CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.


Thread: VE HA

  #1  VE HA
      Posted by Tsubasa (Japan, joined 2016-09-13)

    Hi guys

    Researched the SKs and forums, but no clear solution yet.


    ###
    Requirements
    ###

    Deploy a Check Point solution in HA active/passive at the edge.

    Check Point solution: the customer insists on the virtual solution.

    >>> virtual appliance

    1) Virtual appliance (vSEC or Gaia .iso) deployed on two ESXi hosts.

    Doing HA with ClusterXL between these appliances.

    2) vSEC or Gaia .iso on two ESXi hosts.
    Doing HA with an ESXi cluster. (What will the Check Point virtual appliance config be?)

    >>> two physical appliances (5000 series) with ClusterXL active/passive

    This is our recommended solution, as the virtual one depends on the ESXi hosts for performance, bugs, etc.

    ###
    Topology
    ###

    Internet -> Check Point HA solution -> internal zone LAN
                          |
                         DMZ

    Has anyone done this implementation?

    What are your recommendations/suggestions?

    Are there performance differences between the virtual appliance .ova and the Gaia .iso?

    Thanks.

    Tsubasa

  #2  Re: VE HA
      Posted by varera (Lausanne, joined 2006-03-08)

    Option 2 is the best.

    Main concerns about VE are that it does not have its own clustering and that it is designed to control communications through the VMware environment and nothing else. Regular Gaia on VMware is not supported.
    -------------

    Valeri Loukine
    CCMA, CCSM, CCSI
    http://checkpoint-master-architect.blogspot.com/

  #3  Re: VE HA
      Posted by Tsubasa (Japan, joined 2016-09-13)

    Thanks for the answer.


    >>> Normal Gaia is not supported.
    You mean it's not officially supported?

    Can you please point me to such a document?

    Thank you.

  #4  Re: VE HA
      Posted by Tsubasa (Japan, joined 2016-09-13)

    Quote Originally Posted by varera:
        Option 2 is the best.

        Main concerns about VE are that it does not have its own clustering and that it is designed to control communications through the VMware environment and nothing else. Regular Gaia on VMware is not supported.

    I installed VE network mode from the OVF file. It's the same as the normal .iso; it also looks like it can do ClusterXL (you can choose the ClusterXL ID and see it in cpconfig).
    sk101441; sk104859


    ###
    OVF
    ###
    Check_Point_Security_Gateway_R77.30_T204_OVF_Template_Gaia.tgz

    Thanks.

  #5  Re: VE HA
      Posted by EricAnderson (joined 2014-09-02)

    Quote Originally Posted by Tsubasa:
        Customer insists on the virtual solution

    It's your job to educate your customer, and make sure they understand what they're asking for. While they may love the idea of virtualizing everything they can, it doesn't always make sense. The fact that Check Point offers a "Virtual Edition" often leads to misinterpretation of its intent.

    At the risk of oversimplifying (don't flame me, guys), let me try and clarify a few terms:

    .ovf vs. .iso
    The only real difference here is deployment method. An .ovf is simply a pre-packaged VM template that's a bit easier to deploy, and easier for Check Point to support (since they have made all of the deployment choices for you). It can still be customized a bit, but in the end you have something that you could build yourself with an .iso. Deploying from .iso allows you more flexibility (and is also useful for deploying on physical hardware).

    Security Gateway
    Here we're most often referring to physical "firewalls" that are handling network-level traffic. When you refer to these gateways being at "the edge", I infer that you're talking about perimeter firewalls. The solution here would almost always be to use physical devices (like the 5000s you've suggested), forcing your perimeter traffic to traverse physical network devices. While it's possible to install and deploy this in a VM (and we often do for lab/testing/training purposes), this would expose production environments to performance, stability, and misconfiguration issues (like exposing guest VMs by connecting them to the wrong virtual networks). As Val said, this would also most likely not be supported.

    vSEC
    Check Point's vSEC offering is distinctly different from a standard Security Gateway. vSEC aims to address the complex task of extending your security inside of the virtual environment, reliably securing "East/West" traffic between VMs. It does this by hooking into the hypervisor in ways that a virtualized gateway cannot. This is a very cool solution, and your customer may be interested in it along with the physical gateways they likely need.

    One more note: it's not uncommon to see management devices (SMS, SmartEvent) deployed as VMs, since they are simply servers/hosts and don't handle network traffic. You just need to be careful to allocate enough resources for those systems to perform properly. Also, compare costs of open server vs. the appropriate appliance. This may help appease your client's desire for virtualization.

    Hope that helps.

    -E
    Last edited by EricAnderson; 2016-12-18 at 23:49.

  #6  Re: VE HA
      Posted by Tsubasa (Japan, joined 2016-09-13)

    Thanks for the answer.

    WOW..its very clear now.

    Arigatou Gozaimasu.

    >>> One more note: it's not uncommon to see management devices (SMS, SmartEvent) deployed as VMs, since they are simply servers/hosts and don't handle network traffic. You just need to be careful to allocate enough resources for those systems to perform properly.
    We are planning to do this.

    >>> Also, compare costs of open server vs. the appropriate appliance.

    Thank you very much.

    Tsubasa

  #7  Re: VE HA
      Posted by varera (Lausanne, joined 2006-03-08)

    Quote Originally Posted by Tsubasa:
        I installed VE network mode from the OVF file. It's the same as the normal .iso; it also looks like it can do ClusterXL (you can choose the ClusterXL ID and see it in cpconfig).
        sk101441; sk104859

        ###
        OVF
        ###
        Check_Point_Security_Gateway_R77.30_T204_OVF_Template_Gaia.tgz

        Thanks.

    In addition to Eric's explanation,

    the only supported GW on VMware is vSEC, i.e. the special VMware release. Having clustering there does not make sense, as VMware already has its own redundancy mechanisms.

    Although you can technically deploy a regular Check Point GW via ISO on VMware, this is not a supported deployment. You can check that yourself in the HCL table: https://www.checkpoint.com/support-services/hcl/#vm

    The only supported gateway versions on VMware are marked "Virtual Edition", i.e. VE or vSEC.

    VMware deployment is just fine for management servers and lab GW trials. Yet having a regular production GW on VMware will render your system unsupported, unless it is VE/vSEC. Check Point will reject your support calls if VMware markers are found in the CPINFO of your GW.
    Last edited by varera; 2016-12-19 at 10:08.
    -------------

    Valeri Loukine
    CCMA, CCSM, CCSI
    http://checkpoint-master-architect.blogspot.com/
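    Valeri's point about VMware markers in CPINFO is easy to check for yourself before a case is opened. The script below is an added example (mine, not the thread's and not Check Point's). The page does not say what cpinfo actually inspects, so this reads the ordinary Linux markers a Gaia box exposes: the DMI vendor/product strings, the CPU "hypervisor" flag, and NIC MAC prefixes registered to VMware. The platform labels and the one-line verdict format are this script's own choices.

```shell
#!/bin/sh
# Added example, not from the thread or Check Point: report the virtualization
# markers a support engineer would spot in cpinfo output. Assumptions: Gaia exposes
# the usual Linux sysfs/proc files; labels and output format are this script's own.

# Classify a DMI vendor/product string. Anything unrecognised is reported as
# physical-or-unknown rather than guessed.
vendor_to_platform() {
    case "$1" in
        *VMware*)              echo vmware ;;
        *"Virtual Machine"*)   echo hyperv ;;
        *QEMU*|*KVM*|*Bochs*)  echo kvm ;;
        *Xen*|*"HVM domU"*)    echo xen ;;
        *)                     echo physical-or-unknown ;;
    esac
}

# VMware-registered MAC prefixes: 00:50:56 (vCenter/manual), 00:0C:29 (ESX
# auto-assigned), 00:05:69 (legacy). Returns 0 when the address is one of them.
mac_is_vmware() {
    mac=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    case "$mac" in
        00:50:56:*|00:0c:29:*|00:05:69:*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print a sysfs/proc file if readable, otherwise nothing (never a failure).
read_or_empty() { [ -r "$1" ] && cat "$1" 2>/dev/null || true; }

# Combine DMI strings, the CPU "hypervisor" flag and NIC OUIs into one verdict:
#   platform:<label> cpu_hypervisor_flag:<yes|no> vmware_nics:<count>
detect_hypervisor() {
    vendor=$(read_or_empty /sys/class/dmi/id/sys_vendor)
    product=$(read_or_empty /sys/class/dmi/id/product_name)
    platform=$(vendor_to_platform "$vendor $product")
    if grep -qw hypervisor /proc/cpuinfo 2>/dev/null; then hv=yes; else hv=no; fi
    n=0
    for f in /sys/class/net/*/address; do
        [ -r "$f" ] || continue
        if mac_is_vmware "$(cat "$f")"; then n=$((n + 1)); fi
    done
    echo "platform:$platform cpu_hypervisor_flag:$hv vmware_nics:$n"
}

detect_hypervisor
```

    Run it in expert mode on the gateway. A verdict of "platform:vmware" together with VMware-prefixed NICs is exactly the situation Valeri describes, and the licensing warning in PhoneBoy's post applies to the same box.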

  #8  Re: VE HA
      Posted by Tsubasa (Japan, joined 2016-09-13)

    Thanks for your answers guys.

    You helped me a lot.

    Tsubasa

  #9  Re: VE HA
      Posted by EricAnderson (joined 2014-09-02)

    Quote Originally Posted by varera:
        In addition to Tim's explanation

    Val, I know all of us Americans look the same to you, but I'm not Tim. I won't take it as an insult, but he may. ;)

    -E

  #10  Re: VE HA
      Posted by varera (Lausanne, joined 2006-03-08)

    Quote Originally Posted by EricAnderson:
        Val, I know all of us Americans look the same to you, but I'm not Tim. I won't take it as an insult, but he may. ;)

        -E

    Damn, I am so stupid today :-( Corrected. Apologies...
    -------------

    Valeri Loukine
    CCMA, CCSM, CCSI
    http://checkpoint-master-architect.blogspot.com/

  #11  Re: VE HA
      Posted by Maarten (Netherlands, Europe, joined 2008-07-31)

    Just to add another opinion to this.
    Where would we deploy which type of gateway?
    1. VE or vSEC in an environment that is part of a bigger environment, where the VMware environment itself is completely isolated from the VMs and all the VE protects is some specific VMs with limited Internet access. You should not use it to provide access from the Internet to your VMware setup, as you might lock yourself out. (Obviously.)
    2. Appliance/Open Server for anything where Internet access is needed, inbound or outbound.
    3. VSX (not yet mentioned) in environments where you need multiple firewalls at the same location to protect different networks/companies/departments and completely separate their individual needs, policies, etc.


    On the clustering part, do keep in mind a cluster will give you flexibility when you need to install patches/upgrades or anything like that, BUT it will also come with some challenges regarding configuration of the virtual switches, either VMware's or Cisco's Nexus.
    As an MSP we have all different flavors running.
    Regards, Maarten.
    Dual P1 R77.30, VSX, IPSO, SPLAT, GAIA mostly.

  #12  Re: VE HA
      Posted by a member from Gig Harbor, WA, USA (joined 2005-08-14)

    There are actually seven solutions that are called vSEC (see product page):
    • vSEC for Cisco ACI
    • vSEC for VMware NSX
    • vSEC for OpenStack
    • vSEC for Amazon Web Services
    • vSEC for Microsoft Azure
    • vSEC for VMware vCloud Air
    • vSEC Virtual Edition


    The rest of this will focus on vSEC Virtual Edition.
    This is the Check Point product in a virtual machine that runs on VMware ESX without the use of NSX.
    It's what we used to call Check Point Virtual Edition (VE) Network Mode and should operate like a regular, Layer 3 gateway.
    The old VE Hypervisor Mode product relies on components that VMware has deprecated--no further versions of this product will be produced.

    The vSEC for X products all have their own image files in their relevant formats in their appropriate marketplaces (public cloud) or User Center (private cloud).
    vSEC Virtual Edition can be installed in VMware either as an OVF or using the regular installation ISO (though OVF is recommended).

    You can run management virtualized in VMware, AWS, Azure, or vCloud Air using regular Open Server licenses.
    For gateway use in VMware, you must use vSEC Virtual Edition licensing; regular Open Server licenses are NOT supported and will generate license errors.

    Hopefully that clears things up.
    http://phoneboy.com
    Unless otherwise noted, views expressed are my own
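    PhoneBoy recommends the OVF over the ISO for vSEC Virtual Edition. Whichever template you download, check the files against the package manifest before importing it into ESXi: an OVF package ships a .mf file with one "SHA256(name)= hex" (or "SHA1(name)= hex" in older packages) line per file. The script below is an added example, not from the thread or from Check Point; the sample filenames it constructs for its self-check are placeholders and are not the contents of the R77.30 template archive named earlier in the thread.

```shell
#!/bin/sh
# Added example, not from the thread or Check Point: verify an unpacked OVF
# template against its .mf manifest before deploying it. Assumptions: the
# package is unpacked into one directory; manifest lines follow the OVF form
# "SHA256(<name>)= <hex>" or "SHA1(<name>)= <hex>"; sample files are placeholders.

# Hex digest of a file with the named algorithm (sha256sum/sha1sum on Gaia and
# Linux, shasum on BSD/macOS).
digest_file() {
    algo=$1; file=$2
    case "$algo" in
        SHA1)   tool=sha1sum;   alt="shasum -a 1" ;;
        SHA256) tool=sha256sum; alt="shasum -a 256" ;;
        *)      echo "unsupported digest algorithm: $algo" >&2; return 2 ;;
    esac
    if command -v "$tool" >/dev/null 2>&1; then
        "$tool" "$file" | cut -d' ' -f1
    else
        $alt "$file" | cut -d' ' -f1
    fi
}

# Check every manifest entry against the file next to the manifest.
# Prints one OK/MISMATCH/MISSING line per entry; returns 0 only if all match.
verify_ovf_manifest() {
    mf=$1
    dir=$(dirname "$mf")
    status=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ""|"#"*) continue ;;
        esac
        algo=${line%%"("*}                       # text before "("
        rest=${line#*"("}; name=${rest%%")"*}    # text between "(" and ")"
        expected=$(printf '%s' "${line#*=}" | tr 'A-F' 'a-f' | tr -d ' \r')
        target="$dir/$name"
        if [ ! -f "$target" ]; then
            echo "MISSING  $name"; status=1; continue
        fi
        actual=$(digest_file "$algo" "$target") || { status=1; continue; }
        if [ "$actual" = "$expected" ]; then
            echo "OK       $name"
        else
            echo "MISMATCH $name"; status=1
        fi
    done < "$mf"
    return $status
}

# Constructed sample package (placeholder descriptor and disk) with a correct
# manifest, used for the stand-alone self-check below.
make_sample_template() {
    d=$1
    printf '<?xml version="1.0"?><Envelope/>\n' > "$d/sample.ovf"
    printf 'placeholder disk image\n' > "$d/sample-disk1.vmdk"
    {
        printf 'SHA256(sample.ovf)= %s\n' "$(digest_file SHA256 "$d/sample.ovf")"
        printf 'SHA256(sample-disk1.vmdk)= %s\n' "$(digest_file SHA256 "$d/sample-disk1.vmdk")"
    } > "$d/sample.mf"
}

if [ $# -ge 1 ]; then
    verify_ovf_manifest "$1"          # real use: sh verify_ovf.sh /path/to/template.mf
else
    tmp=$(mktemp -d)                  # no argument: self-check on the constructed sample
    make_sample_template "$tmp"
    verify_ovf_manifest "$tmp/sample.mf"
    rm -rf "$tmp"
fi
```

    Unpack the template, run the script against the .mf, and only import when every line reads OK. A manifest only proves the files belong together; whether the package itself came from Check Point is established by downloading it from the User Center over TLS, which the manifest cannot substitute for.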

  #13  Re: VE HA
      Posted by Tsubasa (Japan, joined 2016-09-13)

    Thanks all.
    It's clear now.

  #14  Re: VE HA
      Posted by Tsubasa (Japan, joined 2016-09-13)

    Will be deploying two physical 5400s in HA active/passive.
    SMS + SmartEvent (same machine) will be virtual.

    Do you recommend VMware HA (two different ESXi servers) for SMS and SmartEvent?

  #15  Re: VE HA
      Posted by chillyjim (Upstate NY, joined 2005-08-29)

    We always recommend management HA, but as to whether it is required in a given environment, it depends on your level of risk tolerance.
    As long as you keep good documentation and perform migrate exports on a regular basis, you can recover management pretty fast.

  #16  Re: VE HA
      Posted by laf_c (Bucharest, joined 2013-09-25)

    Quote Originally Posted by chillyjim:
        We always recommend management HA, but as to whether it is required in a given environment, it depends on your level of risk tolerance.
        As long as you keep good documentation and perform migrate exports on a regular basis, you can recover management pretty fast.

    What's the point of having Management HA if using ESX? ESX has a very good redundancy level, and if backups are up to date on the mgmt. server, then why 2 VMs?

  #17  Re: VE HA
      Posted by Tsubasa (Japan, joined 2016-09-13)

    Quote Originally Posted by laf_c:
        What's the point of having Management HA if using ESX? ESX has a very good redundancy level, and if backups are up to date on the mgmt. server, then why 2 VMs?

    Will go with one VM and daily backups.

    VM = management + SmartEvent
    VM RAM: 16 GB
    CPU: 4 cores

    SmartEvent licensing is a little bit unclear though. :)
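    chillyjim's advice (regular migrate exports) and Tsubasa's decision (one VM, daily backups) come down to the same routine. Below is an added example, not from the thread or from Check Point, of a cron job that runs the export, writes a SHA-256 sidecar, verifies the archive, and prunes old copies. It assumes the tool lives at $FWDIR/bin/upgrade_tools/migrate and that "migrate export -n <base>" writes <base>.tgz non-interactively; BACKUP_DIR, RETAIN_DAYS and the file naming are this script's own choices. An export contains the whole management database including the ICA, so the directory is created mode 700 and the archives should be copied off the SMS over an authenticated channel rather than left there.

```shell
#!/bin/sh
# Added example, not from the thread or Check Point: daily management export with
# a SHA-256 sidecar, verification and retention pruning. Assumptions: $FWDIR is
# set (Gaia sets it for expert mode), "$FWDIR/bin/upgrade_tools/migrate export -n
# <base>" produces <base>.tgz non-interactively; directory, retention and naming
# below are placeholders to adjust.

BACKUP_DIR=${BACKUP_DIR:-/var/log/mgmt_exports}
RETAIN_DAYS=${RETAIN_DAYS:-14}
MIGRATE_TOOL=${MIGRATE_TOOL:-${FWDIR:-/nonexistent}/bin/upgrade_tools/migrate}

# Dated base name: one export per day, so a rerun on the same day overwrites it.
export_basename() { printf 'mgmt_export_%s' "$1"; }

# Portable SHA-256 of a file (coreutils on Gaia/Linux, shasum on BSD/macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
    else shasum -a 256 "$1" | cut -d' ' -f1; fi
}

# Run the export and refuse to go on unless a non-empty archive actually appeared.
run_export() {
    tool=$1; base=$2
    "$tool" export -n "$base" >/dev/null 2>&1 || return 1
    [ -s "$base.tgz" ] || return 1
}

# The archive must be a readable tarball and must match its sidecar digest.
verify_export() {
    archive=$1
    tar -tzf "$archive" >/dev/null 2>&1 || return 1
    [ -r "$archive.sha256" ] || return 1
    [ "$(sha256_of "$archive")" = "$(cut -d' ' -f1 "$archive.sha256")" ]
}

# Remove exports and sidecars older than the retention window (strictly > N days).
prune_old_exports() {
    find "$1" -maxdepth 1 -name 'mgmt_export_*' -mtime +"$2" -type f -exec rm -f {} +
}

# One daily cycle: export, digest, verify, prune. Prints the archive path and
# returns 0 only when the new export verified; nothing is pruned on failure.
daily_backup() {
    dir=$1; tool=$2; retain=$3; day=${4:-$(date +%Y%m%d)}
    mkdir -p "$dir" && chmod 700 "$dir"      # exports carry the policy and the ICA
    base="$dir/$(export_basename "$day")"
    run_export "$tool" "$base" || { echo "export failed: $base" >&2; return 1; }
    sha256_of "$base.tgz" > "$base.tgz.sha256"
    verify_export "$base.tgz" || { echo "verification failed: $base.tgz" >&2; return 1; }
    prune_old_exports "$dir" "$retain"
    echo "$base.tgz"
}

if [ -x "$MIGRATE_TOOL" ]; then
    daily_backup "$BACKUP_DIR" "$MIGRATE_TOOL" "$RETAIN_DAYS"
else
    echo "migrate tool not found at $MIGRATE_TOOL; run from a Check Point shell with FWDIR set" >&2
fi
```

    Schedule it from cron in expert mode with the Check Point environment sourced so that $FWDIR is set, and have a second job copy the verified .tgz and .sha256 pair off the box. The sidecar is what lets the restore side confirm the archive was not damaged or swapped in transit; the migrate export itself carries no integrity check of its own that the page mentions.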

  #18  Re: VE HA
      Posted by Tsubasa (Japan, joined 2016-09-13)

    >>> SmartEvent licensing is a little bit unclear though. :)

    Found sk106494.
    What license is required for a Next Generation SmartEvent?
    If you have older SmartReporter/SmartEvent licenses, can you still use the Next Generation SmartEvent?

    The license required for NGSE is the same license used for SmartEvent R77.x and earlier versions, so older perpetual Software Blade licenses will work with the new versions and no additional licenses would be required.

    For Check Point Smart-1 appliances: Smart-1 SmartEvent appliance, or Next-Generation Smart-1 Appliance.
    For Open Servers: Management Container + SmartEvent software blade
