Sagar_Manandhar
Advisor

NGTX TE1000X series queries

Hi,

I need to implement the TE appliance and need answers to some queries:

- Can I make the 1000X standalone (check gateway and management at initial setup) and make it a Local TE device so that logs are stored on the same device?

- Does the gateway require the NGTX license to point to the dedicated TE 1000X appliance?

- Can two different gateways point to the same TE appliance?

- Is it necessary that the mail server should be NAT in same TE appliance (if standalone) to enable the MTA (Threat Extraction)?

- How can I configure MTA if the mail server is hosted in the cloud, not internal?

Thank you

Regards,

Sagar Manandhar

3 Replies
Thomas_Werner
Employee Alumnus

Hi Sagar,

  • Can I make the 1000X standalone (check gateway and management at initial setup) and make it a Local TE device so that logs are stored on the same device?

Yes, you can install a TE appliance as a standalone gw with mgmt on-board.

  • Does the gateway require the NGTX license to point to the dedicated TE 1000X appliance?

Do you want to point another CP gateway to this TE appliance for remote emulation?

If so, yes, you need an NGTX license on this GW, and you also need to use the Multiple Private Cloud feature with SSL because your GW will not be in the same Mgmt domain as your TE appliance (if 1. is applicable).

Check Threat Emulation support for Multiple Private Cloud Appliances - Section 10.

  • Can two different gateways point to the same TE appliance?

Yes, you can point multiple gateways to one TE appliance.

  • Is it necessary that the mail server should be NAT in same TE appliance (if standalone) to enable the MTA (Threat Extraction)?

Can you elaborate on this? I do not understand "should be NAT in same TE appliance" ...

  • How can I configure MTA if the mail server is hosted in the cloud, not internal?

You mean MTA on the TE appliance?

Regards Thomas

Sagar_Manandhar
Advisor

Thank you for your time.

We have 3 devices: two 15000 series gateways with NGFW (external/edge) and NGTX (internal/DMZ zone) licenses respectively, and a TE1000X appliance with an NGTX license. Now, from discussion with Check Point support, I got to know that the gateway requires an NGTX license to point to the TE appliance. So now I am gonna implement an inline environment for the TE appliance, where the 1000X will act as standalone and emulate the files locally on the same TE appliance. The TE will be between the external and internal firewalls.

0 Kudos
Thomas_Werner
Employee Alumnus

Hi Sagar,

While I understand your issue, this is imho a bad approach.

Besides the emulation workload, you are also putting the full FW routing traffic between your subnets on the TE1000X.

Remember, the TE1000X is running the FW blade, hence it will check all traffic that is running through the gateway with it, causing load.

The TE1000X will never be able to cope with the bandwidth 2x 15000 can generate. The performance outcome is highly unpredictable.

Also, your network design gets very complicated.

I would rather suggest trading in the NGTX license of your TE1000X and getting a proper NGTX license on your GWs.

You won't need NGTX on the TE1000X if you are not putting it inline or running MTA, ICAP, API services on the TE itself.

Regards Thomas