topic Re: Cloudguard EDGE vs IaaS on Cisco ENCS platform for SD-WAN firewall security in SASE and Remote Access

Cloudguard EDGE vs IaaS on Cisco ENCS platform for SD-WAN firewall security

Garrett_DirSec — Fri, 04 Sep 2020 18:48:14 GMT

Hello -- Checkpoint customer looking into Cisco 5000 Enterprise Network Compute System (ENCS) for SD-WAN platform.

Customer has been running R80.30 and looking into upgrades to R80.40. They are hesitant to consider EDGE for ENCS because current available image based on R77.20.xx.

Can they run Cloudguard IaaS in place of the EDGE VNF image for SD-WAN security on 5000-series ENCS platform?

Yes, I understand there is a licensing and cost difference between the two.

Thanks-GA

Cloudguard IaaS is "mostly full GAIA" and R80.30+

Cloudguard VNF/EDGE is embedded GAIA and R77.20x

reference links below.

The R80.30 GAIA build for ENCS is listed as "Cloudguard for private cloud".

http://supportcontent.checkpoint.com/solutions?id=sk158292

The R77.30 VNF build for ENCS listed as "Cloudguard EDGE".

http://supportcontent.checkpoint.com/solutions?id=sk166421

SD-WAN integration guides HERE.

Re: Cloudguard EDGE vs IaaS on Cisco ENCS platform for SD-WAN firewall security

PhoneBoy — Sat, 05 Sep 2020 03:44:22 GMT

At least the way I read the download SK, you should be able to use the R80.30 image that says it’s for ENCS.
I would not use a standard R80.40 ISO here as there are probably a few differences in drivers/packaging that would make it not work.

We should have an R80.20 version of CloudGuard VNF soon as well.

Re: Cloudguard EDGE vs IaaS on Cisco ENCS platform for SD-WAN firewall security

Garrett_DirSec — Wed, 09 Sep 2020 16:13:25 GMT

Hello @PhoneBoy . thanks for reply and insight.

while customer (and myself) feel that R77.20.x embedded GAIA is ancient, the current R80.20 embedded GAIA release is becoming somewhat "old" as well. I suggest the embedded GAIA releases (for appliances and VNF) should be updated to more recent GAIA release sooner vs later (example: straight to R80.40).

The primary gateway focus for customer are (a) layers, and (b) HTTPS decrypt enhancements with more recent GAIA builds.

Both the embedded GAIA and Cloudguard releases trail the primary GAIA release cycles. Customer has encountered numerous "defects" and issues requiring hotfixes (or waiting for fix to arrive in JHA/jumbo). they are concerned about using a "special" GAIA release (embedded or cloudguard) that is not updated frequently and does not have obvious any way to apply hotfixes, etc.

Re: Cloudguard EDGE vs IaaS on Cisco ENCS platform for SD-WAN firewall security

PhoneBoy — Wed, 09 Sep 2020 19:40:29 GMT

The logic behind using our SMB code for VNF is that it operates in a reduced memory/CPU footprint, which is appropriate in some SD-WAN devices.
In general, while the version is nominally R80.20, features from later releases are sometimes backported into the current SMB release.
I wouldn't get hung up on the precise version here, though pointing out missing features is fair.

My understanding on the two issues you bring up are: Layers are supported (when managed with regular Check Point Security Management), and that SNI support should be there.

I presume we will create a version of SMB/VNF based on a newer version of maintrain code (probably in the R81 line), but don't know the precise timeline.