In January 2018, VMware® announced the release of VMware NSX® 6.4. You may be forgiven for thinking that this is just another minor release, but NSX 6.4 has several new headline features which customers have been requesting for a while. In this blog I highlight two, that in my opinion, will make difference to how NSX is deployed and adopted.

Network flow app detection and enforcement at Layer 7

NSX version 6.30 brought with it the ability to look inside the VM at the application using Endpoint monitoring, however, until this latest release NSX has not been able to construct firewall rules based solely around the application. NSX 6.4 has the ability to do network flow app detection and enforcement at Layer 7; which is great but what does this really mean?

Let’s look at a quick example, a customer might be blocking SSH across their estate, to do this prior to version 6.4, you would create a rule to block port TCP/22, if anything tried to connect or listen on port TCP/22 it would be blocked by the NSX Distributed Firewall. However, if the user or malware changed the SSH port from its default of TCP/22 it would now not be blocked by the rule as its not on the expected port and therefore not a match.

With this release, NSX now negates that threat with the ability to inspect at Layer 7, meaning you can create distributed firewall rules for several pre-determined applications, therefore creating a block rule purely based around the application SSH rather than its port (TCP/22). NSX 6.4 will come packaged with support for several pre-defined applications out- of-the-box and I suspect VMware will be expanding this list in future versions.

Virtual Desktop and Remote (RDSH) Session Security per User

This feature has been long overdue, but it has been dependant on the Layer 7 functionality discussed above.

The NSX Identity Firewall has, for me, always been the poor cousin when exploring the NSX feature set, it kind of did what you expected but at the same time for most customer use cases it didn’t. That’s because until the 6.4 release if you used the NSX Identity Firewall to apply a firewall rule, it could only apply those rules to a single user per VM, this ruled out the majority of use cases such as securing Citrix or RDS servers using the NSX Identity Firewall.

With the addition of Layer 7 support with the NSX Distributed Firewall we can now detect the user’s identities at source and therefore have multiple different firewall rules applied to multiple users on the same VM. This is a very welcome addition and I know a lot of customers will be looking forward to finally being able to implement the NSX Identity Firewall fully across their Citrix or RDS estate.

Other Features

VMware have managed to package in quite a few new features in this version of NSX such as support for BGP and static routing over GRE tunnels, the packet capture tool now has a UI and an upgrade co-ordinator to help with the planning and execution of your NSX upgrades.

This release addresses a number of specific customer bugs and resolves some key issues from previous versions which I feel will make a significant difference to customer environments running NSX.  For a full list of changes please refer to the VMware NSX Release Notes

Xtravirt is a leading VMware NSX specialist and has the ultimate combination of deep experience and agility to design and deliver your IT transformation. If you’re interested in exploring Network Virtualization but are not sure where to start, contact us, and we’d be happy to use our wealth of knowledge and experience to assist you.

To find out more visit: