Thursday, August 25, 2011

Multiple issues with R71 upgrades

Hi all!

I was thinking about writing this post for some time now, hesitating to do this. I am trying to stay positive towards Check Point, but it looks I get enough of it now.

Certainly, my experiences may not be objective, especially considering I am usually dealing with complex environments and high profile customers. But here is something:

During the last year I am facing all kind of issues with R71 upgrades. Most of them are on MGMT side. This affects both simple SmartCenter servers and Multi-Domain systems. These are all kind of troubles:

  • systems cannot be upgraded in place from R65, 
  • HFA 40 cannot be applied
  • migrations fail
  • previously working migration paths become non usable
  • policies cannot be compiled or installed, etc.

It fact, during the year I have not seen a single painless R71 upgrade. It works fairly well with R70 and R75, but not with R71. That is a shame, especially considering most of the customers tend to stay on X-1 release, considering that a good practice.

Please share your R71 experience with  me. Thanks.

Monday, August 15, 2011

Multi-Domain Security and VSX training in beautiful Switzerland

Hi all!

I am planning to run a set of five days training for Multi-Domain Security Management (former Provider-1) and VSX R67. The formal course names are CCMSE and CCMSE + VSX.

The training will take place in our ATC in Lausanne this autumn (sometime in late October or mid-November). The final date will be defined a bit later.

The courses will be provided in English. We will have lots of hands on labs. There will be some extras not included in the original course, such as Multi-Domain Security Management and VSX troubleshooting and best practices.

If you are traveling, we will assist you with accommodation.

The places are limited. We do not accept more than 8 students in the class to provide the best quality training, and some sits are already taken.

To sign in, please use our ATC contact form or just send us an email. Please kindly state "CCMSE + VSX CH" in the subject.

Come over, guys, let's have some fun here.

Friday, August 12, 2011

Highest End Appliance customer presentation is now available for Partners

Check Point has posted new marketing presentation to Partners portal. This presentation is almost identical to one Gil Shwed was giving on NASDAQ opening ceremony.

Although the presentation is not marked confidential, I cannot post a link to it here, as the access to the portal is for Check Point partners only.

If you are a partner, get it by yourself. If you are not, ask your Check Point reseller to do it for you.

Wednesday, August 10, 2011

CMA migration is blocked on R71 if done on the same MDS

I have come across yet another issue with the latest migration tools on Multi-Domain management.

Once upon a time, with R6X it was possible to migrate CMAs between platforms freely, except for VSX case. You had to copy 5 directories: $FWDIR/conf, $FWDIR/database, $CPDIR/conf, $CPDIR/database and $CPDIR/registry from one place to another and then run cma_migrate script from MDG or command line.

It was working like a charm. It does not anymore.

R71 documentation is still talking about similar way of migration.  Do not be fooled. The documentation is not exactly correct.

The one and only way of migrating CMAs is described in sk60563. The described procedure works, but with limitations. The limitations are: same name and IP address of the CMA!

I had to learn this the hard way while trying to split one existing CMA for my customer.

There is no migration failure. It all finishes successfully. The fun begins when you start the new migrated CMA.

You can still see it on CLI with mdsstat command. But not in MDG. In fact, it starts showing up there, but then is removed from GUI when started. The reason for it is that in the MGMT DB of the CMA the "old" pre-migration name is used for CMA object. MDG gets confused of having two different CMAs with the same name.

More, it is quite not obvious how to remove this CMA, if you want to roll back. I have ended it with deleting the whole customer folder.

Something so simple and effective got broken with SB versions. The question is, how to fix it? I do not have an answer for the moment.

Yet another Support Call has been opened.

Will keep you posted, folks.

Wednesday, August 3, 2011

Event Analysis issue with R75.10

Hi folks!

I have just faced a bit unpleasant bug with Event Analysis on R75.10 SPLAT SmartCenter server.

One just cannot define any custom event. The process fails with the following error: "The policy refers to objects that don't exist"

Strange, especially considering event definition works flawless on plain R75, but seems to be broken after upgrade to R75.10.

Once again, I have to ask: dear Check Point, do you have any QA these days?

All, I have a support case open, will keep you posted.

Tuesday, August 2, 2011

Two super High End appliances from Check Point

For those who missed this historical event, Gil Shwed just announced two new Check Point appliances in the NASDAQ opening ceremony.

One is 21400 series, new two-U modular device with fully redundant HW and exchangeable cards.

The other one is full blown chassis based monster with up to 1 TBPS throughput -  61000 appliance.
It is looking quite familiar. If you ask me, its resemblance to Crossbeam X series hard to miss.

Now Check Point owns the full jazz starting from SOHO with SG 80 and going to the highest end imaginable with 65000.
The other interesting things announced were R75.20 with SSL inspection, well expected integration of URL filtering and Application Control and my favorite: new SecurityPower calculator to choose the best appliance for your need.

Well done, Gil! I am positively interested.