topic Re: Application Control POC in General Topics

Application Control POC

Calvin_Piggott — Wed, 31 Oct 2018 11:51:03 GMT

Greetings Esteemed Members.

I am in the planning stages of a POC for inserting Open Server R80.10 gateway with R80.20 management virtual machines into a customer network.

The objective is to replace their current URL filtering solution with Check Point's SSL Inspection, Application Control and URL blades in the initial phase.

The customer's perimeter firewall is a Cisco ASA cluster and currently terminates VPN tunnels.

I was wondering whether the gateway can be inserted into the routing path using a single interface only, meaning that their layer 3 switch uses it as its default gateway and the Check Point's default gateway will be the ASA cluster, or do I need to physically place it between the internal network and the ASA cluster.

HTTP Proxy is not an option.

Thanks in advance for your support.

Re: Application Control POC

Vladimir — Wed, 31 Oct 2018 13:29:51 GMT

Look for "Deploying a Security Gateway or a ClusterXL in Bridge Mode" in Installation and Upgrade Guide R80.20 and check limitations and notes before doing it.

From the table, it looks like you can achieve most of what you want with a single gateway in a bridge mode.

Re: Application Control POC

Calvin_Piggott — Wed, 31 Oct 2018 14:44:23 GMT

Hi Vladimir,

Thanks for the link, in fact it is something that I looked at last night and I'm considering it.

It will also be the least intrusive topology option for the POC.

Only concern is this note #3

Identity Awareness in Bridge Mode supports only the AD Query authentication

I take it that it means Identity Collector isn't supported?

Do you know?

Cheers,

Calvin.

Re: Application Control POC

Vladimir — Wed, 31 Oct 2018 18:20:47 GMT

I am not certain. Can someone from Check Point chime in please?

Re: Application Control POC

Jason_Dance — Wed, 31 Oct 2018 19:11:40 GMT

Could another solution be to employ two vlans on your single interface? You should be able to route through with that configuration...

Re: Application Control POC

Calvin_Piggott — Wed, 31 Oct 2018 19:13:55 GMT

Jason,

This thought did cross my mind and it's an excellent idea.

Thanks for pointing it out.

Re: Application Control POC

Calvin_Piggott — Wed, 31 Oct 2018 23:12:58 GMT

Ok so after careful consideration and discussions w/ the client, it would be best to use bridge mode since the POC requires that no routing changes to the current network are to be made at this time.

The only risk in my mind then is that the server identified for the POC does not have bypass NICs in case of hardware failure or having to reboot for whatever reason.

Appreciate everyone's input thus far.

Re: Application Control POC

Calvin_Piggott — Thu, 01 Nov 2018 02:51:16 GMT

Yep would really like to have Check Point clarify Identity Collector compatibility w/ gateway bridge mode

I don't see any reason why it won't work though.

Re: Application Control POC

Maarten_Sjouw — Thu, 01 Nov 2018 06:34:16 GMT

You could also use proxy mode, than you don't need to be inline, the working is abou the same for the actual policy.

Regarding the policy itself I have created a mgmt_cli script to create a shared APCL/URLF policy, which you can use ordered or as a inline internet filter.

Re: Application Control POC

Calvin_Piggott — Thu, 01 Nov 2018 14:43:26 GMT

Hey Maarten - this is a good approach also, but the client does not want proxy mode.

How has your experience w/ this been in terms of performance, because as I understand it, proxy mode does not benefit from SecureXL.

Re: Application Control POC

Maarten_Sjouw — Thu, 01 Nov 2018 15:39:10 GMT

I have 1 customer running it on a 13500 with around 4000 users and 700Mb of traffic running through it and it is humming just fine. I see it is running around 50/50 FW/PXL and they are not using HTTPS decryption.

I also need to tell you that all Guest network connections run inline, not using the proxy, I do not know the number of users on guest.

Re: Application Control POC

Calvin_Piggott — Thu, 01 Nov 2018 15:44:11 GMT

Ok good info.

This POC will run as a Hyper-V VM as follows:

Management - 8GB RAM, 4 vCPU, 100GB disk, 1Gbps vNIC

Gateway - 4GB RAM, 4 vCPU, 100GB disk, 1Gbps vNIC

1000 corporate users, no guests

SSL Inspection required

Re: Application Control POC

Maarten_Sjouw — Thu, 01 Nov 2018 16:00:12 GMT

If you can hit it with 8 cores, the all-in-one Eval is supporting 8 cores...

Normally we calculate with a multiplier of 1,6 for ssl inspection.

Re: Application Control POC

Calvin_Piggott — Thu, 01 Nov 2018 16:03:33 GMT

Can you explain the multiplier?

What value is multiplied by 1.6?

Re: Application Control POC

Maarten_Sjouw — Thu, 01 Nov 2018 22:32:13 GMT

Have you ever looked at the CP Sizing tool? There the outcome for a appliance will be a certain load lets say 60% with the parameters that you have set, which means that with SSL inspection, you need to mylitply the 60% with 1.6 = 96% load on the appliance.

So far this has been pretty accurate.

Re: Application Control POC

Calvin_Piggott — Thu, 01 Nov 2018 22:38:54 GMT

I have used the sizing tool but always wondered about the SSL. So my configs were always analyzed by the SSL team. But it's good to know about the 1.6 multiplier.