topic Re: When you can't send everything to TAC. in General Topics

When you can't send everything to TAC.

SerB — Tue, 02 Jun 2020 20:20:05 GMT

Hello Chack Mates,

I have a problem, and I need your advice. I found a job that I have been seeking for a long time. There is a big customer who has got a lot of Checkpoint appliances. But they also have some security rules about personal information. And sometimes, my hands are tied when I can't send some information that TAC needs to solve a problem. For instance, I found a core dump file. It contains IP addresses, object names, and I also suspect that it contains usernames e.t.c. And I can't send it to them. Does anyone have experience of working with a client like this one? What should I do?
First I was thinking to write a parser. But to find all information that I need to remove, I have to know what to search. It's easy to remove IP addresses. The regular expression to find them is easy to write. But there might be a lot of other personal information. It's impossible to create all templates.

Re: When you can't send everything to TAC.

HristoGrigorov — Wed, 03 Jun 2020 06:19:14 GMT

The core dump is usually needed to see the stack trace. You may try to ask TAC for a remote session to extract this stack trace from the core dump right in the appliance or on some other machine suitable for that.

Re: When you can't send everything to TAC.

SerB — Sun, 07 Jun 2020 19:22:09 GMT

Thank you for your reply! Yes, we've already tried that. They gave me a script but it shows an error. It looks like the core dump file is corrupted.

But the problem is bigger than this one file. That's why I created this topic. Someone else has problems like that or is it just I was so lucky to find a job like this one. If it's normal I would try to get along as far as I could, but if it's not I would try to find another job because I'm getting tired of it.

Re: When you can't send everything to TAC.

_Val_ — Mon, 08 Jun 2020 07:09:51 GMT

Several points:

TAC is often requiring many different sensitive info from the end customer's environment.
In my personal view, it is okay to trust a security vendor with sensitive information. Same goes to a certified support partner. There is a legal protection in place as part of your support contract. Also, would there be a leak, reputation damage to vendor/partner would be devastating.
In many cases, it is extremely hard to get a grip on a situation, if expected tools are unavailable: cpinfo, debug files and remote access.

I have been in situations where end customers could not provide appropriate means of support to security vendors. In some occasions, I had to be eyes and ears to support on customers' sites where no files could be sent and no remote access possible. Not the best experience.

Usually that costs time, efforts, much more money and frustration. Yet, sometimes there is nothing you can do about it.

Re: When you can't send everything to TAC.

GalitS — Tue, 09 Jun 2020 07:17:37 GMT

My name is Galit Sadi and I am the TAC Project Manager

I would be happy to take it offline and try to assist you.

Please contact me at galits@checkpoint.com

Thx
Galit