How to Size UTM-1 appliance

[tzeon]

We need to replace our existing firewall with UTM-1, my company main office have around 2000 users and UTM-1 will turn on AV and IPS features. Also the gateway will act as centre vpn hub(site-to-site IPSec VPN) to other remote offices.

I am thinking to choose either UTM-1 3070 or Power-1 5070, please give sme ome suggestion and comment.

Also anyone have on UTM-1 3070 specially the performance to share with me?

[Thorpuse]

AV is only rated for 500 users maximum - do NOT turn on this feature for 2000 users!

Beyond that, the key issues are connections and required bandwidth. A 3070 should be sufficient. Your next questions are around clustering, log management and whether you run management on box or invest in a SmartCenter server.

Note that the Power-1 5070 doesn't include management, so you definitely need an additional SmartCenter license for this. I would also strongly recommend that if you are going to use a UTM-1 3070 for management and gateway, that you invest an additional 1K in a CLM, and send your logging off the box.

[tzeon]

Hi Thorpuse,

Thank you for your reply, I know the limitation of 500 users AV is applied to old UTM-1 xx50 appliance so this limitation still apply to new xx70 and Power-1 applicane?

Can I use externalize SmartCenter UTM to manage both Power-1 and UTM-1 2070 instead of SmartCenter Power license? Do I lose the smartmonitor feature on UTM-1 2070 if I am using SmartCenter UTM?

[mcnallym]

I believe that the 500 for AV limit is a UTM software issue and you would need UTM-Power for more then that.

In honesty I can't see any of the appliances coping doing UTM with 500+ users anyway.

If you use a SMARTCenter UTM license then this does not include the SMARTView Monitor for other then the basic functionality that used to be in SMARTView Status.

You would need a SMARTCenter Power for the feature.

[hotice_]

Quote:

Originally Posted by tzeon

Can I use externalize SmartCenter UTM to manage both Power-1 and UTM-1 2070 instead of SmartCenter Power license? Do I lose the smartmonitor feature on UTM-1 2070 if I am using SmartCenter UTM?

Checkpoint TAC confirmed to me two weeks ago that a UTM SCS can manage a Power firewall

[Thorpuse]

Quote:

Originally Posted by tzeon

Hi Thorpuse,

Thank you for your reply, I know the limitation of 500 users AV is applied to old UTM-1 xx50 appliance so this limitation still apply to new xx70 and Power-1 applicane?

Can I use externalize SmartCenter UTM to manage both Power-1 and UTM-1 2070 instead of SmartCenter Power license? Do I lose the smartmonitor feature on UTM-1 2070 if I am using SmartCenter UTM?

The AV restriction is with the engine - I wouldn't trust it on a large system. If Gateway AV is that important, I'd be offloading it to a dedicated system.

The SmartCentre UTM license does NOT include SmartMonitor (or LDAP, or SmartPortal, or all sorts of other useful things that should be standard....). If you use a software SmartCenter UTM to manage a UTM-1 2070, you lose the extra things that are provided in the UTM-1's management license (like Monitor, LDAP, SmartPortal etc....). This is one of the stupidest things about the UTM-1 systems - that you need to compromise your security design due to CP's reluctance to allow decoupling of management features from running on-box. I've complained about this for 2 years now, but CP isn't interested in listening. Thanks guys....

[chillyjim]

Quote:

Originally Posted by mcnallym

I believe that the 500 for AV limit is a UTM software issue and you would need UTM-Power for more then that.

In honesty I can't see any of the appliances coping doing UTM with 500+ users anyway.

This is an OEM licensing issue. The system has been tested to >1000 users.
That said, I'd still go off-box for larger sites unless its low volume.

[tzeon]

Thanks for all your reply!!!