Has anyone tried going from R77.30 or from an NGSE standalone event server (R77) to R80 on a Smart-1 205?
At our product specialist's advice, we purchased a Smart-1 205 in December 2015 to be deployed as an NGSE standalone event server.
This was to complement our 4210 Gateway and our preexisting Smart-1 205 Security Management appliance (taking the SmartEvent load off of it). Both of these are running R77.30.
As happens in IT, other fires needed tending before we could deploy it and now is the time, in May 2016.
By this time, R80 had been released: I noticed the recommendation on the NGSE product page that NGSE functionality was now integrated in R80 and that was the recommended OS to install. Further linking said an R80 SmartEvent server in an R77.xx Security Management environment was supported and documented.
I was planning on installing R80 on our new 205 to run the integrated SmartEvent instead of NGSE, as the NGSE product page suggests.
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
I opened a ticket with Tech Support first to ask for help with the install. After an initial email from the ticket owner saying go ahead with my plan to install R80, I followed up by phone for help with the process. At that point, after the technician conferred with his colleagues, I was told it is SUPPORTED, but NOT RECOMMENDED on any Smart-1 series appliance from their experience. You'd gain the new features, but the performance would be terrible compared to R77.30.
I asked if this would still be an issue when the only blade or feature I would run on the new appliance would be SmartEvent, and was told emphatically yes, it would be an issue, especially if running SmartEvent, even if nothing else is running on the box.
Since I saw this admonition nowhere on any of the public-facing R80 upgrade / installation / release notes documentation, I was curious as to whether anyone else has made the move from 77.30 to R80 in any fashion and what your experience was in terms of comparative performance.
I have done a considerable amount of research and digging, but here are a couple of references within Exchange Point:
The following link indicates that it was not great with earlier Smart-1 appliance models, but I wanted to know concretely about the 205.
https://community.checkpoint.com/thread/1170#comment-1673
This table gives a comparison of what hardware is in each appliance model. It would seem that the 205 has a less powerful processor than the 50, less HDD space, and the same amount of RAM. I would imagine my experience would be even worse than his.
Check Point Smart-1 Appliance series
Model | CPU | RAM | HDD |
Smart-1 3150 | 2x Intel Xeon E5-2630v2 2.60GHz (Six Core) | 64 | 6 TB |
Smart-1 3050 | 2x Intel Xeon E5-2609v2 2.50GHz (Quad Core) | 32 | 4 TB |
Smart-1 225 | Intel Core i5-3550S 3.10GHz (Quad Core) | 16 | 2 TB |
Smart-1 210 | Intel Pentium G2120 3.10GHz (Dual Core) | 8 | 2 TB |
Smart-1 205 | Intel Celeron G1620 2.7GHz (Dual Core) | 4 | 1 TB |
Smart-1 150 | 2x Intel Xeon L5410 2.33GHz (Quad Core) | 16 | 2 TB |
Smart-1 50 | Intel Xeon E5410 2.33GHz (Dual Core) | 4 | 2 TB |
Smart-1 25b | Intel Core2 Duo Processor E7400 2.80 GHz | 4 | 2 TB |
Smart-1 25 | Intel Core2 Duo Processor T7400 2.16 GHz | 3 | 2 TB |
Smart-1 5 | Intel Celeron M 1.50GHz | 2 | 500 GB |
Here is a posting that suggests that indexing would not even come on by default on a system with only 2 cores (like a 205):
R80 SmartEvent Problem.
Again, any real world experience with a 205 would be greatly appreciated.
UPDATE: I have since taken the advice of an excellent technician who took over my ticket, and deployed NGSE instead of R80, but I am still very curious about any real world experience any of you might have, because, though I know this is the best course of action at present, NGSE is not perfect.
A fork of the original R77.0 release, it seems that NGSE may be a developmental cul-de-sac:
- No ISO available for a fresh install of what I would assume you would call the GA take on a Smart-1
- WinSCP transfers and manual bash commands required to get it up to GA if your Smart-1 factory images are not new enough
- At that point, the WebUI package update interface is pre-CPUSE and trying to use it to install the 944 build (containing CPUSE) breaks the tool, requiring another WinSCP transfer and manual update.
- After that, a broken filtering process means that CPUSE recommends packages which are not NGSE compatible and fail at best, or ones that would break the server at worst (R77.30 upgrade shows up??)
- After fully updating it to the latest and greatest manually, the NGSE appliance still uses vulnerable TLS encryption methods for the WebUI. You have to bash in, chmod, edit, and chmod a config file to remove that method. (Firefox, for example, will keep popping down a notification bar from the top of the browser window telling you not to put any passwords or credit card information into the website.)
Thanks all.
Chris.