Thank you for your insight Magnus - I forgot to mention that I'm subscribed to your YouTube channel and very much enjoy your videos!

With respect to the traffic between server and client segments, I anticipate around 30% to 40% utilization of 10Gb against FW, IPS, AV and AB using the Strict profile.

The 400Mbps internet will be used by all segments against all security blades except DLP and Content Awareness (for now).

I was thinking to maybe go w/ 2x 12-core Gold CPU for future growth in the event the customer decides to add more demand, perhaps additional 10Gb interfaces or increased internet bandwidth What do you think, worth it or not? Your points on the RAM and storage are noted.

This implementation will not be VSX though.

Cheers,

Calvin.

Honestly i try to avoid buying openserver hardware "in advance".
So lets say you do need 1Gbit of traffic today and in 5 years you expecting to see 5Gbit of traffic.
If you are buying an appliance box lets say it cost 100.000 USD, then you can split that cost out on 60months.
These appliance boxes need to last 5 years so oyu do buy big enough for 5Gbit traffic. (normally check point software improve so you do get 20-40% performance between software generations on some sort of traffic)
And in 60month you know that you do need to make a new investment of 100.000 USD.

But if you are using openservers, first of all the vendors release the CPU more or less when intel release them.
So you dont need to wait for a new appliance model to use the nice and cool CPU. (you do need to change when its gen changes)
For arguments sake lets say this is also 100.000 USD that is 80.000 USD for CP and 20.000 USD for servers.
This means that you are able to count your CP licenses on 60months, because you are able to transfer them to new hardware.
but you can take the hardware for 36months. and after 36months you do buy new openservers for 20.000 USD.
this is 3 years newer most likely you do get x2 of the performance from the new CPU when it comes to thruput.
your running cost (OPEX) would remain the same as the software support/blades cost.

2 x 12 Core is a really fat box that would manage alot of traffic, just consider that all blades / functions cost more or the larger licenses. When it comes to growth on openservers when the customer have diffrente segments that are actuall seperate.
I personally go for smaller boxes with VSX and then inform the customer.
"if you want X amount of Gbit thruput more, then we add one more node and we dedicate that for Y"
This way am able to keep the CAPEX and OPEX cost down and actually only add performance when needed.

Its very hard to calculate how much a customer needs, and more or less noone knows.
So i try to build it as scalable as possible. Think about it similar to check point selling maestro
Ofc doing this with VSX actually require you to be able to split segments, and in some cases it may force you to process the same traffic multiple times depending on your setup.

Yes iknow am stuck in VSX thinking, but for me that gives great flexibility.
BUT there are limitations especially if running very cool and advance blades.
And thanks for watching my videos 🙂

/Magnus

Interesting points on the VSX but I've never implemented and maintained it so I'm a bit hesitant to go forward with this in the customer environment and make them my guinea pig

Identity Awareness costs some RAM, but basically no processor time. Antibot costs RAM but also not a lot of processor time. A toaster could manage 400M of VPN throughput. Threat Emulation doesn't happen on the firewall itself, so again, doesn't take significant processor time.

The most costly part of what you're discussing from a performance standpoint would be the HTTPS inspection (read: TLS interception and decryption). If interior stuff is mostly clear, you avoid the big decryption hit. AV, and URL Filtering are pretty fast once the traffic is clear.

IPS is the next potentially-expensive thing. Certain protections force traffic off the fast path (SecureXL) in the firewall to the medium (PXL) or slow path. Look at the performance impact of the various protections, and consider if the ones with critical performance impact are really needed for your environment.

With only a little tuning, two eight-core processors should be plenty for 20G of mostly-clear throughput with most features enabled for the foreseeable future.

As an aside, I highly recommend thinking about VSX. Every firewall license includes the ability to enable VSX, which helps separate to-traffic (for managing the firewall, Identity Awareness, updates, etc.) from through-traffic. This makes the source of traffic the firewall sends more consistent and predictable. It also lets it act like ASAs, which have one routing table for the management interface and a totally separate routing table for all the other interfaces.

If you do use VSX, try to put everything in bonds. This makes moving between servers or adding interfaces in the future much easier.

Good points on the blades...

I think the 6600 appliance will work well and it's not that expensive

For the 400M Internet connection, sure. For 20G interior throughput, maaaaybe if you don’t terminate TLS on the firewalls and mostly disable IPS for internal-to-internal traffic. That model’s power supply is only 300W, so the processor can’t be more than 100 by itself. I was thinking two processors at more like 150W each.

Hi Calvin, how did you conclude that a 6600 will work well?

openservers are much more price efficient then appliances boxes in the long run.
Especially when you consider that you can move the licenses to new boxes every 3-4 years and dont need to do an large investment on new appliances every 4-5 years. Large investment normally means that you do need to compare products and take in offers from multiple vendors, there is always someone saying "why we dont buy this brand instead its cheaper".
Only needing to buy new openservers is a very low capex investment that is normally not large enough for ppl to really care.

I disagree.

Even with a VERY good deal on open servers, you actually save money if going for an appliance. One of the exercises I had done for my customers was estimating savings. In one case, we did 3m savings for 200 appliances vs open server for 5 years. Not even talking about RMA hustle in this case, for servers older than 2-3 years.

This seems to be counter-intuitive and a first glance, I agree 🙂

However, my question was about something else. With an appliance, the local CP office will be happy to run a sizing calculations for you.

Hehe its good that there are discussion and thankfully check point is normally happy to sell / rent out all of it 🙂
So there check point do have an edge over many vendors.

I can not speak for everyone but if we would not run openserver check point would be long gone in our environment.
In the companies that we have bought over the years check point appliances has been replaced with other vendors.
Better vendors, well thats questionably but its political and regarding a much bigger picture where check point is not competing. 

In our calculation with our prices openservers are cheaper, and we have been running the same licenses for 15years+
(or well they have been replaced for new versions of the licenses) Biggets point here with openservers is that we include one hardware change, so we actually calculate on longer timeframe than 5 years. so yes applainces boxes are cheaper for 3-5years but when its time to replace them here is normally with openserver shines.
(for check point this should be really good as it means we planning to keep the products for a long period of time)
And sure this is for central locations only ie datacenters, not small offices etc 🙂

RMA for servers? i get new in 4 hours. not really an issue.
But yes it really depends on size/location etc.
Issue here can be to actually get the same hardware of everything, those issue you do not have with appliances.
So that not NIC / storage cards etc has changed.

Sure with an appliance they would run calculations, but on what?
Here they will do a redesign of the network meaning they actually dont know the real traffic as its a flat network today.
So sizing something is hard 🙂

This is a very much off-topic for the tread. Let's agree to disagree. We can create an additional post and discuss.

Well I was thinking about portability and flexibility to choose my own hardware