Tag Archives | Check Point

Using Check Point Identity Awareness with NAT

Check Point Identity Awareness is problematic in environments that have multiple customers, overlapping private address space, and NAT. It can be done, if you understand the traffic flows, the connections needed, and how to combine several features. Here’s how I did it. Background: Typical Check Point Management Flows A quick reminder of the traditional flows used […]


Check Point SmartLog – Recommended

Trigger warning for Check Point haters: I’m about to say nice things about Check Point. Continuing the recent theme of Check Point-related posts, I’d like to give Check Point credit for once. SmartLog is what I always wanted from Tracker/Log Viewer, and they’re not even charging me extra for it. Shocking, I know. Traditional Log Analysis 15-20 […]


Check Point – Don’t Use the ‘Install On’ Column

I got caught out by Check Point’s “Install On” column recently. Most people don’t need this setting any more, but it’s still there for legacy reasons. Time to re-evaluate. When you create a firewall policy using Check Point, you define the set of possible installation targets. That is, the firewalls that this policy may be installed […]


Check Point – Upgrade Without Dropping Connections

Check Point firewall upgrades have always been painful. The loss of connection state is a big part of this. Existing connections stop working, and many applications need to be restarted. It looks like there is a way of minimising this pain on upgrade. Stateful firewalls record the current ‘state’ of traffic passing through, so they can recognise and […]


Disappointed With Check Point

I have recently started working with Check Point products again, after a 5-year break. This has given me a different perspective on how they are progressing. It has been disappointing to see that they’re still suffering from some of the same old bugs. Some of the core functionality is now showing its age, and is no longer appropriate […]


War Stories: Check Point Meltdown

Firewalls are usually deployed as a cluster, to provide failover capabilities. Protocols such as VRRP are used so that traffic is normally routed via one node, but if that node fails, the other one automatically takes all traffic. Connection synchronisation ensures that the backup firewall is always aware of all active sessions, so that a […]
