Helpdesk_Borken
Explorer

Experiences in Gateway on VMware

Hi,

I wasn't able to find a matching board entry, so I'm creating one here. I'm in need of your experience.

My company has everything virtualized. Only the Checkpoint Security Gateway is not. Now we are discussing the possible virtualization of this machine.

Has anybody experience with this solution? I'm currently torn. Does this method have enough performance?

Currently we're using an Open Server with multiple VLANs on a Bond and 2 Core licensing.

Hopefully somebody out there has some experience since our reseller has none.

Thank you,

Stephan Kögler

0 Kudos
7 Replies
Vincent_Bacher
Advisor

Security Gateway on VMware works; we run dozens that way.

and now to something completely different - CCVS, CCAS, CCTE, CCCS, CCSM elite
0 Kudos
Timothy_Hall
Legend

For your gateway VMs, I'd suggest creating the interfaces with interface type vmxnet3 (which supports Multi-Queue) instead of the standard e1000.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
Kim_Moberg
Advisor

Tim, doesn't CloudGuard vSEC for VMware running R81 come preinstalled with vmxnet3? Those that I spun up in vCenter already had this config. Though I am wondering why it detects a 10G network adapter and not just unlimited link speed.

Do you have any recommended performance ideas? With 4 cores vSEC I can with NGFW get almost 3.6gbps when testing with iperf with 1 mb data package over 1 hour.

Best Regards
Kim
0 Kudos
Timothy_Hall
Legend

Yes, it should use vmxnet3, but I have seen some VMware implementations that still default to e1000 for some reason. Just something to check.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos
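As an added check following the vmxnet3-vs-e1000 advice above (example script written for this thread, not code from the thread, from Check Point or from VMware): a POSIX shell function that reads the kernel driver bound to each interface from sysfs on a Linux-based guest such as Gaia and flags the emulated e1000/e1000e family. The sysfs root is a parameter so the same function can be run against a constructed sample tree, which is an assumption for demonstration, not data from a real gateway.

```shell
#!/bin/sh
# Added example, not from the thread: flag guest NICs still bound to the
# emulated e1000/e1000e driver instead of vmxnet3. Reads the driver symlink
# that Linux exposes under /sys/class/net/<iface>/device/driver.

# Print "<iface> <driver> <verdict>" for every interface with a backing
# device under $1 (default /sys/class/net). lo, bonds and VLAN sub-
# interfaces have no device/driver entry and are skipped.
report_nic_drivers() {
    sysfs_net="${1:-/sys/class/net}"
    for dev in "$sysfs_net"/*; do
        [ -e "$dev/device/driver" ] || continue
        iface=$(basename "$dev")
        driver=$(basename "$(readlink -f "$dev/device/driver")")
        case "$driver" in
            vmxnet3)      verdict="ok" ;;
            e1000|e1000e) verdict="WARN-emulated-e1000" ;;
            *)            verdict="other" ;;
        esac
        printf '%s %s %s\n' "$iface" "$driver" "$verdict"
    done
}

# Number of interfaces on the e1000 family; 0 means nothing to fix.
count_e1000() {
    report_nic_drivers "$1" | awk '$3 ~ /e1000/ { n++ } END { print n + 0 }'
}

# Constructed sample tree (assumption, not a real gateway) mimicking sysfs:
# two vmxnet3 NICs, one leftover e1000 NIC, plus lo and a bond. Prints its path.
make_sample_tree() {
    root=$(mktemp -d)
    for spec in eth0:vmxnet3 eth1:vmxnet3 eth2:e1000; do
        iface=${spec%%:*}
        drv=${spec##*:}
        mkdir -p "$root/drivers/$drv" "$root/net/$iface/device"
        ln -s "$root/drivers/$drv" "$root/net/$iface/device/driver"
    done
    mkdir -p "$root/net/lo" "$root/net/bond0"
    echo "$root/net"
}

tree=$(make_sample_tree)
report_nic_drivers "$tree"
echo "interfaces on emulated e1000: $(count_e1000 "$tree")"
```

On a live guest, call `report_nic_drivers` with no argument; `ethtool -i <iface>` reports the same driver field if you want to cross-check a single interface.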
Bob_Zimmerman
Authority

Throughput is fine. Latency is maybe 10x higher, but that's going from tens of microseconds to hundreds of microseconds. Not really a noticeable difference in most situations. With VT-d, you can hand a whole PCIe card directly to a VM. In that case, latency is still higher than on dedicated hardware, but less so. Virtualization costs a lot of I/O latency.

The larger concern is the failure domain. If your VM environment goes down (e.g., your datacenter loses power and all hosts need to come up from scratch), do you need that firewall working to be able to get tech support and/or recover? With virtualization, it's entirely possible to set up your environment in such a way that it's impossible to recover from a full outage.

0 Kudos
PhoneBoy
Admin

We have sold Check Point gateways in VMware and public clouds for years.
In the past, the solution went by such names as VE (Virtual Edition), vSEC, and CloudGuard IaaS.
Currently, it is called CloudGuard Network Security.
We even have spaces for it on CheckMates 🙂

Your existing Open Server licenses should work with virtualized gateways, though we sell specific licenses for it now.

0 Kudos
Helpdesk_Borken
Explorer

Thank you all for your insights.

I'll follow this solution further.

0 Kudos