Amir_Ayalon
Employee

SMB - New Product announcement - 1500 Series Security Gateways

Hi All

We are happy to announce the release of the new 1500 series security gateways for SMBs.

Our first models to be announced are the 1550 and 1590 gateways, which set new standards of protection against the most advanced fifth-generation cyber attacks.

The 1550 and 1590 gateways are powered by Check Point’s R80 release. R80 is the industry’s most advanced security management software, and includes multi-layered next-generation protection from both known threats and zero-day attacks using the award-winning SandBlast™ Zero-Day Protection, plus antivirus, anti-bot, IPS, app control, URL filtering and identity awareness. 

 

The 1500 Security Gateways offer integrated, multi-layered security in a compact desktop form factor. Setup can be done in minutes using pre-defined security policies and our step-by-step configuration wizard. Check Point 1500 Security Gateways are conveniently manageable both locally via a Web interface and centrally by means of a cloud-based Check Point Security Management Portal (SMP) or R80 Security Management.

The new 1500 series empowers Small and Midsize businesses with Enterprise Grade Security:

  • 100% block score for malware prevention for email and web, exploit resistance and post-infection catch rate, as seen in the NSS Labs’ recent Breach Prevention Systems (BPS) Group Test
  • Up to 2 times more performance from previous generations. The 1550 Gateway offers 450Mbps of threat prevention performance, and the 1590 Gateway offers 660Mbps
  • The 1550 provides maximum firewall throughput of 2Gbps and the 1590 provides maximum firewall throughput of 4Gbps
  • The 1550 features six 1GbE ports and the 1590 features ten 1GbE ports.
  • Check Point WatchTower mobile application enables IT staff to monitor their networks and quickly mitigate security threats on the go from their mobile device
  • Out-of-the-box zero-touch provisioning allows for under 1-minute setup
  • IoT devices discovery and recognition for accurate security policy definition.

 

Want to know more?

Visit the 1500 Series Security Gateways SK

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

 

And the R80.20 for Small and Medium Business Appliances

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

 

 

For full product specifications, visit:  https://www.checkpoint.com/products/small-business-security/

 

 

Amir Ayalon | SMB Project Management Team Leader
Check Point SW Technologies | Tel: +972-733-79-8629 | Mobile: +972-545-787673 | Email: amiray@checkpoint.com

54 Replies
Pedro_Espindola
Advisor

Which build are you running?

0 Kudos
HristoGrigorov

This is Check Point's 1470 Appliance R77.20.87 - Build 973

Pedro_Espindola
Advisor

Good to know, but it seems that build is not GA yet.

0 Kudos
Mark_Halsall
Employee Alumnus

I've not seen anything about it - will the new units be manageable via API?

0 Kudos
PhoneBoy
Admin

Using R80.30+ central management? Yes.
Self managed? No.
0 Kudos
HristoGrigorov

Btw, I am starting to get a bit confused here. Maybe there should be two forum sections under SMB, one for those running R77.20 and one for R80.20?

0 Kudos
G_W_Albrecht
Legend

Then we need many more flavors - locally managed SMB, SMP managed SMB... Better to just mention in the post what you are talking about 😊!

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Kevin_Zeitler
Contributor

Hristo,

What version of code are you running on the 14xx? We have a couple in production with all blades enabled and I have had both of them lock up, with no access from internal/external. It is very hard to troubleshoot because I do not currently have OOB connected.

0 Kudos
Kevin_Zeitler
Contributor

Hi Hristo,

What blades do you have running on the 14xx and do you use identity awareness?

We have a couple 14xx and they have locked up in the field and we have to reboot to bring them back.

0 Kudos
HristoGrigorov

Hello Kevin,

Yes, I am using the IA blade. Also the IPS one. What firmware are you using? Also, are there any *core* or *panic* files in the /logs directory after reboot?

0 Kudos
HristoGrigorov

I am running R77.20.87 - Build 973. Centrally managed. Depending on the traffic, enabling all blades might be overkill. Think about whether you can disable some of them until you resolve the problem.

0 Kudos
John_Fleming
Advisor

 

root@CP1550:/# lscpu
Architecture: aarch64
Byte Order: Little Endian
CPU(s): 4
On-line CPU(s) list: 0-3
Thread(s) per core: 1
Core(s) per socket: 2
Socket(s): 2
NUMA node(s): 1
Vendor ID: ARM
Model: 1
Model name: Cortex-A72
Stepping: r0p1
BogoMIPS: 50.00
L1d cache: 32K
L1i cache: 48K
L2 cache: 512K
NUMA node0 CPU(s): 0-3
Flags: fp asimd evtstrm aes pmull sha1 sha2 crc32 cpuid
root@CP1550:/#

 

After opening mine (no wifi) I discovered a micro SD card reader (hurray!) and an unpopulated mini PCIe slot. I'm assuming this is where a wifi NIC would go. I of course tried putting in a PCIe to mSATA board with an mSATA EVO 860. No joy so far.

0 Kudos
John_Fleming
Advisor

Oh, and here is the SD card populated.

Mine has a single partition with ext4 on it.

[Expert@CP1550]# mount | grep kali
/dev/mmcblk0p1 on /mnt/kali type ext4 (rw,relatime,data=ordered)
proc on /mnt/kali/kali-chroot/proc type proc (rw,relatime)
sysfs on /mnt/kali/kali-chroot/sys type sysfs (rw,relatime)
devpts on /mnt/kali/kali-chroot/dev/pts type devpts (rw,relatime,gid=4,mode=620,ptmxmode=000)
[Expert@CP1550]#

0 Kudos
HristoGrigorov

Insert that SSD drive and paste last few lines from 'dmesg' output here. 

0 Kudos
John_Fleming
Advisor

It's not that easy. I've been reading a lot on ARM. Basically ARM doesn't have a PnP PCI bus like x86 does. ARM has something called Device Tree which, if I understand correctly, means you basically pre-map out all the I/O and memory locations for each device.

 

That being said.. before and after doesn't show any difference. lspci always shows the same output as well.

 

root@CP1550:/# lspci -v
00:00.0 PCI bridge: Marvell Technology Group Ltd. Device 0110 (prog-if 00 [Normal decode])
Flags: bus master, fast devsel, latency 0, IRQ 50
Memory at f8000000 (64-bit, non-prefetchable) [size=1M]
Bus: primary=00, secondary=01, subordinate=ff, sec-latency=0
Capabilities: [40] Power Management version 3
Capabilities: [50] MSI: Enable- Count=1/32 Maskable+ 64bit+
Capabilities: [70] Express Root Port (Slot-), MSI 00
Capabilities: [b0] MSI-X: Enable- Count=1 Masked-
Capabilities: [100] Advanced Error Reporting
Capabilities: [158] #19
Capabilities: [1a8] Transaction Processing Hints
Capabilities: [23c] L1 PM Substates
Kernel driver in use: pcieport
lspci: Unable to load libkmod resources: error -12

root@CP1550:/#

 

The libkmod error is due to missing information in /lib/modules/$(uname -a)/ dir.

Here is an lsblk. Bold is Micro SD.

root@CP1550:/# lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
mmcblk0 179:0 0 29.7G 0 disk
`-mmcblk0p1 179:1 0 29.7G 0 part
mmcblk1 179:32 0 3.7G 0 disk
|-mmcblk1p1 179:33 0 48M 0 part
|-mmcblk1p2 179:34 0 1M 0 part
|-mmcblk1p3 179:35 0 720M 0 part
|-mmcblk1p4 179:36 0 48M 0 part
|-mmcblk1p5 179:37 0 1M 0 part
|-mmcblk1p6 179:38 0 720M 0 part
|-mmcblk1p7 179:39 0 300M 0 part
|-mmcblk1p8 179:40 0 650M 0 part
|-mmcblk1p9 179:41 0 1M 0 part
|-mmcblk1p10 179:42 0 1M 0 part
`-mmcblk1p11 179:43 0 1.3G 0 part
mmcblk1boot0 179:64 0 2M 0 disk
mmcblk1boot1 179:96 0 2M 0 disk
mmcblk1rpmb 179:128 0 512K 0 disk
root@CP1550:/#

I'll post some pics of the tear down shortly.

HristoGrigorov

@G_W_Albrecht I noticed NAT templates are enabled on your 1550. Was it like that by default or did you activate it explicitly?

0 Kudos
G_W_Albrecht
Legend

I do not think I enabled it myself - but it has been a while now since I did my explorations 😉

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
G_W_Albrecht
Legend

A final stage of testing was changing from SMP managed to centrally managed (and back and forth...) - now it is centrally managed, the acceleration settings are default and fwaccel stat shows: 
+-----------------------------------------------------------------------------+
|Id|Name |Status |Interfaces |Features |
+-----------------------------------------------------------------------------+
|0 |SND |enabled |WAN,LAN1,wlan0 |Acceleration,Cryptography |
| | | | |Crypto: Tunnel,UDPEncap,MD5, |
| | | | |SHA1,NULL,3DES,DES,CAST, |
| | | | |CAST-40,AES-128,AES-256,ESP, |
| | | | |LinkSelection,DynamicVPN, |
| | | | |NatTraversal,AES-XCBC,SHA256 |
+-----------------------------------------------------------------------------+

Accept Templates : enabled
Drop Templates : disabled
NAT Templates : enabled

So it seems Accept and NAT Templates are on by default.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
HristoGrigorov

Nice. But I wonder if Drop templates can be enabled?

0 Kudos
Timothy_Hall
Legend

NAT Templates are enabled by default starting in R80.20, regardless of fresh install or upgrade.

 

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos
genisis__
Leader

Does anyone have any details for the 1800 appliances, i.e. CPU information and general usage? I'm looking at this as an alternative to a pair of 3800s (which are about $2,000 more expensive). They would be managed via the SMS, and not locally.

My requirement is about 1.5Gbps of NGFW throughput with a maximum CPU utilisation of 65% with this load; presently a pair of 2200 appliances are being used and CPU utilisation hits 100% frequently.

0 Kudos
Steffen_Appel
Advisor

Personally I would go for the 3800, as they have the "real" GAIA instead of the embedded ARM-based one.

0 Kudos
genisis__
Leader

I've not really used either model, but there is a noticeable cost difference, and so far apart from embedded GAIA and no hit count support when centrally managed, the 1800 (with an SD card) is looking very attractive. 

0 Kudos
PhoneBoy
Admin

As a general rule, we don't publish the precise CPUs used in our appliances.
That said, our SMB line uses ARM CPUs, which have somewhat different performance characteristics than the Intel ones we use in the other appliances.
It's also a different codebase which has some different features and limitations.
You may wish to review the known limitations: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut... 

0 Kudos
genisis__
Leader

Has anyone actually used both of these appliances and have a real-world view on performance?

0 Kudos
