Participant

Application Control POC

Greetings Esteemed Members.

I am in the planning stages of a POC for inserting Open Server R80.10 gateway with R80.20 management virtual machines into a customer network.

The objective is to replace their current URL filtering solution with Check Point's SSL Inspection, Application Control and URL blades in the initial phase.

The customer's perimeter firewall is a Cisco ASA cluster and currently terminates VPN tunnels.

I was wondering whether the gateway can be inserted into the routing path using a single interface only, meaning that their layer 3 switch uses it as its default gateway and the Check Point's default gateway will be the ASA cluster, or whether I need to physically place it between the internal network and the ASA cluster.

HTTP Proxy is not an option.

Thanks in advance for your support.

15 Replies
Champion

Look for "Deploying a Security Gateway or a ClusterXL in Bridge Mode" in Installation and Upgrade Guide R80.20 and check limitations and notes before doing it.

From the table, it looks like you can achieve most of what you want with a single gateway in a bridge mode.

Participant

Hi Vladimir,

Thanks for the link, in fact it is something that I looked at last night and I'm considering it.

It will also be the least intrusive topology option for the POC.

My only concern is this note #3:

Identity Awareness in Bridge Mode supports only the AD Query authentication

I take it that it means Identity Collector isn't supported?

Do you know?

Cheers,

Calvin.

Champion

I am not certain. Can someone from Check Point chime in please?

Participant

Yep, I would really like to have Check Point clarify Identity Collector compatibility with gateway bridge mode.

I don't see any reason why it won't work though.

Collaborator

Could another solution be to employ two VLANs on your single interface? You should be able to route through with that configuration...

Participant

Jason,

This thought did cross my mind and it's an excellent idea.

Thanks for pointing it out.

Participant

Ok so after careful consideration and discussions w/ the client, it would be best to use bridge mode since the POC requires that no routing changes to the current network are to be made at this time.

The only risk in my mind then is that the server identified for the POC does not have bypass NICs in case of hardware failure or having to reboot for whatever reason.

Appreciate everyone's input thus far.

Champion

You could also use proxy mode; then you don't need to be inline, and the working is about the same for the actual policy.

Regarding the policy itself, I have created a mgmt_cli script to create a shared APCL/URLF policy, which you can use ordered or as an inline internet filter.

Regards, Maarten
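As an added illustration of the approach Maarten describes above (this is not his script, nor code from Check Point), the following sh script uses the R80.x Management API through mgmt_cli to create a shared Application Control / URL Filtering layer, add a category block rule plus an explicit allow-and-log cleanup rule, and reference the layer inline from the Network layer of the Standard package. The layer name "Internet-Filter-APCL-URLF", the category names "Gambling" and "Anonymizer", and the "internal-net" object are assumptions to be adjusted to your own Application Database and object base. By default it only prints the planned calls (DRY_RUN=1); set DRY_RUN=0 and run it in expert mode on the management server to apply.

```shell
#!/bin/sh
# Added example, not the script mentioned in the thread and not Check Point's code.
# Builds a shared APCL/URLF access layer with mgmt_cli and publishes it.
# Assumed names: LAYER_NAME, the URL categories in add_block_rule, and the
# "internal-net" object in add_inline_rule. Adjust them to your environment.
set -eu

LAYER_NAME="${LAYER_NAME:-Internet-Filter-APCL-URLF}"   # assumed layer name
SESSION_FILE="${SESSION_FILE:-id.txt}"                  # mgmt_cli session-id file
DRY_RUN="${DRY_RUN:-1}"                                 # 1 = only print the plan

# Wrapper around mgmt_cli: print the call in dry-run mode, otherwise run it
# against the session stored in SESSION_FILE.
mgmt() {
  if [ "$DRY_RUN" = "1" ]; then
    printf 'mgmt_cli -s %s %s\n' "$SESSION_FILE" "$*"
  else
    mgmt_cli -s "$SESSION_FILE" "$@"
  fi
}

# Log in locally on the management server (-r true uses the expert-mode
# credentials, so no admin password is embedded in the script).
login() {
  if [ "$DRY_RUN" = "1" ]; then
    printf 'mgmt_cli login -r true > %s\n' "$SESSION_FILE"
  else
    mgmt_cli login -r true > "$SESSION_FILE"
  fi
}

# Shared layer with only the Application Control / URL Filtering blade and no
# auto-generated cleanup rule; an explicit cleanup rule is added below instead.
create_layer() {
  mgmt add access-layer name "$LAYER_NAME" \
    applications-and-url-filtering true firewall false \
    shared true add-default-rule false
}

# Block a few URL categories for everyone and log the hits
# (category names are assumed examples from the Application Database).
add_block_rule() {
  mgmt add access-rule layer "$LAYER_NAME" position top \
    name "Block high-risk categories" \
    service.1 "Gambling" service.2 "Anonymizer" \
    action Drop track.type Log
}

# Explicit cleanup: allow the remaining web traffic but keep logging, so the
# POC produces Application Control / URL Filtering reports.
add_cleanup_rule() {
  mgmt add access-rule layer "$LAYER_NAME" position bottom \
    name "Allow remaining web traffic" \
    action Accept track.type Log
}

# Use the layer inline from the Network layer of the Standard package, scoped
# to traffic sourced from the assumed "internal-net" object. Skip this step
# if you prefer to add the layer to the package as an ordered layer instead.
add_inline_rule() {
  mgmt add access-rule layer Network position bottom \
    name "Internet filter" \
    source "internal-net" destination "Any" service "Any" \
    action "Apply Layer" inline-layer "$LAYER_NAME" track.type None
}

# Full sequence: login, build the layer and rules, publish, log out.
build_internet_filter() {
  login
  create_layer
  add_block_rule
  add_cleanup_rule
  add_inline_rule
  mgmt publish
  mgmt logout
}

build_internet_filter
```

The dry-run output is the review artifact: check the category names and the scoping object against SmartConsole before applying, and install policy afterwards. Splitting the work into one function per rule keeps the block and cleanup rules separately reviewable, which matters when the same shared layer is later reused in a second package.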
Participant

Hey Maarten - this is a good approach also, but the client does not want proxy mode.

How has your experience with this been in terms of performance? As I understand it, proxy mode does not benefit from SecureXL.

Champion

I have 1 customer running it on a 13500 with around 4000 users and 700Mb of traffic running through it and it is humming just fine. I see it is running around 50/50 FW/PXL and they are not using HTTPS decryption.

I also need to tell you that all Guest network connections run inline, not using the proxy, I do not know the number of users on guest.

Regards, Maarten
Participant

Ok good info.

This POC will run as a Hyper-V VM as follows:

Management - 8GB RAM, 4 vCPU, 100GB disk, 1Gbps vNIC

Gateway - 4GB RAM, 4 vCPU, 100GB disk, 1Gbps vNIC

1000 corporate users, no guests

SSL Inspection required

Champion

If you can hit it with 8 cores, the all-in-one eval supports 8 cores...

Normally we calculate with a multiplier of 1.6 for SSL inspection.

Regards, Maarten
Participant

Can you explain the multiplier?

What value is multiplied by 1.6?

Champion

Have you ever looked at the CP Sizing tool? There the outcome for an appliance will be a certain load, let's say 60%, with the parameters that you have set, which means that with SSL inspection you need to multiply the 60% by 1.6 = 96% load on the appliance.

So far this has been pretty accurate.

Regards, Maarten
Participant

I have used the sizing tool but always wondered about the SSL. So my configs were always analyzed by the SSL team. But it's good to know about the 1.6 multiplier.
