Archive for the ‘General’ Category

new kernel modules starting with R70

Wednesday, August 25th, 2010

On a SPLAT machine, which is based on (Red Hat) Linux, the Check Point software runs either as user-mode processes or as Linux kernel modules.

These modules can be listed with lsmod:

[Expert@firewall]# lsmod
Module Size Used by Tainted: PF
rtmmod_smp.2.4.21.cp.i686 281120 1
bridge 27680 0 (autoclean) (unused)
vpnmod_smp.2.4.21.cp.i686 1269512 3
fwmod_smp.2.4.21.cp.i686 7858176 11
simmod_smp.2.4.21.cp.i686 827904 1
vpntmod_smp.2.4.21.cp.i686 13808 0 (unused)
e1000 126728 6
bnx2 79432 2
crc32 3592 0 [bnx2]
sg 38092 0 (autoclean) (unused)
microcode 7072 0 (autoclean)
ide-cd 35840 0 (autoclean)
cdrom 33248 0 (autoclean) [ide-cd]
dm-mod 59428 0
keybdev 3048 0 (unused)
mousedev 5688 0 (unused)
hid 22628 0 (unused)
input 5504 0 [keybdev mousedev hid]
ehci-hcd 20968 0 (unused)
usb-uhci 27308 0 (unused)
usbcore 79680 1 [hid ehci-hcd usb-uhci]
ext3 92840 5
jbd 54056 5 [ext3]
cciss 70432 12
sd_mod 14128 0 (unused)
scsi_mod 118312 2 [sg cciss sd_mod]

When Check Point refers to the firewall kernel, they are actually talking about these Linux kernel modules.

The Check Point kernel itself is composed of several modules, which can be shown using the fw ctl debug -h command.

In NGX we had the following:

  • fw “Firewall Module”
  • VPN “VPN Module”
  • FG-1 “Floodgate-1 QoS Module”
  • H323 “VoIP H.323 Module”
  • BOA “Malicious Code Protection Module”
  • WS “SmartDefense Web Intelligence Module”
  • CPAS “Active Streaming Module”
  • CLUSTER “ClusterXL Module”
  • RTM “SmartView Monitor Module”

Now with R70 and Software Blades, we have some more kernel modules:

  • kiss ???
  • kissflow ???
  • multik ???
  • SFT ???
  • CI ???
  • fw “Firewall Module”
  • VPN “VPN Module”
  • FG-1 “Floodgate-1 QoS Module”
  • H323 “VoIP H.323 Module”
  • BOA “Malicious Code Protection Module”
  • WS “SmartDefense Web Intelligence Module”
  • CPAS “Active Streaming Module”
  • CLUSTER “ClusterXL Module”
  • RTM “SmartView Monitor Module”

At the moment I have not found any reference for the new modules, neither an explanation of the modules themselves nor of their kernel debugging options.

I opened a service request with Check Point to get this information.

Tobias Lachmann

code generator for fw monitor and tcpdump

Wednesday, August 25th, 2010

Joost de Cock has a PHP application running on this site which allows you to easily create INSPECT code to use with the fw monitor command or an equivalent expression to use with tcpdump.

A very handy tool, try it!

Tobias Lachmann

R70.40 released – use with care

Thursday, August 19th, 2010

Yesterday Check Point released R70.40 with some modifications for the new UTM-1 Edge N series and the Security Gateway 80 series, support for Embedded NGX 8.1 firmware, provisioning for IPSO 6.2 and an enhanced vsx_util.

We have some improvements here, judging by the resolved issues.

This release is also the first one to handle SG80 gateways.

But, as the Release Notes state, R70.40 cannot be upgraded to R71. You first have to uninstall it before upgrading. This is not very handy, so I would suggest upgrading directly to R71.10 and waiting for the upcoming R71.20 release, which should also contain the fixes and enhancements.

Tobias Lachmann

Disabling Anti-Spoofing

Wednesday, August 18th, 2010

When you want to disable Anti-Spoofing on a whole gateway you can use a specific kernel parameter for this.

fw_antispoofing_enabled=0

Please refer to sk26202 for changing kernel global parameters and sk20364 for making them survive a reboot.

Tobias Lachmann

Display errors in SmartView Monitor

Tuesday, August 17th, 2010

Sometimes SmartView Monitor gets confused and displays wrong (cached) information.

To clear this up you do the following:

- issue cpstop on the Security Management server
- delete $FWDIR/conf/applications.C, $FWDIR/conf/applications.C.backup, $FWDIR/conf/CPMILinksMgr.db and $FWDIR/conf/CPMILinksMgr.db.private
- issue cpstart
- install policy again
- open SmartView Monitor again

Tobias Lachmann

Rumors, rumors….

Tuesday, August 10th, 2010

I heard some rumors recently that I’d like to share with you. True or not, nobody can tell. But sure interesting ;-)

First, we can expect R75 GA by the end of the year. No idea what will be included, but maybe we see more improvements from software blades. As Dorit Dor stated some time ago, the introduction of software blades with R70 was the first step in a three-step approach of a complete architecture re-design within the Check Point products. So personally I think that every new GA release will bring us closer to the goal and will give us additional performance and/or more features.

Second, Check Point seems to plan content inspection of HTTPS traffic; availability should be around the end of Q1/2011. This is a very interesting feature and I’m really looking forward to it. We had lots of projects where the customer chose not to use Check Point content scanning but rather a solution like WebWasher, which could also inspect SSL-encrypted traffic. I wonder how the handling will be done in detail and how easy the setup will be in comparison with WebWasher etc.

That’s all for now. Wait and see if these rumors have a valid background.

If you know more details, please do not hesitate and write an email to blog@lachmann.org

Tobias Lachmann

R71.10 available

Thursday, July 15th, 2010

The new R71.10 update is available. Find all the resources on this page within UserCenter.

We now have Abra support on all gateway platforms, support for Outlook Web Access (OWA) 2010 over SSL VPN, and R71.10 includes the hotfix for the SSL VPN blade, which was mandatory when using this blade with R70.

Please note that the R71.10 upgrade package cannot be installed on gateways with DLP.

Check Point also released complete packages for a fresh installation with R71.10 but they sadly don’t include UTM-1 images.

Tobias Lachmann

Database Revision in R71

Wednesday, July 7th, 2010

R71 brings us an improvement in the handling of database revisions.
Now it is possible to define how long old versions should be kept.
Criteria can be the number of versions, the age of versions, the storage consumed by versions or the free disk space.

Automatic Deletion of Database Revisions

I think this is a very nice improvement and worth noticing.

Tobias Lachmann

Certificate Signing Request (CSR) key size

Monday, June 21st, 2010

In a recent blog entry I described how you can use 3rd party certificates within your Check Point gateway.

Now I was informed by Brian that some commercial CAs no longer sign if the key size is only 1024 bit; you need at least 2048 bit.

How can we change the behaviour of the Check Point gateway when issuing the CSR?

Just go to Global Properties -> SmartDashboard Customization -> Configure -> Certificates and PKI properties.

Global Properties -> SmartDashboard Customization

There we have an option to define the key size for the certificates. Available values are 1024, 2048 and 4096 bit.

Certificate and PKI properties

Change this value according to your needs and the requirements of the CA you chose for signing.

Starting with R71 the standard key size is 2048 bit.

Tobias Lachmann

Using 3rd party certificates for your SSL VPN

Tuesday, June 8th, 2010

With Check Point software it’s very easy to configure client authentication over https or SSL VPN with the SSL Network Extender (SNX).

But unfortunately, Check Point presents a self-signed certificate from the internal CA to the users.

The resulting browser warning can be confusing for the users, and depending on the company policy and the browser settings the connection might not work at all.

The better way is to have a certificate on the gateway that was issued by one of the big CAs like VeriSign, Thawte etc. and present this to the users.

Because these CAs are known to the browser as trustworthy, no error message appears while connecting.

I’m going to show you how to configure your gateway with a certificate from a 3rd party CA.

1. First, we need to create a trusted CA object under the Servers and OPSEC Applications section.

Creating a trusted CA object

2. Then we give a name to the CA object and choose OPSEC PKI as CA type.

CA properties

3. On the next tab you can import the CA certificate from a file.

OPSEC PKI properties

Here you can also choose to do an automatic enrollment for certificate renewal over three different protocols. However, this isn’t supported by all CAs. Personally I don’t do automatic renewals but do it by hand every time instead.

If you uncheck CRL retrieval from HTTP servers, all certificates will be trusted, whether revoked or not. For our purpose it’s ok to have this unchecked.

4. While importing the CA certificate you have to approve it.

Accept CA certificate

5. Now we’re done with the CA object and can actually go to the gateway object.

Gateway properties

6. Click on Add to create a new certificate. You’re asked for a Nickname of the certificate which is used in various places in the GUI and in config files. I would suggest keeping it short and descriptive. Choose to enroll this certificate from the CA created in the steps before.

Certificate properties

7. At this point a CSR (certificate signing request) is going to be generated. The DN (Distinguished Name) has to be correct for the certificate to be created by the CA, so take good care here!

Generate CSR

In our example the certificate is signed by the United Internet CA and we have to use this DN for a gateway with the DNS name fw.test.de:

CN=fw.test.de,OU=Comodo InstantSSL,OU=Authorized by United SSL,OU=Authorized by United SSL,O=TEST GmbH,STREET=Test Straße 90,L=Hamburg,ST=Hamburg,OID.2.5.4.17=22159,C=DE
Alternative DNS names are defined as FQDNs.

8. After filling in the details a CSR is presented. Copy it to the clipboard or save it to a file and hand it over to the CA you chose for signing. Make sure that the text is copied completely.

CSR view

9. When the CA gives you back your signed certificate, complete the process by selecting the appropriate nickname and clicking on Complete.

Gateway properties

10. Load the certificate, accept it and attach it to the gateway.

Accept certificate

11. Now you can choose this certificate to be presented when connecting to SSL Network Extender etc.

Clientless VPN configuration


VPN Clients configuration

To use this certificate in client authentication you have to configure the file $FWDIR/conf/fwauthd.conf.

Change the entry to

900 fwssd in.ahclientd wait 900 ssl:fw.test.de
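Two points from the posts above are worth checking before the CSR leaves your hands: the key size the CA now demands (2048 bit, see the CSR key size post) and the DN/SAN from step 7 being exactly right, plus step 8’s warning that a half-copied CSR is useless. The following script is an added example, not part of the original post and not Check Point tooling; it assumes the openssl command line tool and builds its own constructed sample CSR with the fw.test.de name used in the post.

```shell
#!/bin/sh
# Added example (not from the original post, not Check Point tooling): sanity-check a
# gateway CSR before submitting it to the CA. Assumes the openssl CLI is installed.

# Print the RSA key size (bits) of the CSR in $1.
csr_key_bits() {
    openssl req -in "$1" -noout -text |
        awk '/Public.Key: \(/ { gsub(/[^0-9]/, ""); print; exit }'
}

# Print the CN of the CSR subject in $1 (RFC 2253 output is easy to parse).
csr_cn() {
    openssl req -in "$1" -noout -subject -nameopt RFC2253 |
        sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Print the DNS subject alternative names of the CSR in $1, one per line.
csr_dns_sans() {
    openssl req -in "$1" -noout -text |
        grep -A1 'Subject Alternative Name' |
        tr ',' '\n' |
        sed -n 's/.*DNS:\([^ ]*\).*/\1/p'
}

# check_csr CSR FQDN MIN_BITS [SAN ...]
# Returns 0 if the CSR is intact, the key is at least MIN_BITS, the CN equals the
# gateway FQDN and every listed DNS SAN is present; otherwise reports and returns 1.
check_csr() {
    csr=$1; fqdn=$2; min_bits=$3; shift 3
    rc=0
    # An incompletely copied CSR no longer carries a valid self-signature.
    if ! openssl req -in "$csr" -noout -verify 2>&1 | grep -q 'verify OK'; then
        echo "CSR is damaged or incomplete (self-signature check failed)"
        return 1
    fi
    bits=$(csr_key_bits "$csr")
    if [ "${bits:-0}" -lt "$min_bits" ]; then
        echo "key size ${bits:-unknown} bit is below the required $min_bits bit"; rc=1
    fi
    cn=$(csr_cn "$csr")
    if [ "$cn" != "$fqdn" ]; then
        echo "CN '$cn' does not match the gateway name '$fqdn'"; rc=1
    fi
    sans=$(csr_dns_sans "$csr")
    for want in "$@"; do
        if ! printf '%s\n' "$sans" | grep -qx "$want"; then
            echo "missing DNS SAN: $want"; rc=1
        fi
    done
    return $rc
}

# Constructed sample: a 2048-bit CSR with a DN in the style of the post, so the
# checks can be exercised without a gateway. Writes key.pem and csr.pem into $1.
make_sample_csr() {
    dir=$1
    cat > "$dir/req.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
req_extensions = ext
[dn]
C = DE
ST = Hamburg
L = Hamburg
O = TEST GmbH
CN = fw.test.de
[ext]
subjectAltName = DNS:fw.test.de, DNS:vpn.test.de
EOF
    openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/key.pem" \
        -out "$dir/csr.pem" -config "$dir/req.cnf" >/dev/null 2>&1
}

# Stand-alone demo: ./check_csr.sh --demo
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    make_sample_csr "$d"
    check_csr "$d/csr.pem" fw.test.de 2048 fw.test.de vpn.test.de && echo "CSR OK"
    rm -rf "$d"
fi
```

For a real gateway CSR, save the text from the CSR view to a file and run check_csr against it with the gateway’s FQDN and every alternative name you expect the CA to include.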

Tobias Lachmann

UTM-1 hardware

Tuesday, May 25th, 2010

Here is a short list of the hardware used in UTM-1 / Power-1 / Smart-1 appliances.
If you take the appliance hardware together with the throughput stated by Check Point, it might give you an idea of how your OpenServer hardware will perform in comparison.

The details can be determined from the command line.

For the CPU details use cat /proc/cpuinfo, for the RAM details use cat /proc/meminfo.

If you have more details on UTM-1 appliances, feel free to send them to blog@lachmann.org

UTM-1 130

  • Intel Celeron M 600 MHz
  • 1 GB RAM
  • 80 GB ATA HDD

UTM-1 270

  • Intel Celeron M 600 MHz
  • 1 GB DDR2 RAM 400 MHz
  • 160 GB ATA HDD

UTM-1 450

  • Intel Celeron M 1.5 GHz
  • 1 GB RAM
  • 80 GB ATA HDD

UTM-1 570

  • Intel Celeron M 1.5 GHz
  • 1 GB RAM
  • 160 GB ATA HDD

UTM-1 1070

  • Intel Celeron M 1.5 GHz
  • 1 GB RAM
  • 160 GB ATA HDD

UTM-1 2050

  • Intel Pentium 4 3.4 GHz
  • 2 GB RAM
  • 80 GB ATA HDD

UTM-1 2070

  • Intel Celeron 440 2.00GHz
  • 2 GB RAM
  • 160 GB ATA HDD

UTM-1 3070

  • Intel Core2 Duo E6400 2.13GHz
  • 3 GB RAM
  • 160 GB ATA HDD

Power-1 5070

  • Intel Xeon E5410 2.33GHz (QC)
  • 2 GB RAM
  • 80 GB ATA HDD

Smart-1 25

  • Intel Core2 Duo CPU T7400 2.16GHz
  • 3 GB RAM
  • 4x 500 GB SATA HDD in RAID 10

Thanks to all the contributors for their info!

Tobias Lachmann

Delete old log files on SPLAT machines

Monday, May 10th, 2010

There is no way to configure your SPLAT box or UTM-1 appliance so that only the logs of the last X days are kept.

The only work-around would be to configure on the firewall object -> Logs and Masters -> Required Free Disc Space together with the option Do not delete log files from the last X days.

By configuring a very high value for required free disc space you could have the script run every day and with the other option prevent it from deleting the needed logs.

OR – you could implement a short script:

[Expert@fw1]# cat /usr/bin/del_logs.sh
#!/bin/bash
# delete log files (and their pointer files) whose status change time is older than 217 days
/usr/bin/find /var/log/opt/CPsuite-R65/fw1/*.log* -ctime +217 -print -exec rm -f {} \;

The value after -ctime is the number of days to keep the logs (here 217); files whose status change time is older than that are printed and deleted.

Run the script with cron:

[Expert@fw1]# crontab -l
# DO NOT EDIT THIS FILE - edit the master and reinstall.
# (/tmp/crontab.19431 installed on Mon May 10 10:21:33 2010)
# (Cron version -- $Id: crontab.c,v 2.13 1994/01/17 03:20:37 vixie Exp $)
42 11 * * * /usr/bin/del_logs.sh
50 2 * * 1,2,3,4,5,6,7 backup_util sched

Now you’re able to delete the old logs as you like. If you backup your firewall or SmartCenter to your local disc, maybe you want to do this with your backups, too?
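The same clean-up as an added example (not the script from the post): retention, directory and file pattern are parameters, a dry-run mode lets you review the list first, and find does the name matching itself instead of the shell expanding the glob. The R65 log path is the one from the post; the backup path and file suffix are assumptions about SPLAT defaults.

```shell
#!/bin/bash
# Added example, not the script from the post: retention, directory and pattern as
# parameters, a dry-run mode, and find doing the matching rather than a shell glob
# (a glob expanding to thousands of log files can exceed the argument length limit).

# prune_old DIR DAYS PATTERN [--dry-run]
# Lists (and, unless --dry-run is given, deletes) regular files directly under DIR
# whose name matches PATTERN and whose last modification is more than DAYS days ago.
# -mtime is used instead of the post's -ctime: a chown/chmod or a restore from
# backup resets ctime, which would let old logs survive another full retention period.
prune_old() {
    dir=$1; days=$2; pattern=$3; mode=${4:-}
    # Refuse anything but a whole number of days rather than risk an unintended sweep.
    case $days in
        ''|*[!0-9]*) echo "retention must be a whole number of days, got '$days'" >&2; return 2 ;;
    esac
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 2; }
    if [ "$mode" = "--dry-run" ]; then
        find "$dir" -maxdepth 1 -type f -name "$pattern" -mtime +"$days" -print
    else
        find "$dir" -maxdepth 1 -type f -name "$pattern" -mtime +"$days" -print -exec rm -f {} +
    fi
}

# Number of files prune_old would remove, without touching anything.
count_prunable() {
    prune_old "$1" "$2" "$3" --dry-run | wc -l | tr -d ' '
}

# Daily run from cron, as in the post: keep 217 days of logs and, per the closing
# remark, 90 days of local SPLAT backups (assumed default backup path and suffix).
if [ "${1:-}" = "--run" ]; then
    prune_old /var/log/opt/CPsuite-R65/fw1 217 '*.log*'
    prune_old /var/CPbackup/backups 90 '*.tgz'
fi
```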

Tobias Lachmann

How to build a UTM-1 cluster with SmartCenter HA (aka Full Cluster)

Sunday, May 9th, 2010

Maybe you’ve seen my presentation at CPUGCON 2009 about migration to a UTM-1 cluster from a distributed environment.

Now I was asked to provide a how-to about building this kind of UTM-1 Full Cluster from scratch.

Actually this is very easy. Building UTM-1 clusters was supported from the start, but the SmartCenter could only reside on one appliance. With the introduction of NGX R65 with Messaging Security, we also got SmartCenter High-Availability for free.

In our setup we assume that we have two appliances, one primary and one secondary. Setup both with the normal First Time Configuration Wizard.

Make sure to install the primary one as locally managed and as primary cluster member.

The secondary appliance is also installed as locally managed but as secondary cluster member.

On the secondary appliance you also have to fill in a SIC secret to establish the communication later.

After completing the First Time Configuration Wizards on both appliances, connect with the SmartDashboard to the primary UTM-1 appliance.

Now the wizard for configuring the cluster pops up. When defining the secondary cluster member, fill in the SIC secret entered in the WebUI wizard.

Fill in all the details that reflect your cluster. Make sure to have at least one dedicated sync network.

Topology could look like this afterwards:

Now you can define rules, push the policy and make the cluster work. After that check the Management HA in the SmartDashboard:

This picture shows that both cluster members have a SmartCenter installed and are working in Management High-Availability mode.

That’s it for building a UTM-1 cluster with Management High Availability – also known as UTM-1 Full Cluster.

Tobias Lachmann

R71 performance on UTM-1 appliances

Tuesday, May 4th, 2010

As mentioned before, the UTM-1 appliances had performance trouble when doing content scanning and I would not recommend doing this on these machines. Now R71 claims to give a big boost by new methods of scanning. I tested the performance improvement of the new R71 release with the following setup:

UTM-1 270 with GigabitEthernet uplink to the Internet and GigabitEthernet link to the internal network. 4 servers with GigabitEthernet as clients running HTTrack website copier in the internal network. I used HTTrack to download several websites at the same time, creating a mixture of HTML, graphics, archives and executable content.

The UTM-1 270 was installed out-of-the-box using the wizard. I activated VPN, SmartView Monitor and Antivirus in addition to the modules activated by default.

The rulebase had two rules, one allowing access to the systems from a management client outside the network and one allowing access to the Internet for the servers. No NAT was used, no additional settings.

With NGX R65 with Messaging Security (HFA25) I had an average throughput of 1,026,474 Bytes / sec while running with 100% CPU load for a couple of minutes.

With NGX R65 with Messaging Security (HFA70) I had an average throughput of 1,094,563 Bytes / sec while running with 100% CPU load for a couple of minutes.

With R70 I had an average throughput of 1,647,257 Bytes / sec while running with 100% CPU load for a couple of minutes.

With R71 I had an average throughput of 1,999,611 Bytes / sec while running with 100% CPU load for a couple of minutes.

My test may not be as accurate as the ones Check Point is doing, but I think the traffic blend reflects the behaviour of normal users really well.

And, having 2x the performance with Antivirus scanning on the same hardware is pretty impressive! The improvement really shows, how nice! I also noticed that R71 comes with a new AV engine which has the name KSS, maybe Kaspersky?

This is enough performance to use modern DSL lines or direct links completely, not only partially. So I would recommend this release to everyone who still uses content scanning on a UTM-1 appliance and has performance problems.

Tobias Lachmann

New UTM-1 Edge N-Series appliances

Tuesday, May 4th, 2010

Check Point is launching a new series of UTM-1 Edge appliances, the N-Series. Looks like the rumours from years ago came true and they finally built the “Edge Arrow”.

Here’s the baseline from what we know by now:

- 5x more firewall throughput than X-series appliances
- 5x more VPN throughput than X-Series appliances
- 7x more concurrent connections than X-series appliances
- GigabitEthernet-Ports instead of FastEthernet
- 3G connectivity built-in
- two flavours: 32 users and unlimited users; 8 users and 16 users only with X-series
- 4x more VPN tunnels (SA)
- unlimited Remote Access profiles
- 802.11b/b/n support (UTM-1 Edge NW)
- 802.11z wireless security support
- no built-in ADSL modem available
- new 8.1 firmware for all models (not available by now on support pages)

The complete specification can be found here.

A UTM-1 Edge N32 is $200 more expensive than an old X32 and costs $1400 instead of $1200; the same applies to the NU which is now $2200 instead of $2000 for the XU.

If you take into consideration how much more power you get, the $200 more are totally fine with me.

Will be interesting to see how the firmware developed from 8.0.42 to 8.1. Hopefully it’s available soon.

Tobias Lachmann

Well done, Royi!

Monday, May 3rd, 2010

Just had an amazing “support experience” with Check Point:
My customer suffered from sudden loss of VPN connectivity as the SmartCenter CA died because of a database corruption.
Check Point needed only 30 minutes from answering my call to providing a hotfix that solved the problem!
Well done, guys! Very well done!

Tobias Lachmann

URL Filtering update error

Monday, May 3rd, 2010

When you receive continuous update errors within the URL Filtering module, maybe it’s a good idea to delete the whole database and rebuild it via the update database function in SmartDashboard. Was helpful for me several times…

  • First change to the directory $FWDIR/uf/sc/update/incoming.
  • Delete all the files beginning with “sfcontrol”. The file “sfcontrol” itself is the database, all the others are differentials and status infos.
  • Run cpstop and cpstart for a restart of the services that control URL Filtering.
  • Go to your SmartDashboard, change to the “Content Inspection” tab and click on “Update Databases Now”.

It will take a while to download the whole database, but you can watch the process by checking the files and sizes in the directory.

While debugging URL Filtering in general, you may stumble over sk35196 which describes several procedures with the avsu_client command and optional parameters. Please note that Check Point changed the URL Filtering provider, I think with HFA50, from SurfControl to SecureComputing. This engine change comes together with a change in the parameters when you call avsu_client. The application name “URL Filtering” does not provide valid output when you use the SecureComputing engine; you have to use “URL Filtering2” to get actual results from the installation.

avsu_client -app "URL Filtering" fetch
failed to fetch signature update
err_str=Failed. Message from module: "Server has no available updates".
info=
Local version is date

avsu_client -app "URL Filtering2" fetch
signature file up to date
err_str=Succeeded. Existing signature is up-to-date.
info=
Local version is date

Sadly just calling avsu_client gives no explanation about the changed parameters, it only lists “URL Filtering”.

Tobias Lachmann

R71 released

Friday, April 30th, 2010

The version R71 was released. See this article for details. The release notes can be found here.

I will test the upgrade from R70.30 to R71 today and get back to you with more feedback.

Tobias Lachmann

Don’t shoot the messenger

Thursday, April 22nd, 2010

Some days ago I was informed by a friend of mine that he nearly lost his status as a Check Point partner.

What has happened?

Well, he was openly speaking in the Check Point User Group (CPUG) forum about the new software blade licensing and what he liked and disliked about it. Instead of appreciating open feedback, Check Point got angry about this.

We had hard times selling the advantages of software blades to the customers and nearly no one bought the upgrade.
That’s why Check Point changed the cost for upgrades in the end, because of all the negative feedback.

So, what’s my point about this?

Like Shakespeare said: “Don’t shoot the messenger!”

Partners and also certified professionals are brand ambassadors for Check Point in front of the customers.

So maybe it’s a good idea to get their feedback before major changes are announced and involve them as soon as possible in the process of development.

As for me, I had some really good conversations with guys from product management and development. They asked me about my customers, how they use the products and what I can and cannot sell to the customers. About the necessity of certain features and so on. And I appreciate this and I think this is the absolutely right way.

But unfortunately, as events have shown, this is not the way Check Point is following with everybody…. sad.

Tobias Lachmann

PS: To make the picture complete: since the upgrade to software blades is free and we have great new features with the R70.x versions, we can easily argue the upgrade to the customer.

Critical error messages and logs

Thursday, April 22nd, 2010

Today I want to bring your attention to SecureKnowledge article sk33219, which deals with “Critical error messages and logs”.

There we have a nice list of possible error messages together with a short explanation why this error occurred.

I’m missing hints on how to resolve the issue or links to a related sk. But all in all a very useful article you should bookmark for further reference.

Tobias Lachmann

Abra is USB-1 is Abra

Sunday, April 18th, 2010

I wrote before about the new settings in the R70 release labeled USB-1. It turns out that I was right and this is referring to a Mobile VPN/Workplace solution. This was officially announced at CPX last week.

By now I got some inside info about the name, very funny. Abra was the original code name for this project. The final product should stick with the naming convention and be a “something-1”. So it came to USB-1. This was decided by a high level authority within Check Point, so the name was brought into the GUIs. But after a while they discovered that Abra was the better name to place the product in the market and so it was allowed to stay. But at this time, it was too late to change the GUIs as they were delivered with the HFA of R70.

Will be interesting to see how the market reacts to Abra, but I would predict good feedback for this product. Better and easier than setting up notebooks and VPN clients for users or external contractors: just give them a stick and there they go.

Only the import/export feature could be better. In my opinion the stick should act transparently on a PC with Endpoint Security Media Encryption installed, as normal USB sticks do. So in the company you transfer data to Abra and work on it later at home. And if you lose the stick, everything is still encrypted.

I’m curious how the product will evolve but I’m expecting more good things to come.

Tobias Lachmann

DLP = Data Loss Prevention

Wednesday, April 14th, 2010

Check Point announced DLP as a product at CPX2010. DLP stands for Data Loss Prevention and is a solution to make sure that specific data is not leaving the company – whether it’s intended or unintended.

Basically it’s an extension of the gateway’s capability to intercept and scan email, HTTP and FTP traffic and react to the content found. Works kind of like the antivirus scanning that we have known for some time now. So it’s transparent to the users and the mail/web servers that are part of the communication.

The administrator defines a policy for his content and the direction in which it is sent. For example you can block mails to recipients outside your organisation if an attachment to that mail derives from a template which is used for confidential content. Or the attachment or the mail itself contains some keywords that are suspicious if they are used too many times. Because of the predefined data types (Check Point speaks of 250 by now) I found it very easy to get going with this in a short period of time.

The action for the rules can be just logging, prevention of sending the content or asking the user what to do. As always, Check Point has a client for Windows operating systems only by now. This client notifies the user with a popup that something has been blocked. The user can decide to send it anyway, discard or review the incident. Also it can be configured that the user has to type a justification for sending if the mail is caught by the policy at first.

If you’re not using a resident client on your machine, an email notification is the second way to notify the user. The email informs you and offers links where you can click. The links point to an application on the gateway, reachable over a webserver. Depending on your decision, the content is released or held back. As an alternative you can reply to this notification email and add keywords to the subject. The gateway will see this keyword when the mail goes through it and follow your decision.

All in all I find this solution easy to configure and implement. But to be sure we have to wait until GA of DLP. It will be interesting how good the custom configuration of data types and rules will be. DLP has the possibility to create your own types by using regular expressions. But as you might know, working with REs can be a pain in the ass.

So, in what flavors is this DLP solution offered? Well, we have two appliances, DLP-1 2571 and DLP-1 9571. The smaller one states that it can process 70.000 messages per hour and has a throughput of 700 MBit/s. The bigger one 350.000 messages and 2.5 GBit/s. As these are marketing numbers, we should cut them in half – at least. To be sure, we should assume only 1/4 of the capacity stated, judging by the experience with UTM-1 appliances and Messaging Security in the past. The smaller appliance has a price of $14990 for the first year and $7000 for the following years, the bigger $49990 for the first and $12000 for the following years.

Or you have your DLP solution on your normal perimeter gateway, which I find more useful. We have three blades, CPSB-DLP-500, CPSB-DLP1500 and CPSB-DLP-U. The last part stands for the number of recommended users, but I’m not sure if there’s some kind of enforcement like with ip addresses at the gateway blades. We’ll have to wait for licensing info on that topic. The 500 user blade is $3000, the 1500-blade is $7000 and unlimited users come for $12000. The DLP is a service blade, so the numbers are per year.

If someone wants to use this, and I bet many companies will, I think that the best solution is to buy a software blade container together with the DLP blade and run it on an OpenServer under SPLAT. SPLAT is the only supported platform by the way. The server is about $4000 for a HP DL360, IBM 3350 M2 or similar, $12500 for a 4 core container and $3000-$12000 for the desired blade. For the first year this is starting at $19500 and $5250 for the following years. The advantage that I see in contrast to the appliances is more performance through cores, memory and hard disks. Especially hard disk performance was the bottleneck that we saw on most appliances running other content inspection software like Messaging Security etc.

So, what’s the bottom line:
First of all, I’m excited and think this is a good product. Unlike other new releases like SmartProvisioning, SmartWorkflow etc. I think this solution is ready to be used from the start. And second I’m curious how customers will use this solution. I think we can expect some demanding requirements for rules we haven’t even thought of by now ;-)

Start checking out DLP here or in the pricelist.

As soon as I get this to work in a live environment, I will post my findings!

Tobias Lachmann

R70.30 is there

Monday, April 12th, 2010

Folks,

the new R70.30 is available. See the release notes here.
All in all some minor fixes. The biggest point is the possibility to use sub-CAs for SSL VPN, which was not possible in the past.

Other improvements include Windows 7 support for SmartWorkflow and some Non-English regional formats for map visualization.

Tobias Lachmann

I’m back!

Friday, April 2nd, 2010

Hello everybody!

I’m back from my parental leave, which lasted till the end of March. During that period, I spent all the time with my son but no time with this blog.

Now I’m back at work and I see interesting things everyday that give me inspirations for articles, so expect new content soon.

What also happened is that I gained the CCSE R70 certification for contributing to the new CCSE exam. Thanks Ken Finley, this is greatly appreciated! Now I’m done with re-certification until CCSE+ comes out.

Bye for now

Tobias Lachmann

Backup error in R70.20 SPLAT

Friday, January 15th, 2010

Yesterday we did an in-place upgrade of a SPLAT box from NGX R65 to R70.20. Since then, the scheduled backup was broken. When I tried to edit the settings through the WebUI, I got the message GENERAL ERROR.

Fix for this was to disable the scheduled backup on the command line with backup -e off.
Then I was able to edit all the settings through the WebUI again and backup is working now.

This seems to be an error in R70.20, because we had another customer with this error who upgraded from R70.1 to R70.20, and it was working with R70.1.

Tobias Lachmann

USB-1 is coming

Monday, January 11th, 2010

I just found a new section in the Global Properties of my R70.20 SmartConsole labeled “USB-1”.

Judging by the settings, this USB-1 is the SecureWorkspace/VPN-Client that comes on a secured USB stick and enables you to connect securely to your company without the need to install software on a client computer.

Will be interesting to see when this is officially released and what the feature set will look like.

Tobias Lachmann

New SK regarding error with SIC renewal in R70

Sunday, January 10th, 2010

Just found the new sk43744, which describes that the automatic certificate renewal will fail in R70, R70.1 and R70.20. This is a problem when you upgraded from an older installation in-place, where the CA is kept. Since certificates are fundamental for the way Check Point software works, please take this seriously. Otherwise policy installation, log receiving and SmartConsole connections to SmartCenter are affected.

Normally SIC certificates are automatically renewed 15 months before expiration. To determine if you have a problem that needs to be fixed, verify the expiration date of your SIC certificates and follow the procedure in sk43744.

Please note that the command line cpca_client lscert -stat Valid -kind SIC is not a valid alternative, as it produces output with wrong dates, so you have to use the ICA web.

Tobias Lachmann

Identity Logging with R70.20

Friday, January 8th, 2010

I just installed the R70.20 update on our SmartCenter Server. We can now use the Identity Logging feature, which is very cool. It is an update of the Logging & Status blade and is used to associate IP addresses of workstations with the users working on these machines. It works only with Active Directory servers running on Windows Server 2003 and 2008, but this is ok with me. SmartCenter has to run SPLAT/Linux or Windows Server 2003/2008.

After configuration, a table with the association of IP and user name is held on the SmartCenter and this information, if available, is displayed in the log entries on SmartView Tracker.

Configuration is done in the SmartCenter object -> Logs and Masters -> Identity Logging. Only a few things to fill in.

Configuration of Identity Logging in SmartCenter

It’s easy, but I would have expected to find an LDAP account unit here, like you configure AD servers within SmartDirectory.
Just for using Identity Logging this is easy to implement. When you already have a SmartDirectory configuration, you’re doing the job twice.

This feature is only available with R70.20 on a SmartCenter which works with Software Blade licenses. A little incentive for those who changed to the new licenses ;-)

Tobias Lachmann

Migration to Software Blades with CPVP-VCT-U license

Thursday, January 7th, 2010

Following the current promotion, you can trade-in your old license with no additional cost for a Software Blade license that has equivalent functionality. Now I discovered that with the CPVP-VCT-U license you’re not getting a proper equivalent, as SecureXL is missing in the new license.

This error was reported to Check Point and is acknowledged. They will fix it in the next days and publish new Upgrade calculator and Upgrade matrix.

No big deal really, as you always get CoreXL acceleration with R70. SecureXL might not be necessary for most users, looking at the aspect of performance.

Tobias Lachmann

Determine UTM-1 appliance series from CLI

Thursday, January 7th, 2010

If you want to know which appliance series you have, you can use a command line tool to determine this information.

Just run /usr/sbin/dmidecode | grep "Product Name"

Sample output:

[Expert@xxx-fw1]# /usr/sbin/dmidecode | grep "Product Name"
Product Name: U-30-00
Product Name:

[Expert@yyy-cp1]# /usr/sbin/dmidecode | grep "Product Name"
Product Name: C6P_UTM
Product Name: NSA-1086

Here is the translation of the values found in the Product Name field:

  • P-20-00 -> Power-1 9070 Appliance
  • P-10-00 -> Power-1 5070 Appliance
  • U-40-00 -> UTM-1 3070 Appliance
  • U-30-00 -> UTM-1 2070 Appliance
  • U-20-00 -> UTM-1 1070 Appliance
  • U-15-00 -> UTM-1 570 Appliance
  • U-10-00 -> UTM-1 270 Appliance
  • U-5-00 -> UTM-1 130 Appliance
  • C6P_UTM -> UTM-1 2050 Appliance
  • C6_UTM -> UTM-1 1050 Appliance
  • C2_UTM -> UTM-1 450 Appliance

Tobias Lachmann