Solved: Re: ESXi vSec aka CouldGuard recommendations for a...

Kaspars_Zibarts · ‎2018-03-05

Just wondering if anyone running gateway and management in ESXi has any recommendations. We are planning to deploy sort of simple remote site with management and gateway (not in hypervisor mode, just plain gw in VM) in ESX. Same ESX will host few servers. What would be the best approach - standalone gw & Mgmt in one VM or create two separate VMs - one for GW and one for Mgmt. No need for cluster. I don't expect too much traffic new connections wise. Throughput could get high-ish but purely for file transfer. Don't need any advanced blades, just firewall as IP filter. Any suggestions for number of cores / RAM? Either in one or split VM case. Never really run vSec gateway in production especially standalone solution so need someone with practical experience. Deploying as R80.10.

Duane_Hartman · ‎2018-03-05

Kaspars,

we are on our 3rd VSEC for VMWare installation. Our smallest install runs with 4 other VM’s and the largest has 9. In all cases we utilize standalone installations. I would make the following recommendations based on your environment:

1 - vCore (if 2 GHz or above - otherwise 2 vCores)

16 Gigabytes of RAM

Min. 250 GB for like Log Partition

75 GB for System Partition

100 GB for backup and update Partition

Hope this is useful.

View solution in original post

Vladimir · ‎2018-03-05

Kaspars,

I only run the management in VM in production, but am running both: management and a gateway in the lab environment.

Strongly suggest not to have it as all in one, if it is possible and another good idea is to configure a boot loader delay parameters to allow for invocation of repair functions.

Somewhere on CheckMates it was mentioned before, that in case of corruption of the filesystem, vSECs were not properly configured by default for user input.

Kaspars_Zibarts · ‎2018-03-05

Thanks Vladimir! We do the same - MDS/MLM environment is all in VM. This new project is on the smaller scale. Wondering if https://community.checkpoint.com/people/dhart87070b18-7c75-33a5-b483-3fdda90dcf92‌ has anything to say - you had a standalone setup?

Vladimir · ‎2018-03-05

At the risk of being run out of town: if all you need is a simple IP filter, why not use PFsense?

Kaspars_Zibarts · ‎2018-03-05

It's a long story. Can't disclose details. Plus checkpoint has nice logs haha..

Duane_Hartman · ‎2018-03-05

Kaspars,

we are on our 3rd VSEC for VMWare installation. Our smallest install runs with 4 other VM’s and the largest has 9. In all cases we utilize standalone installations. I would make the following recommendations based on your environment:

1 - vCore (if 2 GHz or above - otherwise 2 vCores)

16 Gigabytes of RAM

Min. 250 GB for like Log Partition

75 GB for System Partition

100 GB for backup and update Partition

Hope this is useful.

Kaspars_Zibarts · ‎2018-03-05

Thanks heaps Duane! That's exactly what I need to hear! So you recon for 9 VM solution 2 cores over 2GHz should be enough? Sounds very little but I have zero experience..

Is there single Mgmt+gw vSec license too or you get them separately? Probably our SE question but you may know

Duane_Hartman · ‎2018-03-06

You are welcome! To be clear, the 2 vCore solution is just dedicated to the VSec server when using FW, AB, AV and IPS blades. The ESXi hosts that we utilize with a VSec FW and other VM’s have a min. of 20 vCores.

Licensing can be done for a stand-alone GW/Mgmt installation, but only with purchasing one or more core licenses of VSec.

Cheers,

Duane Hartman

Kaspars_Zibarts · ‎2018-03-06

Great! Thanks again - then we'll start small and grow if needed!

Pablo_Barriga · ‎2018-03-06

Hello Duane how was the performance with a single vcpu?, I wanted to used for small implementations.

Duane_Hartman · ‎2018-03-06

For a small deployment just running the firewall and Mobile Access (endpoint connect only) modules, it is was not bad. However, as a qualifier, I only ran it for a week with 14 users. More curiosity than anything else.

Cheers,

Duane Hartman

PhoneBoy · ‎2018-03-06

Worth noting that while a single core does work, I believe we only officially support 2 or more cores in a CloudGuard IaaS instance.

Kaspars_Zibarts · ‎2018-03-06

Dameon, do you happen to know if there are a "dimension" guidelines for standalone solution case (in ESX). Any official recommendations regarding number of cores based on connections/VMs/Throughput or something like that?

PhoneBoy · ‎2018-03-07

Most of the sizing I've seen has been for an externally managed gateway/VM, not a standalone (gateway + management on same VM).

We do have some numbers that can be shared privately through your Check Point SE.

Pablo_Barriga · ‎2018-03-07

I'm looking for this table with R80.10

PhoneBoy · ‎2018-03-07

The numbers should be similar for R80.10.

Kaspars_Zibarts · ‎2018-03-07

Bingo! That's what I wanted to see, thanks heaps

vaibhav_Parleka · ‎2018-05-31

Would be great if the table also included the information with 8 vCPU as well. currently only provides information on 2,4 & 6 vCPU options.

Vaibhav

Duane_Hartman · ‎2018-06-08

Kaspars,

I now have 4 standalone VSec installations running at different customers. In each case I am running Firewall + Anti-Virus + Anti-Bot + IPS. I have found the following configuration works well:

2 - vCore (avg. CPU being 2.8Ghz)

30 Gigabytes of RAM

Min. 400 GB for like Log Partition

150 GB for System Partition

150 GB for backup and update Partition

Additional Note: I use dedicated Gigabit NIC's for each FW Interface.

Kaspars_Zibarts · ‎2018-06-08

Thanks for the update!

Maarten_Sjouw · ‎2018-06-18

Do keep in mind that when you use the CP supplied OVF to deploy a VE gateway (with or without (Mgmt) with R77.30 the disk is 10GB and with R80.10 it is 50GB. So when you need to store a longer period of log's either you will have to enlarge the volume or add another volume and link it to the log dir.

Regards, Maarten

Are you a member of CheckMates?

ESXi vSec aka CouldGuard recommendations for a small site