VMware NSX vs R81.10

What does Check Point offer that NSX doesn't at this point? I saw that NSX goes to layer 7 and has an IPS now. I know we/Check Point are partners with NSX and have integration. I just want some talking point ammunition since I want to use Check Point. Thanks!

The AWS cloud integration with NSX makes cloud and on-prem environments similar.

2 Replies

The biggest selling point of Check Point's software to me is the management.

NSX has deeply, deeply terrible rule lifecycle management tools. There's not a good way to find out who made a rule, when it was made, and so on. There's also no way to specify a source/destination/service of "None". New rules always start with "Any" in all those fields, and they're set to apply to Distributed Firewall. This all combines to form a "fun" problem: I have repeatedly found Any/Any/Any/Accept rules in my NSX policy, and nobody can tell me how they got there. Current speculation is somebody started making a rule, and some UI glitch dropped the modifications they were making to constrain the Any/Any/Any/Accept to the proper matching criteria. Check Point's audit logging is far more mature.

Last time I checked, each vCenter needs its own NSX manager, and you can't use dynamic matching criteria for VMs owned by another vCenter or for IP Sets. You can't say "All of this application's web servers should be able to talk to all of this application's database servers regardless of datacenter" in a simple way. It involves building a lot of manual objects and manually adding them to rules.

This next one is truly bizarre: in my testing, NSX has worse performance than sending a frame out to a separate firewall and then back to another VM on the same host. I have no idea how this can be the case, but my tests showed it very consistently. It's not a small performance gap either; it was something like half the throughput. I never got to dig very far into this, as I only got to test it after somebody else had already decided to purchase NSX.


The main thing is the management and logging, which are superior to the current NSX management and logs. And if you already have a Check Point infrastructure, then all your security comes together in one place.

Of course we have numerous other security features, other than IPS, like Anti-Malware, Anti-Bot, etc., which in my opinion will secure your VMware environment better than what VMware currently has.