Network & Security VMUG Community

Good morning everyone, I'd like to know if you or your customers are using NSX and a third-party solution for Network Introspection (such as Check Point CloudGuard for IaaS, Juniper vSRX for NSX or Palo Alto VM-Series for NSX).

If so, does NSX manages the L2 @ L4 layers (DFW) and the 3rd-party the L4 @ L7 + Advanced Threat Protection (ATP)? Or does the 3rd-party solution handle all micro-segmentation traffic + ATP?

What were your use cases?
What is your topology (main site + n DR sites), active / active sites, VxLAN (Network Overlay), etc.
What were your operational, administrative and governance impacts?
What were the estimated and realized benefits?
What were your irritants or "show stoppers"?
Have you worked with a partner or solution manufacturer directly (Professional Services)?
Estimated time of realization + reality?
What is your level of satisfaction (micro-seg + Network Introspection) after deployment?

I am trying to know and understand the market and not reinvent the wheel. This won't make of me an SME nor an expert but wil help me plan the road ahead and put the efforts at the right places.

You can reply directly on this forum or privately to lm.astudillo@sc-aigs.com.

By professionalism, all the answers that are addressed to me directly will not be published or made public.

------------------------------
Luis Miguel Astudillo
Conseiller en architecture TI / IT Architect
Services Conseils AIGS Inc.
Tel: 514-213-6270
Email: lm.astudillo@sc-aigs.com
------------------------------

Interesting, no replies whatsoever, is it because no ONE uses NSX and VMware is sending FAKE NEWS about having 7500 NSX clients? or no one is interested in replying ?


------------------------------
Luis Miguel Astudillo
Conseiller en architecture TI / IT Architect
Services Conseils AIGS Inc.
Tel: 514-213-6270
Email: lm.astudillo@sc-aigs.com
------------------------------

Original Message:
Sent: 12-20-2018 09:57 AM
From: Luis Miguel Astudillo
Subject: NSX DFW + Network Introspection

Good morning everyone, I'd like to know if you or your customers are using NSX and a third-party solution for Network Introspection (such as Check Point CloudGuard for IaaS, Juniper vSRX for NSX or Palo Alto VM-Series for NSX).

If so, does NSX manages the L2 @ L4 layers (DFW) and the 3rd-party the L4 @ L7 + Advanced Threat Protection (ATP)? Or does the 3rd-party solution handle all micro-segmentation traffic + ATP?

What were your use cases?
What is your topology (main site + n DR sites), active / active sites, VxLAN (Network Overlay), etc.
What were your operational, administrative and governance impacts?
What were the estimated and realized benefits?
What were your irritants or "show stoppers"?
Have you worked with a partner or solution manufacturer directly (Professional Services)?
Estimated time of realization + reality?
What is your level of satisfaction (micro-seg + Network Introspection) after deployment?

I am trying to know and understand the market and not reinvent the wheel. This won't make of me an SME nor an expert but wil help me plan the road ahead and put the efforts at the right places.

You can reply directly on this forum or privately to lm.astudillo@sc-aigs.com.

By professionalism, all the answers that are addressed to me directly will not be published or made public.

------------------------------
Luis Miguel Astudillo
Conseiller en architecture TI / IT Architect
Services Conseils AIGS Inc.
Tel: 514-213-6270
Email: lm.astudillo@sc-aigs.com
------------------------------

Hi Luis,

We have NSX implemented for both Horizon Desktop Cluster and also general Compute Cluster.  Both of these environments are leveraging the DFW for Micro Segmentation and Guest Introspection for agent less AV/Malware.  Network Introspection is not being leveraged at this time due to vendor support.  Once the functionality is available from Cisco, we will look at implementing.

Thanks,

------------------------------
Chad Carter
Enterprise Architect
Sault Area Hospital
Sault Ste Marie ON
------------------------------

Original Message:
Sent: 01-07-2019 11:31 AM
From: Luis Miguel Astudillo
Subject: NSX DFW + Network Introspection

Interesting, no replies whatsoever, is it because no ONE uses NSX and VMware is sending FAKE NEWS about having 7500 NSX clients? or no one is interested in replying ?


------------------------------
Luis Miguel Astudillo
Conseiller en architecture TI / IT Architect
Services Conseils AIGS Inc.
Tel: 514-213-6270
Email: lm.astudillo@sc-aigs.com

Original Message:
Sent: 12-20-2018 09:57 AM
From: Luis Miguel Astudillo
Subject: NSX DFW + Network Introspection

Good morning everyone, I'd like to know if you or your customers are using NSX and a third-party solution for Network Introspection (such as Check Point CloudGuard for IaaS, Juniper vSRX for NSX or Palo Alto VM-Series for NSX).

If so, does NSX manages the L2 @ L4 layers (DFW) and the 3rd-party the L4 @ L7 + Advanced Threat Protection (ATP)? Or does the 3rd-party solution handle all micro-segmentation traffic + ATP?

What were your use cases?
What is your topology (main site + n DR sites), active / active sites, VxLAN (Network Overlay), etc.
What were your operational, administrative and governance impacts?
What were the estimated and realized benefits?
What were your irritants or "show stoppers"?
Have you worked with a partner or solution manufacturer directly (Professional Services)?
Estimated time of realization + reality?
What is your level of satisfaction (micro-seg + Network Introspection) after deployment?

I am trying to know and understand the market and not reinvent the wheel. This won't make of me an SME nor an expert but wil help me plan the road ahead and put the efforts at the right places.

You can reply directly on this forum or privately to lm.astudillo@sc-aigs.com.

By professionalism, all the answers that are addressed to me directly will not be published or made public.

------------------------------
Luis Miguel Astudillo
Conseiller en architecture TI / IT Architect
Services Conseils AIGS Inc.
Tel: 514-213-6270
Email: lm.astudillo@sc-aigs.com
------------------------------

Thank you Chad, only one reply - doesn't bode well.  Really expected more replies.

Cheers from Montréal.

------------------------------
Luis Miguel Astudillo
Conseiller en architecture TI / IT Architect
Services Conseils AIGS Inc.
Tel: 514-213-6270
Email: lm.astudillo@sc-aigs.com
------------------------------

Original Message:
Sent: 01-08-2019 11:55 AM
From: Chad Carter
Subject: NSX DFW + Network Introspection

Hi Luis,

We have NSX implemented for both Horizon Desktop Cluster and also general Compute Cluster.  Both of these environments are leveraging the DFW for Micro Segmentation and Guest Introspection for agent less AV/Malware.  Network Introspection is not being leveraged at this time due to vendor support.  Once the functionality is available from Cisco, we will look at implementing.

Thanks,

------------------------------
Chad Carter
Enterprise Architect
Sault Area Hospital
Sault Ste Marie ON

Original Message:
Sent: 01-07-2019 11:31 AM
From: Luis Miguel Astudillo
Subject: NSX DFW + Network Introspection

Interesting, no replies whatsoever, is it because no ONE uses NSX and VMware is sending FAKE NEWS about having 7500 NSX clients? or no one is interested in replying ?


------------------------------
Luis Miguel Astudillo
Conseiller en architecture TI / IT Architect
Services Conseils AIGS Inc.
Tel: 514-213-6270
Email: lm.astudillo@sc-aigs.com

Original Message:
Sent: 12-20-2018 09:57 AM
From: Luis Miguel Astudillo
Subject: NSX DFW + Network Introspection

Good morning everyone, I'd like to know if you or your customers are using NSX and a third-party solution for Network Introspection (such as Check Point CloudGuard for IaaS, Juniper vSRX for NSX or Palo Alto VM-Series for NSX).

If so, does NSX manages the L2 @ L4 layers (DFW) and the 3rd-party the L4 @ L7 + Advanced Threat Protection (ATP)? Or does the 3rd-party solution handle all micro-segmentation traffic + ATP?

What were your use cases?
What is your topology (main site + n DR sites), active / active sites, VxLAN (Network Overlay), etc.
What were your operational, administrative and governance impacts?
What were the estimated and realized benefits?
What were your irritants or "show stoppers"?
Have you worked with a partner or solution manufacturer directly (Professional Services)?
Estimated time of realization + reality?
What is your level of satisfaction (micro-seg + Network Introspection) after deployment?

I am trying to know and understand the market and not reinvent the wheel. This won't make of me an SME nor an expert but wil help me plan the road ahead and put the efforts at the right places.

You can reply directly on this forum or privately to lm.astudillo@sc-aigs.com.

By professionalism, all the answers that are addressed to me directly will not be published or made public.

------------------------------
Luis Miguel Astudillo
Conseiller en architecture TI / IT Architect
Services Conseils AIGS Inc.
Tel: 514-213-6270
Email: lm.astudillo@sc-aigs.com
------------------------------

I have implemented NSX before using Checkpoint and Palo Alto, but only for Firewalls not for network introspection. We have also used Symantec for the agentless AV. I know a few NSX customers, but many don't use the third party tools and don't know any that are doing network introspection at this time.

-Manuel

------------------------------
Manuel Martinez
Engineer
MacStadium
Las Vegas NV
------------------------------

Original Message:
Sent: 01-08-2019 01:43 PM
From: Luis Miguel Astudillo
Subject: NSX DFW + Network Introspection

Thank you Chad, only one reply - doesn't bode well.  Really expected more replies.

Cheers from Montréal.

------------------------------
Luis Miguel Astudillo
Conseiller en architecture TI / IT Architect
Services Conseils AIGS Inc.
Tel: 514-213-6270
Email: lm.astudillo@sc-aigs.com

Original Message:
Sent: 01-08-2019 11:55 AM
From: Chad Carter
Subject: NSX DFW + Network Introspection

Hi Luis,

We have NSX implemented for both Horizon Desktop Cluster and also general Compute Cluster.  Both of these environments are leveraging the DFW for Micro Segmentation and Guest Introspection for agent less AV/Malware.  Network Introspection is not being leveraged at this time due to vendor support.  Once the functionality is available from Cisco, we will look at implementing.

Thanks,

------------------------------
Chad Carter
Enterprise Architect
Sault Area Hospital
Sault Ste Marie ON

Original Message:
Sent: 01-07-2019 11:31 AM
From: Luis Miguel Astudillo
Subject: NSX DFW + Network Introspection

Interesting, no replies whatsoever, is it because no ONE uses NSX and VMware is sending FAKE NEWS about having 7500 NSX clients? or no one is interested in replying ?


------------------------------
Luis Miguel Astudillo
Conseiller en architecture TI / IT Architect
Services Conseils AIGS Inc.
Tel: 514-213-6270
Email: lm.astudillo@sc-aigs.com

Original Message:
Sent: 12-20-2018 09:57 AM
From: Luis Miguel Astudillo
Subject: NSX DFW + Network Introspection

Good morning everyone, I'd like to know if you or your customers are using NSX and a third-party solution for Network Introspection (such as Check Point CloudGuard for IaaS, Juniper vSRX for NSX or Palo Alto VM-Series for NSX).

If so, does NSX manages the L2 @ L4 layers (DFW) and the 3rd-party the L4 @ L7 + Advanced Threat Protection (ATP)? Or does the 3rd-party solution handle all micro-segmentation traffic + ATP?

What were your use cases?
What is your topology (main site + n DR sites), active / active sites, VxLAN (Network Overlay), etc.
What were your operational, administrative and governance impacts?
What were the estimated and realized benefits?
What were your irritants or "show stoppers"?
Have you worked with a partner or solution manufacturer directly (Professional Services)?
Estimated time of realization + reality?
What is your level of satisfaction (micro-seg + Network Introspection) after deployment?

I am trying to know and understand the market and not reinvent the wheel. This won't make of me an SME nor an expert but wil help me plan the road ahead and put the efforts at the right places.

You can reply directly on this forum or privately to lm.astudillo@sc-aigs.com.

By professionalism, all the answers that are addressed to me directly will not be published or made public.

------------------------------
Luis Miguel Astudillo
Conseiller en architecture TI / IT Architect
Services Conseils AIGS Inc.
Tel: 514-213-6270
Email: lm.astudillo@sc-aigs.com
------------------------------

THank you for the feedback Manuel.

Cheers.

------------------------------
Luis Miguel Astudillo
Conseiller en architecture TI / IT Architect
Services Conseils AIGS Inc.
Tel: 514-213-6270
Email: lm.astudillo@sc-aigs.com
------------------------------

Original Message:
Sent: 01-09-2019 12:04 PM
From: Manuel Martinez
Subject: NSX DFW + Network Introspection

I have implemented NSX before using Checkpoint and Palo Alto, but only for Firewalls not for network introspection. We have also used Symantec for the agentless AV. I know a few NSX customers, but many don't use the third party tools and don't know any that are doing network introspection at this time.

-Manuel

------------------------------
Manuel Martinez
Engineer
MacStadium
Las Vegas NV

Original Message:
Sent: 01-08-2019 01:43 PM
From: Luis Miguel Astudillo
Subject: NSX DFW + Network Introspection

Thank you Chad, only one reply - doesn't bode well.  Really expected more replies.

Cheers from Montréal.

------------------------------
Luis Miguel Astudillo
Conseiller en architecture TI / IT Architect
Services Conseils AIGS Inc.
Tel: 514-213-6270
Email: lm.astudillo@sc-aigs.com

Original Message:
Sent: 01-08-2019 11:55 AM
From: Chad Carter
Subject: NSX DFW + Network Introspection

Hi Luis,

We have NSX implemented for both Horizon Desktop Cluster and also general Compute Cluster.  Both of these environments are leveraging the DFW for Micro Segmentation and Guest Introspection for agent less AV/Malware.  Network Introspection is not being leveraged at this time due to vendor support.  Once the functionality is available from Cisco, we will look at implementing.

Thanks,

------------------------------
Chad Carter
Enterprise Architect
Sault Area Hospital
Sault Ste Marie ON

Original Message:
Sent: 01-07-2019 11:31 AM
From: Luis Miguel Astudillo
Subject: NSX DFW + Network Introspection

Interesting, no replies whatsoever, is it because no ONE uses NSX and VMware is sending FAKE NEWS about having 7500 NSX clients? or no one is interested in replying ?


------------------------------
Luis Miguel Astudillo
Conseiller en architecture TI / IT Architect
Services Conseils AIGS Inc.
Tel: 514-213-6270
Email: lm.astudillo@sc-aigs.com

Original Message:
Sent: 12-20-2018 09:57 AM
From: Luis Miguel Astudillo
Subject: NSX DFW + Network Introspection

Good morning everyone, I'd like to know if you or your customers are using NSX and a third-party solution for Network Introspection (such as Check Point CloudGuard for IaaS, Juniper vSRX for NSX or Palo Alto VM-Series for NSX).

If so, does NSX manages the L2 @ L4 layers (DFW) and the 3rd-party the L4 @ L7 + Advanced Threat Protection (ATP)? Or does the 3rd-party solution handle all micro-segmentation traffic + ATP?

What were your use cases?
What is your topology (main site + n DR sites), active / active sites, VxLAN (Network Overlay), etc.
What were your operational, administrative and governance impacts?
What were the estimated and realized benefits?
What were your irritants or "show stoppers"?
Have you worked with a partner or solution manufacturer directly (Professional Services)?
Estimated time of realization + reality?
What is your level of satisfaction (micro-seg + Network Introspection) after deployment?

I am trying to know and understand the market and not reinvent the wheel. This won't make of me an SME nor an expert but wil help me plan the road ahead and put the efforts at the right places.

You can reply directly on this forum or privately to lm.astudillo@sc-aigs.com.

By professionalism, all the answers that are addressed to me directly will not be published or made public.

------------------------------
Luis Miguel Astudillo
Conseiller en architecture TI / IT Architect
Services Conseils AIGS Inc.
Tel: 514-213-6270
Email: lm.astudillo@sc-aigs.com
------------------------------

​Hello Luis,

We use NSX and had professional services help us in setting up our environment.  I would highly recommend you have someone help, makes it easier for implementation and troubleshooting any issues you might encounter.  Hope this helps.

------------------------------
Julio Arevalo
Manager, System Engineering
Alliant Credit Union
Chicago IL
------------------------------

Original Message:
Sent: 01-08-2019 11:55 AM
From: Chad Carter
Subject: NSX DFW + Network Introspection

Hi Luis,

We have NSX implemented for both Horizon Desktop Cluster and also general Compute Cluster.  Both of these environments are leveraging the DFW for Micro Segmentation and Guest Introspection for agent less AV/Malware.  Network Introspection is not being leveraged at this time due to vendor support.  Once the functionality is available from Cisco, we will look at implementing.

Thanks,

------------------------------
Chad Carter
Enterprise Architect
Sault Area Hospital
Sault Ste Marie ON

Original Message:
Sent: 01-07-2019 11:31 AM
From: Luis Miguel Astudillo
Subject: NSX DFW + Network Introspection

Interesting, no replies whatsoever, is it because no ONE uses NSX and VMware is sending FAKE NEWS about having 7500 NSX clients? or no one is interested in replying ?


------------------------------
Luis Miguel Astudillo
Conseiller en architecture TI / IT Architect
Services Conseils AIGS Inc.
Tel: 514-213-6270
Email: lm.astudillo@sc-aigs.com

Original Message:
Sent: 12-20-2018 09:57 AM
From: Luis Miguel Astudillo
Subject: NSX DFW + Network Introspection

Good morning everyone, I'd like to know if you or your customers are using NSX and a third-party solution for Network Introspection (such as Check Point CloudGuard for IaaS, Juniper vSRX for NSX or Palo Alto VM-Series for NSX).

If so, does NSX manages the L2 @ L4 layers (DFW) and the 3rd-party the L4 @ L7 + Advanced Threat Protection (ATP)? Or does the 3rd-party solution handle all micro-segmentation traffic + ATP?

What were your use cases?
What is your topology (main site + n DR sites), active / active sites, VxLAN (Network Overlay), etc.
What were your operational, administrative and governance impacts?
What were the estimated and realized benefits?
What were your irritants or "show stoppers"?
Have you worked with a partner or solution manufacturer directly (Professional Services)?
Estimated time of realization + reality?
What is your level of satisfaction (micro-seg + Network Introspection) after deployment?

I am trying to know and understand the market and not reinvent the wheel. This won't make of me an SME nor an expert but wil help me plan the road ahead and put the efforts at the right places.

You can reply directly on this forum or privately to lm.astudillo@sc-aigs.com.

By professionalism, all the answers that are addressed to me directly will not be published or made public.

------------------------------
Luis Miguel Astudillo
Conseiller en architecture TI / IT Architect
Services Conseils AIGS Inc.
Tel: 514-213-6270
Email: lm.astudillo@sc-aigs.com
------------------------------

Hi Luis,
we are a VMWARE-Partner and also doing PSO for our customers...

Implementing third-party solutions in NSX environments is a common task on our site, both the GuestIntrospection with agentless AntiMalware same as NetworkIntrospection with virtual patching like TrendMicro DeepSecurity does...

If you are interested in direct contact to discuss - I´ll appreciate it.

We have mostly not the biggest implementations but very advanced configurations for our customers.

KR Peter

------------------------------
Peter Hirschbeck
Senior Consultant & IT-Architect
Profi Engineering Systems AG
Munich
------------------------------

Original Message:
Sent: 01-09-2019 11:37 AM
From: Julio Arevalo
Subject: NSX DFW + Network Introspection

​Hello Luis,

We use NSX and had professional services help us in setting up our environment.  I would highly recommend you have someone help, makes it easier for implementation and troubleshooting any issues you might encounter.  Hope this helps.

------------------------------
Julio Arevalo
Manager, System Engineering
Alliant Credit Union
Chicago IL

Original Message:
Sent: 01-08-2019 11:55 AM
From: Chad Carter
Subject: NSX DFW + Network Introspection

Hi Luis,

We have NSX implemented for both Horizon Desktop Cluster and also general Compute Cluster.  Both of these environments are leveraging the DFW for Micro Segmentation and Guest Introspection for agent less AV/Malware.  Network Introspection is not being leveraged at this time due to vendor support.  Once the functionality is available from Cisco, we will look at implementing.

Thanks,

------------------------------
Chad Carter
Enterprise Architect
Sault Area Hospital
Sault Ste Marie ON

Original Message:
Sent: 01-07-2019 11:31 AM
From: Luis Miguel Astudillo
Subject: NSX DFW + Network Introspection

Interesting, no replies whatsoever, is it because no ONE uses NSX and VMware is sending FAKE NEWS about having 7500 NSX clients? or no one is interested in replying ?


------------------------------
Luis Miguel Astudillo
Conseiller en architecture TI / IT Architect
Services Conseils AIGS Inc.
Tel: 514-213-6270
Email: lm.astudillo@sc-aigs.com

Original Message:
Sent: 12-20-2018 09:57 AM
From: Luis Miguel Astudillo
Subject: NSX DFW + Network Introspection

Good morning everyone, I'd like to know if you or your customers are using NSX and a third-party solution for Network Introspection (such as Check Point CloudGuard for IaaS, Juniper vSRX for NSX or Palo Alto VM-Series for NSX).

If so, does NSX manages the L2 @ L4 layers (DFW) and the 3rd-party the L4 @ L7 + Advanced Threat Protection (ATP)? Or does the 3rd-party solution handle all micro-segmentation traffic + ATP?

What were your use cases?
What is your topology (main site + n DR sites), active / active sites, VxLAN (Network Overlay), etc.
What were your operational, administrative and governance impacts?
What were the estimated and realized benefits?
What were your irritants or "show stoppers"?
Have you worked with a partner or solution manufacturer directly (Professional Services)?
Estimated time of realization + reality?
What is your level of satisfaction (micro-seg + Network Introspection) after deployment?

I am trying to know and understand the market and not reinvent the wheel. This won't make of me an SME nor an expert but wil help me plan the road ahead and put the efforts at the right places.

You can reply directly on this forum or privately to lm.astudillo@sc-aigs.com.

By professionalism, all the answers that are addressed to me directly will not be published or made public.

------------------------------
Luis Miguel Astudillo
Conseiller en architecture TI / IT Architect
Services Conseils AIGS Inc.
Tel: 514-213-6270
Email: lm.astudillo@sc-aigs.com
------------------------------

Hi Julio, I have no issues with NSX, have my own lab and it works at my client on-prem when you follow the NSX VVD, but it is the Network Introspection part that is tricky and not many people seam to have or want to share their experience.

Sorry for replying so late, was away on business.

------------------------------
Luis Miguel Astudillo
Conseiller en architecture TI / IT Architect
Services Conseils AIGS Inc.
Tel: 514-213-6270
Email: lm.astudillo@sc-aigs.com
------------------------------

Original Message:
Sent: 01-09-2019 11:37 AM
From: Julio Arevalo
Subject: NSX DFW + Network Introspection

​Hello Luis,

We use NSX and had professional services help us in setting up our environment.  I would highly recommend you have someone help, makes it easier for implementation and troubleshooting any issues you might encounter.  Hope this helps.

------------------------------
Julio Arevalo
Manager, System Engineering
Alliant Credit Union
Chicago IL

Original Message:
Sent: 01-08-2019 11:55 AM
From: Chad Carter
Subject: NSX DFW + Network Introspection

Hi Luis,

We have NSX implemented for both Horizon Desktop Cluster and also general Compute Cluster.  Both of these environments are leveraging the DFW for Micro Segmentation and Guest Introspection for agent less AV/Malware.  Network Introspection is not being leveraged at this time due to vendor support.  Once the functionality is available from Cisco, we will look at implementing.

Thanks,

------------------------------
Chad Carter
Enterprise Architect
Sault Area Hospital
Sault Ste Marie ON

Original Message:
Sent: 01-07-2019 11:31 AM
From: Luis Miguel Astudillo
Subject: NSX DFW + Network Introspection

Interesting, no replies whatsoever, is it because no ONE uses NSX and VMware is sending FAKE NEWS about having 7500 NSX clients? or no one is interested in replying ?


------------------------------
Luis Miguel Astudillo
Conseiller en architecture TI / IT Architect
Services Conseils AIGS Inc.
Tel: 514-213-6270
Email: lm.astudillo@sc-aigs.com

Original Message:
Sent: 12-20-2018 09:57 AM
From: Luis Miguel Astudillo
Subject: NSX DFW + Network Introspection

Good morning everyone, I'd like to know if you or your customers are using NSX and a third-party solution for Network Introspection (such as Check Point CloudGuard for IaaS, Juniper vSRX for NSX or Palo Alto VM-Series for NSX).

If so, does NSX manages the L2 @ L4 layers (DFW) and the 3rd-party the L4 @ L7 + Advanced Threat Protection (ATP)? Or does the 3rd-party solution handle all micro-segmentation traffic + ATP?

What were your use cases?
What is your topology (main site + n DR sites), active / active sites, VxLAN (Network Overlay), etc.
What were your operational, administrative and governance impacts?
What were the estimated and realized benefits?
What were your irritants or "show stoppers"?
Have you worked with a partner or solution manufacturer directly (Professional Services)?
Estimated time of realization + reality?
What is your level of satisfaction (micro-seg + Network Introspection) after deployment?

I am trying to know and understand the market and not reinvent the wheel. This won't make of me an SME nor an expert but wil help me plan the road ahead and put the efforts at the right places.

You can reply directly on this forum or privately to lm.astudillo@sc-aigs.com.

By professionalism, all the answers that are addressed to me directly will not be published or made public.

------------------------------
Luis Miguel Astudillo
Conseiller en architecture TI / IT Architect
Services Conseils AIGS Inc.
Tel: 514-213-6270
Email: lm.astudillo@sc-aigs.com
------------------------------

​Luis,

There are new functions in 6.4 which provide some L4-7 and context aware micro-segmentation out of the box. However, there are several tools that come with some substantial cost from third parties that do contain functionality that allow you to either replace or enhance, the out of box L2-4 functions of NSX.

We have implemented some of this in our development NSX environment and are in the process of bringing our production environment up. Whether you go with the out of box function, or go with Palo Alto, Trend Micro or the other Network Introspection enhanced services, the biggest challenges that I find we face, and all companies are facing, is operationalizing NSX management. Network engineers understand what the product SAYS it can do, but finding either the time, or having the willingness to not spend time on a Cisco or Juniper console and transfer that knowledge to NSX is difficult.

It almost has to be a top-down push to get adoption. As an architect, this is part of the nature of the job, be progressive on new technologies, learn, understand... but often people want to twist the knobs and push the buttons as they always have and resist change.

That being said, my first recommendation is get the idea of micro-segmentation at L2-4 and the context aware L4-7 supported out of box adopted and understood, then if that does not meet the needs you have, then look at bolting on third party. We HAVE the products, but we are only using minimal functions (AV/anti-MW) because we have to get the knob turners to adopt the new tech first.

For what it's worth.
PM me if you want more info...

Michael Toney

------------------------------
Michael Toney
Architect
Trellis Company
Round Rock TX
------------------------------

Original Message:
Sent: 01-16-2019 09:49 AM
From: Luis Miguel Astudillo
Subject: NSX DFW + Network Introspection

Hi Julio, I have no issues with NSX, have my own lab and it works at my client on-prem when you follow the NSX VVD, but it is the Network Introspection part that is tricky and not many people seam to have or want to share their experience.

Sorry for replying so late, was away on business.

------------------------------
Luis Miguel Astudillo
Conseiller en architecture TI / IT Architect
Services Conseils AIGS Inc.
Tel: 514-213-6270
Email: lm.astudillo@sc-aigs.com

Original Message:
Sent: 01-09-2019 11:37 AM
From: Julio Arevalo
Subject: NSX DFW + Network Introspection

​Hello Luis,

We use NSX and had professional services help us in setting up our environment.  I would highly recommend you have someone help, makes it easier for implementation and troubleshooting any issues you might encounter.  Hope this helps.

------------------------------
Julio Arevalo
Manager, System Engineering
Alliant Credit Union
Chicago IL

Original Message:
Sent: 01-08-2019 11:55 AM
From: Chad Carter
Subject: NSX DFW + Network Introspection

Hi Luis,

We have NSX implemented for both Horizon Desktop Cluster and also general Compute Cluster.  Both of these environments are leveraging the DFW for Micro Segmentation and Guest Introspection for agent less AV/Malware.  Network Introspection is not being leveraged at this time due to vendor support.  Once the functionality is available from Cisco, we will look at implementing.

Thanks,

------------------------------
Chad Carter
Enterprise Architect
Sault Area Hospital
Sault Ste Marie ON

Original Message:
Sent: 01-07-2019 11:31 AM
From: Luis Miguel Astudillo
Subject: NSX DFW + Network Introspection

Interesting, no replies whatsoever, is it because no ONE uses NSX and VMware is sending FAKE NEWS about having 7500 NSX clients? or no one is interested in replying ?


------------------------------
Luis Miguel Astudillo
Conseiller en architecture TI / IT Architect
Services Conseils AIGS Inc.
Tel: 514-213-6270
Email: lm.astudillo@sc-aigs.com

Original Message:
Sent: 12-20-2018 09:57 AM
From: Luis Miguel Astudillo
Subject: NSX DFW + Network Introspection

Good morning everyone, I'd like to know if you or your customers are using NSX and a third-party solution for Network Introspection (such as Check Point CloudGuard for IaaS, Juniper vSRX for NSX or Palo Alto VM-Series for NSX).

If so, does NSX manages the L2 @ L4 layers (DFW) and the 3rd-party the L4 @ L7 + Advanced Threat Protection (ATP)? Or does the 3rd-party solution handle all micro-segmentation traffic + ATP?

What were your use cases?
What is your topology (main site + n DR sites), active / active sites, VxLAN (Network Overlay), etc.
What were your operational, administrative and governance impacts?
What were the estimated and realized benefits?
What were your irritants or "show stoppers"?
Have you worked with a partner or solution manufacturer directly (Professional Services)?
Estimated time of realization + reality?
What is your level of satisfaction (micro-seg + Network Introspection) after deployment?

I am trying to know and understand the market and not reinvent the wheel. This won't make of me an SME nor an expert but wil help me plan the road ahead and put the efforts at the right places.

You can reply directly on this forum or privately to lm.astudillo@sc-aigs.com.

By professionalism, all the answers that are addressed to me directly will not be published or made public.

------------------------------
Luis Miguel Astudillo
Conseiller en architecture TI / IT Architect
Services Conseils AIGS Inc.
Tel: 514-213-6270
Email: lm.astudillo@sc-aigs.com
------------------------------

Hi Luis,

To start with, many may not want to sure much about their environment for various reasons, so please don't be so judgmental.  Some details usually can't be shared for those reasons.

I can say we have implemented NSX, as of about 4 yrs ago, in five of our datacenters.  It is used in our general compute environment and the use case was generally two-fold, help decrease the "time to market" (i.e. provisioning customer VM's faster with vRA/etc.  The thinking here was to cut down on time the network group takes to implement something new for X customer.) and DFW.  We leverage DFW micro-segmentation for a couple different applications where customers saw the benefits.

The big plus for us was helping decrease time to market because of the time it took physical network to get things stood up for x customer.  That left it in our hands (virtualization team) to implement either automated or just through a few mouse clicks/etc., whereas network could take weeks.  In the beginning using the product was rough due to some of the bugs the earlier versions had.  Most of the customer impacting bugs were fixed and for the most part is a stable product.  There are hiccups every now and then like most things in technology.  You call support, get things corrected and then RCA is established/etc.  If I remember right, we have not had a wide-spread outage in at least 3 years.  Also, we did bring in professional services for health check purposes and a few minor things were found that were corrected.  For the most part we are happy with NSX.

We do not do guest introspection.  In my experience, doing guest introspection makes NSX upgrades way more difficult, but with the right people that can be pulled off.

Hope that helps answer your questions.

Thanks,
Raymond

------------------------------
Raymond Riley
Cloud Virtualization Engineer
McKesson Corp.
------------------------------

Original Message:
Sent: 01-08-2019 11:55 AM
From: Chad Carter
Subject: NSX DFW + Network Introspection

Hi Luis,

We have NSX implemented for both Horizon Desktop Cluster and also general Compute Cluster.  Both of these environments are leveraging the DFW for Micro Segmentation and Guest Introspection for agent less AV/Malware.  Network Introspection is not being leveraged at this time due to vendor support.  Once the functionality is available from Cisco, we will look at implementing.

Thanks,

------------------------------
Chad Carter
Enterprise Architect
Sault Area Hospital
Sault Ste Marie ON

Original Message:
Sent: 01-07-2019 11:31 AM
From: Luis Miguel Astudillo
Subject: NSX DFW + Network Introspection

Interesting, no replies whatsoever, is it because no ONE uses NSX and VMware is sending FAKE NEWS about having 7500 NSX clients? or no one is interested in replying ?


------------------------------
Luis Miguel Astudillo
Conseiller en architecture TI / IT Architect
Services Conseils AIGS Inc.
Tel: 514-213-6270
Email: lm.astudillo@sc-aigs.com

Original Message:
Sent: 12-20-2018 09:57 AM
From: Luis Miguel Astudillo
Subject: NSX DFW + Network Introspection

Good morning everyone, I'd like to know if you or your customers are using NSX and a third-party solution for Network Introspection (such as Check Point CloudGuard for IaaS, Juniper vSRX for NSX or Palo Alto VM-Series for NSX).

If so, does NSX manages the L2 @ L4 layers (DFW) and the 3rd-party the L4 @ L7 + Advanced Threat Protection (ATP)? Or does the 3rd-party solution handle all micro-segmentation traffic + ATP?

What were your use cases?
What is your topology (main site + n DR sites), active / active sites, VxLAN (Network Overlay), etc.
What were your operational, administrative and governance impacts?
What were the estimated and realized benefits?
What were your irritants or "show stoppers"?
Have you worked with a partner or solution manufacturer directly (Professional Services)?
Estimated time of realization + reality?
What is your level of satisfaction (micro-seg + Network Introspection) after deployment?

I am trying to know and understand the market and not reinvent the wheel. This won't make of me an SME nor an expert but wil help me plan the road ahead and put the efforts at the right places.

You can reply directly on this forum or privately to lm.astudillo@sc-aigs.com.

By professionalism, all the answers that are addressed to me directly will not be published or made public.

------------------------------
Luis Miguel Astudillo
Conseiller en architecture TI / IT Architect
Services Conseils AIGS Inc.
Tel: 514-213-6270
Email: lm.astudillo@sc-aigs.com
------------------------------

Thank you Raymond, is not the NSX part my issues, is the 3rd-party Network Introspection that bothers me.

VMware has been excellent for their NSX solution, is the rest (3rd-party network introspection) that I find not mature.

Also, no issues with Guest Introspection as that is within the VM and it is handled by other tools (CrowdkStrike, Symantec EDR, etc....)



------------------------------
Luis Miguel Astudillo
Conseiller en architecture TI / IT Architect
Services Conseils AIGS Inc.
Tel: 514-213-6270
Email: lm.astudillo@sc-aigs.com
------------------------------

Original Message:
Sent: 01-09-2019 11:46 AM
From: Raymond Riley
Subject: NSX DFW + Network Introspection

Hi Luis,

To start with, many may not want to sure much about their environment for various reasons, so please don't be so judgmental.  Some details usually can't be shared for those reasons.

I can say we have implemented NSX, as of about 4 yrs ago, in five of our datacenters.  It is used in our general compute environment and the use case was generally two-fold, help decrease the "time to market" (i.e. provisioning customer VM's faster with vRA/etc.  The thinking here was to cut down on time the network group takes to implement something new for X customer.) and DFW.  We leverage DFW micro-segmentation for a couple different applications where customers saw the benefits.

The big plus for us was helping decrease time to market because of the time it took physical network to get things stood up for x customer.  That left it in our hands (virtualization team) to implement either automated or just through a few mouse clicks/etc., whereas network could take weeks.  In the beginning using the product was rough due to some of the bugs the earlier versions had.  Most of the customer impacting bugs were fixed and for the most part is a stable product.  There are hiccups every now and then like most things in technology.  You call support, get things corrected and then RCA is established/etc.  If I remember right, we have not had a wide-spread outage in at least 3 years.  Also, we did bring in professional services for health check purposes and a few minor things were found that were corrected.  For the most part we are happy with NSX.

We do not do guest introspection.  In my experience, doing guest introspection makes NSX upgrades way more difficult, but with the right people that can be pulled off.

Hope that helps answer your questions.

Thanks,
Raymond

------------------------------
Raymond Riley
Cloud Virtualization Engineer
McKesson Corp.

Original Message:
Sent: 01-08-2019 11:55 AM
From: Chad Carter
Subject: NSX DFW + Network Introspection

Hi Luis,

We have NSX implemented for both Horizon Desktop Cluster and also general Compute Cluster.  Both of these environments are leveraging the DFW for Micro Segmentation and Guest Introspection for agent less AV/Malware.  Network Introspection is not being leveraged at this time due to vendor support.  Once the functionality is available from Cisco, we will look at implementing.

Thanks,

------------------------------
Chad Carter
Enterprise Architect
Sault Area Hospital
Sault Ste Marie ON

Original Message:
Sent: 01-07-2019 11:31 AM
From: Luis Miguel Astudillo
Subject: NSX DFW + Network Introspection

Interesting, no replies whatsoever, is it because no ONE uses NSX and VMware is sending FAKE NEWS about having 7500 NSX clients? or no one is interested in replying ?


------------------------------
Luis Miguel Astudillo
Conseiller en architecture TI / IT Architect
Services Conseils AIGS Inc.
Tel: 514-213-6270
Email: lm.astudillo@sc-aigs.com

Original Message:
Sent: 12-20-2018 09:57 AM
From: Luis Miguel Astudillo
Subject: NSX DFW + Network Introspection

Good morning everyone, I'd like to know if you or your customers are using NSX and a third-party solution for Network Introspection (such as Check Point CloudGuard for IaaS, Juniper vSRX for NSX or Palo Alto VM-Series for NSX).

If so, does NSX manages the L2 @ L4 layers (DFW) and the 3rd-party the L4 @ L7 + Advanced Threat Protection (ATP)? Or does the 3rd-party solution handle all micro-segmentation traffic + ATP?

What were your use cases?
What is your topology (main site + n DR sites), active / active sites, VxLAN (Network Overlay), etc.
What were your operational, administrative and governance impacts?
What were the estimated and realized benefits?
What were your irritants or "show stoppers"?
Have you worked with a partner or solution manufacturer directly (Professional Services)?
Estimated time of realization + reality?
What is your level of satisfaction (micro-seg + Network Introspection) after deployment?

I am trying to know and understand the market and not reinvent the wheel. This won't make of me an SME nor an expert but wil help me plan the road ahead and put the efforts at the right places.

You can reply directly on this forum or privately to lm.astudillo@sc-aigs.com.

By professionalism, all the answers that are addressed to me directly will not be published or made public.

------------------------------
Luis Miguel Astudillo
Conseiller en architecture TI / IT Architect
Services Conseils AIGS Inc.
Tel: 514-213-6270
Email: lm.astudillo@sc-aigs.com
------------------------------

VMware is not lying when they tout the number of NSX customers, I'd chalk the lack of response more to the VMUG forums not being highly trafficked and customers likely not wanting to talk about their environments much.

I've personally worked and helped deploy dozens of implementations across different customers and accounts of varying sizes. Smallest was a 4 node cluster that needed PCI compliance and HIPPA compliance and the largest was a very well known bank with over 30k VM's in their VDI environment they wanted protected.

Third party integration is often the trickiest part of the product as it depends on the third party to have implemented a quality product and many times you have to simply learn the quirks of their implementation. VMware's NetX API is standard for all of them so there's only one way to interact with VMware, it's up to each third party company to design their system and how it works.

As others have stated it's best to deploy NSX via a PSO engagement but it absolutely can all be done in house. The documentation and blogging that exists is extensive and you could likely deploy or copy one of the VVD designs for most environments. Where PSO comes in handy is the unique quirks that each customer invariably has. Additionally PSO can help companies reorganize the workflow and streams for day to day operations or at least help companies identify where they may need to change process, ownership and organizational challenges.


------------------------------
William de Marigny
Senior VMware NSX Technical Account Specialist
VCIX-NV, VCIX-DCV
San Antonio TX
------------------------------

Original Message:
Sent: 01-16-2019 09:55 AM
From: Luis Miguel Astudillo
Subject: NSX DFW + Network Introspection

Thank you Raymond, is not the NSX part my issues, is the 3rd-party Network Introspection that bothers me.

VMware has been excellent for their NSX solution, is the rest (3rd-party network introspection) that I find not mature.

Also, no issues with Guest Introspection as that is within the VM and it is handled by other tools (CrowdkStrike, Symantec EDR, etc....)



------------------------------
Luis Miguel Astudillo
Conseiller en architecture TI / IT Architect
Services Conseils AIGS Inc.
Tel: 514-213-6270
Email: lm.astudillo@sc-aigs.com

Original Message:
Sent: 01-09-2019 11:46 AM
From: Raymond Riley
Subject: NSX DFW + Network Introspection

Hi Luis,

To start with, many may not want to sure much about their environment for various reasons, so please don't be so judgmental.  Some details usually can't be shared for those reasons.

I can say we have implemented NSX, as of about 4 yrs ago, in five of our datacenters.  It is used in our general compute environment and the use case was generally two-fold, help decrease the "time to market" (i.e. provisioning customer VM's faster with vRA/etc.  The thinking here was to cut down on time the network group takes to implement something new for X customer.) and DFW.  We leverage DFW micro-segmentation for a couple different applications where customers saw the benefits.

The big plus for us was helping decrease time to market because of the time it took physical network to get things stood up for x customer.  That left it in our hands (virtualization team) to implement either automated or just through a few mouse clicks/etc., whereas network could take weeks.  In the beginning using the product was rough due to some of the bugs the earlier versions had.  Most of the customer impacting bugs were fixed and for the most part is a stable product.  There are hiccups every now and then like most things in technology.  You call support, get things corrected and then RCA is established/etc.  If I remember right, we have not had a wide-spread outage in at least 3 years.  Also, we did bring in professional services for health check purposes and a few minor things were found that were corrected.  For the most part we are happy with NSX.

We do not do guest introspection.  In my experience, doing guest introspection makes NSX upgrades way more difficult, but with the right people that can be pulled off.

Hope that helps answer your questions.

Thanks,
Raymond

------------------------------
Raymond Riley
Cloud Virtualization Engineer
McKesson Corp.

Original Message:
Sent: 01-08-2019 11:55 AM
From: Chad Carter
Subject: NSX DFW + Network Introspection

Hi Luis,

We have NSX implemented for both Horizon Desktop Cluster and also general Compute Cluster.  Both of these environments are leveraging the DFW for Micro Segmentation and Guest Introspection for agent less AV/Malware.  Network Introspection is not being leveraged at this time due to vendor support.  Once the functionality is available from Cisco, we will look at implementing.

Thanks,

------------------------------
Chad Carter
Enterprise Architect
Sault Area Hospital
Sault Ste Marie ON

Original Message:
Sent: 01-07-2019 11:31 AM
From: Luis Miguel Astudillo
Subject: NSX DFW + Network Introspection

Interesting, no replies whatsoever, is it because no ONE uses NSX and VMware is sending FAKE NEWS about having 7500 NSX clients? or no one is interested in replying ?


------------------------------
Luis Miguel Astudillo
Conseiller en architecture TI / IT Architect
Services Conseils AIGS Inc.
Tel: 514-213-6270
Email: lm.astudillo@sc-aigs.com

Original Message:
Sent: 12-20-2018 09:57 AM
From: Luis Miguel Astudillo
Subject: NSX DFW + Network Introspection

Good morning everyone, I'd like to know if you or your customers are using NSX and a third-party solution for Network Introspection (such as Check Point CloudGuard for IaaS, Juniper vSRX for NSX or Palo Alto VM-Series for NSX).

If so, does NSX manages the L2 @ L4 layers (DFW) and the 3rd-party the L4 @ L7 + Advanced Threat Protection (ATP)? Or does the 3rd-party solution handle all micro-segmentation traffic + ATP?

What were your use cases?
What is your topology (main site + n DR sites), active / active sites, VxLAN (Network Overlay), etc.
What were your operational, administrative and governance impacts?
What were the estimated and realized benefits?
What were your irritants or "show stoppers"?
Have you worked with a partner or solution manufacturer directly (Professional Services)?
Estimated time of realization + reality?
What is your level of satisfaction (micro-seg + Network Introspection) after deployment?

I am trying to know and understand the market and not reinvent the wheel. This won't make of me an SME nor an expert but wil help me plan the road ahead and put the efforts at the right places.

You can reply directly on this forum or privately to lm.astudillo@sc-aigs.com.

By professionalism, all the answers that are addressed to me directly will not be published or made public.

------------------------------
Luis Miguel Astudillo
Conseiller en architecture TI / IT Architect
Services Conseils AIGS Inc.
Tel: 514-213-6270
Email: lm.astudillo@sc-aigs.com
------------------------------