Dario_Ferroni
Participant

Max. Number of Security Gateways per Management Server

Hello community,
Some time ago we completed a migration from an ESX VM Security Management Server R77.30 to an R80.10 Appliance Smart-1 3150 with 264GB RAM, to manage more than 250 Gateways in our environment, ranging from 1100 to 15600 appliances.

Before the migration, when we asked Check Point for advice regarding our environment, we were told that, if we were satisfied with our configuration and our main need was just to have concurrent Administrators,
we did not need to move to a Multi-Domain implementation, since that feature was already supported in R80.10.

After moving to the new R80.10 Appliance Smart-1 3150, we began having memory issues, with the FWM process growing day by day up to 4GB and then crashing once or twice a week, creating a core dump.

After opening a case for this issue, we were provided a hotfix, which actually just delayed the time until the FWM issue occurred and the core dumps were created anyway; it did not solve the problem.
Furthermore, during the case handling we were told that, with our environment of more than 250 GWs, a Multi-Domain implementation should be highly recommended, even though we did not have that issue before with R77.30, because of the difference in the Operating System. We were in fact aware of the changes between R77.30 and R80.10, and of the difference in the FWM and JAVA processes.

Now, I'd like to know what your experience is with the maximum number of Gateways and/or Clusters managed by a single Security Management Server, and, if you know, whether there is a real best practice for advising when a Multi-Domain environment is really needed. I mean from a performance point of view, since the benefits of MDS from a management and organizational point of view are obvious and pretty clear.
I have the feeling that on the Check Point side there is a mismatch between "in the field, hands-on" experience, for which the number of gateways is not a mandatory precondition to go with MDS, and a more or less official best practice, which would advise going with MDS already at 50 gateways.

Thank you

Dario

4 Replies
PhoneBoy
Admin

Is logging and SmartEvent also running on your management server/VM as well?

Because if you're running 250 gateways AND having logging/reporting on the same server, that might be a bit much.

When running as a VM, Disk I/O can be a real issue. 

You may wish to consult with the TAC to get access to sk104848 which talks about performance optimizing Security Management in VMware. 

Dario_Ferroni
Participant

Hello Dameon,

Thanks for your reply.

No. We just have Appliances, and apart from the primary Security Management Server (which is also a "secondary" Log Server), we also have two additional Smart-1 3150: one is Primary for Logging and Secondary for Policy Management, the other is dedicated to SmartEvent.

PhoneBoy
Admin

Oh, you're coming FROM ESX

Where I've seen issues with, let's say "hundreds" of gateways, is pushing policies to all of them at once (with R77.x anyway)--without using SmartProvisioning.

SmartProvisioning (if appropriate) helps deal with hundreds or thousands of gateways in some use cases.

Most of the arguments I've seen around Multi-Domain aren't related to the number of gateways being managed, though usually if you have that many gateways, you have the sort of requirements that Multi-Domain is a good fit for.

Sven_Glock
Advisor

I am experiencing the same FWM problem on R80.10 MDM.

The problem is still under investigation of R&D.

I'll keep you posted once I have a new outcome.
