Wednesday, January 26, 2011

Merging two SmartCenter servers, quick HOWTO

Sometimes customers want to merge two or more SmartCenter servers into a single management server. The reasons for that are usually operational. I can't say I am a fan of this idea in general, but let's face it, from time to time we have to do something we do not like.

So, here is the way to do it right.

You will need:
  • Two SmartCenter Servers - provided by customer
  • VMware workstation or ESX server - find it yourself
  • Check Point installation media or ISO files and HFA files - download them in advance from Check Point site
  • Standard evaluation licenses (optional) - ask you partner
You will NOT need:

  • tools like ofiller or Confwiz. Wee will only use one classic Check Point DB utility

Things to take into consideration before you proceed:

  • SMC server versions
If servers are on different versions, you need some additional steps on the way. The best is to have them on the same version and HFA level, if possible.
  • Local users and user groups. 
They cannot be merged. Ones on the target machine will remain. The source machine's users and groups will be lost. Choose your source and target wisely, because you will have to recreate these settings manually.

Users and usergroups are merged by using fwm export and fwm import commands on the source an target SMC servers respectively. Thanks to Tore Solberg for pointing this out on LinkedIn.

  • VPNs

You will have to tune both Site to site and Remote Access VPN definitions during the migration. basically, keeping VPNs intact in many cases even more difficult then taking care of the users and groups.

Migration steps:

  • Backup everything. Then backup again.
  • Prepare DB export files on both SMC servers with upgrade_export
  • Install two new SmartCenter servers on your VMware. Choose any IP address you want. Use exact versions of your actual machines, so you could import DB later without any issue.
    License them with evaluation licenses, if you cannot use actual production IP addresses.
  • Import two databases on both VMware machines using upgrade_import. Check they are running, and you can connect to them with SmartDashboard without any problem.
    It is important you have both servers functional before you start messing around.
  • Now it is a good time to decide who will be the target machine, and who is to be source.
    It is all about complexity. Less FWs managed, less users defined, less policy packages configured. In some cases customer says you in advance, which SMC will be decommissioned. Choosing the right approach is important because you will have to redefine manually all local users and user groups from source SMC.
  • On target SMC prepare the files. You will need to copy Objects_5_0.C file to a certain folder. Then use cm_merge utility to export all policy packages you need. Usually there are more of them, so consult with your customer about things he wants to keep.
  • Copy these files (DB file and policies) to the target SMC. Use the same cp_merge to merge the objects. Then use it again to import all policy packages. Easy, right? By the end of this step you should have in on your VMware one operational SMC with merged objects databases and all necessary policy packages. Reminder: users and usergroups should be created before this step.
  • Export DB from this machine with upgrade_export utility. On this point you are done with labs and simulation, it is time to change your production systems.
  • Import DB prepared in the previous step to your target production server. Run regression tests. Its own FWs should continue sending logs. SIC should work, you must be able to push policy on those FWs.
  • Now it is time for more interesting task. You already have FW objects from your source SMC, but they are not responding. Reset and re-establish SIC with them. Voila!
  • Take care about VPNs. Tune communities, change all needed parameters. It might not be as easy as it sounds, but it is not different from building a new VPN system, so you will manage.
  • Once you have all GWs operational, all VPNs up and all logs coming, it is time to clean your database. Remove old source SMC object from it and, if necessary, double objects.
Please let me know if you have any further questions.

Stay tuned.

Friday, January 21, 2011

Dimension Data Switzerland to launch ATC

Hi all!

Sorry to be quiet for a while. I have just got back from CCSI (Check Point Certified Security Instructor) training provided by Ken Finley, Check Point. Without any exaggeration, that is the best training i have had in the last 10 years.

Thanks, Ken, I appreciate your effort.

The reason for me to attend this training was related to our new project in Switzerland.

It is official, we are now ATC (Authorized Training Center) with Check Point.

There are some formalities to fulfill before the courses schedule and price information is available.

We are planning to start with CCSA R71 course, followed by CCSE training. Both Provider-1 and VSX courses are also planned.

If you are interested, please contact me here before the officials channels are opened.

Stay tuned, guys, and thanks a million for your interest and support!

P.S. It seems that CCSI certification is stated as "retired" on Check Point site. Due to unofficial information, it is about to be re-launched, and the course I was attending recently is the first step in the process.

Wednesday, January 12, 2011

Check Point IPS is highly recommended by NSS Labs

NSS Labs has tested 13 different IPS appliances from 10 different vendors.

Check Point was one of them presenting new 11 Series Power-1 appliances with IPS blade. Other vendors are Cisco, IBM, Palo Alto, Juniper and others.

Although the full report can only be purchased for symbolic $1800, some results from it are available on Check Point web site.

It appears that Check Point IPS has the second highest score for effectiveness among other appliances.

This is great result, well done, Check Point.

Hopefully it will help customers to start trusting IPS technology of Check Point again, after the company scared some of them off with SmartDefense.

It is not clear who is the "Vendor A" on the diagram, but my money is on Palo Alto. What do you think?

I  was wrong, Palo Alto is vendor E here, according to their part of the report Wrong link, the report is of August 2010.

Thanks for gessing Vendor A, guys!

Tuesday, January 11, 2011

Check Point VE R71 is now available for download

Check Point releases the second VE version after R65. Now it is R71.

The important change is that both ESX Server 4.0/4.1 and ESXi Server 4.0/4.1 are now fully supported with the new version.

The VMware image can be downloaded here and takes less them 1 GB  in .tgz file.

Application control preview movie

My favorite Kellman just did it again.

Here is the short overview of new R75 Application Control feature. You may want to roll the video forward for about 1:30 to see the actual explanation. Do not do this if you like advertising and agent 007-like loud music.

Anyway, enjoy.

All the credits go to Kellman, my man, yo!

Monday, January 10, 2011

CCMA R71 prerequisites - CCMSE R71 is now required

Following my post about R71 CCMA changes, I have to say I did not manage yet to find any details about alleged simplified user experience.

Instead, I have found out CCMA R71 prerequisites have been changed. CCMSE R71 is now the prerequisite, which was not the case before. CCMSE certification was only recommended, not required, for CCMA R65. Here is the document describing the requirements, pdf only.

This is a logical step after Check Point discontinued CCSE plus certification. Yet candidates need to be aware that they will have to get one more certification before going to CCMA exams.

Check Point changes upgrade tools, silently, without documenting

You may not be aware of some major changes happening to Check Point management upgrade tools with R7x versions.

On R65 and bellow if was quite simple. You have had two different scripts in $FWDIR/bin/upgrade/tools, upgrade_export and upgrade_import.

Upgrade_export script packs your MGMT database, ICA and registry into a single .tgz file that you can import later on another HW, even on higher version of Check Point MGMT. The export files are also widely used as an alternative backup on the field. Check Point also mentions is as a backup tool in the SecureKnowledge case sk30571.

I love these tools for their flexibility and easiness, and you may too. But the strange thing is that the tools are only mentioned in upgrade guides. CLI reference guide does not mention them, same for Administration guides.

 Although Check Point recommends to use the latest upgrade tools from the target version, till R70 it did not matter. You could export your MGMT data from R55 without replacing the native upgrade tools and then import it to R65 almost without any trouble.

"Almost" here means that there are some known issues with MGMT plugins introduced with R65, but people get used to work them around.

But if you try to do the same between R65 and R75, the import will fail. You can only perform advanced upgrade between these versions if you have used R75 export tool on R65.

The reason for this is that Check Point silently replaced the utility with a new one, completely new. In fact, two utilities are replaced with a single migrate binary. To keep this issue quite there are three, not two binaries now: migrate, upgrade_export and upgrade_import. in fact they are the same. upgrade_export now just mimics migrate export command, and upgrade_import in fact performs migrate import.

The result file now looks completely different also. Instead of simple readable structure path like FWDIR or CPDIR is replaced with more generic variables. the famous .configuration file is different as well. It is the sole reason the migration files between the versions are now incompatible. The most important, this file now lies about MGMT version. Just two weeks ago I was troubleshooting migration issues and got scared hell when findind R75(!) version stamp in .configuration file made on R71.

For a moment I thought the customer has EA version of FOX.

So guys, be prepared for some surprises when doing advanced upgrades on the newest versions.

Friday, January 7, 2011

My CPUG Europe 2010 materials

In September we have had a privilege and honor to attend Check Point User Group conference in Chur, Switzerland.

I have provided there 6 technical sessions. All materials should be available on the Web, but unfortunately the organizers did not manage to upload them yet.

After getting a number of requests for these materials, I have decided to share my part with you before CPUG owners do that. That is not a sign of disrespect to Barry, but just one of the alternative ways to share the knowledge with ones who are interested.

Here are the files:

Provider-1 Troubleshooting, quick guide
DLP - how to make it right
ABRA - is the magic real?
Check Point road map
Provider-1 Licensing, quick guide
VSX Troubleshooting, quick guide

Please forgive me typos, there might be some.

Enjoy and let me know if any question.

SmartWorkflow Change Control howto movie

Hi all!

Believe it or not, there is Check Point support channel on Youtube.

They have quite interesting tutorials and howtos.

This time I would like to present you short but quite distinct SmartWorkflow howto movie. Enjoy

Thursday, January 6, 2011

R75 is out, did you hear?

I have just realized long time expected on the field R75 version is finally out. For some weird reason Check Point did not send an announcement about that. At least I and my colleagues in Dimension Data Switzerland, we did not get the letter concerning R75.

Anyway, I am downloading binaries as we speak.

You may want to know there are some interesting features coming with the release.

Two if them, Identity Awareness in the Check Point Security Gateway and Application Control Software Blade were already announced some time ago. In fact, these are two features we have heard a lot on CPX 2010. Finally we have them, hooray!

Identity Awareness is about ability to enforce user information as part of FW rules. Beware, it is not a software blade but a functionality enhancement of FW SB.

Application Control, according to the name, is the enforcement of Web 2.0 applications, such as Facebook, etc.

Both features are wanted on the field for some time, both are destined to compete with latest Palo Alto success on the corporate FW playground. I will be writing about both features, so stay tuned.

Nevertheless, the feature list is longer then just these two. We also have new integrated DLP, new Mobile Access feature of VPN blade and last but not least Multi-Domain Security Management.

Multi-Domain Security Management actually means that your Provider-1 after upgrade will be able to recognize Software Blade licensing. My customers are waiting for this for quite some time.

My view on the features will follow, stay tuned.

CCMA R71 changes

Hi all!

Unfortunately I did not manage to get any official information for the subject yet. There are some lucky individuals who have managed to pass R71 exam already, but the information is vague.

Apparently the Live virtual platform mentioned in the previous post is the way to give you remote access to CCMA lab from a local Check Point office. I am still waiting for an official comment on that.

Here are some more questions:
- What about theoretical written exam?
- Does Check Point provide online resources during the lab exam such as documentation and SecureKnowledge or these are still banned?

If you have any reliable information for the matter, please do not hesitate to let me know.