View Full Version : Best Practices for Large Deployment?

2015-08-28, 17:16
Hi All,

I want to know what would be considered a best practice for a deployment. Would you recommend a separate Policy Package for each set of devices or include all Rulebase policies in a single policy package? The issue is we have two 12400's acting in a cluster as the VPN concentrators, two 4800's sitting in front of them between the corporate network and the internet acting as Gateway Firewalls, and approximately two thousand 1140's going to be deployed to store locations. Do we create one large Rule base with all policies and push to all devices or do we create separate Policy Packages? We have smart-1 appliances acting as separate management and logging devices (both are remote from the datacenter where the 12400/4800's are located.

2015-08-28, 18:09
Separate Policy Packages for the 12400's and 4800's.

I would hazard a guess that the 1100's are basically going to be the same , in that VPN back to the 12400, with fairly standard sets of requirements so I would suggest that look at using SmartProvisioning and Profiles to create an easy way of managing the 1100's.

Dynamic Objects would allow you to create fairly standard profiles to allow to manage the 1100's without having to create too much in the way of policies.

2015-08-29, 08:01
I have deployment close to this number. If you centrally manage from Checkpoint, definitely Smartpro using security and provisioning profile (as mentioned above), usually one security policy on 1100s installed to profile. But remember that Smartpro is not a feature on VSX...
Also 77.30 with Add-on (specifically made for 1100) on mgmt server and 77.20 on 1100s. For redundancy consider two Datacenters (Route Injection with MEP) or two ISPs in one Datacenter (using ISP redundancy).