Thursday, March 30, 2017

Introducing Check Point Expert Talks - CPET

Hi all!

In my previous post I asked about your willingness to participate in live seminars around Check Point. I was surprised and humbled by your response: about 25 percent of the people who read that post took part in the survey, which is much more than I would have expected.

The most popular topics are troubleshooting, optimisation and best practices. Guess what: I have been teaching those courses for more than 10 years now.

Teaching a class, even a virtual one, takes a lot of effort and is still limited to just tens of participants. Yet tens of thousands of security professionals could benefit.

There are some public knowledge sharing resources such as and the (not so public) SecureKnowledge database. The issue with both is that most of the info there, although extremely valuable, addresses very particular and mostly limited topics. Making a big picture out of those puzzle pieces is a herculean task. One more challenge is that neither platform allows an effective conversation.

Check Point Education Services has a wide network of training partners delivering official courses such as CCSA and CCSE, but these only briefly address some of the topics mentioned.

Something has to be done about it, don't you think?

My goal is to start a new mission. It has to be affordable in terms of personal time investment, something that I could do in my free time outside of my day job. It should be public and approachable. It should be regular. It should take the form of an actual discussion, with the ability to later recap the topics covered for better understanding.

Here it is - Check Point Expert Talks - CPET

I want to start running one-hour web seminars once or twice a month, on Sundays. I am planning to record the sessions and put them somewhere participants will be able to access them later.

This is still an open idea, and there are lots of unknowns about it: platform choices for both the seminar and video hosting, particular times for the sessions, associated costs and even the amount of effort needed to spin this up.

A mission statement and information about a pilot run will follow next week. Thank you very much for your support and encouragement.

To support this blog send your donations to

Thursday, March 23, 2017

Web-based live sessions about Check Point - will you attend?

Hi all,

I am looking for new ways to share my experience and to help the community become more comfortable with different aspects of Check Point technology and products.

What would you say to a one-hour web-based (Google Hangout or similar service) video chat with shared materials and a video recording for those who missed it?

To help me do it right and address the most popular subjects, please fill in a short survey at this link:

Thanks a lot,


Wednesday, March 22, 2017

A phishing email - missed by mimecast, caught by Check Point

A friend of mine got an email from his bank one day in his corporate mailbox. From the start he knew it was a phishing email. There were several clues.

Firstly, his bank does not know his corporate email address. Secondly, the only emails the bank sends are warnings never to open any emails with attachments that claim to come from that bank. And of course, my friend got an email with an attached HTML file.

Being an IT guy, he is aware of the danger involved. Being a curious guy, he asked me to assist him in finding out who was attacking him and how. This is what we did to get to the bottom of it.

1. Email headers info

The email was sent from a private residential IP address in Spain and routed through a mail server belonging to a law firm in Santiago, Chile, most probably one with weak security settings on its SMTP server. The sender's mail address was spoofed to make the email look like it was sent from LinkedIn.

- Come on, guys, how stupid would your intended victim have to be? A bank sending messages through LinkedIn? Seriously?

My friend's company uses the Mimecast service to filter out malicious emails. It was only partially effective in this particular case: in the mail header, the service flagged the SMTP server as not trusted to belong to LinkedIn, yet the email was delivered nonetheless.

2. Attachment analysis

As mentioned, the email had a suspicious HTML file attached. The file has a couple of lines of code with an obviously obfuscated payload in it. Before trying to open it, we decided to scan it on VirusTotal. Out of 55 vendors, only McAfee had previously scanned this file and marked it malicious. That was more than suspicious, so at this point we asked the Vulnerability Research team at Check Point to assist. They kindly agreed to help.

It turns out the obfuscated code is not malware in the technical sense. Instead, it contains a phishing page with a fake dialog for collecting credit card details.

The actual link goes to a web site in Brazil, which had already been shut down by its ISP for suspicious activity.
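As an added illustration (not part of the original post), here is a small Python triage script that reproduces the two checks described above on a constructed sample message: it walks the Received: chain back to the origin, compares the relay path with the spoofed From: domain, and flags an attached HTML file that contains script. All hosts and addresses in the sample are placeholders, not the real indicators from this case.

```python
import email
import re
from email import policy

# Constructed sample modelled on the post's narrative (placeholder hosts and
# addresses, not the real indicators): a residential origin IP relayed through
# an unrelated third party's mail server, a From: spoofed to linkedin.com and
# an attached HTML file carrying an obfuscated script.
SAMPLE_EML = b"""\
Received: from mail.lawfirm.example (mail.lawfirm.example [203.0.113.10])
\tby mx.corp.example with ESMTP; Wed, 22 Mar 2017 10:00:00 +0000
Received: from [198.51.100.23] (unknown [198.51.100.23])
\tby mail.lawfirm.example with SMTP; Wed, 22 Mar 2017 09:58:00 +0000
From: "LinkedIn" <messages-noreply@linkedin.com>
To: victim@corp.example
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; name="statement.html"
Content-Disposition: attachment; filename="statement.html"

<html><script>eval(unescape('%3c%66%6f%72%6d'))</script></html>
--b1--
"""


def triage(raw: bytes) -> dict:
    """Walk the Received: chain and compare it with the claimed sender."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    # Each hop prepends its own Received: header, so the last one is the
    # origin and reversing the list gives the path in delivery order.
    hops = [re.match(r"\s*from\s+(\S+)", h).group(1)
            for h in msg.get_all("Received", [])]
    path = list(reversed(hops))
    from_domain = msg["From"].addresses[0].domain.lower()
    # A genuine LinkedIn notification would enter from LinkedIn's own
    # infrastructure; a spoofed From: has no hop on that domain.
    from_domain_in_path = any(h.lower().endswith(from_domain) for h in hops)
    # An attached HTML file containing script is the phishing-page giveaway.
    html_attachments = [
        p.get_filename() for p in msg.iter_attachments()
        if p.get_content_type() == "text/html"
        and b"<script" in p.get_payload(decode=True).lower()
    ]
    return {"origin": path[0], "path": path, "from_domain": from_domain,
            "from_domain_in_path": from_domain_in_path,
            "html_attachments": html_attachments,
            "suspicious": not from_domain_in_path or bool(html_attachments)}
```

On the sample, the origin resolves to the bracketed residential address, the From: domain never appears in the relay path, and the HTML attachment is reported, so the message is marked suspicious.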

3. How that would look with Check Point phishing protection

One important note: if my friend had been using the Check Point Anti-Phishing browser extension, even after opening the attached HTML file he could not possibly have fallen victim to this scam. Why? Because he would have seen a warning like this:

Special thanks to Oded Vanunu and Check Point Vulnerability Research team.


Thursday, March 16, 2017

PAN revenue is expected to surpass Check Point in 2017

At the beginning of the month I mentioned that despite slower growth at the end of 2016, Palo Alto Networks still poses serious competition to Check Point.

According to a new report from Cleveland Research Company (not publicly available), PAN is expected to surpass Check Point's revenue this year.

The graph below is quoted from the report. It presents relative revenues for each of the mentioned vendors, as well as some others. Although the title says "Market Share", in reality we are talking about revenues.


It is quite interesting that both PAN and Fortinet have gained quite some momentum. In the last six years both competitors have managed to increase their presence drastically while Check Point stays practically flat.

It is only my personal opinion, but it seems to me Check Point has to step up its game as soon as possible, both in marketing and in sales efforts. It looks like their time is running out quickly...


Wednesday, March 15, 2017

Azure test drive with Check Point vsec

The Azure cloud service now offers Check Point, and you can even test-drive it. The whole exercise is open for three hours free of charge.

All you get is a standalone GW+Mgmt machine plus a Windows-based GUI client and a test web server.

The pre-installed policy is autogenerated and looks quite odd. 

Azure also provides some limited testing capabilities. There are three built-in tests; two of them fail. Since there is no documentation about how and what is tested, I could not figure out whether that is expected.

IPS, Application control, Antivirus and Anti-bot are included and enabled on the gateway.

Once you stop the test drive or run out of time, the environment is disassembled in about 5 minutes.

According to the marketplace description, you will be able to manage Azure vsec from your production management server and even use your own license.

All in all, it seems to be easy to deploy and manage. Try it on your own and share your thoughts here.

Friday, March 10, 2017

Policy installation, is it taking too long?

About a month ago I was dealing with a customer's complaint about policy installation taking way too much time. It is a valid concern for many organizations, apparently. If you think your policy is taking too long to install, there are several things to consider.

How it is done

Policy installation is a bit more complex than some people think. Let's see what happens when you press the Install button in the GUI:
  1. The policy package is saved.
  2. If you have Management High Availability in place with automatic sync, MGMT HA synchronization is invoked. Your whole MGMT database is collected, zipped, transferred to the standby Management Server and then unpacked. Only when this is done (or has failed, depending on the conditions) do you go to the next step.
  3. Policy verification. Your rulebase is checked for logic errors and shadowed rules.
  4. Policy compilation. The Management Server calls a compilation process that collects the rulebase info, object descriptions, security settings for IPS and Threat Prevention, Application Control, etc., and prepares all the files needed for transfer to a Security Gateway. The files are zipped for transfer.
  5. Now the policy files are sent to the gateway through the SIC encrypted channel.
  6. The gateway receives the files and unzips them. Once done, the actual policy installation is about to begin.
  7. Finally, the GW replaces the existing security rules with the new ones from the received package. Depending on the settings, this process may include re-matching all open connections against the new policy. Once done, the GW reports success or failure to MGMT.
In summary, steps 1 to 5 happen on the Management Server. Only the last three steps happen on the Gateway side.

Why can it be slow?

There are several bottlenecks on the Management Server side: HDD access speed, RAM and CPU. All of them may slow down the many file operations and the compilation of the policy package.

For example, if the MGMT server is also doing logging, with a high volume of logs disk access will be queued, and both verification and compilation may take significantly longer than without logging. If your management CPUs are already running high (with logging, SmartLog indexing or any other CPU intensive operations), that will slow down policy installation.

If by any chance you are running a Windows based Management Server, compulsory antivirus software will slow down policy installation enormously, scanning and rescanning all the MGMT database files that are being opened, created and changed along the way.

Management HA sync adds five to ten minutes to the process. If this is your case, you may want to change the MGMT HA settings to manual sync only. The customer mentioned at the beginning of this article was using fake management server objects for logging external FWs. Every time they installed policies, the MGMT HA process tried to talk to non-existing objects, finally failing and giving up. For that customer, the main pitfall was management high availability itself.

A bigger policy takes longer to compile: more checks, more objects to touch, bigger files to create.

File transfer from MGMT to GW may take some time if the connectivity between the elements of your security system is slow.

Once the files are on the gateway, it usually takes less than a minute to install the policy. Again, the bigger the policy, the slower the installation. If your policy has more than 3000 rules, you may expect installation to take a while.

Will it be faster with R80?

Yes and no. 

For R77.x and below it will be exactly the same process as before.

With some later R80.X version (but not R80.10, apparently), we expect that the gateway will be able to receive only the delta changes of the policy package. In that case every consecutive policy push after the first one should take less time.

Want to know more?

All of the above is thoroughly discussed in my Troubleshooting course. If you are interested in it, do not hesitate to let me know. My email is varera (at) gmail. Looking forward to hearing from you.

Monday, March 6, 2017

Commence the drum roll, R80.10 is coming

According to some rumors, the R80.10 release is due in about two or three weeks. Are you excited?

I am biting my nails off, waiting to share with you something amazing about the new GW architecture. I hinted in 2015 that something interesting was coming; I cannot wait any longer.

Also, the GW release is tied to something else that is long overdue...

How is it on your side? Are you ready for R80.10? What do you expect? Will you upgrade right away? Are you planning to train your engineers, or will you just throw them in at the deep end?

Please do not hesitate to share in the comments all your thoughts, expectations, reservations, you name it. 

Friday, March 3, 2017

PANW plunged 20%, should Check Point gloat?

Two days ago Palo Alto Networks' share price experienced a sharp fall, losing about 20% of its value in a single day, following the second quarter results announcement and a warning about third quarter performance.

Some of my Check Point oriented friends would say reality is finally catching up with PAN, but I would not be that quick to judge.

Being exposed to both vendors, I can say each one has its solid pros and cons, and technology competition is not only driving sales up (or down in some cases, lol) but also works for the best of information security as a whole.

We all know that Wall Street indexes do not directly reflect the quality of the technology or even its market performance. It is all about making quick money, earnings per share in this particular case. As the FT explains, investors decided to get out of PANW because of the earnings warning.

In reality we should be more interested in market share and its growth. During the last several years Check Point revenue has grown organically with the market, plus or minus one percent, while its main competitors such as Fortinet and Palo Alto have posted double digit year over year growth numbers.

Yes, PAN growth is slowing down. It is not around 50%, as in 2015, but it is still estimated to reach more than 20% for 2017, which is 2 or 3 times bigger than the 7% to 9% growth achieved by Check Point over the last three years.

In other words, even while slowing down, Palo Alto Networks is catching up with Check Point market share.

Check Point still has a lot to do to change this tendency and start winning the market back.