CloudGuard IaaS for NSX-T

Check Point CloudGuard for VMware NSX delivers multi-layered defense to protect East-West and North-South traffic within the deployed Data Center. CloudGuard transparently enforces security at the hypervisor level between Virtual Machines (VMs), and provides comprehensive visibility into virtual network traffic trends and threats.

CloudGuard Gateway for NSX is automatically deployed as a service Virtual Machine (VM) in a virtual environment. The CloudGuard Gateway secures Data Center traffic between VMs across the virtual network.

ESXi Host Security Considerations

To learn how to secure your ESXi server, see VMware Best Practices - Security Hardening

Check Point Best Practices:

  • Use a separate secured network for the vSphere server management.

  • Permissions required for integration between different solutions should follow the least privileges model. This provides the minimum permissions required for proper function. For example, VMware NSX-T Manager and Check Point Security Management Server.

To learn more about VMware roles and permissions, see the best practices in the Managing VMware Virtual Center Roles and Permissions Guide.

Note - CloudGuard for NSX requires NSX Administrator Permission.

Supported Gateway Versions:

Service Insertion (North/South)

  • R80.30

  • R81

  • R81.10

Service Chaining (East/West)

  • R80.30

  • R81

  • R81.10

Supported Management Versions:

  • R80.30 and higher (with CME bundle)

Basic Deployment with Hypervisor Mode

The CloudGuard Gateways inspection of all traffic that goes to, from or inside the protected Security Group.





ESXi host

The physical infrastructure is multiple ESXi hosts in an ESXi cluster.



NSX Manager defines Security Group and the redirection policy.


vCenter Server

vCenter manages ESXi hosts.


CloudGuard Gateway

Inspects traffic:

  • Between VMs in the Security Group.

  • To and from the Security Group.



Virtual Machines.


Protected Security Group

Collection of vSphere objects protected by NSX.


Data Center core

The Data Center switching and routing infrastructure.


Physical Security Gateway

Physical enforcement point.


Security Management Server

Software-Defined Data Center aware Security Management Server.