phlrnnr
Advisor

Do any Check Point appliances offer SSL offload?

I understand that Check Point is a software company. But, since they sell their software on their own dedicated appliances, I was wondering if any of the appliances can do HTTPS encryption/decryption offload to a separate card/chip/ASIC so the CoreXL CPUs don't have to handle that burden? I know other vendors that require SSL inspection have these types of ASICs to reduce CPU processing burden. Just wondering if Check Point does this on any appliance models or is considering this?

I'd rather have CoreXL working hard at inspecting traffic and let something else worry about the encrypt/decrypt.

6 Replies
Timothy_Hall
Champion

This will soon be possible with the Falcon accelerator cards, which are in EA right now, as mentioned in the thread below by Dorit Dor:

Check Point R80.20 Now GA

If you'd like to join the EA program for this product I'm sure they'd love to hear from you.  🙂

--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com

"Max Capture: Know Your Packets" Video Series
now available at http://www.maxpowerfirewalls.com
Sarah_Elie1
Employee Alumnus

Check Point has a partnership with Radware; you can purchase a Radware appliance to do the SSL decryption, and the Check Point gateways will focus on the security inspection. This is a link to the white paper.

https://www.checkpoint.com/downloads/product-related/solution-brief/sb-radware-checkpoint.pdf

_Val_
Admin

Second that. With a pair of Radware appliances you can create something called a "clear text sandwich". Radware will do encryption & decryption while the CP GW can do decent inspection in the middle.

Pablo_Barriga
Advisor

Hello, so far I tested that with Symantec SSL Visibility.

https://community.checkpoint.com/message/13951-symantec-visibility-appliance-netronome 

Vato_Chantladze
Contributor

Hi!

I see Check Point has an official partnership with Radware, and this is the reason why there is only one solution brief file that describes Radware Alteon ADC SSL offloading capabilities with CP.

Otherwise, the same thing should work perfectly with other vendors, like Symantec SSL Visibility Appliance or, for me an even better product, F5 with a hardware SSL offloader.

As a next step, I plan to test deployment of the so-called "Burrito Design" configuration for an F5 SSL offloader with a Check Point appliance in L2 mode with NGTP.

Hope it will work; by design it should.

BR

Vato

Vladimir
Champion

@Vato_Chantladze, please let us know your findings. I am interested in how it works out and what the final design looked like.

Regards,

Vladimir
