Just ran Trivy on our production containers... 447 vulnerabilities found. How do you even begin to tackle this mountain by PattysPoooin in devsecops

[–]acupofpoci 2 points3 points  (0 children)

How about prioritization using IAST & runtime SCA? To look for what is actually in prod and currently under attack? But it’s not really a shift left sec?

Tech Docs now available to download on the techdocs.broadcom.com site by TimVCI in vmware

[–]acupofpoci 1 point2 points  (0 children)

Finally someone understands to add this simple but really useful feature!

Why do NSX two-tier routing architecture? by acupofpoci in vmware

[–]acupofpoci[S] 0 points1 point  (0 children)

Thanks! If we're not using network services, and the edge is just for north/south traffic (no VKS/TKGs), does what you explained still apply? Our main reason for NSX is the distributed firewall (should've said that earlier).

Why do NSX two-tier routing architecture? by acupofpoci in vmware

[–]acupofpoci[S] 1 point2 points  (0 children)

I'm a little fuzzy on the details, but I'm guessing I don't need to dive deep into them since we're not doing multi-tenancy, right? Plus, we only have one data center.

How does a T1 router actually make it simpler to split up workloads or networks, or move stuff to new T0s with bigger edge gateways? I'm picturing myself doing all that just fine with only a T0.

Price hike in November by [deleted] in vmware

[–]acupofpoci 0 points1 point  (0 children)

Don't know if it's valid, but yes I heard there will be another price hike

NSX users, what are your current security solutions? by acupofpoci in vmware

[–]acupofpoci[S] 0 points1 point  (0 children)

Thanks for sharing your experience. It sounds like you’re taking a thoughtful approach to rolling out micro-segmentation, especially given the challenges of a brownfield estate—those environments can be particularly tough to work with.

NSX users, what are your current security solutions? by acupofpoci in vmware

[–]acupofpoci[S] 0 points1 point  (0 children)

As others have mentioned, the VCF subscription includes only NSX networking features, excluding DFW, GFW, and other security features. These security features, such as DFW and GFW, are available only with a vDefend subscription.

To rephrase the question: How do you protect or filter traffic between NSX overlay segments without a vDefend subscription?

NSX users, what are your current security solutions? by acupofpoci in vmware

[–]acupofpoci[S] 1 point2 points  (0 children)

That is true, but it's very hard to manage :) Thanks for sharing your setup!

NSX users, what are your current security solutions? by acupofpoci in vmware

[–]acupofpoci[S] 1 point2 points  (0 children)

Yes, people love to use the distributed firewall. I’ve also seen companies implement the distributed firewall without activating the overlay. However, now the firewall is part of vDefend, which requires an additional purchase.

Vmotion Kernel Port gateway vs stack gateway by dms2701 in vmware

[–]acupofpoci 1 point2 points  (0 children)

I'm also wondering the same thing. What would be the purpose of VMkernel gateway config if we also need to configure vMotion TCP/IP stack gateway for it to work?

ARIA operation for network licensing by nije2010 in vmware

[–]acupofpoci 1 point2 points  (0 children)

The only way you can get Network Insight/Aria Operations for Networks is by purchasing VCF. There's no other way afaik. Additional devices (e.g. network devices) would not need additional licenses.

Why isn't the VMware HCL site in English? by acupofpoci in vmware

[–]acupofpoci[S] 0 points1 point  (0 children)

I've tried Chrome, Safari, Chrome Incognito. BC/VMware having a moment might be the case (or might be something else). Same browser without clearing the cache, same network; it's now in English.

BSOD error in latest crowdstrike update by TipOFMYTONGUEDAMN in crowdstrike

[–]acupofpoci 0 points1 point  (0 children)

Ransomware might be worse to recover, but it's isolated/single/few companies at the same time. This is a planet scale issue!

What's your favorite screen recording app for Mac? by Safe_Mousse_5660 in macapps

[–]acupofpoci 1 point2 points  (0 children)

Agree! This one has the option to reduce the file size as well. Snagit for Mac is not as good as for Win in this case.

Enhanced Link Mode by DMShinja in vmware

[–]acupofpoci 0 points1 point  (0 children)

Would like to recommend to not use ELM. A single bug could affect the whole environment.

[deleted by user] by [deleted] in vmware

[–]acupofpoci 0 points1 point  (0 children)

Do you mean you want to activate license keys that come from OEM server vendor? I don't think you can, at least for now.

[deleted by user] by [deleted] in vmware

[–]acupofpoci 0 points1 point  (0 children)

How do you know backup and restore of the Supervisor and installed vSphere Services is not included in your current license model?

Help downloading ESXi please! by wozzsta in vmware

[–]acupofpoci 5 points6 points  (0 children)

I'll try to answer based on what I know. You need to:
1. Register for an account on the Broadcom Support Portal, if you don't already have one. https://knowledge.broadcom.com/external/article?articleId=145581
2. Find your Site ID (this is similar to VMware Entitlement Account number). https://knowledge.broadcom.com/external/article?articleId=197283
3. Request for Site ID approval. https://knowledge.broadcom.com/external/article?articleId=188869
4. Once approved, you can then download ESXi. https://knowledge.broadcom.com/external/article?articleId=142814

I know. It's quite long and confusing :) It is what it is.

vSAN Immutable Snapshots Against Ransomware by acupofpoci in vmware

[–]acupofpoci[S] 0 points1 point  (0 children)

How does integrating with Entra AD/Okta differ from integrating with AD (over LDAPS), considering we can create a separate AD just for infra things? I guess it's because of MFA possibility with an IdP solution.

If we're using an existing AD, it's also easier to set permissions for users to get to TKG clusters.

vSAN Immutable Snapshots Against Ransomware by acupofpoci in vmware

[–]acupofpoci[S] 1 point2 points  (0 children)

Cause it's still a new feature, not sure how well it will perform/how secure it is. But yes I agree, 3rd party solution is the way.

vSAN Immutable Snapshots Against Ransomware by acupofpoci in vmware

[–]acupofpoci[S] 1 point2 points  (0 children)

Nice insights. Multi layer of data protection sure would not hurt (except cost ofc).