VMware NSX-T Data Center 3.2.0 | 16 December 2021 | Build 19067070
***VMware removed 3.2.0 around a week or two after the release and recommend users upgrade to 126.96.36.199 instead***
NSX-T Data Center 3.2.0 is a major release offering many new features in all the verticals of NSX-T: networking, security, services and onboarding. Here are some of the major enhancements.
- Switch agnostic distributed security: Ability to extend micro-segmentation to workloads deployed on vSphere networks.
- Gateway Security: Enhanced L7 App IDs, Malware Detection and Sandboxing, URL filtering, User-ID firewall, TLS inspection (Tech Preview) and Intrusion Detection and Prevention Service (IDS/IPS).
- Enhanced Distributed Security: Malware detection and Prevention, Behavioral IDS/IPS, enhanced application identities for L7 firewall.
- Improved integration with NSX Advanced Load Balancer (formerly Avi): Install and configure NSX ALB (Avi) from NSX-T UI; Migrate NSX for vSphere LB to NSX ALB (Avi).
- NSX for vSphere to NSX-T Migration: Major enhancements to the Migration Coordinator to extend coverage of supported NSX for vSphere topologies and provide flexibility on the target NSX-T topologies.
- Improved protection against Log4j vulnerability: Updated Apache Log4j to version 2.16 to resolve CVE-2021-44228 and CVE-2021-45046. For more information on these vulnerabilities and their impact on VMware products, please see VMSA-2021-0028.
VMware introduces new capabilities on the Gateway and with this a new licensing model has been introduced focusing on Security capabilities
- VMware NSX Gateway
- VMware NSX Advanced Threat Prevention Add-on to NSX Gateway Firewall
Refer to Product Offerings for NSX-T 3.2 Security for all the features included in these new licenses.
- The introduction of Advanced Threat Prevention capabilities with Malware Detection and Prevention and Network Detection and Response fully integrated into the NSX-T UI. This brings Sandboxing capabilities native to the platform.
- Now customers can leverage their native VDS switch to take advantage of all these distributed security capabilities without having to recreate segments via the NSX-T UI and migrate workloads between port groups.
- NSX-T 3.2 introduces the NSX Application platform which replaces the traditional NSX-T Intelligence appliance. VMware NSX Application Platform is a new container based solution introduced in NSX-T 3.2.0 that provides a highly available, resilient, scale out architecture to deliver a set of core platform services which enables several new NSX features.
- Some of the new features are currently made available as Tech Preview – Gateway Intrusion Detection/Prevention and TLS decryption/encryption
- User Identity-based Access Control – Gateway Firewall introduces the following additional User Identity Firewall capabilities:For deployments where Active Directory is used as the user authentication system, NSX leverages Active Directory logs.
- For all other authentication systems, NSX can now leverage vRealize Log Insight based logs to identify User Identity to IP address mapping.
- Enhanced set of L7 AppIDs – Gateway Firewall capabilities are enhanced to identify a more comprehensive number of Layer-7 applications.
- TLS Inspection for both inbound and outbound traffic (🔎Tech Preview; not for production deployments) – More and more traffic is getting encrypted on the network. With the TLS inspection feature, you can now leverage NSX Gateway Firewall to do deep-packet inspection and threat detection and prevention services for encrypted traffic as well.
- URL Filtering (includes categorization and reputation of URLs) – You can now control internet bound traffic based on the new URL Filtering feature. This feature allows you to control internet access based on the URL categories and as well as the reputation of the URLs. URL repository, including the categorization and reputation data, is updated on an ongoing basis for updated protection.
- Malware Analysis and Sandboxing support – NSX Gateway Firewall now provides malware detection from known as well as zero-day malware using advanced machine learning techniques and sandboxing capabilities. The known malware data is updated on an ongoing basis. (Please see known issue 2888658 before deploying in live production deployments.)
- Intrusion Detection and Prevention (🔎Tech Preview; not for production deployments) – For NSX Gateway Firewall, Intrusion Detection and Prevention capabilities (IPS) are introduced in a “Tech Preview” mode. You can try the feature set in non-production deployments.
New NSX Application Platform
- NSX Application Platform – VMware NSX Application Platform is a new container based solution introduced in NSX-T 3.2.0 that provides a highly available, resilient, scale out architecture to deliver a set of core platform services which enables several new NSX features such as:
- NSX Intelligence
- NSX Metrics
- NSX Network Detection and Response
- NSX Malware Prevention
The NSX Application Platform deployment process is fully orchestrated through the NSX UI and requires a supported Kubernetes environment. Refer to the Deploying and Managing the VMware NSX Application Platform guide for more information on the infrastructure prerequisites and requirements for installation.
Network Detection and Response
- VMware Network Detection and Response correlates IDPS, Malware and Anomaly events into intrusion campaigns that help identify threats and malicious activities on the network.
- Correlation into threat campaigns rather than events, which allows SOC operators to focus on triaging only a small set of actionable threats.
- Network Detection and Response collects IDPS events from Distributed IDPS, Malware events (malicious files only) from Gateway, and Network Anomaly events from NSX Intelligence.Gateway IDPS (Tech Preview) events are not collected by NSX Network Detection and Response in NSX-T 3.2.
- Network Detection and Response functionality runs in the cloud and is available in two cloud regions: US and EU.
- License Enforcement – NSX-T now ensures that users are license-compliant by restricting access to features based on license edition. New users are able to access only those features that are available in the edition that they have purchased. Existing users who have used features that are not in their license edition are restricted to only viewing the objects; create and edit will be disallowed.
- New Licenses – Added support for new VMware NSX Gateway Firewall and continues to support NSX Data Center licenses (Standard, Professional, Advanced, Enterprise Plus, Remote Office Branch Office) introduced in June 2018, and previous VMware NSX for vSphere license keys. See VMware knowledge base article 52462 for more information about NSX licenses.
Tech Preview Features
NSX-T Data Center 3.2 offers several features for your technical preview. Technical preview features are not supported by VMware for production use. They are not fully tested and some functionality might not work as expected. However, these previews help VMware improve current NSX-T functionality and develop future enhancements.
For details about these technical preview features, see the available documentation provided in the NSX-T Data Center 3.2 Administration Guide. Links are provided in the following list that briefly describes these technical preview features. The topics will have Technical Preview in their titles.
So many new capabilities in NSX-T 3.2.0 will definitely be keeping me busy with future blogs posts which will hopefully help other get some of these features enabled.