Wednesday, June 27, 2012

Performance analysis for Check Point firewalls

Lately I have come across a brilliant SK article about performance analysis in a Check Point environment, sk33781.

The article thoroughly discusses various indicators and parameters of the FW configuration:

  • RAM and Kernel memory
  • CPU usage
  • SW and HW interrupts
  • sim affinity
  • FW connection table
  • NIC configuration and driver's settings

I am planning to use it as a reference in my Performance Optimization training.

Take a look, you may find it very useful. Mind you need a User Center account to access the case.

Tuesday, June 26, 2012

Safari is not supported with Check Point client authentication

Have you ever tried to use Client Authentication through the Safari browser? I have, and it does not work. Well, sometimes it does. There are even some SecureKnowledge cases about it, like sk40327.

But with one of my customers, using VSX and SSL encryption instead of plain HTTP, you could authenticate through any browser but Safari. The issue was platform independent: iPad, Mac or even Windows, Safari could not authenticate, period.

A user gets the initial auth page and types in a username, but instead of a password prompt one gets an empty error page.

I have opened a support case, and guess what? Here is the official answer, quoted from my support case:

"...after consulting with R&D, I can officially assure you that using Safari on client authentication with VSX R67 version is not supported.

The only officially supported browser when using client authentication is Internet Explorer.
This statement is relevant for all Check Point versions."

Cool, right?

That said, I expect Check Point to make this statement publicly available as a new SK and/or part of the Release Notes.

Friday, June 22, 2012

DDOS Protector - details are public now

Check Point has finally published details about the newest DDOS Protector appliances I was mentioning earlier.

There are 7 different models available.

As Check Point describes, DDoS Protector is capable of stopping today's advanced DDoS attacks including:

  • Vulnerability-based attacks that exploit server application weaknesses including Web, Mail, DNS, FTP, SIP, SQL server vulnerabilities
  • Non-vulnerability-based attacks that misuse server resources, such as
    • Application DoS – HTTP, SIP, and other flood attacks
    • Authentication defeat – brute force attacks
    • Information theft – application scanning
  • DoS/DDoS flood attacks that misuse network bandwidth resources
  • Rapid response and real-time update of custom filters to protect against emerging attacks

The Press Release and Data Sheet for the appliances are available on the product page.

Monday, June 18, 2012

ClusterXL: Sync on VLAN interfaces

We all know the Sync network in a cluster configuration should be isolated from the rest of the production networks, or, as Check Point calls it in the documentation, "secured". The reason is that sync interfaces have no security policy enforced and can be used to penetrate your FW cluster.

Nevertheless, sometimes you have to do Sync over a VLAN interface instead of a physical NIC.

If you do so, you should bear in mind sk34574. As described there, ClusterXL requires the Sync interface to use the lowest VLAN tag.

For example, if you are using eth1.10, eth1.20 and eth1.30, you can only configure eth1.10 for cluster synchronization.

In case you did it wrong, cphaprob -a if will report the following:
Warning: Sync will not function since there aren't any sync(secured) interfaces

In this case it is not enough to re-configure the VLANs and re-push the policy. If you picked the wrong interface first, you will have to re-initialize ClusterXL on your physical machines. To do that, go to cpconfig and remove clustering, then start it again from there. Reboots are required.
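As an added example (not from the post, nor Check Point's own tooling), here is a small POSIX shell pre-check that, given the VLAN sub-interface names on a gateway, tells whether the chosen Sync interface carries the lowest tag on its parent NIC, and that spots the cphaprob warning quoted above. The function names and the interface list are constructed for the example; on a real box you would feed it the names from the interface list yourself.

```shell
#!/bin/sh
# Added example: validate the "lowest VLAN tag for Sync" rule from sk34574
# before pushing policy, so you do not end up re-initializing ClusterXL.

# lowest_vlan_tag PARENT IFACE...  -> prints the lowest numeric VLAN tag
# among the sub-interfaces of PARENT (e.g. eth1.10 eth1.20 -> 10).
lowest_vlan_tag() {
  parent="$1"; shift
  lowest=""
  for ifc in "$@"; do
    case "$ifc" in
      "$parent".*) ;;        # only sub-interfaces of this parent
      *) continue ;;
    esac
    tag="${ifc#"$parent".}"
    case "$tag" in
      ''|*[!0-9]*) continue ;;  # skip aliases such as eth1.10:1
    esac
    if [ -z "$lowest" ] || [ "$tag" -lt "$lowest" ]; then
      lowest="$tag"
    fi
  done
  [ -n "$lowest" ] && printf '%s\n' "$lowest"
}

# sync_vlan_ok SYNC_IFACE IFACE...  -> exit 0 if SYNC_IFACE has the lowest
# VLAN tag on its parent NIC, 1 otherwise.
sync_vlan_ok() {
  sync="$1"; shift
  parent="${sync%.*}"
  tag="${sync##*.}"
  lowest="$(lowest_vlan_tag "$parent" "$@")"
  [ -n "$lowest" ] && [ "$tag" -eq "$lowest" ]
}

# has_sync_warning TEXT -> exit 0 if TEXT (e.g. saved `cphaprob -a if`
# output) contains the "Sync will not function" warning.
has_sync_warning() {
  printf '%s\n' "$1" | grep -q 'Sync will not function'
}

# Constructed sample input, not real gateway output.
SAMPLE_IFACES="eth1.10 eth1.20 eth1.30 eth2.5"
for candidate in eth1.10 eth1.20; do
  if sync_vlan_ok "$candidate" $SAMPLE_IFACES; then
    echo "$candidate: OK as Sync (lowest tag on its NIC)"
  else
    echo "$candidate: NOT the lowest tag on its NIC, do not use for Sync"
  fi
done
```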

Thursday, June 14, 2012

Check Point to launch DDOS Protector

Check Point is holding a partner session as we speak, where it introduces DDOS Protector, a hardware-based product not available in software form.

The press release is to be sent out soon.

Wednesday, June 13, 2012

Official upgrade matrix for Check Point products

As you may know, navigating between the major and minor versions of Check Point products is not easy. Many of us, myself included, are using these maps, courtesy of Patrick Waters.

Although Patrick's maps are great, they are not official and a bit outdated, considering the author parted ways with Check Point in 2011.

If you are looking for an official upgrade matrix, there is a better resource in the UserCenter. Please mind it is available for download to registered users only.

Good luck with your upgrades.