When deploying the Palo Alto Networks NGFW on NSX, do packets from an application VM go through the NSX firewall?

The correct answer indicates that packets from an application VM go through both the NSX firewall and the Palo Alto Networks NGFW before traveling to the vSwitch and out to the network. This reflects a deployment architecture where the firewall functions are layered for enhanced security.

In this setup, the application VM communicates with the NSX firewall first. The NSX firewall performs its primary role in inspecting and filtering the traffic according to defined security policies. After passing through the NSX firewall, traffic reaches the Palo Alto Networks NGFW for further deep packet inspection, threat prevention, and additional advanced security features. This dual-layer approach allows organizations to leverage the strengths of both the NSX firewall and the Palo Alto Networks NGFW, ensuring multiple levels of security inspection and control.

Deploying the firewall in this manner also helps in managing complex security policies and addressing specific use cases within a virtualized environment, aligning with the best practices of securing application traffic.

The combination of both firewalls enhances overall security, which is particularly important in environments where data protection and threat detection are paramount. The answer recognizes this layered defense strategy within a hybrid firewall solution.