topic Re: 23500 and/or 23800 appliances in Firewall and Security Management

23500 and/or 23800 appliances

Alex_Rozhko — Fri, 30 Mar 2018 06:15:58 GMT

Hi checkmates,

anyone had experience with 23.5, and 23.8k appliances? If yes in what configuration?

Re: 23500 and/or 23800 appliances

Kaspars_Zibarts — Fri, 30 Mar 2018 07:46:02 GMT

23800, R80.10 VSX, < 10 VSes, static routing, peaking 10 Gbps, bond to the core. Nothing too much with fancy blades. FW, ips, ia. So far so good. Nothing to complain about. Just ordered another pair to replace 13800

Re: 23500 and/or 23800 appliances

Alex_Rozhko — Fri, 30 Mar 2018 14:56:30 GMT

Is it single 23800 VSX or cluster?

Re: 23500 and/or 23800 appliances

Alex_Rozhko — Sun, 01 Apr 2018 04:40:11 GMT

Kaspar, I assume your configuration is single 238k model?

Re: 23500 and/or 23800 appliances

Kaspars_Zibarts — Mon, 02 Apr 2018 20:53:39 GMT

Sorry, Easter break from work.. no it's a cluster.:)

Re: 23500 and/or 23800 appliances

Doeschi — Fri, 06 Apr 2018 11:16:32 GMT

We have 2 VRRP Clusters on 23800 Appliances as datacenter core firewalls with a lot of VLANs (150+) on 10GB Bonds and actually have issues with the VRRP failover (routed seems to hang, case open) as well as some false positives on the power supply monitoring via snmp. Other than that, those applicances are very fast, but cost a fortune 🙂

Re: 23500 and/or 23800 appliances

Alex_Rozhko — Sat, 21 Apr 2018 06:04:38 GMT

why vrrp not ccp?

Re: 23500 and/or 23800 appliances

Vladimir — Sun, 22 Apr 2018 17:00:02 GMT

I've deployed a number of those with R77.30 VSX in ClusterXL. Number of VS' on each cluster with variety of configurations.

Generally, all is well. The only thing of note was an incorrect memory reporting by show asset all command.

Re: 23500 and/or 23800 appliances

Victor_MR — Mon, 23 Apr 2018 04:36:55 GMT

Hi Alex,

We have many 23500/23800 deployments, in several different scenarios (with and without Blades, clusters -usually ClusterXL-, regular Gateways and VSX...)

Are you looking for anything specific? Hardware related issues maybe?

Regards!

Re: 23500 and/or 23800 appliances

Alex_Rozhko — Mon, 23 Apr 2018 13:23:26 GMT

Needed to know memory/CPU concerns/considerations and performance before purchase commitment. I settled with 2x23.5(s). Now configuration fun: since VS licensing comes as VSLS, does it mean to fully utilize functionality VSX gateways have to be configured in load sharing mode, not HA?

Re: 23500 and/or 23800 appliances

Vladimir — Mon, 23 Apr 2018 13:39:19 GMT

I would look at it differently: when and if you'll get to the third appliance, you'll have an option of taking advantage of VSLS.

With 2 appliances, the HA is a better option (personal opinion). Otherwise, you'll have to keep track on utilization in order to avoid overloading the systems.

Re: 23500 and/or 23800 appliances

Alex_Rozhko — Mon, 23 Apr 2018 21:39:03 GMT

Valid point however theoretically, if gateway has enough power to run 10 VM(s) in VLSM mode it should be fine since only half of active VS(s) will be running on one gateway at given time (5act and 5 standby on each? What would be the breaking point to consider 3rd VSX gateway?

Re: 23500 and/or 23800 appliances

Vladimir — Mon, 23 Apr 2018 21:47:46 GMT

When VS' were 32 bit, it was easier to answer this question, since we knew the maximum allocated vRAM.

With 64 bit VSX memory consumption is dynamic, so you'll have to monitor total active (non-cached) memory consumption of the each member of VSX cluster is lower than 50%. Otherwise, when one of the appliances is down, you may end-up with underperforming VS.

Re: 23500 and/or 23800 appliances

Alex_Rozhko — Mon, 23 Apr 2018 22:15:03 GMT

Good info, thank you. Anything else to watch for or be prepared for before I disappear in VSX forest?

Re: 23500 and/or 23800 appliances

Vladimir — Mon, 23 Apr 2018 22:24:51 GMT

Just that you'll lose the WebUI when you designate units as VSX. Not the end of the world, but for consistency sake, pre-configure both units same way and check the diff between configs. Primarily applicable to routing, if you are planning to use any advance features. And, of course, NTP sync the units before clustering them. If your Check Point infrastructure is not huge, consider configuring static DNS entries for all of its components on each unit as well as verify access to the Internet for licensing and CPUSE.

Best of luck!

Re: 23500 and/or 23800 appliances

Alex_Rozhko — Tue, 24 Apr 2018 03:36:39 GMT

Cool stuff, info I was looking for, thank you. One more Q: I am planning to have 2 VSX gateways in SL mode with VS(s) in HA mode on them. Theoretically should work? Crazy, stupid or potential subside?

Re: 23500 and/or 23800 appliances

Vladimir — Tue, 24 Apr 2018 12:51:33 GMT

You mean VSX' in LS and VS' in HA? I'd suggest asking Kaspars Zibarts, as he is working with VSX more than I do, but if my recollection is correct, VSLS is enabling 3 instances of the same VS, active, standby and a backup. Not sure what that does to resource consumption, but I think it'll be on par with HA with the backup version being normally suspended.

The only advantages to this approach is the ability to rapidly expand the cluster without changing its mode and equal stress of the hardware.

From the point of view of redundancy and failover time, I do not believe you'll gain anything.

Try to find an ARTG articles on VSX, those may come handy.

Re: 23500 and/or 23800 appliances

Alex_Rozhko — Wed, 25 Apr 2018 19:46:21 GMT

Vladimir, you are correct regarding configuration. Do you know where I can find information on why some VSX CLI commands blocked? There is no explanation why, it is simply blocked? Particular command I need is to add brdge.

Re: 23500 and/or 23800 appliances

Vladimir — Wed, 25 Apr 2018 19:58:11 GMT

Could it be that you have chosen one of the preset VSX models instead of "Custom Properties"?

And are those interfaces defined as "Physical Interfaces"?

Re: 23500 and/or 23800 appliances

Alex_Rozhko — Wed, 25 Apr 2018 20:04:57 GMT

Yes and yes :only custom template and can see physical interfaces but no love from bridging side.