Calvin_Piggott
Contributor

R81 Open Server Gen V Sizing

@Timothy_Hall @Magnus_Holmberg @HeikoAnkenbrand 


Greetings gents...hope this post finds you well.

Hoping you guys can assist.

A client of mine wants to replace their Cisco ASA w/ Check Point - currently their network is flat and the ASA is just an Internet perimeter firewall.

I was looking at using R81 on Open Server and it will be in a Data Center and Internet perimeter role.

Basically there will be 5 unique network segments: servers, clients, WiFi guest, Internet and ClusterXL Sync.

The server and client segments will be 10Gb interfaces, and most of the blades will be enabled: Identity Awareness, IPS, AV, Anti-Bot, VPN, HTTPS Inspection, Threat Emulation, Threat Extraction, essentially Gen V security.

Internet will be around 400Mbps symmetrical.


What hardware spec and software core count would you use in the above scenario?


Cheers,

Calvin.

13 Replies
Magnus-Holmberg
Advisor

Generally for open server I go for the Gold Xeon CPU with the highest GHz number for the amount of cores needed.
And I do split them out over 2 CPUs; the server itself is relatively cheap.
I don't think it's worth it to go to the Platinum CPU as the price increase is a lot.

If you need 8 cores I would go for something like the 5222; it's a 4-core CPU, so 2 of them.
I do NOT use HT as those cores are slower than "real cores".
(For really small boxes like 4 cores, I only use one CPU, in this case the 5222.)

I also spec my servers out with a lot of RAM as Check Point normally has memory leaks.
So I put 192GB RAM in my boxes; I would not go below 64GB.
For disks I go for 2x 480GB SSD disks, no need for more for a GW/VSX GW.

To figure out how many cores are actually needed, I try to compare to an appliance spec.
Is it really only 400Mbit of traffic? That's a small appliance; for the Check Point appliance sizing tool that's like a 3800.
And then compare it to https://lwf.fink.sh/check-point-appliance-hardware-lachmann-list-permanent/
to see what sort of hardware is needed to meet that requirement.

400Mbit sounds low if you have all of those segments, and the need for 10Gbit will then be really low.
If the plan is to have all those blades for the internet and then send a few Gbit through the GW with normal firewall / IPS,
I personally would go for an 8 core; the reason for this is that 2 cores will go to MultiQ to be able to manage more than 3.5Gbit of traffic on a 10Gbit card, which leaves you 6 cores to manage the traffic.

But if it's really 400Mbit of traffic all in, 4 cores should do the trick 🙂
If this is planned for VSX, then it's much easier for you to give enough performance to each segment.
And you could also do VSLS and use both members at the same time.
(Just don't oversubscribe stuff too much.)

Regards,
Magnus

https://www.youtube.com/c/MagnusHolmberg-NetSec
Calvin_Piggott
Contributor

Thank you for your insight Magnus - I forgot to mention that I'm subscribed to your YouTube channel and very much enjoy your videos!


With respect to the traffic between server and client segments, I anticipate around 30% to 40% utilization of 10Gb against FW, IPS, AV and AB using the Strict profile.

The 400Mbps internet will be used by all segments against all security blades except DLP and Content Awareness (for now).


I was thinking to maybe go with 2x 12-core Gold CPUs for future growth, in the event the customer decides to add more demand, perhaps additional 10Gb interfaces or increased internet bandwidth. What do you think, worth it or not? Your points on the RAM and storage are noted.


This implementation will not be VSX though.


Cheers,

Calvin.

Magnus-Holmberg
Advisor

Honestly I try to avoid buying open server hardware "in advance".
So let's say you do need 1Gbit of traffic today and in 5 years you expect to see 5Gbit of traffic.
If you are buying an appliance box, let's say it costs 100,000 USD, then you can split that cost out over 60 months.
These appliance boxes need to last 5 years, so you do buy big enough for 5Gbit of traffic. (Normally Check Point software improves, so you do get 20-40% performance between software generations on some sorts of traffic.)
And in 60 months you know that you do need to make a new investment of 100,000 USD.

But if you are using open servers, first of all the vendors release the CPU more or less when Intel releases them.
So you don't need to wait for a new appliance model to use the nice and cool CPU. (You do need to change when its gen changes.)
For argument's sake let's say this is also 100,000 USD; that is 80,000 USD for CP and 20,000 USD for servers.
This means that you are able to count your CP licenses over 60 months, because you are able to transfer them to new hardware,
but you can take the hardware for 36 months, and after 36 months you do buy new open servers for 20,000 USD.
This is 3 years newer; most likely you do get 2x the performance from the new CPU when it comes to throughput.
Your running cost (OPEX) would remain the same as the software support/blades cost.

2x 12 core is a really fat box that would manage a lot of traffic; just consider that all blades / functions cost more for the larger licenses. When it comes to growth on open servers where the customer has different segments that are actually separate,
I personally go for smaller boxes with VSX and then inform the customer:
"if you want X amount of Gbit throughput more, then we add one more node and we dedicate that for Y."
This way I am able to keep the CAPEX and OPEX cost down and actually only add performance when needed.

It's very hard to calculate how much a customer needs, and more or less no one knows.
So I try to build it as scalable as possible. Think about it similar to Check Point selling Maestro.
Of course doing this with VSX actually requires you to be able to split segments, and in some cases it may force you to process the same traffic multiple times depending on your setup.

Yes, I know I am stuck in VSX thinking, but for me that gives great flexibility.
BUT there are limitations, especially if running very cool and advanced blades.
And thanks for watching my videos 🙂

/Magnus

https://www.youtube.com/c/MagnusHolmberg-NetSec
Calvin_Piggott
Contributor

Interesting points on the VSX, but I've never implemented and maintained it, so I'm a bit hesitant to go forward with this in the customer environment and make them my guinea pig.

Bob_Zimmerman
Advisor

Identity Awareness costs some RAM, but basically no processor time. Antibot costs RAM but also not a lot of processor time. A toaster could manage 400M of VPN throughput. Threat Emulation doesn't happen on the firewall itself, so again, doesn't take significant processor time.

The most costly part of what you're discussing from a performance standpoint would be the HTTPS inspection (read: TLS interception and decryption). If interior stuff is mostly clear, you avoid the big decryption hit. AV and URL Filtering are pretty fast once the traffic is clear.

IPS is the next potentially-expensive thing. Certain protections force traffic off the fast path (SecureXL) in the firewall to the medium (PXL) or slow path. Look at the performance impact of the various protections, and consider if the ones with critical performance impact are really needed for your environment.

With only a little tuning, two eight-core processors should be plenty for 20G of mostly-clear throughput with most features enabled for the foreseeable future.


As an aside, I highly recommend thinking about VSX. Every firewall license includes the ability to enable VSX, which helps separate to-traffic (for managing the firewall, Identity Awareness, updates, etc.) from through-traffic. This makes the source of traffic the firewall sends more consistent and predictable. It also lets it act like ASAs, which have one routing table for the management interface and a totally separate routing table for all the other interfaces.

If you do use VSX, try to put everything in bonds. This makes moving between servers or adding interfaces in the future much easier.

Calvin_Piggott
Contributor

Good points on the blades...

I think the 6600 appliance will work well, and it's not that expensive.

Bob_Zimmerman
Advisor

For the 400M Internet connection, sure. For 20G interior throughput, maaaaybe, if you don't terminate TLS on the firewalls and mostly disable IPS for internal-to-internal traffic. That model's power supply is only 300W, so the processor can't be more than 100W by itself. I was thinking two processors at more like 150W each.

_Val_
Admin

Why open server and not an appliance? This way your TCO will be higher.

Magnus-Holmberg
Advisor

Open servers are much more price efficient than appliance boxes in the long run.
Especially when you consider that you can move the licenses to new boxes every 3-4 years and don't need to make a large investment in new appliances every 4-5 years. A large investment normally means that you do need to compare products and take in offers from multiple vendors; there is always someone saying "why don't we buy this brand instead, it's cheaper".
Only needing to buy new open servers is a very low capex investment that is normally not large enough for people to really care.

https://www.youtube.com/c/MagnusHolmberg-NetSec
_Val_
Admin

I disagree.

Even with a VERY good deal on open servers, you actually save money by going for an appliance. One of the exercises I had done for my customers was estimating savings. In one case, we did 3M savings for 200 appliances vs open servers over 5 years. Not even talking about the RMA hassle in this case, for servers older than 2-3 years.

This seems to be counter-intuitive at first glance, I agree 🙂

However, my question was about something else. With an appliance, the local CP office will be happy to run sizing calculations for you.

Magnus-Holmberg
Advisor

Hehe, it's good that there is discussion, and thankfully Check Point is normally happy to sell / rent out all of it 🙂
So there Check Point does have an edge over many vendors.

I cannot speak for everyone, but if we would not run open server, Check Point would be long gone in our environment.
In the companies that we have bought over the years, Check Point appliances have been replaced with other vendors.
Better vendors? Well, that's questionable, but it's political and regarding a much bigger picture where Check Point is not competing.

In our calculation with our prices, open servers are cheaper, and we have been running the same licenses for 15+ years
(or well, they have been replaced with new versions of the licenses). The biggest point here with open servers is that we include one hardware change, so we actually calculate on a longer timeframe than 5 years. So yes, appliance boxes are cheaper for 3-5 years, but when it's time to replace them is normally where open server shines.
(For Check Point this should be really good, as it means we are planning to keep the products for a long period of time.)
And sure, this is for central locations only, i.e. datacenters, not small offices etc. 🙂

RMA for servers? I get new in 4 hours. Not really an issue.
But yes, it really depends on size/location etc.
The issue here can be to actually get the same hardware for everything; those issues you do not have with appliances.
So that NICs / storage cards etc. have not changed.

Sure, with an appliance they would run calculations, but on what?
Here they will do a redesign of the network, meaning they actually don't know the real traffic as it's a flat network today.
So sizing something is hard 🙂

https://www.youtube.com/c/MagnusHolmberg-NetSec
_Val_
Admin

This is very much off-topic for the thread. Let's agree to disagree. We can create an additional post and discuss.

Calvin_Piggott
Contributor

Well, I was thinking about portability and the flexibility to choose my own hardware.
