My Check Point Blog

I heard some rumors recently that I’d like to share with you. True or not, nobody can tell. But sure interesting

First, we can expect R75 GA by the end of the year. No idea what will be included, but maybe we see more improvements from software blades. As Dorit Dor stated some time ago, the introduction of software blades with R70 was the first step in a three-step-approach of a complete architecture re-design within the Check Point products. So personally I think that every new GA release will bring us closer to the goal and will give us additional performance and/or more features.

Second, Check Point seems to plan the content inspection of HTTPS traffic, availability should be around end of Q1/2011. This is a very interesting feature and I’m really locking forward to it. We had lot’s of projects where the customer choose not to use Check Point content scanning but rather a solution like WebWasher, which could inspect also SSL encrypted traffic. I wonder how the handling will be done in detail and how easy the setup will be in comparison with WebWasher etc.

That’s all for now. Wait and see, if these rumors have a valid background.

If you know more details, please do not hesitate and write an email to blog@lachmann.org

Tobias Lachmann

R71 brings us an improvement in the handling of database revision.
Now it is possible to define how long old version should be kept.
Criteria can be number of versions, age of versions, storage consumption of versions of free diskspace.

I think this is a very nice improvement and worth noticing.

Tobias Lachmann

Check Point announced DLP as a product at the CPX2010. DLP stands for Data Loss Prevention and is a solution to make sure that specific data is not leaving the company – wether it’s intended or unintended.

Basically it’s an extension of the gateways capability to intercept and scan emails, http and ftp traffic and react to the content found. Works kinda like the antivirus scanning that we know for some time now. So it’s transparent to the users and the mail/web servers that are part of the communication.

The administrator defines a policy for his content and the direction where it is send. For example you can block mails to recipients outside your organisation if an attachment to that mail derives from a template which is used for confidential content. Or the attachment or the mail itself contains some keywords that are suspicios if they are used too many times. Because of the predefined data-types, Check Point speaks of 250 by now, I found it very easy to be going with this in a short period of time.

The action for the rules can be just logging, prevention of sending the content or asking the user what to do. As always, Check Point has a client for Windows operating systems only by now. This clients notifies the user with a popup that something has been blocked. The user can decide to send it anyway, discard or review the incident. Also it can be configured that the user has to type a justification for sending, if the mail is caught by the policy at first.

If you’re not using a resident client on your machine, an email notification is the second way to notify the user. The email informs you and is offering links where you can click. The links points to an application on the gateway, reachable over a webserver. Depending on your decision, the content is released or held back. As an alternative you can reply to this notification email and add keywords to the subject. The gateway will see this keyword when the mail goes through it and follow your decision.

All in all I find this solution easy to configure and implement. But to be sure we have to wait until GA of DLP. Interesting will be, how good the custom configuration of data types and rules will be. DLP has the possibility to create own types by using regular expressions. But as you might know, working with RE can be a pain in the ass.

So, in what flavors is this DLP solution offered? Well, we have two appliances, DLP-1 2571 and DLP-1 9571. The smaller one states that it can process 70.000 messages per hour and has a througput of 700 MBit/s. The bigger one 350.000 messages ans 2.5 GBit/s. As this are marketing numbers, we should cut them in half – at least. To be sure, we should assume only 1/4 the capacity stated, judging by the experience with UTM-1 appliances and Messaging Security in the past. The smaller appliances has a price of $14990 for the first year and $7000 for the following years, the bigger $49990 for the first and $12000 for the following years.

Or you have your DLP solution on your normal perimeter gateway, which I find more useful. We have three blades, CPSB-DLP-500, CPSB-DLP1500 and CPSB-DLP-U. The last part stands for the number of recommended users, but I’m not sure if there’s some kind of enforcement like with ip addresses at the gateway blades. We’ll have to wait for licensing info on that topic. The 500 user blade is $3000, the 1500-blade is $7000 and unlimited users come for $12000. The DLP is a service blade, so the numbers are per year.

If someone want’s to use this, and I bet many companies will, I think that the best solution is to buy a software blade container together with the DLP-blade and run it on an OpenServer under SPLAT. SPLAT is the only supported platform by the way. The server is about $4000 for a HP DL360, IBM 3350 M2 or similar, $12500 for a 4 core container and $3000-$12000 for the desired blade. For the first year this is starting at $19500 and $5250 for the following years. The advantage that I see in contrast to the appliances is more performance through cores, memory and hard discs. Especially hard dics performance was the bottleneck that we saw on most appliances running other content inspection software like Messaging Security etc.

So, what’s the bottom line:
First of all, I’m excited and think this is a good product. Unlike other new releases like SmartProvisioning, SmartWorkflow etc. I think this solution is ready to be used from the start. And second I’m curios how customers will use this solution. I think we can expect some demanding requirements for rules we havn’t even thought of by now

Start checking out DLP here or in the pricelist.

As soon as I get this to work in an live environment, I will post my findings!

Tobias Lachmann

I just found a new section in the Global Properties of my R70.20 SmartConsole labeled “USB-1″.

Judging by the settings, this USB-1 is the SecureWorkspace/VPN-Client that comes on a secured USB stick and enables you to connect securely to your company without the need to install software on a client computer.

Will be interessting to see when this is officially released and what the feature set will look like.

Tobias Lachmann

Just found the new sk43744, which describes that the automatic certificate renewal will fail in R70, R70.1 and R70.20. This is a problem when you upgraded from an older installation in-place, where the CA is kept. Since certificates are fundamental for the way Check Point software works, please take this seriously. Otherwise policy installation, log receiving and SmartConsole connections to SmartCenter are affected.

Normally SIC certificates are automatically renewd 15 month before expiration.To determine if you have a problem that needs to be fixed, verify the expiration date of your SIC certificates and follow the procedure in the sk43744.

Please note that the command line cpca_client lscert -stat Valid -kind SIC is not a valid alternative, as it produces an ouput with wrong dates, so you have to use the ICA web.

Tobias Lachmann

I just installed the R70.20 update on our SmartCenter Server. We can now use the Identity Logging feature, which is very cool. It is an update of Logging & Status blade and is used to associate IP addresses of workstations to users, working on this machine. It works only with Active Directory servers running on Windows Server 2003 and 2008, but this is ok with me. SmartCenter has to run SPLAT/Linux or Windows Server 2003/2008.

After configuration, a table with the association of IP and user name is held on the SmartCenter and this information, if available, is displayed in the log entries on SmartView Tracker.

Configuration is done an SmartCenter object -> Logs and Masters -> Identity Logging. Only a few things to fill in.

It’s easy, but I would have expected to find an LDAP accounting unit here, like you configure AD servers within SmartDirectory.
Just for using Identity Logging, this is easy to implement. When you have already a SmartDirectory configuration, you’re doing the job twice.

This feature is only available with R70.20 on a SmartCenter which works with Software Blade licenses. A little incentive for those who changed to the new licenses

Tobias Lachmann

Following the current promotion, you can trade-in your old license with no additional cost for a Software Blade license that has equivalent functionality. Now I discovered that with the CPVP-VCT-U license you’re not getting a proper equivalent, as SecureXL is missing in the new license.

This error was reported to Check Point and is acknowledged. They will fix it in the next days and publish new Upgrade calculator and Upgrade matrix.

No big deal really, as you always get CoreXL accelleration with R70. SecureXL might no be necessary for most users, taking the aspect of performance.

Tobias Lachmann

One of our customer bought a new UTM-1 2070 appliance. This device comes with 3 managed sites.

Now he wants to manage more sites and brought up the question, if he can use a SmartCenter unlimited license he already owns. Just purchasing normal support for SCT-U is cheaper than buying an SXA license and the needed support for this license.

I don’t know if Check Point license policy is allowing that use, but from a technical point of view we can verify if this works.
For that reason, we have to take a look inside the cp.macro file. This file has all the definitions of features and licenses.
On SecurePlatform, you find this file under /var/opt/CPshrd-R70/conf/cp.macro

If we look in the license for an UTM-1 2070, we find these two strings: CPMP-UAPP-1-NGX CPXP-SXA-2-NGX
The first is for the appliance itself, the second is the management extension for two additional sites.

Let’s break down the first one:
For CPMP-UAPP-1-NGX, we have the following relevant entry:
MACRO ::CPMP-UAPP-1-NGX CPMP-UAPP-module-base-NGX CPMP-UAPP-management-base-NGX CPVP-UAPP-1-NGX

That means that actually the string is a macro itself and consists of CPMP-UAPP-module-base-NGX, CPMP-UAPP-management-base-NGX and CPVP-UAPP-1-NGX.

Let’s focus on CPMP-UAPP-management-base-NGX:
cp.macro has this definition for it:
MACRO ::CPMP-UAPP-management-base-NGX CPMP-SCT-1-NGX CPFW-AM-U-NGX CPMP-HA-MGMT-NGX CPMP-SMPO-NGX CPMP-EVRX-U-NGX

So this is another macro for the SmartCenter (CPMP-SCT-1), SmartDirectory (CPFW-AM-U), Management-HA (CPMP-HA-MGMT), SmartPortal (CPMP-SMPO) and Eventia Reporter (CPMP-EVRX-U).

We go for the SmartCenter part:
MACRO ::CPMP-SCT-1-NGX CPMP-EMC-1-NGX

Again a macro, so we need to investigate CPMP-EMC-1-NGX:
MACRO ::CPMP-EMC-1-NGX fw1:6.0:lcontrol fw1:6.0:vpnmgmt fw1:6.0:vpnstrong fw1:6.0:remote1 fw1:6.0:cluster-u

Now we’re close to the final answers

The macro fw1:6.0:lcontrol has this definitions:
MACRO fw1:6.0:lcontrol mgmtcore fwmgmt cpui qosmgmt cmpmgmt dbvr_unlimit cluster-u
This breaks down to:

MACRO fw1:6.0:mgmtcore cmd
+--#DESCRIPT#fw1:6.0:cmd#Saving a file from the log viewer

cluster-u
+--#DESCRIPT#fw1:6.0:cluster-u#Unlimited number of clusters for HA

Finally, we have found out the management related features hidden in the license:

Policy User Interface
FireWall-1 Log Viewer
Saving a file from the log viewer
System Status User Interface
RTM User Interface
INSPECT code generation
INSPECT compiler
Policy Versioning
Compression management
Unlimited number of clusters for HA

But it is not said, how many sites can be managed.
This information is in the last “big” macro CPMP-EMC-1-NGX, coded in
fw1:6.0:remote1
#DESCRIPT#fw1:6.0:remote#Allows remote management

So you can manage one site with this license, e.g. the UTM-1 appliance can manage itself.
But the UTM-1 2070 comes with a 3 managed sites license.

This is defined in the CPXP-SXA-2-NGX addition to the UTM-1 license:
MACRO ::CPXP-SXA-2-NGX fw1:6.0:remote2 fw1:6.0:cpxmgmt
#DESCRIPT#CPXP-SXA-2-NGX#SmartCenter Extension for 2 additional sites; version: NGX; 3DES

We have remote1 and remote2, which comes to the count of 3 managed sites.

So, back to the initial question: can we use a SCT-U license for extending the managed sites of an UTM-1?

MACRO ::CPMP-SCT-U-NGX CPMP-EMC-U-NGX
#DESCRIPT#CPMP-SCT-U-NGX#SmartCenter for an unlimited number of gateways;version: NGX; 3DES

Again, look into the next macro CPMP-EMC-U-NGX

MACRO ::CPMP-EMC-U-NGX fw1:6.0:controlx fw1:6.0:vpnstrong
#DESCRIPT#CPMP-EMC-U-NGX#Enterprise Management Console for an unlimited number of gateways; version: NGX; 3DES

From there we go into fw1:6.0:controlx:

MACRO fw1:6.0:controlx control vpnmgmt

And further onto control:

MACRO fw1:6.0:control remote lcontrol

We know the “lcontrol” macro from our investigation before, also the “remote” keyword.

#DESCRIPT#fw1:6.0:remote#Allows remote management
As “remote” comes without any number, this means unlimited management.

To answer the question we began with: YES, you can use an unlimited SmartCenter license as an extension of the management capabilities of an UTM-1 appliance.
From a technial point of view.

I will open a call with Check Point to make sure that this is actually permitted within the license regulations.

As you can see, licensing within Check Point products is complicated through the use of so many macros, but in the end it comes to a limited number of features that are encoded in the licenses.

If you will, you can chase down also the new Software Blade licenses with this scheme to see, what is actually enforced.

Tobias Lachmann

UPDATE: Check Point just confirmed that the use of a SmartCenter license on a UTM-1 appliance is not permitted to extend the amount of managed sites. You have to stick with the SXA extensions or build up a separate SmartCenter.