Archive for the ‘R71’ Category

UTM-1 1050 and 2050 network problems

Wednesday, July 21st, 2010

So, what is the problem about? Well, NIC connections stay up for about 1 or 2 minutes, then they’re down for about 5 minutes.

We upgraded a UTM-1 2050 series appliance to R71 and got massive connectivity problems. Two days later sk42174 came out, which helped us fix the problem. It seems that the Linux kernel, starting with R70, assigns new drivers to the NICs, which are incorrect.
The solution for that problem is to change the settings back to the old driver.

For details please refer to the SK and have it in mind when you’re updating older appliances.

R71.10 available

Thursday, July 15th, 2010

The new R71.10 update is available. Find all the resources on this page within UserCenter.

We now have Abra support on all gateway platforms, support for Outlook Web Access (OWA) 2010 over SSL VPN, and R71.10 includes the hotfix for the SSL VPN blade that was mandatory when using this blade with R70.

Please note that the R71.10 upgrade package cannot be installed on gateways with DLP.

Check Point also released complete packages for a fresh installation with R71.10 but they sadly don’t include UTM-1 images.

Tobias Lachmann

Proactive detection mode vs. Stream detection mode

Sunday, July 11th, 2010

As I wrote a while ago, we had great performance improvements with Antivirus scanning and the R71 release. On the same UTM-1 hardware the throughput doubled. While this was true for my lab testing, real-world testing didn’t show the same results. Upgraded systems had no better AV performance and showed only slightly better overall performance.

The reason for that is that an upgraded system keeps the old way of detecting viruses, the Proactive detection mode. In this mode, the traffic is trapped by the kernel and forwarded to the security server. The security server then forwards the traffic to the Antivirus engine, and the traffic is allowed or blocked depending on the response of the Antivirus engine. The whole file has to be stored first before it can be scanned.

The new Stream detection mode doesn’t need to store the file for scanning. Stream detection is able to scan uncompressed and compressed traffic while it is passing through the gateway’s kernel, doing decompression on the fly.

Stream detection mode works only signature-based, whereas Proactive detection mode works with Antivirus signatures and, in addition, with a sandbox where heuristic behaviour scans are done to detect malware even if there is no signature available at the moment.
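To make the difference concrete, here is an added toy model of the two modes in Python (not code from the post or from Check Point). It assumes traffic arrives in chunks, uses the harmless EICAR test string as its single constructed signature, and shows why store-then-scan needs the whole file in memory while a streaming scanner only needs a small overlap buffer, plus inflating gzip on the fly:

```python
import zlib

# Constructed sample signature: the EICAR test string, a harmless standard AV test pattern.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
SIGNATURES = {b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE": "EICAR-Test-File"}
GZIP_MAGIC = b"\x1f\x8b"

def gzip_bytes(data):
    """Helper for the demo: gzip-compress a constructed payload."""
    co = zlib.compressobj(wbits=zlib.MAX_WBITS | 16)
    return co.compress(data) + co.flush()

def split(data, size):
    """Helper for the demo: cut a payload into the chunks a gateway would see."""
    return [data[i:i + size] for i in range(0, len(data), size)]

def proactive_scan(chunks):
    """Store-then-scan, as in Proactive mode: the whole file is buffered before
    the engine sees it, so peak memory equals the (decompressed) file size."""
    data = b"".join(chunks)
    if data[:2] == GZIP_MAGIC:
        data = zlib.decompress(data, wbits=zlib.MAX_WBITS | 16)
    found = [name for sig, name in SIGNATURES.items() if sig in data]
    return {"detections": found, "peak_buffer": len(data)}

def stream_scan(chunks, keep_overlap=True):
    """Scan as chunks arrive, as in Stream mode: gzip is inflated on the fly and
    only an overlap of (longest signature - 1) bytes is retained, so a signature
    split across two chunks is still matched. keep_overlap=False shows the naive
    per-chunk scanner that misses such splits. Assumes chunks of at least two
    bytes so the gzip magic lands in the first chunk."""
    overlap = max(len(s) for s in SIGNATURES) - 1 if keep_overlap else 0
    inflater = None
    tail, found, peak = b"", [], 0
    for i, chunk in enumerate(chunks):
        if i == 0 and chunk[:2] == GZIP_MAGIC:
            inflater = zlib.decompressobj(zlib.MAX_WBITS | 16)
        if inflater is not None:
            chunk = inflater.decompress(chunk)
        window = tail + chunk
        peak = max(peak, len(window))
        for sig, name in SIGNATURES.items():
            if sig in window and name not in found:
                found.append(name)
        tail = window[-overlap:] if overlap else b""
    return {"detections": found, "peak_buffer": peak}
```

Note that the streaming scanner is purely signature-based, which is exactly the trade-off the post describes: it cannot run the heuristic sandbox that needs the complete file.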

Stream detection is the default on fresh installations, which is why you see the great performance improvement on R71.

The mode can be changed within SmartDashboard -> Antivirus & URL Filtering tab -> Antivirus -> Security Gateway, then choose the desired protocol.

Configuration of Antivirus detection mode

HTTP and SMTP can work with Stream detection mode and Proactive detection mode; POP3 and FTP only work with Proactive detection mode.

While I appreciate the performance improvement which can be gained using Stream detection mode, I think we lower security a little bit by abstaining from using Proactive detection mode.

This decision should be made with careful consideration of the specific setup and customer need. If you use solely Stream detection mode, make sure to have a good Antivirus solution from another vendor running on the end user’s desktop to double-check for malware.

What do you think about the two Antivirus modes? Mail your thoughts to blog@lachmann.org

Tobias Lachmann