
Upgrade R77.xx to R80 on Smart-1 205: relative performance?

Question asked by Chris Butler on May 19, 2016
Latest reply on Jun 19, 2016 by nirba

Has anyone tried going from R77.30 or from an NGSE standalone event server (R77) to R80 on a Smart-1 205?

 

At our product specialist's advice, we purchased a Smart-1 205 in December 2015 to be deployed as an NGSE standalone event server.

 

This was to complement our 4210 Gateway and our preexisting Smart-1 205 Security Management appliance (taking the SmartEvent load off of it). Both of these are running R77.30.

 

As happens in IT, other fires needed tending before we could deploy it and now is the time, in May 2016.

 

By this time, R80 had been released: I noticed the recommendation on the NGSE product page that NGSE functionality was now integrated in R80 and that was the recommended OS to install. Further linking said an R80 SmartEvent server in an R77.xx Security Management environment was supported and documented.

 

I was planning on installing R80 on our new 205 to run the integrated SmartEvent instead of NGSE, as the NGSE product page suggests.

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk98767

 

 

I opened a ticket with Tech Support first to ask for help with the install. After an initial email from the ticket owner saying to go ahead with my plan to install R80, I followed up by phone for help with the process. At that point, after the technician conferred with his colleagues, I was told it is SUPPORTED, but NOT RECOMMENDED on any Smart-1 series appliance from their experience. You'd gain the new features, but the performance would be terrible compared to R77.30.

 

I asked if this would still be an issue when the only blade or feature I would run on the new appliance would be Smart Event, and was told emphatically yes it would be an issue, especially if running Smart Event, even if nothing else is running on the box.

 

Since I saw this admonition nowhere on any of the public-facing R80 upgrade / installation / release notes documentation, I was curious as to whether anyone else has made the move from 77.30 to R80 in any fashion and what your experience was in terms of comparative performance.

 

I have done a considerable amount of research and digging, but here are a couple of references within Exchange Point:

 

The following link indicates that it was not great with earlier Smart-1 appliance models, but I wanted to know concretely about the 205.

https://community.checkpoint.com/thread/1170#comment-1673

 

This table gives a comparison of what hardware is in each appliance model. It would seem that the 205 has a less powerful processor than the 50, less HDD space, and the same amount of RAM. I would imagine my experience would be even worse than his.

 

Check Point Smart-1 Appliance series

 

| Model | CPU | RAM | HDD |
|---|---|---|---|
| Smart-1 3150 | 2x Intel Xeon E5-2630v2 2.60GHz (Six Core) | 64 | 6 TB |
| Smart-1 3050 | 2x Intel Xeon E5-2609v2 2.50GHz (Quad Core) | 32 | 4 TB |
| Smart-1 225 | Intel Core i5-3550S 3.10GHz (Quad Core) | 16 | 2 TB |
| Smart-1 210 | Intel Pentium G2120 3.10GHz (Dual Core) | 8 | 2 TB |
| Smart-1 205 | Intel Celeron G1620 2.7GHz (Dual Core) | 4 | 1 TB |
| Smart-1 150 | 2x Intel Xeon L5410 2.33GHz (Quad Core) | 16 | 2 TB |
| Smart-1 50 | Intel Xeon E5410 2.33GHz (Dual Core) | 4 | 2 TB |
| Smart-1 25b | Intel Core2 Duo Processor E7400 2.80 GHz | 4 | 2 TB |
| Smart-1 25 | Intel Core2 Duo Processor T7400 2.16 GHz | 3 | 2 TB |
| Smart-1 5 | Intel Celeron M 1.50GHz | 2 | 500 GB |

 

Here is a posting that suggests that indexing would not even come on by default on a system with only 2 cores (like a 205):

R80 SmartEvent Problem.

 

 

Again, any real world experience with a 205 would be greatly appreciated.

 

UPDATE: I have since taken the advice of an excellent technician who took over my ticket, and deployed NGSE instead of R80, but I am still very curious about any real world experience any of you might have. Because, though I know this is the best course of action at present, NGSE is not perfect.

 

A fork of the original R77.0 release, it seems that NGSE may be a developmental cul-de-sac:

  • No ISO available for a fresh install of what I would assume you would call the GA take on a Smart-1
  • WinSCP transfers and manual bash commands required to get it up to GA if your Smart-1 factory images are not new enough
  • At that point, the WebUI package update interface is pre-CPUSE and trying to use it to install the 944 build (containing CPUSE) breaks the tool, requiring another WinSCP transfer and manual update.
  • After that, a broken filtering process means that CPUSE recommends packages which are not NGSE compatible and fail at best, or ones that would break the server at worst (R77.30 upgrade shows up??)
  • After fully updating it to the latest and greatest manually, the NGSE appliance still uses vulnerable TLS encryption methods for the WebUI. You have to bash in, chmod, edit, and chmod a config file to remove that method. (Firefox, for example, will keep popping down a notification bar from the top of the browser window telling you not to put any passwords or credit card information into the website.)

 

Thanks all.

 

Chris.
