VMware

VMware NSX and VMC on AWS

As part of an End of Life process, support for VMware NSX-V is limited in TOS. For details, see Release Notes.
Dashboard Widgets

General (General overview of the system)

Cleanup (Summary of the number of rules that are disabled, fully shadowed, or have not been hit in the past year)

USP Compliance (The number of rules with violations, according to their severity level)

Audit (The number of rules whose access has expired or will expire within the next month)

Recent Changes (Rules and devices with changes in the past 30 days)

Browsers

Rule Viewer (see Rule Viewer)

Object Lookup (See Object Lookup)

USP Viewer (see USP Viewer)

USP Alert Manager Viewer (see USP Alerts Manager)

USP Exceptions Viewer (see USP Exceptions)

Changes (see Change Browser)

Cleanup (see Cleanup Browser)

Device Viewer (see Device Viewer)

Change Management

Change Management (Policy and Side-by-Side policy change comparison in the Compare tab, Comparison report, and New Revision report)

Display IPv6 objects

Graphical Policy (Policies are displayed in SecureTrack as they are shown in the vendor's management software)

Real-time Monitoring (Regularly automatically fetches policy information from the device)

Accountability - Installed Revisions (Supported for VMware NSX only)

Create SecureChange ticket from Rule Viewer for:

  • Rule Decommission (Removes selected rules from supported devices)

  • Rule Recertification (Used to document and verify the need for a rule)

Topology

Static Topology

BGP Dynamic Routes

IPv6 routes

Path analysis with IPv6 addresses in source and destination

Notes for VMware NSX and VMC on AWS

  • Real-time monitoring uses device polling.

  • These features are not supported: unused objects cleanup, offline analysis.

  • Topology support only includes North-South connectivity; in topology diagrams, traffic inside a logical switch is shown as passing through the logical router.

  • For Auditing and Reporting, these features are supported: Regulations browser, Rule Viewer, New Revision report.

  • Dynamic Topology (BGP dynamic routing) is supported for NSX-T.

  • New NSX-T devices are automatically configured with Declarative (Policy) APIs. Devices that were previously added using Imperative APIs will continue to work. In the Device Manager, the name of a device indicates whether the device is configured with a Declarative or Imperative API.

    To convert a device that was previously added using Imperative APIs to Declarative APIs you need to add the device as a new device, and remove or disable the old instance of the device.

  • NSX-T devices support dynamic Security Groups based on tags set in the device.

  • TOS supports IPv6 for NSX devices in the Map.

    • Path Analysis calculations support IPv6 traffic and matching rules.

  • BGP routes for VMC on AWS are not supported.

  • NSX-T VRF-lite devices are supported in TOS:

    • You can import VRF-lite devices when importing gateways for NSX devices.

    • Map presents VRF-lite devices.

    • Path Analysis calculations include VRF-lite traffic.

Gateway Firewall

Dashboard Widgets

General (General overview of the system)

Cleanup (Summary of the number of rules that are disabled)

USP Compliance (The number of rules with violations, according to their severity level)

Audit (The number of rules whose access has expired or will expire within the next month)

Recent Changes (Rules and devices with changes in the past 30 days)

Browsers

Rule Viewer (see Rule Viewer)

USP Viewer (see USP Viewer)

USP Alert Manager Viewer (see USP Alerts Manager)

USP Exceptions Viewer (see USP Exceptions)

Changes (see Change Browser)

Cleanup (see Cleanup Browser)

Device Viewer (see Device Viewer)

Topology

Static Topology

BGP Dynamic Routes

IPv6 routes

Path analysis with IPv6 addresses in source and destination

Notes for Gateway Firewall

  • TOS supports these policy types:

    • Shared Rules: On the VMware side, you can select more than one gateway device in the Applied To column for the rule. In TOS, you will see these rules under the Shared policy.

    • Gateway Specific Rules: Each gateway on the VMware side is modeled as a separate policy in TOS.

  • In a single Path Analysis query, you can troubleshoot connectivity for NSX workloads including Distributed Firewall rules, Gateway Specific rules, and Shared rules in the same path. For topology calculations, TOS uses the same logical routers for both the Distributed Firewall and the Gateway Firewall.

  • NSX Gateway Firewall is not supported for VMC on AWS.

  • If you use a specific interface within the Gateway Firewall, note that TOS considers all gateway interfaces when calculating violations.

  • If you do not import NSX logical routers, you will not see their Gateway Firewall policies in TOS.