VMware Cloud Community
-DZ-
Contributor

Virtualizing Check Point Firewalls?

I know that virtualizing Check Point's FW-1 and VPN-1 products is officially supported, but is anyone doing this in practice?

My largest reservation is plugging raw Internet into our ESX hosts. This just raises a huge red flag in my mind. I'd like to hear from others who are doing this, and especially those users who may be subject to any type of external auditing and what the response was from those audits.

I believe that with my clustered ESX hosts, I could drop the support for the Check Point Clustering and save some Y2Y costs.

I guess I'm just looking for others experiences before making a decision on this.

Thanks,

Don

4 Replies
ltfields
Contributor

Indeed from a technical standpoint, it should be possible as long as you're separating the traffic with a dedicated NIC or VLANs (obviously). I too was considering this and even though our security audit signed off on the architecture, I still don't think I would try it unless I was dealing with dedicated ESX hosts (all they run is the clustered FW). Checkpoint has always run well on smaller hardware, so it wouldn't take beefy hosts to handle it (depending on your load of course). I'll be curious if anyone else has this running in production as well, but I'm too squeamish personally...

TomHowarth
Leadership

Indeed from a technical standpoint, it should be possible as long as you're separating the traffic with a dedicated NIC or VLANs (obviously). I too was considering this and even though our security audit signed off on the architecture, I still don't think I would try it unless I was dealing with dedicated ESX hosts (all they run is the clustered FW). Checkpoint has always run well on smaller hardware, so it wouldn't take beefy hosts to handle it (depending on your load of course). I'll be curious if anyone else has this running in production as well, but I'm too squeamish personally...

What would be the point of virtualising the firewall in that case? You might as well keep it physical and take full advantage of the hardware.

Tom Howarth VCP / VCAP / vExpert
VMware Communities User Moderator
Blog: http://www.planetvm.net
Contributing author on VMware vSphere and Virtual Infrastructure Security: Securing ESX and the Virtual Environment
Contributing author on VCP VMware Certified Professional on VSphere 4 Study Guide: Exam VCP-410
ltfields
Contributor

That's my other issue with virtualizing a firewall App. Once you get through the security concerns, you're pretty much back to local hardware. I think the base architecture though would be to utilize VMware clustering instead of Checkpoint clustering. Just because you don't get the benefit of increased utilization on the hardware, it might still be worth doing the alternate clustering method...

adolopo
Enthusiast

I agree with Tom. Virtualization would indeed be possible, and depending on the number of pNICs you have installed, you may save a box or 2. While most shops scoff at the idea of having multiple tiers tie into one (ESX) box, once you get past misconceptions/misunderstandings of virtualization it's going to come down to cycle isolation or redundancy. In this scenario, I tend to think para-virtualization might be a better fit for this, but off the top of my head I'm not sure how that ties into your redundancy wants/needs.
