Tuesday, May 15, 2012

Next Generation security features - are you using them?

Next Generation firewalls - this term is buzzing for some time now. In Check Point world it is presented by the following features:

DLP
Application Control
Identity Awareness
Anti-Bot

What features from the list are used in your security systems? What about your customers? Thanks for sharing

Thursday, May 10, 2012

GAiA: ClusterXL magic mac settings - same as before

GAiA is Linux RH based, and it has system 2.6.18 kernel.  And Check Point ClusterXL is still the same as before.

If you are upgrading to GAiA or installing in fresh in a cluster configuration, you may need to take care of so-called "magic mac" settings.

To remind you briefly, "magic mac" is an artificial MAC address used in CCP, Cluster Control Protocol, responsible for probing, messaging and sync communications in ClusterXL. Once you have more than one cluster in the same network, you have to change magic mac settings starting from the second cluster and up.

Some details about the change is mentioned in SK66527.

GAiA or SPLAT, it makes no difference. If you are using ClusterXL and not VRRP, follow the mentioned solution.

For those who do not have the access, here is a quick HOWTO:

First, make sure your magic mac are default. To check that, run fw ctl get int fwha_mac_magic and fw ctl get int fwha_mac_forward_magic commands, as in the example bellow:

# fw ctl get int fwha_mac_magic
fwha_mac_magic = 254
# fw ctl get int fwha_mac_forward_magic
fwha_mac_forward_magic = 253

The default settings are, as shown 254 and 253.

On the second cluster you will have to do the following:

On each of the Cluster Modules
1. cd $FWDIR/boot/modules
2. create the fwkern.conf file by: # vi fwkern.conf
3. Add the required parameters and values as given below:
fwha_mac_magic=250
fwha_mac_forward_magic=251


Mind the numbers marked bold should be unique on each cluster you are making changes and non equal to default.
4. Save the fwkern.conf
5. Verify the fwker.conf is correctly configured by: # more fwkern.conf
6. Reboot the Module
7. Verify the new mac magic setups correctly configured by:
# fw ctl get int fwha_mac_magic
# fw ctl get int fwha_mac_forward_magic
8. Verify the Cluster Module status by:
# cphaprob stat

 And just a reminder, if you are using VRRP instead of ClusterXL, you do not have to do any of the above.

Tuesday, May 8, 2012

GAiA: sysconfig disabled, migration tools are still there

If Google is correct, some of you are looking for details about GAiA in this blog.

In particular, about sysconfig. On SPLAT it is "one script for all" tool, that allows  you configuring most of OS and Check Point parameters. But is you are trying to get it on GAiA, here is what you get:

This command is not active

This is made by design, as GAiA provides you IPSO-like experience. Although sysconfig binary is still present, it seems to be completely disabled. CLI is configured to use CLISH instead.

If you are new to CLISH, I advise you to start reading "GAiA Administration manual", chapter 3 or" IPSO 6.2 CLI reference guide" for the matter.

Concerning more advanced tools, like migrate export/import scrypts, there are not too many changes. You find them in the usual place, $FWDIR/bin/updrade_tools, with unchanged syntax.




Care to learn CCSA R75 in my ATC?

Hi all!

I still have some places available in CCSA R75 class planned to start on 19.06.2012. Please feel free to register through our ATC site.

If you need accommodation in the area, just let me know here or through contact form on the web site, I will ask our office coordinator to provide you some options.

We cannot provide any visa support in case you require one, sorry.

Thursday, May 3, 2012

CCMSE is not required to pass CCMA after all

Hi all!

For some time I have been posing about CCMA prerequisites in this blog, more than once. Forget what has been said.

I have got a message from Ken Finley, Check Point Certification Program Manager. It is about my inquiry about CCMSE being a prerequisite for CCMA certification. The final official answer is CCMSE NOT REQUIRED.

Here is the short email conversation we have had:

VL: What are the prerequisites for CCMA? It is stated on the web site that CCSA, CCSE and CCMSE are all required. Is this indeed the case? Is CCMSE mandatory for CCMA?
 
KF: To be eligible for CCMA now, requires CCSA and CCSE r70 series. CCMSE is not required but highly recommended. CCMSE is now both MDM and MDS.

VL:Website still has CCMSE as a prerequisite. Is it an error? 


KF: Affirmative!

So, lads and gents, this sums it.

CCMSE is recommended but not required, Check Point Web site states it wrong after all.