Tuesday, August 27, 2013

Come to Munich to talk about Check Point

It is not too late to attend the most open and interesting technical discussion of the year - Check Point User Group conference in Munich. We have the best experts and we have beers, what could be a better combination?

Check the agenda, consider to stay two more days for custom training.

See you there, guys.

Tuesday, August 20, 2013

How to read some of Check Price licensing instructions (not a happy post)

Here is a logics exercise. Read the following quote from the Check Point licensing instruction:

"Starting from the 4800 model and above, each appliance running R75.40VS, R76 includes a total of 2 Virtual Systems (all SW Blades available on the GW are automatically supported on the free VS)"

Now, tell me, how many Virtual Systems can one run on a cluster of middle and high end appliances with the default, non VSX, licensing, according to Check Point?

Two, right?

Wrong. You can easily test it by yourself. Convert your physical cluster of R75.40VS or R76 to a VSX cluster. Once done, you will have your firewall converted to a Virtual System. That is VS number one. Now, try to add another VS. No, you cannot.

Why? Because there is only a single VS licensed, according to vsx stat:

Number of Virtual Systems allowed by license:     1

But where is the second one we should have? Where is our freebee FW?

Well, it was all just an illusion, according to a very recent Check Point SecureKnowledge case number 93415. Here is the quote from it (original orthography used): "the answer is that it comes with an initial gateway +1. so in the bottom line initial 2 vs license only covers VS0 and VS1."

Let me translate this for you from Checkpoint-ish. In plain English, that means you only have one VS licensed (VS1). VS0 is representing your physical cluster environment. After conversion to VSX it cannot route traffic anymore.

I wonder, how many customers have already misunderstood the quoted price list statement? R75.40VS is out for a year, and this confusion must be one year old. Then again, the mentioned SecureKnowledge case is only about two weeks old.

21.08.2013 - Update:

Peter Sandkuill, Check Point SE manager network security for Europe, was kind to reply to  this article. I am quoting his email:

"In the latest versions, starting R75.40vs, we consider VS0 to be the first virtual system. We can debate whether you want to use that exclusively for management (as a best practice) or deploy it as a full-fledged VS that runs just like other VS’s and happens to also accept management traffic as one of its interfaces is the management interface. If you convert a gateway all regular gateway interfaces become a member of VS0. This will route traffic just fine. Only if you decide to remove all interfaces and leave only a single one for management would it no longer route, as you would expect.
Especially when designing virtualization in smaller environments this is a compromise I have seen customers willing to make.

For the licensing part, VS0 is the licensed system. You get VS1 for free. Also note that when adding an additional VS package you lose that free VS. In example in a (to VSX) converted gateway you could have 2 * VS. VS0 and VS1. Adding a VS-10 package will give you a grand total of 11 * VS. VS0 and 10 additional ones."

Monday, August 12, 2013

Smart-1 upgrade to R75.40VS fails miserably with grub corruption and other issues

It is the second day on the row we are trying to upgrade two Smart-1 25 appliances from R75.10 to R75.40VS.

On the first trial we were doing SPLAT WebUI based upgrade. It has failed because of corruption of grab.conf that would not allow the machine to boot normally. Symptoms and solution are described in SK66029.

System was not bootable even after reverting to the original image of R75.10, so we have had to apply the solution anyway.

Hoping Gaia would be better, we have tried it now. Guess what? The machine is in a loop: booting and restoring image all the time.

grub.conf seems to be OK, but the system is no longer operational.

Hello, Check Point, any QA these days? We know the upgrade works on VMs, but what about testing your own alliance lines?

Friday, August 2, 2013

Personal invitation to Check Point Best Practices course

I will be teaching two days of Check Point Best Practices course in Munich as part of extended CPUG gathering.

I would like to use this opportunity to invite you to my class. We will be covering the following topics:

  • Disaster recovery, backup techniques and tricks around them
  • Upgrades and migrations done right
  • Design of Check Point security systems
  • Unknown and undocumented tools
  • SPLAT and GAIA tricks

The course was originally started as a series of internal trainings for my colleagues. In the last several years it evolved into by far most popular training in my portfolio. Come and see why.

You can register to the course on CPUGcon registration page.

Thanks a lot for your interest.