AV on the BlueCoat vs. enabling it in the Checkpoint firewall

Posted on 2014-07-28
Medium Priority
Last Modified: 2014-08-13
Hello EE,

I have a Checkpoint firewall, and my BlueCoat AV appliance is coming up for maintenance renewal.
I heard that the Checkpoint firewall can do anti-virus as well, and I am wondering if it is at the same level.
What are the pros/cons of going with the all-in-one vs. maintaining the separate appliance?
Question by: operationsIT
LVL 64

Expert Comment

ID: 40226526
For Checkpoint, it is actually part of their UTM offering. They term it the "Antivirus Software Blade", which runs on the box and can be augmented with online checks against their cloud intelligence, e.g. ThreatCloud. The user's Service Contract File does need to include the relevant "Anti-Virus update" SKU for the device, e.g. their Secure Web Gateway Appliance and Threat Prevention Appliance.

CP claims the following for their antivirus and URL filtering software blades:
a) Up to 20 times antivirus throughput improvement, with over 1 Gbps for a 2-core system and 3 Gbps for a 4-core system
b) Up to 80 times antivirus and URL filtering connection capacity improvement, with over 500,000 concurrent connections

One use case they shared for the value of the AV software blade is detecting the Eurograbber banking (Zeus) trojan. It detects the bad URLs and blocks the requests at the network before they infect the user's computer, and it calculates the MD5 hash of the reply, recognizes it as bad and blocks the download of the malicious application.
@ http://www.checkpoint.com/products/downloads/whitepapers/Eurograbber_White_Paper.pdf

Coming to BlueCoat, it has one appliance called ProxyAV, which works in tandem with Blue Coat ProxySG appliances. As an inline scanning device, the ProxyAV appliance analyzes all file downloads from user-authenticated Web 2.0 sites, webmail, file sharing and other methods of content delivery.

BC ProxyAV can scan files up to 2 GB in size and analyze compressed archives up to 99 layers deep. ProxyAV integrates with multiple threat awareness clouds, including Blue Coat WebPulse. Specifically, ProxyAV supports four modes of content analysis: traditional object analysis, trickle-first or trickle-last stream analysis, and deferred scan.

As a whole, comparing CP and BC AV, the differences may not lie in the AV itself but in the capability of the appliance to scale up and layer other security services such as IPS, content filtering, cloud services and application-aware filtering, in either a single box or via an external web interface (RESTful, JSON, etc.).

There are Gartner reports on secure web gateways and NSS Labs tests where you may find the specifics, but I do suggest engaging both vendors' sales teams to better advise on the values and differences with respect to those third-party assessment reports, so that it is not an "apples vs. oranges" situation, and to flesh out the limitations explicitly based on the assessment criteria.


LVL 22

Accepted Solution

eeRoot earned 1000 total points
ID: 40228377
Can you monitor the CPU & memory resources on the Checkpoint?  Adding AV duties will increase its workload, but will allow you to simplify your network design.
LVL 64

Expert Comment

ID: 40228495
Probably the past assessments from third parties can be useful when testing the CP UTM. Indeed, performance will be a key consideration, and having an all-in-one box will require you to factor in the single point of failure as well, e.g. any module failure should not render the box malfunctioning or unnecessarily stop ongoing traffic, e.g. fail open, or for some, fail closed (or fail secure).

Author Comment

ID: 40229165

So if CP detected Eurograbber, did BlueCoat not?

Does BlueCoat AV not work with BlueCoat SG? We have both, but I'm trying to determine if I move the AV and SG to the Checkpoint, or just the AV to the Checkpoint, or keep them separate.

I see the report overview but no detail, @breadtan.

We plan to cluster the firewall, which would eliminate the single point of failure, but the BC is currently one appliance, so a single point of failure; yet I am concerned with loading the firewall resources with doing all these other things. I am curious what others would do, as I've engaged sales on both sides, and of course both can give you the world. Any other questions to help me get to the real details?
LVL 64

Assisted Solution

btan earned 1000 total points
ID: 40229190
The report requires a subscription, and if the vendor can share the accreditation, that will help and strengthen their ground. Eurograbber is just one instance; BC has their own use cases and strengths, especially in caching (all vendors have such, especially with an R&D team backing them; for BC they have a threat lab which contributes to the WebPulse feeds collected). See https://bto.bluecoat.com/doc/7430 (specific to BC's use of their Content Policy Language (CPL)), in particular the anti-malware section.

Each time a browser request is received, the ProxySG checks its object store for a cached copy; if one is found that was analyzed with the most recent AV-heuristics engine version, it can be delivered immediately. If the object in cache was analyzed before an update to the AV-heuristics engine, then the object is re-analyzed before delivery to the user. For non-cacheable objects, a fingerprint cache is kept to avoid analyzing the same file on frequent requests. Once an AV-heuristics engine update occurs, the fingerprint cache for non-cacheable objects restarts. Note that ProxyAV has four options for analysis: it can scan, trickle first, trickle last or defer scan (for long-loading objects).

Note: ICAP can be used for both inbound and outbound traffic analysis. Typically ProxyAV is deployed for inbound traffic analysis, while a data loss prevention solution is deployed for outbound traffic analysis. Multiple ProxyAVs can be load-balanced from a ProxySG device.
For BC, you may want to note their ThreatBlade suite and how ProxySG fits into the deployment with those content/malware analysis blade appliances.
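The cache behaviour described in the comment above (object store keyed by engine version, fingerprint cache for non-cacheable objects that restarts on engine update) and the MD5-of-the-reply check mentioned in the Eurograbber use case earlier in the thread can be modelled in a few dozen lines. The following is an added illustration written for this page, not vendor code from Blue Coat or Check Point; the request sequence, the "bad" payload and the blocklist are constructed, and the scan itself is reduced to a hash lookup, which a real engine obviously goes far beyond.

```python
"""Simplified model of a proxy-side AV scan cache (added example, not vendor code).

Models the behaviour described in the thread:
  * cacheable objects are stored with the engine version that scanned them and
    are re-scanned before delivery if the engine has since been updated;
  * non-cacheable objects get a fingerprint (hash) cache so the same bytes are
    not re-scanned on every request; that cache is cleared on engine update;
  * the "scan" is a stand-in: the reply body is hashed with MD5 and the digest
    compared against a constructed blocklist, mirroring the hash check in the
    Eurograbber description.  A real engine does much more than a hash lookup.
"""
import hashlib
from dataclasses import dataclass


@dataclass
class CachedObject:
    body: bytes
    verdict: str          # "allow" or "block"
    engine_version: int   # engine version that produced the verdict


class ScanCache:
    def __init__(self, engine_version: int, blocklist: set[str]):
        self.engine_version = engine_version
        self.blocklist = set(blocklist)                   # MD5 hex digests known bad
        self.object_store: dict[str, CachedObject] = {}   # url -> cached object
        self.fingerprint_cache: dict[str, str] = {}       # md5 -> verdict
        self.scans = 0                                    # real engine invocations

    def update_engine(self, new_version: int, blocklist: set[str]) -> None:
        """Simulate an AV engine / signature update."""
        self.engine_version = new_version
        self.blocklist = set(blocklist)
        # Fingerprint cache restarts: verdicts from the old engine may be stale.
        self.fingerprint_cache.clear()

    def _scan(self, digest: str) -> str:
        self.scans += 1
        return "block" if digest in self.blocklist else "allow"

    def fetch(self, url: str, body: bytes, cacheable: bool) -> tuple[str, str]:
        """Return (verdict, source) for a reply body served for url."""
        digest = hashlib.md5(body).hexdigest()
        if cacheable:
            obj = self.object_store.get(url)
            if obj is not None and obj.engine_version == self.engine_version:
                return obj.verdict, "cache-hit"         # delivered immediately
            verdict = self._scan(digest)                # first scan or re-analysis
            self.object_store[url] = CachedObject(body, verdict, self.engine_version)
            return verdict, "rescan" if obj is not None else "scanned"
        # Non-cacheable object: avoid re-scanning identical bytes seen recently.
        if digest in self.fingerprint_cache:
            return self.fingerprint_cache[digest], "fingerprint-hit"
        verdict = self._scan(digest)
        self.fingerprint_cache[digest] = verdict
        return verdict, "scanned"


def demo() -> dict:
    """Constructed request sequence; returns per-request events and scan count."""
    clean = b"MZ benign installer bytes (constructed)"
    dropper = b"constructed malicious payload bytes"
    bad_md5 = hashlib.md5(dropper).hexdigest()      # hypothetical bad-hash feed
    cache = ScanCache(engine_version=1, blocklist={bad_md5})
    requests = [
        ("http://cdn.example/tool.exe", clean, True),
        ("http://cdn.example/tool.exe", clean, True),        # expect cache-hit
        ("http://mail.example/attach?id=1", dropper, False),
        ("http://mail.example/attach?id=2", dropper, False), # same bytes: fingerprint-hit
    ]
    events = [(u,) + cache.fetch(u, b, c) for u, b, c in requests]
    cache.update_engine(2, {bad_md5})               # engine update: caches go stale
    events.append(("http://cdn.example/tool.exe",) + cache.fetch("http://cdn.example/tool.exe", clean, True))
    events.append(("http://mail.example/attach?id=1",) + cache.fetch("http://mail.example/attach?id=1", dropper, False))
    return {"events": events, "scans": cache.scans}


if __name__ == "__main__":
    for url, verdict, source in demo()["events"]:
        print(f"{verdict:5s} {source:16s} {url}")
```

Run as a script it prints one line per request: the second fetch of tool.exe is served from the object cache without a scan, the second copy of the dropper is blocked via the fingerprint cache, and after the engine update both are scanned again. The `scans` counter is the quantity eeRoot's comment points at when asking about CPU load: every cache miss, and every cache invalidation after a signature update, is an engine invocation the firewall has to absorb if the AV blade moves onto it.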

Author Closing Comment

ID: 40258427
Excellent points!
