Hello!
Check Point released a new appliance line, the 6000 series, and here comes the new challenge. For a customer who wants NGTP functionality, in a scenario where based on sizing the 15600 is a perfect match for them, should we go for it, or is it even better to go with the 6800 model? You see, the NGTP performance of the 6800 is far better by the datasheet and the price is much lower too.
Enterprise Testing Conditions:
- 8.9 Gbps of Threat Prevention
- 7.4 Gbps of Threat Prevention
Both numbers are provided with R80.20
Your opinions?
BR
Vato
Agree with @Maarten_Sjouw here, the 6000 series does have an impressive price/performance profile with slightly more limited expandability than a 15600. The only drawback for now is the lack of AES-NI support in Gaia even though the underlying 6000 processor architecture supports it, so if IPSec VPNs are heavily used on the prospective gateway that could be a consideration. (Thanks to @HeikoAnkenbrand for discovering this) The AES-NI limitation should go away once the 3.10 kernel is available on the various Check Point gateway appliances including the 6000 series, and the 3.10 kernel version of R80.30 is already available in EA here: https://community.checkpoint.com/t5/Enterprise-Appliances-and-Gaia/R80-30-3-10-EA-Program-is-now-ava...
@Timothy_Hall So far I do not have information about the processors used in the 6000 series appliances. Here the DS says they have Augmented SSL Inspection - do they manage encryption/decryption on a hardware basis also? I need to find out the HTTPS inspection capabilities - to compare the 6800 and 15600, which model processes encrypted traffic better?
BR
Vato
I'm not able to determine what "Augmented SSL" actually means for the 6000 series; it may just refer to software improvements in SSL decryption as I don't think there are any special hardware modules in the 6000 series beyond what Intel put in them. It also could be a reference to the upcoming Falcon accelerator card; supposedly the 6000 uses the same line cards as the 5000 series and the 5000 series will support Falcon. Although I haven't seen an explicit statement anywhere that the 6000 series will be able to use Falcon. It is a bit concerning that AES-NI is not currently supported on the 6000 series with kernel 2.6.18 as SSL decryption could definitely take advantage of that.
Here are the processors, along with their SPU benchmarks:
15600: 2x Intel Xeon E5-2630v3, 2.40GHz (Eight-Core), 7400 SPU
6500: Intel(R) Core(TM) i7-4790S CPU @ 3.20GHz (Eight-Core), 3400 SPU
6800: Intel(R) Xeon(R) CPU E5-2640 v4 @ 2.40GHz (Ten-Core), 8900 SPU
As far as 15600 vs. 6800 you can see that they use practically the same processor, the 6800 just uses a newer version with 2 extra cores which accounts for the performance bump. All the other specs at ark.intel.com (bus/memory speed etc) between the two are about the same, with slightly faster bus/memory speeds for the 6800 and some extra SmartCache.
Thanks for the info!
As you mentioned, the 15600 uses 2x CPUs, 16x physical cores, 32x virtual cores in total. So it has 6x more cores and 12x more vcores than the 6800. So for me, it is still a bit strange that it has a lower SPU.
Still waiting for official info regarding Falcon release date.
BR
Vato
When the 15600 was released & originally benchmarked for SPUs, I believe SMT/Hyperthreading was disabled by default. I think the 6000 series has it enabled by default so that might account for the discrepancy.
Yes, that makes sense
BR
Vato
Timothy,
Can you confirm what CPU / cores are in a 6400, and if there is a difference between a 6400 and 6400 plus from a CPU perspective?
I'm pretty sure the CPU for the "Plus" edition of the 6400 is the same as the base 6400; 4 cores (8 hyperthreaded) although I don't know the specific CPU type. The Plus edition includes redundant components, additional memory and network I/O for less than purchasing these items separately.
At this date, 08 of June 2019, the 6800-plus is gone from the price list. Now we have the 6800-turbo with a higher price. This one does not include any service package (NGTP or NGTX), so you have to add one (there is now the NGFW too), which means an extra cost. In terms of price the 15600 is better.
We noticed this as well. I really wish there was some official information on the reasoning behind the change in licensing and pricing, considering these appliances have only been available for a few months.
I just had a call with Check Point about this earlier in the week. We are/were in the market for the 6500 appliance but then it jumped in price. If the blades/licensing were included in the price of the appliance for the first year, like they previously were, I wouldn't have any issues with the change. According to the sales guy we talked with, the reason for the pricing bump is due to the new flexibility (whatever that means) that comes with these appliances.