aner_sagi
Contributor

SmartCenter Gaia on Nutanix?

Hi All,

A new customer of mine wants to move his R80.10 SmartCenter (currently on Hyper-V) to Nutanix.

Is it supported?

Thanks in advance

Aner

2 Solutions

Accepted Solutions
Dima_M
Employee

@aner_sagi @Garrett_DirSec @Alexandru_Costi  

Hi all,

We now support R80.40 Security Management on Nutanix AHV.

To install R80.40 on Nutanix AHV, please use qcow2 image files from sk158292 


DS9ish
Participant

@Amir_Arama I was able to import the R80.40 OpenStack / Nutanix AHV / KVM qcow2 image from sk158292 to our Nutanix image service, then clone the disk as a SCSI disk during creation of the Management guest VM. This created a system that booted and was ready to run the first-time wizard. From there I was able to install it as a secondary management server, and sync to it from our primary. At this point I am currently actively testing this build so I don't have further results to share (positive or negative).

Note this does only give you the single 100GB disk - as I indicated in my previous post I was able to add additional storage capacity by following the general process outlined in sk94671: creating a new disk, adding it to the VM definition, then going through the LVM process within Gaia to add the new disks' capacity at the OS level.


50 Replies
Norbert_Bohusch
Advisor

Nutanix Hypervisor (AHV)? Not supported as far as I know. 

If you only mean Nutanix HW with VMware ESX or Hyper-V, this should work for sure.

Dima_M
Employee
 
Alexandru_Costi
Explorer

Hi Dima,

Is there any news regarding having R80.20 Smart Center running on Nutanix AHV? We also have a customer that has this requirement.

Thank you,

Alex

PhoneBoy
Admin

We may be able to provide this through your local Check Point office.

aner_sagi
Contributor

Hi.

Any progress on the certification process?

Thanks in advance

aner.

af0e2c12-4d24-3
Participant

I had the same question recently and was told they stopped testing due to lack of a solid business case and there weren't many customers requesting this from checkpoint. I opened an RFE with checkpoint and notified my checkpoint team a couple weeks ago but haven't heard back yet if they will continue testing or not.  For us the business case would be pretty simple - we can put everything else in AHV but would have to keep a separate environment just for Checkpoint management VMs.  One cluster is sure easier than two (on different technologies).  Nutanix loses a lot if we instead do Nutanix on Hyper-V (ADS, windows stability, windows update issues,  etc) and I don't have any vmware admins sitting around.  It seems like management should be somehow easier to certify than gateways but I suppose it's more a matter of enough customers requesting AHV support.

dbritt
Explorer
We also would like to migrate our SmartCenter to Nutanix AHV. Our business case is similar to yours. In our case, everything else has been migrated from ESX to AHV, now we are stuck maintaining a VMware machine for one VM.
PhoneBoy
Admin
Your best bet is to engage with your local Check Point office on this requirement.
Garrett_DirSec
Advisor

Update Sept 20, 2019. Significantly more information has surfaced on this topic since the original post.

The default GAIA R80.20/R80.30 network driver does not work well on Nutanix platform. Check Point Solution Center has released an updated driver for Nutanix platform that is specifically for GATEWAY deployments. Your local Check Point field engineer can obtain this through internal process with Solution Center.

However, the development and testing for this NIC driver and Nutanix is ONLY for gateway and SmartCenter is not currently supported. 

 

>>> original <<<<

We have fielded similar query from customer "migrating SmartCenter virtual instance from VMware to Nutanix".

Our local CP engineer researched and was told "not officially supported but it should work". In addition, there was a suggestion to test operation as thoroughly as possible to identify any obvious service-affecting issues. If nothing awful, then issues encountered for production instance would be reviewed on a case-by-case basis.

I.e., software config issues would be supported as normal, but if something seems to be a result of the platform then the customer is on their own.

Customer OK with this position. We built Nutanix SmartCenter image (32G RAM, 8 cores, 500G disk) and have been playing to ensure no surprises.

On the side topic of GATEWAY on Nutanix, CP engineers have an "internal" PDF that details how to deploy a gateway on Nutanix. This is under the CloudGuard realm. CP is maintaining pre-built Nutanix images that are downloaded internally and deployed on customer.

Best wishes.  -GA

 

Marcos_Vieira
Contributor

I have seen in the Check Point site, https://www.checkpoint.com/support-services/hcl/, that the Nutanix Acropolis Hypervisor (AHV/AOS), version AHV-20170830.184 & AOS-5.10 is supported by the version R80.30 (3.10 Kernel) to run the Security Gateway (not the SMS).

0 Kudos
Garrett_DirSec
Advisor

Nudging this topic to see if there's an update from @Tomer_Noy and team.

I know it's a financial decision. I understand the Nutanix platform is supported in CloudGuard IaaS (gateway) with a special NIC driver.

Customer would like to leverage Nutanix LEAP (DR-as-a-service).

In the LEAP environment they can deploy stand-alone VM image.    Customer wants to deploy CP SmartCenter in Nutanix LEAP environment to augment their existing Mgmt HA between primary and physical DR sites.     

Over time, physical DR is moving to LEAP as some legacy apps tying them to physical DR are decommissioned.

Of course, a great alternative strategy would be to leverage MaaS (management-as-a-service) but it's unclear if/when MaaS will support Mgmt HA with on-premise SmartCenter. 

Yes, I understand target for MaaS is 99.9xxxxx% uptime, but Mgmt HA provides operational flexibility for network circuit issues.   Thus, the number of "9's" for MaaS does not solve all issues.

advise on thoughts. -GA

 

 

0 Kudos
Tomer_Noy
Employee

Regarding official driver support for Management as well as Gateway, that's really something for the OS team. If you need to promote it, then Solution Center may be the right path.

Regarding MaaS, we are looking into the option of allowing HA but it's not going to be immediate.

There are various challenges when MaaS is maintained by Check Point while the on-premise HA is maintained by the customer. For example, Management machines must be on the same version and JHF level for HF sync to succeed. If the secondary HA will be on-premise the sync will frequently break whenever we update / upgrade our side.

Also, the main benefit of MaaS is not having to deal with maintenance and sizing of the Management. It loses the impact a bit if the customer needs to take care of a secondary.

We are looking into other options such as the ability to fetch an export of the Management environment. A customer could periodically copy these on-premise and in a disaster case, install a new machine / VM, import and control his gateways.

Would be glad to hear thoughts / comments from the field on these directions.

Garrett_DirSec
Advisor

Hello @Tomer_Noy .  thanks for update and insight.     

Customer currently using SmartEvent onsite with dedicated appliance (in addition to HA Management between two physical SmartCenters). 

How does "logging" work with MaaS? Is there an equivalent of Log Exporter to redirect MaaS logging to SIEM, etc.?

Can customer leverage MaaS with separate on-premise Log Server?    Is this recommended when using SmartEvent?

Thanks -GA

0 Kudos
Tomer_Noy
Employee

A main benefit of MaaS is that it takes care of the logging for you.
We also plan to support a way to use log exporter to export your logs from the cloud to your SIEM.

We've heard some requests for using an on-premise log server. We may offer such support going forward, but we are still evaluating the use-cases. If you are interested, you can take this discussion offline with @Amir_Jaron.

0 Kudos
PhoneBoy
Admin
The relevant Nutanix drivers need to be added to an OS image that supports management.
This was done for a special R80.30-3.10 image for gateways.
Not sure why these aren't in the maintrain yet.

As Tomer said, your best bet is to engage with Solution Center.
This will need to be done through your local Check Point office.
Jan_Elbers
Participant

👍

Alexandru_Costi
Explorer

Hi,

 

When I started looking into it, I never got a clear answer regarding when/if Smart Management will be officially supported on Nutanix AHV.

In the meantime we have 3 x R80.20 Smart Center VMs running on our Nutanix clusters for the last 6-8 months. We didn't have any issues with network cards, the only problem we had was with no drivers for SCSI disk so we used a SATA disk for the VM instead.

We are running Nutanix AOS - 5.10.8.1 and AHV - 20170830.337. The installation of the Smart Center VMs was done using R80.20 - Build 095.

Recently we upgraded our Nutanix environment (to the versions mentioned above) and we didn't have any problems with the Check Point VMs: no issues with migration of VMs between nodes during the Nutanix upgrade and no downtime.

 

Thanks,

Alex 

PhoneBoy
Admin
I suspect if you use fairly generic virtual hardware, it should work fine in Nutanix, as Gaia generally does in many virtualized environments, but it may not be as performant as with the specific virtualized hardware Nutanix provides.
Formal support is, of course, a different matter.
0 Kudos
Garrett_DirSec
Advisor

Hello @PhoneBoy and @Tomer_Noy .   

For past Nutanix builds, @Timothy_Hall observed the following problems with SmartCenter open-server build. 

Per comments from @Alexandru_Costi , I plan to have (different) customer re-test and validate Nutanix versions.

>>

  1. [use] netstat -ni .   they were accumulating RX-DRPs when under no load whatsoever, the virtio network driver appears to suck.
  2. horrible disk I/O. 

 

Thanks to all.  -GA

0 Kudos
Amir_Arama
Advisor

how did you test the io?

did you find a way to install nutanix guest tools ? would love to know how

0 Kudos
Garrett_DirSec
Advisor

hello @Alexandru_Costi .   thanks for this very helpful insight.  -GA

0 Kudos
Dima_M
Employee

@aner_sagi @Garrett_DirSec @Alexandru_Costi  

Hi all,

We now support R80.40 Security Management on Nutanix AHV.

To install R80.40 on Nutanix AHV, please use qcow2 image files from sk158292 


Garrett_DirSec
Advisor

wow.  thanks @Dima_M 

0 Kudos
Garrett_DirSec
Advisor

Hello @Dima_M ,    any ideas if "overview" section of sk158292 will be updated to specifically mention Nutanix AHV?

At moment, here's the relevant portion from Overview section.   It seems somewhat ambiguous to think Nutanix support is present (unless you read checkmates!). 

////   sk158292 

The below tables show CloudGuard for Private Cloud R80.x releases for the following Cloud platforms:

  • VMware ESXi
  • KVM/OpenStack
Dima_M
Employee
Hey Garret,

Thanks for heads up. Yes, already in progress...
0 Kudos
Garrett_DirSec
Advisor

Hello @Dima_M .     thanks for update.   

small topic that may be relevant to  sk158292  would be licensing.    Will a standard open-server container licenses work with these cloudguard builds or are there cloudguard-specific licenses (smartcenter, MDS, gateway, all-in-one, etc)?

thanks GA

0 Kudos
PhoneBoy
Admin
For Management, you can definitely use Open Server licensing.
For gateways, I believe you can still use Open Server licensing but the CloudGuard IaaS licensing may be cheaper.
0 Kudos
Herold
Contributor
Is there a timeline for R80.40 to support VMware VSphere?
0 Kudos
_Val_
Admin

It's in the works

0 Kudos
