Hi Vladimir,

Thanks for the link, in fact it is something that I looked at last night and I'm considering it.

It will also be the least intrusive topology option for the POC.

Only concern is this note #3

Identity Awareness in Bridge Mode supports only the AD Query authentication

I take it that it means Identity Collector isn't supported?

Do you know?

Cheers,

Calvin.

I am not certain. Can someone from Check Point chime in please?

Yep would really like to have Check Point clarify Identity Collector compatibility w/ gateway bridge mode

I don't see any reason why it won't work though.

Jason,

This thought did cross my mind and it's an excellent idea.

Thanks for pointing it out.

Ok so after careful consideration and discussions w/ the client, it would be best to use bridge mode since the POC requires that no routing changes to the current network are to be made at this time.

The only risk in my mind then is that the server identified for the POC does not have bypass NICs in case of hardware failure or having to reboot for whatever reason.

Appreciate everyone's input thus far.

Hey Maarten - this is a good approach also, but the client does not want proxy mode.

How has your experience w/ this been in terms of performance, because as I understand it, proxy mode does not benefit from SecureXL.

I have 1 customer running it on a 13500 with around 4000 users and 700Mb of traffic running through it and it is humming just fine. I see it is running around 50/50 FW/PXL and they are not using HTTPS decryption.

I also need to tell you that all Guest network connections run inline, not using the proxy, I do not know the number of users on guest.

Ok good info.

This POC will run as a Hyper-V VM as follows:

Management - 8GB RAM, 4 vCPU, 100GB disk, 1Gbps vNIC

Gateway - 4GB RAM, 4 vCPU, 100GB disk, 1Gbps vNIC

1000 corporate users, no guests

SSL Inspection required

If you can hit it with 8 cores, the all-in-one Eval is supporting 8 cores...

Normally we calculate with a multiplier of 1,6 for ssl inspection.

Can you explain the multiplier?

What value is multiplied by 1.6?

Have you ever looked at the CP Sizing tool? There the outcome for a appliance will be a certain load lets say 60% with the parameters that you have set, which means that with SSL inspection, you need to mylitply the 60% with 1.6 = 96% load on the appliance.

So far this has been pretty accurate.

I have used the sizing tool but always wondered about the SSL. So my configs were always analyzed by the SSL team. But it's good to know about the 1.6 multiplier.