
Application Control POC

Greetings Esteemed Members.

I am in the planning stages of a POC for inserting Open Server R80.10 gateway with R80.20 management virtual machines into a customer network.

The objective is to replace their current URL filtering solution with Check Point's SSL Inspection, Application Control and URL blades in the initial phase.

The customer's perimeter firewall is a Cisco ASA cluster and currently terminates VPN tunnels.

I was wondering whether the gateway can be inserted into the routing path using a single interface only, meaning that their layer 3 switch uses it as its default gateway and the Check Point's default gateway will be the ASA cluster, or whether I need to physically place it between the internal network and the ASA cluster.

HTTP Proxy is not an option.

Thanks in advance for your support.

15 Replies
Vladimir
Pearl

Re: Application Control POC

Look for "Deploying a Security Gateway or a ClusterXL in Bridge Mode" in the Installation and Upgrade Guide R80.20 and check the limitations and notes before doing it.

From the table, it looks like you can achieve most of what you want with a single gateway in a bridge mode.


Re: Application Control POC

Hi Vladimir,

Thanks for the link; in fact, it is something that I looked at last night, and I'm considering it.

It will also be the least intrusive topology option for the POC.

My only concern is this note #3:

Identity Awareness in Bridge Mode supports only the AD Query authentication

I take it that it means Identity Collector isn't supported?

Do you know?

Cheers,

Calvin.

Vladimir
Pearl

Re: Application Control POC

I am not certain. Can someone from Check Point chime in please?


Re: Application Control POC

Yep, I would really like to have Check Point clarify Identity Collector compatibility w/ gateway bridge mode.

I don't see any reason why it won't work though.

Jason_Dance
Copper

Re: Application Control POC

Could another solution be to employ two VLANs on your single interface? You should be able to route through with that configuration...

Re: Application Control POC

Jason,

This thought did cross my mind and it's an excellent idea.

Thanks for pointing it out.


Re: Application Control POC

OK, so after careful consideration and discussions w/ the client, it would be best to use bridge mode, since the POC requires that no routing changes be made to the current network at this time.

The only risk in my mind then is that the server identified for the POC does not have bypass NICs in case of hardware failure or having to reboot for whatever reason.

Appreciate everyone's input thus far.


Re: Application Control POC

You could also use proxy mode; then you don't need to be inline, and the workings are about the same for the actual policy.

Regarding the policy itself, I have created a mgmt_cli script to create a shared APCL/URLF policy, which you can use ordered or as an inline internet filter.

Regards, Maarten

Re: Application Control POC

Hey Maarten - this is a good approach also, but the client does not want proxy mode.

How has your experience w/ this been in terms of performance? As I understand it, proxy mode does not benefit from SecureXL.


Re: Application Control POC

I have one customer running it on a 13500 with around 4000 users and 700Mb of traffic running through it, and it is humming along just fine. I see it is running around 50/50 FW/PXL, and they are not using HTTPS decryption.

I also need to tell you that all Guest network connections run inline, not using the proxy, I do not know the number of users on guest.

Regards, Maarten

Re: Application Control POC

OK, good info.

This POC will run as a Hyper-V VM as follows:

Management - 8GB RAM, 4 vCPU, 100GB disk, 1Gbps vNIC

Gateway - 4GB RAM, 4 vCPU, 100GB disk, 1Gbps vNIC

1000 corporate users, no guests

SSL Inspection required


Re: Application Control POC

If you can hit it with 8 cores, the all-in-one eval supports 8 cores...

Normally we calculate with a multiplier of 1.6 for SSL inspection.

Regards, Maarten

Re: Application Control POC

Can you explain the multiplier?

What value is multiplied by 1.6?


Re: Application Control POC

Have you ever looked at the CP Sizing tool? There the outcome for an appliance will be a certain load, let's say 60%, with the parameters that you have set, which means that with SSL inspection you need to multiply the 60% by 1.6 = 96% load on the appliance.

So far this has been pretty accurate.

Regards, Maarten

Re: Application Control POC

I have used the sizing tool but always wondered about the SSL part, so my configs were always analyzed by the SSL team. But it's good to know about the 1.6 multiplier.
