Imperva Cyber Community

Hi everyone,

If we want to deploy virtual appliance as bridge mode on ESX, how should we configure virtual switches and port groups on ESX to pass traffic through the gateway without latency or other network issues?
#DatabaseActivityMonitoring
#On-PremisesWAF(formerlySecuresphere)
#AllImperva

------------------------------
cezmi çal
technical expert
Barikat Cyber Security
------------------------------

Hi Ceszmi

In general terms, you'd still use one interface for ingress (client side) and one interface for egress (server side) and simply use VLANs on your ESX vSwitches.

In our labs this is what we do, with an ingress VLAN connected to the ingress interface on the VM and the egress VLAN connected to the egress interface. Managing the traffic from a VLAN perspective on your vswitches then simply becomes a matter of standard software defined networking, which the networking team should be able to do as a matter of course.

As long as the traffic coming from your upstream device (firewall, edge router, etc) is tagged correctly and the downstream device(s) are set to accept the correct egress VLAN tags all should be good.

------------------------------
Stefan Pynappels
Escalation Engineer
Imperva
------------------------------

Original Message:
Sent: 11-20-2019 03:04
From: cezmi çal
Subject: Running Virtual Appliance as Bridge Mode on ESX

Hi everyone,

If we want to deploy virtual appliance as bridge mode on ESX, how should we configure virtual switches and port groups on ESX to pass traffic through the gateway without latency or other network issues?
#DatabaseActivityMonitoring
#On-PremisesWAF(formerlySecuresphere)
#AllImperva

------------------------------
cezmi çal
technical expert
Barikat Cyber Security
------------------------------

Hi Stefan,

Thanks for the general info about the issue. Actually what I wonder is that how should I configure distributed switch and port group security policies on ESX when VLAN tags are used on network. For example; is the images below also valid for Imperva?




------------------------------
cezmi çal
technical expert
Barikat Cyber Security
------------------------------

Original Message:
Sent: 11-20-2019 04:46
From: Stefan Pynappels
Subject: Running Virtual Appliance as Bridge Mode on ESX

Hi Ceszmi

In general terms, you'd still use one interface for ingress (client side) and one interface for egress (server side) and simply use VLANs on your ESX vSwitches.

In our labs this is what we do, with an ingress VLAN connected to the ingress interface on the VM and the egress VLAN connected to the egress interface. Managing the traffic from a VLAN perspective on your vswitches then simply becomes a matter of standard software defined networking, which the networking team should be able to do as a matter of course.

As long as the traffic coming from your upstream device (firewall, edge router, etc) is tagged correctly and the downstream device(s) are set to accept the correct egress VLAN tags all should be good.

------------------------------
Stefan Pynappels
Escalation Engineer
Imperva

Original Message:
Sent: 11-20-2019 03:04
From: cezmi çal
Subject: Running Virtual Appliance as Bridge Mode on ESX

Hi everyone,

If we want to deploy virtual appliance as bridge mode on ESX, how should we configure virtual switches and port groups on ESX to pass traffic through the gateway without latency or other network issues?
#DatabaseActivityMonitoring
#On-PremisesWAF(formerlySecuresphere)
#AllImperva

------------------------------
cezmi çal
technical expert
Barikat Cyber Security
------------------------------

Hi Cezmi,

For more information, please review: https://docs.imperva.com/bundle/v13.5-vmware-installation-guide/page/57605.htm

------------------------------
Jaired Anderson
Senior Professional Services Consultant
imperva
Tulsa OK
------------------------------

Original Message:
Sent: 11-20-2019 09:12
From: cezmi çal
Subject: Running Virtual Appliance as Bridge Mode on ESX

Hi Stefan,

Thanks for the general info about the issue. Actually what I wonder is that how should I configure distributed switch and port group security policies on ESX when VLAN tags are used on network. For example; is the images below also valid for Imperva?

------------------------------
cezmi çal
technical expert
Barikat Cyber Security

Original Message:
Sent: 11-20-2019 04:46
From: Stefan Pynappels
Subject: Running Virtual Appliance as Bridge Mode on ESX

Hi Ceszmi

In general terms, you'd still use one interface for ingress (client side) and one interface for egress (server side) and simply use VLANs on your ESX vSwitches.

In our labs this is what we do, with an ingress VLAN connected to the ingress interface on the VM and the egress VLAN connected to the egress interface. Managing the traffic from a VLAN perspective on your vswitches then simply becomes a matter of standard software defined networking, which the networking team should be able to do as a matter of course.

As long as the traffic coming from your upstream device (firewall, edge router, etc) is tagged correctly and the downstream device(s) are set to accept the correct egress VLAN tags all should be good.

------------------------------
Stefan Pynappels
Escalation Engineer
Imperva

Original Message:
Sent: 11-20-2019 03:04
From: cezmi çal
Subject: Running Virtual Appliance as Bridge Mode on ESX

Hi everyone,

If we want to deploy virtual appliance as bridge mode on ESX, how should we configure virtual switches and port groups on ESX to pass traffic through the gateway without latency or other network issues?
#DatabaseActivityMonitoring
#On-PremisesWAF(formerlySecuresphere)
#AllImperva

------------------------------
cezmi çal
technical expert
Barikat Cyber Security
------------------------------

Hi Jaired,

Thanks for the link. We deployed v2500 gw running with 13.5.0.20_0 as bridge-impha. We faced with slowness problem while accessing web servers behind the Imperva V2500. After disabling LRO on bridge interfaces, we solved the slowness problem. However, if we enable TRP for web services, we encounter stability issues about SSL connections. I have tried many different SSL settings, but the problem was not solved. Finally, I had to disable TRP.

Is there any known issue about TRP on virtual gateway?
​

------------------------------
cezmi çal
technical expert
Barikat Cyber Security
------------------------------

Original Message:
Sent: 11-21-2019 09:39
From: Jaired Anderson
Subject: Running Virtual Appliance as Bridge Mode on ESX

Hi Cezmi,

For more information, please review: https://docs.imperva.com/bundle/v13.5-vmware-installation-guide/page/57605.htm

------------------------------
Jaired Anderson
Senior Professional Services Consultant
imperva
Tulsa OK

Original Message:
Sent: 11-20-2019 09:12
From: cezmi çal
Subject: Running Virtual Appliance as Bridge Mode on ESX

Hi Stefan,

Thanks for the general info about the issue. Actually what I wonder is that how should I configure distributed switch and port group security policies on ESX when VLAN tags are used on network. For example; is the images below also valid for Imperva?

------------------------------
cezmi çal
technical expert
Barikat Cyber Security

Original Message:
Sent: 11-20-2019 04:46
From: Stefan Pynappels
Subject: Running Virtual Appliance as Bridge Mode on ESX

Hi Ceszmi

In general terms, you'd still use one interface for ingress (client side) and one interface for egress (server side) and simply use VLANs on your ESX vSwitches.

In our labs this is what we do, with an ingress VLAN connected to the ingress interface on the VM and the egress VLAN connected to the egress interface. Managing the traffic from a VLAN perspective on your vswitches then simply becomes a matter of standard software defined networking, which the networking team should be able to do as a matter of course.

As long as the traffic coming from your upstream device (firewall, edge router, etc) is tagged correctly and the downstream device(s) are set to accept the correct egress VLAN tags all should be good.

------------------------------
Stefan Pynappels
Escalation Engineer
Imperva

Original Message:
Sent: 11-20-2019 03:04
From: cezmi çal
Subject: Running Virtual Appliance as Bridge Mode on ESX

Hi everyone,

If we want to deploy virtual appliance as bridge mode on ESX, how should we configure virtual switches and port groups on ESX to pass traffic through the gateway without latency or other network issues?
#DatabaseActivityMonitoring
#On-PremisesWAF(formerlySecuresphere)
#AllImperva

------------------------------
cezmi çal
technical expert
Barikat Cyber Security
------------------------------