Educause Security Discussion mailing list archives

Re: Checkpoint 13500 Next Generation Firewall/Security


From: Robert Rudloff <Robert.Rudloff () DU EDU>
Date: Mon, 8 Dec 2014 21:35:29 +0000

We do not use Checkpoint, but we’ve had similar issues which we handle through several different layers of network and 
security design.  We are 10Gbps to the internet – using a fairly beefy, but simple, firewall (lots of throughput, but 
not many features), an in-line malware blocking system, and then most of our other security systems (e.g., DMCA, 
IDS/IPS, etc.) are in passive mode.  Our IPS is a soft IPS, so it receives traffic passively, but it can issue blocks 
through the soft-blocking mechanism.  So far the soft IPS is highly effective for us – it has some limitations on 
blocking, but it monitors effectively, so for the few items it has trouble blocking we have procedures in place to 
leverage firewall capabilities or other solutions.

Tuning the monitoring/blocking rules and traffic controls are still the big areas of focus – once we cached to the edge 
of our network, traffic jumped dramatically in all the same categories you mention.  Then it is a matter of having solid 
search and isolation features of the security system combined with security engineers/analysts who can spend the time 
deciding what to monitor/block/etc.  We’ve found that doing the tuning in-house with advice/support from the vendor 
works the best.

Good luck – post again if you work your way through the issues.

Rob



Robert Rudloff
AVC Service Assurance & CISO
University of Denver

From: Timothy Pierson <Timothy.Pierson () LIVE COM>
Date: Friday, December 5, 2014 at 1:03 PM
Subject: Checkpoint 13500 Next Generation Firewall/Security

Greetings,

I am not sure if this is the place to post this query, however it seems the likely place to start.  We have purchased 
Checkpoint’s Next Generation Firewall/Security Appliance. The model is 13500 and we have the 11 software blade suite 
with application and DLP services.

Early September we turned the application security blade service on and it took our internet connection out, dropping 
the overall throughput from 750 Mbs to less than 50 Mbs.  Naturally this had us turning the application service off and 
engaging checkpoint.  After a couple of months, the issue, albeit somewhat improved, is not resolved to where it 
continues to significantly throttle our throughput, with massive packet drop and overall inferior end user experience.

We are not performing any blocking, we have merely turned the software blade feature on.  Checkpoint has not been able 
to resolve the issue, spent a couple of months not even knowing what the problem was, and were sure it is because of the 
unusual traffic patterns from our RESNET.

One of the things I asked was if there were any Institutions equal to or greater than 14,000 students, with a 
significant resident hall presence, that were using the Checkpoint 13500, with the 11 security feature suite, with 
application and DLP services.  Their response was that they did in fact have customers, however none of them would care 
to share their experience with this product and feature set.  Knowing our constituencies, I am a little skeptical of 
this, as I have never had a circumstance where there was an unwillingness to share common experiences.

I would like to ask if anyone is using this product, configured similarly to above, and what your experience was in 
hopes of hearing of a work around or fix.  The feeling is that the resnet traffic, which is 29% Netflix and 24% 
software download (gaming, MS, Apple or other updates), and other student behavior is at the root of the Checkpoint 
system going “belly up” under minimal load.

I would appreciate hearing within this forum or privately, from anyone who might have some experience with this product.

Thank You,

Tim Pierson
DCIO
Tenn Tech University