Kaspars_Zibarts
Authority

ESXi vSec aka CloudGuard recommendations for a small site


Just wondering if anyone running gateway and management in ESXi has any recommendations. We are planning to deploy a sort of simple remote site with management and gateway (not in hypervisor mode, just a plain GW in a VM) in ESX. The same ESX will host a few servers. What would be the best approach: standalone GW & Mgmt in one VM, or two separate VMs, one for the GW and one for Mgmt? No need for a cluster. I don't expect too much traffic new-connections-wise. Throughput could get high-ish, but purely for file transfer. Don't need any advanced blades, just the firewall as an IP filter. Any suggestions for number of cores / RAM, either in the single-VM or split-VM case? Never really run a vSec gateway in production, especially a standalone solution, so I need someone with practical experience. Deploying as R80.10.

Accepted Solution
Duane_Hartman
Participant

Kaspars,

we are on our 3rd VSEC for VMWare installation.  Our smallest install runs with 4 other VM’s and the largest has 9. In all cases we utilize standalone installations.  I would make the following recommendations based on your environment:

1 - vCore (if 2 GHz or above - otherwise 2 vCores)

16 Gigabytes of RAM

Min. 250 GB for like Log Partition

75 GB for System Partition 

100 GB for backup and update Partition

Hope this is useful.


20 Replies
Vladimir
Champion

Kaspars,

I only run the management in VM in production, but am running both: management and a gateway in the lab environment.

Strongly suggest not to have it as all in one, if it is possible and another good idea is to configure a boot loader delay parameters to allow for invocation of repair functions.

Somewhere on CheckMates it was mentioned before, that in case of corruption of the filesystem, vSECs were not properly configured by default for user input.

Kaspars_Zibarts
Authority

Thanks Vladimir! We do the same - the MDS/MLM environment is all in VM. This new project is on a smaller scale. Wondering if https://community.checkpoint.com/people/dhart87070b18-7c75-33a5-b483-3fdda90dcf92 has anything to say - you had a standalone setup?

Vladimir
Champion

At the risk of being run out of town: if all you need is a simple IP filter, why not use PFsense?

Kaspars_Zibarts
Authority

It's a long story. Can't disclose details. Plus Check Point has nice logs, haha..

Kaspars_Zibarts
Authority

Thanks heaps Duane! That's exactly what I need to hear! So you reckon for a 9 VM solution 2 cores over 2GHz should be enough? Sounds very little, but I have zero experience..

Is there a single Mgmt+GW vSec license too, or do you get them separately? Probably a question for our SE, but you may know.

Duane_Hartman
Participant

You are welcome! To be clear, the 2 vCore solution is just dedicated to the VSec server when using FW, AB, AV and IPS blades. The ESXi hosts that we utilize with a VSec FW and other VM’s have a min. of 20 vCores.

Licensing can be done for a stand-alone GW/Mgmt installation, but only with purchasing one or more core licenses of VSec.

Cheers,

Duane Hartman

Kaspars_Zibarts
Authority

Great! Thanks again - then we'll start small and grow if needed! 

Pablo_Barriga
Advisor

Hello Duane, how was the performance with a single vCPU? I wanted to use it for small implementations.

Duane_Hartman
Participant

For a small deployment just running the firewall and Mobile Access (Endpoint Connect only) modules, it was not bad. However, as a qualifier, I only ran it for a week with 14 users. More curiosity than anything else.

Cheers,

Duane Hartman

PhoneBoy
Admin

Worth noting that while a single core does work, I believe we only officially support 2 or more cores in a CloudGuard IaaS instance.

Kaspars_Zibarts
Authority

Dameon, do you happen to know if there are any "dimensioning" guidelines for the standalone solution case (in ESX)? Any official recommendations regarding number of cores based on connections/VMs/throughput or something like that?

PhoneBoy
Admin

Most of the sizing I've seen has been for an externally managed gateway/VM, not a standalone (gateway + management on same VM).

We do have some numbers that can be shared privately through your Check Point SE. 

Pablo_Barriga
Advisor

I'm looking for this table with R80.10

PhoneBoy
Admin

The numbers should be similar for R80.10.

Kaspars_Zibarts
Authority

Bingo! That's what I wanted to see, thanks heaps

vaibhav_Parleka
Participant

Would be great if the table also included the information for 8 vCPU as well. Currently it only provides information on the 2, 4 & 6 vCPU options.

Vaibhav

Duane_Hartman
Participant

Kaspars,

I now have 4 standalone VSec installations running at different customers.  In each case I am running Firewall + Anti-Virus + Anti-Bot + IPS.  I have found the following configuration works well:

2 - vCore (avg. CPU being 2.8 GHz)

30 Gigabytes of RAM

Min. 400 GB for like Log Partition

150 GB for System Partition

150 GB for backup and update Partition

Additional Note:  I use dedicated Gigabit NIC's for each FW Interface.

Kaspars_Zibarts
Authority

Thanks for the update!

Maarten_Sjouw
Champion

Do keep in mind that when you use the CP-supplied OVF to deploy a VE gateway (with or without Mgmt), with R77.30 the disk is 10GB and with R80.10 it is 50GB. So when you need to store logs for a longer period, you will either have to enlarge the volume or add another volume and link it to the log dir.

Regards, Maarten