CheckMates, Products, General Topics
R80.10 Gateway on ESXi
Hi all,
I'm after opinions on running an R80.10 gateway purely for Layer 4 ACLs, IPS and Threat Prevention, and running that gateway on VMware's ESXi hypervisor. I've tried Check Point's hypervisor implementation (VSX) in previous roles and had issues (not sure if the issues I ran into on VSX R77.30 are specifically solved in the R80.10 release, but I'm not keen to go VSX again).
We would probably be hitting 5GB throughput, but these aren't perimeter firewalls: the upper tiers handle DDoS/volumetric/L3,L4 attacks. These R80.10 gateways also won't have any crypto work, since that is being offloaded elsewhere, so it's really just the IPS/AV/AB throughput I need to consider.
Keen to hear any comments!
Nelson,
While I routinely build the gateways and clusters on ESXi, none of them were production bound.
So I am just extrapolating from my previous experience here: so long as it is a dedicated host with hyperthreading disabled, you should be able to do this.
If this gateway is running on a dedicated host, you may have to play with DPIO to get the maximum performance out of it, but keep in mind that it'll prevent you from using snapshots, vMotion, HA and FT.
I am curious to know, if you are offloading the HTTPS and SMTP TLS decrypts to an external device, do you then pipe it in the clear through this gateway, or is it processed elsewhere? Are you going to enable CIFS and SMB inspection on it as well?
Regards,
Vladimir
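The hyperthreading advice above is easy to verify on the ESXi host itself before sizing the gateway. The script below is an added example, not code from this thread or from Check Point or VMware: it parses the `Key: value` output of `esxcli hardware cpu global get`, flags a host where hyperthreading is still active, and checks that the planned vCPU count for the gateway does not exceed the physical core count (so each CoreXL worker lands on a real core rather than a sibling thread). The sample output embedded in the script is constructed to match that field layout; the field names are assumed to be `CPU Cores`, `CPU Threads` and `Hyperthreading Active` as printed by esxcli.

```shell
#!/bin/sh
# Added example: check an ESXi host's thread/core layout for a dedicated
# firewall gateway VM. Parses `esxcli hardware cpu global get` output.
# The sample below is constructed (not captured) and models a host that
# still has hyperthreading active.
SAMPLE_HT_ON='   CPU Packages: 2
   CPU Cores: 16
   CPU Threads: 32
   Hyperthreading Active: true
   Hyperthreading Supported: true
   Hyperthreading Enabled: true
   HV Support: 3'

# cpu_field NAME : read esxcli output on stdin, print the value after "NAME:".
cpu_field() {
    sed -n "s/^[[:space:]]*$1:[[:space:]]*//p" | head -n 1
}

# ht_active TEXT : succeed (exit 0) when "Hyperthreading Active" is true.
ht_active() {
    [ "$(printf '%s\n' "$1" | cpu_field 'Hyperthreading Active')" = "true" ]
}

# gateway_fits TEXT VCPUS : succeed when VCPUS does not exceed physical cores,
# i.e. every vCPU can be backed by its own core instead of a sibling thread.
gateway_fits() {
    cores=$(printf '%s\n' "$1" | cpu_field 'CPU Cores')
    [ -n "$cores" ] && [ "$2" -le "$cores" ]
}

# report TEXT VCPUS : print a human-readable verdict for both checks.
report() {
    if ht_active "$1"; then
        echo "WARN: hyperthreading is active on this host; disable it before benchmarking the gateway"
    else
        echo "OK: hyperthreading inactive"
    fi
    if gateway_fits "$1" "$2"; then
        echo "OK: $2 vCPUs fit within $(printf '%s\n' "$1" | cpu_field 'CPU Cores') physical cores"
    else
        echo "WARN: $2 vCPUs exceed the physical core count"
    fi
}

# On a real host read live data; elsewhere run against the constructed sample.
# Optional first argument: planned vCPU count for the gateway (default 8).
if command -v esxcli >/dev/null 2>&1; then
    report "$(esxcli hardware cpu global get)" "${1:-8}"
else
    report "$SAMPLE_HT_ON" "${1:-8}"
fi
```

Run it as `sh check_host.sh 8` from the ESXi shell (or over SSH) and compare the core count with the vCPU count you intend to give the gateway; the DPIO caveat (no snapshots, vMotion, HA or FT once a NIC is passed through) cannot be checked from CPU data and has to be weighed separately.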
Thanks, Vladimir, for your feedback and the advice regarding HT and DPIO. SMTP can be pulled from the default AV profile since that can be filtered by a dedicated appliance, but I hadn't considered CIFS inspection; thanks for pointing that out!
