This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Sorin_Gogean
Advisor
Sunday

Checkpoint Hardware Renew/Upgrade

Hello and Happy new year checkmates, 

 

I'm coming back to you for some discussion and guidance as this year we're looking into refreshing our CheckPoint infrastructure in our DataCenters. 

Just to have the clearest picture of our environment, currently we have 3 clusters like below, plus couple of virtual (that are not performing anything else just IPS and FWL) and 2 x Management :

  • Amst - 2 x 15600 with 10Gb uplinks/downlinks
  • Dallas - 2 x 15600 with 10Gb uplinks/downlinks
  • Sing - 2 x 15500 with 10Gb uplinks/downlinks

 

As active services on all clusters we have: 

  • Firewall
  • App Control
  • URL Filtering
    • with HTTP Decryption
    • we intend to start doing inbound HTTPS decryption for some DMZ traffic....
  • Identity Awareness
  • Autonomous Threat Prevention 
    • w/o Threat Extraction
    • w/o Threat Emulation
    • w/o Zero Phishing 

 

Now going back on the hardware renewal, I was looking on several models and I was pretty impressed by the QLS models.

Therefore I was looking into getting a cluster of 2 x QLS450 in each DC, as I really liked the Nvidia Network cards and packet acceleration that can be done with them, and at the same time, my manager was considering the Maestro Hyperscale way. Just if we would require in future to quickly grow in capacity - still I don't see it as a need currently .

If we consider the current HW capacity and future capacity we have on old HW approx. 20Gbps FWL throughput or 2.2Gbps NGTP to what QLS450 supports ~154Gbps NGFW, we should have room to grow .

Reading in the last days/weeks on QLS450 Nvidia card traffic and Maestro Hyperscale, I started to have some questions and not only in regard to that.

Like:

  • we intend to build port-channels from QLS450 cards (one port from each, to cover Uplink and Downlink) but, the Nvidia acceleration is supported only if the traffic comes and goes on the same card - clearly I understand why it should be like that - so therefore the question I have is, how can I set and make sure traffic coming through the Nvidia card A uplink will exit through the Nvidia card A downlink ? in some Checkpoint forum comments I've read about Smart PortChannel that should assure that, but nothing clear if it's already available or not.
  • same question from above in the case of Maestro Hyperscale 😊
  • on the code discussion, I understood that R82 does not support some features (I'm really not finding right now the SK I read about this but it was related to SecureXL ?!?!?!?!) so I was thinking to stay with R81.20 but still I'll have to upgrade in under a year since it's becoming EOL in 2026, or we can go R82 without a problem....
     
  • if we go Maestro Hyperscale, will the nodes be active-active (this is my understanding from documentation) so the traffic will be shared between them, but I will not be able to implement any virtualization, as moving to QLS450, and having some "processing power" available, I was thinking to go and implement VSX, so we will have some different firewalls on the cluster (like 2 max 3)

 

So, does any of you uses QLS series and can provide more details on the Nvidia acceleration? Also can an of you share thoughts on Maestro Hyperscale and if it's worth going that path, even we would not grow that much.

 

I'll add other comments as the discussion builds.

 

Thank you and have a nice week,

PS: if there are unclarities on the topics, let me know.

0 Kudos
9 Replies
Lesley
Mentor Mentor
Mentor
Sunday

Start with a CPsizeme on all active gateways that support it. After that load in in the sales tool to see what new appliance could replace it. Run the script on the most busy days of the week! But not to long, 2 - 3 days is OK. Couple hours 

CPSizeme:

https://support.checkpoint.com/results/sk/sk88160

Sales tool:

https://usercenter.checkpoint.com/ucapps/appliance-sizing-tool

-------
If you like this post please give a thumbs up(kudo)! 🙂
0 Kudos
Sorin_Gogean
Advisor
yesterday
In response to Lesley

Hello Lesley,

 

I think we already pass the HW selection as we look for QLS450. 

If we were to migrate to the 15000 series replacement, that is recommended, we would go with 16200 or higher.

Still we have to consider future growth as we might have to firewall more traffic in future - like Cloud Connect traffic (Microsoft Azure and similar) - and therefore we look for a bigger appliances.

 

Thank you, 

0 Kudos
Lesley
Mentor Mentor
Mentor
yesterday
In response to Sorin_Gogean

Future growth is also calculated in the appliance size tool.

I highly suspect the SE you are going to contact will also ask for CPSizeme. I would recommend to perform the cpsizeme to make sure you make the right pick. Potentially you can save some budget. And if you picked undersized unit would be a bummer. Long story short, spend some time on the cpsimeme 😉 

-------
If you like this post please give a thumbs up(kudo)! 🙂
0 Kudos
the_rock
Legend
Legend
Sunday

For what its worth, AI copilot response about it.

Andy

 

***********************

 

can you please tell me about new QLS appliances and Nvidia acceleration?
03:12 PM

Certainly! The new Quantum LightSpeed (QLS) appliances are designed to provide hyper-fast network security for data centers and large enterprises. These appliances are built to handle high-performance requirements, such as large file transfers, low latency for high-frequency applications, and dynamic scalability as business needs grow.

Key Features of Quantum LightSpeed Appliances:

  • Firewall Performance at Line-Rate: Ensures high-speed data processing without compromising security.
  • Ultra-Low Latency: Ideal for applications that require minimal delay.
  • Modular Platforms: Support up to 72 virtual CPU cores, providing flexibility and scalability.
  • Redundant Storage Devices and AC Power Supplies: Enhance reliability and uptime.
  • Wide Variety of Network Interfaces: Ranging from 1 GbE copper and fiber to 100 GbE interfaces.
  • Hyperscale-Ready: Capable of providing up to 1 terabit/sec of Threat Prevention Performance.
  • Dedicated MLS Models for Maestro Systems: Offer superior performance in a consolidated 1U form-factor with true 100 GbE connectivity.

Nvidia Acceleration:

The Quantum LightSpeed appliances leverage Nvidia acceleration to enhance their performance capabilities. Nvidia's technology provides hardware acceleration for various security functions, significantly boosting the throughput and efficiency of the appliances. This integration allows for:

  • Enhanced Threat Prevention: Accelerated processing of security functions such as intrusion prevention, antivirus, and anti-bot.
  • Improved Performance: Higher throughput and lower latency for security operations.
  • Scalability: Ability to handle increased traffic loads without degradation in performance.

Supported Models:

  • QLS250
  • QLS450
  • QLS650
  • QLS800
  • MLS200
  • MLS400

These models are designed to meet the needs of different enterprise environments, providing a range of performance and connectivity options.

For more detailed information, you can refer to the Check Point LightSpeed Appliances documentation.

Learn more:
  1. sk179432 - Software Releases for Quantum LightSpeed Appliances QLS / MLS and Quantum Force Appliance...
  2. sk162373 - Quantum Maestro supported combinations of mix-and-match appliances
  3. sk176466 - Check Point LightSpeed Appliances
  4. sk96246 - Documentation For Check Point Appliances
0 Kudos
G_W_Albrecht
Legend Legend
Legend
yesterday
In response to the_rock

Why waste so much electrical power for information readily available in CP user center ?

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Sorin_Gogean
Advisor
yesterday
In response to the_rock

Thank you the_rock, still ChatGPT or any other "AI" does not answer my questions. 

0 Kudos
Chris_Atkinson
Employee Employee
Employee
Sunday

Please discuss the detailed requirements with your local SE.

Likely the Quantum Force family of appliances are best suited to this need.

The throughput numbers you've quoted for QLS seem not to align with the high level datasheet figures, moreover please note the fields are not additive nor consider things such as HTTPs inspection etc.

sk179432: Lightspeed and Quantum Force Software Releases 

SmartNIC - Known Limitations 

sk181128: R82 Known Limitations  

sk173183: Maestro Comparison Between Versions 

sk79700 - VSX Supported Features 

 

CCSM R77/R80/ELITE
0 Kudos
Sorin_Gogean
Advisor
yesterday
In response to Chris_Atkinson

Hello Chris, 

We'll discuss with our SE, still I wanted to see if others are using those appliances and get secomandarions.

In regard to the numbers, I got them from an initial specs document, I see that in the newer ones that is no longer there. Still the numbers would cover our current and future needs.

CKP_QLS450.png

Thank you,

0 Kudos
Chris_Atkinson
Employee Employee
Employee
yesterday
In response to Sorin_Gogean

Noted but just to clarify further this is still not the NGFW number rather FW-only.

CCSM R77/R80/ELITE
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events