Monday, July 16, 2012

Check Point announces R75.40VS - new VSX

You may already know that the long-awaited VSX with Software Blades support is finally out.

It is now called Check Point Virtual Systems. It is based on GAiA R75.40 and supports almost all Software Blades, except for the Mobile Access Portal.

There are many other interesting features, such as a physical-to-virtual conversion wizard and SNMP monitoring per VS.

Note that while it is GAiA based, clustering is ClusterXL only.

UPDATE: apparently it is not exactly OUT yet, nothing is available for download...

Tuesday, July 10, 2012

How to reset SIC for a Virtual System

On very rare occasions you may have SIC issues with a VSX-based security system. In most cases it surfaces as a communication failure for one or several Virtual Systems.

Fixing failing SIC is quite easy in the case of a physical FW: you just reset it on both the MGMT and GW side and re-initialize it from SmartDashboard.

In the case of a VS it is not that easy. You should follow the procedure explained in SK34098. But before I give you a short overview of that procedure, there are three important points to mention:

1. Do not try to reset SIC with the physical members of your VSX cluster. It will lead to even bigger problems, and will not help to restore SIC on a particular VS.
2. Follow the procedure below only if you are absolutely sure there are no communication problems, and that the local time settings on both GW and MGMT are fine. Remember, this procedure is the last resort, and if you do not follow it carefully, you may cause even more damage.
3. If anything mentioned below does not seem familiar to you, or if you have any doubt, call your support contact and ask them for help.

That said, let's fix the issue.

Step 1: Identify the ID number of the failing VS.
Step 2: Reset SIC for this VS on the GW side. To do that, run the following command:

fw vsx sic reset {VS_ID}

Step 3: Reset SIC on the MGMT side. Go to the target CMA (the one managing the problematic VS) by typing the following command on the MDS console:

mdsenv {CMA_NAME}

Identify the SIC name for the VS. To do that, run

cpca_dbutil print InternalCA | grep {Virtual_System_Name}

Note: the SK mentioned above describes an alternative way involving the ICA Management Tool Web UI. You can do that, it does not matter. I believe my way is faster.

Once you get the full SIC name, run the following command:

cpca_client revoke_cert -n CN={VS_SIC_Name}

Step 4: Recreate SIC. Open SmartDashboard on the target CMA and double-click the problematic VS. Press the OK button. At this step SIC should be re-created successfully.

You may want to install policy on this VS once all is done.
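The gateway-side and management-side steps above, wrapped in a small shell script, as an added example that is not from the original post or from Check Point. It assumes only the command names the post itself gives (fw vsx sic reset, mdsenv, cpca_dbutil, cpca_client) are on the PATH of the respective box; with DRY_RUN=1 it prints each command instead of running it, which is how you review it before touching a live VSX. Two further assumptions are mine: that the grep output from cpca_dbutil contains a "CN=..." token (the post does not show the exact line format), and that VS ID 0 is the VSX gateway's own context, i.e. the physical member that point 1 says not to touch, so the script refuses it. The sample cpca_dbutil line is constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the original post. Gateway steps run on the
# VSX member, management steps on the MDS console; DRY_RUN=1 prints instead
# of executing so the exact commands can be checked first.

# run_cmd: execute a command, or print it when DRY_RUN=1
run_cmd() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Steps 1-2 (gateway side): reset SIC for the VS with the given numeric ID.
# Refuses non-numeric IDs and ID 0 (assumed here to be the VSX gateway's
# own context, i.e. the physical member the post says not to reset).
gw_reset_sic() {
    vs_id=$1
    case "$vs_id" in
        ''|*[!0-9]*) echo "gw_reset_sic: VS ID must be numeric, got '$vs_id'" >&2; return 1 ;;
    esac
    if [ "$vs_id" -eq 0 ]; then
        echo "gw_reset_sic: refusing VS 0 (physical VSX member, see point 1)" >&2
        return 1
    fi
    run_cmd fw vsx sic reset "$vs_id"
}

# Pull the first CN=... value out of one line of cpca_dbutil output.
# Assumption: the line carries a "CN=<name>" token ending at a comma or space.
extract_sic_cn() {
    printf '%s\n' "$1" | sed -n 's/.*CN=\([^,[:space:]]*\).*/\1/p' | head -n 1
}

# Constructed sample of what the grep in step 3 might return (format assumed).
SAMPLE_CA_LINE='Subject: CN=vs_web_sic,O=mgmt.example.local.abcdef  Status: Valid'

# Step 3a (management side): enter the CMA that manages the VS.
mgmt_enter_cma() {
    run_cmd mdsenv "$1"
}

# Step 3b (management side): look up the full SIC name for the VS.
mgmt_lookup_sic_name() {
    vs_name=$1
    line=$(cpca_dbutil print InternalCA | grep "$vs_name" | head -n 1) || return 1
    extract_sic_cn "$line"
}

# Step 3c (management side): revoke the certificate for that SIC name.
mgmt_revoke_cert() {
    sic_name=$1
    [ -n "$sic_name" ] || { echo "mgmt_revoke_cert: empty SIC name" >&2; return 1; }
    run_cmd cpca_client revoke_cert -n "CN=$sic_name"
}

# Command-line entry point: 'gw <VS_ID>' on the gateway,
# 'mgmt <CMA_NAME> <VS_NAME>' on the MDS console. Step 4 (SmartDashboard)
# is a GUI step and is not scripted here.
main() {
    case "$1" in
        gw)   gw_reset_sic "$2" ;;
        mgmt) mgmt_enter_cma "$2" || return 1
              sic=$(mgmt_lookup_sic_name "$3") || return 1
              mgmt_revoke_cert "$sic" ;;
        *)    echo "usage: $0 gw <VS_ID> | mgmt <CMA_NAME> <VS_NAME>" >&2; return 1 ;;
    esac
}

if [ $# -gt 0 ]; then
    main "$@"
fi
```

Run it first with DRY_RUN=1 on each box (DRY_RUN=1 sh reset_vs_sic.sh gw 3, then DRY_RUN=1 sh reset_vs_sic.sh mgmt my_cma vs_web) and compare the printed commands against steps 2 and 3 before running it for real; the dry run cannot resolve the SIC name, since that needs the live cpca_dbutil output.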

Wednesday, July 4, 2012

CPUG Europe materials are available online

This year will be the fifth CPUG Europe Conference. We started in 2008, and each time it is great fun with lots of things to learn.

I hope to see you this year in Switzerland.

Sincerely yours,

Valeri Loukine

Monday, July 2, 2012

Firewall race - who will be a winner?

We all remember the announcement of the Check Point 61000 appliance last year.

The specs were quite impressive at the time: up to 200 Gbps throughput and 70M concurrent connections. Who could possibly need more than that?

Apparently someone does need more. Otherwise, how would you explain the latest FortiGate announcement of the updated 5000 series?

The highest model, the FortiGate-5140B, is according to its specs capable of up to 480 Gbps throughput and 132M sessions.

The question is what to expect next. Will Check Point retaliate with an even bigger box, or will someone else step into the race, like PAN, Juniper or even Cisco?

What do you think?