Hi Dima,

Are there any news regarding having R80.20 Smart Center running on Nutanix AHV? We also have a customer that has this requirement.

Thank you,

Alex

We may be able to provide this through your local Check Point office.

Hi.

Any progress on the certification process?

Thanks in advance

aner.

I had the same question recently and was told they stopped testing due to lack of a solid business case and there weren't many customers requesting this from checkpoint. I opened an RFE with checkpoint and notified my checkpoint team a couple weeks ago but haven't heard back yet if they will continue testing or not.  For us the business case would be pretty simple - we can put everything else in AHV but would have to keep a separate environment just for Checkpoint management VMs.  One cluster is sure easier than two (on different technologies).  Nutanix loses a lot if we instead do Nutanix on Hyper-V (ADS, windows stability, windows update issues,  etc) and I don't have any vmware admins sitting around.  It seems like management should be somehow easier to certify than gateways but I suppose it's more a matter of enough customers requesting AHV support.

I have seen in the Check Point site, https://www.checkpoint.com/support-services/hcl/, that the Nutanix Acropolis Hypervisor (AHV/AOS), version AHV-20170830.184 & AOS-5.10 is supported by the version R80.30 (3.10 Kernel) to run the Security Gateway (not the SMS).

Nudging this topic to see if there's an update from @Tomer_Noy and team.

   I know it's a financial decision.     I understand the Nutanix platform supported in Cloudguard IaaS (gateway) with special NIC driver.

Customer would like to leverage Nutanix LEAP (DR-as-a-service).

In the LEAP environment they can deploy stand-alone VM image.    Customer wants to deploy CP SmartCenter in Nutanix LEAP environment to augment their existing Mgmt HA between primary and physical DR sites.     

Over time, physical DR moving to LEAP as some legacy apps tying them to physical DR are decomissioned.

Of course, a great alternative strategy would be to leverage MaaS (management-as-a-service) but it's unclear if/when MaaS will support Mgmt HA with on-premise SmartCenter. 

Yes, I understand target for MaaS is 99.9xxxxx% uptime, but Mgmt HA provides operational flexibility for network circuit issues.   Thus, the number of "9's" for MaaS does not solve all issues.

advise on thoughts. -GA

Regarding official driver support for Management as well as Gateway, that's really something for the OS team. If you need to promote it, then Solution Center may be the right path.

Regarding MaaS, we are looking into the option of allowing HA but it's not going to be immediate.

There are various challenges when MaaS is maintained by Check Point while the on-premise HA is maintained by the customer. For example, Management machines must be on the same version and JHF level for HF sync to succeed. If the secondary HA will be on-premise the sync will frequently break whenever we update / upgrade our side.

Also, the main benefit of MaaS is not having to deal with maintenance and sizing of the Management. It loses the impact a bit if the customer needs to take care of a secondary.

We are looking into other options such as the ability to fetch an export of the Management environment. A customer could periodically copy these on-premise and in a disaster case, install a new machine / VM, import and control his gateways.

Would be glad to hear thoughts / comments from the field on these directions.

Hello @Tomer_Noy .  thanks for update and insight.     

Customer currently using SmartEvent onsite with dedicated appliance (in addition to HA Management between two physical SmartCenters). 

How does "logging" work with MaaS?    Is there a equivalent of Log Exporter to redirect MaaS logging to SIEM, etc.?

Can customer leverage MaaS with separate on-premise Log Server?    Is this recommended when using SmartEvent?

Thanks -GA

A main benefit of MaaS is that it takes care of the logging for you.
We also plan to support a way to use log exporter to export your logs from the cloud to you SIEM.

We've heard some requests for using an on-premise log server. We may offer such support going forward, but we are still evaluating the use-cases. If you are interested, you can take this discussion offline with @Amir_Jaron.

👍

Hello @PhoneBoy and @Tomer_Noy .   

For past Nutanix builds, @Timothy_Hall observed the following problems with SmartCenter open-server build. 

Per comments from @Alexandru_Costi , I plan to have (different) customer re-test and validate Nutanix versions.

>>

1. [use] netstat -ni .   they were accumulating RX-DRPs when under no load whatsoever, the virtio network driver appears to suck.
2. horrible disk I/O. 

Thanks to all.  -GA

how did you test the io?

did you find a way to install nutanix guest tools ? would love to know how

hello @Alexandru_Costi .   thanks for this very helpful insight.  -GA

wow.  thanks @Dima_M 

Hello @Dima_M ,    any ideas if "overview" section of sk158292 will be updated to specifically mention Nutanix AHV?

At moment, here's the relevant portion from Overview section.   It seems somewhat ambiguous to think Nutanix support is present (unless you read checkmates!). 

////   sk158292 

The below tables show CloudGuard for Private Cloud R80.x releases for the following Cloud platfoms:

• VMware ESXi
• KVM/OpenStack

Hello @Dima_M .     thanks for update.   

small topic that may be relevant to  sk158292  would be licensing.    Will a standard open-server container licenses work with these cloudguard builds or are there cloudguard-specific licenses (smartcenter, MDS, gateway, all-in-one, etc)?

thanks GA

It's in works