Tuesday, December 6, 2016

CP vs PAN - time for big words

I have mentioned in the past that Check Point is starting a new game against its competitors, much more aggressive and less hesitant when it comes to calling names.

It has just got even more interesting. There is a jpeg chart circulating on LinkedIn where PAN is attacked as never before.


I could not actually trace this picture to its source. Check Point people are distributing it as is, without any link to an origin. The URL below its title leads to the old "facts vs hype" page on the Check Point web site. Google search also does not recognise the image yet.

What is interesting here is that several PAN marketing statements are called lies.

In my 20 years in this business I have never seen this word used in a marketing campaign or in competitive analysis materials. Does it mean someone at Check Point snapped? I am also curious whether this is something official, or yet another vague attempt to stay civil while being outraged, as in the case of the anti-PAN videos in the middle of 2016.

I wonder if this is even something Check Point would be able to acknowledge as its own graphics...

UPDATE: the author of the picture is Nick McKerrall, according to his own words.

Monday, November 7, 2016

Ken Finley is no longer CP certification manager

As I learned last week, Kenneth Finley is no longer with Check Point.

For many years Ken was a certification manager in the Educational Services. He started working with Check Point in 1999. He was behind most of our certification exams, feedback collection and statistics.

I have been lucky enough to meet him in person on several occasions. He is a highly intelligent individual and a very nice person.

I would like to give him my regards for all these long years of hard work to make Check Point certification better.

We appreciate your efforts, Ken. I wish you all the best in your future endeavours. Take care and see you around.

With respect,
Val

Monday, October 24, 2016

Software Blade licensing is no more

Check Point has a quite rough and dramatic history of changing its licensing models. We have seen licensing per feature and then licensing bundles. Not so long ago Check Point put in place the so-called "Software Blade" licensing model, where each security device required so-called container and blade licenses.

As some experts predicted, that licensing model did not last.

Just a few days ago Check Point released a renewed price list that renders the Software Blade licensing model obsolete.

Effectively, there are no more licensing blades and containers. Instead, the new licenses exist as a set of simplified and bundled functionality packages, broken down into management, gateway and endpoint security.

Let's have a quick look at what has changed for management and gateway functionality.

1. Management


Management licenses allow customers to manage only a limited number of gateways: 5, 10, 25, 50 and 150. These licenses are not additive, except for the 150 GW option, where add-ons of 50 GWs are available.

Multi-domain options have 5 and 10 domains variants and allow adding more domains with additional license.

All management features (software blades) are available for any of the management licenses out of the box. It is also important to mention that both the Compliance and SmartEvent features are not subscription-based: just one year is included in the original MGMT license.

2. Security Gateway


There are no significant changes for GW appliances, but open server licenses now mimic the appliance licensing model.

Although the licensing no longer has the notion of a container, it now defines the number of CPU cores allowed for open servers. According to CP, the total number of CPU cores on your open server is now enforced by the license. It will be impossible to use a 16-core machine with an 8-core license. Of course, the number of CPU cores is not additive.

GW functionality is no longer flexible and comes in two packages (NGTP and NGTX)*. The NGTX package is mandatory for all variants of inline Threat Extraction implementations.

The new licensing is already in the price list, although the license guide document is not updated.

According to some semi-official information, Check Point will allow customers to run on pre-existing licenses for some time. It is unclear if current implementations will have to go through license conversion. It is also likely that such conversion will be compulsory in case of extending existing functionality with some new features and licenses.

Personally, I am wondering whether Check Point has any plans to retire the Software Blades terminology once and for all. Without the licensing component, it is very unreasonable to call security features and functionalities Software Blades.



*There is an exception for 2-core open server licensing, where an FW-only option is also available.

Wednesday, June 29, 2016

Check Point new game - front assault on competitors

In my previous post I mentioned some early signs that Check Point is getting ready to confront its competitors more actively.

Today's Check Point main page starts with a link to a very strong competitive message.


Following the link, one gets to a page where multiple security vendors are mentioned openly, although the actual detailed report is available only after registering one's name and email.


This is definitely a new page in Check Point's fight for its market share.



------------
To support this blog and Check Point Video Nuggets project, send your donations to https://www.paypal.me/cpvideonuggets

You can also subscribe to Indeni tech news via this link.


Thursday, June 16, 2016

Who is behind Check Point in a "bash-a-competitor" game?


There is marketing and aggressive marketing.

As you know, some security companies do the latter, with miraculous results. One well-known company not only managed to usurp the "Next Generation" name used by Check Point back in 2000, but also claims even bolder things, like the invention of stateful inspection and modern firewalls.

Not surprisingly, the market responds positively to one's bold messages regardless of the actual technological superiority behind them.

Some ask why Check Point is not doing something similar. Doesn't it have something bold to talk about and to show? Where is all the competitive bashing and crashing information?

I personally think that most CP decision makers deem it beneath them, letting the technology talk for itself. We all know that does not really work.

It is still too early to say whether the company is ready to change its marketing strategy, but apparently there are some modest attempts to go into the "hit it with a stick" type of game. Here are some examples.

Moti Sagey, a celebrated security evangelist at Check Point, posted some time ago a link to a video bashing the efficiency of PAN firewalls. That stirred a long discussion where Moti was accused of running an "anonymous" YouTube channel with some other similar videos of that kind.

Apparently there is another YouTube channel, also seemingly anonymised, comparing different security vendors' ATP features with Check Point.

My question is whether those attempts are personal efforts or whether they are authorised by CP. And if the latter, why is the company keeping it on a low flame? Is there a wish to enter the "bash-a-competitor" game after all? I wish I knew.

Anyhow, if you go by the links, you can enjoy some recent and very educational videos.





Monday, June 13, 2016

Check Point adds R80 hardware recommendations to the Release Notes

Last month I mentioned that the R80 Release Notes document does not mention HW details for an R80 installation.

I am glad to let you know this is no longer the case. Last week Check Point added a small section "Open Server Hardware Recommendations" to the document.



Well done, Check Point. Also, thanks to Dan Suleiman for bringing this to my attention.







Tuesday, May 17, 2016

R80 minimal hardware requirements?

R80 (management only) was released on the last day of March this year. Since then it has been slowly crawling into the field. On the 25th of April Check Point released the first HFA for it and also replaced the ISO installation image with build T109.

Yet, hardware requirements of R80 management remain a mystery.

We know that R80 management is using a new infrastructure that requires more of everything: CPU power, RAM, disk space. But how much more? What is the absolute minimum? What are the recommended settings? How can one scale an actual management installation? What are the tools to make sure a new R80 management platform is good enough and powerful enough to run this latest and greatest version?

These are the questions one struggles with when considering moving to R80. When can Check Point answer them?

Share your thoughts, please.



Friday, May 6, 2016

Gaia OS kernel, what kind of future it has?

Check Point Gaia OS is based on RHEL 5.2 distribution and kernel.

All supported FW versions today are using the 2.6.18-92 kernel. According to RH release dates, it is almost 8 years old now. Since then, Red Hat has released two major versions and numerous minor releases.

Most disturbingly, RHEL support for production systems only lasts 10 years, according to RH Life Cycle policies. In reality that means fewer and fewer drivers being supported with older kernels, thus fewer compatible open server options available.

I had hoped to see the kernel changed with the latest main release, R80, but apparently that is not the case.

Does Check Point plan to use a modern Linux kernel any time soon? I do not know. Do you?



Tuesday, April 26, 2016

CPX 2016 quick summary

Check Point Experience was a bit boring the last two years for my personal taste. Finally we have had a good one this year.

In my list there are three interesting things:




R80 is released as management only, as you know. The GW part will come later this year, if Check Point keeps its promise. Meanwhile you can start getting used to the new UI of SmartConsole as a single application, benefit from multiple admin access to the same database and start working on the new MGMT API, which is much more powerful than the old and almost obsolete OPSEC.

Sandboxing and threat detection solutions are expanding. The SandBlast agent for both PCs and mobile devices looks very promising.

And to have more firepower on your security devices, you may want to start looking into the new, fully refreshed line of Check Point appliances.





Monday, April 11, 2016

Book about R80 to be released soon


I’m pleased to announce that a new book covering Check Point R80 has been in production for 5 months now and is nearing completion. This new book is the first of a series and has a working title of “New Frontier: Check Point R80”. It is a collaborative effort featuring four recognised professionals with quite a lot of Check Point expertise (in alphabetic order):


- Valeri Loukine - Switzerland (author of this blog)

More information will be available soon, stay tuned!






Saturday, April 2, 2016

Friday, April 1, 2016

Most guarded secret of Check Point is revealed

For twenty-two years humanity was puzzled by the most sophisticated mystery of all time: how was Stateful Inspection actually invented? How did a bunch of young guys just out of army service manage to create something that brilliant in December 1993?

Today, on April 1st 2016, the secret is finally out. In their joint interview with the Israeli newspaper Calcalist, Gil Shwed and Shlomo Kramer disclosed that Stateful Inspection was "borrowed" from the year 2005 and is in fact tied to the foundation of Palo Alto that year.

The details are not clear, but according to the Calcalist experts, a secret military time-warp experiment at the Weizmann Institute in Israel is involved. The full scientific details are classified. All we know is that in early 1993 there was an incident causing a power surge in the atomic time chamber laboratory. The next day a janitor found a note on the lab floor saying: "It's me, Shlomo, from year 2005, tell Gil to be ready any time now".

According to an anonymous source from the Weizmann Institute department of physics, the surge temporarily "welded" time-space positions in the years 1993 and 2005, creating a tiny wormhole in the universe. One end led to Gil's grandma's apartment in Jerusalem, year 1993, just behind the kitchen sink. The other end was open in a closet cabinet of an office building in Santa Clara, CA, year 2005. The puncture in the space-time continuum was too small to pass large physical objects, but was big enough to slip in a thumbdrive.

Gil and Shlomo confessed to a journalist that they used that wormhole to pass, in their own words, "the hottest security technology known in 2005". In fact, they only needed to find "Gil's own-to-be patent" and send it back in time. This is how Stateful Inspection was conceived.

Later on, to close the time-and-space loop, Shlomo had to drop out of Check Point together with Nir Zuk. Their mission was to found a dummy IT company and buy that office space in Santa Clara to be able to pass the message back. Although the whole operation was done in secret, Nir almost slipped in his interview in 2008, hinting that he in fact was responsible for the invention of the modern FW.

One more hint we have all had for years but never understood is that the PAN term "NGFW" - Next Generation Firewall - was actually borrowed from Check Point's own VPN-1 NG, released in the year 2001.

More details to follow in a year from now, both founding fathers promised Calcalist.


Blog author footnote: Okay, okay, I got it. Gil in early 1993 receives his patent record from 2005, writes it down and files a patent application in December 1993. I only have one question. Who invented Stateful Inspection, considering?


UPDATE: April fool, dudes :-)


Tuesday, March 29, 2016

One Management database parameter you never want to change

If you have ever pushed a Check Point policy, you know there is a verification process preceding the compilation and installation stages.

The Security Management Server needs to check the rulebase and object integrity before compilation. Sometimes, when you make an error in the rulebase, you will get a verification message about it. Most errors are about shadowed rules and broken rulebase logic.

However, there is a parameter in your Management Database that defines whether or not such verification even takes place. Yes, that's right: you can disable policy verification.

Important note: disabling policy verification is extremely dangerous. It may lead to a severe security breach or to a serious business continuity accident. I sincerely discourage you from changing the parameter on any of your production security systems.

So, after the warning, let's take a look. There is a SecureKnowledge article, sk31104, explaining the parameter in question. It is called "fw_light_verify". One can only access it through the GUIDBEdit tool. I do not want to elaborate on how the parameter works; the SK article does it perfectly.

One might ask, why does it even exist? The answer is simple: there are some scenarios where controlled use of such a parameter can actually help resolve issues. For example, when running vsx_util upgrade in a very complex environment, there can be a very rare case of the process getting stuck. The reason is that the tool eventually recompiles all VSX-related policies on all Security Domains. If some of the policies are too big, and there are too many objects, verification takes too much time and times out, causing the upgrade process to fail in the middle. There is an SK article describing this scenario: sk108693.


Final note: I have tried changing the parameter in the lab, and indeed it allows you to install some weird policies, for example, with a first ANY-ANY-DROP rule and more elaborate rules afterwards. I hope you understand the implications here. Never use this in production unless advised by your Check Point support engineer.
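The kind of problem verification catches can also be checked independently before a push. Below is an added example, not Check Point's verification code: a small Python shadowing checker, with an assumed text rule format and a constructed rulebase where a first ANY-ANY-DROP rule hides every rule after it. It compares object names only; real verification also resolves groups and address ranges.

```python
from dataclasses import dataclass
from typing import List, Set, Tuple

ANY = "any"


@dataclass
class Rule:
    no: int
    src: Set[str]
    dst: Set[str]
    svc: Set[str]
    action: str


def _objects(token: str) -> Set[str]:
    # "any" is a wildcard; otherwise a comma-separated list of object names
    return {ANY} if token.lower() == ANY else set(token.split(","))


def parse_rulebase(text: str) -> List[Rule]:
    """Parse the assumed text format: '<no> <src> <dst> <svc> <action>' per line."""
    rules: List[Rule] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        no, src, dst, svc, action = line.split()
        rules.append(Rule(int(no), _objects(src), _objects(dst), _objects(svc), action.lower()))
    return rules


def covers(outer: Set[str], inner: Set[str]) -> bool:
    """True if every object matched by `inner` is also matched by `outer`."""
    if ANY in outer:
        return True
    return ANY not in inner and inner <= outer


def shadowed_rules(rules: List[Rule]) -> List[Tuple[int, int, str]]:
    """Return (shadowed_no, shadowing_no, kind) for rules no packet can ever reach.

    kind is 'redundant' when both rules take the same action and 'unreachable'
    when the earlier rule takes a different action, which is the dangerous case.
    """
    findings: List[Tuple[int, int, str]] = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if (covers(earlier.src, later.src)
                    and covers(earlier.dst, later.dst)
                    and covers(earlier.svc, later.svc)):
                kind = "redundant" if earlier.action == later.action else "unreachable"
                findings.append((later.no, earlier.no, kind))
                break  # report only the topmost rule that shadows this one
    return findings


def verify(text: str) -> List[str]:
    """Human-readable verification messages; empty when the rulebase is clean."""
    return [f"Rule {s} is {kind}: shadowed by rule {e}"
            for s, e, kind in shadowed_rules(parse_rulebase(text))]


# Constructed rulebase of the kind described in the post: a first ANY-ANY-DROP
# rule followed by more elaborate rules that can never match.
BAD_RULEBASE = """
# no  src              dst      svc         action
1     any              any      any         drop
2     net_lan          net_dmz  http,https  accept
3     net_lan,net_dmz  net_srv  ssh         accept
"""

# Constructed rulebase with one redundant rule but a reachable cleanup rule.
OK_RULEBASE = """
1     net_lan  net_dmz  http,https  accept
2     net_lan  net_dmz  http        accept
3     any      any      any         drop
"""

if __name__ == "__main__":
    for name, rulebase in (("BAD", BAD_RULEBASE), ("OK", OK_RULEBASE)):
        print(name, verify(rulebase) or ["no shadowing found"])
```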



Tuesday, March 22, 2016

Using Capsule Docs app on Mac

I have been forced to use the Check Point Capsule Docs application on my Mac for the last couple of days, and to be honest, I do not like it.



The user experience with it is below Mac standards. The vertical scrollbar only appears when scrolling and then disappears. The horizontal scrollbar never appears at all. Zoom only works with a two-finger gesture on a touchpad. Never even try using your mouse. Zoom is not mentioned in the menu or anywhere else in the application.

If you happen to mistype your password or email address, the app caches the credentials anyway and blocks your access. You can re-login through the Preferences menu, but this step is not quite obvious.

However, the most annoying thing is those ugly gray fields on the sides of documents that can never be removed and appear even in full screen mode.


I have expressed my dislike of Check Point applications for Mac in the past. It is a personal thing, of course, but I want to tell this again:

Check Point Mac apps are below Apple user experience standards. I wish they were done better. How hard can it be?

Update: Check Point has reacted promptly on this post, see the reply in the comments.



Monday, March 21, 2016

Central licensing and contracts on 61/41K with VSX

If you are using 61/41K chassis with VSX, make sure you understand the caveats and pitfalls when applying central licensing.

Before I explain the issue at hand, let me remind you of a couple of facts about the environment.


  1. A central license can only be applied from a Management Server, usually with SmartUpdate. You will fail to apply it locally on the machine with the "cplic..." command.
  2. 61/41K appliances have multiple SGMs (Security Gateway Modules) running as a single logical GW from the MGMT perspective. To do so, you have to configure a so-called Security Group and populate it with SGMs.


Now, here is the catch. You can only apply a central license successfully from SmartUpdate if there is a single SGM in the Security Group.

With multiple SGMs in the Security Group, SmartCenter will only apply a new license to the SMO (Single Management Object), i.e. the first SGM in the Security Group. All other SGMs will fail to get a license.

This is not an issue if you never change your license. But if you do, prepare for inconsistencies.

The only workaround I have found is to use a local license and apply it on the chassis with CLI commands. Just in case you have a different way, please let me know.

One more thing is applying the contract file. It has to be applied on the GW locally with the "cplic contract..." command. The pitfall is that you need to distribute the contract file onto all SGMs in the Security Group before running the CLI command. To copy files to all SGMs, use the asg_cp2blades... command, as described in the admin manual.



Tuesday, March 15, 2016

R80 is not expected to make a dent, business analysts say

Cleveland Research Company (CRC) released a new security market research report. The report is not available publicly but can be purchased at the CRC web site.

R80 is mentioned there several times. In a nutshell, business research analysts are not impressed with R80's capabilities and do not expect a significant difference in Check Point's market status after it is released.

Here are several quotes.

R80 not expected to be catalyst until 2017
R80 should be neutral or slightly positive for growth, if it is positive, great.

It seems Check Point should be more active and explicit in highlighting the novelties and advantages of R80.





Wednesday, March 2, 2016

R80 is announced. What does it mean?

Check Point issued a press release yesterday saying R80 "will be available this March". What does it mean, really?

Here are some questions and answers for the matter.

Q. Is it on time?
A. R80 has been expected since 2014. At CPX 2013 the company was mentioning a new version to be released after R77. Check Point delayed R80 by at least a couple of years.

Q. Why is it delayed?
A. R80 introduces a completely new infrastructure for Check Point firewalls and management. It requires a huge amount of work and testing to ensure a flawless transition from previous versions. This work cannot be rushed. The quality and stability of security systems cannot be compromised. The company is apparently taking as much time as required to make sure the product is good before releasing it publicly.

Q. What is in the release?
A. The announcement is talking about the new management only. The corresponding gateway part is expected later this year as the R80.10 release (allegedly).

Q. What is new in this release?
A. The management infrastructure and administrative tools are completely rebuilt. Expect a quite different user experience with the new single SmartConsole application. The management architecture now uses an actual database, not a set of text files as before. It is no longer limited to a single administrative session, even within one SmartCenter. Multiple administrators will be able to make parallel changes.

Q. What are the expectations concerning R80 gateway release?
A. It is not clear at this point. CPX demos hint that the R80 gateway will allow a new form of policy enforcement, the so-called Unified Policy, where security administrators will be able to enforce not just traffic filtering but also other security blade policies by creating rules and sub-rules with different security settings.

Q. Why are the MGMT and GW parts not released together, as usual?
A. This kind of revolutionary approach to firewalling requires a substantial change of the GW architecture and even more testing and validation than the MGMT part. Hence the separation.

Q. Why does the Check Point architecture need to be changed in the first place?
A. The latest rapid changes in the security and threat landscapes require a different architecture to deal with both performance and functionality changes. It is only natural to go for a new architecture to address both challenges.

Q. Should I upgrade to R80 management right after it is publicly available?
A. This is not a simple "yes" or "no" question. In general, some caution is advised when upgrading to a new release. You need to see if it has something valuable for you and then assess the risks. Lab tests and trials are a must when moving between main releases. Run R80 in the lab first, then decide.

Q. I have been working with Check Point products for years. Is my experience still relevant for R80?
A. As already mentioned above, R80 introduces a new experience and a new architecture. Some learning curve is expected, but it should not be absolutely alien to any person working with other Check Point products. It still has an intuitive user interface, just different from what you are used to today.

Q. What should I do to prepare for R80 release for myself and my company? How can I learn the product?
A. Firstly, get on the public EA and run it in the lab before it is released. Read the documentation (yes, it is still mandatory). If you need any additional help, just know there should be a new set of CCSA/CCSE courses for R80 later this year. I also hope there will be some books written about R80.




Thursday, February 18, 2016

VSX deployment on High-End chassis. Part 3. Changing chassis ID

This is the third and last part of the topic started in the two previous posts.

When deploying 61/41K chassis as a cluster, you get a pair of devices marked as Chassis 1 and Chassis 2. The numbers are not just arbitrary marks. They are used to generate and sustain a quite complex system of internal addressing and communications: provisioning, sync, clustering, Security Group management, and so on.

There are multiple SKs describing different architectural aspects of the system and its internal addressing.

By default, chassis 1 is active and chassis 2 is standby. Although you can change that, it is customary to keep chassis #1 in the main Data Center while putting #2 in your secondary one. But what if the logistics people made a mistake and the chassis were swapped, leaving you with chassis 1 in the secondary Data Center?

The solution is standard: you just need to change the chassis ID numbering. The appropriate procedure is described in the Admin Guide (page 181 for the R76.30SP version of the document). If you catch the error soon enough and there is no security setup on the chassis yet, the procedure works like a charm.

However, if you already have VSX deployed and provisioned, the story is not so simple anymore. The mentioned Admin Guide omits something quite important: the unique role of the SMO in a Security Group.

I described this role in my first post on the matter. In combination with the internal addressing being a function of the chassis IDs, the process becomes a bit peculiar.

A chassis ID change requires "hacking" into the CMM config files and changing the ID parameter on both ends. The chassis ID is used to form the internal addressing. Each element of the chassis has a unique IP address based on its logical position and the chassis ID. So you have to disconnect the chassis to cease intercommunication for a while, change the ID numbers, reboot each and every blade in the system and reconnect the environment.

The catch is about Security Group addressing. As mentioned, the very first SGM added to the group becomes the SMO. Other SGMs use the SMO's internal IP address to pull the config from it.

The main issue with changing the chassis ID while having a Security Group with non-default settings is the SMO swapping places. Indeed, when addressed by IP, the SMO changes its logical place from one physical chassis to another after the ID change. In the particular scenario where you start the new chassis 1 first, its first SGM tries to pull the SMO config after the first boot and fails. The reason for the failure is that the SGM is trying to reach another SGM by an IP address that, after the change, belongs to itself.

As a result, all other SGMs also fail to pull the Security Group config, leading to a total collapse of the chassis clustering. If you already have some traffic running through your system, that is unacceptable.

To avoid such a situation, here are some actions to take:


  1. Mind the chassis ID from the beginning of the deployment. It is quite easy to change IDs if nothing is configured yet.
  2. If you have a Security Group and/or VSX set up on the system, plan for some downtime. The solution is to dissolve the Security Group and reconfigure it after the ID change.

Good luck with your 61/41K system. The solution is actually quite nice, although complex.



Sunday, February 14, 2016

VSX deployment on High-End chassis. Part 2. Control connections and VSX provisioning

In my previous post I explained why one needs just a single SGM in the Security Group while defining the VSX object.

The second pitfall is about control connections during provisioning. When converting a GW to VSX, the management server pushes an automatically compiled policy to the GW before and after the conversion. Users have some limited options to add to that policy, mostly about HTTPS, SSH and SNMP connectivity to the gateway. Control connections are not explicitly mentioned.

It is assumed that control connections are allowed by the Global Policy settings in the implied rules. In the field this assumption does not really work. If a customer has disabled control connections, the auto-generated VSX policy will cut off provisioning after the first push.

It would be very unwise to try unloading the policy on the gateway. In this case it will be converted to VSX, rebooted, and then the same auto-compiled policy will be pushed again, cutting the VSX GW off from the MGMT server a second time, now for good.

In any case you will be stuck in the middle of provisioning, with the VSX object created on the MGMT side and SGM-side provisioning either not started or only partially completed.

If this were an R77 VSX environment, you would be able to run the reset_gw command, described in SK101690. Unfortunately, 61/41K VSX deployment uses R76.x0 SP versions, where this command is not available.

In this particular situation you will have to re-image your SMO SGM. If so, do not forget to reapply the Jumbo hotfix package after installing the main version.

So, the bottom line here is: before starting VSX provisioning in general, and especially when dealing with 61/41K chassis, make sure you re-enable control connections, even temporarily, before starting VSX object creation.

I can only imagine why Check Point assumes that control connections are always enabled by default, especially in the case of complex security systems where it is mostly not the case. I hope that in future releases Check Point will take this issue into consideration and will at least add a warning to the VSX wizard or, better, allow administrators to modify the default VSX object policy to some extent.

Some additional info about 41/61K deployment to follow.








Friday, February 12, 2016

VSX deployment on High-End chassis. Part 1. SMO and VSX provisioning

After being exposed to a couple of VSX deployments on 41000 chassis, I have to share some important points with you.

Deployment of 61000- or 41000-based firewalls is quite different from regular Gaia appliances. The CPU blades, called SGMs (Security Gateway Modules), act as a single gateway. They load-share the traffic and have a single GW configuration, including topology, IP addresses and even SIC. To achieve that, you need to define a so-called Security Group and populate it with SGM blades. The first SGM added to the group becomes the SMO - Single Management Object. It will perform SIC communication with Management and will later maintain control connections on behalf of the Security Group. If it fails, another SGM takes over the function of SMO, keeping the logical GW functionality intact. It will take me just a moment to explain why mentioning the SMO is so important while talking about.

If you are deploying 61/41K as a regular GW without virtualization, there are virtually no pitfalls. That is not exactly the case with VSX.

The main VSX object provisioning can only be properly done if you have just a single SGM in the Security Group. Although this requirement is mentioned in the Administration guide, you can easily miss it. It is also not clear at the first sight, why this is so important.

If you ever deployed VSX on a regular appliance or or an open server with R75 and up, the process is quite complex. MGMT server pushes a provisioning scripts to the GW just after establishing SIC, forcing GW machine to reboot and come up as VSX GW.

The situation with 61/41K is not different, except that on those chassis it is a group of SGMs. Each SGM is in fact a Gaia machine.

So imagine we have a couple of SGMs in the security group before starting VSX provisioning. It is only SMO talking to your management server and then rebooting after establishing SIC. The second SGM blade will not do so, but will assume a role of SMO, considering the first blade in fault. The last known configuration pulled from the original SMO does not have any mentioning of VSX. On this point the provisioning will fail.
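To make that race explicit, here is a small Python model added to this post. It is not Check Point code and does not talk to a chassis: the blade labels, the config dictionary and the rule that the first SGM still up acts as SMO are assumptions that only encode the sequence described above, so you can see why a two-SGM group ends up without VSX while a single-SGM group converts cleanly.

```python
"""Toy model of SMO takeover during VSX provisioning on a 41K/61K Security Group.

Added illustration, not Check Point code. Blade labels, the config dict and
the takeover rule ("the first SGM that is not rebooting is the SMO") are
simplifying assumptions that encode the sequence described in the post.
"""
from dataclasses import dataclass, field


@dataclass
class SGM:
    slot: str                                    # assumed label, e.g. "1_01"
    config: dict = field(default_factory=dict)   # last known gateway config
    rebooting: bool = False


class SecurityGroup:
    def __init__(self, slots):
        base = {"sic": "established", "vsx": False}   # assumed pre-provisioning state
        self.sgms = [SGM(slot, dict(base)) for slot in slots]

    @property
    def smo(self):
        # Assumption: the first SGM that is up acts as SMO; a rebooting SMO is
        # treated as failed and the next blade takes over.
        return next((s for s in self.sgms if not s.rebooting), None)

    def sync_config(self, config):
        # The Security Group keeps a single gateway configuration.
        for s in self.sgms:
            s.config = dict(config)


def provision_vsx(group):
    """Simulate the management server pushing the VSX provisioning script.

    Returns (success, reason).
    """
    original_smo = group.smo
    if original_smo is None:
        return False, "no SGM is up"

    # 1. Management pushes the provisioning script to the SMO right after SIC;
    #    the SMO converts itself to VSX and reboots.
    original_smo.config["vsx"] = True
    original_smo.rebooting = True

    # 2. While it is down, another SGM (if any) takes over the SMO role using
    #    the last configuration it pulled from the original SMO.
    acting = group.smo
    original_smo.rebooting = False
    if acting is None:
        # Single-SGM group: nobody takes over; the blade comes back as a VSX gateway.
        group.sync_config(original_smo.config)
        return True, f"{original_smo.slot} came back as VSX SMO"

    # 3. Management continues against the acting SMO. Its last known config
    #    pre-dates the VSX conversion, so the gateway is not in VSX mode and
    #    the whole group converges on the non-VSX configuration.
    group.sync_config(acting.config)
    return False, f"{acting.slot} took over as SMO with a non-VSX config"


def vsx_provisioning_preflight(group):
    """The check this post recommends: exactly one SGM in the group before provisioning."""
    return len(group.sgms) == 1


if __name__ == "__main__":
    for slots in (["1_01"], ["1_01", "1_02"]):
        g = SecurityGroup(slots)
        print(slots, "preflight ok:", vsx_provisioning_preflight(g), provision_vsx(g))
```

The preflight function is the whole lesson: run it (or its real-world equivalent, counting the SGMs in the Security Group) before the VSX wizard, and add the remaining blades only after the first one has come back as a VSX gateway.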

There are also some other potential issues with VSX provisioning. I will address them in a separate post.



Monday, February 1, 2016

Next phase of Check Point Video Nuggets series needs your support

Hi all!

You may have seen already the first series of videos in the Check Point Video Nuggets series. To date these short videos have been viewed more than 2200 times.

I received lots and lots of your emails with praise, criticism, suggestions and questions. Thank you all very much for your support.

In some of your emails you have asked about the promised Troubleshooting series. I am still planning to do those, but it is clear I cannot produce them at the same pace as before. They require much more work and preparation.

For the previous nuggets it was taking me about three days to compile a 3-minute video. It will take even more for troubleshooting, as the material is more advanced and requires lots of preparation.

I am also not exactly happy with the quality of the video materials I am able to produce today. I am learning on the way, but it is not only a lack of skills. It is also about tools.

I need better mics and a sound processor, a decent 4K camera, good video editing software and lots of disk space for storage of the materials. Some of that I have purchased already, but that is not enough.

My budget estimate for the tools is around $5000. That is materials only; my efforts are still free of charge. I was trying to find an interested partner who would support the project financially, but it did not work out, at least not yet. I have even considered starting a crowdfunding project on one of the well-known sites that would allow funds to be released even if the goal was not achieved.

Any kind of support, however small, will help the cause. If you like the series and want to see it continue, please consider donating via Paypal.me:

https://www.paypal.me/cpvideonuggets

UPDATE: some people tell me that paypal.me is not available in some countries. If this is the case for you and you still want to make a donation, please use regular paypal money transfer with the following email: cpvideonuggets(at)gmail.com

Thanks a lot,
yours truly...




Thursday, January 14, 2016

Check Point promises an interesting year

I have just returned from the Check Point Sales Kick-Off event in Barcelona. Although most of the news we heard there will only be made public later, one thing is clear: 2016 will be quite an exciting year for Check Point partners and customers.

Some big things are just around the corner, and R80 is only one of them. The new mobile security solution is fantastic. Software-defined-anything is moving forward quite fast. Security policy logic is about to change. More products and solutions, more power.

I also expect lots of work around learning new tools and products. Check Point is working on a new CCSA for R80, and more advanced courses are to follow later.

If you want to catch the wave, do not hesitate to sign up for the R80 public EA. The more feedback we provide to Check Point, the better the product will be.