I have worked with Check Point gateways for about 6 years now, but they have all been Layer 3 cluster deployments. I am now working with a customer who has L2 bridge interfaces in a ClusterXL setup, as they were mainly using the GWs for threat inspection only (IPS/Bot/Virus).
I have two main questions that I am hoping I can get some clarity on:
Performance:
- When it comes to overall throughput performance ratings, how does the bridging of the interfaces affect the calculations?
Example: Switch 1G copper => eth1 CP bridged to eth2 => router
If you hit max on this flow, does it count as 1G of throughput or 2G? The bridge, to my understanding, acts like a 'switch'. While data between the switch and the router through the CP GW would only get 1G throughput, does the CP count it as 2G in bridge mode, therefore needing to size a gateway with that understanding before any future purchases?
Flow:
Using the same topology:
Example: Switch 1G copper => eth1 CP bridged to eth2 => router
The switch/router here has had VLAN tags since its initial deployment. At that time, those VLANs didn't really need to speak with each other, until recently for some remote management issues. I 'think' that we are being hit with SK172204 and am going to schedule a window to disable SecureXL to confirm. There are no policy rules blocking these flows, and it works fine when we bypass the CP altogether.
If it's this SK, the thought of running with SecureXL disabled doesn't sound like a good idea and would cause a performance hit (correct?).
The SK mentions that a feature enhancement can be requested and that it affects R80.20 through R81. Does anyone know if this limitation is present in R81.10 or was addressed in its release? I can't find any docs saying yes or no, but I figure if there was a 'feature enhancement' option, maybe R&D wrapped it in.
Just trying to gather all of the info before I might have to tell my customer that we might have an architectural design issue.
Thanks in advance