networking-forum.com

All times are UTC - 6 hours [ DST ]



[ 18 posts ]
 Post subject: CheckPoint simulation
PostPosted: Tue Mar 20, 2012 9:33 am 
Junior Member

Joined: Sun Feb 12, 2012 6:11 am
Posts: 80
Certs: CCNA, CCIP
holla guys :)

Where can I find information or lab simulations about CheckPoint devices like VPN-1 Edge, FW and security stuff?
And can I run it in GNS3??
thanks :)


PostPosted: Tue Mar 20, 2012 4:38 pm 
Post Whore

Joined: Sat Dec 19, 2009 11:52 pm
Posts: 1197
Location: West FL
Certs: CCNP, JNCIA, MCSA
You can download the ISO and run the full suite for 14 days. You just need to register on their site. After that point you need a license key.


PostPosted: Wed Mar 21, 2012 8:01 am 
Senior Member

Joined: Sat Apr 09, 2011 3:55 pm
Posts: 388
Certs: CCIE CCNP-S CCDA MCSE RHCT Sec+ A+
Checkpoint firewalls are terrible. I'd avoid them at all costs personally. But yes you can run them unlicensed for a while. I've even run them for testing in an Oracle Vbox VM on my Windows 7 desktop. I never tried to integrate that with GNS3 but I'm sure it's possible if you have enough network interfaces and patience.


PostPosted: Wed Mar 21, 2012 9:58 am 
Post Whore

Joined: Sun May 15, 2011 4:16 pm
Posts: 1442
Location: Belgium
Certs: CCNA Security, CCNP
writeerase wrote:
Checkpoint firewalls are terrible. I'd avoid them at all costs personally.

Other experiences here... Please elaborate? :-)

Also: don't count on it directly in GNS3, but giving GNS3 physical access should make it possible.

_________________
http://reggle.wordpress.com


PostPosted: Wed Mar 21, 2012 11:11 am 
Senior Member

Joined: Sat Apr 09, 2011 3:55 pm
Posts: 388
Certs: CCIE CCNP-S CCDA MCSE RHCT Sec+ A+
They require a separate management server to administer them with a kludgy authentication process and proprietary protocols
Less intuitive interface (I guess you'd like it if you are a "clicker", I don't)
Simple tasks require more effort to accomplish than on an ASA (lol VPNs good luck)
Export policy from one cluster to another is an exercise in frustration (simple cut/paste on Cisco in notepad)
Their tech support skill level is somewhere between pathetic and terrible depending on who you talk to
Creating objects for everything just adds more overhead to creating new rules... it also creates dynamic garbage objects that you can't get rid of...
IPS feature is crap
URL filtering is a joke and isn't customizable enough to be useful beyond their cookie cutter category system...
Granular policy NAT policies take double the time to input into their stupid GUI

Should I go on?

Checkpoint seems to excel at one thing, marketing their products to the "Windows admins".


PostPosted: Wed Mar 21, 2012 11:56 am 
Post Whore

Joined: Sat Dec 19, 2009 11:52 pm
Posts: 1197
Location: West FL
Certs: CCNP, JNCIA, MCSA
@writeerase

Which did you learn first, ASA or Check Point?


PostPosted: Wed Mar 21, 2012 1:08 pm 
Ultimate Member

Joined: Mon Oct 06, 2008 8:01 am
Posts: 670
Certs: CCNA,CCNP
writeerase wrote:
They require a separate management server to administer them with a kludgy authentication process and proprietary protocols
Less intuitive interface (I guess you'd like it if you are a "clicker", I don't)
Simple tasks require more effort to accomplish than on an ASA (lol VPNs good luck)
Export policy from one cluster to another is an exercise in frustration (simple cut/paste on Cisco in notepad)
Their tech support skill level is somewhere between pathetic and terrible depending on who you talk to
Creating objects for everything just adds more overhead to creating new rules... it also creates dynamic garbage objects that you can't get rid of...
IPS feature is crap
URL filtering is a joke and isn't customizable enough to be useful beyond their cookie cutter category system...
Granular policy NAT policies take double the time to input into their stupid GUI

Should I go on?

Checkpoint seems to excel at one thing, marketing their products to the "Windows admins".


I've heard similar things...


PostPosted: Fri Apr 06, 2012 10:31 pm 
Post Whore

Joined: Sat Oct 20, 2007 11:05 am
Posts: 1953
Location: Plano, TX
Certs: CCNA
writeerase wrote:
They require a separate management server to administer them with a kludgy authentication process and proprietary protocols
Less intuitive interface (I guess you'd like it if you are a "clicker", I don't)
Simple tasks require more effort to accomplish than on an ASA (lol VPNs good luck)
Export policy from one cluster to another is an exercise in frustration (simple cut/paste on Cisco in notepad)
Their tech support skill level is somewhere between pathetic and terrible depending on who you talk to
Creating objects for everything just adds more overhead to creating new rules... it also creates dynamic garbage objects that you can't get rid of...
IPS feature is crap
URL filtering is a joke and isn't customizable enough to be useful beyond their cookie cutter category system...
Granular policy NAT policies take double the time to input into their stupid GUI

Don't forget -
They are terribly expensive initially and for support (i.e. about $10k a year per)
The code is very buggy and it takes months for them to fix bugs.
You get 4 conflicting answers for the same question from support.
Firewalls stop forwarding traffic when you push policies.


PostPosted: Sat Apr 07, 2012 5:01 am 
Post Whore

Joined: Sun May 15, 2011 4:16 pm
Posts: 1442
Location: Belgium
Certs: CCNA Security, CCNP
texanmutt wrote:
Firewalls stop forwarding traffic when you push policies.

To set things straight, I can confirm this is not true. About the other claims, that may very well be, no experience there yet.

_________________
http://reggle.wordpress.com


PostPosted: Sat Apr 07, 2012 12:35 pm 
Post Whore

Joined: Sat Oct 20, 2007 11:05 am
Posts: 1953
Location: Plano, TX
Certs: CCNA
Reggle wrote:
texanmutt wrote:
Firewalls stop forwarding traffic when you push policies.

To set things straight, I can confirm this is not true. About the other claims, that may very well be, no experience there yet.

I can confirm this is true. About 1 out of every 5 firewall pushes stops traffic flow on a cluster and about one out of every 20 cause the primary unit to crash and the backup to take over. This has happened on version R70 and R75.

I'm not going to bother putting in a ticket because we are getting rid of checkpoint within 6 months anyway, but if I did, the ticket process would go like this -

1) Call support
2) Be told to run some debug command that will crash the appliance within 30 seconds and upload the results
3) Not get back to me for over a week until I call them, then they ask me to run another debug and upload the results
4) After 2 weeks of no response call them back and have them tell me they can't find anything wrong and tell me there is nothing they can do
5) Escalate the case to a manager that will then get it to the next level of support
6) The next level of support will then tell me to run more debugs
7) After a few months of this I will either have a very simple work around that I could have been told in the beginning
OR - be told they can't reproduce the problem and they will no longer work the case.

The last and final step is my management telling me to get rid of the checkpoints as soon as possible.


PostPosted: Sat Apr 07, 2012 12:55 pm 
Post Whore

Joined: Sat Dec 19, 2009 11:52 pm
Posts: 1197
Location: West FL
Certs: CCNP, JNCIA, MCSA
texanmutt wrote:
I can confirm this is true. About 1 out of every 5 firewall pushes stops traffic flow on a cluster


Sounds like I have a similar issue :-(. From what I can tell, only the VPN tunnels are reset.


PostPosted: Mon Apr 09, 2012 12:36 pm 
Ultimate Member

Joined: Thu Nov 18, 2010 3:54 pm
Posts: 757
Location: Canada
Certs: CCIE R&S
We've got Provider-1 here and nobody is really thrilled about it...


PostPosted: Mon Apr 09, 2012 7:15 pm 
New Member

Joined: Sun Aug 03, 2008 9:35 am
Posts: 40
Location: Perth, Australia
Certs: CCNP
Quote:
They are terribly expensive initially and for support (i.e. about $10k a year per)
The code is very buggy and it takes months for them to fix bugs.
You get 4 conflicting answers for the same question from support.
Firewalls stop forwarding traffic when you push policies.


To fix your issue with the firewalls stopping forwarding traffic you need to disable SecureXL. What version are you running? We get this a lot on R70.30....

To disable SecureXL one time (on each gateway, not on the management): fwaccel off

fwaccel stat will tell you whether it is properly turned off or not. Essentially the problem is that SecureXL maintains a kind of state table that doesn't properly refresh when pushing a policy. The downside to disabling SecureXL is that the firewalls go under excessive levels of load, and at the moment we are at a point where we have to disable SecureXL to push a policy, and then re-enable it afterwards so that the firewalls don't crash, or the network doesn't slow to a crawl.

Quote:
Checkpoint firewalls are terrible. I'd avoid them at all costs personally
- Most definitely correct.

Quote:
Less intuitive interface (I guess you'd like it if you are a "clicker", I don't)
Simple tasks require more effort to accomplish than on an ASA (lol VPNs good luck)
Export policy from one cluster to another is an exercise in frustration (simple cut/paste on Cisco in notepad)
Their tech support skill level is somewhere between pathetic and terrible depending on who you talk to
Creating objects for everything just adds more overhead to creating new rules... it also creates dynamic garbage objects that you can't get rid of...
IPS feature is crap
URL filtering is a joke and isn't customizable enough to be useful beyond their cookie cutter category system...
Granular policy NAT policies take double the time to input into their stupid GUI
- All correct, although I don't mind the IPS. The support is horrible, and their software is full of bugs that require you to upgrade your entire firewalls to fix (which simply isn't an option when you're in a PCI compliant environment where the firewalls run everything).

Quote:
Which did you learn first, ASA or Check Point?
- I learnt both about the same time. Checkpoint Tracker is a good feature, everything else is reasonably rubbish. IPSEC VPN interoperability can be a nightmare, and debugging requires downloading the elg files and using an unintuitive app to parse the debug files.

Quote:
I can confirm this is true. About 1 out of every 5 firewall pushes stops traffic flow on a cluster and about one out of every 20 cause the primary unit to crash and the backup to take over. This has happened on version R70 and R75.
- Damn, we get this too (both the dropped traffic, and the firewalls failing over to standby on some policy pushes), and we were hoping R75 would resolve it.

Quote:
From what I can tell, only the VPN tunnels are reset.
- This is correct, we have this issue, but only with some VPNs... The problem again is SecureXL and you can fix the issue by disabling SecureXL or continually pushing new policies until it comes back. The way you can tell if it is SecureXL is if you see incoming connections over the VPN but your servers are stuck in a TCP Half Open state, or your outgoing connections aren't receiving a reply. What you will see in tracker is the incoming connection for example, and it all looks fine, but if you switch the destination and source around, you will see that the reply packet is probably being dropped because it is out of state (e.g. an ACK when no SYN recorded) - this is because the connection tracking table that they call SecureXL is FUBAR and is not matching the return flow with the originating flow.... Stupid I know... Other option is a cprestart or completely resetting the fw state table, which I have a command for if you want but it's dangerous and will drop all existing connections on the network (which in my case would cause absolute havoc, which I guess isn't much worse than the havoc they already cause).

So long story short. Get rid of them, and get ASA's. No amount of "ease of use" will make up for the fact that they NEVER @#%*&ng work...
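The symptom frupert describes above (the inbound SYN shows as accepted, but once you swap source and destination the reply is dropped as out of state) comes down to a stateful filter losing the originating entry for a flow. The following is an added toy model, not code from this thread and not Check Point's SecureXL; it keeps a flow table keyed by the 4-tuple, looks up return packets with the tuple reversed, and clears the table between the SYN and the SYN-ACK to stand in for the state loss blamed on the policy push. The rule base, the `orphaned_replies` triage helper and the 203.0.113.0/24 and 198.51.100.0/24 addresses are all constructed for the illustration.

```python
"""Added illustration (not from the forum thread, not Check Point code): a toy
stateful packet filter whose connection table is cleared mid-flow, to show why
the reply packets of an established connection are then dropped as out of state,
and how to spot such flows in a log by swapping source and destination."""
from dataclasses import dataclass, field

ACCEPT, DROP_POLICY, DROP_OUT_OF_STATE = "accept", "drop-policy", "drop-out-of-state"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # "SYN", "SYN-ACK" or "ACK" for this illustration


def flow_key(p: Packet) -> tuple:
    return (p.src, p.sport, p.dst, p.dport)


def reverse_key(p: Packet) -> tuple:
    """The same flow seen from the reply direction (source and destination swapped)."""
    return (p.dst, p.dport, p.src, p.sport)


@dataclass
class StatefulFilter:
    table: set = field(default_factory=set)   # keys of accepted, established flows
    log: list = field(default_factory=list)   # (packet, verdict) pairs, like a tracker log

    def process(self, p: Packet) -> str:
        if p.flags == "SYN":
            # Constructed rule base: only new connections to TCP/443 are allowed.
            if p.dport == 443:
                self.table.add(flow_key(p))
                verdict = ACCEPT
            else:
                verdict = DROP_POLICY
        elif flow_key(p) in self.table or reverse_key(p) in self.table:
            verdict = ACCEPT             # matches a known flow in either direction
        else:
            verdict = DROP_OUT_OF_STATE  # e.g. an ACK or SYN-ACK with no SYN on record
        self.log.append((p, verdict))
        return verdict

    def flush(self) -> None:
        """Stands in for the state loss the post attributes to a policy push."""
        self.table.clear()


def orphaned_replies(log: list) -> list:
    """Triage helper (constructed): flows whose SYN was accepted but whose later
    packets were dropped as out of state. This is the 'switch destination and
    source around' check from the post, done over the log rather than in a GUI."""
    accepted = {flow_key(p) for p, v in log if v == ACCEPT and p.flags == "SYN"}
    orphans = set()
    for p, v in log:
        if v != DROP_OUT_OF_STATE:
            continue
        if flow_key(p) in accepted:           # client-side packet of a lost flow
            orphans.add(flow_key(p))
        elif reverse_key(p) in accepted:      # server reply of a lost flow
            orphans.add(reverse_key(p))
    return sorted(orphans)


def simulate(flush_mid_flow: bool) -> tuple:
    """Run a three-way handshake through the filter, optionally clearing the state
    table between the SYN and the SYN-ACK. Returns (verdicts, orphaned flows)."""
    fw = StatefulFilter()
    client = ("203.0.113.10", 51515)   # constructed documentation addresses
    server = ("198.51.100.20", 443)
    syn = Packet(*client, *server, "SYN")
    syn_ack = Packet(*server, *client, "SYN-ACK")
    ack = Packet(*client, *server, "ACK")

    verdicts = [fw.process(syn)]
    if flush_mid_flow:
        fw.flush()
    verdicts.append(fw.process(syn_ack))
    verdicts.append(fw.process(ack))
    return verdicts, orphaned_replies(fw.log)


if __name__ == "__main__":
    for flush in (False, True):
        verdicts, orphans = simulate(flush)
        print(f"state cleared mid-flow={flush}: verdicts={verdicts} orphaned flows={orphans}")
```

With the table intact all three packets are accepted; with it cleared after the SYN, the SYN-ACK and the ACK are both dropped as out of state even though nothing in the rule base forbids them, and `orphaned_replies` points at the client flow whose half-open state the post describes. The same reversed-tuple lookup is what you would do by hand in a tracker view.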


PostPosted: Tue Apr 10, 2012 2:34 am 
CCIE #38070

Joined: Wed Jun 18, 2008 7:49 am
Posts: 12488
Location: London, UK
Certs: CCIE ,CC-NP/IP, JNCIP-SP, JNCIS-ENT, BC-/SPNE/NP
Or Junipers...

_________________
www.mellowd.co.uk/ccie/


PostPosted: Tue Apr 10, 2012 3:14 am 
Post Whore

Joined: Sat Dec 19, 2009 11:52 pm
Posts: 1197
Location: West FL
Certs: CCNP, JNCIA, MCSA
@frupert

Thanks for the tips!

How'd you figure out it was SecureXL? Did you have to open a ticket?


PostPosted: Tue Apr 10, 2012 8:04 pm 
Post Whore

Joined: Sat Oct 20, 2007 11:05 am
Posts: 1953
Location: Plano, TX
Certs: CCNA
frupert wrote:
So long story short. Get rid of them, and get ASA's. No amount of "ease of use" will make up for the fact that they NEVER @#%*&ng work...

Well said. To solve the ease of use issue we are actually looking at CSM, which seems to have management features that are almost as good as Smart Dashboard.


PostPosted: Tue Apr 10, 2012 8:07 pm 
Post Whore

Joined: Sat Oct 20, 2007 11:05 am
Posts: 1953
Location: Plano, TX
Certs: CCNA
mellowd wrote:
Or Junipers...

At my last company we had to switch to Juniper because of budget constraints. Love the CLI and feature set but the JunOS based enterprise products were terribly unreliable. Even the "redundant" JSRP cluster would crash at times.


PostPosted: Wed Apr 11, 2012 2:28 am 
CCIE #38070

Joined: Wed Jun 18, 2008 7:49 am
Posts: 12488
Location: London, UK
Certs: CCIE ,CC-NP/IP, JNCIP-SP, JNCIS-ENT, BC-/SPNE/NP
Netscreen

_________________
www.mellowd.co.uk/ccie/

