations** | | | | | | | |
| Firewall Logging | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Distributed Firewall based IPFIX | Yes | Yes | Yes | Yes | No | No | No |
| Rule Hit Count, Popularity Index, Flow Statistics | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Firewall Drafts | Yes | Yes | Yes | No | No | No | No |

Gateway Firewall Features

| Gateway Security Features | NSX Distributed Firewall | NSX Distributed Firewall With Threat Prevention | NSX Distributed Firewall With Advanced Threat Prevention | Firewall (Agent) For Baremetal Servers | NSX Gateway Firewall | NSX Gateway Firewall with Threat Prevention | NSX Gateway Firewall with Advanced Threat Prevention |
| --- | --- | --- | --- | --- | --- | --- | --- |
| Stateful L3 Rules | No | No | No | No | Yes | Yes | Yes |
| Stateless L3 Rules | No | No | No | No | Yes | Yes | Yes |
| Basic L7 Application Identification Rules | No | No | No | No | Yes | Yes | Yes |
| Advanced L7 Application Identification Rules | No | No | No | No | Yes | Yes | Yes |
| URL Filtering | No | No | No | No | Yes | Yes | Yes |
| Gateway Flood Protection | No | No | No | No | Yes | Yes | Yes |
| **Identity Firewall** | | | | | | | |
| Gateway Identity Firewall using Active Directory Event Server | No | No | No | No | Yes | Yes | Yes |
| Gateway Identity Firewall using third-party log sources | No | No | No | No | Yes | Yes | Yes |
| **NSX Gateway Advanced Threat Prevention [7]** | | | | | | | |
| Malware Detection | No | No | No | No | No | No | Yes |
| Cloud Sandboxing and Artifact Analysis [10] | No | No | No | No | No | No | Yes |
| **NAT** | | | | | | | |
| NAT on North/South and East/West Logical Routers | No | No | No | No | Yes | Yes | Yes |
| Source NAT | No | No | No | No | Yes | Yes | Yes |
| Destination NAT | No | No | No | No | Yes | Yes | Yes |
| NAT N:N | No | No | No | No | Yes | Yes | Yes |
| Stateless NAT | No | No | No | No | Yes | Yes | Yes |
| NAT Logging | No | No | No | No | Yes | Yes | Yes |
| NAT64 | No | No | No | No | Yes | Yes | Yes |
| Active/Active NAT Services | No | No | No | No | Yes | Yes | Yes |
| **VPN** | | | | | | | |
| L2 VPN | No | No | No | No | Yes | Yes | Yes |
| Active / Standby L3 VPN | No | No | No | No | Yes | Yes | Yes |
| **Gateway Service Insertion Integrations** | | | | | | | |
| Gateway Network Introspection | No | No | No | No | Yes | Yes | Yes |
| **Gateway Firewall High Availability [14]** | | | | | | | |
| Active/Standby Gateway Firewall Services | No | No | No | No | Yes | Yes | Yes |
| **Policy, Tagging and Grouping** | | | | | | | |
| Object Tagging / Security Tags | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Network Centric Grouping | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Workload Centric Grouping | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| IP Based Groups | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Tag-Based Rules | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Per-Gateway and Multi-Gateway Policy Management | No | No | No | No | Yes | Yes | Yes |
| **Firewall Operations** | | | | | | | |
| Firewall Logging | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Rule Hit Count, Popularity Index, Flow Statistics | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Firewall Drafts | No | No | No | No | Yes | Yes | Yes |

Networking

| Feature | NSX Distributed Firewall | NSX Distributed Firewall With Threat Prevention | NSX Distributed Firewall With Advanced Threat Prevention | Firewall (Agent) For Baremetal Servers | NSX Gateway Firewall | NSX Gateway Firewall with Threat Prevention | NSX Gateway Firewall with Advanced Threat Prevention |
| --- | --- | --- | --- | --- | --- | --- | --- |
| vSphere Distributed Switch [10] | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| VLAN Backed Logical Switching | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Overlay Backed Logical Switching | No | No | No | No | Yes | Yes | Yes |
| Multiple TEP Support | No | No | No | No | Yes | Yes | Yes |
| Optimized ARP Learning and Broadcast Suppression | No | No | No | No | No | No | No |
| GENEVE Encapsulation | No | No | No | No | Yes | Yes | Yes |
| Unicast Replication | No | No | No | No | No | No | No |
| Headend Replication | No | No | No | No | No | No | No |
| Spoofguard | Yes | Yes | Yes | Yes | No | No | No |
| LACP (Edge and Host) | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| L2 Multicast | No | No | No | No | Yes | Yes | Yes |
| L3 Multicast | No | No | No | No | Yes | Yes | Yes |
| **Quality of Service (QoS)** | | | | | | | |
| QoS Marking | No | No | No | No | No | No | No |
| QoS DSCP Trust Boundary | No | No | No | No | No | No | No |
| **L2 Bridging to Physical Environment** | | | | | | | |
| Software Based L2 Bridge to Physical Environments | No | No | No | No | Yes | Yes | Yes |
| **Routing** | | | | | | | |
| Distributed Routing | No | No | No | No | No | No | No |
| Multi-Tier Routing | No | No | No | No | Yes | Yes | Yes |
| Dynamic Routing with ECMP | No | No | No | No | Yes | Yes | Yes |
| Active / Standby Redundancy for Routing | No | No | No | No | Yes | Yes | Yes |
| Active / Active Redundancy for Routing | No | No | No | No | Yes | Yes | Yes |
| Virtual Routing and Forwarding (Tier-0 Gateway VRFs) | No | No | No | No | Yes | Yes | Yes |
| EVPN | No | No | No | No | Yes | Yes | Yes |
| OSPF v2 | No | No | No | No | Yes | Yes | Yes |
| **Static Routing - IPv4** | | | | | | | |
| Static Routing | No | No | No | No | Yes | Yes | Yes |
| BFD | No | No | No | No | Yes | Yes | Yes |
| Null Routes | No | No | No | No | Yes | Yes | Yes |
| Device Routes | No | No | No | No | Yes | Yes | Yes |
| **Static Routing - IPv6** | | | | | | | |
| Static Routing | No | No | No | No | Yes | Yes | Yes |
| Null Routes | No | No | No | No | Yes | Yes | Yes |
| Device Routes | No | No | No | No | Yes | Yes | Yes |
| **BGP - IPv4 Unicast** | | | | | | | |
| eBGP | No | No | No | No | Yes | Yes | Yes |
| eBGP Multihop | No | No | No | No | Yes | Yes | Yes |
| iBGP | No | No | No | No | Yes | Yes | Yes |
| Graceful Restart | No | No | No | No | Yes | Yes | Yes |
| BFD | No | No | No | No | Yes | Yes | Yes |
| 4-byte ASN | No | No | No | No | Yes | Yes | Yes |
| **BGP - IPv6 Unicast** | | | | | | | |
| eBGP | No | No | No | No | Yes | Yes | Yes |
| eBGP Multihop | No | No | No | No | Yes | Yes | Yes |
| iBGP | No | No | No | No | Yes | Yes | Yes |
| Graceful Restart | No | No | No | No | Yes | Yes | Yes |
| 4-byte ASN | No | No | No | No | Yes | Yes | Yes |
| **BFD - IPv4** | | | | | | | |
| Sub-Second Keepalive Timer | No | No | No | No | Yes | Yes | Yes |
| **Route Maps** | | | | | | | |
| Match on Prefix-List and Community-List | No | No | No | No | Yes | Yes | Yes |
| Set Weight, MED, AS Path, Prepending, Local Preference, and Community | No | No | No | No | Yes | Yes | Yes |
| **Other** | | | | | | | |
| High Availability Virtual IP (HA VIP) | No | No | No | No | Yes | Yes | Yes |
| Route Redistribution | No | No | No | No | Yes | Yes | Yes |
| IP Prefix-Lists | No | No | No | No | Yes | Yes | Yes |
| Per Interface RPF Check | No | No | No | No | Yes | Yes | Yes |
| **DNS, DHCP and IPAM (DDI)** | | | | | | | |
| IPAM | No | No | No | No | Yes | Yes | Yes |
| IP Blocks | No | No | No | No | Yes | Yes | Yes |
| IP Subnets | No | No | No | No | Yes | Yes | Yes |
| IP Pools | No | No | No | No | Yes | Yes | Yes |
| IPv4 DHCP Server | No | No | No | No | Yes | Yes | Yes |
| IPv6 DHCP Server | No | No | No | No | Yes | Yes | Yes |
| IPv4 DHCP Relay | No | No | No | No | Yes | Yes | Yes |
| IPv6 DHCP Relay | No | No | No | No | Yes | Yes | Yes |
| IPv4 DHCP Static Bindings / Fixed Addresses | No | No | No | No | Yes | Yes | Yes |
| IPv6 DHCP Static Bindings / Fixed Addresses | No | No | No | No | Yes | Yes | Yes |
| IPv4 DNS Relay / DNS Proxy | No | No | No | No | Yes | Yes | Yes |
| IPv4 Meta-Data Proxy | No | No | No | No | No | No | No |

NSX Intelligence

| Feature | NSX Distributed Firewall | NSX Distributed Firewall With Threat Prevention | NSX Distributed Firewall With Advanced Threat Prevention | Firewall (Agent) For Baremetal Servers | NSX Gateway Firewall | NSX Gateway Firewall with Threat Prevention | NSX Gateway Firewall with Advanced Threat Prevention |
| --- | --- | --- | --- | --- | --- | --- | --- |
| Layer 4 VM-to-VM Traffic Flow Analysis | Yes | Yes | Yes | No | No | No | No |
| Layer 4 Firewall Visibility | Yes | Yes | Yes | No | No | No | No |
| Layer 4 Automated Security Policy | Yes | Yes | Yes | No | No | No | No |
| Layer 4 Rule and Group Recommendation Analytics | Yes | Yes | Yes | No | No | No | No |
| Network Traffic Analytics | No | No | Yes | No | No | No | No |
| Network Detection and Response [12] | No | No | Yes | No | No | No | No |

Load Balancing [8]

| Feature | NSX Distributed Firewall | NSX Distributed Firewall With Threat Prevention | NSX Distributed Firewall With Advanced Threat Prevention | Firewall (Agent) For Baremetal Servers | NSX Gateway Firewall | NSX Gateway Firewall with Threat Prevention | NSX Gateway Firewall with Advanced Threat Prevention |
| --- | --- | --- | --- | --- | --- | --- | --- |
| **Protocols** | | | | | | | |
| TCP (L4-L7) | No | No | No | No | No | No | No |
| UDP | No | No | No | No | No | No | No |
| HTTP | No | No | No | No | No | No | No |
| **Load Balancing Methods** | | | | | | | |
| Round Robin | No | No | No | No | No | No | No |
| Source IP Hash | No | No | No | No | No | No | No |
| Least Connections | No | No | No | No | No | No | No |
| L7 Application Rules with RegEx Support | No | No | No | No | No | No | No |
| **Health Checks** | | | | | | | |
| TCP | No | No | No | No | No | No | No |
| ICMP | No | No | No | No | No | No | No |
| UDP | No | No | No | No | No | No | No |
| HTTP | No | No | No | No | No | No | No |
| HTTPS | No | No | No | No | No | No | No |
| **Monitoring** | | | | | | | |
| View VIP / Pool / Server Objects | No | No | No | No | No | No | No |
| View VIP / Pool / Server Statistics | No | No | No | No | No | No | No |
| View Global Statistics VIP Sessions | No | No | No | No | No | No | No |
| **Load Balancing Automation** | | | | | | | |
| Pool Members Based on vCenter Context or IP Addresses | No | No | No | No | No | No | No |
| **Other** | | | | | | | |
| Connection Throttling | No | No | No | No | No | No | No |
| High-Availability | No | No | No | No | No | No | No |

NSX Cloud for AWS and Azure

| Feature | NSX Distributed Firewall | NSX Distributed Firewall With Threat Prevention | NSX Distributed Firewall With Advanced Threat Prevention | Firewall (Agent) For Baremetal Servers | NSX Gateway Firewall | NSX Gateway Firewall with Threat Prevention | NSX Gateway Firewall with Advanced Threat Prevention |
| --- | --- | --- | --- | --- | --- | --- | --- |
| NSX on-prem license portability for Public Cloud workloads | Yes | Yes | Yes | No | Yes | No | Yes |
| NSX Enforced Mode (Agent-Based Cloud Security) | Yes | Yes | Yes | No | No | No | No |
| Cloud Enforced Mode (Agentless Based Cloud Security) | Yes | Yes | Yes | No | No | No | No |
| Stateful L2 and L3 Rules | Yes | Yes | Yes | No | No | No | No |
| Stateless L2 and L3 Rules | Yes | Yes | Yes | No | No | No | No |
| Distributed Identity Firewall using Active Directory Event Server | Yes | Yes | Yes | No | No | No | No |
| L7 Security Features (Basic L7 Application Identification Rules) | Yes | Yes | Yes | No | No | No | No |
| Advanced Security capabilities in Public Cloud Gateway (L7 firewall / URL Filtering) | No | No | No | No | Yes | Yes | Yes |
| VPN (on-prem to public cloud; public cloud - public cloud; intra public cloud) | No | No | No | No | Yes | Yes | Yes |
| Support for AWS Gov Cloud and Azure Government Cloud workloads | Yes | Yes | Yes | Yes | Yes | Yes | Yes |

Modern Apps

| Feature | NSX Distributed Firewall | NSX Distributed Firewall With Threat Prevention | NSX Distributed Firewall With Advanced Threat Prevention | Firewall (Agent) For Baremetal Servers | NSX Gateway Firewall | NSX Gateway Firewall with Threat Prevention | NSX Gateway Firewall with Advanced Threat Prevention |
| --- | --- | --- | --- | --- | --- | --- | --- |
| Container Networking and Security | No | No | No | No | No | No | No |
| VMware Container Networking with Project Antrea Enterprise | No | No | No | No | No | No | No |

Automation

| Feature | NSX Distributed Firewall | NSX Distributed Firewall With Threat Prevention | NSX Distributed Firewall With Advanced Threat Prevention | Firewall (Agent) For Baremetal Servers | NSX Gateway Firewall | NSX Gateway Firewall with Threat Prevention | NSX Gateway Firewall with Advanced Threat Prevention |
| --- | --- | --- | --- | --- | --- | --- | --- |
| **API Driven Automation** | | | | | | | |
| REST API | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Hierarchical Policy API | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| JSON Support | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| OpenAPI / Swagger Spec | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Java SDK | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Python SDK | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Auto-generated API Documentation | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Terraform Provider [6] | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Ansible Modules [6] | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| **Integration with Cloud Management Platforms** | | | | | | | |
| Integration with vRealize Automation [1, 6] | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Integration with vCloud Director [1, 6] | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Integration with VMware Integrated OpenStack [1, 6] | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Integration with other OpenStack Platform [3, 6] | Yes | Yes | Yes | Yes | Yes | Yes | Yes |

Platform

| Feature | NSX Distributed Firewall | NSX Distributed Firewall With Threat Prevention | NSX Distributed Firewall With Advanced Threat Prevention | Firewall (Agent) For Baremetal Servers | NSX Gateway Firewall | NSX Gateway Firewall with Threat Prevention | NSX Gateway Firewall with Advanced Threat Prevention |
| --- | --- | --- | --- | --- | --- | --- | --- |
| **Platform Features** | | | | | | | |
| ESXi Support [1] | Yes | Yes | Yes | No | No | No | No |
| KVM Support [2] | Yes | Yes | Yes | No | No | No | No |
| Controller Clustering | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| vCenter Integration [1] | Yes | Yes | Yes | No | Yes | Yes | Yes |
| Multi-vCenter® Networking and Security | Yes | Yes | Yes | No | Yes | Yes | Yes |
| Federation | No | No | No | No | No | No | No |
| **Edge Platform Features** | | | | | | | |
| Edge in VM Form Factor | No | No | No | No | Yes | Yes | Yes |
| Edge in Bare-Metal Form Factor for Routing | No | No | No | No | Yes | Yes | Yes |
| Edge in Bare-Metal Form Factor for Gateway Firewall | No | No | No | No | Yes | Yes | Yes |
| DPDK Optimized Forwarding | No | No | No | No | Yes | Yes | Yes |
| **Authentication and Authorization** | | | | | | | |
| Authentication using Workspace ONE Access [1, 5] | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Direct Active Directory Integration via LDAP | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Authentication via OpenLDAP | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Session-Based Authentication | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Certificate-Based Authentication (Principal Identity) | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Role-Based Access Control | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| **Log Management** | | | | | | | |
| vRealize Log Insight Integration [1, 4] | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Splunk Integration [2] | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| **Installation** | | | | | | | |
| Automated Manager Deployment | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Manual Controller Deployment | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Automated Edge Deployment | No | No | No | No | Yes | Yes | Yes |
| Manual Edge Deployment | No | No | No | No | Yes | Yes | Yes |
| Automated Compute Host Preparation by Cluster | Yes | Yes | Yes | No | No | No | No |
| **Operations** | | | | | | | |
| Port Mirroring | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Traceflow | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| NSX Live Traffic Analysis | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Tunnel Health Monitoring | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Port Connectivity Tool | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Switch Based IPFIX | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| LLDP | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Automated Technical Support Bundles | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Packet Capture | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Backup and Restore | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| SNMP v1/v2/v3 with Traps | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| **Monitoring** | | | | | | | |
| Time-Series Metrics (Note: Name for this feature is under discussion) | No | No | No | No | No | No | Yes |
| **Upgrades and Migrations** | | | | | | | |
| Upgrade Coordinator | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| NSX for vSphere to NSX-T Migration Coordinator [11] | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| NSX Manager to Policy Promotion | Yes | Yes | Yes | Yes | Yes | Yes | Yes |

Notes:

[1] Please refer to the VMware Product Interoperability Matrices for specific versions supported with NSX-T Data Center.

[2] Please refer to the NSX-T Data Center release notes for specific versions.

[3] Please refer to the NSX-T Data Center partner website for specific versions.

[4] VMware vRealize Log Insight for NSX provides intelligent log analytics for NSX Data Center. Log Insight provides monitoring and troubleshooting capabilities and customizable dashboards for network virtualization, flow analysis, and alerts. VMware vRealize Log Insight version 3.3.2 and later accepts NSX Data Center Standard/Professional/Advanced/Enterprise Plus edition license keys issued for NSX-T 1.0.0 and later. This means you will have an enterprise-level Log Insight license for every license of NSX Data Center.

[5] VMware Workspace ONE Access - A license to use VMware NSX Data Center includes an entitlement to use the VMware Workspace ONE Access feature, but only for the following functionalities:

- Directory integration functionality of VMware Workspace ONE Access to authenticate users in a user directory such as Microsoft Active Directory or LDAP.
- Conditional access policy.
- Single-sign-on integration functionality with third party Identity providers to allow third party identity providers’ users to single-sign-on into NSX Data Center.
- Two-factor authentication solution through integration with third party systems. VMware Verify, VMware’s multi-factor authentication solution, received as part of VMware Workspace ONE Access may not be used as part of NSX Data Center.
- Single-sign-on functionality to access VMware products that support single-sign-on capabilities.

[6] Integration with automation tools such as vRealize Automation, vCloud Director, VMware Integrated OpenStack, and other OpenStack distributions, Ansible, and Terraform is available for all editions of NSX; however, you must have the appropriate NSX edition for the feature which is automated by these tools. For example, automation of load balancing from Terraform or OpenStack requires NSX Data Center Advanced, Enterprise Plus, or ROBO.

[7] NSX Distributed Threat Prevention requires an additional subscription-based purchase.

[8] Both IPv4 and IPv6 are supported for all Load Balancing features except for IPv6-VIP-to-IPv4-member and IPv4-VIP-to-IPv6-member translations.

[9] Customers who have purchased the legacy NSX editions can apply their licenses to NSX-T Data Center.

[10] Requires VDS 7.0 or higher.

[11] Migration Coordinator will migrate the deployment in NSX for vSphere and the features used in NSX-T. It is the responsibility of the customer to ensure the version of NSX-T allows the use of those features.

[12] Network Detection and Response supports event and artifact submission from Distributed Firewall only. It is a hosted service running from various VMware Regions.

[13] A single sensor socket entitles up to 250 artifact submissions per day with a maximum artifact size of 64MB.

[14] Subject to Gateway Firewall features available in that specific SKU. Please refer to https://kb.vmware.com/s/article/87077.

[15] Please refer to NSX Security Features covered in https://kb.vmware.com/s/article/87077.