AV on the BlueCoat vs. enabling it in the Checkpoint firewall

Hello EE,

I have a Checkpoint firewall, and my Bluecoat AV appliance is coming up for maintenance renewal.
I am wondering, as I heard the Checkpoint firewall can do antivirus as well, whether it is at the same level.
What are the pros/cons of going with the all-in-one vs. maintaining the separate appliance?
btan (Exec Consultant) commented:
For Checkpoint, it is actually part of their UTM offering. They term it the "Antivirus Software Blade", which can run within the box and be augmented with online checks against their cloud intelligence, e.g. ThreatCloud. The user's Service Contract File does need to include the relevant "Anti-Virus update" SKU for the device, e.g. their Secure Web Gateway Appliance and Threat Prevention Appliance.

CP claims, for their antivirus and URL filtering software blades:
a) Up to 20 times antivirus throughput improvement, with over 1 Gbps for a 2-core system and 3 Gbps for a 4-core system
b) Up to 80 times antivirus and URL filtering connection capacity improvement, with over 500,000 concurrent connections

One use case they shared on the value of the AV s/w blade is detecting the Eurograbber banking Zeus trojan. It detects the bad URLs and blocks the requests at the network before it infects the user's computer, and it calculates the MD5 hash of the reply, recognizes it as bad and blocks the download of the malicious application.
@ http://www.checkpoint.com/products/downloads/whitepapers/Eurograbber_White_Paper.pdf

Coming to Bluecoat, it has one appliance called ProxyAV, which works in tandem with Blue Coat ProxySG appliances. As an inline scanning device, the ProxyAV appliance analyzes all file downloads from user-authenticated Web 2.0 sites, webmail, file sharing and other methods of content delivery.

BC ProxyAV can scan files up to 2 GB in size and analyze compressed archives up to 99 layers deep. ProxyAV integrates with multiple threat awareness clouds, including Blue Coat WebPulse. Specifically, ProxyAV supports four modes of content analysis: traditional object analysis, trickle-first or trickle-last stream analysis, and deferred scan.


As a whole, comparing CP and BC AV, the differences may not lie in the AV itself but in the capability of the appliance to scale up and layer other security services such as IPS, content filtering, cloud services and application-aware filtering, either in a single box or via an external web interface (RESTful or JSON etc.).

There are Gartner reports on secure web gateways and NSS Labs reports where you may find the specifics, but I do suggest engaging both sales teams to better advise on the values and differences with respect to those 3rd-party assessment reports, so that it is not an "apples vs. oranges" situation, and also to flesh out the limitations explicitly based on the assessment criteria.


Can you monitor the CPU and memory resources on the Checkpoint? Adding AV duties will increase its workload, but will allow you to simplify your network design.

btan (Exec Consultant) commented:
Probably the past assessments from 3rd parties can be useful for testing the CP UTM. Indeed, performance will be a key consideration, and having an all-in-one box will require factoring in the single point of failure as well, e.g. any module failure should not render the box malfunctioning or unnecessarily stop ongoing traffic, e.g. fail open, or for some, fail closed (or fail secure).
operationsIT (Author) commented:

So if CP detected Eurograbber, did BlueCoat not?

Does BlueCoat AV not work with BlueCoat SG? We have both, but I'm trying to determine if I move the AV and SG to the Checkpoint, or just the AV to the Checkpoint, or keep them separate.

I see the report overview but no detail @breadtan

We plan to cluster the firewall, which would eliminate the single point of failure, but the BC is currently one appliance, so a single point of failure; yet I am concerned with loading the firewall resources with doing all these other things. I am curious what others would do, as I've engaged sales on both sides and of course both can give you the world. Any other questions to help me get to the real details?
btan (Exec Consultant) commented:
The report requires a subscription, and if the vendor can share the accreditation that will help and strengthen their ground. Eurograbber is just one instance; BC has their own use cases and strengths, esp. in caching (all vendors have such, esp. with an R&D team backing them; for BC they have a threat lab which contributes to the WebPulse feeds collected). See https://bto.bluecoat.com/doc/7430 (specific to BC's use of their Content Policy Language (CPL)), in particular the anti-malware section.

Each time a browser request is received, the ProxySG checks its object store for a cached copy; if one is found that was analyzed with the most recent AV-heuristics engine version, it can be delivered immediately. If the object in cache was analyzed before an update to the AV-heuristics engine, then the object is re-analyzed before delivery to the user. For non-cacheable objects, a fingerprint cache is kept to avoid analyzing the same file on frequent requests. Once an AV-heuristics engine update occurs, the fingerprint cache for non-cacheable objects restarts. Note that ProxyAV has four options for analysis: it can scan, trickle first, trickle last or defer scan (for long-loading objects).

Note: ICAP can be used for both inbound and outbound traffic analysis. Typically ProxyAV is deployed for inbound traffic analysis, while a data loss prevention solution is deployed for outbound traffic analysis. Multiple ProxyAVs can be load balanced from a ProxySG device.
For BC, you may want to note their ThreatBlade suite and how ProxySG comes into the deployment with those content/malware analysis blade appliances.
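The two mechanisms btan describes above, the URL-then-MD5 blocking of the Eurograbber case and the engine-version-aware object store plus fingerprint cache of ProxySG/ProxyAV, can be modelled in a few dozen lines. The following is an added illustration written for this page, not Blue Coat or Check Point code, and it makes these assumptions: the "scan" is a stub that compares the object's MD5 against a known-bad list, the URL blocklist, hash list and origin server content are all constructed inline, and the integer engine version stands in for the AV-heuristics engine version that the real appliance tracks.

```python
"""Simulated inline AV gateway with a verdict cache (added example, not vendor code).

Models: (1) block on bad URL before fetching, (2) block on bad MD5 of the reply,
(3) cacheable objects are re-analysed only if their verdict predates the current
engine version, (4) non-cacheable objects are de-duplicated by fingerprint, and
that fingerprint cache restarts on an engine update.
"""
import hashlib
from dataclasses import dataclass


@dataclass
class ScanResult:
    verdict: str          # "clean" or "malicious"
    engine_version: int   # engine version that produced this verdict


class InlineScanner:
    def __init__(self, engine_version, bad_urls, bad_md5s):
        self.engine_version = engine_version
        self.bad_urls = set(bad_urls)
        self.bad_md5s = set(bad_md5s)
        self.object_store = {}        # url -> (content, ScanResult), cacheable objects
        self.fingerprint_cache = {}   # md5 -> ScanResult, non-cacheable objects
        self.scans_performed = 0      # counts real (simulated) scans, for the demo

    def update_engine(self, new_version, new_bad_md5s=()):
        """Engine/signature update: fingerprint cache restarts, object store is kept
        and stale entries are re-analysed lazily on their next request."""
        self.engine_version = new_version
        self.bad_md5s.update(new_bad_md5s)
        self.fingerprint_cache.clear()

    def _scan(self, content):
        # Stub scan: hash lookup stands in for the AV engine.
        self.scans_performed += 1
        digest = hashlib.md5(content).hexdigest()
        verdict = "malicious" if digest in self.bad_md5s else "clean"
        return ScanResult(verdict, self.engine_version)

    @staticmethod
    def _decide(result, reason):
        return ("blocked" if result.verdict == "malicious" else "allowed"), reason

    def request(self, url, origin, cacheable=True):
        """Handle one browser request; returns (action, reason)."""
        # 1. URL reputation first: nothing is fetched for a known-bad URL.
        if url in self.bad_urls:
            return "blocked", "url-blocklist"

        if cacheable:
            entry = self.object_store.get(url)
            if entry is not None:
                content, result = entry
                if result.engine_version != self.engine_version:
                    # Verdict predates the engine update: re-analyse before delivery.
                    result = self._scan(content)
                    self.object_store[url] = (content, result)
                    return self._decide(result, "cache-rescan")
                return self._decide(result, "cache-hit")
            content = origin[url]                 # fetch from (simulated) origin
            result = self._scan(content)
            self.object_store[url] = (content, result)
            return self._decide(result, "cache-miss")

        # 3. Non-cacheable object: fetch every time, but scan only once per fingerprint.
        content = origin[url]
        digest = hashlib.md5(content).hexdigest()
        result = self.fingerprint_cache.get(digest)
        if result is None:
            result = self._scan(content)
            self.fingerprint_cache[digest] = result
            return self._decide(result, "fingerprint-miss")
        return self._decide(result, "fingerprint-hit")


# Constructed sample origin content; not real Eurograbber indicators.
ORIGIN = {
    "http://example.test/report.pdf": b"%PDF-1.4 harmless report",
    "http://example.test/dropper.exe": b"MZ fake dropper payload",
    "http://example.test/live.json": b'{"rates": [1, 2, 3]}',
}
DROPPER_MD5 = hashlib.md5(ORIGIN["http://example.test/dropper.exe"]).hexdigest()


def demo():
    """Walk through the request sequence; returns (decision log, scans performed)."""
    s = InlineScanner(engine_version=1, bad_urls={"http://bad.example.test/c2"}, bad_md5s=())
    log = [
        s.request("http://bad.example.test/c2", ORIGIN),              # blocked, url-blocklist
        s.request("http://example.test/report.pdf", ORIGIN),          # allowed, cache-miss
        s.request("http://example.test/report.pdf", ORIGIN),          # allowed, cache-hit
        s.request("http://example.test/dropper.exe", ORIGIN),         # allowed, cache-miss (hash not yet known)
        s.request("http://example.test/live.json", ORIGIN, False),    # allowed, fingerprint-miss
        s.request("http://example.test/live.json", ORIGIN, False),    # allowed, fingerprint-hit
    ]
    s.update_engine(2, new_bad_md5s={DROPPER_MD5})                    # new signature arrives
    log.append(s.request("http://example.test/dropper.exe", ORIGIN))  # blocked, cache-rescan
    log.append(s.request("http://example.test/live.json", ORIGIN, False))  # fingerprint-miss again
    return log, s.scans_performed


if __name__ == "__main__":
    for action, reason in demo()[0]:
        print(action, reason)
```

The point the walk-through makes is the one that matters for the sizing question in this thread: the cached copy of dropper.exe was served as clean under engine version 1 and is only caught on the re-scan after the signature update, so a cache does not remove the scanning load, it only defers and de-duplicates it. Eight requests cost five scans here; on a real gateway the ratio depends on how cacheable your traffic is and how often the engine updates.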
operationsIT (Author) commented:
Excellent points!