As I have mentioned recently, Check Point has released a so-called 3D Analysis tool to help partners show the added value of Check Point technologies by analyzing live production traffic.
Although this tool is a great thing, there are some tips and tricks to make it work even better:
1. Licensing. The downloadable tool from Check Point comes with an expired license. Use your quick eval license on it.
2. Tapping. The official guide mentions tapping the external interface of the customer's FW. In this case bandwidth utilization will not show internal hosts, and Identity Awareness information will also be unavailable. You may want to mirror the internal interface of the customer's FW instead, if the topology in place is simple.
3. DLP policy is not set to the customer's case. Do not forget to configure the email domain properly before deploying the tool.
4. Identity Awareness is not activated. If you want to enable it, mind point 2. Also do not forget to arrange connectivity to AD from the physical machine hosting the 3D VM tool.
5. Policy installation. The VM does not have any policy installed when you start it; do not forget this tiny detail.
If you have some other tips, please kindly share them in the comments.
This is a professional blog of a Check Point Certified Master Architect (CCMA). It does not represent the position of my current employer.
Tuesday, February 28, 2012
Monday, February 27, 2012
Friday, February 24, 2012
Gaia public EA, first impression
As you may already know, the long-expected Check Point Gaia has finally made its first public EA.
I am currently playing with it, and it seems quite interesting. Here are my first notes on the matter.
Finally, Google Chrome is supported for WebUI, although my old Firefox 3.6 on OSX is not. The first-time wizard looks quite nice, and it finally recognizes the platform, VMware Fusion in my case.
VRRP is indeed part of the release, all praise Check Point for that!
When installing, you can see much more detailed progress.
Once the system is up, you get the WebUI overview page. It is too big to put here, but there are some details I would like to point out. There is a feedback area in the GUI. You can just mark something you like or not with the smiley faces, and you can also send text feedback from the tool.
Check Point listens, isn't it nice?
One last picture for today: in the user management section one is able to set a lot of accessibility and management roles. Each part of the MGMT interface can be set to full rights or read-only.
Now, what about the kernel? It is still RH Linux based, 2.6 version. I have installed the 64-bit version, and it seems to do its job so far.
The CLI is set to clish, and you get bash in expert mode. cpshell is still there, but some of the commands do not work. As I am still in the earliest curiosity stage, the RTFM step is not done yet, so it might be a user error.
I am planning to dig into the most expected features: dynamic routing, VRRP, extended kernel memory, etc. New posts to come.
Monday, February 20, 2012
VSX - no logs from some of Virtual Systems
Last weekend I was assisting my customer in migrating a VSX cluster to new HW. The migration went smoothly, but there was a weird problem: some Virtual Systems on the new cluster were not sending logs to their log servers.
I have faced this problem more than once, so I guess someone else can have it too. Here are some tips on what to do.
The issue itself might be related to the VS creation process, as mentioned in sk43973 and sk61545 (both solutions are about the same problem). Although the case claims the issue is fixed in VSX R67 GA, I have experienced it on R67.10.
First, check you do not have any issue with the cpld process on both sides: VSX and CMA. Check the processes are up.
Then see if the VS is actually talking to its CMA. To do that, run netstat -na. If logs are being sent, you will see an established connection between the CMA and the VS on port 257. A detailed explanation of how to do it can be found in sk38848.
Now, this is the key point. If you have the established connections, logs are coming. Install DB on your log server and re-open the SmartView Tracker client; you should now see them.
If the connection is not established, something is quite wrong with the logging process. In my last case, a certain Virtual System was not sending logs if active on the first cluster member, but was sending them after a failover. CPSTOP/CPSTART did not fix the issue, but a reboot of the cluster did.
If you cannot afford rebooting the cluster, you can try killing cplogd, a special daemon responsible for logging in the VSX environment. To do that, use the "kill -9 " command from the expert shell.
So, the recommendations are:
1. Check connectivity and communication on port 257.
2. If there is traffic from VS, install DB on the log server.
3. If there is no communication between VSX and CMA, reboot the cluster members one by one.
4. If neither one of the steps helped, open a support case and describe all you did thoroughly.
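The port 257 check from step 1 and the decision in steps 2 and 3, as an added shell example (not from the original post or Check Point): it parses netstat -na output for an ESTABLISHED connection on port 257 and prints the next action. The sample netstat lines and the 192.0.2.x addresses are constructed; with --live it runs the real netstat instead.

```shell
#!/bin/sh
# Added example, not part of the original post. Port 257 is the Check Point
# log port the post refers to; the sample netstat output below is constructed.

# Reads "netstat -na" output on stdin; returns 0 if at least one TCP
# connection with port 257 on either side is ESTABLISHED, 1 otherwise.
has_log_connection() {
    awk '$1 ~ /^tcp/ && $NF == "ESTABLISHED" &&
         ($4 ~ /[:.]257$/ || $5 ~ /[:.]257$/) { found = 1 }
         END { exit found ? 0 : 1 }'
}

# Constructed sample: log connection present (192.0.2.10 = VS, 192.0.2.20 = CMA).
SAMPLE_OK='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:257             0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:257          192.0.2.20:45122        ESTABLISHED
tcp        0      0 192.0.2.10:22           192.0.2.99:51002        ESTABLISHED'

# Constructed sample: only the listener, no established log session.
SAMPLE_BAD='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:257             0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:22           192.0.2.99:51002        ESTABLISHED'

# $1: netstat output. Prints the recommendation from the post and returns
# 0 when logs should be flowing, 1 when the logging process is broken.
check_vs_logging() {
    if printf '%s\n' "$1" | has_log_connection; then
        echo "ESTABLISHED on port 257: logs are coming; install DB on the log server and reopen SmartView Tracker"
        return 0
    fi
    echo "no ESTABLISHED port 257 connection: logging is broken; reboot cluster members one by one"
    return 1
}

if [ "${1:-}" = "--live" ]; then
    check_vs_logging "$(netstat -na)" || true
else
    check_vs_logging "$SAMPLE_OK"
    check_vs_logging "$SAMPLE_BAD" || true
fi
```

Run it inside the Virtual System whose logs are missing, since each VS has its own connection to its CMA.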
Good luck
Monday, February 13, 2012
Check Point releases new demo tool for partners
Check Point has released so-called 3D Security Analysis Report Tool. Partners can download this tool from the partners' portal.
The idea is to allow a simple and straightforward demonstration of Check Point's most recent security features, such as IPS, DLP, Identity Awareness and others, without intrusive operations in the end customer's networks.
The tool includes a special GUI client and a virtual machine with a pre-installed Check Point FW.
One can connect the virtual appliance to a mirrored port to inspect the passing traffic. Later on, an automatic report can be generated from the collected information.
A sample report is available here.
Monday, February 6, 2012
CPUG Europe 2012 - are you coming?
Have you noticed already that CPUG Europe 2012 registration is open?
The annual CPUG European conference will take place in Chur, Switzerland, starting 17th of September.
Early registration is available till July 17th, and you can save an extra EUR 50 if you attended last year.
See you all in Chur, guys!
Thursday, February 2, 2012
Check Point releases R75.20 VE
Check Point has announced the R75.20 VE release on its Twitter account. This means that (almost) the latest functionality is now available as Virtual Edition.
Just two days ago you could only download R70 VE, lacking many of the recent and most interesting features such as Application Control, SSL inspection, etc.
Funny enough, R75.20 is not yet listed on the official page, but can already be downloaded from User Center.