Appliance Comparison Chart
©2016 Check Point Software Technologies Ltd. All rights reserved. Classification: [Protected] — All rights reserved. | 2
Appliance Comparison Chart
May 11, 2016
1 Aassumes maximum production throughput with real-world traffic blend, a typical rule-base size, NAT and logging enabled and the most secure threat prevention protection
2 Performance measured with default/maximum memory
3200 5200 5400 5600 5800
Branch Office Small Enterprise Mid-Size Enterprise
Production Performance (Real-World Traffic Blend)
SecurityPower 250 425 600 950 1750
Firewall (Gbps) 2.1 5.3 10 17.5 22
IPS Throughput (Gbps) 460 Mbps 810 Mbps 1.08 1.9 3.05
NGFW Throughput (Gbps) 260 Mbps 520 Mbps 690 Mbps 1.18 2
Threat Prevention (Gbps) 140 Mbps 250 Mbps 330 Mbps 540 Mbps 1
Ideal Testing Conditions Performance (RFC 3511, 2544, 2647, 1242 )
Firewall Throughput (Gbps) 4 16 22 25 35
Connections Per Second (K) 48 125 150 185 185
Concurrent Sessions (M)1 3.2 3.2/6.4 3.2/6.4 3.2/6.4 3.2/6.4
VPN Throughput (Gbps) 2.25 1.88 2.16 6.5 10
IPS Throughput (Gbps) 1.44 3 3.9 7.8 10
NGFW Throughput (Gbps) 1.15 2.7 3.4 5.8 8.1
Network
10/100/1000Base-T (Base/Max) 6/6 6/14 10/18 10/18 10/26
1000Base-F SFP (Base/Max) NA 0/4 0/4 0/4 0/8
10GBase-F SFP+ (Base/Max) NA 0/0 0/0 0/4 0/8
40GB QSFP (Base/Max) NA NA NA NA 0/4
Expansion Slot NA 1 1 1 2
Fail-Over NIC Option NA Yes Yes Yes Yes
Additional Features
Storage 1x 320 GB 1x 500 GB 1x 500 GB 1x 500 GB 1x 500 GB
Memory Options (GB) 8 8 8, 16 8, 16 8, 16
LOM Card NA Optional Optional Optional Included
Virtual Systems
Maximum (base/HPP)2 10 10/20 10/20 10/20 10/20
Physical
Enclosure Desktop 1U 1U 1U 1U
Weight 1.3kg (2.9 lbs) 6.22kg (13.7 lbs) 6.37kg (14 lbs) 7.95kg (17.53 lbs) 8.37kg (18.45 lbs)
Power
Dual, Hot-Swappable Power Supplies NA NA NA Optional Optional
Power Input 90-264V, 47-63 Hz
Single Power Supply Rating 40W 250W 250W 275W 275W
Power Consumption (Max) 29.5W 62.9W 76.5W 103W 110W
Security Gateway Appliances
©2016 Check Point Software Technologies Ltd. All rights reserved. Classification: [Protected] — All rights reserved. | 3
Appliance Comparison Chart
May 11, 2016
1 Assumes maximum production throughput with real-world traffic blend, a typical rule-base size, NAT and logging enabled and the most secure threat prevention protection 2 Performance measured with default/maximum memory
15400 15600 23500 23800
Large Enterprise Data Center Grade
Production Performance (Real-World Traffic Blend)1
SecurityPower 2600 3850 4900 6200
Firewall (Gbps) 30 30 34 43
IPS Throughput (Gbps) 4.5 8 10 12
NGFW Throughput (Gbps) 3 5.2 6.3 7.2
Threat Prevention (Gbps) 1.5 2.5 2.9 3.6
Ideal Testing Conditions Performance (RFC 3511, 2544, 2647, 1242)
Firewall Throughput (Gbps) 58 77 116 128
Connections Per Second (K) 185 185 200 200
Concurrent Sessions (M)2 3.2/9.6 6.4/12.8 12.8/25.6 12.8/28
VPN Throughput (Gbps) 10.8 15.8 26 26
IPS Throughput (Gbps) 14 18 22 30
NGFW Throughput (Gbps) 12 17 20 27
Network
10/100/1000Base-T (Base/Max) 10/26 10/26 10/42 10/42
1000Base-F SFP (Base/Max) 0/12 0/12 0/20 0/20
10GBase-F SFP+ (Base/Max) 2/12 2/12 2/20 2/20
40GBase QSFP (Base/Max) 0/4 0/4 0/4 0/4
Expansion Slot 3 3 5 5
Fail-Open/Bypass NIC Option Yes Yes Yes Yes
Additional Features
Storage 1x 1TB 2x 1TB RAID1 2x 1TB RAID1 2x 1TB RAID1
Memory Options (GB) 8/24 16/32 16/64 32/64
LOM Card Included Included Included Included
LCD Display Graphic LCD Graphic LCD Graphic LCD Graphic LCD
Virtual Systems
Maximum (base/HPP)2 10/40 60/80 60/125 125/250
Physical
Enclosure 2U 2U 2U 2U
Weight 14.3kg (31.5 lbs) 14.3kg (31.5 lbs) 15.8kg (34.8 lbs) 15.8 kg (34.8 lbs.)
Power
Hot-Swappable Power Supplies Included Included Included Included
Power Input 90-264V, 47-63 Hz
Single Power Supply Rating 600W 600W 800W 800W
Power Consumption (Max) 263W 297W 383W 399W
Security Gateway Appliances continued
©2016 Check Point Software Technologies Ltd. All rights reserved. Classification: [Protected] — All rights reserved. | 4
Appliance Comparison Chart
May 11, 2016
1 Assumes maximum production throughput with real-world traffic blend, a typical rule-base size, NAT and logging enabled and the most secure threat prevention protection
2 With memory upgrade and the GAiA OS 3 Via a Solutions Center request
2200 4200 4400 4600 4800
Small-Office Enterprise Grade
Production Performance (Real-World Traffic Blend)1
SecurityPower 121 121 230 405 673
Firewall (Gbps) 1.4 1.4 2.2 3.4 5.8
Firewall and IPS (Mbps) 150 165 360 630 1100
RFC 3511, 2544, 2647, 1242 Performance Tests (LAB)
Firewall Throughput (Gbps) 3 3 5 9 11
VPN Throughput (Gbps) 0.4 0.4 1.2 1.5 2
IPS Recommended Profile (Gbps) 0.3 0.3 0.7 1 1.5
Connections Per Second (K) 25 25 40 50 70
Concurrent Sessions (M) 1.2 1.2 1.2 1.2 3.32
Network
10/100/1000Base-T/Max Ports 6/6 4/8 8/12 8/12 8/16
1000Base-F SFP (MAX Ports) NA 4 4 4 4
10GBase-F SFP+ (MAX Ports) NA NA NA NA 2
Expansion Slot 0 1 1 1 1
Fail-Open/Bypass NIC Option No Yes Yes Yes Yes
Additional Features
Storage 250 GB 250 GB 250 GB 250 GB 250 GB
Memory / Max 4/4 GB 4/4 GB 4/4 GB 4/4 GB 4/8 GB
LOM Card NA NA NA NA Included
Virtual Systems
Default/Max VS Supported 3/3 3/3 10/10 10/10 25/25
Physical
Enclosure Desktop 1U 1U 1U 1U
Weight 2kg (4.4 lbs) 4kg (8.82 lbs) 7.5kg (16.53 lbs) 7.5kg (16.53 lbs) 7.6kg (16.76 lbs)
Power
Dual, Hot-Swappable Power Supplies No No No No Optional
Power Input 100-240VAC, 47-63Hz
Single Power Supply Rating 40W 100W 250W 250W 275W
Power Consumption (Max) 35W 57W 90W 90W 140W
DC Option No No No Optional3 Optional3
Security Gateway Appliances (released before 2016)
©2016 Check Point Software Technologies Ltd. All rights reserved. Classification: [Protected] — All rights reserved. | 5
Appliance Comparison Chart
May 11, 2016
1 Assumes maximum production throughput with real-world traffic blend, a typical rule-base size, NAT and logging enabled and the most secure threat prevention protection
2 With memory upgrade and the GAiA OS 3 Via a Solutions Center request
12200 12400 12600 13500 13800
Enterprise Grade
Production Performance (Real-World Traffic Blend)1
SecurityPower 811 1185 2050 3200 3800
Firewall (Gbps) 6.2 9.1 14 23.6 27.2
Firewall and IPS (Gbps) 1.28 2.11 3.58 5.7 6.4
RFC 3511, 2544, 2647, 1242 performance tests (LAB)
Firewall Throughput (Gbps) 15 25 30 77 77
VPN Throughput (Gbps) 2.5 3.5 7 17 18.3
IPS Recommended Profile (Gbps) 2.5 3.5 6 7.8 9.6
Connections Per Second (K) 90 110 130 178 190
Concurrent Sessions (M) 52 52 52 282 282
Network
10/100/1000Base-T/Max Ports 8/16 10/26 14/26 14/26 14/26
1000Base-F SFP (MAX Ports) 4 12 12 12 12
10GBase-F SFP+ (MAX Ports) 4 12 12 12 12
40GBase-F MAX Ports NA NA NA NA NA
Expansion Slot 1 3 3 3 3
Fail-Open/Bypass NIC Option Yes Yes Yes Yes Yes
Additional Features
Storage 1+1 500 GB 1+1 500 GB 2x500 GB RAID 1 2x500GB RAID 1 2x500GB RAID 1
Memory / Max 4/12 GB 4/12 GB 6/12 GB 16/64 GB 16/64 GB
LOM Card Included Included Included Included Included
Virtual Systems
Default/Max VS Supported 25/502 25/752 75/1502 150/2502 150/2502
Physical
Enclosure 1U 2U 2U 2U 2U
Weight 7.6kg (16.76 lbs) 23.4kg (51.6 lbs) 23.4kg (51.6 lbs) 17.5 kg (38.6 lbs.) 17.5 kg (38.6 lbs.)
Power
Hot-Swappable Power Supplies Optional 2 AC 2 AC 2 AC 2 AC
Power Input 100-240VAC, 47-63Hz
Single Power Supply Rating 275W 300W 400W 600W 600W
Power Consumption (Max) 121W 132W 220W 431W 431W
DC Option Optional3 Optional3 Optional3 Optional Optional
Security Gateway Appliances (released before 2016 continued)
©2016 Check Point Software Technologies Ltd. All rights reserved. Classification: [Protected] — All rights reserved. | 6
Appliance Comparison Chart
May 11, 2016
1 With Security Acceleration Module 2 With memory upgrade and the GAiA OS 3 Via a Solutions Center request
21400 21700 21800
Data Center Grade
Production Performance (Real-World Traffic Blend)1
SecurityPower 2175/29001 3300/35511 4100/43001
Firewall (Gbps) 17.1/44.31 25.4/44.51 30.4/44.51
Firewall and IPS (Gbps) 3.67 5.7 6.9
RFC 3511, 2544, 2647, 1242 performance tests (LAB)
Firewall Throughput (Gbps) 50/1101 78/1101 78/1101
VPN Throughput (Gbps) 7/501 11/501 23.5/501
IPS Recommended Profile (Gbps) 6 8 9.9
Connections Per Second (K) 130/3001 170/3001 198/3001
Concurrent Sessions (M) 102 132 282
Network
10/100/1000Base-T/Max Ports 13/37 13/37 13/37
1000Base-F SFP (MAX Ports) 36 36 36
10GBase-F SFP+ (MAX Ports) 12 13 13
40GBase-F MAX Ports NA NA NA
Expansion Slot 3 3 3
Fail-Open/Bypass NIC Option No No No
Additional Features
Storage 2x500 GB RAID 1 2x500GB RAID 1 2x500GB RAID 1
Memory / Max 12/24 GB 16/64 GB 16/64 GB
LOM Card Included Included Included
Virtual Systems
Default/Max VS Supported 125/2502 150/2502 150/2502
Physical
Enclosure 2U 2U 2U
Weight 26kg (57.4 lbs) 26kg (57.4 lbs) 26kg (57.4 lbs)
Power
Hot-Swappable Power Supplies 2 AC 2 AC 2 AC
Power Input 100-240VAC, 47-63Hz
Single Power Supply Rating 910W 1200W 1200W
Power Consumption (Max) 449W/744W1 489W/784W1 489W/784W1
DC Option Optional3 Optional3 Optional3
Security Gateway Appliances (released before 2016 continued)
©2016 Check Point Software Technologies Ltd. All rights reserved. Classification: [Protected] — All rights reserved. | 7
Appliance Comparison Chart
May 11, 2016
1 Assumes maximum production throughput with real-world traffic blend, a typical rule-base size, NAT and logging enabled and the most secure threat prevention protection2 With 4 x SSM160
41000 61000
Data Center, Telco, Carrier Grade
Production Performance (Real-World Traffic Blend)1
SecurityPower 3200 to 11000 3200 to 33000
Firewall (Gbps) Up to 40 Up to 120
Firewall and IPS (Gbps) Up to 25 Up to 70
RFC 3511, 2544, 2647, 1242 performance tests (LAB)
Firewall Throughput (Gbps) Up to 80 Up to 400
VPN Throughput (Gbps) Up to 40 Up to 110
IPS Recommended Profile (Gbps) Up to 44 Up to 130
Connections Per Second (K) Up to 1100 Up to 3000
Concurrent Sessions (M) Up to 80 Up to 210
Network
10/100/1000Base-T/Max Ports 14 28
1000Base-F SFP (MAX Ports) 14 28
10GBase-F SFP+ (MAX Ports) 30 602
40GBase-F MAX Ports 4 82
Expansion Slot 6 14
Fail-Open/Bypass NIC Option No No
Additional Features
Storage - -
Memory 64 GB 64 GB
LOM Card Included Included
Virtual Systems
Max VS Supported 250 250
Physical
Enclosure 6U 15U
Weight Max: 38.6kg (84.9 lbs) Max: 65.84kg (145.2 lbs)
Power
Hot-Swappable Power Supplies 3 AC or 2 DC 4 AC or 2 DC
Power Input See data sheet
Single Power Supply Rating 1200W@110V; 1500W@220V
2500W @ 208V/230V, 1500W @ 110V (USA), 1300W @ 100V (Japan)
Power Consumption (Max) 2300W 4900W
DC Option Yes Yes
Security Systems
©2016 Check Point Software Technologies Ltd. All rights reserved. Classification: [Protected] — All rights reserved. | 8
Appliance Comparison Chart
May 11, 2016
1120 1140 1180 1430 1450 1470 1490
Performance
SecurityPower 28 34 37 75 141 194 233
Firewall (Mbps) 20 50 100 900 1100 1600 1800
Threat Prevention (Mbps) 10 25 50 90 150 175 220
Lab (RFC 3511, 2544, 2647, 1242 Performance Tests)
Firewall Throughput (Gbps) 750 Mbps 1.0 1.5 2 2 3.2 4
Connections Per Second (K) 5 5 5 18 25 30 40
Concurrent Sessions (K) 200 200 200 500 500 500 500
VPN Throughput (Mbps) 140 175 220 250 500 500 1000
Network
Wireless Option 802.11 b/g/n 802.11 b/g/n/ac 802.11 b/g/n and 802.11 n/ac
ADSL2/ADSL2+ (Annex A or B) Yes - -
10/100/1000Base-T/Max Ports 10 8 18
Additional Features
Security Architecture Embedded GAiA Embedded GAiA Embedded GAiA
3G, 4G Modem Support Yes Yes Yes
SD Card Slot SD Micro SDHC slot Micro SDHC slot
Web-based Management Available Available Available
Central Management Model Enterprise Security Management Enterprise Security Management Enterprise Security Management
Physical
Enclosure Desktop Desktop Desktop
Weight 1.2kg (2.65 lbs) 1.3kg (2.8 lbs) 1.6kg (3.6 lbs)
Power
Power Input 100/240VAC, 50-60Hz 100/240VAC, 50-60Hz 100/240VAC, 50-60Hz
Single Power Supply Rating 12V/2A 24W - 12V/2.5A 30W (ADSL and Wi-Fi models) 12V/3.33A 40W desktop adaptor 12V/5.4A 65W desktop adaptor
Power Consumption (Max) 16.68W 25W (non-Wi-Fi), 30W (Wi-Fi option) 55W (non-Wi-Fi), 60W (Wi-Fi option)
Small Branch Office Security Appliances
©2016 Check Point Software Technologies Ltd. All rights reserved. Classification: [Protected] — All rights reserved. | 9
Appliance Comparison Chart
May 11, 2016
1200R
Production Performance (Real-World Traffic Blend)1
SecurityPower 49
Firewall (Mbps) 700
Firewall and IPS (Mbps) 60
RFC 3511, 2544, 2647, 1242 performance tests (LAB)
Firewall Throughput (Gbps) 2
VPN Throughput (Mbps) 450
Connections Per Second (K) 10
Concurrent Sessions (K) 400
Network
10/100/1000Base-T (Max) 6
1000Base-F (Max) 2
Additional Features
3G/4G Yes
Serial Console Port Yes
Mount Options DIN rail
Central Management Model Enterprise Security Management
Certifications
Industrial IEC 61850-3, IEEE 1613, IEC 60068-2
Operating Environment
Temperature -40°to167°F / -40° to 75°C
Humidity 20%-90% (non-condensing)
Physical
Enclosure Desktop
Weight 1.2 kg (2.65 lbs.)
Power
AC 100-240V, 50–60 Hz
DC 12V-72V, -48V DC
Power Consumption (Max) 15W
Rugged Appliances1
1 Also see the [Siemens RUGGEDCOM APE (Application Processing Engine) Line Module]
©2016 Check Point Software Technologies Ltd. All rights reserved. Classification: [Protected] — All rights reserved. | 10
Appliance Comparison Chart
May 11, 2016
X20 X30 X50 X60 X80-S
Performance
Firewall IMIX Chassis Throughput (Gbps) Up to 5 Up to 10 Up to 18 Up to 70 Up to 140
XOS Stateful Connections Per Second Up to 120K Up to 120K Up to 150K Up to 300K Up to 600K
XOS Stateless Connections Per Second NA (not enabled) NA (not enabled) Up to 220K Up to 550K Up to 1.1M
Maximum Concurrent Connections 8M 8M 18M 70M 100M
Network
Interfaces 10 x 1Gb SFP ports 10 x 1Gb SFP ports; 2 x 10Gb XFP ports Up to 16 x 10/1Gb SFP+ ports Up to 32 x 1Gb SFP/10Gb SFP+
(16 per NPM)Up to 64 x 1Gb SFP/10Gb SFP+
(16 per NPM)
Modules Support 1 NPM-x, up to 2 APM-x, and 1 CPM-x (included) Up to 2 NPM-x, up to 5 APM-x, up to 2 CPM-x
Up to 4 NPM-x, up to 10 APM-x, up to 2 CPM-x
Maximum Modules Up to 4 Up to 7 Up to 14
Application Processor Module (APM) Details
Processors (per APM) 8 core 4, 8 or 12 core options
System Memory (per APM) Up to 16 GB Up to 12 GB Up to 24 GB
Disk Size (per APM) Up to 2 x 500GB SATA Hard Drives with RAID 1 Up to 2 x 450GB SAS with RAID 1
Additional Features
Check Point Software Security Gateway R77, R76, R75.40, R75.40VS, R75.20, R75, R71.10; Firewall-1 GX 5.0
Supported Operating System XOS 9.0.x, 9.5.x, 9.6.x and 9.7.x
High Availability Options Dual Box High Availability (DBHA) with another chassis of the same model
System Management X-Series Management System (XMS), Greenlight Elelment Manager (GEM), Command line interface (CLI) with automated workflow system (AWS), SNMP v1 v2 v3 and NetFiow v5 v9 v10 support
Physical
Form Factor / Size 13.5” H, 17.5” W, 19” D 29” H, 17.5” W, 17.5” D
Environment Temperature 0 to 40’ C (32-104’F); Humidity: 10%- 90% non-condensing; Altitude: 3048m (10,000ft.)
Certification FIPS 140-2 Certified; Under evaluation for Common Criteria EAL4+ Network Equipment Building System (NEBS) Compliant; Under evaluation for Common Criteria EAL4+
Chassis Regulatory Compliance RoHS, UL 60950, IEC 950, FCC 47 CFR Part 15 Class A, EN 55022: EN 55024, VCCI V-3: AS/NZS 3548: 1995 : CNS 13438 Class A
Green IT Compliancy High-efficiency power system up to 91 percent, WEEE Directive, ISO 14001, RoHS compliant
Power
Power Specifications 100-240 VAC 2,700W Rated Maximum 100-240 VAC 5,100W Rated Maximum or 48V DC 100A
Hot-Swappable PSUs (per system) Ships with 2 x 1,200W 120-240 VAC PSUs 4 PSUs supported
Status Indicators Power Supply and Module Active I Failed status LED, Port Link (NPM, CPM), Minor/Major/Critical Alarm LEDs
X-Series Platforms
©2016 Check Point Software Technologies Ltd. All rights reserved. Classification: [Protected] — All rights reserved. | 11
Appliance Comparison Chart
May 11, 2016
1 Actual performance figures may change per network configuration, traffic type, etc. 2 Throughput is measured with behavioral and signature protections using the eCommerce protection profile3 External fiber fail-open switch with SFP ports is available at additional cost 4 External fiber fail-open switches with SFP or XFP ports are available at additional cost
506 1006 2006 4412 8412 12412 10420 20420 30420 40420
Network Grade Enterprise Datacenter Carrier
Performance1
Capacity (Gbps)2 0.5 1 2 4 8 14 10 20 30 40
Throughput (Gbps)2 0.5 1 2 4 8 12 10 20 30 40
Max Concurrent Sessions (M) 2 2 2 4 4 4 6 6 6 6
Max DoS Flood Attack Prevention Rate (M)(pps) 1 1 1 10 10 10 25 25 25 25
Latency < 60 micro seconds
Real-time Signatures Detect and protect against attacks in less than 18 seconds
Network
Inspection Ports
10/100/1000 Copper Ethernet 4 4 4 8 8 8 - - - -
1GbE Fiber (SFP) 2 2 2 4 4 4 - - - -
10GbE Fiber (XFP) - - - 4 4 4 - - - -
1/10 GbE (SFP+) - - - - - - 20 20 20 20
40 GbE (QSFP+) - - - - - - 4 4 4 4
Management Ports
10/100/1000 Copper 2 2 2 2 2 2 2 2 2 2
RS-232 Console 1 1 1 1 1 1 1 1 1 1
Operation Mode
Network Operation Transparent L2 Forwarding
Deployment Modes In-line; span port monitoring; copy port monitoring; local out-of-path; out-of-path mitigation (scrubbing center solution)
Tunneling protocols support VLAN Tagging, L2TP, MPLS, GRE, GTP
IPv6 Support IPv6 networks and block IPv6 attacks
Policy Action Block and Report; Report Only
Block Actions Drop packet, reset (source, destination, both), suspend (source, source port, destination, destination port or any combination); Challenge-Response for HTTP and DNS attacks
High Availability
Fail-open / Fail-closeInternal fail-open/fail-close for copper ports;
internal fail-close for SFP ports; optional fail-open for SFP ports3
Internal fail-open/fail-close for copper ports; internal fail-close for SFP and XFP ports; optional fail-open for SFP and XFP ports4
Internal fail-close for SFP+ and QSFP+ ports; optional fail-open for SFP+ and QSFP+ ports4
Clustering Active-Passive Cluster
Physical
Enclosure 1U 2U
Power
Dual Power Supply Optional Yes - Hot Swappable
Power Consumption (Max) 177W 476W 634W
DDoS Protector
©2016 Check Point Software Technologies Ltd. All rights reserved. Classification: [Protected] — All rights reserved. | 12
Appliance Comparison Chart
May 11, 2016
Virtual Systems Appliances4400
Single Unit4400 VSLS
4600 Single Unit
4600 VSLS
4800 Single Unit
4800 VSLS
5600 Single Unit
5600 VSLS
5800 Single Unit
5800 VSLS
12200 Single Unit
12200 VSLS
Performance
Firewall Throughput (Gbps) 5 9 9 16.2 11 19.8 25 45 35 63 15 27
VPN Throughput (Gbps) 1.2 2.1 1.5 2.7 2 3.6 6.5 11 10 18 2.5 4.5
Concurrent Sessions (M) 1.2 1.4 1.2 1.4 3.31 3.91 6.4 11 6.4 11 51 61
12400 Single Unit
12400 VSLS
12600 Single Unit
12600 VSLS
13500 Single Unit
13500 VSLS
13800 Single Unit
13800 VSLS
15400 Single Unit
15400 VSLS
15600 Single Unit
15600 VSLS
Performance
Firewall Throughput (Gbps) 25 45 30 54 77 138.6 77 138.6 58 104 77 139
VPN Throughput (Gbps) 3.5 6.3 6 10.8 17 30.6 18.3 32.9 10.8 19 15.8 28
Concurrent Sessions (M) 51 61 51 61 281 33.61 281 33.61 9.61 161 12.81 211
21400 Single Unit
21400 VSLS
21700 Single Unit
21700 VSLS
21800 Single Unit
21800 VSLS
23500 Single Unit
23500 VSLS
23800 Single Unit
23800 VSLS
Performance
Firewall Throughput (Gbps) 50 90 78 140.4 78 140.4 116 209 128 230
VPN Throughput (Gbps) 7 12.6 11 27 23.5 42.3 26 46 26 46
Concurrent Sessions (M) 101 121 131 15.61 281 33.61 25.6 42 28 46
Public and Private Cloud Virtual AppliancesVMware ESX
4.0/4.1VMware vSphere
5/5.1/5.5VMware vShpere
6.0/6.1VMware NSX Manager 6.1.x
KVM Microsoft Hyper-V Amazon AWS Microsoft Azure OpenStack
vSEC Network Mode vSEC Hypervisor Mode Security Management Multi-Domain Security Management
1 With memory upgrade and GAiA OS
©2016 Check Point Software Technologies Ltd. All rights reserved. Classification: [Protected] — All rights reserved. | 13
Appliance Comparison Chart
May 11, 2016
= Available
Software Blades Appliance Comparison ChartNGFW NGDP NGSWG NGTP NGTX
23800 23500 21800 21700 21400 15600 15400 13800 13500 12600 12400 12200 5800 5600 5400 5200 4800 4600 4400 4200 3200 2200 1200R 1400 1100
©2016 Check Point Software Technologies Ltd. All rights reserved. Classification: [Protected] — All rights reserved. | 14
Appliance Comparison Chart
May 11, 2016
NGFW NGDP NGSWG NGTP NGTX
Security Gateway Software Blades
Firewall Identity Awareness IPsec VPN Advanced Networking & Clustering Mobile Access IPS Application Control DLP URL Filtering Antivirus Anti-Spam Anti-Bot SandBlast Threat Emulation SandBlast Threat Extraction Security Management Software Blades
Network Policy Management Logging & Status SmartEvent
= Included
Optional Security Management Software Blades available: SmartWorkflow, Monitoring, Management Portal, User Directory, SmartProvisioning, SmartReporter, SmartEvent, Endpoint Policy Management, Compliance
Software Blades Appliance Comparison Chart (Continued)
Mobile Access Sofware Blade:The 23000, 21000, 15000, 13000, 12000, 5000, 4000, 3200 and 2200 include 5 users in the default package and this can be extended using the Mobile Access packagesThe 1200R includes Mobile Access for 20 usersThe 1430, 1450, 1470, 1490 includes Mobile Access for 100 usersThe 1120, 1140, 1180 includes Mobile Access for 5, 10 and 20 users respectively
©2016 Check Point Software Technologies Ltd. All rights reserved. [Protected] Non-confidential content | November 22, 2016 | Page 1
Check Point 15600 Appliance | Datasheet
Large enterprise security,
performance and reliability
Product Benefits
High performance protection against the most advanced cyber attacks
most sophisticated zero day attack
Optimized for inspecting SSL encrypted traffic
Future-proofed technology
Centralized control and LOM improves serviceability
Modular, expandable chassis with flexible I/O options
Product Features
3,850 Security
Simple deployment and management
Virtual Systems consolidates security onto one device
High port density with 40 GbE option
Redundant AC or DC power supplies, fans and disk drives eliminate single point of failure
The Check Point 15600 Next Generation Security Gateway combines the most
comprehensive security protections with data center grade hardware to maximize
uptime while safeguarding enterprise and data center networks. The 15600 is a 2U
Next Generation Security Gateway with three I/O expansion slots for high port
capacity, redundant AC or DC power supplies and fans, a 2x 1TB (HDD) or 2x 480GB
(SSD) RAID1 disk array, and Lights-Out Management (LOM) for remote management.
15600 Next Generation Security
Gateway with the 40 GbE IO card option.
The rapid growth of malware, growing attacker sophistication and the rise of new
unknown zero-day threats require a different approach to keep enterprise networks
and data secure. Check Point delivers fully integrated, comprehensive Threat
Prevention with award-
for complete protection against the most sophisticated zero-day threats.
Unlike traditional solutions that are subject to evasion techniques, introduce
unacceptable delays, or let potential threats through while evaluating files, Check
Point SandBlast stops more malware from entering your network. With our solution
their productivity.
Firewall IPS NGFW1 Threat Prevention
2
76 Gbps 18 Gbps 17 Gbps 5.7 Gbps
Performance measured under ideal testing conditions. Additional performance detailed on page 5.
1 Includes Firewall, Application Control, and IPS Software Blades.
2 Includes Firewall, Application Control, URL Filtering, IPS, Antivirus, Anti -Bot and SandBlast Zero-Day Protection Software Blades.
2 Includes Firewall, Application Control, URL Filtering, IPS, Antivirus, Anti -Bot and SandBlast Zero-Day Protection Software Blades.
5.7 Gbps
©2016 Check Point Software Technologies Ltd. All rights reserved. [Protected] Non-confidential content | November 22, 2016 | Page 2
Check Point 15600 Appliance | Datasheet
Check Point 15600 Next Generation Security Gateways offer
a complete and consolidated security solution available in
two complete packages:
NGTP: prevent sophisticated cyber-threats with
Application Control, URL Filtering, IPS, Antivirus,
Anti-Bot and Email Security.
NGTX: NGTP with SandBlast Zero-Day Protection,
which includes Threat Emulation and Threat
Extraction.
The 15600 Next Generation Security Gateway protects
organizations from both known and unknown threats with
Antivirus, Anti-Bot, SandBlast Threat Emulation
(sandboxing), and SandBlast Threat Extraction technologies.
As part of the Check Point SandBlast Zero-Day Protection
solution, the cloud-based Threat Emulation engine detects
malware at the exploit phase, even before hackers can apply
evasion techniques attempting to bypass the sandbox. Files
are quickly quarantined and inspected, running in a virtual
sandbox to discover malicious behavior before it enters your
network. This innovative solution combines cloud-based
CPU-level inspection and OS-level sandboxing to prevent
infection from the most dangerous exploits, and zero-day and
targeted attacks.
Furthermore, SandBlast Threat Extraction removes
exploitable content, including active content and embedded
objects, reconstructs files to eliminate potential threats, and
promptly delivers sanitized content to users to maintain
business flow.
NGTP NGTX
(SandBlast)
Prevent known threats
Prevent known and zero-day
attacks
Firewall
VPN (IPsec)
IPS
Application Control
URL Filtering
Anti-Bot
Anti-Virus
Anti-Spam
SandBlast Threat Emulation
SandBlast Threat Extraction
Customers with high connection capacity requirements can
purchase the affordable High Performance Package (HPP).
This includes the base system plus one 4x 10Gb SFP+
interface cards, transceivers and 32 GB of memory for high
connection capacity.
The Check Point 15600 Next Generation Security Gateway
delivers business continuity and serviceability through
features such as hot swappable redundant AC or DC power
supplies, hot-swappable redundant disk drives (RAID),
redundant fans and an advanced LOM card for out-of-band
management. Combined together, these features ensure a
greater degree of business continuity and serviceability when
A Lights-Out-Management (LOM) card provides out-of-band
remote management to remotely diagnose, start, restart and
manage the Next Generation Security Gateway from a
remote location. Administrators can also use the LOM web
interface to remotely install an OS image from an ISO file.
High speed connections are essential in modern enterprise
and data center environments, especially those with high-
40 GbE, so is the 15600 Next Generation Security Gateway.
The Check Point 15600 lets you connect your 10 GbE server
uplinks to your 40 GbE core network with up to 4x 40 GbE
ports.
Check Point Virtual Systems enable organizations to
consolidate infrastructure by creating multiple virtualized
security gateways on a single hardware device, offering
significant cost savings with seamless security and
infrastructure consolidation.
Base HPP Max
1 GbE ports (Copper) 10 10 26
10 GbE ports (Fiber) 2 6 12
Transceivers (SR) 2 6 12
40 GbE ports (Fiber) 0 0 4
RAM 16GB 32GB 64GB
HDD or SSD 2 2 2
AC or DC Power Units 2 2 2
Lights Out Management Included Included Included
©2016 Check Point Software Technologies Ltd. All rights reserved. [Protected] Non-confidential content | November 22, 2016 | Page 3
Check Point 15600 Appliance | Datasheet
BASE CONFIGURATION 1
15600 Next Generation Security Gateway Base Configuration, includes 10x1GbE copper ports, 2 10GbE SFP+ ports + 2 SR transceivers, 16GB RAM, 2 HDD, 2 AC Power Units, Lights Out Management (LOM), Next Generation Threat Prevention (NGTP) Security Subscription Package for 1 Year .
CPAP-SG15600-NGTP
15600 SandBlast Next Generation Security Gateway Base Configuration, includes 10x1GbE copper ports, 2 10GbE SFP+ ports + 2 SR transceivers, 16GB RAM, 2 HDD, 2 AC Power Units, Lights Out Management (LOM), SandBlast (NGTX) Security Subscription Package for 1 Year
CPAP-SG15600-NGTX
HIGH PERFORMANCE PACKAGES 1
15600 Next Generation Security Gateway with High Performance Package, includes10x1GbE copper ports, 6x10Gb SFP+ ports, 6 SR transceivers, 32 GB RAM, 2 HDD, 2 AC Power Units, Lights Out Management (LOM), Next Generation Threat Prevention (NGTP) Security Subscription Package for 1 Year
CPAP-SG15600-NGTP-HPP
15600 Next Generation Security Gateway with High Performance Package, includes10x1GbE copper ports, 6x10Gb SFP+ ports, 6 SR transceivers, 32 GB RAM, 2 HDD, 2 AC Power Units, Lights Out Management (LOM), Next Generation Threat Extraction (SandBlast) Security Subscription Package for 1 Year
CPAP-SG15600-NGTX-HPP
VIRTUAL SYSTEM PACKAGES 1
15600 Next Generation Security Gateway with High Performance Package, includes 10x1GbE copper ports, 6x10GbE SFP+ ports + 6 SR transceivers, 32GB RAM, 2 HDD, 2 AC Power Units, Lights Out Management (LOM), Next Generation Threat Prevention (NGTP) Security Subscription Package for 1 Year and 20 Virtual Systems
CPAP-SG15600-NGTP-HPP-VS20
Two 15600 Next Generation Security Gateways with High Performance Package, includes 10x1GbE copper ports, 6x10GbE SFP+ ports + 6 SR transceivers, 32GB RAM, 2 HDD, 2 AC Power Units, Lights Out Management (LOM), Next Generation Threat Prevention (NGTP) Security Subscription Package for 1 Year and 20 Virtual Systems
CPAP-SG15600-NGTP-HPP-VS20-2
15600 Next Generation Security Gateways with High Performance Package, includes 10x1GbE copper ports, 6x10GbE SFP+ ports + 6 SR transceivers, 32GB RAM, 2 HDD, 2 AC Power Units, Lights Out Management (LOM), Next Generation Threat Extraction (SandBlast) Security Subscription Package for 1 Year and 20 Virtual Systems
CPAP-SG15600-NGTX-HPP-VS20
Two 15600 Next Generation Security Gateways with High Performance Package, includes 10x1GbE copper ports, 6x10GbE SFP+ ports + 6 SR transceivers, 32GB RAM, 2 HDD, 2 AC Power Units, Lights Out Management (LOM), Next Generation Threat Extraction (SandBlast) Security Subscription Package for 1 Year and 20 Virtual Systems
CPAP-SG15600-NGTX-HPP-VS20-2
1SKUs for 2 and 3 years and appliances with an SSD option are also available, see the online Product Catalog
Graphic LCD display
2 x 1 TB (HDD) or 2x 480GB (SSD) RAID1
Three network card expansion slots (HPP)
USB ports for ISO installation
Console port
Lights-Out Management port
Sync 10/100/1000Base-T RJ45
Management 10/100/1000Base-T RJ45
4 3
1 2
5
6
7
8
1
2
3
4
5
6
7
8
©2016 Check Point Software Technologies Ltd. All rights reserved. [Protected] Non-confidential content | November 22, 2016 | Page 4
Check Point 15600 Appliance | Datasheet
INTERFACE CARDS AND TRANSCEIVERS
8 Port 10/100/1000 Base-T RJ45 interface card CPAC-8-1C-B
4 Port 1000Base-F SFP interface card; requires additional 1000Base SFP transceivers CPAC-4-1F-B
SFP transceiver module for 1G fiber ports - long range (1000Base-LX) CPAC-TR-1LX-B
SFP transceiver module for 1G fiber ports - short range (1000Base-SX) CPAC-TR-1SX-B
SFP transceiver to 1000 Base-T RJ45 (Copper) CPAC-TR-1T-B
4 Port 10GBase-F SFP+ interface card CPAC-4-10F-B
SFP+ transceiver module for 10G fiber ports - long range (10GBase-LR) CPAC-TR-10LR-B
SFP+ transceiver module for 10G fiber ports - short range (10GBase-SR) CPAC-TR-10SR-B
2 Port 40GBase-F QSFP interface card CPAC-2-40F-B
QSFP transceiver module for 40G fiber ports - short range (40GBase-SR) CPAC-TR-40SR-QSFP-300m
QSFP transceiver module for 40G fiber ports - long range (40GBase-LR) CPAC-TR-40LR-QSFP-10K
4 Port 1GE copper Bypass (Fail-Open) network interface card (10/100/1000 Base-T) CPAC-4-1C-BP-B
2 Port 10GE short-range Fiber Bypass (Fail-Open) network interface card (10GBase-SR) CPAC-2-10-FSR-B-BP
SPARES AND MISCELLANEOUS
Memory upgrade kit from 16GB to 32GB for 15600 appliance CPAC-RAM16GB-15600
Memory upgrade kit from 16GB to 64GB for 15600 appliance CPAC-RAM48GB-15600
Memory upgrade kit from 32GB to 64GB for 15600 appliance CPAC-RAM32GB-15600
Additional/Replacement 1 TB hard drive for 15000 and 23000 Appliances CPAC-HDD-1TB-B
Replacement AC power supply for 15000 Appliances CPAC-PSU-AC-15000
Dual DC power supplies for 15000 and 23000 appliances CPAC-PSU-DC-Dual-15000/23000
Replacement fan cartridge for 15000 and 23000 appliances CPAC-FAN-B
Slide rails for 15000 and 2 - CPAC-RAIL-L
Extended slide rails for 15000 and 23000 Appliances (26 - CPAC-RAIL-EXT-L
Redundant AC or DC power supplies
Cooling fans
1
2
1 2
©2016 Check Point Software Technologies Ltd. All rights reserved. [Protected] Non-confidential content | November 22, 2016 | Page 5
Check Point 15600 Appliance | Datasheet
Performance
Ideal Testing Conditions
76 Gbps of UDP 1518 byte packet firewall throughput
18 Gbps IPS
17 Gbps of NGFW1
5.7 Gbps of Threat Prevention2
15.8 Gbps of AES-128 VPN throughput
185,000 connections per second, 64 byte response
6.4 to 25.6 million concurrent connections, 64 byte response3
Real-World Production Conditions
3,850 SecurityPower Units
30 Gbps of firewall throughput
8 Gbps IPS
5.2 Gbps of NGFW1
2.5 Gbps of Threat Prevention2
Virtual Systems
Maximum VS (base/HPP/max memory): 60/80/125
Your performance may vary depending on different factors.
Contact a Check Point Partner to find an appliance that
matches your unique requirements.
1. Includes Firewall, Application Control and IPS Software Blades. 2. Includes Firewall, Application
Control, URL Filtering, IPS, Antivirus, Anti-Bot and SandBlast Zero-Day Protection Software
Blades. 3. Performance measured with default/maximum memory.
Expansion Options
Base Configuration (using 2 of 3 expansion slots)
2 on-board 10/100/1000Base-T RJ-45 ports
8x 10/100/1000Base-T RJ-45 IO card
2 x 10GBaseF SFP+ IO card
16 GB memory (32 and 64 GB options)
Redundant dual hot-swappable power supplies (AC or DC)
Redundant dual hot-swappable 1TB HDD or 480GB SSD
Lights-Out-Management (LOM)
Network Expansion Slot Options
8x 10/100/1000Base-T RJ45 port card, up to 24 ports
4x 1000Base-F SFP port card, up to 12 ports
4x 10GBase-F SFP+ port card, up to 12 ports
2x 40GBase-F QSFP port card, up to 4 ports
Fail-Open/Bypass Network Options
4x 10/100/1000Base-T RJ45 port card
2x 10GBase-F SFP+ port card
Network
Network Connectivity
Total physical and virtual (VLAN) interfaces per appliance: 1024/4096 (single gateway/with virtual systems)
802.3ad passive and active link aggregation
Layer 2 (transparent) and Layer 3 (routing) mode
High Availability
Active/Active and Active/Passive - L3 mode
Session failover for routing change, device and link failure
ClusterXL or VRRP
IPv6
NAT66, NAT64
CoreXL, SecureXL, HA with VRRPv3
Unicast and Multicast Routing (see SK98226)
OSPFv2 and v3, BGP, RIP
Static routes, Multicast routes
Policy-based routing
PIM-SM, PIM-SSM, PIM-DM, IGMP v2, and v3
Physical
Power Requirements
Single Power Supply rating: AC(600W), DC(800W)
AC power input: 90 to 264V (47-63Hz)
DC input current: -40.5V/24A -48V/19.2A, -60V/16.0A
Power consumption avg/max: AC200/297W, DC262.6/297W
Maximum thermal output: 1013.4 BTU/hr.
Dimensions
Enclosure: 2RU
Dimensions (W x D x H): 17.4x20.84x3.5 in.( 442x529x88mm)
Weight: 31.5 lbs. (14.3 kg)
Environmental Conditions
Operating: 0° to 40°C, humidity 5% to 95%
Storage: 40° to 70°C, humidity 5% to 95% at 60°C
Certifications
Safety: UL, CB, CE, TUV GS
Emissions: FCC, CE, VCCI, RCM/C-Tick
Environmental: RoHS, REACH1, ISO14001
1
1 factory certificate
US Worldwide Headquarters | 5 67897, Israel | 972-3-753-4555 | 972-3-624-1100 | [email protected]
U.S. Headquarters | 959 300, 94070 | 800-429-4391; 650-628-2000 | 650-654-4233 | www.checkpoint.com
hreat Prevention2
2.5 Gbps of Threat Prevention
1. Includes Firewall, Application Control and IPS Software Blades. 2. Includes Firewall, Application
Control, URL Filtering, IPS, Antivirus, Anti-Bot and SandBlast Zero-Day Protection Software
Blades. 3. Performance measured with default/maximum memory.
8 Gbps IPS
hreat Prevention2
5.7 Gbps of Threat Prevention
©2016 Check Point Software Technologies Ltd. All rights reserved. [Protected] Non-confidential content
April 2016
Check Point Real World Performance Testing | White Paper
1
CHECK POINT REAL WORLD PERFORMANCE TESTING
NEXT GENERATION THREAT
PREVENTION DEMANDS REAL
WORLD METRICS
SECURITYPOWER IS A REAL
WORLD PERFORMANCE
METRIC
RFC BASED TESTING METRICS
LEAD TO NUMEROUS ERRORS
IN APPLIANCE SIZING
In the past, appliance selection was based on one criterion – firewall throughput. The
security appliance was tested in lab conditions with a simple firewall -only security
policy with only one allow-all traffic rule. Though the results of these tests yielded a
very high throughput number, it did little to forecast the capability to meet customers’
security requirements in real world conditions. In essence, it equated to measuring the
power of a car only by its maximum speed, driving downwind and downhill.
With increasing security threats and their sophistication in today’s world, threat
prevention appliances must perform advanced security functions under constantly
rising traffic volumes. In this new environment, it can be challenging to choose the
right appliance to meet your security objectives, performance requirements, and
growth expectations. CPU core counts, quantity of RAM, and Network Interface Card
(NIC) speed alone are not enough to determine how a given hardware appliance will
perform in the real world. We need a new metric that takes into account how
underlying components combine to deliver a realistic threat prevention work load .
SecurityPower is that new metric.
SecurityPower The new way to measure the real power of security appliances
Old Way
Firewall Throughput
Based on lab
conditions
Only Firewall Security
Single firewall
rule
New Way
SecurityPower
Based on real-world customer
traffic
Advanced security
functions
Typical security policy
©2016 Check Point Software Technologies Ltd. All rights reserved. [Protected] Non-confidential content
April 2016
Check Point Real World Performance Testing | White Paper
2
REAL WORLD PERFORMANCE CAPABILITY AND CAPACITY OF SECURITY APPLIANCES
WHAT IS SECURITYPOWER? SecurityPower is a new measure of the real power of security appliances. A
benchmark measuring the capability and capacity of an appliance, SecurityPower
tests multiple advanced security functions (Software Blades) such as IPS, Application
Control, Antivirus, URL Filtering, and DLP, using real world traffic conditions and a
typical security policy. SecurityPower provides an effective metric in evaluating an
appliance, predicting its current and future behavior under security attacks and day-to-
day operation. SecurityPower capacity can be measured by third parties, both for
Check Point appliances as well as security appliances of other vendors.
REAL WORLD VS IDEAL TESTING When you examine the detail of performance testing figures on vendor datasheets
how often do you see the caveat “Performance and capacities are measured under
ideal testing conditions”? Sizing and capacity decisions based on such figures cannot
be trusted. In “Ideal testing conditions” the very security that you need to mitigate
threats to your organization may be disabled.
You need a meaningful benchmark to make an informed decision when purchasing
your new security appliance. The Check Point SecurityPower benchmark differs
distinctly from “Ideal testing conditions” benchmarks.
Real World Ideal Testing Conditions
Signatures Latest, up to date IPS
recommended signatures Out of the box signatures
Security Policy Realistic security policy with 100
rules matching test profile traffic Any-Any-Any-Accept
Traffic Blend A real life mix of HTTP, SMTP,
HTTPS, DNS, FTP and other
protocols derived from research
conducted over hundreds of
customer environments
Simple large, HTTP transactions
Traffic Content Real world content as seen in
customer environments, e.g.
HTTP traffic from popular web
pages; Google, Amazon,
Facebook, etc.
Simple repetitive content
Features Logging and NAT enabled Logging and NAT disabled
Recommended Signatures
The Check Point Security Research Group is responsible for our “Recommended IPS
Profile”. Emerging IPS signatures detect the most important and current attacks whilst
maintaining a relatively predictable performance impact. The Check Point
SecurityPower benchmark includes the latest available and recommended signatures.
This is used in the performance testing of our security appliances and available in our
published datasheets.
Appliance Performance
©2016 Check Point Software Technologies Ltd. All rights reserved. [Protected] Non-confidential content
April 2016
Check Point Real World Performance Testing | White Paper
3
PRACTICAL APPLICATION OF SECURITY POWER UNITS LEVERAGE APPLIANCE SIZING TOOL TO CONVERT CUSTOMER NEEDS TO REQUIRED SPUs
HOW TO USE SECURITYPOWER UNITS (SPU)? Security requirements can be converted into a SecurityPower value. Each Check Point
appliance has a SecurityPower capacity as measured by our performance labs. We
compare your needs against the real-world capabilities of our appliances allowing you
to determine which appliances meet your needs today and in the future.
APPLIANCE SIZING TOOL Traditional stateful inspection requires relatively little processing power compared to
advanced security functions such as Application Control, Antivirus, or IPS which
requires much deeper analysis and consumes more system resources. With Check
Point you can consolidate these security functions into a single platform, reducing
costs and improving your security posture. Our Appliance Sizing Tool combines two
key metrics to help you select the correct appliance:
Throughput
Required security functions
We translate your environment and security requirements into a required
SecurityPower value. This value is then checked against the SecurityPower Capacity
offered by Check Point appliances. The end result of the comparison is a small set of
recommended appliances appropriate for you.
©2016 Check Point Software Technologies Ltd. All rights reserved. [Protected] Non-confidential content
April 2016
Check Point Real World Performance Testing | White Paper
4
APPLIANCE SIZING TOOL PROVIDES ROOM TO GROW INTERNET TRAFFIC BLEND REFLECTS TYPICAL MIX OF TRAFFIC SEEN THROUGH AN INTERNET GATEWAY WITH PREDOMINANTLY WEB BROWSING TRAFFIC GROWING TREND IN HTTPS TRAFFIC DATA CENTER TRAFFIC BLENDS TYPICALLY CONSUME 20% MORE SPU
SECURITYPOWER TEST METHODOLOGY When assessing the capacity required from an appliance three key factors must be
consistent:
Configuration of the device under test (DUT)
The load testing apparatus
The traffic profile
The configuration of the device and the load testing apparatus is consistent for all
Check Point appliances. See our General Assumptions and Testing Methodology.
To reflect different deployment scenarios, we define two different traffic profiles: the
Data Center and Internet blends. These traffic blends are the result of in-depth
customer analysis.
Internet Traffic Blend
Represents the type of Internet traffic, security appliances handle on a day-
to-day basis.
Consists of the following Streams/Protocols: HTTP; HTTPS; SMTP; DNS;
POP3; FTP; Telnet.
The majority of the traffic is Internet Access (HTTP).
The growing trend in Internet traffic blend towards HTTPS encryption is built into the
Appliance Sizing Tool and we are able to factor a specific proportion of customer
traffic from the basic mix above (10% HTTPS) all the way up to 100% HTTPS.
Data Center Traffic Blend
The Data Center blend reflects the predominance of the following traffic
characteristics:
Web Services, File Stores, Authentication Services, Line-of-Business
Applications, Custom Applications and Data Intensive Applications.
Consists of the following Stream/Protocols: HTTP, HTTPS, SMTP,
SMB_CIFS, SQL, NFS, SMB_DCERPC, Oracle, DNS, LDAP, SSH, FTP.
The Data Center traffic blend consumes approximately 20% more SPU than the
Internet traffic blend.
©2016 Check Point Software Technologies Ltd. All rights reserved. [Protected] Non-confidential content
April 2016
Check Point Real World Performance Testing | White Paper
5
ENSURE POC EXERCISES COMPARE APPLES WITH APPLES
Internet Traffic Blend
Protocol Content Action Per Cent
HTTP Amazon Home Page HTTP GET -> 676K 16%
Yahoo Home Page HTTP GET -> 292K 16%
Facebook Home Page HTTP GET -> 271K 16%
Google Home Page HTTP GET -> 41K 17%
Google Mail HTTP GET of Gmail index.html file, 21K 2%
HTTP Post 100K PDF File 1%
SMTP SMTP 17K MIME Message with PDF attachment 7%
SMTP 100K MIME Message with Word attachment 6%
HTTPS HTTPS 10K HTTPS GET of 10K file 5%
HTTPS 100K HTTPS GET of 100K file 5%
Other DNS DNS Query 6%
POP3 Message size: 256-512 bytes 1%
Telnet Login; cd /disk/images; ls 1%
FTP FTP GET, 1MB file 1%
SECURITY SHORTCUTS Whilst we strive to introduce the real world to performance testing, we know the
playing field is not level. The configuration of modern security appliances has a
massive impact on performance and throughput capacity. If you remove or disable
certain aspects of traffic inspection, an appliance will perform better.
This is a problem in Proof of Concept (PoC) exercises. Frequently these exercises
comprise a sequence of tests, some of which focus on performance, whilst others on
the effectiveness of the security. It is crucial that all testing combines both of these
elements and delivers an accurate reflection of the relative capabilities of the solution .
The traffic load used for testing must include a variety of threat vectors e.g. transport
over HTTP, Email, and SMB etc. whilst also employing evasion techniques. Results
must measure both the throughput achieved and the number of threats detected for an
accurate reflection of the relative capabilities. Further information regarding PoC Best
Practice and security shortcuts can be found here: http://tiny.cc/poc-shortcuts.
SUMMARY Performance testing is a complex business; the permutations of configuration are so
vast that exact answers are impossible. Check Point provides a practical means to
assess your security and traffic throughput requirements, translating those into a
solution to meet your needs today and in the future.
CONTACT US Worldwide Headquarters | 5 Ha’Solelim Street, Tel Aviv 67897, Israel | Tel: 972-3-753-4555 | Fax: 972-3-624-1100 | Email: [email protected]
U.S. Headquarters | 959 Skyway Road, Suite 300, San Carlos, CA 94070 | Tel: 800-429-4391; 650-628-2000 | Fax: 650-654-4233 | www.checkpoint.com
Internet Traffic Blend
HTTP
SMTP
HTTPS
OTHER