Re: Checkpoint 13500 Next Generation Firewall/Security

[Ian McDonald <iam () ST-ANDREWS AC UK>]

I've heard various excuses from various manufacturers where they claim that our traffic, or our networks, are somehow 
'different' from what they see 'anywhere' else.

It isn't. It's streams of packets. Probably more concurrent streams than their product was designed to handle, but 
nevertheless not unusual in networks the world over, in academia and ISP land.

I suspect that in many cases we're taking products designed for super locked down enterprise networks, with 'single 
mission' policies in place (which contain consequences for many activities we actively encourage) and trying to apply 
them to our 'multi-mission' open environments, where one finds that we're walking a line, where we need enterprise 
features at ISP-like performance levels (and vendors products which probably normally play in ISP land).

Has the vendor in question actually indicated what particular features of the flows or patterns in your traffic is 
causing the product to become impaired?

Best Regards,

--
ian

Sent from my phone, please excuse brevity and/or misspelling.
________________________________
From: Timothy Pierson<mailto:Timothy.Pierson () LIVE COM>
Sent: ‎05/‎12/‎2014 20:14
To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>
Subject: [SECURITY] Checkpoint 13500 Next Generation Firewall/Security

Greetings,

I am not sure if this is the place to post this query, however it seems the likely place to start.  We have purchased 
Checkpoint’s Next Generation Firewall/Security Appliance. The model is 13500 and we have the 11 software blade suite 
with application and DLP services.

Early September we turned the application security blade service on and it took our internet connection out, dropping 
the overall throughput from 750 Mbs to less than 50 Mbs.  Naturally this had us turning the application service off and 
engaging checkpoint.  After a couple of months, the issue, albeit somewhat improved, is not resolved to where it 
continues to significantly throttle our throughput, with massive packet drop and overall inferior end user experience.

We are not performing any blocking, we have merely turned the software blade feature.  Checkpoint had not been able to 
resolve the issue and spent a couple of months not even knowing what the problem was and were sure it is because of the 
unusual traffic patterns from our RESNET.

One of the things I asked was if there were any Institutions equal to or greater than 14,000 students, with a 
significant resident hall presence,  that was using the Checkpoint 13500, with the 11 security feature suite, with 
application and DLP services.  Their response was that they did in fact have customers, however none of them would care 
to share their experience with this product and feature set.  Knowing our constituencies, I am a little skeptical of 
this, as I have never had a circumstance where there was an unwillingness to share common experiences.

I would like to ask if anyone is using this product, configured similarly to above, and what your experience was in 
hopes of hearing of a work around or fix.  The feeling is that the resnet traffic, which is 29% Netflix and 24% 
software download (gaming, MS, Apple or other updates), and other student behavior is at the root of the Checkpoint 
system going “belly up” under minimal load.

I would appreciate hearing within this forum or privately, from anyone who might have some experience with this product.

Thank You,

Tim Pierson
DCIO
Tenn Tech University