Sunday, June 25, 2017

CPET session 2 recording is out there

Thanks all for a great talk. We discussed the Unified Policy, rulebase search in the GUI, and the gateway-side rulebase match process.

Special thanks to Tim and Tomer for joining.

CPET project relies on your support. Participate in the talks and help us with your donations to 
Follow us on Facebook and Twitter. 

Monday, June 19, 2017

CPET session - R80.10 rulebase enforcement - IT IS ON!

Hi all, thanks for participating in the poll concerning the upcoming CPET session.

The results are:

Topic:  R80.10 rulebase enforcement
Time: Sunday 25th of June, 3 PM CET

Connectivity details:

Time: Jun 25, 2017 3:00 PM Zurich

Join from PC, Mac, Linux, iOS or Android:

Or iPhone one-tap (US Toll):  +14157629988,,753341892# or +16465687788,,753341892#

Or Telephone:
    Dial: +1 415 762 9988 (US Toll) or +1 646 568 7788 (US Toll)
    Meeting ID: 753 341 892
    International numbers available:

Calendar invitation can be downloaded here.

Talk to you all on Sunday.


Friday, June 16, 2017

Voting for the next CPET session is extended

Hello all, I have decided to extend the voting for the next CPET session.

R80.10 rulebase enforcement is a definite leader, but the timing is another matter. Sunday 15:00 CET is leading by just a single vote out of 27.

The poll will be closed on Sunday 19.06.2017 EOD; please use this last chance to define the time.


Thursday, June 15, 2017

RIP Barry Stiefel

Earlier this week I learned the sad news of Barry Stiefel's passing.

Barry, the founder and director of CPUG over so many years, was my friend. I met him in person in 2008 at CPUGcon in Switzerland. He brought together so many different people and cultures, and made us talk and share.

His energy and enthusiasm were fueling the Check Point Users Group. With his big personality, he gave the community both glory and challenges. He was always fighting a fight, fighting for something he saw as dear, and true, and fair.

Your fight is now over, pal. Rest in peace...

Tuesday, June 6, 2017

CPET session time and subject - take your pick

Not so long ago I asked for your feedback on my CPET idea. To improve the game, I am suggesting two different subjects and two different times for live attendees.

So for the next time I am proposing two different topics:
  • New logic of rulebase search in R80.10 gateway (Final)
  • R80.10 MDSM and VSX deployment - live demo
and two different times:
  • Saturday 24th of June, 11:00 CET
  • Sunday 25th of June, 15:00 CET (Final)

To vote, simply leave your feedback in this Google form. You have time till the 16th of June. The most popular time and topic will be presented. You can also suggest another topic for future sessions. Please choose just one subject this time.

I also have to make an important clarification about the proposed time slots.

CPET is a private, free-of-charge initiative. Performing any kind of activity towards it during regular office hours is impossible. I can only make preparations and run the session in my private time. Also, as my day job duties may require some customer-facing overtime during the working week, for the time being we are stuck with weekends only for the live session, where you can participate in an actual discussion. That should not be a problem for those who cannot attend, as long as the recordings are available. You are always welcome to leave comments in the blog or in other media.

Thanks for your interest.


Tuesday, May 16, 2017

VSX and local.arp - correction and follow up

Hi, in one of my previous posts I mentioned that with Jumbo HFA 210 and up, local.arp files are purged.

The issue was reported to me by a customer, and I was not personally involved in troubleshooting it. That was my oversight, which led to some erroneous statements in the original post.

Since then, several Check Point developers and R&D managers have reached out to me to investigate the details. After thorough analysis, it turned out that the information reported is not 100% accurate.

Here are the results:

1. Check Point admits that after Jumbo installation, local.arp is purged on VS0 only. This issue will be corrected with the next HFA package.

2. Any VS other than VS0 will keep local.arp intact. That also means the original warning about installing Jumbo package 216 was incorrect. With regular precautions, such as backups and local modifications saved aside, there is no showstopper for VSX, unless you filter your production traffic on VS0.

3. The actual customer's issue occurred on a physical FW and not on VSX. Here I have to remind everyone that the only supported way to configure Proxy ARP settings on physical Gaia-based devices is through CLISH.

More info to follow.

I thank Gera Dorfman, Yigal Alexander and Sergei Shir for their time and efforts spent to investigate the issue.

Monday, May 15, 2017

Wcry lesson - we learn that we do not learn

WannaCry ransomware wreaked havoc around the globe, infecting and putting out of commission more than two hundred thousand computers. One could consider this a brutal and effective crash test for common security practices. A test that we failed, miserably. Just look at the map of affected countries...

The situation could have been completely different if IT security had adhered to a small set of very basic security practices, such as the following.

Educate end users

One of the Wcry vectors is a phishing email. We all know that it is not wise to click on email links, right? Wrong, apparently. People are still doing that. Teaching users simple security awareness practices is vital to avoid such incidents.

Scan incoming emails and downloads

One of the classic use cases for Threat Emulation is scanning and detonating file attachments and downloads in a sandbox before they reach the user. Every decent security vendor has an appropriate offering in this field.

Anti-phishing tools are also widely available, both onsite and cloud based.

Patch your systems timely

The SMB vulnerability used by Wcry to propagate was patched by Microsoft in March 2017, two months before the event. Two months!

Use IPS for virtual patching

Okay, you say, we could patch all supported Windows machines, but what about XP, 8 and 2003? Even if there were no patches for unsupported Windows flavors, simple IPS virtual patching would do. How hard can it be, really?

Filter incoming traffic, segment your networks

To prevent the initial infection coming from the Internet through SMB, one only needed to filter out incoming SMB traffic. The same applies to preventing lateral movement of the worm between segments of a segmented network. Simple FW rules denying such traffic would do.
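As an added example, not code from the original post, here is a small audit script that checks whether a firewall's accepted traffic already violates the two rules just described: it flags accepted SMB/NetBIOS flows that came from the Internet into an internal segment, and accepted SMB flows that crossed from one internal segment into another. The segment names and address ranges, the simplified key=value log format, and all log lines are constructed for this example; they are not real Check Point log output.

```python
import ipaddress
from typing import Dict, List, Optional

# SMB file sharing listens on TCP 445 (direct-hosted SMB) and TCP 139 (SMB over
# NetBIOS); UDP 137/138 carry the NetBIOS name and datagram services.
SMB_TCP_PORTS = {445, 139}
NETBIOS_UDP_PORTS = {137, 138}

# Hypothetical internal segments (an assumption for this example, not from the post).
INTERNAL_SEGMENTS = {
    "users": ipaddress.ip_network("10.10.0.0/16"),
    "servers": ipaddress.ip_network("10.20.0.0/16"),
}

# Constructed sample log lines in a simplified key=value form (not real Check Point logs).
SAMPLE_LOG = """\
time=2017-05-12T08:01:02 action=accept src=203.0.113.7 dst=10.20.1.5 proto=tcp dport=445
time=2017-05-12T08:01:05 action=drop src=203.0.113.7 dst=10.20.1.6 proto=tcp dport=445
time=2017-05-12T08:02:10 action=accept src=10.10.3.44 dst=10.10.3.45 proto=tcp dport=445
time=2017-05-12T08:02:11 action=accept src=10.10.3.44 dst=10.20.1.5 proto=tcp dport=445
time=2017-05-12T08:03:00 action=accept src=10.10.3.44 dst=10.20.1.9 proto=tcp dport=443
time=2017-05-12T08:03:30 action=accept src=198.51.100.2 dst=10.10.3.44 proto=udp dport=137
"""


def parse_line(line: str) -> Dict[str, str]:
    """Split one 'key=value key=value ...' log line into a dict."""
    fields = {}
    for token in line.split():
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def segment_of(ip: str) -> Optional[str]:
    """Name of the internal segment containing ip, or None for Internet addresses."""
    addr = ipaddress.ip_address(ip)
    for name, net in INTERNAL_SEGMENTS.items():
        if addr in net:
            return name
    return None


def is_smb(proto: str, dport: int) -> bool:
    """True for SMB over TCP or the NetBIOS UDP services."""
    proto = proto.lower()
    return (proto == "tcp" and dport in SMB_TCP_PORTS) or (
        proto == "udp" and dport in NETBIOS_UDP_PORTS
    )


def audit_smb_exposure(log_text: str) -> List[Dict[str, str]]:
    """Flag accepted SMB/NetBIOS flows that the two rules in the post would block:
    Internet -> internal segment, and flows crossing a segment boundary."""
    findings = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        f = parse_line(raw)
        if f.get("action") != "accept":
            continue  # already dropped by the rulebase; nothing to fix here
        if not is_smb(f.get("proto", ""), int(f.get("dport", 0))):
            continue
        src_seg, dst_seg = segment_of(f["src"]), segment_of(f["dst"])
        if src_seg is None and dst_seg is not None:
            reason = "internet_to_internal"
        elif src_seg is not None and dst_seg is not None and src_seg != dst_seg:
            reason = "cross_segment"
        else:
            continue  # same segment or outbound: outside the scope of these two rules
        findings.append({"time": f["time"], "src": f["src"], "dst": f["dst"],
                         "proto": f["proto"], "dport": f["dport"], "reason": reason})
    return findings


if __name__ == "__main__":
    for finding in audit_smb_exposure(SAMPLE_LOG):
        print(finding)
```

Run against the constructed sample, the script reports three flows: the inbound TCP 445 accept from the Internet, the users-to-servers TCP 445 accept, and the inbound UDP 137 accept. Each one maps directly to a deny rule that was missing: block SMB/NetBIOS from the Internet to any internal network, and block it between segments that have no business sharing files. The same-segment SMB flow is deliberately left out of the report, since the post's segmentation argument is about boundaries between segments, not file sharing within one.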

Backups, backups, backups

In case of infection, there is always a plan B: restoring systems from backups. If you have any. If you keep them safe. Safe in this context means offline, where the ransomware cannot reach and encrypt them too.

Simple and widely known security best practices could have saved the day. Yes, we have all seen recently that our networks are out there for anyone who wants to take them over. How sad is that?
