Check Point SMB Solutions. New models for small companies and branches
Relatively recently (in 2016), Check Point introduced new devices (both gateways and management servers). The key difference from the previous lineup is significantly higher performance.
In this article we focus exclusively on the entry-level models. We describe the advantages of the new devices and the possible pitfalls that are not always talked about, and share our own impressions from using them.
Check Point Lineup
As you can see from the picture, Check Point divides its devices into three large categories:
One of the main characteristics here is the so-called SPU (Security Power Units), Check Point's own metric for the real-world performance of a device. To see why it matters, let's compare the traditional way of measuring firewall performance (throughput in Mbps) with Check Point's "new" method (SPU).
Traditional method - Firewall Throughput
Measurements are carried out under laboratory conditions on "artificial" traffic.
Only firewall functions are evaluated, without additional modules such as IPS, Application Control, etc.
Testing is usually done with a single-rule firewall policy.
Check Point method - Security Power
Measurements are taken on real user traffic.
Performance is measured with the full feature set enabled (Firewall, IPS, Application Control, URL Filtering, etc.).
Testing uses a standard policy that contains many rules.
Check Point Appliance Sizing Tool
So when choosing a suitable Check Point model it is better to rely on the Security Power Unit rating. It is listed in every device datasheet. Note that the SPU is a vendor-specific metric: it is meant for comparing Check Point models with each other, not with other vendors' throughput figures. You cannot calculate the SPU your network needs on your own; this can only be done with the help of a partner who has access to the Check Point Appliance Sizing Tool:
To select the optimal solution, parameters such as the following must be taken into account:
Internet link bandwidth;
Total gateway throughput (this may differ from the Internet link if, for example, you segment the local network with Check Point);
There are also more advanced settings describing the traffic to which each software blade will be applied:
After entering all the characteristics you get a report describing suitable devices:
Here you can see the required SPU (72 in our case) and the recommended SPU (144, i.e. double the requirement), as well as the candidate models with their expected load and the headroom they leave in traffic and blades. When choosing a model, always take a device from the green zone (i.e. load up to 50 percent):
This ensures there are no problems with peak load or with a planned increase of the Internet link. When choosing a device, always ask the partner to provide a similar report. An example can be downloaded here.
Old vs New
Having dealt with the main parameter that characterizes device performance, we can look more closely at the new models for small and medium businesses. As mentioned above, Check Point has a dedicated segment, Small and Medium Enterprise (models 3200, 3100, 1490, 1470, 1450, 1430, 1200R). These devices can be seen as the update of the old 2012 series (2200, 1180, 1140, 1120). To understand the key differences, look at the image below:
(prices are from the global price list (GPL), excluding VAT and technical support)
As you can see, the performance (SPU) of the 2016 series increased significantly while prices stayed at about the same level (with the exception of the 3200). The 3100 is also new in the lineup, but it still has no import notification, so importing it into Russia is not allowed. Keep this in mind!
If you work out the price per SPU, the 1450 comes out as the most balanced model. Below we take a closer look at the new Check Point series.
SMB Device Deployment Schemes
As the figure shows, there are two main deployment scenarios for SMB devices:
Main gateway mode. Check Point is installed as the perimeter device and administered locally.
Branch office gateway. The branch box is managed centrally (via a Management Server) from the head office.
The 3000 and 1400 series each have their own particulars in each of these modes. We look at them below.
SMB 3000 series
At the moment there are two boxes, the 3200 and the 3100. As mentioned earlier, the 3100 cannot yet be imported into the country. As for the 3200, it is an excellent replacement for the old 2200. It runs a full version of Gaia (both R77.30 and R80.10). When used as the main gateway of a small company, you can count on roughly the following:
Internet link - 50 Mbit/s;
Total throughput - 300 Mbit/s;
Number of users - 200.
As you can see, the device load in this case is 47%, and that is with local management, i.e. a standalone configuration (more about standalone vs. distributed here). From personal experience I can say that with local management it is not recommended to exceed 50% load, because management may start to suffer (it slows down). If the device is considered as a branch office gateway (i.e. with separate centralized management), the numbers will be much higher, and you can already go into the yellow zone in sizing (i.e. 50% to 70% load). The device datasheet can be viewed here.
SMB 1400 series
This series includes several devices at once: 1490, 1470, 1450, 1430 (the logical replacement for the outdated 1120, 1140 and 1180).
Although these are the youngest Check Point models, they have all the necessary functionality:
SMB devices can be assembled into an HA cluster (Active/Standby);
almost all software blades are available (as on the "big" appliances);
they can be managed both locally and centrally (using the traditional Management Server);
there are versions with WiFi, ADSL and PoE;
3G modems can be connected;
rack mounting kits are available.
However, some limitations and particulars are worth warning about:
The device does not run a full Gaia but Gaia Embedded (R77.20). This limitation stems from the device architecture (ARM processors are used). With local management (standalone) you cannot use the familiar SmartConsole; instead there is a web interface. You can see it in this video:
The example covers the 700 series, which in principle is not sold in Russia.
Threat Extraction does not work, only Threat Emulation. What that is, you can see here.
You cannot build a cluster in Load Sharing mode, so the trick of buying two "cheap" boxes and spreading the load between them in a cluster will not work.
With local management there are serious limitations in HTTPS inspection.
Anti-Virus does not scan inside archives.
No DLP function.
The last points are probably the most important restrictions, and they are often kept quiet. For full HTTPS inspection you will have to use a traditional dedicated Management Server; in that case you manage the device like a gateway running an (almost) full version of Gaia.
Other limitations of Gaia Embedded can be found here. Be sure to check them before making a purchase decision.
For example, consider a small office with the following parameters:
Internet link - 50 Mbit/s;
Total throughput - 200 Mbit/s;
Number of users - 200;
Local management (web interface).
As the sizing shows, the 1490 copes with this task at 46% load (staying in the green zone). With dedicated management, the 1470 will cope with it. The datasheet for the 1400 series devices can be found here.
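The sizing rules used in this section and in the sizing-tool section above, written up as an added example (this is not part of the original article, nor Check Point's Appliance Sizing Tool): the green zone means load up to 50 percent, yellow is 50 to 70 percent, the recommended SPU is twice the required one (so the pick lands at 50 percent load), a standalone gateway should stay in green, and a centrally managed branch gateway may go into yellow. The SPU ratings of the candidate appliances are constructed placeholders, not datasheet values; substitute the figures from the real datasheets.

```python
from dataclasses import dataclass

# Load thresholds from the sizing report: green up to 50 %, yellow 50-70 %.
GREEN_MAX = 50.0
YELLOW_MAX = 70.0

# Highest acceptable load per management mode, following the article's advice:
# standalone (local management) stays in green, centrally managed branch
# gateways may go into yellow.
MAX_LOAD = {"standalone": GREEN_MAX, "central": YELLOW_MAX}


@dataclass(frozen=True)
class Appliance:
    model: str
    spu: int  # Security Power Units rating from the datasheet


# Constructed placeholder ratings for illustration; these are NOT Check Point
# datasheet numbers. Replace them with the SPU figures from the real datasheets.
CANDIDATES = (
    Appliance("small", 100),
    Appliance("medium", 120),
    Appliance("large", 160),
    Appliance("xl", 300),
)


def recommended_spu(required_spu: int) -> int:
    """Recommended rating = 2x required, which is exactly a 50 % load (green)."""
    return 2 * required_spu


def load_percent(required_spu: int, appliance: Appliance) -> float:
    """Expected load of an appliance, in percent of its SPU rating."""
    return round(100.0 * required_spu / appliance.spu, 1)


def zone(load: float) -> str:
    """Map a load percentage onto the sizing report's colour zones."""
    if load <= GREEN_MAX:
        return "green"
    if load <= YELLOW_MAX:
        return "yellow"
    return "red"


def size(required_spu: int, candidates=CANDIDATES, management="standalone"):
    """Return (model, load, zone) for every candidate that meets the load
    ceiling of the chosen management mode, smallest suitable box first."""
    ceiling = MAX_LOAD[management]
    fits = []
    for appliance in candidates:
        load = load_percent(required_spu, appliance)
        if load <= ceiling:
            fits.append((appliance.model, load, zone(load)))
    fits.sort(key=lambda row: row[1], reverse=True)
    return fits


if __name__ == "__main__":
    req = 72  # required SPU from the sizing report shown in the article
    print("recommended SPU:", recommended_spu(req))
    for mode in ("standalone", "central"):
        print(mode, size(req, management=mode))
```

With the required 72 SPU from the report, the "medium" placeholder (60 percent load) is rejected for a standalone gateway but accepted once the box is centrally managed, which is exactly the difference the two scenarios above describe.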
Model 1200R
This model is hardly SMB. It is an industrial (ruggedized) solution and probably deserves a separate article, so we will not go into it here.
Webinar
For more on the SMB devices, see our previous webinar:
Conclusions
In my opinion, the new SMB models turned out pretty well: device performance has increased significantly while the price level has been kept. Whether the devices are expensive or cheap I am not ready to argue, because these notions differ widely from company to company.
I would recommend the 3200 to small companies that want the maximum level of protection for reasonable money. It is also a good choice for those already used to working with a full version of Gaia; R80.10 is available on it too. Once the notification for the 3100 is received, the price tag will drop a bit further. For branch offices it is ideal.
The 1400 series devices are a good compromise and have the best price/quality ratio (especially in price per SPU). They are a good fit for branch offices with a limited budget. With centralized management you can manage them like ordinary gateways running a full version of Gaia. But, I repeat, do not forget the limitations, which you should definitely read up on.