Solved: Re: Upgrade R77.xx to R80 on Smart-1 205: relative...

Chris_Butler · ‎2016-05-19

Has anyone tried going from R77.30 or from an NGSE standalone event server (R77) to R80 on a Smart-1 205?

At our product specialist's advice, we purchased a Smart-1 205 in December 2015 to be deployed as an NGSE standalone event server.

This was to complement our 4210 Gateway and our preexisting Smart-1 205 Security Management appliance (taking the SmartEvent load off of it). Both of these are running R77.30

As happens in IT, other fires needed tending before we could deploy it and now is the time, in May 2016.

By this time, R80 had been released: I noticed the recommendation on the NGSE product page that NGSE functionality was now integrated in R80 and that was the recommended OS to install. Further linking said an R80 SmartEvent server in an R77.xx Security Management environment was supported and documented.

I was planning on installing R80 on our new 205 to run the integrated SmartEvent instead of NGSE, as the NGSE product page suggests.

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

I opened a ticket with Tech Support first to ask for help with the install. After an initial email from the ticket owner saying go ahead with my plan to install R80, I followed up by phone for help with the process. At that point, after the technician conferred with his colleagues, I was told it is SUPPORTED, but NOT RECOMMENDED on any Smart-1 series appliance from their experience. You'd gain the new features, but the performance would be terrible compared to R77.30

I asked if this would still be an issue when the only blade or feature I would run on the new appliance would be Smart Event, and was told emphatically yes it would be an issue, especially if running Smart Event, even if nothing else is running on the box.

Since I saw this admonition nowhere on any of the public facing R80 upgrade / installation / release notes documentation I was curious as to whether anyone else has made the move from 77.30 to R80 in any fashion and what your experience was in terms of comparative performance.

I have done a considerable amount of research and digging, but here are a couple of references within Exchange Point:

The following link indicates that it was not great with earlier Smart-1 appliance models, but I wanted to know concretely about the 205.

https://community.checkpoint.com/thread/1170#comment-1673

This table gives a comparison of what hardware is in each appliance model, it would seem that the 205 has a less powerful processor than the 50, less HDD space, and the same amount of RAM. I would imagine my experience would be even worse than his

Check Point Smart-1 Appliance series

Modell	CPU	RAM	HDD
Smart-1 3150	2x Intel Xeon E5-2630v2 2.60GHz (Six Core)	64	6 TB
Smart-1 3050	2x Intel Xeon E5-2609v2 2.50GHz (QuadCore)	32	4 TB
Smart-1 225	Intel Core i5-3550S 3.10GHz (Quad Core)	16	2 TB
Smart-1 210	Intel Pentium G2120 3.10GHz (Dual Core)	8	2 TB
Smart-1 205	Intel Celeron G1620 2.7GHz (Dual Core)	4	1 TB
Smart-1 150	2x Intel Xeon L5410 2.33GHz (Quad Core)	16	2 TB
Smart-1 50	Intel Xeon E5410 2.33GHz (DualCore)	4	2 TB
Smart-1 25b	Intel Core2 Duo Processor E7400 2.80 GHz	4	2 TB
Smart-1 25	Intel Core2 Duo Processor T7400 2.16 GHz	3	2 TB
Smart-1 5	Intel Celeron M 1.50GHz	2	500 GB

Here is a posting that suggests that indexing would not even come on by default on a system with only 2 cores (like a 205)

R80 SmartEvent Problem.

Again, any real world experience with a 205 would be greatly appreciated.

UPDATE: I have since taken the advice of an excellent technician who took over my ticket, and deployed NGSE instead of R80, but I am still very curious about any real world experience any of you might have. Because, though I know this is the best course of action at present, NGSE is not perfect.

A fork of the original R77.0 release, it seems that NGSE may be a developmental cul-de-sac:

No ISO available for a fresh install of what I would assume you would call the GA take on a smart-1
WinSCP transfers and manual bash commands required to get it up to GA if your smart-1 factory images are not new enough
At that point, the WebUI package update interface is pre-CPUSE and trying to use it to install the 944 build (containing CPUSE) breaks the tool, requiring another WinSCP transfer and manual update.
After that, a broken filtering process means that CPUSE recommends packages which are not NGSE compatible and fail at best, or ones that would break the server at worst (R77.30 upgrade shows up??)
After fully updating it to the latest and greatest manually, NGSE appliance still uses vulnerable TLS encryption methods for the WebUI. You have to bash in, chmod, edit, and chmod a config file to remove that method. (firefox, for example will keep popping down a notification bar from the top of the browser window telling you not to put any passwords or credit card information into the website)

Thanks all.

Chris.

Report Inappropriate Content · ‎2016-06-19

Hi,

This is not the information i needed but it is enough to clarify the situation ,

On your new Smart-1 205 I recommend to install R80 and not NGSE.

You should enable the blades:

1. Logging & Status,

2. Smart event Server,

3. Smart Event Correlation unit.

But also follow the release notes of SmartEvent R80 and enable SmartLog in the Logs tab and follow the steps of configuring R80 SmartEvent to R77 management.

https://sc1.checkpoint.com/documents/R80/CP_R80_LoggingAndMonitoring/html_frameset.htm

On the admin guide look for:

“To connect the R80 SmartEvent components to an R77.xx Security Management Server”

Your understanding is correct SmartEvent reads/create events from log servers via LEA protocol.

So you should connect only the management ( your log server ) to the new SmartEvent server. ( should be configured automatically as I know )

View solution in original post

Jim_Holmes · ‎2016-05-19

It is really going to depend on the utilization. A small site will probably be OK, but anything more then one or two clusters you probably won't like it. The issue with R80 is memory consumption. I really wouldn't recommend running with less than 8GB of RAM in most cases. More is better.

Aka, Chillyjim

Chris_Butler · ‎2016-05-19

That rules out the Smart-1 205 which is limited to 4GB, if I am not mistaken.

We would be running SmartEvent with indexing.

I would further assume that compared to R77.30 taking our Management Server 205 up to R80 would be similarly painful.

Report Inappropriate Content · ‎2016-06-09

Hi Chris,

R80 works on all Smart-1 appliances, I recommend you to go with R80 and not NGSE in any case because R80 SmartEvent was based on NGSE with many many improvements.

Additionally during Q3 we will publish a performance HF for SmartEvent / SmartLog that boost the indexing and reduce the resources usage!

About your specific case, can you share with me more information:

1. Are you going to use the 205 appliance as SmartEvent dedicated server? or with management? or with SmartLog?

2. Can you run CPLogLogInvestigator on customer environment and send it to me?

3. How much log servers are you going to connect to this SmartEvent server? ( How much LEA connections will be opened )

I need this information to give you a professional answer for your specific situation.

BR,

Nir Barel

SmartEvent / SmartLog Core R&D Team Leader

Chris_Butler · ‎2016-06-09

Hi Nir,

Thanks for the response!

Some of the info is in the original post, but here goes:

We have a 4200 series gateway running R77.30 and these Security blades:

Mobile Access, IPS, Anti-Bot, Anti Virus, Anti-Spam & email Security, Monitoring, Application Control, URL Filtering, and will be enabling Threat Emulation and Threat Extraction shortly

We have a Smart-1 205 running R77.30 and these Management blades

Logging and Status, Management Portal, Compliance.

We are disabling Smart Reporter, Smart Event Server and Smart Event Correlation Unit because...

The new Smart-1 205 in question was to be dedicated to running Smart Event (either NGSE or R80 with just that blade)

We implemented it as an NGSE per advice from TAC after careful consideration.

The Management blades on our current NGSE implementation are Logging & Status, Smart event Server, Smart Event Correlation unit.

Per the remote session installation help we got, SmartReporter is not enabled because it is integrated into NGSE.

My understanding is that the only log source is the Management Smart-1 appliance. The dedicated server is a correlation unit but not a log server. But I am a bit of a n00b and I am not sure if I understood that explanation from the TAC support guy who helped me through the install.

Thanks.

Report Inappropriate Content · ‎2016-06-19

Hi,