Checkpoint Hardware Renew/Upgrade
Hello and Happy new year checkmates,
I'm coming back to you for some discussion and guidance as this year we're looking into refreshing our CheckPoint infrastructure in our DataCenters.
Just to have the clearest picture of our environment, currently we have 3 clusters like below, plus a couple of virtual ones (that are not performing anything else, just IPS and FWL) and 2 x Management:
- Amst - 2 x 15600 with 10Gb uplinks/downlinks
- Dallas - 2 x 15600 with 10Gb uplinks/downlinks
- Sing - 2 x 15500 with 10Gb uplinks/downlinks
As active services on all clusters we have:
- Firewall
- App Control
- URL Filtering
- with HTTP Decryption
- we intend to start doing inbound HTTPS decryption for some DMZ traffic....
- Identity Awareness
- Autonomous Threat Prevention
- w/o Threat Extraction
- w/o Threat Emulation
- w/o Zero Phishing
Now going back to the hardware renewal, I was looking at several models and I was pretty impressed by the QLS models.
Therefore I was looking into getting a cluster of 2 x QLS450 in each DC, as I really liked the Nvidia network cards and the packet acceleration that can be done with them, and at the same time my manager was considering the Maestro Hyperscale way, just in case we would require in future to quickly grow in capacity - still I don't see it as a need currently.
If we consider the current HW capacity and future capacity: on the old HW we have approx. 20Gbps FWL throughput or 2.2Gbps NGTP, compared to the ~154Gbps NGFW that QLS450 supports, so we should have room to grow.
Reading in the last days/weeks on QLS450 Nvidia card traffic and Maestro Hyperscale, I started to have some questions and not only in regard to that.
Like:
- we intend to build port-channels from the QLS450 cards (one port from each, to cover Uplink and Downlink), but the Nvidia acceleration is supported only if the traffic comes in and goes out on the same card - clearly I understand why it should be like that - so the question I have is: how can I set it up and make sure traffic coming in through the Nvidia card A uplink will exit through the Nvidia card A downlink? In some Checkpoint forum comments I've read about Smart PortChannel that should assure that, but nothing clear on whether it's already available or not.
- same question as above in the case of Maestro Hyperscale 😊
- on the code discussion, I understood that R82 does not support some features (I really can't find right now the SK I read about this, but it was related to SecureXL?), so I was thinking to stay on R81.20, but still I'll have to upgrade in under a year since it's becoming EOL in 2026, or can we go to R82 without a problem?
- if we go Maestro Hyperscale, will the nodes be active-active (this is my understanding from the documentation) so the traffic will be shared between them, but will I not be able to implement any virtualization? Moving to QLS450 and having some "processing power" available, I was thinking to implement VSX, so we will have some different firewalls on the cluster (like 2, max 3).
So, does any of you use the QLS series and can provide more details on the Nvidia acceleration? Also, can any of you share thoughts on Maestro Hyperscale and whether it's worth going that path, even if we would not grow that much?
I'll add other comments as the discussion builds.
Thank you and have a nice week,
PS: if anything is unclear on these topics, let me know.
Start with a CPsizeme on all active gateways that support it. After that, load it into the sales tool to see what new appliance could replace it. Run the script on the busiest days of the week! But not too long, 2 - 3 days is OK. A couple of hours.
CPSizeme:
https://support.checkpoint.com/results/sk/sk88160
Sales tool:
https://usercenter.checkpoint.com/ucapps/appliance-sizing-tool
If you like this post please give a thumbs up(kudo)! 🙂
Hello Lesley,
I think we have already passed the HW selection, as we are looking at the QLS450.
If we were to migrate to the recommended 15000 series replacement, we would go with 16200 or higher.
Still, we have to consider future growth as we might have to firewall more traffic in future - like Cloud Connect traffic (Microsoft Azure and similar) - and therefore we are looking for bigger appliances.
Thank you,
Future growth is also calculated in the appliance size tool.
I highly suspect the SE you are going to contact will also ask for CPSizeme. I would recommend performing the cpsizeme to make sure you make the right pick. Potentially you can save some budget. And if you picked an undersized unit, it would be a bummer. Long story short, spend some time on the cpsizeme 😉
For what it's worth, the AI copilot response about it.
Andy
***********************
Certainly! The new Quantum LightSpeed (QLS) appliances are designed to provide hyper-fast network security for data centers and large enterprises. These appliances are built to handle high-performance requirements, such as large file transfers, low latency for high-frequency applications, and dynamic scalability as business needs grow.
Key Features of Quantum LightSpeed Appliances:
- Firewall Performance at Line-Rate: Ensures high-speed data processing without compromising security.
- Ultra-Low Latency: Ideal for applications that require minimal delay.
- Modular Platforms: Support up to 72 virtual CPU cores, providing flexibility and scalability.
- Redundant Storage Devices and AC Power Supplies: Enhance reliability and uptime.
- Wide Variety of Network Interfaces: Ranging from 1 GbE copper and fiber to 100 GbE interfaces.
- Hyperscale-Ready: Capable of providing up to 1 terabit/sec of Threat Prevention Performance.
- Dedicated MLS Models for Maestro Systems: Offer superior performance in a consolidated 1U form-factor with true 100 GbE connectivity.
Nvidia Acceleration:
The Quantum LightSpeed appliances leverage Nvidia acceleration to enhance their performance capabilities. Nvidia's technology provides hardware acceleration for various security functions, significantly boosting the throughput and efficiency of the appliances. This integration allows for:
- Enhanced Threat Prevention: Accelerated processing of security functions such as intrusion prevention, antivirus, and anti-bot.
- Improved Performance: Higher throughput and lower latency for security operations.
- Scalability: Ability to handle increased traffic loads without degradation in performance.
Supported Models:
- QLS250
- QLS450
- QLS650
- QLS800
- MLS200
- MLS400
These models are designed to meet the needs of different enterprise environments, providing a range of performance and connectivity options.
For more detailed information, you can refer to the Check Point LightSpeed Appliances documentation.
Why waste so much electrical power for information readily available in the CP User Center?
Thank you the_rock, still ChatGPT or any other "AI" does not answer my questions.
Please discuss the detailed requirements with your local SE.
Likely the Quantum Force family of appliances are best suited to this need.
The throughput numbers you've quoted for QLS seem not to align with the high-level datasheet figures; moreover, please note the fields are not additive, nor do they consider things such as HTTPS inspection etc.
sk179432: Lightspeed and Quantum Force Software Releases
sk181128: R82 Known Limitations
sk173183: Maestro Comparison Between Versions
sk79700: VSX Supported Features
Hello Chris,
We'll discuss with our SE, still I wanted to see if others are using those appliances and get recommendations.
In regard to the numbers, I got them from an initial specs document; I see that in the newer ones it is no longer there. Still, the numbers would cover our current and future needs.
Thank you,
Noted, but just to clarify further: this is still not the NGFW number but rather FW-only.