This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Daniel_Kavan
MVP Gold
MVP Gold
‎2022-09-14 10:52 AM

VWMARE NSX vs R81.10

What does Check Point offer than NSX doesn't at this point?  I saw that NSX goes to layer 7 and has an IPS now.  I know we/Check Point are partners with NSX and have integration.  I just want some talking point ammunition since I want to use Check Point.  Thanks!

The AWS cloud integration with NSX makes cloud and on prem environments similiar.

2 Replies
Bob_Zimmerman
MVP Gold
MVP Gold
‎2022-09-14 12:42 PM

The biggest selling point of Check Point's software to me is the management.

NSX has deeply, deeply terrible rule lifecycle management tools. There's not a good way to find out who made a rule, when it was made, and so on. There's also no way to specify a source/destination/service of "None". New rules always start with "Any" in all those fields, and they're set to apply to Distributed Firewall. This all combines to form a "fun" problem: I have repeatedly found Any/Any/Any/Accept rules in my NSX policy, and nobody can tell me how they got there. Current speculation is somebody started making a rule, and some UI glitch dropped the modifications they were making to constrain the Any/Any/Any/Accept to the proper matching criteria. Check Point's audit logging is far more mature.

Last time I checked, each vCenter needs its own NSX manager, and you can't use dynamic matching criteria for VMs owned by another vCenter or for IP Sets. You can't say "All of this application's web servers should be able to talk to all of this application's database servers regardless of datacenter" in a simple way. It involves building a lot of manual objects and manually adding them to rules.

This next one is truly bizarre: in my testing, NSX has worse performance than sending frame out to a separate firewall then back to another VM on the same host. I have no idea how this can be the case, but my tests showed it very consistently. It's not a small performance gap either, it was something like half the throughput. I never got to dig very far into this, as I only got to test it after somebody else had already decided to purchase NSX.

Nir_Shamir
Employee Employee
Employee
‎2022-09-18 10:24 PM

The main thing is the management and logging which are more superior to the current NSX management and logs. and if you already have a Check Point Infrastructure then all your security comes together in one place.

of course we have numerous other Security features , other then IPS, like Anti-Malware , Anti-Bot etc. which in my opinion will secure your VMWARE environment better then what VMWARE currently has.

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events