fjulianom
Collaborator

About the NGFW Check Point Three Tier Architecture

Hi,
I am completely new to Check Point. Can someone explain why Check Point uses the Three Tier Architecture components? There is an explanation of what each component does and its functions, OK, that's clear... but why this three-tier architecture? What are the advantages and disadvantages? This architecture feels more complex to manage to me. You configure through the SMS (in fact, through SmartConsole, so you need an application GUI instead of an HTTP GUI), although I think you also need to access the SG for some initial configuration like networking. Why can't all three components/functions be on the same appliance? For instance, there are other very good security vendors (I won't say the names) where you have these three components on the same appliance and it works very well. You access the GUI of the firewall (through HTTP), you manage the policies, and the firewall scans the traffic crossing through it and applies the firewall policies, with good performance. Don't misunderstand me; as I said, I am just new to Check Point and I have already worked with other vendors which don't use this three-tier architecture. Thanks in advance.
Regards,

Julián

0 Kudos
11 Replies
_Val_
Admin

Once again, as I mentioned in your first discussion, start here: https://community.checkpoint.com/t5/custom/page/page-id/CommunityBeginnersChild?cat=2

We have CP4B for exactly that reason. The concept, terminology, and methods are described in the Check Point for Beginners space, with the relevant labs for your benefit.

0 Kudos
fjulianom
Collaborator

Hi Val,
I have already read "Part 1 - Network Defense. Three Tier Architecture components", and as I said, there is an explanation of what each component does and its functions, but not the reason for this three-tier architecture, nor its advantages.
Regards,

Julián

0 Kudos
Chris_Atkinson
Employee

Scalability & efficiency come to mind.

Check Point does provide a combined (standalone) deployment option for "small" environments. In recent versions we also have a Web UI for performing SmartConsole functions.

Logging into many different gateways to configure policy separately is inefficient versus a centralised approach.

Running reporting & logging functions on a gateway at scale takes away from what it should be doing: protecting against threats, enforcing policy, etc.
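As an added illustration of the centralised model described in this reply (example code written for this page, not Check Point's own tooling and not code from any poster): the script below drives the Check Point Management API call sequence that a SmartConsole session performs, defining one rule once and installing the package to every gateway in a single install-policy call. The HTTP transport is injected so it runs offline; the management host, admin credentials, the gateway object names `gw-dc1`/`gw-dc2`/`gw-branch` and the access-layer name `Network` are assumptions.

```python
"""Centralised policy install through a separate management tier.

Added example for this thread, not code from Check Point or from any poster.
Sequence: login -> add-access-rule -> publish -> install-policy (to every
target gateway at once) -> logout.  Host, credentials, gateway names and the
access-layer name are assumptions; the transport is injected so it runs offline.
"""
import json
import ssl
import urllib.request
from typing import Callable, Dict, List, Optional

# (api command, JSON payload, extra headers) -> decoded JSON response
Transport = Callable[[str, Dict, Dict[str, str]], Dict]


def https_transport(host: str) -> Transport:
    """Real transport: POST https://<host>/web_api/<command> with a JSON body.
    Certificate verification stays ON; trust the management CA instead of
    disabling it."""
    ctx = ssl.create_default_context()

    def post(command: str, payload: Dict, headers: Dict[str, str]) -> Dict:
        req = urllib.request.Request(
            f"https://{host}/web_api/{command}",
            data=json.dumps(payload).encode(),
            headers={"Content-Type": "application/json", **headers},
            method="POST")
        with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
            return json.load(resp)
    return post


def fake_transport(command: str, payload: Dict, headers: Dict[str, str]) -> Dict:
    """Constructed stand-in so the example runs without a management server.
    It enforces the one thing a real server would: a session id on every
    call after login."""
    if command == "login":
        return {"sid": "constructed-session-id"}
    if headers.get("X-chkp-sid") != "constructed-session-id":
        raise RuntimeError(f"{command} sent without a valid session")
    return {"task-id": "constructed-task"} if command == "install-policy" else {}


def block_telnet_everywhere(post: Transport, gateways: List[str],
                            user: str = "admin", password: str = "...",
                            package: str = "Standard",
                            layer: str = "Network") -> List[Dict]:
    """Define one rule once and push the package to every gateway in one
    session.  Returns the ordered list of API calls made, for inspection."""
    calls: List[Dict] = []
    sid: Optional[str] = None

    def call(command: str, payload: Dict) -> Dict:
        headers = {"X-chkp-sid": sid} if sid else {}
        calls.append({"command": command, "payload": payload})
        return post(command, payload, headers)

    sid = call("login", {"user": user, "password": password})["sid"]
    try:
        # The rule lives in the management database, not on any gateway.
        call("add-access-rule", {
            "layer": layer, "position": "top", "name": "Block Telnet",
            "source": "Any", "destination": "Any", "service": "telnet",
            "action": "Drop", "track": {"type": "Log"}})
        call("publish", {})  # commit this session's changes to the database
        # One install-policy with N targets replaces N per-box edits.
        call("install-policy", {"policy-package": package, "access": True,
                                "threat-prevention": False,
                                "targets": gateways})
    finally:
        call("logout", {})
    return calls


if __name__ == "__main__":
    gws = ["gw-dc1", "gw-dc2", "gw-branch"]  # assumed gateway object names
    for c in block_telnet_everywhere(fake_transport, gws):
        print(c["command"], json.dumps(c["payload"]))
```

Against a real SMS you would pass `https_transport("mgmt.example.net")` instead of `fake_transport`; `mgmt_cli` on the management server wraps the same web API, so the five commands above are the same ones you would type there. The point of the example is the last call: adding a fourth gateway changes one list entry, not a fourth login to a fourth box.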

fjulianom
Collaborator

Hi Chris,
It makes sense. But is it worthwhile for clients with only one or two firewalls? Because I have read that for clients with only one firewall CP doesn't recommend the standalone deployment either. In addition to the SG, if you have to add the SMS, I guess the price of the solution will increase as well. As I said, other vendors such as Fortinet or Palo Alto, which are leaders as well, don't use this type of deployment and they work pretty well. Fortinet can use FortiManager, but it doesn't say that having all the functions in the firewall itself is not recommended. I don't know Palo Alto much.
Regards,

Julián

0 Kudos
_Val_
Admin

One big advantage, on top of what Chris said above, is the management experience, especially compared with the competitors. Try the Agony Meter if you need proof 🙂

Of course, as you mentioned, the advantages of a dedicated management server are more obvious for larger environments. This is the main reason why Check Point has been the leader for enterprise FWs for 22 years in a row, according to Gartner.

However, if you have a single FW and do not want to grow at all, standalone deployment (MGMT + GW in a single appliance) is also a good option.

Depending on your bandwidth requirements, Quantum Spark SMB appliances can also be an option. They can be locally managed through a WebUI, policy included. 

the_rock
Legend

As @_Val_ indicated, and I agree 100%, the CP management solution can't be compared to anything out there; it's the best by far! Now, he makes a good point... if you will only end up using a single firewall, you can do a gateway + management install in one (standalone deployment) OR you can opt for the smaller SMB appliances and set them up as self-managed, so you don't need a management server. However, if you decide to use multiple firewalls, then you would need a dedicated management server, which would let you deploy policies, control threat prevention, create objects, set up VPN sites... pretty much anything you need to do, except for default fw stuff (routes, bgp, rip, ospf...).

Chris_Atkinson
Employee

Depending on your requirements Smart-1 Cloud is a SaaS option with lower costs and maintenance overheads.

Also, as Val said, Quantum Spark appliances come with included SMP cloud management, depending on the experience that you're looking for.

Personally, I don't see cost as a barrier here. Buy a firewall to do just that; what cost do you place on reducing its performance with mgmt tasks?

_Val_
Admin

You probably wanted to start here: https://community.checkpoint.com/t5/custom/page/page-id/CommunityBeginnersChild?cat=3

The previous link is for how to work with, not

0 Kudos
fjulianom
Collaborator

Hi all,

I was wondering about these kinds of things because sometimes I saw just one CP firewall with the distributed architecture, and I thought what a weird architecture CP has... and as the above link says, "having a Management Server as a separate component of the security system is a defining and integral characteristic of Check Point security products". Thank you guys.

Regards,

Julián

the_rock
Legend

No problem, we are happy to help! As I mentioned yesterday, I have a very basic lab with layered rules on the latest version, so it's not an issue for me to show you how it works in essence, if you are interested. I really believe it would help you.

Cheers,

Andy

fjulianom
Collaborator

Hi the_rock,
Many thanks for your interest. Let me find some time to do the labs and I will contact you. Many thanks again.
Regards,

Julián

0 Kudos