phlrnnr
Silver

Do any Checkpoint appliances offer SSL offload?

I understand that Check Point is a software company. But, since they sell their software on their own dedicated appliances, I was wondering if any of the appliances can do HTTPS encryption/decryption offload to a separate card/chip/ASIC so the CoreXL CPUs don't have to handle that burden? I know other vendors that require SSL inspection have these types of ASICs to reduce CPU processing burden. Just wondering if Checkpoint does this on any appliance models or is considering this?

I'd rather have CoreXL working hard at inspecting traffic and let something else worry about the encrypt/decrypt.

6 Replies

Re: Do any Checkpoint appliances offer SSL offload?

This will soon be possible with the Falcon accelerator cards which are in EA right now as mentioned in the thread below by Dorit Dor:

Check Point R80.20 Now GA

If you'd like to join the EA program for this product I'm sure they'd love to hear from you.  🙂

--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com

"IPS Immersion Training" Self-paced Video Class
Now Available at http://www.maxpowerfirewalls.com
Employee

Re: Do any Checkpoint appliances offer SSL offload?

Checkpoint has a partnership with Radware; you can purchase a Radware appliance to do the SSL decryption, and the Checkpoint gateways will focus on the security inspection. This is a link to the white paper.

https://www.checkpoint.com/downloads/product-related/solution-brief/sb-radware-checkpoint.pdf

Re: Do any Checkpoint appliances offer SSL offload?

Second that. With a pair of Radware appliances you can create something called a "clear text sandwich". Radware will do encryption & decryption while the CP GW can do decent inspection in the middle.

Re: Do any Checkpoint appliances offer SSL offload?

Hello, so far I tested that with Symantec SSL Visibility.

https://community.checkpoint.com/message/13951-symantec-visibility-appliance-netronome 

Re: Do any Checkpoint appliances offer SSL offload?

Hi!

I see Check Point has an official partnership with Radware, and this is the reason why there is only one solution brief file that describes Radware Alteon ADC SSL offloading capabilities with CP.

Otherwise, the same thing should work perfectly with other vendors, like Symantec SSL Visibility Appliance or, for me, an even better product, F5 with hardware SSL offloader.

As a next step, I plan to test deployment of the so-called "Burrito Design" configuration for an F5 SSL offloader with a Check Point appliance in L2 mode with NGTP.

Hope it will work; by design it should.

BR

Vato

Vladimir
Pearl

Re: Do any Checkpoint appliances offer SSL offload?

@Vato_Chantladze, please let us know your findings. I am interested in how it works out and what the final design looked like.

Regards,

Vladimir
