ESXi vSec aka CloudGuard recommendations for a small site
Just wondering if anyone running gateway and management in ESXi has any recommendations. We are planning to deploy a sort of simple remote site with management and gateway (not in hypervisor mode, just a plain GW in a VM) in ESX. The same ESX will host a few servers. What would be the best approach: standalone GW & Mgmt in one VM, or two separate VMs, one for the GW and one for Mgmt? No need for a cluster. I don't expect too much traffic new-connections-wise. Throughput could get high-ish, but purely for file transfer. Don't need any advanced blades, just the firewall as an IP filter. Any suggestions for number of cores / RAM, either in the one-VM or the split-VM case? I've never really run a vSEC gateway in production, especially a standalone solution, so I need someone with practical experience. Deploying as R80.10.
Accepted Solutions
Kaspars,
we are on our 3rd VSEC for VMware installation. Our smallest install runs with 4 other VMs and the largest has 9. In all cases we utilize standalone installations. I would make the following recommendations based on your environment:
1 vCore (if 2 GHz or above; otherwise 2 vCores)
16 Gigabytes of RAM
Min. 250 GB for the Log Partition
75 GB for the System Partition
100 GB for the Backup and Update Partition
Hope this is useful.
Kaspars,
I only run the management in a VM in production, but am running both management and a gateway in the lab environment.
I strongly suggest not having it as all-in-one, if possible, and another good idea is to configure the boot loader delay parameters to allow for invocation of the repair functions.
Somewhere on CheckMates it was mentioned before that, in case of corruption of the filesystem, vSECs were not properly configured by default for user input.
Thanks Vladimir! We do the same: the MDS/MLM environment is all in VMs. This new project is on a smaller scale. Wondering if https://community.checkpoint.com/people/dhart87070b18-7c75-33a5-b483-3fdda90dcf92 has anything to say; you had a standalone setup?
At the risk of being run out of town: if all you need is a simple IP filter, why not use pfSense?
It's a long story. Can't disclose details. Plus Check Point has nice logs, haha.
Thanks heaps Duane! That's exactly what I need to hear! So you reckon for a 9-VM solution 2 cores over 2 GHz should be enough? Sounds very little, but I have zero experience.
Is there a single Mgmt+GW vSEC license too, or do you get them separately? Probably a question for our SE, but you may know.
You are welcome! To be clear, the 2-vCore solution is just dedicated to the VSec server when using the FW, AB, AV and IPS blades. The ESXi hosts that we utilize with a VSec FW and other VMs have a min. of 20 vCores.
Licensing can be done for a stand-alone GW/Mgmt installation, but only by purchasing one or more core licenses of VSec.
Cheers,
Duane Hartman
Great! Thanks again - then we'll start small and grow if needed!
Hello Duane, how was the performance with a single vCPU? I wanted to use it for small implementations.
For a small deployment just running the firewall and Mobile Access (Endpoint Connect only) modules, it was not bad. However, as a qualifier, I only ran it for a week with 14 users. More curiosity than anything else.
Cheers,
Duane Hartman
Worth noting that while a single core does work, I believe we only officially support 2 or more cores in a CloudGuard IaaS instance.
Dameon, do you happen to know if there are any "dimensioning" guidelines for the standalone solution case (in ESX)? Any official recommendations regarding number of cores based on connections/VMs/throughput or something like that?
Most of the sizing I've seen has been for an externally managed gateway/VM, not a standalone (gateway + management on same VM).
We do have some numbers that can be shared privately through your Check Point SE.
I'm looking for this table for R80.10.
The numbers should be similar for R80.10.
Bingo! That's what I wanted to see, thanks heaps.
Would be great if the table also included the information for 8 vCPUs as well. Currently it only provides information on the 2, 4 & 6 vCPU options.
Vaibhav
Kaspars,
I now have 4 standalone VSec installations running at different customers. In each case I am running Firewall + Anti-Virus + Anti-Bot + IPS. I have found the following configuration works well:
2 vCores (avg. CPU being 2.8 GHz)
30 Gigabytes of RAM
Min. 400 GB for the Log Partition
150 GB for the System Partition
150 GB for the Backup and Update Partition
Additional Note: I use dedicated Gigabit NICs for each FW interface.
Thanks for the update!
Do keep in mind that when you use the CP-supplied OVF to deploy a VE gateway (with or without Mgmt), with R77.30 the disk is 10 GB and with R80.10 it is 50 GB. So when you need to store logs for a longer period, you will either have to enlarge the volume or add another volume and link it to the log dir.