https://community.checkpoint.com/t5/Firewall-and-Security-Management/Experiences-in-Gateway-on-VMware/m-p/111657#M15440 <P>Throughput is fine. Latency is maybe 10x higher, but that's going from tens of microseconds to hundreds of microseconds. Not really a noticeable difference in most situations. With VT-D, you can hand a whole PCIe card directly to a VM. In that case, latency is still higher than on dedicated hardware, but less so. Virtualization costs a lot of I/O latency.</P> <P>The larger concern is the failure domain. If your VM environment goes down (e.g., your datacenter loses power and all hosts need to come up from scratch), do you need that firewall working to be able to get tech support and/or recover? With virtualization, it's entirely possible to set up your environment in such a way that it's impossible to recover from a full outage.</P> Tue, 23 Feb 2021 19:02:16 GMT Bob_Zimmerman 2021-02-23T19:02:16Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Experiences-in-Gateway-on-VMware/m-p/111636#M15436 <P>Hi,</P><P>I wasn't able to find a matching board entry, so I'm creating one here. I'm in need for your experience.</P><P>My company has everything virtualized. Only the Checkpoint Security Gateway is not. Now we are discussing the possible virtualization of this machine.</P><P>Has anybody experience with this solution? I'm currently torn. Does this method have enouth performance?</P><P>Currently we're using an OpenServer with multible VLANs on a Bond and 2 Core licensing.</P><P>Hopefully somebody out there has some experience since our reseller has none.</P><P>Thank you,</P><P>Stephan Kögler</P> Tue, 23 Feb 2021 15:15:06 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Experiences-in-Gateway-on-VMware/m-p/111636#M15436 Helpdesk_Borken 2021-02-23T15:15:06Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Experiences-in-Gateway-on-VMware/m-p/111637#M15437 <P>Security Gateway on VMWare works, We run dozens that way.</P> Tue, 23 Feb 2021 15:33:12 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Experiences-in-Gateway-on-VMware/m-p/111637#M15437 Vincent_Bacher 2021-02-23T15:33:12Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Experiences-in-Gateway-on-VMware/m-p/111650#M15438 <P>For your gateway VMs, I'd suggest creating the interfaces with interface type vxmnet3 (which supports Multi-Queue) instead of the standard e1000.</P> Tue, 23 Feb 2021 17:16:30 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Experiences-in-Gateway-on-VMware/m-p/111650#M15438 Timothy_Hall 2021-02-23T17:16:30Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Experiences-in-Gateway-on-VMware/m-p/111654#M15439 <P>Tim, doesnt Cloudguard Vsec for vmware running R81 preinstalled with vmxnet3? Those that I spinned up in vCenter already had this config. Though I am wondering why it detects a 10G network adapter and not just unlimited link speed.</P><P>Do you have any recommend performance ideas? With 4 cores vsec I can with ngfw get almost 3.6gbps when testing with iperf with 1 mb data package over 1 hour.</P><P>&nbsp;</P> Tue, 23 Feb 2021 17:47:59 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Experiences-in-Gateway-on-VMware/m-p/111654#M15439 Kim_Moberg 2021-02-23T17:47:59Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Experiences-in-Gateway-on-VMware/m-p/111657#M15440 <P>Throughput is fine. Latency is maybe 10x higher, but that's going from tens of microseconds to hundreds of microseconds. Not really a noticeable difference in most situations. With VT-D, you can hand a whole PCIe card directly to a VM. In that case, latency is still higher than on dedicated hardware, but less so. Virtualization costs a lot of I/O latency.</P> <P>The larger concern is the failure domain. If your VM environment goes down (e.g., your datacenter loses power and all hosts need to come up from scratch), do you need that firewall working to be able to get tech support and/or recover? With virtualization, it's entirely possible to set up your environment in such a way that it's impossible to recover from a full outage.</P> Tue, 23 Feb 2021 19:02:16 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Experiences-in-Gateway-on-VMware/m-p/111657#M15440 Bob_Zimmerman 2021-02-23T19:02:16Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Experiences-in-Gateway-on-VMware/m-p/111711#M15448 <P>Yes it should use vmxnet3, but I have seen some VMWare implementations that still default to e1000 for some reason.&nbsp; Just something to check.</P> Wed, 24 Feb 2021 12:40:38 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Experiences-in-Gateway-on-VMware/m-p/111711#M15448 Timothy_Hall 2021-02-24T12:40:38Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Experiences-in-Gateway-on-VMware/m-p/112019#M15524 <P>We have sold Check Point gateways in VMware and public clouds for years.<BR />In the past, the solution went by such names a VE (Virtual Edition), vSEC, and CloudGuard IaaS.<BR />Currently, it is called CloudGuard Network Security.<BR />We even have spaces for it on CheckMates <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> <P>Your existing Open Server licenses should work with virtualized gateways, though we sell specific licenses for it now.</P> Sun, 28 Feb 2021 18:40:43 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Experiences-in-Gateway-on-VMware/m-p/112019#M15524 PhoneBoy 2021-02-28T18:40:43Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Experiences-in-Gateway-on-VMware/m-p/112348#M15591 <P>Thank you all for your insights.</P><P>I'll follow this solution further.</P> Wed, 03 Mar 2021 06:45:53 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Experiences-in-Gateway-on-VMware/m-p/112348#M15591 Helpdesk_Borken 2021-03-03T06:45:53Z