Thursday, March 31, 2016

Most guarded secret of Check Point is revealed

For twenty-two years humanity has been puzzled by the most sophisticated mystery of all time: how was Stateful Inspection actually invented? How did a bunch of young guys just out of army service manage to create something that brilliant in December 1993?

Today, on April 1st 2016, the secret is finally out. In a joint interview with the Israeli newspaper Calcalist, Gil Shwed and Shlomo Kramer disclosed that Stateful Inspection was "borrowed" from the year 2005 and is in fact tied to the founding of Palo Alto that year.

The details are not clear, but according to the Calcalist experts, a secret military time warp experiment at the Weizmann Institute in Israel is involved. The full scientific details are classified. All we know is that in early 1993 there was an incident causing a power surge in the atomic time chamber laboratory. The next day a janitor found a note on the lab floor saying: "It's me, Shlomo, from year 2005, tell Gil to be ready any time now".

According to an anonymous source from the Weizmann Institute department of physics, the surge temporarily "welded" time-space positions in 1993 and 2005, creating a tiny wormhole in the universe. One end led to Gil's grandma's apartment in Jerusalem, year 1993, just behind the kitchen sink. The other end was open in a closet cabinet of an office building in Santa Clara, CA, year 2005. The puncture in the space-time continuum was too small to pass large physical objects, but was big enough to slip in a thumbdrive.

Gil and Shlomo confessed to a journalist that they used that wormhole to pass, in their own words, "the hottest security technology known in 2005". In fact, they only needed to find "Gil's own-to-be patent" and send it back in time. This is how Stateful Inspection was conceived.

Later on, to close the time-and-space loop, Shlomo had to drop out of Check Point together with Nir Zuk. Their mission was to fund a dummy IT company and buy that office space in Santa Clara to be able to pass the message back. Although the whole operation was done in secret, Nir almost slipped in his interview in 2008, hinting that he was in fact responsible for inventing the modern FW.

One more hint we have all had for years but never understood is that the PAN term "NGFW" - Next Generation Firewall - was actually borrowed from Check Point's own VPN-1 NG, released in 2001.

More details to follow in a year from now, both founding fathers promised Calcalist.

Blog author footnote: Okay, okay, I got it. Gil in early 1993 receives his patent record from 2005, writes it down and files a patent application in December 1993. I only have one question. Who invented Stateful Inspection, considering?

UPDATE: April fool, dudes :-)

To support Check Point Video Nuggets project send your donations to

To support this blog simply subscribe to Indeni tech news via this link.

Tuesday, March 29, 2016

One Management database parameter you never want to change

If you have ever pushed a Check Point policy, you know there is a verification process preceding the compilation and installation stages.

The Security Management Server needs to check rulebase and object integrity before compilation. Sometimes, when you make an error in the rulebase, you will get a verification message about it. Most errors are about shadowed rules and broken rulebase logic.

However, there is a parameter in your Management Database that defines whether or not such verification even takes place. Yes, that's right, you can disable policy verification.

Important note: disabling policy verification is extremely dangerous. It may lead to a severe security breach or to a serious business continuity incident. I sincerely discourage you from changing the parameter on any of your production security systems.

So, after the warning, let's take a look. There is a SecureKnowledge article, sk31104, explaining the parameter in question. It is called "fw_light_verify". One can only access it through the GUIDBEdit tool. I do not want to elaborate on how the parameter works; the SK article does it perfectly.

One might ask, why does it even exist? The answer is simple: there are some scenarios where controlled use of such a parameter can actually help resolve issues. For example, when running vsx_util upgrade in a very complex environment, there can be a very rare case of the process getting stuck. The reason is that the tool eventually recompiles all VSX-related policies on all Security Domains. If some of the policies are too big, and there are too many objects, verification takes too much time and times out, causing the upgrade process to fail in the middle. There is an SK article describing this scenario: sk108693.

Final note: I have tried changing the parameter in the lab, and indeed it allows you to install some weird policies, for example, with the first ANY-ANY-DROP rule and more elaborate rules afterwards. I hope you understand the implications here. Never use this in production unless advised by your Check Point support engineer. 
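
To make the lab result above concrete, here is an added example (not from the original post and not Check Point's verifier) of a first-match shadowing check that can be run over an exported rulebase as an independent safety net. The rule model, object names and sample policies are constructed, and object names are compared as opaque strings without resolving groups or networks.

```python
from dataclasses import dataclass

ANY = frozenset({"Any"})

@dataclass(frozen=True)
class Rule:
    num: int
    src: frozenset
    dst: frozenset
    svc: frozenset
    action: str  # kept for readability; shadowing depends only on the match

def rule(num, src, dst, svc, action):
    return Rule(num, frozenset(src), frozenset(dst), frozenset(svc), action)

def covers(outer, inner):
    """True if everything `inner` matches is also matched by `outer`."""
    if outer == ANY:
        return True
    return inner != ANY and inner <= outer

def hides(earlier, later):
    """First-match semantics: `later` can never fire if `earlier` covers it."""
    return (covers(earlier.src, later.src)
            and covers(earlier.dst, later.dst)
            and covers(earlier.svc, later.svc))

def find_shadowed(rules):
    """Return (hidden rule number, hiding rule number) pairs."""
    findings = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if hides(earlier, later):
                findings.append((later.num, earlier.num))
                break  # one hiding rule is enough to report
    return findings

# Constructed sample: the kind of policy the post says installs once
# verification is disabled (ANY-ANY-DROP first, specific rules after it).
LAB_POLICY = [
    rule(1, ["Any"], ["Any"], ["Any"], "drop"),
    rule(2, ["Net_Internal"], ["Web_Server"], ["http", "https"], "accept"),
    rule(3, ["Admin_PC"], ["Any"], ["ssh"], "accept"),
]
# Same rules with the cleanup rule moved to the end.
REORDERED = LAB_POLICY[1:] + LAB_POLICY[:1]

if __name__ == "__main__":
    for hidden, by in find_shadowed(LAB_POLICY):
        print(f"rule {hidden} is hidden by rule {by}")
    print("reordered findings:", find_shadowed(REORDERED))
```
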


Tuesday, March 22, 2016

Using Capsule Docs app on Mac

I have been forced to use the Check Point Capsule Docs application on my Mac for the last couple of days, and to be honest, I do not like it.

User experience with it is below Mac standards. The vertical scrollbar only appears when scrolling and then disappears. The horizontal scrollbar never appears at all. Zoom only works with a dual-finger gesture on a touchpad. Never even try using your mouse. Zoom is not mentioned in the menu or in any other place in the application.

If you happen to mistype your password or email address, the app caches the credentials anyway and blocks your access. You can re-login through the Preferences menu, but this step is not quite obvious.

However, the most annoying thing is those ugly gray fields on the sides of documents that cannot be removed ever and appear even in full screen mode.

I have expressed my dislike of Check Point applications for Mac in the past. It is a personal thing, of course, but I want to tell this again:

Check Point Mac apps are below Apple user experience standards. I wish it was done better. How hard can it be?

Update: Check Point has reacted promptly to this post, see the reply in the comments.


Monday, March 21, 2016

Central licensing and contracts on 61/41K with VSX

If you are using a 61/41 chassis with VSX, make sure you understand the caveats and pitfalls when applying central licensing.

Before I explain the issue at hand, let me remind you of a couple of facts about the environment.

  1. A central license can only be applied from a Management Server, usually with SmartUpdate. You will fail to put it locally on the machine with the "cplic..." command.
  2. 61/41 appliances have multiple SGMs (Security Gateway Modules) running as a single logical GW from the MGMT perspective. To do so, you have to configure a so-called Security Group and populate it with SGMs.

Now, here is the catch. You can only apply central license successfully from SmartUpdate if there is a single SGM in the security group.

With multiple SGMs in the Security Group, SmartCenter will only apply a new license to the SMO (Single Management Object), i.e. the first SGM in the Security Group. All other SGMs will fail to get a license.

This is not an issue if you never change your license. But if you do, prepare for inconsistencies.

The only workaround I have found is to use a local license and apply it on the chassis with CLI commands. Just in case you have a different way, please let me know.

One more thing is applying the contract file. It has to be applied on the GW locally with the "cplic contract..." command. The pitfall is that you need to distribute the contract file onto all SGMs in the Security Group before running the CLI command. To copy files to all SGMs, use the asg_cp2blades... command, as described in the admin manual.


Tuesday, March 15, 2016

R80 is not expected to make a dent, business analysts say

Cleveland Research Company (CRC) has released a new security market research report. The report is not publicly available but can be purchased on the CRC web site.

R80 is mentioned there several times. In a nutshell, business research analysts are not impressed with R80 capabilities and do not expect a significant change in Check Point's market status after its release.

Here are several quotes.

R80 not expected to be catalyst until 2017
R80 should be neutral or slightly positive for growth, if it is positive, great.

It seems Check Point should be more active in highlighting and explaining the novelties and advantages of R80.


Wednesday, March 2, 2016

R80 is announced. What does it mean?

Check Point issued a press release yesterday saying R80 "will be available this March". What does it mean, really?

Here are some questions and answers on the matter.

Q. Is it on time?
A. R80 has been expected since 2014. At CPX 2013 the company mentioned a new version to be released after R77. Check Point delayed R80 for at least a couple of years.

Q. Why is it delayed?
A. R80 introduces a completely new infrastructure for Check Point firewalls and management. It requires a huge amount of work and testing to ensure a flawless transition from previous versions. This work cannot be rushed. Quality and stability of security systems cannot be compromised. The company is apparently taking as much time as required to make sure the product is good before releasing it publicly.

Q. What is in the release?
A. The announcement talks about the new management only. The corresponding gateway part is expected later this year as the R80.10 release (allegedly).

Q. What is new in this release?
A. Management infrastructure and administrative tools are completely rebuilt. Expect quite a different user experience with the new single SmartConsole application. The management architecture now uses an actual database, not a set of text files, as before. It is no longer limited to a single administrative session even within one SmartCenter. Multiple administrators will be able to make parallel changes.

Q. What are the expectations concerning R80 gateway release?
A. It is not clear at this point. CPX demos hint that the R80 gateway will allow a new form of policy enforcement, so-called Unified Policy, where security administrators will be able to enforce not just traffic filtering, but also other security blade policies by creating rules and sub-rules with different security settings.

Q. Why are the MGMT and GW parts not released together, as usual?
A. This kind of revolutionary approach to firewalling requires a substantial change of GW architecture and even more testing and validation than the MGMT part. Hence the separation.

Q. Why does Check Point's architecture need to be changed in the first place?
A. The latest rapid changes in the security and threat landscapes require a different architecture to deal with both performance and functionality changes. It is only natural to go for a new architecture to address both challenges.

Q. Should I upgrade to R80 management right after it is publicly available?
A. This is not a simple "yes" or "no" question. In general, some caution is advised when upgrading to a new release. You need to see if it has something valuable for you and then assess the risks. Lab tests and trials are a must when moving between main releases. Run R80 in the lab first, then decide.

Q. I have been working with Check Point products for years. Is my experience still relevant for R80?
A. As already mentioned above, R80 introduces a new experience and a new architecture. Some learning curve is expected, but it should not be absolutely alien to any person working with other Check Point products. It still has an intuitive user interface, just different from what you are used to today.

Q. What should I do to prepare for the R80 release for myself and my company? How can I learn the product?
A. Firstly, get on the public EA and run it in the lab before it is released. Read the documentation (yes, it is still mandatory). If you need any additional help, just know there should be a new set of CCSA/CCSE courses for R80 later this year. I also hope there will be some books written about R80.
