SMB - New Product announcement - 1500 Series Secur...

Amir_Ayalon · ‎2019-10-17

Hi All

We are happy to announce The release of the new 1500 series security gateways for SMBs.

Our first Models to be announced are the 1550 and 1590 gateways which set new standards of protection against the most advanced fifth-generation cyber attacks.

The 1550 and 1590 gateways are powered by Check Point’s R80 release. R80 is the industry’s most advanced security management software, and includes multi-layered next-generation protection from both known threats and zero-day attacks using the award-winning SandBlast™ Zero-Day Protection, plus antivirus, anti-bot, IPS, app control, URL filtering and identity awareness.

The 1500 Security Gateways offer integrated, multi-layered security in a compact desktop form factor. Setup can be done in minutes using pre-defined security policies and our step-by-step configuration wizard. Check Point 1500 Security Gateways are conveniently manageable both locally via a Web interface and centrally by means of a cloud-based Check Point Security Management Portal (SMP) or R80 Security Management.

The new 1500 series empowers Small and Midsize businesses with Enterprise Grade Security:

100% block score for malware prevention for email and web, exploit resistance and post-infection catch rate, as seen in the NSS Labs’ recent Breach Prevention Systems (BPS) Group Test
Up to 2 times more performance from previous generations. The 1550 Gateway offers 450Mbps of threat prevention performance, and the 1590 Gateway offers 660Mbps
The 1550 provides maximum firewall throughput of 2Gbps and the 1590 provides maximum firewall throughput of 4Gbps
The 1550 features six 1GbE ports and the 1590 features ten 1GbE ports.
Check Point WatchTower mobile application, enables IT staff to monitor their networks and quickly mitigate security threats on the go from their mobile device
Out-of-the-box zero-touch provisioning allows for under 1-minute setup
IoT devices discovery and recognition for accurate security policy definition.

Want to know more ?

Visit the 1500 Series Security Gateways SK

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

And the R80.20 for Small and Medium Business Appliances

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

For full product specifications, visit: https://www.checkpoint.com/products/small-business-security/

Amir Ayalon | SMB Project Management Team Leader
Check Point SW Technologies. | ( +972-733-79-8629| Mobile: +972-545-787673 * amiray@checkpoint.com

HristoGrigorov · ‎2019-10-17

Well, congratulations on your new series of SMB appliances!

As the current firmware state is more or less incomplete do you have a road map to share on what else will be implemented and when ?

Any details on the hardware inside these boxes is welcome.

What about SecureXL? How is it different compared to Gaia ?

Timothy_Hall · ‎2019-10-17

These 1500 series boxes are running R80.20 which is a HUGE leap forward in regards to VPN Multicore, the removal of various SecureXL limitations, support for inline policy layers, and IPS integration with the rest of Threat Prevention. Nice!

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com

HristoGrigorov · ‎2019-10-17

Meaning we have now Drop templates and the "new" packet scheduler ?

G_W_Albrecht · ‎2019-10-18

"We have now" is incorrect, i fear - currently we have local and cloud management only, and a couple of Limitations:

These features are currently not available in the R80.20 release:

USB cellular modem

IPv6

ARP spoofing

MAC filtering

ThreatEmulation PrivateCloud Appliance

ADSL/VDSL

Internal LTE with SIM cards

R80.20 (992000668).png

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

Pedro_Espindola · ‎2019-10-23

Wow... Let's hope that their functionalities compensate for how ugly they look! 😅

PhoneBoy · ‎2019-10-24

I personally like how they look, having seen a pre-production unit in person.

HristoGrigorov · ‎2019-10-24

I like 1590 but without the antennas. But I'll be missing the many LED lights on the front panel.

G_W_Albrecht · ‎2019-10-18

1550:

NOTICE: Cold boot

NOTICE: Booting Trusted Firmware

NOTICE: BL1: v1.5(debug): (Marvell-release-19.02.0)

NOTICE: BL1: Built : 15:10:33, Jul 22 2019

NOTICE: BL1: Booting BL2

NOTICE: BL2: v1.5(debug): (Marvell-release-19.02.0)

NOTICE: BL2: Built : 15:10:38, Jul 22 2019

BL2: Initiating SCP_BL2 transfer to SCP

NOTICE: SCP_BL2 contains 2 concatenated images

NOTICE: Skipping MSS CP1 related image

NOTICE: Load image to AP0 MSS

NOTICE: Loading MSS image from addr. 0x40242cc Size 0x4bfc to MSS at 0xf0580000

NOTICE: Done

NOTICE: BL1: Booting BL31

lNOTICE: BL31: v1.5(debug): (Marvell-release-19.02.0)

NOTICE: BL31: Built : 15:10:48, Jul 22 2019

U-Boot 2018.03-release-19.02.0 (Jul 22 2019 - 15:09:45 +0300)

Model: Marvell Armada 7040 Sunspear V0 Software 0.0.1

SoC: Armada7040-A2; AP806-A1; CP110-A2

Clock: CPU 1400 [MHz]

DDR 800 [MHz]

FABRIC 800 [MHz]

MSS 200 [MHz]

LLC Enabled (Exclusive Mode)

DRAM: 2 GiB

=== V0 board_init ===

Comphy chip #0:

Comphy-0: SGMII1 1.25 Gbps

Comphy-1: USB3_HOST0

Comphy-2: SGMII0 1.25 Gbps

Comphy-3: UNCONNECTED

Comphy-4: UNCONNECTED

Comphy-5: PEX2

UTMI PHY 0 initialized to USB Host0

PCIE-0: Link up (Gen1-x1, Bus0)

MMC: sdhci@6e0000: 0, sdhci@780000: 1

Loading Environment from MMC... OK

Model: Marvell Armada 7040 Sunspear V0 Software 0.0.1

Net: eth0: mvpp2-0, eth1: mvpp2-1 [PRIME]

config_88E1512_init++

config_88E1512_led:miiphy_get_current_dev=cp0-mdio

config_88E6352_led:miiphy_get_current_dev=cp0-mdio

cp_set_board_vars started

switch to partitions #0, OK

mmc1(part 0) is current device

MMC read: dev # 1, block # 4096, count 512 ... 512 blocks read: OK

blob magic: a5a51234

blob crc: 8316a4d3

Verifying CRC for settings area... Done

cp_set_board_vars: dsl_annex is env_set to nothing

😎

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

G_W_Albrecht · ‎2019-10-18

1550 Security Gateway with the latest SMB R80 code alignment:

- Six (6) 1-Gigabit Ethernet ports (5 LAN Ports and 1 WAN)

- 3x3 Dual band 2.4Ghz / 5GHz Wi-Fi (802.11n/ac non-concurrent)

- Silicon Labs CP210x USB to UART bridge for microUSB Console port

uname -a :

Linux fifteenfifty 4.14.76-release-1.3.0 #1 SMP Sun Aug 11 16:18:56 IDT 2019 aarch64 arm GNU/Linux

fw ctl multik stat :

------------------------

ID | Active | CPU | Connections | Peak

----------------------------------------------

0 | Yes | 0 | 17 | 84

1 | Yes | 1 | 12 | 965

2 | Yes | 2 | 17 | 2024

3 | Yes | 3 | 11 | 68

[ 0.000000] Machine model: Marvell Armada 7040 Sunspear V0 Software 0.0.1

[ 0.000000] CP product = V0

[ 0.000000] earlycon: uart8250 at MMIO32 0x00000000f0512000 (options '')

[ 0.000000] bootconsole [uart8250] enabled

[ 0.000000] Kernel command line: console=ttyS0,115200 earlycon=uart8250,mmio32,0xf0512000 crashkernel=30M mvpp2x.queue_mode=1 quiet blkdevparts=mmcblk1:48M@10M(kernel-1),1M(dtb-1),720M(rootfs-1),48M(kernel-2),1M(dtb-2),720M(rootfs-2),300M(default_sw),650M(logs),1M(preset_cfg),1M(adsl),-(storage)

[ 0.000000] PID hash table entries: 4096 (order: 3, 32768 bytes)

[ 0.000000] Memory: 1733240K/2078720K available (8636K kernel code, 716K rwdata, 3120K rodata, 6208K init, 371K bss, 83336K reserved, 262144K cma-reserved)

[ 0.000000] Virtual kernel memory layout:

[ 0.000000] modules : 0xffff000000000000 - 0xffff000010000000 ( 256 MB)

[ 0.000000] vmalloc : 0xffff000010000000 - 0xffff7dffbfff0000 (129022 GB)

[ 0.000000] .text : 0xffff000010080000 - 0xffff0000108f0000 ( 8640 KB)

[ 0.000000] .rodata : 0xffff0000108f0000 - 0xffff000010c00000 ( 3136 KB)

[ 0.000000] .init : 0xffff000010c00000 - 0xffff000011210000 ( 6208 KB)

[ 0.000000] .data : 0xffff000011210000 - 0xffff0000112c3200 ( 717 KB)

[ 0.000000] .bss : 0xffff0000112c3200 - 0xffff00001131feb0 ( 372 KB)

[ 0.000000] fixed : 0xffff7dfffe7f9000 - 0xffff7dfffec00000 ( 4124 KB)

[ 0.000000] PCI I/O : 0xffff7dfffee00000 - 0xffff7dffffe00000 ( 16 MB)

[ 0.000000] vmemmap : 0xffff7e0000000000 - 0xffff800000000000 ( 2048 GB maximum)

[ 0.000000] 0xffff7e0000000000 - 0xffff7e0002000000 ( 32 MB actual)

[ 0.000000] memory : 0xffff800000000000 - 0xffff800080000000 ( 2048 MB)

[ 0.000000] SLUB: HWalign=64, Order=0-3, MinObjects=0, CPUs=4, Nodes=1

[ 0.000000] Hierarchical RCU implementation.

[ 0.000000] RCU event tracing is enabled.

[ 0.000000] CONFIG_RCU_FANOUT set to non-default value of 32

[ 0.000000] RCU restricting CPUs from NR_CPUS=64 to nr_cpu_ids=4.

[ 0.000000] RCU: Adjusting geometry for rcu_fanout_leaf=16, nr_cpu_ids=4

[ 0.000000] NR_IRQS: 64, nr_irqs: 64, preallocated irqs: 0

[ 0.000000] arch_timer: cp15 timer(s) running at 25.00MHz (phys).

[ 0.000000] clocksource: arch_sys_counter: mask: 0xffffffffffffff max_cycles: 0x5c40939b5, max_idle_ns: 440795202646 ns

[ 0.000002] sched_clock: 56 bits at 25MHz, resolution 40ns, wraps every 4398046511100ns

[ 0.000153] Console: colour dummy device 80x25

[ 0.000181] Calibrating delay loop (skipped), value calculated using timer frequency.. 50.00 BogoMIPS (lpj=100000)

[ 0.000186] pid_max: default: 32768 minimum: 301

[ 0.000221] Security Framework initialized

[ 0.001009] Dentry cache hash table entries: 262144 (order: 9, 2097152 bytes)

[ 0.001424] Inode-cache hash table entries: 131072 (order: 8, 1048576 bytes)

[ 0.001448] Mount-cache hash table entries: 4096 (order: 3, 32768 bytes)

[ 0.001462] Mountpoint-cache hash table entries: 4096 (order: 3, 32768 bytes)

[ 0.002079] ASID allocator initialised with 32768 entries

[ 0.002114] Hierarchical SRCU implementation.

[ 0.002337] EFI services will not be available.

[ 0.002428] smp: Bringing up secondary CPUs ...

[ 0.002748] Detected PIPT I-cache on CPU1

[ 0.002783] CPU1: Booted secondary processor [410fd081]

[ 0.003127] Detected PIPT I-cache on CPU2

[ 0.003152] CPU2: Booted secondary processor [410fd081]

[ 0.003491] Detected PIPT I-cache on CPU3

[ 0.003508] CPU3: Booted secondary processor [410fd081]

[ 0.003551] smp: Brought up 1 node, 4 CPUs

[ 0.003554] SMP: Total of 4 processors activated.

[ 0.003557] CPU features: detected feature: 32-bit EL0 Support

[ 0.003560] CPU features: detected feature: Kernel page table isolation (KPTI)

[ 0.011134] CPU: All CPU(s) started at EL2

[ 0.011146] alternatives: patching kernel code

[ 0.011584] devtmpfs: initialized

[ 0.013315] random: get_random_u32 called from bucket_table_alloc+0x108/0x258 with crng_init=0

[ 0.013544] clocksource: jiffies: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 7645041785100000 ns

[ 0.013569] futex hash table entries: 1024 (order: 5, 131072 bytes)

[ 0.016633] pinctrl core: initialized pinctrl subsystem

[ 0.017068] DMI not present or invalid.

[ 0.017220] NET: Registered protocol family 16

[ 0.017776] cpuidle: using governor menu

[ 0.018016] vdso: 2 pages (1 code @ ffff000011216000, 1 data @ ffff000011215000)

[ 0.018019] vdso: 2 pages (1 code @ ffff0000108f7000, 1 data @ ffff000011215000)

[ 0.018028] hw-breakpoint: found 6 breakpoint and 4 watchpoint registers.

[ 0.018708] DMA: preallocated 256 KiB pool for atomic allocations

[ 0.018764] Serial: AMBA PL011 UART driver

[ 7.934606] SIM: Linux kernel version 4.14.76

[ 7.934690] Sim: driver installed

[ 9.590831] [sim4_0];FW-1: Linux kernel version 2.6.32--1

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

HristoGrigorov · ‎2019-10-18

Thank you, thank you. 🙂 Keep the info coming in. I'll comment on it later...

HristoGrigorov · ‎2019-10-18

If possible please paste output from commands bellow. Thank you.

# fwaccel stat

# df -h

# fw ctl affinity -l -a

#sim affinity -l

G_W_Albrecht · ‎2019-10-18

Accept Templates : enabled
Drop Templates : disabled
NAT Templates : enabled

# df -h
Filesystem Size Used Available Use% Mounted on
tmpfs 20.0M 9.9M 10.1M 50% /tmp
tmpfs 40.0M 21.7M 18.3M 54% /fwtmp
/dev/mmcblk1p8 623.8M 2.4M 575.8M 0% /logs
/dev/mmcblk1p11 1.2G 674.9M 469.2M 59% /storage
/dev/mmcblk1p3 692.7M 370.3M 272.0M 58% /pfrm2.0
tmpfs 14.0M 9.7M 4.3M 69% /tmp/log/local
tmpfs 500.0M 0 500.0M 0% /tetmp

# fw ctl affinity -l -a
wifi0: CPU 0
eth0: CPU 3
WAN: CPU 3
fw_0: CPU 0
fw_1: CPU 1
fw_2: CPU 2
fw_3: CPU 3
ted: CPU all
ted: CPU all

# sim affinity -l
Multi queue interfaces: WAN LAN

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

G_W_Albrecht · ‎2019-10-18

I have been testing this model since end of August as locally and SMP managed device. Looks rather good to me - but i was not able to test management by SMS yet...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

HristoGrigorov · ‎2019-10-18

There are good features but it is not what I expected. I will wait for the central management support and then give them a try. I am also more interested in 1590. Any idea what is the hardware there ?

PhoneBoy · ‎2019-10-19

Pretty sure these new appliances can be managed by regular Check Point management (not SMB).
The issue is more likely that a patch is likely required on management to push policy to these devices.

Steffen_Appel · ‎2019-10-23

When will the 1400s go end of sale?

G_W_Albrecht · ‎2019-10-23

This has not yet been announced - see http://www.checkpoint.com/support-services/support-life-cycle-policy for details about the usual life spans of products !

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

Steffen_Appel · ‎2019-10-23

Now the EOS is published 5/20/2020: https://www.checkpoint.com/press/2019/check-point-revamps-small-and-medium-businesses-security-to-pr...

For all except the VDSL ones.

G_W_Albrecht · ‎2019-10-23

This patch will be included in next R80.30 Jumbo Take (will take about a week from now) and in R80.40 GA.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

G_W_Albrecht · ‎2019-11-20

Central management for 15x0 appliances is available now using R80.30 Jumbo Hotfix Accumulator - New Ongoing Take #107 and, in fact, SmartConsole R80.30 (GA Build 36) released !

Look at the new Advanced Settings for Central Managed 1550:

Additional Management Settings - Move temporary policy files to storage	bool	false	Indicates whether the temporary policy installation files will be saved to the storage partition
Administrators RADIUS authentication - Local authentication (RADIUS inaccessible)	bool	false	Perform local administrator authentication only if RADIUS server is not configured or is inaccessible.
Anti ARP Spoofing - Anti ARP Spoofing mode	options	Off	Mode for Anti ARP spoofing protection. The protection can be turned off, on or in detect only mode
Anti ARP Spoofing - Detection window time to indicate attack	int	180	Time period (in seconds) during which IP addresses, assigned to the same MAC address, indicate an ARP spoofing attack
Anti ARP Spoofing - Number of IP addresses to indicate attack	int	3	The number of IP addresses assigned to the same MAC address during the Detection window time that will indicate an ARP spoofing attack
Anti ARP Spoofing - Suspicious MAC block period	int	1800	Time period (in seconds) during which suspicious MAC addresses are kept in the blocked list
DHCP relay - Use internal IP addresses as source	bool	false	Indicates if DHCP relay packets from the appliance will originate from internal IP addresses
Hotspot - Enable portal	options	Enabled	Select 'Disabled' to disable the hotspot feature entirely
Hotspot - Prevent simultaneous log-in	bool	false	The same user will not be allowed to login via hotspot portal from more than one machine in parallel
Internet - Reset Sierra USB on LSI error	bool	true	Indicates whether Sierra type USB modems will be reset when they send an Invalid LSI signal
MAC Filtering settings - Log blocked MAC addresses	options	Enabled	Indicates if blocked MAC addresses should be logged or not
MAC Filtering settings - Log suspension	int	1	Indicates the suspension time (in seconds) between logs for blocked MAC addresses
Report Settings - Max period	options	Weekly	Maximum period to collect and monitor data in central management. You must reboot your appliance to apply changes.
Serial port - Enable serial port	options	Enabled	Indicates if the serial port is enabled
Serial port - Flow control	options	RTS/CTS	Indicates the method of data flow control to and from the serial port
Serial port - Mode	options	Console	Indicates if the serial port is used to connect to the appliance's console, a remote telnet server or allow a remote telnet connection to the device connected to the serial port.
Serial port - Port speed	options	115200	Indicates the port speed (Baud Rate) of the serial connection
USB modem watchdog - Interval	int	5	Indicates how often the USB modem watchdog probes the internet
USB modem watchdog - Mode	options	Disabled	Indicates if the USB modem watchdog is enabled when internet probing is enabled, and the reset type (either hard-reset to shut down the power for the USB modem or gateway-reset to reboot the gateway itself).
USB modem watchdog - USB only	bool	false	Monitor only USB modem connection

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

G_W_Albrecht · ‎2019-11-20

Still a lot of errors in new dashboard when inside the 1550 object:

IPS is flagged red and shows it is not working:

Error: IPS is not responding. verify that IPS is installed on the gateway

AV / ABOT look good , also TE:

But in TP rules, only TE counts the 1550 in:

According to the enabled Blades, there are 5 GWs with TE, AV and IPS enabled and 4 GWs have the ABOT enabled also...

In the 1550 WebGUI i can see that IPS updates are unreachable...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

HristoGrigorov · ‎2019-11-20

Device&Lic Info in SmartConsole has never been working properly for me. Like the device uptime is off by 2 hours (not respecting local time), Remote Users count is always 0, IPS and A/V update status is often not available at all, etc. Not that it bothers me 🙂

G_W_Albrecht · ‎2019-11-25

I have successfully reconnected the SMB to my SMS - in between, it did believe to run 80.20SP ! Now the IPS issue is resolved as status and shown version are correct - only that Dashboard still only shows the GW in TE updates More Details... section - the More Details... list for ABOT, AV and IPS does not include the 1550.

Next day update: Issue is here again, IPS is flagged although ips stat on SMB GW shows newest its update is installed.

And what we also have: SmartUpdate seems incapable of showing SW version as it did with 1200R, see details after Get Gateway Data !

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

Pablo_Barriga · ‎2019-11-12

Hello did you test it with Identity awareness blade, we had some issue with 910 gateways , the device had high cpu usage because of the Identity blade.

G_W_Albrecht · ‎2019-11-12

No - but if you do enable all blades, you will mostly get some issues - resources are rather low here...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

Pablo_Barriga · ‎2019-11-12

I was thinking to install the 1590 for a 45 Mbps Internet and 110 Users with 100 devices. Could it handle it ?

G_W_Albrecht · ‎2019-11-12

Hard to say, depends on:

- Traffic mix

- TP blades enabled

- https inspection

According to specs, it has NGTX performance - 660 Mbps (CPEnt) with 10x 1GbE Copper: See the Data Sheet 1500 Appliances Datasheet.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

Pablo_Barriga · ‎2019-11-12

The datasheet shows good specs, I think this gw is better than 910 , I'm going to test it on this project. Thanks for the tips.

HristoGrigorov · ‎2019-11-12

1590 and 910 are not really comparable..

I have to add here that latest 14xx firmware I run is very stable and performance is surprisingly good. I have 100MBit/s WAN and more than 100 hosts behind it and it handles it very well. With some tweaks here and there of course 🙂

Are you a member of CheckMates?

SMB - New Product announcement - 1500 Series Security Gateways