UTM-1 M450 Appliance

[jobroco]

Would anyone happen to have any opinions or experiences on these devices (the M450 or 1050)? From what I've seen and heard, Checkpoint co-developed them with Crossbeam. We're looking to implement a couple of these, and I was curious if anyone has tested or played around with either one of them. I'll be receiving an M450 to evaluate in the next few days. I'll post my findings.
-jj

[MarioL]

Got one last friday. It's not as sexy as I was expecting, the case is quite bland and the spec isn't that impressive (I guess you have the other models for a reason).

The initial setup is much easier for "non-check point" ppl, since it's webified and you don't have the normal cpconfig questions, it just asks if you are stand alone or distributed, really.

I "found" that it runs CA AV engine and that URL filtering isn't there yet.

Had never seen the web version of the GUI, doesn't look too bad.

My account doesn't have AV features (need to check how to get this), so I couldn't really test the bit I wanted... :(

One odd thing I noticed was that in "Policy->Global properties", the TCP out of state packets drop tick-box wasn't enabled, which was a surprise.

All-in-all need to have a better look this week.

Cool bits:
- The USB key to reset to factory settings (didn't use it yet)

Uncool:
- Looks. Even if iPod has made white fashionable, the box looks ugly and cheap

[jobroco]

Thanks for the reply. I was just curious how much more robust they were in comparison to the Edge's. I have used mainly Splat running on HP DL360's on my other gateways, but this would be for a new network for a different company that only has around 150 users in 11 district offices. I was hoping that by using the 450's I could create vpns between the offices, provided that the appliances could handle the traffic. I noticed from the specs it says 400mbps is the throughput, have you had a chance to stress test it yet? I'd love to find out if that figure is theoretical, or actual. :o) Thanks again for your input.
-jj

[MarioL]

I won't be stress testing them, but I doubt that with all the features on it can do 400Mbit/sec. Anyway, small offices tend to have limited bandwidth, so unless you have a private DMZ with loads of servers that needs quick access, it should be a non-issue.

This has nothing to do with the Edge boxes... for all intents and purposes this is a Check Point certified PC, running SPLAT and a few more bits.

[jobroco]

Cool. I think that these should work out pretty well for this particular net setup. They'll probably have a DMZ, but with the minimal number of users, it should be sufficient. Thanks again.

[RayPesek]

I was at a conference yesterday where CP discussed these new boxes a bit. There were a couple of interesting items:

They are hard drive based with a single drive, but HA is available. They are running a slightly modified version of SPLAT.

They can be self-managed, or can manage other UTM boxes or can be managed by a SmartCenter.

If you factor in the cost of buying hardware plus the regular CP license, one of these boxes is priced the same as just the software license. The claim was that you get the hardware for free, however I doubt many people pay the full list price for the CP software. If these boxes get discounted as much as the software can, they do look attractive.

Very interesting was the licensing. They are not licensed by a hard number of users. Rather the different models have specs attached saying how many users are recommended. For example, a 250-user sized unit can be used with 1,000 users behind it without violating the license terms.

I don't remember the exact throughput specs, but they looked realistic. They had one spec of "all SmartDefense & Web App enabled" which is what I would take as a realistic way of presenting it.


The confusing part to me is just how these boxes are being positioned. It looks like the solid-state Edge's are being positioned for the smaller offices and protection of industrial networks (process control, etc.), these UTM boxes are being positioned for mid-sized locations, and "real" installations are for the main office.

But without a license limit restriction on the UTM boxes, they could easily replace the full-blown "Power" boxes unless you need gobs of bandwidth.

Ray

[chillyjim]

Answering a few of these in line...

Quote:

Originally Posted by jobroco

From what I've seen and heard, Checkpoint co-developed them with Crossbeam.

Crossbeam is doing the logistics they did not develop the system. The hardware is manufactured by the same company that does the manufacturing for the low-end Crossbeams which is why it looks the same, but it is not the same hardware.

Quote:

Originally Posted by MarioL

I "found" that it runs CA AV engine and that URL filtering isn't there yet.

[...]
My account doesn't have AV features (need to check how to get this), so I couldn't really test the bit I wanted... :(

you want an SDAV-U subscription for it (SmartDefense and AV+Content filtering Updates).

The content filtering comes with R65 which has been in public EA for a while now so I guess it will be out soon.

Quote:

Originally Posted by RayPesek

I was at a conference yesterday where CP discussed these new boxes a bit. There were a couple of interesting items:

They are hard drive based with a single drive, but HA is available. They are running a slightly modified version of SPLAT.

The hard drives are suppose to be "industrial" drives that will run 24x7 for several years. We'll see.

Quote:

The confusing part to me is just how these boxes are being positioned. It looks like the solid-state Edge's are being positioned for the smaller offices and protection of industrial networks (process control, etc.), these UTM boxes are being positioned for mid-sized locations, and "real" installations are for the main office.

But without a license limit restriction on the UTM boxes, they could easily replace the full-blown "Power" boxes unless you need gobs of bandwidth.

Ray

Edge for 5-100 user offices
UTM/UTM-1 for 50-1000 user offices
Power for 500+ user offices

These are the guidelines, but they don't really mean anything as you can get unlimited licenses for any of these.

The big difference between UTM and Power is features like QOS, and SecureXL for high performance.

UTM licenses are just fine for most people.

[jobroco]

Thanks for all of your thoughts. I found out that the SmartDefense is a line item cost ($2750 us$ per box unlimited users license), although I haven't seen whether the av and web filtering is part of that subscription.

Jim, since web content filtering ships with R65, does it behoove one to just get the the SD license without the AV, so that we can utilize our existing corporate AV solution (a CP partner), or do you know if it's the same cost either way (haha)?

I was also a bit worried about running the SmartCenter on the gateway. I prefer to have a separate server for the gateway management, nice to know that you can do either. Also, nice to know that HA is available. I'm looking forward to testing the box this week.
-jj

[abusharif]

as someone mentioned out of state tcp packets are allowed by default. Anyone with more info that knows why its done this way?

It doesn't seem to be just a "miss", since it's documented in release notes:

Quote:

Out of state TCP packets are not dropped by default. To enable this feature, go to
Global Properties > Stateful Inspection and select Drop out of state TCP packets.

[jobroco]

I spoke with my CP rep about the box that I'm receiving. The $2750 sdav-u is for both SmartDefense and AV, and can be purchased separately (1750 for SD, 1000 for av). Unfortunately though, that since R65 is still in EA status, it has not been approved for install on the new appliances (dang). R62 is the latest stable build for these.

[chillyjim]

Quote:

Originally Posted by jobroco

Jim, since web content filtering ships with R65, does it behoove one to just get the the SD license without the AV, so that we can utilize our existing corporate AV solution (a CP partner), or do you know if it's the same cost either way (haha)?

My personal opinion is clear out the virus as soon as possible.