Checkpoint 13500 Device Performance



Dsen123
2015-10-29, 02:42
Hi Guys,

I'm here for some advice, I'm new to checkpoint blade products. I have experience in Firewall and VPN blades and no exposure to any other blades. I would like to know how the 13500 device would perform with the following blades turned on and how easy it is to manage these blades. Currently running Splat 77.20 and would like to move to GAIA. We are looking to move all the users behind this device to access local services. (5000 Users)

Identity Awareness Blade
Web Security Blade
Advanced Networking & Clustering Blade (Currently ON and running BGP and OSPF)
Anti-Bot Software Blade
Application Control Blade
IPS Blade
Threat extraction and Threat Prevention
EMAIL Gateway Blade
QOS


Also anyone got suggestions for other vendors to perform this level of work on the next gen devices. (Such as Fortinet, Palo Alto, McAfee, Sophos, SonicWall)

All your suggestions are welcome.

Please let me know your experience with these blades and issues you have come across.

Thanks

mcnallym
2015-10-29, 14:53
Biggest problems I have had with those Blades has been Identity Awareness. However, it normally has come down to bad information being given or not being updated of changes, i.e. not told of ALL of the Domain Controllers. Customer adds AD Servers later and doesn't tell you.

AppCtrl/URL has usually been where people moved a policy from another vendor and wondered why it doesn't work as it did before, as opposed to looking at how it works and writing a policy appropriate for how Check Point's AppCtrl/URL works. Good example being someone allowed URL category of Computers and Internet which covers www.webex.com, then wondering why lower in the rulebase the drop webex app wasn't working when the webex app still has a url of www.webex.com so matched the URL category in a higher placed rule.

IPS blade is usually the same general management of IPS that you normally have. Is ANYONE brave enough to set the download protections to Prevent based on the Profile?

Avoid the Anti-Spam blade, not heard anyone say anything good about it so never turned on.
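
Added example, not part of the thread: a simplified first-match rulebase model in Python that reproduces the webex ordering problem described in the post above and flags the shadowed rule. The rule names, the `Conn`/`Rule` types and the sample classifications are constructed for illustration; this is not Check Point's matching engine.

```python
# Simplified top-down, first-match rulebase (an assumption for illustration,
# not Check Point's engine). All sample data below is constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Conn:
    host: str
    url_category: str   # category the URL falls into
    app: str            # application signature seen on the same traffic

@dataclass(frozen=True)
class Rule:
    name: str
    field: str          # which Conn attribute the rule tests
    value: str
    action: str         # "allow" or "drop"

    def matches(self, conn):
        return getattr(conn, self.field) == self.value

def first_match(rules, conn):
    """Return the first rule that matches, top-down; None if nothing matches."""
    return next((r for r in rules if r.matches(conn)), None)

def shadowed_rules(rules, samples):
    """Map each rule that matches sample traffic but never wins for any of it
    to the names of the earlier rules that took that traffic instead."""
    out = {}
    for rule in rules:
        hits = [c for c in samples if rule.matches(c)]
        winners = {first_match(rules, c).name for c in hits}
        if hits and rule.name not in winners:
            out[rule.name] = sorted(winners)
    return out

SAMPLES = [
    Conn("www.webex.com", "Computers and Internet", "WebEx"),
    Conn("www.example.org", "Computers and Internet", "Web Browsing"),
]
# Policy as carried over: broad category allow placed above the app drop.
AS_MIGRATED = [
    Rule("allow-computers-internet", "url_category", "Computers and Internet", "allow"),
    Rule("drop-webex", "app", "WebEx", "drop"),
]
# Same rules with the specific app drop moved above the category allow.
REORDERED = [AS_MIGRATED[1], AS_MIGRATED[0]]

if __name__ == "__main__":
    print("as migrated:", shadowed_rules(AS_MIGRATED, SAMPLES))
    print("reordered:  ", shadowed_rules(REORDERED, SAMPLES))
```

Running the shadow check against a set of representative connections before and after a policy migration shows which drop rules have become unreachable.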

Cory Webb
2015-10-29, 21:15
Identity Awareness Blade - not really a blade in the sense that some of the other blades are. usually used in tandem with other blades like application control & url filtering for setting up access roles or smartevent/smartreporter for running reports

Web Security Blade - have never used

Advanced Networking & Clustering Blade (Currently ON and running BGP and OSPF) - i try to steer clear of using dynamic routing on any firewall if possible but haven't had any major issues with it when I have had to use it

Anti-Bot Software Blade/EMAIL Gateway Blade - just configure, setup auto downloads and set and forget

Application Control Blade - usually run in tandem with url filtering and https inspection

IPS Blade - can be very resource intensive if not configured correctly. meaning don't just use the recommended profile out the box.

Threat extraction and Threat Prevention - another resource intensive blade. needs correct config or will run gw resources amok especially if IPS and other resource intensive blades are running as well

QOS - have never used

Dsen123
2015-11-16, 21:29
Hi Guys,

Any recommendations & advice from anyone?

Thanks