I am going to upgrade my gateway from R77.20 to R80.10. I am only running the FW blade.
Is R80.10 more demanding in terms of CPU on the gateways? How much demanding could I expect?
Assuming the gateway appliance appears on this list as supporting R80.10 on the "Appliances Support" tab:
Support Life Cycle Policy | Check Point Software
You should be fine with R80.10 gateway, especially with just the firewall blade enabled. As always, installing the latest GA Jumbo HFA is recommended. I like to wait until the GA Jumbo HFA has been continuously available for at least 2 weeks prior to installing it, but that's just my personal preference.
-- My Book "Max Power: Check Point Firewall Performance Optimization" Second Edition Coming Soon
It is an open server. By the way, how do you take the hardware compatibility list? https://www.checkpoint.com/support-services/hcl/
There is only a column for R80 and there are only a few notes about R80.10. My guess is that if it is supported by R80, it will be supported by R80.10 too.
I have two cores of 2.6 Ghz. The usage is usually less than 20% and there are occasional peaks to 70% caused by individual flows.
I guess that with R80.10 these individual flow will be spread between the cores, right?
As long as your open server is just a firewall (i.e. distributed - the SMS is separate), 4GB RAM should be OK with so few blades enabled, 8GB preferred. If it is standalone (i.e. self-managed) I'd strongly recommend at least 16GB of RAM, however management operations will be very very slow with only two cores and some advanced management features will not be available. I can pretty much guarantee you will not be happy with the performance of the management tools like SmartConsole in that case, even though you are technically meeting the minimum hardware requirements for R80.10.
As long as the HCL says R80 is supported, R80.10+ should be too.
The Dynamic Dispatcher will be enabled by default in R80.10 so the heavy traffic flows should get spread out fairly well.
The official performance numbers for a given appliance running R77.x and R80.10 are basically the same.
That said, additional features now qualify for SecureXL acceleration (Domain, Time, Dynamic Objects).
Also, inline policies can be leveraged to do further policy optimization.
So it's possible, with some work, R80.10 will perform better in your specific situation than R77.x.
According to minimum requirements section for an open server at the R77 and R80 release notes, I have made the assumption that I would need at least twice CPU in R80. But anyway, good to know that shouldn't be necessary the case.
Retrieving data ...