Wednesday, May 29, 2013

Check Point announces End of Sales for IP Appliances

Check Point will discontinue sales of the remaining IP appliances by the end of 2013. That concludes the long and somewhat dramatic history of the Nokia Security Appliances business, which was sold to Check Point almost 5 years ago.

Check Point customers may finally concentrate on a single appliance line, with GAIA as the main choice of OS.

With all its ups and downs, IPSO was quite an interesting OS. For starters, it is based on a BSD kernel, while SPLAT and GAIA are based on RH Linux. In my personal opinion, GAIA still has some distance to cover before being as good as IPSO in terms of stability and features.

Anyhow, yet another page of network security history is about to be closed.


Thursday, May 9, 2013

VSX provisioning bypass actually works on R75.40VS

In my previous post I said that the VSX bypass debug commands do not work. I was wrong.
The trick works perfectly on R75.40VS Management, both SmartCenter and MDM.

Nevertheless, the weird part is that it only works if one types the commands manually and not by copy / paste. I guess it was only about some weird corruption when pasted from the buffer.

I am sorry for being wrong before and for all the time spent on this topic by David Bar, Shahar Solomon, Eran Ashkenazi and other Check Point engineers. I appreciate the assistance.
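
The copy / paste behaviour above is only guessed to be clipboard corruption. One way to test that guess before pasting is to scan the clipboard text for characters outside printable ASCII. This is an added example, not part of the original post; the SAMPLE input is constructed, and the expected lines are the three debug commands quoted on this page.

```python
import unicodedata

# The three commands quoted on this page, as they look when typed by hand.
EXPECTED = [
    "fw debug fwm on TDERROR_ALL_VSXM_DBG_SKIP_PING=INFO",
    "fw debug fwm on TDERROR_ALL_VSXM_DBG_SKIP_INSTALL=INFO",
    "fw debug fwm on TDERROR_ALL_VSXM_DBG_SKIP_PULL_SIC=INFO",
]

# Constructed sample of a "pasted" buffer: line 1 ends with a no-break space,
# line 2 carries a Windows carriage return, line 3 is clean.
SAMPLE = (
    "fw debug fwm on TDERROR_ALL_VSXM_DBG_SKIP_PING=INFO\u00a0\n"
    "fw debug fwm on TDERROR_ALL_VSXM_DBG_SKIP_INSTALL=INFO\r\n"
    "fw debug fwm on TDERROR_ALL_VSXM_DBG_SKIP_PULL_SIC=INFO\n"
)

def suspicious_chars(line):
    """Return (index, codepoint, name) for each char outside printable ASCII."""
    findings = []
    for i, ch in enumerate(line):
        if not 0x20 <= ord(ch) <= 0x7E:
            name = unicodedata.name(ch, "UNNAMED/CONTROL")
            findings.append((i, "U+%04X" % ord(ch), name))
    return findings

def audit(pasted_text):
    """Return (line_no, status, findings) for every non-empty pasted line."""
    report = []
    # Split on "\n" only: str.splitlines() would silently consume "\r",
    # U+2028 and similar characters that this check is meant to expose.
    for n, line in enumerate(pasted_text.split("\n"), 1):
        if not line:
            continue
        findings = suspicious_chars(line)
        if findings:
            status = "hidden-characters"
        elif line.strip() in EXPECTED:
            status = "ok"
        else:
            status = "differs-from-expected"
        report.append((n, status, findings))
    return report

if __name__ == "__main__":
    for line_no, status, findings in audit(SAMPLE):
        print(line_no, status, findings)
```
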

Wednesday, May 8, 2013

VSX provisioning bypass trick does not seem to work on R75.40VS MGMT


WRONG, THIS WORKS. PLEASE SEE MY NEXT POST

I am doing lab trials for all kinds of management and enforcement side upgrades for my customers, especially for those using VSX and MDM. As part of the MGMT sanity checklist, there are VSX provisioning checks to be sure there is no corruption of VSX objects and topology scripts.

Before R75.40VS there was a way to bypass actual connections to VSX clusters in case you are checking MGMT side only.

To do so, one would put the following set of debug commands in the Main CMA context on the MDS machine:

fw debug fwm on TDERROR_ALL_VSXM_DBG_SKIP_PING=INFO 
fw debug fwm on TDERROR_ALL_VSXM_DBG_SKIP_INSTALL=INFO
fw debug fwm on TDERROR_ALL_VSXM_DBG_SKIP_PULL_SIC=INFO 


Once done, you could simulate topology changes for Virtual Systems to be sure scripts are properly handled. MGMT would generate a script without trying to connect to VSX cluster members and/or executing it on VSX cluster members.

Well, not anymore. With R75.40VS this trick is no longer working. It is even more interesting, just because it seems Check Point specialists are not aware of that. I have asked around and even opened a support call to get an answer.

I will keep you posted about the outcome.