What’s New with NSX 6.4?
VMware’s latest version of NSX for vSphere, version 6.4.0, has just been released, bringing with it a number of changes to operations and security services, updates to the NSX interface and some enhancements to the Edge appliance.
For an incremental release, a lot of new features have been added.
- Identity Firewall
Identity Firewall (IDFW) now supports user sessions on remote desktop and application servers (RDSH), so NSX can apply rules per user on the same shared machine. This adds further micro-segmentation capability to Horizon, RDSH and Citrix environments.
- Distributed Firewall
NSX Distributed Firewall (DFW) previously worked with layer 2 to layer 4 rules; with this update some layer 7 functions have been added. Once upgraded, NSX can inspect inside the traffic flows, so application context can be used for micro-segmentation rules rather than just the port. New services have been added to make it easier to create rules based on applications.
Not all advanced firewall features have been added. For instance, there are no IDS or IPS features; a third-party security product is still leveraged for these. NSX Enterprise licensing is required to leverage the layer 7 capabilities in the new release.
Other improvements: DFW rules can now be created in a stateless fashion; AD integration allows selective synchronisation, speeding up AD updates; and Application Rule Manager (ARM) can recommend security groups and policies based on the new application ID. ARM was introduced in 6.3 and leverages real-time flow information to discover communications between applications, helping to build a security model around each application.
- User Interface
With this version, a new HTML5 plugin has been introduced to support the vSphere HTML Client. Features developed in HTML5 remain compatible with the vSphere Web Client to provide a seamless experience. This move aligns with other VMware products developing HTML5 interfaces.
- Upgrade Coordinator
The Upgrade Coordinator is a wizard-driven upgrade review of the NSX system. The admin chooses the upgrade type and the wizard guides the admin through the correct planning, reducing errors and increasing visibility into the upgrade process of each component.
- System Scale
A new feature added to the client, this provides a dashboard with visibility into the current system scale capacity for various objects within NSX. For instance, the dashboard lists the number of currently configured NSX hosts or the number of created Logical Switches alongside the maximum number of supported instances, showing the admin at a glance how close they are to the limit. Warnings and alerts can be configured when these limits are approaching or have been exceeded.
- Central CLI
A central CLI has been added for logical switch, distributed firewall and logical router functions to provide central access and troubleshooting.
- API Improvements
The REST API now supports JSON for API calls, giving the admin a choice between XML and JSON; XML remains the default. JSON is supported for POST, GET, PUT and DELETE operations.
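Because XML stays the default, a script opts into JSON per request through its headers. The following is an added example, not code from this post or from VMware, showing how an admin script can select either format when calling NSX Manager and then parse whichever format came back. The endpoint path, the credentials and the two sample reply bodies are illustrative assumptions; the real response schema is in the NSX API guide.

```python
"""Added example (not from the post or from VMware): call the NSX-v 6.4
REST API in either XML or JSON.  XML is the NSX default, so the format is
selected per request through the Accept and Content-Type headers.
Assumptions: the endpoint path, credentials and the sample bodies below are
illustrative; consult the NSX API guide for the real response schema."""
import base64
import json
import urllib.request
import xml.etree.ElementTree as ET

MEDIA_TYPES = {"xml": "application/xml", "json": "application/json"}


def headers_for(fmt="xml", username=None, password=None, has_body=False):
    """Headers that select the wire format: 'xml' is the NSX default, 'json'
    opts in.  Content-Type is only needed when the request carries a body
    (POST/PUT).  Basic auth is added when a username is given."""
    if fmt not in MEDIA_TYPES:
        raise ValueError("fmt must be 'xml' or 'json'")
    headers = {"Accept": MEDIA_TYPES[fmt]}
    if has_body:
        headers["Content-Type"] = MEDIA_TYPES[fmt]
    if username is not None:
        token = base64.b64encode(f"{username}:{password}".encode()).decode()
        headers["Authorization"] = f"Basic {token}"
    return headers


def build_request(manager, path, username, password, fmt="xml",
                  method="GET", body=None):
    """urllib Request for NSX Manager; the caller opens it with an SSL
    context that trusts the manager's certificate."""
    data = body.encode() if isinstance(body, str) else body
    hdrs = headers_for(fmt, username, password, has_body=data is not None)
    return urllib.request.Request(f"https://{manager}{path}", data=data,
                                  headers=hdrs, method=method)


def parse_rules(body, content_type):
    """Normalise a rule list from either format into a list of dicts so the
    rest of a script does not care which format NSX answered with.
    The element and key names here are a constructed illustration."""
    if content_type.startswith("application/json"):
        doc = json.loads(body)
        return [{"id": str(r["id"]), "name": r["name"], "action": r["action"]}
                for r in doc["rules"]]
    if content_type.startswith("application/xml"):
        root = ET.fromstring(body)
        return [{"id": r.get("id"), "name": r.findtext("name"),
                 "action": r.findtext("action")} for r in root.iter("rule")]
    raise ValueError(f"unexpected content type: {content_type}")


# Constructed sample replies: the same two rules in both formats.
SAMPLE_XML = """<rules>
  <rule id="1001"><name>web-to-app</name><action>allow</action></rule>
  <rule id="1002"><name>default</name><action>deny</action></rule>
</rules>"""
SAMPLE_JSON = json.dumps({"rules": [
    {"id": 1001, "name": "web-to-app", "action": "allow"},
    {"id": 1002, "name": "default", "action": "deny"}]})


def same_rules_either_format():
    """True when a script sees identical data whichever format it requested."""
    return (parse_rules(SAMPLE_XML, "application/xml")
            == parse_rules(SAMPLE_JSON, "application/json"))


if __name__ == "__main__":
    # Assumed endpoint path and placeholder host/credentials.
    req = build_request("nsxmgr.example.invalid",
                        "/api/4.0/firewall/globalroot-0/config",
                        "admin", "secret", fmt="json")
    print(req.full_url, req.get_method(), req.headers)
    print(parse_rules(SAMPLE_JSON, "application/json"))
    print("formats agree:", same_rules_either_format())
```

Keeping the format choice in one helper means a tooling change from XML to JSON is a single-argument change, and normalising the reply in `parse_rules` keeps the rest of an automation script independent of which format NSX answered with.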
- NSX Edge Enhancement
The Edge load balancer health check has been enhanced with three new health check monitors – DNS, LDAP and SQL – along with further enhancements to existing monitors. This provides deeper load balancing monitoring for more applications.
Generic Routing Encapsulation (GRE) is now supported in the Edge. GRE must be configured via the API initially and is supported on the ESG uplink interface only. Initially, only BGP over GRE is supported.
A new Support Bundle tab has been added to the UI to collect the required logs with a single click, after which they can easily be downloaded. Multiple syslog servers can now be configured; previously only one could be, and now up to five syslog servers are supported.
NAT64 facilitates communication between IPv6 and IPv4 hosts by using a form of NAT. Stateful NAT64 is supported, and only on ESG uplink interfaces.
As with all VMware upgrades, it is critical that the VMware Product Interoperability Matrix is consulted before proceeding. Review the documentation from VMware, including the published release notes, in case a specific upgrade issue has been reported. When upgrading NSX, a full NSX upgrade must be performed, including the host upgrade which updates the NSX host VIBs. Once upgraded, NSX cannot be downgraded, so a backup of NSX Manager is recommended before any upgrade.
vSphere 6.0 must be Update 2 or later and vSphere 6.5 must be 6.5a or later; critically, vSphere 5.5 is not supported with NSX 6.4.
NSX 6.4 continues VMware’s NSX vision to cover on-premises, EUC, support for the “New-App” framework and public cloud. This upgrade brings advanced micro-segmentation, ease of use and scalability as well as core feature enhancements, all from an incremental upgrade.
Additional features can simply be added following an upgrade realising a true benefit of running a Software Defined Network such as NSX.