Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Amir_Ayalon
Employee
Employee

SMB - New Product announcement - 1500 Series Security Gateways

Hi All

We are happy to announce The release of the new 1500 series security gateways for SMBs.

Our first Models to be announced are the 1550 and 1590 gateways which set new standards of protection against the most advanced fifth-generation cyber attacks.

The 1550 and 1590 gateways are powered by Check Point’s R80 release. R80 is the industry’s most advanced security management software, and includes multi-layered next-generation protection from both known threats and zero-day attacks using the award-winning SandBlast™ Zero-Day Protection, plus antivirus, anti-bot, IPS, app control, URL filtering and identity awareness. 

 

The 1500 Security Gateways offer integrated, multi-layered security in a compact desktop form factor. Setup can be done in minutes using pre-defined security policies and our step-by-step configuration wizard. Check Point 1500 Security Gateways are conveniently manageable both locally via a Web interface and centrally by means of a cloud-based Check Point Security Management Portal (SMP) or R80 Security Management.

The new 1500 series empowers Small and Midsize businesses with Enterprise Grade Security:

  • 100% block score for malware prevention for email and web, exploit resistance and post-infection catch rate, as seen in the NSS Labs’ recent Breach Prevention Systems (BPS) Group Test
  • Up to 2 times more performance from previous generations. The 1550 Gateway offers 450Mbps of threat prevention performance, and the 1590 Gateway offers 660Mbps
  • The 1550 provides maximum firewall throughput of 2Gbps and the 1590 provides maximum firewall throughput of 4Gbps
  • The 1550 features six 1GbE ports and the 1590 features ten 1GbE ports.
  • Check Point WatchTower mobile application, enables IT staff to monitor their networks and quickly mitigate security threats on the go from their mobile device
  • Out-of-the-box zero-touch provisioning allows for under 1-minute setup
  • IoT devices discovery and recognition for accurate security policy definition.

 

Want to know more ?

Visit the 1500 Series Security Gateways SK

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

 

And the R80.20 for Small and Medium Business Appliances

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

 

 

For full product specifications, visit:  https://www.checkpoint.com/products/small-business-security/

 

 

Amir Ayalon | SMB Project Management Team Leader
Check Point SW Technologies. | ( +972-733-79-8629| Mobile: +972-545-787673 * amiray@checkpoint.com

54 Replies
HristoGrigorov

Well, congratulations on your new series of SMB appliances! 

As the current firmware state is more or less incomplete do you have a road map to share on what else will be implemented and when ? 

Any details on the hardware inside these boxes is welcome.

What about SecureXL? How is it different compared to Gaia ?

 

Timothy_Hall
Legend Legend
Legend

These 1500 series boxes are running R80.20 which is a HUGE leap forward in regards to VPN Multicore, the removal of various SecureXL limitations, support for inline policy layers, and IPS integration with the rest of Threat Prevention.   Nice!

 

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos
HristoGrigorov

Meaning we have now Drop templates and the "new" packet scheduler ?
0 Kudos
G_W_Albrecht
Legend Legend
Legend

"We have now" is incorrect, i fear - currently we have local and cloud management only, and a couple of Limitations: 

These features are currently not available in the R80.20 release:

USB cellular modem

IPv6

ARP spoofing

MAC filtering

ThreatEmulation PrivateCloud Appliance

ADSL/VDSL

Internal LTE with SIM cards

1550k.png

 

 

 

 

 

 

 

R80.20 (992000668).png

CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
Pedro_Espindola
Advisor

Wow... Let's hope that their functionalities compensate for how ugly they look! 😅

PhoneBoy
Admin
Admin

I personally like how they look, having seen a pre-production unit in person.
HristoGrigorov

I like 1590 but without the antennas. But I'll be missing the many LED lights on the front panel.
0 Kudos
G_W_Albrecht
Legend Legend
Legend

1550:

NOTICE:  Cold boot
NOTICE:  Booting Trusted Firmware
NOTICE:  BL1: v1.5(debug): (Marvell-release-19.02.0)
NOTICE:  BL1: Built : 15:10:33, Jul 22 2019
NOTICE:  BL1: Booting BL2
NOTICE:  BL2: v1.5(debug): (Marvell-release-19.02.0)
NOTICE:  BL2: Built : 15:10:38, Jul 22 2019
BL2: Initiating SCP_BL2 transfer to SCP
NOTICE:  SCP_BL2 contains 2 concatenated images
NOTICE:  Skipping MSS CP1 related image
NOTICE:  Load image to AP0 MSS
NOTICE:  Loading MSS image from addr. 0x40242cc Size 0x4bfc to MSS at 0xf0580000
NOTICE:  Done
NOTICE:  BL1: Booting BL31
lNOTICE:  BL31: v1.5(debug): (Marvell-release-19.02.0)
NOTICE:  BL31: Built : 15:10:48, Jul 22 2019
 
U-Boot 2018.03-release-19.02.0 (Jul 22 2019 - 15:09:45 +0300)
 
Model: Marvell Armada 7040 Sunspear V0 Software 0.0.1
SoC: Armada7040-A2; AP806-A1; CP110-A2
Clock:  CPU     1400 [MHz]
DDR     800  [MHz]
FABRIC  800  [MHz]
MSS     200  [MHz]
LLC Enabled (Exclusive Mode)
DRAM:  2 GiB
 
 === V0 board_init ===
Comphy chip #0:
Comphy-0: SGMII1        1.25 Gbps 
Comphy-1: USB3_HOST0   
Comphy-2: SGMII0        1.25 Gbps 
Comphy-3: UNCONNECTED  
Comphy-4: UNCONNECTED  
Comphy-5: PEX2         
UTMI PHY 0 initialized to USB Host0
PCIE-0: Link up (Gen1-x1, Bus0)
MMC:   sdhci@6e0000: 0, sdhci@780000: 1
Loading Environment from MMC... OK
Model: Marvell Armada 7040 Sunspear V0 Software 0.0.1
Net:   eth0: mvpp2-0, eth1: mvpp2-1 [PRIME]
config_88E1512_init++
config_88E1512_led:miiphy_get_current_dev=cp0-mdio
config_88E6352_led:miiphy_get_current_dev=cp0-mdio
cp_set_board_vars started
switch to partitions #0, OK
mmc1(part 0) is current device
 
MMC read: dev # 1, block # 4096, count 512 ... 512 blocks read: OK
blob magic: a5a51234
blob crc: 8316a4d3
Verifying CRC for settings area... Done
cp_set_board_vars: dsl_annex is env_set to nothing
😎
CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
G_W_Albrecht
Legend Legend
Legend

1550 Security Gateway with the latest SMB R80 code alignment:
- Six (6) 1-Gigabit Ethernet ports (5 LAN Ports and 1 WAN)
- 3x3 Dual band 2.4Ghz / 5GHz Wi-Fi (802.11n/ac non-concurrent)
- Silicon Labs CP210x USB to UART bridge for microUSB Console port
 
uname -a :
Linux fifteenfifty 4.14.76-release-1.3.0 #1 SMP Sun Aug 11 16:18:56 IDT 2019 aarch64 arm GNU/Linux
 
fw ctl multik stat :
------------------------
ID | Active  | CPU    | Connections | Peak    
----------------------------------------------
 0 | Yes     | 0      |          17 |       84
 1 | Yes     | 1      |          12 |      965
 2 | Yes     | 2      |          17 |     2024
 3 | Yes     | 3      |          11 |       68
 
[    0.000000] Machine model: Marvell Armada 7040 Sunspear V0 Software 0.0.1
[    0.000000] CP product  = V0
[    0.000000] earlycon: uart8250 at MMIO32 0x00000000f0512000 (options '')
[    0.000000] bootconsole [uart8250] enabled
 
[    0.000000] Kernel command line: console=ttyS0,115200 earlycon=uart8250,mmio32,0xf0512000 crashkernel=30M mvpp2x.queue_mode=1 quiet blkdevparts=mmcblk1:48M@10M(kernel-1),1M(dtb-1),720M(rootfs-1),48M(kernel-2),1M(dtb-2),720M(rootfs-2),300M(default_sw),650M(logs),1M(preset_cfg),1M(adsl),-(storage)
[    0.000000] PID hash table entries: 4096 (order: 3, 32768 bytes)
[    0.000000] Memory: 1733240K/2078720K available (8636K kernel code, 716K rwdata, 3120K rodata, 6208K init, 371K bss, 83336K reserved, 262144K cma-reserved)
[    0.000000] Virtual kernel memory layout:
[    0.000000]     modules : 0xffff000000000000 - 0xffff000010000000   (   256 MB)
[    0.000000]     vmalloc : 0xffff000010000000 - 0xffff7dffbfff0000   (129022 GB)
[    0.000000]       .text : 0xffff000010080000 - 0xffff0000108f0000   (  8640 KB)
[    0.000000]     .rodata : 0xffff0000108f0000 - 0xffff000010c00000   (  3136 KB)
[    0.000000]       .init : 0xffff000010c00000 - 0xffff000011210000   (  6208 KB)
[    0.000000]       .data : 0xffff000011210000 - 0xffff0000112c3200   (   717 KB)
[    0.000000]        .bss : 0xffff0000112c3200 - 0xffff00001131feb0   (   372 KB)
[    0.000000]     fixed   : 0xffff7dfffe7f9000 - 0xffff7dfffec00000   (  4124 KB)
[    0.000000]     PCI I/O : 0xffff7dfffee00000 - 0xffff7dffffe00000   (    16 MB)
[    0.000000]     vmemmap : 0xffff7e0000000000 - 0xffff800000000000   (  2048 GB maximum)
[    0.000000]               0xffff7e0000000000 - 0xffff7e0002000000   (    32 MB actual)
[    0.000000]     memory  : 0xffff800000000000 - 0xffff800080000000   (  2048 MB)
[    0.000000] SLUB: HWalign=64, Order=0-3, MinObjects=0, CPUs=4, Nodes=1
[    0.000000] Hierarchical RCU implementation.
[    0.000000] RCU event tracing is enabled.
[    0.000000] CONFIG_RCU_FANOUT set to non-default value of 32
[    0.000000] RCU restricting CPUs from NR_CPUS=64 to nr_cpu_ids=4.
[    0.000000] RCU: Adjusting geometry for rcu_fanout_leaf=16, nr_cpu_ids=4
[    0.000000] NR_IRQS: 64, nr_irqs: 64, preallocated irqs: 0
 
[    0.000000] arch_timer: cp15 timer(s) running at 25.00MHz (phys).
[    0.000000] clocksource: arch_sys_counter: mask: 0xffffffffffffff max_cycles: 0x5c40939b5, max_idle_ns: 440795202646 ns
[    0.000002] sched_clock: 56 bits at 25MHz, resolution 40ns, wraps every 4398046511100ns
[    0.000153] Console: colour dummy device 80x25
[    0.000181] Calibrating delay loop (skipped), value calculated using timer frequency.. 50.00 BogoMIPS (lpj=100000)
[    0.000186] pid_max: default: 32768 minimum: 301
[    0.000221] Security Framework initialized
[    0.001009] Dentry cache hash table entries: 262144 (order: 9, 2097152 bytes)
[    0.001424] Inode-cache hash table entries: 131072 (order: 8, 1048576 bytes)
[    0.001448] Mount-cache hash table entries: 4096 (order: 3, 32768 bytes)
[    0.001462] Mountpoint-cache hash table entries: 4096 (order: 3, 32768 bytes)
[    0.002079] ASID allocator initialised with 32768 entries
[    0.002114] Hierarchical SRCU implementation.
[    0.002337] EFI services will not be available.
[    0.002428] smp: Bringing up secondary CPUs ...
[    0.002748] Detected PIPT I-cache on CPU1
[    0.002783] CPU1: Booted secondary processor [410fd081]
[    0.003127] Detected PIPT I-cache on CPU2
[    0.003152] CPU2: Booted secondary processor [410fd081]
[    0.003491] Detected PIPT I-cache on CPU3
[    0.003508] CPU3: Booted secondary processor [410fd081]
[    0.003551] smp: Brought up 1 node, 4 CPUs
[    0.003554] SMP: Total of 4 processors activated.
[    0.003557] CPU features: detected feature: 32-bit EL0 Support
[    0.003560] CPU features: detected feature: Kernel page table isolation (KPTI)
[    0.011134] CPU: All CPU(s) started at EL2
[    0.011146] alternatives: patching kernel code
[    0.011584] devtmpfs: initialized
[    0.013315] random: get_random_u32 called from bucket_table_alloc+0x108/0x258 with crng_init=0
[    0.013544] clocksource: jiffies: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 7645041785100000 ns
[    0.013569] futex hash table entries: 1024 (order: 5, 131072 bytes)
[    0.016633] pinctrl core: initialized pinctrl subsystem
[    0.017068] DMI not present or invalid.
[    0.017220] NET: Registered protocol family 16
[    0.017776] cpuidle: using governor menu
[    0.018016] vdso: 2 pages (1 code @ ffff000011216000, 1 data @ ffff000011215000)
[    0.018019] vdso: 2 pages (1 code @ ffff0000108f7000, 1 data @ ffff000011215000)
[    0.018028] hw-breakpoint: found 6 breakpoint and 4 watchpoint registers.
[    0.018708] DMA: preallocated 256 KiB pool for atomic allocations
[    0.018764] Serial: AMBA PL011 UART driver
 
[    7.934606] SIM: Linux kernel version 4.14.76 
[    7.934690] Sim: driver installed
[    9.590831] [sim4_0];FW-1: Linux kernel version 2.6.32--1 

 

CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
HristoGrigorov

Thank you, thank you. 🙂 Keep the info coming in. I'll comment on it later...
0 Kudos
HristoGrigorov

If possible please paste output from commands bellow. Thank you.

# fwaccel stat

# df -h

# fw ctl affinity -l -a

#sim affinity -l

0 Kudos
G_W_Albrecht
Legend Legend
Legend

# fwaccel stat
+-----------------------------------------------------------------------------+
|Id|Name |Status |Interfaces |Features |
+-----------------------------------------------------------------------------+
|0 |SND |enabled |WAN,LAN1,wlan0 |Acceleration,Cryptography |
| | | | |Crypto: Tunnel,UDPEncap,MD5, |
| | | | |SHA1,NULL,3DES,DES,CAST, |
| | | | |CAST-40,AES-128,AES-256,ESP, |
| | | | |LinkSelection,DynamicVPN, |
| | | | |NatTraversal,AES-XCBC,SHA256 |
+-----------------------------------------------------------------------------+

Accept Templates : enabled
Drop Templates : disabled
NAT Templates : enabled

# df -h
Filesystem Size Used Available Use% Mounted on
tmpfs 20.0M 9.9M 10.1M 50% /tmp
tmpfs 40.0M 21.7M 18.3M 54% /fwtmp
/dev/mmcblk1p8 623.8M 2.4M 575.8M 0% /logs
/dev/mmcblk1p11 1.2G 674.9M 469.2M 59% /storage
/dev/mmcblk1p3 692.7M 370.3M 272.0M 58% /pfrm2.0
tmpfs 14.0M 9.7M 4.3M 69% /tmp/log/local
tmpfs 500.0M 0 500.0M 0% /tetmp

# fw ctl affinity -l -a
wifi0: CPU 0
eth0: CPU 3
WAN: CPU 3
fw_0: CPU 0
fw_1: CPU 1
fw_2: CPU 2
fw_3: CPU 3
ted: CPU all
ted: CPU all

# sim affinity -l
Multi queue interfaces: WAN LAN

CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
G_W_Albrecht
Legend Legend
Legend

I have been testing this model since end of August as locally and SMP managed device. Looks rather good to me - but i was not able to test management by SMS yet...

CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
HristoGrigorov

There are good features but it is not what I expected. I will wait for the central management support and then give them a try. I am also more interested in 1590. Any idea what is the hardware there ?

0 Kudos
PhoneBoy
Admin
Admin

Pretty sure these new appliances can be managed by regular Check Point management (not SMB).
The issue is more likely that a patch is likely required on management to push policy to these devices.
0 Kudos
Steffen_Appel
Advisor

When will the 1400s go end of sale?

0 Kudos
G_W_Albrecht
Legend Legend
Legend

This has not yet been announced - see http://www.checkpoint.com/support-services/support-life-cycle-policy for details about the usual life spans of products !

 

CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Steffen_Appel
Advisor

Now the EOS is published 5/20/2020: https://www.checkpoint.com/press/2019/check-point-revamps-small-and-medium-businesses-security-to-pr...

 

For all except the VDSL ones.

0 Kudos
G_W_Albrecht
Legend Legend
Legend

This patch will be included in next R80.30 Jumbo Take (will take about a week from now) and in R80.40 GA.

CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
G_W_Albrecht
Legend Legend
Legend

Central management for 15x0 appliances is available now using R80.30 Jumbo Hotfix Accumulator - New Ongoing Take #107 and, in fact, SmartConsole R80.30 (GA Build 36) released !

Look at the new Advanced Settings for Central Managed 1550:

Additional Management Settings - Move temporary policy files to storage bool false Indicates whether the temporary policy installation files will be saved to the storage partition
Administrators RADIUS authentication - Local authentication (RADIUS inaccessible) bool false Perform local administrator authentication only if RADIUS server is not configured or is inaccessible.
Anti ARP Spoofing - Anti ARP Spoofing mode options Off Mode for Anti ARP spoofing protection. The protection can be turned off, on or in detect only mode
Anti ARP Spoofing - Detection window time to indicate attack int 180 Time period (in seconds) during which IP addresses, assigned to the same MAC address, indicate an ARP spoofing attack
Anti ARP Spoofing - Number of IP addresses to indicate attack int 3 The number of IP addresses assigned to the same MAC address during the Detection window time that will indicate an ARP spoofing attack
Anti ARP Spoofing - Suspicious MAC block period int 1800 Time period (in seconds) during which suspicious MAC addresses are kept in the blocked list
DHCP relay - Use internal IP addresses as source bool false Indicates if DHCP relay packets from the appliance will originate from internal IP addresses
Hotspot - Enable portal options Enabled Select 'Disabled' to disable the hotspot feature entirely
Hotspot - Prevent simultaneous log-in bool false The same user will not be allowed to login via hotspot portal from more than one machine in parallel
Internet - Reset Sierra USB on LSI error bool true Indicates whether Sierra type USB modems will be reset when they send an Invalid LSI signal
MAC Filtering settings - Log blocked MAC addresses options Enabled Indicates if blocked MAC addresses should be logged or not
MAC Filtering settings - Log suspension int 1 Indicates the suspension time (in seconds) between logs for blocked MAC addresses
Report Settings - Max period options Weekly Maximum period to collect and monitor data in central management. You must reboot your appliance to apply changes.
Serial port - Enable serial port options Enabled Indicates if the serial port is enabled
Serial port - Flow control options RTS/CTS Indicates the method of data flow control to and from the serial port
Serial port - Mode options Console Indicates if the serial port is used to connect to the appliance's console, a remote telnet server or allow a remote telnet connection to the device connected to the serial port.
Serial port - Port speed options 115200 Indicates the port speed (Baud Rate) of the serial connection
USB modem watchdog - Interval int 5 Indicates how often the USB modem watchdog probes the internet
USB modem watchdog - Mode options Disabled Indicates if the USB modem watchdog is enabled when internet probing is enabled, and the reset type (either hard-reset to shut down the power for the USB modem or gateway-reset to reboot the gateway itself).
USB modem watchdog - USB only bool false Monitor only USB modem connection
CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
G_W_Albrecht
Legend Legend
Legend

Still a lot of errors in new dashboard when inside the 1550 object:

IPS is flagged red and shows it is not working:

Error: IPS is not responding. verify that IPS is installed on the gateway

AV / ABOT look good , also TE:

dev.png

But in TP rules, only TE counts the 1550 in:

IPS.pngAccording to the enabled Blades, there are 5 GWs with TE, AV and IPS enabled and 4 GWs have the ABOT enabled also...

In the 1550 WebGUI i can see that IPS updates are unreachable...

CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
HristoGrigorov

Device&Lic Info in SmartConsole has never been working properly for me. Like the device uptime is off by 2 hours (not respecting local time), Remote Users count is always 0, IPS and A/V update status is often not available at all, etc. Not that it bothers me 🙂

 

sc-funny-uptime.png

0 Kudos
G_W_Albrecht
Legend Legend
Legend

I have successfully reconnected the SMB to my SMS - in between, it did believe to run 80.20SP ! Now the IPS issue is resolved as status and shown version are correct - only that Dashboard still only shows the GW in TE updates More Details... section - the More Details... list for ABOT, AV and IPS does not include the 1550. 

Next day update: Issue is here again, IPS is flagged although ips stat on SMB GW shows newest its update is installed.

And what we also have: SmartUpdate seems incapable of showing SW version as it did with 1200R, see details after Get Gateway Data !

SmartUpdate.png

 

CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Pablo_Barriga
Advisor

Hello did you test it with Identity awareness blade, we had some issue with 910 gateways , the device had high cpu usage because of the Identity blade.

0 Kudos
G_W_Albrecht
Legend Legend
Legend

No - but if you do enable all blades, you will mostly get some issues - resources are rather low here...

CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
Pablo_Barriga
Advisor

I was thinking to install the 1590 for a 45  Mbps Internet and 110 Users with 100 devices.  Could it handle it ?

0 Kudos
G_W_Albrecht
Legend Legend
Legend

Hard to say, depends on:

- Traffic mix

- TP blades enabled

- https inspection

According to specs, it has NGTX performance - 660 Mbps (CPEnt) with 10x 1GbE Copper: See the Data Sheet 1500 Appliances Datasheet.

CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Pablo_Barriga
Advisor

The datasheet shows good specs, I think this gw is better than 910 , I'm going to test it on this project. Thanks for the tips.
0 Kudos
HristoGrigorov

1590 and 910 are not really comparable.. 

I have to add here that latest 14xx firmware I run is very stable and performance is surprisingly good. I have 100MBit/s WAN and more than 100 hosts behind it and it handles it very well. With some tweaks here and there of course 🙂

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events