MikeB
Advisor

CloudGuard for VMware ESXi

I'm looking for some advice from the community on how to protect a small DC environment with VMs on a VMware vSphere ESXi hypervisor (not vCenter, and much less NSX). I know the right product would be CloudGuard for VMware ESXi, but I would like to know the following:

  1. Would implementing this be like putting in a perimeter firewall, where VMs need to point their default gateway to this CloudGuard VM to be inspected/protected?
  2. Regarding lateral movement, is it possible to protect communications between VMs in the same segment within the host where CloudGuard is installed (without the need for NSX or vCenter), maybe by deploying CloudGuard in Layer 2?

Thank you for your comments

HeikoAnkenbrand
Champion

Hi @MikeB 

You can use the CloudGuard image for NSX or a normal R80.40 installation image. The CloudGuard image for NSX contains only CloudGuard Controller 2.0, which allows you to import cloud objects into SmartConsole.

To your question, I would always use a dedicated management interface.

Layer 2 is not so good, because the VMware interface (vSwitch) has to be set to promiscuous mode. This may cause L2 spanning tree problems.

➜ CCSM Elite, CCME, CCTE

PhoneBoy
Admin

I run CloudGuard IaaS on bare metal ESXi just fine.
To get full protection from lateral movement in Layer 2, you do unfortunately need to use NSX-T.

MikeB
Advisor

Thank you @HeikoAnkenbrand and @PhoneBoy. It's clearer to me now.
