Thursday, December 22, 2011

Some aspects of HTTPS inspection

There is a nice review of different SSL inspection aspects and (potential) issues made by Kishin Fatnani over here.

Take a look, it is quite interesting.

Found through LinkedIn

Wednesday, December 21, 2011

upgrade_export fails if MGMT interface is down

Just a short note.

I have come across a weird issue. When you are trying to export your Management server configuration with migrate export (or upgrade_export, if you like doing it the old-fashioned way), you have to make sure your machine is actually on the network. Trying to do this when it is disconnected will lead to script failure.

I do not remember this kind of issue when working with R65, but it is definitely the case with R7X. The corresponding SK is sk63126.


Error message to look for in the migrate log: Failed to get machine's IP address

Tuesday, December 20, 2011

Appliance Selection Tool never made it out of Beta?

Remember Appliance Selection tool, guys?

It was announced as Beta in September, and then disappeared. The link is dead now. The idea was to let you size appliances according to your traffic requirements. It was quite interesting when it was announced. When it came out as Beta, it looked good, at least beta good. And it was promised to be officially released in Q4 2011.

There are some traces of it on Check Point site. For example, it is mentioned in Security Power description. But nothing is out yet.

Too bad, my sales would love it. I would love it.

Would you?

Gartner puts Check Point to Leaders' quadrant in 2011

Gartner has positioned Check Point in the Leaders' quadrant in the Enterprise Network Firewalls Magic Quadrant. Check Point gets the highest ability to execute mark, way ahead of the other vendors.




Only two companies, Palo Alto and Check Point, made the Leaders' quadrant this year. Most of the competitors are now in Challengers' area.

Palo Alto, according to Gartner, still has the best technology vision. Nevertheless it is below Check Point, Fortinet, Cisco and Juniper when it comes to ability to execute.

Based on CHKP press release.

Wednesday, December 14, 2011

Enforcing PC identity with Endpoint Connect client

One of the common challenges one can face concerning Remote Access VPN is the necessity to enforce the identity of the endpoint client. In other words, sometimes it is necessary to deny VPN access from non-corporate PCs.

It comes naturally if Microsoft Remote Access is in use, because there you can check the machine certificate. With Check Point clients, such as SecureClient or Endpoint Connect, that is not so straightforward. Although you can make thorough compliance checks with SCV scripts, you cannot use machine certificates directly.

Of course, there is a way to create a script or a binary that would check the certificate and report to SCV, but this is a complex task.

There is a simpler way to work the machine identity through the SCV process. RegMonitor is part of SCV functionality. It allows you to check various parameters in the registry for existence and values. So if we could find a unique key entry or a string value in the registry, then SCV would be able to decide whether an endpoint machine is part of the corporate domain or not.

If you look at the "Software\Microsoft\Windows\CurrentVersion\Group Policy\GroupMembership" entries in the Windows Registry, you will see a number of groups defined for users. Each one of them has a unique SID. At least one group is common for all domain users. It means at least one of the group SID entries will be the same throughout the domain. Spoofing this entry is possible, but also not easy, as it can make a non-domain PC unusable after a default group SID is changed.

SID group entries are also version independent. They will be the same for all domain users from XP to Windows 7.

A simple SCV RegMonitor script would give you a fair indication of an endpoint being a managed PC. It will work on both SecureClient and Endpoint Connect client.

This way is not ideal, but quite a good one, in my humble opinion.
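As an added illustration of the check described above (this is not the author's SCV script and not Check Point code), the following Python reproduces the decision RegMonitor is asked to make: it parses a .reg-style export of the GroupMembership key and reports whether the corporate domain's "Domain Users" SID is present. The group common to all domain users is Domain Users, whose RID is always 513 appended to the domain SID; the domain SID and both registry exports used here are constructed for the example. On a real client SCV does this lookup itself, so the script is for understanding the logic and for testing the SID you intend to configure.

```python
import re

# Registry path quoted in the post, relative to the user hive.
GROUPMEMBERSHIP_KEY = r"Software\Microsoft\Windows\CurrentVersion\Group Policy\GroupMembership"

# Assumed corporate domain SID (constructed, not a real domain). RID 513 is the
# well-known RID of "Domain Users", the group every domain user belongs to.
CORPORATE_DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
DOMAIN_USERS_SID = CORPORATE_DOMAIN_SID + "-513"

# Constructed sample: .reg-style export of the key from a domain-joined PC.
SAMPLE_DOMAIN_PC = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy\GroupMembership]
"Count"=dword:00000003
"Group0"="S-1-5-21-1111111111-2222222222-3333333333-513"
"Group1"="S-1-5-21-1111111111-2222222222-3333333333-1105"
"Group2"="S-1-1-0"
"""

# Constructed sample: the same key on a stand-alone PC, only well-known SIDs.
SAMPLE_WORKGROUP_PC = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy\GroupMembership]
"Count"=dword:00000002
"Group0"="S-1-1-0"
"Group1"="S-1-5-32-545"
"""

# Matches "GroupN"="<SID>" value lines; the "Count"=dword:... line is deliberately skipped.
VALUE_RE = re.compile(r'^"(Group\d+)"="(S-[0-9-]+)"$')


def parse_group_sids(reg_export):
    """Return {value name: SID} for the GroupN values under the GroupMembership key."""
    sids = {}
    in_key = False
    for raw in reg_export.splitlines():
        line = raw.strip()
        if line.startswith("["):
            # A new key section starts; remember whether it is the one we care about.
            in_key = line.rstrip("]").endswith(GROUPMEMBERSHIP_KEY)
            continue
        if in_key:
            m = VALUE_RE.match(line)
            if m:
                sids[m.group(1)] = m.group(2)
    return sids


def is_managed_pc(reg_export, required_sid=DOMAIN_USERS_SID):
    """True when the required domain group SID appears in the user's group list.

    A missing key or an empty group list yields False, i.e. the check fails closed.
    """
    return required_sid in parse_group_sids(reg_export).values()


if __name__ == "__main__":
    for label, export in (("domain PC", SAMPLE_DOMAIN_PC), ("workgroup PC", SAMPLE_WORKGROUP_PC)):
        print(f"{label}: managed={is_managed_pc(export)} groups={parse_group_sids(export)}")
```

The check is written to fail closed: if the key is absent or no value matches, the PC is treated as unmanaged, which is the behaviour you want from an SCV check that gates VPN access.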

Thursday, December 8, 2011

Japan is number three in this month readers list

I was checking my statistics the other day, and have found that Japanese readers are now in third place for this month after Germany and USA. Switzerland is fourth.

I thank you all guys, but especially those from Japan. I love that country, and frankly, I would not expect my blog to be popular there. That is a pleasant surprise.

Thanks a lot for your interest.

I am very grateful for your interest.

IPS Blade training is released

Check Point has just released a new training blade for IPS. As with other "blade" training modules, it consists of a one-hour Web-based lecture and a practical lab.

Just a reminder. Starting with CCSE R75, the PearsonVue-based CCSE exam will give you only two years of benefits. After that you will have to take two blade trainings every year to maintain your CCSE status.

Wednesday, November 30, 2011

First CCSA R75 course in Switzerland, possibly in continental Europe is over

Yesterday I finished teaching my first CCSA R75 course. It is not only my personal first, it is also the very first course in Switzerland. To my knowledge it is the first ever in continental Europe.

Hope my students are happy, because I am.

The course is much better than the previous R71/70 ones. I have spotted only a few errors in the books, minor ones. It is well timed; we managed to go through all the labs thoroughly.

I hope to see the participants again in my classroom.

I appreciate Dimension Data and Computerlinks giving me this opportunity. Thanks a lot everybody, and especially Yasushi and Mykhaylo from Computerlinks for the effective and reliable lab platform.

Update: I have been informed that there was at least one CCSA R75 course provided in the UK in early November. Changing the subject accordingly :-)

Thursday, November 24, 2011

about to teach my first CCSA R75

I will be teaching CCSA R75 class in Bern the next week.

This class is a cooperation of Computerlinks and Dimension Data ATCs.

I started my CCSA courses about 7 years ago, internally in Check Point Israel, for new hires. It was R60 by then. Now it is R75, and it seems to be the first ever CCSA R75 course in Switzerland.

While working through the course materials, I have to admit books are much better than some time ago. Of course, there are some things I would describe differently, but there are no obvious mistakes in the books, at least I have not spotted them yet.

Well done, Check Point!

Dimension Data will be providing both CCSA and CCSE R75 courses in 2012, so you are welcome in my class. You can subscribe on our ATC Web portal any time.


See you in our training class, guys.

Wednesday, November 2, 2011

more than 100K hits on this blog

I started this blog just before last Christmas, on December 23, 2010. Since then there have been more than 100,000 hits on this blog, on average around 300 hits per day.

This is not too much, but I sincerely appreciate your interest, guys.

Here are some interesting (at least to me) statistics.

The most viewed post is one about changes in migration tools between R6x and R7x. It got almost 1600 pageviews.

The second popular is one with the links to upgrade paths diagrams, almost 700 pageviews till now.

NSS lab results for IPS solutions is the third most viewed post in this blog.

Germany, USA and Russia host most of the readers, in that order. 48% of the visitors use the Firefox browser.

70% of visitors are working on Windows, 13% on Linux and 10% on Macs. The rest of the audience is accessing these pages from smart phones and other mobile devices.

Hope you find here what you are looking for. If not, let me know how I can help you.

And again, thank you all very much.

Monday, October 31, 2011

Check Point to reinforce GRC with a new acquisition

Check Point has just issued a press release about acquiring Dynasec Ltd., a provider of Governance, Risk Management and Compliance (GRC) solutions, better known as easy2comply.

Dynasec Ltd is an Israeli-based privately owned company. Looking at their products' UIs, I could say it is quite close to the Check Point vision and user experience.


It looks like the usual players in this field, Tufin and Algosec, will be challenged soon when it comes to Check Point GRC related tasks.

Friday, October 28, 2011

Impressive demo of 61000 in Paris

Tuesday this week I was lucky to attend Check Point road show dedicated to the new 61000 series appliance.



I have been genuinely impressed by the box.

The new chassis is designed and manufactured in Israel by a company whose name is not disclosed. The chassis includes 2 Security Switch Module (SSM) blades and up to 12 SGM blades - Security Gateway Modules. Each SGM is equivalent to an 11000 series appliance.

The chassis has 3 power supplies and two management modules. Two chassis can run in an HA cluster.

It does not matter how many SGMs you have in your system, one or twelve. You define just one gateway object in SmartDashboard for the whole chassis.

If you start with a couple of blades, you do not need to change configuration to add more. Just plug in your new SGM, and it will be automatically populated and added to the system to share the load with others.

Performance ability is just amazing. We performed live stress tests with four Spirent Avalanche boxes:



We could barely reach around 50% CPU usage with firewall rules, logs and IPS set to recommended protections. Spirent was not powerful enough to push the box further!!!

Load sharing on this chassis is another great thing. SSM shares the load between SGMs by creating flows. Each flow is defined by IP addresses and/or SPIs. Service ports can be added to this logic, if required. There is a new technology, SyncXL to provide redundancy between SGMs in case of failure.

Once more, from the management perspective this is not a cluster. Sync and load sharing are all taken care of by the appliance internally. Sync communications are performed on the chassis backbone; no user intervention is required to configure it.

There are some limitations, like VSX not being supported for the moment. But guys, even considering all downsides, this is most probably the best and most performant security appliance in the world.

Well done, Check Point, really well done!

Thursday, October 27, 2011

CPUG materials are posted online

I am getting regular requests to share my presentations from CPUG conferences.

Thanks to Barry, all the materials from CPUG Europe from 2008 till today are available now online here.



Enjoy, everybody!

Tuesday, October 11, 2011

Hello, Check Point training revolution!

So guys, it's just happened.

With the official launch of the R75 CCSA course and the availability of so-called training blades, Check Point has finished reforming the whole training and certification mechanism.

You can get the full details on CP education page, or just see the latest Check Point training newsletter here.

The key points are:


  • Both CCSA and CCSE official training courses are now three, not five, days only.
  • All update courses, both new and old "acceleration" ones are now called Training blades.
  • Core certification (CCSA/E) benefits are valid for two years only.
  • To extend R7x certification benefits for one more year, one must take two additional training blades.


This scheme may cause some business issues for ATCs, and all training blades for R7x are now directly available from Check Point.

There are only two blades published for the moment, Application Control and DLP, with some others to follow.

Each blade contains 1 hour web-based training, 6 hours of labs and costs $245 only. Web based certification exam is included.

Important: CCSA/E R75 exams are not yet available.

Wednesday, October 5, 2011

CCSA R75 materials are available for ATC partners

Check Point has started distributing R75 CCSA instructor kits and other training materials to ATC partners. This means CCSA R75 official training will soon be available publicly.

There is no news about the CCSA R75 certification exam just yet.

Sunday, September 18, 2011

Going to CPUG 2011 Europe

In a couple of hours I will be in my car driving north to Chur, Switzerland, where CPUG 2011 Europe starts tomorrow at 8:00.

In my opinion this is the best technical Check Point oriented event of the year. Transparent, frank and truthful discussions - these are the core values of the event. It is not vendor sponsored, it is not marketing controlled.

100% professional, 100% independent. This is the way to get the full picture, good knowledge, way to improve your skills and meet friends and colleagues.

See you there, guys.

Friday, September 16, 2011

Rumors - CCSA R75 courseware to be available in October

There are some talks behind the scenes about having CCSA R75 courseware available quite soon. Sources are talking about books being available in October for ATCs to order.

There is no news yet about exams being available for both CCSA and CCSE R75.

I am not sure about policy in other ATCs, but in my training center in Lausanne I am holding R75 courses just because there is no ETA for the tests.

We provide free PearsonVue test vouchers for all our students, valid for half a year, to take an exam in our test center. Without clear availability dates it is not possible to do so for CCSA/E R75.

More news to come, I will keep you posted, guys.

Thursday, September 1, 2011

CCSE R75 course - be careful, exam is not out yet

I have already mentioned Check Point releasing R75 CCSE training.

There is one warning I missed the last time. Guys, the R75 CCSE exam is not yet available and is expected to be released in the fourth quarter. If you are planning to take R75 CCSE, remember to take the R75, not the R71 exam. This means you will have to wait after the course for an exam to be available.

R71 CCSE course is quite different from R75 one. So is the exam! Most of R71 exam topics are moved to Blade modules with R75.

If you have to certify soon, go for R71 course and exam. If you can wait till the end of the year for certification, you can safely take R75 CCSE course.

CPUG Europe 2011 - are you coming? Second call


Come to CPUG CON 2011 EUROPE!

This is your invitation to the upcoming CPUG Check Point Administrators Conference in Chur ("Koor"), Switzerland on September 19th-21st (plus optional two days of Workshop/Training on September 22nd-23rd).
This will be our fourth year and we're planning to make it bigger and better than ever!
Register Now!
By attending, you'll receive all these benefits:
  • Learn how to save hours of trouble and debugging in our Technical Sessions.
  • Learn about Check Point's new products, including version R75, Endpoint Security E80, Application Control and IPv6.
  • Meet and have a beer with fellow Check Point administrators from all over the world.
  • Learn how to improve security against new and emerging threats.
  • Meet with industry experts and vendors.
  • Enjoy three or five days in the beautiful Swiss Alps.
New This Year!  Two-day workshop/training in:
Join us for our Mentor's Dinner (it's included with registration), we'll be having a tour and dinner at a local brewery!
CPUG CON 2011 EUROPE is the #1 European conference for Check Point firewall administrators and end-users.
This year we're being sponsored by Wuerth Itensis, ComputerLinks Switzerland, Dimension Data, Crossbeam, and Tufin.
Save money by registering soon!

Thursday, August 25, 2011

Multiple issues with R71 upgrades

Hi all!

I was thinking about writing this post for some time now, hesitating to do this. I am trying to stay positive towards Check Point, but it looks like I have had enough of it now.

Certainly, my experiences may not be objective, especially considering I am usually dealing with complex environments and high profile customers. But here is something:

During the last year I have been facing all kinds of issues with R71 upgrades. Most of them are on the MGMT side. This affects both simple SmartCenter servers and Multi-Domain systems. These are all kinds of troubles:

  • systems cannot be upgraded in place from R65
  • HFA 40 cannot be applied
  • migrations fail
  • previously working migration paths become non usable
  • policies cannot be compiled or installed, etc.

In fact, during the year I have not seen a single painless R71 upgrade. It works fairly well with R70 and R75, but not with R71. That is a shame, especially considering most of the customers tend to stay on the X-1 release, considering that a good practice.

Please share your R71 experience with me. Thanks.


Monday, August 15, 2011

Multi-Domain Security and VSX training in beautiful Switzerland

Hi all!

I am planning to run a set of five days training for Multi-Domain Security Management (former Provider-1) and VSX R67. The formal course names are CCMSE and CCMSE + VSX.

The training will take place in our ATC in Lausanne this autumn (sometime in late October or mid-November). The final date will be defined a bit later.

The courses will be provided in English. We will have lots of hands on labs. There will be some extras not included in the original course, such as Multi-Domain Security Management and VSX troubleshooting and best practices.

If you are traveling, we will assist you with accommodation.

The places are limited. We do not accept more than 8 students in the class to provide the best quality training, and some seats are already taken.

To sign up, please use our ATC contact form or just send us an email. Please kindly state "CCMSE + VSX CH" in the subject.

Come over, guys, let's have some fun here.




Friday, August 12, 2011

Highest End Appliance customer presentation is now available for Partners

Check Point has posted a new marketing presentation to the Partners portal. This presentation is almost identical to the one Gil Shwed was giving at the NASDAQ opening ceremony.

Although the presentation is not marked confidential, I cannot post a link to it here, as the access to the portal is for Check Point partners only.

If you are a partner, get it by yourself. If you are not, ask your Check Point reseller to do it for you.


Wednesday, August 10, 2011

CMA migration is blocked on R71 if done on the same MDS

I have come across yet another issue with the latest migration tools on Multi-Domain management.

Once upon a time, with R6X it was possible to migrate CMAs between platforms freely, except for VSX case. You had to copy 5 directories: $FWDIR/conf, $FWDIR/database, $CPDIR/conf, $CPDIR/database and $CPDIR/registry from one place to another and then run cma_migrate script from MDG or command line.

It was working like a charm. It does not anymore.

R71 documentation is still talking about a similar way of migration. Do not be fooled. The documentation is not exactly correct.

The one and only way of migrating CMAs is described in sk60563. The described procedure works, but with limitations. The limitations are: same name and IP address of the CMA!


I had to learn this the hard way while trying to split one existing CMA for my customer.

There is no migration failure. It all finishes successfully. The fun begins when you start the new migrated CMA.

You can still see it on the CLI with the mdsstat command. But not in MDG. In fact, it starts showing up there, but then is removed from the GUI when started. The reason for it is that in the MGMT DB of the CMA the "old" pre-migration name is used for the CMA object. MDG gets confused by having two different CMAs with the same name.

Moreover, it is not at all obvious how to remove this CMA if you want to roll back. I ended up deleting the whole customer folder.

Something so simple and effective got broken with SB versions. The question is, how to fix it? I do not have an answer for the moment.

Yet another Support Call has been opened.

Will keep you posted, folks.

Wednesday, August 3, 2011

Event Analysis issue with R75.10

Hi folks!

I have just faced a rather unpleasant bug with Event Analysis on an R75.10 SPLAT SmartCenter server.

One just cannot define any custom event. The process fails with the following error: "The policy refers to objects that don't exist"

Strange, especially considering event definition works flawlessly on plain R75, but seems to be broken after upgrade to R75.10.

Once again, I have to ask: dear Check Point, do you have any QA these days?

All, I have a support case open, will keep you posted.

Tuesday, August 2, 2011

Two super High End appliances from Check Point

For those who missed this historical event, Gil Shwed just announced two new Check Point appliances in the NASDAQ opening ceremony.

One is 21400 series, new two-U modular device with fully redundant HW and exchangeable cards.

The other one is a full blown chassis based monster with up to 1 Tbps throughput - the 61000 appliance.
It is looking quite familiar. If you ask me, its resemblance to the Crossbeam X series is hard to miss.

Now Check Point owns the full jazz starting from SOHO with SG 80 and going to the highest end imaginable with 65000.
The other interesting things announced were R75.20 with SSL inspection, well expected integration of URL filtering and Application Control and my favorite: new SecurityPower calculator to choose the best appliance for your need.

Well done, Gil! I am positively interested.

Thursday, July 28, 2011

R75 CCSE is ready, CCSA to come the next quarter

Today I got my official Instructor Manual for CCSE R75 training.

Thank you, Check Point for listing my name the first of contributors. I can even forgive you misspelling my company name for that.

For the rest of us this means something quite important: CCSE R75 is out there.

I am still looking into the context, but it is very likely Dimension Data ATC will be able to provide these courses to you already in October.


CCSA R75 materials are on the way as well and will be available in Q3.

Sunday, July 24, 2011

R75 Blade training, clarification

Hi all!

I have been contacted by nice Check Point people correcting my post about R75 training.

Let me just quote the email concerning R75 Streaming Blades trainings:

They will come in two modes: Self-Study, or ATC Delivered.

The Self-Study course will have some very basic hands-on GUI based practice exercises. While the ATC delivered course will have more in-depth hands on labs. The idea is that ATCs can deliver a CCSA or CCSE course in 3 days, and offer one or two of the one-day blade/streaming courses to fill in the week's instruction schedule.





Thanks to Mark Hoefle for this clarification

Thursday, July 21, 2011

R71.40 - Plugin pain is back

If you have ever tried to use the advanced upgrade path within the R65.X family, you might remember that in many cases MGMT migration with export/import scripts was failing due to plug-in mismatch between the source and target installations.

I was quite happy when Check Point introduced R7X migration tools. It seemed to cure the issue completely.

Apparently this is not true. My customer has just tried to import an R71.20 MGMT DB into R71.40.

Here is the output he gets:

[20 Jul 16:01:32] [ReadFwsetFile] Going to read file '/opt/CPsuite-R71/fw1/bin/upgrade_tools/plugin_pack.conf'
[20 Jul 16:01:32] [ReadFwsetFile] Succeeded to read file
[20 Jul 16:01:32] ..<-- ReadFwsetFile
[20 Jul 16:01:32] [PluginPackCompatibilityChecker::GetPluginPackId] Plugin pack id is: 'R71.40'
[20 Jul 16:01:32] .<-- PluginPackCompatibilityChecker::GetPluginPackId
[20 Jul 16:01:32] [PluginPackCompatibilityChecker::exec] ERR: Failed to get plugin pack ids for source/destination machines
[20 Jul 16:01:32] <-- PluginPackCompatibilityChecker::exec
[20 Jul 16:01:32] [ActivitiesManager::exec] ERR: Activity 'PluginPackCompatibilityChecker' failed
[20 Jul 16:01:32] [ActivitiesManager::exec] WRN: Activities execution finished with errors
[20 Jul 16:01:32] [ActivitiesManager::exec] WRN: Activities 'PluginPackCompatibilityChecker' have failed
[20 Jul 16:01:32] [ActivitiesManager::exec] Designated exit code is 1


The R71.40 migration tool was used on the source. Nevertheless there is a new plugin error, and the import fails.

Hello, Check Point, do you do QA these days?
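To make the two migration failures described on this page easier to spot in a long migrate log (the plugin-pack mismatch quoted just above, and the "Failed to get machine's IP address" message from the upgrade_export post), here is an added Python helper. It is not part of either post and not one of Check Point's tools: it parses the log format shown above, counts ERR and WRN lines, extracts the failed activity and the exit code, and maps the error messages this page explains to the cause the posts give. The plugin log lines are the ones quoted in the post; the interface-down log is constructed, and only its message text comes from the page.

```python
import re

# Log lines copied from the failed R71.20 -> R71.40 import quoted in the post.
PLUGIN_FAILURE_LOG = """\
[20 Jul 16:01:32] [ReadFwsetFile] Going to read file '/opt/CPsuite-R71/fw1/bin/upgrade_tools/plugin_pack.conf'
[20 Jul 16:01:32] [ReadFwsetFile] Succeeded to read file
[20 Jul 16:01:32] ..<-- ReadFwsetFile
[20 Jul 16:01:32] [PluginPackCompatibilityChecker::GetPluginPackId] Plugin pack id is: 'R71.40'
[20 Jul 16:01:32] .<-- PluginPackCompatibilityChecker::GetPluginPackId
[20 Jul 16:01:32] [PluginPackCompatibilityChecker::exec] ERR: Failed to get plugin pack ids for source/destination machines
[20 Jul 16:01:32] <-- PluginPackCompatibilityChecker::exec
[20 Jul 16:01:32] [ActivitiesManager::exec] ERR: Activity 'PluginPackCompatibilityChecker' failed
[20 Jul 16:01:32] [ActivitiesManager::exec] WRN: Activities execution finished with errors
[20 Jul 16:01:32] [ActivitiesManager::exec] WRN: Activities 'PluginPackCompatibilityChecker' have failed
[20 Jul 16:01:32] [ActivitiesManager::exec] Designated exit code is 1
"""

# Constructed sample for the disconnected management server case: only the
# message text is from the upgrade_export post; timestamp and component are assumed.
IP_FAILURE_LOG = """\
[22 Dec 10:15:02] [GetMachineIP] ERR: Failed to get machine's IP address
[22 Dec 10:15:02] [ActivitiesManager::exec] Designated exit code is 1
"""

# [timestamp] [Component::method] LEVEL: message  (component and level are optional)
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] (?:\[(?P<src>[^\]]+)\] )?(?:(?P<level>ERR|WRN): )?(?P<msg>.*)$"
)
ACTIVITY_FAILED_RE = re.compile(r"Activity '([^']+)' failed")
EXIT_CODE_RE = re.compile(r"Designated exit code is (\d+)")

# Error messages this page explains, with the cause and remedy the posts give.
KNOWN_SIGNATURES = (
    ("Failed to get machine's IP address",
     "management interface is down: put the server on the network before exporting (sk63126)"),
    ("Failed to get plugin pack ids",
     "plugin pack mismatch between source and target; the import is refused"),
)


def parse_log(text):
    """Split migrate log lines into dicts with ts, src, level and msg."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def diagnose(text):
    """Summarise a migrate log: error/warning counts, failed activities, exit code, hints."""
    records = parse_log(text)
    errors = [r for r in records if r["level"] == "ERR"]
    warnings = [r for r in records if r["level"] == "WRN"]
    failed = []
    exit_code = None
    for r in records:
        m = ACTIVITY_FAILED_RE.search(r["msg"])
        if m:
            failed.append(m.group(1))
        m = EXIT_CODE_RE.search(r["msg"])
        if m:
            exit_code = int(m.group(1))
    hints = [hint for sig, hint in KNOWN_SIGNATURES if any(sig in r["msg"] for r in errors)]
    return {"errors": len(errors), "warnings": len(warnings),
            "failed_activities": failed, "exit_code": exit_code, "hints": hints}


if __name__ == "__main__":
    for name, log in (("plugin mismatch", PLUGIN_FAILURE_LOG), ("interface down", IP_FAILURE_LOG)):
        print(name, diagnose(log))
```

The first ERR line is the one to read; the WRN lines and the exit code that follow only restate that an activity failed, which is why the helper keys its hints on ERR messages alone.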

Monday, July 18, 2011

Check Point starts reselling ATC's courses

There is an interesting turn of events in Check Point training and certification system.

Apparently, Check Point has started to resell ATC courses on its site. If you go to the "About us/Events and Training" link on the company's Web site, you can see there a list of standard courses provided in several locations in the USA and Europe.

The navigation to this new engine is not yet obvious, and I doubt there will be many people using it at the beginning.

But this means a lot for the whole training and certification structure of Check Point education. The revolution has already started. Being centralized, is it good or bad for ATCs' business?

What do you think?

Monday, July 11, 2011

Dimension Data is sponsoring CPUG conference in Switzerland

Have you seen already that CPUG 2011 registration is already open?

I am proud to mention that my company, Dimension Data, is sponsoring the event, as usual.


Come along, guys, let's have some talks and fun in September!

R75 training and certification to be launched this quarter

It has been brought to my attention that CCSA and CCSE R75 are about to be released very soon.

The courses and exams will be quite different from what we have known before. Please mind that the information below is not yet confirmed by official sources.

The whole training scheme is now built on two standard trainings for CCSA and CCSE and some online modules for advanced topics.

CCSA is dedicated to general management subjects, such as basic architecture, management and control principles.

CCSE, on the other hand, will have in depth review of VPN-1 under the hood as well as troubleshooting techniques, CLI and debugging of different products.

All the blades are to be pushed to the additional streaming modules. IPSO and Dynamic Routing are expected to be there as well.

Exams will be held in mixed mode. CCSA and CCSE will remain with PearsonVue. Streaming module exams are expected to be held directly by Check Point and to be provided online.

The most interesting rumor is that to maintain your certification you will have to take one or two streaming modules every year without necessity to do CCSA/E, accelerated or not.

I am looking forward to having this information confirmed officially. We do not have to wait for too long now.

If all this is true, we face yet another Check Point training revolution, affecting both certified professionals and ATCs.

I bet not every ATC will be happy to have Check Point taking business from them with streaming modules.

Will see it very soon, guys.

Monday, June 27, 2011

CPUG Europe 2011 - are you coming?



I am excited to let you know that the CPUG Europe conference will take place in Chur, Switzerland in the week of the 19th of September.

The site is already up, and the agenda will hopefully be filled in quite soon.

Two last days are reserved for custom training.

See you there guys.

Tuesday, May 31, 2011

Advanced migration of Provider-1 R7x

Check Point listens, guys.

One of the most demanded features for years was an ability to migrate Provider-1 systems not only between different pieces of hardware but also between OS platforms.

It became quite hot when decent SPLAT was out. Once upon a time it was only possible with CMA migration. It was a painful and long procedure. And you could not do this if you had VSX managed.

This is not the case anymore. With the new Multi-Domain systems of R7x you can do it quickly and easily.

First, insert the Provider-1 target version installation CD into your MDS. Mount the cdrom and go to the linux folder on it. Run the usual mds_setup script from there.

You will have 4 options, and the last one is to export your existing MDS configuration. Choose it and continue. As a result you will get an MDS export file.

On the target machine install the desired version from the CD. Pre-configure it as required (Primary MDS, etc).

Copy the export file to it.

To import, go to $MDSDIR/system/install and run the mds_import script from there, pointing it to your export file.

Say your export file is placed in /var/tmp and called export_mds_12345.tgz. Then your import command will look like ./mds_import /var/tmp/export_mds_12345.tgz.

The script will re-build your MDS on the new machine and will upgrade the database, if necessary.

In about ten to twenty minutes you will have a new migrated and upgraded system. No more mds_backup and mds_restore hassle, no more upgrade in place and disk space wasted by old versions. You can easily use it with VSX, you can finally change your old Solaris MDS to a shiny new SPLAT box without spending 10 days migrating CMAs with production management operations stopped.

Hooray! Check Point, thanks a lot!

Friday, May 27, 2011

Mobile Access Software Blade platform support

I am regularly getting the same question from my sales: "Can one add Mobile Access Software Blade functionality on an IP appliance?"

The answer is:

No, Mobile Access is only supported on SecurePlatform. It means it is applicable to UTM-1, Power-1 and open server based systems, but not to IPSO based ones.

You can find the answer on Check Point site, under Specification tab.

Thursday, May 19, 2011

R65.4 is still a dead end

As you may have noticed already, R75.10 has recently been released.

There were some hopes on the field that this release would unblock some dead end upgrade paths for versions such as R65.4 and R71.30.

That did not happen. There is no direct upgrade to R75.10 from any version below R75. You can check out the updated upgrade diagram from fileserve.org here.

It means that someone having R65.4 is still blocked. 

This is quite painful considering R65 is out of support for some time now. Check Point, what's going on?

Wednesday, May 18, 2011

Migration problems with SmartMap, R75

I have encountered today an interesting problem while migrating MGMT server from R65 to R75 Smart-1 appliance.

The customer has an enormous network setup with lots and lots of different subnets. He had SmartMap disabled on R65, but after migration to R75 it is enabled again. As a result, we just could not start SmartDashboard; it was taking forever to build SmartMap on the GUI client machine.

There is a quick and dirty solution for that. Instead of starting with SmartDashboard, you can open GUIDBEdit. Find the totally_disable_VPE parameter there and set it to true. That will disable SmartMap on the client side.

I have found this on CPUG in this discussion. Well done, guys!

Tuesday, May 17, 2011

SmartSPLAT - new release is available

One more follow-up post.

SmartSPLAT utility that I was recommending in March has a new release, 4.0. There are lots of improvements.

Check it out here.

CCMA's requirements - CCMSE is not one of them

In January this year I posted some info about CCMA prerequisites. I mentioned there that CCMSE was a new requirement before taking CCMA certification.

This information was based on the official Check Point statement of that time. Since then some things have changed. In particular, Check Point lifted the CCMSE prerequisite.

For the record, you do not have to have active CCMSE status to start CCMA certification. It is back to the way it was originally designed.

Tuesday, May 10, 2011

Mystery of propagated static routes on VSX (solved)

For the last two weeks I was dealing with an unpleasant case where a VSX customer of mine could not provision some changes on a VSX cluster.

The issue seemed to be MGMT DB corruption. There were some "wrong" static routes propagated to the iVR and eVR from a Virtual System. The funny part was that these routes were not defined on the VS itself, at least that is what we thought at the beginning.

We tried to adjust the DB manually, to remove warp links, etc. Nothing helped. As soon as we touched the VS in question, all these deleted routes were back on the VRs again.

It was absolutely weird, because we could not find any reference to the propagated networks in any of the MGMT databases, neither on the Main CMA nor on the Target one.

Finally, while playing with the system, we noticed that the system pushes new static routes to the VRs if the VS NAT Addresses definition is touched.

Here is the deal. If a VS is connected to a VR and has some static NAT rules, you can define explicit static routes on the VS and then propagate them to the adjacent VRs to make NAT work. On a physical system a similar case would be to create static ARP entries on an adjacent router to point it to the FW.

On VSX there is a better way to do the same. If you go to the VS topology tab, there is a "NAT Addresses" button just below the static routes table. If you press the button, you can add all static NAT IP addresses there. Once you are done, the system will calculate the closest IP network covering the defined IP addresses and then propagate a static route for this network to the VRs.

That was our problem. Someone had put some IP addresses there but then decided to go on with explicit static routes instead. There were two conflicting static routes, one explicitly defined, the other one manually added on the VS and propagated. Provisioning did not catch the error, but the VSX behavior after both routes got there was... well... not ideal.
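
As an added example (not from the original post), the Python below computes the covering network for a set of NAT addresses and lists the explicit static routes it overlaps, which is exactly the kind of conflict described above. The exact aggregation rule VSX applies is not stated in the post; the code assumes "closest IP network" means the smallest single prefix containing all the addresses, and the addresses and routes are constructed samples.

```python
import ipaddress
from typing import Iterable, List


def covering_network(nat_addresses: Iterable[str]) -> ipaddress.IPv4Network:
    """Smallest IPv4 prefix containing every address in nat_addresses.

    Assumption (not documented in the post): this is how the "closest IP
    network" behind the VS "NAT Addresses" button is derived.
    """
    ips = sorted(ipaddress.IPv4Address(a) for a in nat_addresses)
    if not ips:
        raise ValueError("at least one NAT address is required")
    lo, hi = int(ips[0]), int(ips[-1])
    # Shorten the prefix until the lowest and highest address share it.
    prefix = 32
    while prefix > 0 and (lo >> (32 - prefix)) != (hi >> (32 - prefix)):
        prefix -= 1
    network_int = (lo >> (32 - prefix)) << (32 - prefix)
    return ipaddress.IPv4Network((network_int, prefix))


def conflicting_routes(propagated: ipaddress.IPv4Network,
                       explicit_routes: Iterable[str]) -> List[str]:
    """Explicit VS static routes whose destination overlaps the propagated one.

    Two routes for overlapping destinations ending up on the VR is the
    situation described above, so anything returned here should be
    resolved before provisioning.
    """
    overlaps = []
    for route in explicit_routes:
        net = ipaddress.IPv4Network(route, strict=False)
        if net.overlaps(propagated):
            overlaps.append(str(net))
    return overlaps


if __name__ == "__main__":
    # Constructed sample: two NAT addresses in one /24 give a tight /28,
    # while one stray address in another /24 widens the route to a /16
    # that swallows an unrelated explicit route.
    explicit = ["192.168.200.0/24", "10.10.0.0/16"]
    for nat in (["192.168.10.5", "192.168.10.9"],
                ["192.168.10.5", "192.168.200.7"]):
        net = covering_network(nat)
        print(nat, "->", net, "overlaps:", conflicting_routes(net, explicit))
```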

The Check Point PS engineer involved in the resolution has promised to add a new SK entry on the matter.

Friday, April 29, 2011

News about R75 courses and certification

Finally I managed to get some solid information about R75 training and certification.

According to my sources, Check Point is going to release R75 CCSE training by the end of Q2. CCSA R75 will be released a bit later. In addition, the CCSE Plus certification will be reinstated. There will be additional blade certifications with R75, and Plus status will be a function of those.

Thursday, April 28, 2011

Simulating VSX provisioning process in the lab

Sometimes while troubleshooting VSX or working on a proof of concept, you need to build some VS objects without an actual physical VSX cluster connected to your management system.

For example, I am working on some support issues with a customer, and we do not intend to mess around with our production system. We could build a physical lab, but having an extra VSX 9090 just sitting there is too expensive. VMware seems to be a good option, but there are two blocking issues:
  • you cannot create a VMware machine with more than 10 interfaces,
  • it is impossible to restore a VSX appliance to a VM.

What to do then?

There is a way to run some simulations without physical VSX machines, using your MGMT only.

Usually, if you touch VSX objects, pressing the OK button starts a provisioning script that runs on the Main CMA. This script is supposed to push configuration changes to your physical machines and all relevant VSX objects: virtual systems, routers and switches. If your physical machines are not available, the script will fail.

But you can bypass sending the actual provisioning scripts to the VSX members by using some specific debug flags.

On the Main CMA run “fw debug fwm on” with the following flags:

TDERROR_ALL_VSXM_DBG_SKIP_PING=INFO
TDERROR_ALL_VSXM_DBG_SKIP_INSTALL=INFO
TDERROR_ALL_VSXM_DBG_SKIP_PULL_SIC=INFO

These flags suppress the connectivity checks and script execution on VSX when the cluster members are not available.

It means you can re-create your MDS on VMware and then play with it before making any change on production. With these commands, having VSX machines in the VMware lab is not required.

I have to make some warnings before wrapping this up.
  • Remember, all provisioning happens on the Main CMA, so mind your Provider-1 context before executing these debug commands.
  • Avoid using this technique on a production environment unless advised by Check Point support to do so.
  • Close any GUI clients before executing the commands. MDG can still be open, but having SmartDashboard or even GUIdbedit running while you are setting these debug flags affects the outcome.

If you are looking for highly technical training on VSX and other Check Point products, please check out our ATC in Lausanne. We run our courses in English. We welcome all participants, from inside and outside Switzerland. Please go to this web page and choose the "Contact us" tab if you wish to make an inquiry or would like to register for the announced courses.

We are masters of customized training. If you do not find your subject in our schedule, contact us anyway; we will tailor a training session specifically for you. You will not be disappointed.

Tuesday, April 26, 2011

No news on R75 certification just yet

Hi all!

I have noticed that a fair number of visitors to this blog are coming from Google searches about R75 courses and certification.

Unfortunately, for the moment I do not have any news on this subject. It seems that Check Point is working internally to come up with such activities, but nothing has surfaced yet. I do not have any ETA, and rumors are inconclusive.

There are some voices saying R75 will have the CCSE Plus certification revived, but I cannot confirm or deny this information.

Let's wait till CPX; there might be some insights on the matter. I will keep you posted, guys.

Tuesday, April 12, 2011

Check Point gloats over NSS firewall test results

Forbes has published an interesting article about the latest NSS Firewall testing. Apparently Check Point is the only vendor that passed the full range of tests. The rest (Cisco, Juniper, Fortinet and even Palo Alto (!)) failed the TCP split handshake tests.

Additional reference: Check Point press release

Good job, Check Point!

Monday, April 11, 2011

There is no CCSE plus R7x

Strange, but I am getting several hits on this blog every day originating from Google searches for "CCSE plus R71" and similar.

Guys, please remember: there is no CCSE Plus anymore, neither for R70 nor for R71.

Current Check Point certification/education only has CCSA and CCSE exams and courses. There are rumors that it might change with R75, but there is no material proof of that just yet.

Check Point gives away free Identity Awareness licenses

I am sincerely surprised today.

My Check Point SE just told me that, this year only, Check Point is giving away free permanent licenses for Identity Awareness Software Blades.

Apparently these licenses not only have a zero price tag, but also come with free lifetime maintenance.

I am still waiting for an official document, but it is about time to call all your customers who are even remotely interested in the feature.

The offer is limited till the end of the year.

Friday, April 1, 2011

How to visualize your rulebase

One of a security admin's tasks is documenting the security system. Sometimes it is necessary to print out your rulebase, objects and users. How to do that?

There are many different ways, but one of the least known is the standard Check Point Web Visualization Tool.

The comprehensive history and recent documentation can be found in sk30765. The tool is actually a script that creates an HTML file with your rulebase, NAT, objects and users. It is quite useful for printing out the data.

This tool only exists for R65 and R70. I tried it on an R75 MGMT server; there are some funny bugs, but it still does its job, most of it.

And Check Point... If you read this, please patch the tool for your own latest versions, pretty please.

R7x upgrade path diagrams

Originally found here.

If you are wondering what your upgrade path from R6x to R7x would be, these three diagrams will help you understand the dependencies and supported paths.

Upgrade to R70

Upgrade to R71

Upgrade to R75

Credits to filereverse

Thursday, March 31, 2011

SmartSPLAT - yet another SMART way to manage SecurePlatform

You are considered to be an expert if you can effectively work with the SPLAT CLI. It usually takes knowledge and expertise to operate fw monitor, kernel debug, and ClusterXL commands.

But is it indeed that complicated? Apparently not. There is a brilliant tool out there called SmartSPLAT.

It allows you to do almost everything you might dream of: getting traces, collecting debug information, managing interfaces, preparing SCP transfers, changing cluster parameters, etc. The full list might actually take a couple of pages.

And can you imagine this tool is free of charge?

The author is Çağdaş Ulucan, and we are all grateful for his tremendous work.

Tuesday, March 29, 2011

Good word about me

Two of my good friends and colleagues, Tobias and Robert, surprised me yesterday by endorsing our new ATC in Lausanne on the new and growing CPshared forum.

Thank you guys for these warm words :-)

To remind you all, you can find our Check Point course schedule here.

Friday, March 25, 2011

R75 Multi Domain Management - changes in CMA migration

It is worth mentioning that CMA migration has changed since R71.

If you remember, the old way was to collect 5 folders ($FWDIR/conf, $FWDIR/database, $CPDIR/conf, $CPDIR/database and the registry) and then import the results with cma_import or through MDG.

Nowadays if you try this on R75 you will fail. The new procedure requires using the migrate tool I mentioned in one of my previous posts.

The process is documented in the R75 Installation and Upgrade guide, page 114 and below.

In brief, you have to export the CMA to a .tgz file with the migrate export command. The resulting file is then processed with the cma_migrate script from the command line.

To be fair, this path already works from R71.

Thursday, March 24, 2011

UTM-1 and Smart-1 fail to reboot after upgrade to R71.30

I have seen something strange today. The customer had three R71.10 boxes, two UTM-1s and a Smart-1. All with original factory images, no funky business.

We made a routine upgrade via the WebUI to R71.30. All three appliances failed to reboot after being "successfully" upgraded. They were stuck with "loading" messages on their LCD screens.

We could only boot them after shutting them down with the power switch.

I checked all the forums I know and the SK DB for this kind of failure, but I did not find anything relevant. Have you seen this kind of issue, guys?

Monday, March 14, 2011

Our Check Point ATC web site is now online

It is my pleasure to inform you that our ATC web pages are finally available online, thanks to the DD corporate web masters.

Please feel free to browse them any time.

The course schedule and descriptions are also available.

You should be able to register and/or request additional details there, so please do not hesitate.

See you in my classroom!

Tuesday, March 8, 2011

Check Point reads my blog

I got a call yesterday from Check Point Israel regarding my recent post about the R65 to R71 upgrade failure.

That is sweet, guys. A nice "bachura" (Hebrew for "girl" or "young woman") asked me for some details and even debug messages on the issue. I will try to get those, but the case is now cold, and the customer is taking another upgrade path.

I wish Check Point support had done the same when I called them.

Anyway, thanks guys, I can see some of my words are making it through the filters.

Monday, March 7, 2011

R75 courses are almost here

Some sources report that R75 instructor kits are now being distributed to Check Point qualified ATC instructors.

An instructor kit is a special set of books with the course materials and instructor notes. It allows ATCs to prepare the courses.

Instructor kits are not available for sale.

If this is true, then the official R75 CCSA and CCSE courses should be available very soon.

Stay tuned.

Check Point visual release map

Hi all!

Navigating through multiple Check Point releases may not be easy. The usual questions are: when it was released, what's new, and how it integrates with previous releases.

Check Point seems to care about us: here is the visual release map link, a PDF document describing everything mentioned above.

Thanks, Check Point, I am impressed.

Thursday, February 24, 2011

Mobile Access Software Blade public demo

Check Point Mobile Access Software Blade public demo is now available.

All you need is to download the iPhone/iPad Mobile Access client.

The Check Point demo site name is idemo.checkpoint.com. The activation key is demo-1234.

Once that is done, you will be able to connect. Use cpdemo as both username and password.

Once connected, you are able to see the mobile portal applications.

If you tap on "Introduction to iDemo", you will see a short system configuration explanation.

Easy, right?

Just like any other SSL portal-based application.

MGMT direct upgrade from R65 to R71.10 - beware

I had an exciting weekend working with one of my customers in Geneva upgrading a Provider-1 system from R65 to R71.10.

While the lab tests were showing success, the actual production upgrade failed badly.

The failure was only detected when we started pushing policy from the upgraded system. Suddenly we started getting syntax errors during policy compilation. These errors did not make any sense; they seemed to be just random lines of INSPECT code failing. There was no actual problem with the syntax, at least I did not manage to find any obvious one.

The rest of the functionality, including VSX provisioning and logging, was perfectly fine.

We tried to update the IPS definitions, because the problem seemed similar to the old R55 to R60 errors. No luck, the problem remained even after the IPS update.

With the service window closing on us, we had to roll back to R65.

The problem is reproducible in the lab. Nevertheless, new lab tests we made this week show that while the R65 to R71 upgrade fails, the R65 to R70 upgrade path still seems to work.

So here is my recommendation: do not skip major versions while going up from R65 on your management system. Otherwise you have a good chance of pulling some extra hours, as I did. Guys, it is no fun.

Friday, February 18, 2011

How to use ISO image on SPLAT instead of a CD for upgrade

In some cases it is easier to use an ISO image file instead of an actual CD to upgrade a SPLAT device. There are several reasons for that: no physical access to your server, upgrading a Smart-1 or any other appliance where a CD-ROM drive is not installed, etc.

Remember, you only need a CD for a major upgrade, such as going from R65 to R70.

Let's see how it is done.

First, check that you have enough space on the hard drive. Use the df -h command to see where you have enough space. Leave some extra for the upgrade operations.

Then create a folder for the ISO file. The best place is the /var partition. Run mkdir /var/temp/"your ISO folder". Transfer your CD image there.

Now it is time to mount it. Run mount -t iso9660 -o loop /var/temp/"your ISO folder"/"your ISO file".iso /mnt/cdrom.

Check that it is mounted OK with ls /mnt/cdrom.

Now you can run patch add cd and do the upgrade. Good luck.

Just one last note. You may not want to use snapshots during the upgrade procedure. If you absolutely need to make a snapshot, do it before transferring and mounting the ISO. Do not forget to save it on an external server.

Tuesday, February 15, 2011

Dates and prices for Check Point courses in Lausanne

We have the schedule and prices for Check Point training courses in our ATC in Lausanne.

Prices are in Swiss Francs.

Starting date   Course                       Language   Price (CHF, VAT excl.)   Registration status
04.04.2011      CCSA R71                     English    4750                     Open
16.05.2011      CCSA Upgrade R71             English    3210                     Open
18.04.2011      CCSE R71                     English    4750                     Open
04.07.2011      CCSA R71                     English    4750                     Open
18.07.2011      CCSE Upgrade R71             English    2400                     Open
08.08.2011      CCSA Upgrade R71             English    3210                     Open
22.08.2011      CCSE Upgrade R71             English    2400                     Open
03.10.2011      CCSA R71                     English    4750                     Open
17.10.2011      CCSE R71                     English    4750                     Open
21.11.2011      CCSA Upgrade R71             English    3210                     Open
05.12.2011      CCSE Upgrade R71             English    2400                     Open
Ask             CCMSE (Provider-1)           English    2400                     Open
Ask             CP VSX                       English    3210                     Open
Ask             CCEPE (EndPoint Security)    English    4750                     Open

Dates are subject to change; registration is subject to availability. We will not accept more than 10 persons per course.

Interested? Please contact me here. Web registration will be available in a week as part of the official Dimension Data web site.

Wednesday, February 9, 2011

Check Point IPS enforces iPhone Web browsing on corporate WiFi

From today's Check Point Security Advisory:

Security Best Practice: Blocking Apple iPhone Browsing. That is one nasty feature, my friends.

But I think I have some idea where the whole thing comes from. Check Point employees in Israel like iPhones, but have a quite limited data plan with the local GSM provider for company phones.

I bet they all use WiFi when in the office. But no more, dudes, no more...

Monday, February 7, 2011

Identity Awareness quick HOWTO movie

As before, all credit is to kellmant

Check Point training and certification group on LinkedIn

Hi all!

I have created a group on LinkedIn dedicated to all aspects of training and certification with Check Point Software Technologies.

You are all welcome to join.

Changes in R71 CCSA and CCSE courses

I have been able to go over the new R71 CCSA and CCSE manuals.

Here is a short summary of changes from R70-based courses.

CCSA R71:
  • Better info about CoreXL
  • IPS chapter removed (pushed to Expert course)
  • Reporter chapter removed (pushed to Expert course)
  • Check Point MGMT DB files better reviewed than before

CCSE R71:
  • IPS chapter added (was on CCSA with R70)
  • Reporter chapter added (same as above)
  • SmartEvent chapter added
  • DLP chapter added (expected)
  • Troubleshooting and Debugging supplement chapter added (not expected)

To summarize, CCSA gets lighter and CCSE heavier than before. It is strange that Check Point continues to recommend the same number of days for both courses as before: 4 to 5 days per course.

As for the exams, there is no information yet, but I would expect them to be changed in the same manner.

I am particularly interested in the troubleshooting and debugging questions on the CCSE R71 exam. If they are there, it is not so great. Personally I think these subjects are overkill on CCSE, which is already overweight with the new blades.

Friday, February 4, 2011

Dimension Data's Swiss ATC is now official

Our office in Kloten near Zurich received the Check Point ATC paperwork yesterday. It is a bit strange, because we are registered with our address in Crissier, near Lausanne.

We are not planning to provide Check Point courses in the Zurich area. But we are the first and only ATC in the Swiss Romandie area.

Although we do not have any official schedule for the moment, we are planning to start CCSA and CCSE R71 classes in March. Provider-1 and VSX official Check Point courses are also planned, but there is no estimate for the moment.

If you guys are interested, please send me an email to valeri.loukine AT eu.didata.com. I will send you the exact dates and the registration details.

I can assure you will get the best price in the region if you mention this blog when registering.

We will be happy to assist you in finding suitable accommodation in the area.

We are planning to launch the official ATC web site very soon; then you will be able to get the schedule there and register directly on the web page.

Stay tuned!

Wednesday, January 26, 2011

Merging two SmartCenter servers, quick HOWTO

Sometimes customers want to merge two or more SmartCenter servers into a single management server. The reasons for that are usually operational. I can't say I am a fan of this idea in general, but let's face it, from time to time we have to do something we do not like.

So, here is the way to do it right.

You will need:
  • Two SmartCenter Servers - provided by the customer
  • VMware workstation or ESX server - find it yourself
  • Check Point installation media or ISO files and HFA files - download them in advance from Check Point site
  • Standard evaluation licenses (optional) - ask your partner
You will NOT need:
  • tools like ofiller or Confwiz. We will only use one classic Check Point DB utility.

Things to take into consideration before you proceed:

  • SMC server versions
If the servers are on different versions, you need some additional steps along the way. It is best to have them on the same version and HFA level, if possible.
  • Local users and user groups
They cannot be merged. The ones on the target machine will remain. The source machine's users and groups will be lost. Choose your source and target wisely, because you will have to recreate these settings manually.

Update: users and user groups can in fact be merged by using the fwm export and fwm import commands on the source and target SMC servers respectively. Thanks to Tore Solberg for pointing this out on LinkedIn.

  • VPNs
You will have to tune both site-to-site and Remote Access VPN definitions during the migration. Basically, keeping VPNs intact is in many cases even more difficult than taking care of the users and groups.

Migration steps:

  • Backup everything. Then backup again.
  • Prepare DB export files on both SMC servers with upgrade_export
  • Install two new SmartCenter servers on your VMware. Choose any IP address you want. Use the exact versions of your actual machines, so you can import the DB later without any issue.
    License them with evaluation licenses, if you cannot use actual production IP addresses.
  • Import the two databases on the VMware machines using upgrade_import. Check they are running and that you can connect to them with SmartDashboard without any problem.
    It is important you have both servers functional before you start messing around.
  • Now it is a good time to decide which will be the target machine and which the source.
    It is all about complexity: fewer FWs managed, fewer users defined, fewer policy packages configured. In some cases the customer tells you in advance which SMC will be decommissioned. Choosing the right approach is important because you will have to manually redefine all local users and user groups from the source SMC.
  • On the target SMC prepare the files. You will need to copy the Objects_5_0.C file to a certain folder. Then use the cp_merge utility to export all policy packages you need. Usually there are several of them, so consult with your customer about the things he wants to keep.
  • Copy these files (DB file and policies) to the target SMC. Use the same cp_merge to merge the objects. Then use it again to import all policy packages. Easy, right? By the end of this step you should have on your VMware one operational SMC with the merged objects database and all necessary policy packages. Reminder: users and user groups should be created before this step.
  • Export the DB from this machine with the upgrade_export utility. At this point you are done with labs and simulation; it is time to change your production systems.
  • Import the DB prepared in the previous step to your target production server. Run regression tests. Its own FWs should continue sending logs. SIC should work, and you must be able to push policy to those FWs.
  • Now it is time for a more interesting task. You already have the FW objects from your source SMC, but they are not responding. Reset and re-establish SIC with them. Voila!
  • Take care of the VPNs. Tune communities and change all the needed parameters. It might not be as easy as it sounds, but it is no different from building a new VPN system, so you will manage.
  • Once you have all GWs operational, all VPNs up and all logs coming in, it is time to clean your database. Remove the old source SMC object from it and, if necessary, duplicate objects.
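
As an added example (not the post's own procedure and not a Check Point tool), the Python below looks for the duplicate objects mentioned in the last step before you run cp_merge: it parses the host objects out of two Objects_5_0.C files and reports name clashes and same-IP duplicates between source and target. The two databases embedded below are constructed, heavily trimmed samples in the Objects_5_0.C layout; real files carry many more attributes per object.

```python
import re
from typing import Dict, List, Optional, Tuple

# Tokens of the Objects_5_0.C syntax: parentheses, ":key" labels (a bare
# ":" introduces a named member of a table), quoted strings and bare atoms.
_TOKEN = re.compile(r'\(|\)|:[\w\-]*|"[^"]*"|[^\s():"]+')

# A parsed group: (optional leading name, [(key, child group), ...]).
Node = Tuple[Optional[str], List[Tuple[str, "Node"]]]

def _parse_group(tokens: List[str], i: int) -> Tuple[Node, int]:
    """Parse '( [name] (:key (...))* )' starting at tokens[i] == '('."""
    if tokens[i] != "(":
        raise ValueError(f"expected '(' at token {i}, got {tokens[i]!r}")
    i += 1
    name = None
    if tokens[i] not in ("(", ")") and not tokens[i].startswith(":"):
        name = tokens[i].strip('"')
        i += 1
    items: List[Tuple[str, Node]] = []
    while tokens[i] != ")":
        key = tokens[i]
        if not key.startswith(":"):
            raise ValueError(f"expected ':key' at token {i}, got {key!r}")
        child, i = _parse_group(tokens, i + 1)
        items.append((key[1:], child))
    return (name, items), i + 1

def parse_objects_c(text: str) -> Node:
    """Parse a whole Objects_5_0.C-style file into a Node tree."""
    tokens = _TOKEN.findall(text)
    root, end = _parse_group(tokens, 0)
    if end != len(tokens):
        raise ValueError("trailing data after the top-level group")
    return root

def _child(node: Optional[Node], key: str) -> Optional[Node]:
    for k, child in (node[1] if node else []):
        if k == key:
            return child
    return None

def load_hosts(text: str) -> Dict[str, str]:
    """Map every host_plain object name in network_objects to its IP."""
    table = _child(parse_objects_c(text), "network_objects")
    hosts: Dict[str, str] = {}
    for _, obj in (table[1] if table else []):
        cls = _child(_child(obj, "AdminInfo"), "ClassName")
        ip = _child(obj, "ipaddr")
        if obj[0] and cls and cls[0] == "host_plain" and ip and ip[0]:
            hosts[obj[0]] = ip[0]
    return hosts

def find_conflicts(source: Dict[str, str], target: Dict[str, str]):
    """Classify source hosts against target: identical, name clash, IP double."""
    identical: Dict[str, str] = {}
    name_clash: Dict[str, Tuple[str, str]] = {}
    ip_double: Dict[str, Tuple[str, str]] = {}
    target_by_ip = {ip: name for name, ip in target.items()}
    for name, ip in source.items():
        if name in target:
            if target[name] == ip:
                identical[name] = ip                       # harmless duplicate
            else:
                name_clash[name] = (ip, target[name])      # same name, other IP
        elif ip in target_by_ip:
            ip_double[ip] = (name, target_by_ip[ip])       # the "double object"
    return identical, name_clash, ip_double

# Constructed, heavily trimmed samples in the Objects_5_0.C layout; real
# files carry many more attributes per object.
SOURCE_DB = """(
    :AdminInfo (:chkpf_uid ("{00000000-0000-0000-0000-000000000001}"))
    :network_objects (
        : (web-srv :AdminInfo (:ClassName (host_plain)) :ipaddr (10.1.1.10))
        : (dns-old :AdminInfo (:ClassName (host_plain)) :ipaddr (10.1.1.53))
        : (mail-srv :AdminInfo (:ClassName (host_plain)) :ipaddr (10.1.1.25))
        : (lan-net :AdminInfo (:ClassName (network)) :ipaddr (10.1.1.0))
    )
)"""
TARGET_DB = """(
    :network_objects (
        : (web-srv :AdminInfo (:ClassName (host_plain)) :ipaddr (10.2.2.10))
        : (dns-srv :AdminInfo (:ClassName (host_plain)) :ipaddr (10.1.1.53))
        : (mail-srv :AdminInfo (:ClassName (host_plain)) :ipaddr (10.1.1.25))
    )
)"""

if __name__ == "__main__":
    labels = ("identical", "name clash", "ip double")
    results = find_conflicts(load_hosts(SOURCE_DB), load_hosts(TARGET_DB))
    for label, result in zip(labels, results):
        print(f"{label}: {result}")
```

A name clash has to be resolved by renaming on one side before the merge; a same-IP double is a candidate for the clean-up in the last step.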
Please let me know if you have any further questions.

Stay tuned.

Friday, January 21, 2011

Dimension Data Switzerland to launch ATC

Hi all!

Sorry for being quiet for a while. I have just got back from the CCSI (Check Point Certified Security Instructor) training provided by Ken Finley of Check Point. Without any exaggeration, that is the best training I have had in the last 10 years.

Thanks, Ken, I appreciate your effort.

The reason for me to attend this training was related to our new project in Switzerland.

It is official: we are now an ATC (Authorized Training Center) with Check Point.

There are some formalities to fulfill before the course schedule and price information are available.

We are planning to start with CCSA R71 course, followed by CCSE training. Both Provider-1 and VSX courses are also planned.

If you are interested, please contact me here before the official channels are opened.

Stay tuned, guys, and thanks a million for your interest and support!

P.S. It seems that the CCSI certification is listed as "retired" on the Check Point site. According to unofficial information, it is about to be re-launched, and the course I attended recently is the first step in the process.

Wednesday, January 12, 2011

Check Point IPS is highly recommended by NSS Labs

NSS Labs has tested 13 different IPS appliances from 10 different vendors.

Check Point was one of them, presenting the new 11 Series Power-1 appliances with the IPS blade. The other vendors include Cisco, IBM, Palo Alto and Juniper.

Although the full report can only be purchased for a symbolic $1800, some results from it are available on the Check Point web site.

It appears that Check Point IPS has the second highest effectiveness score among the tested appliances.

This is a great result, well done, Check Point.

Hopefully it will help customers start trusting Check Point's IPS technology again, after the company scared some of them off with SmartDefense.

It is not clear who is the "Vendor A" on the diagram, but my money is on Palo Alto. What do you think?

I was wrong, Palo Alto is vendor E here, according to their part of the report. Wrong link, that report is from August 2010.

Thanks for guessing Vendor A, guys!

Tuesday, January 11, 2011

Check Point VE R71 is now available for download

Check Point has released the second VE version after R65. Now it is R71.

The important change is that both ESX Server 4.0/4.1 and ESXi Server 4.0/4.1 are now fully supported with the new version.

The VMware image can be downloaded here and takes less than 1 GB as a .tgz file.

Application control preview movie

My favorite Kellman just did it again.

Here is a short overview of the new R75 Application Control feature. You may want to skip the video forward to about 1:30 to see the actual explanation. Do not do this if you like advertising and 007-style loud music.

Anyway, enjoy.

All the credits go to Kellman, my man, yo!

Monday, January 10, 2011

CCMA R71 prerequisites - CCMSE R71 is now required

Following my post about the R71 CCMA changes, I have to say I have not yet managed to find any details about the alleged simplified user experience.

Instead, I found out that the CCMA R71 prerequisites have been changed. CCMSE R71 is now a prerequisite, which was not the case before. The CCMSE certification was only recommended, not required, for CCMA R65. Here is the document describing the requirements, PDF only.

This is a logical step after Check Point discontinued the CCSE Plus certification. Yet candidates need to be aware that they will have to get one more certification before going for the CCMA exams.

Check Point changes upgrade tools, silently, without documenting

You may not be aware of some major changes happening to Check Point management upgrade tools with R7x versions.

On R65 and below it was quite simple. You had two different scripts in $FWDIR/bin/upgrade/tools, upgrade_export and upgrade_import.

The upgrade_export script packs your MGMT database, ICA and registry into a single .tgz file that you can import later on other HW, even on a higher version of Check Point MGMT. The export files are also widely used as an alternative backup in the field. Check Point also mentions it as a backup tool in the SecureKnowledge article sk30571.

I love these tools for their flexibility and ease of use, and you may too. But the strange thing is that the tools are only mentioned in the upgrade guides. The CLI reference guide does not mention them, and neither do the Administration guides.

Although Check Point recommends using the latest upgrade tools from the target version, until R70 it did not matter. You could export your MGMT data from R55 without replacing the native upgrade tools and then import it to R65 almost without any trouble.

"Almost" here means that there are some known issues with the MGMT plugins introduced with R65, but people got used to working around them.

But if you try to do the same between R65 and R75, the import will fail. You can only perform an advanced upgrade between these versions if you used the R75 export tool on R65.

The reason for this is that Check Point silently replaced the utility with a completely new one. In fact, the two utilities are replaced with a single migrate binary. To keep this quiet there are now three binaries, not two: migrate, upgrade_export and upgrade_import. In fact they are the same: upgrade_export now just mimics the migrate export command, and upgrade_import in fact performs migrate import.

The resulting file also looks completely different. Instead of a simple readable structure, paths like FWDIR or CPDIR are replaced with more generic variables. The famous .configuration file is different as well. It is the sole reason the migration files between the versions are now incompatible. Most importantly, this file now lies about the MGMT version. Just two weeks ago I was troubleshooting migration issues and got scared as hell when finding an R75(!) version stamp in a .configuration file made on R71.

For a moment I thought the customer had an EA version of FOX.

So guys, be prepared for some surprises when doing advanced upgrades on the newest versions.