R80.10 Gateway on ESXi

Hi all,

I’m after opinions on running an R80.10 gateway purely for Layer 4 ACLs, IPS and Threat Prevention – and running that gateway on VMware’s ESXi hypervisor. I’ve tried Check Point’s hypervisor implementation (VSX) in previous roles and had issues (not sure if the issues I ran into on VSX R77.30 are specifically solved in the R80.10 release, but I’m not keen to go VSX again).

We would probably be hitting 5GB throughput, but these aren’t perimeter firewalls and the upper tiers handle DDoS/volumetric/L3–L4 attacks. Also, these R80.10 gateways won’t have any crypto work since that is being offloaded elsewhere, so it’s really just the IPS/AV/AB throughput I need to consider.

Keen to hear any comments!

Re: R80.10 Gateway on ESXi


While I routinely build the gateways and clusters on ESXi, none of them were production bound.

So I am just extrapolating from my previous experience here: so long as it is a dedicated host with hyperthreading disabled, you should be able to do this.

If this gateway is running on a dedicated host, you may have to play with DPIO to get the maximum performance out of it, but keep in mind that it'll prevent you from using snapshots, vMotion, HA and FT.

I am curious to know: if you are offloading the HTTPS and SMTP TLS decrypts to an external device, do you then pipe it in the clear through this gateway, or is it processed elsewhere? Are you going to enable CIFS and SMB inspection on it as well?
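The "hyperthreading disabled on a dedicated host" advice above is easy to state and easy to get wrong after a BIOS change that has not taken effect yet. The script below is an added example, not code from the thread or from Check Point or VMware; it parses the output of the real ESXi command `esxcli hardware cpu global get` and only reports HT as off when both the "Hyperthreading Active" flag and the cores-to-threads ratio agree. The two sample outputs are constructed for the example, not captured from a real host.

```shell
#!/bin/sh
# Added example: verify that an ESXi host intended for a gateway VM really
# has hyperthreading off. Input is the text of `esxcli hardware cpu global get`
# (a real esxcli command); the two samples below are constructed.

# Constructed sample: host with HT still enabled.
HT_ON_SAMPLE='   CPU Packages: 2
   CPU Cores: 16
   CPU Threads: 32
   Hyperthreading Active: true
   Hyperthreading Supported: true
   Hyperthreading Enabled: true
   HV Support: 3'

# Constructed sample: same host after HT was disabled and the host rebooted.
HT_OFF_SAMPLE='   CPU Packages: 2
   CPU Cores: 16
   CPU Threads: 16
   Hyperthreading Active: false
   Hyperthreading Supported: true
   Hyperthreading Enabled: false
   HV Support: 3'

# field "<esxcli output>" "<Field name>" -> prints the value after the colon
field() {
    printf '%s\n' "$1" | sed -n "s/^ *$2: *//p"
}

# ht_disabled "<esxcli output>": returns 0 if hyperthreading is off, 1 otherwise.
# Both the Active flag and the cores/threads ratio must agree, so a setting
# changed in the BIOS but not yet active (pending reboot) is not mistaken
# for a host that is ready.
ht_disabled() {
    out="$1"
    active=$(field "$out" "Hyperthreading Active")
    cores=$(field "$out" "CPU Cores")
    threads=$(field "$out" "CPU Threads")
    [ "$active" = "false" ] && [ "$cores" -eq "$threads" ]
}

# On a real host (hypothetical usage, run from the ESXi shell):
#   ht_disabled "$(esxcli hardware cpu global get)" \
#     && echo "HT off: host ready for gateway VM" \
#     || echo "HT still active: fix BIOS/host setting and reboot"
```

Run it from the ESXi shell or feed it saved command output; the check is intentionally conservative so that a host reporting "Enabled: false" but still "Active: true" is treated as not ready.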



Re: R80.10 Gateway on ESXi

Thanks Vladimir for your feedback and the advice regarding HT and DPIO. SMTP can be pulled from the default AV profile since that can be filtered by a dedicated appliance, but I hadn’t considered CIFS inspection – thanks for pointing that out!

