As stated above, you can deactivate IPS for protocols not needing inspection.

You do want me to go and exclude all protocol one by one. Ugh, that's what I want to avoid?

IPS only inspects traffic allowed by your access policy.

If you only allow HTTPS, DNS, and SMTP via your access policy, IPS will only inspect that traffic.

Thanx for the clarification. That is somehow logical but I am being paranoid lately

This is absolutely true.  I would add one additional piece of information.  In my experience with 1100 devices, the recommendation to disable protections earlier than 2010 was not enough.  As the years progressed, I had to disable protections from later years as well.  For example, in 2014, disabling protections older than 2010 worked.  By 2015, I had to disable protections older than 2012.  2016, disable protections older than 2013 and so on.  For the 1100 series at least, it worked out to roughly a window of 3 to 5 years of IPS protections that I could have enabled at any given time.

The newer 1400 series have more RAM and are more powerful, so they may be able to handle more.

Just recently, i discovered that after firmware update to R77.20.80, on a 1140 SMB appliance policy install will fail as there are too many enabled blades, that is FW, VPN, IPS, ABOT, AV, APCL, URLF, QoS. Even setting new .80 Advanced Settings "Move temporary policy files to storage" to true does not help. That is a bad sign for a hardware that is supported until summer 2020...

Yeah, hmm... It is now evident that SMB appliances are just not up to task of being full FW + TP solution. It is good that there are so many blades to choose from but running all of them at the same time is overkill even on 1470/1490.  I have enabled only the AC/UF and IPS blades. Works somehow but SFWD process crashes way to often (max rss increased to 300MB). I understood there are other people experiencing same problem.

Would love to enable HTTPS inspection also. But I am kind of afraid to do it

And I wonder what it will be when/if R80.20 is released.

For me, stability is more important than anything else.  

You have to think of SMB appliances as successors to the Edge / Safe@Office units - and in comparison, they have a whole lot more functionality - apart from NGTP, just look into the advanced routing possible now. But that enabling NGTP Blades lowers the traffic throughput is clear, and you can not argue that buying the blades and services makes the hardware able to cope with them performance-wise. More expensive hardware makes more ressources available, it would be unnecessarys otherwise 😉

Have you hit upon the magic combination or magic number of blades that can be enabled at once?

No, because that also depends very much on the traffic, both its load and mix that can be quite different at every customer.

Hello Hristo,

In the beginning I had some issues with HTTPS Inspection, but I worked with TAC and R&D was able to reach a stable build, I believe starting from build 402. GA is 392, but build 437 is available for download in sk134253 and also corrects some CVEs and VPN issues.

I am currently running HTTPS Inspection and full NGTP in a 1450 cluster with 12 users, 3 Site-to-site VPN Tunnels, 200 Mbps link. It is working fine.

There were some serious memory leak issues in SFWD but they seem to be solved as well. It has been weeks without a failover due to SFWD crash.

I believe we will see greater improvements in R77.20.85 also, which should be out in October.

Hey Pedro,

I am running cluster of two 1470 appliances used by 70 users, 5 SS VPNs, few remote access users on a dual ISP connection with total 100 Mbps capacity. Not too much I think. Build is also 437.

Some days it will work fine, no issues. But on most of the days SFWD will crash every now and then. It is immediately restarted by a watchdog service and there is no failover in the cluster. In fact the only visible effect is that all SS VPNs are restarted (currently open user connections are dropped).  I have no other custom settings on the device other than the RSS memory increased to 300MB. R77.20.75 build 239 was the last one that had stable SFWD process that never crashed. 

SecureXL does not work also for me. When I enabled it device restarts in few minutes. TAC was able to fix that and provide me with custom build but I had to replace it with 437 because of the CVE security fixes. I hope they will include this fix in the main branch. 

HTTPS Inspection generally works here but I have disabled it because of the SNI problem that seems to be properly fixed only in R80.10 so far. Check this thread:

https://community.checkpoint.com/thread/6245-is-there-any-workaround-for-sni-https-traffic-when-enab... 

I hope stability will be improved even more but as we discussed in another thread current Gaia embedded design is not very good (everything is handled by a single process). I am assuming this and other things will change in R80.20 if it is still planned release for SMB.

You wrote:

I hope stability will be improved even more but as we discussed in another thread current Gaia embedded design is not very good (everything is handled by a single process). I am assuming this and other things will change in R80.20 if it is still planned release for SMB.

I would expect that a much smaller hardware footprint exists on this kind of embedded devices and that everything is handled by a single process is only a symptom of a reduction process. I do not expect these things to change in the future - if the hardware platform gets more power ( see the difference between 600/1100 and 7x0/14x0 models ), more functionality can be added. But in the same time, the "big" GAiA devices also get better hardware that makes new functionality possible. So the SMB devices will always keep behind and no full R80.20 port could ever be released for install on SMB. I do remember the older SMB units being included in turbines to provide them safe internet connectivity. 1200Rs are just looking richt for this field of application.

Next Version is R77.20.81, and a little bird has told me that it might bring more flexible ISP connections (more than four).

Hi,

This is all too exciting but sadly SecureXL does not really work on SMB if you have ISP in load-balancing configuration. On primary/backup it works fine. I hope they fix that as well.

Reference sk104679

The sk104679 does speak about ISP Redundancy enabled in Primary/Backup mode, and it also includes SMB as well as all CP versions up to R77.30. The configuration of ISPs in load-balancing configuration does not work with SecureXL at all despite of hotfixes installed. I would not expect that this can be fixed for SMBs...

Why would LB cause more load than HA? Btw, it is more like load sharing, not really balancing.

HA only has to check if the primary is up, but LS has to distribute the load according to some algorithm or config between the ISPs. This is similar ti the use of multiple cores as distributing work there also needs ressources...

Correct me if I am wrong but LB only works on outbound connections? Also, I do not think link selection algorithm is that complex to cause any significant load. It all depends on how many concurrent connections there are of course but still... Do not underestimate SMB power

Also, If it cannot LB between 2x ISP links why on earth would I need 4x ? One primary and three backups sounds crazy to me.

You can use SecureXL together with ISP redundancy (let us use the correct term). but not when ISP LB is needed - but what is the gain of using SecureXL on SMBs ? LB surely works on outbound connections as you rarely can control inbound connections.

The question of link selection algorithm is a rather complicated theme especially if the ISPs have different performance characteristics. Dpending on hard- and software, adding a second core might give 30% to 70% improvement (maybe even up tp 90%, but Amdahl's law rules).

Hmm, isn't SecureXL supposed to offload some traffic from firewall module thus reducing actual load on the system? Something especially needed on these low-end devices. 

I believe link selection on SMB is pure round-robin algorithm. I seriously doubt it is accounting for latency and such.... or keeping in time stats and trying to use some predictive methods... May be utilizing some fast math to prioritize link based on pre-configured preference.

I would vote for adding more memory and disk space rather than increasing number of cores but this is purely personal preference

Now, look at this. Beautiful isn't it?

[cpWatchDog 2162 1744208784]@RD6281[13 Sep 12:41:03] [INFO] CPWD is already performing active monitoring on CheckPoint services/processes
[cpWatchDog 2162 1744208784]@RD6281[13 Sep 12:41:04] [SUCCESS] cposd started successfully (pid=2814)
[cpWatchDog 2162 1744208784]@RD6281[13 Sep 12:41:04] [SUCCESS] RTDB started successfully (pid=2834)
[cpWatchDog 2162 1744208784]@RD6281[13 Sep 12:42:38] [SUCCESS] SFWD started successfully (pid=5397)
[cpWatchDog 2162 1744208784]@RD6281[13 Sep 12:42:43] [SUCCESS] CPHAMCSET started successfully (pid=6707)
[cpWatchDog 2162 1744208784]@RD6281[14 Sep 9:03:11] [ERROR] Process SFWD terminated abnormally : Unhandled signal 6 (). Core dumped.
[cpWatchDog 2162 1744208784]@RD6281[14 Sep 9:04:11] [SUCCESS] SFWD started successfully (pid=21999)
[cpWatchDog 2162 1744208784]@RD6281[14 Sep 11:32:19] [ERROR] Process SFWD terminated abnormally : Unhandled signal 6 (). Core dumped.
[cpWatchDog 2162 1744208784]@RD6281[14 Sep 11:33:19] [SUCCESS] SFWD started successfully (pid=28000)
[cpWatchDog 2162 1744208784]@RD6281[14 Sep 13:40:58] [ERROR] Process SFWD terminated abnormally : Unhandled signal 11 (SIGSEGV). Core dumped.
[cpWatchDog 2162 1744208784]@RD6281[14 Sep 13:41:58] [SUCCESS] SFWD started successfully (pid=30460)

This is a completely different theme, so please post that seperately from Optimizing an IPS profile for SMB