This blog is becoming an archive – Farewell!

Dear readers,

This blog was started in 2009 while I was working as a Senior Consultant in the field of network security.

As some of you may have noticed, there were very intense phases where I put a lot of articles on this blog.

Lately there have been no new articles on this blog.

The reason for that is my current job as IT Architect which I started in 2014.

When I changed from being a consultant to being an Architect and Project Manager, my focus on technology got much broader while I was losing depth on certain topics at the same time.

I was able to keep up with Check Point topics for a while – but without being an active technical part of projects and troubleshooting I lack the input of new material for this blog.

And in January this year my last technical certification expired. I had been a certified CCSA since 2001 and a certified CCSE/CCSE+ since 2004.

So finally I decided to keep this website up and running as an archive, because some of you may still find some of the older material useful.

But when it comes to new material, especially with R80 on the way, I'd like to refer you to my fellow Check Point bloggers listed on this site.

Thank you all for letting me be a part of the great worldwide Check Point user community over the last 7 years.

And thank you to Check Point for their products which I enjoyed working with for over a decade and for all the great people I had the chance to meet!

Thank you all for listening!

Goodbye and Farewell!

Tobias Lachmann

Sending mails from cronjobs

Here is a little guest post from Frank Taylor. Frank is sharing his findings on sending mails from cron jobs.

On the management server (R77.20) I tried to send a mail ($FWDIR/bin/sendmail) from scheduled jobs (cronjob), but it did not work.

This works fine from cli/bash but never worked from a cronjob.

bash$ echo "this is a message" | $FWDIR/bin/sendmail -t smtp.corporate.local -s subject -f from_address admin@my.corporate.local

After a little debugging I found a solution:
If you want to send a mail via cronjob you need to add the LD_LIBRARY_PATH environment variable.

Here is the simple cronjob script:

=================================================================
#!/bin/bash
# 'sendmail' needs libProdUtils.so from /opt/CPshrd-R77/lib ($CPDIR/lib);
# cron's minimal environment does not put that directory on the library search path
export LD_LIBRARY_PATH=$CPDIR/lib
echo "mail from cronjob" | $FWDIR/bin/sendmail -t smtp.corporate.local -s subject -f from_address admin@my.corporate.local
=================================================================

Thank you for sharing, Frank!
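A cron-safe wrapper around the same sendmail call, added here as an example and not part of Frank's post. It assumes that /etc/profile.d/CP.sh exports CPDIR and FWDIR on GAiA (cron jobs start with an almost empty environment, so the script loads that file when CPDIR is missing), adds $CPDIR/lib to LD_LIBRARY_PATH only once, and runs ldd against the sendmail binary before sending so that a library which does not resolve shows up in the cron log instead of as a silently missing mail. The SMTP host and addresses are the placeholders from the post.

```bash
#!/bin/bash
# Cron wrapper for $FWDIR/bin/sendmail on a Check Point management server.
# Example code (not from the original post). Assumption: /etc/profile.d/CP.sh
# exports CPDIR and FWDIR on GAiA; cron starts with almost no environment.
set -u

# Load the Check Point environment if cron did not hand it to us.
load_cp_env() {
  if [ -z "${CPDIR:-}" ] && [ -r /etc/profile.d/CP.sh ]; then
    . /etc/profile.d/CP.sh
  fi
  [ -n "${CPDIR:-}" ] && [ -n "${FWDIR:-}" ]
}

# Print LD_LIBRARY_PATH ($2) with directory $1 in front, added at most once.
prepend_lib_path() {
  local dir=$1 current=${2:-}
  case ":$current:" in
    "::")        printf '%s\n' "$dir" ;;
    *":$dir:"*)  printf '%s\n' "$current" ;;
    *)           printf '%s\n' "$dir:$current" ;;
  esac
}

# Return 0 when every shared library the binary needs resolves with the
# current LD_LIBRARY_PATH. "not found" lines from ldd are exactly the cron
# failure Frank ran into. Without ldd we cannot check and do not block.
libs_resolve() {
  command -v ldd >/dev/null 2>&1 || return 0
  ! ldd "$1" 2>/dev/null | grep -q 'not found'
}

# send_cp_mail <smtp host> <subject> <from> <to>   (message body on stdin)
send_cp_mail() {
  local smtp=$1 subject=$2 from=$3 to=$4
  load_cp_env || { echo "CPDIR/FWDIR not set; cannot locate sendmail" >&2; return 1; }
  LD_LIBRARY_PATH=$(prepend_lib_path "$CPDIR/lib" "${LD_LIBRARY_PATH:-}")
  export LD_LIBRARY_PATH
  if ! libs_resolve "$FWDIR/bin/sendmail"; then
    echo "$FWDIR/bin/sendmail has unresolved libraries (LD_LIBRARY_PATH=$LD_LIBRARY_PATH):" >&2
    ldd "$FWDIR/bin/sendmail" 2>&1 | grep 'not found' >&2
    return 1
  fi
  "$FWDIR/bin/sendmail" -t "$smtp" -s "$subject" -f "$from" "$to"
}

# Entry point for cron, e.g.
#   0 7 * * * /home/admin/cp_cron_mail.sh smtp.corporate.local "daily report" from_address admin@my.corporate.local
if [ $# -eq 4 ]; then
  echo "mail from cronjob on $(hostname) at $(date)" | send_cp_mail "$@"
fi
```

Redirect the cron entry's stderr to a file (or let cron mail it to root) so the ldd output is actually seen; a cron job that fails before the SMTP step leaves no trace on the mail server.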

Appliance Hardware – Updated July 30th 2015

Here is a short list of the hardware used in Check Point appliances. The tables give the SecurityPower Units (SPU) rating and the maximum firewall, VPN and IPS throughput in Gbps as published by Check Point, together with the CPU and RAM (in GB).

Check Point 2012 Appliance series

Model | SPU | FW (Gbps) | VPN (Gbps) | IPS (Gbps) | CPU | RAM (GB)
21800 | 4100 | 78.6 | 23.5 | 9.9 | 2x Intel Xeon E5-2690v2 3.00GHz (Ten-Core) | 16
21700 | 3300 | 78.6 | 11 | 8 | 2x Intel Xeon E5-2670 2.60GHz (Eight-Core) | 16
21600 | 2788 | 75 | 8.5 | 6.8 | 2x Intel Xeon E5-2658 2.10GHz (Eight-Core) | 16
21400 | 2003 | 50 | 7 | 6 | 2x Intel Xeon E5645 2.40GHz (Six-Core) | 12
13800 | 3800 | 77 | 18.3 | 9.6 | 2x Intel Xeon E5-2680v2 2.80GHz (Ten-Core) | 16
13500 | 3200 | 77 | 17 | 7.8 | 2x Intel Xeon E5-2670 2.60GHz (Eight-Core) | 16
12600 | 2050 | 30 | 7 | 6 | 2x Intel Xeon E5645 2.40GHz (Six-Core) | 6
12400 | 1185 | 30 | 7 | 3.5 | Intel Xeon E5645 2.40GHz (Six-Core) | 4
12200 | 811 | 15 | 2.5 | 2.5 | Intel Core i5 750 2.67GHz (QuadCore) | 4
4800 | 673 | 11 | 2 | 1.5 | Intel Core2 Quad CPU Q9400 2.66GHz | 4
4600 | 405 | 9 | 1.5 | 1 | Pentium Dual-Core E6500 2.93GHz | 4
4400 | 230 | 5 | 1.2 | 0.7 | Intel Celeron Dual-Core E3400 2.6 GHz | 4
4200 | 121 | 3 | 0.4 | 0.3 | Intel Atom D525 1.80GHz Dual-Core | 4
2200B | 114 | 3 | 0.4 | 0.3 | Intel Atom D525 1.80GHz Dual-Core | 4
2200 | 114 | 3 | 0.4 | 0.3 | Intel Atom D525 1.80GHz Dual-Core | 2
1200R | 49 | 2 | 0.45 | 0.06 | Cavium OCTEON III CN7010 1.20 GHz | 1
1100 | 28 | 0.75 | 0.14 | 0.05 | ARM926EJ-S | 0.5

Check Point UTM-1 / Power-1 Appliance series

Model | SPU | FW (Gbps) | VPN (Gbps) | IPS (Gbps) | CPU | RAM (GB)
11065 | up to 1222 | 15 | 3.7 | 10 | 2x Intel Xeon E5530 2.40GHz (QuadCore) | 6
9075 | 1006 | 9 | 2.4 | 7.5 | 2x Intel Xeon E5410 2.33GHz (QuadCore) | 4
5075 | 596 | 9 | 2.4 | 7.5 | Intel Xeon E5410 2.33GHz (QuadCore) | 2
3070 | 298 | 4.5 | 1.1 | 4 | Intel Core2 Duo E6400 2.13GHz | 3
2070 | 101 | 3.5 | 0.45 | 2.7 | Intel Celeron 440 2.00GHz | 2
1070 | 101 | 1.8 | 0.25 | 0.9 | Intel Celeron M 1.5 GHz | 1
570 | 101 | 2.5 | 0.3 | 1.7 | Intel Celeron M 1.5 GHz | 1
270 | 50 | 1.5 | 0.12 | 1 | Intel Celeron M 600 MHz | 1
130 | 50 | 1.5 | 0.12 | 1 | Intel Celeron M 600 MHz | 1

Check Point Smart-1 Appliance series

Model | CPU | RAM (GB) | Storage
Smart-1 3150 | 2x Intel Xeon E5-2630v2 2.60GHz (Six Core) | 64 | 6 TB
Smart-1 3050 | 2x Intel Xeon E5-2609v2 2.50GHz (QuadCore) | 32 | 4 TB
Smart-1 225 | Intel Core i5-3550S 3.10GHz (Quad Core) | 16 | 2 TB
Smart-1 210 | Intel Pentium G2120 3.10GHz (Dual Core) | 8 | 2 TB
Smart-1 205 | Intel Celeron G1620 2.7GHz (Dual Core) | 4 | 1 TB
Smart-1 150 | 2x Intel Xeon L5410 2.33GHz (Quad Core) | 16 | 2 TB
Smart-1 50 | Intel Xeon E5410 2.33GHz (DualCore) | 4 | 2 TB
Smart-1 25b | Intel Core2 Duo Processor E7400 2.80 GHz | 4 | 2 TB
Smart-1 25 | Intel Core2 Duo Processor T7400 2.16 GHz | 3 | 2 TB
Smart-1 5 | Intel Celeron M 1.50GHz | 2 | 500 GB

The details can be determined from the command line.

For the CPU details use cat /proc/cpuinfo, for the RAM details use cat /proc/meminfo.

If you have more details on appliances, feel free to send them to tobias@lachmann.org

All other values are taken from official Check Point materials.

If you take the appliance hardware together with the throughput stated by Check Point, it might give you an idea of how your Open Server hardware will perform in comparison.

Thanks to all the contributors for their info!

Tobias Lachmann

CPLogInvestigator – get a view on your logs

Check Point has a nice but nearly unknown tool called CPLogInvestigator.

If you want to know how many logs your system writes, this tool helps you find the answer.

It is also useful for sizing a SmartEvent solution, because that sizing depends on the logs-per-minute rate.

[Expert@FIREWALL:0]# CPLogInvestigator -a -m -p

Thank you for using log investigator tool.

==============================================================
Start reading log file: /opt/CPsuite-R77/fw1/log/fw.log

......................
Reading log file is DONE.

Total scanned 4358548 logs out of 4358548 logs in file
Scanned logs dates are from 27-05-2014 23:58:59 to 28-05-2014 15:36:48

========================================
Product log statistics (Per Day):
- Anti Malware : 1985
- Application Control : 6
- Connectra : 242
- HTTPS Inspection : 261520
- Identity Awareness : 9348
- New Anti Virus : 93
- Security Gateway/Management : 49
- SmartDefense : 93
- URL Filtering : 2228006
- VPN-1 & FireWall-1 : 4127915

Total logs per day:

Date | GB | Count
2014-05-03 | 0.2759 | 2534045
2014-05-04 | 0.1913 | 2092758
2014-05-05 | 0.7525 | 5148661
2014-05-06 | 0.7230 | 5414813
2014-05-07 | 0.7945 | 5767700
2014-05-08 | 0.7516 | 5279349
2014-05-09 | 0.6462 | 4940309
2014-05-10 | 0.3065 | 2885907
2014-05-11 | 0.1981 | 2231531
2014-05-12 | 0.8073 | 5591782
2014-05-13 | 0.8242 | 5805967
2014-05-14 | 0.9171 | 6270246
2014-05-15 | 0.8410 | 5601553
2014-05-16 | 0.6814 | 5524702
2014-05-17 | 0.3061 | 2754986
2014-05-18 | 0.2035 | 2252003
2014-05-19 | 0.7989 | 5536795
2014-05-20 | 0.7305 | 5290979
2014-05-21 | 0.7764 | 5548428
2014-05-22 | 0.8612 | 5643993
2014-05-23 | 0.7956 | 5631273
2014-05-24 | 0.3085 | 2768618
2014-05-25 | 0.2009 | 2243777
2014-05-26 | 0.9873 | 6336100
2014-05-27 | 0.8524 | 6045258
fw.log | 0.6322 | 4358548

==============================================================
Logs per minute table can be found at logPerMinute.txt

==============================================================
Tobias Lachmann
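Turning that per-day table into the rate SmartEvent sizing asks for, as an added example that is not part of the post or of the tool: the function reads CPLogInvestigator output on stdin, sums the dated rows of the "Total logs per day" table, skips the trailing fw.log row (the still-open log file covers only part of a day and would drag the average down), and prints the number of days, the total, the average logs per minute, the busiest day and that day's logs per minute. The sample fed to it in the test is a constructed two-day excerpt of the table above.

```bash
#!/bin/bash
# Summarise CPLogInvestigator's "Total logs per day" table for SmartEvent
# sizing. Example code, not part of the original post or of the tool.
# Usage: CPLogInvestigator -a -m -p | logs_per_minute_summary
# Output: "<days> <total logs> <avg logs/min> <peak date> <peak logs/min>"
logs_per_minute_summary() {
  awk -F'|' '
    # Dated rows only: "YYYY-MM-DD | GB | Count". The trailing "fw.log" row
    # is the still-open log file (a partial day) and is left out on purpose.
    /^[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9] *\|/ {
      date = $1; gsub(/ /, "", date)
      count = $3 + 0            # force numeric; the field still carries spaces
      days++; total += count
      if (count > peak) { peak = count; peakdate = date }
    }
    END {
      if (days == 0) { print "no per-day rows found on stdin" > "/dev/stderr"; exit 1 }
      printf "%d %d %.0f %s %.0f\n", days, total, total / (days * 1440), peakdate, peak / 1440
    }'
}

# Run directly on a saved report: ./loginvestigator_summary.sh report.txt
if [ $# -eq 1 ]; then
  logs_per_minute_summary < "$1"
fi
```

The weekend days in the table above run at roughly a third of the weekday rate, so size on the peak-day figure (or on the minute-level maxima in logPerMinute.txt), not on the average, if the correlation unit is not to fall behind on Mondays.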

Appliance Hardware – Updated May 4th 2015

Here is a short list of the hardware used in Check Point appliances. The tables give the SecurityPower Units (SPU) rating and the maximum firewall, VPN and IPS throughput in Gbps as published by Check Point, together with the CPU and RAM (in GB).

Check Point 2012 Appliance series

Model | SPU | FW (Gbps) | VPN (Gbps) | IPS (Gbps) | CPU | RAM (GB)
21800 | 4100 | 78.6 | 23.5 | 9.9 | 2x Intel Xeon E5-2690v2 3.00GHz (Ten-Core) | 16
21700 | 3300 | 78.6 | 11 | 8 | 2x Intel Xeon E5-2670 2.60GHz (Eight-Core) | 16
21600 | 2788 | 75 | 8.5 | 6.8 | 2x Intel Xeon E5-2658 2.10GHz (Eight-Core) | 16
21400 | 2003 | 50 | 7 | 6 | 2x Intel Xeon E5645 2.40GHz (Six-Core) | 12
13800 | 3800 | 77 | 18.3 | 9.6 | 2x Intel Xeon E5-2680v2 2.80GHz (Ten-Core) | 16
13500 | 3200 | 77 | 17 | 7.8 | 2x Intel Xeon E5-2670 2.60GHz (Eight-Core) | 16
12600 | 2050 | 30 | 7 | 6 | 2x Intel Xeon E5645 2.40GHz (Six-Core) | 6
12400 | 1185 | 30 | 7 | 3.5 | Intel Xeon E5645 2.40GHz (Six-Core) | 4
12200 | 811 | 15 | 2.5 | 2.5 | Intel Core i5 750 2.67GHz (QuadCore) | 4
4800 | 673 | 11 | 2 | 1.5 | Intel Core2 Quad CPU Q9400 2.66GHz | 4
4600 | 405 | 9 | 1.5 | 1 | Pentium Dual-Core E6500 2.93GHz | 4
4400 | 230 | 5 | 1.2 | 0.7 | Intel Celeron Dual-Core E3400 2.6 GHz | 4
4200 | 121 | 3 | 0.4 | 0.3 | Intel Atom D525 1.80GHz Dual-Core | 4
2200B | 114 | 3 | 0.4 | 0.3 | Intel Atom D525 1.80GHz Dual-Core | 4
2200 | 114 | 3 | 0.4 | 0.3 | Intel Atom D525 1.80GHz Dual-Core | 2
1100 | 28 | 0.75 | 0.14 | 0.05 | ARM926EJ-S | 0.5

Check Point UTM-1 / Power-1 Appliance series

Model | SPU | FW (Gbps) | VPN (Gbps) | IPS (Gbps) | CPU | RAM (GB)
11065 | up to 1222 | 15 | 3.7 | 10 | 2x Intel Xeon E5530 2.40GHz (QuadCore) | 6
9075 | 1006 | 9 | 2.4 | 7.5 | 2x Intel Xeon E5410 2.33GHz (QuadCore) | 4
5075 | 596 | 9 | 2.4 | 7.5 | Intel Xeon E5410 2.33GHz (QuadCore) | 2
3070 | 298 | 4.5 | 1.1 | 4 | Intel Core2 Duo E6400 2.13GHz | 3
2070 | 101 | 3.5 | 0.45 | 2.7 | Intel Celeron 440 2.00GHz | 2
1070 | 101 | 1.8 | 0.25 | 0.9 | Intel Celeron M 1.5 GHz | 1
570 | 101 | 2.5 | 0.3 | 1.7 | Intel Celeron M 1.5 GHz | 1
270 | 50 | 1.5 | 0.12 | 1 | Intel Celeron M 600 MHz | 1
130 | 50 | 1.5 | 0.12 | 1 | Intel Celeron M 600 MHz | 1

Check Point Smart-1 Appliance series

Model | CPU | RAM (GB) | Storage
Smart-1 3150 | 2x Intel Xeon E5-2630v2 2.60GHz (Six Core) | 64 | 6 TB
Smart-1 3050 | 2x Intel Xeon E5-2609v2 2.50GHz (QuadCore) | 32 | 4 TB
Smart-1 225 | Intel Core i5-3550S 3.10GHz (Quad Core) | 16 | 2 TB
Smart-1 210 | Intel Pentium G2120 3.10GHz (Dual Core) | 8 | 2 TB
Smart-1 205 | Intel Celeron G1620 2.7GHz (Dual Core) | 4 | 1 TB
Smart-1 150 | 2x Intel Xeon L5410 2.33GHz (Quad Core) | 16 | 2 TB
Smart-1 50 | Intel Xeon E5410 2.33GHz (DualCore) | 4 | 2 TB
Smart-1 25b | Intel Core2 Duo Processor E7400 2.80 GHz | 4 | 2 TB
Smart-1 25 | Intel Core2 Duo Processor T7400 2.16 GHz | 3 | 2 TB
Smart-1 5 | Intel Celeron M 1.50GHz | 2 | 500 GB

The details can be determined from the command line.

For the CPU details use cat /proc/cpuinfo, for the RAM details use cat /proc/meminfo.

If you have more details on appliances, feel free to send them to tobias@lachmann.org

All other values are taken from official Check Point materials.

If you take the appliance hardware together with the throughput stated by Check Point, it might give you an idea of how your Open Server hardware will perform in comparison.

Thanks to all the contributors for their info!

Tobias Lachmann

Check Point will update their own certificates in October 2015, action required

Check Point will update the certificates for their online services during October 2015. Since a lot of features depend on communication with these online services, every Check Point administrator has to take action.

There is a hotfix available right now, please refer to sk103839.

October is some months away and maybe you don't want to update your infrastructure right now.

Maybe this issue is covered by R77.30 and you would rather install that problem-fix release instead?

Whichever way you decide, please keep this topic in mind.

Tobias Lachmann

Determine installed Jumbo Hotfix version

When you try to determine which fixes are installed on your system, the command cpinfo -y all helps.

However, this command does not tell you which take of the Jumbo Hotfix is installed.

Check Point does store the take number in the CP registry, though.

For version R77.20 run the command $CPDIR/bin/cpprod_util CPPROD_GetValue "Check Point Mini Suite/setup/R77_20_jumbo_hf" Take 0

The output value is the take number of the installed Jumbo Hotfix.

For the command on other versions of R75 / R77 please consult sk98028.

Tobias Lachmann

Appliance Hardware – Updated March 26th 2015

Here is a short list of the hardware used in Check Point appliances. The tables give the SecurityPower Units (SPU) rating and the maximum firewall, VPN and IPS throughput in Gbps as published by Check Point, together with the CPU and RAM (in GB).

Check Point 2012 Appliance series

Model | SPU | FW (Gbps) | VPN (Gbps) | IPS (Gbps) | CPU | RAM (GB)
21800 | 4100 | 78.6 | 23.5 | 9.9 | 2x Intel Xeon E5-2690v2 3.00GHz (Ten-Core) | 16
21700 | 3300 | 78.6 | 11 | 8 | 2x Intel Xeon E5-2670 2.60GHz (Eight-Core) | 16
21600 | 2788 | 75 | 8.5 | 6.8 | 2x Intel Xeon E5-2658 2.10GHz (Eight-Core) | 16
21400 | 2003 | 50 | 7 | 6 | 2x Intel Xeon E5645 2.40GHz (Six-Core) | 12
13800 | 3800 | 77 | 18.3 | 9.6 | 2x Intel Xeon E5-2680v2 2.80GHz (Ten-Core) | 16
13500 | 3200 | 77 | 17 | 7.8 | 2x Intel Xeon E5-2670 2.60GHz (Eight-Core) | 16
12600 | 2050 | 30 | 7 | 6 | 2x Intel Xeon E5645 2.40GHz (Six-Core) | 6
12400 | 1185 | 30 | 7 | 3.5 | Intel Xeon E5645 2.40GHz (Six-Core) | 4
12200 | 811 | 15 | 2.5 | 2.5 | Intel Core i5 750 2.67GHz (QuadCore) | 4
4800 | 673 | 11 | 2 | 1.5 | Intel Core2 Quad CPU Q9400 2.66GHz | 4
4600 | 405 | 9 | 1.5 | 1 | Pentium Dual-Core E6500 2.93GHz | 4
4400 | 230 | 5 | 1.2 | 0.7 | Intel Celeron Dual-Core E3400 2.6 GHz | 4
4200 | 121 | 3 | 0.4 | 0.3 | Intel Atom D525 1.80GHz Dual-Core | 4
2200 | 114 | 3 | 0.4 | 0.3 | Intel Atom D525 1.80GHz Dual-Core | 2
1100 | 28 | 0.75 | 0.14 | 0.05 | ARM926EJ-S | 0.5

Check Point UTM-1 / Power-1 Appliance series

Model | SPU | FW (Gbps) | VPN (Gbps) | IPS (Gbps) | CPU | RAM (GB)
11065 | up to 1222 | 15 | 3.7 | 10 | 2x Intel Xeon E5530 2.40GHz (QuadCore) | 6
9075 | 1006 | 9 | 2.4 | 7.5 | 2x Intel Xeon E5410 2.33GHz (QuadCore) | 4
5075 | 596 | 9 | 2.4 | 7.5 | Intel Xeon E5410 2.33GHz (QuadCore) | 2
3070 | 298 | 4.5 | 1.1 | 4 | Intel Core2 Duo E6400 2.13GHz | 3
2070 | 101 | 3.5 | 0.45 | 2.7 | Intel Celeron 440 2.00GHz | 2
1070 | 101 | 1.8 | 0.25 | 0.9 | Intel Celeron M 1.5 GHz | 1
570 | 101 | 2.5 | 0.3 | 1.7 | Intel Celeron M 1.5 GHz | 1
270 | 50 | 1.5 | 0.12 | 1 | Intel Celeron M 600 MHz | 1
130 | 50 | 1.5 | 0.12 | 1 | Intel Celeron M 600 MHz | 1

Check Point Smart-1 Appliance series

Model | CPU | RAM (GB) | Storage
Smart-1 3150 | 2x Intel Xeon E5-2630v2 2.60GHz (Six Core) | 64 | 6 TB
Smart-1 3050 | 2x Intel Xeon E5-2609v2 2.50GHz (QuadCore) | 32 | 4 TB
Smart-1 225 | Intel Core i5-3550S 3.10GHz (Quad Core) | 16 | 2 TB
Smart-1 210 | Intel Pentium G2120 3.10GHz (Dual Core) | 8 | 2 TB
Smart-1 205 | Intel Celeron G1620 2.7GHz (Dual Core) | 4 | 1 TB
Smart-1 150 | 2x Intel Xeon L5410 2.33GHz (Quad Core) | 16 | 2 TB
Smart-1 50 | Intel Xeon E5410 2.33GHz (DualCore) | 4 | 2 TB
Smart-1 25b | Intel Core2 Duo Processor E7400 2.80 GHz | 4 | 2 TB
Smart-1 5 | Intel Celeron M 1.50GHz | 2 | 500 GB

The details can be determined from the command line.

For the CPU details use cat /proc/cpuinfo, for the RAM details use cat /proc/meminfo.

If you have more details on appliances, feel free to send them to tobias@lachmann.org

All other values are taken from official Check Point materials.

If you take the appliance hardware together with the throughput stated by Check Point, it might give you an idea of how your Open Server hardware will perform in comparison.

Thanks to all the contributors for their info!

Tobias Lachmann

2200 appliance series now with more memory

Check Point is now extending the memory of the 2200 appliance series from 2GB to 4GB to boost performance.

I think this is a very good approach, because no system should suffer from insufficient memory these days.

At the moment the specifications of the 2200 still show the old amount of 2GB memory, but Check Point will surely update this page quickly.

If you order a 2200 appliance in the next days and weeks, make sure that you get one with the extended amount of memory to benefit from this change in specification.

Tobias Lachmann

GAiA database problem – high CPU usage of confd

In the past weeks I encountered some problems with the GAiA process confd, which was using the CPU very heavily and slowing down normal operation.

Also, configuration of the system using WebUI or CLISH was nearly impossible due to timeouts while saving.

The reason for that behaviour can be found in a very large database file called initial_db.

[Expert@firewall1:0]# ls -lah /config/db/
total 387M
drwxrwxr-x 2 admin root 4.0K Feb 25 08:52 .
drwxrwxr-x 3 admin root 4.0K Feb 25 08:52 ..
-rw-r--r-- 1 admin root 143K Feb 25 08:52 initial
-rw-r--r-- 1 admin root 92K Apr 18 2014 initial_10.0v1
-rw-r--r-- 1 admin root 387M Feb 25 08:52 initial_db

The error leading to this huge file size was fixed in R77.20 and no longer occurs there.

However, if you initially operated a system with a version prior to R77.20 and the database had started growing, you will face this problem even after upgrading to R77.20.

There is a procedure to fix this, but it is risky because of the nature of the problem.

Please make sure to have a backup and snapshot before performing this procedure:

  1. cp -v /config/db/initial_db /config/db/initial_db_ORIGINAL
  2. rm /config/db/initial_db
  3. conv2db /config/db/initial /config/db/initial_db
  4. chown -v admin:root /config/db/initial_db
  5. chmod -v u=rw,g=r,o=r /config/db/initial_db
  6. reboot

I've implemented this procedure on various systems and encountered no errors so far.

Tobias Lachmann
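The same six steps as a script with the checks an operator would otherwise do by hand, added here as an example and not taken from the post: it refuses to run unless the text database /config/db/initial is non-empty, keeps the original under the post's initial_db_ORIGINAL name and refuses to overwrite an existing copy, and puts the original back if conv2db fails or produces an empty file, so the system is never left without a database. The 50 MB threshold is an assumption used only to decide whether a rebuild is warranted (the file on the page was 387 MB); the converter and owner parameters exist so the logic can be exercised on a scratch directory, and taking a backup and a snapshot first is still on you.

```bash
#!/bin/bash
# Rebuild an oversized GAiA configuration database from its text form.
# Example code, not part of the original post. Run in expert mode after a
# backup and a snapshot; finish with a reboot as in the post's step 6.
set -u

DB_DIR=${DB_DIR:-/config/db}
THRESHOLD_MB=${THRESHOLD_MB:-50}   # assumption: a healthy initial_db stays well below this

file_size_bytes() { wc -c < "$1" | tr -d ' '; }

# 0 when file $1 is larger than $2 megabytes.
db_oversized() {
  [ "$(file_size_bytes "$1")" -gt $(( $2 * 1024 * 1024 )) ]
}

# rebuild_initial_db <db dir> [converter] [owner]
# converter defaults to conv2db and owner to admin:root; both are parameters
# only so the rollback logic can be tested against a scratch directory.
rebuild_initial_db() {
  local dir=$1 conv=${2:-conv2db} owner=${3:-admin:root}
  local text=$dir/initial db=$dir/initial_db backup=$dir/initial_db_ORIGINAL

  if ! [ -s "$text" ]; then
    echo "refusing: $text is missing or empty, nothing to rebuild from" >&2
    return 1
  fi
  if [ -e "$backup" ]; then
    echo "refusing: $backup already exists, move it away first" >&2
    return 1
  fi

  cp "$db" "$backup" || return 1                       # step 1
  rm -f "$db"                                          # step 2
  if ! "$conv" "$text" "$db" || ! [ -s "$db" ]; then   # step 3, with rollback
    echo "conversion failed, restoring $backup" >&2
    cp "$backup" "$db"
    return 1
  fi
  chown "$owner" "$db" || return 1                     # step 4
  chmod u=rw,g=r,o=r "$db" || return 1                 # step 5
  echo "rebuilt $db: $(file_size_bytes "$backup") -> $(file_size_bytes "$db") bytes"
}

# Entry point: ./rebuild_initial_db.sh --run
if [ "${1:-}" = "--run" ]; then
  if db_oversized "$DB_DIR/initial_db" "$THRESHOLD_MB"; then
    rebuild_initial_db "$DB_DIR" && echo "now reboot the system (step 6)"
  else
    echo "$DB_DIR/initial_db is below $THRESHOLD_MB MB, nothing to do"
  fi
fi
```

The size printed at the end is the quick sanity check: a rebuilt initial_db should be in the same order of magnitude as the text file it was generated from, not hundreds of megabytes.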

Appliance Hardware – Updated January 18th 2015

Here is a short list of the hardware used in Check Point appliances. The tables give the SecurityPower Units (SPU) rating and the maximum firewall, VPN and IPS throughput in Gbps as published by Check Point, together with the CPU and RAM (in GB).

Check Point 2012 Appliance series

Model | SPU | FW (Gbps) | VPN (Gbps) | IPS (Gbps) | CPU | RAM (GB)
21700 | 3300 | 78.6 | 11 | 8 | 2x Intel Xeon E5-2670 2.60GHz (Eight-Core) | 16
21600 | 2788 | 75 | 8.5 | 6.8 | 2x Intel Xeon E5-2658 2.10GHz (Eight-Core) | 16
21400 | 2003 | 50 | 7 | 6 | 2x Intel Xeon E5645 2.40GHz (Six-Core) | 12
13800 | 3800 | 77 | 18.3 | 9.6 | 2x Intel Xeon E5-2680v2 2.80GHz (Ten-Core) | 16
13500 | 3200 | 77 | 17 | 7.8 | 2x Intel Xeon E5-2670 2.60GHz (Eight-Core) | 16
12600 | 2050 | 30 | 7 | 6 | 2x Intel Xeon E5645 2.40GHz (Six-Core) | 6
12400 | 1185 | 30 | 7 | 3.5 | Intel Xeon E5645 2.40GHz (Six-Core) | 4
12200 | 811 | 15 | 2.5 | 2.5 | Intel Core i5 750 2.67GHz (QuadCore) | 4
4800 | 673 | 11 | 2 | 1.5 | Intel Core2 Quad CPU Q9400 2.66GHz | 4
4600 | 405 | 9 | 1.5 | 1 | Pentium Dual-Core E6500 2.93GHz | 4
4400 | 230 | 5 | 1.2 | 0.7 | Intel Celeron Dual-Core E3400 2.6 GHz | 4
4200 | 121 | 3 | 0.4 | 0.3 | Intel Atom D525 1.80GHz Dual-Core | 4
2200 | 114 | 3 | 0.4 | 0.3 | Intel Atom D525 1.80GHz Dual-Core | 2
1100 | 28 | 0.75 | 0.14 | 0.05 | ARM926EJ-S | 0.5

Check Point UTM-1 / Power-1 Appliance series

Model | SPU | FW (Gbps) | VPN (Gbps) | IPS (Gbps) | CPU | RAM (GB)
11065 | up to 1222 | 15 | 3.7 | 10 | 2x Intel Xeon E5530 2.40GHz (QuadCore) | 6
9075 | 1006 | 9 | 2.4 | 7.5 | 2x Intel Xeon E5410 2.33GHz (QuadCore) | 4
5075 | 596 | 9 | 2.4 | 7.5 | Intel Xeon E5410 2.33GHz (QuadCore) | 2
3070 | 298 | 4.5 | 1.1 | 4 | Intel Core2 Duo E6400 2.13GHz | 3
2070 | 101 | 3.5 | 0.45 | 2.7 | Intel Celeron 440 2.00GHz | 2
1070 | 101 | 1.8 | 0.25 | 0.9 | Intel Celeron M 1.5 GHz | 1
570 | 101 | 2.5 | 0.3 | 1.7 | Intel Celeron M 1.5 GHz | 1
270 | 50 | 1.5 | 0.12 | 1 | Intel Celeron M 600 MHz | 1
130 | 50 | 1.5 | 0.12 | 1 | Intel Celeron M 600 MHz | 1

Check Point Smart-1 Appliance series

Model | CPU | RAM (GB) | Storage
Smart-1 3150 | 2x Intel Xeon E5-2630v2 2.60GHz (Six Core) | 64 | 6 TB
Smart-1 3050 | 2x Intel Xeon E5-2609v2 2.50GHz (QuadCore) | 32 | 4 TB
Smart-1 225 | Intel Core i5-3550S 3.10GHz (Quad Core) | 16 | 2 TB
Smart-1 210 | Intel Pentium G2120 3.10GHz (Dual Core) | 8 | 2 TB
Smart-1 205 | Intel Celeron G1620 2.7GHz (Dual Core) | 4 | 1 TB
Smart-1 150 | 2x Intel Xeon L5410 2.33GHz (Quad Core) | 16 | 2 TB
Smart-1 50 | Intel Xeon E5410 2.33GHz (DualCore) | 4 | 2 TB
Smart-1 25b | Intel Core2 Duo Processor E7400 2.80 GHz | 4 | 2 TB
Smart-1 5 | Intel Celeron M 1.50GHz | 2 | 500 GB

The details can be determined from the command line.

For the CPU details use cat /proc/cpuinfo, for the RAM details use cat /proc/meminfo.

If you have more details on appliances, feel free to send them to tobias@lachmann.org

All other values are taken from official Check Point materials.

If you take the appliance hardware together with the throughput stated by Check Point, it might give you an idea of how your Open Server hardware will perform in comparison.

Thanks to all the contributors for their info!

Tobias Lachmann

Appliance Hardware – Updated October 26th 2014

Here is a short list of the hardware used in Check Point appliances. The tables give the SecurityPower Units (SPU) rating and the maximum firewall, VPN and IPS throughput in Gbps as published by Check Point, together with the CPU and RAM (in GB).

Check Point 2012 Appliance series

Model | SPU | FW (Gbps) | VPN (Gbps) | IPS (Gbps) | CPU | RAM (GB)
21700 | 3300 | 78.6 | 11 | 8 | 2x Intel Xeon E5-2670 2.60GHz (Eight-Core) | 16
21600 | 2788 | 75 | 8.5 | 6.8 | 2x Intel Xeon E5-2658 2.10GHz (Eight-Core) | 16
21400 | 2003 | 50 | 7 | 6 | 2x Intel Xeon E5645 2.40GHz (Six-Core) | 12
13800 | 3800 | 77 | 18.3 | 9.6 | 2x Intel Xeon E5-2680v2 2.80GHz (Ten-Core) | 16
13500 | 3200 | 77 | 17 | 7.8 | 2x Intel Xeon E5-2670 2.60GHz (Eight-Core) | 16
12600 | 2050 | 30 | 7 | 6 | 2x Intel Xeon E5645 2.40GHz (Six-Core) | 6
12400 | 1185 | 30 | 7 | 3.5 | Intel Xeon E5645 2.40GHz (Six-Core) | 4
12200 | 811 | 15 | 2.5 | 2.5 | Intel Core i5 750 2.67GHz (QuadCore) | 4
4800 | 673 | 11 | 2 | 1.5 | Intel Core2 Quad CPU Q9400 2.66GHz | 4
4600 | 405 | 9 | 1.5 | 1 | Pentium Dual-Core E6500 2.93GHz | 4
4400 | 230 | 5 | 1.2 | 0.7 | Intel Celeron Dual-Core E3400 2.6 GHz | 4
4200 | 121 | 3 | 0.4 | 0.3 | Intel Atom D525 1.80GHz Dual-Core | 4
2200 | 114 | 3 | 0.4 | 0.3 | Intel Atom D525 1.80GHz Dual-Core | 2
1100 | 28 | 0.75 | 0.14 | 0.05 | ARM926EJ-S | 0.5

Check Point UTM-1 / Power-1 Appliance series

Model | SPU | FW (Gbps) | VPN (Gbps) | IPS (Gbps) | CPU | RAM (GB)
11065 | up to 1222 | 15 | 3.7 | 10 | 2x Intel Xeon E5530 2.40GHz (QuadCore) | 6
9075 | 1006 | 9 | 2.4 | 7.5 | 2x Intel Xeon E5410 2.33GHz (QuadCore) | 4
5075 | 596 | 9 | 2.4 | 7.5 | Intel Xeon E5410 2.33GHz (QuadCore) | 2
3070 | 298 | 4.5 | 1.1 | 4 | Intel Core2 Duo E6400 2.13GHz | 3
2070 | 101 | 3.5 | 0.45 | 2.7 | Intel Celeron 440 2.00GHz | 2
1070 | 101 | 1.8 | 0.25 | 0.9 | Intel Celeron M 1.5 GHz | 1
570 | 101 | 2.5 | 0.3 | 1.7 | Intel Celeron M 1.5 GHz | 1
270 | 50 | 1.5 | 0.12 | 1 | Intel Celeron M 600 MHz | 1
130 | 50 | 1.5 | 0.12 | 1 | Intel Celeron M 600 MHz | 1

Check Point Smart-1 Appliance series

Model | CPU | RAM (GB) | Storage
Smart-1 3150 | 2x Intel Xeon E5-2630v2 2.60GHz (Six Core) | 64 | 6 TB
Smart-1 3050 | 2x Intel Xeon E5-2609v2 2.50GHz (QuadCore) | 32 | 4 TB
Smart-1 210 | Intel Pentium G2120 3.10GHz (Dual Core) | 8 | 2 TB
Smart-1 205 | Intel Celeron G1620 2.7GHz (Dual Core) | 4 | 1 TB
Smart-1 150 | 2x Intel Xeon L5410 2.33GHz (Quad Core) | 16 | 2 TB
Smart-1 50 | Intel Xeon E5410 2.33GHz (DualCore) | 4 | 2 TB
Smart-1 25b | Intel Core2 Duo Processor E7400 2.80 GHz | 4 | 2 TB
Smart-1 5 | Intel Celeron M 1.50GHz | 2 | 500 GB

The details can be determined from the command line.

For the CPU details use cat /proc/cpuinfo, for the RAM details use cat /proc/meminfo.

If you have more details on appliances, feel free to send them to tobias@lachmann.org

All other values are taken from official Check Point materials.

If you take the appliance hardware together with the throughput stated by Check Point, it might give you an idea of how your Open Server hardware will perform in comparison.

Thanks to all the contributors for their info!

Tobias Lachmann

Thanks for voting me into “Top 5 Check Point experts” list

Indeni ran an online vote and asked for nominations for the international “Top 5 Check Point experts”.

It turns out that I’m on this list, so thank you very much for voting.

But there are so many highly skilled and talented professionals out there who should have been on this ranking before me.

I’d like to name a few:

Please let me share the title of Top Check Point Expert with all of you!

Tobias Lachmann

Appliance hardware – Updated August 23rd 2014

Here is a short list of the hardware used in Check Point appliances. The tables give the SecurityPower Units (SPU) rating and the maximum firewall, VPN and IPS throughput in Gbps as published by Check Point, together with the CPU and RAM (in GB).

Check Point 2012 Appliance series

Model | SPU | FW (Gbps) | VPN (Gbps) | IPS (Gbps) | CPU | RAM (GB)
21700 | 3300 | 78.6 | 11 | 8 | 2x Intel Xeon E5-2670 2.60GHz (Eight-Core) | 16
21600 | 2788 | 75 | 8.5 | 6.8 | 2x Intel Xeon E5-2658 2.10GHz (Eight-Core) | 16
21400 | 2003 | 50 | 7 | 6 | 2x Intel Xeon E5645 2.40GHz (Six-Core) | 12
13500 | 3200 | 77 | 17 | 7.8 | 2x Intel Xeon E5-2670 2.60GHz (Eight-Core) | 16
12600 | 2050 | 30 | 7 | 6 | 2x Intel Xeon E5645 2.40GHz (Six-Core) | 6
12400 | 1185 | 30 | 7 | 3.5 | Intel Xeon E5645 2.40GHz (Six-Core) | 4
12200 | 811 | 15 | 2.5 | 2.5 | Intel Core i5 750 2.67GHz (QuadCore) | 4
4800 | 673 | 11 | 2 | 1.5 | Intel Core2 Quad CPU Q9400 2.66GHz | 4
4600 | 405 | 9 | 1.5 | 1 | Pentium Dual-Core E6500 2.93GHz | 4
4400 | 230 | 5 | 1.2 | 0.7 | Intel Celeron Dual-Core E3400 2.6 GHz | 4
4200 | 121 | 3 | 0.4 | 0.3 | Intel Atom D525 1.80GHz Dual-Core | 4
2200 | 114 | 3 | 0.4 | 0.3 | Intel Atom D525 1.80GHz Dual-Core | 2
1100 | 28 | 0.75 | 0.14 | 0.05 | ARM926EJ-S | 0.5

Check Point UTM-1 / Power-1 Appliance series

Model | SPU | FW (Gbps) | VPN (Gbps) | IPS (Gbps) | CPU | RAM (GB)
11065 | up to 1222 | 15 | 3.7 | 10 | 2x Intel Xeon E5530 2.40GHz (QuadCore) | 6
9075 | 1006 | 9 | 2.4 | 7.5 | 2x Intel Xeon E5410 2.33GHz (QuadCore) | 4
5075 | 596 | 9 | 2.4 | 7.5 | Intel Xeon E5410 2.33GHz (QuadCore) | 2
3070 | 298 | 4.5 | 1.1 | 4 | Intel Core2 Duo E6400 2.13GHz | 3
2070 | 101 | 3.5 | 0.45 | 2.7 | Intel Celeron 440 2.00GHz | 2
1070 | 101 | 1.8 | 0.25 | 0.9 | Intel Celeron M 1.5 GHz | 1
570 | 101 | 2.5 | 0.3 | 1.7 | Intel Celeron M 1.5 GHz | 1
270 | 50 | 1.5 | 0.12 | 1 | Intel Celeron M 600 MHz | 1
130 | 50 | 1.5 | 0.12 | 1 | Intel Celeron M 600 MHz | 1

Check Point Smart-1 Appliance series

Model | CPU | RAM (GB) | Storage
Smart-1 3150 | 2x Intel Xeon E5-2630v2 2.60GHz (Six Core) | 64 | 6 TB
Smart-1 3050 | 2x Intel Xeon E5-2609v2 2.50GHz (QuadCore) | 32 | 4 TB
Smart-1 210 | Intel Pentium G2120 3.10GHz (Dual Core) | 8 | 2 TB
Smart-1 205 | Intel Celeron G1620 2.7GHz (Dual Core) | 4 | 1 TB
Smart-1 150 | 2x Intel Xeon L5410 2.33GHz (Quad Core) | 16 | 2 TB
Smart-1 50 | Intel Xeon E5410 2.33GHz (DualCore) | 4 | 2 TB
Smart-1 25b | Intel Core2 Duo Processor E7400 2.80 GHz | 4 | 2 TB
Smart-1 5 | Intel Celeron M 1.50GHz | 2 | 500 GB

The details can be determined from the command line.

For the CPU details use cat /proc/cpuinfo, for the RAM details use cat /proc/meminfo.

If you have more details on appliances, feel free to send them to tobias@lachmann.org

All other values are taken from official Check Point materials.

If you take the appliance hardware together with the throughput stated by Check Point, it might give you an idea of how your Open Server hardware will perform in comparison.

Thanks to all the contributors for their info!

Tobias Lachmann

Cluster Control Protocol (CCP) over Cisco Overlay Transport Virtualization (OTV) or Brocade VCS fabric technology.

In modern virtualized infrastructures we want our virtual machines (VMs) to move between different locations: not only between members of the same VMware cluster that sit in different fire zones, but also to members of the same cluster (or a different cluster) in another data center.

While this sounds easy, keep in mind that you need to extend your layer 2 network infrastructure, too. Within one data center this task is easy. Between different data centers it becomes difficult if you want to maintain high operational stability.

This is where Brocade's VCS fabric technology and Cisco OTV are good solutions.

Brocade connects different switches with VCS into one big fabric, delivering stability and availability while avoiding things like Spanning Tree.

Cisco uses OTV to extend layer 2 networks over routed connections, avoiding Spanning Tree entirely.

Check Point uses the Cluster Control Protocol (CCP) for cluster communication, which relies on specially crafted packets.

Since the CCP frames are so special, the question came up whether they can be transmitted via OTV or VCS.

OTV, for example, encapsulates the received frames, transmits them over a routed connection, strips the overhead on the other side and puts the frame back on the wire.

Good news for all security engineers operating in a multiple data center setup: the CCP packets can be transmitted over Cisco OTV as well as over Brocade VCS, regardless of whether Broadcast or Multicast mode is configured.

Tobias Lachmann

Hardware of new Smart-1 appliances

Today I was able to publish information on new Smart-1 appliances (thanks to a contribution).

At CPX2014 Check Point acknowledged that the problem with the old appliances was the small amount of memory and the weak CPU.

The old Smart-1 5 had 2GB of memory and an Intel Celeron M 1.5 GHz.

The new Smart-1 205 has 4GB of memory and an Intel Celeron G1620 2.7 GHz.

So Check Point doubled the memory and now uses a CPU that is over 7 times faster according to current benchmarks – good call.

If anyone has already gained experience with the new appliances in production environments, please let me know how you would rate their performance compared with the old appliance series.

Tobias Lachmann

Appliance hardware – Updated 30th June 2014

Here is a short list of the hardware used in Check Point appliances. The tables give the SecurityPower Units (SPU) rating and the maximum firewall, VPN and IPS throughput in Gbps as published by Check Point, together with the CPU and RAM (in GB).

Check Point 2012 Appliance series

Model | SPU | FW (Gbps) | VPN (Gbps) | IPS (Gbps) | CPU | RAM (GB)
21700 | 3300 | 78.6 | 11 | 8 | 2x Intel Xeon E5-2670 2.60GHz (Eight-Core) | 16
21600 | 2788 | 75 | 6.8 | 21 | 2x Intel Xeon E5-2658 2.10GHz (Eight-Core) | 16
21400 | 2003 | 50 | 7 | 6 | 2x Intel Xeon E5645 2.40GHz (Six-Core) | 6
13500 | 3200 | 77 | 17 | 7.8 | 2x Intel Xeon E5-2670 2.60GHz (Eight-Core) | 16
12600 | 2050 | 30 | 7 | 6 | 2x Intel Xeon E5645 2.40GHz (Six-Core) | 6
12400 | 1185 | 30 | 7 | 3.5 | Intel Xeon E5645 2.40GHz (Six-Core) | 4
12200 | 811 | 15 | 2.5 | 2.5 | Intel Core i5 750 2.67GHz (QuadCore) | 4
4800 | 673 | 11 | 2 | 1.5 | Intel Core2 Quad CPU Q9400 2.66GHz | 4
4600 | 405 | 9 | 1.5 | 1 | Pentium Dual-Core E6500 2.93GHz | 4
4400 | 230 | 5 | 1.2 | 0.7 | Intel Celeron Dual-Core E3400 2.6 GHz | 4
4200 | 121 | 3 | 0.4 | 0.3 | Intel Atom D525 1.80GHz Dual-Core | 4
2200 | 114 | 3 | 0.4 | 0.3 | Intel Atom D525 1.80GHz Dual-Core | 2
1100 | 28 | 0.75 | 0.14 | 0.05 | ARM926EJ-S | 0.5

Check Point UTM-1 / Power-1 Appliance series

Model | SPU | FW (Gbps) | VPN (Gbps) | IPS (Gbps) | CPU | RAM (GB)
11065 | up to 1222 | 15 | 3.7 | 10 | 2x Intel Xeon E5530 2.40GHz (QuadCore) | 6
9075 | 1006 | 9 | 2.4 | 7.5 | 2x Intel Xeon E5410 2.33GHz (QuadCore) | 4
5075 | 596 | 9 | 2.4 | 7.5 | Intel Xeon E5410 2.33GHz (QuadCore) | 2
3070 | 298 | 4.5 | 1.1 | 4 | Intel Core2 Duo E6400 2.13GHz | 3
2070 | 101 | 3.5 | 0.45 | 2.7 | Intel Celeron 440 2.00GHz | 2
1070 | 101 | 1.8 | 0.25 | 0.9 | Intel Celeron M 1.5 GHz | 1
570 | 101 | 2.5 | 0.3 | 1.7 | Intel Celeron M 1.5 GHz | 1
270 | 50 | 1.5 | 0.12 | 1 | Intel Celeron M 600 MHz | 1
130 | 50 | 1.5 | 0.12 | 1 | Intel Celeron M 600 MHz | 1

Check Point Smart-1 Appliance series

Model | CPU | RAM (GB) | Storage
Smart-1 210 | Intel Pentium G2120 3.10GHz (Dual Core) | 8 | 2 TB
Smart-1 205 | Intel Celeron G1620 2.7GHz (Dual Core) | 4 | 1 TB
Smart-1 150 | 2x Intel Xeon L5410 2.33GHz (Quad Core) | 16 | 2 TB
Smart-1 50 | Intel Xeon E5410 2.33GHz (DualCore) | 4 | 2 TB
Smart-1 25b | Intel Core2 Duo Processor E7400 2.80 GHz | 4 | 2 TB
Smart-1 5 | Intel Celeron M 1.50GHz | 2 | 500 GB

The details can be determined from the command line.

For the CPU details use cat /proc/cpuinfo, for the RAM details use cat /proc/meminfo.

If you have more details on appliances, feel free to send them to tobias@lachmann.org

All other values are taken from official Check Point materials.

If you take the appliance hardware together with the throughput stated by Check Point, it might give you an idea of how your Open Server hardware will perform in comparison.

Thanks to all the contributors for their info!

Tobias Lachmann

Check Point on IPv6

Check Point had a presentation on the IPv6 Business Conference 2014, organized by the Swiss IPv6 Council.

Aviv Abramovich shared some information about the IPv6 capabilities and challenges and their handling within Check Point's products.

Check out the presentation!

Tobias Lachmann

Endpoint Security – number of licensed clients does not match the number of active clients

When you use Check Point Endpoint Security not solely with Active Directory, you have to maintain a local database of clients protected by Endpoint.

Every client registers with the Endpoint Server and retrieves a license after installation of the product.

If this client is removed from your network and is no longer active, the license is not freed unless you delete the client object in SmartEndpoint.

This may lead to a situation where the license counter is exceeded and new clients can't get a license – even if the total number of active clients complies with the licensed value.

With sk92328 Check Point delivers a solution to this problem: a script that lists computers that have a license but have not contacted the Endpoint Server within the last 30 days – and that are therefore likely to be phantom clients.

When you try to execute the script it might not work at first.

I tested it on an installation with E80.41. On this Endpoint server the PATH variable did not contain the directory with the PostgreSQL binary. In my case this was C:\Program Files (x86)\CheckPoint\CPShared\R75.40\database\postgresql\bin

After copying the script into this directory I was able to call it and retrieve the results.

Sadly, the number of listed clients was very small. After examining the script I found that only clients that had joined the Windows domain were shown: AND device.is_in_domain=true

When I removed this condition, I got a complete list of clients that had a license but had not contacted the Endpoint server for the last 30 days.

Unfortunately, the script only displays the distinguished name and leaves out the common name, under which the client can be located when using the local database as well.

I modified the script from

select distinct (device.nid), device.distinguished_name from device

to

select distinct (device.nid), device.distinguished_name, device.common_name from device

This brought me the whole list of clients and I was able to exam them one by one – and delete them manually, if they no longer existed, freeing the needed licenses.

Tobias Lachmann

 

New Smart-1 appliances to arrive

Check Point will shortly release a new version of the Smart-1 Security Management appliances.

On the website you can already find information on the new models, including a new datasheet.

We can expect upgraded hardware along with new blade packages.

For example, the Compliance blade will be included in all models from now on.

The price list will be updated shortly; then we can compare the old appliances against the new ones.

Tobias Lachmann

TLS heartbeat read overrun (CVE-2014-0160) – vulnerability of Check Point products

You may have read about the critical OpenSSL vulnerability (Heartbleed): a missing bounds check in the TLS heartbeat extension lets an unauthenticated remote peer read up to 64 KB of the peer's process memory per heartbeat request, which exposes private keys, session cookies, credentials and whatever else happens to be in memory at the time.

This is a major incident from the perspective of a security expert and needs urgent fixing, followed by certificate replacement, password resets and so on. Patching alone is not enough, because anything that was read out before the patch stays compromised.

My co-workers and I are currently reviewing all systems to find the vulnerable ones and to launch countermeasures.

As for Check Point products, there is no SecureKnowledge article out right now. That's why I investigated the OpenSSL version used.

Run the following command in Expert mode on SPLAT or Gaia to see the installed packages related to OpenSSL.

[Expert@FIREWALL:0]# rpm -qa |grep openssl
openssl-0.9.8b-8.3cp738000011


As you can see, the version numbering matches the upstream OpenSSL version numbering, only with an extension for the specific Check Point build of this package.

Which means that this package, found in R75.45 and R77.10, is derived from official OpenSSL version 0.9.8b from May 26th 2006. And this version isn't vulnerable: the heartbeat extension was only introduced with the 1.0.1 branch, so no build of the 0.9.8 branch contains the affected code, however much the vendor has patched on top. The reverse conclusion does not hold in general: a 1.0.1e version string on a distribution that backports fixes says nothing either way, so the vendor advisory remains the authoritative source.
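The version check above, as an added example that is not part of the original post: a small POSIX shell script that takes the output of rpm -qa, strips the Check Point (or distribution) build suffix and classifies the upstream OpenSSL version against the Heartbleed range. The package names fed to it are constructed samples, except for the Check Point package shown above. The classification is deliberately a heuristic, as explained in the comments.

```shell
#!/bin/sh
# Added example, not from the original post: triage the output of
# "rpm -qa | grep openssl" for CVE-2014-0160 by the upstream OpenSSL version
# the package was built from. Heartbleed exists in OpenSSL 1.0.1 through
# 1.0.1f and in 1.0.2-beta1 only; the heartbeat extension was introduced
# with 1.0.1, so 0.9.8 and 1.0.0 builds never contained the code.
# A version string is a heuristic: vendors backport fixes without changing
# it, so "vulnerable" here means "check the vendor advisory", not "confirmed".

# Extract the upstream version from an RPM name, e.g.
#   openssl-0.9.8b-8.3cp738000011 -> 0.9.8b
#   openssl-devel-1.0.1e-16.el6   -> 1.0.1e
#   openssl-1.0.2-beta1-1         -> 1.0.2-beta1
# Name parts are dropped until the first one that starts with a digit; the
# release field (a "-" followed by a digit) is cut off at the end.
openssl_upstream_version() {
    printf '%s\n' "$1" | sed -e ':a' -e 's/^[^0-9][^-]*-//' -e 'ta' -e 's/-[0-9].*$//'
}

# Classify one upstream version: vulnerable | not-vulnerable | unknown
heartbleed_status() {
    case "$1" in
        1.0.1|1.0.1[a-f]|1.0.2-beta1)          echo vulnerable ;;
        1.0.1[g-z]*|1.0.2*|1.1.*|0.9.*|1.0.0*) echo not-vulnerable ;;
        *)                                     echo unknown ;;
    esac
}

# Read package names on stdin, print "package<TAB>version<TAB>status".
# Usage on the box:  rpm -qa | grep '^openssl' | classify_packages
classify_packages() {
    while IFS= read -r pkg; do
        [ -n "$pkg" ] || continue
        v=$(openssl_upstream_version "$pkg")
        printf '%s\t%s\t%s\n' "$pkg" "$v" "$(heartbleed_status "$v")"
    done
}

# Constructed sample: the Check Point package from the post plus two
# RHEL-style package names, one in the affected range and one fixed.
classify_packages_demo() {
    printf '%s\n' openssl-0.9.8b-8.3cp738000011 openssl-1.0.1e-16.el6 openssl-1.0.1g-1 \
        | classify_packages
}

classify_packages_demo
```

A "vulnerable" line is a reason to read the vendor's advisory (for Check Point, sk100173 below) or to test the TLS listener where you are authorised to; a "not-vulnerable" line for anything in the 1.0.1 series should likewise be confirmed against the vendor's changelog, since the script only reads the version string.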

While writing this I was informed by Check Point that the following products have been identified as not vulnerable:

  • Security Gateway & Security Management
  • SMB products
  • 61k products
  • VPN Clients & Endpoint Connect
  • MacOS VPN Client

I will update this blog post with the SK article as soon as it is released.

Best regards

Tobias Lachmann
 
 
UPDATE: Check Point just released sk100173 for this issue!


 
 

Now 400 a day – thank you for visiting!

I just took a look at the statistics for this site.

Since October 2009, when this blog started, the number of visitors per day has grown steadily and is now at a level of 400 daily visitors.

So I thought I'd take the opportunity and say THANK YOU for reading the facts and the opinions expressed in this blog.

Also thank you for contributing information such as appliance hardware details or sharing comments on my posts.

And I really appreciate all the e-mails sent to me privately, which led to great discussions.

Tobias Lachmann

Appliance hardware – Updated 21st March 2014

Here is a short list of the hardware used in Check Point appliances. The numbers show SPU and the maximum throughput for firewall, VPN and IPS traffic in Gbps according to Check Point; RAM is given in GB. The throughput figures are datasheet maxima measured under Check Point's own test conditions, not what you will see with a real rule base and several blades enabled.

Check Point 2012 Appliance series

Model | SPU | FW (Gbps) | VPN (Gbps) | IPS (Gbps) | CPU | RAM (GB)
21700 | 3300 | 78.6 | 11 | 8 | 2x Intel Xeon E5-2670 2.60GHz (Eight-Core) | 16
21600 | 2788 | 75 | 6.8 | 21 | 2x Intel Xeon E5-2658 2.10GHz (Eight-Core) | 16
21400 | 2003 | 50 | 7 | 6 | 2x Intel Xeon E5645 2.40GHz (Six-Core) | 6
13500 | 3200 | 77 | 17 | 7.8 | 2x Intel Xeon E5-2670 2.60GHz (Eight-Core) | 16
12600 | 2050 | 30 | 7 | 6 | 2x Intel Xeon E5645 2.40GHz (Six-Core) | 6
12400 | 1185 | 30 | 7 | 3.5 | Intel Xeon E5645 2.40GHz (Six-Core) | 4
12200 | 811 | 15 | 2.5 | 2.5 | Intel Core i5 750 2.67GHz (QuadCore) | 4
4800 | 673 | 11 | 2 | 1.5 | Intel Core2 Quad CPU Q9400 2.66GHz | 4
4600 | 405 | 9 | 1.5 | 1 | Pentium Dual-Core E6500 2.93GHz | 4
4400 | 230 | 5 | 1.2 | 0.7 | Intel Celeron Dual-Core E3400 2.6 GHz | 4
4200 | 121 | 3 | 0.4 | 0.3 | Intel Atom D525 1.80GHz Dual-Core | 4
2200 | 114 | 3 | 0.4 | 0.3 | Intel Atom D525 1.80GHz Dual-Core | 2
1100 | 28 | 0.75 | 0.14 | 0.05 | ARM926EJ-S | 0.5

Check Point UTM-1 / Power-1 Appliance series

Model | SPU | FW (Gbps) | VPN (Gbps) | IPS (Gbps) | CPU | RAM (GB)
11065 | up to 1222 | 15 | 3.7 | 10 | 2x Intel Xeon E5530 2.40GHz (QuadCore) | 6
9075 | 1006 | 9 | 2.4 | 7.5 | 2x Intel Xeon E5410 2.33GHz (QuadCore) | 4
5075 | 596 | 9 | 2.4 | 7.5 | Intel Xeon E5410 2.33GHz (QuadCore) | 2
3070 | 298 | 4.5 | 1.1 | 4 | Intel Core2 Duo E6400 2.13GHz | 3
2070 | 101 | 3.5 | 0.45 | 2.7 | Intel Celeron 440 2.00GHz | 2
1070 | 101 | 1.8 | 0.25 | 0.9 | Intel Celeron M 1.5 GHz | 1
570 | 101 | 2.5 | 0.3 | 1.7 | Intel Celeron M 1.5 GHz | 1
270 | 50 | 1.5 | 0.12 | 1 | Intel Celeron M 600 MHz | 1
130 | 50 | 1.5 | 0.12 | 1 | Intel Celeron M 600 MHz | 1

Check Point Smart-1 Appliance series

Model | CPU | RAM (GB) | HDD
Smart-1 150 | 2x Intel Xeon L5410 2.33GHz (Quad Core) | 16 | 2 TB
Smart-1 50 | Intel Xeon E5410 2.33GHz (DualCore) | 4 | 2 TB
Smart-1 25b | Intel Core2 Duo Processor E7400 2.80 GHz | 4 | 2 TB
Smart-1 5 | Intel Celeron M 1.50GHz | 2 | 500 GB

The details can be determined from the command line.

For the CPU details use cat /proc/cpuinfo, for the RAM details use cat /proc/meminfo.

If you have more details on appliances, feel free to send them to tobias@lachmann.org

All other values are taken from official Check Point materials.

If you take the appliance hardware together with the throughput stated by Check Point, it might give you an idea how your OpenServer hardware will perform in comparison.

Thanks to all the contributors for their info!

Tobias Lachmann

Comment on “VSX licensing – my way or the highway”

Don Paterson wrote a very good comment on my post “VSX licensing – my way or the highway“. I don't want it to be buried in the comment section, so I am putting it in a post of its own.

Hi Tobias
I also questioned the 2 free VS license but I don't doubt that the vs0 is a fully functional Virtual System that can be used to pass and secure production traffic.

I would like to have seen the SG license convert to a license that allowed two virtual systems in addition to vs0. It might just be too complicated and restrictive to then force the customer to use a dedicated management port. Not to mention the vsx conversion wizard issues that would cause (I doubt I would ever use that wizard myself).

I can see why you think of it as the hypervisor but that is maybe not the best way to see it.
Gaia is the host OS and has no hypervisor.
The vs0's old name of Management Virtual System is the one I like best.
It helps to describe and understand the functions of the MVS and its Dedicated Management Interface (DMI); the interface between the rest of the virtual devices (VSs, VRs and VSwitches) and the management, which also provides the provisioning channel for the management server/s to deploy virtual devices and manage them. Not forgetting the role of hosting the daemons (yes, that is where it fits closest with the hypervisor comparison).


The reality is that if the management server/s and/or any other hosts on the DMI LAN needed access to the customer networks (behind the VSs) or the external untrusted side of the vsx gateway, then the MVS (vs0) could indeed be connected to a VSwitch or VR and provide secure access to the other networks, whilst offering all the VS blade functionality for the vs0 and effectively for the management LAN.
This would mean that it is a fully functional VS being utilised and therefore the license is being taken advantage of (as advertised).
There is only really one way to deploy vsx in my opinion and that way is with a DMI that gives management to vs0 (the gateway/cluster members) and the vs0 is never connected to a VR or VSwitch (with a warp link), unless specific low risk scenarios dictate that it should. I wouldn't want to see the gateway compromised by a management LAN host's bandwidth demands on vs0.
There is always the option to have a whole new VS to provide the management LAN with a firewall for production traffic (Internet access) on separate ports, in the same way as customer VSs are provisioned.
That is where it is then that I would expect the question as to the cost of that new VS license.
Enjoying your blog as ever.
Regards
Don


Thank you Don, I appreciate that comment and would be glad to get other opinions as well and start a discussion.

Please feel free to share your thoughts!

Tobias Lachmann

Appliance hardware – Updated 10th January 2014

Here is a short list of the hardware used in Check Point appliances. The numbers show SPU and the maximum throughput for firewall, VPN and IPS traffic in Gbps according to Check Point; RAM is given in GB.

Check Point 2012 Appliance series

Model | SPU | FW (Gbps) | VPN (Gbps) | IPS (Gbps) | CPU | RAM (GB)
21600 | 2788 | 75 | 8.5 | 21 | 2x Intel Xeon E5-2658 2.10GHz (Eight-Core) | 16
21400 | 2003 | 50 | 7 | 21 | 2x Intel Xeon E5645 2.40GHz (Six-Core) | 6
13500 | 3200 | 77 | 17 | 23 | 2x Intel Xeon E5-2670 2.60GHz (Eight-Core) | 16
12600 | 1861 | 30 | 7 | 17 | 2x Intel Xeon E5645 2.40GHz (Six-Core) | 6
12400 | 1046 | 25 | 3.5 | 12 | Intel Xeon E5645 2.40GHz (Six-Core) | 4
12200 | 738 | 15 | 2.5 | 8 | Intel Core i5 750 2.67GHz (QuadCore) | 4
4800 | 623 | 11 | 2 | 6 | Intel Core2 Quad CPU Q9400 2.66GHz | 4
4600 | 374 | 9 | 1.5 | 4 | Pentium Dual-Core E6500 2.93GHz | 4
4400 | 223 | 5 | 1.2 | 3.5 | Intel Celeron Dual-Core E3400 2.6 GHz | 4
4200 | 114 | 3 | 0.4 | 2 | Intel Atom D525 1.80GHz Dual-Core | 4
2200 | 114 | 3 | 0.4 | 2 | Intel Atom D525 1.80GHz Dual-Core | 2
1100 | 28 | 0.75 | 0.14 | 0.05 | ARM926EJ-S | 0.5

Check Point UTM-1 / Power-1 Appliance series

Model | SPU | FW (Gbps) | VPN (Gbps) | IPS (Gbps) | CPU | RAM (GB)
11065 | up to 1222 | 15 | 3.7 | 10 | 2x Intel Xeon E5530 2.40GHz (QuadCore) | 6
9075 | 1006 | 9 | 2.4 | 7.5 | 2x Intel Xeon E5410 2.33GHz (QuadCore) | 4
5075 | 596 | 9 | 2.4 | 7.5 | Intel Xeon E5410 2.33GHz (QuadCore) | 2
3070 | 298 | 4.5 | 1.1 | 4 | Intel Core2 Duo E6400 2.13GHz | 3
2070 | 101 | 3.5 | 0.45 | 2.7 | Intel Celeron 440 2.00GHz | 2
1070 | 101 | 1.8 | 0.25 | n/a | Intel Celeron M 1.5 GHz | 1
570 | 101 | 2.5 | 0.3 | 1.7 | Intel Celeron M 1.5 GHz | 1
270 | 50 | 1.5 | 0.12 | 1 | Intel Celeron M 600 MHz | 1
130 | 50 | 1.5 | 0.12 | 1 | Intel Celeron M 600 MHz | 1

Check Point Smart-1 Appliance series

Model | CPU | RAM (GB) | HDD
Smart-1 150 | 2x Intel Xeon L5410 2.33GHz (Quad Core) | 16 | 2 TB
Smart-1 50 | Intel Xeon E5410 2.33GHz (DualCore) | 4 | 2 TB
Smart-1 25b | Intel Core2 Duo Processor E7400 2.80 GHz | 4 | 2 TB
Smart-1 5 | Intel Celeron M 1.50GHz | 2 | 500 GB

The details can be determined from the command line.

For the CPU details use cat /proc/cpuinfo, for the RAM details use cat /proc/meminfo.

If you have more details on appliances, feel free to send them to tobias@lachmann.org

All other values are taken from official Check Point materials.

If you take the appliance hardware together with the throughput stated by Check Point, it might give you an idea how your OpenServer hardware will perform in comparison.

Thanks to all the contributors for their info!

Tobias Lachmann

The guys from Check Point QA branch are doing a good job

My personal Check Point experience goes back to 2001 and I have had my hands on various versions over time.

I also tested many EA versions of Check Point products when public EA was available.

But at the end of last year I participated for the first time in a private EA program.

Private EA means that everything is done together with Check Point.

An EA engineer from the QA branch came over from Israel and did the upgrades along with me, noticing every tiny detail.

I was very impressed that he checked so much and noticed details that I would have totally overlooked.

Lots of reports were written and taken back to R&D to fix problems and make the process of installation or upgrade easier.

After the general availability (GA) release of the software there was another visit from Israel, helping to transfer the infrastructure from the EA version to the GA version.

Because this was such an enjoyable experience, I wondered why I and others complained so much about Check Point QA in blogs and forums in the past.

After some thinking I found a possible explanation.

Most engineers in the field do not deal with freshly installed infrastructure, but with systems that have been upgraded and upgraded for years.
Maybe once migrated from standalone to distributed infrastructure. Maybe with old licenses to convert, which were bought a decade ago.

This seems to be a scenario that Check Point is hardly able to cover when testing new versions in the lab. Maybe it is not that common among customers?

And even when they put in a lot of effort with private EA programs, where they test new versions on production environments, you can't cover every possible constellation.

My conclusion from this experience is that I won't complain (that easily) about Check Point QA in the future. And that I will do fresh installations from time to time to get rid of leftovers from previous upgrades.

Tobias Lachmann

Check Point Processes and Daemons

Check Point released a lovely SK article which describes all the processes and daemons that you can find on your system.

I consider this article a very valuable resource and recommend that you keep a copy nearby if you deal with Check Point products on a daily basis. And if you don't deal with them on a daily basis, keep the article even closer as a reference.

Tobias Lachmann

R77.10 released – upgrade now

Check Point released version R77.10 on January 15th.

With this release it is possible to upgrade from R75.47 installations and get the benefits of the new version.

For R77 installations the upgrade to R77.10 is highly recommended, since the many bug fixes that were integrated in R75.47 are now available in the R77 release train. Check the Release Map for details.

Also, there are new features like the Mobile Access blade on VSX installations, which works quite nicely.

I would highly recommend this upgrade if you're on R76 or R77.

Tobias Lachmann

Early availability for R77.10 is out!

EA R77.10

The early availability program for Check Point's latest version update, R77.10, is now out for public EA.

BUT: you have to fill out a questionnaire to get access, and only if your answers are good enough by Check Point's judgement. I liked it better in the old days, when you just had to click register to get the software and the documentation.

But anyway, give it a try. R77.10 is supposed to be a very interesting (bugfix) release.
Tobias Lachmann

VSX licensing – my way or the highway

Do you remember how I pointed you to a post on Valeri Loukine's blog?

He wrote about the fact that Check Point claims that every appliance from the 4800 series upwards comes with two virtual systems.

But when you really want to use them, one of these licenses is already counted for VS0. Which is actually the hypervisor, in my eyes.

Check Point argues that VS0 is potentially a full security gateway context, because you can assign interfaces to it, and for that reason they count it for licensing.

Now, if you look at vsx stat, you won't find VS0 listed as a virtual device. I think this proves that Check Point doesn't really believe its own argument and sees VS0 as the hypervisor, too.

[Expert@firewall:0]# vsx stat -v
VSX Gateway Status
==================
Name: firewall
Security Policy: firewall-firewall
Installed at: 27Nov2013 10:00:00
SIC Status: Trust


Number of Virtual Systems allowed by license: 25
Virtual Systems [active / configured]: 2 / 2
Virtual Routers and Switches [active / configured]: 0 / 0
Total connections [current / limit]: 180 / 79700


Virtual Devices Status
======================


ID | Type & Name | Security Policy | Installed at | SIC Stat
-----+-------------------------+-------------------+-----------------+---------
1 | S firewall1 | firewall-firewa...| 27Nov2013 09:31 | Trust
2 | S firewall2 | firewall-firewa...| 27Nov2013 09:33 | Trust


Type: S - Virtual System, B - Virtual System in Bridge mode,
R - Virtual Router, W - Virtual Switch.


What do you think about this?

Tobias Lachmann

Appliance hardware – Updated 11th November 2013

Here is a short list of the hardware used in Check Point appliances. The numbers show SPU and the maximum throughput for firewall, VPN and IPS traffic in Gbps according to Check Point; RAM is given in GB.

Check Point 2012 Appliance series

Model | SPU | FW (Gbps) | VPN (Gbps) | IPS (Gbps) | CPU | RAM (GB)
21600 | 2788 | 75 | 8.5 | 21 | 2x Intel Xeon E5-2658 2.10GHz (Eight-Core) | 16
21400 | 2003 | 50 | 7 | 21 | 2x Intel Xeon E5645 2.40GHz (Six-Core) | 6
13500 | 3200 | 77 | 17 | 23 | 2x Intel Xeon E5-2670 2.60GHz (Eight-Core) | 16
12600 | 1861 | 30 | 7 | 17 | 2x Intel Xeon E5645 2.40GHz (Six-Core) | 6
12400 | 1046 | 25 | 3.5 | 12 | Intel Xeon E5645 2.40GHz (Six-Core) | 4
12200 | 738 | 15 | 2.5 | 8 | Intel Core i5 750 2.67GHz (QuadCore) | 4
4800 | 623 | 11 | 2 | 6 | Intel Core2 Quad CPU Q9400 2.66GHz | 4
4600 | 374 | 9 | 1.5 | 4 | Pentium Dual-Core E6500 2.93GHz | 4
4400 | 223 | 5 | 1.2 | 3.5 | Intel Celeron Dual-Core E3400 2.6 GHz | 4
4200 | 114 | 3 | 0.4 | 2 | Intel Atom D525 1.80GHz Dual-Core | 4
2200 | 114 | 3 | 0.4 | 2 | Intel Atom D525 1.80GHz Dual-Core | 2
1100 | 28 | 0.75 | 0.14 | 0.05 | ARM926EJ-S | 0.5

Check Point UTM-1 / Power-1 Appliance series

Model | SPU | FW (Gbps) | VPN (Gbps) | IPS (Gbps) | CPU | RAM (GB)
9075 | 1006 | 9 | 2.4 | 7.5 | 2x Intel Xeon E5410 2.33GHz (QuadCore) | 4
5075 | 596 | 9 | 2.4 | 7.5 | Intel Xeon E5410 2.33GHz (QuadCore) | 2
3070 | 298 | 4.5 | 1.1 | 4 | Intel Core2 Duo E6400 2.13GHz | 3
2070 | 101 | 3.5 | 0.45 | 2.7 | Intel Celeron 440 2.00GHz | 2
1070 | 101 | 1.8 | 0.25 | n/a | Intel Celeron M 1.5 GHz | 1
570 | 101 | 2.5 | 0.3 | 1.7 | Intel Celeron M 1.5 GHz | 1
270 | 50 | 1.5 | 0.12 | 1 | Intel Celeron M 600 MHz | 1
130 | 50 | 1.5 | 0.12 | 1 | Intel Celeron M 600 MHz | 1

Check Point Smart-1 Appliance series

Model | CPU | RAM (GB) | HDD
Smart-1 150 | 2x Intel Xeon L5410 2.33GHz (Quad Core) | 16 | 2 TB
Smart-1 50 | Intel Xeon E5410 2.33GHz (DualCore) | 4 | 2 TB
Smart-1 25b | Intel Core2 Duo Processor E7400 2.80 GHz | 4 | 2 TB
Smart-1 5 | Intel Celeron M 1.50GHz | 2 | 500 GB

The details can be determined from the command line.

For the CPU details use cat /proc/cpuinfo, for the RAM details use cat /proc/meminfo.

If you have more details on appliances, feel free to send them to tobias@lachmann.org

All other values are taken from official Check Point materials.

If you take the appliance hardware together with the throughput stated by Check Point, it might give you an idea how your OpenServer hardware will perform in comparison.

Thanks to all the contributors for their info!

Tobias Lachmann

Limitation of CLISH when copying backup with SCP

When you define a scheduled backup in the Gaia WebUI and choose SCP transfer, you are able to provide a directory on the target system to which the backup package will be transferred.

In certain situations you cannot use the WebUI, for instance when using the gateway with VSX, where the WebUI is disabled and you have to deal with CLISH only.

CLISH has a nasty limitation when configuring these backups with SCP transfer: you cannot provide the target directory. Instead the backup file ends up in /var/CPbackup/backups.

This is not very clever, as this directory is located on the root partition, which is always quite short of disk space. A full root partition affects the gateway itself, not just the backup job.

Check Point acknowledged this problem and R&D stated that there is “currently no time frame for this issue to be resolved”.

What a pity!

So the poor administrator is left with the only option: creating a symbolic link for the directory and pointing it somewhere else (presumably a directory on the /var partition with enough free space). Keep in mind that such a link is not part of the Gaia configuration, so it has to be re-created after a fresh install.

Not quite nice, but at least a workaround.
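The symlink workaround as an added example (not from the original post, and not a Check Point tool): a POSIX shell function that moves /var/CPbackup/backups to another directory, leaves a symbolic link behind and refuses to run twice. The destination /var/log/CPbackup/backups is an assumption; choose a directory on whichever partition has the space on your gateway. The demo at the end runs the same function against a constructed directory tree under mktemp, so it can be tried without touching the real path.

```shell
#!/bin/sh
# Added example, not from the original post: the symlink workaround as a
# re-runnable script. It moves the fixed CLISH backup directory off the root
# partition and leaves a symbolic link in its place, keeps any backup files
# that are already there, and refuses to run a second time. The destination
# /var/log/CPbackup/backups is an assumption: pick any directory on the
# partition that actually has space on your gateway (check with df -h).

# Free space in kB on the filesystem holding $1 (POSIX df -P output).
free_kb() {
    df -Pk "$1" | awk 'NR == 2 { print $4 }'
}

# relocate_backup_dir [SRC] [DST]
relocate_backup_dir() {
    src="${1:-/var/CPbackup/backups}"
    dst="${2:-/var/log/CPbackup/backups}"

    if [ -L "$src" ]; then
        echo "$src is already a symlink -> $(readlink "$src"), nothing to do" >&2
        return 1
    fi
    mkdir -p "$dst" || return 1

    if [ -d "$src" ]; then
        # Warn (do not abort) when the new place is not actually bigger.
        a=$(free_kb "$dst"); b=$(free_kb "$src")
        if [ -n "$a" ] && [ -n "$b" ] && [ "$a" -le "$b" ]; then
            echo "warning: $dst has no more free space than $src" >&2
        fi
        # Move existing backups, dotfiles included; rmdir fails if anything
        # was left behind, so nothing is ever silently lost.
        find "$src" -mindepth 1 -maxdepth 1 -exec mv {} "$dst"/ \;
        rmdir "$src" || return 1
    else
        mkdir -p "$(dirname "$src")" || return 1
    fi
    ln -s "$dst" "$src"
}

# Constructed dry run in a temporary directory, so this can be tried without
# touching the real /var/CPbackup. Prints the link target on success.
relocate_demo() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/root/CPbackup/backups"
    : > "$t/root/CPbackup/backups/backup_fw1_2013.tgz"
    relocate_backup_dir "$t/root/CPbackup/backups" "$t/var/log/CPbackup/backups" || return 1
    # The old path still works and the file survived the move.
    [ -f "$t/root/CPbackup/backups/backup_fw1_2013.tgz" ] || return 1
    readlink "$t/root/CPbackup/backups"
    rm -rf "$t"
}

relocate_demo
```

On the gateway, call relocate_backup_dir without arguments (or with your own destination) once from Expert mode, then verify with ls -l /var/CPbackup that the link is in place before the next scheduled backup runs.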

Tobias Lachmann

URL Categorization – new way or no way?

In one of my last posts I wrote about the process of submitting URLs to Check Point for re-categorization.

Someone commented on that and wrote about his bad experience, where Check Point did not change a submitted URL.

While my experiences at that time were different, I wrote about how good this worked for me.

But now I’m stuck, too.

I submitted the URL www.modelle-hamburg.de – which is a directory for prostitutes in the Hamburg area. Clearly a site belonging in the category “Sex”.

modelle-hamburg.de

Here is the summary of my request:

Request Details
--------------------
ID: 61cfb44e-cda9-4c12-ad29-b15636ec7ed3
URL: http://www.modelle-hamburg.de
Suggested categories: Sex,Nudity
Comment:modelle-hamburg.de is a web based directory for hookers and brothels in the Hamburg (Germany) area. Hookers have lots of nude / pornographic pictures online.

As you can see from the above screenshot, the categories “Sex” and “Nudity” are correct for this website.

However, Check Point reported back that they won’t change a thing:

Dear Customer,
Your request to change a URL category was analyzed, but the decision was made to keep the current category.
Current categories:Inactive Sites


So I'm left with a clearly wrong category for this website.

Now I have to escalate this issue and open a Service Request, which is quite some effort.

This experience makes me wonder how well this process works if someone “analyzed” my submission and declined an obvious category. One look in a web browser would have been sufficient.... So the question remains whether someone really analyzed this request or whether it was just checked against a database before being declined.

Tobias Lachmann

Update 11/10/2013:

I opened a ticket for escalation, which took three days to get to the right person who fixed the category. So the issue is solved, but the process still doesn’t make me happy. Category change should never have been declined in the first place.

Appliance hardware – Updated 6th November 2013

Here is a short list of the hardware used in Check Point appliances. The numbers show SPU and the maximum throughput for firewall, VPN and IPS traffic in Gbps according to Check Point; RAM is given in GB.

Check Point 2012 Appliance series

Model | SPU | FW (Gbps) | VPN (Gbps) | IPS (Gbps) | CPU | RAM (GB)
21400 | 2003 | 50 | 7 | 21 | 2x Intel Xeon E5645 2.40GHz (Six-Core) | 6
13500 | 3200 | 77 | 17 | 23 | 2x Intel Xeon E5-2670 2.60GHz (Eight-Core) | 16
12600 | 1861 | 30 | 7 | 17 | 2x Intel Xeon E5645 2.40GHz (Six-Core) | 6
12400 | 1046 | 25 | 3.5 | 12 | Intel Xeon E5645 2.40GHz (Six-Core) | 4
12200 | 738 | 15 | 2.5 | 8 | Intel Core i5 750 2.67GHz (QuadCore) | 4
4800 | 623 | 11 | 2 | 6 | Intel Core2 Quad CPU Q9400 2.66GHz | 4
4600 | 374 | 9 | 1.5 | 4 | Pentium Dual-Core E6500 2.93GHz | 4
4400 | 223 | 5 | 1.2 | 3.5 | Intel Celeron Dual-Core E3400 2.6 GHz | 4
4200 | 114 | 3 | 0.4 | 2 | Intel Atom D525 1.80GHz Dual-Core | 4
2200 | 114 | 3 | 0.4 | 2 | Intel Atom D525 1.80GHz Dual-Core | 2
1100 | 28 | 0.75 | 0.14 | 0.05 | ARM926EJ-S | 0.5

Check Point UTM-1 / Power-1 Appliance series

Model | SPU | FW (Gbps) | VPN (Gbps) | IPS (Gbps) | CPU | RAM (GB)
9075 | 1006 | 9 | 2.4 | 7.5 | 2x Intel Xeon E5410 2.33GHz (QuadCore) | 4
5075 | 596 | 9 | 2.4 | 7.5 | Intel Xeon E5410 2.33GHz (QuadCore) | 2
3070 | 298 | 4.5 | 1.1 | 4 | Intel Core2 Duo E6400 2.13GHz | 3
2070 | 101 | 3.5 | 0.45 | 2.7 | Intel Celeron 440 2.00GHz | 2
1070 | 101 | 1.8 | 0.25 | n/a | Intel Celeron M 1.5 GHz | 1
570 | 101 | 2.5 | 0.3 | 1.7 | Intel Celeron M 1.5 GHz | 1
270 | 50 | 1.5 | 0.12 | 1 | Intel Celeron M 600 MHz | 1
130 | 50 | 1.5 | 0.12 | 1 | Intel Celeron M 600 MHz | 1

Check Point Smart-1 Appliance series

Model | CPU | RAM (GB) | HDD
Smart-1 150 | 2x Intel Xeon L5410 2.33GHz (Quad Core) | 16 | 2 TB
Smart-1 50 | Intel Xeon E5410 2.33GHz (DualCore) | 4 | 2 TB
Smart-1 25b | Intel Core2 Duo Processor E7400 2.80 GHz | 4 | 2 TB
Smart-1 5 | Intel Celeron M 1.50GHz | 2 | 500 GB

The details can be determined from the command line.

For the CPU details use cat /proc/cpuinfo, for the RAM details use cat /proc/meminfo.

If you have more details on appliances, feel free to send them to tobias@lachmann.org

All other values are taken from official Check Point materials.

If you take the appliance hardware together with the throughput stated by Check Point, it might give you an idea how your OpenServer hardware will perform in comparison.

Thanks to all the contributors for their info!

Tobias Lachmann

Dynamic IP address (DAIP) Security Gateways – Problem getting Default route from DHCP

I spent an awful amount of time solving this problem, with lots of TAC resources involved.

The scenario:

A 4400 appliance was supposed to be deployed on an Internet access delivered through a cable modem.

This cable modem only assigns IP addresses via DHCP.

So the Security Gateway has to receive the IP address for its external interface together with the default route from DHCP.

With a freshly installed R77 on the appliance I was not able to get this setup running.

The IP address was assigned to the interface every time, but the routing table did not change. And therefore no default route and no Internet connection.

The reason for that behaviour, as it turns out, is a mechanism that keeps routes added from the “kernel side” out of the routing table: on Gaia the routing daemon owns the routing table, and all routing configuration is supposed to be done from the WebUI or CLISH instead of at kernel level (for example with the route command in Expert mode).

dhclient runs at operating system level. Since dhclient is the program responsible for assigning the IP address to the interface and setting the default route, it is affected by this as well: the route it installs is not accepted by the routing daemon.

The solution is easy. Just enable Kernel Routes in the WebUI, or on CLISH type set kernel-routes on.

Enable Kernel Route Options

You can find this option in the Gaia WebUI in Advanced Mode under Routing Options.

After enabling this option and restarting the routing daemon, you will get an IP address from DHCP and the default route will be set.

Tobias Lachmann

Appliance hardware – Updated 6th October 2013

Here is a short list of the hardware used in Check Point appliances. The numbers show SPU and the maximum throughput for firewall, VPN and IPS traffic in Gbps according to Check Point; RAM is given in GB.

Check Point 2012 Appliance series

Model | SPU | FW (Gbps) | VPN (Gbps) | IPS (Gbps) | CPU | RAM (GB)
21400 | 2003 | 50 | 7 | 21 | 2x Intel Xeon E5645 2.40GHz (Six-Core) | 6
12600 | 1861 | 30 | 7 | 17 | 2x Intel Xeon E5645 2.40GHz (Six-Core) | 6
12400 | 1046 | 25 | 3.5 | 12 | Intel Xeon E5645 2.40GHz (Six-Core) | 4
12200 | 738 | 15 | 2.5 | 8 | Intel Core i5 750 2.67GHz (QuadCore) | 4
4800 | 623 | 11 | 2 | 6 | Intel Core2 Quad CPU Q9400 2.66GHz | 4
4600 | 374 | 9 | 1.5 | 4 | Pentium Dual-Core E6500 2.93GHz | 4
4400 | 223 | 5 | 1.2 | 3.5 | Intel Celeron Dual-Core E3400 2.6 GHz | 4
4200 | 114 | 3 | 0.4 | 2 | Intel Atom D525 1.80GHz Dual-Core | 4
2200 | 114 | 3 | 0.4 | 2 | Intel Atom D525 1.80GHz Dual-Core | 2
1100 | 28 | 0.75 | 0.14 | 0.05 | ARM926EJ-S | 0.5

Check Point UTM-1 / Power-1 Appliance series

Model | SPU | FW (Gbps) | VPN (Gbps) | IPS (Gbps) | CPU | RAM (GB)
9075 | 1006 | 9 | 2.4 | 7.5 | 2x Intel Xeon E5410 2.33GHz (QuadCore) | 4
5075 | 596 | 9 | 2.4 | 7.5 | Intel Xeon E5410 2.33GHz (QuadCore) | 2
3070 | 298 | 4.5 | 1.1 | 4 | Intel Core2 Duo E6400 2.13GHz | 3
2070 | 101 | 3.5 | 0.45 | 2.7 | Intel Celeron 440 2.00GHz | 2
1070 | 101 | 1.8 | 0.25 | n/a | Intel Celeron M 1.5 GHz | 1
570 | 101 | 2.5 | 0.3 | 1.7 | Intel Celeron M 1.5 GHz | 1
270 | 50 | 1.5 | 0.12 | 1 | Intel Celeron M 600 MHz | 1
130 | 50 | 1.5 | 0.12 | 1 | Intel Celeron M 600 MHz | 1

Check Point Smart-1 Appliance series

Model | CPU | RAM (GB) | HDD
Smart-1 150 | 2x Intel Xeon L5410 2.33GHz (Quad Core) | 16 | 2 TB
Smart-1 50 | Intel Xeon E5410 2.33GHz (DualCore) | 4 | 2 TB
Smart-1 25b | Intel Core2 Duo Processor E7400 2.80 GHz | 4 | 2 TB
Smart-1 5 | Intel Celeron M 1.50GHz | 2 | 500 GB

The details can be determined from the command line.

For the CPU details use cat /proc/cpuinfo, for the RAM details use cat /proc/meminfo.

If you have more details on appliances, feel free to send them to tobias@lachmann.org

All other values are taken from official Check Point materials.

If you take the appliance hardware together with the throughput stated by Check Point, it might give you an idea how your OpenServer hardware will perform in comparison.

Thanks to all the contributors for their info!

Tobias Lachmann

Upgrading Endpoint E80.30 to E80.40 – Error occured during old plug_in removal

When I tried to upgrade my Windows Server 2008 R2 based installation of Endpoint Security Management E80.30, it failed time after time.

Before the actual upgrade an error window showed with the message “Error occured during old plug_in removal”.

Error occured during old plug_in removal

The solution to this problem came from Jim, who works with Check Point TAC:

Just stop SNMP and SNMPTrap services before upgrading the server.

I followed this and was able to do the upgrade without any problem.

Tobias Lachmann

R77, R76, R75.47 – which one to choose?

We've seen a lot of comments on my post “R77 coming soon“.

There were rumours that R77 could actually be a “R76.10” release, but I think this will not be the case.

Why? Well, first we will see a new blade coming with R77, the Compliance blade. It is already on the website that it is supported with R77. And it is about time for the Compliance blade to be integrated.

When you think of CPX 2013, you might remember that another big topic was Threat Emulation. The website still shows that it will be available in Q2/2013.

Check Point has already missed that date, which makes me think they will finally release it with R77.

So we have two new “big blades” integrated. That doesn't seem like a bugfix or maintenance release to me, so in my eyes R77 is a real major version and not a minor version update disguised with a wrong numbering.

Which leads us to the question which version to use in our production environments.

I will proceed with installing R75.47 in IPv4 environments that need only the basic blades and do not require any feature from R76.

With IPv6 I will use R77 from the moment it is available for new installations. The same applies for any other feature needed from R76: I will install R77.

We will see an R77.10 before we see an R76.10, I believe.

It would be really great to have an insight into Check Point's strategy for new releases in the upcoming months. But as always, information on that is more than rare.

So we have to wait until CPX2014 when Dorit will deliver her presentation....

Tobias Lachmann

Identity Awareness without the need of domain administrator credentials

Check Point released sk93938, which shows in detail which privileges the domain user needs in order to be used as the account for Identity Awareness.

Until now you had to grant domain administrator rights to the IA user, which caused several issues with company security policies: a permanently stored, highly privileged credential on the gateway is exactly what those policies try to avoid.

With the new SK article you can create the user with custom rights, so that it is only able to read the Active Directory events from the domain controllers that Identity Awareness needs, and nothing more.

Tobias Lachmann

Release of “bug fix version” R75.47

Check Point released the R75.47 version yesterday.

sk93448 has all the information and downloads in it.

When you look at the release notes and the resolved issues, it is mainly a maintenance or bug fix version.

There are countless fixed bugs, and I have seen quite a lot of them in production environments.

So my suggestion would be to install this version first in your test environment, test it and get it into production as soon as possible.

At CPX2013 I heard that this version would be released in June. The release came only one month later, so a very good estimation of the time frame.

Tobias Lachmann

Improved URL Categorization

A few weeks ago I posted about a Check Point website where you can submit URLs for re-categorization.

I just got word from product management that the website has been improved.

For tracking purposes you now get a reference ID. Everybody with a UserCenter account will be able to see the status of the request. Also, an email will be sent to let you know what has been done (changed or not, new category for the URL, old category).

Request for URL Categorization

Very useful and another step in the right direction, improving the process and the visibility.

Tobias Lachmann

Appliance hardware – Updated 31st July 2013

Here is a short list of the hardware used in Check Point appliances. The numbers show SPU and the maximum throughput for firewall, VPN and IPS traffic in Gbps according to Check Point; RAM is given in GB.

Check Point 2012 Appliance series

Model | SPU | FW (Gbps) | VPN (Gbps) | IPS (Gbps) | CPU | RAM (GB)
21400 | 2003 | 50 | 7 | 21 | 2x Intel Xeon E5645 2.40GHz (Six-Core) | 6
12600 | 1861 | 30 | 7 | 17 | 2x Intel Xeon E5645 2.40GHz (Six-Core) | 6
12400 | 1046 | 25 | 3.5 | 12 | Intel Xeon E5645 2.40GHz (Six-Core) | 4
12200 | 738 | 15 | 2.5 | 8 | Intel Core i5 750 2.67GHz (QuadCore) | 4
4800 | 623 | 11 | 2 | 6 | Intel Core2 Quad CPU Q9400 2.66GHz | 4
4600 | 374 | 9 | 1.5 | 4 | Pentium Dual-Core E6500 2.93GHz | 4
4400 | 223 | 5 | 1.2 | 3.5 | Intel Celeron Dual-Core E3400 2.6 GHz | 4
4200 | 114 | 3 | 0.4 | 2 | Intel Atom D525 1.80GHz Dual-Core | 4
2200 | 114 | 3 | 0.4 | 2 | Intel Atom D525 1.80GHz Dual-Core | 2
1100 | 28 | 0.75 | 0.14 | 0.05 | ARM926EJ-S | 0.5

Check Point UTM-1 / Power-1 Appliance series

Model | SPU | FW (Gbps) | VPN (Gbps) | IPS (Gbps) | CPU | RAM (GB)
9075 | 1006 | 9 | 2.4 | 7.5 | 2x Intel Xeon E5410 2.33GHz (QuadCore) | 4
5075 | 596 | 9 | 2.4 | 7.5 | Intel Xeon E5410 2.33GHz (QuadCore) | 2
3070 | 298 | 4.5 | 1.1 | 4 | Intel Core2 Duo E6400 2.13GHz | 3
2070 | 101 | 3.5 | 0.45 | 2.7 | Intel Celeron 440 2.00GHz | 2
1070 | 101 | 1.8 | 0.25 | n/a | Intel Celeron M 1.5 GHz | 1
570 | 101 | 2.5 | 0.3 | 1.7 | Intel Celeron M 1.5 GHz | 1
270 | 50 | 1.5 | 0.12 | 1 | Intel Celeron M 600 MHz | 1
130 | 50 | 1.5 | 0.12 | 1 | Intel Celeron M 600 MHz | 1

Check Point Smart-1 Appliance series

Model | CPU | RAM (GB) | HDD
Smart-1 5 | Intel Celeron M 1.50GHz | 2 | 500 GB
Smart-1 25b | Intel Core2 Duo Processor E7400 2.80 GHz | 4 | 2 TB
Smart-1 50 | Intel Xeon E5410 2.33GHz (DualCore) | 4 | 2 TB

The CPU and RAM details can be determined from the command line: for the CPU details use cat /proc/cpuinfo, for the RAM details use cat /proc/meminfo.

If you have more details on appliances, feel free to send them to tobias@lachmann.org

All other values are taken from official Check Point materials.

If you take the appliance hardware together with the throughput stated by Check Point, it might give you an idea how your OpenServer hardware will perform in comparison.

Thanks to all the contributors for their info!

Tobias Lachmann

Hardware and performance

Check Point is not exactly happy with the appliance hardware list published on this blog.

The reason is that they would rather talk about SPU and throughput than about CPU models, gigahertz and the amount of RAM.

Are they trying to keep important information away from us? No, I don't think that is the case.

But they fear that looking only at partial hardware data can lead to false conclusions when it comes to sizing decisions.

A very good example is in the recent comments on the appliance hardware list: the 21400 and 12600 appliances have the same CPU and RAM but differ in performance. The reason is that the rest of the appliance is different, and this leads to different benchmark values.

Please always keep that in mind when you make sizing decisions based on my appliance hardware list!

There’s much more to a good security gateway hardware than CPU and RAM. Good HDD I/O, the right network interfaces and so many more components make the package complete.

Tobias Lachmann

Appliance hardware – Updated 13th June 2013

Here is a short list of the hardware used in Check Point appliances. The numbers show SPU and the maximum throughput in Gbps for firewall, VPN and IPS traffic according to Check Point; RAM is given in GB.

Check Point 2012 Appliance series

Model   SPU    FW (Gbps)  VPN (Gbps)  IPS (Gbps)  CPU                                       RAM (GB)
21400   2003   50         7           21          2x Intel Xeon E5645 2.40GHz (Six-Core)    6
12600   1861   30         7           17          2x Intel Xeon E5645 2.40GHz (Six-Core)    6
12400   1046   25         3.5         12          Intel Xeon E5645 2.40GHz (Six-Core)       4
12200   738    15         2.5         8           Intel Core i5 750 2.67GHz (Quad-Core)     4
4800    623    11         2           6           Intel Core2 Quad Q9400 2.66GHz            4
4600    374    9          1.5         4           Pentium Dual-Core E6500 2.93GHz           4
4400    223    5          1.2         3.5         Intel Celeron Dual-Core E3400 2.6GHz      4
4200    114    3          0.4         2           Intel Atom D525 1.80GHz (Dual-Core)       4
2200    114    3          0.4         2           Intel Atom D525 1.80GHz (Dual-Core)       2

Check Point UTM-1 / Power-1 Appliance series

Model   SPU    FW (Gbps)  VPN (Gbps)  IPS (Gbps)  CPU                                       RAM (GB)
9075    1006   9          2.4         7.5         2x Intel Xeon E5410 2.33GHz (Quad-Core)   4
5075    596    9          2.4         7.5         Intel Xeon E5410 2.33GHz (Quad-Core)      2
3070    298    4.5        1.1         4           Intel Core2 Duo E6400 2.13GHz             3
2070    101    3.5        0.45        2.7         Intel Celeron 440 2.00GHz                 2
570     101    2.5        0.3         1.7         Intel Celeron M 1.5GHz                    1
270     50     1.5        0.12        1           Intel Celeron M 600MHz                    1
130     50     1.5        0.12        1           Intel Celeron M 600MHz                    1

Check Point Smart-1 Appliance series

Model        CPU                                   RAM (GB)  HDD
Smart-1 5    Intel Celeron M 1.50GHz               2         500 GB
Smart-1 25b  Intel Core2 Duo E7400 2.80GHz         4         2 TB
Smart-1 50   Intel Xeon E5410 2.33GHz (Dual-Core)  4         2 TB

The CPU and RAM details can be determined from the command line: for the CPU details use cat /proc/cpuinfo, for the RAM details use cat /proc/meminfo.

If you have more details on appliances, feel free to send them to tobias@lachmann.org

All other values are taken from official Check Point materials.

If you take the appliance hardware together with the throughput stated by Check Point, it might give you an idea how your OpenServer hardware will perform in comparison.

Thanks to all the contributors for their info!

Tobias Lachmann

Advertisements in SmartDashboard

When I logged into an R75.46 Security Management recently, I was presented with an advertisement by Check Point for the new 1100 appliance series.

Check Point SmartDashboard Advertisement

I don't care if some freeware installed on my personal computer presents me with nag screens or adverts.

But when you use applications within a professional environment, this seems inappropriate.

What do you think?

Tobias Lachmann

Please help improving URL Filtering through correcting URL categories

I recently stumbled across the issue that lots of local German web pages are categorized as potentially harmful by URL Filtering.

One way to deal with this is to manually override the category within the Security Management.

This helps immediately for this installation, but the problem of a URL in the wrong category still exists for all other installations worldwide.

So I'm asking all of you to improve URL Filtering by submitting URLs in a wrong category to Check Point for review.

On the URL Categorization web page you can check which category your URL belongs to, and you can also suggest a new category along with a comment.

Please make massive use of this service to improve URL Filtering in the long term.

Thank you very much!

Tobias Lachmann

Determine appliance hardware from command line

You can determine which appliance you’re connected to with a simple command:

[Expert@fw1]# dmidecode | grep "Product Name"
Product Name: T-140-00
Product Name:


Refer to this list of product names (DMI product name, then the appliance model(s) it stands for):

G-50      Check Point 21400
P-230     Check Point 12600
P-220     Check Point 12400
P-210     Check Point 12200
T-180     Check Point 4800
T-160     Check Point 4600
T-140     Check Point 4400
T-120     Check Point 4200
T-110     Check Point 2200
L-50      Security Gateway 80

P-30      Power-1 11000 Series / VSX-1 11000 Series
P-20      Power-1 9070 / Connectra 9072 / VSX-1 9070
P-10      Power-1 5070

U-40      UTM-1 3070 / Connectra 3070 / Smart-1 3074 / VSX-1 3070
U-30      UTM-1 2070
U-20      UTM-1 1070
U-15      UTM-1 570
U-10      UTM-1 270 / Connectra 270
U-5       UTM-1 130
C6P_UTM   UTM-1 2050
C6_UTM    UTM-1 1050
C2_UTM    UTM-1 450

IP-150    IP-150
IP-282    IP-282
IP-295    IP-295
IP-395    IP-395
IP-565    IP-565
IP-695    IP-695
IP-1285   IP-1285
IP-2455   IP-2455

U-31      IPS-1 2076
P-11      IPS-1 5076
P-21      IPS-1 9076

U-42      DLP-1 2571
P-22      DLP-1 9571

S-10      Smart-1 5
S-20      Smart-1 25
S-21      Smart-1 25
S-30      Smart-1 50
S-40      Smart-1 150

Updates to this list are welcome! Please send an email to tobias@lachmann.org
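
If you collect this from more than a handful of boxes, a small script beats reading dmidecode output by eye. The following is an added example written for this post, not a Check Point tool: it maps the DMI product name to the appliance model using the list above and summarises CPU and RAM from /proc/cpuinfo and /proc/meminfo (the source for the hardware tables in the earlier posts). Two things are assumptions: that a trailing "-NN" such as the "-00" in "T-140-00" is a hardware revision that can be stripped, and that dmidecode is run with root (expert mode) privileges.

```python
"""Identify a Check Point appliance from its DMI product name and summarise CPU/RAM.

Added example for this post, not a Check Point tool. The product-name table is the
list above; the "-NN" revision suffix handling (seen once, in "T-140-00") and running
dmidecode as root are assumptions.
"""
import re
import subprocess

# DMI "Product Name" -> appliance model, taken from the list above.
PRODUCT_NAMES = {
    "G-50": "Check Point 21400", "P-230": "Check Point 12600",
    "P-220": "Check Point 12400", "P-210": "Check Point 12200",
    "T-180": "Check Point 4800", "T-160": "Check Point 4600",
    "T-140": "Check Point 4400", "T-120": "Check Point 4200",
    "T-110": "Check Point 2200", "L-50": "Security Gateway 80",
    "P-30": "Power-1 11000 Series / VSX-1 11000 Series",
    "P-20": "Power-1 9070 / Connectra 9072 / VSX-1 9070",
    "P-10": "Power-1 5070",
    "U-40": "UTM-1 3070 / Connectra 3070 / Smart-1 3074 / VSX-1 3070",
    "U-30": "UTM-1 2070", "U-20": "UTM-1 1070", "U-15": "UTM-1 570",
    "U-10": "UTM-1 270 / Connectra 270", "U-5": "UTM-1 130",
    "C6P_UTM": "UTM-1 2050", "C6_UTM": "UTM-1 1050", "C2_UTM": "UTM-1 450",
    "U-31": "IPS-1 2076", "P-11": "IPS-1 5076", "P-21": "IPS-1 9076",
    "U-42": "DLP-1 2571", "P-22": "DLP-1 9571",
    "S-10": "Smart-1 5", "S-20": "Smart-1 25", "S-21": "Smart-1 25",
    "S-30": "Smart-1 50", "S-40": "Smart-1 150",
}
# IP Series appliances report their own model name as the product name.
PRODUCT_NAMES.update({n: n for n in ("IP-150", "IP-282", "IP-295", "IP-395",
                                      "IP-565", "IP-695", "IP-1285", "IP-2455")})


def appliance_model(product_name: str) -> str:
    """Map a DMI product name such as 'T-140-00' to the appliance model."""
    key = product_name.strip()
    if key not in PRODUCT_NAMES:
        # Assumption: a trailing "-NN" is a hardware revision, as in "T-140-00".
        key = re.sub(r"-\d\d$", "", key)
    return PRODUCT_NAMES.get(key, "unknown (%s)" % product_name)


def cpu_summary(cpuinfo: str):
    """Return (model name, logical CPU count) from /proc/cpuinfo text."""
    models = re.findall(r"^model name[ \t]*:[ \t]*(.+?)[ \t]*$", cpuinfo, re.M)
    if not models:
        raise ValueError("no 'model name' lines in cpuinfo")
    return models[0], len(models)


def ram_gb(meminfo: str) -> int:
    """Return MemTotal from /proc/meminfo text, rounded to whole GB."""
    m = re.search(r"^MemTotal:[ \t]*(\d+)[ \t]*kB", meminfo, re.M)
    if not m:
        raise ValueError("no MemTotal line in meminfo")
    return round(int(m.group(1)) / 1048576)


def dmi_product_name() -> str:
    """First non-empty 'Product Name' printed by dmidecode (needs root / expert mode)."""
    out = subprocess.run(["dmidecode"], capture_output=True, text=True, check=True).stdout
    m = re.search(r"^[ \t]*Product Name:[ \t]*(\S[^\n]*?)[ \t]*$", out, re.M)
    if not m:
        raise RuntimeError("dmidecode printed no Product Name")
    return m.group(1)


if __name__ == "__main__":
    print("Appliance:", appliance_model(dmi_product_name()))
    with open("/proc/cpuinfo") as f:
        model, count = cpu_summary(f.read())
    print("CPU:       %s x%d" % (model, count))
    with open("/proc/meminfo") as f:
        print("RAM:       %d GB" % ram_gb(f.read()))
```

The dmidecode regex deliberately skips the empty second "Product Name:" entry shown in the output above, and the RAM value is rounded because the kernel reports slightly less than the installed amount.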

Tobias Lachmann

CPX 2013 – rumours

I heard some rumours about the release dates of new Versions:

– R75.47 – end of June

– R76.10 – August / September

– R77 – end of June

While I think the dates for R75.47 and R76.10 sound adequate, the date for R77 is probably not even close. We saw R76 at the end of February. In my opinion they will not release a new major version only 7 months later.

As I said: these are just rumours. Let’s see if the dates are somewhat correct.

Tobias Lachmann

CPX 2013 in Barcelona

I arrived at Barcelona airport on Monday and the very first thing I saw was Check Point advertisements all over the place.

CPX2013 at Barcelona airport

This was a good start for the conference, even if I didn’t make it for the training tracks.

I tried to use the pre-registration before the conference – but others had this idea, too. The line was nearly 100 meters long. So I decided to show up late on Tuesday and register right before the conference, which turned out to be the right thing to do.

The presentations were not interesting, so I did not go to any of them. Instead I met some guys I have known for years like Danny, Valeri, Matthias, Ofer, Evgeny, Eyal and many others. That is the most important part of CPX (at least for me): get in contact with people and exchange facts and opinions.

I spent most of my time in the technology room this year, where Check Point presented the Compliance blade, DDoS Protector, Mobile Security, Web Security and Threat Emulation. Experienced folks presented and were able to answer most questions on the spot, regardless of the technical level of the question. And the attendees of CPX could join in the demonstration with some notebooks that had the software installed. We were able to play around, listen and ask questions. And play around some more. 🙂

Lots of things to learn here. I would recommend the technology room over the presentations again and again.

What I missed out on was the performance room – sorry, Peter! It seemed to me that I had seen all of it last year already.

The thing that impressed me the most was the new 1100 appliance series. They can be managed with Security Management, where they act like every other appliance.

And they can be used as a standalone installation. The internal management, delivered by a WebUI, is smoking hot. The features and their presentation are very good: lots of features, but still easy to manage. This will be the right appliance to use in projects where you had to use a UTM-1 Edge until now. And it will certainly attract more customers that currently use a UTM solution from another vendor (Sophos, WatchGuard etc.).

I was only able to play with this appliance for about 30 minutes and will write some more about it when I have my very own one shortly.

To sum up: CPX2013 in Barcelona was worth the trip. Make sure you attend next CPX in 2014!

Tobias Lachmann

Critical IPv6 security update

Check Point released an "IPv6 support enhancement Hotfix".

While "support enhancement" does not sound very important, the SecureKnowledge article says it contains critical bug fixes. And: the hotfix should be installed on all versions from R70 onwards where IPv6 is used.

Only the new R76 does not need to be patched; perhaps they rewrote so much code that the bug no longer exists in that version.

Please be aware that you cannot upgrade your R75.40/R75.45 installations with the currently available upgrade packages without uninstalling the fix before the upgrade and installing it again afterwards.

Maybe this is a good time to upgrade to latest R75.46 before installing the IPv6 hotfix.

Tobias Lachmann

CPX training track

Well, how nice: Check Point announced that there will be a training track the day before CPX 2013 in Barcelona.

Attending this track gives you a lot of knowledge and extends your current certification for one more year.

But there's a thing that isn't nice at all: the announcement of the training track was issued weeks AFTER the registration for CPX itself opened.

If someone registered early and booked all flights, hotel stay etc. along with the conference registration, it might not be possible to change this afterwards to match the dates of the training track.

Guess what: this is exactly what happened to me.

My flight was booked long before the training track was announced and it cannot be changed. I will miss this pre-conference event.

You guys at Check Point: Seriously! Please think about your conference BEFORE you put details on your website and open registration, so that everyone has the opportunity to participate.

Tobias Lachmann

Affordable Security Management for small environments

Lately Check Point has been discussing with partners and customers whether there is a need for a distributed deployment (Security Management on a dedicated system with dedicated Security Gateway(s)) even in small environments.

Regardless of the size of the appliances, I use a distributed deployment from the moment I have an HA environment – so I'm very happy with Check Point's latest decision.

We have now, for a limited time, the opportunity to buy a small management package license.

This is a software license which can be deployed on an open server or in a virtual machine and it manages 2 gateways only.

We have three bundles available:

  1. CPSM-P203-SOC Security Management pre-defined system
    NPM, EPM, LOGS, 100 Endpoints, 2 Gateways – $3100.00
  2. CPSM-P207-SOC Security Management pre-defined system
    NPM, EPM, LOGS, MNTR, EVIN, PRVS, UDIR, 200 Endpoints, 2 Gateways – $4100.00
  3. CPSB-EVS-C200-SOC SmartReporter and SmartEvent blades
    EVNT, RPRT, 2 Gateways – $2100.00

This is a limited time offer until end of Q3/2013 and I would encourage everyone to make use of this great deal.

This may be the last time you can get a full-blown Security Management or event reporting for your small environment. And the possibility to use this license in combination with a virtual machine enables you to get a powerful system at a very reasonable price point.

Tobias Lachmann

Don’t filter (all) ICMP – you may need it!

My co-worker Rene stated some time ago: “If someone is filtering ICMP, he does not understand the Internet.”

I have to agree with that most of the time: I don’t want my Firewalls to show up in a traceroute or reacting to echo requests, that’s why I have my stealth rule. But there are ICMP messages that should not be filtered to ensure connectivity.

The best example is ICMP type 3 code 4: "fragmentation needed and DF set" (refer to RFC 792 for details; RFC 1191 describes how hosts use this message for Path MTU Discovery).

As you know, fragmentation causes a performance impact and should be avoided.

But sometimes you need to fragment in order to get the connection up and running.

The last time I saw an error related to an MTU issue was when accessing an SSL encrypted website. The first packets were exchanged without any problems.

The problem showed when the SSL certificate was actually exchanged, which produced a bigger packet that couldn't pass a router with a smaller MTU.

Because the packet had the DF bit set, the router dropped it and sent an ICMP type 3 code 4 message back to the sender, carrying the MTU of the next hop so that the sender could retransmit with smaller segments. That message was filtered by the Firewall, so the sender never learned about the smaller MTU and the connection never completed.

After we created a new ICMP Service

ICMP type 3 code 4 service

and allowed this traffic

rule allowing ICMP

the website was accessible again.
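
To make the mechanism concrete, here is an added example (written for this post, not Check Point code) that parses an ICMP "fragmentation needed" message and shows the check a stateful firewall should apply to it: the quoted inner IP and transport header identifies the original connection, so the message can be passed only when that connection is already known, which is what lets you keep the stealth rule and still allow Path MTU Discovery. The sample flow (192.168.1.10 to 203.0.113.5:443), the next-hop MTU of 1400 and the builder functions are constructed for the demonstration.

```python
"""ICMP 'Fragmentation Needed' (Type 3, Code 4; RFC 792 / RFC 1191) parser and a
stateful accept check. Added example for this post, not Check Point code; the
sample flow, router MTU and builder helpers are constructed for the demonstration."""
import struct
from dataclasses import dataclass
from typing import Optional, Set, Tuple

ICMP_DEST_UNREACH, CODE_FRAG_NEEDED = 3, 4
PROTO_TCP, PROTO_UDP = 6, 17
Flow = Tuple[str, str, int, int, int]          # (src, dst, proto, sport, dport)
SAMPLE_FLOW: Flow = ("192.168.1.10", "203.0.113.5", PROTO_TCP, 51000, 443)  # constructed


@dataclass
class FragNeeded:
    next_hop_mtu: int   # MTU of the link that dropped the packet (0 if the router omits it)
    flow: Flow          # flow of the dropped packet, from the quoted IP/transport header
    orig_len: int       # total length of the dropped IP datagram


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's complement sum used by the ICMP checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def parse_frag_needed(icmp: bytes) -> Optional[FragNeeded]:
    """Decode a Type 3/Code 4 message; return None for any other ICMP type/code.
    Raises ValueError if the message is corrupt or truncated."""
    if len(icmp) < 8:
        return None
    itype, code, _csum, _unused, mtu = struct.unpack("!BBHHH", icmp[:8])
    if (itype, code) != (ICMP_DEST_UNREACH, CODE_FRAG_NEEDED):
        return None
    if ones_complement_sum(icmp) != 0xFFFF:       # a valid message sums to all ones
        raise ValueError("ICMP checksum mismatch")
    inner = icmp[8:]                              # quoted IP header + 8 bytes of payload
    if len(inner) < 20:
        raise ValueError("truncated inner IP header")
    ihl = (inner[0] & 0x0F) * 4
    if len(inner) < ihl + 8:
        raise ValueError("quoted packet lacks 8 bytes of transport header")
    orig_len = struct.unpack("!H", inner[2:4])[0]
    proto = inner[9]
    src = ".".join(str(b) for b in inner[12:16])
    dst = ".".join(str(b) for b in inner[16:20])
    sport, dport = 0, 0
    if proto in (PROTO_TCP, PROTO_UDP):           # ports are the first 4 quoted payload bytes
        sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])
    return FragNeeded(mtu, (src, dst, proto, sport, dport), orig_len)


def build_frag_needed(next_hop_mtu: int, quoted: bytes) -> bytes:
    """Build the message a router sends when it drops a DF packet (for tests / lab use)."""
    body = struct.pack("!BBHHH", ICMP_DEST_UNREACH, CODE_FRAG_NEEDED, 0, 0, next_hop_mtu) + quoted
    csum = (~ones_complement_sum(body)) & 0xFFFF
    return body[:2] + struct.pack("!H", csum) + body[4:]


def ipv4_header(src: str, dst: str, proto: int, total_len: int, df: bool = True) -> bytes:
    """Minimal 20-byte IPv4 header (header checksum left zero; not validated here)."""
    def pack_ip(addr: str) -> bytes:
        return bytes(int(o) for o in addr.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000 if df else 0,
                       64, proto, 0, pack_ip(src), pack_ip(dst))


def sample_frag_needed() -> bytes:
    """Constructed: a router with a 1400-byte next hop drops our 1500-byte DF segment."""
    src, dst, proto, sport, dport = SAMPLE_FLOW
    quoted = ipv4_header(src, dst, proto, 1500) + struct.pack("!HHI", sport, dport, 0x1000)
    return build_frag_needed(1400, quoted)


def accept_frag_needed(icmp: bytes, conn_table: Set[Flow]) -> bool:
    """Stateful decision: pass Type 3/Code 4 only if the quoted packet belongs to a
    connection already in the table, independent of any stealth rule for the gateway."""
    msg = parse_frag_needed(icmp)
    return msg is not None and msg.flow in conn_table


if __name__ == "__main__":
    msg = parse_frag_needed(sample_frag_needed())
    print("next-hop MTU %d for %s (dropped %d-byte datagram)"
          % (msg.next_hop_mtu, msg.flow, msg.orig_len))
```

The checksum and length checks matter: a Type 3/Code 4 message with a bogus quoted header is the classic way to push a host's path MTU down (RFC 1191 requires a minimum of 68 bytes), so only messages that match a known connection should be passed, and the next-hop MTU they carry should be treated as data from an untrusted router.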

Tobias Lachmann

New version of slide rails for appliances

Some months ago I wrote a post about the poor quality of the slide rails delivered with 4000 appliances.

I haven’t ordered any slide rails since then because I thought they were not worth the money.

But last week I installed a 4800 appliance which has the slide rails already included with no extra cost.

What can I say: I saw new slide rails in a very good quality. Pretty much the same you can expect from any well known server manufacturer like IBM, HP or Dell.

The slides could be put into the rack without any tools and were very stable.

From now on I will order slide rails again for the appliances!

Tobias Lachmann

Update to “Migrate export from a Secondary Management Server”

I found sk65360, which describes the migrate export from a secondary management server.

In contrast to my blog post it states that only the command cpprod_util FwSetPrimary 1 is necessary to enable a migrate export.

So forget about the remaining commands like cpprod_util CPPROD_SetValue SIC ICAState 4 3 1, ckp_regedit -d //SOFTWARE//CheckPoint//SIC OTP and ckp_regedit -d //SOFTWARE//CheckPoint//SIC ICAip.

However, to delete the object for the primary management from objects_5_0.C you still need to modify the attributes as described before doing the export.

Tobias Lachmann

For those with old UTM-1 appliance out there

The UTM-1 appliances had a horrible hard disk layout in the beginning – or a horrible LVM layout, to be more correct.

This has changed over the versions for the better and now it suits everyone.

But if you still have an appliance with space problems, you may consider using Check Point's latest tool.

In sk91060 they published an officially supported way to uninstall packages from old versions after an upgrade.

I have done this several times by hand myself, but with a bad feeling in my stomach, as I knew that this wasn't supported. So it's a nice move from Check Point to provide an official tool.

Still having space problems after deploying this tool? Maybe you should consider changing the partitions sizes.

Tobias Lachmann

Migrate export from a Secondary Management Server

Recently I needed to do a migrate export from a Security Management.

Normally this is a procedure without any problems and works quite well.

However – this time the only system that was left of the Security Management was the Secondary Management Server.

The first installed Security Management is always the Primary Management Server; the other Security Management is considered the Secondary Management Server.

This distinction is valid until you sync both Management Servers. After a successful sync you simply have an active and a standby Security Management. The states of these two can be changed and you can use either for management of your Security Gateways when it is in active mode.

Unfortunately the difference between Primary and Secondary Management Server hits you when you try to do an export via migrate export, since this can only be done on a Primary Management Server.

In my specific scenario the Secondary Management Server was the only Security Management system left and I had to get the export from it.

With my back to the wall I had two options:
a) call Check Point Professional Services and pay an awful lot of money to have them fix it for me
b) deep-dive into Check Point object database and registry and fix it myself

As money is always short I chose option b).

The most important thing before doing any of these operations is to make a backup of the current configuration. If you can, you should take a snapshot, too.

Then stop all Check Point services on the Security Management with cpstop. This is important so that nothing can alter any configuration file while you’re working on it.

First we need to make changes to the file $FWDIR/conf/objects_5_0.C. It is very long and hard to read, so editing it directly with vi or any other command line editor is not recommended. I copied it to my PC with SCP and used Notepad++ to do the job, which is a really powerful editor. Keep in mind that this file is your complete object database, so treat the copy on your PC as sensitive and delete it once you are done.

Now search for the object of the Primary Security Management by its name. You will most likely find many references, so make sure that you're actually editing the object definition itself. One of its attributes reads primary_management (true); change this to primary_management (false). Then remove the attribute Deleteable (false) from the Primary Security Management.

Afterwards, search for the object of the Secondary Security Management.
Configure primary_management (true) and Deleteable (false) as attributes for it.

Now copy the edited file back to its original location on the Secondary Management.

Enter the CLI and configure the Check Point product registry with these commands:

  • cpprod_util FwSetPrimary 1
  • cpprod_util CPPROD_SetValue SIC ICAState 4 3 1
  • ckp_regedit -d //SOFTWARE//CheckPoint//SIC OTP
  • ckp_regedit -d //SOFTWARE//CheckPoint//SIC ICAip


Now you should make sure that the procedure succeeded by issuing the command cpprod_util FwIsPrimary. If it returns 1 then everything is OK. If not, restore your backup and start all over again. Most likely there is a mistake in objects_5_0.C.

Now that the former Secondary Management Server is considered the Primary Management Server, we can run migrate export on this machine and get the export we wanted.

This is fairly complicated – so if you’re not absolutely sure about what you’re doing then please consider choosing option a) and contact Check Point Professional Service and let them do it for you.
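
Because the file is huge and a wrong edit costs you a restore, it helps to let a script make the two attribute changes and then verify that exactly one object is left with primary_management (true) before you copy the file back. The following is an added example written for this post, not a Check Point tool. It assumes the nested ":key (value)" syntax of objects_5_0.C, in which a named object is opened by a ": (name" line and closed by the matching parenthesis, and that attribute values do not contain unbalanced parentheses; the SAMPLE fragment is constructed and heavily shortened compared to a real file.

```python
"""Swap the primary_management / Deleteable attributes between two management objects
in an objects_5_0.C-style file and verify the result.

Added example for this post, not a Check Point tool. It assumes the file's nested
':key (value)' syntax with objects opened by ': (name' lines and values that do not
contain unbalanced parentheses; SAMPLE is a constructed, heavily shortened fragment.
"""
import re
import sys
from typing import Iterator, List, Optional, Tuple

OBJ_START = re.compile(r'^\s*: \((.+?)\s*$')            # ': (objname' opens a named object
ATTR = re.compile(r'^(\s*):(\w+) \((.*)\)\s*$')          # ':key (value)' on a single line

SAMPLE = """\
(
    :network_objects (
        : (mgmt-primary
            :AdminInfo (
                :chkpf_uid ("{00000000-0000-0000-0000-000000000001}")
                :ClassName (host_ckp)
            )
            :ipaddr (192.168.1.10)
            :primary_management (true)
            :Deleteable (false)
        )
        : (mgmt-secondary
            :AdminInfo (
                :chkpf_uid ("{00000000-0000-0000-0000-000000000002}")
                :ClassName (host_ckp)
            )
            :ipaddr (192.168.1.11)
            :primary_management (false)
        )
    )
)
"""


def _walk(text: str) -> Iterator[Tuple[Optional[str], str]]:
    """Yield (innermost named object, line) for every line, scoping objects by paren depth."""
    stack: List[Tuple[str, int]] = []
    depth = 0
    for line in text.splitlines():
        m = OBJ_START.match(line)
        if m:
            stack.append((m.group(1).strip('"'), depth))
        yield (stack[-1][0] if stack else None), line
        depth += line.count("(") - line.count(")")
        while stack and depth <= stack[-1][1]:
            stack.pop()


def primary_managements(text: str) -> List[str]:
    """Names of all objects carrying primary_management (true); there must be exactly one."""
    found = []
    for obj, line in _walk(text):
        a = ATTR.match(line)
        if a and a.group(2) == "primary_management" and a.group(3) == "true" and obj:
            found.append(obj)
    return found


def swap_primary(text: str, old_primary: str, new_primary: str) -> str:
    """Demote old_primary and promote new_primary, exactly as the manual edit above does."""
    out: List[str] = []
    done = set()
    for obj, line in _walk(text):
        a = ATTR.match(line)
        indent, key = (a.group(1), a.group(2)) if a else ("", None)
        if obj == old_primary and key == "primary_management":
            out.append(indent + ":primary_management (false)")
            done.add("old")
        elif obj == old_primary and key == "Deleteable":
            continue                                   # the old primary becomes deletable
        elif obj == new_primary and key == "primary_management":
            out.append(indent + ":primary_management (true)")
            out.append(indent + ":Deleteable (false)")
            done.add("new")
        elif obj == new_primary and key == "Deleteable":
            continue                                   # re-emitted above; avoid a duplicate
        else:
            out.append(line)
    if done != {"old", "new"}:
        raise ValueError("primary_management attribute not found on both objects")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # usage: swap_primary.py objects_5_0.C <old primary name> <new primary name>
    path, old, new = sys.argv[1:4]
    with open(path) as f:
        original = f.read()
    edited = swap_primary(original, old, new)
    assert primary_managements(edited) == [new], "exactly one primary management expected"
    with open(path + ".edited", "w") as f:
        f.write(edited)
```

The script writes to a new file rather than in place, so the original stays untouched until you have checked the result; run it only on the copy you took after cpstop, as described above.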

Tobias Lachmann

Congratulations to Royi

I just found out on LinkedIn that one of my favorite Check Point TAC engineers was promoted to team leader of the escalation support team.

We have worked on a number of cases together over the past years and I'm happy for him.

Congratulations to your new position, Royi!

Tobias Lachmann

New Early Availability Program for Check Point E80.41 VPN MAC

Check Point now has a new EA program for E80.41 VPN MAC client.

As stated by Check Point “This release aligns Endpoint Security VPN for Mac with Endpoint Security E80.41 for Mac.
You can upgrade Endpoint Security VPN to Endpoint Security, for more Endpoint Security software blades and functionality.”

You can register via your UserCenter or PartnerMap account -> My Products -> Early Availability.

Tobias Lachmann

Check Point Performance Sizing Utility

Check Point has published a tool which is called “Performance Sizing Utility” or “CPSizeMe” with sk88160.

It is the successor of the Check Point Performance Evaluation Utility from the beginning of 2012 (which was used to gather real-life data for the validation of the SPU metric).

CPSizeMe depends on the CPuploader tool, which it uses to transfer the information to Check Point.

The script gathers performance data for a given time frame, normally 24 hours.

If you supply an email address to the tool and upload the data to Check Point, you get a nice PDF report as a "thank you" for submitting real-life performance data, which helps them to make better sizing recommendations.

Tobias Lachmann

New feature in SecureKnowledge – Suggested Solutions

Check Point SecureKnowledge has a nice new feature which is worth noticing.

When you view a SecureKnowledge article, it shows related articles that have been read by users who also viewed the currently displayed one.

Check Point SecureKnowledge – Suggested Solutions Feature

A useful feature that will help you find other articles you might have missed but that are related to the topic you are searching for.

Tobias Lachmann

New Error in GAIA Backup

While working with R75.40 you may have stumbled across sk79020.

The SecureKnowledge article describes how SCP transfers of backup files are failing because the installed openssh package does not support the needed command line switch "-u".

There is a fix available for the error described in sk79020 that consists of new openssh packages for GAIA. These packages are already integrated in R75.45.

But recently I found a new error in R75.45 backup when configured with SCP transfer.

Although no limitation is described in any article and the WebUI lets you configure it, usernames with a hyphen "-" in them are not supported when it comes to copying the backup package with SCP.

This leads to an error where the backup package is created but not transferred, without any further error message.

So make sure your usernames are hyphen-free and enjoy the new GAIA backup feature.

Tobias Lachmann

Check Point Experience CPX 2013 in Barcelona

What has been a rumor is now confirmed: CPX 2013 will again be in Barcelona.

Personally I have no idea why Barcelona again… nice weather last time, but apart from that the location wasn't THAT great.

Anyway, the European CPX will be at the beginning of April 2013, make sure to register soon.

And for all the Check Point partners out there: make sure to use COOP money for event sponsoring. Ask your distributor about it if you're a Silver or Bronze partner.

By now I'm undecided whether I should attend.

It's always great to see some of the folks who have been around for some time again. But there is nothing really new in the presentations, actually.

Maybe they will extend the Tech Rooms a bit next year; it was very interesting to play around with new technology and learn from the experts.

Tobias Lachmann

New version of Hardware Compatibility List (HCL) available

There is a new version of the Check Point Hardware Compatibility List (HCL) available.

Usability is better, as you can filter the list with various options, like vendor or date of certification.

The list of systems certified in the last year is rather short but has the most important vendors listed.

Current Check Point Hardware Compatibility List for systems certified in the last year

When it comes to choosing a system I would go for Dell or HP. Maybe some day I will post about my favorite hardware configuration.

Please don't just look at the list itself but follow the link to the specific system as well. There you will find more information about the hardware configuration and sometimes also limitations or recommendations specific to this hardware. This is important for getting the hard drive controller operating or for getting network interface cards to work.

Tobias Lachmann

No support for appliance accessories

In my last post I wrote about support costs for a 2200 appliance rack mount kit that showed in a quote.

After getting back to Check Point they quickly confirmed that this was an error, as with the slide rail kit.

No support costs will be charged for appliance accessories. If you already have a quote with that error, consult your Check Point partner and get it fixed by Check Point.

Tobias Lachmann

Support cost for Rack Mount Kit

It is a year ago that I wrote a post about Check Point charging support costs for slide rail kits on appliances.

Today I discovered that the Rack Mount Kit for 2200 appliances also has support costs when you use the quoting tool.

I can only hope that this one slipped through the QA of Check Point and they’re not really going to charge support costs for a piece of metal?

Tobias Lachmann

Installation failed; reason – load on module failed, failed to load security policy

Recently I tried a policy installation on a Security Gateway appliance which failed with the message: Installation failed; reason - load on module failed, failed to load security policy

From my experience I know that a cpstop ; cpstart normally solves this problem.

But since I was dealing with a remote site gateway which was also a stand-alone installation, issuing cpstop was no option since it would interrupt the service.

So I utilized the cpwd_admin command for stopping and restarting FWM and CPD.

cpwd_admin stop -name FWM -path "$FWDIR/bin/fw" -command "fw kill fwm"
cpwd_admin start -name FWM -path "$FWDIR/bin/fwm" -command "fwm"


cpwd_admin stop -name CPD -path "$CPDIR/bin/cpd_admin" -command "cpd_admin stop"
cpwd_admin start -name CPD -path "$CPDIR/bin/cpd" -command "cpd"


Then I checked the status of all my services with cpwd_admin list.

All services were up and I tried policy installation again, which worked as expected.

So the problem was solved without service interruption.

Tobias Lachmann

Configuring SNMP on GAIA

My post from October 2011 about configuring SNMP settings on Secure Platform (SPLAT) is one of the most read in this blog.

Now I want to add a new How-To for configuring SNMP on Check Point GAIA – which is quite simple.

System Management – SNMP on Check Point GAIA WebUI

Just select the SNMP menu item from the System Management menu.

SNMP settings on Check Point GAIA WebUI

Then check the box for enabling the SNMP Agent, check the box for all the interfaces where you want the SNMP Agent to listen and press Apply.

Then configure your SNMP community as needed and press Apply under this section again.

Don't forget to create a rule in your security policy that allows SNMP access to your Security Gateway, and install it, to get SNMP data.

If you don't like the WebUI you can also configure the SNMP settings from the CLISH command line. Note that agent-version any also answers SNMPv1 and v2c requests, whose community string travels in cleartext, so restrict the sources in your SNMP rule to the monitoring hosts and pick a community string that cannot be guessed.

set snmp agent on
set snmp agent-version any
set snmp community ThisIsSoSecret read-only
add snmp address 192.168.1.1


The most recent SNMP MIB can be found on a GAIA installation with R75.45 at /opt/CPshrd-R75.40/lib/snmp/chkpnt.mib

Tobias Lachmann

Configuring BGP in High Availability Environments with GAIA

In my last post I wrote a quick How-To on configuring BGP between a Security Gateway and a Cisco Router. Today we’re going to extend this setup to full High Availability.

As shown in the overview picture, we now have two routers involved in BGP. These two routers provide an HSRP (Hot Standby Router Protocol) virtual IP address that the Security Gateways use as their default gateway. The Security Gateways are clustered using ClusterXL.

Redundant Setup with Cisco Router and Check Point Security Gateways speaking BGP

Redundant Setup with Cisco Router and Check Point Security Gateways speaking BGP

When you install R75.45 from scratch you will find that you run into trouble, as the routed routing daemon in GAIA has a bug when it comes to an HA configuration.

Check Point has acknowledged this problem and has provided a new version of routed since 20th November.

The old version has the following information:

[Expert@fw1]# cpvinfo /bin/routed

** Version info attributes of '/bin/routed' **

Build Number = 986000037
Major Release = NGX
Minor Release = gaia_fiber_adp_ea

The new version has the following information:

[Expert@fw1]# cpvinfo /bin/routed

** Version info attributes of '/bin/routed' **

Build Number = 986003002
Major Release = NGX
Minor Release = foxx_hf_ha45_003

 
With the fixed version of routed, only a few changes have to be made to configure Security Gateways running GAIA for High Availability and BGP, in addition to the configuration of a non-redundant setup.

The first thing is to configure the BGP Router ID on every Security Gateway to be the ClusterXL IP address.

Configuring BGP Router ID in Check Point GAIA WebUI

Then edit the BGP peer group and add both Cisco routers as BGP peers. Don't forget to set the local address to the physical IP address of the specific gateway.

Add Peer Group Details on Check Point GAIA WebUI

To complete the description, here is the Cisco configuration for both routers in this scenario.

Router A:

interface Loopback0
ip address 192.168.200.2 255.255.255.255
!
interface GigabitEthernet0/0
ip address 192.168.100.2 255.255.255.0
! preempt must be configured on the same HSRP group as the virtual IP (group 1)
standby 1 preempt
standby 1 ip 192.168.100.1
standby 1 priority 40
!
interface GigabitEthernet0/1
ip address 10.10.10.2 255.255.255.0
!
router bgp 12345
bgp router-id 192.168.200.2
bgp log-neighbor-changes
neighbor BGP_TEST peer-group
neighbor BGP_TEST remote-as 12345
neighbor BGP_TEST description iBGP Session between Core and Security Gateway
neighbor BGP_TEST update-source Loopback0
neighbor 192.168.100.100 peer-group BGP_TEST
!
address-family ipv4
redistribute connected
redistribute static
neighbor BGP_TEST soft-reconfiguration inbound
neighbor 192.168.100.100 activate
exit-address-family
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 10.10.10.1
ip route 192.168.200.3 255.255.255.255 192.168.100.3


Router B:
interface Loopback0
ip address 192.168.200.3 255.255.255.255
!
interface FastEthernet0/0
ip address 192.168.100.3 255.255.255.0
! preempt must be configured on the same HSRP group as the virtual IP (group 1)
standby 1 preempt
standby 1 ip 192.168.100.1
standby 1 priority 50
!
interface FastEthernet0/1
ip address 10.10.10.3 255.255.255.0
!
router bgp 12345
bgp router-id 192.168.200.3
bgp log-neighbor-changes
timers bgp 60 180 180
neighbor BGP_TEST peer-group
neighbor BGP_TEST remote-as 12345
neighbor BGP_TEST description iBGP Session between Core and Security Gateway
neighbor BGP_TEST update-source Loopback0
neighbor 192.168.100.100 peer-group BGP_TEST
!
address-family ipv4
redistribute connected
redistribute static
neighbor BGP_TEST soft-reconfiguration inbound
neighbor 192.168.100.100 activate
no auto-summary
no synchronization
exit-address-family
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 10.10.10.1
ip route 192.168.200.2 255.255.255.255 192.168.100.2


Tobias Lachmann

Configuring BGP between Router and Security Gateway running GAIA

Today we’ll have a look at advanced routing and how we can exchange routing information using the BGP protocol between a Check Point Security Gateway running GAIA and a Cisco router.

It is common practice to use Internal Routing Protocols (IGPs) like ISIS or OSPF for carrying your infrastructure addresses and Border Gateway Protocol (BGP) for carrying Internet prefixes.

I found a very good presentation from Philip Smith who works for Cisco and explains BGP best practices in detail.

We assume that we have the following setup: a router, connected to the Internet on one hand and to a Security Gateway on the other hand. The Security Gateway should tell the router which network it protects using BGP.

Lab Setup for connecting a Check Point Security Gateway to a router using BGP

In this setup we have the following routing information on the Security Gateway:

firewall> show route all
Codes: C - Connected, S - Static, R - RIP, B - BGP,
O - OSPF IntraArea (IA - InterArea, E - External, N - NSSA),
A - Aggregate, K - Kernel Remnant, H - Hidden, P - Suppressed


S 0.0.0.0/0 via 192.168.100.100, eth1, cost 0, age 178
C 127.0.0.0/8 is directly connected, lo
C 192.168.100.0/24 is directly connected, eth1
C 200.200.200.0/24 is directly connected, Mgmt


And this is the routing table for the router:

router#sho ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
+ - replicated route, % - next hop override


Gateway of last resort is 10.10.10.2 to network 0.0.0.0


S* 0.0.0.0/0 [1/0] via 10.10.10.2
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 10.10.10.0/24 is directly connected, GigabitEthernet0/0
L 10.10.10.1/32 is directly connected, GigabitEthernet0/0
192.168.100.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.100.0/24 is directly connected, GigabitEthernet0/1
L 192.168.100.100/32 is directly connected, GigabitEthernet0/1
192.168.200.0/32 is subnetted, 1 subnets
C 192.168.200.200 is directly connected, Loopback0


Note that the router is using a loopback IP address for establishing the BGP sessions. See the BGP best practices presentation referenced above for detailed explanation about this.

Now we configure our (Cisco) Router for an internal BGP (iBGP) session.

interface Loopback0
ip address 192.168.200.200 255.255.255.255
!
!
interface GigabitEthernet0/0
ip address 10.10.10.1 255.255.255.0
duplex auto
speed auto
!
interface GigabitEthernet0/1
ip address 192.168.100.100 255.255.255.0
duplex auto
speed auto
!
router bgp 12345
bgp router-id 192.168.200.200
bgp log-neighbor-changes
neighbor BGP_TEST peer-group
neighbor BGP_TEST remote-as 12345
neighbor BGP_TEST description iBGP Session between Core and Security Gateway
neighbor BGP_TEST update-source Loopback0
neighbor 192.168.100.1 peer-group BGP_TEST
!
address-family ipv4
redistribute connected
redistribute static
neighbor BGP_TEST soft-reconfiguration inbound
neighbor 192.168.100.1 activate
exit-address-family
!
ip route 0.0.0.0 0.0.0.0 10.10.10.2


At this point the router tries to establish a BGP session with our Security Gateway and tells it about its own connected and static routes.

But the Security Gateway isn’t answering the BGP session attempts yet, so let’s move on to the configuration of GAIA.

There are different ways to configure BGP; in this example we use the WebUI.

First login and change the view to Advanced so that you’re able to see all the menu items in the WebUI.

Changing the Check Point GAIA WebUI to Advanced View


Then choose BGP from the Advanced Routing menu.

Choose BGP from Advanced Routing Menu on Check Point GAIA WebUI

On the BGP menu, first check the configuration of the router ID. In our example we use the real IP address of the Security Gateway’s external interface.

The next part is to change the Local System Identification.

Change the BGP Local System Identification on Check Point GAIA WebUI

As shown in the lab setup overview, our AS is 12345.

Save the change. The configuration page now looks like this:

BGP settings of Check Point GAIA WebUI

Now we will add a peer group which will contain our Cisco router as peer.

Add a BGP Peer Group on Check Point GAIA WebUI

Enter the peer AS number. If it is equal to your own AS number, the page shows the peer group type as Internal, otherwise as External.

Add a BGP Peer Group on Check Point GAIA WebUI

Then we enter the IP address of the Security Gateway’s external interface again as Local Address.

Finally, we add the specific peer by clicking Add Peer.

AS lock while adding BGP peer in Check Point GAIA WebUI

Add BGP peer in Check Point GAIA WebUI

When you click on Show Advanced Settings you’ll see various options, including Logging and Trace Options. I recommend turning them all on. The output is written to /var/log/routed.log and looks like this:

[Expert@firewall]# tail -f /var/log/routed.log
Nov 16 15:28:07 bgp_traffic_timeout: peer 192.168.200.200 (Routing AS 12345) last checked 60 last recv'd 48
Nov 16 15:29:07 bgp_traffic_timeout: peer 192.168.200.200 (Routing AS 12345) last checked 60 last recv'd 1
Nov 16 15:30:07 bgp_traffic_timeout: peer 192.168.200.200 (Routing AS 12345) last checked 60 last recv'd 6
Nov 16 15:31:07 bgp_traffic_timeout: peer 192.168.200.200 (Routing AS 12345) last checked 60 last recv'd 6
Nov 16 15:40:18 bgp_traffic_timeout: peer 192.168.200.200 (Routing AS 12345) last checked 60 last recv'd 60
Nov 16 15:40:18 bgp_send: sending 19 bytes to 192.168.200.200 (Routing AS 12345)
Nov 16 15:40:18
Nov 16 15:40:18 BGP SEND 192.168.100.1+43878 -> 192.168.200.200+179
Nov 16 15:40:18 BGP SEND message type 4 (KeepAlive) length 19


Advanced Logging and Trace Options in Check Point GAIA WebUI

Overview of Peer Group configuration in Check Point GAIA WebUI

Close all configuration dialogs by clicking Save.

Advanced Routing -> BGP menu on Check Point GAIA WebUI

Now we’ll have a look at the routing table of our Cisco router. Will we see the routes from the Security Gateway?

router#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
+ - replicated route, % - next hop override


Gateway of last resort is 10.10.10.2 to network 0.0.0.0

S* 0.0.0.0/0 [1/0] via 10.10.10.2
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 10.10.10.0/24 is directly connected, GigabitEthernet0/0
L 10.10.10.1/32 is directly connected, GigabitEthernet0/0
192.168.100.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.100.0/24 is directly connected, GigabitEthernet0/1
L 192.168.100.100/32 is directly connected, GigabitEthernet0/1
192.168.200.0/32 is subnetted, 1 subnets
C 192.168.200.200 is directly connected, Loopback0


Nothing has changed here?

Let’s have a look at the Security Gateway:

firewall> show route bgp
Codes: C - Connected, S - Static, R - RIP, B - BGP,
O - OSPF IntraArea (IA - InterArea, E - External, N - NSSA)
A - Aggregate, K - Kernel Remnant, H - Hidden, P - Suppressed


No learned routes here!

Checking the operating system routing table in expert mode:

[Expert@firewall]# ip route
192.168.100.0/24 dev eth1 proto kernel scope link src 192.168.100.1
200.200.200.0/24 dev Mgmt proto kernel scope link src 200.200.200.200
default via 192.168.100.100 dev eth1 proto cprd


Nothing here, either. Let’s check again in CLISH:

firewall> show route all
Codes: C - Connected, S - Static, R - RIP, B - BGP,
O - OSPF IntraArea (IA - InterArea, E - External, N - NSSA),
A - Aggregate, K - Kernel Remnant, H - Hidden, P - Suppressed


S 0.0.0.0/0 via 192.168.100.100, eth1, cost 0, age 1117
B H 10.10.10.0/24 via 192.168.100.100, eth1, cost 0, age 294
C 127.0.0.0/8 is directly connected, lo
B H 192.168.100.0/24 via 192.168.100.100, eth1, cost 0, age 294
C 192.168.100.0/24 is directly connected, eth1
B H 192.168.200.200/32 via 192.168.100.100, eth1, cost 0, age 294
C 200.200.200.0/24 is directly connected, Mgmt


Here we see BGP routes learned from the router, but they are marked “hidden” (H). This means the routing daemon knows about them, because it received them from the BGP peer, but it is not installing them into the routing table of the Security Gateway.
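The H flag is easy to overlook in a long listing. Here is an added Python helper (not part of the original post, and not a Check Point tool) that parses the output of show route all and reports whether the BGP routes learned from the peer are installed or hidden; the two samples inside it are constructed from the listings in this post, before and after the inbound route filter described further down.

```python
"""Parse Check Point GAIA 'show route all' output and report hidden BGP routes."""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample, copied from the CLISH listing in this post: the BGP
# session is up but no inbound route filter exists yet, so every learned
# BGP route carries the H (Hidden) flag.
BEFORE_INBOUND_FILTER = """\
Codes: C - Connected, S - Static, R - RIP, B - BGP,
O - OSPF IntraArea (IA - InterArea, E - External, N - NSSA),
A - Aggregate, K - Kernel Remnant, H - Hidden, P - Suppressed

S 0.0.0.0/0 via 192.168.100.100, eth1, cost 0, age 1117
B H 10.10.10.0/24 via 192.168.100.100, eth1, cost 0, age 294
C 127.0.0.0/8 is directly connected, lo
B H 192.168.100.0/24 via 192.168.100.100, eth1, cost 0, age 294
C 192.168.100.0/24 is directly connected, eth1
B H 192.168.200.200/32 via 192.168.100.100, eth1, cost 0, age 294
C 200.200.200.0/24 is directly connected, Mgmt
"""

# Constructed sample, copied from the listing later in this post, after the
# inbound BGP policy accepting routes from AS 12345 was added.
AFTER_INBOUND_FILTER = """\
S 0.0.0.0/0 via 192.168.100.100, eth1, cost 0, age 669
B 10.10.10.0/24 via 192.168.100.100, eth1, cost 0, age 62
C 127.0.0.0/8 is directly connected, lo
B 192.168.100.0/24 via 192.168.100.100, eth1, cost 0, age 62
C 192.168.100.0/24 is directly connected, eth1
B 192.168.200.200/32 via 192.168.100.100, eth1, cost 0, age 62
C 200.200.200.0/24 is directly connected, Mgmt
"""


@dataclass
class Route:
    code: str        # protocol letter from the legend: C, S, R, B, O, A, K
    hidden: bool     # H flag: known to routed, but not installed
    prefix: str
    nexthop: str     # next-hop address, empty for connected routes
    interface: str


# One route line: code, optional H/P flags, prefix, then either a next hop or
# "is directly connected". Legend lines never match because no prefix follows.
ROUTE_RE = re.compile(
    r"^(?P<code>[CSRBOAK])\s+(?P<flags>(?:[HP]\s+)*)"
    r"(?P<prefix>\d{1,3}(?:\.\d{1,3}){3}/\d{1,2})\s+"
    r"(?:via\s+(?P<nexthop>\d{1,3}(?:\.\d{1,3}){3}),\s*(?P<iface>[^,\s]+),"
    r"|is directly connected,\s*(?P<ciface>\S+))"
)


def parse_show_route(text: str) -> List[Route]:
    """Return the route entries found in 'show route all' output."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m is None:
            continue  # legend line or blank
        routes.append(Route(
            code=m.group("code"),
            hidden="H" in m.group("flags"),
            prefix=m.group("prefix"),
            nexthop=m.group("nexthop") or "",
            interface=m.group("iface") or m.group("ciface"),
        ))
    return routes


def hidden_bgp_prefixes(text: str) -> List[str]:
    """Prefixes learned via BGP that routed has not installed."""
    return [r.prefix for r in parse_show_route(text) if r.code == "B" and r.hidden]


def diagnose(text: str) -> str:
    """Summarise the BGP state the way the troubleshooting in this post does."""
    bgp = [r for r in parse_show_route(text) if r.code == "B"]
    hidden = [r for r in bgp if r.hidden]
    if not bgp:
        return "no BGP routes learned: check the peer session in /var/log/routed.log"
    if len(hidden) == len(bgp):
        return ("all %d BGP routes hidden: peer is up, but no inbound route filter "
                "accepts its routes" % len(bgp))
    if hidden:
        return "%d of %d BGP routes hidden" % (len(hidden), len(bgp))
    return "all %d BGP routes installed" % len(bgp)


if __name__ == "__main__":
    print(diagnose(BEFORE_INBOUND_FILTER))  # all 3 BGP routes hidden: ...
    print(diagnose(AFTER_INBOUND_FILTER))   # all 3 BGP routes installed
```

On a real gateway, feed it the output of clish -c "show route all" to get the same summary for the live routing table.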

To get routes distributed via BGP, we have to configure some more options in the GAIA WebUI.

Select Route Redistribution from Advanced Routing menu.

Route Redistribution menu from Check Point GAIA WebUI

In our example we want to redistribute the routes of the connected interfaces through BGP, so select Add under Redistribute Interfaces.

Redistribute Interfaces menu from Check Point GAIA WebUI

Then select the routing protocol you want to redistribute into.

Redistribute Interfaces - Choose Protocol on Check Point GAIA WebUI

Then select which interface(s) you want to redistribute.

Redistribute Interfaces - Choose Interface on Check Point GAIA WebUI

Then enter a metric and click Save.

Redistribute All Interfaces on Check Point GAIA WebUI

From this point on you will redistribute your routes over BGP to the Cisco router.

Redistribute All Interfaces Summary on Check Point GAIA WebUI

Let’s check with the router:

router#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
+ - replicated route, % - next hop override


Gateway of last resort is 10.10.10.2 to network 0.0.0.0

S* 0.0.0.0/0 [1/0] via 10.10.10.2
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 10.10.10.0/24 is directly connected, GigabitEthernet0/0
L 10.10.10.1/32 is directly connected, GigabitEthernet0/0
192.168.100.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.100.0/24 is directly connected, GigabitEthernet0/1
L 192.168.100.100/32 is directly connected, GigabitEthernet0/1
192.168.200.0/32 is subnetted, 1 subnets
C 192.168.200.200 is directly connected, Loopback0
B 200.200.200.0/24 [200/100] via 192.168.100.1, 00:00:31


At this point we have achieved our goal: routes from the Security Gateway are distributed to the router using BGP.

But what to do if we want to import routes from the router into the Security Gateway?

In this case we have to define Inbound Route Filters. Select the appropriate menu in the WebUI.

Inbound Route Filter Menu on Check Point GAIA WebUI

Then we need to define a BGP Policy for routes to import. Click on Add BGP Policy.

Inbound Route Filters Add BGP Policy on Check Point GAIA WebUI

Define which routes to accept. In our case we accept all routes from peers in AS 12345.

Inbound Route Filters - Add BGP Policy - Detail on Check Point GAIA WebUI

The summary shows the new BGP policy, and from that point on your Security Gateway accepts the routes sent via BGP by the Cisco router.

The routing tables now look like this:

firewall> show route bgp
Codes: C - Connected, S - Static, R - RIP, B - BGP,
O - OSPF IntraArea (IA - InterArea, E - External, N - NSSA)
A - Aggregate, K - Kernel Remnant, H - Hidden, P - Suppressed


B 10.10.10.0/24 via 192.168.100.100, eth1, cost 0, age 58
B 192.168.200.200/32 via 192.168.100.100, eth1, cost 0, age 58


firewall> show route all
Codes: C - Connected, S - Static, R - RIP, B - BGP,
O - OSPF IntraArea (IA - InterArea, E - External, N - NSSA),
A - Aggregate, K - Kernel Remnant, H - Hidden, P - Suppressed


S 0.0.0.0/0 via 192.168.100.100, eth1, cost 0, age 669
B 10.10.10.0/24 via 192.168.100.100, eth1, cost 0, age 62
C 127.0.0.0/8 is directly connected, lo
B 192.168.100.0/24 via 192.168.100.100, eth1, cost 0, age 62
C 192.168.100.0/24 is directly connected, eth1
B 192.168.200.200/32 via 192.168.100.100, eth1, cost 0, age 62
C 200.200.200.0/24 is directly connected, Mgmt

The last things I want to show you are some helpful options and buttons.

Under Advanced Routing -> Routing Options you will find trace options for routing.

Route Options on Check Point GAIA WebUI

I suggest you turn them on and increase the size of the trace files.

Route Options - Trace Options on Check Point GAIA WebUI

Don’t forget to apply the setting with the button on top of this page!

The last thing is how to restart the routing daemon. The button can be found at the bottom of the Route Options page.

Restart Routing Daemon on Check Point GAIA WebUI

I hope you liked this little How-To on BGP.

Tobias Lachmann

Appliance hardware – Updated 25th October 2012

Here is a short list of the hardware used in Check Point appliances. The numbers show the SPU rating and the maximum throughput (in Gbps) for firewall, VPN and IPS traffic according to Check Point; RAM is given in GB.

Check Point 2012 Appliance series

Model   SPU    FW (Gbps)  VPN (Gbps)  IPS (Gbps)  CPU                                      RAM (GB)
21400   2003   50         7           21          2x Intel Xeon E5645 2.40GHz (Six-Core)   6
12600   1861   30         7           17          2x Intel Xeon E5645 2.40GHz (Six-Core)   6
12400   1046   25         3.5         12          Intel Xeon E5645 2.40GHz (Six-Core)      4
12200   738    15         2.5         8           Intel Core i5 750 2.67GHz (QuadCore)     4
4800    623    11         2           6           Intel Core2 Quad CPU Q9400 2.66GHz       4
4600    374    9          1.5         4           Pentium Dual-Core E6500 2.93GHz          4
4400    223    5          1.2         3.5         Intel Celeron Dual-Core E3400 2.6 GHz    4
4200    114    3          0.4         2           Intel Atom D525 1.80GHz Dual-Core        4
2200    114    3          0.4         2           Intel Atom D525 1.80GHz Dual-Core        2

Check Point Smart-1 Appliance series

Model        CPU                                        RAM (GB)  HDD
Smart-1 5    Intel Celeron M 1.50GHz                    2         500 GB
Smart-1 25b  Intel Core2 Duo Processor E7400 2.80 GHz   4         2 TB
Smart-1 50   Intel Xeon E5410 2.33GHz (DualCore)        4         2 TB

The CPU and RAM details can be determined from the command line: for the CPU use cat /proc/cpuinfo, for the RAM use cat /proc/meminfo.

If you have more details on appliances, feel free to send them to tobias@lachmann.org

All other values are taken from official Check Point materials.

If you take the appliance hardware together with the throughput stated by Check Point, it might give you an idea of how your Open Server hardware will perform in comparison.

Thanks to all the contributors for their info!

Tobias Lachmann

Performance impact of IPv6

At the Mini CPX here in Cologne the guys from Spirent presented some performance testing along with Check Point.

Really interesting stuff and cool technology!

During the presentation I wondered how much impact we would see on Check Point firewalls when IPv6 packets are processed instead of IPv4 packets.

Apparently, when it comes to the payload, there’s no change. Whether it is HTTP over IPv4 or HTTP over IPv6 doesn’t matter.

But processing the IPv6 addresses takes a little bit longer, and there is a noticeable performance drop of about 10%. Quite negligible in my opinion.

The other part is the connection table, where you actually have to store the 128-bit IPv6 address. Compared to a 32-bit IPv4 address this consumes 4 times more memory. From what I’ve learned so far we don’t actually see this number, but a decrease of about 40% in maximum connections.

The relevance for real-life installations is quite low. First, we have increased connection capacity due to the 64-bit GAIA operating system. Second, the amount of IPv6 traffic in a normal installation will not come near the numbers that we see with IPv4 at the moment. And if it does, you should do a PoC together with Check Point and maybe Spirent first to make sure you’re choosing the right solution for your multi-gigabit IPv6 throughput.

Tobias Lachmann

Slide rails for Check Point 4000 series appliances

For a recent project I ordered the slide rails along with a set of 4000 series appliances.

Thank god that Check Point is no longer charging support costs for the slide rails. 🙂

But when the slide rails arrived I was very disappointed. I would have expected something like the HP rack slides for 19″ servers that I know so well.

Instead I found that Check Point has some very cheap and poorly designed low cost rails.

Our guys who install hardware in the data center really had a hard time attaching the rails and putting them into the rack. In the end we decided not to use them and instead fixed the appliance the normal way.

From HP, IBM, Dell and other manufacturers you get really stable and well-built slide rail kits with ball bearings and everything you can ask for at a reasonable price.

But from Check Point you get some kind of scrap metal worth approx. $30 which barely does the job. And they charge you $300, nearly twice the amount you have to pay for rails from HP etc.

So I decided this was the last time I ordered these appliances with slide rails from Check Point. I paid quite a price to make this experience.

What do you think about the rail slides?

Tobias Lachmann

Three new releases from Check Point

Folks, it’s getting exciting.

We have three new releases from Check Point:

The release that is most exciting to me is Endpoint Security E80.40.

You might remember that I expressed my love for E80.x versions before on this blog, but with E80.40 it is going to a new level of policy management and platform support.

Please review the sk articles linked above for details.

At the moment it is too much stuff to put it up in detail.

But for sure I will write a post about the latest update from Endpoint Security E80.30 to E80.40.

Tobias Lachmann

New feature in R75.40 VS limits impact of Denial of Service Attacks – Penalty Box

R75.40 VS has a new feature called penalty box.

To put it in short terms: if an IP address is reported by the IPS or dropped by the firewall rulebase frequently, it is blocked by the Performance Pack for a specified time range.

Since the Performance Pack is performing the drop, the traffic doesn’t need to be processed by the higher-level mechanisms, and so we save performance on the gateway.

This helps to prevent DoS attacks, or at least limits their impact.

Please find more about this feature in the sk74520.

Tobias Lachmann

Watch out for different version of Check Point’s GAIA operating system

Please have in mind that we have different GAIA versions out there.

We have GAIA and we have GAIA+, which brings some new features and improvements and should be the one that is installed when building new systems from scratch.

On CLISH you can determine the version with the command show version all.

The following build numbers are known so far:

  • latest EA: 264
  • GA: 338
  • 2nd GA: 339
  • GAIA+: 65

To be honest: I’m not happy about these different versions. It makes life harder, and when you connect to a system you don’t know, you have to make sure which version you’re on.

And for sure we can expect more versions like GAIA++, GAIA enhanced or whatever Check Point wants to call it. It keeps confusing engineers as well as customers.

Also, as seen with GAIA+, you can’t go from one version to another just like that. So your GAIA installation cannot be upgraded to GAIA+. In the worst case you have to re-do the installation.

Tobias Lachmann

Configuring GAIA – differences between CLISH and WebUI

Maybe you made your first steps with GAIA, the all new Check Point operating system, and found yourself at the point where you needed to go into “Expert mode” as used in SPLAT.

Just typing expert will give you the message that you need to define the expert password first by issuing set expert-password plain.

Having done that, you can enter expert mode as you like.

But unfortunately this configuration doesn’t survive a reboot.

Why? Because configuration changes made in CLISH are not persistent and do not survive a reboot unless you issue the save config command, which writes the changes to the central configuration database.

When you work with the WebUI, changes are saved as soon as you press the button Apply.

Please have this in mind when configuring your GAIA from CLISH.

Tobias Lachmann

VPN problems with Cisco VPN Client and Endpoint Security E80.32

We needed to install a Cisco VPN client (5.0.07.0440) on one of the clients where Endpoint Security E80.32 client (8.1.205) with activated Anti-Malware blade was running.

At first the VPN connection seemed to work as we got connected. But apparently no traffic was passing and the tunnel was unusable.

This is an issue known to Check Point, and there is the client version E80.32CFG2 (8.1.302) available which perfectly fixes this problem.

Just ask your local SE or the support engineer from TAC for this build if you are having problems with this kind of installation.

Tobias Lachmann

High CPU load on Endpoint Security Management – Sync problem

Recently I discovered that my Endpoint Security Management was experiencing a very high CPU load.

The 600 users killed my Xeon 2.8 GHz with 3 GB memory running with Windows Server 2008 R2 and Endpoint Management E80.20.

After consulting with Check Point R&D and some debugging on the system we found out that the Endpoint clients (8.0.986) were issuing too many Sync requests, which overloaded the server.

This was a known error and fixed in client version 8.1.205 which is available with E80.32.

After deploying the first clients we could see a drop in CPU load and when the installation on all clients finished, we were back to normal.

For me this means that it is always a good thing to stay up to date with the latest version.

Tobias Lachmann

Comparison of RPM packets from R75 to R75.40 SPLAT/GAIA

Recently I spent some time looking closer at the changes made to GAIA in comparison to Secure Platform (SPLAT).

I freshly installed some different versions of R75 (R75 up to R75.40) and took note of the version numbering of the installed RPM packages.

It is interesting to see when a specific version of a package was introduced and how long it has been unchanged throughout the versions.

Please find the full details here:

Comparison of RPM packages for Check Point Secure Platform / GAIA

As you can see, GAIA is based on much newer package versions. Even R75.40 SPLAT doesn’t have many changes to packages, although it shares the same version number as the GAIA build.

Tobias Lachmann

Preventing specific Web Browsers with Application Control

Today it is very important to use a current web browser to surf the web to limit the attacks that can be delivered to the client while surfing a malicious web site.

The use of Microsoft Internet Explorer 6 for example causes a high security risk. This is why Check Point has implemented an IPS protection to detect or prevent the use of IE6.

Check Point IPS protection for Internet Explorer 6

To achieve more granular control over the Internet Explorer version or to detect another browser, one can use the Application Control blade.

Just add the browser as Application to the policy:

Check Point Application Control Application Selection

Check Point Application Control Policy

Example scenario:

Your organisation uses only Internet Explorer 7 or higher and keeps these browsers updated over automatic software distribution mechanisms.

Internet Explorer version 6 or prior, as well as other browsers, are not supported and not updated automatically and thereby cause a security risk for your company.

Maybe someone just installed this software on his own or uses a portable application.

With the Application Control blade you can detect this and send a UserCheck notification to the user. So he is informed that this software does not comply with the company policy and that he needs to contact desktop service to get a current software install.

Check Point Application Control User Check

I think this is a nice example of how to detect issues and inform the user to make him aware, without limiting his ability to work.

Tobias Lachmann

Why we raise the price? Because we can!

The Check Point price model is funny sometimes…

A Check Point 4607 appliance had a list price of $ 11.000.
We still can find the old price on some websites.

A couple of weeks ago the new 4400 appliance was introduced and the prices for the 4600 were raised over 36% to $ 15.000.

Why did Check Point do this?

Well, sources say that -at least in Germany- the term is “price/performance adaption”.

Or as someone commented: “a nice euphemism for: because we can”.

First we got 374 SPU for $ 11.000. Now we have to pay either $ 15.000 or stick with 223 SPU for $ 9.000.

What do you think about this? Please comment.

Tobias Lachmann

Distribution of Endpoint Security client

How to bring the Endpoint Security client package onto the machines of the users?

In one environment we first did manual installations before giving the machine to the user. Since this was not time efficient we changed the method. We added the Endpoint Security client to the software image that was used to clone the machines.

As a result, we could see something strange in the Endpoint Security Management. The count of clients remained the same and we could NOT see the new machines within the virtual groups. But the live view of the connected clients showed the machines that were missing.

I guess that during installation the Endpoint Security client creates its very own signature which is not directly related to the machine name etc.

While cloning the machine we created duplicates of these signatures, which led to the situation that these clients were not visible in the virtual groups.

The live view of connected clients however seems to work differently, and that’s why we see the clients there after all.

So my advice to you is not to use cloning when it comes to Endpoint Security clients but manual installation instead.

Tobias Lachmann

BIOS password on appliances?

Recently I became aware that Check Point has a BIOS password on the appliances. It was seen on a Smart-1 25b in the wild.

Until now the machines were delivered without any password so that you could change for example the boot order by yourself.

This seems to be no longer possible.

Does anyone know this new password?

Please let me know: tobias@lachmann.org

Tobias Lachmann

CPX: achieving certifications vs. learning something new

Yesterday I finally understood the new approach that Check Point is taking with the training blades.

They saw that people were taking courses just to pass the certification and didn’t really learn something new, because the topics covered in CCSA / CCSE have been the same for a long time, with small adjustments, of course.

The reason for doing a certification was mainly to qualify for a partner status rather than gaining knowledge.

So they brought up the new concept with the credits. Once you achieve your certification you can keep it active by earning two credits a year. This can be done by taking training blades for DLP, AppCtrl, IPS or security principles (only for CCSA) and passing the exam.

The idea behind it is to relieve the already certified professionals from the pain of learning the same stuff again and again for their CCSA or CCSE exams when a new version comes out. They showed the appropriate knowledge already, so why bother? Instead they should become familiar with the additional technologies in the newer version. Normally you don’t have time to learn this stuff because you have to deal with maintaining your certification.

So the new goal is to educate people and let them gain knowledge rather than forcing them to certify again and again on the same stuff.

I think this is a valid and good approach.

What I can’t really estimate is the quality of the new online training blades. I guess that people want to have classroom training, even for a single day, rather than a complete online training. When it comes to training, the instructor makes the difference. Especially his experiences with real-life projects and support cases. He can adapt speed and depth of information in the course to his audience to make it the best experience for everyone.

I’m not sure if training blades can do this… I guess we’ll just have to wait for some feedback from the field over the next months.

Tobias Lachmann

CPX: 110 Gbps should be enough performance for everyone

Today I visited the Performance Lab on CPX here in Berlin.

Peter Sandkuijl from Check Point and the guys from demonstrated live performance testing of a Check Point 21400 appliance with the new .

This module with its 108 processing cores changes the way packets are handled and makes it significantly faster.

With a normal traffic blend called iMix we saw about 50 Gbps of throughput without the module. With the module the numbers more than doubled. Very impressive.

We don’t have any pricing information yet, but I would expect that the card will cost nearly as much as the 21400 appliance itself. So we’re talking about more than $ 100K.

Tobias Lachmann

CPX: Major vs. Minor version

For some time I wondered how Check Point was doing the numbering of their versions.

My guess was that mostly political reasons were responsible.

On CPX 2012 in Berlin I had the opportunity to speak with a bunch of people from Check Point who confirmed this, but of course it’s not official.

GAIA was introduced recently, a major step in the Check Point operating system architecture. In former times this would have qualified for a new major release.

What is the reason for making a minor release out of this, naming it R75.40?

The first reason seems to be that customers should consider it as ‘another HFA’ and be encouraged to install it quickly in productive environments. It’s no big deal, just another ‘service pack’. Really?

The second reason seems to be related to the current process of testing for Common Criteria Evaluation Assurance Levels. The page http://www.checkpoint.com/products/certifications/ shows that version R75 is currently in evaluation for EAL4. And it is easier to re-certify a maintenance release (= minor version) than a major version, which costs a lot of time and money.

What can we learn from this?

I think that we should not rely on version numbers when making our decision for an upgrade. Check the release notes, the known limitations and the list of solved problems. Then decide if there’s a problem that you encounter and that has been solved in the new version. Or if there’s a new feature that you want to utilize because it helps you to enhance your security. Then, of course, try to replicate your production environment in a lab and test the upgrade process. Do thorough testing of all functions before deploying the upgrade in the live environment.

And try not to be impressed by any version numbering… it’s only numbers.

Tobias Lachmann

Passed my CCSA R75 exam

…….. I really don’t know what to think about the CCSA R75 exam I passed right now.

I’m working with Check Point products since 2001 and I was certified ever since, highest certification was CCSE+.

I installed, updated, migrated and configured a lot of different systems from 4.1 to R75.30.

I’d like to think that I have quite some knowledge about Check Point products….. but why was I only able to score 80% in the CCSA exam, the first and easiest one?

It’s kind of frustrating……

Tobias Lachmann

GAIA – Configuring EA Take 5

After we finished installation, it is time to configure the system over the WebUI using the First Time Configuration Wizard.

Step 1 – Login

Here we use the password defined during installation instead of “admin/admin” as in older installations.

Check Point GAIA First Time Configuration Wizard WebUI


Step 2 – Welcome Screen

Check Point GAIA First Time Configuration Wizard WebUI


Step 3 – Configure Date and Time


Check Point GAIA First Time Configuration Wizard WebUI


Step 4 – Device Name and DNS


Check Point GAIA First Time Configuration Wizard WebUI


Step 5 – Network Connection

Note that you can configure a DHCP Server for this interface to serve the clients

Check Point GAIA First Time Configuration Wizard WebUI


Step 6 – Product Selection

Here you can choose whether to do a standalone installation with gateway and management on the same machine, or a distributed installation. When your system is a security gateway and part of a cluster, you can choose whether to use ClusterXL for clustering or a VRRP cluster. The latter is a feature Check Point took over from IPSO.


Check Point GAIA First Time Configuration Wizard WebUI


If you install a security management, you can choose if this a primary or secondary server – or a Log Server / SmartEvent Server.


Check Point GAIA First Time Configuration Wizard WebUI


Step 7 – Create a cpconfig_administrator for use in SmartConsole


Check Point GAIA First Time Configuration Wizard WebUI


Step 8 – Define the IP addresses of GUI clients


Check Point GAIA First Time Configuration Wizard WebUI


Step 9 – Review and Finish


Check Point GAIA First Time Configuration Wizard WebUI


Check Point GAIA First Time Configuration Wizard WebUI


Step 10 – Installation and configuration

I like that at this point the system tells you which action it is performing and how far along it is.


Check Point GAIA First Time Configuration Wizard WebUI


Step 11 – Configuration is finished

Check Point GAIA First Time Configuration Wizard WebUI


At this point your system is set up, in our case a Security Management server.

Now we can install SmartConsole and login to the server.

Tobias Lachmann

CCSA R75 practice exam available

For all of you who want to certify or re-certify as CCSA R75, there is great news.

Check Point published a CCSA R75 practice exam for you to train for the VUE exam.

The question pool is nearly 40 questions and you will have to answer 20 within the practice exam.

The real VUE exam has 100 questions that have to be answered in 100 minutes, so it covers much more ground.

But I recommend the practice test to everyone to get used to the way Check Point asks the questions.

Tobias Lachmann

GAIA – Installing EA Take 5 on VMware ESX

I want to share with you my experiences on the Early Availability version of GAIA, the new Check Point operating system.

Besides some upgrade testing I did a new installation in a virtual machine on a VMware ESX server.

Step 1 – Welcome screen

Check Point GAIA EA Take 5 Installation


Step 2 – Hardware Scan Details

Please note that GAIA recognizes that it is running on VMware and will automatically install the VMware Tools!

Check Point GAIA EA Take 5 Installation


Step 3 – Keyboard selection

Check Point GAIA EA Take 5 Installation


Step 4 – Disk information

The installer detected my disks and automatically creates a software RAID 1 out of them. Very nice. If you want to use a hardware RAID instead, you have to leave the installer at this point, configure your hardware RAID and start over. The hardware RAID will then be presented to the installer as one single drive.

Check Point GAIA EA Take 5 Installation


Step 5 – Partitions Configuration

We have waited a long time for this feature! Especially on UTM-1 appliances, software upgrades ran into problems when some partitions were heavily used. I wrote some articles on this blog about how to enlarge partitions to get around those problems while upgrading. Good that we can now change or correct the partition layout.

Check Point GAIA EA Take 5 Installation


Step 6 – Password for “admin” account

In SPLAT the pre-defined account “admin” came with the password “admin” once the installation was done, and the password was only changed later in the First Time Configuration Wizard over the WebUI. Asking for the password already during installation, as GAIA does here, is much better from a security perspective.

Check Point GAIA EA Take 5 Installation


Step 7 – Management Interface

Check Point GAIA EA Take 5 Installation


Step 8 – Confirmation before formatting and installing

Check Point GAIA EA Take 5 Installation


Step 9 to 12 – Formatting and installing

Check Point GAIA EA Take 5 Installation


Check Point GAIA EA Take 5 Installation


Check Point GAIA EA Take 5 Installation


Check Point GAIA EA Take 5 Installation

You’re done!

First boot into GAIA

Please note that you can boot into 32 bit mode and also 64 bit mode.

Check Point GAIA EA Take 5 Installation


Starting the system – now with a “colored” progress bar

Check Point GAIA EA Take 5 Installation


Console login screen

The console login screen no longer reveals the version information or the IP address and port for management access. Instead you can display a banner, as in this screenshot.

Check Point GAIA EA Take 5 Installation


After logging into the system with the password defined in step 6 you will get the message that the configuration has to be done through the First Time Wizard in WebUI.

Check Point GAIA EA Take 5 Installation


That’s it for installing GAIA EA take 5. Quite nice. Quite easy. Lots of changes under the hood and a really good approach.

Tobias Lachmann

Reset CA certificate for HTTPS inspection

With R75.20 Check Point offers HTTPS inspection for different blades, namely DLP, IPS, Application Control, URL Filtering and Anti-Virus.

Once you have created a CA certificate on a gateway for HTTPS inspection, there is no way in SmartDashboard to remove or renew this certificate.

Check Point HTTPS inspection - configuration overview
But maybe you chose the wrong name for the CA certificate, or you would like to change its validity dates, or just start the configuration process all over again.

Then you can delete the CA certificate following these steps.

1. Open GUIDBedit and connect to your Security Management

2. Locate the table for ssl_inspection

3. Choose the object general_confs_obj

4. Go to the field ssl_cert_ref. The value in this field points to a certificate in the table ssl_certificates

Check Point GUIDBedit HTTPS inspection certificate reference

Check Point GUIDBedit table ssl_certificates
5. Empty the values ssl_cert_ref and ssl_cert_key by right-clicking on the value field and select reset.

Check Point GUIDBedit SSL certificate reset
6. Save and exit GUIDBedit

7. Connect to the Security Management with SmartDashboard and start with your new configuration.

Please note that this is not an official procedure documented by Check Point, so use it at your own risk 🙂 Take a backup of the Security Management before editing the database with GUIDBedit.

Tobias Lachmann

CPX 2012 in Berlin

Check Point announced the place and time for the EMEA Check Point Experience 2012, which is Berlin from 30-31 of May.

Check out the CPX website!

The agenda shows three sessions on GAIA, so I think we’ll have GAIA released before or right at the date of the CPX in Orlando, which is 17-18 April.

It is really nice to have CPX in Germany again. If I recall it correctly the last one was 2007 in Munich.

Hotel is already booked and I got one of the last rooms in the conference hotel. Very comfortable. 🙂

Hope to see lots of you guys there and have a nice get-together.

Tobias Lachmann

GAIA early availability take 4

Today I received an E-Mail with the download links for the GAIA early availability packages.

It took Check Point over two weeks to check my “application” for the EA program.

I wonder how they select the ones who will get access to this program.

Still pissed that I had to wait until this day to get hands on GAIA.


Tobias Lachmann

PS.: my friend Valeri Loukine has a review on the GAIA EA in his blog

Thumbs up for Endpoint Security E80.30

For whatever reason I forgot to share my experience about the latest installation of Endpoint Security E80.30 with you.

Our customer had 750 seats and wanted to deploy mainly Anti-Malware blades, along with some VPN blades.

The longest part of setting up the Endpoint Security Management server was the installation of the operating system. The Endpoint part itself took only about an hour and a half.

After about 4 hours we had the system up and running and started to deploy clients!

I think this is a brilliant example of how much Endpoint management has improved with E80.x.

We make use of a newly introduced feature called Virtual Groups. In environments where you have to deal with clients that are not part of any directory, you had to define IP addresses or ranges for them. Now you can group single objects from different locations into one virtual group and apply a policy to them. Very handy and easy to use.

Only some things need to be improved in future versions:
– limit the CPU usage of the Anti-Malware blade while doing a system scan
– limit the bandwidth of the Endpoint management server while distributing new packages to the clients
– set up proper e-mail notification for various events in a readable format instead of using sk65437

Tobias Lachmann

Cool performance report for your Security Gateway

I already wrote a post about the fantastic Performance Evaluation Utility provided by Check Point.

Now they added a bonus on top of this tool to encourage people to send in their actual gateway data.

You will get a report in PDF format that gives deep insights into your gateway’s performance. For example not only the average throughput but also the high average throughput, where only samples above the average are taken into account. This shows you how your gateway performs when it is actively processing traffic.

Check Point Performance Evaluation Utility Sample Report

Check Point Performance Evaluation Utility Example Report

Please take a look at the Check Point Performance Evaluation Utility Example Report.

Everyone who can provide data should do so to improve the Check Point database from real world installations. I think that all Check Point users will benefit from this and we will see improvements in sizing recommendations and future releases.

Tobias Lachmann

Install on London Gateways?

There is an interesting bug in the Check Point Smart Dashboard.
Normally the implied rules are not displayed, but you can enable the view.

View Check Point implied rules

What we can see now is that three rules have the entry London Gateways in the Install On column. Click on the picture to enlarge it.

Check Point implied rules - London Gateways

I wonder if this is just a bug while displaying the implied rules or if there’s an error in the implied rules and their enforcement itself.

Until now I couldn’t find an answer to that question, maybe someone of you has any information about that?

Tobias Lachmann

Check Point Performance Evaluation Utility released

Check Point released a Performance Evaluation Utility for their appliances.

The purpose of this utility is to gather information about CPU and memory consumption, throughput etc. in combination with your appliance model and the activated blades.

This information is analyzed by Check Point and used for the Appliance Selection Tool and other projects where they need to verify their assumptions about real world appliance behaviour against actual live environments.

If something suspicious is found, they will contact you and give you feedback about their findings.

Also, if you’re just curious about how your appliance is doing throughout a normal day, run this script and check the summary. If necessary you can dig into the raw data for troubleshooting.

Output looks like this:

Measured Data
=============
* Maximum gateway throughput: 785.340831 Mbps
* Maximum packet rate: 79343 Packets/sec
* Maximum CPU: 99%
* Maximum CPU core #0: 100%
* Maximum kernel CPU: 45%
* Maximum kernel CPU core #0: 45%
Number of unique IPs behind gateway: 85
Maximum concurrent connections: 1000
Maximum memory utilization: 1240 MB
Accelerated packets: 100.00%
VPN traffic: 0.08%
Detected interface packet drops: no
Detected install policy: no
===================================


I like this tool very much and there has been enormous improvement since the first versions.

I would like to encourage all readers of this blog to download this script, run it on all available appliances and send the data back to Check Point. This will help them to make products better and performance numbers more accurate.

Tobias Lachmann

GAIA rumor

I heard a rumor that GAIA will be delivered along with R75.40 release.

Since R75.30 came out recently, we’re very close to GAIA.

It will be interesting to see what GAIA really brings us. Personally I expect a SPLAT base, hopefully 64-bit, with a recent Linux kernel but with the CLISH command line interface. That would mean I have to learn quite a bunch of new things 🙂

Tobias Lachmann

Update to Problems with SCP and Secure Platform while copying large files

OK, I stumbled upon a known issue. We have sk66195 and sk45048 for this. Sadly these entries are only visible if you have Expert access or higher. I wonder why Check Point hides this information from normal users.

Here is Check Point’s explanation of why they use such an old version of OpenSSH: “In order to keep SecurePlatform secure, an older build of OpenSSH is used that does not have dependencies to packages not included in SecurePlatform.”

You have to contact Support to get a fixed version of OpenSSH. At the moment they have a fix for R71.30 through R75.40 which will be also included in GAIA. The package version numbers differ slightly. Old: openssh-server-3.6.1p2-33.30.39cp. New: openssh-server-3.6.1p2-33.30.976075001cp.

As a workaround, if you can’t or won’t install the package, you can use the old WinSCP version 4.1.9 from 2009.

Tobias Lachmann

Problems with SCP and Secure Platform while copying large files

Today I ran into a problem with file transfers from or to a Secure Platform system using SCP.

I tried to copy a large backup file from the system, which failed.

C:\Program Files\Putty>pscp -v -scp -l tlachmann 10.1.1.1:/var/CPbackup/backups/backup.tgz .
Looking up host "10.1.1.1"
Connecting to 10.1.1.1 port 22
Server version: SSH-2.0-OpenSSH_3.6.1p2
Using SSH protocol version 2
We claim version: SSH-2.0-PuTTY_Release_0.61
Doing Diffie-Hellman group exchange
Doing Diffie-Hellman key exchange with hash SHA-1
Host key fingerprint is:
ssh-rsa 1024 5d:05:8a:64:7c:2f:ed:1d:f3:6b:aa:bb:cc:dd:ee:fb
Initialised AES-256 CBC client->server encryption
Initialised HMAC-SHA1 client->server MAC algorithm
Initialised AES-256 CBC server->client encryption
Initialised HMAC-SHA1 server->client MAC algorithm
Using username "tlachmann".
Keyboard-interactive authentication refused
tlachmann@10.1.1.1's password:
Sent password
Access granted
Opened channel for session
Started a shell/command
Using SCP1
Connected to 10.1.1.1
Sending file modes: C0644 1277213515 backup.tgz
backup.tgz | 32 kB | 32.0 kB/s | ETA: 10:49:36 | 0%
Server unexpectedly closed network connection
Fatal: Server unexpectedly closed network connection


On the SPLAT machine there was the following message in /var/log/secure

Jan 26 10:02:53 fwm sshd[13480]: Accepted password for tlachmann from 10.1.1.2 port 4845 ssh2
Jan 26 10:03:05 fwm sshd[13480]: fatal: buffer_append_space: alloc 10518528 not supported
Jan 26 10:08:07 fwm sshd[13515]: Did not receive identification string from 10.1.1.2
Jan 26 10:12:22 fwm sshd[13526]: Accepted password for tlachmann from 10.1.1.2 port 4926 ssh2
Jan 26 10:12:23 fwm sshd[13526]: fatal: buffer_append_space: alloc 10498048 not supported


Seems that this is an OpenSSH error described here.

The entry describes that this is “Fixed in openssh-3.9p1-8.RHEL4.18”

On SPLAT we have older OpenSSH packages:

[Expert@fwm]# rpm -qa | grep openssh
openssh-3.6.1p2-33.30.39cp
openssh-server-3.6.1p2-33.30.39cp


Even R75.30 has this old package, so I opened an SR with Check Point. It will be interesting to see what they write back.

I’ll keep you informed.
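
The following script is an added example, not something from the post or from Check Point, for getting a large backup off a SecurePlatform box when the OpenSSH package cannot be replaced. It assumes, based on the allocation sizes in the log above (just over 10 MB), that transfers well under that size go through, so it splits the file on the gateway, fetches the pieces one scp session at a time, reassembles them and verifies a checksum computed on the gateway. When SSH_HOST is unset the helpers run locally, which is how the script can be tried without a gateway; `user@gateway` and the paths are placeholders.

```shell
#!/bin/sh
# Added example: fetch a large file through the old OpenSSH 3.6.1p2 scp server
# in pieces. Assumption (not from the post): pieces well under the ~10 MB
# allocation that failed in /var/log/secure are transferred without the fatal.
set -eu

CHUNK_SIZE="${CHUNK_SIZE:-8m}"   # 8 MiB, below 0xa00000 (10485760) bytes
SSH_HOST="${SSH_HOST:-}"         # e.g. user@gateway; empty = run everything locally

run_remote() {   # run_remote 'shell command' : on the gateway, or locally for a dry run
    if [ -n "$SSH_HOST" ]; then ssh "$SSH_HOST" "$1"; else sh -c "$1"; fi
}

fetch_file() {   # fetch_file remote_path local_path : one short scp session per call
    if [ -n "$SSH_HOST" ]; then scp -q "$SSH_HOST:$1" "$2"; else cp "$1" "$2"; fi
}

# chunked_fetch /var/CPbackup/backups/backup.tgz ./backup.tgz
# 1. checksum and split the file next to itself on the gateway
# 2. copy the pieces one by one and append them to the destination
# 3. remove the pieces on the gateway and compare checksums
chunked_fetch() {
    remote="$1"; dest="$2"
    rdir=$(dirname "$remote"); rbase=$(basename "$remote")
    work=$(mktemp -d)

    run_remote "cd '$rdir' && cksum '$rbase' | cut -d' ' -f1,2 > '$rbase.cksum' \
        && split -b $CHUNK_SIZE -a 4 '$rbase' '$rbase.part.' \
        && ls '$rbase'.part.* > '$rbase.parts'"
    fetch_file "$rdir/$rbase.cksum" "$work/expected.cksum"
    fetch_file "$rdir/$rbase.parts" "$work/parts"

    : > "$dest"
    while IFS= read -r part; do
        fetch_file "$rdir/$part" "$work/$part"
        cat "$work/$part" >> "$dest"
        rm -f "$work/$part"
    done < "$work/parts"

    run_remote "cd '$rdir' && rm -f '$rbase'.part.* '$rbase.cksum' '$rbase.parts'"
    expected=$(cat "$work/expected.cksum")
    actual=$(cksum "$dest" | cut -d' ' -f1,2)
    rm -rf "$work"
    if [ "$expected" != "$actual" ]; then
        echo "checksum mismatch: gateway $expected, local $actual" >&2
        return 1
    fi
    echo "fetched $dest ($actual)"
}

# Usage: SSH_HOST=user@gateway sh chunked_fetch.sh /var/CPbackup/backups/backup.tgz ./backup.tgz
if [ $# -eq 2 ]; then chunked_fetch "$1" "$2"; fi
```

The checksum is the POSIX cksum CRC, chosen only because it is present on SPLAT and on every client; it detects a truncated or mis-ordered reassembly, which is what this transfer can get wrong, not tampering.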

Tobias Lachmann

Appliance hardware – request for help

Over one and a half years ago I posted the updated appliance hardware list.

From the feedback I got so far I know that customers and security engineers from partners love this list because it gives them the ability to do a better sizing for OpenServer hardware – just by comparing their throughput needs to the appropriate appliance and the hardware inside it.

And I also know from some comments at CPX that Check Point doesn’t like my list. They don’t want us to talk about the hardware inside the appliances because it may seem too small and out of date.

Also, Check Point now changes from “what is the maximum throughput” to “how much power is needed for a special purpose, blade combination and desired throughput” with their Security Power measurement.

This is a very good approach, and I can assure you that Check Point is putting enormous effort into the upcoming Appliance Selection Tool (AST) to make it accurate and based on real-world experience: I contributed some appliance data myself and discussed it with them.

But still – I think we should update the appliance hardware list since there are so many new appliances out there.

For that I need your help!

The details can be determined from the command line: for the CPU details use cat /proc/cpuinfo, for the RAM details use cat /proc/meminfo.

If you have more details on appliances, feel free to send them to tobias@lachmann.org

What I know so far is that every new appliance from the 2012 series is supposed to have at least 2GB of memory and a Dual-Core CPU.

Please submit data from your own appliances to this list.

Tobias Lachmann

Check Point leads the new Gartner Magic Quadrant for Enterprise Network Firewalls

This december a new Magic Quadrant on Enterprise Network Firewalls was released by Gartner Group.

Check Point is clearly in the lead, followed by Palo Alto. These two are the only companies in the leader quadrant. All others are challengers (Fortinet, Cisco, Juniper, McAfee) or niche players.

It is interesting to see how the market has changed and that the competitors are losing ground.

Tobias Lachmann

No support cost for appliance slide rails

In a previous post I was talking about the fact that the Check Point quote tools charged a yearly 10% support cost for the new slide rail kit for appliances.

Check Point now reported back to me that this was an error and that they changed all their tools accordingly.

I can quote them on the following:

"Our policy is to charge support only for electronic components that may require assistance in case of failure break.
We changed our tools accordingly and now we will not charge for support for the rails"

Ofer Or, Product Manager at Check Point


Check Point, thanks for listening.

Tobias Lachmann

Installing a Check Point appliance from USB flash drive

The Check Point appliances come pre-installed with one or two SPLAT images, the current release and possibly an older one. A new appliance with R75.20 also carries R71.30.

Normally the “reset to factory defaults” mechanism works pretty well. If an appliance is messed up you can restore an image stored on the machine.

For some reason you may want to install an appliance from scratch, which can be done with an external USB DVD drive connected to the appliance. You can boot from this device into an installer and re-image the whole machine.

But an external drive is not practical in all situations and handling it can be cumbersome.

USB flash drives are much easier to handle and don’t take up much space in the engineer’s bag.

Since the days of NGX R65 with Messaging Security appliances there has been an sk article describing how to create a bootable USB flash drive for a fresh installation of NGX R65 or NGX R65 w/ MS.

Sadly this was somewhat complicated and there were a couple of things to keep in mind.

Around the release of R70 I tried to build a bootable USB flash drive with the tools available, namely a tool from HP for making USB flash drives bootable in combination with ISO files, but without success.

Then I stumbled upon UNetbootin, a nice tool for creating bootable devices. It comes with a variety of pre-configured Linux distributions and can also use ISO files.

What it does with ISO files is to extract the boot sequence from the ISO and use it for the flash drive. Then everything from the ISO is extracted to the drive.

That works for Linux distributions on my PC but not for a SPLAT ISO in combination with a UTM-1 appliance.

But now Check Point has released a very cool new tool called ISOmorphic which creates bootable flash drives for the appliances from the ISO images provided by Check Point.

With a USB flash drive created by ISOmorphic I was able to boot a UTM-1 appliance directly without any further changes.

From now on I will use this sweet new tool to pre-load my new appliances with the latest software image instead of upgrading older ones or using DVD drives.

Tobias Lachmann

OIDs for Check Point SNMP system monitoring

When you have configured SNMP and Check Point SNMP Extensions on your systems, you can start with system monitoring.

For Nagios some plugins are available, and other vendors have checks for Check Point equipment built into their products.

If you don’t want to use extra plugins you may use the check_snmp plugin command that is delivered with Nagios.

SVN Status
/usr/lib/nagios/plugins/check_snmp -H $HOSTADDRESS$ -C $ARG1$ -o 1.3.6.1.4.1.2620.1.6.102.0 -s "\"OK\"" -l "SVN Status"

Security Gateway Policy Status
/usr/lib/nagios/plugins/check_snmp -H $HOSTADDRESS$ -C $ARG1$ -o 1.3.6.1.4.1.2620.1.1.1.0 -s "\"Installed\"" -l "Security Gateway Policy Status"

Security Gateway High Availability Status
/usr/lib/nagios/plugins/check_snmp -H $HOSTADDRESS$ -C $ARG1$ -o 1.3.6.1.4.1.2620.1.5.102.0 -s "\"OK\"" -l "Security Gateway High Availability Status"

Security Gateway High Availability Mode
/usr/lib/nagios/plugins/check_snmp -H $HOSTADDRESS$ -C $ARG1$ -o 1.3.6.1.4.1.2620.1.5.6.0 -s "\"active\"" -l "Security Gateway High Availability Mode"

Security Gateway High Availability Mode
/usr/lib/nagios/plugins/check_snmp -H $HOSTADDRESS$ -C $ARG1$ -o 1.3.6.1.4.1.2620.1.5.6.0 -s "\"passive\"" -l "Security Gateway High Availability Mode"

Security Management Status
/usr/lib/nagios/plugins/check_snmp -H $HOSTADDRESS$ -C $ARG1$ -o 1.3.6.1.4.1.2620.1.7.102.0 -s "\"OK\"" -l "Security Management Status"

Security Management Mode
/usr/lib/nagios/plugins/check_snmp -H $HOSTADDRESS$ -C $ARG1$ -o 1.3.6.1.4.1.2620.1.7.5.0 -s "\"active\"" -l "Security Management Mode"

If your monitoring system is using just simple SNMP queries, here are some OIDs to check for.

SVN Status – to be checked on every system

snmpget.exe -v 2c -c public 10.10.10.10 1.3.6.1.4.1.2620.1.6.102.0
SNMPv2-SMI::enterprises.2620.1.6.102.0 = STRING: "OK"
SNMPv2-SMI::enterprises.2620.1.6.102.0 = STRING: "Problem"


Security Gateway Policy Status

snmpget.exe -v 2c -c public 10.10.10.10 1.3.6.1.4.1.2620.1.1.1.0
SNMPv2-SMI::enterprises.2620.1.1.1.0 = STRING: "Installed"


Security Gateway HA Status

snmpget.exe -v 2c -c public 10.10.10.10 1.3.6.1.4.1.2620.1.5.102.0
SNMPv2-SMI::enterprises.2620.1.5.102.0 = STRING: "OK"


Security Gateway High Availability Mode

snmpget.exe -v 2c -c public 10.10.10.10 1.3.6.1.4.1.2620.1.5.6.0
SNMPv2-SMI::enterprises.2620.1.5.6.0 = STRING: "active"
SNMPv2-SMI::enterprises.2620.1.5.6.0 = STRING: "standby"


Security Management Status

snmpget.exe -v 2c -c public 10.10.10.10 1.3.6.1.4.1.2620.1.7.102.0
SNMPv2-SMI::enterprises.2620.1.7.102.0 = STRING: "OK"
SNMPv2-SMI::enterprises.2620.1.7.102.0 = STRING: "Problem"


Security Management Mode

snmpget.exe -v 2c -c public 10.10.10.10 1.3.6.1.4.1.2620.1.7.5.0
SNMPv2-SMI::enterprises.2620.1.7.5.0 = STRING: "active"

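As an added example (not part of the original post), here is the comparison logic behind those Nagios checks written as shell functions, fed with constructed snmpget lines in the format shown above. The poll itself is left out so the functions can be exercised without a gateway; in production the lines would come from snmpget or check_snmp. Two kinds of check are shown: SVN, policy and management status are compared against one expected value, whereas the ClusterXL mode is treated as informational, since a standby member is healthy too (the two separate active/passive checks above would otherwise always alert on one cluster member).

```shell
#!/bin/sh
# Added example: the comparison logic of the Nagios checks above, as shell
# functions. The snmpget lines below are constructed; a real poller would
# produce them with: snmpget -v 2c -c <community> <host> <oid>
set -eu

OK=0; CRITICAL=2; UNKNOWN=3    # Nagios return codes

# Pull the value out of a STRING response, e.g.
#   SNMPv2-SMI::enterprises.2620.1.6.102.0 = STRING: "OK"   ->  OK
# Prints nothing for any other response (No Such Object, timeouts, ...).
snmp_string_value() {
    printf '%s\n' "$1" | sed -n 's/.*= STRING: "\(.*\)".*/\1/p'
}

# check_expect "<snmpget line>" "<expected value>" "<label>"
# SVN status, policy status and management status have one healthy value each.
check_expect() {
    value=$(snmp_string_value "$1")
    if [ -z "$value" ]; then
        echo "UNKNOWN - $3: no STRING value in response"; return $UNKNOWN
    elif [ "$value" = "$2" ]; then
        echo "OK - $3 is $value"; return $OK
    else
        echo "CRITICAL - $3 is $value (expected $2)"; return $CRITICAL
    fi
}

# check_ha_mode "<snmpget line>"
# A standby member is healthy, so only a value that is neither active nor
# standby is a failure; which member is active is reported, not alerted on.
check_ha_mode() {
    value=$(snmp_string_value "$1")
    case "$value" in
        active|standby) echo "OK - HA mode is $value"; return $OK ;;
        *) echo "CRITICAL - HA mode is '$value'"; return $CRITICAL ;;
    esac
}

# Constructed responses in the format snmpget prints
svn_ok='SNMPv2-SMI::enterprises.2620.1.6.102.0 = STRING: "OK"'
svn_bad='SNMPv2-SMI::enterprises.2620.1.6.102.0 = STRING: "Problem"'
policy_ok='SNMPv2-SMI::enterprises.2620.1.1.1.0 = STRING: "Installed"'
ha_standby='SNMPv2-SMI::enterprises.2620.1.5.6.0 = STRING: "standby"'
no_such='SNMPv2-SMI::enterprises.2620.1.5.6.0 = No Such Object available on this agent at this OID'

# Demo run; "|| rc=$?" keeps the script going under set -e when a check fails
rc=0
check_expect "$svn_ok"    OK        "SVN Status"    || rc=$?
check_expect "$svn_bad"   OK        "SVN Status"    || rc=$?   # CRITICAL
check_expect "$policy_ok" Installed "Policy Status" || rc=$?
check_ha_mode "$ha_standby"                         || rc=$?
check_expect "$no_such"   OK        "HA Status"     || rc=$?   # UNKNOWN
```

A response without a STRING value is reported as UNKNOWN rather than CRITICAL on purpose: it usually means the Check Point SNMP extension is not active or the poller cannot reach port 161, which is a monitoring problem rather than a gateway problem.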

Tobias Lachmann

Exclude the external address of VPN peer gateway from encryption domain

When you define a peer gateway for a VPN community, you also have to define the topology of the gateway that is used for VPN connections. This is the encryption domain.

Defining an encryption domain for external VPN peer

What you don’t see is that the encryption domain does not only include the IP addresses of networks associated with the gateway, but also the gateway IP address itself.

Other vendors, Cisco for example, do not share this behaviour: they only use the explicitly defined encryption domains.

Common scenario:

You have a VPN with a partner and exchange encrypted traffic. In addition, the partner offers you webpages available over the Internet and reachable over the official IP address of his VPN gateway.

When you try to access this webpage from within your network, the traffic will be sent encrypted to the remote gateway, let’s say a Cisco ASA firewall.

The Cisco ASA does not consider its outside IP address part of its own encryption domain and refuses to create an SA. So your connection attempt will fail.

The solution to this is to exclude the external IP address of the remote VPN peer gateway from VPN.

For this purpose edit the file $FWDIR/lib/crypt.def on the Security Management and change the line
#define NON_VPN_TRAFFIC_RULES 0
to:
#define NON_VPN_TRAFFIC_RULES (dst= IP_Address_Of_VPN_Peer)

Please be aware that this is the way for version R70 and above.

If you have a R75 Security Management that is managing R70 or R71 gateways, you have to edit the file in the compatibility package directory instead.
/opt/CPR71CMP-R75/lib/crypt.def
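
As an added example (not from the post), the following shell functions make that edit with a backup and a sanity check rather than by hand. They assume the define sits on a single line, as shown above, and that several peers can be excluded by combining `(dst=...)` terms with `or`, which the post does not show and is an assumption here. A policy install is still needed before the gateways pick up the change, since crypt.def is compiled into the policy.

```shell
#!/bin/sh
# Added example: rewrite the NON_VPN_TRAFFIC_RULES define in crypt.def with a
# backup and a sanity check. Assumed, not shown in the post: several peers can
# be combined with INSPECT "or", and the define occupies a single line.
set -eu

# non_vpn_rules_expr 198.51.100.1 [198.51.100.2 ...]
#   -> (dst=198.51.100.1) or (dst=198.51.100.2)
non_vpn_rules_expr() {
    rules=""
    for ip in "$@"; do
        case "$ip" in                      # crude shape check, not full validation
            ""|*[!0-9.]*) echo "not an IPv4 address: '$ip'" >&2; return 1 ;;
        esac
        if [ -z "$rules" ]; then rules="(dst=$ip)"; else rules="$rules or (dst=$ip)"; fi
    done
    printf '%s\n' "$rules"
}

# current_non_vpn_rules /path/to/crypt.def -> the define's current value
current_non_vpn_rules() {
    sed -n 's/^#define NON_VPN_TRAFFIC_RULES[[:space:]]*//p' "$1"
}

# set_non_vpn_rules /path/to/crypt.def 198.51.100.1 [198.51.100.2 ...]
# Refuses to touch a file where the define is missing or duplicated, keeps a
# timestamped backup, and rewrites only the define line.
set_non_vpn_rules() {
    file="$1"; shift
    count=$(grep -c '^#define NON_VPN_TRAFFIC_RULES' "$file" || true)
    if [ "$count" -ne 1 ]; then
        echo "expected one NON_VPN_TRAFFIC_RULES define in $file, found $count" >&2
        return 1
    fi
    rules=$(non_vpn_rules_expr "$@") || return 1
    cp -p "$file" "$file.bak.$(date +%Y%m%d%H%M%S)"
    tmp=$(mktemp)
    awk -v repl="#define NON_VPN_TRAFFIC_RULES $rules" \
        '/^#define NON_VPN_TRAFFIC_RULES/ { print repl; next } { print }' "$file" > "$tmp"
    cat "$tmp" > "$file"        # write in place; keeps owner and mode of the original
    rm -f "$tmp"
    echo "$file: NON_VPN_TRAFFIC_RULES is now $(current_non_vpn_rules "$file")"
}

# Usage on the Security Management: sh set_non_vpn_rules.sh $FWDIR/lib/crypt.def 198.51.100.1
if [ $# -ge 2 ]; then set_non_vpn_rules "$@"; fi
```

For R70/R71 gateways managed from R75 the same call is made against the compatibility package copy named above.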

Tobias Lachmann

SSL Network Extender E75 available

The SSL Network Extender E75 is now available.

sk65210 has all the information about it.

We now have support for Mac OS X 10.6.8 up to 10.7.2, both 32-bit and 64-bit. Some Linux distributions are now supported in 32-bit and 64-bit as well.

I was testing the EA2 version of this software and had no problems. So I suggest that you update asap if you want to enjoy the new OS support.

Release Notes can be found here.

Known Limitations are here.

Tobias Lachmann

Mount USB stick on appliance or SPLAT

Ever wanted to use a USB stick on an OpenServer running SPLAT or on an appliance?

Just connect the device to a USB port of your choice.

1. Load the appropriate kernel module for handling the USB device
modprobe usb-storage

2. Check which new device was added, for example /dev/sdb1 (the internal disk is usually /dev/sda)
fdisk -l

3. Create a mount point
mkdir /mnt/usbdisk

4. Mount USB device
mount /dev/sdb1 /mnt/usbdisk

5. Use the device to transfer data as you like

6. Unmount USB device
umount /mnt/usbdisk
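
Here is an added example (not from the post) that turns those steps into a small script and removes the guesswork about the device name: it records /proc/partitions before the stick is plugged in and mounts whatever new partition appears. The detection is a separate function so it can be checked against the constructed /proc/partitions contents included at the bottom; the mount options (noexec, nosuid, nodev) are my addition.

```shell
#!/bin/sh
# Added example: mount a USB stick on SPLAT without guessing the device name.
# Partition detection is a separate function so it can be checked against the
# constructed /proc/partitions contents at the bottom.
set -eu

# new_partitions "<before>" "<after>"
# Both arguments are the text of /proc/partitions; prints the partition
# names (sdb1, not the whole disk sdb) present in "after" but not in "before".
new_partitions() {
    before=$(printf '%s\n' "$1" | awk '$4 ~ /^sd[a-z]+[0-9]+$/ { print $4 }')
    after=$(printf '%s\n' "$2" | awk '$4 ~ /^sd[a-z]+[0-9]+$/ { print $4 }')
    for p in $after; do
        printf '%s\n' "$before" | grep -qxF "$p" || echo "$p"
    done
}

# mount_usb /mnt/usbdisk : run in expert mode, insert the stick when asked
mount_usb() {
    mp="$1"
    modprobe usb-storage
    before=$(cat /proc/partitions)
    echo "Insert the USB stick now and press Enter"; read -r _
    sleep 3                                   # let the kernel finish probing
    after=$(cat /proc/partitions)
    new=$(new_partitions "$before" "$after")
    count=$(printf '%s\n' "$new" | grep -c . || true)
    if [ "$count" -ne 1 ]; then
        echo "expected exactly one new partition, found: ${new:-none}" >&2; return 1
    fi
    mkdir -p "$mp"
    # nothing on the stick should be executable or setuid on the firewall
    mount -o noexec,nosuid,nodev "/dev/$new" "$mp"
    echo "mounted /dev/$new on $mp; umount $mp when done"
}

# Constructed /proc/partitions samples: internal disk only, then with a stick
PARTS_BEFORE='major minor  #blocks  name

   8     0   78150744 sda
   8     1     104391 sda1
   8     2   78043770 sda2'
PARTS_AFTER="$PARTS_BEFORE
   8    16    3921920 sdb
   8    17    3919872 sdb1"
```

A stick without a partition table shows up only as a whole disk (sdb) and is deliberately not matched; mount it by hand in that case.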

Tobias Lachmann

UTM-1 Edge firmware 8.2.44 with security fix

Check Point reported that security vulnerabilities were detected in the WebUI of UTM-1 Edge appliances, related to “XSS, CSRF, information disclosure and offsite redirection”.

All firmware versions in 6.x, 7.x and 8.x are affected.

The only firmware with these issues resolved is 8.2.44, which is available for download.

I would suggest that everyone should apply the latest firmware as soon as possible.

Release Notes can be found here.

See all downloads here.

Tobias Lachmann

New Appliances support slide rails. How about slide rail support?

Starting with the new Check Point 4200 appliance you can get slide rails instead of fixed rack mounting, which is quite nice. The price for a pair of slide rails is $300. Quite high, but I can live with it.

Now here’s the funny thing: when you use the Quote Tool from Check Point and have the slide rails picked, it will offer you SUPPORT for it. Rate is 10% of the list price. Per year!

Support contract for slide rails
Guys…… seriously: why should someone buy support for a slide rail? What do you offer the customer for the money? How likely is it that a slide rail has to be replaced or serviced? Or can we expect hardware updates for this part in the near future that would justify the support fee?

Any comments on this greatly appreciated!

Tobias Lachmann

Configuring system monitoring with SNMP for Check Point security gateways and security management

If you want to monitor your Check Point environment, for example with Nagios or Icinga, you need to activate SNMP.

Here’s a quick How-To for Secure Platform (SPLAT):

1. Enable SNMP

1.1 Show existing users (=community string)
[Expert@firewall]# snmp user show
public
 

1.2 Delete user “public”

[Expert@firewall]# snmp user del public
Stopping snmpd: [ OK ]
/usr/sbin/snmpmonitor: Trap Server is not defined [ OK ]
[Expert@firewall]#


1.3 Create new user

[Expert@firewall]# snmp user add noauthuser YOURCOMMUNITYHERE
Stopping snmpd: [ OK ]
Starting snmpd: [ OK ]
[Expert@firewall]# /usr/sbin/snmpmonitor: Trap Server is not defined
[Expert@firewall]#


1.4 Enable service

[Expert@firewall]# snmp service enable
/usr/sbin/snmpmonitor: Trap Server is not defined [ OK ]
[Expert@firewall]#


[Expert@firewall]# snmp service stat
SNMP service enabled and listening on port 161.
[Expert@firewall]#


2. Enable Check Point SNMP extension

2.1 Check status

[Expert@firewall]# cp_conf snmp get

Currently SNMP Extension is NOT active
[Expert@firewall]#


2.2 Enable extensions

Please note that this will cause a restart of Check Point services!

[Expert@firewall]#cp_conf snmp activate
(...) Restart messages for cpstop / cpstart
[Expert@firewall]#


[Expert@firewall]# cp_conf snmp get

Currently SNMP Extension is active


3. Check for correct SNMP configuration

The SNMP daemon is listening on port 161, the Check Point SNMP daemon on port 260. The Check Point daemon does not have to be queried directly: the standard SNMP daemon acts as a proxy for it.

[Expert@firewall]# netstat -an | egrep -e "(:260|:161)"
udp 0 0 0.0.0.0:260 0.0.0.0:*
udp 0 0 0.0.0.0:161 0.0.0.0:*


4. Restart snmp daemon

[Expert@firewall]# snmp service disable
Stopping snmpd: [ OK ]
[Expert@firewall]# snmp service enable
/usr/sbin/snmpmonitor: Trap Server is not defined [ OK ]


5. Add a rule to your rule base that allows the monitoring system to poll the firewall over SNMP (UDP port 161).

6. Configure your system monitoring as you like.

For Nagios/Icinga I recommend the check_snmp_cpfw.pl plugin.

Tobias Lachmann

Endpoint Security E80.30 is coming

In November we can expect the new version of Endpoint Security, E80.30.

With this release we’ll see the usual bug fixing as well as some really interesting new features:

  • Virtual directories – used to group for example unmanaged clients without AD
  • Support for smart cards in FDE pre-boot user authentication
  • Client support for Windows Server 2003 and 2008 – limited to AV, Compliance and Firewall blade

Personally I’m excited about virtual directories as I need this feature for environments not managed by AD.

And the possibility to install Endpoint Security with AV blade on a Windows Server gives you the power to have a company wide security solution with a single management. Very nice.

Can’t wait to test the new release.

Tobias Lachmann

My thoughts about CPUGCON2011

Last month I attended my third Check Point User Group Conference in Chur.

To go from Hamburg to Chur you first have to travel by plane to Zurich and then go by train to Chur. All in all about 5 hours of travel.

This is quite a distance but I really enjoy the Swiss landscape and the Alps.


Swiss Alps near Chur

The conference was held at Würth ITensis AG, the IT company of Würth AG. Within the building and right in front of the conference rooms we have a nice museum with all kind of modern art.

Modern art in the Würth building

The atmosphere there is really nice and I enjoyed it very much.



The first day started with Silvia Hagen, chairman of the Swiss IPv6 Council, and her presentation on IPv6. Silvia advised us again to prepare for IPv6 and begin with the planning. I really enjoyed this presentation because Silvia is a very talented speaker and knows how to attract people’s attention.


A lot of presentations were done by Valeri Loukine, CCMA #19 and one of the most skilled IT security people I know. He’s an intense guy – as you can tell by his look – and gave very intense presentations with lots of knowledge.


Sadly I have to say that I wasn’t satisfied with the presentations overall. We had sponsors speaking within the normal schedule (Tufin, Crossbeam) and therefore conference attendees paid for these presentations. It is okay with me if sponsors present within a parallel session and one can decide to attend or not. But being the only presentation in the normal schedule is not the right way.

Also I missed a broad variety of themes and speakers. In 2009 we had Rob Mitch, Valeri Loukine, Martin Hoz, Carsten Löhn, Yasushi Kono and myself presenting. Different topics, different styles of presentation, different focus on products, different opinions. Quite interesting. But in 2010 it started to go down, we had fewer speakers and the topics didn’t seem to reflect what the crowd wanted to hear.

I presented my impressions to Barry Stiefel along with ideas on how to improve the conference so that everyone can get more out of it. But sadly I have to say that I couldn’t see real improvement this year. In my impression it’s getting worse. And as last year you won’t find the speakers’ presentations on the CPUGCON webpage by now. And I wouldn’t expect them to be published. Barry also recorded all presentations on camera to put them on a webpage. But again there’s no such material – not from last year, not from this year. It stays in Barry’s private collection, I guess. Sad thing.

What I did enjoy was meeting fellow administrators and consultants from many different countries. Always nice to see these guys.

Yasushi, Matthias and Tobias at CPUGCON2011

Also the presentation of the swiss cheese maker Mike Glauser was very interesting and full of things I wasn’t aware of when it comes to cheese.



We were allowed to try his cheese, which was a great experience. Rich in different flavors.


On the second day we visited a mountain brewery for dinner which was quite nice.



But apart from meeting people and enjoying non-technical presentations (cheese maker, brewery) I think I did not get enough out of the conference to justify the money spent. The lowest conference fee is nearly €600,–. Together with travel expenses you have to invest about €1100,– to attend – not counting the three days out of office where you can’t earn any money for the company.

And after all it is the “Barry Stiefel Show”. He’s in charge of everything and decides what to do and what not to do. He claims to cultivate the community aspect and to speak for thousands of CPUG members but I honestly think he lost contact with the base of the CPUG community. Mostly I see this as a money-earning activity for Barry more than a community event.

The fact that Check Point isn’t attending or supporting the conference is due to the (in my opinion purely personal) conflicts Barry has with Check Point. This year we had a Check Point employee attending “undercover”. It is no good sign that this seems to be necessary… From a Check Point User Group Conference I would expect that the vendor is attending and also presenting deeply technical stuff. But Barry wants Check Point only to attend if they pay for the employees going to the conference or even sponsor the whole event. Very sad… Imagine how much in-depth knowledge guys from Check Point could deliver to the administrators and consultants who use the products every day. Imagine the feedback from both sides that could be exchanged. Imagine even the possibility that we might see some EA version (GAIA?) if the vendor would attend. But because Barry’s only contact at Check Point is Phoneboy, we cannot expect things to change.

Sadly I can’t see any improvements in the conference organisation, the variety of presentation and in the collaboration with the vendor. Not in 2010, not in 2011.

This leads me to the point that I think I will not attend the next CPUGCON. Although I would like to meet all the guys and to give some presentations for myself. But I cannot justify the costs for the event to my employer any longer if I don’t get as much out of it as I should.

Tobias Lachmann

Endpoint Security E80.20 – works like a charm

Just wanted to report that I installed a new Endpoint Security environment for a customer with E80.20.

Took me 3 hours for the Windows Server 2008 R2 as base and another 3 hours for the initial installation and configuration of the Endpoint Management Server.

Now we’re distributing the Endpoint Clients to the users and it works like a charm.

If I compare this to the old R7x solution of Endpoint Security, Check Point made a great step forward.

I really enjoy the product in the way it is right now!

Tobias Lachmann

can’t find ::cpsb-ia in cp.macro. license version might be not compatible

Maybe some of you enabled the Identity Awareness license in their UserCenter, as Check Point is offering this for free this year.

Identity Awareness advert in UserCenter
If you did so, you may receive the error “can't find ::cpsb-ia in cp.macro. license version might be not compatible” after you re-licensed and installed the new license in your environment.

Don’t be scared, there is no serious error behind this message.

But some older versions (R71.30 for example) ship with a cp.macro file that does not contain the necessary information about the IA blade license strings, as the product was not available when the file was built. The message only means that the license string is not recognized by that file; it does not affect the other blades in the license.

And: you don’t need the license until R75.10 anyway.

So just ignore the message. Or contact Check Point support to get an updated cp.macro file for your installation.

Refer to sk30478 for more information.

Tobias Lachmann

Exciting news – new appliances from Check Point

This week Check Point announced a new set of appliances as well as a new software solution for dealing with botnet infected clients.

The most interesting part from my point of view are the appliances.

2200 series appliance

We now have the 2200 appliance, which has a desktop form factor. It comes with 6 Gigabit Ethernet ports and has a SecurityPower of 114. This is more power than a UTM-1 570 appliance has, for less than half the price.
This model starts at $ 3600,–. Very interesting approach.

I would see this as a branch office firewall, but for direct internet access. A lot of companies deploy firewalls in the branch offices but route all traffic over a VPN to the central site to have it checked for malware, because the central site has much more capable hardware.

With the new 2200 appliance I see the opportunity to give all branch offices direct internet access and scan the traffic for malware directly at the local site instead of central scanning.

Based on the security power I would say the 2200 appliance is good for up to 20 Mbit/s real world traffic fully scanned. Maybe even more, as this appliance has 2 GB of RAM installed. Something that was really needed for the UTM-1 models.

4000 series appliances

Check Point calls this series Enterprise Grade, which is quite reasonable. This series is rack mountable and there’s an optional slide rail kit available.

The 4200 and 4600 appliances have 114 and 374 SPU with 4 and 8 Gigabit Ethernet ports respectively. No LOM card, no optional redundant power supplies – but at least 4 GB of RAM. Pricing starts with model 4205 at $ 4900 and at $ 11.000 for model 4607.

The 4800 appliance has 623 SPU and comes with 4 GB of RAM together with 8 Gigabit Ethernet ports. But with this model you can get a LOM card, redundant power supplies and a memory extension to 8 GB. However, no redundant disk drives. Pricing starts at $ 21.000 for model 4807.

12000 series appliance

These are the Datacenter Grade appliances. It starts with the 12200 model with SPU of 738. It has 8 Gigabit Ethernet ports and 4 GB of RAM, upgradable to 12 GB. For this machine you can have an additional redundant hard drive and an additional redundant power supply. Pricing starts at $ 29.000 for model 12207.

The 12400 has 1046 SPU and starts at $ 45.000 for model 12407.

The 12600 has 1861 SPU and starts at $ 59.000 for model 12607. The standard configuration delivers 14 Gigabit Ethernet ports, 6 GB of RAM, two redundant hard drives with RAID 1 and redundant power supplies. LOM card however is optional.

For a full overview of the new line of appliances I recommend that you consult the comparison chart.

Along with the appliance you can get a fairly priced set of packages: Extended Threat Protection, Web Control, UTM+, DLP+ and Extended Security. These are bundles of service blades which are cheaper than the sum of every single blade price in the package.

All in all Check Point is on the right way. The hardware is more up to date than the current UTM-1 series for example. It will be interesting to see what kind of hardware is actually inside the machines.

We have more memory, which is a good thing and will help a lot. But the integrated management license still cannot be installed separately, which would take some performance-intensive operations away from the gateway itself. Maybe in the next iteration.

As for the botnet blade: I have to investigate a little bit more and will hopefully cover this in one of the next posts.

Tobias Lachmann

Are you kidding me – what happened next….

In my last post I wrote about licensing fun with Check Point.

Someone made a small mistake that led to issuing 1001 endpoint container licenses with one seat instead of one license with 1001 seats.

My distributor was sorting out things with Account Services from Check Point and I had no doubt that this issue would be fixed quickly.

I just thought it was a funny thing to post!
But damn, did Check Point take this one seriously!

I was contacted directly by Endpoint Product Management as well as Account Services and they fixed this issue within one hour!

Guys, thank you for your quick response. I was totally relaxed about this issue and fixing it within days would have been sufficient for me.

But with fixing it within one hour, you really nailed it 🙂

Good work!

Tobias Lachmann

Are you kidding me?

Licensing fun with Check Point……

I ordered for a new installation Endpoint container for 1001 users.

Guess what I got? 1001 single licenses for an Endpoint container with 1 seat.

Can’t find words to describe how messed up my UserCenter account looks right now 🙂

What does Account Services say to this? Everything’s okay, it is the way it should be.

Guys…… how can I attach my one Endpoint Antimalware blade license which is for 1001 seats to the appropriate container?

Seems very unlikely to me that this is the way it should be.

Will be interesting to see how this is sorted in the end.

Tobias Lachmann

PS: Added the new category “Fun” to this blog. No other category where this post would fit in 🙂

Identity Awareness ≠ User Directory ?

In a previous blog post I reported that you can use the Identity Awareness feature to get the functionality for authenticating your VPN user against your Microsoft Active Directory for free.

Check Point now contacted me to state that this is limited to certain features only.
Only Check Point Account Service can tell you for sure if the required features are enabled / usable when using IA instead of User Directory.
Contact your local Check Point partner and let him clarify your demand against Account Services.

To be sure, just buy User Directory blade and you’ll get the features you need for sure.

Tobias Lachmann

Abra is becoming Check Point GO

While checking out the new training blades for Check Point certification, I visited the eStore by Check Point.

Turns out that not only training manuals and blades are available, but also Starter Kits.

These Starter Kits are labeled Check Point GO but are clearly Abra sticks.
So we can expect a renaming soon.

I like the new name better as it reflects the mobility you have with this product.

Tobias Lachmann

Appliance performance

Oh, I love the new Appliance Selection Tool! And one gets such interesting numbers from it!

If you look at the Appliance Comparison Chart you’ll see that the max throughput for a UTM-1 270 with IPS is 1 Gbit/s. When you play around with the Appliance Selection Tool you’ll see that with Firewall and IA blades (both mandatory) and additional IPS blade you can only get 77 Mbit/s throughput.

So in real life we can only have less than 10% of the numbers published so far.

Just with the firewall blade it is 390 Mbit/s real world traffic against 1.5 Gbit/s max throughput from the “old” datasheet.

On the one hand it was time to have some numbers on real-world traffic, but on the other hand it is very brave of Check Point to make this tool available to the customers.

Hopefully other vendors will do the same.

Tobias Lachmann

Appliance Selection Tool is online as Beta [Update]

We waited some time, but now the Appliance Selection Tool is online!

It’s not supporting all blades by now, but enough to play around and get a first impression.

Also they published information about the test method.

Very nice from what I can see for the moment.

Tobias Lachmann

UPDATE: Sadly it is like I supposed: the tool wasn’t supposed to be publicly available on the Internet. Check Point has taken it down and will re-release it in Q4.

New book on IPv6 from Silvia Hagen

Today we had the speakers dinner before the CPUG conference 2011.

Silvia Hagen was there, who delivered very good presentations on IPv6 last year and is going to speak again this year. Silvia is publishing a new book on IPv6 with O’Reilly: Planning for IPv6. The book will be in stores starting from 27th September but I was lucky to get one copy from her today as a present.

I can really recommend this book, having read half way through it by now. It’s fully packed with information and best practices on how to plan for IPv6, special things that you should keep in mind and considerations for long-term strategies.

Tobias Lachmann

Only one day until CPUG CON 2011 in Chur

I just arrived in Chur today. While we had excellent weather the last two years, it’s raining at the moment. But the forecast says that we’ll get some nice sun and I’m really looking forward to it.

Just finished my last slides for the presentation tomorrow, some minor changes had to be made. Hopefully I did a good job here.

The speaking schedule is already published, I’m going to present right after Silvia Hagen who is opening the conference with a one-hour introduction to IPv6. Since we have no other presentation at the same time, I can expect to have the full attention of all conference participants.

Silvia’s presentation last year opened some perspectives for all of us on IPv6 and it will be interesting to see how many have played around with it by now or are even using it in production.

More of CPUG CON 2011, IPv6 and my presentation in the next days.

Tobias Lachmann

Some numbers….

This blog is now running for about two years and I gathered some numbers:

At the moment we have 166 posts and 46 categories.

Per month we have about 2400 visitors.

The most references come from cpug.org, cpshared.com and google.com

Thank you all for making my blog a success and for your comments that give me inspiration and something to think about.

Tobias Lachmann

IPv6 on Check Point Security Gateways

During the preparation of my speech for the upcoming CPUG conference I did research on the roadmap for IPv6 on Check Point Security Gateways.

I couldn’t believe that you still have to use the IPv6Pack for R70.1 to get at least some features in combination with IPv6, because this version will be out of support in about 18 months according to the Check Point support life cycle.

But according to Check Point we will have a new IPv6Pack “somewhere in the future” – but not in the R75 release train.

I would think that we’ll see their next step when introducing GAIA.

Check out my slides from the IPv6 presentation in one of the next posts during the next two weeks.

Tobias Lachmann

DigiNotar incident

As you all may have read in the news, the CA DigiNotar suffered from a severe security breach. Hundreds of certificates were forged including well known web sites.

Since the use of certificates is based on trust, the CA certificates from DigiNotar have to be removed because you can’t trust them anymore.

Check Point has published sk65277 with instructions on how to remove the certificates.

The sk is valid for all versions from R65 to R75 and I strongly recommend to implement it fast.

Tobias Lachmann

R75.20 GUI enhancements – and old legacies

R75.20 brings us some nice GUI improvements with SmartDashboard. The design is more up-to-date and stylish than before, I really like it.

And we have nice features like the ability to get notified when write access to Security Management is possible.

Logon to Security Management with R75.20 SmartDashboard

This is really an improvement.

But still we can find some old legacies like the peepholes at various places.

For example in SmartView Tracker while selecting an object for your filter, where you can’t see the whole object names as the field is way too small.

Object selection in R75.20 SmartView Tracker

Or in the Global Properties window; still not resizable and therefore you have to scroll a lot.

I really hope they will fix this.

Tobias Lachmann

Identity Awareness = UserDirectory?

I got confirmation from Check Point Germany that the use of the Identity Awareness blade also enables the ability to authenticate remote access users for VPN against an Active Directory.

This means that a customer can obtain the IA blade which is free of charge at the moment. You can get it through the UserCenter by the way. After licensing and enabling this blade you can also configure an MS AD LDAP server to authenticate. Either use the wizard of the IA blade or do it by hand.

Very nice because you don’t need the expensive UserDirectory blade as long as you only want to authenticate against Active Directory.

For writing and changing the Active Directory you still need the UserDirectory blade, also for accessing LDAP directories from other vendors.

But most likely you will find AD in the field, so the customer gets a nice feature for free.

Hopefully this feature will remain accessible in the next versions as it is now; Check Point may change licensing or technical details without advance notice. So be careful when using the IA blade for authenticating remote access users and be prepared to buy the UserDirectory blade when something goes wrong 😉

Tobias Lachmann

GAIA

For a couple of months I have wanted to write something about GAIA, the upcoming Check Point OS.

The reason that I did not post anything is because I don’t know much more than the information shown on the official website.

In the beginning of 2009 I had contact with the responsible product manager for GAIA and VPN-1 VE and we had a telephone call for several hours where he asked me for my experience with SPLAT and the UTM-1 appliances which run a modified SPLAT. I gave tons of input and we agreed to work together in the development process.
But because this guy left Check Point a couple of months later I was cut off from any information. No screenshots, no alpha version, no beta testing…

So by now I can only tell you that GAIA will be derived from SPLAT and is Linux based. We can expect it to be 64 bit, which will solve some memory limitations. The CLISH from IPSO is still there and there is a very granular rights management. You can define which administrator has which rights on the system and which commands he can issue.

Seems that they have a focus on this feature, but I cannot see much benefit from this one for my clients.

I hope for more hardware support including 10GE cards from all major vendors on OpenServer systems.
Also I’d like to see LVM on normal SPLAT together with enhanced USB handling (backup on a stick for example).

During the CPX in Barcelona in May I found out that even the German guys at Check Point did not have an EA version of GAIA at that time. Personally I think this is a shame.

There were rumors that one can propose customers to become part of the EA program….. but hey: how can I propose a customer when I don’t know what features your new OS will have?

All in all I’m not happy about the way Check Point is handling GAIA and the information regarding details and features.
🙁

Tobias Lachmann

Check Point 61000 appliance

Just to let you know: the list price for a 61000 appliance system with 1x Chassis Management Module , 2x Security Switch Module with 6x 10 GE fiber ports and 2x Security Gateway Module along with power supplies and license for 5 blades is starting at $ 195.000,– according to my sources. But in this pricing area you will always have NSP pricing within a project.

Tobias Lachmann

Check Point 21400 appliance

I just had a look at the datasheet and the pricelist of the Check Point 21400 appliance.

I can’t believe that the system starts at $ 115.000,– for just the box with license, 12 GB RAM, 13x Gigabit Ethernet-Ports and redundant drives, fans and power supplies.

If you buy an HP DL380 G7 server fully loaded with 12 cores, 24 GB RAM, redundant hard drives, fans and power supplies it costs about $ 10.000,–. And the SG1207 with additional blades is about $ 54.000,–.

So the Check Point appliance is $ 115.000,– compared to OpenServer for $ 64.000,–.
We don’t know what is inside the appliance yet, but I would bet that it is not faster than 2x Xeon X5690 running with 12 cores at 3.45 GHz which are inside the OpenServer.

Apart from the fact that a low-latency acceleration card is coming in 2012 for the appliance, there seems to be no reason to buy such a high-priced appliance instead of OpenServer hardware which can deliver the same or better performance.

Still searching for the reason why anyone would do this…… any hints?

Tobias Lachmann

Thinking about Security Power…..

Check Point introduced a new metric called Security Power. They want to provide more useful information about the realistic performance of their appliance beside from “show off” numbers which claim high throughput.

This is a good and valid approach because max. throughput is measured with just one rule in the rulebase (any-any-any-accept) and the traffic consists only of 1500 byte long UDP packets. Plain and simple traffic, nothing really to do here for the firewall.

On the other hand we can have the worst case, which would be 64 byte TCP packets. Here we have only small numbers when it comes to throughput, nothing worth to be found on a marketing slide.
But even this number is important as it defines the lower end of performance for a system: the firewall does its work per packet, so the packet rate, not the bit rate, is what saturates it.

Short story about this: once we had massive performance problems at a customer site. Some web-based application was running very slowly and the firewall was nearly at 100% CPU. We couldn’t find anything at first as the firewall was operating within normal parameters apart from the high CPU load. Was this a bug in the software? A hardware failure? After some unsuccessful searching I did a traffic capture with fw monitor and analysed it with Wireshark. The distribution of packet sizes showed me a very high occurrence of really small packets. Looking further into the dump I realized that they derived from short LDAP queries that were going through the firewall. In terms of throughput it was not that significant. But in terms of number of packets it was significant. Luckily I had some information from inside Check Point about the performance of appliances in best and worst case scenarios. We could match the hardware from one of the appliances to the OpenServer system the customer firewall was running on, they were nearly the same. Then we compared the number of LDAP queries we had seen on the live system to the number of 64 byte TCP packets that could be handled by the appliance at best. And we found out that the 100% CPU load on the customer system was not coming from a software bug or hardware issue but from the firewall operating at the maximum performance it could deliver for that kind of traffic.
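The following is an added example, not code from the original post, that puts the reasoning of the LDAP story into numbers: it takes a packet-length histogram of the kind Wireshark shows for an fw monitor capture and computes which size class dominates the bytes (what a throughput graph shows) versus the packets (what the firewall actually has to process). The histogram and the 1 Mpps small-packet ceiling are constructed figures for illustration, not measurements from any appliance; the assumption that per-packet cost is roughly constant is mine and is labelled in the code.

```python
"""Added example (not from the original post): why a firewall can sit at 100% CPU
while the link looks nearly idle in Mbit/s.

The histogram below is constructed to resemble what Wireshark's packet-length
statistics show for an fw monitor capture dominated by short LDAP queries; the
counts are invented for illustration and are not measurements from any system.
"""

# (packet size in bytes, packets seen in a one-second window); constructed data
SAMPLE_HISTOGRAM = [
    (64, 180_000),   # short LDAP requests/responses and bare TCP ACKs
    (128, 20_000),
    (512, 8_000),
    (1500, 25_000),  # full-size frames from bulk HTTP transfers
]


def traffic_shares(histogram):
    """Return {size: (share_of_bytes, share_of_packets)}.

    The byte share is what a throughput graph shows; the packet share is what
    the firewall's per-packet processing actually sees.
    """
    total_packets = sum(count for _, count in histogram)
    total_bytes = sum(size * count for size, count in histogram)
    return {
        size: (size * count / total_bytes, count / total_packets)
        for size, count in histogram
    }


def packets_per_second(bits_per_second, packet_size):
    """Packets per second needed to carry bits_per_second in packet_size-byte
    packets (payload only; Ethernet framing overhead ignored)."""
    return bits_per_second / (packet_size * 8)


def sustainable_throughput(max_pps, histogram):
    """Estimate the bit/s a gateway can sustain for the given traffic mix.

    Assumption (mine, not from the post): the cost per packet is roughly
    constant, so the packet-rate ceiling measured with 64-byte packets is the
    binding limit for any mix, and throughput scales with average packet size.
    """
    total_packets = sum(count for _, count in histogram)
    avg_size = sum(size * count for size, count in histogram) / total_packets
    return max_pps * avg_size * 8


if __name__ == "__main__":
    for size, (by_bytes, by_packets) in traffic_shares(SAMPLE_HISTOGRAM).items():
        print(f"{size:5d} B: {by_bytes:5.1%} of bytes, {by_packets:5.1%} of packets")
    # A gateway whose small-packet ceiling is 1 Mpps (hypothetical figure):
    ceiling = 1_000_000
    print(f"{sustainable_throughput(ceiling, SAMPLE_HISTOGRAM) / 1e9:.2f} Gbit/s at this mix")
    print(f"{sustainable_throughput(ceiling, [(64, 1)]) / 1e6:.0f} Mbit/s if all 64-byte packets")
    print(f"{sustainable_throughput(ceiling, [(1500, 1)]) / 1e9:.1f} Gbit/s if all 1500-byte packets")
```

With this mix the 64-byte class carries about a fifth of the bytes but more than three quarters of the packets, which is exactly the situation where a throughput graph says "no problem" while the CPU says otherwise. The same gateway that would forward 12 Gbit/s of 1500-byte UDP (the datasheet case) forwards only 512 Mbit/s of 64-byte packets at the same packet rate, so the gap between the two extremes is a factor of the packet size ratio, not a software defect.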

So coming back to Security Power: Check Point claims that it is measured with a rulebase consisting of 100 rules, which is fairly the amount of rules the normal customer has in its rulebase. The traffic used for measuring is a real-world traffic mix, for whatever that means. Hopefully it’s mostly HTTP, some FTP, SMTP, SNMP along with DNS, NTP and ICMP. That’s what I would expect to be real-world traffic.

Based on the rulebase, the traffic-mix and the throughput needed a value is calculated called Security Power Unit (SPU). A UTM-1 3070 can deliver a max SPU of 298 whereas a Power-1 5070 delivers 596 SPU.

The online tool that will be available shortly takes into consideration which blades you use to calculate the SPU needed. In the example Check Point provided during the webcast the key numbers were 200 Mbit/s max throughput with three blades enabled (FW, IPS, AC). The traffic type was “Internet” for whatever that means. Maybe they take into account that different real-world traffic profiles arise from the use of the Security Gateway at the perimeter or internally. When deployed internally I would expect more SMB traffic for example. The tool calculated that 205 SPU were needed to fulfill the requirements.

Let’s compare the numbers: 205 SPU are needed for 200 Mbit/s real-world traffic with FW, IPS and AC. The appliance UTM-1 3070 is capable of nearly 300 SPU (298), so the hardware will be about 69% loaded.

In the pricelist you will find that the max throughput measured the old way is 4.5 Gbit/s. So assuming a linear progression in CPU consumption linked to traffic, this means that a UTM-1 3070 at 69% load is capable of about 3.1 Gbit/s max throughput.

FW with one rule = about 3.1 Gbit/s
FW with 100 rules, IPS and Application Control = 200 Mbit/s.

Really different numbers, aren’t they?

A CCIE told me that with Cisco routers he divides the performance numbers given by Cisco by half for every feature he implements. Using NAT? 50% performance left. Using ACLs? 25% left. Using VPN? 12.5% performance left. Meaning you go from 1 Gbit/s routing performance to 125 Mbit/s while using 3 additional features.

This shows that it’s not only Check Point that has only marketing numbers out there while real-world performance is something completely different.

So I appreciate the approach of Check Point to give us something to choose the right Security Gateway for the desired environment and its needs. On CPX someone from Check Point whom I trust told me that the tool is really accurate.

It will be interesting for me to check if I chose the right appliances in the past according to the appliance selection tool.

But there’s still one thing missing with Security Power: the ability to measure also OpenServer systems.
I know that Check Point is focusing on appliances, but there are still good reasons to deploy OpenServer hardware instead of appliances. You can’t expect Check Point to deliver SPU numbers for all server / NIC combinations found in the HCL, as CPU, memory and hard drives differ from system to system and each component has influence on the performance. But some testing tool to measure the max SPU of an OpenServer would be really great. I would guess that SPU is calculated by something like instructions per second on specific hardware and that Check Point knows how much computing power is necessary to process a certain amount of traffic with selected blades. In this case you could transfer this into the OpenServer world.

Is this likely to happen? I guess not. Check Point wants to sell appliances instead of licenses, judging by their recent activities.

So we still have to stick with our appliance hardware list that can be found on this blog. And by comparing appliance hardware with your OpenServer you can estimate the performance that this system is capable of.

Also on CPX I learned that Check Point is not happy about my hardware list for the appliances. They prefer to talk about performance numbers instead of the hardware that is built into an appliance. I can totally understand them – but please try to understand our position as technical people. First of all we’re curious and we CAN find out what hardware is in the box… and therefore we will DO it 😉
Second we need to choose the right solutions for our customers day by day. And when it comes to real-world security requirements and traffic mix the Check Point performance numbers are far from being realistic. Wonderfully shown by Check Point itself in the example above with the UTM-1 3070 appliance, where the tool calculates that a fully loaded appliance will only deal with about 300 Mbit/s instead of 4.5 Gbit/s under realistic conditions. So we compare the appliances, where we have Security Power numbers and a tool, to OpenServer hardware based on the components inside the appliances.

Check Point, please understand: we need to know! Appliances are only 65% of real customers’ environments, the rest is OpenServer and we as CP partners have to cover this as well. Please give us a benchmark tool for measuring SPU on OpenServer!

And I would also prefer to have the number of max throughput with 1500 bytes UDP packets as well as 64 byte TCP packets for the appliances. This helps us also to get the right solution / core license.

Tobias Lachmann

R75.20 is available

During the live webcast today Check Point announced the release of R75.20.

sk64361 tells you all the details, including the Release Notes.

Now they re-coded the URL Filtering, which is now connected to a “cloud service” for the update of the URL categories. I think I heard about this feature already from Bluecoat several months ago, so Check Point tries to close the gap. URL Filtering is now in the same policy with Application Control. This makes sense, as AC is kind of a bigger URL Filter anyway.

We now have support for inspection of SSL encrypted traffic, which is not limited to HTTPS. This feature is used in all blades and doesn’t require an extra license. We’ll see how this works in real life, maybe this is a topic worth a speech at CPUGCON 2011?

DLP is making use of the SSL inspection and extends its features to an internal DLP solution. This involves an Exchange agent which is also in charge of checking SMTP mails sent outbound.

The logging clients such as SmartView Tracker now allow to hide usernames for specially created administrators which is very important for avoiding unnecessary user tracking.

The SmartDashboard now lets you change the mode, even if you’re already connected. And you can get a notification if you’re in read-only mode and the database lock becomes available because the other administrator has released it. Very useful. I wonder if they fixed the various “peepholes” in the SmartDashboard or SmartView Tracker, meaning non-resizable windows that make it hard to see all the content.
Reminder for myself: do a posting about this later on.

Something very important about R75.20: you can upgrade from the R71.30 release, so no dead end here any longer. This is due to the fact that R75.20 derives from the code base of R71.30.

Tobias Lachmann

New announcements from Check Point

Check Point presented some news in form of a webcast from New York.

The presentation has three main topics, first the new release R75.20 which comes with all-new URL Filtering and SSL Inspection within all the blades.

Second they introduced a new measurement of security performance called Security Power with the new unit SPU (Security Power Units). This should make the Check Point appliances more comparable and is not based solely on throughput. There will be an online tool called appliance selector where you define which blades you want to use and which throughput or users should be secured/inspected. Then, based on your input, the system calculates the number of SPU needed to fulfill your demands.

Third, Check Point introduced some new very high performance appliances for data center needs, as Check Point points out. As you may remember from one of my previous posts, I don’t see the need in data centers the way Check Point sees it. But anyway, now we have the 21400 appliance which has up to 100 Gbit/s throughput and the 61000 system which delivers up to 1 Terabit/s of throughput. Both appliances are highly customizable and redundant in themselves.

I think I will post my thoughts about all of these topics in separate postings.

Tobias Lachmann

Two new EA programs available

There are two new open EA programs available. One for R71.40 and one for E75.20.

You can register yourself for the EA in the UserCenter from the products menu.

As for R71.40 I see some improvements in IPS checks including GeoIP and enhanced operating system support for the remote access clients / mobile clients.

E75.20 brings us the long awaited secondary connect feature which allows you to connect to two sites at the same time. Also you can pre-package the client with an initial desktop security policy which is enforced right after installation.

Tobias Lachmann

The reason why we need LDAP profiles

When we configure an LDAP connection from Security Management to a directory server, we need to specify an LDAP profile in the account unit properties.

Create LDAP account unit step 1

What’s the use of these LDAP profiles? They are essentially translation tables that match the UserDirectory LDAP requests to the specific peculiarities of the directory server.

For example, Microsoft Active Directory stores a user’s group membership in the attribute memberOf of the user object. In the standard LDAP schema it is the other way round: the group object lists its members in the attribute member.

So the LDAP profile Microsoft_AD has the field GroupMembership which contains the value memberOf and therefore the UserDirectory can find the groups correctly.

LDAP profile in GUI DB Edit

We have some pre-defined profiles for Microsoft_AD, Netscape_DS, Novell_DS and OPSEC_DS. They’re visible in the drop down menu of LDAP account unit properties but cannot be shown or modified anywhere else.

The documentation states that you can define your own profile, but doesn’t explain how. As the profiles are inside objects_5_0.C I would not encourage anyone to insert information directly into this file.

The safest way seems to be if you modify an existing profile using GUIDBedit. This way you can change values, but there’s no high risk of messing up with the structure of objects_5_0.C.
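To make the “translation table” idea concrete, here is an added example (not code from the post or from Check Point) that resolves the same question, “which groups is this user in?”, against two constructed in-memory directories. Only the field name GroupMembership is taken from the post; the profile layout, the `membership_on` key, the sample DNs and the function name are assumptions for this illustration and do not mirror the real objects_5_0.C structure.

```python
"""Why an LDAP profile is needed: the same UserDirectory question has to be
asked differently depending on the directory server's schema.

Hypothetical illustration; profile fields and directory entries are
constructed for this post, not Check Point's objects_5_0.C layout."""

# Constructed profiles: which attribute carries group membership and
# whether it lives on the user entry or on the group entry.
PROFILES = {
    # Active Directory keeps the group DNs on the user object (memberOf).
    "Microsoft_AD": {"GroupMembership": "memberOf", "membership_on": "user"},
    # A standard LDAP directory keeps the member DNs on the group object.
    "OPSEC_DS": {"GroupMembership": "member", "membership_on": "group"},
}

# Constructed sample directories keyed by DN (not real directory exports).
AD_DIRECTORY = {
    "cn=John Doe,ou=ext,ou=Employees,dc=hamburg,dc=local": {
        "objectClass": ["user"],
        "memberOf": ["cn=VPNUser,ou=Groups,dc=hamburg,dc=local"],
    },
    "cn=VPNUser,ou=Groups,dc=hamburg,dc=local": {
        "objectClass": ["group"],
        "member": ["cn=John Doe,ou=ext,ou=Employees,dc=hamburg,dc=local"],
    },
}

OPSEC_DIRECTORY = {
    "uid=jdoe,ou=People,dc=example,dc=org": {
        "objectClass": ["inetOrgPerson"],
    },
    "cn=vpnusers,ou=Groups,dc=example,dc=org": {
        "objectClass": ["groupOfNames"],
        "member": ["uid=jdoe,ou=People,dc=example,dc=org"],
    },
}


def groups_of_user(directory, profile_name, user_dn):
    """Return the sorted DNs of the groups user_dn belongs to.

    The profile decides which attribute is read and on which entry; with
    the wrong profile the lookup silently returns nothing, which is exactly
    the failure you see when an account unit uses an unsuitable profile."""
    profile = PROFILES[profile_name]
    attr = profile["GroupMembership"]
    if profile["membership_on"] == "user":
        # AD style: the user entry carries the list of group DNs.
        return sorted(directory.get(user_dn, {}).get(attr, []))
    # Standard LDAP style: search the group entries that list the user.
    return sorted(
        dn for dn, entry in directory.items()
        if user_dn in entry.get(attr, [])
    )
```

Running the AD profile against the standard directory returns an empty list: the user is in a group, but the profile looks for it in an attribute the server never sets.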

Tobias Lachmann

Inside Edge X

Ever wondered what is inside a UTM-1 Edge X appliance?
What kind of hardware, what kind of software?

Well, thanks to my friend Mikael I can share some information with you.

The Edge X runs on a MIPS CPU from Brecis clocked at 166 MHz.

The operating system is uClinux running kernel 2.4.20.

The filesystem is SquashFS with LZMA compression.

WiFi is provided by Atheros.

Interesting to know, don’t you think?

Tobias Lachmann

Content Scanning on UTM-1 appliances

Dear Check Point,

why do you sell really small appliances together with blades that allow content inspection?

Honestly, it’s a pain in the ass to have antivirus activated and then for example push a policy.
You will wait forever!

And it’s damn slow even on a UTM-1 57x series appliance, which is in the middle of the UTM-1 hardware variants.
Nobody should try this with an appliance smaller than UTM-1 57x, it will simply not work.
By the way, this is also a statement that you will get unofficially from your support engineers!

I think I need to elaborate here a little bit more about what I mean.

When I do the sizing for a customer, a 57x appliance with Antivirus, AntiSpam and URL Filtering is only sufficient for max. 4 Mbit/s throughput.
The box can do some more Mbit/s, but then it is nearly at 100% CPU…. and everybody wants his system to have some reserves, right?
The box itself is fine when running with Firewall, VPN and Antivirus alone, but nowhere near the official Check Point numbers.

Small customers do not have a separate management, they use UTM-1 appliances because you can do all with one box: Gateway, Content Inspection, Management.
And every time you push a policy or view logs or do another action related to firewall management, this will have dramatic performance impacts.
Compiling a policy leads to massive CPU usage (load of 15 and more), massive memory usage (nearly no free memory and about 800MB used swap) and massive hard drive activity.

In the field I’ve even seen connection drops while pushing a policy due to heavy load. This is not supposed to happen. And it also happened on 207x series appliances when these machines were handling more traffic.

Yes, using the appliance with a separate security management doesn’t bring up these problems. In this case operation is quite normal and the numbers (apart from memory) are OK.
But nobody does this…. UTM-1 is meant to be managed by itself. That’s the beauty of the concept.

So what do I expect from Check Point here?

First I would not advertise the smaller appliances for Content Inspection with the hardware that is in place today. Start with a 57x when managed by itself.
Second, pimp the hardware. Enhancing the memory from 1GB to 2GB would help a lot to prevent swapping and therefore the performance decrease caused by IO waits.
And using a solid state drive would also help a lot when writing and reading files while doing Content Inspection, starting programs and installing policies.
This would cost about $150 more than the hardware in place right now, so it’s negligible.

When it comes to the CPU used, it’s understandable that Check Point uses smaller processors that limit the throughput. Otherwise no one would buy the bigger appliances or use licenses on OpenServers.
I can live with that…. just improve IO and I’m glad.

What do you think about this issue? Comments are welcome at tobias@lachmann.org

Tobias Lachmann

Endpoint Security E80.20 available

We have a new version E80.20 of Endpoint Security, check out sk62880 for details.

A lot has been done on the server side like improved OS support and multiple Endpoint management servers for large installations. On the client side we have improved OS support and my favorite, the synchronisation of the uninstall password from the server to the client. You no longer need to specify the password while creating the package, just deploy the package and the client will sync the uninstall password with the configuration on the management server. Very sweet.

Check out the Release Notes and the Known Limitations.

Tobias Lachmann

CPX 2011: Security Gateways in the data center

On CPX 2011 I listened to some presentations which dealt with the security gateways in data centers.

I got the impression that Check Point is only looking at high-end facilities of large companies because they were only talking about multi Gigabit firewalls and Crossbeam, VSX, Multidomain Management and so on.

Since 1997 I’ve seen a couple of data centers ranging from 250m² to 2000m² and different network sizes, and I have worked for MSPs in the last few years. I’ve seen that the service providers have multi-gigabit uplinks to the internet and that the backbone has 10 GigabitEthernet, but these are pure routers and at this point there’s no firewall or IPS functionality.

Depending on the customer there are some different setups.

First one is a dedicated type:

Dedicated customer setup in MSP environment

Connected to the backbone are smaller networks that represent a customer or a customer project, such as a web shop. And these smaller networks are protected with a perimeter firewall that is handling all the traffic. Normally a FastEthernet-Uplink is enough, some go with GigabitEthernet. And also inside the different network segments FastEthernet is most likely enough.

A UTM-1 27x appliance can handle this traffic without problems; if you’re doing the backup over the firewall using GigabitEthernet interfaces, a UTM-1 57x will do the job and give you full performance for your network interfaces.

Then we have the second type, also dedicated:

MSP dedicated customer environment

Here we have a front end segment that contains for example the webservers. They have additional network interfaces that connect to the backend network segment where the database or application servers are located and an interface to the backup network. The firewall in this scenario only has to protect the whole environment against access from outside, so it just needs to handle an amount of traffic that corresponds to the uplink. Here you can easily go with a UTM-1 27x appliance.

The last type of infrastructure in a data center is the one where the users access resources which are all protected by firewalls.

Internal Firewall

The perimeter firewall protecting the passage to the internet can be small, there’s no difference to type one scenario. But the internal firewall that is shielding high traffic servers like file servers or backup servers needs to be multi gigabit capable. And this is the scenario Check Point only refers to when it comes to data center firewalls.

But to be honest, this is not so common in the real world. Most companies don’t run internal firewalls or they don’t protect the servers that produce high network load like file servers. Or, also widely seen, these servers have only GigabitEthernet connections and so the firewall doesn’t need to be that big.

So, what’s my bottom line? Well: data center firewalls are not only about high performance and multi gigabit. The vast majority of SME customers have other needs.

But what are the requirements from an MSP perspective? First the solution has to be cost effective. At the moment customers are price sensitive and we have strong competitors like Cisco with their ASA solutions in the market.

When I look at our first setup we can have a firewall and management solution that consists of two UTM-1 272 appliances in a full cluster for $ 8.640. The same setup with two UTM-1 574 appliances is $ 16.200.

Check Point positions its VSX and P-1 as the product of choice for a data center / MSP solution. But if we look at the numbers, what do we see? VSX 2 core license with 10 virtual systems is $ 24.000, the HA license is $ 19.200. OpenServers like the HP DL360 server are about $ 5.000 each. So just the firewalls are $ 53.200 in total, per customer this would be $ 5.320. But now we also need a management. A proper multi domain management is at $ 100.000 on a Smart-1 50 appliance for 10 domains. So the management per customer is $ 10.000. In total we have a price of $ 15.320 for a virtual firewall instance running in HA mode on a 2 core system including management. In comparison the UTM-1 272 cluster is at $ 8.640.

A UTM-1 574 cluster costs $ 16.200 – the VSX cluster is cheaper by $ 880. But do we get the same performance for our money? Remember that the VSX is running on a 2 core license. So with current server hardware and the proper amount of memory I would estimate a performance a little bit above a UTM-1 307x appliance, which is at 4.5 Gbps throughput. Divided by our 10 customers this would be about 500 Mbps per customer for $ 15.320. The dedicated solution would be running with 2.5 Gbps for only $880 more. I know that in real life customers have different traffic profiles and so the real available performance would be higher, but still. Remember Check Point’s point for data center firewalls: multi gigabit high performance.

It really needs a high number of virtual firewall instances running on powerful hardware along with a big multi domain management to create a cheaper solution (per customer) than a dedicated environment with appliances. Even taking into consideration the additional effort for power consumption, rack space, climate control…. for the dedicated solution.

And remember that the investment for a VSX / multi domain management solution is really high; you quickly need the customers that use and pay for this in order to get your finances right.

That brings me to the point when it is useful to have the “Check Point way” for data center firewalls and when not:
if you are running a huge data center as an MSP with lots of customers (100 and up) that all require a Check Point firewall solution for their environment, then it will make sense to use VSX and P-1 because it’s cheaper and the management effort is less than with dedicated solutions, which also saves money. At best you’re operating this as a managed service.

If your data center consists of smaller customer installations and you don’t have that high a number of customers that require Check Point protection (or that are willing to pay so much money) you are better off with dedicated installations based on appliances. The investments are also smaller and you can make them when needed.

Multi Gigabit is needed but can also be satisfied by small appliances. The need for Crossbeams and huge multi core firewalls with numbers of 15 Gbps and up is rare and most likely arises when you operate internal firewall systems that protect servers producing high network load.

To sum up: I would like to see Check Point moving their focus away from purely high end when it comes to data centers. There are lots of MSPs and data center providers out there that would love to have Check Point solutions in place if they were affordable. Or if Check Point provided a pay-as-you-grow model for licensing. The investment for hardware capable of multi gigabit is not the big thing, the license is. Maybe start with the desired number of IP addresses and just one core? Add another core (or cores) if you need more performance and then pay for it. Install a VSX system with P-1 for only two customers and only pay for these two. Add more customer licenses when you have sold the firewalls to new customers. I know that would complicate licensing…. but it already is really complicated, so no big deal here.

Would be interesting to see if Check Point adapts its thinking in the future…

Tobias Lachmann

R75.10 is here

I know that I’m late on this one, but anyway: R75.10 is available since a couple of days.

The release page shows all the info.

We have some known limitations (in addition to R75) – for example that you need to have a software blade license or a trial license installed to upgrade to R75.10. There’s a new sk62950 stating that it is not enough to run on the 15 days trial license you get when you freshly install the system. You need to have a permanent software blade license or an evaluation license to succeed with the upgrade. This is very important and requires some preparation while installing systems, as an eval license may need to be acquired.

Luckily, for Power-1, UTM-1, Smart-1 appliances and IPSO 6.2 we have fresh install packages.

The resolved issues show that most of the improvement has been done in the field of DLP.

The release notes also list improvements in the Mobile Access Software Blade.

As always, make sure to read all the documents carefully and check with your existing infrastructure.

Tobias Lachmann

Using your Microsoft Active Directory for user authentication

The Check Point products have had the ability to authenticate users against an LDAP server for years.

In former times this was called SmartDirectory(LDAP), now it is the User Directory Software Blade.

The pricelist states that you have to pay $4000 for it and you may say that this is an awful lot of money.

But today I’m going to show you the cool things you can do with that blade and how to use it in your enterprise environment for an enhanced user experience.

First we should have a look at the Active Directory structure.

For my lab environment I built the test domain hamburg.local.

Test Active Directory structure

The OU (LDAP term for organisational unit) Employees contains two further OUs which hold the end users.

We place external users in the OU ext and internal users in the OU int. This is a pure example of how OUs can be used for grouping users into logical units for better administration.

All the users belong to one or more groups. We have built-in groups and custom groups. In my Active Directory I keep the groups created by myself in the OU Groups.

The normal Active Directory Users and Computers plugin for the management console shows the AD structure in a tree view, but does not reveal the underlying LDAP structure.

Since the Check Point User Directory/SmartDirectory is an LDAP connector, we need to deal with the LDAP structure and attributes.

A good tool for displaying the LDAP structure of an Active Directory is ADSI EDIT, which is part of the support tools in Windows 2003 server and built-in with Windows 2008 server.

ADSI EDIT

The complete path to an object is called the DN or distinguished name. The DN for the built-in administrator for example is
cn=administrator,cn=users,dc=hamburg,dc=local.

OK, our Active Directory is ready, let’s configure the Check Point Security Management.

Now we login to SmartUpdate and add the Software Blade license for User Directory, either eval license or normal license for your environment. Then we enable the blade and the functionality in SmartDashboard.

On your security management object, enable User Directory blade.

Enable User Directory Software Blade

In global properties, enable SmartDirectory(LDAP).

Global properties SmartDirectory(LDAP)

We then have to create a user template which contains information about how the user is able to authenticate. Select Check Point Password as authentication scheme.

Create User template

Create User Template

Now we’re going to create a node object which represents the Active Directory Domain Controller.

Create node object

Then we create the object for an LDAP account unit.

Create LDAP account unit step 1

On the Server tab click Add and select the newly created node object from the drop down menu.

Create LDAP account unit step 2

If you’re using unencrypted LDAP, the TCP port is 389 so leave this unchanged.

Under Username you fill in the credentials of a user that is able to perform operations within the Active Directory.

Within my simple setup I chose the Administrator account.

Under Login DN you have to specify the full path to the user account within the directory.

The built-in Administrator is

cn=Administrator,cn=users,dc=hamburg,dc=local,

the newly created user John Doe is

cn=John Doe,OU=ext,OU=Employees,dc=hamburg,dc=local.

Fill in a password and submit with OK.

Then change to the tab Objects Management and click Fetch branches.

This is the first test if the security management can communicate with the Active Directory domain controller and if you supplied the right credentials. If so, you will see some branches.

Create LDAP account unit step 3

Normally, these branches are not useful because you created some of your own. In that case delete the fetched branches and create new ones.

These branches can be seen as container or folders that hold your users and/or groups.
Create all the branches you might need.

In our example we want to check for existing user accounts located under OU Employees and its sub-OUs and for security groups located under OU Groups, so we need these branches.

Change to the Authentication tab and enable the checkbox for Use user template. Choose the newly created template from the beginning.

Create LDAP account unit step 4

Click OK.

Now you will find an object in the tree which represents the LDAP account unit. When you click on it, the account unit is accessed.

Access LDAP account unit

The data that is found in the directory is displayed in a tree view. Note that you see only the branches you configured.

LDAP account unit query

We’re only seconds away from using accounts from the Active Directory!

Next create an LDAP Group which represents the users, as only groups can be used in the rulebase.

I want to give this group VPN access so my group is named ldap-grp_vpn_access.

Then you have to select the account unit that should be queried for the user accounts, so choose the one created before.

At last we need to define the scope of the group. A very simple approach is to use the setting All Account-Unit’ Users. With this, all users found in the Active Directory belong to this group.

LDAP group with all users in account unit

But most of the time this is not the right solution as you want to limit the user access to a specific group of individuals.

So you can focus with your group on a special OU which is located in a sub tree. At this point we have the predefined branches again, that we created while adding the account unit object.

The drop down menu has the defined branches ready. Take special notice that you can’t change the branch configuration at the account unit if the branch is in use in a group!

LDAP group focus subtree

If you configure your group this way, every user that is in or beneath this OU is considered to belong to this group.

In my example setup I want to give selective access to the VPN, so the approach with all users in one OU is not the right one.

I’m going to build a security group in the Active Directory and assign the users as members to this group, which should get access to the VPN.

The group is called VPNUser and I configure the Group in branch option to check for the users here.

LDAP group in branch

Now every user that belongs to VPNUser can authenticate and access the VPN.

Not only the VPN, actually. These groups can be used anywhere in the rulebase, for example in authentication rules etc.

That’s all for now – in a new blog entry I will cover dynamic filters, LDAP templates and so on.
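The three scope options shown above (all users of the account unit, users in or beneath a branch, members of a group in a branch) decide who ends up in the rulebase group, so it is worth seeing the matching rules spelled out. The following is an added example, not code from the post or from the User Directory blade: it evaluates the three scopes over a small constructed copy of the hamburg.local test directory. The sample entries and the function names are assumptions; a real deployment asks the domain controller over LDAP instead of reading a dictionary, and with unencrypted LDAP on port 389 the bind credentials from the account unit travel in clear text, so keep that link inside a trusted segment.

```python
"""Scope evaluation of an LDAP group: 'all users', 'users in sub-tree' and
'group in branch', over constructed sample data modelled on hamburg.local.
Hypothetical helper names; not Check Point's implementation."""


def parse_dn(dn):
    """Split an LDAP DN into (type, value) pairs, leaf first, lower-cased so
    that 'OU=ext' and 'ou=ext' compare equal. Backslash-escaped commas inside
    a value (e.g. 'cn=Doe\\, John') are kept as part of the value."""
    parts, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):   # keep escape and escaped char
            buf.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    rdns = []
    for rdn in parts:
        typ, _, val = rdn.partition("=")
        rdns.append((typ.strip().lower(), val.strip().lower()))
    return rdns


def same_dn(a, b):
    """Case-insensitive DN equality."""
    return parse_dn(a) == parse_dn(b)


def is_under_branch(dn, branch_dn):
    """True when dn is located in or beneath branch_dn (the sub-tree scope)."""
    d, b = parse_dn(dn), parse_dn(branch_dn)
    return len(d) > len(b) and d[-len(b):] == b


# Constructed sample of the test domain in this post (not a real AD export).
SAMPLE_DIRECTORY = {
    "cn=Administrator,cn=Users,dc=hamburg,dc=local": {
        "objectClass": ["user"], "memberOf": []},
    "cn=John Doe,OU=ext,OU=Employees,dc=hamburg,dc=local": {
        "objectClass": ["user"],
        "memberOf": ["CN=VPNUser,OU=Groups,DC=hamburg,DC=local"]},
    "cn=Jane Roe,OU=int,OU=Employees,dc=hamburg,dc=local": {
        "objectClass": ["user"], "memberOf": []},
    "cn=VPNUser,OU=Groups,dc=hamburg,dc=local": {
        "objectClass": ["group"],
        "member": ["cn=John Doe,OU=ext,OU=Employees,dc=hamburg,dc=local"]},
}


def users_in_scope(directory, scope, branch=None, group_dn=None):
    """Return the sorted user DNs that an LDAP group with this scope matches.

    scope: 'all'     - every user of the account unit
           'subtree' - only users in or beneath `branch`
           'group'   - only users whose memberOf lists `group_dn`
    """
    users = [dn for dn, entry in directory.items()
             if "user" in entry["objectClass"]]
    if scope == "all":
        return sorted(users)
    if scope == "subtree":
        return sorted(u for u in users if is_under_branch(u, branch))
    if scope == "group":
        # AD exposes membership on the user entry via the memberOf back-link.
        return sorted(
            u for u in users
            if any(same_dn(g, group_dn)
                   for g in directory[u].get("memberOf", [])))
    raise ValueError("unknown scope: %r" % scope)
```

Note that the sub-tree scope for OU=Employees picks up users from both ext and int, while only the group scope yields the selective list the post is after.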

Tobias Lachmann

Problems deleting node object

Last week I encountered a problem when I tried to delete the node object for an unused DNS server in a customer configuration.

Deleting the node failed because a message box told me, that the object was still in use. The reference says that it was used as “om_back_dns1”, which means as DNS server for office mode (Gateway properties -> IPSec VPN -> Office Mode -> Optional Parameters).

The catch here was that the referenced object was a security management. And a security management has no options to configure something like Office Mode through SmartDashboard.

I found the solution with GUIDBEdit in the objects_5_0.c file.

GUIDBedit

The security management HAD configured options for Office Mode DNS, although they didn’t show in the SmartDashboard.

I was able to reset the values using GUIDBEdit and after saving I could complete my action in SmartDashboard.

The best explanation that I have for this is a former upgrade some while ago. The customer had a stand-alone installation that was converted to a distributed installation some 6 years ago. Seems that the tools at that time didn’t check the configuration properly and migrated also some values that should not have been there.

I know that this kind of setup is hard to test while doing QA for a new product, but this is not uncommon in the field. Having one configuration that is upgraded and converted over and over again, from version to version. The error was created with version NG in production, now we have to deal with it while using R71 software blades.

Tobias Lachmann

Next Generation Firewall Test by NSS Labs

NSS Labs performed a Next Generation Firewall Test, the first of its kind. It’s not a group test but purely about Check Point.

You can download the report here.

Interesting to see how a NGFW is defined and which tests have been done.

The Check Point appliance has some pretty good scorings and aces nearly all test with 100%.

Only the IPS test is using the out-of-the-box values and so we see the same results as from the NSS Labs IPS group test, where the policy without tuning is doing OK, but the tuned policy has the second best scoring of all tested systems.

I see this as another proof that Check Point is the product of choice and mostly everything is working into the right direction.

Tobias Lachmann

SecureClient End-of-Support

The SecureClient is End-of-Support in June 2011!

Time to change to the all new Endpoint Security VPN E75.10, which is a really great piece of software:

  • runs on Windows XP, Windows Vista and Windows 7, regardless of Service Pack and 32/64 bit
  • has improved stability for connections
  • integrates in the Windows Security Center for SCV checking

Check out sk61286 for all details.

Tobias Lachmann

Bye Bye UTM-1 Edge X…..

Now we have an official date for End-of-Sales of the UTM-1 Edge X appliance series, which is June 30th.

I think I got my first own Edge in 2004 during a promotion event and it’s running ever since. Constantly upgraded with the latest firmware, which is still running smoothly.
This is something that really impressed me all the time, the ability to run the latest firmware with all cool features on 7-year-old hardware. Nice work, Sofaware!

But now it’s time for a change to a new hardware generation and the Edge N series steps into place.

If we look at the list price, the Edge XW8 was at $800,–, the new NW8 is at $875,–.
This is OK and I think it will also be OK with most of my customers.

Tobias Lachmann

Support for MacOS X 10.7 is coming!

Dear Folks,

I’m really glad to inform you that we can expect Check Point to support the upcoming release MacOS X 10.7 with both SNX and SecureClient right along with the release of this new MacOS version.

This is great news, as we waited for 10.6 support quite a long time after the release of this version.

Now Check Point listened to our requests, which is really great!

Thank you guys!

Tobias Lachmann

Security Management R75 now supported under ESX/ESXi 4.1

In their facebook feed Check Point announced some technical updates, including “Security Management R75 (standalone and Provider-1) is now officially supported in ESX/ESXi Server 4.1.”.

I couldn’t see that this information is reflected in the documentation anywhere at the moment, but I’m sure this will follow.

We’re seeing the combination of security management and ESX virtual machine in the field a lot, so I’m really glad that’s now officially supported.

Tobias Lachmann

UPDATE: Thanks to Phoneboy for the link to the new Hardware Compatibility List (HCL) which includes the Virtual Platforms.

Maximum concurrent gateway tunnels

Under some circumstances you can see flapping device states concerning the VPN tunnel to the security gateway. This is caused by problems with a kernel table:

When a permanent VPN tunnel is configured, the gateway constantly exchanges tunnel test packets (UDP 18234) with the remote gateway; the default is to send the packets every 10 seconds. Every successful exchange is kept in a kernel table named tnlmon_life_sign.

[Expert@fw1]# fw tab -t tnlmon_life_sign
-------- tnlmon_life_sign --------
dynamic, id 303, attributes: keep, sync, expires 60, limit 200, hashsize 512, free function c35ca9b0 0, post sync handler c35ca7e0

<91fda452, 00000001; 00000001; 34/40>
<91fd6d4a, 00000001; 00000001; 31/40>

A new permanent VPN tunnel creates an entry in the table, and every successful exchange refreshes the entry. If the lifetime of 60 seconds for the entry is exhausted, the entry is deleted.

The information from this kernel table is sent to the security management, which derives from it the status information about the VPN tunnels that is displayed in SmartView Monitor.

By default the kernel table is configured to keep 200 entries. Depending on the number of tunnels you configured this may not be enough, and it can lead to the situation that newer entries overwrite older ones once there are more than 200 entries. As a result the security management cannot display correct status information, although everything is fine with the tunnel itself.

The table limit can be edited using GUIDBedit, just alter the value max_concurrent_gw_tunnels within the gateway object. To avoid unnecessary memory consumption, make sure to correlate the number you enter with the number of VPN sites that you have.

GUIDBedit max_concurrent_gw_tunnels
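Since the symptom (flapping tunnel states in SmartView Monitor) appears only after the table is full, it pays to watch the fill level before that happens. The following is an added example, not code from the post or from Check Point: it parses the text output of `fw tab -t tnlmon_life_sign`, counts the entries against the `limit` attribute and flags the table when utilisation reaches a threshold. The sample output is constructed after the listing above (one extra entry added) and the function names are hypothetical; on a real gateway you would feed it the captured command output.

```python
"""Fill-level check for the tnlmon_life_sign kernel table, parsed from the
text output of `fw tab`. Added illustration; hypothetical helper names."""
import re

# Constructed sample, modelled on the fw tab listing in the post.
SAMPLE_OUTPUT = """\
-------- tnlmon_life_sign --------
dynamic, id 303, attributes: keep, sync, expires 60, limit 200, hashsize 512, free function c35ca9b0 0, post sync handler c35ca7e0

<91fda452, 00000001; 00000001; 34/40>
<91fd6d4a, 00000001; 00000001; 31/40>
<91fd6d4b, 00000001; 00000001; 12/40>
"""

# "-------- name --------" header line
TABLE_NAME_RE = re.compile(r"^-+\s*(?P<name>\S+)\s*-+$")
# numeric attributes on the "dynamic, id 303, attributes: ..." line
ATTRIBUTE_RE = re.compile(r"\b(expires|limit|hashsize)\s+(\d+)")
# one table entry "<key, ...>"; only the leading key is kept
ENTRY_RE = re.compile(r"^<(?P<key>[0-9a-fA-F]+)[,;].*>$")


def parse_fw_tab(text):
    """Parse fw tab output into table name, numeric attributes and entry keys."""
    table = {"name": None, "attributes": {}, "entries": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = TABLE_NAME_RE.match(line)
        if m:
            table["name"] = m.group("name")
            continue
        m = ENTRY_RE.match(line)
        if m:
            table["entries"].append(m.group("key"))
            continue
        for attr, value in ATTRIBUTE_RE.findall(line):
            table["attributes"][attr] = int(value)
    return table


def check_tunnel_table(text, warn_at=0.8):
    """Compare the entry count with the configured limit.

    Returns entries, limit, utilisation ratio and a 'warn' flag that is set
    once utilisation reaches warn_at. A full table means new tunnels push
    out existing entries and the management shows wrong tunnel states."""
    table = parse_fw_tab(text)
    limit = table["attributes"].get("limit")
    count = len(table["entries"])
    if not limit:
        # Header not found or unparsable: cannot judge, so flag it.
        return {"table": table["name"], "entries": count, "limit": None,
                "utilisation": None, "warn": True}
    ratio = count / limit
    return {"table": table["name"], "entries": count, "limit": limit,
            "utilisation": ratio, "warn": ratio >= warn_at}


if __name__ == "__main__":
    result = check_tunnel_table(SAMPLE_OUTPUT)
    print("%s: %d/%d entries (%.1f%%) warn=%s" % (
        result["table"], result["entries"], result["limit"],
        100 * result["utilisation"], result["warn"]))
```

Raising max_concurrent_gw_tunnels is the fix; this check only tells you when you are close to needing it, which is easier to act on than a flapping tunnel icon.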

Tobias Lachmann

When you think about taking a Check Point course….

…consider to travel to Switzerland and have the course at Dimension Data!

Valeri Loukine, one of the few Check Point Certified Master Architects worldwide and the most skilled professional I’ve met so far, is now teaching the official Check Point curriculum.

Besides from all the stuff in the courseware you can expect to get an extra portion of knowledge and hands-on experience from Valeri.

If there’s no Authorized Training Center (ATC) near you and you have to travel anyway, fly to Switzerland and train at DD!

I have to express that I’m not getting paid by Dimension Data for writing this, I’m purely stating my opinion and admiration about Valeri.

Tobias Lachmann

Upcoming tests from NSS dealing with Check Point products

Most of you might have seen the latest IPS Group Test from NSS Labs with Check Point IPS scoring the 2nd best result.

In the next couple of weeks we can expect other tests from NSS Labs, dealing with firewalls and next generation firewalls. Next generation firewall means that the functionality of firewall, IPS, application control and so on is bundled into one solution.

Will be really exciting to see how Check Point ranks in comparison with other vendors when the new blades are compared.

Tobias Lachmann

New Endpoint Access Clients E75.10 are available for everyone

The E75.10 clients have left the EA (early availability) stage and are now GA (general availability).

Check Point has an sk article that describes the release.

Check out the Release Notes.

I recently brought the E75 client into production and was impressed by it. Now with E75.10 we have a new cool feature, the integration of Windows Security Center into SCV (Secure Configuration Verification). Now we can test the presence of antivirus software, enabled Windows updates, presence of a firewall etc. via the mechanisms integrated into Windows.
This is a big relief, as checking presence of virus scan software processes was a pain in the ass sometimes.

If you’re running a R71.30 system, you’re instantly good to go with the new release when it comes to Endpoint Security VPN and SecuRemote. Support for Check Point Mobile for Windows is coming with R71.40.

R75 systems are ready for Endpoint Security VPN clients, Check Point Mobile for Windows on R75 needs a hotfix and support for SecuRemote comes with R75.10.

To be sure about your system, check the release notes.

Now we also have full support for Windows XP, Windows Vista and Windows 7 with 32 Bit and Windows Vista and Windows 7 with 64 bit.

I’m very happy to have this new release finally available.

Tobias Lachmann

Something to think about

I did a lot of reading this evening, mainly in CPUG forum. Sad things are happening there.

Now I fully see why some senior members of CPUG forum came up with CPshared as an alternative.

At the moment I’m undecided what to do….. go 100% with CPshared forum or split 50:50 to CPUG and CPshared?
Just stick with my blog and ignore the rest?

One of my first thoughts was that we have to be really thankful to Barry Stiefel for hosting the CPUG forum all these years and keeping it going. It really takes time and effort, so THANK YOU BARRY!

What I know from Barry is that he tried several times to get Check Point as a vendor involved in CPUG. Officially, I might say. Because many CP employees are reading and posting in the CPUG forum on their own, but not wearing the CP badge and only speaking for themselves. Nevertheless, really good content from those guys. So THANK YOU CP EMPLOYEES!

The request for support or sponsoring of CPUG was not successful, Check Point didn’t react as expected by Barry.

So, what does this mean? Is Check Point not interested in the user group? I don’t think so.

From what I’ve seen in the past years, Check Point really listens to us. I was contacted several times from Check Point directly regarding things I posted in this blog. Changes were made upon my feedback. I talk quite often with guys from product management and we discuss upcoming technology, pricing models and enduser experience with their products.
Really appreciated, by the way, so THANK YOU CP PRODUCT MANAGEMENT.

Maybe it’s not about Check Point supporting their users, administrators, partners in general, but about the fact that CPUG is represented by only one person. And maybe they both had a very bad start and now things are stuck because of egos on both sides?

Having that in mind, the CPshared approach becomes even more valid. Starting over with a community site. Engaging from the beginning with CP employees, CP partners and really experienced users altogether. Trying to get in touch with the vendor, confronting him not only with criticism, but with realistic feedback and the wish to participate and be a part of the solution.

I really have mixed feelings:

CPUG is running for so many years now and I really love the CPUGCON. Where else can you get in touch with fellow administrators, partners, instructors? CPX is a different type of event, that’s for sure.

But CPshared could be a new start for the community together with the vendor and I’d really like to see that happening.

Let’s hope that both community sites will stay, or respectively become, successful!

Tobias Lachmann

Check Point Open Technical Forum

For a couple of days now there has been a new forum available under www.cpshared.com

It’s a Check Point Open Technical Forum and wants to connect the CP community as a whole: CP users, CP partners, CP employees and the vendor itself.

It was initiated by one of the most active members of the CPUG forum and is supported by heavyweight senior members (in terms of CP knowledge) with lots of experience.

We will see how this forum develops, but I like the idea behind it.

Together with CPUG forum there will be an enormous amount of technical knowledge for the CP community.

Really like that idea.

Tobias Lachmann

Security Servers

There is an article, sk25766, which lists the security servers and the corresponding processes. Very useful as a reference.

Tobias Lachmann

UPDATE: Thanks to Jonathan for bringing this up: we also have in.geod as the Geo Protection part of the IPS engine. Not a real security server, but still….

New naming scheme for Endpoint

Phoneboy commented (by sending an email to blog@lachmann.org) on my previous blog entry where I complained about version numbering.

For Endpoint, they’re changing the naming scheme with the upcoming version. Instead of R80.20 it’s now E80.20 for this Endpoint Release. The gateway releases still have the “R” at the beginning.

I think this is a good way of differentiating releases, really like it.

Tobias Lachmann

Comment on this blog

Many people complained to me about the missing possibility to comment on the articles in my blog.

Well, this was done on purpose. Sadly I don’t have the time to check on comments, delete spam and make sure that everything works out well.

But that doesn’t mean that you don’t have the opportunity to comment: just send an email to blog@lachmann.org and tell me what you think about the post, what is missing and what is wrong in the blog entries. I will change it shortly and post corrections, if necessary.

I’m grateful for every sort of feedback.

Tobias Lachmann

Impressed of Endpoint Security R80.1

I have to admit that for a long time, I guess since version R71, I haven’t looked at Endpoint Security.

Back then I found it too hard to manage, not efficient enough and full of errors. Also, from a reseller’s point of view, there was not so much money to be made selling this product.

But yesterday I was encouraged by Check Point to at least install the R80.1 Endpoint Security Console and play along with it in demo mode. I’ve done that and I was impressed. The console is clearly structured and now it is possible to use your existing objects to create firewall policies. All the tasks to get it running are shown in a getting started panel for easy access.

All in all it seems that from the management side they took a big step forward and now it looks like a really great product.

Hopefully I find the time to play along with it in the next weeks to get the full picture.

Tobias Lachmann

How to back up a UTM-1 without the Check Point backup utility

Someone confronted me with the following scenario:

A UTM-1 appliance has crashed and can’t boot properly.

Before resetting the device to factory defaults, a backup should be performed to restore the configuration afterwards.

How can you do this without booting the device and using the Check Point backup utility?

Well, the backup .tgz file you produce with backup utility is just a collection of configuration files from your local filesystem.

The backup utility uses the configuration in /var/CPbackup/schemes to determine which files to include and which files to exclude.

If you need to backup the configuration, just go for these files:

UAG

  • $UAGDIR/database/*
  • $UAGDIR/conf/*
  • $UAGDIR/boot/modules/*
  • $UAGDIR/log/*

SYSTEMCONFIG

  • /etc/sysconfig/*
  • /etc/hosts
  • /etc/hosts.allow
  • /etc/hosts.deny
  • /etc/resolv.conf
  • /etc/passwd
  • /etc/shadow
  • /etc/localtime
  • /etc/localtime.tz
  • /etc/snmp/*
  • /var/net-snmp/*
  • /home/*
  • /etc/cpshell/*
  • /etc/ethers
  • /etc/raddb
  • /etc/dhcpd.conf
  • /opt/spwm/conf/cp_http_admin_server.conf
  • /var/CPbackup/conf/backup_sched.conf
  • /var/spool/cron

SVN

  • /var$CPDIR/registry/*
  • /var$CPDIR/conf/*
  • $CPDIR/database/*
  • /var$CPDIR/log/*

RT

  • $RTDIR/scripts/*
  • $RTDIR/conf/*
  • /var$RTDIR/Database/*
  • $RTDIR/log/*

PERFORMANCEPACK

  • $PPKDIR/boot/modules

FWLOGS

  • /var$FWDIR/log

FW1

  • /var$FWDIR/conf/*
  • /var$FWDIR/database/*
  • /var$FWDIR/state/*
  • $FWDIR/lib/*.pf
  • $FWDIR/boot/

FG1

  • $FGDIR/conf/*
  • $FGDIR/scripts/*
  • $FGDIR/boot/modules/*
  • $FGDIR/log/*

CVPN

  • $CVPNDIR/conf/*
  • $CVPNDIR/var/*
  • $CVPNDIR/sync_files/*
  • $CVPNDIR/mgmt_conf_files/*
  • $CVPNDIR/htdocs/Mail/data
  • $CVPNDIR/htdocs/Mail/attachments
  • $CVPNDIR/htdocs/Login/images/CompanyLogo.gif
  • $CVPNDIR/htdocs/sre/descr/
  • $CVPNDIR/htdocs/sre/data/manual_rules.xml
  • $CVPNDIR/htdocs/sre/ICSScanner.cab
  • $CVPNDIR/htdocs/sre/SetupBrowser.exe
  • $WEBISDIR/conf/*

Since the device is not running, the variables are not set to the correct values. For an R71 installation the variables have to be substituted with the following values:


CPDIR=/opt/CPshrd-R71
CPMDIR=/opt/CPsuite-R71/fw1
CVPNDIR=/opt/CPcvpn-R71
FGDIR=/opt/CPsuite-R71/fg1
FWDIR=/opt/CPsuite-R71/fw1
RTDIR=/opt/CPrt-R71
WEBDIR=/opt/CPportal-R71/webis
PPKDIR=/opt/CPppak-R71/

You can boot a UTM-1 appliance from a live Linux CD or DVD, using a USB DVD drive connected to the appliance.

While SPLAT uses normal partitions, the UTM-1 appliances use the Logical Volume Manager (LVM). So the operating system you use must be able to deal with these LVM volumes. I use this modified grml system for this purpose.

On the boot screen you have to add some parameters for the startup process:


Some information and boot options available via keys F2 - F10. http://grml.org/
grml 2010.04 - Release Codename Grmlmonster 2010.04.29
boot: serial debug=noscreen lang=de lvm

When grml has finished booting, it provides a console with all the needed tools. LVM is loaded already.

Check for the volume groups on the hard drive with the vgscan command:


root@grml ~ # vgscan -v
Wiping cache of LVM-capable devices
Wiping internal VG cache
Reading all physical volumes. This may take a while...
Finding all volume groups
Finding volume group "vg_splat"
Found volume group "vg_splat" using metadata type lvm2

Activate the logical volumes with vgchange:


root@grml ~ # vgchange -a y
6 logical volume(s) in volume group "vg_splat" now active

Now you can display the volume group with vgdisplay:


root@grml ~ # vgdisplay
--- Volume group ---
VG Name vg_splat
System ID
Format lvm2
Metadata Areas 1
Metadata Sequence No 7
VG Access read/write
VG Status resizable
MAX LV 255
Cur LV 6
Open LV 0
Max PV 255
Cur PV 1
Act PV 1
VG Size 72.47 GiB
PE Size 4.00 MiB
Total PE 18553
Alloc PE / Size 7424 / 29.00 GiB
Free PE / Size 11129 / 43.47 GiB
VG UUID dCQA6u-z70X-LIsE-Xhmb-n5ho-ZMrX-JyBePy

You can display the logical volumes with lvscan:


root@grml ~ # lvscan
ACTIVE '/dev/vg_splat/lv_current' [5.00 GiB] inherit
ACTIVE '/dev/vg_splat/lv_log' [10.00 GiB] inherit
ACTIVE '/dev/vg_splat/lv_hfa' [5.00 GiB] inherit
ACTIVE '/dev/vg_splat/lv_upgrade' [5.00 GiB] inherit
ACTIVE '/dev/vg_splat/lv_fcd' [2.00 GiB] inherit
ACTIVE '/dev/vg_splat/lv_fcd62' [2.00 GiB] inherit

Mount the logical volume lv_current under /tmp:

mkdir /tmp/utm1/
mount /dev/vg_splat/lv_current /tmp/utm1/

Change to /tmp/utm1 and you’re in the root directory of your UTM-1 appliance.

From there go to the directories listed above and get your files.
Transfer them over the network with scp or copy them to a USB stick.

After you have backed up all the files you can do the factory reset.
When the initial system and software installation is done, just boot into maintenance mode and copy the backup files to the appropriate locations on the appliance.

After a restart of the system you have your old configuration working.
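The file list and the mount procedure above, put together as a small script. This is an added example and not code from the original post or from Check Point: it assumes the R71 directory layout from the table above, takes $WEBISDIR in the CVPN group to be the WEBDIR value from that table, leaves out the UAG group because the post gives no value for UAGDIR, and uses /tmp/utm1 as the mount point of lv_current.

```sh
#!/bin/sh
# Added example, not from the original post: collect the UTM-1 configuration
# files listed above from the lv_current volume mounted under a live system.
# Assumptions: R71 layout as in the table above; $WEBISDIR is taken to be
# WEBDIR from the table; the UAG group is left out (no UAGDIR value given).

CPDIR=/opt/CPshrd-R71
CPMDIR=/opt/CPsuite-R71/fw1
CVPNDIR=/opt/CPcvpn-R71
FGDIR=/opt/CPsuite-R71/fg1
FWDIR=/opt/CPsuite-R71/fw1
RTDIR=/opt/CPrt-R71
WEBDIR=/opt/CPportal-R71/webis
WEBISDIR=$WEBDIR            # assumption, see above
PPKDIR=/opt/CPppak-R71

# Print the backup patterns from the post with the variables substituted.
# Each line is an absolute path or glob as seen from the appliance root.
utm1_backup_paths() {
    cat <<EOF
/etc/sysconfig/*
/etc/hosts
/etc/hosts.allow
/etc/hosts.deny
/etc/resolv.conf
/etc/passwd
/etc/shadow
/etc/localtime
/etc/localtime.tz
/etc/snmp/*
/var/net-snmp/*
/home/*
/etc/cpshell/*
/etc/ethers
/etc/raddb
/etc/dhcpd.conf
/opt/spwm/conf/cp_http_admin_server.conf
/var/CPbackup/conf/backup_sched.conf
/var/spool/cron
/var$CPDIR/registry/*
/var$CPDIR/conf/*
$CPDIR/database/*
/var$CPDIR/log/*
$RTDIR/scripts/*
$RTDIR/conf/*
/var$RTDIR/Database/*
$RTDIR/log/*
$PPKDIR/boot/modules
/var$FWDIR/log
/var$FWDIR/conf/*
/var$FWDIR/database/*
/var$FWDIR/state/*
$FWDIR/lib/*.pf
$FWDIR/boot/
$FGDIR/conf/*
$FGDIR/scripts/*
$FGDIR/boot/modules/*
$FGDIR/log/*
$CVPNDIR/conf/*
$CVPNDIR/var/*
$CVPNDIR/sync_files/*
$CVPNDIR/mgmt_conf_files/*
$CVPNDIR/htdocs/Mail/data
$CVPNDIR/htdocs/Mail/attachments
$CVPNDIR/htdocs/Login/images/CompanyLogo.gif
$CVPNDIR/htdocs/sre/descr/
$CVPNDIR/htdocs/sre/data/manual_rules.xml
$CVPNDIR/htdocs/sre/ICSScanner.cab
$CVPNDIR/htdocs/sre/SetupBrowser.exe
$WEBISDIR/conf/*
EOF
}

# utm1_collect ROOT ARCHIVE: expand every pattern below ROOT (the mounted
# lv_current) and write the files that exist into a tar archive whose member
# names are relative to the appliance root, so it unpacks at / after the reset.
utm1_collect() {
    root=${1%/}
    archive=$2
    list=$(mktemp)
    utm1_backup_paths | while read -r pattern; do
        # the quoted prefix is literal, the unquoted pattern is globbed
        for f in "$root"$pattern; do
            # an unmatched glob stays literal and fails -e, so it is skipped
            if [ -e "$f" ]; then
                printf '%s\n' "${f#"$root"/}"
            fi
        done
    done > "$list"
    # no leading slash in the member names: tar would otherwise ignore -C
    tar -C "$root" -cf "$archive" -T "$list"
    rm -f "$list"
}

# After vgchange -a y and mount /dev/vg_splat/lv_current /tmp/utm1 (as above):
#   utm1_collect /tmp/utm1 /tmp/utm1-backup.tar
```

Copy the resulting archive off the appliance with scp or to a USB stick; it only holds files that actually exist on the volume, so a missing optional component (e.g. no CVPN installed) does not abort the run.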

Tobias Lachmann

Check Point and support for Apple products

Some of you may have already discovered it by themselves, others may have read it in Valeri Loukine’s latest blog entry:

Check Point has a VPN solution for iPhone and IPad and now there’s also a public demo available.

To be precise, Check Point had support for iPhone from the beginning, the client is not new.

But what bothers me is the fact that the Check Point solution is not recognized in the market and by the customers. See the latest Gartner Magic Quadrant for SSL VPN to have it in black and white.

Why’s that? Well I think in the first place there’s an iPhone VPN client because Gil Shwed has gotten himself an iPhone and wanted to connect to his company. This may be the reason we have this solution. But apart from that, I can’t see any real platform strategy for VPN clients. Check Point has Windows clients which are really way ahead. But when it comes to Mac OS X and Linux, nothing really comparable to Cisco or Juniper.

I have stressed it before, customers want support for all their operating systems when they make a decision for a new VPN solution. And it is not uncommon that a Check Point gateway is securing the perimeter and has the site-to-site VPN connections, but a gateway from another vendor is doing the remote access.

Would be really interesting to discuss this issue with some guys from Check Point directly. But I’m not working for a platinum Check Point partner or have massive sales volume with this kind of products…. so I don’t think I will get the chance to talk to someone on CPX.

If any of you has some information or rumours, please let me know 😉

Tobias Lachmann

Check Point Experience (CPX) in Barcelona

Check Point will have two CPX events this year, one in Chicago and one in Barcelona.

I will attend the CPX in Barcelona and I’m really looking forward to it.

If you’re solely technical oriented, CPX will not provide so much new stuff for you.

But it’s one of the precious moments where you can have a deep inside look on upcoming strategies from Check Point.

And, above all, you can meet with the guys from Check Point in real life you might know by now only from phone or mail.

Hopefully many of my CP contacts can manage to attend, all the beers are on me 😉

Also I hope that some of you guys who read this blog are around. If you see me, make sure to pass by and have a little chat and a drink. I’m really interested in sharing experience, opinions and thoughts with all of you.

C U in Barcelona!

Tobias Lachmann

Keep up-to-date with SecureKnowledge and documentation

A very good tool for keeping up with changes in SecureKnowledge and documentation is the subscription in your UserCenter account.

Simply click within the UserCenter on “My Profile” and then on “My Subscriptions”. Here you can add all the topics you’re interested in.

Check Point Usercenter Subscriptions

If, for example, you subscribed to Secure Knowledge articles on Secure Platform, you will get a summary mail every week that contain a list of all articles that are new or modified and deal with this topic.

Personally I added all the topics and all the fields, SecureKnowledge, Documentation and Downloads.

So I’m always up to date and sometimes discover new or forgotten information that is relevant for me.

Tobias Lachmann

Performance analysis

There is a nice article in SecureKnowledge which points out how to analyze the system performance. See sk33781 for details.

The article isn’t only about performance, but also gives good troubleshooting hints and explanations about values and possible errors (especially true for the memory section).

Really worth reading. And you should try to understand every part of the sk, if something is unclear, investigate. Knowing this stuff is important.

Tobias Lachmann

Snow Leopard support with SNX available

It’s a shame that Check Point doesn’t see the potential in the Mac OS X operating system at the moment. I know that by numbers the Windows operating system family is much more attractive when it comes to developing client versions.

But today most companies are facing heterogeneous environments with a mixture of clients, windows clients as well as Mac OS and even Linux. And when it comes to choosing a new VPN solution, a key factor is the ability to support all operating systems existing in the company.

Luckily for us Check Point now has support for Mac OSX 10.6 aka Snow Leopard. See sk32162 for details.

Now that we have support for the current versions of Windows and Mac OS X, I hope this situation will last.
At the moment Apple is announcing Mac OS X 10.7 aka Lion for summer 2011 and I don’t think that we will have a current VPN solution for it ready at the release date or closely afterwards. If so, it would be a big step forward towards customer acceptance.

Tobias Lachmann

Recent changes….

Dear reader,

lately I haven’t been writing as much as I used to. This is because I switched to a new employer, the akquinet system integration GmbH in Hamburg.

Currently I’m busy with developing the enhanced network and network security portfolio and establishing product partnerships. As you might imagine, this is a time consuming process and a lot of work. But I’m very confident that I’m able to blog more frequently in the near future and I also have material ready for upcoming articles.

By the way: if you need any kind of help with Check Point products, you can hire me for projects or troubleshootings all over Europe. You can contact me directly over tobias.lachmann@akquinet.de

Tobias Lachmann

R75 HFA1 EA for Remote Access Client available

Check Point offers a public early availability version of the new R75 HFA1 Remote Access Clients.

We now have Endpoint Security VPN which replaces SecureClient and Endpoint Connect, giving you VPN functionality along with SCV and desktop firewall.

Check Point Mobile for Windows is the successor of Endpoint Connect on mobile devices.

SecuRemote R75 is the long-awaited VPN-only client with support for Windows 7.

In general, all the clients are available for the following operating systems:

  • Windows XP 32 bit with SP2 or SP3
  • Windows Vista 32 bit or 64 bit with SP1
  • Windows 7 32 bit or 64 bit with all editions

You can apply for the EA over the UserCenter -> Products -> Early availability.

The Release Notes can be found here.

Please take special notice that the clients are supported on R71.30 and R75 platforms without the need of a special hotfix. However, SecuRemote R75 is not supported on Check Point R75 installations, but will be with R75.10.

Tobias Lachmann

R71.30 available

The new R71.30 packages are available since the beginning of January.

We have the first customer running this build without problems.

New for this release are some modifications to the Provider-1 SmartConsole for better object handling, support for new VPN clients, such as iPhone and iPad, as well as support for Windows 7 (32/64 bit) and finally support for MacOS 10.6 on SNX.

The rest are smaller improvements that will not affect most of us in daily business.

Check out the release notes, known limitations and resolved issues.

Tobias Lachmann

Upgrade from R70.40 to R71.20

As described in a previous blog entry systems running R70.40 could not be upgraded without uninstalling R70.40 before.

Check Point has now published the knowledge base entry sk59481 which describes a way to update such systems to R71.20 using the R71.20 migration tools.

Seems that Check Point learned a lesson from the dead end with R65.4 and found a way to prevent stressful migrations for the admins.

Tobias Lachmann

Failed to parse topology: Missing node MgmtInternalCA inside set in the topology

This week we had a very strange error concerning UTM-1 Full-HA clusters.

As you may remember, a UTM-1 Full-HA cluster consists of two UTM-1 appliances running as a cluster for the gateway part, with primary and secondary management installed on them running with management high availability.

We had the error that all our VPN connections to remote sites broke suddenly. The UTM-1 Edge appliances on the locations showed the following error message in the logs:

Error: Failed to parse topology: Missing node MgmtInternalCA inside set in the topology

Together with Check Point TAC in Israel we found out that the root cause of this issue was our SmartConsole client. While accessing the management with the client, it changed the value of the two UTM-1 objects from utm_cluster_member to cluster_member in the background.

This meant that the appliances were still considered to have gateway functionality on them, but the management part was not recognized and so Mgmt-HA broke. And, since there was no InternalCA in the objects_5_0.C, the parsing on the UTM-1 Edge appliances went wrong and VPN could not be established.

This can only be fixed by changes made by Check Point programmers by hand, unless you have a valid backup from before the changes.

Luckily for us, we found a valid objects_5_0.C file on the secondary UTM-1, which didn’t contain the wrong information as this was not replicated from the primary UTM-1 due to the broken Mgmt-HA.

As far as I’m aware of, there is no other reference to this error message anywhere to be found and there’s no SK at the moment for it.

We believe that the SmartConsole client was acting that way for one of the two reasons:

a) it was running on a Windows Terminal Server
b) lots of different SmartConsole clients from various versions were installed on the system, causing interferences with each other

Tobias Lachmann

New blog dealing with Check Point

For some reason lately I was not publishing as intense as I did in the past.

But still there is a good news for all you guys dealing with Check Point products out there.

Valeri Loukine, CCMA from Switzerland, started his own blog about Check Point.

I met Valeri on CPUGCON 2009 and I look up to him for being such an expert on Check Point products with so much experience.

Check out his blog!

Tobias Lachmann

Problem with SmartCenter fix from sk58360

When you install the Netfix package mentioned in sk58360 there’s the possibility that you run into a problem under certain conditions.

If your system is running R71(.x) and you did an in-place upgrade from R70 instead of a fresh install, then you will find that you still have the directory /opt/CPEdgecmp-R70.

With a fresh install the directory is /opt/CPEdgecmp-R71.

When you run the following commands on the upgraded R71 system, you will find these versions:

[Expert@fw]# $FWDIR/bin/sms -version
SofaWare Management Server version 8.1.0.18

[Expert@fw]# /opt/CPEdgecmp-R70/bin/SofawareLoader -version
SofaWare Loader version 8.1.0.6

If you do the same on a freshly installed system the versions are:

[Expert@fw]# $FWDIR/bin/sms -version
SofaWare Management Server version 8.1.0.18

[Expert@fw]# /opt/CPEdgecmp-R71/bin/SofawareLoader -version
SofaWare Loader version 8.1.0.11

Because of the very small change in the version of SofawareLoader, Check Point leaves this package untouched in the process of upgrading.

Now here lies the problem with the upgrade script that you need to run when you want to use the new 8.2.x Edge firmware.

The script checks for the version using the fwm -ver command.
When it finds R71 installed it assumes that the files that need to be modified are under /opt/CPEdgecmp-R71 instead of /opt/CPEdgecmp-R70.

Since this directory does not exist, the script will fail.

Bad QA done by Check Point here I have to say ;-(

The solution here can be one of the following two:

modify the update script to choose the right directory according to your system

or

create a symbolic link for the /opt/CPEdgecmp-R71 directory that points to the /opt/CPEdgecmp-R70 directory.

With these modifications the script runs correctly and you can start using the new firmware together with a SmartCenter.
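Both fixes as shell functions, added here as an example and not taken from the post or from Check Point’s upgrade script: edgecmp_dir returns whichever /opt/CPEdgecmp-R7x directory really exists instead of deriving it from fwm -ver, and edgecmp_link creates the R71 name as a symbolic link to the R70 directory when only the latter is present. The optional ROOT argument is a hypothetical prefix that only exists so the functions can be exercised against a scratch directory.

```sh
#!/bin/sh
# Added example (not Check Point's script). ROOT is an optional prefix used
# for testing against a scratch directory; on the appliance call without it.

# edgecmp_dir [ROOT]: print the CPEdgecmp directory that actually exists,
# preferring the R71 name (fresh install) over R70 (in-place upgrade).
# Returns 1 and prints nothing if neither is present.
edgecmp_dir() {
    root=${1:-}
    for ver in R71 R70; do
        if [ -d "$root/opt/CPEdgecmp-$ver" ]; then
            printf '%s\n' "/opt/CPEdgecmp-$ver"
            return 0
        fi
    done
    return 1
}

# edgecmp_link [ROOT]: second fix from the post. If only the R70 directory
# exists, create /opt/CPEdgecmp-R71 as a symbolic link to it so the firmware
# upgrade script finds its files. Safe to run twice; fails if neither exists.
edgecmp_link() {
    root=${1:-}
    if [ -d "$root/opt/CPEdgecmp-R71" ]; then
        return 0
    elif [ -d "$root/opt/CPEdgecmp-R70" ]; then
        # relative link target, so it is correct under any ROOT prefix
        ln -s CPEdgecmp-R70 "$root/opt/CPEdgecmp-R71"
    else
        echo "no CPEdgecmp directory found under $root/opt" >&2
        return 1
    fi
}
```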

Tobias Lachmann

New UTM-1 Edge firmware 8.2.26 available

Check Point has a new firmware for the Edge series available since 6th of December.

If you look into the release notes you’ll find some interesting new features.

The UTM-1 Edge N-Series appliances can now be equipped with a cellular modem inserted into the ExpressCard slot and can also handle Gigabit SFP ports. A nice feature when you want to connect the appliance using fiber instead of copper.

Then, routing support on the N-series has been enhanced for PIM-SM, DVMRP and RIP.

A very nice feature for all platforms is the ability to do full URL logging and enhanced URL filtering.

And for troubleshooting purposes it is now possible to select the interface from which you want to run Ping and Traceroute tool.

Please be advised that you need to install the SmartCenter upgrade package when the Edge is connected to a Management. Refer to sk58360 for details.

When you look for the download in the Check Point Support center, please note that we have three versions of firmware images: one for the X-series, one for the X-series with ADSL-support and one for the new N-series.

Tobias Lachmann

Monitoring physical and virtual cluster interfaces from one host

This one bit me some days ago. My freshly installed cluster was intended to be monitored from a system within the internal LAN.
But for some reason I didn’t get a PING back from the master on one or the other interface.

Then I found the sk38623 which described the behaviour. Short explanation: the connection table may contain two entries with same source and destination ip address as well as same source and destination port. This creates an error and the second connection is dropped.

What can be done to solve this issue is to run

fw ctl set int fw_allow_simultaneous_ping 1

on the CLI and/or setting this in the $FWDIR/boot/modules/fwkern.conf file.

See sk26202 for details on how to do this.

Tobias Lachmann

Edge reboot suddenly due to time problem

I just saw the sk56641 and like to quote from it:

“The cause of this problem is related to a specific counter that elapses every 13.6 years and is not expected to happen again in the life time of the device.”

Doesn’t Check Point believe in the Edge as a product? Why shouldn’t we experience this again 🙂
13.6 years is no time!!!!

Really, that one made my day. LOL.

Tobias Lachmann

R71.20

Ok ok…. I know I’m a little late for this one…. but R71.20 was released a week ago.

Check out the Release Notes, the Known Limitations and the Resolved Issues.

As you can see, quite a few fixed bugs. Especially the swap process running wild hit me a few times on customer equipment, so I’m glad that it is now fixed.

If you don’t experience any problems and don’t want to manage SG-80 appliances, I think it’s safe to skip this update. Or at least wait until others have found the bugs in it 😉

Tobias Lachmann

IPv6 testing (part 1) – let the games begin

As promised, I’m going to write about the experiences I make while testing Check Point security gateways and IPv6.

First I’d like to introduce you to the lab setup that I chose:

IPv6 test environment

We have a Windows 7 PC as client which also has the SmartConsoles installed. The PC is connected to a Cisco router which is doing some basic routing. In the network right behind the router we have the Security Management server (aka SmartCenter) and the external interfaces of our two Security Gateway nodes, all connected to a Cisco Switch.

Behind the Security Gateways we have another Cisco Switch and a server which will be accessed by our client PC.

First I started with getting my equipment running with IPv4 addresses.
There is a need for this as some limitations apply. Every interface needs to have an IPv4 address when you want to configure IPv6 on it. And, on sync interfaces for ClusterXL you can only use IPv4.

When installing the SPLAT on the Security Gateways and Security Management, first you must check out the R70 IPv6Pack Release Notes.

For the setup of the R70 IPv6Pack on the gateways there’s a prerequisite of having version R70.1 installed.

On the Security Management however, IPv6Pack Management hotfix with R70.1 is only supported in a stand-alone environment. For the distributed installation you need R70.30 or R71.

This information is very important and at the moment I’m not sure how future versions are supported by the IPv6 pack (R71.10, R71.20, R71.30, R75??).

My production environment has R71.10 installed on the management, so no IPv6 here ;-(

But let’s move on with the lab environment.

First we install the IPv6 pack add-on on the Security Management. I chose R71 for the management and needed to download this file.
Precise installation instructions can be found in the Release Notes starting at page 15.

Then I generated IPv6 licenses for the gateways and the management. The IPv6 license is free of charge and can be created within the UserCenter. Just go to your products and select “Activate Advanced Features” tab to proceed.

After licensing was done in UserCenter, I attached the licenses to the gateways and management using SmartUpdate. After closing all SmartConsoles and opening them again, IPv6 options became available in SmartDashboard.

The rulebase is plain and simple for testing, ANY-ANY-ANY-ACCEPT.

Then I downloaded and installed the IPv6 Pack add-on on the gateways.

After a reboot I had to create a script in /etc/rc.d/rc3.d for setting up IPv6 during startup. Details on how to do that can be found in the Release Notes or SecureKnowledge as well. Then run $FWDIR/scripts/fwipv6_enable on to enable IPv6 within the gateway. As far as I understood, we then have two firewall kernels, one handling IPv4, the other handling IPv6.

Finally I turned off Stateless Address Auto Configuration so that no IPv6 enabled router in the same segment as the firewall could lead to auto-configuration security breaches.

Having setup the gateways interfaces I now configured my Windows 7 PC and the Cisco Router with the desired IPv6 addresses from the subnets I chose.

Then I did an IPv6 ping from the Windows 7 PC to the inner interface of the router to check connectivity, which worked. Then I pinged the outer router interface, leading to the firewall, which also worked. Then I did a ping to the IP addresses of the cluster members – and this failed. I first had a look at the routing table of the Cisco router:

Router#sho ipv6 route
IPv6 Routing Table - 8 entries
Codes: C - Connected, L - Local, S - Static, R - RIP, B - BGP
U - Per-user Static route
I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea
O - OSPF intra, OI - OSPF inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
S 2B02:AD0:1800::/37 [1/0]
via 2B02:AD0:2000:0:26:E8FF:FE08:768E
C 2B02:AD0:2000::/37 [0/0]
via ::, FastEthernet0
L 2A02:AD0:2000:0:26:E8FF:FE08:778E/128 [0/0]
via ::, FastEthernet0
S 2B02:AD0:2800::/37 [1/0]
via 2B02:AD0:2000:0:26:E8FF:FE08:768E
C 2B02:AD0:3000::/37 [0/0]
via ::, Ethernet0
L 2B02:AD0:3000:0:26:E8FF:FE08:778E/128 [0/0]
via ::, Ethernet0
L FE80::/10 [0/0]
via ::, Null0
L FF00::/8 [0/0]
via ::, Null0

Seemed ok, all needed networks were there. But obviously the packets were not routed to the firewall. Then I realised that a Cisco router needs to be configured for IPv6 routing with the command ipv6 unicast-routing. After that command I was able to ping the IP addresses of my gateways.

In the next article we will have a look at the IPv6 from the Check Point gateways side and what is different from IPv4.

Tobias Lachmann

Error connecting to SmartCenter with GUI

I encountered an error while connecting with SmartDashboard to a NGX R65 SmartCenter server. The error message indicated a problem with the $FWDIR/conf/gui-clients and I checked for the right IP address in there. Even setting it to Any didn’t solve the problem.

While looking with fw ctl zdebug drop on the gateway after the connection attempt from the GUI client, no drops were seen.

Debugging with fw debug fwm on and examining $FWDIR/log/fwm.elg didn’t show any error or a reason for rejection, it just seemed that the SmartCenter closed the connection right after login.

How did I solve this? Simple: cpstop; cpstart

The system was running for more than 450 days and it just seemed that some part of the fwm process had trouble.

Just remember that sometimes it can be a good idea to restart the software and/or the server 😉

Tobias Lachmann

SecureClient Next Generation – Endpoint Security VPN R75 is available

The new SecureClient Next Generation is now officially available. It is called Endpoint Security VPN R75 and is replacing the old SecureClient and also Endpoint Connect.

The look and feel of the client is quite nice, it connected without problems (or hotfix) to an environment running NGX R65 gateways with R71.10 management and to an UTM-1 cluster running R71.10.

Check out the overview page for the new client and the release notes.

Personally I think I will wait till more recent versions of the hotfix are available or until the support for this client is built into the next service pack.

NGX R65 is end-of-support next March, so why bother with this old version? And R70.40 is a dead end and cannot be upgraded easily, so I will not operate a gateway with that version.

Better wait for R71.30 and use this HFA when it is known to have no severe errors.

Tobias Lachmann

IPv6 reading suggestions

Silvia Hagen wrote two brilliant books on IPv6 and I recommend to read at least one when you’re trying to work with IPv6.

I started with the German version and now I’m trying to figure out how to operate a Check Point gateway correctly with IPv6.

At the moment I see lots of burdens and it seems that Check Point is not quite IPv6-ready yet.

Will post my findings in the next weeks in detail.

Tobias Lachmann

Adding routes on a UTM-1 over the command line

I recently became aware that some people searched for a way to add routes on a UTM-1 not over the WebUI but on the command line.

Well, this can be done using the normal OS related commands:

Example:

route add -net 192.168.1.0/24 gw 192.168.2.1
route --save

Please refer to SecurePlatform Administration Guide for reference.

Tobias Lachmann

Inside SG-80

I got some info about the hardware of the new SG-80 appliance from Check Point, thanks to Marko.

The processor is an ARM926EJ-S so we’re leaving the x86 world with this appliance. The hardware is quite capable and ok for smaller branches, so no problem here.

After reviewing the SG-80 known limitations I wonder why these exist? Is it that hard to adapt the Check Point code to this platform?

Why is AntiVirus on POP3 and content-based AntiSpam not supported? These two seem essential for the desired positioning of this gateway as an all-in-one solution for remote offices.

Why is there no SNMP-Monitoring and no SmartUpdate, no SmartProvisioning?
How are we supposed to manage and monitor this appliance in an enterprise environment?

As a first approach, the SG-80 is ok for some deployment situations.
But the software needs to evolve and present all the features that we’re used to.

Hopefully GAIA will sort these kinds of things out…

Tobias Lachmann

IPv6 Extension Headers support

After hearing two great presentations about IPv6 delivered by Silvia Hagen yesterday, I dug into the IPv6 capabilities of Check Point software.

I quickly found that Check Point doesn’t support all IPv6 Extension Headers.

By default only Fragmentation Headers are supported; by editing $FWDIR/lib/table.def, more Extension Headers can be enabled. Enabled means here that these headers are accepted but no content inspection is performed on them.

I’m fairly new to IPv6 at the moment, but letting packets through with no inspection on specific parts of the packet doesn’t seem to be a good idea.

Hopefully I will find out more and then I will present my findings to you.

Tobias Lachmann

Learned something new – or again?

Checking the current number of connections can be done with the command fw tab -t connections -s

Especially when you do a Full Connectivity Update in a ClusterXL environment, you need to verify that both members have nearly the same amount of connections.

When I did this in the past, I opened SSH connections to both nodes and issued the command.

Thanks to the presentation of Yasushi Kono yesterday I now know (again?) that this command can also be issued on the management server to get values from both firewall nodes. Just add the target(s) as option to the command:

[Expert@fwm]# fw tab -t connections -s fw1 fw2
HOST NAME ID #VALS #PEAK #SLINKS
fw1 connections 58 137867 250322 508451
fw2 connections 8158 137560 250310 507258

Much more comfortable… 😉
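The comparison the post describes (both members should show nearly the same number of connections) can be scripted from the same listing. The following is an added example written for this post, not code from the original post or from Check Point: it parses the constructed sample output copied from the listing above and flags the two members when their #VALS differ by more than a given percentage. The tolerance value and the function names are my own choice.

```shell
# Added example, not from the original post: compare the connection table
# size of two ClusterXL members from the output of
#   fw tab -t connections -s fw1 fw2
# as run on the management server.

# Constructed sample, copied from the listing in the post. On a real
# management server pipe the live command in instead:
#   fw tab -t connections -s fw1 fw2 | conn_skew 5
SAMPLE_FWTAB='HOST NAME ID #VALS #PEAK #SLINKS
fw1 connections 58 137867 250322 508451
fw2 connections 8158 137560 250310 507258'

# conn_vals <host>: print the #VALS column (current entries) of one member.
conn_vals() {
    awk -v h="$1" '$1 == h && $2 == "connections" { print $4 }'
}

# conn_skew <tolerance-percent>: read the listing on stdin, compare the two
# members' #VALS and print "OK <diff>" or "WARN <diff>". Returns 1 on WARN
# so it can gate a maintenance script (for example before a manual failover).
conn_skew() {
    awk -v tol="$1" '
        BEGIN { n = 0 }
        $2 == "connections" { host[n] = $1; vals[n] = $4; n++ }
        END {
            if (n != 2) { print "ERROR expected two members, got " n; exit 2 }
            a = vals[0]; b = vals[1]
            hi = (a > b) ? a : b; lo = (a > b) ? b : a
            diff = (hi == 0) ? 0 : (hi - lo) * 100 / hi
            status = (diff <= tol) ? "OK" : "WARN"
            printf "%s %.2f%% (%s=%d %s=%d)\n", status, diff, host[0], a, host[1], b
            exit (status == "OK") ? 0 : 1
        }'
}
```

With the sample listing the two members differ by about 0.22%, so a 5% tolerance reports OK. A large, persistent skew after a Full Connectivity Update is the sign that state sync is not working and is worth checking before any failover.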

Tobias Lachmann

In Chur again

It’s the night before the Check Point User Group conference 2010 and I just returned from a nice dinner with Barry, the guys from Würth and all the other speakers.

I’m excited to see who’s attending this year and I’m thrilled about the upcoming discussions and our favorite products.

Tobias Lachmann

Antivirus

All applications like SmartView Monitor get the information about the Anti Virus version running on the Security Gateway by reading one of the following files:

  • R70 – $FWDIR/av/ca/update/incoming/Anti_Virus.entitlement.C
  • R71 – $FWDIR/av/kav/update/incoming/KSS_AV.entitlement.C

Tobias Lachmann

Emulation of UTM-1 appliance in VMware with R70

With NGX R65, you could install the UTM-1 ISO image into a VMware machine for testing purposes.
Starting with R70, the installation worked, but there was no network connectivity afterwards.

The reason for this is that a script probes if the hardware running the UTM-1 image is an appliance or not.

For that purpose the following commands are issued:

[Expert@cpfw01]# dmiparse "System Information" "Manufacturer:"
Crossbeam Systems Inc.
[Expert@cpfw01]# dmiparse "System Information" "Product Name:"
C2_UTM

This information is used to parse the file /etc/sysconfig/ethmap.database which contains information about the interface setup of the specific appliance.

This leads to the creation of a corresponding /etc/sysconfig/ethmap file, derived from ethmap.appliance.advance, ethmap.appliance.plus or ethmap.appliance.regular.

This could look like this:

[Expert@cpmodule]# cat ethmap
Internal eth0
External eth1
DMZ eth2
Lan1 eth3
Lan2 eth4
Lan3 eth5
Lan4 eth6
Lan5 eth7
Lan6 eth8
Lan7 eth9

This information is also used when netconf.C is created. Since inside VMware the dmiparse command does not report a Check Point appliance, the mapping goes wrong and we end up with wrong interface names in netconf.C.

[Expert@cpmodule]# cat netconf.C.backup
(conf
: (conns
: (conn
:ifname (Internal)
:type (1)
:ipaddr ("192.168.1.1/24")
:s-code (0)
)
: (conn
:ifname (lo)
:type (6)
:ipaddr ("127.0.0.1/8")
:s-code (0)
)
)
: (routes
: (route
:dest (default)
:via (192.168.1.254)
:metric (0)
)
)
)

The solution to that problem is to simply change the ifname in netconf.C to the appropriate interface name like eth0.

For that purpose, log in to the console over the VMware client, using admin/admin as the username / password combination. Change to expert mode and edit netconf.C like this:

[Expert@cpmodule]# cat netconf.C
(conf
: (conns
: (conn
:ifname (eth0)
:type (1)
:ipaddr ("212.1.57.221/23")
:s-code (0)
)
: (conn
:ifname (lo)
:type (6)
:ipaddr ("127.0.0.1/8")
:s-code (0)
)
)
: (routes
: (route
:dest (default)
:via (192.168.1.254)
:metric (0)
)
)
)

Now you can access the WebUI of your UTM-1 in VMware and continue configuring as normal. There’s no problem configuring the remaining interfaces either, which are not in netconf.C at the moment.
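The manual edit above can be turned into a repeatable step. What follows is an added example written for this post, not code from the original post or from Check Point: it takes the name-to-device pairs from an ethmap file and rewrites the `:ifname (...)` lines of a netconf.C accordingly, leaving everything else (and names such as `lo` that have no ethmap entry) untouched. The two sample files are constructed from the listings in the post; the function names are mine.

```shell
# Added example, not from the original post: rewrite the ":ifname (...)"
# entries of a netconf.C using the name-to-device pairs from an ethmap file,
# so that "Internal" becomes "eth0" and so on. Both sample files below are
# constructed from the listings in the post.

# Constructed ethmap (first three lines of the post's listing).
SAMPLE_ETHMAP='Internal eth0
External eth1
DMZ eth2'

# Constructed netconf.C excerpt with the wrong interface name.
SAMPLE_NETCONF='(conf
: (conns
: (conn
:ifname (Internal)
:type (1)
:ipaddr ("192.168.1.1/24")
:s-code (0)
)
: (conn
:ifname (lo)
:type (6)
:ipaddr ("127.0.0.1/8")
:s-code (0)
)
)
)'

# fix_ifnames <ethmap-file>: read a netconf.C on stdin and write the
# corrected file on stdout. Only ":ifname (...)" lines are touched; names
# without an ethmap entry (such as "lo") pass through unchanged.
fix_ifnames() {
    awk -v mapfile="$1" '
        BEGIN {
            while ((getline line < mapfile) > 0) {
                n = split(line, f, " ")
                if (n >= 2) dev[f[1]] = f[2]
            }
            close(mapfile)
        }
        /^[ \t]*:ifname \(/ {
            name = $0
            sub(/^[ \t]*:ifname \(/, "", name)
            sub(/\).*$/, "", name)
            if (name in dev) sub(/\(.*\)/, "(" dev[name] ")")
        }
        { print }'
}

# ifnames: list the interface names of a netconf.C read on stdin, one per
# line, to verify the result before restarting networking.
ifnames() {
    awk '/^[ \t]*:ifname \(/ {
        name = $0
        sub(/^[ \t]*:ifname \(/, "", name)
        sub(/\).*$/, "", name)
        print name
    }'
}
```

On the appliance, after keeping the backup copy the post shows, run it as `fix_ifnames /etc/sysconfig/ethmap < netconf.C > netconf.C.new`, check the result with `ifnames < netconf.C.new`, and only then move the new file into place.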

Tobias Lachmann

Documents related to troubleshooting

The Check Point knowledge base contains a lot of useful documents related to troubleshooting. Here’s a selection. Feel free to send an email to blog@lachmann.org when you think that a document is missing in the list.

SmartSPLAT – very nice SSH GUI client for SPLAT

I’d like to share with you that today I became aware of the project SmartSPLAT.

Cagdas Ulucan, CCSE+ from Turkey, developed a nice GUI that uses a simple SSH connection to log in to your SPLAT-based box and display, change and collect a lot of useful information.

SmartSPLAT

The three shell windows show the output of fw monitor, the actual fw logging and the main commands; parameters for them can be set using the GUI.

When you click on a button (for example “debug vpn”), you can actually see what commands are issued to the shell, so here you have a learning effect.

The tool has a built-in FTP and syslog server, so produced debug files can be uploaded easily.

At first you’re overwhelmed by all the tabs that address different (troubleshooting) topics, but I think the GUI will improve and Cagdas will find a way to enhance the presentation of his tool.

What is really cool is the cluster view, where you have a window with two panes, each representing one cluster member. An easy way to send commands to both cluster members and compare the results!

Try his tool, it’s completely free and very, very useful.
Send him your suggestions for improvement and make it even better.

Tobias Lachmann

resize2fs: Operation not permitted While trying to add group #128

Today I tried to increase the logical volume on a UTM-1 appliance as described before in this blog.

I got the error
resize2fs: Operation not permitted While trying to add group #128
when issuing the resize2fs command.

The solution to this problem: the journal was too small and had to be re-created (removing the journal with tune2fs requires the filesystem to be unmounted or mounted read-only):

[Expert@firewall]# dumpe2fs /dev/vg_splat/lv_log | grep "Journal size"
Journal size: 32M

[Expert@firewall]# tune2fs -O ^has_journal /dev/vg_splat/lv_log

[Expert@firewall]# tune2fs -j /dev/vg_splat/lv_log
Creating journal inode:
done

[Expert@firewall]# dumpe2fs /dev/vg_splat/lv_log | grep "Journal size"
Journal size: 128M

After that do a filesystem check and issue the resize2fs command, which will succeed.

Tobias Lachmann

Increasing HTTP connection buffer for Anti Virus scanning

Just stumbled upon sk36090, which describes that Anti Virus scanning for HTTP traffic can significantly slow down browsing.
The resolution is easy: just increase the buffer assigned to each HTTP connection.

Go to Policy -> Global Properties -> SmartDashboard Customization. Click on Advanced Configuration.

http_buffers_size

Change the http_buffers_size from 4096 bytes to a higher value. Since the default number of concurrent connections is 1000 for HTTP, changing the parameter to the maximum of 65500 bytes would only allocate ~ 63 MB for all buffers together, so why not go with the max?

Tobias Lachmann

Application Control – the next big thing?

Check Point announced their new Application Control software blade.

Now it is not only possible to use URL filtering for blocking or allowing specific sites, but also to determine what exactly is allowed or denied.
For example: allow Facebook in general, but block Facebook games.

The AppWiki database lists several thousand web-based applications to choose from for use in your policy.

Like DLP, this blade comes with UserCheck technology. This resident (Windows) client allows the gateway to interact with the user. If for example access to YouTube is allowed only for business use and not for personal use, UserCheck can present a dialog to the user asking what’s the intended purpose of visiting the site. If the user confirms that it’s for business, he is allowed to access the site.

At the moment I’m wondering if this is the next big thing….. will customers buy this blade and enforce their very own policy? Will this be a considerable alternative to pure content inspection products like WebWasher? What are the implications for the company security policy? Who’s defining the allow/block lists?

To be honest, I’m not sure at the moment how customers will use the technology.

Maybe for them it’s enough to block one or two specific apps as reason to buy this blade.

Maybe it’s getting as complex as a full-blown IPS solution with a security engineer defining policies and checking logs all day…. and how many companies can afford that?

I guess we have to wait some time to see where it’s going…

Tobias Lachmann

new kernel modules starting with R70

On a SPLAT machine, which is based on (RedHat) Linux, the Check Point software runs as user-mode processes or as Linux kernel modules.

These modules can be listed using lsmod:

[Expert@firewall]# lsmod
Module Size Used by Tainted: PF
rtmmod_smp.2.4.21.cp.i686 281120 1
bridge 27680 0 (autoclean) (unused)
vpnmod_smp.2.4.21.cp.i686 1269512 3
fwmod_smp.2.4.21.cp.i686 7858176 11
simmod_smp.2.4.21.cp.i686 827904 1
vpntmod_smp.2.4.21.cp.i686 13808 0 (unused)
e1000 126728 6
bnx2 79432 2
crc32 3592 0 [bnx2]
sg 38092 0 (autoclean) (unused)
microcode 7072 0 (autoclean)
ide-cd 35840 0 (autoclean)
cdrom 33248 0 (autoclean) [ide-cd]
dm-mod 59428 0
keybdev 3048 0 (unused)
mousedev 5688 0 (unused)
hid 22628 0 (unused)
input 5504 0 [keybdev mousedev hid]
ehci-hcd 20968 0 (unused)
usb-uhci 27308 0 (unused)
usbcore 79680 1 [hid ehci-hcd usb-uhci]
ext3 92840 5
jbd 54056 5 [ext3]
cciss 70432 12
sd_mod 14128 0 (unused)
scsi_mod 118312 2 [sg cciss sd_mod]

When Check Point refers to the firewall kernel, they’re actually talking about these Linux kernel modules.

The Check Point kernel itself is composed of several modules, which can be shown using the fw ctl debug -h command.

In NGX we had the following:

  • fw “Firewall Module”
  • VPN “VPN Module”
  • FG-1 “Floodgate-1 QoS Module”
  • H323 “VoIP H.323 Module”
  • BOA “Malicious Code Protection Module”
  • WS “SmartDefense Web Intelligence Module”
  • CPAS “Active Streaming Module”
  • CLUSTER “ClusterXL Module”
  • RTM “SmartView Monitor Module”

Now with R70 and Software Blades, we have some more kernel modules:

  • kiss ???
  • kissflow ???
  • multik ???
  • SFT ???
  • CI ???
  • fw “Firewall Module”
  • VPN “VPN Module”
  • FG-1 “Floodgate-1 QoS Module”
  • H323 “VoIP H.323 Module”
  • BOA “Malicious Code Protection Module”
  • WS “SmartDefense Web Intelligence Module”
  • CPAS “Active Streaming Module”
  • CLUSTER “ClusterXL Module”
  • RTM “SmartView Monitor Module”

At the moment I have not found any reference for the new modules, neither an explanation of the modules themselves nor of their kernel debugging options.

I opened a service request with Check Point to get this information.

Tobias Lachmann

Determine current Antivirus version

We’ve seen problems with updating the AntiVirus patterns in the past on UTM-1 appliances.
Somehow the reported version numbers seemed wrong.

But where to check what’s the current version?

Easy answer to that:
http://sigcheck.checkpoint.com/Siglist2.txt

Compare your version from SmartView Monitor or avsu_client to the version you see on the above page.

Tobias Lachmann

DLP again

Well, some thoughts about DLP were in my mind for some time and I want to write them down.

First, DLP is about unintentional data loss. There are always ways to get data out of a secure area, whether by USB drives, HTTPS upload, CD-Rs, steganography or whatsoever. It’s nearly impossible to prevent data leaks completely.

But that’s not what DLP is aiming for… it’s for the user that accidentally chooses the wrong email address or picks the wrong file for uploading on a website. And for that purpose, it’s totally sufficient.

The underlying engine which does the processing is amazing and you can do all kinds of stuff with the data types. For most of your requirements Check Point brings built-in data types, whether credit card numbers or social security numbers.

Second: the hard part with DLP is to define a company policy and a list of data that should not leave the company. This is where technical and organizational security meet, and it is the biggest challenge.

Concerning the DLP-1 appliances that I mentioned before, I have some information about the hardware.

The DLP-1 2571 has Dual Core CPU, 4 GB RAM and 500 GB HDD, so it’s pretty much a UTM-1 3070 series appliance with more memory and HDD.

The DLP-1 9571 is based on the Power-1 9075 and comes with 2x QuadCore CPU, 8 GB RAM and 2x 1 TB HDD.

Internal Check Point sources say that by now it’s safe to assume that for real-life traffic you have to divide the performance numbers by 4. This will change with the next releases, which improve performance.

If you haven’t noticed, DLP-1 appliances come with the UserDirectory blade to allow easy connectivity to Active Directory domains or LDAP directories.

DLP-1 will be able to scan also HTTPS traffic in the near future (Q1/11) and I’m really looking forward to that feature.

If someone has solid hands-on experience with a DLP implementation, please share them with me: blog@lachmann.org

Tobias Lachmann

New Check Point Series 80 Appliance

Check Point released a new appliance, the SG80 or Series 80 appliance.
It is aimed at branch offices and it is positioned between UTM-1 appliances and UTM-1 Edge appliances.
Performance-wise it is very close to the bigger UTM-1 appliances, if we can trust the datasheets.
The specs are:

  • Firewall Throughput 1500 Mbps
  • VPN Throughput 220 Mbps
  • IPS Throughput 720 Mbps
  • AV Throughput 100 Mbps

Since I measured only 20 Mbps AV scanning throughput with R71 on a UTM-1 270 appliance, I don’t trust these figures for real rule bases and real-life traffic. But anyway, at least good enough for comparison to other Check Point appliances.

The management of this gateway has to be done over a Security Management server or Provider-1; it is not self-managed, unlike UTM-1 appliances.

The desktop form factor is quite nice, I’m just wondering about the cooling. The UTM-1 130 appliances use passive cooling, too, and can get pretty hot sometimes.

What’s nice for smaller offices are the built-in 8 LAN ports with Gigabit Ethernet, so under some circumstances you can eliminate an additional switch in the office. The SG80 has one additional Gigabit WAN port and a Gigabit DMZ port.

As for now I have no info about the hardware in this appliance, nor the operating system. But I think that it is SPLAT based, deriving from the feature set.

The SG80 is comparably low cost for the performance, as it starts at $2500,–

At the moment this appliance can only be configured over the R70.40 version management / SmartConsole.

The wizard is a little bit different than for normal gateways, but very straightforward.
They changed the SIC handling here. At creation of the object in SmartDashboard you enter a secret and you can install the policy for this device.
But SIC is not established right away; the status of this object is ‘waiting’.
The administrator in the remote office can install the appliance later and connect to the Security Management with this secret, establishing SIC completely.
It’s a mixture of handling normal gateways and Edge appliances, and very nice.
Also the most needed configuration options can be chosen when creating the SG80 object using the wizard.

SG80 wizard

All in all it’s a very nice approach with this new appliance and I can’t wait to get my hands on one of these boxes to test it.

If you had the possibility to test one, please send your findings to blog@lachmann.org

Tobias Lachmann

UPDATE: The SG80 runs Secure Platform Embedded as operating system. Sounds like a stripped-down version of SPLAT to me.

R70.40 released – use with care

Yesterday Check Point released R70.40 with some modifications for the new UTM-1 Edge N series and the Security Gateway 80 series, support for Embedded NGX 8.1 firmware, provisioning for IPSO 6.2 and an enhanced vsx_util.

We have some improvements here, judging by the resolved issues.

This release is also the first one to handle SG80 gateways.

But, as the Release Notes state, the R70.40 cannot be upgraded to R71. You first have to uninstall it before upgrading. This is not very handy, so I would suggest to upgrade directly to R71.10 and wait for the upcoming R71.20 release, which should also contain the fixes and enhancements.

Tobias Lachmann

Manual failover between ClusterXL members

A Check Point security gateway cluster running under ClusterXL uses certain devices that must be running on the cluster member for the member to be considered active.

The devices can be displayed using cphaprob -ia list. A normal output will look like this:

[Expert@firewall]# cphaprob -ia list

Built-in Devices:

Device Name: Problem Notification
Current state: OK

Device Name: Interface Active Check
Current state: OK

Device Name: HA Initialization
Current state: OK

Device Name: Load Balancing Configuration
Current state: OK

Registered Devices:

Device Name: Synchronization
Registration number: 0
Timeout: none
Current state: OK
Time since last report: 13212.1 sec

Device Name: Filter
Registration number: 1
Timeout: none
Current state: OK
Time since last report: 13201.4 sec

Device Name: cphad
Registration number: 2
Timeout: 2 sec
Current state: OK
Time since last report: 0.1 sec

Device Name: fwd
Registration number: 3
Timeout: 2 sec
Current state: OK
Time since last report: 0.1 sec

If one or more of the devices have a problem, ClusterXL will fail over from the active member to the standby member. This is only true as long as the second member has no problem itself; if it does, the cluster mechanism decides on its own which machine is more suitable to handle the traffic and will or will not fail over.

Failover will also occur if you issue cpstop or cphastop on the active member, stopping all Check Point services or just the ClusterXL related service.

For the purpose of maintenance it can be necessary to move all the traffic away from the active member to the secondary member by initiating a failover, while leaving the security policy and services active on the machine.

This can be done by registering a new device and adding it to the list of the processes that must be running for the cluster member to be considered active and putting the new device in the problem state.

Use this command line: cphaprob -d STOP -s problem -t 0 register

If you want to unregister the problematic device and make the cluster member available and active again, just use this: cphaprob -d STOP unregister.

Learn more about the usage of cphaprob from the CLI manual.
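Before registering the STOP device, and again before unregistering it, it is worth confirming that no other device on either member is already in a problem state, since that is the case where ClusterXL decides on its own whether to fail over. The following is an added example written for this post, not code from the original post or from Check Point: it parses the output of cphaprob -ia list and lists every device whose state is not OK. The sample output is constructed from the listing above with a STOP device added as the post's command would register it; the registration number and the function names are my own.

```shell
# Added example, not from the original post: parse "cphaprob -ia list" and
# report every device that is not in state OK. Run it before a manual
# failover (expect nothing) and while the STOP device is registered (expect
# exactly that one device).

# Constructed excerpt of "cphaprob -ia list" output, with a STOP device as
# registered by "cphaprob -d STOP -s problem -t 0 register" (assumed output).
SAMPLE_CPHAPROB='Built-in Devices:

Device Name: Problem Notification
Current state: OK

Device Name: Interface Active Check
Current state: OK

Registered Devices:

Device Name: Synchronization
Registration number: 0
Timeout: none
Current state: OK
Time since last report: 13212.1 sec

Device Name: STOP
Registration number: 4
Timeout: none
Current state: problem
Time since last report: 0.5 sec

Device Name: fwd
Registration number: 3
Timeout: 2 sec
Current state: OK
Time since last report: 0.1 sec'

# failed_devices: read cphaprob output on stdin and print "<device> <state>"
# for every device not in state OK. Returns 0 if all are OK, 1 otherwise.
failed_devices() {
    awk '
        /^Device Name:/   { name = $0; sub(/^Device Name: */, "", name) }
        /^Current state:/ {
            state = $0; sub(/^Current state: */, "", state)
            if (state != "OK") { print name " " state; bad++ }
        }
        END { exit (bad > 0) ? 1 : 0 }'
}

# cluster_is_healthy: the same check without output, for use in conditions.
cluster_is_healthy() { failed_devices >/dev/null; }

# The two commands from the post, wrapped so a maintenance script can call
# them and then re-check with "cphaprob -ia list | failed_devices".
manual_failover() { cphaprob -d STOP -s problem -t 0 register; }
manual_failback() { cphaprob -d STOP unregister; }
```

On the member, `cphaprob -ia list | failed_devices` should print nothing before the failover and exactly `STOP problem` while the device is registered; any other line means the member has a problem of its own and the cluster may not behave as planned.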

Tobias Lachmann

Display errors in SmartView Monitor

Sometimes SmartView Monitor gets confused and displays wrong (cached) information.

To clear this up you do the following:

– issue cpstop on the Security Management server
– delete $FWDIR/conf/applications.C,
$FWDIR/conf/applications.C.backup,
$FWDIR/conf/CPMILinksMgr.db
and $FWDIR/conf/CPMILinksMgr.db.private
– issue cpstart
– install policy again
– open SmartView Monitor again

Tobias Lachmann

Appliance hardware – updated

Here is a short list of the hardware used in UTM-1 / Power-1 / Smart-1 appliances.

The details can be determined from the command line.

For the CPU details use cat /proc/cpuinfo, for the RAM details use cat /proc/meminfo.

If you have more details on appliances, feel free to send them to blog@lachmann.org

All throughput values are taken from official Check Point materials.

If you take the appliance hardware together with the throughput stated by Check Point, it might give you an idea how your OpenServer hardware will perform in comparison.

Have a close look at the throughput values of the UTM-1 450 in comparison to the UTM-1 570. The processor power is identical, as is the memory. But the throughput values for the UTM-1 450 were measured with NGX R65, the values for the UTM-1 570 were measured with R71. See what a performance boost R71 can be, even on the “old” hardware. Sweet!

UTM-1 130

  • Intel Celeron M 600 MHz
  • 1 GB RAM
  • 80 GB ATA HDD
  • Firewall Throughput: 1.5 Gbps
  • VPN Throughput: 120 Mbps
  • IPS Throughput: 1.0 Gbps

UTM-1 270

  • Intel Celeron M 600 MHz
  • 1 GB DDR2 RAM 400 MHz
  • 160 GB ATA HDD
  • Firewall Throughput: 1.5 Gbps
  • VPN Throughput: 120 Mbps
  • IPS Throughput: 1.0 Gbps

UTM-1 450

  • Intel Celeron M 1.5 GHz
  • 1 GB RAM
  • 80 GB ATA HDD
  • Firewall Throughput (R65): 400 Mbps
  • VPN Throughput (R65): 200 Mbps

UTM-1 570

  • Intel Celeron M 1.5 GHz
  • 1 GB RAM
  • 160 GB ATA HDD
  • Firewall Throughput: 2.5 Gbps
  • VPN Throughput: 300 Mbps
  • IPS Throughput: 1.7 Gbps

UTM-1 1070

  • Intel Celeron M 1.5 GHz
  • 1 GB RAM
  • 160 GB ATA HDD
  • Firewall Throughput: 3 Gbps
  • VPN Throughput: 350 Mbps
  • IPS Throughput: 2.2 Gbps

UTM-1 2050

  • Intel Pentium 4 3.4 GHz
  • 2 GB RAM
  • 80 GB ATA HDD
  • Firewall Throughput (R65): 2.4 Gbps
  • VPN Throughput (R65): 380 Mbps

UTM-1 2070

  • Intel Celeron 440 2.00GHz
  • 2 GB RAM
  • 160 GB ATA HDD
  • Firewall Throughput: 3.5 Gbps
  • VPN Throughput: 450 Mbps
  • IPS Throughput: 2.7 Gbps

UTM-1 3070

  • Intel Core2 Duo E6400 2.13GHz
  • 3 GB RAM
  • 160 GB ATA HDD
  • Firewall Throughput: 4.5 Gbps
  • VPN Throughput: 1100 Mbps
  • IPS Throughput: 4.0 Gbps

Power-1 5075

  • Intel Xeon E5410 2.33GHz (QC)
  • 2 GB RAM
  • 160 GB ATA HDD
  • Firewall Throughput: 9.0 Gbps
  • VPN Throughput: 2.4 Gbps
  • IPS Throughput: 7.5 Gbps

Power-1 9075

  • 2x Intel Xeon E5410 2.33GHz (QC)
  • 4 GB RAM
  • 2x 160 GB HDD
  • Firewall Throughput: 9.0 Gbps
  • VPN Throughput: 2.4 Gbps
  • IPS Throughput: 7.5 Gbps

Smart-1 25

  • Intel Core2 Duo T7400 2.16GHz
  • 3 GB RAM
  • 4x 500 GB SATA HDD in RAID 10

Thanks to all the contributors for their info!

Tobias Lachmann

Rumors, rumors….

I heard some rumors recently that I’d like to share with you. True or not, nobody can tell. But sure interesting 😉

First, we can expect R75 GA by the end of the year. No idea what will be included, but maybe we see more improvements from software blades. As Dorit Dor stated some time ago, the introduction of software blades with R70 was the first step in a three-step-approach of a complete architecture re-design within the Check Point products. So personally I think that every new GA release will bring us closer to the goal and will give us additional performance and/or more features.

Second, Check Point seems to plan content inspection of HTTPS traffic; availability should be around the end of Q1/2011. This is a very interesting feature and I’m really looking forward to it. We had lots of projects where the customer chose not to use Check Point content scanning but rather a solution like WebWasher, which could also inspect SSL-encrypted traffic. I wonder how the handling will be done in detail and how easy the setup will be in comparison with WebWasher etc.

That’s all for now. Wait and see, if these rumors have a valid background.

If you know more details, please do not hesitate and write an email to blog@lachmann.org

Tobias Lachmann

Behaviour of Data Loss Prevention

Mmmh…. the DLP software acts as a proxy between internal mail server and external mail server.

It accepts the mail from the internal system and in the same time sends the data out to the external system besides the last package to complete the mail. When the mail is received by the DLP gateway from the internal server completely, it is scanned for compliance to the DLP policy and if the check is ok, the last packet is transmitted to the external mail server, finishing mail delivery.

If the check is not ok, the last packet is withheld and the gateway shuts down the connection to the external mail server. So basically the mail has left the company, but because of the interrupted transfer, the external mail server discards the temporary mail that has been delivered by then.

I’m not sure at the moment that I like this behaviour… I’m thinking about better ways to handle this… not finished thinking it through by now… will let you know my thoughts.

Tobias Lachmann

Secure Client for Mac OS 10.6 (Snow Leopard) available

SecureClient NG-AI R56 HFA 2 for Mac OS X 10.6 (Snow Leopard) is now officially available through the Support Portal. I tested the EA versions (Build 8 and 15) and had good results.

It’s sad that it took so long for Check Point to come up with a VPN client for 10.6 and also SNX support for Snow Leopard is not here at the moment.

Hope they’ll fix that soon.

Tobias Lachmann

UTM-1 1050 and 2050 network problems

So, what is the problem about? Well, NIC connections stay up for about 1 or 2 minutes, then they’re down for about 5 minutes.

We made an upgrade of a UTM-1 2050 series appliance to R71 and got massive connectivity problems. Two days later sk42174 came out, which helped us fix the problem. It seems that the Linux kernel starting with R70 assigns new drivers to the NICs, which are incorrect.
The solution for that problem is to change the settings back to the old driver.

For details please refer to the SK and have it in mind when you’re updating older appliances.

Back to Chur in September – CPUGCON 2010

I will be travelling to the Check Point Usergroup Conference (CPUGCON) in Chur this September!

Thanks to my employer MCS for giving me the opportunity.

Barry Stiefel accepted my presentations for “Best Practices For The Check Point Appliances” and “Check Point Troubleshooting” and I’m happy to speak again in front of such a great audience.

It turned out last year that half of the attendees were working for Check Point partners, so there is an enormous amount of knowledge and experience there.

Make sure to attend, too!

Where else can you meet people like yourself, dealing with the same topics and the same problems? Benefit from their experience and their solutions.

Check out the conference presentations (work in progress) and meet the speakers.

And please don’t hesitate to speak to me and share some feedback about this blog when you see me in Chur.

Tobias Lachmann

R71.10 available

The new R71.10 update is available. Find all the resources on this page within UserCenter.

We now have Abra support on all gateway platforms, support for Outlook Web Access (OWA) 2010 over SSL VPN and R71.10 includes the hotfix for the SSL VPN blade, that was mandatory when using this blade with R70.

Please note that the R71.10 upgrade package cannot be installed on gateways with DLP.

Check Point also released complete packages for a fresh installation with R71.10 but they sadly don’t include UTM-1 images.

Tobias Lachmann

Proactive detection mode vs. Stream detection mode

As I wrote a while ago, we had great performance improvements with Antivirus Scanning and the R71 release. On the same UTM-1 hardware the throughput doubled. While this was true for my lab testing, real world testing didn’t show the same results. Upgraded systems had no better AV performance and only slightly more overall performance was showing.

The reason for that is that an upgraded system keeps the old way of detecting viruses, the Proactive detection mode. In this mode, the traffic is trapped by the kernel and forwarded to the security server. The security server then forwards the traffic to the Antivirus engine and the traffic is allowed or blocked, depending on the response of the Antivirus engine. It is necessary to store the whole file first before scanning it.

The new Stream detection mode doesn’t need to store the file for scanning. Stream detection is able to scan uncompressed and compressed traffic while it is passing through the gateway’s kernel, doing decompression on the fly.

Stream detection mode works only signature-based, whereas Proactive detection mode works with Antivirus signatures and in addition with a sandbox where heuristic behaviour scans are done to detect malware, even if there is no signature available at the moment.

Stream detection is default on fresh installations, so that’s why you can see great performance improvement on R71.

The mode can be changed within SmartDashboard -> Antivirus & URL Filtering tab -> Antivirus -> Security Gateway and then choose the desired protocol.

Configuration of Antivirus detection mode

HTTP and SMTP can work with Stream detection mode and Proactive detection mode, POP3 and FTP only work with Proactive detection mode.

While I appreciate the performance improvement which can be gained using Stream detection mode, I think we lower security a little bit by abstaining from Proactive detection mode.

This decision should be made with careful consideration of the specific setup and customer needs. If you use solely Stream detection mode, make sure to have a good Antivirus solution from another vendor running on the end user’s desktop to double-check for malware.

What do you think about the two Antivirus modes? Mail your thoughts to blog@lachmann.org

Tobias Lachmann

Database Revision in R71

R71 brings us an improvement in the handling of database revisions.
Now it is possible to define how long old versions should be kept.
Criteria can be the number of versions, the age of versions, the storage consumed by versions or the free disk space.

Automatic Deletion of Database Revisions

I think this is a very nice improvement and worth noticing.

Tobias Lachmann

Online partition resizing on UTM-1 appliances

Under SPLAT with the 2.4 Linux kernel (NGX R65) you had to follow a slightly complicated procedure to resize the partitions and the filesystems on a UTM-1 appliance.

Now the R7x releases bring us the 2.6 kernel with lots of improvements. A very nice one is the ability to resize (meaning increase!) the partitions and filesystems online, without the need to unmount them.

[Expert@volvo]# lvresize -L 12GB vg_splat/lv_current
Extending logical volume lv_current to 12.00 GB
Logical volume lv_current successfully resized

[Expert@volvo]# resize2fs /dev/mapper/vg_splat-lv_current
resize2fs 1.39 (29-May-2006)
Filesystem at /dev/mapper/vg_splat-lv_current is mounted on /; on-line resizing required
Performing an on-line resize of /dev/mapper/vg_splat-lv_current to 3145728 (4k) blocks.
The filesystem on /dev/mapper/vg_splat-lv_current is now 3145728 blocks long.

Please note: this can only be done while increasing the filesystems. Reducing the filesystems requires them to be unmounted!

In that case go with this procedure.

Tobias Lachmann

Control UTM-1 Edge appliances from command line

The Edge gets its policy from the SmartCenter server over the SofaWare Management Server process (sms).

The interval of pulling the policy is defined over Global Properties -> UTM-1 Edge Gateway -> Update configuration settings every XX minutes

Global Properties for UTM-1 Edge appliances

If you want to update an Edge immediately, you can do this by using the WebUI (access your SmartCenter over http://:9283/) or you can use the command line.

The directory /opt/CPEdgecmp-R7x/bin contains the tool swcmd which can be used to issue commands directly to the Edge appliance.

swcmd UpdateNowAll will tell the Edges to update their policy immediately.

swcmd Reboot will reboot the gateway.

Tobias Lachmann

Certificate Signing Request (CSR) key size

In a recent blog entry I described how you can use 3rd party certificates within your Check Point gateway.

Now I was informed by Brian that some commercial CAs no longer sign a request if the key size is only 1024 bit; you need at least 2048 bit.

How can we change the behaviour of the Check Point while issuing the CSR?

Just go to Global Properties -> SmartDashboard Customization -> Configure -> Certificates and PKI properties.

Global Properties -> SmartDashboard Customization

There we have an option to define the key size for the certificates. Available values are 1024, 2048 and 4096 bit.

Certificate and PKI properties

Change this value according to your need and the requirements of the CA you chose for signing.

Starting with R71 the standard key size is 2048 bit.

Tobias Lachmann

Update to R71 – enlarging UTM-1 appliance root partitions

In one of my previous blog entries I described a way to enlarge partitions of UTM-1 appliances. This was necessary especially for the older x50 series appliances, as they had a smaller hard drive and a bad partition layout.

In the past I only enlarged the partition that held the log files because that’s where you have the most data. The procedure was working just fine and I was happy.

A couple of days ago I started updating x50 series appliances from R65 to R71. Even with cleaning up the system of unused files right before the update I got into serious trouble. The cause was that the root partition was nearly full.

The update process itself came up with no error, but while operating the appliance the root partition was completely full in no time. Especially updating the URL Filtering database, which is now about 370MB, filled the root partition quickly.

When I tried enlarging the root partition with the described procedure I failed.

Resizing requires the partition to be unmounted first – but you can’t unmount the root partition.

So I had to find another way to modify the partition sizes of the appliance.

Here’s what I did:

I downloaded an ISO-Image of grml, a Linux Live system for sysadmins. Then I modified the ISO to display output on the serial console. You can download this modified ISO here.

I connected a USB DVD drive to the appliance and booted the ISO image.

On the boot screen I added some parameters for the startup process:

Some information and boot options available via keys F2 - F10. http://grml.org/
grml 2010.04 - Release Codename Grmlmonster 2010.04.29
boot: serial debug=noscreen lang=de lvm

When grml was finished, it gave me a console with all the needed tools. LVM was loaded already and I was good to go.

I checked for the volume groups on the hard drive with the vgscan command:

root@grml ~ # vgscan -v
Wiping cache of LVM-capable devices
Wiping internal VG cache
Reading all physical volumes. This may take a while...
Finding all volume groups
Finding volume group "vg_splat"
Found volume group "vg_splat" using metadata type lvm2

Then I activated the logical volumes with vgchange:

root@grml ~ # vgchange -a y
6 logical volume(s) in volume group "vg_splat" now active

You can display the volume group with vgdisplay:

root@grml ~ # vgdisplay
--- Volume group ---
VG Name vg_splat
System ID
Format lvm2
Metadata Areas 1
Metadata Sequence No 7
VG Access read/write
VG Status resizable
MAX LV 255
Cur LV 6
Open LV 0
Max PV 255
Cur PV 1
Act PV 1
VG Size 72.47 GiB
PE Size 4.00 MiB
Total PE 18553
Alloc PE / Size 7424 / 29.00 GiB
Free PE / Size 11129 / 43.47 GiB
VG UUID dCQA6u-z70X-LIsE-Xhmb-n5ho-ZMrX-JyBePy

You can display the logical volumes with lvscan:

root@grml ~ # lvscan
ACTIVE '/dev/vg_splat/lv_current' [5.00 GiB] inherit
ACTIVE '/dev/vg_splat/lv_log' [10.00 GiB] inherit
ACTIVE '/dev/vg_splat/lv_hfa' [5.00 GiB] inherit
ACTIVE '/dev/vg_splat/lv_upgrade' [5.00 GiB] inherit
ACTIVE '/dev/vg_splat/lv_fcd' [2.00 GiB] inherit
ACTIVE '/dev/vg_splat/lv_fcd62' [2.00 GiB] inherit

Then I resized the logical volumes to better values:

root@grml ~ # lvresize -L 11GB /dev/vg_splat/lv_current
Extending logical volume lv_current to 11.00 GiB
Logical volume lv_current successfully resized

root@grml ~ # lvresize -L 25G /dev/vg_splat/lv_log
Extending logical volume lv_log to 25.00 GiB
Logical volume lv_log successfully resized

Keep in mind that you will need some free space for imaging purposes, so don’t use up all the space on the hard drive!
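As an added example (not from the original post), here is a small pre-flight check in POSIX shell for exactly this step: it reads vgdisplay and lvscan output and reports whether growing lv_current and lv_log to the requested sizes still fits into the free extents while keeping a reserve for imaging. A constructed sample of both outputs, in the shape shown above, is embedded so it runs offline; it assumes lvscan reports sizes in GiB as on this appliance, and the function names are mine.

```shell
#!/bin/sh
# Added example, not from the original post: pre-flight check before "lvresize".
# Reads vgdisplay/lvscan output (constructed samples below, in the shape the post shows)
# and checks that the requested growth fits in the free extents minus an imaging reserve.

# Constructed sample of "vgdisplay" output (only the lines the check needs).
SAMPLE_VGDISPLAY='--- Volume group ---
VG Name vg_splat
PE Size 4.00 MiB
Total PE 18553
Alloc PE / Size 7424 / 29.00 GiB
Free PE / Size 11129 / 43.47 GiB'

# Constructed sample of "lvscan" output; sizes are assumed to be in GiB, as on the page.
SAMPLE_LVSCAN="ACTIVE '/dev/vg_splat/lv_current' [5.00 GiB] inherit
ACTIVE '/dev/vg_splat/lv_log' [10.00 GiB] inherit
ACTIVE '/dev/vg_splat/lv_hfa' [5.00 GiB] inherit"

# Physical extent size in MiB, taken from the "PE Size" line.
pe_size_mib() {
    printf '%s\n' "$SAMPLE_VGDISPLAY" | awk '/PE Size/ { printf "%d\n", $3 }'
}

# Number of free physical extents, taken from the "Free PE / Size" line.
free_pe() {
    printf '%s\n' "$SAMPLE_VGDISPLAY" | awk '/Free PE/ { print $5 }'
}

# Current size of logical volume $1 in MiB, parsed from its lvscan line ("[5.00 GiB]").
lv_size_mib() {
    printf '%s\n' "$SAMPLE_LVSCAN" |
        awk -v lv="$1" -v q="'" '$0 ~ "/" lv q { sub(/\[/, "", $3); printf "%d\n", $3 * 1024 }'
}

# Extra extents that "lvresize -L ${2}G" would allocate for logical volume $1.
# A target at or below the current size is a shrink, which needs the file system
# unmounted and is not covered here, so it counts as zero growth.
extents_to_grow() {
    cur=$(lv_size_mib "$1")
    pe=$(pe_size_mib)
    target=$(( $2 * 1024 ))
    if [ "$target" -le "$cur" ]; then
        echo 0
        return 0
    fi
    echo $(( (target - cur + pe - 1) / pe ))   # round up to whole extents
}

# growth_fits RESERVE_GIB LV GIB [LV GIB ...]
# Succeeds (exit 0) when all requested growth fits into Free PE while keeping
# RESERVE_GIB of the volume group unallocated for imaging purposes.
growth_fits() {
    reserve=$(( $1 * 1024 / $(pe_size_mib) ))
    shift
    need=0
    while [ $# -ge 2 ]; do
        need=$(( need + $(extents_to_grow "$1" "$2") ))
        shift 2
    done
    avail=$(( $(free_pe) - reserve ))
    echo "extents needed: $need, available after reserve: $avail"
    [ "$need" -le "$avail" ]
}

# The resize from the post: lv_current to 11 GiB and lv_log to 25 GiB, keeping 5 GiB spare.
growth_fits 5 lv_current 11 lv_log 25
```

On a real system replace the two sample variables with the live output of vgdisplay and lvscan from the grml shell.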

Then a file system check has to be done, followed by the resizing of the file system.

root@grml ~ # e2fsck -f /dev/vg_splat/lv_current
e2fsck 1.41.11 (14-Mar-2010)
Superblock last mount time is in the future.
(by less than a day, probably due to the hardware clock being incorrectly set) Fix? yes

Pass 1: Checking inodes, blocks, and sizes
Pass 2: Checking directory structure
Pass 3: Checking directory connectivity
Pass 4: Checking reference counts
Pass 5: Checking group summary information
/dev/vg_splat/lv_current: ***** FILE SYSTEM WAS MODIFIED *****
/dev/vg_splat/lv_current: 26973/655360 files (0.1% non-contiguous), 384238/1310720 blocks

root@grml ~ # resize2fs /dev/vg_splat/lv_current
resize2fs 1.41.11 (14-Mar-2010)
Resizing the filesystem on /dev/vg_splat/lv_current to 2883584 (4k) blocks.
The filesystem on /dev/vg_splat/lv_current is now 2883584 blocks long.

root@grml ~ # e2fsck -f /dev/vg_splat/lv_log
e2fsck 1.41.11 (14-Mar-2010)
Superblock last mount time is in the future.
(by less than a day, probably due to the hardware clock being incorrectly set) Fix? yes

Pass 1: Checking inodes, blocks, and sizes
Pass 2: Checking directory structure
Pass 3: Checking directory connectivity
Pass 4: Checking reference counts
Pass 5: Checking group summary information

/dev/vg_splat/lv_log: ***** FILE SYSTEM WAS MODIFIED *****
/dev/vg_splat/lv_log: 56/1310720 files (3.6% non-contiguous), 49409/2621440 blocks

root@grml ~ # resize2fs /dev/vg_splat/lv_log
resize2fs 1.41.11 (14-Mar-2010)
Resizing the filesystem on /dev/vg_splat/lv_log to 6553600 (4k) blocks.
The filesystem on /dev/vg_splat/lv_log is now 6553600 blocks long.

To finish, deactivate the logical volumes:

root@grml ~ # vgchange -a n
0 logical volume(s) in volume group "vg_splat" now active

root@grml ~ # lvscan
inactive '/dev/vg_splat/lv_current' [11.00 GiB] inherit
inactive '/dev/vg_splat/lv_log' [25.00 GiB] inherit
inactive '/dev/vg_splat/lv_hfa' [5.00 GiB] inherit
inactive '/dev/vg_splat/lv_upgrade' [5.00 GiB] inherit
inactive '/dev/vg_splat/lv_fcd' [2.00 GiB] inherit
inactive '/dev/vg_splat/lv_fcd62' [2.00 GiB] inherit

That’s it. Reboot again and start the Secure Platform.

Check with df -h that you have the desired partition layout:

[Expert@cpmodule]# df -h
Filesystem Size Used Avail Use% Mounted on
/dev/mapper/vg_splat-lv_current
11G 1.4G 8.9G 14% /
none 11G 1.4G 8.9G 14% /dev/pts
/dev/hdc1 145M 13M 125M 9% /boot
none 502M 0 502M 0% /dev/shm
/dev/mapper/vg_splat-lv_log
25G 33M 24G 1% /var/log

Tobias Lachmann

Keep up 2 date? Why 8?

I stumbled upon the process keepup2date8, which was running for quite a while on the machine after an R71 upgrade.
It took me some time to find out that it is nothing to worry about, but the Kaspersky process for updating the antivirus database.

Tobias Lachmann

Using 3rd party certificates for your SSL VPN

With Check Point software it’s very easy to configure client authentication over https or SSL VPN with the SSL Network Extender (SNX).

But unfortunately, Check Point presents a self-signed certificate from the internal CA to the users.

The resulting browser warning can be confusing for the users and the connection might not even work, depending on the company policy and settings in the browser.

The better way is to have a certificate on the gateway that was issued by one of the big CAs like Verisign, Thawte etc. and present this to the users.

Because these CAs are known to the browser as trustworthy, no error message appears while connecting.

I’m going to show you how to configure your gateway with a certificate from a 3rd party CA.

1. First, we need to create a trusted CA object under the Servers and OPSEC Applications section.

Creating a trusted CA object

2. Then we give a name to the CA object and choose OPSEC PKI as CA type.

CA properties

3. On the next tab you can import the CA certificate from a file.

OPSEC PKI properties

Here you can also choose to do an automatic enrollment for certificate renewal over three different protocols. However, this isn’t supported by all CAs. Personally I don’t do automatic renewals but do it by hand instead every time.

If you uncheck CRL retrieval from HTTP servers, all certificates will be trusted, whether revoked or not. For our purpose it’s ok to have this unchecked.

4. While importing the CA certificate you have to approve it.

Accept CA certificate

5. Now we’re done with the CA object and can actually go to the gateway object.

Gateway properties

6. Click on Add to create a new certificate. You’re asked for a Nickname of the certificate which is used in various places in the GUI and in config files. I would suggest to keep it short and descriptive. Choose to enroll this certificate from the CA created in the steps before.

Certificate properties

7. At this point a CSR (certificate signing request) is going to be generated. The DN (Distinguished Name) has to be correct for the certificate to be created by the CA, so take good care here!

Generate CSR

In our example we have the certificate signed by United Internet CA, and for a gateway with the DNS name fw.test.de we have to use this DN:

CN=fw.test.de,OU=Comodo InstantSSL,OU=Authorized by United SSL,OU=Authorized by United SSL,O=TEST GmbH,STREET=Test Straße 90,L=Hamburg,ST=Hamburg,OID.2.5.4.17=22159,C=DE
Alternative DNS names are defined as FQDNs.

8. After filling in the details a CSR is presented. Copy it to the clipboard or save it to a file and hand it over to the CA you chose for signing. Make sure that the text is copied completely.

CSR view

9. When the CA gives you back your signed certificate, complete the process by selecting the appropriate nickname and clicking on Complete.

Gateway properties

10. Load the certificate, accept it and attach it to the gateway.

Accept certificate

11. Now you can choose this certificate to be presented when connecting to SSL Network Extender etc.

Clientless VPN configuration


VPN Clients configuration

To use this certificate in client authentication you have to configure the file $FWDIR/conf/fwauthd.conf.

Change the entry to

900 fwssd in.ahclientd wait 900 ssl:fw.test.de

Tobias Lachmann

Check Point User Group Conference 2010

Don’t forget to register for the Check Point User Group Conference 2010 in lovely Chur.

Barry will update the site continuously to keep you informed about the agenda, speakers and other details.

I’m not sure if I can attend CPUGCON this year, but I will try. If I get accepted again as speaker, I might afford the trip.

At the moment I submitted presentations about troubleshooting, DLP, VPN-1 VE and UTM-1 appliances.

We’ll see how many of those can make it to the agenda.

Tobias Lachmann

New EA for Discovery VPN client

Check Point now has an open EA for the Discovery VPN client, which is the successor of the well-known SecureClient. Based on the documentation, it’s a mixture of Endpoint Connect when it comes to the VPN client engine and Endpoint Security Secure Access when it comes to the built-in personal firewall. The good part is that the personal firewall rules can be managed the old-fashioned way through the SmartDashboard, like today with SecureClient. So no change here, and the ability to use all the existing objects in your database.

To access this EA, log into your UserCenter account, go to Products -> Early Availability and choose to register for the Discovery VPN client.

At the moment the Discovery VPN client is only available for NGX R65 HFA60; a release for R70/R71 will follow shortly. Supported gateway platforms are SecurePlatform, Windows and IPSO 4.2.

The client has support for Windows XP 32 bit with SP2 or SP3, Windows Vista 32 and 64 bit with SP1 and Windows 7 32 and 64 bit, so most of the operating system platforms found in companies are covered.

The following features are not supported at the moment:

  • Single Sign-on (SSO)
  • “Suggest Connect” Mode (Auto Connect)
  • Pre/Post Connect Script
  • Entrust Entelligence Support
  • Diagnostic Tools
  • Compression
  • VPN Connectivity to VPN-1 VSX
  • DNS Splitting
  • “No Office Mode” Connect Mode

But this is OK as it is an EA, and the GA version will surely have all those features.

In addition, Discovery VPN client has features that Endpoint Connect is offering, like better Location Awareness, Automatic Site Detection, better Roaming etc.

A hotfix has to be installed on the gateway to enable Discovery support; no changes at the SmartCenter are needed. The configuration has no Discovery specific details, just a normal SecureClient configuration. If you have an existing deployment, nothing has to be changed.

I will test this client in the next weeks. If you have done so, please feel free to send comments to blog@lachmann.org and share your experience.

Personally I miss support for Mac OS 10.4, 10.5 and 10.6 very much. Especially media related companies such as advertisement agencies, print and TV producers use Mac OS as operating system, so this is a significant number of users.

Sadly, Check Point doesn’t have these operating systems in the same focus as the Windows OS. This leads to the point where customers change from SecureClient to IPSecuritas, a freeware VPN client. Using this client means more work for the client administrators, as settings can’t be distributed the way it is done with SecureClient for Mac OS.

Tobias Lachmann

UTM-1 hardware

Here is a short list of the hardware used in UTM-1 / Power-1 / Smart-1 appliances.
If you take the appliance hardware together with the throughput stated by Check Point, it might give you an idea how your OpenServer hardware will perform in comparison.

The details can be determined from the command line.

For the CPU details use cat /proc/cpuinfo, for the RAM details use cat /proc/meminfo.

If you have more details on UTM-1 appliances, feel free to send them to blog@lachmann.org

UTM-1 130

  • Intel Celeron M 600 MHz
  • 1 GB RAM
  • 80 GB ATA HDD

UTM-1 270

  • Intel Celeron M 600 MHz
  • 1 GB DDR2 RAM 400 MHz
  • 160 GB ATA HDD

UTM-1 450

  • Intel Celeron M 1.5 GHz
  • 1 GB RAM
  • 80 GB ATA HDD

UTM-1 570

  • Intel Celeron M 1.5 GHz
  • 1 GB RAM
  • 160 GB ATA HDD

UTM-1 1070

  • Intel Celeron M 1.5 GHz
  • 1 GB RAM
  • 160 GB ATA HDD

UTM-1 2050

  • Intel Pentium 4 3.4 GHz
  • 2 GB RAM
  • 80 GB ATA HDD

UTM-1 2070

  • Intel Celeron 440 2.00GHz
  • 2 GB RAM
  • 160 GB ATA HDD

UTM-1 3070

  • Intel Core2 Duo E6400 2.13GHz
  • 3 GB RAM
  • 160 GB ATA HDD

Power-1 5070

  • Intel Xeon E5410 2.33GHz (QC)
  • 2 GB RAM
  • 80 GB ATA HDD

Smart-1 25

  • Intel Core2 Duo CPU T7400 2.16GHz
  • 3 GB RAM
  • 4x 500 GB SATA HDD in RAID 10

Thanks to all the contributors for their info!

Tobias Lachmann

Avatar – the gateway, not the film!

Check Point opened the public EA for the successor of VPN-1 VE, codename Avatar. Avatar is designed to run with vSphere 4.

Register for the EA within your Usercenter account. Go to Products and then Early Availability. Register for Avatar EA and download the software and documentation.

I have waited for this EA for a while and I’m very curious. There are rumours that the licensing will also be changed and I hope it’s more affordable than the current pricing.

Tobias Lachmann

Delete all ARP entries on SPLAT

We stumbled over this one yesterday: some servers behind a gateway had a problem with ARP resolution and we wanted to make sure that ARP worked. To verify this we tried to delete all ARP entries and see if the ARP cache was filled up again (and correctly).

While Windows has arp -d * as a working command to delete all entries at once, under Linux and therefore SPLAT you have to try something different.

This little script will do the job for you:

#!/bin/bash
# Delete every entry in the ARP cache: pick the IP addresses (first column of
# /proc/net/arp; the header line does not match the pattern) and remove each
# one with "arp -d".
for arpentry in $(awk '$1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { print $1 }' /proc/net/arp)
do
    arp -d "$arpentry"
done

Tobias Lachmann

More benefits for recent CCSE certification

Check Point changed the benefits for their Check Point Certified Security Expert (CCSE) certification.

In the past we had

  • Expert Access to SecureKnowledge
  • Newsletter
  • Logo rights

Now they added

  • Access to level-3 TAC support engineers

I’m not sure what this means. I deal a lot with the TAC in Israel as part of my daily work, but never encountered a “level-3” engineer. Normally your call is handled by a support engineer and, if escalated, handed over to an escalation engineer. And maybe a diamond engineer from the diamond support team assists. Would be interesting to know what “level-3” means.

Anyway, the goal is clear: give the higher certified people direct access to support engineers that have the same level.

In addition, Check Point changed the handling of calls from Check Point Certified Master Architects (CCMA). Now they get escalation priority when opening a case. Also a good thing, as a CCMA is so highly trained that he could easily work as an escalation support engineer with Check Point. If a CCMA opens a case, it must be severe.

The community demanded such privileges for skilled people for a long time (see the CPUG board for the discussion). I’m glad that Check Point has now made a step forward!

Tobias Lachmann

UPDATE: Pierre Lamy, Technical Lead of Ottawa TAC, pointed out what tiers/levels exist. A level-3 engineer is the normal support engineer who’s handling a case opened with Israel TAC.

Again backup problems after R70.30 upgrade when using SCP

We had this before, now it’s back: the problem with scheduled backups not working after upgrading to an R70.xx version. Seen on R70.20, now I upgraded an environment from R70.10 to R70.30 – and the error is still there. The backup files are not correctly transferred to the configured SCP server.

The solution is to disable scheduled backup through the WebUI.

Then go to the /var/CPbackup/conf directory and delete the file backup_sched.conf.

Afterwards open the WebUI again and re-configure scheduled backup.

Next time the backup runs everything will be OK and the files are transferred to another server with SCP.

Tobias Lachmann

New firmware 8.1.37 for UTM-1 Edge X series

Check Point released a new firmware for the UTM-1 Edge appliance series.

As the release notes show, modifications were made for the new N-series appliances, along with some bug fixing.

The most interesting details:

– support for Endpoint Connect clients
– support for new USB modems
– time-based rules are now supported

In the release notes some more features are listed, but with a reference that they will only work with hardware version 1.4.
I guess that is the hardware version of the new N-series appliances.

Nice features supporting hardware version 1.4

– 802.11n support
– GigabitEthernet support
– more firewall throughput
– more VPN tunnels
– support for some more USB modems

Tobias Lachmann

Details on Data Loss Prevention (DLP) blade licensing

It has taken a long time to get information from Check Point on how to license the DLP blade, but now I got an answer:

For the 500 and 1500 user DLP blade a 2-Core-Container is needed. For the unlimited user DLP blade you need an 8-Core-Container.
The size of the blade is determined by the number of users behind the gateway!

So that would mean you need an SG201 container (included: gateway for up to 500 users) for the CPSB-DLP-500 blade.

For the CPSB-DLP-1500 blade a SG203U pre-defined system is needed, to allow more than 500 users.

For the CPSB-DLP-U blade a SG801 container is needed.

So the solution for 500 users will cost $3000 for the blade and $6500 for the container, so $9500 in total.

The solution for 1500 users will cost $7000 for the blade, $14000 for the container, so $21000 in total.

The unlimited solution will cost $12000 for the blade and $18000 for the container, so $30000 in total.

This is the pure software side, you will also need hardware, for example an open server for additional $4000.

If we look at the appliance solution DLP-1 2571 we’ll find that it is limited to 1500 users but costs only $14990.

In case your organization needs DLP protection for up to 500 users, a solution with software running on an open server is about $1500 cheaper. If you need up to 1500 users, you pay $10000 more with an open server solution than for the DLP-1 2571. Lots of money… but still worth thinking about because of the higher performance you will get from an open server.

It is easier with the DLP-1 9571 that you need for unlimited users, as the appliance costs $49900. The software solution on an open server is only $34000, that is about $16000 cheaper.

What’s the baseline here? Well, carefully think about your setup before you buy. Think about performance limitations you may encounter with an appliance. Think about the cost for the 2nd and 3rd year… and then make your decision!

Tobias Lachmann

Delete old log files on SPLAT machines

There is no way to configure your SPLAT box or UTM-1 appliance in a way that only logs for the last X days are kept.

The only work-around would be to configure on the firewall object -> Logs and Masters -> Required Free Disc Space together with the option Do not delete log files from the last X days.

By configuring a very high value for required free disc space you could have the cleanup run every day and with the other option prevent it from deleting the needed logs.

OR – you could implement a short script:

[Expert@fw1]# cat /usr/bin/del_logs.sh
#!/bin/bash
# Remove log files (the *.log* glob also catches the .logptr and other companion
# files) whose status was last changed more than 217 days ago; -print lists them.
/usr/bin/find /var/log/opt/CPsuite-R65/fw1/*.log* -ctime +217 -print -exec rm -f {} \;

The number after -ctime is the age in days: files older than that many days are deleted, everything newer is kept.

Run the script with cron:

[Expert@fw1]# crontab -l
# DO NOT EDIT THIS FILE - edit the master and reinstall.
# (/tmp/crontab.19431 installed on Mon May 10 10:21:33 2010)
# (Cron version -- $Id: crontab.c,v 2.13 1994/01/17 03:20:37 vixie Exp $)
42 11 * * * /usr/bin/del_logs.sh
50 2 * * 1,2,3,4,5,6,7 backup_util sched

Now you’re able to delete the old logs as you like. If you backup your firewall or SmartCenter to your local disc, maybe you want to do this with your backups, too?

Tobias Lachmann

How to build an UTM-1 cluster with SmartCenter HA (aka Full Cluster)

Maybe you’ve seen my presentation on CPUGCON 2009 about migration to an UTM-1 cluster from a distributed environment.

Now I was asked to provide a how-to about building this kind of UTM-1 Full Cluster from scratch.

Actually this is very easy. Building UTM-1 clusters was supported from the start, but the SmartCenter could only reside on one appliance. With the introduction of NGX R65 with Messaging Security, we also got SmartCenter High-Availability for free.

In our setup we assume that we have two appliances, one primary and one secondary. Setup both with the normal First Time Configuration Wizard.

Make sure to install the primary one as locally managed and primary cluster member.

The secondary appliance is also installed as locally managed but as secondary cluster member.

On the secondary appliance you also have to fill in a SIC secret to establish the communication later.

After completing the First Time Configuration Wizards on both appliances, connect with the SmartDashboard to the primary UTM-1 appliance.

Now the wizard for configuring the cluster pops up. When defining the secondary cluster member, fill in the SIC secret entered in the WebUI wizard.

Fill in all the details that reflect your cluster. Make sure to have at least one dedicated sync network.

Topology could look like this afterwards:

Now you can define rules, push the policy and make the cluster work. After that check the Management HA in the SmartDashboard:

This picture shows that both cluster members have a SmartCenter installed and are working in Management High-Availability mode.

That’s it for building an UTM-1 cluster with Management High Availability – also known as UTM-1 Full Cluster.

Tobias Lachmann

Abra documentation and software available

Documentation and software for the Abra stick is now available in the Check Point support center. I stumbled over two things in the known limitations. First, Office mode is not supported on Abra. And second, CIFS is not supported over a VPN tunnel that was established with Abra.

By now I don’t know why these limitations exist, but I would rate them as severe. Especially Office Mode is a must-have while working with Client-2-Site VPNs.

Pricing seems to be $140 for a 4GB Abra stick and $210 for an 8GB Abra stick. I’m not sure if we have to purchase an additional Endpoint Security license (container + VPN) when Abra is able to do Office mode, but I think so. That’s the way you have to license Endpoint Connect at the moment.

I will now play around with Abra a little bit and come back with more information in a couple of days.

Tobias Lachmann

R71 performance on UTM-1 appliances

As mentioned before, the UTM-1 appliance had performance trouble when doing content scanning and I would not recommend doing this on these machines. Now R71 claims to give a big boost by new methods of scanning. I tested the performance improvement of the new R71 release with the following setup:

UTM-1 270 with GigabitEthernet uplink to the Internet and GigabitEthernet link to the internal network. 4 servers with GigabitEthernet as clients running the HTTrack website copier in the internal network. I used HTTrack to download several websites at the same time, creating a mixture of HTML, graphics, archives and executable content.

The UTM-1 270 was installed out-of-the-box using the wizard. I activated VPN, SmartView Monitor and Antivirus in addition to the modules already activated as standard.

The rulebase had two rules, one allowing access to the systems from a management client outside the network and one allowing access to the Internet for the servers. No NAT was used, no additional settings.

With NGX R65 with Messaging Security (HFA25) I had an average throughput of 1,026,474 Bytes / sec while running with 100% CPU load for a couple of minutes.

With NGX R65 with Messaging Security (HFA70) I had an average throughput of 1,094,563 Bytes / sec while running with 100% CPU load for a couple of minutes.

With R70 I had an average throughput of 1,647,257 Bytes / sec while running with 100% CPU load for a couple of minutes.

With R71 I had an average throughput of 1,999,611 Bytes / sec while running with 100% CPU load for a couple of minutes.

My test may not be as accurate as the ones that Check Point is doing, but I think the traffic blend reflects the behaviour of normal users really well.

And having 2x the performance with Antivirus scanning on the same hardware is pretty impressive! The improvement really shows, how nice! I also recognized that R71 comes with a new AV engine which has the name KSS, maybe Kaspersky?

This is enough performance to use modern DSL lines or direct links completely, not only partial. So I would recommend this release to everyone who still uses content scanning on an UTM-1 appliance and has performance problems.

Tobias Lachmann

New UTM-1 Edge N-Series appliances

Check Point is launching a new series of UTM-1 Edge appliances, the N-Series. Looks like the rumours from years ago came true and they finally built the “Edge Arrow”.

Here’s the baseline from what we know by now:

– 5x more firewall throughput than X-series appliances
– 5x more VPN throughput than X-Series appliances
– 7x more concurrent connections than X-series appliances
– GigabitEthernet-Ports instead of FastEthernet
– 3G connectivity build-in
– two flavours: 32 users and unlimited users; the 8 and 16 user versions are only available with the X-series
– 4x more VPN tunnels (SA)
– unlimited Remote Access profiles
– 802.11b/g/n support (UTM-1 Edge NW)
– 802.11z wireless security support
– no build-in ADSL-modem available
– new 8.1 firmware for all models (not available by now on support pages)

The complete specification can be found here.

An UTM-1 Edge N32 is $200 more expensive than an old X32 and costs $1400 instead of $1200; the same applies to the NU, which is now $2200 instead of $2000 for the XU.

If you take in consideration how much more power you can get, the $200 more are totally fine with me.

Will be interesting to see how the firmware developed from 8.0.42 to 8.1. Hopefully it’s available soon.

Tobias Lachmann

When to use UTM-1 appliances – and when not – Part II

Last week the R71 software version was released. One of the most interesting things for me was the performance improvement they promised on appliances.

They now use SecureXL to accelerate connections and state that they can deliver up to 4 times more firewall throughput and connection rate and up to 3 times more IPS throughput. Some limitations apply to SecureXL as described in the R70 Performance Optimization Guide, so we have to see how this works with real life rulebases.

But the biggest change to me is the performance enhancement with Antivirus, where Check Point speaks of up to 15! times more throughput and up to 80 times more connection rate.

This is done by the new Stream Detection Mode. As you may remember from my previous post, AntiVirus suffered from the bad HDD performance on UTM-1 appliances, as every file had to be downloaded to the disk, scanned and then delivered to the client. Now the inspection is done as the traffic passes through the gateway and they do pattern matching, as far as I understood. It makes perfect sense that this way of traffic inspection improves performance. Unclear to me at the moment is how compressed content is handled. I can’t see any other way than storing the archive to disk, uncompressing it and then scanning the content. Not sure how they handle this – on the fly seems unlikely.

Anyway, I will test this in the next days to get my own results and will check the processes and disk accesses while doing so, which will hopefully give an explanation.

By the way: URL Filtering is handled differently, too. Now the connections are handled in the kernel space and no longer folded into the security server. This will improve performance and will change the way we can debug this blade.

If Check Point can keep the promises on performance while running R71 on UTM-1 appliances, I will be deeply impressed. Remember that the appliances have been sold for some years now and have less powerful hardware compared to standard OpenServers. It would be a great thing for all of us to protect the investment in the appliances!

Tobias Lachmann

SecurePlatform and NTP

This is an old problem, but maybe not everyone knows this:

If you work with NTP servers sync on SPLAT, you should also set the timezone to get correct date/time and daylight saving. Unfortunately, this can’t be done in the WebUI. So first configure your NTP servers in the WebUI. Then access the command line and execute sysconfig. Use option 4 to go to time settings and then option 1 for setting the time zone according to your location.

Verify that you got the correct time using the WebUI.

Tobias Lachmann

Well done, Royi!

Just had an amazing “support experience” with Check Point:
My customer suffered from sudden loss of VPN connectivity as the SmartCenter CA died because of a database corruption.
Check Point needed only 30 minutes from answering my call to providing a hotfix that solved the problem!
Well done, guys! Very well done!

Tobias Lachmann

URL Filtering update error

When you receive continuous update errors within the URL Filtering module, it may be a good idea to delete the whole database and rebuild it via the update database function in SmartDashboard. This was helpful for me several times…

  • First change to the directory $FWDIR/uf/sc/update/incoming.
  • Delete all the files beginning with “sfcontrol” (or move them to a backup directory first, so you can put them back if the download fails). The file “sfcontrol” itself is the database, all the others are differentials and status infos.
  • Run cpstop and cpstart to restart the services that control URL Filtering. Keep in mind that cpstop on a gateway interrupts traffic, so do this in a maintenance window.
  • Go to your SmartDashboard, change to the “Content Inspection” tab and click on “Update Databases Now”.

It will take a while to download the whole database, but you can watch the process by checking the files and their sizes in the directory.

While debugging URL Filtering in general, you may stumble over sk35196 which describes several procedures with the avsu_client command and optional parameters. Please note that Check Point changed the URL Filtering provider, I think with HFA50, from SurfControl to SecureComputing. This engine change comes together with a change in the parameters when you call avsu_client. The application name “URL Filtering” does not provide valid output when you use the SecureComputing engine, you have to use “URL Filtering2” to get actual results from the installation.

avsu_client -app "URL Filtering" fetch
failed to fetch signature update
err_str=Failed. Message from module: "Server has no available updates".
info=
Local version is date

avsu_client -app "URL Filtering2" fetch
signature file up to date
err_str=Succeeded. Existing signature is up-to-date.
info=
Local version is date

Sadly, just calling avsu_client gives no hint about the changed parameter; it only lists “URL Filtering”.

Tobias Lachmann

Don’t shoot the messenger

Some days ago I was informed by a friend of mine that he nearly lost his status as a Check Point partner.

What has happened?

Well, he was openly speaking in the Check Point User Group (CPUG) forum about the new software blade licensing and what he liked and disliked about it. Instead of appreciating open feedback, Check Point got angry about this.

We had hard times selling the advantages of software blades to the customers and nearly no one bought the upgrade.
That’s why Check Point changed the cost for upgrades in the end, because of all the negative feedback.

So, what’s my point about this?

Like Shakespeare said: “Don’t shoot the messenger!”

Partners and also certified professionals are brand ambassadors for Check Point in front of the customers.

So maybe it’s a good idea to get their feedback before major changes are announced and involve them as soon as possible in the process of development.

As for me, I had some really good conversations with guys from product management and development. They asked me about my customers, how they use the products and what I can and cannot sell to the customers. About the necessity of certain features and so on. And I appreciate this and I think this is the absolutely right way.

But unfortunately, as events have shown, this is not the way Check Point is following with everybody…. sad.

Tobias Lachmann

PS: To make the picture complete: since the upgrade to software blades is free and we have great new features with the R70.x versions, we can easily argue for the upgrade to the customer.

Critical error messages and logs

Today I want to bring your attention to SecureKnowledge article sk33219, which deals with “Critical error messages and logs”.

There we have a nice list of possible error messages together with a short explanation of why the error occurred.

I’m missing hints on how to resolve the issue or a link to a related sk. But all in all a very useful article you should bookmark for further reference.

Tobias Lachmann

Abra is USB-1 is Abra

I wrote before about the new settings in the R70 release labeled USB-1. It turns out that I was right and this is referring to a Mobile VPN/Workplace solution. This was officially announced at CPX last week.

By now I got some inside info about the name, very funny. Abra was the original code name for this project. The final product should stick with the naming convention and be a “something-1”. So it came to USB-1. This was decided by a high level authority within Check Point, so the name was brought into the GUIs. But after a while they discovered that Abra was the better name to place the product in the market and so it was allowed to stay. But at that time it was too late to change the GUIs, as they were already delivered with the HFA of R70.

It will be interesting to see how the market reacts to Abra, but I would predict good feedback for this product. Better and easier than setting up notebooks and VPN clients for users or external contractors: just give them a stick and there they go.

Only the import/export feature could be better. In my opinion the stick should act transparently on a PC with Endpoint Security Media Encryption installed, as normal USB sticks do. So in the company you transfer data to Abra and work on it later at home. And if you lose the stick, everything is still encrypted.

I’m curious how the product will evolve but I’m expecting more good things to come.

Tobias Lachmann

When to use UTM-1 appliances – and when not

In the year 2007 Check Point introduced the UTM-1 appliances. We sold a lot of these, because they had a good value for the money and they were an easy way to quickly deploy stand-alone cluster setups.
The old software license for a gateway with unlimited IP addresses was more expensive than a UTM-1, when you also included the hardware to run the gateway on. And UTM-1 appliances brought more with them for free. One example is SmartDirectory to get user data out of LDAP directories/ADs, another is Management High-Availability to sync primary and secondary SmartCenter running on the appliances.

So, why did I choose this headline? Why asking the question, when not to use UTM-1 appliances?

Well, Check Point promoted Messaging Security at the beginning, later on the Total Security Package which offered Antispam, Antivirus and URL-Filtering. The idea to have all these functions together on one gateway that has to deal with the network traffic anyway sounded smart. And it is, believe me. What was not smart was the ability to use these functions on every gateway… which customers did.
The UTM-1 270 for example has a Celeron M 600 MHz CPU in it, together with only 1 GB of RAM. The 570 series has a Celeron M with 1.5 GHz and also 1 GB RAM. Could you really believe that this hardware is capable of dealing with firewall rules, VPN, SmartCenter functions and all the content inspection at once? Turns out it can’t. We’ve seen enormous CPU loads in the field, together with tremendous utilisation of I/O. The installation of a policy nearly took down the systems and users experienced connection loss from that. The reason for the latter seems to be that at the beginning Check Point started too many instances of the security servers for the scanning. This was fixed in an HFA and no longer exists. But the bad I/O performance still remains. Well, every intercepted download has to be written to the hard drive and scanned. If it’s compressed, it has to be uncompressed before scanning. This creates high load for sure.

Even the bigger UTM-1 2050 appliances had only a Pentium 4 with 3.4 GHz and 2 GB of RAM in them. More powerful, true. But not really enough power anyway. And I/O still sucked.

Ok, let’s get back to the initial question. When should I use an UTM-1 appliance?

I think that these appliances do their best job purely as firewall and/or VPN gateway. We like to use them in dedicated customer environments like web shops or web server housings. Depending on the customer’s needs and prerequisites, you can deploy the appliances as a single gateway or HA cluster, managed by a bigger SmartCenter or self-managed together with Management HA.

When should I not use an UTM-1 appliance?

In case you want to use content inspection, stick with a software license and run it on an OpenServer. There you can increase the memory and use dual-core CPUs. You can get better hard disc performance with specialised controllers and maybe just add more discs and run a RAID 0 (keep in mind that RAID 0 trades redundancy for speed: a single failed disc takes the gateway down, so have a spare and a tested restore procedure). Since they introduced the new Multi-Core licensing where you pay for the number of CPUs you want to use, this is getting really affordable. The SG203-U license together with the desired content inspection blades is the best combination, even for demanding environments.

Oh, I forgot one thing: when you buy a UTM-1 appliance, you have to stick with the number of network interfaces it has. On an OpenServer, just add additional network cards as needed until all slots are filled. Even GE or 10GE is no big deal.

So, the use of a UTM-1 appliance depends on the scenario where you want to deploy it. Carefully think about it and then choose your solution. Have in mind that an appliance may be cheaper than software plus OpenServer hardware. But if your users complain about the performance, handling only a few service calls can eat up the savings from an appliance.

Finally I want to mention some things that are unique to the UTM-1 appliances and that you lose when choosing SPLAT on OpenServer. First the image management, which is quite good. Easy to use and perfect for rollback operations after major changes in your environment. Second the ability to crash recover an appliance through the front panel and the use of a prepared USB stick to deploy the initial configuration. Very cool feature for remote locations.

Hopefully we’ll see performance improvements with upcoming GAIA even on single core machines through new code, so that we can use the UTM-1 appliances with all features again. Wait and see..

Tobias Lachmann

DLP = Data Loss Prevention

Check Point announced DLP as a product at the CPX2010. DLP stands for Data Loss Prevention and is a solution to make sure that specific data is not leaving the company – whether it’s intended or unintended.

Basically it’s an extension of the gateways capability to intercept and scan emails, http and ftp traffic and react to the content found. Works kinda like the antivirus scanning that we know for some time now. So it’s transparent to the users and the mail/web servers that are part of the communication.

The administrator defines a policy for his content and the direction in which it is sent. For example you can block mails to recipients outside your organisation if an attachment to that mail derives from a template which is used for confidential content. Or the attachment or the mail itself contains some keywords that are suspicious if they are used too many times. Because of the predefined data types, Check Point speaks of 250 by now, I found it very easy to get going with this in a short period of time.

The action for the rules can be just logging, prevention of sending the content or asking the user what to do. As always, Check Point has a client for Windows operating systems only by now. This client notifies the user with a popup that something has been blocked. The user can decide to send it anyway, discard or review the incident. It can also be configured that the user has to type a justification for sending, if the mail is caught by the policy at first.

If you’re not using a resident client on your machine, an email notification is the second way to notify the user. The email informs you and offers links you can click. The links point to an application on the gateway, reachable over a web server. Depending on your decision, the content is released or held back. As an alternative you can reply to this notification email and add keywords to the subject. The gateway will see this keyword when the mail goes through it and follow your decision.

All in all I find this solution easy to configure and implement. But to be sure we have to wait until GA of DLP. It will be interesting to see how good the custom configuration of data types and rules will be. DLP has the possibility to create your own types by using regular expressions. But as you might know, working with RE can be a pain in the ass.
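To make the rule mechanics described above concrete, here is an added example (my own illustration, not Check Point’s DLP engine and not its rule syntax) of how a policy built from the three ingredients of the post – keyword counts with a threshold, a regular-expression data type and the log/ask/block actions – is evaluated against an outgoing mail. The card-number regex, the Luhn validator that cuts down the false positives a bare regex produces, the organisation domain example.com and the message content are all constructed for the example.

```python
"""Toy DLP rule evaluation: keyword thresholds, a regex data type with a
validator, and the log/ask/block actions. Added example, not Check Point's DLP
engine or its rule syntax."""
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: separates real card numbers from random digit runs."""
    total, parity = 0, len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return len(digits) >= 13 and total % 10 == 0


@dataclass
class KeywordType:
    """Fires when the keywords occur at least `threshold` times in total."""
    name: str
    keywords: List[str]
    threshold: int = 1

    def hits(self, text: str) -> int:
        n = sum(len(re.findall(r"\b" + re.escape(k) + r"\b", text, re.IGNORECASE))
                for k in self.keywords)
        return n if n >= self.threshold else 0


@dataclass
class RegexType:
    """Counts regex hits that also pass the optional validator (e.g. Luhn)."""
    name: str
    pattern: str
    validator: Optional[Callable[[str], bool]] = None

    def hits(self, text: str) -> int:
        return sum(1 for m in re.finditer(self.pattern, text)
                   if self.validator is None or self.validator(m.group(0)))


@dataclass
class Rule:
    name: str
    data_types: List[object]     # KeywordType or RegexType; any of them firing is a hit
    action: str                  # "log", "ask" or "block", the actions named in the post
    external_only: bool = True   # only fire when a recipient is outside the organisation


@dataclass
class Message:
    sender: str
    recipients: List[str]
    subject: str
    body: str
    attachments: Dict[str, str] = field(default_factory=dict)  # filename -> extracted text


def is_external(address: str, org_domain: str) -> bool:
    return not address.lower().endswith("@" + org_domain.lower())


def evaluate(msg: Message, rules: List[Rule], org_domain: str) -> List[Dict[str, object]]:
    """One finding per rule that fires, with the hit count per data type."""
    text = "\n".join([msg.subject, msg.body, *msg.attachments.values()])
    leaves_org = any(is_external(r, org_domain) for r in msg.recipients)
    findings: List[Dict[str, object]] = []
    for rule in rules:
        if rule.external_only and not leaves_org:
            continue
        evidence = {dt.name: dt.hits(text) for dt in rule.data_types}
        evidence = {k: v for k, v in evidence.items() if v}
        if evidence:
            findings.append({"rule": rule.name, "action": rule.action, "evidence": evidence})
    return findings


def decide(findings: List[Dict[str, object]]) -> str:
    """The most restrictive action of all firing rules wins."""
    order = ["allow", "log", "ask", "block"]
    return max((str(f["action"]) for f in findings), key=order.index, default="allow")


# 13 to 19 digits, optionally separated by spaces or dashes; Luhn weeds out the rest.
CARD_PATTERN = r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)"

POLICY = [
    Rule("Credit card numbers",
         [RegexType("PAN", CARD_PATTERN, validator=lambda s: luhn_ok(re.sub(r"\D", "", s)))],
         action="block"),
    Rule("Confidential wording",
         [KeywordType("confidential", ["confidential", "internal only", "do not distribute"], threshold=3)],
         action="ask"),
]

# Constructed mail: one Luhn-valid test number, one with a typo in the last digit.
SAMPLE_MSG = Message(
    sender="alice@example.com",
    recipients=["partner@example.net"],
    subject="Q3 numbers - CONFIDENTIAL",
    body="Internal only. Card on file 4111 1111 1111 1111; the other one 4111 1111 1111 1112 is a typo.",
    attachments={"notes.txt": "Do not distribute."},
)

if __name__ == "__main__":
    found = evaluate(SAMPLE_MSG, POLICY, "example.com")
    print(found, "->", decide(found))
```

The point of the validator is the one the post hints at: a regex alone matches every long run of digits (order numbers, phone numbers), so the Luhn check is what keeps the block action from firing on noise. The same mail sent only to an internal recipient produces no finding at all because the rules are scoped to traffic leaving the organisation.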

So, in what flavors is this DLP solution offered? Well, we have two appliances, DLP-1 2571 and DLP-1 9571. The smaller one is rated at 70,000 messages per hour and a throughput of 700 MBit/s, the bigger one at 350,000 messages and 2.5 GBit/s. As these are marketing numbers, we should cut them in half – at least. To be safe, we should assume only 1/4 of the stated capacity, judging by the experience with UTM-1 appliances and Messaging Security in the past. The smaller appliance has a price of $14,990 for the first year and $7,000 for the following years, the bigger $49,990 for the first and $12,000 for the following years.

Or you have your DLP solution on your normal perimeter gateway, which I find more useful. We have three blades, CPSB-DLP-500, CPSB-DLP-1500 and CPSB-DLP-U. The last part stands for the number of recommended users, but I’m not sure if there’s some kind of enforcement like with IP addresses at the gateway blades. We’ll have to wait for licensing info on that topic. The 500 user blade is $3,000, the 1500 blade is $7,000 and unlimited users come for $12,000. DLP is a service blade, so the numbers are per year.

If someone wants to use this, and I bet many companies will, I think that the best solution is to buy a software blade container together with the DLP blade and run it on an OpenServer under SPLAT. SPLAT is the only supported platform by the way. The server is about $4,000 for a HP DL360, IBM 3350 M2 or similar, $12,500 for a 4 core container and $3,000-$12,000 for the desired blade. For the first year this starts at $19,500 and $5,250 for the following years. The advantage that I see in contrast to the appliances is more performance through cores, memory and hard discs. Especially hard disc performance was the bottleneck that we saw on most appliances running other content inspection software like Messaging Security etc.

So, what’s the bottom line:
First of all, I’m excited and think this is a good product. Unlike other new releases like SmartProvisioning, SmartWorkflow etc. I think this solution is ready to be used from the start. And second I’m curious how customers will use this solution. I think we can expect some demanding requirements for rules we haven’t even thought of by now 😉

Start checking out DLP here or in the pricelist.

As soon as I get this to work in an live environment, I will post my findings!

Tobias Lachmann

R70.30 is there

Folks,

the new R70.30 is available. See the release notes here
All in all some minor fixes. The biggest point is the possibility to use sub-CAs for SSL-VPN, which was not possible in the past.

Other improvements include Windows 7 support for SmartWorkflow and some Non-English regional formats for map visualization.

Tobias Lachmann

I’m back!

Hello everybody!

I’m back from my parental leave, which lasted till the end of March. During that period I spent all the time with my son but no time with this blog.

Now I’m back at work and I see interesting things everyday that give me inspirations for articles, so expect new content soon.

What also happened is that I gained the CCSE R70 certification for contributing to the new CCSE exam. Thanks Ken Finley, this is greatly appreciated! Now I’m done with re-certification until CCSE+ comes out.

Bye for now

Tobias Lachmann

Geo Protection – new in R70.20

A cool feature was introduced with R70.20 which is called Geo Protection. It is part of the IPS blade and you need to have a proper IPS blade license for that.

What it does is the mapping from IP addresses to countries over a database (not sure yet which database CP bought) and then block connections by countries.

You can block connections TO or FROM a specific country and you can also define exceptions for those rules, like with other IPS protections. The actual policy of blocking/allowing is displayed on a world map, which gives an easy overview.

When traffic is examined and blocked by Geo Protection, we get nice logs entries in SmartView Tracker.

This feature is also good for logging, as you can just accept any traffic but log the connections and determine this way what countries access the resources behind the firewall or where your users get their web pages from.

Only catch here is licensing: this only works with R70.20 SmartCenter and gateways which both have proper R70 Software Blade licensing. But hey, it’s free of charge and some sort of bonus to those who converted their licenses already 😉

I hope they put more features into Geo Protection or link it to normal IPS protections and/or the rulebase. Cool scenarios we can think of….

Tobias Lachmann

Neighbour table overflow

Under SecurePlatform you can sometimes see the following message in /var/log/messages

Jan 15 13:44:08 fw1 kernel: Neighbour table overflow.

This refers to the ARP cache a.k.a. Neighbour table.

If you’re running a gateway with lots of interfaces or big subnets, you might see many nodes over Layer 2, so communication to them fills your ARP table and sometimes overflows it, which can lead to connectivity errors. A scan sweeping a directly connected subnet has the same effect: every unanswered address leaves an INCOMPLETE or FAILED entry behind, so look at the states of the entries, not only at their number.

The ARP cache table has a maximum size, which can be displayed with cat /proc/sys/net/ipv4/neigh/default/gc_thresh3.
You can verify the actual amount of ARP entries either with arp -an | wc -l or with ip neighbor show |wc -l. Proxy ARP entries are only displayed when using the arp command.

Periodically and automatically the entries in the ARP cache are verified. At a specified interval, a garbage collector is running and removes entries that are no longer used. The interval can be verified with cat /proc/sys/net/ipv4/neigh/default/gc_interval, by default it’s 30 seconds.

The garbage collector is controlled by three variables:
gc_thresh1, which is the minimum number of entries in the ARP cache. If the actual number of entries is below this value, the garbage collector will not run.

gc_thresh2, which is the soft maximum number of entries. If the actual number of entries is above this value for more than 5 seconds, the garbage collector will run.

gc_thresh3, which is the hard maximum number of entries. If the actual number of entries is above this value, the garbage collector will run immediately.

gc_thresh3 is also the maximum value of ARP entries that can be kept in the table.

The default values (128, 512 and 1024 on a stock Linux kernel) are quite low, so you might want to increase them. Keep the ratio between the three: gc_thresh1 should stay well below gc_thresh3, because entries below gc_thresh1 are never reclaimed.

You can do this on the fly with the following CLI commands:

sysctl -w net.ipv4.neigh.default.gc_thresh3=4096
sysctl -w net.ipv4.neigh.default.gc_thresh2=2048
sysctl -w net.ipv4.neigh.default.gc_thresh1=1024

This does not survive a reboot.

To survive a reboot, add these lines to the /etc/sysctl.conf file

net.ipv4.neigh.default.gc_thresh3 = 4096
net.ipv4.neigh.default.gc_thresh2 = 2048
net.ipv4.neigh.default.gc_thresh1 = 1024

Afterwards run sysctl -p so the values from the file are applied immediately; a reboot then confirms that they are picked up at boot. On a cluster, apply the same values on every member.
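An added example (my own code, not part of the original post and not a SecurePlatform tool) that puts the thresholds into code: it parses the output of ip neighbor show, classifies the entry count against gc_thresh1/2/3 exactly as described above, and derives new values from an observed peak using the same 1:2:4 ratio as the sysctl lines. The sample output and the kernel defaults of 128/512/1024 are constructed for the example; read_thresholds() reads the live values from /proc when run on a Linux box and falls back to those defaults elsewhere.

```python
"""Check the ARP (neighbour) cache against gc_thresh1/2/3 and derive new limits.
Added example for this post, not a Check Point or SecurePlatform tool."""
import math
import os
from collections import Counter
from typing import Dict, List

GC_DIR = "/proc/sys/net/ipv4/neigh/default"
# Stock Linux defaults; the live values are read from GC_DIR when it exists.
LINUX_DEFAULTS = {"gc_thresh1": 128, "gc_thresh2": 512, "gc_thresh3": 1024}

# Constructed sample in the format of `ip neighbor show`. FAILED and INCOMPLETE
# entries are hosts that never answered, e.g. a scan sweeping a connected subnet.
SAMPLE_IP_NEIGH = """\
192.0.2.10 dev eth0 lladdr 00:50:56:aa:bb:01 REACHABLE
192.0.2.11 dev eth0 lladdr 00:50:56:aa:bb:02 STALE
192.0.2.12 dev eth0 lladdr 00:50:56:aa:bb:03 DELAY
198.51.100.5 dev eth1 lladdr 00:50:56:aa:bb:04 REACHABLE
198.51.100.200 dev eth1  FAILED
198.51.100.201 dev eth1  INCOMPLETE
"""


def parse_ip_neigh(output: str) -> List[Dict[str, str]]:
    """One dict per line: ip, dev, lladdr (empty if unresolved) and state."""
    entries = []
    for line in output.splitlines():
        fields = line.split()
        if not fields:
            continue
        entry = {"ip": fields[0], "dev": "", "lladdr": "", "state": fields[-1]}
        for key in ("dev", "lladdr"):
            if key in fields:
                entry[key] = fields[fields.index(key) + 1]
        entries.append(entry)
    return entries


def read_thresholds(gc_dir: str = GC_DIR) -> Dict[str, int]:
    """Live gc_thresh values, falling back to the defaults where /proc is absent."""
    values = {}
    for name, default in LINUX_DEFAULTS.items():
        try:
            with open(os.path.join(gc_dir, name)) as fh:
                values[name] = int(fh.read().strip())
        except (OSError, ValueError):
            values[name] = default
    return values


def classify(count: int, th: Dict[str, int]) -> str:
    """Where the entry count sits relative to the three thresholds."""
    if count >= th["gc_thresh3"]:
        return "at_hard_max"      # forced GC; if it frees nothing: 'Neighbour table overflow'
    if count > th["gc_thresh2"]:
        return "above_soft"       # garbage collector runs after 5 seconds
    if count < th["gc_thresh1"]:
        return "below_thresh1"    # garbage collector never runs
    return "ok"


def recommend_thresholds(peak_entries: int, minimum: int = 1024) -> Dict[str, int]:
    """gc_thresh3 = next power of two >= 2 x peak (at least `minimum`), keeping
    the 1:2:4 ratio of the sysctl lines in the post."""
    hard = minimum
    if peak_entries > 0:
        hard = max(minimum, 1 << math.ceil(math.log2(2 * peak_entries)))
    return {"gc_thresh1": hard // 4, "gc_thresh2": hard // 2, "gc_thresh3": hard}


def sysctl_conf_lines(th: Dict[str, int]) -> List[str]:
    """Lines for /etc/sysctl.conf, hard maximum first (the order used live)."""
    return [f"net.ipv4.neigh.default.{name} = {th[name]}"
            for name in ("gc_thresh3", "gc_thresh2", "gc_thresh1")]


def summarize(output: str, th: Dict[str, int]) -> Dict[str, object]:
    """Entry count, count per state, unresolved entries and the verdict."""
    entries = parse_ip_neigh(output)
    states = Counter(e["state"] for e in entries)
    return {
        "count": len(entries),
        "by_state": dict(states),
        "unresolved": states["FAILED"] + states["INCOMPLETE"],
        "verdict": classify(len(entries), th),
    }


if __name__ == "__main__":
    thresholds = read_thresholds()
    print(summarize(SAMPLE_IP_NEIGH, thresholds))
    for line in sysctl_conf_lines(recommend_thresholds(peak_entries=1500)):
        print(line)
```

Feed it the real output (ip neighbor show | python3 script.py style, or by reading the file) and watch the unresolved count: a high share of FAILED/INCOMPLETE entries points at something sweeping the subnet rather than at a table that is simply too small, and raising the thresholds would only hide that.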

Tobias Lachmann

Backup error in R70.20 SPLAT

Yesterday we did an in-place upgrade of a SPLAT box from NGX R65 to R70.20. Since then, the scheduled backup was broken. When I tried to edit the settings through the WebUI, I got the message GENERAL ERROR.

Fix for this was to disable the scheduled backup on the command line with backup -e off.
Then I was able to edit all the settings through the WebUI again and backup is working now.

This seems to be an error in R70.20, because we had another customer with this error who upgraded from R70.1 to R70.20, and it was working with R70.1.

Tobias Lachmann

USB-1 is coming

I just found a new section in the Global Properties of my R70.20 SmartConsole labeled “USB-1”.

Judging by the settings, this USB-1 is the SecureWorkspace/VPN-Client that comes on a secured USB stick and enables you to connect securely to your company without the need to install software on a client computer.

It will be interesting to see when this is officially released and what the feature set will look like.

Tobias Lachmann

New SK regarding error with SIC renewal in R70

Just found the new sk43744, which describes that the automatic certificate renewal will fail in R70, R70.1 and R70.20. This is a problem when you upgraded from an older installation in-place, where the CA is kept. Since certificates are fundamental for the way Check Point software works, please take this seriously. Otherwise policy installation, log receiving and SmartConsole connections to SmartCenter are affected.

Normally SIC certificates are automatically renewed 15 months before expiration. To determine if you have a problem that needs to be fixed, verify the expiration date of your SIC certificates and follow the procedure in sk43744.

Please note that the command line cpca_client lscert -stat Valid -kind SIC is not a valid alternative, as it produces output with wrong dates, so you have to use the ICA web interface.

Tobias Lachmann

Identity Logging with R70.20

I just installed the R70.20 update on our SmartCenter Server. We can now use the Identity Logging feature, which is very cool. It is an update of Logging & Status blade and is used to associate IP addresses of workstations to users, working on this machine. It works only with Active Directory servers running on Windows Server 2003 and 2008, but this is ok with me. SmartCenter has to run SPLAT/Linux or Windows Server 2003/2008.

After configuration, a table with the association of IP and user name is held on the SmartCenter and this information, if available, is displayed in the log entries on SmartView Tracker.

Configuration is done in the SmartCenter object -> Logs and Masters -> Identity Logging. Only a few things to fill in.

Configuration of Identity Logging in SmartCenter

It’s easy, but I would have expected to find an LDAP accounting unit here, like you configure AD servers within SmartDirectory.
Just for using Identity Logging, this is easy to implement. When you have already a SmartDirectory configuration, you’re doing the job twice.

This feature is only available with R70.20 on a SmartCenter which works with Software Blade licenses. A little incentive for those who changed to the new licenses 😉

Tobias Lachmann

Migration to Software Blades with CPVP-VCT-U license

Following the current promotion, you can trade-in your old license with no additional cost for a Software Blade license that has equivalent functionality. Now I discovered that with the CPVP-VCT-U license you’re not getting a proper equivalent, as SecureXL is missing in the new license.

This error was reported to Check Point and is acknowledged. They will fix it in the next days and publish new Upgrade calculator and Upgrade matrix.

No big deal really, as you always get CoreXL acceleration with R70. SecureXL might not be necessary for most users, taking the aspect of performance.

Tobias Lachmann

Determine UTM-1 appliance series from CLI

If you want to know which appliance series you have, you can use a command line tool to determine this information.

Just run /usr/sbin/dmidecode | grep "Product Name"

Sample output:

[Expert@xxx-fw1]# /usr/sbin/dmidecode | grep "Product Name"
Product Name: U-30-00
Product Name:

[Expert@yyy-cp1]# /usr/sbin/dmidecode | grep "Product Name"
Product Name: C6P_UTM
Product Name: NSA-1086

Here are the translation for the information under the field Product Name:

  • P-20-00 -> Power-1 9070 Appliance
  • P-10-00 -> Power-1 5070 Appliance
  • U-40-00 -> UTM-1 3070 Appliance
  • U-30-00 -> UTM-1 2070 Appliance
  • U-20-00 -> UTM-1 1070 Appliance
  • U-15-00 -> UTM-1 570 Appliance
  • U-10-00 -> UTM-1 270 Appliance
  • U-5-00 -> UTM-1 130 Appliance
  • C6P_UTM -> UTM-1 2050 Appliance
  • C6_UTM -> UTM-1 1050 Appliance
  • C2_UTM -> UTM-1 450 Appliance

Tobias Lachmann

Check Point is listening!

On December 21st I wrote about my latest experience with Software Blade licenses, a couple of days later I received an email from Check Point about this posting. They asked me if I would be willing to share my experience with this incident and licensing in general with them to generate some improvement in the process. Today we had a long phone conference with a very good and productive discussion and I can see the effort at Check Point in improving.

I also had a couple of phone calls with developers and product managers in the past month, where they wanted me to share my experience with specific products and also my opinion about new products and recent changes to them.

So you can really say: Check Point is listening!

I’m really glad they’re doing this and I think this is the right way to be more successful – side by side with the partners and customers, listening to their needs.

Check Point: keep on with the good work!

Tobias Lachmann

Enlarging UTM-1 partitions

Some users may experience problems with full partitions on Check Point UTM-1 appliances, most likely with the partition holding the log files as this partition is small, especially at the first appliance series.

When you install SecurePlatform, all partitions have fixed sizes except for /var which gets the remaining free space after the creation of the other partitions. Because logs are stored in /var/opt/CPsuite-R70/fw1/log, there’s rarely trouble with disc space.

The UTM-1 appliances work differently, as they use the Logical Volume Manager (LVM) for handling the partitions. The LVM assigns the hard disc space to the partitions and allows resizing of partitions.

However, the filesystem is untouched when you resize a partition. So following sk33179 doesn’t give you additional space for your logs.

To achieve this goal you first have to resize the partitions:

  1. View the name of the log partition with lvdisplay; most likely this name is /dev/vg_splat/lv_log. Check with vgdisplay that the volume group still has free extents, otherwise lvresize has nothing to hand out.
  2. Then resize with
    lvresize -L 30GB /dev/vg_splat/lv_log
    In this example the partition is resized to an absolute size of 30GB (lvresize -L +10GB would grow it by 10GB instead). This procedure only covers growing the volume: shrinking needs the opposite order (filesystem first, then the volume) and destroys data if done the other way round.

Reboot the appliance with serial console attached. Access the boot menu by pressing a key when prompted and boot into maintenance mode.

Then execute these commands:

umount /dev/mapper/vg_splat-lv_log
e2fsck -f /dev/mapper/vg_splat-lv_log
resize2fs /dev/mapper/vg_splat-lv_log

This modifies the filesystem and brings it to the new partition size.
Reboot the appliance afterwards and verify with the df -h command that you accomplished the resizing of partition and filesystem correctly.

Tobias Lachmann

Inside Check Point licensing

One of our customers bought a new UTM-1 2070 appliance. This device comes with 3 managed sites.

Now he wants to manage more sites and brought up the question, if he can use a SmartCenter unlimited license he already owns. Just purchasing normal support for SCT-U is cheaper than buying an SXA license and the needed support for this license.

I don’t know if Check Point license policy is allowing that use, but from a technical point of view we can verify if this works.
For that reason, we have to take a look inside the cp.macro file. This file has all the definitions of features and licenses.
On SecurePlatform, you find this file under /var/opt/CPshrd-R70/conf/cp.macro

If we look in the license for an UTM-1 2070, we find these two strings: CPMP-UAPP-1-NGX CPXP-SXA-2-NGX
The first is for the appliance itself, the second is the management extension for two additional sites.

Let’s break down the first one:
For CPMP-UAPP-1-NGX, we have the following relevant entry:
MACRO ::CPMP-UAPP-1-NGX CPMP-UAPP-module-base-NGX CPMP-UAPP-management-base-NGX CPVP-UAPP-1-NGX

That means that actually the string is a macro itself and consists of CPMP-UAPP-module-base-NGX, CPMP-UAPP-management-base-NGX and CPVP-UAPP-1-NGX.

Let’s focus on CPMP-UAPP-management-base-NGX:
cp.macro has this definition for it:
MACRO ::CPMP-UAPP-management-base-NGX CPMP-SCT-1-NGX CPFW-AM-U-NGX CPMP-HA-MGMT-NGX CPMP-SMPO-NGX CPMP-EVRX-U-NGX

So this is another macro for the SmartCenter (CPMP-SCT-1), SmartDirectory (CPFW-AM-U), Management-HA (CPMP-HA-MGMT), SmartPortal (CPMP-SMPO) and Eventia Reporter (CPMP-EVRX-U).

We go for the SmartCenter part:
MACRO ::CPMP-SCT-1-NGX CPMP-EMC-1-NGX

Again a macro, so we need to investigate CPMP-EMC-1-NGX:
MACRO ::CPMP-EMC-1-NGX fw1:6.0:lcontrol fw1:6.0:vpnmgmt fw1:6.0:vpnstrong fw1:6.0:remote1 fw1:6.0:cluster-u

Now we’re close to the final answers 😉

The macro fw1:6.0:lcontrol has this definitions:
MACRO fw1:6.0:lcontrol mgmtcore fwmgmt cpui qosmgmt cmpmgmt dbvr_unlimit cluster-u
This breaks down to:

MACRO fw1:6.0:mgmtcore cmd
+--#DESCRIPT#fw1:6.0:cmd#Saving a file from the log viewer

MACRO fw1:6.0:fwmgmt fwc filter
+--#DESCRIPT#fw1:6.0:fwc#INSPECT compiler
+--#DESCRIPT#fw1:6.0:filter#INSPECT code generation

MACRO fw1:6.0:cpui policyui lvui sstui rtmui
+--MACRO fw1:6.0:policyui ui
+--#DESCRIPT#fw1:6.0:ui#Policy User Interface
+--MACRO fw1:6.0:lvui fwlv
+--#DESCRIPT#fw1:6.0:fwlv#FireWall-1 Log Viewer
+#DESCRIPT#fw1:6.0:sstui#System Status User Interface
+#DESCRIPT#fw1:6.0:rtmui#RTM User Interface

MACRO fw1:6.0:qosmgmt fgmgmt rtmmgmt
+--#DESCRIPT#fw1:6.0:fgmgmt#FloodGate-1 Management
+--#DESCRIPT#fw1:6.0:rtmmgmt#RTM Management

MACRO etm:6.0:cmpmgmt
+--#DESCRIPT#etm:6.0:cmpmgmt#Compression management

dbvr_unlimit
+--#DESCRIPT#fw1:6.0:dbvr_unlimit#Policy Versioning

cluster-u
+--#DESCRIPT#fw1:6.0:cluster-u#Unlimited number of clusters for HA

Finally, we have found out the management related features hidden in the license:

    Policy User Interface
    FireWall-1 Log Viewer
    Saving a file from the log viewer
    System Status User Interface
    RTM User Interface
    INSPECT code generation
    INSPECT compiler
    Policy Versioning
    Compression management
    Unlimited number of clusters for HA

But this does not tell how many sites can be managed.
This information is in the last “big” macro CPMP-EMC-1-NGX, coded in
fw1:6.0:remote1
#DESCRIPT#fw1:6.0:remote#Allows remote management

So you can manage one site with this license, e.g. the UTM-1 appliance can manage itself.
But the UTM-1 2070 comes with a 3 managed sites license.

This is defined in the CPXP-SXA-2-NGX addition to the UTM-1 license:
MACRO ::CPXP-SXA-2-NGX fw1:6.0:remote2 fw1:6.0:cpxmgmt
#DESCRIPT#CPXP-SXA-2-NGX#SmartCenter Extension for 2 additional sites; version: NGX; 3DES

We have remote1 and remote2, which comes to the count of 3 managed sites.

So, back to the initial question: can we use a SCT-U license for extending the managed sites of an UTM-1?

MACRO ::CPMP-SCT-U-NGX CPMP-EMC-U-NGX
#DESCRIPT#CPMP-SCT-U-NGX#SmartCenter for an unlimited number of gateways;version: NGX; 3DES

Again, look into the next macro CPMP-EMC-U-NGX

MACRO ::CPMP-EMC-U-NGX fw1:6.0:controlx fw1:6.0:vpnstrong
#DESCRIPT#CPMP-EMC-U-NGX#Enterprise Management Console for an unlimited number of gateways; version: NGX; 3DES

From there we go into fw1:6.0:controlx:

MACRO fw1:6.0:controlx control vpnmgmt

And further onto control:

MACRO fw1:6.0:control remote lcontrol

We know the “lcontrol” macro from our investigation before, also the “remote” keyword.

#DESCRIPT#fw1:6.0:remote#Allows remote management
As “remote” comes without any number, this means unlimited management.

To answer the question we began with: YES, you can use an unlimited SmartCenter license as an extension of the management capabilities of an UTM-1 appliance.
From a technical point of view.

I will open a call with Check Point to make sure that this is actually permitted within the license regulations.

As you can see, licensing within Check Point products is complicated through the use of so many macros, but in the end it comes to a limited number of features that are encoded in the licenses.

If you will, you can chase down also the new Software Blade licenses with this scheme to see, what is actually enforced.
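Chasing the macros by hand is tedious, so here is an added example (my own code, not a Check Point tool) that does the walk automatically: it parses MACRO and #DESCRIPT# lines in the cp.macro format, expands a license string down to the leaf features, and counts the managed sites from the remote/remoteN keywords the way the post does. The embedded sample contains only a subset of the lines quoted in this post; point it at the real /var/opt/CPshrd-R70/conf/cp.macro to see a complete expansion. How cp.macro resolves an unprefixed token such as mgmtcore is not documented on this page; the resolver assumes it belongs to the product:version of the enclosing macro and falls back to any product with the same version, which is what the chain in the post suggests (cmpmgmt lives under etm:6.0).

```python
"""Expand Check Point license strings to the features they enforce, parsing the
MACRO / #DESCRIPT# format of cp.macro. Added example, not a Check Point tool."""
import re
from typing import Dict, List, Set, Tuple

# Constructed sample: a subset of the lines quoted in the post, in cp.macro's
# own format. The real file is /var/opt/CPshrd-R70/conf/cp.macro on SPLAT.
SAMPLE_CP_MACRO = """\
MACRO ::CPMP-UAPP-1-NGX CPMP-UAPP-module-base-NGX CPMP-UAPP-management-base-NGX CPVP-UAPP-1-NGX
MACRO ::CPMP-UAPP-management-base-NGX CPMP-SCT-1-NGX CPFW-AM-U-NGX CPMP-HA-MGMT-NGX CPMP-SMPO-NGX CPMP-EVRX-U-NGX
MACRO ::CPMP-SCT-1-NGX CPMP-EMC-1-NGX
MACRO ::CPMP-EMC-1-NGX fw1:6.0:lcontrol fw1:6.0:vpnmgmt fw1:6.0:vpnstrong fw1:6.0:remote1 fw1:6.0:cluster-u
MACRO fw1:6.0:lcontrol mgmtcore fwmgmt cpui qosmgmt cmpmgmt dbvr_unlimit cluster-u
MACRO fw1:6.0:mgmtcore cmd
MACRO fw1:6.0:fwmgmt fwc filter
MACRO fw1:6.0:cpui policyui lvui sstui rtmui
MACRO fw1:6.0:policyui ui
MACRO fw1:6.0:lvui fwlv
MACRO fw1:6.0:qosmgmt fgmgmt rtmmgmt
MACRO ::CPXP-SXA-2-NGX fw1:6.0:remote2 fw1:6.0:cpxmgmt
MACRO ::CPMP-SCT-U-NGX CPMP-EMC-U-NGX
MACRO ::CPMP-EMC-U-NGX fw1:6.0:controlx fw1:6.0:vpnstrong
MACRO fw1:6.0:controlx control vpnmgmt
MACRO fw1:6.0:control remote lcontrol
#DESCRIPT#fw1:6.0:cmd#Saving a file from the log viewer
#DESCRIPT#fw1:6.0:fwc#INSPECT compiler
#DESCRIPT#fw1:6.0:ui#Policy User Interface
#DESCRIPT#fw1:6.0:fwlv#FireWall-1 Log Viewer
#DESCRIPT#etm:6.0:cmpmgmt#Compression management
#DESCRIPT#fw1:6.0:dbvr_unlimit#Policy Versioning
#DESCRIPT#fw1:6.0:cluster-u#Unlimited number of clusters for HA
#DESCRIPT#fw1:6.0:remote#Allows remote management
"""

_REMOTE_RE = re.compile(r"^fw1:\d+\.\d+:remote(\d*)$")


class CpMacro:
    """Parsed cp.macro: macro name -> child tokens, feature -> description."""

    def __init__(self, text: str) -> None:
        self.macros: Dict[str, List[str]] = {}
        self.descripts: Dict[str, str] = {}
        for line in text.splitlines():
            line = line.strip()
            if line.startswith("MACRO "):
                parts = line.split()
                self.macros[parts[1].lstrip(":")] = [p.lstrip(":") for p in parts[2:]]
            elif line.startswith("#DESCRIPT#"):
                _, _, name, desc = line.split("#", 3)
                self.descripts[name] = desc

    def _canon(self, token: str, prefix: str) -> str:
        """Assumption (undocumented on the page): an unprefixed token such as
        'mgmtcore' belongs to the product:version of the enclosing macro, else
        to any product with that version (cmpmgmt -> etm:6.0:cmpmgmt)."""
        known = self.macros.keys() | self.descripts.keys()
        if token in known or ":" in token or not prefix:
            return token
        candidate = f"{prefix}:{token}"
        if candidate in known:
            return candidate
        suffix = ":" + prefix.split(":", 1)[1] + ":" + token
        for key in known:
            if key.endswith(suffix):
                return key
        return candidate  # unknown leaf, attributed to the parent's product

    def resolve(self, *license_strings: str) -> Set[str]:
        """Expand license strings to the set of leaf features they grant."""
        leaves: Set[str] = set()
        seen: Set[str] = set()

        def walk(token: str, prefix: str) -> None:
            key = self._canon(token, prefix)
            if key not in self.macros:
                leaves.add(key)
                return
            if key in seen:          # guard against cyclic definitions
                return
            seen.add(key)
            child_prefix = key.rsplit(":", 1)[0] if ":" in key else prefix
            for child in self.macros[key]:
                walk(child, child_prefix)

        for lic in license_strings:
            walk(lic, "")
        return leaves

    def describe(self, features: Set[str]) -> List[Tuple[str, str]]:
        return sorted((f, self.descripts.get(f, "(no description)")) for f in features)


def managed_sites(features: Set[str]) -> float:
    """'remote' alone means unlimited management; 'remoteN' adds N sites."""
    total = 0
    for feature in features:
        match = _REMOTE_RE.match(feature)
        if match and match.group(1) == "":
            return float("inf")
        if match:
            total += int(match.group(1))
    return total


if __name__ == "__main__":
    cpm = CpMacro(SAMPLE_CP_MACRO)
    print(managed_sites(cpm.resolve("CPMP-UAPP-1-NGX", "CPXP-SXA-2-NGX")))
```

Run against the full file, resolve() gives you the complete feature set of any license string from cplic print, and describe() pairs each leaf with the text from its #DESCRIPT# line; managed_sites() reproduces the 1 / 3 / unlimited results of the post for CPMP-UAPP-1-NGX, CPMP-UAPP-1-NGX plus CPXP-SXA-2-NGX, and CPMP-SCT-U-NGX.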

Tobias Lachmann

UPDATE: Check Point just confirmed that the use of a SmartCenter license on a UTM-1 appliance is not permitted to extend the amount of managed sites. You have to stick with the SXA extensions or build up a separate SmartCenter.

“It’s Christmas, Theo. It’s the time of miracles, so be of good cheer…” – Hans Gruber in Die Hard

Since Christmas is the time for kids making their wishlists, I will also give it a try and make my personal wishlist to Check Point. And as Christmas is also the time for miracles, maybe some of my wishes will come true in the next year… we’ll see.

SecurePlatform
Image Management / Snapshots
Well, we have Gaia coming sooner or later. What I really would like to see in there is the Image Management of the UTM-1 appliances. It is easier to handle than Snapshots for most tasks. A really great evolution would be a combination of both: being able to create and store images locally, as well as taking snapshots/images and storing them over the network using SSH.
This could make disaster recovery even easier.
Why not add a dialog during SPLAT installation where you can choose to use Image Management with LVM or stay with the old partitioning? If Image Management is chosen, you should be able to decide for yourself how the space should be divided between /var and the image partition.

Time and Date settings
Why can I set NTP parameters together with the GMT offset in the WebUI, but need to go to the CLI to set the time zone?
This should also be possible in the WebUI.

Administrator Accounts
I’d like to choose on creation which shell the accounts should use (bash or cpshell) and what the idle timeout of a session should be. The ability to scp something to the box using this account should also be an option to enable here.

SNMP
The SNMP settings should be configurable using the WebUI. I’d also like to have a download link to the current MIB on the box.

SmartConsole
Adding objects
The new icon with the “+” sign on each cell is very helpful for quick-adding of objects. I’d like to be able to create a new object from there, too.

Window resizing
Some dialog boxes can’t be resized. Usually these fixed-size dialog boxes have too much content and you must use scroll bars to see it all. Examples: Global Properties, firewall object page, network object page. All windows should be resizable.

Gateway Topology
I have to maintain a gateway cluster with more than 150 interfaces. Whenever I need to make a change to the interface configuration, I have to scroll through the entire list to find the right entry, since the list is unsorted. Not funny.
I’d like to have the ability to sort the list by clicking on the column header.

Troubleshooting
InfoView
We really need a more up-to-date and stable version of InfoView. Normally I need to try 2-3 times before I can open a cpinfo file because the tool crashes. As far as I know it’s not maintained any longer, but all support partners really need this!

Endpoint Security
SecureClient / Endpoint Connect
Endpoint Connect should be the successor of SecureClient, but it isn’t really. EC lacks the personal firewall feature. For most SME customers the old SecureClient Desktop Policy feature was all they needed. Check Point should understand that Endpoint Security is not the answer to all demands.

Licensing
Check Point does not offer a maintained, up-to-date VPN client free of charge. For using Endpoint Connect, an Endpoint Security Secure Access license is necessary if you want to use Office Mode.
Like Cisco, Check Point should give away a full-blown VPN client for free!

OS support
Parts of Endpoint Security run on Windows 7? Congratulations. But why do we still have to struggle with VPN clients for MacOS or Linux? Why do we have to use a current OS like Snow Leopard with a very, very old VPN client like SecureClient?
I think that before integrating new features into Endpoint Security and all other products that have to be installed on clients, you should make sure that you support all common operating systems: Windows XP, Vista and 7 as well as MacOS 10.4, 10.5 and 10.6. A client for Linux (Debian, RedHat/CentOS, Ubuntu) should also be available.

Version numbering
I nearly lost it with the Endpoint Security version numbers, since they no longer correspond to those of the other products. Keep the version numbering simpler.

That’s it for now, but for sure I will extend my wish list in the next days… there are so many things CP needs to take care of.

Happy XMAS, everybody.

Tobias Lachmann

My trouble with Software Blade licenses

My latest experience was with our first customer that used all-R70 licenses, instead of just upgrading to R70 but sticking with NGX licenses.

Ok, what happened? In the User Center I found a container and some blades. I checked the container and licensed it by assigning an IP address to the container. Then I attached the blades to the container. Afterwards I clicked on “Get license” and had my license file. I got my contract file, too.

Then the nightmare happened when I installed the license on the customer system during our installation. Nothing worked! And by saying “nothing”, I mean “nothing”. Not even the firewall was working! A total disaster, we had to roll back the whole installation.

After spending 3 days with Support and Account Services from Check Point we found the error: through my procedure I had just licensed a container, without any blades. Attaching a blade to a container and issuing “Get license” does nothing to the license. You have to attach the blades to the container and then license the whole package. Only this creates a valid license.

At the moment I haven’t made up my mind completely. Was it my fault? Am I too stupid to understand how to produce a correct license? Or is the User Center just working unexpectedly?

By the way: Total Security licenses are a total mess, too. We had several cases where (using NGX licenses) the AntiSpam, AntiVirus or URL Filtering module stopped working or updating because of license issues. The sad part is that all customers had bought proper licenses and the User Center displayed all items correctly.

I really wish they will fix that…

Tobias Lachmann

Check Point R70.20 is now available

The release R70.20 is now available. I checked the documentation and found that it contains many important fixes as well as new features. In particular, it covers the new multicore licensing scheme that has been introduced by Check Point.

Check out the What’s new page, the Release Notes, the Known Limitations and the Resolved Issues.

From the bugfixing side, R70.20 is like the HFA60 for NGX R65, plus some added features.
Highly recommended for installation.

Tobias Lachmann

Re-Certification R70

Today I passed the first part of my re-certification. Since the R70 CCSA exam is now available, I started with this one and will later go for CCSE and CCSE+. I took the Accelerated CCSE exam once, and it wasn’t funny. I’m not going to do that again with R70!

The R70 exam is under NDA restriction, so I can’t go into detail or tell you about specific questions.

But some general things can be said:

– we now have a tough time frame – 130 questions in 120 minutes!
– the questions are now more detailed and have good pictures which help a lot; but the scenarios are more complex
– you actually get real-life questions which occur in the daily work
– all topics from the course are covered and you have to know more details about the product and general security methods
– it’s not like the old CCSA exam, it’s actually more like the CCSE

Sadly, some things haven’t changed:

– still questions that can’t be answered correctly
– questions with two (!) answers that have the same text -> which one will be judged as correct?
– answers like “1, 2 and 4 are correct” -> here I found that no answer had the number X in it, which is also correct; kind of misleading
– lots of questions that need to be re-phrased to make sense; especially for non-native speakers some of them are very hard to understand

I took the exam without practicing and passed. But this is truly not recommended! At least you should buy the student handbook from the training courses to know all the topics. Remember, the course now has 5 days instead of the 2 it had before.

It will be interesting to see how the CCSE goes.
I submitted some questions for this exam to Check Point. If I’m lucky, they will accept some of these questions. The promised reward was gaining the CCSE R70 certification.
If this works, I’m off the hook 😉

Tobias Lachmann

Project Gaia – the new Check Point OS

Check Point will come up with a new OS platform that will succeed Secure Platform (SPLAT) and IPSO.

Judging by the features that are shown on the project page, it will be based on Linux / SPLAT and many features of the Nokia Voyager will be transferred to the WebUI.
I was able to pick up some rumours from Check Point that confirm this guess.

At the moment there’s no code available for customers or partners, but I’ll keep you posted as things develop in the coming months.

Tobias Lachmann