Yuri Slobodyanyuk wrote:

Yes and no  . Your solutions are perfectly correct, true, but ... don't forget that I called it 'List of Administrator's errors...' not Checkpoint product errors . So technical solutions existed long before R80.10,

e.g. wrong Policy install ? ... can't be easier than that - just check relevant gateways in "Policy Targets" menu for this policy and this will never happen. 

Removing object in use ? Well, just read the warning and click on the button "Where used" .

And while my list is compiled based on R55 - R77.30 versions, after speaking with thousands of IT guys/gals managing firewalls, I can assure you - they will 'outsmart' any technical safety measures put by bright R&D folks at Checkpoint, no one can beat the 8th layer of OSI, doesn't mean you should never try but  ...  

I encourage you to try to remove a used object from the objects bar in R80.10. Let me know if you found a way to do that.

In general, at Check Point we try to have our admins do the most by clicking the least. Some errors can be fully prevented with a smart backend platform (R80). Others are user best practices which aren't always a problem and are different between organizations - which I mentioned as stay tuned.

Of course there will always be the market for educational programs and partner sessions in which they help their customers make the most out of their Check Point products. We definitely learn from our partners' experience when shaping the future of our product line.

About admin errors (not common ones ) there's one story I have to share that took me 24 hours straight to figure out back in the days of February 2004 in one the largest airlines core FW

There was a worm called mydoom that attacked  www.sco.com and other IP addresses (https://www.google.com/amp/www.networkworld.com/article/2330164/lan-wan/the-worm-attacks--sco-downed...)

1)The security admin at that company created a rule #2 :any--(group called) bad-ip--http --drop

2)The symptom was downtime of traffic (ping worked ok) , if you reboot the firewall all works great for like 8 minutes and then the same down time of traffic 

3)No drops in the logs

4)After troubleshooting with Cisco R&D, check Point R&D no solution found 

5)All of the sudden I was hungry and ate a doughnut 

6)After the doughnut I drank Diet Coke (to balance the calories )

7)Then I had an epiphany they should invent a doughnut + croissant , this could work (again it was back in 2004 )

8)No sleep

9)I decided to see what's inside the group called bad-ip

10)I see a fuc$!ng domain object of www.sco.com (I.e. The fw tried to reverse DNS every packet )

11)Face palm 

12)I deleted it 

13)Everything works till today 

Lesson of the story : I should have patented cronut

So what you're saying is domain objects caused traffic to fall into the proverbial cronut hole?

Thankfully, they work much better in R80.10

Hehe yes

Hahaha , hilarious. 

Going down the memory lane I can recall in 10+ years at Netvision how at least 4 times clients downed their network by using this Dynamic Object - all major enterprises (and the newest case with R77.30 some 2 years ago). The user-friendliness of the SmartConsole tricked them:

" Hmm, my users are abusing the whole line to the Internet with Youtube/Facebook traffic, CEO is not happy - all is slow, but no license for URL Filtering, let's see...."

"Wait a minute, what this standing so prominently alone in the Smart DashBoard Dynamic Object does ?? Cool, it allows to enter facebook.com and youtube.com in its name and use it in Security Rules !!! Eureka ! Next pay raise is a done deal, I am genius. Let's create it as a 1st rule, source is all LANs (or any) ,destination this Dynamic Object(s), install policy and nirvana is close... Should "You were disconnected from the Management server" happen after that? Oh, here is CEO calling, probably to thank me."

"All is lost! No internet for the whole company, Checkpoint firewall failed, let me call my CSP and yell at them to fix it ASAP" 

Me: "What changes were done just before failure?"

Him:"Nothing unusual, was doing some rules"

Me:" Can you connect to the firewall from LAN by ssh?"

Him:"Not really" [then goes short explanation how to disconnect the whole LAN, or run fw unloadlocal] 

Me: "Please let it be a Standalone firewall" [I am happy - it is indeed Standalone so w/o Security policy I can connect to it from the Internet"

Me (after deleting this 1st rule and installing policy with CPU load going from 100% to 3%): "Look, this is not a technical failure this is you doing stuff you have no idea about"

Him:"Really? Ok, sorry for that ..."

Me [wishfully]: "I wish Checkpoint hid this stupid Dynamic Object deep inside Guidbedit cave or not created at all, in all these years I needed this object just once but took care of at least 20 cases of its misuse."

PS. I know what book I can write about Checkpoint - "Diaries of the phone boy or stories from the trenches" [if https://community.checkpoint.com/people/dwelccfe6e688-522c-305c-adaa-194bd7a7becc  doesn't mind franchising his handle  ] 

I'm assuming above you mean Domain Objects, which definitely has some performance implications and had some bugs.

R80.10 has hopefully solved those issues

Dynamic Objects are actually pretty useful in the sense they are basically placeholders in the rulebase.

On the local gateway, you can define what IP addresses those objects resolve to.

The DShield block list was implemented as a Dynamic Object.

You can use the dynamic_objects command to modify the contents of a given dynamic object without doing a policy installation.

A few pre-defined ones exist such as LocalMachine and LocalMachine_All_Interfaces.

The performance impact of Dynamic Objects is not nearly as bad as Domain Objects, though in pre-R80.10 releases, it did disable SecureXL templates on any rule that is used (as well as any rules that follow).

In R80.10, this limitation does not apply.

I did mean Dynamic Object and rest assured - every time you use it in the Rulebase (especially  at the top of the Rulebase) in a busy network your firewall will max out CPU load at 100% (true for all gateways up to and  included R77.30 as I've seen it close up personally, not stories from someone and never mind the hardware - 16 Gb 8 cores + CoreXL + SecureXL still went down, haven't tried with R80 so can't comment) :

While problem with Domain object is its reverse DNS resolving , with Dynamic Object it is forward IP resolving for each passing session   thanks to https://community.checkpoint.com/people/dwelccfe6e688-522c-305c-adaa-194bd7a7becc  for clarification : the real reason for Dynamic Object causing trouble is that when configured only via Dashboard and not via CLI it is left undefined..

Domain Object hasn't been so much of a problem (still happened but rarely) because it is hidden from the eye, so you would not stumble upon it as you do with Dynamic Object.

And of course I know what all these objects were meant to be used for, only that end users find more creative ways to utilize them.

Use of Dynamic Objects in R77.30 and earlier will disable SecureXL for the first rule it is used and all rules below that one.

If you put a Dynamic Object at the top of your rulebase, that could definitely lead to maxing out the CPU...

Hi Dameon, 

are you 100% sure?

I am using dynamic objects with R77.30 and fwaccel stat says that access templates are not disabled by the rules using dynamic objects.

I'm 100% sure on this.

In fact, there was a bug that I personally experienced around this that was fixed in Take 17 of the R77.30 jumbo: Jumbo Hotfix Accumulator for R77.30 (R77_30_jumbo_hf) 

If you're on a recent jumbo and you're still seeing this, I recommend opening a TAC ticket.

Second that, it seems your opponent is a bit confused and actually means Domain objects. 

Actually, not so much unsupported as undocumented. "vsx_util upgrade" option allows you to downgrade VSX cluster version too. 

In latest R80.10 we don't have installed_jumbo_take command.

It was integrated in cpinfo:

[Expert@R80-10-MGMT:0]# cpinfo -y all

This is Check Point CPinfo Build 914000176 for GAIA
[IDA]
HOTFIX_R80_10

[CPFC]
HOTFIX_R80_10
HOTFIX_R80_10_JUMBO_HF Take: 24

[FW1]
HOTFIX_R80_10
HOTFIX_R80_10_JUMBO_HF Take: 24

Alex

The question posed has no reference to R80, R77, R65, etc...

Exactly, as there are a mix of versions that people use.

I was personally hoping for some oldies but goodies as well.

Remember fw putkey?  

still using it

Ouch. That was another fine mess you could get into. Untill you understoord exactly the various connections and how the gateway object is defined it could lead to a lot of weird connectivity issues.

It still is usefull to uderstand it as some other problems have the same root cause. Multihomes hosts are ..... a challenge.

General question is not, but my comment is for specific version. It will help to understand were it was deprecated and what to use instead of it.

This community will be in internet cache for a long time and maybe for someone running R100 it will be good to know that starting from version X they need to use different command to find installed jumbo take  

R65 old school:-)