
ESXi vSec aka CloudGuard recommendations for a small site

Just wondering if anyone running gateway and management in ESXi has any recommendations. We are planning to deploy a sort of simple remote site with management and gateway (not in hypervisor mode, just a plain GW in a VM) in ESX. The same ESX will host a few servers. What would be the best approach: standalone GW & Mgmt in one VM, or two separate VMs, one for GW and one for Mgmt? No need for a cluster. I don't expect too much traffic, new connections wise. Throughput could get high-ish, but purely for file transfer. Don't need any advanced blades, just firewall as IP filter. Any suggestions for number of cores / RAM? Either in the one-VM or split-VM case. Never really run a vSec gateway in production, especially a standalone solution, so need someone with practical experience. Deploying as R80.10.

Accepted Solution

Re: ESXi vSec aka CloudGuard recommendations for a small site

Kaspars,

We are on our 3rd vSEC for VMware installation. Our smallest install runs with 4 other VMs and the largest has 9. In all cases we utilize standalone installations. I would make the following recommendations based on your environment:

1 vCore (if 2 GHz or above, otherwise 2 vCores)

16 Gigabytes of RAM

Min. 250 GB for the log partition

75 GB for the system partition

100 GB for the backup and update partition

Hope this is useful.

Vladimir

Re: ESXi vSec aka CloudGuard recommendations for a small site

Kaspars,

I only run the management in a VM in production, but am running both management and a gateway in the lab environment.

I strongly suggest not having it all in one, if possible; another good idea is to configure the boot loader delay parameters to allow for invocation of the repair functions.

Somewhere on CheckMates it was mentioned before that, in case of corruption of the filesystem, vSECs were not properly configured by default for user input.

Re: ESXi vSec aka CloudGuard recommendations for a small site

Thanks Vladimir! We do the same: the MDS/MLM environment is all in VMs. This new project is on a smaller scale. Wondering if https://community.checkpoint.com/people/dhart87070b18-7c75-33a5-b483-3fdda90dcf92 has anything to say; you had a standalone setup?

Vladimir

Re: ESXi vSec aka CloudGuard recommendations for a small site

At the risk of being run out of town: if all you need is a simple IP filter, why not use pfSense?

Re: ESXi vSec aka CloudGuard recommendations for a small site

It's a long story. Can't disclose details. Plus Check Point has nice logs haha.


Re: ESXi vSec aka CloudGuard recommendations for a small site

Thanks heaps Duane! That's exactly what I need to hear! So you reckon for a 9 VM solution 2 cores over 2 GHz should be enough? Sounds very little, but I have zero experience. :)

Is there a single Mgmt+GW vSec license too, or do you get them separately? Probably a question for our SE, but you may know.

Re: ESXi vSec aka CloudGuard recommendations for a small site

You are welcome! To be clear, the 2 vCore solution is just dedicated to the vSEC server when using the FW, AB, AV and IPS blades. The ESXi hosts that we utilize with a vSEC FW and other VMs have a min. of 20 vCores.

Licensing can be done for a stand-alone GW/Mgmt installation, but only with purchasing one or more core licenses of VSec.

Cheers,

Duane Hartman

Re: ESXi vSec aka CloudGuard recommendations for a small site

Great! Thanks again. Then we'll start small and grow if needed!

Re: ESXi vSec aka CloudGuard recommendations for a small site

Hello Duane, how was the performance with a single vCPU? I wanted to use it for small implementations.

Re: ESXi vSec aka CloudGuard recommendations for a small site

For a small deployment just running the Firewall and Mobile Access (Endpoint Connect only) modules, it was not bad. However, as a qualifier, I only ran it for a week with 14 users. More curiosity than anything else.

Cheers,

Duane Hartman

Admin

Re: ESXi vSec aka CloudGuard recommendations for a small site

Worth noting that while a single core does work, I believe we only officially support 2 or more cores in a CloudGuard IaaS instance.

Re: ESXi vSec aka CloudGuard recommendations for a small site

Dameon, do you happen to know if there are any "dimensioning" guidelines for the standalone solution case (in ESX)? Any official recommendations regarding the number of cores based on connections/VMs/throughput or something like that?

Admin

Re: ESXi vSec aka CloudGuard recommendations for a small site

Most of the sizing I've seen has been for an externally managed gateway/VM, not a standalone (gateway + management on same VM).

We do have some numbers that can be shared privately through your Check Point SE.

Re: ESXi vSec aka CloudGuard recommendations for a small site

I'm looking for this table for R80.10.

Admin

Re: ESXi vSec aka CloudGuard recommendations for a small site

The numbers should be similar for R80.10.

Re: ESXi vSec aka CloudGuard recommendations for a small site

Bingo! That's what I wanted to see, thanks heaps.

Re: ESXi vSec aka CloudGuard recommendations for a small site

Would be great if the table also included the information for 8 vCPU; currently it only provides information on the 2, 4 & 6 vCPU options.

Vaibhav

Re: ESXi vSec aka CloudGuard recommendations for a small site

Kaspars,

I now have 4 standalone vSEC installations running at different customers. In each case I am running Firewall + Anti-Virus + Anti-Bot + IPS. I have found the following configuration works well:

2 vCores (avg. CPU being 2.8 GHz)

30 Gigabytes of RAM

Min. 400 GB for the log partition

150 GB for the system partition

150 GB for the backup and update partition

Additional note: I use dedicated Gigabit NICs for each FW interface.

Re: ESXi vSec aka CloudGuard recommendations for a small site

Thanks for the update!

Re: ESXi vSec aka CloudGuard recommendations for a small site

Do keep in mind that when you use the CP-supplied OVF to deploy a VE gateway (with or without Mgmt), with R77.30 the disk is 10 GB and with R80.10 it is 50 GB. So when you need to store logs for a longer period, you will either have to enlarge the volume or add another volume and link it to the log directory.

Regards, Maarten
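A quick way to verify a deployed VM against the partition sizes recommended earlier in this thread (250 GB log, 75 GB system, 100 GB backup/update for the FW-only standalone case), added here as an example that is not from the thread or from Check Point: it parses `df -P -k` style output and flags every partition below the minimum, which is exactly what happens when the stock OVF disk Maarten mentions is left at its default size. The `df` sample is constructed and the mount points are assumptions to adjust to the actual VM's layout.

```python
"""Check a vSEC/CloudGuard VM's partitions against the sizing posted in this thread."""

GB = 1024 ** 3

# Minimums from the accepted answer (FW-only standalone). The mount points are
# assumed for this example; map them to the real partition layout of the VM.
RECOMMENDED_MIN_GB = {
    "/var/log": 250,   # log partition
    "/": 75,           # system partition
    "/backup": 100,    # backup and update partition (assumed mount point)
}

# Constructed `df -P -k` output (1K blocks), not captured from a real gateway:
# a VM deployed from the stock OVF whose disk was never enlarged, so the
# log volume is tiny and no separate backup volume exists at all.
SAMPLE_DF = """\
Filesystem          1024-blocks     Used Available Capacity Mounted on
/dev/mapper/vg-root    20971520  9871520  11100000      47% /
/dev/mapper/vg-log     15728640  2048000  13680640      13% /var/log
/dev/sda1                307016   130000    161000      45% /boot
"""


def parse_df(text):
    """Return {mount_point: size_in_bytes} from `df -P -k` output."""
    sizes = {}
    for line in text.splitlines()[1:]:        # skip the header line
        parts = line.split()
        if len(parts) < 6:
            continue
        blocks, mount = int(parts[1]), parts[5]
        sizes[mount] = blocks * 1024
    return sizes


def check_sizing(sizes, minimums=RECOMMENDED_MIN_GB):
    """Return (mount, actual_gb, required_gb) for each partition that is
    missing or smaller than the recommended minimum; empty list means OK."""
    findings = []
    for mount, required in minimums.items():
        actual_gb = sizes.get(mount, 0) / GB   # missing mount counts as 0 GB
        if actual_gb < required:
            findings.append((mount, round(actual_gb, 1), required))
    return findings


if __name__ == "__main__":
    for mount, actual, required in check_sizing(parse_df(SAMPLE_DF)):
        print(f"{mount}: {actual} GB present, {required} GB recommended")
```

Run the check with `df -P -k` output from the gateway in place of the constructed sample; an empty result means every partition meets the thread's minimums.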