CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.



Thread: Smartprovisioning being used for large rollouts ?

  1. #1
    Join Date
    2007-05-25
    Posts
    202
    Rep Power
    11

    Smartprovisioning being used for large rollouts ?

    Hello,
    We are faced with rolling out a few hundred gateways. They have not been purchased yet, but they will most likely be full Gaia devices, not the embedded ones. We are at R77.30 at the moment and will probably still be at this version for this rollout.

    Is SmartProvisioning still a better way to go, and would we be able to manage policy installs better with provisioning vs. using the normal SmartCenter method?

    I have looked over some of the documentation on the Check Point site, but I thought I would post this to hear of any good or bad experiences using this feature.

    Thanks
    -pat

  2. #2
    Join Date
    2014-10-10
    Posts
    248
    Rep Power
    4

    Re: Smartprovisioning being used for large rollouts ?

    Yeah, I think SmartPro is better for managing a large number of gateways (never used it with regular Gaia). But it doesn't make provisioning any easier. Zero-touch provisioning (Zero Touch portal) is destined only for embedded Gaia SMB.

  3. #3
    Join Date
    2017-03-08
    Posts
    2
    Rep Power
    0

    Re: Smartprovisioning being used for large rollouts ?

    Quote, originally posted by Irek_Romaniuk:
    "Yeah, I think SmartPro is better for managing a large number of gateways (never used it with regular Gaia). But it doesn't make provisioning any easier. Zero-touch provisioning (Zero Touch portal) is destined only for embedded Gaia SMB."

    Indeed, SmartProvisioning is the right choice when managing hundreds of gateways (whether regular Gaia or Gaia Embedded).

    BTW, regarding Zero Touch that you mentioned, it works very nicely with SmartProvisioning and you can use APIs to orchestrate the entire rollout process of the gateways and the management:
    https://supportcenter.checkpoint.com...rtProvisioning

    In addition, we've already started working on Zero Touch support for full Gaia appliances :)
    We'll be happy to speak with customers / partners that are interested. Please drop me a private message if anyone would like to get more info or participate in an EA.


    Tomer Noy | Check Point Director of SMB & Device Operations
    Last edited by noytomer; 2017-09-04 at 02:06.

  4. #4
    Join Date
    2007-05-25
    Posts
    202
    Rep Power
    11

    Re: Smartprovisioning being used for large rollouts ?

    Thanks for the info and the SK. Very much appreciated.

    -pat

  5. #5
    Join Date
    2015-08-26
    Posts
    81
    Rep Power
    3

    Re: Smartprovisioning being used for large rollouts ?

    I "believe" SmartPro may be the way to go. When configuring devices in SmartDashboard, the FWM process will start to consume all CPU and go to 100% once you get over approx. 225 or more devices (in our case the devices are 1430s). You also can't push policy to more than 15 devices at a time. We have experienced this firsthand. Also be aware that failover to a backup circuit is not as intuitive as in SmartDash. If you are doing any Dynamic NAT, it has issues when you need to define a unique subnet and apply it to the encryption domain; it doesn't seem to work.

  6. #6
    Join Date
    2007-03-30
    Location
    DFW, TX
    Posts
    103
    Rep Power
    11

    Re: Smartprovisioning being used for large rollouts ?

    The big question is whether a large number of the gateways will be effectively identical. SmartProvisioning is an extension of SmartLSM, the old large-scale management platform. It's designed to push exactly the same rules to hundreds (or thousands) of identical gateways, plugging in unique values for each one. Using retail stores as an example, each store has the registers, the WiFi, the back-of-house inventory system, and so on. With SmartProvisioning, you can write a policy which says "the inventory system" can talk to your central inventory, then Provisioning plugs in the value for each firewall. It takes the "pets versus livestock" distinction and applies it to the firewalls you manage.

    Some of the actual gateway config (like interface IPs) can be managed through SmartProvisioning, but that isn't really its strength or a big selling point. If you don't have a large number of effectively-identical firewalls, SmartProvisioning can add some convenience. Probably not a huge amount over configuring the boxes directly, though.

    If you do have hundreds of identical firewalls, SmartProvisioning is indispensable.
    Zimmie
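
The "one rule base, unique values plugged in per gateway" model described in post #6, as an added sketch that is not part of the thread and is not Check Point code or its API. The profile, the gateway names, the `DYN_` naming convention and the pre-rollout checks (missing values, subnets reused across gateways) are all constructed for this example.

```python
import ipaddress
from itertools import combinations

# Constructed profile: one shared rule base that refers to dynamic objects by name.
PROFILE_RULES = [
    {"src": "DYN_inventory", "dst": "central-inventory", "service": "tcp/8443"},
    {"src": "DYN_registers", "dst": "payment-gw", "service": "tcp/443"},
]

# Constructed per-gateway values that the shared profile is resolved against.
GATEWAYS = {
    "store-001": {"DYN_inventory": "10.1.1.0/28", "DYN_registers": "10.1.1.64/26"},
    "store-002": {"DYN_inventory": "10.1.2.0/28", "DYN_registers": "10.1.2.64/26"},
    # Deliberately broken entry: reuses store-002's subnet and lacks DYN_registers.
    "store-003": {"DYN_inventory": "10.1.2.0/28"},
}

def resolve(rules, values):
    """Plug one gateway's values into the shared rules; return (rules, missing names)."""
    resolved, missing = [], set()
    for rule in rules:
        out = dict(rule)
        for field in ("src", "dst"):
            name = rule[field]
            if name.startswith("DYN_"):
                if name in values:
                    out[field] = values[name]
                else:
                    missing.add(name)  # placeholder would reach the gateway unresolved
        resolved.append(out)
    return resolved, sorted(missing)

def overlapping(gateways):
    """Return (gw_a, gw_b, net_a, net_b) for subnets that overlap across gateways."""
    nets = [(gw, ipaddress.ip_network(cidr))
            for gw, vals in gateways.items() for cidr in vals.values()]
    return sorted((g1, g2, str(a), str(b))
                  for (g1, a), (g2, b) in combinations(nets, 2)
                  if g1 != g2 and a.overlaps(b))

def preflight(rules, gateways):
    """Check every gateway before rollout: unresolved objects and reused subnets."""
    missing = {gw: resolve(rules, vals)[1] for gw, vals in gateways.items()}
    return {"missing": {gw: m for gw, m in missing.items() if m},
            "overlaps": overlapping(gateways)}

if __name__ == "__main__":
    print(preflight(PROFILE_RULES, GATEWAYS))
```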
