AV on the BlueCoat v.s. enabling in Checkpoint firewall

Posted on 2014-07-28
Last Modified: 2014-08-13
Hello EE,

I have a checkpoint firewall and my Bluecoat AV Appliance is coming up on maintenance renewal.
I am wondering as I heard the Checkpoint firewall can do Anti Virus as well if this is at the same level.
What are the pro/con of going with it all in one v.s. maintaining the separate appliance?
Question by: operationsIT
LVL 64

Expert Comment

ID: 40226526
For Checkpoint, it is actually part of their UTM offering. They term it the "Antivirus Software Blade", which can either run within the box or be augmented with online checking against their cloud intelligence, e.g. ThreatCloud. The user's Service Contract File does need to include the relevant "Anti-Virus update" SKU for the device, e.g. their Secure Web Gateway Appliance and Threat Prevention Appliance.

CP claimed for their antivirus and URL filtering software blades:
a) Up to 20 times antivirus throughput improvement, with over 1Gbps for a 2-core system and 3Gbps for a 4-core system
b) Up to 80 times antivirus and URL filtering connection capacity improvement, with over 500,000 concurrent connections

One use case they shared on the value of the AV s/w blade is detecting the Eurograbber banking Zeus trojan. It detects the bad URLs and blocks the requests at the network before they infect the user's computer, and it calculates the MD5 hash of the reply, recognizes it as bad and blocks the download of the malicious application.

Coming to Bluecoat it has one appliance called ProxyAV, which works in tandem with Blue Coat ProxySG appliances. As an inline scanning device, the ProxyAV appliance analyzes all file downloads from user-authenticated Web 2.0 sites, webmail, file sharing and other methods of content delivery.

BC ProxyAV can scan files up to 2GB in size and analyze compressed archives up to 99 layers deep. ProxyAV integrates with multiple threat awareness clouds, including Blue Coat WebPulse. Specifically, ProxyAV supports four modes of content analysis, including traditional object analysis, trickle first or last stream analysis, and deferred scan.

As a whole, comparing CP and BC AV, the differences may not lie in the AV but in the capability of the appliance to scale up to layer other security services such as IPS, content filtering, cloud services and application-aware filtering, in either a single box or an external web interface (RESTful or JSON etc).

There are Gartner reports on secure gateways and NSS Labs reports where you may find the specifics, but I do suggest engaging both sales teams to better advise on the values and differences w.r.t. those 3rd party assessment reports, so that it is not an "apples" vs "oranges" situation, as well as to flesh out the limitations explicitly based on the assessment criteria.
LVL 22

Accepted Solution

eeRoot earned 250 total points
ID: 40228377
Can you monitor the CPU & memory resources on the Checkpoint? Adding AV duties will increase its workload, but will allow you to simplify your network design.
LVL 64

Expert Comment

ID: 40228495
Probably the past assessments from 3rd parties can be useful in testing the CP UTM. Indeed, performance will be a key consideration, and having an all-in-one box will require factoring in the single point of failure as well, e.g. any module failure should not render the box malfunctioning or stop ongoing traffic unnecessarily, e.g. fail open, or for some, fail closed (or fail secure).

Author Comment

ID: 40229165

So if CP detected Eurograbber, did BlueCoat not?

Does BlueCoatAV not work with BlueCoatSG? We have both, but I'm trying to determine if I move the AV and SG to the CheckPoint, or just the AV to the Checkpoint, or keep them separate.

I see the report overview but no detail @breadtan

We plan to cluster the firewall, which would eliminate the single point of failure, but the BC is currently one appliance, so a single point of failure; yet I am concerned with loading the firewall resources with doing all these other things. I am curious what others would do, as I've engaged sales on both sides and of course both can give you the world. Any other questions to help me get to the real details?
LVL 64

Assisted Solution

btan earned 250 total points
ID: 40229190
The report requires a subscription, and if the vendor can share the accreditation that will help and strengthen their ground. Eurograbber is just one instance - BC has their own use cases and strengths, esp. in caching (or every vendor has such, esp. with an R&D team backing - for BC they have a threat lab which contributes to the WebPulse feeds collected) - see (specific to BC's use of their content policy language (CPL)) - see the anti-malware section

Each time a browser request is received, the ProxySG checks its object store for a cached copy; if one is found that was analyzed with the most recent AV-heuristics engine version, it can be delivered immediately. If the object in cache was analyzed before an update to the AV-heuristics engine, then the object is re-analyzed before delivery to the user. For non-cacheable objects, a fingerprint cache is kept to avoid analyzing the same file on frequent requests. Once an AV-heuristics engine update occurs, the fingerprint cache for non-cacheable objects restarts. Note that ProxyAV has four options for analysis: it can scan, trickle first, trickle last or defer scan (for long-load objects).

Note: ICAP can be used for both inbound and outbound traffic analysis. Typically ProxyAV is deployed for inbound traffic analysis while a data loss prevention solution is deployed for outbound traffic analysis. Multiple ProxyAVs can be load balanced from a ProxySG device.
For BC, you may want to note their ThreatBlade suite and how ProxySG comes into the deployment with those content / malware analysis blade appliances.
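The re-analysis rules described in the answer above (serve from the object store only if the cached verdict came from the current AV-heuristics engine version, re-scan after an engine update, and keep a fingerprint cache for non-cacheable objects that restarts on engine update) modelled as a small simulation. This is an added example and not Blue Coat's code; the class, the toy scanner and the sample bodies are constructed for illustration.

```python
import hashlib
from dataclasses import dataclass


@dataclass
class ScanRecord:
    verdict: str          # "clean" or "malicious"
    engine_version: int   # AV-heuristics engine version that produced the verdict


class ProxyAvCache:
    """Simplified model of the ProxySG/ProxyAV caching and re-analysis decisions."""

    def __init__(self, engine_version, scanner):
        self.engine_version = engine_version
        self.scanner = scanner        # callable(body) -> verdict string (toy AV engine)
        self.object_store = {}        # url -> ScanRecord, for cacheable objects
        self.fingerprint_cache = {}   # sha256(body) -> ScanRecord, for non-cacheable objects
        self.scans = 0                # how many real scans were performed

    def update_engine(self, new_version):
        self.engine_version = new_version
        self.fingerprint_cache.clear()  # fingerprint cache restarts on an engine update

    def _scan(self, body):
        self.scans += 1
        return ScanRecord(self.scanner(body), self.engine_version)

    def fetch(self, url, body, cacheable=True):
        """Return (verdict, path) where path names the decision branch taken."""
        if cacheable:
            hit = self.object_store.get(url)
            if hit and hit.engine_version == self.engine_version:
                return hit.verdict, "cache"        # analysed by the current engine
            rec = self._scan(body)                  # first sight, or stale engine verdict
            self.object_store[url] = rec
            return rec.verdict, "rescan" if hit else "scan"
        fp = hashlib.sha256(body).hexdigest()
        rec = self.fingerprint_cache.get(fp)
        if rec is None:
            rec = self._scan(body)
            self.fingerprint_cache[fp] = rec
            return rec.verdict, "scan"
        return rec.verdict, "fingerprint"           # same bytes seen recently


def demo():
    """Constructed traffic: a cacheable PDF and a non-cacheable download served twice."""
    sample = b"MZ constructed-sample-not-real-malware"   # toy engine flags MZ headers
    cache = ProxyAvCache(1, lambda b: "malicious" if b.startswith(b"MZ") else "clean")
    r = [cache.fetch("http://example.test/report.pdf", b"%PDF clean"),
         cache.fetch("http://example.test/report.pdf", b"%PDF clean"),
         cache.fetch("http://example.test/dl?id=1", sample, cacheable=False),
         cache.fetch("http://example.test/dl?id=2", sample, cacheable=False)]
    cache.update_engine(2)   # engine update: cached verdicts become stale
    r.append(cache.fetch("http://example.test/report.pdf", b"%PDF clean"))
    r.append(cache.fetch("http://example.test/dl?id=1", sample, cacheable=False))
    return r, cache.scans
```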

Author Closing Comment

ID: 40258427
Excellent points!
