Friday, April 29, 2011

News about R75 courses and certification

Finally I have managed to get some solid information about R75 training and certification.

According to my sources, Check Point is going to release R75 CCSE training by the end of Q2. CCSA R75 will be released a bit later. In addition, the CCSE Plus certification will be reinstated. There will be additional blade certifications with R75, and Plus status will be a function of those.

Thursday, April 28, 2011

Simulating VSX provisioning process in the lab

Sometimes, while troubleshooting VSX or working on a proof of concept, you need to build some VS objects without actual VSX physical cluster objects connected to your management system.

For example, I am working on some support issues with a customer, and we do not intend to mess around with our production system. We could build a physical lab, but having an extra VSX 9090 just sitting there is too expensive. VMware seems to be a good option, but there are two blocking issues:
  • you cannot create a VMware virtual machine with more than 10 interfaces,
  • it is impossible to restore a VSX appliance to a VM.

What to do then?

There is a way to run some simulations without physical VSX machines, using only your management server (MGMT).

Usually, if you are touching VSX objects, pressing the OK button starts a provisioning script that runs on the Main CMA. This script is supposed to push configuration changes to your physical machines and to all relevant VSX objects: virtual systems, routers and switches. If your physical machines are not available, the script fails.

But you can bypass the actual provisioning scripts being sent to the VSX members by using some specific debug flags.

On the Main CMA run “fw debug fwm on” with the following flags:

TDERROR_ALL_VSXM_DBG_SKIP_PING=INFO
TDERROR_ALL_VSXM_DBG_SKIP_INSTALL=INFO
TDERROR_ALL_VSXM_DBG_SKIP_PULL_SIC=INFO

These flags suppress the connectivity checks (ping and SIC pull) and the execution of the provisioning scripts on VSX when the cluster members are not available.

It means you can re-create your MDS on VMware and then play with it before making any change on production. With these commands, having VSX machines in the VMware lab is not required.

I have to give some warnings before wrapping this up.
  • Remember, all provisioning happens on the Main CMA, so mind your Provider-1 context before executing these debug commands. 
  • Avoid using this technique in a production environment unless advised by Check Point support to do so.
  • Close any GUI clients before executing the commands. MDG can still be open, but having SmartDashboard or even GUIdbedit running while you are putting in these debug flags affects the outcome.
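As an added example (not code from the original post), the following POSIX shell script bundles the procedure above: it sets the three flags in one step, clears them again afterwards with "fw debug fwm off", and refuses to run unless the shell is in a CMA context, which is the point of the first warning. Two assumptions are made here: that after "mdsenv <cma>" the CMA's FWDIR contains a "customers/" path component (adjust the pattern if your Provider-1 layout differs), and that "fw debug fwm on" accepts one KEY=VALUE flag per call. FW_CMD is a hypothetical override so the script can be dry-run with FW_CMD=echo on a machine without Check Point installed.

```shell
#!/bin/sh
# Added example wrapping the VSX simulation debug flags from the post above.
# Not part of the original post; run it on the Main CMA of a lab MDS only.
set -eu

# The three flags from the post: skip ping, skip script install and skip SIC
# pull towards VSX members that the lab MDS cannot reach.
VSX_SIM_FLAGS="TDERROR_ALL_VSXM_DBG_SKIP_PING=INFO
TDERROR_ALL_VSXM_DBG_SKIP_INSTALL=INFO
TDERROR_ALL_VSXM_DBG_SKIP_PULL_SIC=INFO"

# Command used to talk to fwm. Hypothetical override: FW_CMD=echo dry-runs the
# script and just prints the invocations it would make.
FW_CMD="${FW_CMD:-fw}"

# Provisioning runs on the Main CMA, so the flags must be set in that CMA's
# context. Assumption: after "mdsenv <cma>" FWDIR points under the CMA's
# customers/<name>/... directory, whereas the MDS main context does not.
vsx_sim_context_ok() {
    case "${FWDIR:-}" in
        */customers/*) return 0 ;;
        *) return 1 ;;
    esac
}

# vsx_sim_debug on|off
#   on  : enable the three skip flags, one "fw debug fwm on" call per flag
#   off : clear all fwm debug flags again (do this before leaving the lab CMA)
# Returns 1 without touching fwm when the context check fails, 2 on bad usage.
vsx_sim_debug() {
    mode="${1:-}"
    case "$mode" in
        on|off) ;;
        *) echo "usage: vsx_sim_debug on|off" >&2; return 2 ;;
    esac
    if ! vsx_sim_context_ok; then
        echo "refusing: FWDIR=${FWDIR:-unset} is not a CMA context; run mdsenv <cma> first" >&2
        return 1
    fi
    # Per the post, SmartDashboard and GUIdbedit must be closed at this point.
    if [ "$mode" = on ]; then
        for flag in $VSX_SIM_FLAGS; do
            "$FW_CMD" debug fwm on "$flag"
        done
    else
        "$FW_CMD" debug fwm off
    fi
}

# Example session (dry run so it is harmless outside a lab):
#   mdsenv lab_cma
#   FW_CMD=echo . ./vsx_sim.sh && vsx_sim_debug on   # shows the three calls
#   ... edit VSX objects, press OK, watch the provisioning succeed ...
#   vsx_sim_debug off
```

Sourcing the file rather than executing it keeps the two functions in your shell, so "vsx_sim_debug off" is one command away when you are done with the lab session.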

If you are looking for highly technical training on VSX and other Check Point products, please check out our ATC in Lausanne. We run our courses in English and welcome all participants, from Switzerland and abroad. Please go to this web page and choose the "Contact us" tab if you would like to make an inquiry or register for the announced courses.

We are masters of customized training. If you do not find your subject in our schedule, contact us anyway; we will tailor a training session specifically for you. You will not be disappointed.

Tuesday, April 26, 2011

No news on R75 certification just yet

Hi all!

I have mentioned that a fair number of visitors to this blog are coming from Google searches about R75 courses and certification.

Unfortunately, for the moment I do not have any news on this subject. It seems that Check Point is working internally to come up with such activities, but nothing has surfaced yet. I do not have any ETA, and rumors are inconclusive.

There are some voices saying R75 will have the CCSE Plus certification revived, but I cannot confirm or deny this information.

Let's wait till CPX; there might be some insights on the matter. I will keep you posted, guys.

Wednesday, April 13, 2011

Check Point gloats over NSS firewall test results

Forbes has published an interesting article about the latest NSS firewall testing. Apparently Check Point is the only vendor that passed the full range of tests. The rest (Cisco, Juniper, Fortinet and even Palo Alto!) failed on the TCP split handshake tests.

Additional reference: Check Point press release

Good job, Check Point!

Monday, April 11, 2011

There is no CCSE plus R7x

Strange, but I am getting several hits on this blog every day originating from Google searches on "CCSE plus R71" and similar.

Guys, please remember: there is no CCSE Plus anymore, neither for R70 nor for R71.

Current Check Point certification/education only has the CCSA and CCSE exams and courses. There are rumors that this might change with R75, but no material proof of that just yet.

Check Point gives away free Identity Awareness licenses

I am sincerely surprised today.

My Check Point SE just told me that, just this year, Check Point is giving away free permanent licenses for Identity Awareness Software Blades.

Apparently these licenses not only have a zero price tag, but also come with free lifetime maintenance.

I am still waiting for an official document, but it is about time to call all your customers who are even remotely interested in the feature.

The offer is limited till the end of the year.

Friday, April 1, 2011

How to visualize your rulebase

One of a security admin's tasks is to document the security system. Sometimes it is necessary to print out your rulebase, objects and users. How do you do that?

There are many different ways, but one of the least known is Check Point's standard Web Visualization Tool.

The comprehensive history and recent documentation can be found in sk30765. The tool is actually a script that creates an HTML file with your rulebase, NAT, objects and users. It is quite useful for printing out the data.

This tool only exists for R65 and R70. I have tried it on an R75 MGMT server, and there are some funny bugs, but it still does its job, most of it.

And Check Point... If you read this, please patch the tool for your own latest versions, pretty please.

R7x upgrade path diagrams

Originally found here.

If you are wondering what your upgrade path from R6x to R7x would be, these three diagrams will help you understand the dependencies and supported paths.

Diagram: Upgrade to R70

Diagram: Upgrade to R71

Diagram: Upgrade to R75


Credits to filereverse

SmartSPLAT - yet another SMART way to manage SecurePlatform

You are considered an expert if you can work effectively with the SPLAT CLI. It usually takes knowledge and expertise to operate fw monitor, kernel debug, and ClusterXL commands.

But is it indeed that complicated? Apparently not. There is a brilliant tool out there called SmartSPLAT.

It allows you to do almost everything you might dream of: getting traces, collecting debug information, managing interfaces, preparing SCP transfers, changing cluster parameters, etc. The full list might actually take a couple of pages.

And can you imagine that this tool is free of charge?

The author is Çağdaş Ulucan, and we all are grateful for his tremendous job.