CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.



Thread: Power-1 appliance 9075 vs Splat gateways...

  1. #1
    Join Date
    2011-02-17
    Posts
    81
    Rep Power
    10

    Default Power-1 appliance 9075 vs Splat gateways...

    Can anyone, based on experience, give me some pros and cons about upgrading from SPLAT gateways to Checkpoint Power-1 9075 appliances?

    We are at a crossroads right now, where I either upgrade the old Dell Hardware 6850 that has worked flawlessly for the last 4 years or migrate to Checkpoint appliances....
    since I also need to migrate Software to the R71.30

    If staying with Splat, I was thinking about using a Dell PowerEdge R910.

    http://www.dell.com/downloads/global...0-specs-en.pdf


    Any input is greatly appreciated.
    Thanks,

  2. #2
    Join Date
    2009-04-14
    Location
    Ohio
    Posts
    405
    Rep Power
    11

    Default Re: Power-1 appliance 9075 vs Splat gateways...

    Per http://www.cpug.org/forums/check-poi...formation.html, the Power-1 9075 has 2x Quad-Core Xeon DP E5410 8x 2.33GHz processors. If the Dell server has better CPUs (which it looks like it does), then go with the 'open server' route. However, it doesn't look like the Dell R910 is on the Check Point HCL, but the R900 is. You might want to double-check with Check Point to be sure. Also, buy Intel NICs and forget about using onboard Broadcom ones.

  3. #3
    Join Date
    2011-02-17
    Posts
    81
    Rep Power
    10

    Default Re: Power-1 appliance 9075 vs Splat gateways...

    Quote Originally Posted by bmolnar View Post
    Per http://www.cpug.org/forums/check-poi...formation.html, the Power-1 9075 has 2x Quad-Core Xeon DP E5410 8x 2.33GHz processors. If the Dell server has better CPUs (which it looks like it does), then go with the 'open server' route. However, it doesn't look like the Dell R910 is on the Check Point HCL, but the R900 is. You might want to double-check with Check Point to be sure. Also, buy Intel NICs and forget about using onboard Broadcom ones.

    Thanks bmolnar,
    Yes, I only used Intel NIC(s) on my previous Dell 6850 bought 4+ yrs ago... and I plan on purchasing new ones if we go that route.
    I am not too concerned about the hardware not being on the Checkpoint HCL list since our previous hardware was not on the list either when I purchased it back then...
    I will try to stay as close as I can with a supported DISK array as possible.

    I was just wondering if there was any special reason to move into appliances instead.
    Thanks again

  4. #4
    Join Date
    2006-09-26
    Posts
    3,194
    Rep Power
    17

    Default Re: Power-1 appliance 9075 vs Splat gateways...

    Quote Originally Posted by Eros_G View Post
    I was just wondering if there was any special reason to move into appliances instead. Thanks again
    Yes, there is a special reason to move into appliances (i.e. Power-1 appliances). That reason is someone stupid enough to listen to Checkpoint Sales/SE guys that Power-1 appliances are the greatest thing since the invention of sliced bread. An ILOM card costs 3K and is practically useless. Need I say more?

    You can count me as one of those "stupid" customers.

  5. #5
    Join Date
    2005-11-25
    Location
    United States, Southeast
    Posts
    857
    Rep Power
    15

    Default Re: Power-1 appliance 9075 vs Splat gateways...

    I'll third that.

    You get more flexibility from an Open Server. When you're done with it, you can recycle the open server into a different role.

    I understand the OOB/BMU is very limited as compared to an HP iLO, Dell Drac, etc.

    You retain the license for the next Open Server; which will be much cheaper than the fork lift upgrade to a new appliance.

    If your datacenter utilizes some standard platform (Dell, HP, IBM), then spare hardware (power supplies, HDDs, memory, whole platforms etc.) might already be ready onsite; and the hardware is well understood by many onsite techs; firmware upgrades are more easily done given an already established build/unpacking process.

    In short, the see-saw is severely weighted in favor of the Open Server.

  6. #6
    Join Date
    2007-02-19
    Posts
    120
    Rep Power
    14

    Default Re: Power-1 appliance 9075 vs Splat gateways...

    In large part, the decision comes down to your preference for doing the work yourself vs paying someone else to do the work.

    1) licensing is completely different between splat and appliances, which has significant impact on refresh cost.
    -- Appliances ship with a built-in-license, which must be "repurchased" when
    you refresh hardware (although CP has trade in programs).
    -- SPLAT you move your existing license to new hardware

    2) maintenance
    -- Appliance SW maintenance is less expensive. CP hires someone that will
    rack, and configure the IP if a replacement is necessary.
    -- SPLAT makes it easier to keep spare hardware around, allowing you to forgo
    HW maintenance. You have to fix the broken box.

    3) out-of-band management
    If you do not sit close to your firewalls (e.g. different city), a remote access card that
    allows you to mount a DVD from your desktop onto a broken firewall can be priceless.
    -- Appliances (at least my 3070) have only a serial console with no xmodem uploads.
    -- SPLAT, DRAC enterprise is priceless.

    4) compatibility
    -- appliances, what comes in the box is "always compatible". What does not is unavailable to you. Forever.
    -- SPLAT, must pay attention to the HCL; can purchase smaller license and "turn on" cores later if needed.

    I do recommend sticking with the HCL if you are making "new model" purchases. I once ordered a "Dell 2950", but got a "Dell 2950 III" (ordering error). To get compatible drivers, I had to upgrade to Splat 2.6 before I was ready. If you have existing test hardware, this is much less of an issue.

    To minimize checkpoint licensing costs (and therefore SW maintenance costs), invest in faster CPUs and more RAM before you invest in more cores.

  7. #7
    Join Date
    2008-11-23
    Location
    Atlanta, GA
    Posts
    542
    Rep Power
    12

    Default Re: Power-1 appliance 9075 vs Splat gateways...

    I'll agree with the part about you doing the work or someone else, only in a different way...

    If you are on site or have capable eyes/hands on site to support the system, definitely go for the Dell/IBM/HP open-server platform. Definitely more bang-for-the-buck when it comes down to it (see previous posts).

    We have multiple sites, with a vast majority (about 40 firewalls out of 50 total) being in a remote site that has limited experience on site. The firewall is internal to our network and is used as a choke point for the region. Therefore, we went with UTM 1070, 2070 and 3070 appliances. If it fails miserably and we can't get the system back up and running relatively quickly, we route around it while we submit an RMA. A few days later, the FW shows up, we configure it and ship it to them. They're usually down for no more than a few days. Again, this is only for internal firewalls on sites that have limited technical resources or "lesser quality" resources on hand to assist. The other sites are at data center locations that have quality resources to assist us remotely.
    - boldin
    CISSP
    CCSE/R65

  8. #8
    Join Date
    2009-04-14
    Location
    Ohio
    Posts
    405
    Rep Power
    11

    Default Re: Power-1 appliance 9075 vs Splat gateways...

    All but two of our firewalls are open servers. We recently bought two high-end Power-1 appliances since they were guaranteed to do X amount of traffic and X packets-per-second. Now that we know the hardware these platforms run, we'll probably go back to open servers.

  9. #9
    Join Date
    2005-08-29
    Location
    Upstate NY
    Posts
    2,720
    Rep Power
    17

    Default Re: Power-1 appliance 9075 vs Splat gateways...

    The major advantage to the appliances is the 17% support rate IMHO. There is no "technical" advantage, and you may well be able to "roll your own" for less. That said a lot of people like the appliances (one point of contact for support, no questions as to if the hardware is "supported", etc).

    This was true even before Check Point sold appliances. The success of Nokia's IP appliances made that clear.

    I think it really comes down to what is right for you more than what is "technically" a better option. I have customers that are very happy running on open servers as well as happy appliance customers. If you are a big Dell/HP/IBM/SUN/etc shop with the in-house folks to deal with the hardware, the service contracts in place, spares available, no political challenges to the security team controlling a "server" and running SPLAT instead of Windows (yes this is an issue in a lot of places), then an open server platform probably does make sense.

    Check Point started the "appliances" because of customer demand not because they are "better" than a high-end IBM at running the code.

    So back to the original question. I've had few failures of appliances I have not been able to trace to outside problems (e.g. power). I have had a lot of issues with people not understanding the specs (Yes I know, publishing "marketing" numbers is the source of this, but that is another well discussed topic).

    Personally I would like a better LOM for the Power-1 line and a LOM for the UTM-1 line (I do like the Smart-1/50 LOM), but then again, if I have a terminal server I mostly don't need one.

    My suggestion is to run the numbers with your account team and think about how you want to support them.

  10. #10
    Join Date
    2006-09-26
    Posts
    3,194
    Rep Power
    17

    Default Re: Power-1 appliance 9075 vs Splat gateways...

    Quote Originally Posted by chillyjim View Post
    The major advantage to the appliances is the 17% support rate IMHO.
    That is NOT entirely true and very misleading. Checkpoint makes appliances because it thinks it can "sucker" people into buying appliances.

    For those who have not used Checkpoint Power-1 appliances: the hardware is made from very cheap materials. Take the Power-1 11065 appliances as an example with a Dell R710,

    #1: The paper box that shipped the Power-1 appliances is very soft and could easily damage the Power-1 appliance. With the Dell server R710, the paper box that the R710 is shipped in, you can drop the box from a UPS truck and the server is still OK. Can't say that about the paper box that comes with Power-1 appliances,

    #2: The Power-1 appliances were built on very cheap hardware. Just based on the look of it, you can see why: the hard drive holder is made of really cheap plastic, and I mean really cheap. The rail used to mount the firewall into the rack is ridiculous as well. I've never seen anything so cheap in my life. I feel like if I drop the Power-1 appliance onto the floor, it will get damaged. The Dell R710 is a very sturdy server. I've dropped this server several times and it is still running fine.

    #3: ILOM card looks very cheap.

    In summary, the whole thing looks very cheap. Looks like Checkpoint is cutting a lot of corners to make some extra $$$.

    Comparing Checkpoint Power-1 appliances to a Dell R710 or Nokia IP appliances is like comparing a cheap Hyundai to a German Porsche.

    Now you know why you're getting a 17% support rate.

  11. #11
    Join Date
    2006-12-04
    Posts
    1,316
    Rep Power
    15

    Default Re: Power-1 appliance 9075 vs Splat gateways...

    Quote Originally Posted by denbesten View Post
    In large part, the decision comes down to your preference for doing the work yourself vs paying someone else to do the work.
    1) licensing is completely different between splat and appliances, which has significant impact on refresh cost.
    --Appliances ship with a built-in-license, which must be "repurchased" when you refresh hardware (although CP has trade in programs).
    --SPLAT you move your existing license to new hardware

    To minimize checkpoint licensing costs (and therefore SW maintenance costs), invest in faster CPUs and more RAM before you invest in more cores.
    Absolutely correct.

    Quote Originally Posted by chillyjim View Post
    The major advantage to the appliances is the 17% support rate IMHO. There is no "technical" advantage, and you may well be able to "roll your own" for less. That said a lot of people like the appliances (one point of contact for support, no questions as to if the hardware is "supported", etc).
    This is a major disadvantage of the CP appliances..!!!!

    Please add the full appliance price to the support rates, like in the following >>

    Example 10 Years ROI (just to compare) :
    UTM 3070 First 5 years: $27,900
    5 years SS >> $27,900*0,17*5 +$27,900 = 51615 and now you should buy new UTM-1 or Power-1
    Second 5 Years Power-1 5xxx $41,900*0,17*5=$35615
    Average SS: (51615+41900+35615)/10 =12913 per year.

    Open Server 4 core: SG407i $17,250 + Open Server 5000$ (first 5 years) + Open Server 5000$ (Second 5 years)
    Average SS : 17,250*0.3*10 +10000 = 6175 per year

    Same hardware for all 10 years
    UTM 3070 for 10 years $27,900 FULL SS >> $27,900*0,17*10 = 47430
    Average SS: (47430+27,900)/10 =7533 per year. and now you should buy new or UTM35xx or Power-1..

    Open Server 2 core 10 years:
    SG205i $15,000 + Open Server 5000$ (for 5 years)
    Average SS : ($15,000*0.3*10 +5000)/10= 5000 per year. and you still have 2 core Lic (70% can be used to convert to SG4xx) !!! just buy new Open Server
    Last edited by serlud; 2011-02-27 at 07:27.

  12. #12
    Join Date
    2006-09-26
    Posts
    3,194
    Rep Power
    17

    Default Re: Power-1 appliance 9075 vs Splat gateways...

    Quote Originally Posted by chillyjim View Post
    Personally I would like a better LOM for the Power-1 line and a LOM for the UTM-1 line (I do like the Smart-1/50 LOM).
    I think you need to point out all the shortcomings of the ILOM on the Power-1 appliances, even with the Smart-1. Checkpoint appliances are the only appliances that I've come across where one has to configure the IP address of the ILOM through a browser. Everyone else allows you to access it through the BIOS (DELL, IBM, HP, etc...). Pure stupidity on Checkpoint's part.

    my 2c

  13. #13
    Join Date
    2005-08-14
    Location
    Gig Harbor, WA, USA
    Posts
    2,494
    Rep Power
    17

    Default

    serlud, this isn't really an apples to apples comparison. What are you paying for your hardware? What are you paying for support on your open hardware? How much have you spent on spare hardware to replace potentially failed equipment? What are your traffic levels like? Are they going up? What other functionality do you plan to use? Why is it realistic to run an Open Server for 10 years but not a Check Point appliance?

    To be clear, I'm not arguing with your premise, serlud. There are going to be cases where Open Servers are going to make more sense financially than using our appliances. It's an option you have as a Check Point customer, something our major competitors don't offer. Just make sure when you run the numbers for your situation, ensure you include all the relevant numbers in your analysis so you get an accurate picture.
    http://phoneboy.org
    Unless otherwise noted, views expressed are my own

  14. #14
    Join Date
    2006-12-04
    Posts
    1,316
    Rep Power
    15

    Default Re: Power-1 appliance 9075 vs Splat gateways...

    Quote Originally Posted by PhoneBoy View Post
    serlud, this isn't really an apples to apples comparison.
    What are you paying for your hardware? € 2.623,95
    What are you paying for support on your open hardware? additional 10 Year 2x1153,11 €
    How much have you spent on spare hardware to replace potentially failed equipment? 0 $ , 4 hours replacement on your place.
    What are your traffic levels like? Absolutely usual traffic with only one default gateway
    Are they going up? This does not depend on HW
    What other functionality do you plan to use? This does not depend on HW

    Why is it realistic to run an Open Server for 10 years but not a Check Point appliance? Please see above, or now below, my second comparison for the same HW and 10 years.
    10 Years comparison by using the same hardware for all 10 years:

    UTM 3070 for 10 years (standard CP support, does not provide 4 hour replacement on site, no iLO board, no redundant power, and so on.)
    One time $27,900
    FULL SS >> $27,900*0,17*10 = 47430
    Average SS: (47430+27,900)/10 =7533 per year. and now you should buy new or UTM35xx or Power-1..

    Open Server 2 core 10 years:
    SG205i $15,000
    HP ProLiant DL320 G6 E5530 6 GB-R P410/256 BBWC Hot-Plug SAS 400 W RPS € 2.623,95 (3Years support)
    2xHP On site Support (HW) 4 Hours. (24x7), 5 years 2x1153,11 € (€ will be converted to US $ , Total 13 years HW support with 4 hours on site replacements..)
    Average SS : ($15,000*0.3*10 +6999)/10= 5200 per year. and you still have 2 core Lic (70% can be used to convert to SG4xx)

    Conclusion: You will pay 2300$ less per year, have more stable HW, better support (4 Hours), and also will have, at the end of 10 years, an unlimited Lic and 70% of the initial Lic price (can be used to convert to SG4... or more...) if you use the Open Server Platform.

    Should I make a 4 or 8 core comparison? Or some more questions?
    (all prices can be found on official HP web...)
    Last edited by serlud; 2011-02-27 at 16:47.

  15. #15
    Join Date
    2005-08-14
    Location
    Gig Harbor, WA, USA
    Posts
    2,494
    Rep Power
    17

    Default

    Actually, serlud, I wasn't interested in your exact numbers. Clearly you've made the decision to go with Open Servers. No criticism here, just want to make sure when (potential) customers run the numbers for themselves, they take into account all the relevant costs.

    You may have other reasons for choosing Open Servers versus appliances that have nothing to do with money, either. Again, unlike with most of our competition, you have that option.
    http://phoneboy.org
    Unless otherwise noted, views expressed are my own

  16. #16
    Join Date
    2005-11-25
    Location
    United States, Southeast
    Posts
    857
    Rep Power
    15

    Default Re: Power-1 appliance 9075 vs Splat gateways...

    Serlud's numbers for server acquisition costs are accurate.

    You can get a tier 1 server platform with dual quad core mid level CPUs, 2 Quad Intel NIC cards, 4 Gigs RAM, hardware RAID with 2 drives, top tier OOB/BMU/iLO/Drac for approximately 4 1/2 to 5 grand.

    Long story short, if an organization has any sort of an IT dept/team, Open Servers are a better and cheaper choice for CheckPoint deployments.

    Now watch as CheckPoint leadership rejumbles the price lists to make this less so.
    Last edited by alienbaby; 2011-02-27 at 21:22.

  17. #17
    Join Date
    2005-08-29
    Location
    Upstate NY
    Posts
    2,720
    Rep Power
    17

    Default Re: Power-1 appliance 9075 vs Splat gateways...

    If you are going to go with standard support the appliance support rate is 12% in the US.

    As I said, YOU have to run the numbers and do what's right for YOU. Not everyone is the same.
    I do a lot of business with government and if they use servers, then they have to have a different team managing the hardware instead of the security team, politics.

    Some people want appliances and some want servers and the costs don't matter.

    As to why the support rate is lower on appliances than software only

    1. List price is higher (at the high-end anyway)
    2. We control the hardware so it makes diagnostics easier

    LOM on the S1 vs other appliances.
    So how do you set the IP address of the LOM in your ASA or Juniper? Ohh that's right they don't have one.

    Comparing checkpoint Power-1 appliances to a Dell R710 or Nokia IP appliances is like comparing a cheap Hyundai to a German Porsche.
    I guess I should point out that Nokia sold its appliance division to Check Point a while back and all the same pricing structure is in place for IP Appliances as well.

    As for a Dell R710, more like a Jetta than a Porsche. Oh and the RAID controller and system BIOS will be different on every one they ship you, but you do get a nice box. That's a major advantage if you are shipping your firewalls all over the place several times a year.

    Get real cciesec2006. Your tirades are not very helpful. You don't like Check Point appliances, Software, Support, sales, SE's or anything else about the company and product, but you still seem to be using it.

    Eros_G -- Buy the hardware that is the best fit for your environment. If you have a three year replacement schedule, like most US companies, then plan for that. Your reseller should be able to help you run the costs for your environment with any discounts (Note the numbers given in previous posts for Check Point products are list price, not street price like the open server numbers posted). Also stick to the HCL for systems. My personal preference for open servers is IBM and Fujitsu. They seem to be much better built and the hardware support is top notch.

  18. #18
    Join Date
    2006-02-09
    Location
    Charleston, SC
    Posts
    1,172
    Rep Power
    16

    Default Re: Power-1 appliance 9075 vs Splat gateways...

    (Bolded for emphasis but no other editing)
    Quote Originally Posted by boldin View Post
    Therefore, we went with UTM 1070, 2070 and 3070 appliances. If it fails miserably and we can't get the system back up and running relatively quickly, we route around it while we submit an RMA. A few days later, the FW shows up, we configure it and ship it to them. They're usually down for no more than a few days.
    Unacceptable amount of time to run without an HA backup IMO. That there are no other options available says it all. I have 4 hour parts from HP and Cisco. I've seen it in action and had my servers back up in 4 hours or less. One time, when a chassis failed and HP came to replace it (at a lights-out data center in another state), they moved my NICs and my hard drives to the same slots on the new chassis and all I had to do was re-configure my SYNC interface (since it's the only thing I'll use the built-in HP NICs for and the only MACs that changed).


    And as for the rest of it from other posters... I agree with those other long-time CP admins. Open Source hardware cannot be beat for all of the reasons previously stated by them.


    PS - Almost forgot to add in that with an open server (like HP w/ ILO) I can mount a bootable CD remotely and do a completely remote install from another state. It took 4 hours to install SPLAT because of the slow wan link, but it did install and was up and running shortly after install finished and I dumped a config on it.
    Last edited by lammbo; 2011-02-28 at 09:11.
    There's no place like 127.0.0.1

  19. #19
    Join Date
    2005-08-14
    Location
    Gig Harbor, WA, USA
    Posts
    2,494
    Rep Power
    17

    Default Re: Power-1 appliance 9075 vs Splat gateways...

    Quote Originally Posted by lammbo View Post
    Unacceptable amount of time to run without an HA backup IMO. That there are no other options available says it all. I have 4 hour parts from HP and Cisco. I've seen it in action and had my servers back up in 4 hours or less.
    To be clear, Check Point provides the delivery and basic installation of replacement hardware by a certified engineer within 4 hours from RMA determination by the TAC (geographic restrictions apply) if you have Premium Onsite Support. Even with just regular Premium support, we can do advanced replacement on RMAs next business day.

    These programs are similar to or better than the ones we used to offer at Nokia.
    http://phoneboy.org
    Unless otherwise noted, views expressed are my own

  20. #20
    Join Date
    2008-11-23
    Location
    Atlanta, GA
    Posts
    542
    Rep Power
    12

    Default Re: Power-1 appliance 9075 vs Splat gateways...

    And to be clear on my part, the reason it takes a few days is because we get the replacement appliance shipped to us (off-site) for us to configure and then ship to the off site location.

    Again, these are internal firewalls with a separate IPS in line to offer attack protection. The sites are on a dedicated circuit back to their data centers. There are hardening procedures that the DoD requires be performed on a system (STIG - Google it) prior to it ever being plugged into our network.

    And yes, I completely agree that the amount of time is unacceptable. If it were a perimeter system or another high-priority system this would be an unacceptable solution. Unfortunately, my team and I were handed this architecture when we got here. We were just moved from a 3 year purchase cycle to a 5 year cycle so we won't be making any purchases for another year or so. When we do, I'll be recommending a different solution, primarily because we are redesigning our data centers and WAN from the ground up. We'll be going from over fifty firewalls to somewhere around 15, while providing the same or better protection. (Doing our part to save some tax-payer dollars).
    - boldin
    CISSP
    CCSE/R65
