I know that virtualizing Check Point's FW-1 and VPN-1 products is officially supported, but is anyone doing this in practice?
My largest reservation is plugging raw Internet into our ESX hosts. This just raises a huge red flag in my mind. I'd like to hear from others who are doing this, and especially those users who may be subject to any type of external auditing and what the response was from those audits.
I believe that with my clustered ESX hosts, I could drop the support for the Check Point Clustering and save some Y2Y costs.
I guess I'm just looking for others experiences before making a decision on this.
Thanks,
Don
Indeed from a technical standpoint, it should be possible as long as you're separating the traffic with a dedicated NIC or VLANs (obviously). I too was considering this and even though our security audit signed off on the architecture, I still don't think I would try it unless I was dealing with dedicated ESX hosts (all they run is the clustered FW). Checkpoint has always run well on smaller hardware, so it wouldn't take beefy hosts to handle it (depending on your load of course). I'll be curious if anyone else has this running in production as well, but I'm too squeamish personally...
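Added example (not code from this thread, from VMware, or from Check Point): a small check for the "dedicated NIC or VLANs" separation the reply above calls for. It models a host's vSwitch layout the way `esxcfg-vswitch -l` reports it (vSwitches, their uplinks, port groups, VLAN IDs, attached vNICs) and flags the layouts that would put raw Internet next to the service console or other guests. The data model, the rule set, the VM names and both sample hosts are assumptions constructed for the example; the one vendor fact it relies on is that port-group VLAN ID 4095 on an ESX vSwitch means "pass all tagged VLANs" (virtual guest tagging).

```python
"""Does an ESX host's vSwitch layout keep a virtualized firewall's outside
(Internet-facing) segment away from everything else on the host?

Constructed example: the data model approximates what `esxcfg-vswitch -l`
shows; the rules are our own hardening rules, not a vendor checklist."""
from dataclasses import dataclass, field
from typing import List

VGT_ALL_VLANS = 4095  # ESX port-group VLAN ID meaning "pass every tagged VLAN"


@dataclass
class PortGroup:
    name: str
    vlan_id: int                                   # 0 = untagged
    vnics: List[str] = field(default_factory=list)  # "<vm>:<adapter>" attached here
    management: bool = False                       # service console / vmkernel port


@dataclass
class VSwitch:
    name: str
    uplinks: List[str]          # physical NICs (vmnicN) bound to this switch
    portgroups: List[PortGroup]


def outside_isolation_findings(vswitches, outside_pg_name, firewall_vms):
    """Return findings for the outside segment (empty list = looks isolated).

    1. only firewall VMs attach to the outside port group
    2. no service console / vmkernel port shares the outside vSwitch
    3. the outside vSwitch has a physical uplink and no VGT (4095) port group
    4. untagged outside: the whole vSwitch is dedicated to the firewall VMs
    5. tagged outside: its VLAN ID appears on no other port group on the host
    """
    fw = set(firewall_vms)
    owner = outside = None
    for vs in vswitches:
        for pg in vs.portgroups:
            if pg.name == outside_pg_name:
                owner, outside = vs, pg
    if owner is None:
        return [f"port group {outside_pg_name!r} not found on this host"]

    def vm_of(vnic):
        return vnic.split(":", 1)[0]

    findings = []
    for vnic in outside.vnics:                                        # rule 1
        if vm_of(vnic) not in fw:
            findings.append(f"{outside.name}: non-firewall vNIC {vnic} is on the outside segment")
    if not owner.uplinks:                                             # rule 3
        findings.append(f"{owner.name}: outside vSwitch has no physical uplink")
    for pg in owner.portgroups:
        if pg.management:                                             # rule 2
            findings.append(f"{owner.name}/{pg.name}: management port shares the outside vSwitch")
        if pg.vlan_id == VGT_ALL_VLANS:                               # rule 3
            findings.append(f"{owner.name}/{pg.name}: VLAN 4095 (all VLANs) would expose outside traffic to guests")
        if outside.vlan_id == 0 and pg is not outside:                # rule 4
            for vnic in pg.vnics:
                if vm_of(vnic) not in fw:
                    findings.append(f"{owner.name}/{pg.name}: untagged outside segment shares a vSwitch with non-firewall VM {vm_of(vnic)}")
    if outside.vlan_id not in (0, VGT_ALL_VLANS):                     # rule 5
        for vs in vswitches:
            for pg in vs.portgroups:
                if pg is not outside and pg.vlan_id == outside.vlan_id:
                    findings.append(f"{vs.name}/{pg.name}: reuses outside VLAN {outside.vlan_id}")
    return findings


# Constructed sample: the "plug raw Internet into vSwitch0" layout the thread worries about.
SHARED_HOST = [
    VSwitch("vSwitch0", ["vmnic0"], [
        PortGroup("Service Console", 0, management=True),
        PortGroup("Outside", 100, vnics=["cpfw1:eth0"]),
        PortGroup("VM Network", 0, vnics=["fileserver:eth0", "cpfw1:eth1"]),
    ]),
    VSwitch("vSwitch1", ["vmnic1"], [
        PortGroup("Lab", 100, vnics=["labbox:eth0"]),  # outside VLAN reused elsewhere
    ]),
]

# Constructed sample: outside segment on its own pNIC and vSwitch, firewall only.
DEDICATED_HOST = [
    VSwitch("vSwitch0", ["vmnic0"], [
        PortGroup("Service Console", 0, management=True),
        PortGroup("VM Network", 10, vnics=["fileserver:eth0", "cpfw1:eth1"]),
    ]),
    VSwitch("vSwitch1", ["vmnic1"], [
        PortGroup("Outside", 0, vnics=["cpfw1:eth0"]),
    ]),
]

if __name__ == "__main__":
    for label, host in (("shared", SHARED_HOST), ("dedicated", DEDICATED_HOST)):
        print(label, outside_isolation_findings(host, "Outside", ["cpfw1"]) or ["ok"])
```

On the shared layout the check reports the service console sharing the outside vSwitch and VLAN 100 being reused on vSwitch1; the dedicated layout comes back clean. Running something like this as part of the audit evidence is easier to defend than a diagram, since it is re-run after every host change.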
What would be the point of virtualising the firewall in that case? You might as well keep it physical and take full advantage of the hardware.
Tom Howarth
VMware Communities User Moderator
That's my other issue with virtualizing a firewall App. Once you get through the security concerns, you're pretty much back to local hardware. I think the base architecture though would be to utilize VMware clustering instead of Checkpoint clustering. Just because you don't get the benefit of increased utilization on the hardware, it might still be worth doing the alternate clustering method...
I agree with Tom. Virtualization would indeed be possible, and depending on the number of pNICs you have installed, you may save a box or two. While most shops scoff at the idea of having multiple tiers tie into one (ESX) box, once you get past the misconceptions/misunderstandings of virtualization it's going to come down to cycle isolation or redundancy. In this scenario, I tend to think para-virtualization might be a better fit for this, but off the top of my head I'm not sure how that ties into your redundancy wants/needs.