HTTPS inspection is something only feasible on high-end devices.  I've repeated asked what the strategy is to ensure https inspect can be used on medium sized appliances, I've seen nothing suggesting Checkpoint can deliver this.
The only way forward is to radically rethink about the hardware platforms to ensure dedicated https inspection resource is built in (The NVidia card is likely to be utilised for this function, but this is high-end appliances).

So basically, if you have a regional office why buy checkpoint when other vendors have an appliance that is targeted at medium sized offices while ensuring all blades can actually be used without compromising on performance.  

Keep in mind business want security but they are not going to spend an unrealistic amount for a regional site installation.

Please Checkpoint can we understand what the road map will be for this targeting medium sized deployments.

Have you also noted that in the sizing tool, there is no https inspection option...ummm wonder why!

Never really paid attention to it, but no need to wonder any longer : - )

I would argue that many of those competitors compromise on security that they provide and/or the security of their own platforms.
Regardless, I understand the concern.
We've made some performance improvements in the most recent releases and more are planned for the next release (R82).
I presume some details about this will be covered at CPX.

It might be better to have a conversation with your local Check Point office with your precise performance requirements. 

You can argue that but there is a moment when the renewal time is there, the prices of CP and the competition are in and we explain the customer that it will be better in the next release of the next platform when some are still only upgrading to R81.10 from R80.X because of cost, operational and hotfix maturity reasons, especially with VSX and advanced platforms.

Now I understand we'll be in a mix of R80.40, R81, R81.10, R81.20 and then R82 which each have their own set of capabilities, some of which might be ported back or not.

Some customers don't even know what version they run, they trust us integrators to make the best out of their installation base.

They don't ask for a new OS each year.

I might be naive but I'd rather see R81.10 as a long-term R81 release with all the features integrated along in jumbo's as long as it's feasible (IoT, Hyperflow, SD-WAN, the announced HTTPSi auto-detect) and R82 as a major stepstone with future improvements which really can't be ported back in R81.10.

That would be much clearer to customers.

Very logical points @Alex- 

Mellanox (acquired by Nvidia, but ConnectX predates that acquisition) makes programmable switch chips. ConnectX-6 adds AES-XTS hardware to offload the symmetric portion of TLS, and you can toss the asymmetric parts onto the card's CPU, but it's not great at the kinds of operations needed for TLS interception (generating new key pairs and low-latency signing operations). From the description of the Lightspeed cards, they sound more like ConnectX-5 (my bet would be the same chip as the MCX516A-CCHT), which does not have the AES-XTS hardware. I know Check Point's other cards like the 2x40g and 2x100g are ConnectX-4 and ConnectX-5.

For HTTPS Inspection acceleration, I would actually expect a Marvell (formerly Cavium) Nitrox V, which is the product line used by most load balancers with hardware TLS. Maybe an Intel QuickAssist card. Check Point gets their hardware from Lanner. Many of Lanner's 1U network-focused boxes have a fully-internal slot for a custom-form-factor PCIe card. I know of at least one load balancer vendor which also gets their hardware from Lanner, and they offer a Nitrox V card which goes in that internal slot.

Great insight on the hardware side of things, thanks!

This is way off topic, but if you want to see some other interesting hardware, check out Barefoot's (acquired by Intel in 2019) Tofino line. The Tofino 2 has up to 256x 56g SerDes lanes, allowing up to 128x100g interfaces per switch chip. Fully programmable data path with P4, which is a fascinating language. Essentially, you define a set of headers, the parsing logic to populate them, then stateful forwarding actions to take based on header values. It can do really fancy forwarding at line rate across all ports. The chip itself is HUGE. BGA4432 with roughly 1/2 the pins for ground, 1/4 for V+, 1/4 for all the SerDes lanes.

I haven't taken a Maestro orchestrator apart, but my understanding is they use a Broadcom Tomahawk. Intel bought Barefoot to compete with Broadcom in that space. The acquisition seems to have been connected with Omni-Path's discontinuation.

Oxide is using Tofino 2 to do some extremely cool stuff in their switches. Incidentally, their sleds use 100g network interfaces from Chelsio, which is a whole other rabbit hole.

Turns out I was wrong about the Maestro orchestrators. I had completely missed that Mellanox has their own semi-whitebox Ethernet switch line (now that they're owned by Nvidia, they sell them directly with Cumulus preinstalled, but they're also available with ONIE) which they call Spectrum. The MHO-140 appears to be an Nvidia SN2410 and the MHO-175 appears to be an Nvidia SN3700 or possibly SN3700C. Not sure about the MHO-170.

Given the normal interface cards from Mellanox and the "lightspeed" accelerated data path cards also from Mellanox, this makes sense.

I finally got a chance to poke a QLS250. It has a nearly identical PCIe topology to the 16200. The only difference is the 16200 has four PCIe 3.0 x8 root ports going to the slots, while the QLS250 has two PCIe 3.0 x8 root ports and the other two are combined into one PCIe 3.0 x16 root port. The specialized network card has the PCIID 15b3:101d (find the card in 'lspci -vv', take note of the address, then find it in 'lspci -nv'), which is a Mellanox ConnectX-6 Dx. Nice to see I underestimated the hardware used for the specialized forwarding path.

This is what we thought and were afraid of. However, I suppose I just assumed IPS was smarter and able to detect more somehow.

Check Point firewalls do support SSH Deep Inspection and the cool ability to block port forwarding, but this feature can only be configured from the CLI of the gateway which is why few people know about it.

Any links or references ? 8)

Module "CPSSH" (SSH Inspection) (checkpoint.com)

SSH Deep Packet Inspection (checkpoint.com)

SSH Deep Packet Inspection got a mention in my IPS/AV/ABOT Immersion course and the relevant page is below.  There is no SK article for this feature; it is only documented in the Threat Prevention Administration guide starting in R80.40 when it was introduced.

and thats my point hardware base https inspection should be in all the models a vendor has; now clearly if you have a 6200 the real work performance level will difference to say a 16200.
So it would make sense that hardware https inspection would be rated to say 500Mbps on a 6200 but 2GBps on a 16200 because the hardware https module would be spec'ed according to the gateway appliance used.
Without https inspection you realistically can only just use the firewall blade if this is just an internet gw., which makes Checkpoint expensive and negates all the real cool blades that justify the costs.

From the recent CheckMates Fest:

While it clear that HTTPS Inspection is needed to inspect traffic up fully, there are challenges with both implementation and the fact not all traffic can be inspected. What are we doing to improve these challenges?

We are addressing both performance and usability challenges during the coming year, some of which will land in the next major release (R82). We are also developing a "learning mode" which will help identify potential issues during deployment and provide recommendations.

You can see what Gera has to say about this in the video, and I suspect we'll have more to say about it at CPX.
Note that at this point, we're focused on software-level changes.

R82? I expect SPECTACULAR things out of that version...I mean it : - ). And, if I may, here is the name suggestion...Hercules ; )

Appreciate the generalization but what about non-HTTPs traffic? 

Also controls such as Anti-bot & DNS security for example...