CPUG

The Check Point User Group

A Resource For The Check Point Community.  Fast.  Useful.  Independent.

#1 jps42, 2007-10-06
Figuring out NSF Specs with licensing

I'm brand new to the forums, we have installed/configured a few UTM-1s...but my question is pertaining to the Nortel NSFs.

We are a Nortel reseller, and some of our customers are interested in a switched firewall with Check Point running on it. Unfortunately, Nortel itself seems to be confused about the pricing/licensing and I was hoping someone here had a good answer.

How would you spec out and price an NSF for a medium size school district: around 2000 PCs, possibly 8-12 NATed devices, including the Check Point licenses? When Nortel gives us a response, it ends up being around twice the price of any equivalent, non-Nortel, solution....which seems insane....especially considering many environments are using the NSFs in production.

Any help would be appreciated.

#2 mcnallym, 2007-10-08
Re: Figuring out NSF Specs with licensing

I'd say at that size the NSF is overkill.

The only places I know that tend to use NSF are places where you are talking top end Nokia / X series Crossbeam.
That's the sort of market that the NSF is aimed at. In the small/medium market the NSF just isn't competitive, as it is not aimed there.

For the size you are looking at I would figure something like an IP390 or 560 etc., which will probably make even the entry-level NSF expensive.

I don't believe that there are that many NSF users here on the forum; the Nortel/ASF forum certainly seems to be a quiet one. I have only ever worked with NSFs once, and that turned out to be purely because the chap putting them in originally was using Nortel Load Balancers and so decided to use Nortel as he knew Nortel products. The boxes were way overkill and didn't even register any usage in SmartView Monitor, i.e. less than 1%.

#3 Sidney, 2007-10-11
Re: Figuring out NSF Specs with licensing

Hello,

I second mcnallym on that.

NSFs, and especially accelerated ones (6000 series), are used in big businesses or in operator environments. The ability to scale by adding directors to the cluster prevents your firewall from becoming obsolete as your business grows.

It's also a good choice in a complete Nortel LAN environment (PASSPORT + BAYSTACK) with the ability to use SMLT (Nortel link aggregation technology).

#4 jps42, 2007-11-06
Re: Figuring out NSF Specs with licensing

We began integrating the Check Point UTM-1 devices in a few places now, and people like them....but we are still getting enquiries for NSF...especially considering the ability to load balance ISPs (I'm assuming they can?)....and a couple of places would like the Passport blade version.

What I'm having difficulty understanding is the needs for Check Point licensing....I get how Check Point itself sells its software....we deal with that consistently with the UTM devices...what I can't figure out is the Nortel product.

If I boot an NSF straight out of the box, will it act as a firewall and VPN ...or is it basically an expensive paperweight until licenses are installed?

Our networks are all Passport/5510/BayStack LANs..making it useful to be able to offer an NSF and the ability to extend SMLTs to the bastion network.

Thanks for all your responses, and I appreciate your help..

#5 mcnallym, 2007-11-06
Re: Figuring out NSF Specs with licensing

When you buy the UTM appliances you are buying the Check Point license as well, so you don't have the license to apply as such; you just activate the feature you want.

With Check Point I had to apply a license to the ASF, which was a standard Check Point license; as such, out of the box it is a paperweight. Not sure if they are licensed per director or per switch tbh.

Nortel ASFs tend to be a very specialist area; I have even spoken with Check Point people who aren't clued up on them.

There is very little about them on the Check Point website other than the release notes, and all of that refers you to Nortel for support and documentation.

As such I would say either Nortel or a Nortel distributor that specialises in the ASF is probably your best bet.

#6 ngsud, 2007-11-13
Re: Figuring out NSF Specs with licensing

All,

First of all, don't ever think of this platform for any Enterprise setup. I have 7 of these, mainly 6 6426 (5026 Director and 6400 Acc) and 1 6626 (5026 Director and 6600 Acc). Trust me, all the 6 6426 are not able to handle traffic for more than 5000 users -- CPU usage is more than 60-70% with Smart Defence and Web Defence disabled; if I enable them with the most basic features for HTTP then the firewall will be more than 85-95% utilized. All of these are clusters, and these clusters have a problem with VPN: none of the tunnels is going to be stable with the cluster working as load sharing (one very large drawback of these ASF clusters, as you don't have any config option like Nokia, where you can opt to run 2 boxes in an Active/Active or Active/Standby scenario).

For licensing, this is how it's configured: have one Smart Management Server (any Linux, Windows or SPLAT), get a central license, go to SmartUpdate and attach the license; this license will be based on the Smart Management IP address.