Wednesday, July 26, 2017

Turning out of state drops on and off on your gateways without pushing policy

One of the regular issues I help my customers resolve is out of state drops. There might be multiple causes, and those should be addressed by proper troubleshooting and network configuration changes.

However, there are cases when you just need a quick fix before addressing the root cause of the problem.

The classic way to do that is to change Global Properties settings on your management and to install policy. The biggest problem with that approach is that the settings are global and will affect all FWs in the security domain after a policy push.

But no worries, there is a way around it, described in SK117374. The FW kernel has two parameters that control out of state drops for TCP and ICMP:

fw_allow_out_of_state_tcp
fw_allow_out_of_state_icmp

For example, by running fw ctl set int fw_allow_out_of_state_tcp 1 you allow out of state TCP traffic to pass through. Setting the same parameter back to 0 starts dropping out of state TCP again.
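As an added example (not from the post and not a Check Point tool), here is a small shell wrapper around the fw ctl get/set int commands above: it records the current value, relaxes it for a bounded number of seconds and then restores it, so the quick fix cannot quietly become permanent. It assumes the "fw ctl get int" output format "name = value" and an FW_CMD variable pointing at the fw binary (or at a stub when run off a gateway).

```shell
#!/bin/sh
# Bounded toggle of the out-of-state kernel parameters on a single gateway.
# Wraps "fw ctl get int" / "fw ctl set int" so the previous value is recorded
# and restored automatically. The change is runtime only (it does not survive
# a reboot) and affects this gateway alone, not the policy.
# FW_CMD is an assumed hook: the fw binary, or a stub function for testing.
FW_CMD="${FW_CMD:-fw}"

# Extract the numeric value from a "fw ctl get int <param>" output line.
# Assumed format: "fw_allow_out_of_state_tcp = 0"  -> prints 0
parse_kparam_value() {
    printf '%s\n' "$1" | sed -n 's/^[A-Za-z_0-9]* *= *\([0-9][0-9]*\).*$/\1/p'
}

# Only the two parameters named in the post are accepted.
valid_oos_param() {
    case "$1" in
        fw_allow_out_of_state_tcp|fw_allow_out_of_state_icmp) return 0 ;;
        *) echo "unknown parameter: $1" >&2; return 2 ;;
    esac
}

# Print the current value (0 = drop out of state traffic, 1 = allow it).
oos_get() {
    local line value
    valid_oos_param "$1" || return 2
    line=$("$FW_CMD" ctl get int "$1") || return 1
    value=$(parse_kparam_value "$line")
    [ -n "$value" ] || { echo "could not parse: $line" >&2; return 1; }
    printf '%s\n' "$value"
}

# Set the value; refuses anything but 0 or 1.
oos_set() {
    valid_oos_param "$1" || return 2
    case "$2" in
        0|1) ;;
        *) echo "value must be 0 or 1, got: $2" >&2; return 2 ;;
    esac
    "$FW_CMD" ctl set int "$1" "$2"
}

# Allow out of state traffic for $2 seconds, then put the previous value back.
# Prints the previous value so the caller can confirm what was restored.
oos_allow_temporarily() {
    local param="$1" secs="$2" prev
    prev=$(oos_get "$param") || return 1
    oos_set "$param" 1 || return 1
    sleep "$secs"
    oos_set "$param" "$prev" || return 1
    printf '%s\n' "$prev"
}
```

On a gateway, "oos_allow_temporarily fw_allow_out_of_state_tcp 600" relaxes TCP out of state drops for ten minutes and then reverts to whatever was set before.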


-----------
Support CPET project and this blog with your donations to https://www.paypal.me/cpvideonuggets 

Tuesday, July 25, 2017

R80.10 debug documents are now public

Check Point has published a set of new documents describing kernel modules and debug flags, SecureXL and CoreXL debug details in R80.10. 

Although the documents are public, to download them you will need to log in to User Center.

Kernel Debug flags - R80.10: http://downloads.checkpoint.com/dc/download.htm?ID=56864
SecureXL Debug Flags - FWAccel (R80.10): http://downloads.checkpoint.com/dc/download.htm?ID=56865
SecureXL Debug Flags - SIM (R80.10): http://downloads.checkpoint.com/dc/download.htm?ID=56866

Special thanks to Sergei Shir for this publication.




Sunday, July 23, 2017

CPET session 3 - it is on!

The next Check Point Expert Talks session will take place on Sunday 30th of July at 14:00 CET. You have chosen Kernel Debug Best Practices as the topic.

The session is limited to 100 participants. If you cannot join, a video recording will be available later on.

To put the session in your calendar, use the invitation link.

Otherwise, use this link information to join.

-----------
CPET project relies on your support. 
Participate in the talks and help us with your donations to https://www.paypal.me/cpvideonuggets 
Follow us on Facebook and Twitter. 




Monday, July 10, 2017

CPET session 3 - choose the topic and time

Do not miss the opportunity to choose what and when will be discussed on the third CPET live session.

This time I am proposing three different subjects:

1. Details of Policy Installation with Check Point
2. Kernel Debugging Best Practices  - Chosen
3. Open Questions and Answers discussion

Note: if option 3 is chosen, I will ask to submit questions in advance, so I could go through them. 10 minutes will be left for further discussion anyway.

The proposed times are:

1. Saturday, 29th of July, 18:00 CET
2. Sunday, 30th of July, 14:00 CET - Chosen


The poll is now closed. Session details and invitation are here.




Friday, July 7, 2017

45 day trial for Office 365 SandBlast Cloud - do not miss

Check Point has just announced an unprecedented 45 day trial program for SandBlast Cloud, designed to protect your Office 365 environment.

It includes engineering support for deployment and tuning of the solution.

The program is only available by request.

Details are listed in the CP community post by Stephen Johnson.





Sunday, June 25, 2017

CPET session 2 recording is out there

Thanks all for a great talk. We have been discussing Unified policy, rulebase search in the GUI and gateway side rulebase match process.

Special thanks to Tim and Tomer for joining.






Monday, June 19, 2017

CPET session - R80.10 rulebase enforcement - IT IS ON!

Hi all, thanks for participating in the poll concerning the upcoming CPET session.

The results are:

Topic:  R80.10 rulebase enforcement
Time: Sunday 25th of June, 3 PM CET

Connectivity details:

-----
Time: Jun 25, 2017 3:00 PM Zurich

Join from PC, Mac, Linux, iOS or Android: https://zoom.us/j/753341892

Or iPhone one-tap (US Toll):  +14157629988,,753341892# or +16465687788,,753341892#

Or Telephone:
    Dial: +1 415 762 9988 (US Toll) or +1 646 568 7788 (US Toll)
    Meeting ID: 753 341 892
    International numbers available: https://zoom.us/zoomconference?m=oCHJKCpzvmT3TcGAXFmULg-2fIjikfHV
-----

Calendar invitation can be downloaded here.

Talk to you all on Sunday.



Friday, June 16, 2017

Voting for the next CPET session is extended

Hello all, I have decided to extend the voting for the next CPET session.

R80.10 rulebase enforcement is a definite leader, but the timing is another matter. We are having Sunday 15:00 CET leading with just a single vote out of 27.

The poll will be closed on Sunday 19.06.2017 EOD, please use the last chance to define the time.


Thursday, June 15, 2017

RIP Barry Stiefel

Earlier this week I learned the sad news about Barry Stiefel's passing.



Barry, the founder and director of CPUG over so many years, was my friend. I have met him in person in 2008 on CPUGcon in Switzerland. He brought together so many different people and cultures, and made us talk and share.

His energy and enthusiasm were fueling Check Point Users Group. With his big personality, he gave the community both glory and challenges. He was always fighting a fight, fighting for something he saw dear, and true, and fair.

Your fight is now over, pal. Rest in peace...

Tuesday, June 6, 2017

CPET session time and subject - take your pick

Not so long ago I asked for your feedback concerning my CPET idea. To improve the game, I will be suggesting two different subjects and different times for live attendees.

So for the next time I am proposing two different topics:
  • New logic of rulebase search in R80.10 gateway - Final
  • R80.10 MDSM and VSX deployment - live demo
 and two different times:
  • Saturday 24th of June, 11:00 CET  
  • Sunday 25th of June, 15:00 CET    Final 


To vote simply leave your feedback in this Google form. You have time till 16th of June. Most popular time and topic will be presented. You also can suggest another topic for the future sessions. Please choose just one subject this time.


I also have to make an important clarification about the proposed time slots.

CPET is a private and free of charge initiative. Performing any kind of activities towards it during regular office hours is impossible. I can only make preparations and run the session on my private time. Also, as my day job duties may require some customer facing overtime during the working week, for time being we are stuck with weekends only for the live session, where you can participate in an actual discussion. That should not be a problem for those who cannot attend, as long as the recordings are available. You are always welcome to leave comments in the blog or in other media.

Thanks for your interest.









Tuesday, May 16, 2017

VSX and local.arp - correction and follow up

Hi, in one of my previous posts I have mentioned that with Jumbo HFA 210 and up local.arp files are purged.

The issue was reported to me by a customer, and I was not personally involved in troubleshooting it. That was my oversight, which led to some erroneous statements in the original post.

Since then, several Check Point developers and R&D managers have reached out to me to investigate the details. After thorough analysis it has been found that the information reported is not 100% accurate.

Here are the results:

1. Check Point admits that after Jumbo installation local.arp on VS0 only will be purged. This issue will be corrected with the next HFA package.

2. Any VS other than VS0 will keep local.arp intact. That also means, the original warning about installing Jumbo package 216 was incorrect. With regular precaution, such as backups and local modifications saved aside, there is no showstopper for VSX, unless you filter your production traffic on VS0.

3. The actual customer's issue occurred on a physical FW and not on VSX. Here I have to remind all that the only supported way to configure Proxy ARP settings on physical Gaia based devices is through CLISH.

More info to follow.

I thank Gera Dorfman, Yigal Alexander and Sergei Shir for their time and efforts spent to investigate the issue.

Monday, May 15, 2017

Wcry lesson - we learn that we do not learn

Wannacry ransomware wreaked havoc around the globe, infecting and putting out of commission more than two hundred thousand computers. One could consider this a brutal and effective crash test for common security practices. A test that we have failed, miserably. Just look at the map of affected countries...



The situation could be completely different, if IT security adhered to a small set of very basic security practices, such as

Educate end users

One of the Wcry vectors is a phishing email. We all know that it is not wise clicking on email links, right? Wrong, apparently. People are still doing that. Teaching users simple security awareness practices is vital to avoid such incidents.

Scan incoming emails and downloads

One of the classic cases of Threat Emulation is scanning and detonating file attachments and downloads. Every decent security vendor has an appropriate offering in this field. 

Anti-phishing tools are also widely available, both onsite and cloud based.

Patch your systems timely

The SMB vulnerability used by Wcry to propagate was patched by Microsoft in March 2017, two months before the event. Two months!

Use IPS for virtual patching

Okay, you say, we could patch all supported Windows machines, but how about XP, 8 and 2003? Even if there was no patch for unsupported Windows flavors, simple IPS virtual patching would do. How hard can it be, really?

Filter incoming traffic, segment your networks

To prevent the initial infection coming from Internet through SMB, one only needed to filter out incoming SMB traffic. Same to prevent lateral movement of the worm in segmented networks. Simple FW rules denying such traffic would do.

Backups, backups, backups

In case of infection, there is always a plan B - restoring systems from backups. If you have any. If you keep them safe. Safe in this context means offline. 



Simple and widely known best security practices could save the day. Yes, we have all seen recently that our networks are out there for anyone who wants to take them over. How sad is that?






CPET feedback

Hi all,

Nobody showed up to the planned CPET session about pros and cons of Check Point Stateful Inspection, and I would like to understand what went wrong here.

Please kindly take your time to fill in a short questionnaire that would help me to plan better the next time.

Thanks a lot
VL


Monday, May 8, 2017

Urgent! Your VSX proxy ARP settings might be broken with latest R77.30 Jumbo HFA

In 2014 I wrote an article about setting proxy arp on VSX bond interface

IMPORTANT: The information below is not 100% accurate. Please jump to the new post for more details


The problem occurred the first time during a sophisticated VSX setup with one of my customers. Although CP official documentation insisted on doing it from Gaia clish, it was failing, and a manual local.arp file was required.

Since then, Check Point corrected its recommendation, and in sk30197 local.arp is mentioned as the appropriate configuration.

Guess what? With R77.30 Jumbo HFA package 210 and above this is now broken

Last week my other VSX customer reported to me that installing Jumbo 216 caused a four hour outage on their business critical system, and the reason was failing proxy ARP settings. They had used local.arp files, but after installing the 216 Jumbo HFA package those files were purged. They also needed to use Gaia clish to configure it, again.

After some research, we are now convinced that this is the result of fixing bonding issue mentioned in sk111675. The fix is included in Jumbo packages version 201 and up. 

The ugly part of the issue is that it was not expected and apparently not tested on a system with pre-existing local.arp.

If you happen to have local.arp files in place and plan to install the latest R77.30 Jumbo HFA, take extra care.

The documentation is not fixed yet, and I did not manage to find any new SK for the matter just yet. 


Session 2 - meeting details


As previously announced, we are having the second session of CPET this weekend.

It will happen on Sunday, 14th of May, at 3PM CET.

Zoom meeting will be available via this link. Calendar invitation for it is here.

As before, only 50 participants will be able to join. Mark your calendars and be on time.


Sunday, April 30, 2017

CPET session 2, Stateful Inspection: the good, the bad, the ugly, the brilliant

I am glad to announce session 2 with the title: 

Stateful Inspection: the good, the bad, the ugly, the brilliant 


We will touch the following subjects:

1. Why is Stateful Inspection (SI) still the best way of securing network traffic?
2. What are the particular details about Check Point implementation of SI?
3. Pitfalls, drawbacks, and bottlenecks with SI
4. Does SI have a future?


Stay tuned, the date and time will be announced soon



Monday, April 24, 2017

CPET session 1 - video is ready

Video recording of the first session is now available


Thank you for your participation. Hope to see you soon.


Thursday, April 20, 2017

Do not miss first CPET session

All, do not miss this session. Details are in one of my previous posts.

Calendar invitation is available here.

Only up to 50 participants, so be on time.

-----------
CPET project relies on your support. Participate in the talks and help us with your donations to https://www.paypal.me/cpvideonuggets

Follow us on Facebook and Twitter. You may also send us an email (cpvideonuggets (at) gmail.com).

Saturday, April 15, 2017

CPUG papers 2 - Architectural Principles of Check Point Firewalls

CPUG papers project released the second paper - Architectural Principles of Check Point Firewalls



Thursday, April 13, 2017

CPET pilot session 1 - details

Introduction to R80 - meeting details


CPET is inviting you to a scheduled Zoom meeting.

Topic: Introduction to R80 -  Zoom Meeting
Time: Apr 23, 2017 3:00 PM Zurich

Join from PC, Mac, Linux, iOS or Android: https://zoom.us/j/470434887

Or iPhone one-tap (US Toll):  +16465588656,470434887# or +14086380968,470434887#

Or Telephone:
    Dial: +1 646 558 8656 (US Toll) or +1 408 638 0968 (US Toll)
    Meeting ID: 470 434 887
    International numbers available: https://zoom.us/zoomconference?m=PVf3OUjqIivIVlmuAnEjhItA5bQ6kCLh

Add this meeting to your calendar by this link



Tuesday, April 11, 2017

CPET first pilot session - R80, the second biggest Check Point revolution

Mark your calendars, the very first CPET pilot session is planned to take place at 3PM CET on Sunday, 23rd of April.

The topic will be: 

R80, the second biggest Check Point revolution


We will discuss the following topics: 

  • tech and marketing drivers behind R80, 
  • a historical view on Check Point releases
  • what's new for both management and gateway
  • why it takes over three years to release full version of the product?
  • what are pros and cons of moving to R80
  • what to expect in the near future



We plan to record the session and to put video online later on. As we are using the free tools for the service at the moment, the seminar will be limited to 50 live participants and will last only 40 minutes.

The session links and invitation details are now available

Follow us on Facebook and Twitter. You may also send us an email (cpvideonuggets (at) gmail.com).



Thursday, April 6, 2017

CPET mission statement


The goal

CPET provides an innovative way to share knowledge and technology expertise for Check Point security professionals. We are going to address the full spectrum of Check Point related topics while focusing on architecture, optimization, troubleshooting and best practices. 

We do not want to replace other existing platforms and services, such as Check Point Education Services and Check Point User Group forum (CPUG). Instead, we help Check Point tech community by providing a new tool for social and professional interactions.

How

This is an independent technological initiative. We maintain integrity and transparency. We stick to the principles of CPUG community

- We tell the truth and help each other out.

What

We will run one hour long web seminars with an option to share a recorded version of events to those who could not participate. We plan to hold one or two seminars per month.

Who

CPET is created by Valeri Loukine (Val). Val is known for his CCMA blog and his role in CPUG community. He is also a CPUG ambassador in Europe.

We are open to other presenters and experts to help us share the load. Contact us if you want to be a speaker. 

How much does it cost?

We believe sharing knowledge is part of success. Our mission is to make CPET accessible and affordable for a wide audience. As of now, we allow free participation in the live seminars to everybody. We are also considering a subscription or a crowdfunding campaign later, for accessing the recorded sessions. We plan to figure out associated costs of CPET during the pilot phase. We reserve a right to change the CPET commercial model to provide a viable and affordable service.

Independence

We consider CPET a community service. We volunteer our personal time and efforts to the cause, freely and independently,  outside of our daily jobs and professional obligations, without affiliations with our employers and/or particular technology vendors. 


Community Support

To make the initiative a success, we need your support. Spread the word, participate in the sessions, provide your feedback, share your expertise, be proactive. 

If you want to back us up financially, make your donation.

Sponsorship

At this moment, we are open for sponsoring offers. If your company wants to support this initiative, please contact us.

Stay in touch

You can find us on Facebook and Twitter. Val’s CCMA blog will be the main tool to share information about events and to collect your feedback. You may also send us an email (cpvideonuggets (at) gmail.com).



When do we start?

The first pilot session will be announced in about a week from now. We will post the details in this blog and on social media.

Stay tuned!



Tuesday, April 4, 2017

CPUG papers - even better that R80 book

Last year I announced that four people had decided to write a book about R80. Since then we, the authors, have been working through multiple challenges, such as different writing styles, four time zones, a variety of interests and preferred subjects, and finally, long delays around R80 management and gateway releases.

We have produced tons of content, we have spent multiple personal hours discussing the project, its structure, deadlines and its commercial models.

Finally, pushed back by the long anticipated R80 gateway that is still not around, we have decided to revisit the original idea of a book. Then, we invented CPUG papers.

With the CPUG papers, we embrace different styles, interests and backgrounds. We are now able to release chapters, or papers, as we call them, gradually, once each piece is ready. And, most importantly, we want our work to be available to the community free of charge. Today, the first CPUG paper is published: Brief History of Check Point Firewalls.

There are PDF and ePub versions of the paper. All you need to access them is CPUG membership.

Thanks all for your interest and your comments.



Saturday, April 1, 2017

Check Point merges with Palo Alto Networks

Unimaginable happens. In the just released statement Check Point Software Technologies and Palo Alto Networks announce a merger. The new company will be called CPAN - Check Point Advanced Networks.

The merger will get into effect immediately. The two companies are also merging their stock shares, bringing total capitalization to an incredible 25 billion. New CPAN shares will be traded both on NASDAQ and NYSE.


Finally, it all makes sense, guys. All these 11 years it smelled fishy, but I could not put a finger on it. Yet today, 1st of April, year 2017, the mystery is in the open, finally. We have all seen the writings on the wall, but the puzzle was too complex to predict this outcome. Oh, the drama, Shakespeare is really jealous.




So, let me outline it for you, all historical details, stage by stage.

Stage 1. Largo 


In 1999 Nir Zuk, a renowned Check Point engineer and brilliant developer, leaves Check Point and founds his startup OneSecure. The trap is set, and NetScreen gets into it, eventually. NetScreen is later acquired by Juniper. In 2005 Nir leaves Juniper, but his elaborate conspiracy scheme to bring it down is not yet activated.

Stage 2. Andante 


Shlomo Kramer meanwhile prepares another scene. He seemingly severs his ties with the Check Point founders and goes rogue. In 2005 he reconnects with Nir and the two of them create Palo Alto Networks.

Stage 3. Allegro 


PAN goes to the market with NGFW scheme. Both Fortinet and Juniper are startled, Check Point also seems not to be amused. Same time Nir finally activates his mines at Juniper, and the company starts falling down.

Stage 4. Presto 


PAN ascends on the security market like a rocket, acquiring market share from crumbling legacy firewall vendors. Mind you, Check Point maintains its market share and seems to be unaffected by PAN's ride to power.

Stage 5. Fugue

Once both Check Point and PAN rise to practically the same revenues, as I mentioned in one of my recent posts, everything is ready for the grand finale. The issue of PAN's capitalization being too high for the merger is corrected at the beginning of the year after announcing caution to investors. PAN share prices declined 25% after such an announcement.

Then BOOM! Two titans merge!

What a ride, guys, what a ride... I have to confess. I did not see it coming. Probably, nobody did. We all have been fooled by apparent fight and very vocal competition between two companies. And yet again, that was the textbook deception trick. That was the perfect cover!

Starting today, the world of information security is irreversibly changed. Check Point has secured its future once more - the future of market domination.

UPDATE: Just in case, this was April's fools day, guys


Wednesday, March 29, 2017

Introducing Check Point Expert Talks - CPET

Hi all!

In my previous post I asked you about your willingness to participate in live seminars around Check Point. I was surprised and humbled by your response. About 25 percent of the people who read that post participated in the survey. That is much more than I would expect.

The most popular topics are troubleshooting, optimisation and best practices. Guess what, I am teaching those courses for more than 10 years now.

Teaching a class, even a virtual one, takes lots of effort and is still limited to just tens of participants. Yet, tens of thousands of security professionals could benefit.

There are some public knowledge sharing resources such as CPUG.org and the (not so public) SecureKnowledge database. The issue with both is that most of the info there, although extremely valuable, addresses very particular and mostly limited topics. Making a big picture out of those puzzle pieces is a herculean task. One more challenge is that neither platform allows an effective conversation.

Check Point Education Services have a wide network of training partners delivering official courses such as CCSA and CCSE, but they only briefly address some of the mentioned topics.

Something has to be done about it, don't you think?

My goal is to start a new mission. It has to be affordable in terms of personal time investment. Something that I could do in my free time outside of my day job workframe. It should be public and approachable. It should be regular. It should be in a form of an actual discussion, with later ability to recap the touched topic for better understanding.

Here it is - Check Point Expert Talks - CPET



I want to commence running one hour web seminars once or twice a month, on Sundays. I am planning to record the sessions and to put it somewhere participants will be able to access them later.

This is still an open idea, and there are lots of unknowns about it: platform choices for both the seminar and hosting videos, particular times for the sessions, associated costs and even the amount of effort needed to spin this out.

Mission statement and information about a pilot run will follow the next week. Thank you very much for your support and encouragement.




Thursday, March 23, 2017

Web-based live sessions about Check Point - will you attend?

Hi all,

I am looking for new ways to share my experience and to help the community in being more comfortable with different aspects of Check Point technology and products.

What would you say about one hour web based (google hangout or similar service) video chat with shared materials and video recording for those who missed it?

To help me in doing it right and addressing the most popular subjects, please fill in a short survey by this link: https://goo.gl/forms/xO0vkuaX1ml4F4Hj2

Thanks a lot,
VL



Wednesday, March 22, 2017

A phishing email - missed by mimecast, caught by Check Point

A friend of mine has got an email from his bank one day to his corporate mailbox. From the start he knew it was a phishing email. There were several clues.

Firstly, his bank does not know his corporate email address. Secondly, the only emails the bank sends are warnings not to open any emails with attachments from that bank, ever. And of course, the colleague got an email with an attached HTML file.

Being an IT guy, he is aware of the danger involved. Being a curious guy, he asked me to assist him with getting details of who attacks him and how. This is what we have done to get to the bottom of it.

1. Email headers info


The email has been sent from a private residential IP address in Spain and routed through a mail server belonging to a law firm in Santiago, Chile, most probably with weak security settings on its SMTP server. The sender's mail address was spoofed to look like the email sent from LinkedIn.

- Come on, guys, how stupid should your supposed victim be? Banking email sending messages through LinkedIn? Seriously?

My friend's company uses the mimecast service to filter out malicious emails. It was only partially effective in this particular case. In the mail header, the service flagged the SMTP server as not trusted to belong to LinkedIn. Yet, the email was delivered nonetheless.

2. Attachment analysis


As mentioned, the email has an attachment with a suspicious HTML file. The file has a couple of lines of code, with an obviously obfuscated payload in it. Before trying to open it, we decided to scan it on VirusTotal. Out of 55 vendors, only McAfee had this file previously scanned and marked malicious. That was more than suspicious, so at this point we asked the Vulnerability Research team at Check Point to assist. They kindly agreed to help.

It turns out the obfuscated code is not a malware in a technical sense. Instead, it has a phishing page with a fake cardservice.ch dialog for collecting credit card details.



The actual link goes to a web site in Brazil, which is already closed by ISP for suspicious activity.


3. How that would look with Check Point phishing protection


One important note is that if my friend had used the Check Point Anti-Phishing browser extension, even after opening the attached HTML file he could not possibly have fallen victim to this scam. Why? Because he would see a warning like this:



Special thanks to Oded Vanunu and Check Point Vulnerability Research team.





Thursday, March 16, 2017

PAN revenue is expected to surpass Check Point in 2017

At the beginning of the month I mentioned that despite slower growth at the end of 2016, Palo Alto Networks still poses serious competition to Check Point.

According to a new report from Cleveland Research Company (not publicly available), PAN is expected to surpass Check Point's revenue this year.

The graph below is quoted from the report. It presents relative revenues for each of the mentioned vendors, as well as some others. Although the title says "Market Share", in reality we are talking about revenues.

It is quite interesting that both PAN and Fortinet have gained quite a momentum of growth. In the last six years both competitors have managed to increase their presence drastically while Check Point goes practically flat.

It is only my personal opinion, but it seems to me Check Point has to step up its game as soon as possible, both in marketing and in sales efforts. It looks like their time is running out quickly...




Wednesday, March 15, 2017

Azure test drive with Check Point vSEC

Check Point vSEC is now available on Azure, and you can even test-drive it.
The whole exercise is free of charge for three hours.

All you get is a standalone GW+Mgmt machine plus a Windows-based GUI client and a test web server.

The pre-installed policy is autogenerated and looks quite odd. 

Azure also provides some limited testing capabilities. There are three built-in tests; two of them fail. Since there is no documentation about how and what is tested, I could not figure out whether that is expected.


IPS, Application control, Antivirus and Anti-bot are included and enabled on the gateway.

Once you stop the test drive or run out of time, the environment is torn down in about 5 minutes.

According to the marketplace description, you will be able to manage Azure vSEC from your production Management Server and even use your own license.



All in all, it seems to be easy to deploy and manage. Try it on your own and share your thoughts here.



Friday, March 10, 2017

Policy installation, is it taking too long?

About a month ago I was dealing with a customer's complaint about policy installation taking far too much time. Apparently it is a valid concern for many organizations. If you think your policy is taking too long to install, there are several things to consider.

How it is done

Policy installation is a bit more complex than some people think. Let's see what happens when you press the Install button in the GUI:
  1. The policy package is saved.
  2. If you have Management High Availability in place with automatic sync, MGMT HA synchronization is invoked. Your whole MGMT database is collected, zipped and transferred to the standby Management Server and then unpacked. Only when this is done (or has failed, depending on the conditions) do you go to the next step.
  3. Policy verification. Your rulebase is checked for logic errors and shadowed rules.
  4. Policy compilation. The Management Server calls a compilation process that collects the rulebase, the object definitions, the security settings for IPS, Threat Prevention, Application Control, etc., and prepares all the files needed by the Security Gateway. The files are zipped for transfer.
  5. The policy files are sent to the gateway over the SIC-encrypted channel.
  6. The gateway receives the files and unzips them. Once that is done, the actual policy installation begins.
  7. Finally, the GW replaces the existing security rules with the new ones from the received package. Depending on the settings, this may include re-matching all open connections against the new policy. Once done, the GW reports success or failure back to MGMT.
In summary, steps 1 to 5 happen on the Management Server; only the last two steps (6 and 7) happen on the Gateway side.

Why can it be slow?

There are several bottlenecks at the Management Server side: HDD access speed, RAM and CPU. All of them may slow down multiple operations with the files and compilation of the policy package. 

For example, if the MGMT server is also doing logging, a high log volume means disk access gets queued, and both verification and compilation may take significantly longer than without logging. If your management CPUs are already running high (logging, SmartLog indexing, any other CPU-intensive operation), that too slows down policy installation.

If by any chance you are running a Windows-based Management Server, the corporate-mandated antivirus software will slow down policy installation enormously, scanning and rescanning all the MGMT database files that are opened, created and changed along the way.

Management HA sync adds five to ten minutes to the process. If this is your case, you may want to change MGMT HA settings to manual sync only. My customer mentioned at the beginning of this article was using fake management server objects for logging external FWs. Every time they were installing policies, MGMT HA process tried to talk to non-existing objects, finally failing and giving up. For that customer, the main pitfall was management high availability itself.

Bigger policy takes longer time to compile. More checks, more objects to touch, bigger files to create. 

File transfer from MGMT to GW may take some time if the connectivity between elements of your security system is slow.

Once the files are on the gateway, it usually takes less than a minute to install the policy. Again, the bigger the policy, the slower the installation. If your policy has more than 3000 rules, you may expect installation to take a while.
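To put numbers on the phases above instead of guessing, here is a small expert-mode script. It is an added example, not code from the original post or from Check Point: it times a CLI-driven verification and a full installation, and records the Management Server's load average, free memory and log-partition usage around them, so that a slow push can be attributed to the management side (steps 1 to 5) rather than to the transfer or the gateway. It assumes the R77.x `fwm verify` and `fwm load` commands as the CLI equivalents of Verify and Install in SmartDashboard (R80.x replaces them with `mgmt_cli install-policy`); the policy package and gateway object names are placeholders you pass on the command line.

```shell
#!/bin/sh
# Added example, not code from the original post or from Check Point.
# Times a CLI-driven policy verification and installation on an R77.x
# Management Server and snapshots CPU, RAM and disk state around them.
# Assumptions: run in expert mode on the management; `fwm verify` and
# `fwm load` are the R77.x CLI equivalents of Verify/Install in the GUI;
# policy and gateway names are placeholders supplied as arguments.

LOGFILE="${LOGFILE:-/tmp/policy_install_timing.log}"

# One line with the three management-side bottlenecks named in the text:
# CPU (load average), RAM (MemFree) and disk (usage of the log partition).
mgmt_snapshot() {
    load=$(cut -d' ' -f1-3 /proc/loadavg 2>/dev/null || echo n/a)
    memfree=$(awk '/^MemFree/ {print $2}' /proc/meminfo 2>/dev/null || echo n/a)
    diskpct=$(df -k /var/log 2>/dev/null | awk 'NR==2 {print $5}')
    printf '%s snapshot load=[%s] memfree_kb=%s log_disk_used=%s\n' \
        "$(date '+%H:%M:%S')" "$load" "${memfree:-n/a}" "${diskpct:-n/a}"
}

# Run a command, append "<time> <label> seconds=<n> rc=<status>" to LOGFILE,
# print the elapsed wall-clock seconds and return the command's exit status.
run_timed() {
    label="$1"; shift
    start=$(date +%s)
    if "$@"; then rc=0; else rc=$?; fi
    elapsed=$(( $(date +%s) - start ))
    printf '%s %s seconds=%d rc=%d\n' "$(date '+%H:%M:%S')" "$label" \
        "$elapsed" "$rc" >> "$LOGFILE"
    echo "$elapsed"
    return "$rc"
}

# Label of the phase with the largest recorded duration in LOGFILE
# (on a tie the most recent one wins). Snapshot lines carry no seconds=.
slowest_phase() {
    awk '{
        for (i = 3; i <= NF; i++)
            if (split($i, kv, "=") == 2 && kv[1] == "seconds" && kv[2] + 0 >= max) {
                max = kv[2] + 0; label = $2
            }
    } END { print label }' "$LOGFILE"
}

# Verification alone (step 3), then the whole chain (steps 1-7) in one go.
# The difference between the two is the compile + transfer + gateway share.
measure_install() {
    policy="$1"; gw="$2"
    mgmt_snapshot | tee -a "$LOGFILE"
    run_timed verify  fwm verify "$policy"      >/dev/null
    run_timed install fwm load   "$policy" "$gw" >/dev/null
    mgmt_snapshot | tee -a "$LOGFILE"
    echo "slowest phase: $(slowest_phase)"
}

# Usage: sh policy_timing.sh <policy-package-name> <gateway-object-name>
if [ "$#" -eq 2 ]; then
    measure_install "$1" "$2"
fi
```

Run it a few times at different hours and compare the snapshots: if the load average is already high and the "verify" phase alone takes minutes, the bottleneck is the management box (logging, indexing, antivirus, HA sync), not the link or the gateway. If "verify" is quick but "install" is slow, look at the transfer path and the gateway.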

Will it be faster with R80?

Yes and no. 

For all R77.x and below it will be exactly the same process as before. 

With  some later R80.X version (but not R80.10, apparently), we expect that gateway will be able to receive only the delta changes of the policy package. In this case every consecutive policy push after the first one should take less time.

Want to know more?

All of the above is thoroughly discussed in my Troubleshooting course. If you are interested in it, do not hesitate to let me know. My email is varera (at) gmail. Looking forward to hearing from you.

Monday, March 6, 2017

Commence the drum roll, R80.10 is coming

According to some rumors, R80.10 release is due in about two or three weeks. Are you excited?

I am biting my nails off, waiting to share with you something amazing about the new GW architecture. I hinted back in 2015 that something interesting was coming; I cannot wait any longer.

Also, GW release is tied to something else that is long overdue...

How is it on your side? Are you ready for R80.10? What do you expect? Will you upgrade right away? Are you planning to train your engineers, or will you just throw them in at the deep end?

Please do not hesitate to share in the comments all your thoughts, expectations, reservations, you name it. 

Friday, March 3, 2017

PANW plunged 20%, should Check Point gloat?

Two days ago Palo Alto Networks' share price fell sharply, losing about 20% of its value in a single day, following the second-quarter results announcement and a warning about third-quarter performance.




Some of my Check Point oriented friends would say reality is finally catching up with PAN, but I would not be that quick in judgement.

Being exposed to both vendors, I can say each one has its solid pros and cons, and technology competition not only drives sales up (or down in some cases, lol) but also benefits information security as a whole.

We all know that Wall Street indexes do not directly reflect the quality of the technology or even its market performance. It is all about making quick money, earnings per share in this particular case. As the FT explains, investors decided to get out of PANW because of the earnings warning.

In reality we should be more interested in market share and its growth. During the last several years Check Point revenue has grown organically with the market, plus or minus one percent, while its main competitors such as Fortinet and Palo Alto have posted double-digit year-over-year growth numbers.

Yes, PAN growth is slowing down. It is not around 50%, as in 2015, but it is still estimated to exceed 20% for 2017, which is two to three times the 7% to 9% growth Check Point has achieved over the last three years.

In other words, even while slowing down, Palo Alto Networks is catching up with Check Point market share.

Check Point still has a lot to do to reverse this trend and start winning the market back.


Friday, February 24, 2017

Check Point breaks silence about CCSM issues

In my two previous posts I shared my views about the lack of continuity with the CCSM certification and some other inconsistencies.

I have also reached out to Check Point Education Services for comments. On Wednesday afternoon the new certification manager, Jason Tugwell, called me to comment on the situation. Following that call, he sent me an official response that I am happy to share with you now. This is what he has to say:


Valeri,

Thank you for speaking with me yesterday.  As a recap of our phone call, I would like to respond on behalf of Education Services to the issues we have had with the CCSM.

We agree that there are 2 primary issues:
1.       The inability to renew the CCSM since there is not an R80 CCSM currently
2.       Inconsistency of CCSM certification lengths of 2 years and 4 years

Response to #1 
·         We are aware that we have not released the R80 CCSM as intended.  As we await the official release of R80.10 we are currently working on an updated CCSE for R80.10 with a CCSM to follow.  Shortly after the release of R80.10 we will be releasing a CCSM with an update plan for the CCSM community.  In the interim, we have come up with a plan that will satisfy both the need for a quality CCSE and a way to extend the CCSM certification.  To any CCSM, expired or not, we have extended an offer to partner with CCSMs, via our email distribution group, to participate in the R80.10 CCSE exam question development.  This is an opportunity to contribute to the CCSE exam and extend the CCSM certification for 1 year.  We believe the CCSM community can contribute to make the exam a solid product with challenging skill.  If you are a CCSM and not part of our email distribution group, contact Jason Tugwell for more information.

Response to #2
·         We have identified that there have been errors with CCSM certifications listing two different validation dates, 2 year or 4 year.  This inconsistency is still undergoing investigation; however, it appears that it was a clerical error that has affected a small percentage of the CCSMs.  We do apologize for the error and the confusion it has generated; nevertheless, going forward all CCSM certifications will be a 2-year certification as intended.  (See the Check Point Certification FAQ: All professional certifications - those taken in a proctored exam environment - are good for, or considered "Current", for two years.)  When the investigation is concluded, we will alert the community.

Let me express my sincere apologies for any issues this has caused and my gratitude to the network of Check Point Certified professionals that are interested in maintaining their certifications.

Regards,
Jason Tugwell “Tug” 

Thank you for your response, Jason. I will continue monitoring the situation and will share with the community any further development.