Secure Client for Mac OS 10.6 (Snow Leopard) available

July 23rd, 2010

SecureClient NG-AI R56 HFA 2 for Mac OS X 10.6 (Snow Leopard) is now officially available through the Support Portal. I tested the EA versions (Build 8 and 15) and had good results.

It’s sad that it took so long for Check Point to come up with a VPN client for 10.6 and also SNX support for Snow Leopard is not here at the moment.

Hope they’ll fix that soon.

Tobias Lachmann

UTM-1 1050 and 2050 network problems

July 21st, 2010

So, what is the problem about? Well, NIC connections stay up for about 1 or 2 minutes, then they’re down for about 5 minutes.

We upgraded a UTM-1 2050 series appliance to R71 and got massive connectivity problems. Two days later sk42174 came out, which helped us fix the problem. It seems that the Linux kernel shipped since R70 assigns new drivers to the NICs, and these drivers are incorrect.
The solution for that problem is to change the settings back to the old driver.

For details please refer to the SK and have it in mind when you’re updating older appliances.

Back to Chur in September – CPUGCON 2010

July 16th, 2010

I will be travelling to the Check Point Usergroup Conference (CPUGCON) in Chur this September!

Thanks to my employer MCS for giving me the opportunity.

Barry Stiefel accepted my presentations for “Best Practices For The Check Point Appliances” and “Check Point Troubleshooting” and I’m happy to speak again in front of such a great audience.

It turned out last year that half of the attendees were working for Check Point partners, so there is an enormous amount of knowledge and experience there.

Make sure to attend, too!

Where else can you meet people like yourself, dealing with the same topics and the same problems? Benefit from their experience and their solutions.

Check out the conference presentations (work in progress) and meet the speakers.

And please don’t hesitate to speak to me and share some feedback about this blog when you see me in Chur.

Tobias Lachmann

R71.10 available

July 15th, 2010

The new R71.10 update is available. Find all the resources on this page within UserCenter.

We now have Abra support on all gateway platforms and support for Outlook Web Access (OWA) 2010 over SSL VPN, and R71.10 includes the hotfix for the SSL VPN blade that was mandatory when using this blade with R70.

Please note that the R71.10 upgrade package cannot be installed on gateways with DLP.

Check Point also released complete packages for a fresh installation with R71.10 but they sadly don’t include UTM-1 images.

Tobias Lachmann

Proactive detection mode vs. Stream detection mode

July 11th, 2010

As I wrote a while ago, we had great performance improvements with Antivirus scanning and the R71 release. On the same UTM-1 hardware the throughput doubled. While this was true for my lab testing, real world testing didn’t show the same results. Upgraded systems had no better AV performance, and overall performance was only slightly better.

The reason for that is that an upgraded system keeps the old way of detecting viruses, the Proactive detection mode. In this mode, the traffic is trapped by the kernel and forwarded to the security server. The security server then forwards the traffic to the Antivirus engine, and the traffic is allowed or blocked depending on the response of the Antivirus engine. The whole file has to be stored first before it can be scanned.

The new Stream detection mode doesn’t need to store the file for scanning. Stream detection is able to scan uncompressed and compressed traffic while it is passing through the gateway’s kernel, doing decompression on the fly.

Stream detection mode works only signature-based, whereas Proactive detection mode works with Antivirus signatures and in addition with a sandbox where heuristic behaviour scans are done to detect malware, even if no signature is available yet.

Stream detection is default on fresh installations, so that’s why you can see great performance improvement on R71.

The mode can be changed within SmartDashboard -> Antivirus & URL Filtering tab -> Antivirus -> Security Gateway, where you choose the desired protocol.

Configuration of Antivirus detection mode

HTTP and SMTP can work with Stream detection mode and Proactive detection mode, POP3 and FTP only work with Proactive detection mode.

While I appreciate the performance improvement which can be gained using Stream detection mode, I think we lower security a little bit by abstaining from Proactive detection mode.

This decision should be made with careful consideration of the specific setup and customer need. If you use solely Stream detection mode, make sure to have a good Antivirus solution from another vendor running on the end user’s desktop to double-check for malware.

What do you think about the two Antivirus modes? Mail your thoughts to blog@lachmann.org

Tobias Lachmann

Database Revision in R71

July 7th, 2010

R71 brings us an improvement in the handling of database revisions.
Now it is possible to define how long old versions should be kept.
The criteria can be the number of versions, the age of the versions, the storage consumed by the versions or the free disk space.

Automatic Deletion of Database Revisions

I think this is a very nice improvement and worth noticing.

Tobias Lachmann

Online partition resizing on UTM-1 appliances

June 24th, 2010

Under SPLAT with the 2.4 Linux kernel (NGX R65) you had to follow a slightly complicated procedure to resize the partitions and the filesystems on a UTM-1 appliance.

Now the R7x releases bring us the 2.6 kernel with lots of improvements. A very nice one is the ability to resize (meaning increase!) the partitions and filesystems online, without the need to unmount them.

[Expert@volvo]# lvresize -L 12GB vg_splat/lv_current
Extending logical volume lv_current to 12.00 GB
Logical volume lv_current successfully resized

[Expert@volvo]# resize2fs /dev/mapper/vg_splat-lv_current
resize2fs 1.39 (29-May-2006)
Filesystem at /dev/mapper/vg_splat-lv_current is mounted on /; on-line resizing required
Performing an on-line resize of /dev/mapper/vg_splat-lv_current to 3145728 (4k) blocks.
The filesystem on /dev/mapper/vg_splat-lv_current is now 3145728 blocks long.

Please note: this can only be done when increasing the filesystems. Reducing the filesystems requires them to be unmounted!

In that case go with this procedure.

Tobias Lachmann

Control UTM-1 Edge appliances from command line

June 24th, 2010

The Edge gets its policy from the SmartCenter server over the SofaWare Management Server process (sms).

The interval at which the policy is pulled is defined under Global Properties -> UTM-1 Edge Gateway -> Update configuration settings every XX minutes

Global Properties for UTM-1 Edge appliances

If you want to update an Edge immediately, you can do this by using the WebUI (access your SmartCenter over http://:9283/) or you can use the command line.

The directory /opt/CPEdgecmp-R7x/bin contains the tool swcmd which can be used to issue commands directly to the Edge appliance.

swcmd UpdateNowAll will tell the Edges to update their policy immediately.

swcmd Reboot will reboot the gateway.

Tobias Lachmann

Certificate Signing Request (CSR) key size

June 21st, 2010

In a recent blog entry I described how you can use 3rd party certificates within your Check Point gateway.

Now I was informed by Brian that some commercial CAs no longer sign if the key size is only 1024 bit; you need at least 2048 bit.

How can we change the behaviour of the Check Point when issuing the CSR?

Just go to Global Properties -> SmartDashboard Customization -> Configure -> Certificates and PKI properties.

Global Properties -> SmartDashboard Customization

There we have an option to define the key size for the certificates. Available values are 1024, 2048 and 4096 bit.

Certificate and PKI properties

Change this value according to your need and the requirements of the CA you chose for signing.

Starting with R71 the standard key size is 2048 bit.

Tobias Lachmann

Update to R71 – enlarging UTM-1 appliance root partitions

June 18th, 2010

In one of my previous blog entries I described a way to enlarge partitions of UTM-1 appliances. This was necessary especially for the older x50 series appliances, as they had a smaller hard drive and a bad partition layout.

In the past I only enlarged the partition that held the log files because that’s where you have the most data. The procedure was working just fine and I was happy.

A couple of days ago I started updating x50 series appliances from R65 to R71. Even after cleaning up unused files on the system right before the update I got into serious trouble. The cause was that the root partition was nearly full.

The update process itself came up with no error, but while operating the appliance the root partition was completely full in no time. Especially updating the URL Filtering database, which is now about 370MB, filled the root partition quickly.

When I tried enlarging the root partition with the described procedure I failed.

Resizing requires unmounting the partition first, but you can’t unmount the root partition.

So I had to find another way to modify the partition sizes of the appliance.

Here’s what I did:

I downloaded an ISO-Image of grml, a Linux Live system for sysadmins. Then I modified the ISO to display output on the serial console. You can download this modified ISO here.

I connected a USB DVD drive to the appliance and booted the ISO image.

On the boot screen I added some parameters for the startup process:

Some information and boot options available via keys F2 - F10. http://grml.org/
grml 2010.04 - Release Codename Grmlmonster 2010.04.29
boot: serial debug=noscreen lang=de lvm

When grml had finished booting, it gave me a console with all the needed tools. LVM was loaded already and I was good to go.

I checked for the volume groups on the hard drive with the vgscan command:

root@grml ~ # vgscan -v
Wiping cache of LVM-capable devices
Wiping internal VG cache
Reading all physical volumes. This may take a while...
Finding all volume groups
Finding volume group "vg_splat"
Found volume group "vg_splat" using metadata type lvm2

Then I activated the logical volumes with vgchange:

root@grml ~ # vgchange -a y
6 logical volume(s) in volume group "vg_splat" now active

You can display the volume group with vgdisplay:

root@grml ~ # vgdisplay
--- Volume group ---
VG Name vg_splat
System ID
Format lvm2
Metadata Areas 1
Metadata Sequence No 7
VG Access read/write
VG Status resizable
MAX LV 255
Cur LV 6
Open LV 0
Max PV 255
Cur PV 1
Act PV 1
VG Size 72.47 GiB
PE Size 4.00 MiB
Total PE 18553
Alloc PE / Size 7424 / 29.00 GiB
Free PE / Size 11129 / 43.47 GiB
VG UUID dCQA6u-z70X-LIsE-Xhmb-n5ho-ZMrX-JyBePy

You can display the logical volumes with lvscan:

root@grml ~ # lvscan
ACTIVE '/dev/vg_splat/lv_current' [5.00 GiB] inherit
ACTIVE '/dev/vg_splat/lv_log' [10.00 GiB] inherit
ACTIVE '/dev/vg_splat/lv_hfa' [5.00 GiB] inherit
ACTIVE '/dev/vg_splat/lv_upgrade' [5.00 GiB] inherit
ACTIVE '/dev/vg_splat/lv_fcd' [2.00 GiB] inherit
ACTIVE '/dev/vg_splat/lv_fcd62' [2.00 GiB] inherit

Then I resized the logical volumes to better values:

root@grml ~ # lvresize -L 11GB /dev/vg_splat/lv_current
Extending logical volume lv_current to 11.00 GiB
Logical volume lv_current successfully resized

root@grml ~ # lvresize -L 25G /dev/vg_splat/lv_log
Extending logical volume lv_log to 25.00 GiB
Logical volume lv_log successfully resized

Keep in mind that you will need some free space for imaging purposes, so don’t use up all the space on the hard drive!

Then a file system check has to be done, followed by the resizing of the file system.

root@grml ~ # e2fsck -f /dev/vg_splat/lv_current
e2fsck 1.41.11 (14-Mar-2010)
Superblock last mount time is in the future.
(by less than a day, probably due to the hardware clock being incorrectly set) Fix? yes

Pass 1: Checking inodes, blocks, and sizes
Pass 2: Checking directory structure
Pass 3: Checking directory connectivity
Pass 4: Checking reference counts
Pass 5: Checking group summary information
/dev/vg_splat/lv_current: ***** FILE SYSTEM WAS MODIFIED *****
/dev/vg_splat/lv_current: 26973/655360 files (0.1% non-contiguous), 384238/1310720 blocks

root@grml ~ # resize2fs /dev/vg_splat/lv_current
resize2fs 1.41.11 (14-Mar-2010)
Resizing the filesystem on /dev/vg_splat/lv_current to 2883584 (4k) blocks.
The filesystem on /dev/vg_splat/lv_current is now 2883584 blocks long.

root@grml ~ # e2fsck -f /dev/vg_splat/lv_log
e2fsck 1.41.11 (14-Mar-2010)
Superblock last mount time is in the future.
(by less than a day, probably due to the hardware clock being incorrectly set) Fix? yes

Pass 1: Checking inodes, blocks, and sizes
Pass 2: Checking directory structure
Pass 3: Checking directory connectivity
Pass 4: Checking reference counts
Pass 5: Checking group summary information

/dev/vg_splat/lv_log: ***** FILE SYSTEM WAS MODIFIED *****
/dev/vg_splat/lv_log: 56/1310720 files (3.6% non-contiguous), 49409/2621440 blocks

root@grml ~ # resize2fs /dev/vg_splat/lv_log
resize2fs 1.41.11 (14-Mar-2010)
Resizing the filesystem on /dev/vg_splat/lv_log to 6553600 (4k) blocks.
The filesystem on /dev/vg_splat/lv_log is now 6553600 blocks long.

To finish, deactivate the logical volumes:

root@grml ~ # vgchange -a n
0 logical volume(s) in volume group "vg_splat" now active

root@grml ~ # lvscan
inactive '/dev/vg_splat/lv_current' [11.00 GiB] inherit
inactive '/dev/vg_splat/lv_log' [25.00 GiB] inherit
inactive '/dev/vg_splat/lv_hfa' [5.00 GiB] inherit
inactive '/dev/vg_splat/lv_upgrade' [5.00 GiB] inherit
inactive '/dev/vg_splat/lv_fcd' [2.00 GiB] inherit
inactive '/dev/vg_splat/lv_fcd62' [2.00 GiB] inherit

That’s it. Reboot again and start the Secure Platform.

Check with df -h that you have the desired partition layout:

[Expert@cpmodule]# df -h
Filesystem Size Used Avail Use% Mounted on
/dev/mapper/vg_splat-lv_current
11G 1.4G 8.9G 14% /
none 11G 1.4G 8.9G 14% /dev/pts
/dev/hdc1 145M 13M 125M 9% /boot
none 502M 0 502M 0% /dev/shm
/dev/mapper/vg_splat-lv_log
25G 33M 24G 1% /var/log
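As an added example (my code, not from the post), serving this post and the earlier online-resize post above: a shell dry-run that applies the two rules both procedures depend on, only grow a mounted volume and never ask for more than the volume group has free, to saved vgdisplay and lvscan output. The sample files are constructed from the values shown above, and the function names plan_grow, vg_free_mib and lv_size_mib are mine.

```shell
#!/bin/bash
# Added example, not from the original post: dry-run a planned online grow
# of an LVM volume on a SPLAT/UTM-1 box before running anything. Two things
# go wrong in practice: shrinking (only growing works on a mounted
# filesystem) and asking for more than the volume group has free. Inputs
# are saved `vgdisplay` and `lvscan` outputs; the sample files below are
# constructed from the values shown in the post.
set -u

# vg_free_mib VGDISPLAY_FILE -> free extents * extent size, in MiB
# (older LVM prints GB/MB, newer GiB/MiB; both spellings are handled)
vg_free_mib() {
  awk '$1 == "PE" && $2 == "Size" { pe = $3; unit = $4 }
       $1 == "Free" && $2 == "PE" { free = $5 }
       END { mult = (unit ~ /^G/) ? 1024 : 1
             printf "%d\n", free * pe * mult }' "$1"
}

# lv_size_mib LVSCAN_FILE /dev/VG/LV -> current LV size in MiB, empty if absent
lv_size_mib() {
  awk -v lv="$2" '$2 == ("\047" lv "\047") {
         size = $3; unit = $4
         sub(/\[/, "", size); sub(/\]/, "", unit)
         mult = (unit ~ /^G/) ? 1024 : 1
         printf "%d\n", size * mult; exit }' "$1"
}

# plan_grow VGDISPLAY_FILE LVSCAN_FILE /dev/VG/LV TARGET_GIB
# Prints the lvresize/resize2fs commands to run, or refuses with a reason.
# Each call checks one LV against the same snapshot, so re-run vgdisplay
# between volumes when growing several in one session.
plan_grow() {
  local vgfile="$1" lvfile="$2" lv="$3" target_gib="$4"
  local cur free target need mapper
  cur=$(lv_size_mib "$lvfile" "$lv")
  free=$(vg_free_mib "$vgfile")
  target=$((target_gib * 1024))
  if [ -z "$cur" ]; then
    echo "refusing: $lv not found in lvscan output" >&2; return 3
  fi
  if [ "$target" -le "$cur" ]; then
    echo "refusing: $lv is $cur MiB, $target MiB is not a grow (shrinking needs the fs unmounted)" >&2
    return 1
  fi
  need=$((target - cur))
  if [ "$need" -gt "$free" ]; then
    echo "refusing: $lv needs $need MiB more, volume group has only $free MiB free" >&2
    return 2
  fi
  # lvresize takes /dev/<vg>/<lv>; on the running system resize2fs is run
  # against the mapper node /dev/mapper/<vg>-<lv> as in the post (LVM2
  # doubles a '-' inside names; vg_splat uses underscores, so none here).
  mapper=$(printf '%s\n' "$lv" | sed 's#^/dev/\([^/]*\)/\(.*\)$#/dev/mapper/\1-\2#')
  echo "lvresize -L ${target_gib}G $lv"
  echo "resize2fs $mapper"
}

# --- constructed sample inputs, values taken from the post ---
sample_dir=$(mktemp -d)
vg_sample="$sample_dir/vgdisplay.txt"
lv_sample="$sample_dir/lvscan.txt"
cat > "$vg_sample" <<'EOF'
  --- Volume group ---
  VG Name               vg_splat
  VG Size               72.47 GiB
  PE Size               4.00 MiB
  Total PE              18553
  Alloc PE / Size       7424 / 29.00 GiB
  Free  PE / Size       11129 / 43.47 GiB
EOF
cat > "$lv_sample" <<'EOF'
  ACTIVE            '/dev/vg_splat/lv_current' [5.00 GiB] inherit
  ACTIVE            '/dev/vg_splat/lv_log' [10.00 GiB] inherit
  ACTIVE            '/dev/vg_splat/lv_hfa' [5.00 GiB] inherit
EOF

plan_grow "$vg_sample" "$lv_sample" /dev/vg_splat/lv_current 11          # ok: prints the two commands
plan_grow "$vg_sample" "$lv_sample" /dev/vg_splat/lv_current 4 || true   # refused: would shrink
plan_grow "$vg_sample" "$lv_sample" /dev/vg_splat/lv_log 60 || true      # refused: 51200 MiB needed, 44516 free
```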

Tobias Lachmann

R71 SSL VPN blade – how sweet is this?

June 17th, 2010

I’m not sure if anyone noticed it, but R71 comes with a brandnew SSL VPN blade. And I really like how quickly you can do the setup. After a few clicks it is running, providing a demo-application (world clock). Setting up the rest is a piece of cake.

Well done guys, well done!

Check Point R71 SSL VPN blade - Wizard step 1

Check Point R71 SSL VPN blade - Wizard step 2

Check Point R71 SSL VPN blade - Wizard step 3

Check Point R71 SSL VPN blade - Wizard step 4

Check Point R71 SSL VPN blade - Login

Tobias Lachmann

Keep up 2 date? Why 8?

June 15th, 2010

I stumbled over the process keepup2date8, which was running on the machine for quite a while after an R71 upgrade.
It took me some time to find out that it is nothing to worry about: it is the Kaspersky process that updates the antivirus database.

Tobias Lachmann

Using 3rd party certificates for your SSL VPN

June 8th, 2010

With Check Point software it’s very easy to configure client authentication over https or SSL VPN with the SSL Network Extender (SNX).

But unfortunately, Check Point presents a self-signed certificate from the internal CA to the users.

The resulting browser warning can be confusing for the users, and depending on the company policy and the settings in the browser the connection might not work at all.

The better way is to have a certificate on the gateway that was issued by one of the big CAs like Verisign, Thawte etc. and present this to the users.

Because these CAs are known to the browser as trustworthy, no error message appears while connecting.

I’m going to show you how to configure your gateway with a certificate from a 3rd party CA.

1. First, we need to create a trusted CA object under the Servers and OPSEC Applications section.

Creating a trusted CA object

2. Then we give a name to the CA object and choose OPSEC PKI as CA type.

CA properties

3. On the next tab you can import the CA certificate from a file.

OPSEC PKI properties

Here you can also choose to do an automatic enrollment for certificate renewal over three different protocols. However, this isn’t supported by all CAs. Personally I don’t do automatic renewals but do it by hand instead every time.

If you uncheck CRL retrieval from HTTP servers, all certificates will be trusted, whether revoked or not. For our purpose it’s ok to have this unchecked.

4. While importing the CA certificate you have to approve it.

Accept CA certificate

5. Now we’re done with the CA object and can actually go to the gateway object.

Gateway properties

6. Click on Add to create a new certificate. You’re asked for a Nickname of the certificate, which is used in various places in the GUI and in config files. I would suggest keeping it short and descriptive. Choose to enroll this certificate from the CA created in the steps before.

Certificate properties

7. At this point a CSR (certificate signing request) is going to be generated. The DN (Distinguished Name) has to be correct for the certificate to be created by the CA, so take good care here!

Generate CSR

In our example the certificate is signed by the United Internet CA, and we have to use this DN for a gateway with the DNS name fw.test.de:

CN=fw.test.de,OU=Comodo InstantSSL,OU=Authorized by United SSL,OU=Authorized by United SSL,O=TEST GmbH,STREET=Test Straße 90,L=Hamburg,ST=Hamburg,OID.2.5.4.17=22159,C=DE
Alternative DNS names are defined as FQDNs.

8. After filling in the details a CSR is presented. Copy it to the clipboard or save it to a file and hand it over to the CA you chose for signing. Make sure that the text is copied completely.

CSR view

9. When the CA gives you back your signed certificate, complete the process by selecting the appropriate nickname and clicking on Complete.

Gateway properties

10. Load the certificate, accept it and attach it to the gateway.

Accept certificate

11. Now you can choose this certificate to be presented when connecting to SSL Network Extender etc.

Clientless VPN configuration

VPN Clients configuration

To use this certificate in client authentication you have to configure the file $FWDIR/conf/fwauthd.conf.

Change the entry to

900 fwssd in.ahclientd wait 900 ssl:fw.test.de
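An added example (my code, not from the post) for making that fwauthd.conf change with a sanity check and a backup instead of editing blind. It assumes the entry has the layout shown above, "900 fwssd in.ahclientd wait 900 ssl:<nickname>"; the sample file is constructed, OLDNICK is a placeholder, and the function names are mine.

```shell
#!/bin/bash
# Added example (not from the original post): switch the certificate that
# in.ahclientd presents for client authentication by editing
# $FWDIR/conf/fwauthd.conf, with the checks you want before touching a
# gateway config by hand. Assumption: the entry has the form shown in the
# post, "900 fwssd in.ahclientd wait 900 ssl:<nickname>"; the sample file
# below is constructed and OLDNICK is a placeholder, not a real nickname.
set -u

# get_ahclientd_cert FILE -> nickname currently configured (without "ssl:")
get_ahclientd_cert() {
  awk '$3 == "in.ahclientd" { sub(/^ssl:/, "", $6); print $6; exit }' "$1"
}

# set_ahclientd_cert FILE NICKNAME
# Rewrites only the in.ahclientd line (its fields are re-joined with single
# spaces; a missing ssl: field is added), keeps every other line verbatim,
# and leaves FILE.bak behind. Refuses if the entry is missing or ambiguous.
set_ahclientd_cert() {
  local file="$1" nick="$2" n
  n=$(awk '$3 == "in.ahclientd" { c++ } END { print c + 0 }' "$file")
  if [ "$n" -eq 0 ]; then
    echo "no in.ahclientd entry in $file" >&2; return 1
  elif [ "$n" -gt 1 ]; then
    echo "$n in.ahclientd entries in $file, fix by hand" >&2; return 2
  fi
  cp -p "$file" "$file.bak" || return 3
  awk -v nick="$nick" '
    $3 == "in.ahclientd" { $6 = "ssl:" nick }
    { print }' "$file.bak" > "$file"
}

# --- constructed sample in the layout of fwauthd.conf, not a real file ---
demo_dir=$(mktemp -d)
demo_conf="$demo_dir/fwauthd.conf"
cat > "$demo_conf" <<'EOF'
# constructed sample, not a copy of a real fwauthd.conf
21 fwssd in.aftpd wait 0
80 fwssd in.ahttpd wait 0
900 fwssd in.ahclientd wait 900 ssl:OLDNICK
EOF

get_ahclientd_cert "$demo_conf"              # OLDNICK
set_ahclientd_cert "$demo_conf" fw.test.de
get_ahclientd_cert "$demo_conf"              # fw.test.de
```

On a real gateway the security servers read the file on policy install, so push the policy after the change.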

Tobias Lachmann

Discount on Check Point exams

June 7th, 2010

Check Point offers a 25% discount on R70 exams. You can find the VUE promotion code on this webpage.

Tobias Lachmann

Check Point User Group Conference 2010

June 6th, 2010

Don’t forget to register for the Check Point User Group Conference 2010 in lovely Chur.

Barry will keep updating the site to inform you about the agenda, speakers and other details.

I’m not sure if I can attend CPUGCON this year, but I will try. If I get accepted again as speaker, I might afford the trip.

So far I have submitted presentations about troubleshooting, DLP, VPN-1 VE and UTM-1 appliances.

We’ll see how many of those can make it to the agenda.

Tobias Lachmann

New EA for Discovery VPN client

June 6th, 2010

Check Point now has an open EA for the Discovery VPN client, which is the successor of the well-known SecureClient. Based on the documentation, it’s a mixture of Endpoint Connect when it comes to the VPN client engine and Endpoint Security Secure Access when it comes to the built-in personal firewall. The good part is that the personal firewall rules can be managed the old-fashioned way through the SmartDashboard, like today with SecureClient. So there is no change here, and you keep the ability to use all the existing objects in your database.

To access this EA, log into your UserCenter account, go to Products -> Early Availability and choose to register for the Discovery VPN client.

At the moment the Discovery VPN client is only available for NGX R65 HFA60; a release for R70/R71 will follow shortly. Supported gateway platforms are SecurePlatform, Windows and IPSO 4.2.

The client has support for Windows XP 32 bit with SP2 or SP3, Windows Vista 32 and 64 bit with SP1 and Windows 7 32 and 64 bit, so most of the operating system platforms found in companies are covered.

The following features are not supported at the moment:

  • Single Sign-on (SSO)
  • “Suggest Connect” Mode (Auto Connect)
  • Pre/Post Connect Script
  • Entrust Entelligence Support
  • Diagnostic Tools
  • Compression
  • VPN Connectivity to VPN-1 VSX
  • DNS Splitting
  • “No Office Mode” Connect Mode

But this is OK, as it is an EA and the GA version will surely have all those features.

In addition, Discovery VPN client has features that Endpoint Connect is offering, like better Location Awareness, Automatic Site Detection, better Roaming etc.

A hotfix has to be installed on the gateway to enable Discovery support; no changes at the SmartCenter are needed. The configuration has no Discovery-specific details, just a normal SecureClient configuration. If you have an existing deployment, nothing has to be changed.

I will test this client in the next weeks. If you have done so, please feel free to send comments to blog@lachmann.org and share your experience.

Personally I miss support for Mac OS 10.4, 10.5 and 10.6 very much. Especially media related companies such as advertisement agencies, print and TV producers use Mac OS as operating system, so this is a significant number of users.

Sadly, Check Point doesn’t have these operating systems in the same focus as the Windows OS. This leads to the point where customers change from SecureClient to IPSecuritas, a freeware VPN client. Using this client means more work for the client administrators, as settings can’t be distributed the way it is done with SecureClient for Mac OS.

Tobias Lachmann

UTM-1 hardware

May 25th, 2010

Here is a short list of the hardware used in UTM-1 / Power-1 / Smart-1 appliances.
If you take the appliance hardware together with the throughput stated by Check Point, it might give you an idea of how your OpenServer hardware will perform in comparison.

The details can be determined from the command line.

For the CPU details use cat /proc/cpuinfo, for the RAM details use cat /proc/meminfo.

If you have more details on UTM-1 appliances, feel free to send them to blog@lachmann.org

UTM-1 130

  • Intel Celeron M 600 MHz
  • 1 GB RAM
  • 80 GB ATA HDD

UTM-1 270

  • Intel Celeron M 600 MHz
  • 1 GB DDR2 RAM 400 MHz
  • 160 GB ATA HDD

UTM-1 450

  • Intel Celeron M 1.5 GHz
  • 1 GB RAM
  • 80 GB ATA HDD

UTM-1 570

  • Intel Celeron M 1.5 GHz
  • 1 GB RAM
  • 160 GB ATA HDD

UTM-1 1070

  • Intel Celeron M 1.5 GHz
  • 1 GB RAM
  • 160 GB ATA HDD

UTM-1 2050

  • Intel Pentium 4 3.4 GHz
  • 2 GB RAM
  • 80 GB ATA HDD

UTM-1 2070

  • Intel Celeron 440 2.00GHz
  • 2 GB RAM
  • 160 GB ATA HDD

UTM-1 3070

  • Intel Core2 Duo E6400 2.13GHz
  • 3 GB RAM
  • 160 GB ATA HDD

Power-1 5070

  • Intel Xeon E5410 2.33GHz (QC)
  • 2 GB RAM
  • 80 GB ATA HDD

Smart-1 25

  • Intel Core2 Duo CPU T7400 2.16GHz
  • 3 GB RAM
  • 4x 500 GB SATA HDD in RAID 10

Thanks to all the contributors for their info!

Tobias Lachmann

Avatar – the gateway, not the film!

May 20th, 2010

Check Point opened the public EA for the successor of VPN-1 VE, codename Avatar. Avatar is designed to run with vSphere 4.

Register for the EA within your Usercenter account. Go to Products and then Early Availability. Register for Avatar EA and download the software and documentation.

I have waited for this EA for a while and I’m very curious. There are rumours that the licensing will also be changed and I hope it’s more affordable than the current pricing.

Tobias Lachmann

Delete all ARP entries on SPLAT

May 19th, 2010

We stumbled over this one yesterday: some servers behind a gateway had a problem with ARP resolution and we wanted to make sure that ARP worked. To verify this we tried to delete all ARP entries and see if the ARP cache was filled up again (and correctly).

While Windows has arp -d * as a working command to delete all entries at once, under Linux and therefore SPLAT you have to try something different.

This little script will do the job for you:

#!/bin/bash
# Delete every entry in the kernel ARP table. The first field of each
# /proc/net/arp line is the IP address; the header line is skipped because
# it does not look like a dotted quad. (A plain [0-9]+ pattern is used
# because the awk on SPLAT does not support {1,3} interval expressions.)
for arpentry in $(awk '$1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { print $1 }' /proc/net/arp)
do
    arp -d "$arpentry"
done

Tobias Lachmann

More benefits for recent CCSE certification

May 19th, 2010

Check Point changed the benefits for their Check Point Certified Security Expert (CCSE) certification.

In the past we had

  • Expert Access to SecureKnowledge
  • Newsletter
  • Logo rights

Now they added

  • Access to level-3 TAC support engineers

I’m not sure what this means. I deal a lot with the TAC in Israel as part of my daily work, but never encountered a “level-3” engineer. Normally your call is handled by a support engineer and, if escalated, handed over to an escalation engineer. And maybe a diamond engineer from the diamond support team assists. It would be interesting to know what “level-3” means.

Anyway, the goal is clear: give the higher certified people direct access to support engineers that have the same level.

In addition, Check Point changed the handling of calls from Check Point Certified Master Architects (CCMA). Now they get escalation priority when opening a case. Also a good thing, as a CCMA is so highly trained that he could easily work as an escalation support engineer with Check Point. If a CCMA opens a case, it must be severe.

The community has demanded such privileges for skilled people for a long time (see the CPUG board for the discussion). I’m glad that Check Point has now made a step forward!

Tobias Lachmann

UPDATE: Pierre Lamy, Technical Lead of Ottawa TAC, pointed out what tiers/levels exist. A level-3 engineer is the normal support engineer who’s handling a case opened with Israel TAC.

Again backup problems after R70.30 upgrade when using SCP

May 13th, 2010

We had this before, now it’s back: the problem of scheduled backups not working after upgrading to a R70.xx version. Seen on R70.20, and now I upgraded an environment from R70.10 to R70.30 and the error is still there. The backup files are not correctly transferred to the configured SCP server.

The solution is to disable scheduled backup through the WebUI.

Then go to the /var/CPbackup/conf directory and delete the file backup_sched.conf.

Afterwards open the WebUI again and re-configure scheduled backup.

Next time the backup runs everything will be OK and files are transferred to another server with SCP.

Tobias Lachmann

New firmware 8.1.37 for UTM-1 Edge X series

May 11th, 2010

Check Point released a new firmware for the UTM-1 Edge appliance series.

As the release notes show, modifications were made for the new N-series appliances, along with some bug fixing.

The most interesting details:

- support for Endpoint Connect clients
- support for new USB modems
- time-based rules are now supported

In the release notes some more features are listed, but with a reference that they will only work with hardware version 1.4.
I guess that is the hardware version of the new N-series appliances.

Nice features requiring hardware version 1.4:

- 802.11n support
- GigabitEthernet support
- more firewall throughput
- more VPN tunnels
- support for some more USB modems

Tobias Lachmann

Details on Data Loss Prevention (DLP) blade licensing

May 10th, 2010

It has taken a long time to get information from Check Point on how to license the DLP blade, but now I got an answer:

For the 500 and 1500 user DLP blades a 2-Core-Container is needed. For the unlimited user DLP blade you need an 8-Core-Container.
The size of the blade is determined by the number of users behind the gateway!

So that would mean you need an SG201 container (included: gateway for up to 500 users) for the CPSB-DLP-500 blade.

For the CPSB-DLP-1500 blade a SG203U pre-defined system is needed, to allow more than 500 users.

For the CPSB-DLP-U blade a SG801 container is needed.

So the solution for 500 users will cost $3000 for the blade and $6500 for the container, so $9500 in total.

The solution for 1500 users will cost $7000 for the blade, $14000 for the container, so $21000 in total.

The unlimited solution will cost $12000 for the blade and $18000 for the container, so $30000 in total.

This is the pure software side, you will also need hardware, for example an open server for additional $4000.

If we look at the appliance solution DLP-1 2571 we’ll find that it is limited to 1500 users but costs only $14990.

In case your organization needs DLP protection for up to 500 users, a solution with software running on an open server is about $1500 cheaper. If you need up to 1500 users, you pay $10000 more with an open server solution than for the DLP-1 2571. Lots of money... but still worth thinking about because of the higher performance you will get from an open server.

It is easier with the DLP-1 9571 that you need for unlimited users, as the appliance costs $49900. The software solution on an open server is only $34000, that is about $16000 cheaper.

What’s the baseline here? Well, carefully think about your setup before you buy. Think about performance limitations you may encounter with an appliance. Think about the cost for the 2nd and 3rd year… and then make your decision!

Tobias Lachmann

Delete old log files on SPLAT machines

May 10th, 2010

There is no way to configure your SPLAT box or UTM-1 appliance in a way that only the logs of the last X days are kept.

The only work-around would be to configure, on the firewall object -> Logs and Masters, Required Free Disc Space together with the option Do not delete log files from the last X days.

By configuring a very high value for required free disc space you could have the built-in log deletion run every day, while the other option prevents it from deleting the logs you still need.

OR – you could implement a short script:

[Expert@fw1]# cat /usr/bin/del_logs.sh
#!/bin/bash
# Delete Check Point log files and their index files (*.log*) whose inode
# change time is older than 217 days; -print lists each file before removal.
/usr/bin/find /var/log/opt/CPsuite-R65/fw1/*.log* -ctime +217 -print -exec rm -f {} \;

The number after -ctime is the age in days: log files older than that are deleted, newer ones are kept.

Run the script with cron:

[Expert@fw1]# crontab -l
# DO NOT EDIT THIS FILE - edit the master and reinstall.
# (/tmp/crontab.19431 installed on Mon May 10 10:21:33 2010)
# (Cron version -- $Id: crontab.c,v 2.13 1994/01/17 03:20:37 vixie Exp $)
42 11 * * * /usr/bin/del_logs.sh
50 2 * * 1,2,3,4,5,6,7 backup_util sched

Now you’re able to delete the old logs as you like. If you back up your firewall or SmartCenter to your local disc, maybe you want to do this with your backups, too?

Tobias Lachmann

How to build an UTM-1 cluster with SmartCenter HA (aka Full Cluster)

May 9th, 2010

Maybe you’ve seen my presentation at CPUGCON 2009 about migrating from a distributed environment to a UTM-1 cluster.

Now I was asked to provide a how-to about building this kind of UTM-1 Full Cluster from scratch.

Actually this is very easy. Building UTM-1 clusters was supported from the start, but the SmartCenter could only reside on one appliance. With the introduction of NGX R65 with Messaging Security, we also got SmartCenter High-Availability for free.

In our setup we assume that we have two appliances, one primary and one secondary. Setup both with the normal First Time Configuration Wizard.

Make sure to install the primary one as locally managed and as primary cluster member.

The secondary appliance is also installed as locally managed but as secondary cluster member.

On the secondary appliance you also have to fill in a SIC secret to establish the communication later.

After completing the First Time Configuration Wizards on both appliances, connect with the SmartDashboard to the primary UTM-1 appliance.

Now the wizard for configuring the cluster pops up. When defining the secondary cluster member, fill in the SIC secret entered in the WebUI wizard.

Fill in all the details that reflect your cluster. Make sure to have at least one dedicated sync network.

Topology could look like this afterwards:

Now you can define rules, push the policy and make the cluster work. After that check the Management HA in the SmartDashboard:

This picture shows that both cluster members have a SmartCenter installed and are working in Management High-Availability mode.

That’s it for building an UTM-1 cluster with Management High Availability – also known as UTM-1 Full Cluster.
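As an added example (not from the original post): once the policy is installed, a quick sanity check from the Expert shell on either member is to look at the output of cphaprob state and confirm that both members appear, one Active and one Standby. The script below parses that output; the two sample outputs are constructed to resemble ClusterXL’s report and are not captures from a real appliance, and the exact column layout varies between releases, so adjust the awk pattern if yours differs. The Management HA state is not part of cphaprob; for that you still use SmartDashboard as described above.

```shell
#!/bin/sh
# Added example (not from the original post): post-build sanity check for a
# UTM-1 Full Cluster from the Expert shell. It inspects `cphaprob state`
# output, which ClusterXL provides on every member. The sample text below is
# constructed to resemble that output and is not a capture from a real box.

# Constructed sample: roughly what a healthy two-member HA cluster reports.
SAMPLE_HEALTHY='Cluster Mode:   High Availability (Active Up)

Number     Unique Address  Assigned Load   State

1 (local)  192.168.100.1   100%            Active
2          192.168.100.2   0%              Standby
'

# Constructed sample: the peer is down, so there is no standby member.
SAMPLE_DEGRADED='Cluster Mode:   High Availability (Active Up)

Number     Unique Address  Assigned Load   State

1 (local)  192.168.100.1   100%            Active
2          192.168.100.2   0%              Down
'

# ha_summary TEXT -> prints "<members> <active> <standby>"
ha_summary() {
    printf '%s\n' "$1" | awk '
        # Member rows start with the member number; the state is the last column.
        $1 ~ /^[0-9]+$/ { n++; if ($NF == "Active") a++; if ($NF == "Standby") s++ }
        END { printf "%d %d %d\n", n, a, s }'
}

# ha_ok TEXT -> exit 0 when exactly two members are listed, one Active and one Standby.
ha_ok() {
    set -- $(ha_summary "$1")
    [ "$1" -eq 2 ] && [ "$2" -eq 1 ] && [ "$3" -eq 1 ]
}

# On a real member: run the actual command if present, otherwise say so.
check_live_cluster() {
    if command -v cphaprob >/dev/null 2>&1; then
        out=$(cphaprob state)
        if ha_ok "$out"; then
            echo "cluster OK: one Active, one Standby member"
        else
            echo "cluster NOT healthy:"
            printf '%s\n' "$out"
            return 1
        fi
    else
        echo "cphaprob not found: run this on a cluster member" >&2
        return 2
    fi
}
```

Run check_live_cluster on both members after the first policy install; if the peer shows Down or is missing entirely, the usual suspects are the sync interface (cphaprob -a if lists it) and a policy that was not pushed to both members.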

Tobias Lachmann

Abra documentation and software available

May 6th, 2010

Documentation and software for the Abra stick is now available in the Check Point support center. I stumbled over two things in the known limitations. First, Office Mode is not supported on Abra. And second, CIFS is not supported over a VPN tunnel that was established with Abra.

So far I don’t know why these limitations exist, but I would rate them as severe. Especially Office Mode is a must-have when working with client-to-site VPNs.

Pricing seems to be $140 for a 4GB Abra stick and $210 for an 8GB Abra stick. I’m not sure if we have to purchase an additional Endpoint Security license (container + VPN) once Abra is able to do Office Mode, but I think so. That’s the way Endpoint Connect has to be licensed at the moment.

I will now play around with Abra a little bit and come back with more information in a couple of days.

Tobias Lachmann

R71 performance on UTM-1 appliances

May 4th, 2010

As mentioned before, the UTM-1 appliances had performance trouble when doing content scanning and I would not recommend doing this on these machines. Now R71 claims to give a big boost through new methods of scanning. I tested the performance improvement of the new R71 release with the following setup:

UTM-1 270 with a GigabitEthernet uplink to the Internet and a GigabitEthernet link to the internal network. Four servers with GigabitEthernet as clients in the internal network, running the HTTrack website copier. I used HTTrack to download several websites at the same time, creating a mixture of HTML, graphics, archives and executable content.

The UTM-1 270 was installed out of the box using the wizard. I activated VPN, SmartView Monitor and Antivirus in addition to the modules already activated by default.

The rulebase had two rules, one allowing access to the systems from a management client outside the network and one allowing access to the Internet for the servers. No NAT was used, no additional settings.

With NGX R65 with Messaging Security (HFA25) I had an average throughput of 1,026,474 Bytes / sec while running with 100% CPU load for a couple of minutes.

With NGX R65 with Messaging Security (HFA70) I had an average throughput of 1,094,563 Bytes / sec while running with 100% CPU load for a couple of minutes.

With R70 I had an average throughput of 1,647,257 Bytes / sec while running with 100% CPU load for a couple of minutes.

With R71 I had an average throughput of 1,999,611 Bytes / sec while running with 100% CPU load for a couple of minutes.

My test may not be as accurate as the ones Check Point is doing, but I think the traffic blend reflects the behaviour of normal users really well.

And having 2x the performance with Antivirus scanning on the same hardware is pretty impressive! The improvement really shows, how nice! I also noticed that R71 comes with a new AV engine which has the name KSS, maybe Kaspersky?

This is enough performance to use modern DSL lines or direct links completely, not only partially. So I would recommend this release to everyone who still uses content scanning on a UTM-1 appliance and has performance problems.

Tobias Lachmann

New UTM-1 Edge N-Series appliances

May 4th, 2010

Check Point is launching a new series of UTM-1 Edge appliances, the N-Series. Looks like the rumours from years ago came true and they finally built the “Edge Arrow”.

Here’s the baseline of what we know by now:

- 5x more firewall throughput than X-Series appliances
- 5x more VPN throughput than X-Series appliances
- 7x more concurrent connections than X-Series appliances
- GigabitEthernet ports instead of FastEthernet
- 3G connectivity built in
- two flavours: 32 users and unlimited users (the 8-user and 16-user models remain X-Series only)
- 4x more VPN tunnels (SAs)
- unlimited Remote Access profiles
- 802.11b/g/n support (UTM-1 Edge NW)
- 802.11z wireless security support
- no built-in ADSL modem available
- new 8.1 firmware for all models (not yet available on the support pages)

The complete specification can be found here.

A UTM-1 Edge N32 is $200 more expensive than the old X32 and costs $1400 instead of $1200; the same applies to the NU, which is now $2200 instead of $2000 for the XU.

If you take into consideration how much more power you get, the extra $200 is totally fine with me.

It will be interesting to see how the firmware developed from 8.0.42 to 8.1. Hopefully it’s available soon.

Tobias Lachmann

When to use UTM-1 appliances – and when not – Part II

May 3rd, 2010

Last week the R71 software version was released. One of the most interesting things for me was the performance improvement they promise on appliances.

They now use SecureXL to accelerate connections and state that they can deliver up to 4 times more firewall throughput and connection rate and up to 3 times more IPS throughput. Some limitations apply to SecureXL, as described in the R70 Performance Optimization Guide, so we have to see how this works with real-life rulebases.

But the biggest change to me is the performance enhancement for Antivirus, where Check Point speaks of up to 15 (!) times more throughput and up to 80 times more connection rate.

This is done by the new Stream Detection Mode. As you may remember from my previous post, Antivirus suffered from the bad HDD performance of the UTM-1 appliances, as every file had to be downloaded to disk, scanned and then delivered to the client. Now the inspection is done as the traffic passes through the gateway, with pattern matching on the stream as far as I understand. It makes perfect sense that this way of inspecting traffic improves performance. What is unclear to me at the moment is how compressed content is handled. I can’t see any other way than storing the archive to disk, uncompressing it and then scanning the content. Not sure how they handle this; on the fly seems unlikely.

Anyway, I will test this in the next days to get my own results and will check the processes and disk accesses while doing so, which will hopefully give an explanation.

By the way: URL Filtering is handled differently, too. Now the connections are handled in kernel space and no longer folded into the security server. This will improve performance and will change the way we debug this blade.

If Check Point can keep the promises on performance while running R71 on UTM-1 appliances, I will be deeply impressed. Remember that the appliances have been sold for some years now and have less powerful hardware compared to standard open servers. It would be a great thing for all of us to protect the investment in the appliances!

Tobias Lachmann

SecurePlatform and NTP

May 3rd, 2010

This is an old problem, but maybe not everyone knows this:

If you sync time against NTP servers on SPLAT, you should also set the time zone to get the correct local date/time and daylight saving. NTP delivers UTC; the time zone only controls how the gateway presents it, but with the wrong zone every log entry and SmartView Tracker timestamp is shifted by hours, which makes correlation with other systems painful. Unfortunately, the time zone can’t be set in the WebUI. So first configure your NTP servers in the WebUI. Then access the command line and run sysconfig. Use option 4 to go to the time settings and then option 1 to set the time zone according to your location.

Verify that you got the correct time using the WebUI.

Tobias Lachmann