1
01:00:00,233 --> 01:00:01,266
Hello and welcome.

2
01:00:01,800 --> 01:00:06,133
This is the VCD Roundtable, episode number 54.

3
01:00:06,833 --> 01:00:11,566
And the topic of the day is the vDefend Firewall, IDS / IPS,

4
01:00:12,033 --> 01:00:13,433
and Advanced Threat Protection.

5
01:00:14,533 --> 01:00:17,633
And let me quickly cover why we thought

6
01:00:17,766 --> 01:00:21,199
this topic should be at the top of the agenda again,

7
01:00:21,199 --> 01:00:25,833
not only because this is quite an interesting additional

8
01:00:25,933 --> 01:00:29,266
service, which can be offered by service providers,

9
01:00:29,866 --> 01:00:33,766
but also due to the latest changes in the licensing

10
01:00:34,066 --> 01:00:36,133
scenarios with Usage Meter 9

11
01:00:36,133 --> 01:00:38,033
and changes in the license guide,

12
01:00:38,566 --> 01:00:41,433
it's now finally possible that we can actually

13
01:00:41,533 --> 01:00:43,900
license the firewall features

14
01:00:43,900 --> 01:00:47,633
on an overage scenario as well.

15
01:00:47,633 --> 01:00:49,866
So you are no longer bound to actually make a three-year

16
01:00:49,866 --> 01:00:52,466
commit if you want to use the firewall features potentially

17
01:00:52,766 --> 01:00:55,233
to test it out with a customer or something else.

18
01:00:55,633 --> 01:00:58,266
But Sascha is going to cover that for a bit

19
01:00:58,300 --> 01:01:01,266
and Matthias is going to tell us a bit more about use cases

20
01:01:01,266 --> 01:01:03,533
and everything else for the vDefend Firewall,

21
01:01:04,000 --> 01:01:07,199
distributed firewalls, gateways, and whatever else.

22
01:01:08,133 --> 01:01:11,333
So let me throw the ball over

23
01:01:11,333 --> 01:01:13,066
to Matthias first, who can then

24
01:01:13,099 --> 01:01:15,533
throw it to Sascha for the licensing piece.

25
01:01:15,533 --> 01:01:18,000
And then Matthias can give us the tech dive.

26
01:01:19,633 --> 01:01:22,266
Yeah, as always, I just try to take a sip,

27
01:01:22,266 --> 01:01:23,266
and then I have to talk.

28
01:01:23,533 --> 01:01:24,233
It's always the same.

29
01:01:24,233 --> 01:01:24,533
Hello.

30
01:01:24,733 --> 01:01:25,633
Welcome from my side.

31
01:01:25,699 --> 01:01:26,666
Now I'm looking forward to

32
01:01:26,666 --> 01:01:28,300
this more technical session again.

33
01:01:29,099 --> 01:01:31,166
Sascha, what are you going to offer us?

34
01:01:31,166 --> 01:01:32,966
What do you have to offer us today?

35
01:01:33,966 --> 01:01:34,166
Yes.

36
01:01:35,000 --> 01:01:36,400
Nice to meet you here.

37
01:01:36,800 --> 01:01:40,933
I think it's important that we talk a bit about all of that

38
01:01:40,933 --> 01:01:42,466
stuff from a license perspective.

39
01:01:42,766 --> 01:01:43,533
What does it mean?

40
01:01:43,833 --> 01:01:46,466
What options we now have also with the changes,

41
01:01:46,900 --> 01:01:48,566
how we can license vDefend.

42
01:01:48,966 --> 01:01:52,000
So yeah, happy to share this information with you.

43
01:01:57,266 --> 01:01:59,333
Then why don't we start with the licensing part

44
01:01:59,333 --> 01:02:01,166
before we get into the tech part?

45
01:02:02,300 --> 01:02:04,066
Yeah, let's do it.

46
01:02:04,266 --> 01:02:08,466
So, Yves told us that there were changes,

47
01:02:08,966 --> 01:02:12,633
and now we can license - as a service provider -

48
01:02:12,633 --> 01:02:14,066
vDefend as an overage.

49
01:02:14,466 --> 01:02:16,833
So that's very important for us.

50
01:02:18,266 --> 01:02:22,000
So that means with changes, Usage Meter 9...

51
01:02:22,866 --> 01:02:26,033
two weeks ago, there

52
01:02:26,033 --> 01:02:28,266
came the announcement that on demand

53
01:02:28,266 --> 01:02:31,166
is now available for all vDefend products.

54
01:02:32,433 --> 01:02:34,333
And what does it mean for us?

55
01:02:34,333 --> 01:02:37,166
So there are still some open questions to be fair.

56
01:02:37,466 --> 01:02:41,733
So we got this information that only 200% of license

57
01:02:41,766 --> 01:02:43,166
keys can be generated.

58
01:02:44,433 --> 01:02:47,633
So does that also mean that the service providers that

59
01:02:47,766 --> 01:02:51,566
don't use vDefend can use vDefend on demand?

60
01:02:53,033 --> 01:02:55,066
Currently, nobody knows, but let's see.

61
01:02:56,533 --> 01:02:59,900
But you are also able to say, "hey,

62
01:02:59,900 --> 01:03:04,566
I want to activate or license vDefend on the host space."

63
01:03:05,766 --> 01:03:10,366
That helps us a lot now, because service providers

64
01:03:10,666 --> 01:03:14,033
don't need to start to say, "hey, I need to license

65
01:03:14,033 --> 01:03:17,366
my complete cluster or create a dedicated cluster

66
01:03:17,566 --> 01:03:21,766
for vDefend with Advanced Threat Protection or whatever."

67
01:03:22,800 --> 01:03:25,266
And that is very beneficial for you,

68
01:03:25,266 --> 01:03:30,966
because you can now say, "hey, create a rule

69
01:03:31,166 --> 01:03:34,666
that vDefend only -- or a vDefend feature --

70
01:03:35,266 --> 01:03:39,333
runs only on virtual machines on host one, two, three."

71
01:03:40,633 --> 01:03:44,733
And the other hosts don't need to be licensed for vDefend.

72
01:03:45,166 --> 01:03:46,633
So that will help us a lot.

73
01:03:47,066 --> 01:03:49,400
And then, additional to that, that makes sense.

74
01:03:49,400 --> 01:03:51,233
We can go with the commit for three hosts

75
01:03:52,033 --> 01:03:54,466
and can say, "hey, if you need a fourth one,

76
01:03:54,466 --> 01:03:55,766
we can go as an overage."

77
01:03:56,966 --> 01:03:57,866
So that's beneficial.

78
01:03:58,433 --> 01:04:00,566
That makes absolute sense with this 200%.

79
01:04:01,933 --> 01:04:03,433
So that will help us a lot.

80
01:04:04,233 --> 01:04:04,900
Other question?

81
01:04:05,866 --> 01:04:06,233
What license--

82
01:04:06,233 --> 01:04:09,300
But Sascha, let's stick on this one a little bit,

83
01:04:09,366 --> 01:04:13,400
because... let's start with a short discussion here,

84
01:04:13,400 --> 01:04:15,133
because I totally understand what you're talking about.

85
01:04:16,366 --> 01:04:19,633
That introduces a ton of administrative overhead.

86
01:04:21,333 --> 01:04:24,900
So it is a solution just to license only a few hosts

87
01:04:24,900 --> 01:04:25,633
of a cluster.

88
01:04:26,333 --> 01:04:29,366
But it's always a trade-off because, on the other hand,

89
01:04:30,333 --> 01:04:31,633
you have the administrative overhead

90
01:04:32,066 --> 01:04:36,233
to create the DRS groups, to stick virtual machines

91
01:04:36,233 --> 01:04:38,133
or to glue virtual machines to certain hosts.

92
01:04:38,933 --> 01:04:42,933
What if one host of that group fails, hardware error,

93
01:04:42,933 --> 01:04:43,266
whatever?

94
01:04:44,033 --> 01:04:45,833
You need to add another host to the group.

95
01:04:46,166 --> 01:04:48,800
That load gets redistributed and so on and so forth.

96
01:04:49,000 --> 01:04:55,366
So because we're blunt on all this stuff,

97
01:04:55,366 --> 01:05:01,333
so we need to say, "guys, be careful if or if you

98
01:05:01,333 --> 01:05:04,800
go down that route, you have administrative overhead.

99
01:05:06,233 --> 01:05:11,433
Firstly, and secondly, if you fat-finger something,

100
01:05:12,766 --> 01:05:15,400
it has a high price tag associated,

101
01:05:15,666 --> 01:05:20,333
because if you accidentally add a host to that group,

102
01:05:21,033 --> 01:05:21,633
thank you.

103
01:05:21,633 --> 01:05:22,500
You pay overage."

104
01:05:24,800 --> 01:05:27,166
So I think we should be very honest on that part.

105
01:05:28,666 --> 01:05:29,133
Absolutely.

106
01:05:29,833 --> 01:05:35,900
But compared to that, the other way

107
01:05:35,900 --> 01:05:39,333
is to create a dedicated cluster for VCF,

108
01:05:39,533 --> 01:05:41,333
if I want to start with VCF.

109
01:05:42,166 --> 01:05:46,599
And then I use the complete flexibility to say,

110
01:05:46,833 --> 01:05:49,300
"hey, one customer wants to test VCF

111
01:05:50,466 --> 01:05:51,433
Advanced Threat Protection."

112
01:05:51,833 --> 01:05:54,433
And I think that becomes more and more interesting

113
01:05:54,433 --> 01:05:58,733
from a security perspective to run Advanced Threat

114
01:05:58,833 --> 01:06:01,666
Protection on microsegmentation, for example.

115
01:06:02,766 --> 01:06:03,866
Let's face it.

116
01:06:04,166 --> 01:06:06,233
Advanced Threat Protection requires you

117
01:06:06,233 --> 01:06:08,666
to actually install the Kubernetes pieces and stuff

118
01:06:08,666 --> 01:06:11,533
like that for that special features in any way.

119
01:06:11,733 --> 01:06:14,599
If you just want to have the baseline features,

120
01:06:16,099 --> 01:06:17,466
it's not that bad.

121
01:06:17,800 --> 01:06:23,800
But also, I mean, the cost is $100 per year

122
01:06:23,900 --> 01:06:27,199
per core for vDefend basic.

123
01:06:28,066 --> 01:06:28,566
So for the...

124
01:06:28,566 --> 01:06:29,166
I think it's $120.

125
01:06:30,866 --> 01:06:31,533
120, yeah.

126
01:06:31,900 --> 01:06:33,900
So we are talking about $10 per core.

127
01:06:34,266 --> 01:06:37,066
So even if by mistake, you put in a host

128
01:06:37,066 --> 01:06:41,500
and you would not actually put that in by 120 divided

129
01:06:41,666 --> 01:06:42,866
by 12 is 10.

130
01:06:43,866 --> 01:06:44,433
That's easy.

131
01:06:45,233 --> 01:06:45,900
Why 12?

132
01:06:46,266 --> 01:06:48,500
But let's not start math here.

133
01:06:50,033 --> 01:06:50,633
Why 12?

134
01:06:50,766 --> 01:06:52,533
Because 12 months is in a year.

135
01:06:54,400 --> 01:06:55,733
Oh, okey-dokey.

136
01:06:56,533 --> 01:06:58,000
I was thinking about cores.

137
01:06:58,699 --> 01:07:00,300
How 12, right?

138
01:07:01,300 --> 01:07:01,833
No, because--

139
01:07:01,833 --> 01:07:02,933
You always talk 16.

140
01:07:04,633 --> 01:07:08,466
So it would be per core a total cost of $10 per month.

141
01:07:08,866 --> 01:07:11,300
And typically, you don't turn on the host

142
01:07:11,500 --> 01:07:16,266
at the first of the month at zero or at 001

143
01:07:16,500 --> 01:07:17,333
or something like that.

144
01:07:18,466 --> 01:07:21,433
I think the overall, yes, if you make the mistake,

145
01:07:21,433 --> 01:07:23,333
it's not going to be that bad.

146
01:07:23,866 --> 01:07:26,433
Because it's not like you turn on a feature

147
01:07:26,566 --> 01:07:28,400
like by mistake in Avi Load Balancer.

148
01:07:28,400 --> 01:07:30,199
So that's a totally different piece.

149
01:07:31,900 --> 01:07:34,066
Absolutely... but it's not $10 a month, Yves.

150
01:07:34,333 --> 01:07:37,966
It's $10 times at least 16.

151
01:07:39,033 --> 01:07:40,066
Yeah, that's $160.

152
01:07:40,066 --> 01:07:40,633
It's not us.

153
01:07:42,033 --> 01:07:43,366
Yeah, but to be fair, so we

154
01:07:43,366 --> 01:07:46,033
have all the operation stuff now

155
01:07:46,066 --> 01:07:46,566
included.

156
01:07:46,833 --> 01:07:49,066
And it's an easy one for a service provider

157
01:07:49,533 --> 01:07:51,000
to create an alert if I'm

158
01:07:51,000 --> 01:07:53,066
using more licenses than expected.

159
01:07:53,333 --> 01:07:55,166
For me, it's an open discussion,

160
01:07:55,166 --> 01:07:57,699
because honestly, I don't get,

161
01:07:58,000 --> 01:08:00,266
why should I not license vDefend?

162
01:08:01,133 --> 01:08:04,033
Because I still consider vDefend being a base feature.

163
01:08:04,633 --> 01:08:06,766
And as Yves mentioned, we're not talking

164
01:08:06,966 --> 01:08:08,500
a big amount of money here.

165
01:08:09,199 --> 01:08:14,166
So as a CSP, I should at least license one cluster

166
01:08:15,066 --> 01:08:16,033
with vDefend.

167
01:08:16,533 --> 01:08:18,166
And if I have only a single cluster,

168
01:08:18,600 --> 01:08:20,666
I'm not that large anyway.

169
01:08:21,000 --> 01:08:25,133
So we're not talking that big of an additional cost.

170
01:08:26,866 --> 01:08:28,633
So that's honestly speaking.

171
01:08:28,666 --> 01:08:32,166
It's easier to sell and it's higher flexibility.

172
01:08:32,866 --> 01:08:37,633
And I need to compare the cost of the licenses

173
01:08:37,933 --> 01:08:41,133
with the administrative overhead I have on the other hand.

174
01:08:41,899 --> 01:08:43,433
Yeah, the challenge is, I think--

175
01:08:43,800 --> 01:08:46,233
and that's what we got out of the meetings

176
01:08:46,466 --> 01:08:48,333
with most of the service providers is

177
01:08:48,500 --> 01:08:51,199
that they say, "hey, I want to start with vDefend,

178
01:08:52,233 --> 01:08:55,199
but I can only start with one to three customers

179
01:08:55,633 --> 01:08:58,966
and then migrate more and more customers to vDefend."

180
01:08:59,533 --> 01:09:01,766
That doesn't start with day one.

181
01:09:02,300 --> 01:09:04,300
And that's a challenge for service providers currently

182
01:09:04,300 --> 01:09:05,766
to say, "hey, I need to license

183
01:09:05,766 --> 01:09:07,466
my complete cluster on day one.

184
01:09:07,733 --> 01:09:10,266
And now I need at least one or two years

185
01:09:10,366 --> 01:09:12,733
until every customer is using it."

186
01:09:16,066 --> 01:09:19,800
So this is an option to license only dedicated hosts.

187
01:09:20,633 --> 01:09:23,266
And everyone needs to decide for themselves.

188
01:09:24,000 --> 01:09:28,433
If they want to take the time to do all the configurations

189
01:09:29,300 --> 01:09:32,433
and save some money, especially at the beginning,

190
01:09:33,233 --> 01:09:35,866
or make the decision to go with the dedicated cluster,

191
01:09:36,600 --> 01:09:40,766
or make the decision to license a complete cluster

192
01:09:40,766 --> 01:09:41,600
from day zero.

193
01:09:46,633 --> 01:09:48,366
But yes, maybe you can tell us

194
01:09:48,366 --> 01:09:50,566
a bit more about the features

195
01:09:51,233 --> 01:09:54,333
and what we can do with that protection,

196
01:09:54,366 --> 01:09:56,866
with microsegmentation, and why this is important.

197
01:09:59,333 --> 01:09:59,866
Why ATP?

198
01:10:00,433 --> 01:10:02,533
Let's start basic with microsegmentation.

199
01:10:03,733 --> 01:10:06,033
There is not always the need to have ATP on top.

200
01:10:06,933 --> 01:10:11,333
So with microsegmentation, you enable a more secure

201
01:10:11,366 --> 01:10:14,833
infrastructure also to protect workloads from each other

202
01:10:14,866 --> 01:10:16,033
within a single tenant.

203
01:10:16,966 --> 01:10:19,366
I think that's the most overseen feature

204
01:10:19,733 --> 01:10:20,933
of what microsegmentation

205
01:10:20,933 --> 01:10:22,533
introduces to your infrastructure.

206
01:10:24,633 --> 01:10:26,766
Most people think like, "oh, I have

207
01:10:26,766 --> 01:10:31,100
to protect my environment against threats

208
01:10:31,333 --> 01:10:37,133
from the internet or from the bad guys sitting somewhere."

209
01:10:37,366 --> 01:10:41,766
But honestly, most of the attacks are from inside,

210
01:10:42,066 --> 01:10:46,566
so internally, because someone clicks a link in an email

211
01:10:46,566 --> 01:10:47,233
or whatever.

212
01:10:48,100 --> 01:10:52,466
And then the big question is, how fast

213
01:10:52,699 --> 01:10:55,266
is a threat able to spread itself

214
01:10:55,433 --> 01:10:56,500
within the infrastructure?

215
01:10:57,366 --> 01:11:00,633
And that's where the whole microsegmentation kicks in.

216
01:11:01,100 --> 01:11:03,933
Because if you protect workloads even

217
01:11:04,033 --> 01:11:07,466
within a single layer 2 subnet, the spread rate

218
01:11:08,133 --> 01:11:11,233
is a lot slower compared to no protection

219
01:11:11,500 --> 01:11:13,066
within the whole environment.

220
01:11:13,533 --> 01:11:16,733
I think that's one of the most important features that

221
01:11:17,066 --> 01:11:20,566
the whole vDefend (DFW) brings to the table.

222
01:11:23,766 --> 01:11:25,933
The vDefend, of course, the other part

223
01:11:25,933 --> 01:11:27,066
is the gateway firewall.

224
01:11:27,333 --> 01:11:30,233
But I consider this one being like a perimeter,

225
01:11:30,933 --> 01:11:34,300
as we have always treated a firewall sitting

226
01:11:34,500 --> 01:11:36,566
at the border of our environment.

227
01:11:37,333 --> 01:11:40,766
It's an additional firewall sitting behind a physical

228
01:11:40,866 --> 01:11:44,600
firewalling device, because I still have my opinion.

229
01:11:44,666 --> 01:11:48,300
I'm not moving a micrometer off.

230
01:11:49,433 --> 01:11:53,000
There is always a physical firewalling device

231
01:11:53,000 --> 01:11:54,066
in front of the environment.

232
01:11:54,933 --> 01:11:57,233
So vDefend is always an additional solution,

233
01:11:57,500 --> 01:11:59,466
not an instead-of solution.

234
01:12:01,733 --> 01:12:03,733
So that's the whole vDefend Firewall part.

235
01:12:04,566 --> 01:12:07,966
And I think it's also important that everyone is aware

236
01:12:08,066 --> 01:12:12,266
that if I have two networks, two routed networks in Cloud

237
01:12:12,366 --> 01:12:16,399
Director on one edge gateway, I have the default one

238
01:12:16,433 --> 01:12:21,733
distributed routing enabled that there is no firewall rule.

239
01:12:21,733 --> 01:12:24,166
I can create this firewall rule on the edge gateway,

240
01:12:24,833 --> 01:12:26,199
but it doesn't match.

241
01:12:27,300 --> 01:12:28,199
Exactly, Sascha.

242
01:12:28,433 --> 01:12:31,833
So that's a very valid point you have taken.

243
01:12:34,233 --> 01:12:35,866
If a tenant creates, as you said,

244
01:12:36,100 --> 01:12:37,766
two routed or multiple routed networks

245
01:12:37,933 --> 01:12:41,699
within a single tenant, they assume the gateway

246
01:12:41,933 --> 01:12:45,266
protects those networks from each other, but it doesn't.

247
01:12:46,833 --> 01:12:49,699
For that specific behavior, I think we typically

248
01:12:49,766 --> 01:12:54,666
recommend having the CSP, or instructing CSPs to have,

249
01:12:54,666 --> 01:12:59,933
a document ready to provide guidance for their tenants

250
01:13:00,100 --> 01:13:03,766
how to use those two firewalls together,

251
01:13:04,500 --> 01:13:10,433
because it's not using either the gateway or the DFW.

252
01:13:10,966 --> 01:13:13,733
How can I combine those two firewalls

253
01:13:13,733 --> 01:13:17,066
to achieve the best solution for me as a tenant?

254
01:13:20,000 --> 01:13:20,300
Absolutely.

255
01:13:22,033 --> 01:13:24,466
Because, yes, you can create these firewall rules,

256
01:13:24,466 --> 01:13:25,399
but they don't match.

257
01:13:25,833 --> 01:13:28,066
And that's the interesting part of it.

258
01:13:28,433 --> 01:13:32,233
And a lot of times, really funny, if you are doing--

259
01:13:32,233 --> 01:13:35,033
And you spend hours and hours and hours of troubleshooting.

260
01:13:35,366 --> 01:13:37,833
Why is the traffic still flowing?

261
01:13:42,300 --> 01:13:45,333
Or they only test what's possible or what's allowed

262
01:13:45,500 --> 01:13:47,966
and never test what's not possible.

263
01:13:50,266 --> 01:13:50,466
Yeah.

264
01:13:51,033 --> 01:13:52,399
So especially with Cloud Director,

265
01:13:52,633 --> 01:13:55,100
because if we talk about a CSP environment,

266
01:13:55,366 --> 01:13:58,466
it's even easier, because Cloud Director

267
01:13:58,533 --> 01:14:00,966
adds some very nice gimmicks

268
01:14:00,966 --> 01:14:03,633
or actually some configurations

269
01:14:03,633 --> 01:14:08,399
to the DFW by default, which is not part of the base

270
01:14:08,399 --> 01:14:09,333
NSX configuration.

271
01:14:10,100 --> 01:14:12,266
So with Cloud Director, Cloud Director automatically

272
01:14:12,466 --> 01:14:16,933
configures the DFW to create an internal any-any-any

273
01:14:16,933 --> 01:14:20,733
drop rule instead of an any-any-any block globally.

274
01:14:20,966 --> 01:14:22,233
So that's a pretty cool feature.

275
01:14:22,899 --> 01:14:25,699
So it protects only tenant

276
01:14:25,699 --> 01:14:29,666
local flows instead of protecting

277
01:14:29,899 --> 01:14:32,033
flows from or to the tenant.

278
01:14:32,333 --> 01:14:34,233
So that's the big difference if you

279
01:14:34,233 --> 01:14:37,899
compare the Cloud Director environment with a base

280
01:14:38,133 --> 01:14:39,366
or plain NSX environment.

281
01:14:40,666 --> 01:14:41,533
That's pretty cool.

282
01:14:42,033 --> 01:14:44,466
And that, at least from my perspective,

283
01:14:45,100 --> 01:14:46,866
makes the combination of the

284
01:14:46,866 --> 01:14:49,100
two firewalls, gateway and DFW,

285
01:14:49,500 --> 01:14:51,633
a lot easier, because on the DFW,

286
01:14:51,933 --> 01:14:53,933
you focus on internal flows only.

287
01:14:54,933 --> 01:14:57,066
And on the gateway, you focus

288
01:14:57,066 --> 01:14:59,866
on flows from and to your tenant.

289
01:15:01,366 --> 01:15:02,733
So that's pretty cool.

290
01:15:05,133 --> 01:15:05,333
Yeah.

291
01:15:05,566 --> 01:15:07,133
And let me add one part.

292
01:15:07,166 --> 01:15:10,466
So please be aware, when you enable distributed

293
01:15:10,666 --> 01:15:13,466
firewall in your tenant that you don't

294
01:15:13,566 --> 01:15:15,866
start in a brownfield environment

295
01:15:16,366 --> 01:15:19,300
with an any-any deny rule or an any-any reject

296
01:15:19,300 --> 01:15:20,966
rule; that will not work.

297
01:15:22,166 --> 01:15:23,366
Oh, it will work.

298
01:15:23,800 --> 01:15:24,133
It will work.

299
01:15:24,133 --> 01:15:25,100
It works as designed.

300
01:15:26,366 --> 01:15:26,800
That's right.

301
01:15:27,399 --> 01:15:30,166
And to dramatically reduce unwanted traffic.

302
01:15:30,800 --> 01:15:32,466
But also wanted traffic.

303
01:15:34,733 --> 01:15:38,066
But I think from a business perspective of the customers,

304
01:15:38,300 --> 01:15:38,933
it will not work.

305
01:15:39,166 --> 01:15:40,899
So yeah.

306
01:15:41,566 --> 01:15:42,933
But you know what I mean.

307
01:15:43,199 --> 01:15:45,933
And I think we need to mention it.

308
01:15:47,066 --> 01:15:49,600
So what you forgot to mention, that's

309
01:15:49,833 --> 01:15:54,166
another unbelievable feature we have with VCF.

310
01:15:55,066 --> 01:15:58,433
Because VCF contains the whole Aria Suite, which

311
01:15:58,500 --> 01:16:00,866
implies we have Aria Operations for Log.

312
01:16:01,966 --> 01:16:04,399
And if you configure Aria Operations for Log

313
01:16:04,466 --> 01:16:09,866
being the syslog receiver for the vSphere part of VCF

314
01:16:09,866 --> 01:16:12,366
and the NSX part of VCF and all the gateways,

315
01:16:12,866 --> 01:16:15,666
you have the ability to feed back

316
01:16:16,166 --> 01:16:20,466
the tenant-specific firewall logs into the Cloud Director

317
01:16:20,466 --> 01:16:21,033
UI.

318
01:16:21,566 --> 01:16:25,433
So that enables a tenant to troubleshoot their own firewall

319
01:16:25,433 --> 01:16:25,966
rule set.

320
01:16:29,600 --> 01:16:30,233
That's amazing.

321
01:16:32,466 --> 01:16:35,233
But there was one point, or there is one point,

322
01:16:35,233 --> 01:16:36,399
with the IP addresses.

323
01:16:39,399 --> 01:16:42,733
If you have overlapping IP ranges, is this fixed?

324
01:16:45,266 --> 01:16:47,366
As far as I know, it should be fixed.

325
01:16:49,133 --> 01:16:49,366
Okay.

326
01:16:50,666 --> 01:16:51,066
I don't know.

327
01:16:51,066 --> 01:16:51,866
We need to look it up.

328
01:16:54,899 --> 01:16:56,033
Yeah, maybe we should do it.

329
01:16:56,033 --> 01:16:58,333
Because I heard it again from one service provider

330
01:16:58,500 --> 01:16:59,666
that it is not fixed.

331
01:17:00,266 --> 01:17:02,066
But I never tested it myself.

332
01:17:12,366 --> 01:17:13,800
Let's move forward to IDS/IPS.

333
01:17:14,966 --> 01:17:16,000
I was just about to say.

334
01:17:17,866 --> 01:17:19,433
So now there are some prerequisites

335
01:17:19,433 --> 01:17:21,933
you need to fulfill for IDS/IPS.

336
01:17:22,699 --> 01:17:24,333
It's not just a turn-on feature.

337
01:17:28,500 --> 01:17:28,733
Isn't it?

338
01:17:29,733 --> 01:17:34,933
Yeah, you need this crazy Kubernetes cluster.

339
01:17:35,233 --> 01:17:38,766
But it should be no longer.

340
01:17:40,199 --> 01:17:42,866
Not for basic IDS/IPS.

341
01:17:43,766 --> 01:17:47,933
You need the Kubernetes for all the other ATP features.

342
01:17:48,433 --> 01:17:48,966
Yeah, you're right.

343
01:17:50,399 --> 01:17:53,033
So IDS/IPS... so ATP contains

344
01:17:53,033 --> 01:17:55,266
four features, as far as I have,

345
01:17:55,533 --> 01:17:56,100
out of my head.

346
01:17:56,600 --> 01:17:57,633
One is IDS/IPS.

347
01:17:58,433 --> 01:18:00,566
There is the malware protection.

348
01:18:01,866 --> 01:18:04,433
The-- help me out.

349
01:18:06,199 --> 01:18:08,266
It's malware protection, malware prevention.

350
01:18:08,866 --> 01:18:11,266
It's the whole visualization thingy,

351
01:18:12,100 --> 01:18:14,066
the flow visualization, and that part.

352
01:18:14,833 --> 01:18:15,933
And there is a fourth feature.

353
01:18:16,500 --> 01:18:19,433
IDS/IPS is the only feature of ATP,

354
01:18:19,433 --> 01:18:22,333
which is not dependent on the Kubernetes.

355
01:18:22,433 --> 01:18:23,133
Yeah, that part.

356
01:18:26,133 --> 01:18:34,466
But, Yves is right somehow, because the big thing

357
01:18:34,466 --> 01:18:38,066
with IDS/IPS from a CSP standpoint of view

358
01:18:38,066 --> 01:18:40,666
is it's not a self-service feature.

359
01:18:41,300 --> 01:18:42,800
It still is not.

360
01:18:42,800 --> 01:18:45,433
It can only be consumed as a managed service.

361
01:18:47,399 --> 01:18:50,100
But the amazing thing is if

362
01:18:50,100 --> 01:18:54,033
you think about Gateway IDS/IPS,

363
01:18:54,800 --> 01:18:58,600
it can be enabled on a per-T1 basis.

364
01:18:59,466 --> 01:19:01,966
So I can enable it only for a single tenant.

365
01:19:03,133 --> 01:19:05,733
But a T1 runs on an Edge Gateway,

366
01:19:06,333 --> 01:19:09,433
and the Edge Gateway needs to be licensed for IDS/IPS.

367
01:19:11,266 --> 01:19:12,333
That's the ATP license.

368
01:19:14,133 --> 01:19:18,500
Or if you're aiming for the Distributed IDS/IPS

369
01:19:20,066 --> 01:19:24,500
implementation, you need to license all the hosts with ATP.

370
01:19:25,966 --> 01:19:28,166
But Sascha, can you license ATP also,

371
01:19:28,533 --> 01:19:30,066
as you have mentioned, for the vDefend Firewall

372
01:19:30,066 --> 01:19:33,733
on a dedicated host perspective in a single cluster?

373
01:19:34,066 --> 01:19:37,233
Or do you need to license the whole cluster with ATP?

374
01:19:38,533 --> 01:19:40,466
No, that's the same rule like vDefend.

375
01:19:41,533 --> 01:19:41,966
OK, cool.

376
01:19:42,266 --> 01:19:47,633
That's important to know.

377
01:19:47,633 --> 01:19:48,733
Because for IDS/IPS--

378
01:19:49,966 --> 01:19:50,100
Sorry?

379
01:19:51,366 --> 01:19:54,199
If I run it on a gateway, I can also

380
01:19:54,266 --> 01:19:57,466
run the vDefend Advanced Threat Protection licenses

381
01:19:57,766 --> 01:20:02,133
under the same regulations as we have for normal gateway

382
01:20:02,166 --> 01:20:02,666
firewalls.

383
01:20:04,133 --> 01:20:04,666
Yeah, cool.

384
01:20:05,733 --> 01:20:07,966
So the only thing we need to be aware of

385
01:20:08,066 --> 01:20:13,033
is with IDS/IPS, deploy at least extra large Edge

386
01:20:13,433 --> 01:20:14,166
transport nodes.

387
01:20:15,233 --> 01:20:20,066
Otherwise, you might have issues with the throughput.

388
01:20:21,600 --> 01:20:21,800
Yes.

389
01:20:25,300 --> 01:20:26,899
Speaking of IDS/IPS, there is

390
01:20:26,899 --> 01:20:28,466
another very important prerequisite,

391
01:20:28,866 --> 01:20:32,166
and this is internet connection of the NSX managers.

392
01:20:33,866 --> 01:20:36,266
Because they need to download all the patterns

393
01:20:37,766 --> 01:20:42,733
and those are downloaded from a cloud service.

394
01:20:43,833 --> 01:20:46,500
So the NSX manager needs to have internet access.

395
01:20:48,166 --> 01:20:52,533
A proxy can be configured, and Broadcom

396
01:20:52,666 --> 01:20:56,566
provides proper documentation on which URLs

397
01:20:56,866 --> 01:20:58,366
need to be allowed.

398
01:21:01,566 --> 01:21:03,833
If you're not able to provide internet connectivity,

399
01:21:04,633 --> 01:21:09,666
I think you can do an air gap installation as well.

400
01:21:10,133 --> 01:21:11,433
But then you need to ship all

401
01:21:11,433 --> 01:21:14,933
the patterns and all the stuff

402
01:21:14,933 --> 01:21:17,933
you need manually via USB stick or whatever.

403
01:21:21,433 --> 01:21:25,600
And I think with IDS/IPS, it's an amazing feature,

404
01:21:26,100 --> 01:21:28,166
especially the distributed implementation.

405
01:21:28,433 --> 01:21:32,833
Because you can, again, filter the traffic internally

406
01:21:33,166 --> 01:21:37,399
so that the different flows you have between the stages

407
01:21:37,399 --> 01:21:40,266
of an application or the layers of an application.

408
01:21:41,199 --> 01:21:44,333
But always keep in mind, do not try

409
01:21:44,466 --> 01:21:49,066
to filter all the traffic you find in your infrastructure

410
01:21:49,699 --> 01:21:50,633
with IDS/IPS.

411
01:21:52,566 --> 01:21:55,433
That's just consuming so many CPU cycles,

412
01:21:55,666 --> 01:21:59,166
so you will barely run any workloads anymore, because

413
01:21:59,166 --> 01:22:00,266
of just traffic filtering.

414
01:22:01,966 --> 01:22:06,533
So before doing IDS/IPS, build a proper design,

415
01:22:06,533 --> 01:22:09,100
think about which traffic flows to analyze,

416
01:22:10,133 --> 01:22:12,899
and configure the redirect rules accordingly.

417
01:22:13,533 --> 01:22:14,666
Yes, redirect rules.

418
01:22:15,366 --> 01:22:17,266
So you redirect certain traffic

419
01:22:17,266 --> 01:22:19,533
flows to the IDS/IPS analysis.

420
01:22:22,100 --> 01:22:26,366
But that's the same on the physical firewalls.

421
01:22:27,466 --> 01:22:30,333
So you're not able to run all the traffic

422
01:22:31,233 --> 01:22:33,600
through the IDS/IPS filters.

423
01:22:34,166 --> 01:22:36,733
Well, you can, but throughput will suffer.

424
01:22:37,899 --> 01:22:40,833
Yeah, and the memory and CPU

425
01:22:40,833 --> 01:22:44,133
will also go higher and higher.

426
01:22:44,533 --> 01:22:46,566
And then there will be a stop.

427
01:22:47,666 --> 01:22:50,899
Yeah, but that's, again, a very important thing.

428
01:22:50,899 --> 01:22:54,766
And it's also good that IDS/IPS can only

429
01:22:54,766 --> 01:22:58,766
be consumed as a managed service, because the CSP

430
01:22:59,033 --> 01:23:02,633
has a perfect overview of how much CPU is left,

431
01:23:03,333 --> 01:23:07,533
how much throughput an Edge transport node is still

432
01:23:07,666 --> 01:23:10,266
able to handle if we talk about gateway IDS.

433
01:23:11,233 --> 01:23:12,733
Especially in shared environments.

434
01:23:15,766 --> 01:23:19,433
So there is a lot of stuff to consider,

435
01:23:19,766 --> 01:23:22,733
not only licensing but also infrastructure.

436
01:23:23,300 --> 01:23:27,933
Yeah, but that's like with every other product.

437
01:23:27,966 --> 01:23:31,333
So you need to have a proper design before you

438
01:23:31,333 --> 01:23:32,866
start with the implementation.

439
01:23:33,833 --> 01:23:37,033
So you have the right size of Edge nodes rolled out,

440
01:23:38,699 --> 01:23:41,766
decide which firewall rules make sense

441
01:23:41,766 --> 01:23:44,066
to be routed over IDS/IPS.

442
01:23:47,300 --> 01:23:47,633
Yeah.

443
01:23:56,100 --> 01:23:56,366
Good.

444
01:23:58,600 --> 01:24:04,100
So I think when we sum it all up, so on one end,

445
01:24:04,100 --> 01:24:06,300
we have the licensing changes which

446
01:24:06,300 --> 01:24:08,366
make it easier to play around with it

447
01:24:08,366 --> 01:24:10,766
or try it out or deploy it at the customer

448
01:24:11,266 --> 01:24:12,699
or for individual customers.

449
01:24:12,966 --> 01:24:14,733
We have the uncertainty that it's

450
01:24:14,766 --> 01:24:18,966
unclear how to deal with customers where we have--

451
01:24:19,699 --> 01:24:22,466
or for service providers who don't have any customer

452
01:24:22,566 --> 01:24:27,633
commit for NSX so far or for vDefend so far

453
01:24:27,766 --> 01:24:29,500
because NSX is always included.

454
01:24:30,033 --> 01:24:31,733
So that's the vDefend part that you

455
01:24:31,733 --> 01:24:33,366
need to license specifically.

456
01:24:34,866 --> 01:24:36,033
So that is still outstanding.

457
01:24:36,333 --> 01:24:39,233
Maybe we get some answers on that in the upcoming weeks.

458
01:24:40,500 --> 01:24:42,333
But I think there is a huge opportunity

459
01:24:42,633 --> 01:24:44,766
not only from additional features

460
01:24:44,966 --> 01:24:46,133
which we have in the system,

461
01:24:46,133 --> 01:24:49,566
but also how to actually charge

462
01:24:49,666 --> 01:24:50,466
customers for that.

463
01:24:50,800 --> 01:24:52,833
And as we discussed last week

464
01:24:52,833 --> 01:24:54,233
at the Service Provider Summit

465
01:24:54,366 --> 01:24:57,533
as well, it's like the importance for service

466
01:24:57,566 --> 01:24:59,133
providers to provide

467
01:24:59,133 --> 01:25:01,766
additional services you can charge for.

468
01:25:01,766 --> 01:25:04,366
So not only technology services, but also

469
01:25:05,666 --> 01:25:09,333
manual consulting, architecture, et cetera, services

470
01:25:09,333 --> 01:25:12,833
you can charge for, are becoming more and more important,

471
01:25:13,300 --> 01:25:16,199
because the other thing which happened due to the Broadcom

472
01:25:16,266 --> 01:25:19,033
change is that everybody now has the same license package,

473
01:25:19,033 --> 01:25:20,733
more or less, except for the add-ons,

474
01:25:21,466 --> 01:25:27,300
so the space for VCSPs, or VMware Cloud Service

475
01:25:27,333 --> 01:25:30,866
Providers, to take the long road has become more

476
01:25:30,899 --> 01:25:33,366
competitive, because it's much easier to compare.

477
01:25:33,466 --> 01:25:37,266
Previously, customers were like, "oh, I have feature ABC

478
01:25:37,533 --> 01:25:39,066
included with this provider.

479
01:25:39,066 --> 01:25:40,233
I don't have it with that one."

480
01:25:40,833 --> 01:25:43,466
That is actually far more leveled.

481
01:25:43,966 --> 01:25:46,033
So that is going to be quite interesting.

482
01:25:46,500 --> 01:25:51,366
So I think overall, it's definitely something

483
01:25:51,466 --> 01:25:52,833
service providers should look into.

484
01:25:53,366 --> 01:25:57,433
It's definitely something which can open the market

485
01:25:57,633 --> 01:25:59,166
for additional features.

486
01:26:00,600 --> 01:26:03,166
And potentially from a lot of the other add-ons,

487
01:26:03,166 --> 01:26:06,466
it's the one which is the easiest for service providers

488
01:26:06,466 --> 01:26:07,333
to monetize.

489
01:26:08,066 --> 01:26:09,433
So that being--

490
01:26:10,266 --> 01:26:10,866
To be fair...

491
01:26:12,633 --> 01:26:13,033
Go on.

492
01:26:14,800 --> 01:26:18,366
Yeah, so what I want to mention in addition to that

493
01:26:18,433 --> 01:26:22,466
is, with the end of life of Cloud Director and all

494
01:26:22,466 --> 01:26:24,766
of this information, we do not

495
01:26:24,866 --> 01:26:27,699
expect that we will get new features out of Cloud

496
01:26:27,766 --> 01:26:30,533
Director in the next one, two, three years,

497
01:26:30,699 --> 01:26:31,666
until the end of life.

498
01:26:32,366 --> 01:26:34,666
But your customers will expect that you

499
01:26:34,666 --> 01:26:36,833
have new features in your products

500
01:26:37,033 --> 01:26:40,266
or in your offerings as a service provider.

501
01:26:40,933 --> 01:26:44,366
And I think now we need to take a look at what products

502
01:26:44,733 --> 01:26:48,066
are included now, what we can use,

503
01:26:48,666 --> 01:26:50,733
and then offer these products to your customers

504
01:26:51,166 --> 01:26:54,333
to show your customers, hey, we are still working.

505
01:26:54,533 --> 01:26:57,266
We still have more products available for you.

506
01:26:57,633 --> 01:26:59,066
I think that's an important part.

507
01:27:03,166 --> 01:27:04,933
Nice closing word, I would say.

508
01:27:05,966 --> 01:27:07,233
Matthias, anything to add?

509
01:27:08,566 --> 01:27:11,566
Yeah, come up with proper product and packaging.

510
01:27:12,166 --> 01:27:12,766
Sell it.

511
01:27:12,899 --> 01:27:15,633
It's easy to sell, easy to use, easy to consume.

512
01:27:18,466 --> 01:27:18,666
Good.

513
01:27:19,433 --> 01:27:21,000
So I would say thank you all

514
01:27:21,000 --> 01:27:22,933
for listening in today's episode

515
01:27:23,133 --> 01:27:26,800
of our VCD Roundtable number 54.

516
01:27:27,733 --> 01:27:31,733
55 is going to come out in approximately two weeks.

517
01:27:33,066 --> 01:27:37,966
That is going to be from Palo Alto, I think, Sascha?

518
01:27:39,266 --> 01:27:39,500
Yes.

519
01:27:40,466 --> 01:27:43,266
As far as my head actually is correct.

520
01:27:43,466 --> 01:27:45,333
So maybe you have some fantastic news

521
01:27:45,866 --> 01:27:50,433
from the VMware mothership and can share them with you.

522
01:27:51,033 --> 01:27:52,000
Hopefully we get something.

523
01:27:53,066 --> 01:27:55,533
And yeah, that being said, thank

524
01:27:55,533 --> 01:27:58,566
you all for watching live today.

525
01:27:58,866 --> 01:28:01,466
As always, if you watch us live, which is typically

526
01:28:01,633 --> 01:28:04,300
recorded every other Thursday,

527
01:28:05,633 --> 01:28:07,566
you can always throw in some questions.

528
01:28:07,766 --> 01:28:09,666
Otherwise, thank you for listening to us

529
01:28:09,800 --> 01:28:12,100
on all the usual podcast platforms

530
01:28:12,333 --> 01:28:16,566
and hope to see you, hear you again soon.

531
01:28:17,066 --> 01:28:17,399
Good day.

532
01:28:17,666 --> 01:28:18,266
Perfect.

533
01:28:19,566 --> 01:28:19,866
Bye.

534
01:28:20,733 --> 01:28:20,866
Bye.