Smart-1 Appliances



marklar
2009-06-10, 19:35
Mods: feel free to create a new category for this if you like.

Smart-1 Appliances - Security Management Appliance (http://www.checkpoint.com/products/smart-1/index.html)

New product looks interesting; in the past, pre-sales have suggested using VMware for management 'appliances'.

Guess it makes sense for environments where you don't want to be managing a mix of CP/Nokia & Dell/HP/IBM hardware. I wonder how flexible the 'Secure OS' actually is for local customisations.

m.

chillyjim
2009-06-10, 20:47
The "SecureOS" is the SPLAT appliance edition.
The bundles look good for mid-size deployments, but the hardware is good (the 150 anyway) for a LOT larger deployments than we currently have SKUs for.

I'll let you know what I think in a few weeks after my first one goes into production.

Thorpuse
2009-06-11, 03:38
Has pricing and availability for these been announced yet? They're only a year late.... :P

Barry J. Stiefel
2009-06-11, 08:03
Mods: feel free to create a new category for this if you like.

Smart-1 Appliances - Security Management Appliance (http://www.checkpoint.com/products/smart-1/index.html)

New product looks interesting; in the past, pre-sales have suggested using VMware for management 'appliances'.

Guess it makes sense for environments where you don't want to be managing a mix of CP/Nokia & Dell/HP/IBM hardware. I wonder how flexible the 'Secure OS' actually is for local customisations.

m.

New forum created.

chillyjim
2009-06-12, 11:32
Has pricing and availability for these been announced yet? They're only a year late.... :P

Yes. They are on the price list (although some SKUs are missing still).
If you don't see combos you want, ask. We're still trying to figure out what combos we need.

Tan Da Boss
2009-07-27, 12:18
I still have some trouble understanding the benefits of this solution.
OK, there won't be any driver issues, but can someone answer the following questions?
Is it cheaper than a traditional SPLAT configuration?
When customers are already running their management on VMware, what are the benefits of this appliance?
What are the other advantages?

serlud
2010-04-05, 04:05
I still have some trouble understanding the benefits of this solution.
OK, there won't be any driver issues, but can someone answer the following questions? - You will have driver issues....
Is it cheaper than a traditional SPLAT configuration? No
When customers are already running their management on VMware, what are the benefits of this appliance? More support rates for CP only
What are the other advantages? Very slow ..

Even here CP has again produced an unsupported CP appliance with a 1.5 Celeron mobile CPU, while the Security Management Hardware Requirements say MINIMUM Intel Pentium IV CPU 2GHz.

chillyjim
2010-04-05, 09:32
I still have some trouble understanding the benefits of this solution.
OK, there won't be any driver issues, but can someone answer the following questions?
Is it cheaper than a traditional SPLAT configuration?

It depends, but in general yes, especially on the low end.


When customers are already running their management on VMware, what are the benefits of this appliance?

Cost mostly. Also support should be in lockstep.

chillyjim
2010-04-05, 09:41
Even here CP has again produced an unsupported CP appliance with a 1.5 Celeron mobile CPU, while the Security Management Hardware Requirements say MINIMUM Intel Pentium IV CPU 2GHz.

If the appliance is used as specified it is just fine. I have had ZERO performance problems and a lot of customers moving to Smart-1s. I have to have at least 50 S1/5s in the field and they work just fine. The S1/150s I have out there are running well so far (The big pair is at >50 CMAs and climbing as they are moved from the Solaris systems).

The appliance is FULLY supported. To imply otherwise is misleading. Just because an open server wouldn't be supported, doesn't mean that when we control the whole system we won't support it.

pat13b
2010-04-09, 16:24
One point of interest (we found out the hard way): the RAID array cannot be monitored. The only indication given when a drive goes bad or out of sync in the RAID is an audible alarm.

Check Point is working on this, but in my opinion this is huge, and we are reluctant to put these into service in our data centers for this reason.

-pat13b

boldin
2010-04-09, 21:00
You're kidding me.
We just submitted a request for quote on 2 S1/150s. As minor as the RAID alarm problem sounds, it is not an acceptable enterprise solution when everything is monitored from half a country away from one data center and a whole country away from the other. Yes, someone from ops *may* hear it over the other system-generated white-noise - but it would be hard to figure out which one so they know who to call to fix it...

pat13b
2010-04-10, 16:11
Exactly my point: these enterprise-class devices will be placed in a computer room somewhere far away from the management stations and the people maintaining them.

My experience is with the "50" I'm not sure if the "150" has the same problem. I would assume so, but you may want to double check that.

The 50 is using an LSI Mega RAID adapter.

-pat13b

dsb.nepo
2010-04-10, 16:37
I don't have such a device, but maybe you can get the RAID status from
a) mpt-status tools (LSI RAID tools)
b) values from /proc/...
c) 'sysctl' queries

Hopefully CP has built in the mpt-status tools if they use LSI controllers in the device, otherwise it seems like a pure assemble/design.

Maybe you can get values via b) or c) and set up a cron job to check the status and, if anything is suspect, send a mail/snmptrap.
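
A cron-driven check along the lines dsb.nepo suggests, aimed at the audible-alarm-only problem pat13b describes above. This is an added example, not code from the thread or from Check Point: it runs whichever LSI CLI is present, classifies every line that reports a volume or disk state, and raises a syslog message (plus mail when ALERT_MAIL is set) if any state is unhealthy or if the output is not recognised at all, so an unknown tool version can never be mistaken for "all good". Assumptions not in the thread: the CLI names (mpt-status for Fusion-MPT controllers, MegaCli for the MegaRAID family the 50 is said to use), the healthy keywords, the ALERT_MAIL variable and the cron path; the two sample outputs at the end are constructed.

```shell
#!/bin/sh
# raid_check.sh - cron-driven RAID health check for an appliance whose only
# native signal is an audible alarm. Added example, not Check Point's code.
# Assumptions: the controller CLI prints one line per volume/disk containing the
# word "state"; OPTIMAL/ONLINE/OK/clean mean healthy, anything else is reported.

# classify_raid: read CLI output on stdin, print one verdict per state line.
# Exit 0 if every state is healthy, 1 if any is not, 2 if no state line was
# seen (unrecognised output must never pass as "healthy").
classify_raid() {
    awk '
        tolower($0) ~ /state/ {
            seen = 1
            line = tolower($0)
            if (line ~ /optimal|online|clean|(^|[^a-z])ok([^a-z]|$)/) print "healthy: " $0
            else { print "ALERT: " $0; bad = 1 }
        }
        END {
            if (!seen) { print "ALERT: no volume state lines found"; exit 2 }
            exit bad
        }'
}

# check_raid: run the first known controller CLI, classify, alert on failure.
check_raid() {
    if command -v mpt-status >/dev/null 2>&1; then
        out=$(mpt-status 2>&1)                       # LSI Fusion-MPT controllers
    elif command -v MegaCli >/dev/null 2>&1; then
        out=$(MegaCli -LDInfo -Lall -aALL 2>&1)      # LSI MegaRAID family
    else
        logger -p daemon.err -t raid_check "no RAID CLI found; array not checked"
        return 2
    fi
    report=$(printf '%s\n' "$out" | classify_raid) && return 0
    # Degraded or unreadable: one syslog line for the central collector, plus
    # the full report by mail when ALERT_MAIL is set (assumed variable).
    logger -p daemon.crit -t raid_check "RAID problem on $(hostname): $(printf '%s\n' "$report" | grep ALERT | head -n 1)"
    [ -n "${ALERT_MAIL:-}" ] && printf '%s\n' "$report" | mail -s "RAID alert on $(hostname)" "$ALERT_MAIL"
    return 1
}

# Cron entry (assumed path): */15 * * * * root /usr/local/bin/raid_check.sh --cron
case "${1:-}" in
    --cron) check_raid ;;
esac

# Constructed samples: mpt-status style (healthy) and MegaCli style (degraded).
sample_healthy() {
    cat <<'EOF'
ioc0 vol_id 0 type IM, 2 phy, 136 GB, state OPTIMAL, flags ENABLED
ioc0 phy 0 scsi_id 1 ATA      DISKMODEL        1.00, 149 GB, state ONLINE, flags NONE
ioc0 phy 1 scsi_id 2 ATA      DISKMODEL        1.00, 149 GB, state ONLINE, flags NONE
EOF
}
sample_degraded() {
    cat <<'EOF'
Virtual Drive: 0 (Target Id: 0)
RAID Level          : Primary-1, Secondary-0, RAID Level Qualifier-0
Size                : 136.0 GB
State               : Degraded
Number Of Drives    : 2
EOF
}
```

The syslog line is the part worth keeping even if you never configure mail: a central collector that already watches the management station's syslog can alert on `raid_check` at severity crit without anyone needing to be within earshot of the box. Run `sample_degraded | classify_raid` to see what the verdict output looks like before pointing the script at the real CLI.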

serlud
2010-04-13, 06:12
If the appliance is used as specified it is just fine.
The appliance is FULLY supported. To imply otherwise is misleading. Just because an open server wouldn't be supported, doesn't mean that when we control the whole system we won't support it.

Could you just answer a simple question:
1. Why does CP produce appliances which have lower hardware (CPU) than what the CP software team has already written for Secure Platform R70?
It is not a SUPPORT question.

We have already asked the same question of the CP SE, CP TAC and CP TAC escalation manager and have got (as usual) nothing in response.

Do they use a special Secure Platform with lower hardware requirements?

Please do not answer again that they are FULLY supported > just read the question again and again (it can help sometimes)..

2. RE: If the appliance is used as specified it is just fine.
If the appliance does not conform to the Minimum Security Management Hardware Requirements - just replace it with a new one which will conform. Ah, yes, that is too much money for CP to invest..

chillyjim
2010-04-20, 21:12
The appliances have very specific usage, e.g. a Smart-1/5 can support 5-10 gateways. If you were to load more on it, it wouldn't be a supported configuration.

With Open Server platforms we do not have as tight control of the hardware, configuration and limits of the platform, so the "Supported" numbers have to be much more conservative.

serlud
2010-04-22, 15:03
The appliances have very specific usage, e.g. a Smart-1/5 can support 5-10 gateways. If you were to load more on it, it wouldn't be a supported configuration.

With Open Server platforms we do not have as tight control of the hardware, configuration and limits of the platform, so the "Supported" numbers have to be much more conservative.
AGAIN and AGAIN:

Could you just answer a simple question:
1. Why does CP produce appliances which have lower hardware (CPU) than what the CP software team has already written for Secure Platform R70?
It is not a SUPPORT question.

2. Do you really think it will support 5 Gateways with more than 1Gb/s REAL throughput, 50000 new connections/s, full IPS, VPN, FW logs (50000x5 logged connections per second), ..?

northlandboy
2010-04-22, 16:40
2. Do you really think it will support 5 Gateways with more than 1Gb/s REAL throughput, 50000 new connections/s, full IPS, VPN, FW logs (50000x5 logged connections per second), ..?

Do you really think that is the target market for that device?

Thorpuse
2010-04-22, 19:40
AGAIN and AGAIN:

Could you just answer a simple question:
1. Why does CP produce appliances which have lower hardware (CPU) than what the CP software team has already written for Secure Platform R70?
It is not a SUPPORT question.

2. Do you really think it will support 5 Gateways with more than 1Gb/s REAL throughput, 50000 new connections/s, full IPS, VPN, FW logs (50000x5 logged connections per second), ..?

Dude, it's a management station. Throughput, connections, bandwidth, IPS, VPN are irrelevant. The boxes have a rating for log processing. That's the only relevant criterion that you've mentioned here.

The products are what they are. If they don't fit your environment, then buy your own open servers and make it fit. If it doesn't fit from a budget perspective, then take your budget to another vendor, or improve your budget(!). If your business case is significant enough, take your case to CP or their disti and see if you can do a deal.

I don't disagree that the hardware used on UTM Appliances could be better, but frankly, constant flames like this which add no value aren't going to help anyone. If you want this stuff to change, take your grievances directly to Check Point. Seeing the same thing here isn't helping.

lammbo
2010-04-23, 10:26
Dude, it's a management station. Throughput, connections, bandwidth, IPS, VPN are irrelevant. The boxes have a rating for log processing. That's the only relevant criterion that you've mentioned here.

The products are what they are. If they don't fit your environment, then buy your own open servers and make it fit. If it doesn't fit from a budget perspective, then take your budget to another vendor, or improve your budget(!). If your business case is significant enough, take your case to CP or their disti and see if you can do a deal.

I don't disagree that the hardware used on UTM Appliances could be better, but frankly, constant flames like this which add no value aren't going to help anyone. If you want this stuff to change, take your grievances directly to Check Point. Seeing the same thing here isn't helping.


I almost never read his posts anymore. They're worse than the 'please send me dumps' posts.

serlud
2010-04-24, 09:05
Dude, it's a management station. Throughput, connections, bandwidth, IPS, VPN are irrelevant.
I don't disagree that the hardware used on UTM Appliances could be better, but frankly, constant flames like this which add no value aren't going to help anyone. If you want this stuff to change, take your grievances directly to Check Point. Seeing the same thing here isn't helping.


Doesn't this place it below the minimum spec to run R70???? << UTM-1 130 thread

Throughput, connections, bandwidth, IPS, VPN are relevant -> you have limits from management to GWs:
1. You should never produce more than 7500 logs (for all 5/10 gateways)
2. You should never use a big policy with too many objects (yes, there is no specification of how long you should wait until the policy is compiled ..)
3. You cannot use SmartMonitoring (optional) (not enough resources)
4. You should buy a new appliance for any new blades.. (DLP, EVNT ... - see CP price list ..) .... and so on,

It will just help CP to understand the problem and stop producing *low* level appliances.. (the official channel is already in use...)

Sometimes even CP should read the software specification before installing it on UTM-1 or Smart CP appliances.


It is also very *smart* of CP to produce new blades and sell them as new appliances (just due to the hardware limit of the old ones)

Smart-1 5 $6,000
Smart-1 5 with 4 blades includes Network Policy Management, Endpoint Policy Management, Logging & Status and Provisioning.

New! Smart-1 5 for SmartEvent $6,000
Smart-1 5 SmartEvent appliance for centralized, real-time, security event correlation and management. Includes Logging & Status, SmartEvent and SmartReporter blades.

https://pricelist.checkpoint.com/pricelist/US/PLUSswblades/GeneralPL.jsp


I almost never read his posts anymore. They're worse than the 'please send me dumps' posts.
Please try to read the thread first, before making any comments....

Thorpuse
2010-04-24, 10:17
Throughput, connections, bandwidth, IPS, VPN are relevant -> you have limits from management to GWs, 1. you should never produce more than 7500 logs (for all 5/10 Gateways) 2. you should never use a big policy with too many objects (yes, there is no specification of how long you should wait until the policy is compiled ..) 3. you cannot use SmartMonitoring (not enough resources) .... and so on,

That's 7500 logs *per second*. If you have 5 gateways generating that many logs *per second*, then you probably have an environment where getting your own custom kit is better anyway (or a real need to review what you are logging!). Policy compilation can be affected by resources, but again, if you have a policy that is that big and complex (and, let me just say that I've seen some very underpowered SmartCentres compile some extremely large and complex policies!) then the odds are you'll also have a budget to get appropriate custom hardware. Ditto resources for monitoring etc.

Again, the most relevant criterion for sizing the SmartCenter here is log processing. 1 connection can generate 1 Gig of traffic and create 1 log entry. Or you can have thousands of DNS requests, all logged (perhaps even at a rate of thousands a second...) but generating negligible bandwidth. As far as the SmartCenter's concerned, only in one of these cases may the SC hit load, oh, and that's because it's receiving lots of logs... Hmmm... Objects and Policy compilation is an occasional event, and yes, the larger and more complex the policy, the slower this will be (particularly if IPS is involved, as we're all finding out now...). But - you will need to be at an extraordinarily large and complex policy before this becomes a serious bottleneck, even on a Smart-5.

It will just help CP to understand the problem and stop producing *low* level appliances.. (the official channel is already in use...) Sometimes even CP should read the software specification before installing it on UTM-1 or Smart CP appliances. Please try to read the thread first, before making any comments.., do not produce spam..

Again, don't disagree that the specs on these boxes could be improved, but reading the thread, of more concern are things like HW and RAID management than the CPU specs. It's a manager, not a gateway, so the role it performs and its requirements are different. If the boxes perform that badly, people won't buy them, and commerce will do the job much better to educate CP than anything we say here.

And as far as the spam comment goes, this is advice you could just as well heed.... raising the same point in multiple threads gets tired, especially when it's not really on topic.

serlud
2010-04-24, 13:26
. or a real need to review what you are logging!

.. raising the same point in multiple threads gets tired, especially when it's not really on topic.

1. We should log all traffic - it is just the current LAW..

2. Sorry, I could not help with this >> CP produces so many very underpowered CP appliances and all of them (low level / except Power..) have different threads.
Some people could not get the right information if they are using only Smart-1 and could not find the thread.

This one was just for the advantages and disadvantages of the new Smart-1 appliance.



I almost never read his posts anymore.
lammbo, I will never read your posts again, I promise you; this one was the last one....... :(

lammbo
2010-04-26, 08:47
lammbo, I will never read your posts again, I promise you; this one was the last one....... :(

I'm not trolling here or trying to start a flame war. I just want you to understand that your overabundance of negative posts is not productive in any way. People come here for answers and to help others in return. This is not an official CheckPoint forum, most of us are just other CP Admins who do not work for CP. There's nothing most of us can do for you to fix the issues you are having with CP and I feel certain that we all know what your beef is at this point, because nearly every post is about the same thing. I may be one of the few people here actually willing to say this, but I assure you that most of the other 'regulars' here are sick of it as well.

With the exception of good folks like chillyjim and phoneboy, who I feel certain have passed on your complaints, we're not CP employees and can't do anything for you. If I were a gambler, I would bet that there are people at CP who do nothing but read this forum and make management aware of the content posted here.

My last comment on this (if you even read this post) is that I didn't say I completely ignore your posts, just the ones where you repeat your same complaints... which is up to about 90% now in the last 6 months. If I start reading your post and you start to bash, I move on. I just don't want to waste my time on it anymore. We all have issues with the way CP does some things. We will usually state our case and continue on but you cannot seem to do so.

belvdr
2010-04-26, 10:36
I'm not trolling here or trying to start a flame war.

For the record, me neither.


I just want you to understand that your overabundance of negative posts is not productive in any way. People come here for answers and to help others in return. This is not an official CheckPoint forum, most of us are just other CP Admins who do not work for CP.

Very much agreed. It's one thing to vent on an issue. It's another to vent continuously on the same issue.


There's nothing most of us can do for you to fix the issues you are having with CP and I feel certain that we all know what your beef is at this point, because nearly every post is about the same thing. I may be one of the few people here actually willing to say this, but I assure you that most of the other 'regulars' here are sick of it as well.

I believe I made the same point. (http://www.cpug.org/forums/dlp-data-loss-prevention/13356-record-blade-price-dlp-blade-12000-12-500-sg401-container.html#post57224)

serlud, I read your constructive advice, such as here (http://www.cpug.org/forums/dlp-data-loss-prevention/13405-anyone-know-if-can-fed-proxy.html#post57457) but the complaints about processor cores and pricing do not appear to be having the effect you desire. Those types of posts aren't really helping anyone at all.

PhoneBoy
2010-04-26, 20:01
With the exception of good folks like chillyjim and phoneboy, who I feel certain have passed on your complaints, we're not CP employees and can't do anything for you. If I were a gambler, I would bet that there are people at CP who do nothing but read this forum and make management aware of the content posted here.

It's part of my job to take feedback from CPUG and pass it to the people that need to hear it. There are other people inside Check Point who read things here for sure (because they talk to me).

While we do appreciate your feedback, we can't always share what we might be doing to address it, at least here on CPUG. Your local Check Point SE can sometimes provide more information one-on-one.

Barry J. Stiefel
2010-04-26, 21:57
It's part of my job to take feedback from CPUG and pass it to the people that need to hear it. There are other people inside Check Point who read things here for sure (because they talk to me).

While we do appreciate your feedback, we can't always share what we might be doing to address it, at least here on CPUG. Your local Check Point SE can sometimes provide more information in a more intimate setting.

A candlelight dinner?

PhoneBoy
2010-04-27, 01:13
I meant one-on-one. Poor word choice.

northlandboy
2010-04-27, 01:21
I meant one-on-one. Poor word choice.

Just watch yourself when the Check Point SE puts his hand on your knee...

chillyjim
2010-04-29, 23:16
Just watch yourself when the Check Point SE puts his hand on your knee...

All depends on the SE...Phoneboy and me...well maybe not so much...

tohhwee72
2011-02-07, 05:05
Is it possible to have a scheduled job run on a Smart-1 appliance? I have a customer that is doing log file rotation on an hourly basis, and the requirement is to export the closed log file to a syslog format and FTP it to an external server.

Can Smart-1 Appliance do it?

northlandboy
2011-02-07, 05:16
Write a script, put it into cron.
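
As an added example of the script-plus-cron approach northlandboy suggests (not code from the thread or from Check Point): an hourly job that picks up each closed log in $FWDIR/log, converts it to text with `fwm logexport`, rewrites the records as RFC 3164 syslog lines, uploads the result and marks the source file as shipped so it is never sent twice. Assumptions beyond the thread: rotated logs end in `.log` with `fw.log` being the active one, the Check Point environment is loaded from /etc/profile.d/CP.sh, the FTP parameters come from a root-only /etc/ship_closed_logs.conf, the host name and `cp_fw` tag in the syslog header, and the sample export at the end is constructed. FTP carries the password and the log data in cleartext, so prefer scp/sftp with a key wherever the receiving server allows it.

```shell
#!/bin/sh
# ship_closed_logs.sh - hourly cron job that exports each closed (rotated)
# Check Point log to syslog-style text and uploads it.
# Added example, not Check Point's code. Assumptions: logs live in $FWDIR/log,
# the active file is fw.log, rotated files end in ".log", and the Check Point
# environment is loaded from /etc/profile.d/CP.sh (edit to match your box).

# closed_logs DIR: print rotated logs not yet shipped, oldest first (glob order).
closed_logs() {
    dir=$1
    for f in "$dir"/*.log; do
        [ -e "$f" ] || continue                   # unmatched glob stays literal
        case "$f" in */fw.log) continue ;; esac   # skip the log still being written
        [ -e "$f.exported" ] && continue          # marker left by an earlier run
        printf '%s\n' "$f"
    done
}

# to_syslog HOST TAG: read 'fwm logexport' output (';'-delimited, header row
# first) on stdin and write one RFC 3164 line per record to stdout.
to_syslog() {
    awk -F ';' -v host="$1" -v tag="$2" '
        BEGIN { pri = 16 * 8 + 6 }               # facility local0, severity info
        NR == 1 {                                 # header row names the columns
            for (i = 1; i <= NF; i++) {
                name[i] = $i
                if ($i == "date") dcol = i
                if ($i == "time") tcol = i
            }
            next
        }
        {
            d = $dcol                             # e.g. 7Feb2011
            day = d; sub(/[A-Za-z].*$/, "", day)
            mon = d; sub(/^[0-9]+/, "", mon); sub(/[0-9]+$/, "", mon)
            msg = ""
            for (i = 1; i <= NF; i++) {
                if (i == dcol || i == tcol || name[i] == "num" || $i == "") continue
                msg = msg (msg == "" ? "" : " ") name[i] "=" $i
            }
            printf "<%d>%s %2d %s %s %s: %s\n", pri, mon, day, $tcol, host, tag, msg
        }'
}

# upload_ftp FILE: classic scripted FTP put. FTP sends the password and the logs
# in cleartext, and the ftp client exits 0 even when the put fails, so prefer
# scp/sftp (key-based, real exit codes) when the receiving side allows it.
upload_ftp() {
    ftp -n "$FTP_HOST" <<EOF
user $FTP_USER $FTP_PASS
binary
cd $FTP_DIR
put $1
quit
EOF
}

# export_and_ship: the body cron runs every hour.
export_and_ship() {
    . /etc/profile.d/CP.sh                        # provides $FWDIR (assumed path)
    . /etc/ship_closed_logs.conf                  # FTP_HOST/USER/PASS/DIR, mode 0600
    closed_logs "$FWDIR/log" | while read -r log; do
        tmp=$(mktemp) || exit 1
        out="${log%.log}.syslog"
        # -n/-p: no name or port resolution, keeps the export fast and deterministic
        fwm logexport -n -p -d ';' -i "$log" -o "$tmp" >/dev/null 2>&1 || { rm -f "$tmp"; continue; }
        to_syslog "$(hostname)" cp_fw < "$tmp" > "$out"
        rm -f "$tmp"
        upload_ftp "$out" && touch "$log.exported"
        logger -t ship_closed_logs "shipped $out"
    done
}

# Cron entry (hourly, a few minutes after the rotation; assumed path):
#   5 * * * * root /usr/local/bin/ship_closed_logs.sh --cron
case "${1:-}" in
    --cron) export_and_ship ;;
esac

# Constructed sample of 'fwm logexport' output, used to exercise to_syslog.
sample_export() {
    cat <<'EOF'
num;date;time;orig;type;action;src;dst;service;proto;rule
0;7Feb2011;05:00:01;10.0.0.1;log;accept;10.1.1.5;10.2.2.9;http;tcp;3
1;7Feb2011;05:00:02;10.0.0.1;log;drop;10.1.1.7;10.2.2.9;ssh;tcp;12
EOF
}
```

The `.exported` marker is what makes the job safe to rerun: if the upload step fails, the log simply stays in the queue for the next hour instead of being lost or duplicated. Run `sample_export | to_syslog mgmt1 cp_fw` to see the line format a receiving syslog server will get.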