Appliance hardware – Updated 08. May 2012

Here is a short list of the hardware used in Check Point appliances. The numbers show SPU and the maximum throughput for firewall, VPN and IPS traffic according to Check Point.

Check Point 2012 Appliance series

Modell	SPU	FW	VPN	IPS	CPU	RAM
21400	2003	50	7	21	2x Intel Xeon E5645 2.40GHz (Six-Core)	6
12600	1861	30	7	17	2x Intel Xeon E5645 2.40GHz (Six-Core)	?
12200	738	15	2.5	8	Intel Core i5 750 2.67GHz (QuadCore)	4
4800	623	11	2	6	Intel Core2 Quad CPU Q9400 2.66GHz	4
4600	374	9	1.5	4	Pentium Dual-Core E6500 2.93GHz	4
4200	114	3	0.4	2	Intel Atom D525 1.80GHz Dual-Core	4
2200	114	3	0.4	2	Intel Atom D525 1.80GHz Dual-Core	2

Check Point Power-1 Appliance series

Modell	SPU	FW	VPN	IPS	CPU	RAM
11075	up to 1222	20	4	12	2x Intel Xeon E5530 2.40GHz(QC)	6
9075	1006	16	3.7	10	2x Intel Xeon E5410 2.33GHz (QC)	4
5075	596	9	2.4	7.5	Intel Xeon E5410 2.33GHz (QC)	2

Check Point UTM-1 Appliance series

Modell	SPU	FW	VPN	IPS	CPU	RAM
3070	298	4.5	1.1	4	Intel Core2 Duo E6400 2.13GHz	3
2070	101	3.5	0.45	2.7	Intel Celeron 440 2.00GHz	2
1070	101	3	0.35	2.2	Intel Celeron M 1.5 GHz	1
570	101	2.5	0.3	1.7	Intel Celeron M 1.5 GHz	1
270	50	1.5	0.12	1	Intel Celeron M 600 MHz	1
130	50	1.5	0.12	1	Intel Celeron M 600 MHz	1

Check Point Smart-1 Appliance series

Modell	CPU	RAM	HDD
Smart-1 5	Intel Celeron M 1.50GHz	2	500 GB
Smart-1 50	Intel Xeon E5410 2.33GHz (DualCore)	4	2 TB

Old Appliances

Smart-1 25

Intel Core2 Duo T7400 2.16GHz
3 GB RAM
4x 500 GB SATA HDD in RAID 10

UTM-1 2050

Intel Pentium 4 3.4 GHz
2 GB RAM
80 GB ATA HDD
Firewall Throughput (R65): 2.4 Gbps
VPN Throughput: (R65) 380 Mbps

UTM-1 450

Intel Celeron M 1.5 GHz
1 GB RAM
80 GB ATA HDD
Firewall Throughput (R65): 400 Mbps
VPN Throughput: (R65) 200 Mbps

The details can be determined from the command line.

For the CPU details use cat /proc/cpuinfo, for the RAM details use cat /proc/meminfo.

If you have more details on appliances, feel free to send them to tobias@lachmann.org

All other values are taken from official Check Point materials.

If you take the appliance hardware together with the throughput stated by Check Point, it might give you an idea how your OpenServer hardware will perform in comparison.

Thanks to all the contributors for their info!

Tobias Lachmann

RSS feed for this blog

I was asked a couple of times to provide a RSS feed for this blog.

The feed was available all the time, just access http://blog.lachmann.org/?feed=rss

Tobias Lachmann

Passed my CCSA R75 exam

…….. I really don’t know what to think about the CCSA R75 exam I passed right now.

I’m working with Check Point products since 2001 and I was certified ever since, highest certification was CCSE+.

I installed, updated, migrated and configured a lot of different systems from 4.1 to R75.30.

I’d like to think that I have quite some knowledge about Check Point products….. but why wasn’t I able to score only 80% in CCSA exam, the first and easiest one?

It’s kind of frustrating……

Tobias Lachmann

GAIA – Configuring EA Take 5

After we finished installation, it is time to configure the system over the WebUI using the First Time Configuration Wizard.

Step 1 – Login

Here we use the passwort defined during installation instead of “admin/admin” as in old installations.

Step 2 – Welcome Screen

Step 3 – Configure Date and Time

Step 4 – Device Name and DNS

Step 5 – Network Connection

Note that you can configure a DHCP Server for this interface to serve the clients

Step 6 – Product Selection

Here you can choose wether to do a standalone installation with gateway and management on the same machine, or a distributed installation. When your system is a security gateway and part of a cluster, you can choose wether to use ClusterXL for clustering or have a VRRP cluster. The later is a feature that Check Point took from the IPSO.

If you install a security management, you can choose if this a primary or secondary server – or a Log Server / SmartEvent Server.

Step 7 – Create a cpconfig_administrator for use in SmartConsole

Step 8 – Define the IP addresses of GUI clients

Step 9 – Review and Finish

Step 10 – Installation and configuration

I like that at this point the system gives you feedback what kind of action it is performing at the moment and what the progress is.

Step 11 – Configuration is finished

On this point you setup your system, in our case a Security Management server.

Now we can install SmartConsole and login to the server.

Tobias Lachmann

CCSA R75 practice exam available

For all of you who want to certify or re-certify as CCSA R75, there is great news.

Check Point published a CCSA R75 pratice exam for you to train for the VUE exam.

The question pool is nearly 40 questions and you will have to answer 20 within the practice exam.

The real VUE exam has 100 question that have to be answered in 100 minutes, so much more information here.

But I recommend the practice test to everyone to get used to the way Check Point asks the questions.

Tobias Lachmann

GAIA – Installing EA Take 5 on VMware ESX

I want to share with you my experiences on the Early Availability version of GAIA, the new Check Point operating system.

Besides some upgrade testing I did a new installation in a virtual machine on a VMware ESX server.

Step 1 – Welcome screen

Step 2 – Hardware Scan Details

Please note that GAIA recognizes that it is running on VMware and will automatically installed the VMware tools!

Step 3 – Keyboard selection

Step 4 – Disk information

The installer detected my disks and is automatically creating a software RAID 1 out of it. Very nice. If you want to use a hardware RAID instead, you have to leave the installer at this point, configure your hardware RAID and start over again. Then the hardware RAID will be presented to the installer as one single drive.

Step 5 – Partitipons Configuration

We waited so long for that kind of feature! Especially working with UTM-1 appliance led to problems during software upgrades when some partitions where heaviley used. I wrote some articles about this in my blog on how to enlarge partitions to solve the problems while upgrading. Good that we can now change/correct the partition layout.

Step 6 – Passwort for “admin” account

In SPLAT you had the pre-defined account “admin” with the password “admin” when the installation was done. Change of password had to be done while using the first time configuration wizard over the WebUI. From a security perspective this approach is much better.

Step 7 – Management Interface

Step 8 – Confirmation before formatting and installing

Step 9 to 12 – Formatting and installing

You’re done!

First boot into GAIA

Please note that you can boot into 32 bit mode and also 64 bit mode.

Starting the system – now whith “colored” progress bar

Console login screen

The system doesn’t reveal any longer the version information and IP address and port for management access. Instead you can disply a banner, like in this screenshot

After logging into the system with the password defined in step 6 you will get the message that the configuration has to be done through the First Time Wizard in WebUI.

That’s it for installing GAIA EA take 5. Quite nice. Quite easy. Lot’s of changes under the hood and a really good approach.

Tobias Lachmann

Come to the dark side – we have cookies!

Recently Palo Alto approached me with a job offer.

I replied that I’m a guy with deep knowledge in Check Point products.

The reply was: “We don’t hold this against you.” which proofs that they have humor.

But I decided not to go to the dark side

Tobias Lachmann

Reset CA certificate for HTTPS inspection

With the introduction of R75.20 Check Points offers HTTPS inspection for different blades, namely DLP, IPS, Application control, URL Filtering and AntiVirus.

Once you created a CA certificate on a gateway for HTTPS inspection, there is no way to remove or renew this certificate.

But maybe you chose the wrong name for the CA certificate or you’d like to change the date where the cert is valid or just start the configuration process all over again.

Then you can delete the CA certificate following these steps.

1. Open GUIDBedit and connect to your Security Management

2. Locate the table for ssl_inspection

3. Choose the object general_confs_obj

4. Go to the field ssl_cert_ref. The value in this field points to a certificate in the table ssl_certificates

5. Empty the values ssl_cert_ref and ssl_cert_key by right-clicking on the value field and select reset.

6. Save and exit GUIDBedit

7. Connect to the Security Management with SmartDashboard and start with your new configuration.

Please note that this is not an official way documented by Check Point, so use at your own risk

Tobias Lachmann

CPX 2012 in Berlin

Check Point announced the place and time for the EMEA Check Point Experience 2012, which is Berlin from 30-31 of May.

Check out the CPX website!

The agenda shows three session for GAIA so that I think we’ll have GAIA released before or right at the date of the CPX in Orlando, which is 17-18 April.

It is really nice to have CPX in Germany again. If I recall it correctly the last one was 2007 in Munich.

Hotel is already booked and I got one of the last rooms in the conference hotel. Very comfortable.

Hope to see lot’s of you guys there and have some nice get-together.

Tobias Lachmann

GAIA early availability take 4

Today I received an E-Mail with the download links for the GAIA early availability packages.

It took Check Point over two weeks to check my “application” for the EA program.

I wonder how the select the ones who will get access to this program.

Still pissed that I had to wait until this day to get hands on GAIA.

Tobias Lachmann

PS.: my friend Valeri Loukine has a review on the GAIA EA in his blog

Early Availability for Endpoint Security VPN for Mac

Check Point opened the early availability program for Endpoint Security VPN for Mac.

You can apply over the UserCenter and choose Early Availability under My Products.

The new client supports MacOS 10.6 (Snow Leopard) and 10.7 (Lion) in 32 and 64 bit.

Tobias Lachmann

Thumbs up for Endpoint Security E80.30

For whatever reason I forgot to share my experience about the latest installation of Endpoint Security E80.30 with you.

Our customer had 750 seats and wanted to deploy mainly Anti-Malware blades, along with some VPN blades.

The longest part in setting up the Endpoint Security Management server was the installation of the operating system. The Endpoint part itself was taking only about 1 and a half hours.

After about 4 hours we had the system up and running and started to deploy clients!

I think this is a brillant example on how much the Endpoint management has improved with E80.x.

We make some use of a newly introduced feature called Virtual Groups. In environments when you have to deal with clients that are not part of any directory, you had to define IP addresses or ranges for them. Now you can group single objects from different locations into one virtual group and apply a policy to them. Very handy and easy to use.

Only some things need to be improved in future versions:
- limit the CPU usage of Anti-Malware blade while doing a system scan
- limit the bandwidth of the Endpoint management while distributing new packages to the clients
- setup proper E-Mail notification on various events in a readable format instead of using sk65437

Tobias Lachmann

Cool performance report for your Security Gateway

I already wrote a post about this fantastic Performance Evaluation Utilitiy provided by Check Point.

Now they added a bonus on top of this tool to encourage people to send in their actual gateway data.

You will get a report in PDF format that show deep insides of your gateways performance. For example not only the average throughput but the high average throughput where they take any numbers above the average into account. This will show you how your gateway performs when it is actively processing traffic.

Check Point Performance Evaluation Utility Sample Report

Check Point Performance Evaluation Utility Example Report

Please take a look at the Check Point Performance Evaluation Utility Example Report.

Everyone who can provide data should do so to improve the Check Point database from real world installations. I think that all Check Point users will benefit from this and we will see improvements in sizing recommendations and future releases.

Tobias Lachmann

Registration for GAIA Early Availability is open

Check Point opened the registration for the GAIA public EA.

No actual information can be found on the pages as for now, but will be provided when the binaries are available in a few weeks.

Tobias Lachmann

Install on London Gateways?

There is an interesting bug in the Check Point Smart Dashboard.
Normaly the implied rules are not displayed, but you can enable the view.

What we can see now is that for three rules with have the entry London Gateways in the Install On column. Click on the picture to enlarge it.

I wonder if this is just a bug while displaying the implied rules or if there’s an error in the implied rules and their enforcement itself.

Until now I couldn’t find an answer to that question, maybe someone of you has any information about that?

Tobias Lachmann

Check Point Performance Evaluation Utility released

Check Point released a Performance Evaluation Utility for their appliances.

Purpose of this utility is to gather information about CPU and memory consumption, throughput etc. in combination with your appliance model and the activated blades.

This information is analyzed by Check Point and used for the Appliance Selection Tool and other projects where they need to verify their assumptions about real world appliance behaviour against actual live environments.

If something suspicious is found, they will contact you and give you feedback about their findings.

Also, if you’re just curious about how your appliances is doing throughout a normal day, run this script and check the summary. If necessary you can dig into the raw data for troubleshooting.

Output looks like this:

Measured Data ============= * Maximum gateway throughput: 785.340831 Mbps * Maximum packet rate: 79343 Packets/sec * Maximum CPU: 99% * Maximum CPU core #0: 100% * Maximum kernel CPU: 45% * Maximum kernel CPU core #0: 45% Number of unique IPs behind gateway: 85 Maximum concurrent connections: 1000 Maximum memory utilization: 1240 MB Accelerated packets: 100.00% VPN traffic: 0.08% Detected interface packet drops: no Detected install policy: no ===================================

I like this tool very much and there has been enormous improvement since the first versions.

I would like to encourage all readers of this blog to download this script, run it on all available appliances and send the data back to Check Point. This will help them to make products better and performance numbers more accurate.

Tobias Lachmann

GAIA rumor

I heard a rumor that GAIA will be delivered along with R75.40 release.

Since R75.30 came out recently, we’re very close to GAIA.

Will be interesting to see what GAIA really brings us. Personally I expect SPLAT base, hopefully 64bit, with recent Linux kernel but with CLISH command line interface. Would mean that I have to learn quite a bunch of new things

Tobias Lachmann

Update to Problems with SCP and Secure Platform while copying large files

OK, I stumbled about a known issue. We have sk66195 and sk45048 for this. Sadly these entries are only visible if you have Expert access or higher. I wonder why Check Point hides this info for normal users.

Here’s they explanation from Check Point why they use such an old version of OpenSSSH: “In order to keep SecurePlatform secure, an older build of OpenSSH is used that does not have dependencies to packages not included in SecurePlatform.”

You have to contact Support to get a fixed version of OpenSSH. At the moment they have a fix for R71.30 through R75.40 which will be also included in GAIA. The package version numbers differ slightly. Old: openssh-server-3.6.1p2-33.30.39cp. New: openssh-server-3.6.1p2-33.30.976075001cp.

As a work around, if you can’t or won’t install the package, you can use the old version 4.1.9 of WinSCP from 2009.

Tobias Lachmann

Problems with SCP and Secure Platform while copying large files

Today I stumbled about a problem with file transfer from or to a Secure Platform system using SCP.

I tried to copy a large backup file from the system, which failed.

C:\Program Files\Putty>pscp -v -scp -l tlachmann 10.1.1.1:/var/CPbackup/backups/backup.tgz . Looking up host "10.1.1.1" Connecting to 10.1.1.1 port 22 Server version: SSH-2.0-OpenSSH_3.6.1p2 Using SSH protocol version 2 We claim version: SSH-2.0-PuTTY_Release_0.61 Doing Diffie-Hellman group exchange Doing Diffie-Hellman key exchange with hash SHA-1 Host key fingerprint is: ssh-rsa 1024 5d:05:8a:64:7c:2f:ed:1d:f3:6b:aa:bb:cc:dd:ee:fb Initialised AES-256 CBC client->server encryption Initialised HMAC-SHA1 client->server MAC algorithm Initialised AES-256 CBC server->client encryption Initialised HMAC-SHA1 server->client MAC algorithm Using username "tlachmann". Keyboard-interactive authentication refused tlachmann@10.1.1.1's password: Sent password Access granted Opened channel for session Started a shell/command Using SCP1 Connected to 10.1.1.1 Sending file modes: C0644 1277213515 backup.tgz backup.tgz | 32 kB | 32.0 kB/s | ETA: 10:49:36 | 0% Server unexpectedly closed network connection Fatal: Server unexpectedly closed network connection

On the SPLAT machine there was the following message under /var/log/secure

Jan 26 10:02:53 fwm sshd[13480]: Accepted password for tlachmann from 10.1.1.2 port 4845 ssh2 Jan 26 10:03:05 fwm sshd[13480]: fatal: buffer_append_space: alloc 10518528 not supported Jan 26 10:08:07 fwm sshd[13515]: Did not receive identification string from 10.1.1.2 Jan 26 10:12:22 fwm sshd[13526]: Accepted password for tlachmann from 10.1.1.2 port 4926 ssh2 Jan 26 10:12:23 fwm sshd[13526]: fatal: buffer_append_space: alloc 10498048 not supported

Seems that this is an OpenSSH error described here.

The entry describes that this is “Fixed in openssh-3.9p1-8.RHEL4.18″

On SPLAT we have older OpenSSH packages:

[Expert@fwm]# rpm -qa | grep openssh openssh-3.6.1p2-33.30.39cp openssh-server-3.6.1p2-33.30.39cp

Even R75.30 has this old package, so I opened a SR with Check Point. Will be interesting do see what they write back.

I’ll keep you informed.

Tobias Lachmann

Release of R75.30

Check Point released R75.30 recently for updating R75.20.

This release doesn’t introduce new features but solves a lot of bugs and known limitations. This page gives you an overview about this release.

The Release Notes can be found here, please take also note of the Resolved Issues and Known Limitations.

Tobias Lachmann

Nearly 90.000 visits of this blog

Folks, I just looked over the stats for this blog.

It reached nearly 90.000 visits since the beginning!

Thank you all for reading my posts and making this blog a success.

Tobias Lachmann

Appliance hardware – request for help

Over one and a half year ago I posted the updated appliance hardware list.

From the feedback I got so far I know that customers and security engineers from partners love this list because it gives them the ability to do a better sizing for OpenServer hardware – just by comparing their throughput needs to the appropriate appliance and the hardware inside it.

And I also know from some comments at CPX that Check Point doesn’t like my list. They don’t want us to talk about hardware inside the appliances because the may seem to small and out of date.

Also, Check Point now changes from “what is the maximum throughput” to “how much power is needed for a special purpose, blade combination and desired throughput” with their Security Power measurement.

This is a very good approach and I can assure you that Check Point is putting enormous effort into the upcoming Appliance Selection Tool (AST) to make it accurate and based on real world experience as I contributed some appliance data myself and discussed it with them.

But still – I think we should update the appliance hardware list since there are so many new appliances out there.

For that I need your help!

The details can be determined from the command line: for the CPU details use cat /proc/cpuinfo, for the RAM details use cat /proc/meminfo.

If you have more details on appliances, feel free to send them to tobias@lachmann.org

What I know so far is that every new appliance from the 2012 series is supposed to have at least 2GB of memory and a Dual-Core CPU.

Please submit data from your own appliances to this list.

Tobias Lachmann

Check Point leads the new Garnter Magic Quadrant for Enterprise Network Firewalls

This december a new Magic Quadrant on Enterprise Network Firewalls was released by Gartner Group.

Check Point is clearly in the lead, followed by Palo Alto. These two are the only companies in the leader quadrant. All others are challengers (Fortinet, Cisco, Juniper, McAfee) or niche players.

It is interesting to see how the market changed and that the competitors are loosing ground.

Tobias Lachmann

Check Point forbidden characters and reserved words

When you create objects in your SmartDashboard just should avoid using some special characters or reserved words.

Check Point has an article about this in the Knowledge Base.

I put the info from this article into a cheat sheet for you.

Check Point reserved words and forbidden character

Tobias Lachmann

No support cost for appliance slide rails

In a previous post I was talking about the fact that the Check Point quote tools charged a yearly 10% support cost for the new slide rail kit for appliances.

Check Point now reported back to me that this was an error and that they changed all their tools accordingly.

I can quote them on the following:

"Our policy is to charge support only for electronic components that may require assistance in case of failure break. We changed our tools accordingly and now we will not charge for support for the rails" Ofer Or, Product Manager at Check Point

Check Point, thanks for listening.

Tobias Lachmann

Installing a Check Point appliance from USB flash drive

The Check Point appliances come pre-installed with 1-2 SPLAT images for the current and some older release. If you have a new appliance with R75.20 you will also get R71.30 as well.

Normaly the “reset to factory defaults” mechanism work pretty well. If an appliance is screwed up you can restore an image stored on the machine.

For some reasons you may want to install an appliance from scratch which can be done using an external USB DVD drive connected to the appliance. You can boot from this device into an installer and re-image the whole machine.

But working with an external drive is not sufficient in all situations and handling can be complicated.

USB flash drives are quite easy to handle and don’t consume that much space in the technical engineers bag.

Since the days of appliances with NGX R65 with Messaging Security there was a sk article which described how to create a bootable USB flash drive either for NGX R65 or NGX R65 w/ MS fresh installation.

Sadly this was somewhat complicated and you had to have in mind a couple of things.

During the release of R70 I tried to build a bootable USB flash drive using some tools available. Namely I used a tool provided by HP for making USB flash drives bootable in combination with ISO files, but without success.

Then I stumpled about Unetbootin which is a nice tool to create bootable devices. Comes with a variety of pre-configured Linux distributions and is also to use ISO files.

What is does when working with ISO files is to extract the boot sequence from the ISO and use it for the flash drive. Then everything from the ISO is extracted to the drive.

Works for Linux distributions on my PC but not for a SPLAT ISO in combination with an UTM-1 appliance.

But now Check Point released a very cool new tool called ISOmorphic which makes bootable flash drives for the appliances from the ISO images provided by Check Point.

With an USB flash drive created by ISOmorphic I was able to boot an UTM-1 appliance directly without the need to make any changes.

From now on I will use this sweet new tool to pre-load my new appliances with the latest software image instead of upgrading older ones or upgrading with DVD drives.

Tobias Lachmann

OIDs for Check Point SNMP system monitoring

When you have configured SNMP and Check Point SNMP Extensions on your systems, you can start with system monitoring.

For Nagios we have some plugins available and other vendors also have pre-installed checks for Check Point equipment build into their products.

If you don’t want to use extra plugins you may use the check_snmp plugin command that is delivered with Nagios.

SVN Status
/usr/lib/nagios/plugins/check_snmp -H $HOSTADDRESS$ -C $ARG1" -o 1.3.6.1.4.1.2620.1.6.102.0 -s "\"OK\"" -l "SVN Status"

Security Gateway Policy Status
/usr/lib/nagios/plugins/check_snmp -H $HOSTADDRESS$ -C $ARG1$ -o 1.3.6.1.4.1.2620.1.1.1.0 -s "\"Installed\"" -l "Security Gateway Policy Status"

Security Gateway High Availability Status
/usr/lib/nagios/plugins/check_snmp -H $HOSTADDRESS$ -C $ARG1$ -o 1.3.6.1.4.1.2620.1.5.102.0 -s "\"OK\"" -l "Security Gateway High Availability Status"

Security Gateway High Availability Modus
/usr/lib/nagios/plugins/check_snmp -H $HOSTADDRESS$ -C $ARG1$ -o 1.3.6.1.4.1.2620.1.5.6.0 -s "\"active\"" -l "Security Gateway High Availability Modus"

Security Gateway High Availability Modus
/usr/lib/nagios/plugins/check_snmp -H $HOSTADDRESS$ -C $ARG1$ -o 1.3.6.1.4.1.2620.1.5.6.0 -s "\"passive\"" -l "Security Gateway High Availability Modus"

Security Management Status
/usr/lib/nagios/plugins/check_snmp -H $HOSTADDRESS$ -C $ARG1$ -o 1.3.6.1.4.1.2620.1.7.102.0 -s "\"OK\"" -l "Security Management Status"

Security Management Modus
/usr/lib/nagios/plugins/check_snmp -H $HOSTADDRESS$ -C $ARG1$ -o 1.3.6.1.4.1.2620.1.7.5.0 -s "\"active\"" -l "Security Management Modus"

If your monitoring system is using just simple SNMP queries, here are some OIDs to check for.

SVN Status – to be checked on every system

snmpget.exe -v 2c -c public 10.10.10.10 1.3.6.1.4.1.2620.1.6.102.0 SNMPv2-SMI::enterprises.2620.1.6.102.0 = STRING: "OK" SNMPv2-SMI::enterprises.2620.1.6.102.0 = STRING: "Problem"

Security Gateway Policy Status

snmpget.exe -v 2c -c public 10.10.10.10 1.3.6.1.4.1.2620.1.1.1.0 SNMPv2-SMI::enterprises.2620.1.1.1.0 = STRING: "Installed"

Security Gateway HA Status

snmpget.exe -v 2c -c public 10.10.10.10 1.3.6.1.4.1.2620.1.5.102.0 SNMPv2-SMI::enterprises.2620.1.5.102.0 = STRING: "OK"

Security Gateway High Availability Mode

snmpget.exe -v 2c -c public 10.10.10.10 1.3.6.1.4.1.2620.1.5.6.0 SNMPv2-SMI::enterprises.2620.1.5.6.0 = STRING: "active" SNMPv2-SMI::enterprises.2620.1.5.6.0 = STRING: "standby"

Security Management Status

snmpget.exe -v 2c -c public 10.10.10.10 1.3.6.1.4.1.2620.1.7.102.0 SNMPv2-SMI::enterprises.2620.1.7.102.0 = STRING: "OK" SNMPv2-SMI::enterprises.2620.1.7.102.0 = STRING: "Problem"

Security Management Mode

snmpget.exe -v 2c -c public 10.10.10.10 1.3.6.1.4.1.2620.1.7.5.0 SNMPv2-SMI::enterprises.2620.1.7.5.0 = STRING: "active"

Tobias Lachmann

Exclude the external address of VPN peer gateway from encryption domain

When you define a peer gateway for a VPN community, you also have to define the topology of the gateway that is used for VPN connections. This is the encryption domain.

What you don’t see is that the encryption domain does not only include the IP addresses of networks associated with the gateway, but also the gateway IP address itself.

This behaviour is not shared by others vendors like Cisco for example, they only use the explictly defined encryption domains.

Common scenario:

You have a VPN with a partner and exchange encrypted traffic. In addition, the partner offers you webpages available over the Internet and reachable over the official IP address of his VPN gateway.

When you try for example to access this webpage from within your network, the traffic will be send encrypted to the remote gateway, let’s say a Cisco ASA Firewall.

The Cisco ASA does not see it’s outside IP address as within the own encryption domain and refuses to create a SA. So your connection attempt will fail.

The solution to this is to exclude the external IP address of the remote VPN peer gateway from VPN.

For this purpose edit the file $FWDIR/lib/crypt.def on the Security Management and change the line
#define NON_VPN_TRAFFIC_RULES 0
to:
#define NON_VPN_TRAFFIC_RULES (dst= IP_Address_Of_VPN_Peer)

Please be aware that this is the way for version R70 and above.

If you have a R75 Security Management that is managing R70 or R71 gateways, you have to edit the file in the compatibility package directory instead.
/opt/CPR71CMP-R75/lib/crypt.def

Tobias Lachmann

SSL Network Extender E75 available

The SSL Network Extender E75 is now available.

sk65210 has all the information about it.

We have now support for MacOS from 10.6.8 up to 10.7.2, both 32 bit and 64 bit. Also some Linux distributions are now supported for 32 bit and 64 bit.

I was testing the EA2 version of this software and had no problems. So I suggest that you update asap if you want to enjoy the new OS support.

Release Notes can be found here.

Known Limitations are here.

Tobias Lachmann

Endpoint Security E80.30 is available

The new release E80.30 for Endpoint Security is now officially available.

I already wrote about the cool new features before.

Check out the sk65376 for details.

The Release Notes can be found here.

Tobias Lachmann

Mount USB stick on appliance or SPLAT

Ever wanted to use an USB stick on OpenServer using SPLAT or an appliance?

Just connect the device to an USB port of your choice.

1. Load the appropriate kernel module for handling the USB device
modprobe usb-storage

2. Check which new device was bound, for example /dev/sda1
fdisk -l

3. Create a mount point
mkdir /mnt/usbdisk

4. Mount USB device
mount /dev/sdb1 /mnt/usbdisk

5. Use the device to transfer data as you like

6. Unmount USB device
umount /mnt/usbdisk

Tobias Lachmann

UTM-1 Edge firmware 8.2.44 with security fix

Check Point reported that security vulnerabilities were detected in the WebUI of UTM-1 Edge appliances, related to “XSS, CSRF, information disclosure and offsite redirection”.

All firmware version in 6.x, 7.x and 8.x are affected.

The only firmware with this error resolved is 8.2.44 which is available for download.

I would suggest that everyone should apply the latest firmware as soon as possible.

Release Notes can be found here.

See all downloads here.

Tobias Lachmann

New Appliances support slide rails. How about slide rail support?

Starting with the new Check Point 4200 appliance you can get slide rails instead of fixed rack mounting, which is quite nice. The price for a pair of slide rails is $300,–. Quite high, but I can life with it.

Now here’s the funny thing: when you use the Quote Tool from Check Point and have the slide rails picked, it will offer you SUPPORT for it. Rate is 10% of the list price. Per year!

Guys…… seriously: why should someone buy support for a slide rail???? What do you offer to the customer for the money? And how likely is it that a slide rail has to be replaced or serviced. Or can we expect hardware updates for this part in the next time so that the money for support is legitimate?

Any comments on this greatly appreciated!

Tobias Lachmann

SSL Network Externer E75 is now EA2

Check Point updated the EA version of SNX, which is now called EA2.

We have a better support of current MacOS Lion for 32 bit and 64 bit.

To enroll for the EA program, log into your UserCenter -> My Products -> Early Availability

Tobias Lachmann

Configuring system monitoring with SNMP for Check Point security gateways and security management

If you want to monitor your Check Point environment, for example with Nagios or Icinga, you need to activate SNMP.

Here’s a quick How-To for Secure Platform (SPLAT):

1. Enable SNMP

1.1 Show existing users (=community string)
[Expert@firewall]# snmp user show public

1.2 Delete user “public”

[Expert@firewall]# snmp user del public Stopping snmpd: [ OK ] /usr/sbin/snmpmonitor: Trap Server is not defined [ OK ] [Expert@firewall]#

1.3 Create new user

[Expert@firewall]# snmp user add noauthuser YOURCOMMUNITYHERE Stopping snmpd: [ OK ] Starting snmpd: [ OK ] [Expert@firewall]# /usr/sbin/snmpmonitor: Trap Server is not defined [Expert@firewall]#

1.4 Enable service

[Expert@firewall]# snmp service enable /usr/sbin/snmpmonitor: Trap Server is not defined [ OK ] [Expert@firewall]#

[Expert@firewall]# snmp service stat SNMP service enabled and listening on port 161. [Expert@firewall]#

2. Enable Check Point SNMP extension

2.1 Check status

[Expert@firewall]# cp_conf snmp get Currently SNMP Extension is NOT active [Expert@firewall]#

2.2 Enable extensions

Please note that this will cause a restart of Check Point services!

[Expert@firewall]#cp_conf snmp activate (...) Restart messages for cpstop / cpstart [Expert@firewall]#

[Expert@firewall]# cp_conf snmp get Currently SNMP Extension is active

3. Check for correct SNMP configuration

The SNMP daemon is running on port 161, the Check Point SNMP daemon runs on port 260. The Check Point daemon can be queried by the normal SNMP daemon as he acts as a proxy.

[Expert@firewall]# netstat -an | egrep -e "(:260|:161)" udp 0 0 0.0.0.0:260 0.0.0.0:* udp 0 0 0.0.0.0:161 0.0.0.0:*

4. Restart snmp daemon

[Expert@firewall]# snmp service disable Stopping snmpd: [ OK ] [Expert@firewall]# snmp service enable /usr/sbin/snmpmonitor: Trap Server is not defined [ OK ]

5. Generate an access rule for SNMP polling from the firewall in your rule base.

6. Configure your system monitoring as you like.

For Nagios/Icinga I recommend the check_snmp_cpfw.pl plugin.

Tobias Lachmann

Endpoint Security E80.30 is coming

In November we can expect the new version of Endpoint Securiy – E80.30.

With this release we’ll see the usual bug fixing as well as some really interesting new features:

Virtual directories – used to group for example unmanaged clients without AD
Support for smart cards in FDE pre-boot user authentication
Client support for Windows Server 2003 and 2008 – limited to AV, Compliance and Firewall blade

Personally I’m excited about virtual directories as I need this features for non-AD managed environments.

And the possibility to install Endpoint Security with AV blade on a Windows Server gives you the power to have a company wide security solution with a single management. Very nice.

Can’t wait to test the new release.

Tobias Lachmann

My thoughts about CPUGCON2011

Last month I attended my third Check Point User Group Conference in Chur.

To go from Hamburg to Chur you first have to travel by plane to Zurich and then go by train to Chur. All in all about 5 hours of travel.

This is quite a distance but I really enjoy the swiss landscape and the alps.

The conference was held at Würth ITensis AG, the IT company of Würth AG. Within the building and right in front of the conference rooms we have a nice museum with all kind of modern art.

The atmosphere there is really nice and I enjoyed it very much.

The first day started with Silvia Hagen, chairman of Swiss IPv6 Council, and her presentation on IPv6. Silvia advised us again to prepare for IPv6 and begin with the planing. I really enjoyed this presentation because Silvia is a very talented speaker and know how to attract peoples attention.

A lot of presentations were done by Valeri Loukine, CCMA #19 and one of the most skilled IT security people I know. He’s an intense guy – as you can tell by his look – and gave very intense presentations with lot’s of knowledge.

Sadly I have to say that I wasn’t satisfied with the presentations overall. We had sponsors speaking within the normal schedule (Tufin, Crossbeam) and therefore conference attendees paid for this presentations. It is okay with me if sponsors present within a parallel session and one can decide to attend or not. But being the only presentation in the normal schedule is not the right way.

Also I missed a broad variety of themes and speakers. In 2009 we had Rob Mitch, Valeri Loukine, Martin Hoz, Carsten Löhn, Yasushi Kono and myself presenting. Different topics, different styles of presentation, different focus on products, different opinions. Quiet interesting. But in 2010 it started to go down, we had less speakers and the topics didn’t seem to reflect what the crowd wanted to hear.

I presented my impressions to Barry Stiefel along with ideas on how to improve the conference so that everyone can get more out of it. But sadly I have to say that I couldn’t see real improvement this year. In my impression it’s getting worse. And as last year you won’t find the presentation of the speakers on the CPUGCON webpage by now. And I wouldn’t expect them to be published. Barry also recorded all presentation on camera to put them on a webpage. But again there’s no such material – not from last year, not from this year. It stays in Barry’s private collection, I guess. Sad thing.

What I did enjoy was meeting fellow administrators and consultants from many different countries. Always nice to see these guys.

Also the presentation of the swiss cheese maker Mike Glauser was very interesting and full of things I wasn’t aware of when it comes to cheese.

We were allowed to try his cheese, which was a great experience. Rich of different flavors.

On the second day we visited a mountain brewery for dinner which was quite nice.

But besides from meeting people and enjoying non-technical presentations (cheese maker, brewery) I think I did not get enough out of the conference to justify the money spend. The lowest conference fee is nearly €600,–. Together with travel expenses you have to invest about € 1100,– to attend – not counting the three days out of office where you can’t earn any money for the company.

And after all it is the “Barry Stiefel Show”. He’s in charge of everything and decides what to do and what not to do. He claims to cultivate the community aspect and to speak for thousands of CPUG members but I honestly think he lost contact to the base of the CPUG community. Mostly I see this as a money earning activity for Barry more than a community event.

The fact that Check Point isn’t attending or supporting the conference is due to the (in my opinion purely personal) conflicts Barry has with Check Point. This year we had a Check Point employee attending “undercover”. It is no good sign that this seems to be necessary…. From a Check Point User Group Conference I would expect that the vendor is attending and also presenting deeply technical stuff. But Barry want’s Check Point only to attend if they pay for the employees going to the conference or even sponsor the whole event. Very sad…… Imagine how much in-depth knowledge guys from Check Point could deliver to the Administrators and Consultants who use the products every day. Imagine the feedback from both sides that could be exchanged. Imagine even the possibility that we might see some EA version (GAIA?) if the vendor would attend. But because Barry’s only contact at Check Point is Phoneboy, we cannot expect things to change.

Sadly I can’t see any improvements in the conference organisation, the variety of presentation and in the collaboration with the vendor. Not in 2010, not in 2011.

This leads me to the point that I think I will not attend the next CPUGCON. Although I would like to meet all the guys and to give some presentations for myself. But I cannot justify the costs for the event to my employer any longer if I don’t get as much out of it as I should.

Tobias Lachmann

Endpoint Security E80.20 – works like a charme

Just wanted to report that I installed a new Endpoint Security environment for a customer with E80.20.

Took me 3 hours for the Windows Server 2008 R2 as base and another 3 hours for the initial installation and configuration of the Endpoint Management Server.

Now we’re distributing the Endpoint Clients to the users and it works like a charme.

If I compare this to the old R7x solution of Endpoint Security, Check Point made a great step forward.

I really enjoy the product in the way it is right now!

Tobias Lachmann

can’t find ::cpsb-ia in cp.macro. license version might be not compatible

Maybe some of you enabled the Identity Awareness license in their UserCenter, as Check Point is offering this for free this year.

If you did so, you may receive the error can't find ::cpsb-ia in cp.macro. license version might be not compatible after you re-licensed again and installed the license in your environment.

Don’t be scared, there is no serious error behind this message.

But some older version (and also R71.30 for example) have a cp.macro file installed that don’t have the necessary informations about the IA blade license strings, as the product was not available when the file was build.

And: you don’t need the license until R75.10 anyway.

So just ignore the message. Or contact Check Point support to get an updated cp.macro file for your installation.

Refer to sk30478 for more information.

Tobias Lachmann

Exciting news – new appliances from Check Point

This week Check Point announced a new set of appliances as well as a new software solution for dealing with botnet infected clients.

The most interesting part from my point of view are the appliances.

2200 series appliance

We now have the 2200 appliance, which has a desktop form factor. It comes with 6 Gigabit Ethernet ports and has a SecurityPower of 114. This is more power than an UTM-1 570 appliance has for less than half the price.
This model starts at $ 3600,–. Very interesting approach.

I would see this as branch office firewall, but for direct internet access. A lot of companies deploy firewalls in the branch offices but route all traffic over a VPN to the central site to have it checked for malware because the central site has much more capable hardware.

With the new 2200 appliance I see the oportunity to give all branch offices direct internet access and scan the traffic for malware directly at the local site instead of central scanning.

Based on the security power I would say the 2200 appliance is good for up to 20 Mbit/s real world traffic fully scanned. Maybe even more, as this appliance has 2 GB of RAM installed. Something that was really needed for the UTM-1 models.

4000 series appliances

Check Point calls this series Enterprise Grade, which is quiet reasonable. This series is rack mountable and there’s an optional slide rail kit available.

The 4200 and 4600 appliances have 114 and 374 SPU with 4 and 8 Gigabit Ethernet ports respectivley. No LOM card, no optional redundant power supplies. – but at least 4 GB of RAM. Pricing starts with model 4205 at $ 4900 and at $ 11.000 for model 4607.

The 4800 appliance has 623 SPU and comes with 4 GB of RAM together with 8 Gigabit Ethernet ports. But with this model you can get a LOM card, redundant power supplies and memory extension to 8 GB. However, no redundant disc drivers. Pricing starts at $ 21.000 for model 4807.

12000 series appliance

These are the Datacenter Grade appliances. It starts with the 12200 model with SPU of 738. It has 8 Gigabit Ethernet ports and 4 GB of RAM, upgradable to 12 GB. For this machine you can have an additional redundant hard drive and an additional redundant power supply. Pricing starts at $ 29.000 for model 12207.

The 12400 has 1046 SPU and starts at $ 45.000 for model 12407.

The 12600 has 1861 SPU and starts at $ 59.000 for model 12607. The standard configuration delivers 14 Gigabit Ethernet ports, 6 GB of RAM, two redundant hard drives with RAID 1 and redundant power supplies. LOM card however is optional.

For a full overview of the new line of appliances I recommend that you consult with the comparion chart.

Along with the appliance you can get a fair priced set of packages: Extended Threat Protection, Web Control, UTM+, DLP+ and Extended Security. These are bundles of service blades which are cheaper than the sum of every single blade price in the package.

All in all Check Point is on the right way. The hardware is more up to date than the current UTM-1 series for example. It will be interesting to see what kind of hardware is actually inside the machines.

We have more memory, which is a good thing and will help a lot. But still the integrated management license cannot be installed seperatley and by this taking away some performance intensive operations from the machine itself. Maybe in the next iteration.

As for the botnet blade: I have to investigate a little bit more and will hopefully cover this in one of the next posts.

Tobias Lachmann

Are you kidding me – what happened next….

In my last post I wrote about licensing fun with Check Point.

Someone made a small mistake that led to issuing 1001 endpoint container licenses with one seat instead of one license with 1001 seats.

My distributor was sorting out things with Account Services from Check Point and I had no doubt that this issue would be fixed quickly.

I just thought it was a funny thing to post!
But damn, did Check Point take this one serious!

I was contacted directly by Endpoint Product Management as well as Account Services and they fixed this issue within one hour!

Guys, thank you for your quick response. I was totally relaxed about this issue and fixing it within days would have been sufficient for me.

But with fixing it within one hour, you really nailed it

Good work!

Tobias Lachmann

Are you kidding me?

Licensing fun with Check Point……

I ordered for a new installation Endpoint container for 1001 users.

Guess what I got? 1001 single licenses for an Endpoint container with 1 seat.

Can’t find words to describe how messed up my UserCenter account looks right now

What does Account Services says to this? Everythings okay, it is the way it should be.

Guys…… how can I attach my one Endpoint Antimalware blade license which is for 1001 seats to the appropriate container?

Seems very unlikely to me that this is the way it should be.

Will be interesting to see how this is sorted in the end.

Tobias Lachmann

PS: Added the new category “Fun” to this blog. No other category where this post would fit in

Identity Awareness ≠ User Directory ?

In a previous blog post I reported that you can use the Identity Awareness feature to get the functionality for authenticating your VPN user against your Microsoft Active Directory for free.

Check Point now contacted my to state that this is only limited to certain features.
Only Check Point Account Service can tell you for sure if the required features are enabled / usable when using IA instead of User Directory.
Contact your local Check Point partner and let him clarify your demand against Account Services.

To be sure, just buy User Directory blade and you’ll get the features you need for sure.

Tobias Lachmann

Abra is becoming Check Point GO

While checking out the new training blades for Check Point certification, I visited the eStore by Check Point.

Turns out that not only trainings manuals and blades are available, but also Starter Kits.

This Starter Kits are labeled Check Point GO but are clearly Abra sticks.
So we can expect a renaming soon.

I like the new name better as it reflects the mobility you have with this product.

Tobias Lachmann

Appliance performance

Oh, I love the new Appliance Selection Tool! And one get so interesting numbers from it!

If you look at the Appliance Comparison Chart you’ll see that the max throughput for a UTM-1 270 with IPS is 1 Gbit/s. When you play around with the Appliance Selection Tool you’ll see that with Firewall and IA blades (both mandatory) and additional IPS blade you can only get 77 Mbit/s throughput.

So in real live we can only have less then 10% of the numbers published so far.

Just with the firewall blade it is 390 Mbit/s real world traffic against 1.5 Gbit/s max throughput from the “old” datasheet.

On the one side is was time to have some numbers on real world traffic but on the other side it is very brave from Check Point to make this tool available to the customers.

Hopefully other vendors will do the same.

Tobias Lachmann

Appliance Selection Tool is online as Beta [Update]

We waited some time, but now the Appliance Selection Tool is online!

It’s not supporting all blades by now, but enough to play around and get a first impression.

Also they published information about the test method.

Very nice from what I can see for the moment.

Tobias Lachmann

UPDATE: Sadly it is like I supposed: the tool wasn’t supposed to be publicly available on the Internet. Check Point has taken it down and will re-release it in Q4.

CPUGCON 2011 presentation: IPv6 on Check Point Security Gateways

I’m not sure if the presentations will be published this year on the website, so here’s my presentation on IPv6 for CPUGCON 2011.

Enjoy.

Tobias Lachmann

New book on IPv6 from Silvia Hagen

Today we had the speakers dinner before the CPUG conference 2011.

Silvia Hagen was there, which delivered very good presentations on IPv6 last year and is going to speak again this year. Silvia is publishing a new book on IPv6 with O’Reilly: Planning for IPv6. The book will be in stores starting from 27th September but I was lucky to get one copy from her today as a present.

I can really recommend this book, having read half way through it by now. It’s fully packed with information and best practices on how to plan for IPv6, special things that you should have in mind and considerations for long termin strategies.

Tobias Lachmann

Only one day until CPUG CON 2011 in Chur

I just arrived in Chur today. While we had excellent weather the last two years, it’s raining at the moment. But the forecast says that we’ll get some nice sun and I’m really looking forward to it.

Just finished my last slides for the presentation tomorrow, some minor changes had to be made. Hopefully I did a good job here.

The speaking schedule is already published, I’m going to present right after Silvia Hagen who is opening the conference with an one hour introduction about IPv6. Since we have no other presentation at the same time, I can expect to have the full attention of all conference participants.

Silvia’s presentation in the last year opened some perspectives for all of us on IPv6 and it will we interesting to see how many to played around with it by now or are even using it in production.

More of CPUG CON 2011, IPv6 and my presentation in the next days.

Tobias Lachmann

Some numbers….

This blog is now running for about two years and I gathered some numbers:

At the moment we have 166 posts and 46 categories.

Per month we have about 2400 visitors.

The most references come from cpug.org, cpshared.com and google.com

Thank you all for making my blog a success and for your comments that give me inspiration and something to think about.

Tobias Lachmann

IPv6 on Check Point Security Gateways

During the preparation of my speech for the upcoming CPUG conference I did research on the roadmap for IPv6 on Check Point Security Gateways.

I couldn’t believe that you still have to use the IPv6Pack for R70.1 for getting at least some features in combination with IPv6, because this version will be out of support in about 18 month according to Check Point support life cycle.

But according to Check Point we will have a new IPv6Pack “somewhere in the future” – but not in the R75 release train.

I would think that we’ll see their next step when introducing GAIA.

Check out my slides from the IPv6 presentation in one of the next posts during the next two weeks.

Tobias Lachmann

DigiNotar incident

As you all may have read in the news, the CA DigiNotar suffered from a severe security breach. Hundreds of certificates were forged including well known web sites.

Since the use of certificates is based on trust, the CA certificates from DigiNotar have to be removed because you can’t trust them anymore.

Check Point has published sk65277 with instructions on how to remove the certificates.

The sk is valid for all versions from R65 to R75 and I strongly recommend to implement it fast.

Tobias Lachmann

R75.20 GUI enhancements – and old legacies

R75.20 brings us some nice GUI improvements with SmartDashboard. The design is more up-to-date and stylish then before, I really like it.

And we have nice features like to ability to get notified when write access to Security Management is possible.

This is really an improvement.

But still we can find some old legacies like the peek holes at various places.

For example in SmartView Tracker while selecting an object for your filter where you can’t see the whole object names as the field is way to small.

Or in the Global Properties window; still not sizeable and therefore you have to scroll a lot.

I really hope they would fix this.

Tobias Lachmann

Identity Awareness = UserDirectory?

I got confirmation from Check Point Germany that the use of the Identity Awareness blade is enabling also the ability for authenticate remote access users for VPN against an Active Directory.

This means that a customer can obtain the IA blade which is free of charge at the moment. You can get it through the UserCenter by the way. After licensing and enabling this blade you can also configure an MS AD LDAP server to authenticate. Either use the wizard of the IA blade or do it by hand.

Very nice because you don’t need the expensive UserDirectory blade as long as you only want to authenticate against Active Directory.

For writing and changing the Active Directory you still need the UserDirectory blade, also for accessing LDAP directories from other vendors.

But most likely you will find AD in the field so the customer get’s a nice feature for free.

Hopefully this feature will remain accessible in the next versions as it is now, Check Point may change licensing or technical details without advanced notice. So we carefull when using IA blade for authentication remote access users and be prepared to buy UserDirectory blade, when something goes wrong

Tobias Lachmann

GAIA

Since a couple of month I wanted to write something about GAIA, the upcoming Check Point OS.

The reason that I did not post anything is because I don’t know much more than the information shown on the offical website.

In the beginning of 2009 I had contact to the responsible product manager for GAIA and VPN-1 VE and we had a telefon call for several hours where he asked me for my experience with SPLAT and the UTM-1 appliances which run a modified SPLAT. I gave tons of input and we agreed to work together in the developing process.
But because of the fact that this guy left Check Point a couple of month later I was cut off of any information. No screenshots, no alpha version, no beta testing……

So by know I can only tell you that GAIA will the derived from SPLAT and is Linux based. We can expect it to be 64 Bit which will solve some memory limitations. The CLISH from the IPSO is still there and there is a very granular rights management. You can define which administrator has which rights on the system and which commands he can issue.

Seems that they have a focus on this feature, but I cannot see so much benefits from this one for my clients.

I hope for more hardware support including 10GE cards from all major vendors on OpenServer systems.
Also I’d like to see LVM on normal SPLAT together with enhanced USB handling (backup on a stick for example).

During the CPX in Barcelona in May I found out that even the german guys at Check Point did not have a EA version of GAIA at that time. Personally I think this is a shame.

There were rumors that one can propose customers to become part of the EA program….. but hey: how can I propose a customer when I don’t know what features your new OS will have?

All in all I’m not happy about the way Check Point is handling GAIA and the information regarding details and features.

Tobias Lachmann

Check Point 61000 appliance

Just to let you know: the list price for a 61000 appliance system with 1x Chassis Management Module , 2x Security Switch Module with 6x 10 GE fiber ports and 2x Security Gateway Module along with power supplies and license for 5 blades is starting at $ 195.000,– according to my sources. But in this pricing area you will always have NSP pricing within a project.

Tobias Lachmann

Check Point 21400 appliance

I just had a look at the datasheet and the pricelist of the Check Point 21400 appliance.

I can’t believe that the system starts at $ 115.000,– for just the box with license, 12 GB RAM, 13x Gigabit Ethernet-Ports and redundant drives, fans and power supplies.

If you buy an HP DL380 G7 server fully loaded with 12 cores, 24 GB RAM, redundant hard drives, fans and power supplies it costs about $ 10.000,–. And the SG1207 with additional blades is about $ 54.000,–.

So the Check Point appliance is $ 115.000,– compared to OpenServer for $ 64.000,–.
We don’t know the insides of the appliance by now, but I would bet that it is not faster than 2x Xeon X5690 running with 12 cores at 3.45 GHz which are inside the OpenServer.

Besides from the fact that a low-latency acceleration card is coming 2012 for the appliance there seems to be no reason to buy such a high-price appliance instead of OpenServer hardware which can deliver the same or better performance.

Still searching for the reason why anyone would do this…… any hints?

Tobias Lachmann

Thinking about Security Power…..

Check Point introduced a new metric called Security Power. They want to provide more useful information about the realistic performance of their appliance beside from “show off” numbers which claim high throughput.

This is a good and valid approach because max. throughput is measured with just one rule in the rulebase (any-any-any-accept) and the traffic consist only of 1500 byte long UDP packets. Plain and simple traffic, nothing really to do here for the firewall.

On the other hand we can have the worst case which would be 64 byte TCP packets. Here we have only small numbers when it comes to throughput, nothing worth to be found in a marketing slide.
But even this number is important as is defines to lower end of performance for a system.

Short story about this: once we had massive performance problems at a customer site. Some web-based application was running very slowly and the firewall was nearly at 100% CPU. We couldn’t find anything at first as the firewall was operating within normal parameters besides from high CPU load. Was this a bug in the software? A hardware failure? After some unsuccessful searching I did a traffic capture with fw monitor and analysed it with WireShark. The disposition of packet sizes showed me a very high appearance of really small packets. Looking further into the dump I realized that they derived from short LDAP queries that were going through the firewall. In terms of throughput is was not that significant. But in terms of number of packets it was significant. Gladly I had some information from inside Check Point about the performance of appliances in best and worst case scenarios. We could match the hardware from one of the appliances to the OpenServer system the customer firewall was running on, they were nearly the same. Then we compared the numbers for LDAP queries we had seen on the live system to the number of 64 byte TCP packets that could be handled by the appliance at best. And we found out that the 100% CPU load on the customer system was not coming from a software bug or hardware issue but from the firewall operating at the maximum performance it could deliver for that kind of traffic.

So coming back to Security Power: Check Point claimes that it is measured with a rulebase consisting of 100 rules which is fairly the amount of rules the normal customer has in it’s rulebase. The traffic used for measuring is a real-world traffic mix for whatever that means. Hopefully it’s mostly HTTP, some FTP, SMTP, SNMP along with DNS, NTP and ICMP. That’s what I would expect to be real-world traffic.

Based on the rulebase, the traffic-mix and the throughput needed a value is calculated called Security Power Unit (SPU). A UTM-1 3070 can deliver a max SPU of 298 whereas a Power-1 5070 delivers 596 SPU.

The online tool that will be available shortly takes into consideration which blades you use to calculate the SPU needed. In the example Check Point provided during the webcast the key numbers were 200 Mbit/s max throughput with three blades enabled (FW, IPS, AC). The traffic type was “Internet” for whatever that means. Maybe they take into account that different real-world traffic profiles arise from the use of the Security Gateway at the perimeter or internally. When deployed internally I would expect more SMB traffic for example. The tool calculated that 205 SPU were needed to fulfill the requirements.

Let’s compare the numbers: 205 SPU are needed for 200 Mbit/s real-world traffic with FW, IPS and AC. The appliance UTM-1 3070 is capable of nearly 300 SPU, so the hardware will be about 66% loaded.

In the pricelist you will find that the max throughput measured the old way is 4.5 Gigabit/s. So assuming a linear progress in CPU consumption linked to traffic this means that a UTM-1 3070 with 66% load is capable of 2.97 Gbit/s max throughput.

FW with one rule = 2.97 Gbit/s
FW with 100 rules, IPS and Application Control = 200 Mbit/s.

Really different numbers, aren’t they?

Some CCIE told me that with Cisco Routers he divides the performance numbers given by Cisco by half for every feature he implements. Using NAT? 50% performance left. Using ACL? 25% left. Using VPN? 12,5% performance left. Meaning you go from 1 Gbit/s routing performance to 125 Mbit/s while using 3 additional features.

This show that it’s not only Check Point that has only marketing numbers out there while real-world performance is something completely different.

So I appreciate the approach of Check Point to give us something to choose the right Security Gateway for the desired environment and it’s needs. On CPX someone from Check Point whom I trust told me that the tool is really accurate.

It will be interesting for me to check if I chose the right appliances in the past according to the appliance selection tool.

But there’s still one thing missing with Security Power: the ability to measure also OpenServer systems.
I know that Check Point is focusing on appliances, but there are still good reasons to deploy OpenServer hardware instead of appliances. You can’t expect Check Point to deliver SPU numbers for all server / NIC combinations found in the HCL, as CPU, memory as harddrives differ from system to system and each component has influence of the performance. But some testing tool to measure the max SPU of an OpenServer would be really great. I would guess that SPU is calculated by something like instrustions per second on specific hardware and that Check Point knows how much computing power is necessary to process a certain amount of traffic with selected blades. In this case you can transfer this into the OpenServer world.

Is this likely to happen? I guess not. Check Point want’s to sell appliances instead of licenses, judging by their recent activities.

So we still have to stick with our appliance hardware list that can be found on this blog. And by comparing appliance hardware with your OpenServer you can estimate the performance that this system is capable of.

Also on CPX I learned that Check Point is not happy about my hardware list for the appliances. They prefer to talk about performance numbers instead of hardware that is build into an appliance. I can totally understand them – but please try to understand our position as technical people. First of all we’re curious and we CAN find out what hardware is in the box…. and therefore we will DO it
Second we need to choose the right solutions for our customers day by day. And when it comes to real world security requirements and traffic mix the Check Point performance numbers or far from being realistic. Wonderfully shown by Check Point itself in the example above with the UTM-1 3070 appliance were the tool calculates that a fully loaded appliance will only deal with 300 Mbit/s instead of 4.5 Gbit/s under realistic conditions. So we compare the appliances, were we have Security Power numbers and a tool, to OpenServer hardware based on the components inside the appliances.

Check Point, please understand: we need to know! Appliances are only 65% of real customers environments, the rest is OpenServer and we as CP partners have to cover this as well. Please give us a benchmark tool for measuring SPU on OpenServer!

And I would also prefer to have the number of max throughput with 1500 bytes UDP packets as well as 64 byte TCP packets for the appliances. This helps us also to get the right solution / core license.

Tobias Lachmann

R75.20 is available

During the live webcast today Check Point announced the release of R75.20.

The sk64361 tells you all the details, including the Release Notes.

Now they re-coded the URL Filtering, which is now connected to a “cloud service” for the update of the URL categories. I think I heard about this feature already from Bluecoat several month ago, so Check Point tries to close the gap. URL Filtering is now in the same policy with Application Control. This makes sense, as AC is kind of an bigger URL Filter anyway.

We have now support for inspection of SSL encrypted traffic, which is not limited to HTTPS. This feature is used in all blades and doesn’t require an extra license. We’ll see how this works in real live, maybe this is a topic worth a speech at CPUGCON 2011?

DLP is making use of the SSL inspection and extends it’s features to an internal DLP solution. The involves an Exchange agent who is also in charge for checking SMTPs mails send outbound.

The logging clients such as SmartView Tracker now allow to hide usernames for specially created administrators which is very important for avoiding unnecessary user tracking.

The SmartDashboard now let’s you change the mode, also if you’re already connected. And you can get a notification if you’re locked in read-only and the database locked is available since the other administrator is now locked out. Very useful. I wonder if they fixed the various “peek holes” in the SmartDashboard or SmartViewTracker, meaning not sizable windows that make it easy to see all the content.
Reminder for myself: do a posting about this later on.

Something very important about R75.20: you can update the R71.30 release, so no dead-end here any longer. This is due to the fact that R75.20 derives from the code base of R71.30.

Tobias Lachmann

New announcements from Check Point

Check Point presented some news in form of a webcast from New York.

The presentation has three main topics, first the new release R75.20 which comes with all-new URL Filtering and SSL Inspection within all the blade.

Second they introduced a new measurement of security performance called Security Power with the new unit SPU (Security Power Units). This should make the Check Point appliances more comparable and is not based solely on throughput. There will be an online tool called appliance selector where you define which blades you want to use and which throughput or users should be secured/inspected. Then, based on your input, the system calculates the number of SPU needed to fulfill your demands.

Third Check Point introduced some new very high performance appliances for data center needs, as Check Point points out. As you may rember from one of my previous posts, I don’t see the need in data centers the way Check Point sees it. But anyway, now we have a 21400 appliance which has up to 100 Gbit/s throughput and the 61000 system which delivers up to 1 Terrabit/s on throughput. Both appliances are highly customizable and redundant in itself.

I think I will post me thoughts about all of the topics in separate posting.

Tobias Lachmann

Endpoint Security E80.20 available

Endpoint Security E80.20 is available in Support Center.

All ressources can be found in sk62880.

Check out the Release Notes, Known Limitations and Resolved Issues.

Tobias Lachmann

R71.40 available

The R71.40 release is now officially available within Support Center.

Check out the Release Notes, Known Limitations and Resolved Issues.

All ressources can be found in sk63761.

Tobias Lachmann

Two new EA programs available

There are two new open EA programs available. One for R71.40 and one for E75.20.

You can register yourself for the EA in the UserCenter from the products menu.

As for R71.40 I see some improvements in IPS checks including GeoIP and enhanced operating system support for the remote access clients / mobile clients.

E75.20 brings us the long awaited secondary connect feature which allows you to connect to two sites at the same time. Also you can pre-package the client with a initial desktop security policy which is enforced right after installation.

Tobias Lachmann

The reason why we need LDAP profiles

When we configure a LDAP connection from Security Management to a directory server, we need to specify a LDAP profile in the account unit properties.

What’s the use of these LDAP profiles? They’re kind of translation tables to match UserDirectory LDAP request with the specific singularity of the directory server.

For example the Microsoft Active Directory has the attribute memberOf which describes the group membership of a user. In the standard LDAP scheme the attribute member is used.

So the LDAP profile Microsoft_AD has the field GroupMembership which contains the value memberOf and therefore the UserDirectory can find the groups correctly.

We have some pre-defined profiles for Microsoft_AD, Netscape_DS, Novell_DS and OPSEC_DS. They’re visible in the drop down menu of LDAP account unit properties but cannot be shown or modified anywhere else.

The documentation states that you can define your own profile, but doesn’t explain how. As the profiles are inside the object_5_0.C I would not encourage anyone to insert information directly in this file.

The safest way seems to be if you modify an existing profile using GUIDBedit. This way you can change values, but there’s no high risk of messing up with the structure of objects_5_0.C.

Tobias Lachmann

Inside Edge X

Every wondered what is inside an UTM-1 Edge X appliance?
What kind of hardware, what kind of software?

Well, thanks to my friend Mikael I can share some information with you.

The Edge X runs with a MIPS CPU from Brecis with 166 MHz.

The operating system is a uCLinux running kernel 2.4.20.

As filesystem SquashFS is used along with LZMA compression.

WiFi is provided by Atheros.

Interesting to know, don’t you think?

Tobias Lachmann

Content Scanning on UTM-1 appliances

Dear Check Point,

why do you sell really small appliance together with blades that allow content inspection?

Honestly, it’s a pain in the ass to have antivirus activated and then for example push a policy.
You will wait forever!

And it’s damn slow even on a UTM-1 57x series appliance, which is in the middle of the UTM-1 hardware variants.
Nobody should try this with an appliance smaller than UTM-1 57x, it will simply not work.
By the way, this is also a statement that you will get inofficially from your support engineers!

I think I need to elaborate here a little bit more about what I mean.

When I do the sizing for a customer, a 57x appliance with Antivirus, AntiSpam and URL Filtering is only sufficient for max. 4 Mbit/s throughput.
The box can do some more MBit/s, but then is nearly at 100% cpu…. and everybody want’s his system to have some reserves, right?
The box itself is fine when running with Firewall, VPN and Antivirus alone, but nowhere near the official Check Point numbers.

Small customers do not have a separate management, they use UTM-1 appliances because you can do all with one box: Gateway, Content Inspection, Management.
And every time you push a policy or view logs or do another action related to firewall management, this will have dramatic performance impacts.
Compiling a policy leads to massive CPU usage (load of 15 and more), massive memory usage (nearly no free memory and about 800MB used swap) and massive hard drive activity.

In the field I’ve even seen connection drops while pushing a policy due to heavy load. This is not supposed to happen. And is also happended on 207x series appliances when this machines were handling more traffic.

Yes, using the appliance with a separate security management don’t bring up these problems. In this case operation is quite normal and the numbers (besides from memory) are OK.
But nobody does this…. UTM-1 is meant to be managed by itself. That’s the beauty of the concept.

So but do I expect from Check Point here?

First I would not advertise the smaller appliances for Content Inspection with the hardware that is in place today. Start with a 57x when managed by itself.
Second, pimp the hardware. Enhancing the memory from 1GB to 2GB would help a lot to prevent swapping and therefore decrease performance because of IO waits.
And using a solid state drive would also help a lot while writing and reading files when doing Content Inspection, starting programs and installing policies.
Would cost about $ 150 then the hardware in place right now, so it’s neglectable.

When it comes to the CPU used, it’s understandable that Check Point uses smaller processors that limit the throughput. Otherwise no one would buy the bigger appliances or use licenses on OpenServers.
I can live with that…. just improof IO and I’m glad.

Would do you think about this issue? Comments are welcome at tobias@lachmann.org

Tobias Lachmann

UTM-1 Edge Firmware 8.2.42 available

We have a new firmware version 8.2.42 for UTM-1 Edge appliances available.

Checking the Release Notes I found mostly bug fixing, nothing exciting new.

But I’m glad to see that Check Point / Sofaware is constantly improving the firmware to make it more stable.

See the product page in support center for all resources.

Tobias Lachmann

Endpoint Security E80.20 available

We have a new version E80.20 of Endpoint Security, check out sk62880 for details.

A lot has been done on the server side like improved OS support, multi Endpoint management servers for large installations. On client side we have improved OS support and my favorite, the syncronisation of the uninstall password from the server to the client. You do not longer need to specify the password while creating the package, just deploy the package and the client will sync the uninstall password with the configuration on the management server. Very sweet.

Check out the Release Notes and the Known Limitations.

Tobias Lachmann

CPX 2011: Security Gateways in the data center

On CPX 2011 I listened to some presentations which dealt with the security gateways in data centers.

I got the impression that Check Point is only looking at high-end facilities of large companies because they were only talking about multi Gigabit firewalls and Crossbeam, VSX, Multidomain Management and so on.

Since 1997 I’ve seen a couple of data centers ranging from 250m² to 2000m² and different network sizes and I worked for MSPs the last years. I’ve seen that the service providers have multi-gigabit uplinks to the internet and that the backbone has 10 GigabitEthernet, but these are pure routers and at this point there’s no firewall or IPS functionality.

Depending on the customer there are some different setups.

First one is a dedicated type:

Connected to the backbone are smaller networks that represent a customer or a customer project, such as a web shop. And these smaller networks are protected with a perimeter firewall that is handling all the traffic. Normally a FastEthernet-Uplink is enough, some go with GigabitEthernet. And also inside the different network segments FastEthernet is most likely enough.

An UTM-1 27x appliance can handle these traffic without problems, if you’re doing the backup over the firewall using GigabitEthernet interfaces an UTM-1 57x will do the job and give you full performance for your network interfaces.

Then we have the second type, also dedicated:

Here we have a front end segment that contain for example the webservers. They have additional network interfaces that connect to the backend network segment where the database or application servers are located and an interface to the backup network. The firewall in this scenario has only to protect the whole environment against access from outside, so it just needs to handle an amount of traffic that corresponds to the uplink. Here you can easily go with a UTM-1 27x appliance.

The last type of infrastructure in a data center is the one where the users access resources which are all protected by firewalls.

The perimeter firewall protecting the passage to the internet can be small, there’s no difference to type one scenario. But the internal firewall that is shielding high traffic servers like file servers or backup servers needs to be multi gigabit capable. And this is the scenario Check Point only refers to when it comes to data center firewalls.

But to be honest, this is not so common in the real world. Most companies don’t run internal firewalls or they don’t protect the servers that produce high network load like file servers. Or, also widely seen, these servers have only GigabitEthernet connections and so the firewall don’t need to be that big.

So, what’s my bottom line? Well: data center firewalls are not only about high performance and multi gigabit. The vast majority of SME customers have other needs.

But what are requirement from a MSP perspective? First the solution has to be cost effective. At the moment customers are price sensitive and we have strong competitors like Cisco with their ASA solutions in the market.

When I look at our first setup we can have a firewall and management solution that consists of two UTM-1 272 appliances in a full cluster for $ 8.640. The same setup with two UTM-1 574 appliances is $ 16.200.

Check Point positions its VSX and P-1 as the product of choice for a data center / MSP solution. But if we look at the numbers, what do we see? VSX 2 core license with 10 virtual systems is $ 24.000, the HA license is $ 19.200. OpenServers like the HP DL360 server are about $ 5.000 each. So just the firewalls are $ 53.200 in total, per customer this would be $ 5.320. But now we also need a management. A proper multi domain management is at $ 100.000 on a Smart-1 50 appliance for 10 domains. So the management per customer is $ 10.000. In total we have a price of $ 15.320 for a virtual firewall instance running in HA mode on a 2 core system including management. In comparison the UTM-1 272 cluster is at $ 8.640.

A UTM-1 574 cluster costs $ 16.200 – the VSX cluster is cheaper by $ 880. But do we get the same performance for out money? Remember that the VSX is running on a 2 core license. So with actual server hardware and the proper amount of memory I would estimate a performance a little bit over a UTM-1 307x appliance, which is at 4.5 Gbps throughput. Divided by our 10 customers this would be about 500 Mbps per customer for $ 15.320. The dedicated solution would we running with 2.5 Gbps for only $880 more. I know that in real live customers have different traffic profiles and so the real available performance would be higher, but still. Remember Check Points point for data center firewalls: multi gigabit high performance.

It really needs a high amount of virtual firewall instances running on a powerful hardware along with a big multi domain management to create a cheaper solution (per customer) than a dedicated environment with appliances. Even taken in consideration the additional effort for power consumption, rack space, clima control…. for the dedicated solution.

And remember that the invest for a VSX / multi domain management solution is really high, you quickly need the customers that use and pay for this in order get your finances right.

That puts me to the point when it is usefull to have the “Check Point way” for data center firewalls and when not:
if you are running a huge data center as an MSP with lot’s of customers (100 and up) that all require a Check Point firewall solution for their environment, then it will make sense to use VSX and P-1 because it’s cheaper and the managment effort is less than with dedicated solutions which also saves money. At best you’re operating this as managed service.

If your data center consists of smaller customer installations and you don’t have that high amount of customers that requires Check Point protection (or that are willing to pay so much money) you are better with dedicated installations based on appliances. And also the invest are smaller and you can make them when needed.

Multi Gigabit is needed but can also be satisfied by small appliances. The need for Crossbeams and huge multi core firewalls with number of 15 Gbps and up is rare and most likely needed when you operate interal firewall systems that protect servers that are producing high network load.

To sum up: it would like to see Check Point moving their focus from purely high end when it comes to data centers. There are lot’s of MSP and data center provider out there that would love to have Check Point solutions in place when they would be affordable. Or when Check Point would provide a pay-as-you-grow model for licensing. The invest for hardware capable of multi gigabit is not the big thing, the license is. Maybe start with the desired number of IP addresses and just one core? Add another core(s) if you need more performance and then pay for it. Install a VSX system with P-1 for only two customers and only pay for these two. Add more customer licenses when you sold the firewalls to new customers. I know that would complicate licensing…. but it already is really complicated, so no big deal here.

Would be interesting to see if Check Point is adapting it’s thinking in the future…

Tobias Lachmann

R75.10 is here

I know that I’m late on this one, but anyway: R75.10 is available since a couple of days.

The release page shows all the info.

We have some known limitations (in addition to R75) – for example that you need to have a software blade license installed to upgrade to R75.10 or a trial license. There’s a new sk62950 stating that it is not enough to run on the 15 days trial license you get when you freshly install the system. You need to have a permanent software blade license or an evaluation license to succeed with upgrade. This is very important and requires some preparation while installing systems as an eval license may need to be aquired.

Luckily, for Power-1, UTM-1, Smart-1 appliances and IPSO 6.2 we have fresh install packages.

The resolved issues show that most of the improvement has been done in the field of DLP.

The release notes also list improvements in the Mobile Access Software Blade.

As always, make sure to read all the documents carefully and check with your existing infrastructure.

Tobias Lachmann

I just moved my blog to a virtual server hosted at Alfahosting

Nearly done, so you can expect more posts in the near future.

CPX in Barcelona was exciting and I have some interesting news.

Tobias Lachmann

Using your Microsoft Active Directory for user authentication

The Check Point products have the ability since years to authenticate users using a LDAP server.

In former times this was called SmartDirectory(LDAP), now it is the User Directory Software Blade.

The pricelist states that you have to pay $4000 for it and you may say that this is an awfull lot of money.

But today I’m going to show you the cool things you can do with that blade and how to use this in your enterprise environment your enhanced user experience.

First we should have a look at the Actice Directory structure.

For my lab environment I build the test domain hamburg.local.

The OU (LDAP term for organisational unit) Employees is containing another two OUs which hold the endusers.

We place external users in the OU ext and internal users in the OU int. This is a pure example of how OUs can be used for grouping users into logical units for better administration.

All the users belong to one or more groups. We have built-in groups and custom groups. In my Active Directory I keep the groups created by myself in the OU Groups.

The normal Actice Directory Users and Computers plugin for the management console shows the AD structure in a tree view, but does not reveal the underlying LDAP structure.

Since the Check Point User Directory/SmartDirectory is a LDAP connector, we need to deal with the LDAP structure and attributes.

A good tool for displaying the LDAP structure of an Active Directory is ADSI EDIT, which is part of the support tools in Windows 2003 server and built-in with Windows 2008 server.

When a complete path is needed, this is called DN or distinguished name. The DN for the built-in administrator for example is
cn=administrator,cn=users,dc=hamburg,dc=local.

OK, our Activce Directory is ready, let’s configure the Check Point Security Management.

Now we login to SmartUpdate and add the Software Blade license for User Directory, either eval license or normal license for your environment. Then we enable the blade and the functionality in SmartDashboard.

On your security management object, enable User Directory blade.

In global properties, enable SmartDirectory(LDAP).

We then have to create a user template which contains information about how the user is able to authenticate. Select Check Point Password as authentication scheme.

Now we’re going to create a node object which represents the Active Directory Domain Controller.

Then we create the object for a LDAP account unit.

On the Server tab click Add and select the newly created node object from the drop down menu.

If you’re using unencrypted LDAP, the TCP port is 389 so leave this unchanged.

Under Username you fill in the credentials of a user that is able to do operation within the Active Directory.

Within my simple setup I chose the Administrator account.

Under Login DN you have to specify the full path to the user account within the directory.

The built-in Administrator is

cn=Administrator,cn=users,dc=hamburg,dc=local,

the newly created user John Doe is

cn=John Doe,OU=ext,OU=Employees,dc=hamburg,dc=local.

Fill in a password and submit with OK.

Then change to the tab Objects Management and say Fetch branches.

This is the first test if the security management can communicate with the Active Directory domain controller and if you supplied the right credentials. If so, you will see some branches.

Normaly, these brances are not usefull because you created some of your own. In that case delete the fetched branches and create new ones.

These branches can be seen as container or folders that hold your users and/or groups.
Create all the branches you might need.

In our example we want to check for existing user accounts locted under OU Employees and sub-OUs and for security groups located under OU Groups so we need these branches.

Change to the Authentication tab and enable the checkbox for Use user template. Choose the newly created template from the beginning.

Click OK.

Now you will find an object in the tree which represents the LDAP account unit. When you click on it, the account unit is accessed.

The data that is found in the directory is displayed in a tree view. Note that you see only the branches you configured.

We’re only seconds away from using accounts from the Actice Directory!

Next create a LDAP Group which represent the users as only groups can be used in the rulebase.

I want to give this group VPN access so my group is named ldap-grp_vpn_access.

Then you have to select the account unit that should be queried for the user accounts, so choose the one created before.

At last we need to define the scope of the group. A very simple approach is to use the setting All Account-Unit’ Users. With this, all users found in the Active Directory belong to this group.

But most of the time this is not the right solution as you want to limit the user access to a specific group of individuals.

So you can focus with your group on a special OU which is located in a sub tree. At this point we have the predefined branches again, that we created while adding the account unit object.

The drop down menu has the defined branches ready. Take special notice that you can’t change the branch configuration at the account unit if the branch is in use in a group!

If you configure your group this way, every user that is in or beneath this OU is considered to belong to this group.

In my example setup I want to give selective access to the VPN, so the approach with all users in one OU is not the right one.

I’m going to build a security group in the Active Directory and assign the users as members to this group, which should get access to the VPN.

The group is called VPNUser and I configure the Group in branch option to check for the users here.

Now every user that belong to VPUser can authenticate and access the VPN.

Not only the VPN, actually. This groups can be used anywhere in the rulebase, for example authentication rules etc.

That’s all for now – in a new blog entry I will cover dynamic filters, LDAP templates and so on.

Tobias Lachmann

Problems deleting node object

Last week I encountered a problem when I tried to delete the node object for an unused DNS server in a customer configuration.

Deleting the node failed because a message box told me, that the object was still in use. The reference says that it was used as “om_back_dns1″, which means as DNS server for office mode (Gateway properties -> IPSec VPN -> Office Mode -> Optional Parameters).

The catch here was that the referenced object was a security management. And a security management has no options to configure something like Office Mode through SmartDashboard.

I found the solution with GUIDBEdit in the objects_5_0.c file.

The security management HAD configured options for Office Mode DNS, although they didn’t show in the SmartDashboard.

I was able to reset the values using GUIDBEdit and after saving I could complete my action in SmartDashboard.

The best explanation that I have for this is a former upgrade some while ago. The customer had a stand-alone installation that was converted to a distributed installation some 6 years ago. Seems that the tools at that time didn’t check the configuration properly and migrated also some values that should not have been there.

I know that this kind of setup is hard to test while doing QA for a new product, but this is not uncommon in the field. Having one configuration that is upgraded and converted over and over again, from version to version. The error was created with version NG in production, now we have to deal with it while using R71 software blades.

Tobias Lachmann

Next Generation Firewall Test by NSS Labs

The NSS Labs performed a Next Generation Firewall Test, the first of it’s kind. It’s not a group test but purely about Check Point.

You can download the report here.

Interesting to see how a NGFW is defined and which tests have been done.

The Check Point appliance has some pretty good scorings and aces nearly all test with 100%.

Only the IPS test is using the out-of-the-box values and so we see the same results as from the NSS Lab IPS group test, where the policy without tuning is doing OK, but the tuned policy has the seconds best scoring of all tested systems.

I see this as another proof that Check Point is the product of choice and mostly everything is working into the right direction.

Tobias Lachmann

SecureClient End-of-Support

The SecureClient is End-of-Support in June 2011!

Time to change to the all new Endpoint Security VPN E75.10, which is a really great piece of software:

runs on Windows XP, Windows Vista and Windows 7, regardless of Service Pack and 32/64 bit
has improved stability for connections
integrates in the Windows Security Center for SCV checking

Check out sk61286 for all details.

Tobias Lachmann

Bye Bye UTM-1 Edge X…..

Now we have an official date for End-of-Sales of the UTM-1 Edge X appliance series, which is June 30th.

I think I got my first own Edge in 2004 during a promotion event and it’s running ever since. Constantly upgraded with the latest firmware, which is still running smoothly.
This is something that really impressed me all the time, the ability to run the latest firmware with all cool features on a 7 year old hardware. Nice work, Sofaware!

But now it’s time for a change to a new hardware generation and the Edge N series steps into place.

If we look at the list price, the Edge XW8 was at $800,–, the new NW8 is at $875,–.
This is OK and I think it will also be OK with most of my customers.

Tobias Lachmann

Support for MacOS X 10.7 is coming!

Dear Folks,

I’m really glad to inform you that we can expect Check Point to support the upcoming release MacOS X 10.7 with both SNX and SecureClient right along with the release of this new MacOS version.

This is great news, as we waited for 10.6 support quite a long time after the release of this version.

Now Check Point listened to our requests, which is really great!

Thank you guys!

Tobias Lachmann

Security Management R75 now supported under ESX/ESXi 4.1

In their facebook feed Check Point announced some technical updates, including “Security Management R75 (standalone and Provider-1) is now officially supported in ESX/ESXi Server 4.1.”.

I couldn’t see that this information is reflected in the documentation anywhere at the moment, but I’m sure this will follow.

We’re seeing the combination of security management and ESX virtual machine in the field a lot, so I’m really glad that’s now officially supported.

Tobias Lachmann

UPDATE: Thanks to Phoneboy for the link to the new Hardware Compability List (HCL) which includes the Virtual Platforms.

Maximum concurrent gateway tunnels

Under some circumstances you can see flapping device states concerning the VPN tunnel to the security gateway. This is caused by problems with a kernel table:

A gateway is exchanging constant tunnel test packets (UDP 18234) between itself and the remote gateway when a permanent VPN tunnel is configured, standard value is sending the packets every 10 seconds. Every successful exchange is kept in a kernel table named tnlmon_life_sign.

[Expert@fw1]# fw tab -t tnlmon_life_sign -------- tnlmon_life_sign -------- dynamic, id 303, attributes: keep, sync, expires 60, limit 200, hashsize 512, free function c35ca9b0 0, post sync handler c35ca7e0 <91fda452, 00000001; 00000001; 34/40> <91fd6d4a, 00000001; 00000001; 31/40>

A new permanent VPN tunnel creates an entry in the table, every succesful exchange refreshes the entry. If the lifetime of 60 seconds for the entry is exhausted, the entry will be deleted.

The information from this kernel table is send to the security management, which derives the status information about the VPN tunnels from it, which are displayed in SmartView Monitor.

By default the kernel table is configured to keep 200 entries. Depending on the number of tunnel you configured this can be not enough and can lead to the situation that the newer entries overwrite older ones when there are more than 200 entries. And as a result the security management cannot display correct status information, although everything is fine with the tunnel itself.

The table limit can be edited using GUIDBedit, just alter the value max_concurrent_gw_tunnels within the gateway object. To avoid unnecessary memory consumption, make sure to correlate the numer you enter with the number of VPN sites that you have.

Tobias Lachmann

When you think about taking a Check Point course….

…consider to travel to Switzerland and have the course at Dimension Data!

Valeri Loukine, one of the few Check Point Certified Master Architects worlwide and the most skilled professional I’ve met so far, is teaching now the official Check Point curriculum.

Besides from all the stuff in the courseware you can expect to get an extra portion of knowledge and hands-on experience from Valeri.

If there’s no Authorized Training Center (ATC) near you and you have to travel anyway, fly to Switzerland and train at DD!

I have to express that I’m not getting paid by Dimension Data for writing this, I’m purely stating my opinion and admiration about Valeri.

Tobias Lachmann

Upcoming tests from NSS dealing with Check Point products

Most of you might have seen the latest IPS Group Test from NSS Labs with Check Point IPS scoring the 2nd best result.

In the next couple of weeks we can expect others tests from NSS Labs, dealing with firewalls and next generation firewalls. Next generation firewalls mean that the functionality of firewall, IPS, application control and so on is bundled into one solution.

Will be really exciting to see how Check Point rangs in comparison with other vendors when the new blades are compared.

Tobias Lachmann

New Endpoint Access Clients E75.10 are available for everyone

The E75.10 clients have left the EA (early availability) stage and are now GA (general availability).

Check Point has an sk article that describes the release.

Check out the Release Notes.

I currently brought the E75 client into production and was impressed of it. Now with E75.10 we have a new cool feature, the integration of Windows Security Center into SCV (Secure Configuration Verification). Now we can test the presence of antivirus software, enabled windows updates, presence of firewall etc. via the mechanisms integrated into windows.
This is a big relief, as checking presence of virus scan software processes was a pain in the ass sometimes.

If you’re running a R71.30 system, you’re instantly good to go with the new release when it comes to Endpoint Security VPN and SecuRemote. Support for Check Point Mobile for Windows is coming with R71.40.

R75 systems are ready for Endpoint Security VPN clients, Check Point Mobile for Windows on R75 needs a hotfix and support for SecuRemote comes with R75.10.

To be sure about your system, check the release notes.

Now we also have full support for Windows XP, Windows Vista and Windows 7 with 32 Bit and Windows Vista and Windows 7 with 64 bit.

I’m very happy to have this new release finally available.

Tobias Lachmann

Something to think about

I did a lot of reading this evening, mainly in CPUG forum. Sad things are happening there.

Now I fully see why some senior members of CPUG forum came up with CPshared as an alternative.

At the moment I’m undecided what to do….. go 100% with CPshared forum or split 50:50 to CPUG and CPshared?
Just stick with my blog and ignore the rest?

One of my first thought was that we have to be really thankful for Barry Stiefel, hosting the CPUG forum all the years and keeping it going. It really takes time and effort, so THANK YOU BARRY!

What I know from Barry is that he tried several times to get Check Point as a vendor involved into CPUG. Officially, I might say. Because many CP employees are reading and posting in CPUG forum on their own, but not wearing the CP batch and only speaking for themselfs. Nevertheless, really good content from those guys. So THANK YOU CP EMPLOYEES!

The request for support or sponsoring of CPUG was not succesful, Check Point didn’t react as expected by Barry.

So, what does this mean? Is Check Point not interested in the user group? I don’t think so.

From what I’ve seen in the past years, Check Point really listens to us. I was contacted several times from Check Point directly regarding things I posted in this blog. Changes were made upon my feedback. I talk quite often with guys from product management and we discuss upcoming technology, pricing models and enduser experience with their products.
Really appreciated, by the way, so THANK YOU CP PRODUCT MANAGMENT.

Maybe it’s not about Check Point supporting their users, administrators, partners in general, but about the fact that CPUG is represented by only one person. And maybe they both had a very bad start and now things are stuck because of egos on both sides?

Having that in mind, the CPshared approach becomes even more valid. Starting over with a community site. Engaging from the beginning with CP employees, CP partners and really experienced users alltogether. Trying to get in touch with the vendor, confronting him not only with criticism, but with realistic feedback and the wish to participate and be a part of the solution.

I really have mixed feelings:

CPUG is running for so many years now and I really love the CPUGCON. Where else can you get in touch with fellow administrators, partners, instructors? CPX is a different type of event, that’s for sure.

But CPshared could be a new start for the community together with the vendor and I’d really like to see that happening.

Let’s hope that both community sites will stay respectivley become successful!

Tobias Lachmann

Check Point Open Technical Forum

Since a couple of days there a new forum available under www.cpshared.com

It’s a Check Point Open Technical Forum and want’s to connect the CP community as a whole: CP users, CP partners, CP employees and the vendor itself.

It was initiated by one of the most active members on CPUG forum and is supported by heavy weight senior members (in terms of CP knowledge) with lot’s of experience.

We will see how this forum develops, but I like the idea behind it.

Together with CPUG forum there will be an enormous amount of technical knowledge for the CP community.

Really like that idea.

Tobias Lachmann

Security Servers

There is an article, sk25766, which lists the security servers and the corresponding processes. Very useful as a reference.

Tobias Lachmann

UPDATE: Thanks to Jonathan for bringing this up: we also have in.geod as the Geo Protection part of the IPS engine. Not a real security server, but still….

New naming scheme for Endpoint

Phoneboy commented (by sending an email to blog@lachmann.org) on my previous blog entry where I complained about version numbering.

For Endpoint, they’re changing the naming scheme with the upcoming version. Instead of R80.20 it’s now E80.20 for this Endpoint Release. The gateway releases still have the “R” at the beginning.

I think this is a good way of differentiating releases, really like it.

Tobias Lachmann

Comment on this blog

Many people complained to me about the missing possibility to comment on the articles in my blog.

Well, this was done on purpose. Sadly I don’t have the time to check on comments, delete spam and make sure that everything works out well.

But that doesn’t mean that you don’t have the opportunity to comment: just send an email to blog@lachmann.org and tell me what you think about the post, what is missing and what is wrong in the blog entries. I will change it shortly and post corrections, if necessary.

I’m greatful for every sort of feedback.

Tobias Lachmann

Impressed of Endpoint Security R80.1

I have to admit that for a long time, I guess since version R71, I haven’t looked at Endpoint Security.

Back then I found it to hard to manage, not efficient enough and full of errors. Also, from a resellers point of view, not so much money to get out of it while selling this product.

But yesterday I was encouraged by Check Point to at least install R80.1 Endpoint Security Concole and play along with it in demo mode. I’ve done that and I was impressed. The console is clearly structured and now it is possible to use your exisiting objects to create firewall policies. All the tasks to get it running are shown in a getting started panel for easy access.

All in all it seems that from the management side they took a big step forward and now it looks like a really great product.

Hopefully I find the time to play along with it in the next weeks to get the full picture.

Tobias Lachmann

Release Map R70 -> R71 -> R75

While searching the SecureKnowledge I found a nice document that describes the releases from R70 until R75.

Very nice to have a graphical overview how the version are connected and following each other.

Tobias Lachmann

How to backup an UTM-1 without the Check Point backup utility

Someone confronted me with the following scenario:

An UTM-1 appliance is crashed and can’t boot properly.

Before resetting the device to factory defaults, a backup should be performed to restore the configuration afterwards.

How can you do this without booting the device and using the Check Point backup utility?

Well, the backup .tgz file you produce with backup utility is just a collection of configuration files from your local filesystem.

The backup utility uses the configuration in /var/CPbackup/schemes to determine which files to include and which files to exclude.

If you need to backup the configuration, just go for these files:

UAG

$UAGDIR/database/*
$UAGDIR/conf/*
$UAGDIR/boot/modules/*
$UAGDIR/log/*

SYSTEMCONFIG

/etc/sysconfig/*
/etc/hosts
/etc/hosts.allow
/etc/hosts.deny
/etc/resolv.conf
/etc/passwd
/etc/shadow
/etc/localtime
/etc/localtime.tz
/etc/snmp/*
/var/net-snmp/*
/home/*
/etc/cpshell/*
/etc/ethers
/etc/raddb
/etc/dhcpd.conf
/opt/spwm/conf/cp_http_admin_server.conf
/var/CPbackup/conf/backup_sched.conf
/var/spool/cron

SVN

/var$CPDIR/registry/*
/var$CPDIR/conf/*
$CPDIR/database/*
/var$CPDIR/log/*

$RTDIR/scripts/*
$RTDIR/conf/*
/var$RTDIR/Database/*
$RTDIR/log/*

PERFORMANCEPACK

$PPKDIR/boot/modules

FWLOGS

/var$FWDIR/log

FW1

/var$FWDIR/conf/*
/var$FWDIR/database/*
/var$FWDIR/state/*
$FWDIR/lib/*.pf
$FWDIR/boot/

FG1

$FGDIR/conf/*
$FGDIR/scripts/*
$FGDIR/boot/modules/*
$FGDIR/log/*

CVPN

$CVPNDIR/conf/*
$CVPNDIR/var/*
$CVPNDIR/sync_files/*
$CVPNDIR/mgmt_conf_files/*
$CVPNDIR/htdocs/Mail/data
$CVPNDIR/htdocs/Mail/attachments
$CVPNDIR/htdocs/Login/images/CompanyLogo.gif
$CVPNDIR/htdocs/sre/descr/
$CVPNDIR/htdocs/sre/data/manual_rules.xml
$CVPNDIR/htdocs/sre/ICSScanner.cab
$CVPNDIR/htdocs/sre/SetupBrowser.exe
$WEBISDIR/conf/*

Since the device is not running, the variables are not filled with the correct values. For a R71 installation the variables have to be substituted with the following values:

CPDIR=/opt/CPshrd-R71 CPMDIR=/opt/CPsuite-R71/fw1 CVPNDIR=/opt/CPcvpn-R71 FGDIR=/opt/CPsuite-R71/fg1 FWDIR=/opt/CPsuite-R71/fw1 RTDIR=/opt/CPrt-R71 WEBDIR=/opt/CPportal-R71/webis PPKDIR/opt/CPppak-R71/

You can boot an UTM-1 appliance from a live Linux CD or DVD, using an USB-DVD drive connected to the appliance.

While SPLAT is using normal partitions, the UTM-1 appliances use the Logical Volume Manager lvm. So the operating system you use should be able to deal with these LVM partitions. I use this modified grml system for this purpose.

On the boot screen you have to add some parameters for the startup process:

Some information and boot options available via keys F2 - F10. http://grml.org/ grml 2010.04 - Release Codename Grmlmonster 2010.04.29 boot: serial debug=noscreen lang=de lvm
When grml was finished, it has a console with all the needed tools. LVM is loaded already.

Check for the volume groups on the hard drive with the vgscan command:

root@grml ~ # vgscan -v Wiping cache of LVM-capable devices Wiping internal VG cache Reading all physical volumes. This may take a while... Finding all volume groups Finding volume group "vg_splat" Found volume group "vg_splat" using metadata type lvm2

Activate the logical volumes with vgchange:

root@grml ~ # vgchange -a y 6 logical volume(s) in volume group "vg_splat" now active

Now you can display the volume group with vgdisplay:

root@grml ~ # vgdisplay --- Volume group --- VG Name vg_splat System ID Format lvm2 Metadata Areas 1 Metadata Sequence No 7 VG Access read/write VG Status resizable MAX LV 255 Cur LV 6 Open LV 0 Max PV 255 Cur PV 1 Act PV 1 VG Size 72.47 GiB PE Size 4.00 MiB Total PE 18553 Alloc PE / Size 7424 / 29.00 GiB Free PE / Size 11129 / 43.47 GiB VG UUID dCQA6u-z70X-LIsE-Xhmb-n5ho-ZMrX-JyBePy

You can display the logical volumes with lvscan:

root@grml ~ # lvscan ACTIVE '/dev/vg_splat/lv_current' [5.00 GiB] inherit ACTIVE '/dev/vg_splat/lv_log' [10.00 GiB] inherit ACTIVE '/dev/vg_splat/lv_hfa' [5.00 GiB] inherit ACTIVE '/dev/vg_splat/lv_upgrade' [5.00 GiB] inherit ACTIVE '/dev/vg_splat/lv_fcd' [2.00 GiB] inherit ACTIVE '/dev/vg_splat/lv_fcd62' [2.00 GiB] inherit

Mount the logical volume lv_current in /tmp

mkdir /tmp/utm1/ mount /dev/vg_splat/lv_current /tmp/utm1/

Change to /tmp/utm1 and you’re in the root directory of your UTM-1 appliance.

From there go to the directories listed above and get your files.
Transfer them over the network with scp or copy them to a USB stick.

After you did a backup of all the files you can do the factory reset.
When the initial system and software installation is done, just boot into maintenance mode and copy the backup files to the appropriate location on the appliance.

After a restart of the system you have your old configuration working.

Tobias Lachmann

Endpoint Security R80.10 available

Endpoint Security is now available in version R80.10.

Check out sk61022 for details.
Make sure to read the release note and known limitations.

Man, I wish Check Point would be clearer in version numbering. Sometimes it here to track which versions work together…

Tobias Lachmann

Check Point and support for Apple products

Some of you may have already discovered it by themselfs, other may have read it in Valeri Loukine’s latest blog entry:

Check Point has a VPN solution for iPhone and IPad and now there’s also a public demo available.

To be precise, Check Point had support for iPhone from the beginning, the client is not new.

But what bothers me is the fact that the Check Point solution is not recognized in the market and by the customers. See the latest Gartner Maquic Quadrant for SSL VPN to have it black on white.

Why’s that? Well I think in the first place there’s an iPhone VPN client because Gil Shwed has gotten himself an iPhone and wanted to connect to his company. This may be the reason we have this solution. But besides from that, I can’t see no real platform strategie for VPN clients. Check Point has Windows clients which are really way ahead. But when it comes to Mac OSX and Linux, nothing really comparable to Cisco or Juniper.

I have stressed it before, customers want support for all their operation systems when they make a decision for a new VPN solution. And it is not uncommon that a Check Point gateway is securing the perimeter and has the site-2-site VPN connections, but a gateway from another vendor is doing the remote access.

Would be really interesting to discuss this issue with some guys from Check Point directly. But I’m not working for a platinum Check Point partner or have massive sales volume with this kind of products…. so I don’t think I will get the chance to talk to someone on CPX.

If any of you has some information or rumours, please let me know

Tobias Lachmann

Check Point Experience (CPX) in Barcelona

Check Point will have two CPX events this year, one in Chicago and one in Barcelona.

I will attend the CPX in Barcelona and I’m really looking forward to it.

If you’re solely technical oriented, CPX will not provide so much new stuff for you.

But it’s one of the precious moments where you can have a deep inside look on upcoming strategies from Check Point.

And, above all, you can meet with the guys from Check Point in real life you might know by now only from phone or mail.

Hopefully many of my CP contacts can manage to attend, all the beers are on me

Also I hope that some of you guys who read this blog are around. If you see me, make sure to pass by and have a little chat and a drink. I’m really interested in sharing experience, opinions and thoughts with all of you.

C U in Barcelona!

Tobias Lachmann

Keep up-to-date with SecureKnowledge and documentation

A very good tool for keeping up with changes in SecureKnowledge and documentation is the subscription in your UserCenter account.

Simply click within the UserCenter on “My Profile” and then on “My Subscriptions”. Here you can add all the topics you’re interested in.

If, for example, you subscribed to Secure Knowledge articles on Secure Platform, you will get a summary mail every week that contain a list of all articles that are new or modified and deal with this topic.

Personally I addedd all the topics and all the fields, SecureKnowledge, Documentation and Downloads.

So I’m always up to date and sometimes discover new or forgotten informationen that are relevant for me.

Tobias Lachmann

Performance analysis

There is a nice article in SecureKnowledge which points out how to analyze the system performance. See sk33781 for details.

The article isn’t only about performance, but also gives good troubleshooting hints and explanations about values and possible errors (especially true for the memory section).

Really worth reading. And you should try to understand every part of the sk, if something is unclear, investigate. Knowing this stuff is important.

Tobias Lachmann

Snow Leopard support with SNX available

It’s a shame that Check Point doesn’t see the potential in the Mac OSX operating system at the moment. I know that by numbers the Windows operating system family is much more attractive when it comes to developing clients version.

But today most companies are facing heterogeneous environments with a mixture of clients, windows clients as well as Mac OS and even Linux. And when it comes to choosing a new VPN solution, a key factor is the ability to support all operating systems existing in the company.

Luckily for us Check Point now has support for Mac OSX 10.6 aka Snow Leopard. See sk32162 for details.

Now that we have support for the current versions of Windows and Mac OSX, I hope this situation will last.
At the moment Apple is announcing Mac OX 10.7 aka Lion for summer 2011 and I don’t think that we will have a current VPN solution for it ready at the release date of closely afterwards. If so, it would be a big step forwards towards customer acceptance.

Tobias Lachmann

Recent changes….

Dear reader,

lately I haven’t been writing as much as I used to. This is because I switched to a new employer, the

akquinet system integration GmbH in Hamburg

Currently I’m busy with developing the enhanced network and network security portfolio and establishing product partnerships. As you might imagine, this is a time consuming process and a lot of work. But I’m very confident that I’m able to blog more frequently in the near future and I also have material ready for upcoming articles.

By the way: if you need any kind of help with Check Point products, you can hire me for projects or troubleshootings all over Europe. You can contact me directly over tobias.lachmann@akquinet.de

Tobias Lachmann

R75 HFA1 EA for Remote Access Client available

Check Point offers a public early availability version of the new R75 HFA1 Remote Access Clients.

We now have Endpoint Security VPN which replaces SecureClient and Endpoint Connect, giving you VPN funtionality along with SCV and desktop firewall.

Check Point Mobile for Windows is the successor of Endpoint Connect on mobile devices.

SecuRemote R75 is the long-awaited VPN-only client with support for Windows 7.

In general, all the clients are available for the following operating systems:

Windows XP 32 bit with SP2 or SP3
Windows Vista 32 bit or 64 bit with SP1
Windows 7 32 bit or 63 bit with all editions

You can apply for the EA over the UserCenter -> Products -> Early availability.

The Release Notes can be found here.

Please take special notice that the clients are supported on R71.30 and R75 platforms without the need of a special hotfix. However, SecureRemote R75 is not supported on Check Point R75 installations, but will be with R75.10.

Tobias Lachmann

R71.30 available

The new R71.30 packages are available since the beginning of January.

We have the first customer running this build without problems.

New for this release are some modification to the Provider-1 SmartConsole for better object handling, support for new VPN clients, such as iPhone and iPad, as well as support for Windows 7 (32/64 bit) and finally support for MacOS 10.6 on SNX.

The rest are smaller improvements that will not affect most of us in daily business.

Check out the release notes , known limitations and resolved issues.

Tobias Lachmann

Upgrade from R70.40 to R71.20

As described in a previous blog entry systems running R70.40 could not be upgraded without uninstalling R70.40 before.

Check Point know published the knowledge base entry sk59481 which describes a way to update such systems to R71.20 using R71.20 migration tools.

Seems that Check Point learned a lesson from the dead end with R65.4 and found a way to prevent stressful migrations for the admins.

Tobias Lachmann

Failed to parse topology: Missing node MgmtInternalCA inside set in the topology

This week we had a very strange error concerning UTM-1 Full-HA clusters.

As you may remember, an UTM-1 Full-HA cluster contains of two UTM-1 appliances running as cluster concerning the gateway part and with primary and secondary management installed on them running with management high availability.

We had the error that all our VPN connections to remote sites broke suddenly. The UTM-1 Edge appliances on the locations showed the following error message in the logs:

Error: Failed to parse topology: Missing node MgmtInternalCA inside set in the topology

Together with Check Point TAC in Israel we found out that the root cause of this issue was our SmartConsole client. While accessing the management with the client, it changed the value of the two UTM-1 objects from utm_cluster_member to cluster_member in the background.

This ment that the appliances were still considered to have gateway functionality on them, but the management part was not recognized and so Mgmt-HA broke. And, since there was no InternalCA in the objects_5_0.C, the parsing on the UTM-1 Edge appliances went wrong and VPN could not be established.

This can only be fixed by changes made by Check Point programmers by hand, unless you have a valid backup from before the changes.

Luckely for us, we found a valid object_5_0.C file on the secondary UTM-1, which didn’t contain the wrong information as this was not replicated from the primary UTM-1 due to broken MgMt-HA.

As far as I’m aware of, there is no other reference to this error message anywhere to be found and there’s no SK at the moment for it.

We believe that the SmartConsole client was acting that way for one of the two reasons:

a) it was running on a Windows Terminal Server
b) lot’s of different SmartConsoles clients from various version were installed on the system, causing interferrences with each other

Tobias Lachmann

New blog dealing with Check Point

For some reason lately I was not publishing as intense as I did in the past.

But still there is a good news for all you guys dealing with Check Point products out there.

Valeri Loukine, CCMA from Switzerland, started this own blog about Check Point.

I met Valeri on CPUGCON 2009 and I look up to him for being such an expert on Check Point products with so much experience.

Check out his blog!

Tobias Lachmann

R75 was released!

The brandnew R75 version was released today.

Check out the info page with all the relevant information!

Tobias Lachmann

Problem with SmartCenter fix from sk58360

When you install the Netfix package mentioned in sk58360 there’s the possibility that you run into a problem under certain conditions.

If your system is running R71(.x) and you did an in-place upgrade from R70 instead of a fresh install, then you will find that you still have the directory /opt/CPEdgecmp-R70.

With a fresh install the directory is /opt/CPEdgecmp-R71.

The you run commands on the upgraded R71 system, you will find this versions:

[Expert@fw]# $FWDIR/bin/sms -version SofaWare Management Server version 8.1.0.18

[Expert@fw]# /opt/CPEdgecmp-R70/bin/SofawareLoader -version SofaWare Loader version 8.1.0.6

If you do the same on a freshly installed system the versions are:
[Expert@fw]# $FWDIR/bin/sms -version SofaWare Management Server version 8.1.0.18

[Expert@fw]# /opt/CPEdgecmp-R71/bin/SofawareLoader -version SofaWare Loader version 8.1.0.11

Because of the very small change in the version of SofawareLoader, Check Point leaves this package untouched in the process of upgrading.

Now here lies the problem with the upgrade script that you need to run when you want to use the new 8.2.x Edge firmware.

The script checks for the version using the fwm -ver command.
When it finds R71 installed it assumes that the files that need to be modified are under /opt/CPEdgecmp-R71 instead of /opt/CPEdgecmp-R70.

Since this directory does not exist, the script will fail.

Bad QA done by Check Point here I have to say ;-(

The solution here can be one of the following two:

modify the update script to choose the right directory according to your system

create a symbolic link for the /opt/CPEdgecmp-R71 directory that points to the /opt/CPEdgecmp-R70 directory.

With this modifications the script will execute right and you can start using the new firmware together with a SmartCenter.

Tobias Lachmann

New UTM-1 Edge firmware 8.2.26 available

Check Point has a new firmware for the Edge series available since 6th of December.

If you look into the release notes you’ll find some interesting new features.

The UTM-1 Edge N-Series appliances can now be equiped with a cellular modem inserted into the ExpressCard slot and can also handle Gigabit SFP ports. A nice feature when you want to connect the appliance using fiber instead of copper.

Then, routing support on the N-series has been enhanced für PIM-SM, DVMRP and RIP.

A very nice feature for all platforms is the ability to do full URL logging and enhanced URL filtering.

And for troubleshooting purposes it is now possible to select the interface from which you want to run Ping and Traceroute tool.

Please be advised that you need to install the SmartCenter upgrade package when the Edge is connected to a Management. Refer to sk58360 for details.

When you look for the download in the Check Point Support center, please note that we have three versions of firmware images: one for the X-series, one for the X-series with ADSL-support and one for the new N-series.

Tobias Lachmann

UTM-1 Edge firmware 8.1.47 available

There’s a new UTM-1 Edge appliance firmware available, release 8.1.47.

Some minor fixes, check out the release notes.

Don’t forget to update your libsw on the security management when updating the firmware.

Tobias Lachmann

Monitoring physical and virtual cluster interfaces from one host

This one bit me some days ago. My freshly installed cluster was intended to be monitored from a system within the internal LAN.
But for some reason I didn’t got a PING back from the master on one or the other interface.

Then I found the sk38623 which described the behaviour. Short explanation: the connection table may contain two entries with same source and destination ip address as well as same source and destination port. This creates an error and the second connection is dropped.

What can be done to solve this issue is to issue

fw ctl set int fw_allow_simultaneous_ping 1

on the CLI and/or setting this in the $FWDIR/boot/modules/fwkern.conf file.

See sk26202 for details on how to do this.

Tobias Lachmann

Edge reboot suddenly due to time problem

I just saw the sk56641 and like to quote from it:

“The cause of this problem is related to a specific counter that elapses every 13.6 years and is not expected to happen again in the life time of the device.”

Doesn’t Check Point believe in the Edge as a product? Why shouldn’t we experience this again
13.6 years is no time!!!!

Really, that one made my day. LOL.

Tobias Lachmann

R71.20

Ok ok…. I know I’m a little late for this one…. but R71.20 was released a week ago.

Check out the Release Notes, the Known Limitations and the Resolved Issues.

As you can see, quite a few fixed bugs. Especially the swap process running wild hit me a few times on customer equipment, so I’m glad that it is now fixed.

If you don’t experience any problems and dont want to manage SG-80 appliances, it think it’s safe to skip this update. Or at least wait until others have found the bugs in it

Tobias Lachmann

IPv6 testing (part 1) – let the games begin

As promised, I’m going to write about the experiences I make while testing Check Point security gateways and IPv6.

First I’d like to introduce you to the lab setup that I chose:

IPv6 test environment

We have a Windows 7 PC as client which also has the SmartConsoles installed. The PC is connected to a Cisco router which is doing some basic routing. In the network right behind the router we have the Security Management server (aka SmartCenter) and the external interfaces of our two Security Gateway nodes, all connected to a Cisco Switch.

Behind the Security Gateways we have another Cisco Switch and a server which will be accessed by our client PC.

First I started with getting my equipment running with IPv4 addresses.
There is a need for this as some limitations apply. Every interface needs to have an IPv4 address when you want to configure IPv6 on it. And, on sync interfaces for ClusterXL you can only use IPv4.

When installing the SPLAT on the Security Gateways and Security Management, first you must check out the R70 IPv6Pack Release Notes.

For the setup of the R70 IPv6Pack on the gateways there’s a prerequisite of having version R70.1 installed.

On the Security Management however, IPv6Pack Management hotfix with R70.1 is only supported in a stand-alone environment. For the distributed installation you need R70.30 or R71.

This information is very important and at the moment I’m not sure how future version are supported by IPv6 pack (R71.10, R71.20, R71.30, R75??).

My production environment has R71.10 installed on the management, so no IPv6 here ;-(

But let’s move on with the lab environment.

First we install the IPv6 pack add-on on the Security Management. I chose R71 for the management and needed to download this file.
Precise installation instructions can be found in the Release Notes starting at page 15.

Then I generated IPv6 licenses for the gateways and the management. The IPv6 license is free of charge and can be created within the UserCenter. Just go to your products and select “Activate Advanced Features” tab to proceed.

After licensing was done in UserCenter, I attached the licenses to the gateways and management using SmartUpdate. After closing all SmartConsoles and opening them again, IPv6 options became available in SmartDashboard.

The rulebase is plain and simple for testing, ANY-ANY-ANY-ACCEPT.

Then I downloaded and installed the IPv6 Pack add-on on the gateways.

After a reboot I had to create a script int /etc/rc.d/rc3.d for setting up IPv6 during startup. Details on how to do that can be found in the Relase Notes or SecureKnowledge as well. Then run $FWDIR/scripts/fwipv6_enable on to enable IPv6 within the gateway. As far as I understood, we’re having two firewall kernel then, one handling IPv4, the other handling IPv6.

Finally I turned off Stateless Address Auto Configuration so that no IPv6 enabled router in the same segment as the firewall could lead to auto-configuration security breaches.

Having setup the gateways interfaces I now configured my Windows 7 PC and the Cisco Router with the desired IPv6 addresses from the subnets I chose.

Then I did a IPv6 ping from the Windows 7 to the inner interface of the router to check connectivity, which worked. Then I ping-ed the outer router interface, leading to the firewall, which also worked. Then I did a ping to the ip addresses of the cluster members – and this failed. I first had a look to the routing table of the Cisco router:

Router#sho ipv6 route IPv6 Routing Table - 8 entries Codes: C - Connected, L - Local, S - Static, R - RIP, B - BGP U - Per-user Static route I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea O - OSPF intra, OI - OSPF inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2 S 2B02:AD0:1800::/37 [1/0] via 2B02:AD0:2000:0:26:E8FF:FE08:768E C 2B02:AD0:2000::/37 [0/0] via ::, FastEthernet0 L 2A02:AD0:2000:0:26:E8FF:FE08:778E/128 [0/0] via ::, FastEthernet0 S 2B02:AD0:2800::/37 [1/0] via 2B02:AD0:2000:0:26:E8FF:FE08:768E C 2B02:AD0:3000::/37 [0/0] via ::, Ethernet0 L 2B02:AD0:3000:0:26:E8FF:FE08:778E/128 [0/0] via ::, Ethernet0 L FE80::/10 [0/0] via ::, Null0 L FF00::/8 [0/0] via ::, Null0

Seemed ok, all needed network were there. But obviousley the packets were not routed to the firewall. Then I realised that a Cisco router needs to be configured for doing IPv6 routing with the command ipv6 unicast-routing. After that command I was able to ping the ip addresses of my gateways.

In the next article we will have a look at the IPv6 from the Check Point gateways side and what is different from IPv4.

Tobias Lachmann

Error connecting to SmartCenter with GUI

I encountered an error while connecting with SmartDashboard to a NGX R65 SmartCenter server. The error message indicated a problem with the $FWDIR/conf/gui-clients and I checked for the right IP address in there. Even setting it to Any didn’t solve the problem.

While looking with fw ctl zdebug drop on the gateway after the connection attempt from the GUI client, no drops were seen.

Debugging with fw debug fwm on and examining $FWDIR/log/fwm.elg didn’t show any error or a reason for requection, it just seemed that the SmartCenter closed the connection right after login.

How did I solve this? Simple: cpstop; cpstart

The system was running for more than 450 days and it just seemed that some part of the fwm process had trouble.

Just remember that sometimes it can be a good idea to restart the software and/or the server

Tobias Lachmann

SecureClient Next Generation – Endpoint Security VPN R75 is available

The new SecureClient Next Generation is now officially available. It is called Endpoint Security VPN R75 and is replacing the old SecureClient and also Endpoint Connect.

The look and feel of the client is quite nice, it connected without problems (or hotfix) to an environment running NGX R65 gateways with R71.10 management and to an UTM-1 cluster running R71.10.

Check out the overview page for the new client and the release notes.

Personally I think I will wait till more recent version of the hotfix are available or until the support for this client is build into the next service pack.

NGX R65 is end-of-support next march, so why bother with this old version? And R70.40 is a dead end and cannot be upgraded easily, so I will not operate a gateway with that version.

Better wait for R71.30 and use this HFA when it is known to have no severe errors.

Tobias Lachmann

Getting in contact with me

If you want to contact me, there are several ways:

just write to blog@lachmann.org
contact me on XING (invitation link if you’re not yet on XING)
contact me on LinkedIn

XING is preferred for business contacts. And I’d love to get any kind of feedback via email.

Don’t hesitate to contact me in any way

Tobias Lachmann

IPv6 reading suggestions

Silvia Hagen wrote two brilliant books on IPv6 and I recommend to read at least one when you’re trying to work with IPv6.

IPv6 Essentials by O’Reilly (english)
IPv6. Grundlagen – Funktionalität – Integration by Sunny Edition (german)

I started with the german version and now I’m trying to figure out how to operate a Check Point gateway correctly with IPv6.

At the moment I see lot’s of burden and it seems that Check Point is not quite IPv6-ready yet.

Will post my findings in the next weeks in detail.

Tobias Lachmann

Adding routes on an UTM-1 over the command line

I recently became aware that some people searched for a way to add routes on an UTM-1 not over the WebUI but on the command line.

Well, this can be done using the normal OS related commands:

Example:

route add route add -net 192.168.1.0/24 gw 192.168.2.1 route --save

Please refer to SecurePlatform Administration Guide for reference.

Tobias Lachmann

Inside SG-80

I got some info about the hardware of the new SG-80 appliance from Check Point, thanks to Marko.

The processor is a ARM926EJ-S so we’re leaving the x86 world with this appliance. The hardware is quite capable and ok for smaller branches, so no problem here.

After reviewing the SG-80 known limitations I wonder why these exist? Is it that hard to adapt the Check Point code to this platform?

Why is AntiVirus on POP3 and content based AntiSpam not supported? These two seem essential for the desired positioning of this gateway as all-in-one solution for remotes offices.

Why is there no SNMP-Monitoring and no SmartUpdate, no SmartProvisioning?
How are we supposed to manage and monitor this appliance in an enterprise environment?

As a first approach, the SG-80 is ok for some deployment situations.
But the software needs to evolve and present all the features that we’re used to.

Hopefully GAIA will sort these kind of things……

Tobias Lachmann

My presentations from the Check Point User Group Conference 2010 in Chur/CH

After finishing the CPUGCON2010 I arrived back in Hamburg.

Here are the slides for my presentations:

Tobias Lachmann

IPv6 Extension Headers support

After hearing two great presentations about IPv6 delivered by Silvia Hagen yesterday, I digged into the IPv6 capabilities of Check Point software.

Really quick I came up that Check Point isn’t supporting all Extension Headers in IPv6.

As standard only Fragmentations Headers are supported, by editing the $FWDIR/lib/table.def also more Extension Headers were enabled. Enabled means here that these headers are accepted but no content inspection is performed on this headers.

I’m fairly new to IPv6 at the moment, but letting packets through with no inspection on specific parts of the packet doesn’t seem to be a good idea.

Hopefully I will find out more and then I will present my findings to you.

Tobias Lachmann

Learned something new – or again?

Checking the current number of connections can be done with the command fw tab -t connections -s

Especially when you do a Full Connectivity Update in a ClusterXL environment, you need to verify that both members have nearly the same amount of connections.

When I did this in the past, I opened SSH connections to both nodes and issued the command.

Thanks to the presentation of Yasushi Kono yesterday I now know (again?), that this command can be issued also on the management server to get values from both firewall nodes. Just add the target(s) as option to the command:

[Expert@fwm]# fw tab -t connections -s fw1 fw2 HOST NAME ID #VALS #PEAK #SLINKS fw1 connections 58 137867 250322 508451 fw2 connections 8158 137560 250310 507258

Much more comfortable…

Tobias Lachmann

Upcoming book on R75

Yasushi Kono, Check Point Trainer at Computerlinks, will update his brilliant book Check Point VPN-1 Power to the R75 version in the beginning of the next year.

Make sure to check it out, it’ll be the perfect reference book!

Tobias Lachmann

In Chur again

It’s the night before the Check Point User Group conference 2010 and I just returned from a nice dinner with Barry, the guys from Würth and all the others speakers.

I’m excited to see who’s attending this years and I’m thrilled about the upcoming discussion and our favorit products.

Tobias Lachmann

Antivirus

All applications like SmartView Monitor get the information about the Anti Virus version running on the Security Gateway by reading the following one of the following files:

R70 – $FWDIR/av/ca/update/incoming/Anti_Virus.entitlement.C
R71 – $FWDIR/av/kav/update/incoming/KSS_AV.entitlement.C

Tobias Lachmann

Emulation of UTM-1 appliance in VMware with R70

With NGX R65, you could install the UTM-1 ISO image into a VMware machine for testing purposes.
Starting with R70, the installation worked, but no network connectivity afterwards.

The reason for this is that a script probes if the hardware running the UTM-1 image is an appliance or not.

For that purpose the following commands are issued:

[Expert@cpfw01]# dmiparse "System Information" "Manufacturer:" Crossbeam Systems Inc. [Expert@cpfw01]# dmiparse "System Information" "Product Name:" C2_UTM

This information is used to parse the file /etc/sysconfig/ethmap.database which contains information about the interface setup of the specific appliance.

This leads to the creation of a corresponding /etc/sysconfig/ethmap file, derived from ethmap.appliance.advance, ethmap.appliance.plus or ethmap.appliance.regular.

This could look like this:

[Expert@cpmodule]# cat ethmap Internal eth0 External eth1 DMZ eth2 Lan1 eth3 Lan2 eth4 Lan3 eth5 Lan4 eth6 Lan5 eth7 Lan6 eth8 Lan7 eth9

This information is also used when netconf.C is created. Since the dmiparse command doesn’t give the information that we’re dealing with an appliance from Check Point, the mapping goes wrong and we have wrong information in netconf.C.

[Expert@cpmodule]# cat netconf.C.backup (conf : (conns : (conn :ifname (Internal) :type (1) :ipaddr ("192.168.1.1/24") :s-code (0) ) : (conn :ifname (lo) :type (6) :ipaddr ("127.0.0.1/8") :s-code (0) ) ) : (routes : (route :dest (default) :via (192.168.1.254) :metric (0) ) ) )

The solution to that problem is to simply change the ifname in netconf.C to the appropriate interface name like eth0.

For that purpose, login to the console over the VMware client, using admin/admin as username / password combination. Change to expert mode and edit the netconf.C like this:

[Expert@cpmodule]# cat netconf.C (conf : (conns : (conn :ifname (eth0) :type (1) :ipaddr ("212.1.57.221/23") :s-code (0) ) : (conn :ifname (lo) :type (6) :ipaddr ("127.0.0.1/8") :s-code (0) ) ) : (routes : (route :dest (default) :via (192.168.1.254) :metric (0) ) ) )

Now you can access the WebUI of your UTM-1 in the VMware and continue configuring like normal. There’s no problem configuring also all remaining interfaces, which are not in the netconf.C in the moment.

Tobias Lachmann

Documents related to troubleshooting

The Check Point knowledge base contains a lot of useful documents related to troubleshooting. Here’s a selection. Feel free to send an email to blog@lachmann.org when you think that a document is missing in the list.

SmartSPLAT – very nice SSH GUI client for SPLAT

I’d like to share with you that today I got aware of the project SmartSPLAT.

Cagdas Ulucan, CCSE+ from Turkey, developed a nice GUI that uses a simple SSH connection to login into your SPLAT-based box and display, change and collect a lot of useful information.

The three shell windows show output of fw monitor, actual fw logging and the main commands, parameters for them can be set using the GUI.

When you click on a button (for example “debug vpn”), you can actually see what commands are issued to the shell, so here you have a learning effect.

The tool has a build-in ftp and syslog server, so produced debug files can the uploaded easily.

At the first moment you’re overwhelmed of all the tabs that address different (troubleshooting) topics, but I think the GUI will improve and Cagdas will find a way to enhance the presentation of his tool.

What is really cool is the cluster view, where you have a windows with two panes, each representing one cluster member. An easy way to send commands to both cluster members and compare the results!

Try his tool, it’s completely free and very very useful.
Send him his suggestion for improvement and make it even better.

Tobias Lachmann

resize2fs: Operation not permitted While trying to add group #128

Today I tried to increase the logical volume on a UTM-1 appliance as described before in this blog.

I got the error
resize2fs: Operation not permitted While trying to add group #128
when issuing the resize2fs command.

The solution to this problem: the journal was to small and had to be re-created:

[Expert@firewall]# dumpe2fs /dev/vg_splat/lv_log | grep Journal size
Journal size: 32M

[Expert@firewall]# tune2fs -O ^has_journal /dev/vg_splat/lv_log

[Expert@firewall]# tune2fs -j /dev/vg_splat/log
Creating journal inode:
done

[Expert@firewall]# dumpe2fs /dev/vg_splat/lv_log | grep Journal size
Journal size: 128M

After that do a filesystem check and issue the resize2fs command, which will succeed.

Tobias Lachmann

Increasing HTTP connection buffer for Anti Virus scanning

Just stumbled about sk36090 which describes that Anti Virus scanning for HTTP traffic can significantly slows down browsing.
The resolution is easy, just increase the buffer assigned to each HTTP connection.

Go to Policy -> Global Properties -> SmartDashboard Customization. Click on Advanced Configuration.

Change the http_buffers_size from 4096 bytes to a higher value. Since the default number of concurrent connections is 1000 for HTTP, changing the parameter to the maximum of 65500 bytes would only allocate ~ 63 MB for all buffers together, so why not go with the max?

Tobias Lachmann

Application Control – the next big thing?

Check Point announced their new Application Control software blade.

Not it is not only possible to use URL filtering for blocking or allowing specific sites, but also to determine what exactly is allowed or denied.
For example: allow Facebook in general, but block Facebook games.

The AppWiki database is listing several thousand webbased applications to choose from for use in your policy.

Like DLP, this blade comes with UserCheck technology. This resident (Windows) client allows the gateway to interact with the user. If for example access to YouTube is allowed only for business use and not for personal use, UserCheck can present a dialog to the user asking what’s the intended purpose of visiting the site. If the user confirms that it’s for business, he is allowed to access the site.

At the moment I’m wondering if this is the next big thing….. will customers buy this blade and enforce their very own policy? Will this be a considerable alternative to pure content inspection products like WebWasher? What are the implications for the company security policy? Who’s defining the allow/block lists?

To be honest, I’m not sure at the moment how customers will use the technology.

Maybe for them it’s enough to block one or two specific apps as reason to buy this blade.

Maybe it’s getting as complex as a full-blown IPS solution with a security engineer defining policies and checking logs all day…. and how many companies can afford that?

I guess we have to wait some time to see where it’s going…

Tobias Lachmann

new kernel modules starting with R70

On a SPLAT machine, which is based on (RedHat) linux, the Check Point software is running as user mode process or as linux kernel module.

This modules can be shown using lsmod

[Expert@firewall]# lsmod Module Size Used by Tainted: PF rtmmod_smp.2.4.21.cp.i686 281120 1 bridge 27680 0 (autoclean) (unused) vpnmod_smp.2.4.21.cp.i686 1269512 3 fwmod_smp.2.4.21.cp.i686 7858176 11 simmod_smp.2.4.21.cp.i686 827904 1 vpntmod_smp.2.4.21.cp.i686 13808 0 (unused) e1000 126728 6 bnx2 79432 2 crc32 3592 0 [bnx2] sg 38092 0 (autoclean) (unused) microcode 7072 0 (autoclean) ide-cd 35840 0 (autoclean) cdrom 33248 0 (autoclean) [ide-cd] dm-mod 59428 0 keybdev 3048 0 (unused) mousedev 5688 0 (unused) hid 22628 0 (unused) input 5504 0 [keybdev mousedev hid] ehci-hcd 20968 0 (unused) usb-uhci 27308 0 (unused) usbcore 79680 1 [hid ehci-hcd usb-uhci] ext3 92840 5 jbd 54056 5 [ext3] cciss 70432 12 sd_mod 14128 0 (unused) scsi_mod 118312 2 [sg cciss sd_mod]

When Check Point is referring to the firewall kernel, they’re actually talking about this linux kernel modules.

The Check Point kernel itself is composed of several modules, which can be shown using the fw ctl debug -h command.

In NGX we had the following:

fw “Firewall Module”
VPN “VPN Module”
FG-1 “Floodgate-1 QoS Module”
H323 “VoIP H.323 Module”
BOA “Malicious Code Protection Module”
WS “SmartDefense Web Intelligence Module”
CPAS “Active Streaming Module”
CLUSTER “ClusterXL Module”
RTM “SmartView Monitor Module”

Now with R70 and Software Blades, we have some more kernel modules:

kiss ???
kissflow ???
multik ???
SFT ???
CI ???
fw “Firewall Module”
VPN “VPN Module”
FG-1 “Floodgate-1 QoS Module”
H323 “VoIP H.323 Module”
BOA “Malicious Code Protection Module”
WS “SmartDefense Web Intelligence Module”
CPAS “Active Streaming Module”
CLUSTER “ClusterXL Module”
RTM “SmartView Monitor Module”

In the moment I have not found any reference for the new modules, no explanation of the modules itself or the modul kernel debugging options.

I opened a service request with Check Point to get this information.

Tobias Lachmann

code generator for fw monitor and tcpdump

Joost de Cock has a PHP application running on this site which allows you to easily create INSPECT code to use with the fw monitor command or an equivalent expressions to use with tcpdump.

A very handy tool, try it!

Tobias Lachmann

Determine current Antivirus version

We’ve seen problems with updating the AntiVirus patterns in the past on UTM-1 appliances.
Somehow the reported version numbers seemed wrong.

But where to check what’s the current version?

Easy answer to that:
http://sigcheck.checkpoint.com/Siglist2.txt

Compare your version from SmartView Monitor or avsu_client to the version you see on the above page.

Tobias Lachmann

DLP again

Well, some thoughts about DLP were in my mind for some time and I want to write them down.

First, DLP is about unintentional data loss. There are always ways to get data out of a secure area, if it’s by USB drives, HTTPS upload, CD-Rs, steganography or what so ever. It’s nearly impossible to prevent data leaks completely.

But that’s not what DLP is aiming for… it’s for the user that accidental chooses the wrong email-adress or picks the wrong file for uploading on a website. And for that purpose, it’s totally sufficient.

The underlaying engine which does the processing is amazing and you can do all kinds of stuff with the data types. For most of your requirements Check Point brings build-in datatypes, if it’s credit card numbers or social security numbers.

Second: the hard part with DLP is to define a company policy and a list of data that should not leave the company. This is were technical and organizational security meet and the biggest challenge.

Concerning the DLP-1 appliances that I mentioned before, I have some information about the hardware.

The DLP-1 2571 has Dual Core CPU, 4 GB RAM and 500 GB HDD, so it’s pretty much a UTM-1 3070 series appliance with more memory and HDD.

The DLP-1 9571 is based on the Power-1 9075 and comes with 2x QuadCore CPU, 8 GB RAM and 2x 1 TB HDD.

Internal Check Point sources say that by now it’s safe to assume that for real live traffic you have to divide the performance numbers by 4. This will change with the next releases that improve performance.

If you haven’t noticed, DLP-1 appliances come with UserDirectory blade to allow easy connectivity to Activce Directory domains or LDAP directories.

DLP-1 will be able to scan also HTTPS traffic in the near future (Q1/11) and I’m really looking forward to that feature.

If someone has solid hands-on experience with a DLP implementation, please share them with me: blog@lachmann.org

Tobias Lachmann

New Check Point Series 80 Appliance

Check Point released a new appliance, the SG80 or Series 80 appliance.
It is aimed for branch offices and it is positioned between UTM-1 appliances and UTM-1 Edge appliances.
Performance-wise it is very close to the bigger UTM-1 appliances, if we can trust die datasheets.
The specs are:

Firewall Throughput 1500 Mbps
VPN Throughput 220 Mbps
IPS Throughput 720 Mbps
AV Throughput 100 Mbps

Since I measured only 20 Mbps AV scanning throughput with R71 on a UTM-1 270 appliance, I don’t trust this figures for real rule bases and real live traffic. But anyway, at least good enough for comparison to other Check Point appliances.

The management of this gateway has to be done over a Security Management server of Provider-1, it is not self-managed unlike UTM-1 appliances.

The desktop form factor is quite nice, I’m just wondering about the cooling. The UTM-1 130 appliances use passive cooling, too, and can get pretty hot sometimes.

What’s nice for smaller offices are the build-in 8 LAN ports with GigabitEthernet, so under some circumstances you can eliminate an additional switch in the office. The SG80 has one additional Gigabit WAN port and a Gigabit DMZ port.

As for now I have no info about the hardware in this appliance, nor the operating system. But I think that it is SPLAT based, deriving from the feature set.

The SG80 is comparably low cost for the performance, as it starts at $2500,–

At the moment this appliance can only be configured over the R70.40 version management / SmartConsole.

The wizard is a little bit different than for normal gateways, but very straight forward.
They changed the SIC handling here. At creation of the object in SmartDashboard you enter a secret and you can install the policy for this device.
But SIC is not established right away, but status of this object is ‘waiting’.
The administrator in the remote office can install the appliance later and connect to the Security Management with this secret, establishing SIC completely.
It’s a mixture of handling normal gateways and Edge appliances and very nice.
Also the most needed configuration option can be chosen when creating the SG80 object using the wizard.

All in all it’s a very nice approach with this new appliance and I can’t wait to get my hand on one of this boxes to test it.

If you had the possibility to test one, please send your findings to blog@lachmann.org

Tobias Lachmann

UPDATE: The SG80 runs Secure Platform Embedded as operating system. Sounds like a striped down version of SPLAT to me.

R70.40 released – use with care

Yesterday Check Point released R70.40 with some modifications for the new UTM-1 Edge N series and die Security Gateway 80 series, support for Embedded NGX 8.1 firmware, provisioning for IPSO 6.2 and enchanced vsx_util.

We have some improvements here, judging by the resolved issues.

This release is also the first one to handle SG80 gateways.

But, as the Release Notes state, the R70.40 cannot be upgraded to R71. You first have to uninstall it before upgrading. This is not very handy, so I would suggest to upgrade directly to R71.10 and wait for the upcoming R71.20 release, which should also contain the fixes and enhancements.

Tobias Lachmann

Disabling Anti-Spoofing

When you want to disable Anti-Spoofing on a whole gateway you can use a specific kernel parameter for this.

fw_antispoofing_enabled=0

Please refer to sk26202 for changing kernel global parameters and sk20364 for making them survive a reboot.

Tobias Lachmann

Manual failover between ClusterXL members

A Check Point security gateway cluster running under ClusterXL uses certain devices that must be running on the cluster member for the member to be considered active.

The devices can be displayed using cphaprob -ia list. A normal ouput will look like this:

[Expert@firewall]# cphaprob -ia list


Built-in Devices:
Device Name: Problem Notification

Current state: OK
Device Name: Interface Active Check

Current state: OK
Device Name: HA Initialization

Current state: OK
Device Name: Load Balancing Configuration

Current state: OK
Registered Devices:
Device Name: Synchronization

Registration number: 0

Timeout: none

Current state: OK

Time since last report: 13212.1 sec
Device Name: Filter

Registration number: 1

Timeout: none

Current state: OK

Time since last report: 13201.4 sec
Device Name: cphad

Registration number: 2

Timeout: 2 sec

Current state: OK

Time since last report: 0.1 sec

Device Name: fwd Registration number: 3 Timeout: 2 sec Current state: OK Time since last report: 0.1 sec

If one or more of the devices have a problem, ClusterXL will do a failover from the active member to the standby member. This is only true as long as the second member has no problem itself. If this is happening, the cluster mechanism decides by its own which is the more suitable machine to handle the traffic and will or will not do a failover.

Failover will also occur if the issue cpstop or cphastop on the active member, stopping all Check Point services or just the ClusterXL related service.

For the purpose of maintenance it can be necessary to move away all the traffic from the active member to the secondary member through initiating a failover, leaving the security policy and services active on the machine.

This can be done by registering a new device and adding it to the list of the processes that must be running for the cluster member to be considered active and putting the new device in the problem state.

Use this command line: cphaprob -d STOP -s problem -t 0 register

If you want to unregister the problematic device and make the cluster member available and active again, just use this: cphaprob -d STOP unregister.

Learn more about the usage of cphaprob from the CLI manual.

Tobias Lachmann

Determine version of Anti Virus

All applications like SmartView Monitor get the information about the Anti Virus version running on the Security Gateway by reading the following file $FWDIR/av/ca/update/incoming/Anti_Virus.entitlement.C

Tobias Lachmann

Display errors in SmartView Monitor

Sometimes SmartView Monitor gets confused and it displaying wrong (cached) information.

To clear this up you do the following:

- issue cpstop on the Security Management server
- delete $FWDIR/conf/applications.C,
$FWDIR/conf/applications.C.backup,
$FWDIR/conf/CPMILinksMgr.db
and $FWDIR/conf/CPMILinksMgr.db.private
- issue cpstart
- install policy again
- open SmartView Monitor again

Tobias Lachmann

Appliance hardware – updated

Here is a short list of the hardware used in UTM-1 / Power-1 / Smart-1 appliances.

The details can be determined from the command line.

For the CPU details use cat /proc/cpuinfo, for the RAM details use cat /proc/meminfo.

If you have more details on appliances, feel free to send them to blog@lachmann.org

All throughput values are taken from official Check Point materials.

If you take the appliance hardware together with the throughput stated by Check Point, it might give you an idea how your OpenServer hardware will perform in comparison.

Have a close look of the throughput values of the UTM-1 450 in comparison to the UTM-1 570. The processor power is identical, also the memory. But the throughput values for the UTM-1 450 were measured with NGX R65, the values for the UTM-1 570 were measured with R71. See what a performance boost R71 can be, even on the “old” hardware. Sweet!

UTM-1 130

Intel Celeron M 600 MHz
1 GB RAM
80 GB ATA HDD
Firewall Throughput: 1.5 Gbps
VPN Throughput: 120 Mbps
IPS Troughput: 1.0 Gbps

UTM-1 270

Intel Celeron M 600 MHz
1 GB DDR2 RAM 400 MHz
160 GB ATA HDD
Firewall Throughput: 1.5 Gbps
VPN Throughput: 120 Mbps
IPS Troughput: 1.0 Gbps

UTM-1 450

Intel Celeron M 1.5 GHz
1 GB RAM
80 GB ATA HDD
Firewall Throughput (R65): 400 Mbps
VPN Throughput: (R65) 200 Mbps

UTM-1 570

Intel Celeron M 1.5 GHz
1 GB RAM
160 GB ATA HDD
Firewall Throughput: 2.5 Gbps
VPN Throughput: 300 Mbps
IPS Troughput: 1.7 Gbps

UTM-1 1070

Intel Celeron M 1.5 GHz
1 GB RAM
160 GB ATA HDD
Firewall Throughput: 3 Gbps
VPN Throughput: 350 Mbps
IPS Troughput: 2.2 Gbps

UTM-1 2050

Intel Pentium 4 3.4 GHz
2 GB RAM
80 GB ATA HDD
Firewall Throughput (R65): 2.4 Gbps
VPN Throughput: (R65) 380 Mbps

UTM-1 2070

Intel Celeron 440 2.00GHz
2 GB RAM
160 GB ATA HDD
Firewall Throughput: 3.5 Gbps
VPN Throughput: 450 Mbps
IPS Troughput: 2.7 Gbps

UTM-1 3070

Intel Core2 Duo E6400 2.13GHz
3 GB RAM
160 GB ATA HDD
Firewall Throughput: 4.5 Gbps
VPN Throughput: 1100 Mbps
IPS Troughput: 4.0 Gbps

Power-1 5075

Intel Xeon E5410 2.33GHz (QC)
2 GB RAM
160 GB ATA HDD
Firewall Throughput: 9.0 Gbps
VPN Throughput: 2.4 Gbps
IPS Troughput: 7.5 Gbps

Power-1 9075

2x Intel Xeon E5410 2.33GHz (QC)
4 GB RAM
2x 160 GB HDD
Firewall Throughput: 9.0 Gbps
VPN Throughput: 2.4 Gbps
IPS Troughput: 7.5 Gbps

Smart-1 25

Intel Core2 Duo T7400 2.16GHz
3 GB RAM
4x 500 GB SATA HDD in RAID 10

Thanks to all the contributors for their info!

Tobias Lachmann

Rumors, rumors….

I heard some rumors recently that I’d like to share with you. True or not, nobody can tell. But sure interesting

First, we can expect R75 GA by the end of the year. No idea what will be included, but maybe we see more improvements from software blades. As Dorit Dor stated some time ago, the introduction of software blades with R70 was the first step in a three-step-approach of a complete architecture re-design within the Check Point products. So personally I think that every new GA release will bring us closer to the goal and will give us additional performance and/or more features.

Second, Check Point seems to plan the content inspection of HTTPS traffic, availability should be around end of Q1/2011. This is a very interesting feature and I’m really locking forward to it. We had lot’s of projects where the customer choose not to use Check Point content scanning but rather a solution like WebWasher, which could inspect also SSL encrypted traffic. I wonder how the handling will be done in detail and how easy the setup will be in comparison with WebWasher etc.

That’s all for now. Wait and see, if these rumors have a valid background.

If you know more details, please do not hesitate and write an email to blog@lachmann.org

Tobias Lachmann

Behaviour of Data Loss Prevention

Mmmh…. the DLP software acts as a proxy between internal mail server and external mail server.

It accepts the mail from the internal system and in the same time sends the data out to the external system besides the last package to complete the mail. When the mail is received by the DLP gateway from the internal server completely, it is scanned for compliance to the DLP policy and if the check is ok, the last packet is transmitted to the external mail server, finishing mail delivery.

If the check is not ok, the last packet is withheld and the gateway shuts down the connection to the external mail server. So basically the mail has left the company, but because of the interrupted transfer, the external mail server is discarding the temp mail that has been deliverd by now.

I’m not sure at the moment that I like this behaviour… I’m thinking about better ways to handle this…. not finished thinking it through by now…. will let you know my thougts.

Tobias Lachmann

Secure Client for Mac OS 10.6 (Snow Leopard) available

SecureClient NG-AI R56 HFA 2 for Mac OS X 10.6 (Snow Leopard) is now officially available through the Support Portal. I tested the EA versions (Build 8 and 15) and had good results.

It’s sad that it took so long for Check Point to come up with a VPN client for 10.6 and also SNX support for Snow Leopard is not here at the moment.

Hope they’ll fix that soon.

Tobias Lachmann

UTM-1 1050 and 2050 network problems

So, what is the problem about? Well, NIC connections stay up for about 1 or 2 minutes, then they’re down for about 5 minutes.

We made an upgrade of an UTM-1 2050 series appliance to R71 and got massive connectivity problems. Two days later sk42174 came out which helped us fix the problem. Seems that the Linux Kernel starting with R70 assigns new drivers to the NICs, which are incorrect.
The solution for that problem is to change the settings back to the old driver.

For details please refer to the SK and have it in mind when you’re updating older appliances.

Back to Chur in September – CPUGCON 2010

I will be travelling to the Check Point Usergroup Conference (CPUGCON) in Chur this September!

Thanks to my employer MCS for giving me the opportunity.

Barry Stiefel accepted my presentations for “Best Practices For The Check Point Appliances” and “Check Point Troubleshooting” and I’m happy to speak again in front of such a great audience.

It turned out last year that half of the attendees were working for Check Point partners, so enormous amount of knowledge and experience there.

Make sure to attend, too!

Where else can you meet people like yourself, dealing with the same topics and the same problems? Benefit from their experience and their solutions.

Check out the conference presentations (work in progress) and meet the speakers.

And please don’t hesitate to speak to me and share some feedback about this blog when you see me in Chur.

Tobias Lachmann

R71.10 available

The new R71.10 update is available. Find all the resources on this page within UserCenter.

We now have Abra support on all gateway platforms, support for Outlook Web Access (OWA) 2010 over SSL VPN and R71.10 includes the hotfix for the SSL VPN blade, that was mandatory when using this blade with R70.

Please note that the R71.10 upgrade package cannot be installed on gateways with DLP.

Check Point also released complete packages for a fresh installation with R71.10 but they sadly don’t include UTM-1 images.

Tobias Lachmann

Proactive detection mode vs. Stream detection mode

As I wrote a while ago, we had great performance improvements with Antivirus Scanning and the R71 release. On the same UTM-1 hardware the throughput doubled. While this was true for my lab testing, real world testing didn’t show the same results. Upgraded systems had no better AV performance and only slightly more overall performance was showing.

The reason for that is that an upgraded systems keeps the old way of detecting viruses, the Proactive detection mode. In this mode, the traffic is trapped by the kernel and forwarded to the security server. The security server then forwards the traffic to the Antivirus engine and the traffic is allowed or blocked, depending on the response of the Antivirus engine. It is necessary to store the whole file first before scanning it.

The new Stream detection mode doesn’t need to store the file for scanning. Stream detection is able to scan uncompressed and compressed traffic while it is passing through the gateways kernel, doing decompression on the fly.

Stream detection mode works only signature-based, whereas Proactice detection mode works with Antivirus signatures and in addition with a sandbox where heuristic behaviour scans are done to detect malware, even if there no signature available at the moment.

Stream detection is default on fresh installations, so that’s why you can see great performance improvement on R71.

The mode can be changed within SmartDasboard -> Antivirus & URL Filtering tab -> Antivirus -> Security Gateway and then choose the desired protocol.

HTTP and SMTP can work with Stream detection mode and Proactive detection mode, POP3 and FTP only work with Proactive detection mode.

While I appreciate the performance improvement which can be gained using Stream detection mode, I think we lower security a little bit by abstain from using Proactive detection mode.

This decission should be made with careful consideration of the specific setup and customer need. If you use solely Stream detection mode, make sure to have a good Antivirus solution from another vendor running on the end user’s desktop to double-check for malware.

What do you think about the two Antivirus modes? Mail your thoughts to blog@lachmann.org

Tobias Lachmann

Database Revision in R71

R71 brings us an improvement in the handling of database revision.
Now it is possible to define how long old version should be kept.
Criteria can be number of versions, age of versions, storage consumption of versions of free diskspace.

I think this is a very nice improvement and worth noticing.

Tobias Lachmann

Online partition resizing on UTM-1 appliances

Under SPLAT with 2.4 linux kernel (NGX R65) you had to follow a slightly complicated procedure to resize the partitions and the filesystems on an UTM-1 appliance.

Now the R7x releases bring us the 2.6 kernel with lots of improvements. A very nice one it the ability to resize (meaning increase!) the partitions and filesystems online, without the need of unmounting them.

[Expert@volvo]# lvresize -L 12GB vg_splat/lv_current Extending logical volume lv_current to 12.00 GB Logical volume lv_current successfully resized

[Expert@volvo]# resize2fs /dev/mapper/vg_splat-lv_current resize2fs 1.39 (29-May-2006) Filesystem at /dev/mapper/vg_splat-lv_current is mounted on /; on-line resizing required Performing an on-line resize of /dev/mapper/vg_splat-lv_current to 3145728 (4k) blocks. The filesystem on /dev/mapper/vg_splat-lv_current is now 3145728 blocks long.

Please note: this can only be done while increasing the filesystems. Reducing the filesystems requires them to be unmounted!

In that case go with this procedure.

Tobias Lachmann

Control UTM-1 Edge appliances from command line

The Edge gets its policy from the SmartCenter server over the SofaWare Management Server process (sms).

The interval of pulling the policy is defined over Global Properties -> UTM-1 Edge Gateway -> Update configuration settings every XX minutes

If you want to update an Edge immideately, you can do this be using the WebUI (access your SmartCenter over http://:9283/) or you can use the command line.

The directory /opt/CPEdgecmp-R7x/bin contains the tool swcmd which can be used to issue commands directly to the Edge appliance.

swcmd UpdateNowAll will tell the Edges to update their policy immediately.

swcmd Reboot will reboot the gateway.

Tobias Lachmann

Certificate Signing Request (CSR) key size

In a recent blog entry I described how you can use 3rd party certificates within your Check Point gateway.

Now I was informed by Brian that some commercial CA don’t sign any longer if the key size is only 1024 bit, you need at least 2048 bit.

How can we change the behaviour of the Check Point while issuing the CSR?

Just go to Global Properties -> SmartDashboard Customination -> Configure -> Certificates and PKI properties.

There we have an option the define the key size for the certificates. Available values are 1024, 2048 and 4096 bit.

Change this value according to your need and the requirements of the CA you chose for signing.

Starting with R71 they standard key size 2048.

Tobias Lachmann

Update to R71 – enlarging UTM-1 appliance root partitions

In one of my previous blog entries I described a way to enlarge partitions of UTM-1 appliances. This was necessary especially for the older x50 series appliances, as they had a smaller hard drive and a bad partition layout.

In the past I only enlarged the partition that held the log files because that’s were you have the most data. The procedure was working just fine and I was happy.

A couple of days ago I started updating x50 series appliances from R65 to R71. Even with cleaning up the system of unused files right before the update I got into serious trouble. The cause was that the root partition was nearly about full.

The update process itself came up with no error, but while operating the appliance the root partition was completely full in no time. Especially updating the URL Filterung database, which is now about 370MB, filled the root partition quickly.

When I tried enlarging the root partition with the described procedure I failed.

Resizing requires to unmount the partition before – but you can’t unmount the root partition.

So I had to find another way to modify the partition sizes of the appliance.

Here’s what I did:

I downloaded an ISO-Image of grml, a Linux Live system for sysadmins. Then I modified the ISO to display output on the serial console. You can download this modified ISO here.

I connected an USB-DVD-Drive to the appliance and booted the ISO image.

On the boot screen I added some parameters for the startup process:

Some information and boot options available via keys F2 - F10. http://grml.org/ grml 2010.04 - Release Codename Grmlmonster 2010.04.29 boot: serial debug=noscreen lang=de lvm

When grml was finished, it gave me a console with all the needed tools. LVM was loaded already and I was good to go.

I checked for the volume groups on the hard drive with the vgscan command:

Then I activated the logical volumes with vgchange:

root@grml ~ # vgchange -a y 6 logical volume(s) in volume group "vg_splat" now active

You can display the volume group with vgdisplay:

You can display the logical volumes with lvscan:

Then I did the resizing of the volumes groups to better values:

root@grml ~ # lvresize -L 11GB /dev/vg_splat/lv_current Extending logical volume lv_current to 11.00 GiB Logical volume lv_current successfully resized

root@grml ~ # lvresize -L 25G /dev/vg_splat/lv_log Extending logical volume lv_log to 25.00 GiB Logical volume lv_log successfully resized
Keep in mind that you will need some free space for imaging purposes, so don’t use up all the space on the hard drive!

Then a file system check has to be done, followed by the resizing of the file system.

root@grml ~ # e2fsck -f /dev/vg_splat/lv_current e2fsck 1.41.11 (14-Mar-2010) Superblock last mount time is in the future. (by less than a day, probably due to the hardware clock being incorrectly set) Fix? yes


Pass 1: Checking inodes, blocks, and sizes

Pass 2: Checking directory structure

Pass 3: Checking directory connectivity

Pass 4: Checking reference counts

Pass 5: Checking group summary information

/dev/vg_splat/lv_current: ***** FILE SYSTEM WAS MODIFIED *****

/dev/vg_splat/lv_current: 26973/655360 files (0.1% non-contiguous), 384238/1310720 blocks
root@grml ~ # resize2fs /dev/vg_splat/lv_current

resize2fs 1.41.11 (14-Mar-2010)

Resizing the filesystem on /dev/vg_splat/lv_current to 2883584 (4k) blocks.

The filesystem on /dev/vg_splat/lv_current is now 2883584 blocks long.
root@grml ~ # e2fsck -f /dev/vg_splat/lv_log

e2fsck 1.41.11 (14-Mar-2010)

Superblock last mount time is in the future.

        (by less than a day, probably due to the hardware clock being incorrectly set)  Fix? yes
Pass 1: Checking inodes, blocks, and sizes

Pass 2: Checking directory structure

Pass 3: Checking directory connectivity

Pass 4: Checking reference counts

Pass 5: Checking group summary information
/dev/vg_splat/lv_log: ***** FILE SYSTEM WAS MODIFIED *****

/dev/vg_splat/lv_log: 56/1310720 files (3.6% non-contiguous), 49409/2621440 blocks

root@grml ~ # resize2fs /dev/vg_splat/lv_log resize2fs 1.41.11 (14-Mar-2010) Resizing the filesystem on /dev/vg_splat/lv_log to 6553600 (4k) blocks. The filesystem on /dev/vg_splat/lv_log is now 6553600 blocks long.

To finish, deactive the logical volumes:

root@grml ~ # vgchange -a n 0 logical volume(s) in volume group "vg_splat" now active

root@grml ~ # lvscan inactive '/dev/vg_splat/lv_current' [11.00 GiB] inherit inactive '/dev/vg_splat/lv_log' [25.00 GiB] inherit inactive '/dev/vg_splat/lv_hfa' [5.00 GiB] inherit inactive '/dev/vg_splat/lv_upgrade' [5.00 GiB] inherit inactive '/dev/vg_splat/lv_fcd' [2.00 GiB] inherit inactive '/dev/vg_splat/lv_fcd62' [2.00 GiB] inherit
That’s it. Reboot again and start the Secure Platform.

Check with df -h that you have the desired partition layout:

[Expert@cpmodule]# df -h Filesystem Size Used Avail Use% Mounted on /dev/mapper/vg_splat-lv_current 11G 1.4G 8.9G 14% / none 11G 1.4G 8.9G 14% /dev/pts /dev/hdc1 145M 13M 125M 9% /boot none 502M 0 502M 0% /dev/shm /dev/mapper/vg_splat-lv_log 25G 33M 24G 1% /var/log

Tobias Lachmann

R71 SSL VPN blade – how sweet is this?

I’m not sure if anyone noticed it, but R71 comes with a brandnew SSL VPN blade. And I really like how quickly you can do the setup. After a few clicks it is running, providing a demo-application (world clock). Setting up the rest is a piece of cake.

Well done guys, well done!

Tobias Lachmann

Keep up 2 date? Why 8?

I stumpled about the process keepup2date8, which was running after a R71 upgrade for quite a while on the machine.
Took me some time to find out that it is nothing to worry, but the Kaspersky process for updating the antivirus-database.

Tobias Lachmann

Using 3rd party certificates for your SSL VPN

With Check Point software it’s very easy to configure client authentication over https or SSL VPN with the SSL Network Extender (SNX).

But unfortunately, Check Point presents a self-signed certificate from the internal CA to the users.

This warning message can be confusing for the users and even might not work, depending on the company policy and settings in the browser.

The better way is to have a certificate on the gateway that was issued from one of the big CA like Verisign, Thawte etc. and present this to the users.

Because these CAs are known to the browser as trustworthy, no error message appears while connecting.

I’m going to show you how to configure your gateway with a certificate from a 3rd party CA.

1. First, we need to create a trusted CA object under the Servers and OPSEC Applications section.

2. Then we give a name to the CA object and choose OPSEC PKI as CA type.

3. On the next tab you can import the CA certificate from a file.

Here you can also choose to do an automatic enrollment for certificate renewal over three different protocols. However, this isn’t supported by all CA. Personally I don’t do automatic renewals but do it by hand instead every time.

If you uncheck CRL retrieval from HTTP servers, all certificates will be trusted, wether revoked or not. For our purpose it’s ok to have this unchecked.

4. While importing the CA certificate you have to approve it.

5. Now we’re done with the CA object and can actually go to the gateway object.

6. Click on Add to create a new certificate. You’re asked for a Nickname of the certificate which is used in various places in the GUI and in config files. I would suggest to keep it short and descriptive. Choose to enroll this certificate from the CA created in the steps before.

7. At this point a CSR (certificate signing request) is going to be generated. The DN (Distinguished Name) has to be correct for the certificate to be created by the CA, so take good care here!

In our example we sign the certificate by United Internet CA and we have to use this DN for a gateway with the DNS name of fw.test.de

CN=fw.test.de,OU=Comodo InstantSSL,OU=Authorized by United SSL,OU=Authorized by United SSL,O=TEST GmbH,STREET=Test Straße 90,L=Hamburg,ST=Hamburg,OID.2.5.4.17=22159,C=DE
Alternatives DNS are defined as FQDN.

8. After filling in the details a CSR is presented. Copy it to the clipboard are save it to a file and hand it over to the CA you chose for signing. Make sure that the text is copied completely.

9. When the CA give you back your signed certificate, complete the process by selecting the appropriate nickname and click on Complete.

10. Load the certificate, accept it and attach it to the gateway.

11. Now you can choose this certificate to be presented when connecting to SSL Network Extender etc.

To use this certificate in client authentication you have to configure the file $FWDIR/conf/fwauthd.conf.

Change the entry to

900 fwssd in.ahclientd wait 900 ssl:fw.test.de

Tobias Lachmann

Discount on Check Point exams

Check Point offers 25% discount on R70 exams. You can find the VUE promotion code on this webpage.

Tobias Lachmann

Check Point User Group Conference 2010

Don’t forget to register for the Check Point User Group Conference 2010 in lovely Chur.

Barry will update the site ongoing to keep you informed about agenda, speakers and other details.

I’m not sure if I can attend CPUGCON this year, but I will try. If I get accepted again as speaker, I might afford the trip.

At the moment I submitted presentations about troubleshooting, DLP, VPN-1 VE and UTM-1 appliances.

We’ll see how many of those can make it to the agenda.

Tobias Lachmann

New EA for Discovery VPN client

Check Point now has an open EA for the Discovery VPN client, which is the successor of the well-known SecureClient. Based on the documentation, it’s a mixture of Endpoint Connect when it comes to the VPN client engine and Endpoint Security Secure Access when it comes to the build-in personal firewall. The good part is, that the personal firewall rules can be managed the old-fashioned way through the SmartDashboard, like today with SecureClient. So no change her and the ability to use all the existing object in your database.

To access this EA, log into your UserCenter account, go to Products -> Early Availability and choose to register for Discover VPN client.

In the moment the Discovery VPN client is only available for NGX R65 HFA60, a release for R70/R71 will follow shortly. Supported gateway platforms are SecurePlatform, Windows and IPSO 4.2.

The client has support for Windows XP 32 bit with SP2 or SP3, Windows Vista 32 and 64 bit with SP1 and Windows 7 32 and 64 bit, so most of the operating system platforms found in companies are covered.

The following features are not supported at the moment:

Single Sign-on (SSO)
“Suggest Connect” Mode (Auto Connect)
Pre/Post Connect Script
Entrust Entelligence Support
Diagnostic Tools
Compression
VPN Connectivity to VPN-1 VSX
DNS Splitting
“No Office Mode” Connect Mode

But this is OK as it is an EA on the GA version will surely have all those features.

In addition, Discovery VPN client has features that Endpoint Connect is offering, like better Location Awareness, Automatic Site Detection, better Roaming etc.

A hotfix has to be installed on the gateway to enable Discovery support, no changes at the SmartCenter are needed. The configuration has no Discovery specific details, just a normal SecureClient configuration. If you have an exisiting deployment, nothing has to be changed.

I will test this client in the next weeks. If you have done so, please feel free to send comments to blog@lachmann.org and share your experience.

Personally I miss support for Mac OS 10.4, 10.5 and 10.6 very much. Especially media related companies such as advertisement agencies, print and TV producers use Mac OS as operating system, so this is a significant number of users.

Sadly, Check Point hasn’t these operating systems in the same focus as the Windows OS. This leads to the point where the customers change from SecureClient to IPSecuritas, a freeware VPN client. Using this client means more work for the client administrators, as settings can’t be distributed in the way it is done with SecureClient for Mac OS.

Tobias Lachmann

UTM-1 hardware

Here is a short list of the hardware used in UTM-1 / Power-1 / Smart-1 appliances.
If you take the appliance hardware together with the throughput stated by Check Point, it might give you an idea how your OpenServer hardware will perform in comparison.

The details can be determined from the command line.

For the CPU details use cat /proc/cpuinfo, for the RAM details use cat /proc/meminfo.

If you have more details on UTM-1 appliances, feel free to send them to blog@lachmann.org

UTM-1 130

Intel Celeron M 600 MHz
1 GB RAM
80 GB ATA HDD

UTM-1 270

Intel Celeron M 600 MHz
1 GB DDR2 RAM 400 MHz
160 GB ATA HDD

UTM-1 450

Intel Celeron M 1.5 GHz
1 GB RAM
80 GB ATA HDD

UTM-1 570

Intel Celeron M 1.5 GHz
1 GB RAM
160 GB ATA HDD

UTM-1 1070

Intel Celeron M 1.5 GHz
1 GB RAM
160 GB ATA HDD

UTM-1 2050

Intel Pentium 4 3.4 GHz
2 GB RAM
80 GB ATA HDD

UTM-1 2070

Intel Celeron 440 2.00GHz
2 GB RAM
160 GB ATA HDD

UTM-1 3070

Intel Core2 Duo E6400 2.13GHz
3 GB RAM
160 GB ATA HDD

Power-1 5070

Intel Xeon E5410 2.33GHz (QC)
2 GB RAM
80 GB ATA HDD

Smart-1 25

Intel Core2 Duo CPU T7400 2.16GHz
3 GB RAM
4x 500 GB SATA HDD in RAID 10

Thanks to all the contributors for their info!

Tobias Lachmann

Avatar – the gateway, not the film!

Check Point opened the public EA for the successor of VPN-1 VE, codename Avatar. Avatar is designed to run with vSphere 4.

Register for the EA within your Usercenter account. Go to Products and then Early Availability. Register for Avatar EA and download the software and documentation.

I have waited for this EA for a while and I’m very curious. There are rumours that the licensing will also be changed and I hope it’s more affordable than the current pricing.

Tobias Lachmann

Delete all ARP entries on SPLAT

We stumbled over this one yesterday: some servers behind a gateway had a problem with ARP resolution and we wanted to make sure that ARP worked. To verify this we tried to delete all ARP entries and see if the ARP cache was filled up again (and correctly).

While Windows has arp -d * as a working command to delete all entries at once, under Linux and therefor SPLAT you have to try something different.

This little script will do the job for you:

#!/bin/bash for arpentries in `awk -F ' ' ' { if ( $1 ~ /[0-9{1,3}].[0-9{1,3}].[0-9{1,3}].[0-9{1,3}]/ ) print $1 }' /proc/net/arp` do arp -d $arpentries done

Tobias Lachmann

More benefits for recent CCSE certification

Check Point changed the benefits for their Check Point Certified Security Expert (CCSE) certification.

In the past we had

Expert Access to SecureKnowledge
Newsletter
Logo rights

Now they added

Access to level-3 TAC support engineers

I’m not sure what this means. I deal a lot with the TAC in Israel as part of my daily work, but never encountered a “level-3″ engineer. Normally your call is handled by a support engineer and, if escalated, handed over to an escalation engineer. And maybe a diamond engineer from the diamond support team assists. Would we interesting to know what “level-3″ means.

Anyway, the goal is clear: give the higher certified people direct access to support engineers that have the same level.

In addidtion, Check Point changed the handling of calls from Check Point Certified Master Architects (CCMA). Now they get escalation priority while opening a case. Also a good thing, as a CCMA is so highly trained that he could easily work as escalation support engineer with Check Point. If a CCMA opens a case, it must be severe.

The community demanded such priviliges for skilled people a long time (see CPUG board for the discussion) I’m glad that Check Point now made a step forward!

Tobias Lachmann

UPDATE: Pierre Lamy, Technical Lead of Ottawa TAC, pointed out what tiers/levels exist. A level-3 engineer is the normal support engineer who’s handling a case opened with Israel TAC.

Again backup problems after R70.30 upgrade when using SCP

We had this before, now it’s back: the problem with not working scheduled backups after upgrading to a R70.xx version. Seen on R70.20, now I upgraded a environment from R70.10 to R70.30 – and the error is still there. The backup files are not correctly transfered to the SCP server configured.

The solution is to disable scheduled backup through the WebUI.

Then go to the /var/CPbackup/conf directory and delete the file backup_sched.conf.

Afterwards open the WebUI again and re-configure scheduled backup.

Next time the backup runs everything will be OK and files are transfered to another server with SCP.

Tobias Lachmann

New firmware 8.1.37 for UTM-1 Edge X series

Check Point released a new firmware for the UTM-1 Edge appliance series.

As the release notes show, modifications were made for the new N-series appliances, along with some bug fixing.

The most interesting details:

- support for Endpoint Connect clients
- support for new USB modems
- times based rules are now supported

In the release notes some more features are listed, but with a reference that they will only work with hardware version 1.4.
I guess that is the hardware version of the new N-series appliances.

Nice features supporting hardware version 1.4

- 802.11n support
- GigabitEthernet support
- ore firewall throughput
- more VPN tunnels
- support for some more USB modems

Tobias Lachmann

Details on Data Loss Prevention (DLP) blade licensing

It has taken a long time to get information from Check Point how to license the DLP blade, but now I got an answer:

For the 500 and 1500 user DLP blade a 2-Core-Container is needed. For the unlimited user DLP blade you need a 8-Core-Container.
The size of the blade is determined by the number of users behind the gateway!

So that would mean you need an SG201 container (included: gateway for up to 500 users) for the CPSB-DLP-500 blade.

For the CPSB-DLP-1500 blade a SG203U pre-defined system is needed, to allow more than 500 users.

For the CPSB-DLP-U blade a SG801 container is needed.

So the solution for 500 users will cost $3000 for the blade and $6500 for the container, so $9500 in total.

The solution for 1500 users will cost $7000 for the blade, $14000 for the container, so $21000 in total.

The unlimited solution will cost $12000 for the blade and $18000 for the container, so $30000 in total.

This is the pure software side, you will also need hardware, for example an open server for additional $4000.

If we look at the appliance solution DLP-1 2571 we’ll find that it is limited to 1500 users but costs only $14990.

In case your organization need DLP protection for up to 500 users, a solution with software running on an open server is about $1500 cheaper. If you need up to 1500 users, you pay $10000 more with an open server solution than for the DLP-1 2571. Lot’s of money….. but still worth thinking about it because of the higher performance you will get from an open server.

More easy with the DLP-1 9571 that you need for unlimited users, as the appliances costs $49900. The software solution on an open server is only $34000, that is about $16000 cheaper.

What’s the baseline here? Well, carefully think about your setup before you buy. Think about performance limitations you may encounter with an appliance. Think about the cost for the 2nd and 3rd year… and then make your decision!

Tobias Lachmann

Delete old log files on SPLAT machines

There is no way to configure your SPLAT box or UTM-1 appliance in a way, that only logs for the last X days were kept.

The only work-around would be to configure on the firewall object -> Logs and Masters -> Required Free Disc Space together with the option Do not delete log files from the last X days.

By configuring a very high value for required free disc space you could have the script run every day and with the other option prevent it from deleting the needed logs.

OR – you could implement a short script:

[Expert@fw1]# cat /usr/bin/del_logs.sh #!/bin/bash /usr/bin/find /var/log/opt/CPsuite-R65/fw1/*.log* -ctime +217 -print -exec rm -f {} ;

The parameter ctime is the amount of days for the logs to keep.

Run the script with cron:

[Expert@fw1]# crontab -l # DO NOT EDIT THIS FILE - edit the master and reinstall. # (/tmp/crontab.19431 installed on Mon May 10 10:21:33 2010) # (Cron version -- $Id: crontab.c,v 2.13 1994/01/17 03:20:37 vixie Exp $) 42 11 * * * /usr/bin/del_logs.sh 50 2 * * 1,2,3,4,5,6,7 backup_util sched

Now you’re able to delete the old logs as you like. If you backup your firewall or SmartCenter to your local disc, maybe you want to do this with your backups, too?

Tobias Lachmann

How to build an UTM-1 cluster with SmartCenter HA (aka Full Cluster)

Maybe you’ve seen my presentation on CPUGCON 2009 about migration to an UTM-1 cluster from a distributed environment.

Now I was asked to provide a how-to about building this kind of UTM-1 Full Cluster from scratch.

Actually this is very easy. Building UTM-1 clusters was supported from the start, but the SmartCenter could only reside on one appliance. With the introduction of NGX R65 with Messaging Security, we also got SmartCenter High-Availability for free.

In our setup we assume that we have two appliances, one primary and one secondary. Setup both with the normal First Time Configuration Wizard.

Make sure to install the primary on as locally managed and primary cluster member.

The secondary appliance is also installed as locally managed but as secondary cluster member.

On the secondary appliance you also have to fill in a SIC secret to establish the communication later.

After completing the First Time Configuration Wizards on both appliances, connect with the SmartDashboard to the primary UTM-1 appliance.

Now the wizard for configuring the cluster pops up. When defining the secondary cluster member, fill in the SIC secret entered in the WebUI wizard.

Fill in all the details that reflect your cluster. Make sure to have at least one dedicated sync network.

Topology could look like this afterwards:

Now you can define rules, push the policy and make the cluster work. After that check the Management HA in the SmartDashboard:

This picture shows that both cluster members have a SmartCenter installed and are working in Management High-Availability mode.

That’s it for building an UTM-1 cluster with Management High Availability – also known as UTM-1 Full Cluster.

Tobias Lachmann

Abra documentation and software available

Documentation and software for the Abra stick is now available in the Check Point suppport center. I stumbled over two things in the known limitations. First, Office mode is not supported on Abra. And second, CIFS is not supported over a VPN tunnel that was established with Abra.

By now I don’t know why these limitations exist, but I would rate them as servere. Especially Office Mode is a must-have while working with Client-2-Site VPNs.

Pricing seems to be $140 for a 4GB Abra stick and $210 for a 8GB Abra stick. I’m not sure if we have to purchase an additional Endpoint Security license (container + VPN) when Abra is able to do Office mode, but I think so. That’s the way you have to license Endpoint Connect at the moment.

I will now play around with Abra a little bit and come back with more information in a couple of days.

Tobias Lachmann

R71 performance on UTM-1 appliances

As mentioned before, the UTM-1 appliance had performance trouble when doing content scanning and I would not recommend doing this in this machines. Now R71 claimes to give a big boost by new methods of scanning. I tested the performance improvement of the new R71 release with the following setup:

UTM-1 270 mit GigabitEthernet-Uplink to the Internet and GigabitEthernet-Link to the internal network. 4 Servers mit GigabitEthernet as clients running HTTrack website copier in the internal network. I used HTTrack to download several website at the same time, creating a mixture of HTML, graphic, archives and executables content.

The UTM-1 270 was installed out-of-the box using the wizard. I activated VPN, SmartView Monitor and Antivirus in addition the moduls already activated as standard.

The rulebase had two rules, on allowing access to the systems from a management client outside the network and one rule for allowing access to the Internet for the servers. No NAT was used, no additional settings.

With NGX R65 with Messaging Security (HFA25) I had an average throughput of 1,026,474 Bytes / sec while running with 100% CPU load for a couple of minutes.

With NGX R65 with Messaging Security (HFA70) I had an average throughput of 1,094,563 Bytes / sec while running with 100% CPU load for a couple of minutes.

With R70 I had an average throughput of 1,647,257 Bytes / sec while running with 100% CPU load for a couple of minutes.

With R71 I had an average throughput of 1,999,611 Bytes / sec while running with 100% CPU load for a couple of minutes.

My test maybe not so accurate as the ones that Check Point is doing, but I thing the traffic blend reflects the behaviour of normal users really good.

And, having 2x the performance with Antivirus scanning on the same hardware is pretty impressive! The improvement really shows, how nice! I also recognized that R71 comes with a new AV engine with has the name KSS, maybe Kaspersky?

This is enough performance to use modern DSL lines or direct links completely, not only partial. So I would recommend this release to everyone who still uses content scanning on an UTM-1 appliance and has performance problems.

Tobias Lachmann

New UTM-1 Edge N-Series appliances

Check Point is launching a new series of UTM-1 Edge appliances, the N-Series. Looks like the rumours from years ago came true and they finally build the “Edge Arrow”.

Here’s the baseline from what we know by now:

- 5x more firewall throughput than X-series appliances
- 5x more VPN throughput than X-Series appliances
- 7x more concurrent connections than X-series appliances
- GigabitEthernet-Ports instead of FastEthernet
- 3G connectivity build-in
- two flavours: 32 users and unlimited users, 8 users and 16 user only with X-series
- 4x more VPN tunnels (SA)
- unlimited Remote Access profiles
- 802.11b/b/n support (UTM-1 Edge NW)
- 802.11z wireless security support
- no build-in ADSL-modem available
- new 8.1 firmware for all models (not available by now on support pages)

The complete specification can be found here.

An UTM-1 Edge N32 is $200 more expensive as an old X32 and costs $1400 instead of $1200, same applies to the NU which is now $2200 instead of $2000 for XU.

If you take in consideration how much more power you can get, the $200 more are totally fine with me.

Will be interesting to see how the firmware developed from 8.0.42 to 8.1. Hopefully it’s available soon.

Tobias Lachmann

When to use UTM-1 appliances – and when not – Part II

Last week the R71 software version was released. One of the most interesting things for me was the performance improvement they promised on appliances.

The use now SecureXL to accelerate connections and state that they now can deliver up to 4 time more firewall throughput and connection rate and up to 3 times more IPS throughput. Some limitations apply to SecureXL as described in the R70 Performance Optimization Guide so we have to see how this works with real life rulebases.

But the biggest change to me is the performance enhancement with Antivirus, where Check Point speaks of up to 15! times more throughput and up to 80 times more connection rate.

This is done by the new Stream Detection Mode. As you may remember from my previous post, AntiVirus suffered from the bad HDD performance on UTM-1 appliances, as every file had to be downloaded to the disc, scanned and then delivered to the client. Now the inspection is done as the traffic passes through the gateway and they do a pattern matching as far as I understood. Makes perfectly sense that this way of traffic inspection improves performance. Unclear is for me at the moment how compressed content is handled. I can’t see now other way than storing the archive to disc, uncompress it and then scan the content. Not sure how they handle this – on the fly seems unlikely.

Anyway, I will test this in the next days to get my own results and will check the processes and disc accesses while doing so, which will hopefully gives an explanation.

By the way: URL Filtering is handled differently, too. Now the connections are handled in the kernel space and no longer folded into the security server. This will improve performance and will change the way we can debug this blade.

If Check Point can keep the promises on performance while running R71 on UTM-1 appliances, I will be deeply impressed. Remember that the appliances are sold for some years now and have less powerful hardware, compared to standard OpenServers. Would be a great thing for all of us the protect the investment in the appliances!

Tobias Lachmann

SecurePlatform and NTP

This is an old problem, but maybe not everyone knows this:

If you work with NTP servers sync on SPLAT, you should also set the timezone to get correct date/time and daylight saving. Unfortunately, this can’t be done in the WebUI. So first configure your NTP servers in the WebUI. Then access the command line and execute sysconfig. Use option 4 to go to time settings and then option 1 for setting the time zone according to your location.

Verify that you got the correct time using the WebUI.

Tobias Lachmann

Well done, Royi!

Just had an amazing “support experience” with Check Point:
My customer suffered from sudden loss of VPN connectivity as the SmartCenter CA died because of a database corruption.
Check Point needed only 30 minutes from answering my call to providing a hotfix that solved the problem!
Well done, guys! Very well done!

Tobias Lachmann

URL Filtering update error

When you receive continous update errors within the URL Filtering modul, maybe it’s a good idea to delete the whole database and rebuild it via the update database function in SmartDashboard. Was helpful for me several times…

First change to the directory $FWDIR/uf/sc/update/incoming.
Delete all the files beginning with “sfcontrol”. The file “sfcontrol” itself is the database, all the others are differentials and status infos.
Run cpstop and cpstart for a restart of the services that controll URL Filtering.
Go to your SmartDashboard, change to the “Content Inspection” tab and click on “Update Databases Now”.

It will take awhile to download to whole database, but you can watch this process while checking the files and sizes in the directory.

While debugging URL Filtering in general, you may stumble over sk35196 which describes several procedures with the avsu_client command and optional parameters. Please note that Check Point changed the URL Filtering provider, I think with HFA50, from SurfControl to SecureComputing. This engine change comes together with a change in the parameters when you call avsu_client. The application name “URL Filtering” does not provide valid output when you use the SecureComputing engine, you have to use “URL Filtering2″ to get actual results from the installation.

avsu_client -app "URL Filtering" fetch failed to fetch signature update err_str=Failed. Message from module: "Server has no available updates". info= Local version is date

avsu_client -app "URL Filtering2" fetch signature file up to date err_str=Succeeded. Existing signature is up-to-date. info= Local version is date

Sadly just calling avsu_client gives no explanation about the changed parameters, it only lists “URL Filtering”.

Tobias Lachmann

R71 released

The version R71 was released. See this article for details. The release notes can be found here.

I will test the upgrade from R70.30 to R71 today and get back to you with more feedback.

Tobias Lachmann

Don’t shoot the messenger

Some days ago I was informed by a friend of mine that he nearly lost his status as a Check Point partner.

What has happened?

Well, he was openly speaking in the Check Point User Group (CPUG) forum about the new software blade licensing and what he liked and disliked about it. Instead of appreciating open feedback, Check Point got angry about this.

We had hard times selling the advantages of software blades to the customers and nearly no one bought the upgrade.
That’s why Check Point changed the cost for upgrades in the end, because of all the negative feedback.

So, what’s my point about this?

Like Shakespeare said: “Don’t shoot the messenger!”

Partners and also certified professionals are brand ambassadors for Check Point in front of the customers.

So maybe it’s a good idea to get their feedback before major changes are announced and involve them as soon as possible in the process of development.

As for me, I had some really good conversations with guys from product management and development. They asked me about my customers, how they use the products and what I can and cannot sell to the customers. About the necessity of certain features and so on. And I appreciate this and I think this is the absolutely right way.

But unfortunately, as events have shown, this is not the way Check Point is following with everybody…. sad.

Tobias Lachmann

PS: The make the picture complete: since upgrade to software blades is free and we have great new features with the R70.x versions, we can easily argue the upgrade to the customer.

Criticial error messages and logs

Today I want to bring your attention to SecureKnowledge article sk33219, which deals with “Critical error messages and logs”.

There we have a nice list of possible error messages together with a short explanation why this error occured.

I’m missing hints on how to resolve the issue or to a related sk. But all in all a very usefull article you should bookmark for further reference.

Tobias Lachmann

Abra is USB-1 is Abra

I wrote before about the new settings in R70 relase labeled USB-1. It turns out that I was right and this is refering to a Mobile VPN/Workplace solution. This was officially announced on CPX last week.

By now I got some inside info about the name, very funny. Abra was the original code name for this project. The final product should stick with the naming convention and be a “something-1″. So it came to USB-1. This was decided by a high level authority within Check Point, so the name was brought into the GUIs. But after a while they discovered that Abra was the better name to place the product in the market and so it was allowed to stay. But at this time, it was to late to change the GUIs as they were delivered with HFA of R70.

Will be interesting to see how the market reacts to Abra, but I would predict good feedback for this product. Better and easier as setting up notebooks and vpn clients for users or external contractors, just give them a stick and there they go.

Only the import/export feature could be better. In my opinion the stick should act transparent on a PC with Endpoint Security Media Encryption installed, as normal USB sticks do. So in the company transfer data to Abra and work on them later at home. And if you loose the stick, everything is still encrypted.

I’m curious how the product will evolve but I’m expecting more good things to come.

Tobias Lachmann

When to use UTM-1 appliances – and when not

In the year 2007 Check Point introduced the UTM-1 appliances. We sold a lot of these, because they had a good value for the money and they were an easy way to quickly deploy stand-alone cluster setups.
The old software license for a gateway with unlimited IP addresses was more expensive than a UTM-1, when you included also the hardware to run the gateway on. And UTM-1 appliances brought more with them for free. On example is SmartDirectory to get user data out of LDAP-Directories/ADs, another is Management High-Availability to sync primary and secondary SmartCenter running on the appliances.

So, why did I choose this headline? Why asking the question, when not to use UTM-1 appliances?

Well, Check Point promoted Messaging Security at the beginning, later one the Total Security Package which offered Antispan, Antivirus and URL-Filtering. The idea to have all this functions together on one gateway that has to deal with the network traffic anyway sounded smart. And it is, believe me. What was not smart was to ability to use these functions on every gateway… which customers did.
The UTM-1 270 for example has a Celeron M 60 MHz CPU in it, together with only 1 GB of RAM. The 570 series has a Celeron M with 1.5 GHz CPU and also 1 GB RAM. Could you really believe that this hardware is capable of dealing with Firewall rules, VPN, SmartCenter functions and all the Content Inspection at once? Turns out they can’t. We’ve seen enormous CPU loads in the field, together with tremendous utilisation of I/O. The installation of a policy nearly took down the systems and users experienced connection loss from that. The reason for the later seems to be that at the beginning Check Point started to many instances of the security servers for the scanning. This was fixed in a HFA and is actually no longer existing. But the bad I/O performance still remains. Well, every intercepted download has to be writen to the harddrive and scanned. If it’s compressed, it had to be uncompressed before scanning. This creates high load for sure.

Even the bigger UTM-1 2050 appliances had only a Pentium 4 mit 3.4 GHz and 2 GB of RAM in it. More powerful, true. But not really enough power anyway. And I/O still sucked.

Ok, let’s get back to the initial question. When should I use an UTM-1 appliance?

I think that these appliances do their best job purely as Firewall and/or VPN gateway. We like to use them in dedicated customer environments like Web Shops our web server housings. Depending on customers need and prerequisits you can deploy the appliances a single gateway or HA-cluster. Managed by a bigger SmartCenter or self-managed, together with Management HA.

When should I not use an UTM-1 appliance?

In case you want to use content inspection, stick with a software license and run it on an OpenServer. There you can increase the memory and use dual-core CPUs. You can get better harddisc performance with specialised controllers and maybe just add more discs and have a RAID 0. Since they introduced the new Multi-Core licensing where you pay for the amount of CPUs you want to use, this is getting really affordable. The SG203-U license togehter with the desired content inspection blades is the best combination, even for demanding environments.

Oh, I forgot one thing: when you buy an UTM-1 appliance, you have to stick with the number of network interface. On an OpenServer, just add additional network cards as needed until all slots are filled. Even GE or 10GE is no big deal.

So, the use of an UTM-1 appliance depends on the scenario where you want to deploy it. Carefully think about it and then choose your solution. Have in mind that an appliance may be cheaper thaen software plus OpenServer hardware. But if your users complain about the performance, handling only a few service calls can eat up the safings from an appliance.

Finally I want to mention some things that are unique to the UTM-1 appliances and that you loose when choosing SPLAT on OpenServer. First the image management, which is quite good. Easy to use and perfect for rollback operations after major changes in your environment. Second the ability to crash recover an appliance through the front panel and the use of a prepared USB stick to deploy the initial configuration. Very cool feature for remote locations.

Hopefully we’ll see performance improvements with upcoming GAIA even on single core machines through new code, so that we can use the UTM-1 appliances with all features again. Wait and see..

Tobias Lachmann

DLP = Data Loss Prevention

Check Point announced DLP as a product at the CPX2010. DLP stands for Data Loss Prevention and is a solution to make sure that specific data is not leaving the company – wether it’s intended or unintended.

Basically it’s an extension of the gateways capability to intercept and scan emails, http and ftp traffic and react to the content found. Works kinda like the antivirus scanning that we know for some time now. So it’s transparent to the users and the mail/web servers that are part of the communication.

The administrator defines a policy for his content and the direction where it is send. For example you can block mails to recipients outside your organisation if an attachment to that mail derives from a template which is used for confidential content. Or the attachment or the mail itself contains some keywords that are suspicios if they are used too many times. Because of the predefined data-types, Check Point speaks of 250 by now, I found it very easy to be going with this in a short period of time.

The action for the rules can be just logging, prevention of sending the content or asking the user what to do. As always, Check Point has a client for Windows operating systems only by now. This clients notifies the user with a popup that something has been blocked. The user can decide to send it anyway, discard or review the incident. Also it can be configured that the user has to type a justification for sending, if the mail is caught by the policy at first.

If you’re not using a resident client on your machine, an email notification is the second way to notify the user. The email informs you and is offering links where you can click. The links points to an application on the gateway, reachable over a webserver. Depending on your decision, the content is released or held back. As an alternative you can reply to this notification email and add keywords to the subject. The gateway will see this keyword when the mail goes through it and follow your decision.

All in all I find this solution easy to configure and implement. But to be sure we have to wait until GA of DLP. Interesting will be, how good the custom configuration of data types and rules will be. DLP has the possibility to create own types by using regular expressions. But as you might know, working with RE can be a pain in the ass.

So, in what flavors is this DLP solution offered? Well, we have two appliances, DLP-1 2571 and DLP-1 9571. The smaller one states that it can process 70.000 messages per hour and has a througput of 700 MBit/s. The bigger one 350.000 messages ans 2.5 GBit/s. As this are marketing numbers, we should cut them in half – at least. To be sure, we should assume only 1/4 the capacity stated, judging by the experience with UTM-1 appliances and Messaging Security in the past. The smaller appliances has a price of $14990 for the first year and $7000 for the following years, the bigger $49990 for the first and $12000 for the following years.

Or you have your DLP solution on your normal perimeter gateway, which I find more useful. We have three blades, CPSB-DLP-500, CPSB-DLP1500 and CPSB-DLP-U. The last part stands for the number of recommended users, but I’m not sure if there’s some kind of enforcement like with ip addresses at the gateway blades. We’ll have to wait for licensing info on that topic. The 500 user blade is $3000, the 1500-blade is $7000 and unlimited users come for $12000. The DLP is a service blade, so the numbers are per year.

If someone want’s to use this, and I bet many companies will, I think that the best solution is to buy a software blade container together with the DLP-blade and run it on an OpenServer under SPLAT. SPLAT is the only supported platform by the way. The server is about $4000 for a HP DL360, IBM 3350 M2 or similar, $12500 for a 4 core container and $3000-$12000 for the desired blade. For the first year this is starting at $19500 and $5250 for the following years. The advantage that I see in contrast to the appliances is more performance through cores, memory and hard discs. Especially hard dics performance was the bottleneck that we saw on most appliances running other content inspection software like Messaging Security etc.

So, what’s the bottom line:
First of all, I’m excited and think this is a good product. Unlike other new releases like SmartProvisioning, SmartWorkflow etc. I think this solution is ready to be used from the start. And second I’m curios how customers will use this solution. I think we can expect some demanding requirements for rules we havn’t even thought of by now

Start checking out DLP here or in the pricelist.

As soon as I get this to work in an live environment, I will post my findings!

Tobias Lachmann

R70.30 is there

Folks,

the new R70.30 is available. See the release notes here
All in all some minor fixes. The biggest point is the possibility to use sub-CAs for SSL-VPN, which was not possible in the past.

Other improvements include Windows 7 support for SmartWorkflow and some Non-English regional formats for map visualization.

Tobias Lachmann

I’m back!

Hello everybody!

I’m back from my parental leave, which lasted till the end of March. During that period, I spend all the time with my son but no time with this blog.

Now I’m back at work and I see interesting things everyday that give me inspirations for articles, so expect new content soon.

What also happended is that I gained the CCSE R70 certification for contributing to the new CCSE exam. Thanks Ken Finley, this is greatley appreciated! Now I’m done with re-certification until CCSE+ comes out.

Bye for now

Tobias Lachmann

Geo Protection – new in R70.20

A cool feature was introduced with R70.20 which is called Geo Protection. It is part of the IPS blade and you need to have a proper IPS blade license for that.

What it does is the mapping from IP addresses to countries over a database (not sure yet which database CP bought) and then block connections by countries.

You can block connections TO or FROM a specific country and you can also define exceptions for that rules, like with other IPS protections. The actual policy of blocking/allowing is displayed in a world map overview and gives an easy overview.

When traffic is examined and blocked by Geo Protection, we get nice logs entries in SmartView Tracker.

This feature is also good for logging, as you can just accept any traffic but log the connections and determine this way, what countries access the resources behind the firewall or were your users get their webpages from.

Only catch here is licensing: this only works with R70.20 SmartCenter und Gateways which have both proper R70 Software Blade licensing. But hey, it’s free of charge and some sort of bonus to those who converted their licenses already

I hope they put more features into Geo Protection or link it to normal IPS protections and/or the rulebase. Cool scenarios we can think of….

Tobias Lachmann

Neighbour table overflow

Under SecurePlatform you can sometimes see the following message in /var/log/messages

Jan 15 13:44:08 fw1 kernel: Neighbour table overflow.

This refers to the ARP cache a.k.a. Neighbour table.

If you’re running a gateway with lot’s of interfaces or big subnets, you might see many nodes over Layer-2, so communication to them fills your ARP table and sometimes overflows it, which can lead to connectivity errors.

The ARP cache table has a maximum size, which can be displayed with cat /proc/sys/net/ipv4/neigh/default/gc_thresh3.
You can verify the actual amount of ARP entries either with arp -an | wc -l or with ip neighbor show |wc -l. Proxy ARP entries are only displayed when using the arp command.

Periodically and automatically the entries in the ARP cache are verified. At a specified interval, a garbage collector is running and removes entries that are no longer used. The interval can be verified with cat /proc/sys/net/ipv4/neigh/default/gc_interval, by default it’s 30 seconds.

The garbage collector is controlled by three variables:
gc_thresh1, which is the minimum number of entries in the ARP cache. If the actual number of entries are below this value, the garbage collector will not run.

gc_thresh2, which is the soft maximum number of entries. If the actual number of entries is above this value for more than 5 seconds, the garbage collector will run.

gc_thresh3, which is the hard maximum number of entries. If the actual number of entries is above this value, the garbage collector with immediately run.

gc_thresh3 is also the maximum value of ARP entries that can be kept in the table.

The default values are quite low, so you might want to increase them.

You can do this on the fly with the following CLI commands:

sysctl -w net.ipv4.neigh.default.gc_thresh3=4096 sysctl -w net.ipv4.neigh.default.gc_thresh2=2048 sysctl -w net.ipv4.neigh.default.gc_thresh1=1024

This does not survice a reboot.

To survive a reboot, add this lines in the /etc/sysctl.conf file
net.ipv4.neigh.default.gc_thresh3 = 4096 net.ipv4.neigh.default.gc_thresh2 = 2048 net.ipv4.neigh.default.gc_thresh1 = 1024

Afterwards run the command sysctl -p for the changes to take effect and then reboot.

Tobias Lachmann

Backup error in R70.20 SPLAT

Yesterday we did an inplace-upgrade of a SPLAT box to R70.20 from NGX R65. Since then, the scheduled backup was broken. When I tried to edit the settings through the WebUI, I got the message GENERAL ERROR.

Fix for this was to disable the scheduled backup on the command line with backup -e off.
Then I was able to edit all the settings through the WebUI again and backup is working now.

This seems to be an error in R70.20, because we had another customer with this error who upgraded from R70.1 to R70.20 and it was working with R70.1

Tobias Lachmann

USB-1 is coming

I just found a new section in the Global Properties of my R70.20 SmartConsole labeled “USB-1″.

Judging by the settings, this USB-1 is the SecureWorkspace/VPN-Client that comes on a secured USB stick and enables you to connect securely to your company without the need to install software on a client computer.

Will be interessting to see when this is officially released and what the feature set will look like.

Tobias Lachmann

New SK regarding error with SIC renewal in R70

Just found the new sk43744, which describes that the automatic certificate renewal will fail in R70, R70.1 and R70.20. This is a problem when you upgraded from an older installation in-place, where the CA is kept. Since certificates are fundamental for the way Check Point software works, please take this seriously. Otherwise policy installation, log receiving and SmartConsole connections to SmartCenter are affected.

Normally SIC certificates are automatically renewd 15 month before expiration.To determine if you have a problem that needs to be fixed, verify the expiration date of your SIC certificates and follow the procedure in the sk43744.

Please note that the command line cpca_client lscert -stat Valid -kind SIC is not a valid alternative, as it produces an ouput with wrong dates, so you have to use the ICA web.

Tobias Lachmann

Identity Logging with R70.20

I just installed the R70.20 update on our SmartCenter Server. We can now use the Identity Logging feature, which is very cool. It is an update of Logging & Status blade and is used to associate IP addresses of workstations to users, working on this machine. It works only with Active Directory servers running on Windows Server 2003 and 2008, but this is ok with me. SmartCenter has to run SPLAT/Linux or Windows Server 2003/2008.

After configuration, a table with the association of IP and user name is held on the SmartCenter and this information, if available, is displayed in the log entries on SmartView Tracker.

Configuration is done an SmartCenter object -> Logs and Masters -> Identity Logging. Only a few things to fill in.

It’s easy, but I would have expected to find an LDAP accounting unit here, like you configure AD servers within SmartDirectory.
Just for using Identity Logging, this is easy to implement. When you have already a SmartDirectory configuration, you’re doing the job twice.

This feature is only available with R70.20 on a SmartCenter which works with Software Blade licenses. A little incentive for those who changed to the new licenses

Tobias Lachmann

Migration to Software Blades with CPVP-VCT-U license

Following the current promotion, you can trade-in your old license with no additional cost for a Software Blade license that has equivalent functionality. Now I discovered that with the CPVP-VCT-U license you’re not getting a proper equivalent, as SecureXL is missing in the new license.

This error was reported to Check Point and is acknowledged. They will fix it in the next days and publish new Upgrade calculator and Upgrade matrix.

No big deal really, as you always get CoreXL accelleration with R70. SecureXL might no be necessary for most users, taking the aspect of performance.

Tobias Lachmann

Determine UTM-1 appliance series from CLI

If you want to know which appliance series you have, you can use a command line tool to determine this information.

Just run /usr/sbin/dmidecode | grep "Product Name"

Sample output:

[Expert@xxx-fw1]# /usr/sbin/dmidecode | grep "Product Name" Product Name: U-30-00 Product Name:

[Expert@yyy-cp1]# /usr/sbin/dmidecode | grep "Product Name" Product Name: C6P_UTM Product Name: NSA-1086

Here are the translation for the information under the field Product Name:

P-20-00 -> Power-1 9070 Appliance
P-10-00 -> Power-1 5070 Appliance
U-40-00 -> UTM-1 3070 Appliance
U-30-00 -> UTM-1 2070 Appliance
U-20-00 -> UTM-1 1070 Appliance
U-15-00 -> UTM-1 570 Appliance
U-10-00 -> UTM-1 270 Appliance
U-5-00 -> UTM-1 130 Appliance
C6P_UTM -> UTM-1 2050 Appliance
C6_UTM -> UTM-1 1050 Appliance
C2_UTM -> UTM-1 450 Appliance

Tobias Lachmann

Check Point is listening!

On December 21st I wrote about my latest experience with Software Blade licenses, a couple of days later I received an email from Check Point about this posting. They asked me if I would be willing to share my experience with this incident and licensing in general with them to generate some improvement in the process. Today we had a long phone conference with a very good and productive discussion and I can see the effort at Check Point in improving.

I also had a couple a phone calls with developers and product managers in the past month, were they wanted me to share my experience with specific products and also my opinion about new products and recent changes with them.

So you can really say: Check Point is listening!

I’m really glad they’re doing this and I think this is the right way to be more sucessful – side by side with the partners and customers, listening to their needs.

Check Point: keep on with the good work!

Tobias Lachmann

Enlarging UTM-1 partitions

Some users may experience problems with full partitions on Check Point UTM-1 appliances, most likely with the partition holding the log files as this partition is small, especially at the first appliance series.

When you install SecurePlatform, all partitions have fixed sizes except for /var which gets the remaining free space after the creation of the other partitions. Because logs are stored in /var/opt/CPsuite-R70/fw1/log, there’s rarely trouble with disc space.

The UTM-1 appliance work different as they use the Logical Volume Manager (LVM) for handling the partitions. The LVM is assigning the hard disc space to the partitions and allows resizing of partitions.

However, the filesystem is untouched when you resize a partition. So following sk33179 doesn’t give you additional space for your logs.

To achieve this goal you first have to resize the partitions:

View the name of the log partition with lvdisplay, most likely, this name is /dev/vg_splat/lv_log.
Then resize with
lvresize -L 30GB /dev/vg_splat/lv_log.
In this example the partition is resized to 30GB.

Reboot the appliance with serial console attached. Access the boot menu by pressing a key when prompted and boot into maintenance mode.

Then execute this commands:

umount /dev/mapper/vg_splat-lv_log e2fsck -f /dev/mapper/vg_splat-lv_log resize2fs /dev/mapper/vg_splat-lv_log

This modifies the filesystem and brings it to the new partition size.
Reboot the appliance afterwards and verify with the df -h command that you accomplished the resizing of partition and filesystem correctly.

Tobias Lachmann

Great R70 Performance Optimization Guide

Check Point has a great Performance Optimization Guide that describes the technology of SecureXL, CoreXL and ClusterXL. It also gives good explanations and hints on how to improve performance. Highly recommended for reading.

Tobias Lachmann

Inside Check Point licensing

One of our customer bought a new UTM-1 2070 appliance. This device comes with 3 managed sites.

Now he wants to manage more sites and brought up the question, if he can use a SmartCenter unlimited license he already owns. Just purchasing normal support for SCT-U is cheaper than buying an SXA license and the needed support for this license.

I don’t know if Check Point license policy is allowing that use, but from a technical point of view we can verify if this works.
For that reason, we have to take a look inside the cp.macro file. This file has all the definitions of features and licenses.
On SecurePlatform, you find this file under /var/opt/CPshrd-R70/conf/cp.macro

If we look in the license for an UTM-1 2070, we find these two strings: CPMP-UAPP-1-NGX CPXP-SXA-2-NGX
The first is for the appliance itself, the second is the management extension for two additional sites.

Let’s break down the first one:
For CPMP-UAPP-1-NGX, we have the following relevant entry:
MACRO ::CPMP-UAPP-1-NGX CPMP-UAPP-module-base-NGX CPMP-UAPP-management-base-NGX CPVP-UAPP-1-NGX

That means that actually the string is a macro itself and consists of CPMP-UAPP-module-base-NGX, CPMP-UAPP-management-base-NGX and CPVP-UAPP-1-NGX.

Let’s focus on CPMP-UAPP-management-base-NGX:
cp.macro has this definition for it:
MACRO ::CPMP-UAPP-management-base-NGX CPMP-SCT-1-NGX CPFW-AM-U-NGX CPMP-HA-MGMT-NGX CPMP-SMPO-NGX CPMP-EVRX-U-NGX

So this is another macro for the SmartCenter (CPMP-SCT-1), SmartDirectory (CPFW-AM-U), Management-HA (CPMP-HA-MGMT), SmartPortal (CPMP-SMPO) and Eventia Reporter (CPMP-EVRX-U).

We go for the SmartCenter part:
MACRO ::CPMP-SCT-1-NGX CPMP-EMC-1-NGX

Again a macro, so we need to investigate CPMP-EMC-1-NGX:
MACRO ::CPMP-EMC-1-NGX fw1:6.0:lcontrol fw1:6.0:vpnmgmt fw1:6.0:vpnstrong fw1:6.0:remote1 fw1:6.0:cluster-u

Now we’re close to the final answers

The macro fw1:6.0:lcontrol has this definitions:
MACRO fw1:6.0:lcontrol mgmtcore fwmgmt cpui qosmgmt cmpmgmt dbvr_unlimit cluster-u
This breaks down to:

MACRO fw1:6.0:mgmtcore cmd +--#DESCRIPT#fw1:6.0:cmd#Saving a file from the log viewer


MACRO fw1:6.0:fwmgmt    fwc filter

+--#DESCRIPT#fw1:6.0:fwc#INSPECT compiler

+--#DESCRIPT#fw1:6.0:filter#INSPECT code generation
MACRO fw1:6.0:cpui      policyui lvui sstui rtmui

+--MACRO fw1:6.0:policyui  ui

+--#DESCRIPT#fw1:6.0:ui#Policy User Interface

+--MACRO fw1:6.0:lvui      fwlv

+--#DESCRIPT#fw1:6.0:fwlv#FireWall-1 Log Viewer

+#DESCRIPT#fw1:6.0:sstui#System Status User Interface

+#DESCRIPT#fw1:6.0:rtmui#RTM User Interface  
MACRO fw1:6.0:qosmgmt   fgmgmt rtmmgmt

+--#DESCRIPT#fw1:6.0:fgmgmt#FloodGate-1 Management

+--#DESCRIPT#fw1:6.0:rtmmgmt#RTM Management
MACRO etm:6.0:cmpmgmt

+--#DESCRIPT#etm:6.0:cmpmgmt#Compression management
dbvr_unlimit

+--#DESCRIPT#fw1:6.0:dbvr_unlimit#Policy Versioning

cluster-u +--#DESCRIPT#fw1:6.0:cluster-u#Unlimited number of clusters for HA

Finally, we have found out the management related features hidden in the license:

But it is not said, how many sites can be managed.
This information is in the last “big” macro CPMP-EMC-1-NGX, coded in
fw1:6.0:remote1 #DESCRIPT#fw1:6.0:remote#Allows remote management

So you can manage one site with this license, e.g. the UTM-1 appliance can manage itself.
But the UTM-1 2070 comes with a 3 managed sites license.

This is defined in the CPXP-SXA-2-NGX addition to the UTM-1 license:
MACRO ::CPXP-SXA-2-NGX fw1:6.0:remote2 fw1:6.0:cpxmgmt #DESCRIPT#CPXP-SXA-2-NGX#SmartCenter Extension for 2 additional sites; version: NGX; 3DES

We have remote1 and remote2, which comes to the count of 3 managed sites.

So, back to the initial question: can we use a SCT-U license for extending the managed sites of an UTM-1?

MACRO ::CPMP-SCT-U-NGX CPMP-EMC-U-NGX #DESCRIPT#CPMP-SCT-U-NGX#SmartCenter for an unlimited number of gateways;version: NGX; 3DES

Again, look into the next macro CPMP-EMC-U-NGX

MACRO ::CPMP-EMC-U-NGX fw1:6.0:controlx fw1:6.0:vpnstrong #DESCRIPT#CPMP-EMC-U-NGX#Enterprise Management Console for an unlimited number of gateways; version: NGX; 3DES

From there we go into fw1:6.0:controlx:

MACRO fw1:6.0:controlx control vpnmgmt

And further onto control:

MACRO fw1:6.0:control remote lcontrol

We know the “lcontrol” macro from our investigation before, also the “remote” keyword.

#DESCRIPT#fw1:6.0:remote#Allows remote management
As “remote” comes without any number, this means unlimited management.

To answer the question we began with: YES, you can use an unlimited SmartCenter license as an extension of the management capabilities of an UTM-1 appliance.
From a technial point of view.

I will open a call with Check Point to make sure that this is actually permitted within the license regulations.

As you can see, licensing within Check Point products is complicated through the use of so many macros, but in the end it comes to a limited number of features that are encoded in the licenses.

If you will, you can chase down also the new Software Blade licenses with this scheme to see, what is actually enforced.

Tobias Lachmann

UPDATE: Check Point just confirmed that the use of a SmartCenter license on a UTM-1 appliance is not permitted to extend the amount of managed sites. You have to stick with the SXA extensions or build up a separate SmartCenter.

“It’s Christmas, Theo. It’s the time of miracles, so be of good cheer…” – Hans Gruber in Die Hard

Since Christmas is the time for kids making their wishlists, I will also give it a try and make my personal wishlist to Check Point. And as Christmas is also the time for miracles, maybe some of my wishes will come true in the next year…. we’ll see.

SecurePlatform
Image Management / Snapshots
Well, we have Gaia coming sooner or later. What I really would like to see in there is the Image Management of the UTM-1 Appliances. Better to handle as Snapshots for most tasks. A really great evolution would be a combination of both. Being able to create and store images locally, as well as taking snaphots/images and storing them over the net using SSH.
Could make data recovery even more easy.
Why not add a dialog during SPLAT installation, where you can choose to use Image Management with LVM or stay with the old partitioning. If Image Management is chosen, you should decide for yourself, how the space should be divided between /var and the image partition.

Time and Date settings
Why can I set NTP parameters together with the GMT in the WebUI, but need to go to the CLI to set time zone?
This should also appear in the WebUI.

Administrator Accounts
I’d like to choose on creation which shell the accounts should use (bash or cpshell) and what the idle timeout of a session should be. Also the ability to scp something to the box using this account should be an option to enable here.

SNMP
The SNMP settings should be configured using the WebUI. Also I’d like to have a download link to the current MIB on the box.

SmartConsole
Adding objects
The new icon with the “+” sign on each cell is very helpful for quick-adding of objects. I’d like to have the opportunity to add a new object, too

Window resizing
Some dialog boxes can’t be resized. Normally these fixed size dialog boxes have too much content and you must use scroll bars to see the content. Examples: Global Properties, Firewall object page, network object page. All windows should be resizable.

Gateway Topology
I have to maintain a gateway cluster with more then 150 interfaces. Whenever I need to make a change to the interface configuration, I have to scroll to the entire list to find the right entry, since the list is unsorted. Not funny.
I’d like to have the ability to sort the list by clicking on the column header.

Troubleshooting
InfoView
We really need a more up to date and stable version of InfoView. Normally I need to try 2-3 times before I can open a cpinfo file because the tool crashes. As far as I known it’s not maintained any longer, but all support partner really need this!

Endpoint Security
SecureClient / Endpoint Connect
Endpoint Connect should be the successor of SecureClient, but it isn’t really. EC lacks the personal firewall feature. For most SME customers the old SecureClient Desktop Policy feature was all they needed. Check Point should understand that Endpoint Security is not the answer to all demands.

Licensing
Check Point does not offer a maintained, up to date VPN client without any costs. For using Endpoint Connect, a Endpoint Security Secure Access license is necessary if you want to use OfficeMode.
Like Cisco, also Check Point should give away a full blown VPN-Client for free!

OS support
Parts of Endpoint Security run on Windows 7? Congratulations. But why do we still have to struggle with VPN clients for MacOS or Linux? Why do we have to use an actual OS like Snow Leopard with a very, very old VPN client like SecureClient?
I think that before integrating new features into Endpoint Security and all other products that have to be installed on clients, you should make sure that you have support for all common OS. Windows XP, Vista, 7 as well as MacOS 10.4, 10.5 and 10.6. Also a client for Linux (Debian, RedHat/CentOS, Ubuntu) should be available.

Version numbering
I nearly lost it with the Endpoint Security version numbers, since it’s not any longer corresponding to the other products. Keep the version numbering more simple.

That’s it for now, but for sure I will extend my wish list in the next days… so much things CP needs to take care of.

Happy XMAS, everybody.

Tobias Lachmann

My trouble with Software Blade licenses

My latest experience was with our first customer that used all R70 licenses, instead of just upgrading to R70 but sticking with NGX licenses.

Ok, what happened? In the User Center I found a container and some blades. I checked the container and licensed it by assigning an IP address to the container. Then I attached the blades to the container. Afterwards I clicked on “Get license” and had my license file. I also got my contract file, too.

Then the nightmare happened when I installed the license to the customer system during our installation. Nothing worked! And by saying “nothing”, I mean “nothing”. Not even firewall was working! A total disaster, we had to rollback the whole stuff.

After spending 3 days with Support and Account Services from Check Point we found the error: through my procedure I had just licensed a container, without any blades. Attaching blade to a container and issuing “Get license” does nothing to the license. You have to attach the blades to the container and then license the whole package. Only this creates an valid license.

At the moment I haven’t made up my mind completely. Was it my fault? Am I to stupid to understand how to produce a correct license? Or is the User Center just working unexpected?

By the way: Total Security licenses are a total mess, too. We had several cases were (using NGX licenses) the AntiSpam, AntiVirus or URL Filtering module stopped working or updating because of license issues. The sad part is here, that all customers bought proper licenses and the User Center displayed all items correctly.

I really wish they will fix that….

Tobias Lachmann

Check Point R70.20 is now available

The release R70.20 is now available. I checked the documentation and found that it contains many important fixes as well as new features. Especially it takes care of the new multicore licensing scheme, that has been introduced by Check Point.

Check out the What’s new page, the Release Notes, the Known Limitations and the Resolved Issues.

R70.20 is like the HFA60 for NGX R65 from the bugfixing side plus some added features.
Highly recommended for installation.

Tobias Lachmann

Short article about CPUGCON 2009

My employer released the new customer magazin recently.
We have a short article about the CPUG conference 2009 and my presentations. Writen in german.

Tobias Lachmann

Re-Certification R70

Today I passed the first part of my re-certification. Since the R70 CCSA exam is now available, I started with this one and will later on go for CCSE and CCSE+. I took the Accelerated CCSE exam once, wasn’t funny. I’m not going to do that again with R70!

The R70 exam is under NDA restriction, so I can’t go into detail or tell you about specific question.

But some general things can be said:

- we now have a tough time frame – 130 questions in 120 minutes!
- the questions are now more detailed and have good pictures which help a lot; but the scenarios are more complex
- you actually have real live questions which occur in the daily work
- all topics from the course are covered and you have to know more details about the product and general security methods
- it’s not like to old CCSA exam, it’s more like the CCSE actually

Sadly, some things haven’t changed:

- still questions that can’t be answered correctly
- questions with two! answers that have the same text -> which one will be judged as correct?
- answers like “1,2 and 4 are correct” -> here I found that no answer had the number X in it, which is also correct; kind of misleading
- lot’s of questions that need to be re-phrased to make sense; especially for non-native speakers some of them are very hard to understand

I took the exam without practicing and passed. But this is truly not recommended! At least you should buy the student handbook from the training courses to know all the topics. Remember, the course has now 5 days instead of the 2 it had before.

Will be interesting to see, how the CCSE goes.
I submitted some questions for this exam to Check Point. If I’m lucky, they will accept some of this questions. The promised reward was gaining the CCSE R70 certification.
If this works, I’m of the hook

Tobias Lachmann

Project Gaia – the new Check Point OS

Check Point will come up with a new OS platform that will succeed Secure Platform (SPLAT) and IPSO.

Judging by the features that are shown on the project page, it will be based on Linux / SPLAT and many features of the Nokia Voyager will the transfered to the WebUI.
I was able to get some rumours from Check Point, that acknowledge this guess.

At the moment there’s no code available for customers or partners, but I’ll keep you posted as things develop in the next month.

Tobias Lachmann

CPUG On Tour – One day Check Point User Conferences

Barry Stiefel, founder of Check Point User Group CPUG, is putting together a tour of one day conferences in the US. These are kind of “small” CPUGCON events for all the folks from the states that couldn’t make their way to Switzerland in september.

I thing this is very cool indeed and everyone should considering visiting one of the events, either in Atlanta, New York City or Chicago.

Find more details on the conference website: CPUG On Tour

Tobias Lachmann

PS: Barry, thanks for having my picture on the frontpage. I like the caption of the photo

Update: Hardware Monitoring on UTM-1 appliances

Check Point found the error and described it as follows:
While installing NGX R65 HFA50, the net-snmp packages are updates to 5.3.1.0 version. When upgrading to R70.1, it tries to upgrade to net-snmp-5.0.9 version, which fails since newer packages are installed.

Check Point provided me with a new R70.1 upgrade package which I will test in the next days. Sadly, the updated package hasn’t made it to the download page so far, there you can still get the old -buggy- version.

Hopefully they re-relase this upgrade package soon.

If they don’t and you experience problems while upgrading, please ask support for the fix and refer to SR 11-72334871.

UPDATE: Check Point released a SecureKnowledge article for this issue: sk43340

UPDATE 2: Today I spoke to the support guys again. I convinced them that this fix is interesting for everybody with a UTM-1 installation and HFA50 out there, which are quite a lot people, I guess. Now they’re thinking about changing the SK entry and adding a direct download link to the fixed packet.

UPDATE 3: Support will release a new article for this issue including the download links: sk43350. At the moment the sk is not publicly available

Tobias Lachmann

NGX R65 HFA60 available

The latest Hotfix Accumulator, HFA60 for NGX R65 is available.
At the moment only for Check Point partner, but public release will follow shortly.
The release notes show a huge amount of fixed issues, including some content scanning problems I’ve seen before in the wild.
So the installation of HFA60 is greatly recommended!

Tobias Lachmann

Disconnect after one hour when using UTM-1 Edge build-in DSL Modem

This is an old one, but still valid:
When you use the build-in ADSL modem in an UTM-1 Edge, it will disconnect approx. after one hour.
To avoid this, connect to the command line of the appliance and issue set port adsl auto-sra mode disabled.

Tobias Lachmann

Instabil SPLAT system after upgrading to R70

Check Point released an important new article in SecureKnowledge, sk43247.

This article states that in SPLAT there’s a recursive soft link (/opt/CPsuite-R65/fw1/PA/conf/PA/PA) after installing two of the following HFAs to the machine: HFA30, HFA40 or HFA50.

When upgrading to R70, this softlink causes the error leading the software to become instable.
The solution is to delete the link before upgrading to R70 (rm -f /opt/CPsuite-R65/fw1/PA/conf/PA/PA).

Please have that in mind when you plan to upgrade to R70.

Tobias Lachmann

Hardware Monitoring on UTM-1 appliances

The hardware monitoring feature on UTM-1 appliances, available since R70.1, is missing when upgrading the appliance from NGX R65 with Messaging Security HFA50.

Check Point just confirmed this and stated, that some rpm packages are not updated which produces the error.
When you upgrade directly from NGX R65 with Messaging Security, the error is not occuring.

We’ll see what the solution from the developers for this problem will be. Since this is a general problem, I hope for new upgrade packages instead of some fixes to be applied afterwards. Seems cleaner to me….

I keep you informed

Tobias Lachmann

My favorite troubleshooting command

Do you know how to troubleshoot connection issues the easy way? Instead of looking into SmartView Tracker for the reason of a connection drop, just enter the shell. Then issue fw ctl zdebug drop and you’ll see the dropped packet in realtime with the reason for the drop. This is an undocumented command, which is actually a shortcut for a couple of debugging commands. A developer from Check Point was to tired of typing the needed debug lines again and again and so he introduced the zdebug command. His first name began with the letter Z, so this is why the command is zdebug.

The output is very nice, shows the reason for the drop and can easily be filtered with the grep command for IP addresses:

fw_log_drop: Packet proto=17 10.255.253.21:20031 -> 10.255.253.255:20031 dropped by fw_antispoof_log Reason: Address spoofing


fw_log_drop: Packet proto=17 192.243.100.205:58999 -> 224.0.0.1:9996 dropped by fw_handle_first_packet Reason: Rulebase drop - rule 243
fw_log_drop: Packet proto=1 10.68.111.2:1281 -> 10.68.111.5:1669 dropped by fw_icmp_stateless_checks Reason: ICMP redirect packets are not allowed

fw_log_drop: Packet proto=6 192.243.119.238:80 -> 91.96.46.174:49543 dropped by fw_first_packet_state_checks Reason: First packet isn't SYN

Since this is realtime debug output, you need to have live traffic through the firewall to see if a packet is dropped. When you try to investigate the reason for a drop of an older connection, you have to go the SmartView Tracker.

Tobias Lachmann

Edge disconnect while using embedded ADSL modem

The UTM-1 Edge appliance may show the error that the Internet connections is continuously disconnected after about an hour when the embedded DSL modem is used.

There’s an easy way to solve this problem. Just issue the command set port adsl auto-sra mode disable on the CLI or over the WebUI following Setup->Tools->Command.

BTW: after updating the DSL firmware, it is recommended to totally disconnect the appliance from power instead of just rebooting.

Tobias Lachmann

Idle Timeouts in SPLAT

Ever wondered, how to get a longer timeout when working on SPLAT CLI?

If you use the CPshell as login shell, the command is

IDLE 999

When you are in expert mode or changed the login shell to bash, the command is

UNSET TMOUT

The first command sets the timeout to 999 seconds, the second one disables the timeout.

Tobias Lachmann

Capazity Optimization

Because one of my customers run recently in this problem, maybe it’s a good idea to mention this again.

The firewall has a limit for it’s maximum concurrent connections. This is necessary to limit the amount of memory allocated.

But if you reach the limit, the firewall stops to accept new connections. You may experience this as a partial loss of connectivity.

To check the number of actual connections and the peak value, run fw tab -t connections -s on the command line

[Expert@fw1]# fw tab -t connections -s HOST NAME ID #VALS #PEAK #SLINKS localhost connections 8158 108437 166360 378754

The memory allocation and use of connections can also be shown with fw ctl pstat.

[Expert@fw1]# fw ctl pstat

Machine Capacity Summary: Memory used: 12% (203MB out of 1604MB) - below low watermark Concurrent Connections: 15% (79242 out of 499900) - below low watermark Aggressive Aging is not active

If your concurrent connections are near the limit, you can increase the number using the SmartDashboard. Just edit the properties of the gateway object under capacity optimization and set a higher value. Please note that the memory allocation will also increase when you change something here, so make sure you’ve got enough free memory.

capacity_optimization

Tobias Lachmann

UMTS / HSDPA connection with UTM-1 Edge Appliance an T-D1 SIM card

A nice feature that comes with the UTM-1 Edge Appliances is the ability to establish an internet connection trough an USB modem.

I bought a used Huawei E220 from eBay and connected it the the box.

usb_modem_overview

usb_modem

Then you go to the WebUI and choose Network -> Ports. There you can see that a USB device is connected to the UTM-1 Edge Appliance.

1network_ports

Click on Edit.

Now you can verify that the modem is recognized.

2network_ports_usb_devices

Click on Edit again to get to the properties of the USB modem.

Choose the right modem type from the Drop-Down menu. A list of all supported modem can be found here.

The APN is specific for the telecom provider you’re using, in this example it’s Deutsche Telekom T-D1 and the value is “internet.t-d1.de”

The PIN is specific for the SIM card that you’re using.

3usb_modem_setup

After applying the settings to the USB modem, you configure the device as primary Internet Connection.

The username for T-D1 is “t-d1″.

The password is also “t-d1″.

The number to be dialed is *99#

4internet_setup

After a few seconds the box has logged into the internet through the USB modem and you can use the connection like any other internet access.

5network_internet_connected

I find this very useful, for example for temporay access on an exhibition or for home users where no DSL is available.

VSX R65 NGX HFA10 to be released

Just received notice that the VSX NGX R65 HFA10 will be released soon. See the release notes for detailed infos.

Since it includes many fixed issues, it should be considered worth installing.

Tobias Lachmann

Some stuff posted in MCS customer mag

My employer MCS Moorbek Computer Systeme GmbH publishes a customer magazine on a regular basis.

I had same articles about Check Point topics in this magazine, written in german:

Really basic stuff, actually, but worth noticing.

I’ve you’re into Solaris or MySQL, check out the “Admin Tipps & Tricks” in the other issues of the magazine. Usually they’re located on the last pages. Use the link above to access current and older magazines.

Tobias Lachmann

ETA for NGX R65 HFA60

Today I was informed that HFA60 for NGX R65 will be available at the end of this quarter.

I expected this HFA earlier, but for some reasons the deployment was postponed again

Tobias Lachmann

Error in upgrade process from NGX R65 to R70.1 on UTM-1

Today I got the confirmation that Check Point was able to reproduce an error reported by me.

With R70.1 the new feature of hardware monitoring for appliances was introduced. The was missing for so long and I’m glad is had been build into the WebUI now. But unfortunately this is only working when you do a completely new installation.

When you upgrade a NXG R65 installation on a UTM-1 to R70 and then onwards to R70.1 some files get corrupted.

Support is currently working on this, I’ll keep you posted.

Tobias Lachmann

Presentations from Check Point User Group Conference (CPUGCON) 2009

I think I get started with this blog by posting links to the presentations I held on the Check Point User Group Conference in Chur, Switzerland.

The first presentation is purely for beginners: Troubleshooting in the Check Point environment, Part I

The second one, which was more liked by the crowd at CPUGCON, is really advanced troubleshooting: Troubleshooting in the Check Point environment, Part II

I benefit from my daily work with a Check Point Collaborative Support Provider (CCSP) for these two presentations, as they reflect the things I’m constantly facing.

From the project side, I did lot’s of migrations from distributed Check Point installations to Check Point UTM-1 Full-Cluster. This means that the firewall / vpn part is working in active/standby cluster and we have also Management High Availability with the two SmartCenters. This is described in the presentation: Migration from a Distributed Environment to a UTM-1 Cluster

Best regards

Tobias Lachmann

Welcome to my Check Point blog!

Hello everyone!

After spending more than 8 years working with Check Point products, I thought it may be a good idea to let the world know my findings from time to time.

Becoming an expert means making errors and trying out things… but who says that two persons need to make the same (bad) experience? Maybe someone can just read this blog and find the solution he’s looking for….

For more information about myself, check out the speakers page on CPUGCON website.

Tobias Lachmann

Me at Check Point User Group Conference 2009