2. Typical use cases for Check Point Maestro

More recently, Check Point introduced the new scalable Maestro platform. We have already published an entire article on what it is and how it works . In short - it allows you to almost linearly increase the performance of the Security Gateway by combining several devices and balancing the load between them. Surprisingly, the myth still remains that this scalable platform is suitable only for large data centers or for giant networks. This is completely wrong.



Check Point Maestro was developed at once for several categories of users (we will consider them a bit later), among which there is also medium-sized business. In this short series of articles I will try to reflect the technical and economic advantages of Check Point Maestro for medium-sized organizations (from 500 users) and why this option may be better than the classical cluster .

Target Audience Check Point Maestro

First of all, let's look at the user segments for which Check Point Maestro was developed. There are 4 of them:



1. Companies that lacked chassis capabilities . Check Point Maestro is not the first scalable Check Point platform. We already wrote that previously there were such models as 64000 and 44000. Although they had GREAT performance, they still had companies that were LITTLE. Maestro eliminates this drawback, as allows you to collect up to the 31st device into one high-performance cluster. At the same time, you can assemble a cluster from top-end devices (23900, 26000), thereby achieving tremendous bandwidth.







In fact, in the field of security gateways, Check Point is the only one that implements this feature.



2. Companies that want to be able to choose hardware . One of the drawbacks of older scalable platforms is the need to use strictly defined “blade modules” (Check Point SGM). The new Check Point Maestro platform allows you to use a huge number of different devices. You can choose both models from the middle segment (5600, 5800, 5900, 6500, 6800), and from the High End segment (15000 series, 23000 series, 26000 series). Moreover, you can combine them, depending on the tasks.







This is very convenient from the point of view of optimal use of resources. You can buy only the performance you need, by choosing the right model.



3. Companies for which the chassis is too much, but scalability is still needed . Another “drawback” of the old scalable platforms (64000, 44000) was the high entry threshold (from an economic point of view). For a long time, scalable platforms were available only for large businesses with “good” IT budgets. With the advent of Check Point Maestro, everything has changed. The cost of the minimum bundle (orchestrator + two gateways) is comparable (and sometimes lower) to the classic active / standby cluster. Those. the entry threshold has decreased significantly. When choosing a solution, a company can immediately lay down a scalable architecture, while not overpaying for a possible subsequent increase in needs. Are there more users one year after the introduction of Check Point Maestro? Just add one or two gateways, without any existing replacements. You don’t even have to change the topology. Just connect the new gateways to the orchestra and apply the settings to them in just a couple of clicks.







4. Companies that want to optimally use existing devices . I think many are familiar with the Trade-In procedure. When the performance of existing devices is no longer enough and to meet current needs, you need to update the hardware. Pretty expensive procedure. Plus, quite often there is a situation when a customer has several Check Point clusters for different tasks. For example, a cluster for perimeter protection, a cluster for remote access (RA VPN), a cluster for VSX, etc. Moreover, one cluster may not have enough resources, while the other has them in abundance. Check Maestro is a great opportunity to optimize the use of these resources by dynamically distributing the load between them.







Those. You get the following benefits:

• There is no need to “discard” the existing iron. You can buy one or two gateways, or ...
• Set up dynamic load balancing between other existing gateways, for more optimal use of resources. If the load on the perimeter gateway increases sharply, then the orchestrator can use the “bored” resources of the remote access gateways and vice versa. This helps smooth out seasonal (or temporary) load peaks.

As you probably understood, the last two segments are just about the medium-sized business, which now also can afford the use of scalable security platforms. However, a reasonable question may arise: “ Why is Check Point Maestro better than a conventional cluster? ”We will try to answer this question.

Classic Cluster vs Check Point Maestro

If we talk about the classic Check Point cluster, then two operating modes are supported: High Availability (i.e. Active / Standby) and Load Sharing (i.e. Active / Active). We briefly describe their meaning of work, as well as their pros and cons.

High Availability (Active / Standby)

As the name implies, in this mode of operation, one node passes all the traffic through itself, and the second in standby mode and picks up traffic if the active node begins to experience any problems.

Pros:

• The most stable mode;
• Proprietary SecureXL mechanism is supported to speed up traffic processing;
• In case of failure of the active node, the second one is guaranteed to be able to “digest” all the traffic (because it is exactly the same).

Minuses:

In fact, only one minus - one node is completely idle. In turn, because of this, we are forced to buy more powerful hardware so that it can cope with traffic alone.







Of course, HA mode is more reliable than Load Sharing, but resource optimization leaves much to be desired.

Load Sharing (Active / Active)

In this mode, all nodes in the cluster process the traffic. You can combine up to 8 devices into such a cluster (more than 4 are not recommended ).

Pros:

• You can distribute the load between the nodes, due to which less efficient devices are required;
• Possibility of smooth scaling (adding up to 8 nodes to a cluster).

Minuses:

• Oddly enough, but the pros immediately fall out into the cons. They like to use the Load Sharing mode even when the company has only two nodes. In order to save money, devices are bought, each of which is loaded at 40-50%. And everything seems to be fine. But if one node falls, we get a situation where the entire load goes to the remaining one, which simply can not cope. As a result, fault tolerance in such a scheme is absent as such.
  
  
• Add to that a bunch of Load Sharing restrictions ( sk101539 ). And the most important limitation is that SecureXL is not supported, a mechanism that significantly speeds up traffic processing;
• As for scaling by adding new nodes to the cluster, unfortunately Load Sharing is far from ideal here. If more than 4 devices are added to the cluster, then the performance starts to fall dramatically .

Considering the first two minuses, to implement fault tolerance when using two nodes, we are also forced to purchase more efficient hardware so that it can “digest” traffic in a critical situation. As a result, we do not have any economic benefits, but we get a large number of restrictions . Moreover, it is worth noting that, starting with version R80.20, Load Sharing mode is not supported. This restricts users to the necessary updates. Whether Load Sharing will be supported in newer releases is still unknown.

Check Point Maestro as an Alternative

From a cluster point of view, Check Point Maestro took the main advantages of High Availability and Load Sharing modes:

• Gateways connected to the orchestrator can use SecureXL, which ensures the maximum speed of traffic processing. There are no other restrictions inherent to Load Sharing;
• Traffic is distributed between gateways in one Security Group (a logical gateway consisting of several physical ones). Thanks to this, less efficient devices can be built, because we no longer have idle gateways, as in High Availability mode. At the same time, you can increase power almost linearly, without such serious losses as in Load Sharing mode (more on that later).

All this is great, but let's look at two specific examples.

Example No. 1

Let company X intend to install a gateway cluster on the perimeter of the network. They have already familiarized themselves with all the limitations of Load Sharing (which are unacceptable for them) and are considering exclusively High Availability mode. After sizing, it turns out that the 6800 gateway is suitable for them, which should not be loaded by more than 50% (so that there is at least some margin in performance). Since this will be a cluster, you need to buy a second device, which will be in standby mode just “smoke” the air. A very expensive "smokehouse" comes out.

But there is an alternative. Take the bundle from the orchestra and three gateways 6500. In this case, the traffic will be distributed between all three devices. If you look at the characteristics of the two models, you will see that three 6500 gateways are more powerful than one 6800.







Thus, company X, when choosing Check Point Maestro, receives the following benefits:

• The company immediately lays a scalable platform. The subsequent increase in productivity will be reduced to the simple addition of another “piece of hardware” 6500. What could be simpler?
• The solution is still fault tolerant, as if one node fails, the remaining two will be able to cope with the load.
• An equally important and surprising advantage is cheaper! Unfortunately, I can not post prices in the public domain, but if interested, you can contact us for calculations

Example No. 2

Suppose company Y already has an HA cluster of 6500 models. The active node is 85% loaded, which at peak loads leads to losses in productive traffic. A logical solution to the problem is updating the iron. The next model is 6800. i.e. the company will need to pass the gateways under the Trade-In program and purchase two new (more expensive) devices.

But there is an alternative. Purchase an orchestra and another one exactly the same node (6500). To assemble a cluster of three devices and “smear” these 85% of the load already at three gateways. As a result, you will get a huge margin in performance (on average, three devices will be loaded by only 30%). Even if one of the three nodes “dies”, the remaining two will still cope with traffic with an average load of 45%. At the same time, for peak loads, a cluster of three active 6500 gateways will be more powerful than one 6800 gateway located in the HA cluster (i.e. active / standby). In addition, if in a year or two the company Y needs increase again, then all they need to do is add one / two nodes 6500. I think the economic benefit here is obvious.

Conclusion

Yes, Check Point Maestro is not a solution for SMB. But even medium-sized businesses can already think about this platform and at least try to calculate economic efficiency. You will be surprised when you discover that scalable platforms can be more profitable than a classic cluster. At the same time, there are advantages not only economic, but also technical. However, we will talk about them already in the next article, where in addition to the technical “chips” I will try to show some typical cases (topology, scenarios).



You can also subscribe to our publics ( Telegram , Facebook , VK , TS Solution Blog ), where you can monitor the emergence of new materials on Check Point and other security products.