Jerry
Mentor

Hardware Upgrade (Replacement)

hi folks, quick one

 

got an enquiry from the customer, did the CPSizeme (72h span) and got the results, but the customer insists on a 2nd opinion, hence my post here. What would you upgrade to hardware-wise if you had the following dilemmas? Please let me know should you have any meaningful comment or recommendation in mind. I believe that the last column represents the recommended path but just wanted to ask what you think about that, or maybe I should suggest something different? Please exclude vSEC, AWS, CloudSec etc. This is purely APPLIANCE HA to APPLIANCE HA path, no more no less.

| HW model | No. of Cores | No. of Tunnels | No. of Peak Conns. | CPU User Time | CPU System Time | CPU Idle Time | each CPU CORE at peak times | BH Comments | Recommended HW replacement |
|---|---|---|---|---|---|---|---|---|---|
| | | | | average since 7 days in % | | | | | by cpsizeme script and SE's from IL |
| 6700 | 12 | 64 | 106k | 33.70% | 20.10% | 48.10% | 97/95/93/92/85/90/94/93/98/94/76/91 | very busy firewall, recommended HW replacement for more powerful device | 16200 MAX (48 vCORE) |
| 5800 | 8 | 104 | 168k | 3.63% | 44.60% | 51.80% | 50/93/94/96/43/93/93/93 | large number of conc.conn and IPSec Tunnels, recommended HW replacement | 6900 MAX (16 vCORE) |
Jerry
0 Kudos
20 Replies
_Val_
Admin

CPSizeME actually provides you the amount of growth with the new system, in percentages. Do you have these numbers as well?

0 Kudos
Jerry
Mentor

no, hence my question Val

Jerry
_Val_
Admin

 PM me your SE name, and I will check offline. There should be multiple options in the report. 

PM means personal message, just in case 🙂

0 Kudos
Chris_Atkinson
Employee

Are there other factors / requirements to be considered here? e.g.

- Expected life span v traffic growth

- Enabled blades now v future

- Interface density

- Internal redundancy 

- Others?

CCSM R77/R80/ELITE
0 Kudos
Jerry
Mentor

Thanks Chris, here are the answers:

1. 5y life span, not much traffic growth

2. same blades, same stuff just more performance req.

3. 1 lacp with round 50 subs (vlans)

4. HA is in place so looking for HA - like for like

5. no other considerations just like for like upgrade with new appliance in mind

Jerry
0 Kudos
the_rock
Legend

By the way, I can tell you we recommend 6000 appliance series to every CP customer and they all love it. Can't go wrong man, they are super solid.

Chris_Atkinson
Employee

Lastly for context, the current software version is R81.10?

Also how long has the 6700 been in service?

CCSM R77/R80/ELITE
0 Kudos
Jerry
Mentor

yes Chris, it is now R80.10 but obviously when MDS/MLM's run R80.20 the HA GWs will get R80.20 as well. Clear and obvious 🙂

Jerry
0 Kudos
the_rock
Legend

I would install R81.20 on mgmt any time, super solid! As far as gateway, I would do the same, but better to wait until CP officially recommends it. PS guy told me latest September, but let's see : - )

Jerry
Mentor

Andy, please ... we know all this, OS is out of the question here, I know .20 "rocks" but my original Q was purely about the HW upgrade from 5800 HA and 6700 HA whilst 6700 is super busy cluster with 64 tunnels and loads of subs whilst 5800 is EOSale still not EOL but old. My customer is just asking for 2nd opinion which may or may not differ from the CPsizeME (if you wish I can share the CPsizeME reports but not sure this is a good idea to share them publicly here). I run the new one and they are supposed to be finished tomorrow 3pm UK time 🙂 The previous ones show the report but I was provided only the above table, hence my query to you all folks to cross check that this would be a good idea to spare 6700s with 16200 MAX and 5800s with 6600-6900s MAX.

 

Cheers!

Jerry
the_rock
Legend

Ok, that's fair, I'm just "throwing" it out there : - ). As I said as far as hardware, I would always go with 6000 series, based on all the previous experiences.

the_rock
Legend

Btw, not to brag now, but if you need to test anything as far as R81.20, message me offline, you got my info : - ). I think lab is decent if dude from R&D says so, just saying ; - )

Chris_Atkinson
Employee

A hybrid / phased approach might apply depending on customer's appetite & budget...

Upgrade the 6700 to preferred choice of gateway and repurpose the 6700 to replace the 5800 as it is the successor model.

Then revisit the latter on a needs basis in future.

 

Granted only going on the limited info available here, commercials & timing can also be a key factor for many customers.

 

CCSM R77/R80/ELITE
the_rock
Legend

Honestly mate, I can tell you, as this certainly is not any sort of secret... literally EVERY fw vendor will tell you to size up when buying an appliance, but I get it, not 'cause they want to make more money (that's their business), but if you think about it, yes, customer will pay more, BUT, they will be happy they did, since appliance will last them way longer, rather than if they cheap out and have to get new one 3 years later.

Andy

Bob_Zimmerman
Authority

Skip the 16200 units. The QLS250 is a maxed-out 16200 plus a specialized 100g network card, and it's less than 1/3 the price. It's also cheaper than the 6900 by a pretty wide margin right now, though it's 2U and consumes more power.

I think Check Point's branded hardware is deeply amateurish and would never buy it myself nor recommend anybody else buy it except at the very low end. Even I have to admit you can't beat the QLS250 for the money.

(1)
Jerry
Mentor

so what's instead considering that 6700s can barely cope just now?

Jerry
0 Kudos
Bob_Zimmerman
Authority

Like I said, the QLS250 is more powerful than either of the recommended models in the table, and it's a lot cheaper than either of them. Hit https://catalog.checkpoint.com/ > Quantum > Security Gateway, and compare the specs and price of the QLS250 to the specs and price of the 16200 or 6900. It's even cheaper than the 6700 right now.

If you're stuck with branded boxes, you should buy the QLS250.

the_rock
Legend

It comes with 128 GB of RAM and 32 M concurrent connections for 51K? Dang, that's really good!!

Andy

Bob_Zimmerman
Authority

So that gets a little weird. In one spot, the catalog says it comes with 128 GB of RAM. In another spot, it says it comes with 192 GB of RAM. It's either the same as the 16200 Plus with an added-cost RAM upgrade, or it comes with more than the 16200 officially supports at all.

It also says it comes with two 4x10g cards, LOM, both drives, and both power supplies. All are added-cost options for the 16200, and I think all are included with the 16200 Plus.

Finally, the QLS250's SSDs are 960 GB, while the 16200 and 6900 have 480 GB SSDs. This doesn't matter quite as much, since firewalls generally don't need a lot of drive space. Still, it's nice to have more headroom for snapshots.

the_rock
Legend

Thank you so much for mentioning these appliances, I honestly never even heard of them before. For the price, though it's double what some 6000 models cost, but what you get, seems so worth the money, no question.

Appreciated!!
