
Propose your Idea of the Year!

Yes, this is this time of year, again. 

Same as one year ago, we turn to the community and ask you, good folks, to propose the idea of the year. Or, better:

The Idea Of The Year!

The rules are the same as before: it is about ideas that you wish Check Point would develop into a product/service offering, or improvements to existing ones.

Do you think we miss something important or we should consider to expand our product portfolio, feature set, functionalities, get to a completely new playground, change the rules of the game? 

Tell us NOW!

A few disclaimers/notes:

  • There are no guarantees that any idea suggested will be developed, even the "Idea Of The Year",
  • From the suggestions below, we will choose 3-5 ideas which will be put up for voting later on,
  • Preference will be given to ideas that come from customers and partners, though employees are welcome to participate as well. 
  • "Likes" and "discussion" around specific ideas will influence (but not wholly determine) the final list, so if you like something someone has suggested, let it be known!

@Dorit_Dor and R&D leaders will choose the best ideas, and if you win, you will get a prize! What prize? We will tell you later.

Get creative, use your imagination and PROPOSE!

 

41 Replies
Alex_Gilis
Copper

Re: Propose your Idea of the Year!

Top of my head, so not exhaustive at all:

- Have Zone Alarm and the standalone Endpoint VPN become compatible products. 

- Smart Console in-place upgrades with IP/fingerprint retention

- MAC version of Smart Console

- Integration of CPview and things like fw accel stat in the monitoring blade

- No more legacy SmartDashboard for some features

- Streamlining of Endpoint solution and deployment options - also, the possibility to convert shared policy to unified policy when you run R80.X via some sort of wizard in a layer or so. This is a classical case for people who upgraded their R77 management.

- Fixed deployment schedule for accumulator hotfixes. Helps foresee maintenance windows in organizations with rigid change management procedures.

- Find a way to restore the object search like in R77, where you could find any part of an object name and not a word in the object.

- Scheduled policy pushes in Smart Console

Danny
Pearl

Re: Propose your Idea of the Year!

- Check Point Packet Tracer as SmartConsole Extension

- SmartConsole Web to allow usage of all the SmartConsole functions in modern HTML5-supporting web browsers, not just SmartView

Re: Propose your Idea of the Year!

@Danny could you elaborate what functionality is missing in the Packet Mode search, which is already part of the SmartConsole?

 

And fw up execute:

https://sc1.checkpoint.com/documents/R80.20_GA/WebAdminGuides/EN/CP_R80.20_CLI_ReferenceGuide/html_f...?

0 Kudos
Danny
Pearl

Re: Propose your Idea of the Year!

I'm missing the full graphical visualization of the processing of a packet after it arrived at the inbound interface. I mean address spoofing check, GEO policy check, NAT, routing, firewall chain, implicit rules, explicit rules, security blades until the packet leaves the outbound interface. Such GUI tool is missing for many things: proper troubleshooting, security optimization, performance optimization, education purposes, security audits, etc.

Danny
Pearl

Re: Propose your Idea of the Year!

- Changelog for SKs (every day dozens of changes to Secure Knowledgebase are published, see RSS feed, still only Check Point internal staff sees what was changed)

- Changelog for AppControl updates (was started in 2015/16 then stopped: last changelog from 2016)

- Web-based Changelog for IPS (currently works via E-Mail only)

- Check Point Assistant as SmartConsole Extension (remember Clippy? Wouldn't it be coool for Check Point beginners as well as professionals to have a little neat assistant that gives you tips and hints while you work within SmartConsole!?)

Danny
Pearl

Re: Propose your Idea of the Year!

- Self-Update for GAiA Healthcheck (similar to CPinfo)

- Hosting for Code Hub scripts on codehub.checkpoint.com (because I'd love to host our ccc script and my upcoming SmartConsole extensions on checkpoint.com for security reasons)

Re: Propose your Idea of the Year!

@Danny fair enough, thanks for explaining

 

0 Kudos
Mircea
Ivory

Re: Propose your Idea of the Year!

I would love to have the WatchTower app supporting all gateways, even the non-embedded ones.

These days everyone has a smartphone on them, I think this would prove a very useful tool to firewall admins, being able to quickly check on their most important CheckPoint devices.

Thank you.

Re: Propose your Idea of the Year!

actively being worked on.

0 Kudos

Re: Propose your Idea of the Year!

Switch the SMB appliances to Gaia so that, at the very least, there is a unified command structure.

While we're on the topic of SMB appliances, how about an SFP port in the 1490?  Sometimes, I don't need insane firewall performance.  But I do need to hook up a piece of fiber to the gateway because of distance or life issues.

Give us a way to have global IPS policies either by CMA or even by MDS so that we don't have to update every single gateway at a time.  Ideally, at the MDS level, I create an IPS policy that can be applied to every gateway managed by said MDS.  And have some architecture to push those updates (and only the IPS updates) to the gateways.

I got a chance to bring this up to the powers that be at CPX Vegas, but I'll bring it up here.  Make it easier to diagnose VPN issues.  It is a real pain in the keyboard to have to look at tracker to get a little information, then crack open the CLI and do an IKE Debug (and crack open WinSCP to pull the data off the gateway), load it up and review the data in IKEView.  Why can't it all just be in one pane of glass so I don't have to open so many other apps?  I hear changes are coming, but they can't come fast enough.

Can CPView get moved to a GUI?  Maybe right click on a gateway and click CPView and BAM - data.

How about going a'la VMWare and moving SmartDashboard to HTML5?  Then it doesn't matter if you're running Windows, or Mac, or Linux or AtariOS.  SmartDashboard everywhere.  And, oh, when you upgrade the MDS, it updates the HTML5 version of SmartDashboard.  No more having your teammates upgrade the dashboard.  Plus, you can integrate the already-there Smartview!  This would also be great in a DR situation.  One less application that needs to be kept up to date on the DR PC images.

 

 

0 Kudos

Re: Propose your Idea of the Year!

Right click on an object, any object->export.

Right click on a policy anywhere (and I mean anywhere) else, create rule, import object.

Or even rules now that I think about it.

0 Kudos

Re: Propose your Idea of the Year!

The 1470-1490 has had a fiber interface for almost 2 years now.
0 Kudos

Re: Propose your Idea of the Year!

- A real unified console with no more legacy consoles.

- More options and easier interface with https inspection.

- More views

- Smartevent alert configuration Best Practices / Template

- Smartevent third party integration and correlation logs guide.

0 Kudos
Maik
Silver

Re: Propose your Idea of the Year!

>>> SmartConsole as a web application, maybe HTML5 based, like the SmartView option for logs

>>> Overall better performance for the SmartConsole application itself (some local tests showed that the application can only utilize one CPU core and therefore it often runs into performance problems when searching through a big rulebase)

>>> The reporting function of the policy verification option in its current state is just not useful at all. If you have 5-6 hidings it gets very problematic to fix all of these in one attempt, as:

- the information about the hidden rules is static, so for example the report says "Rule 3 hides Rule 16 for Service & Applications ..." => the better approach would be to list the UIDs of the given rules in addition

- if one rule gets corrected by you the complete static mentioning of hidings makes no sense anymore. Let's assume you 'kill' one hiding and delete rule 4, now every rule after rule 4 "moves" up one rule as rule 4 was eliminated. This could be resolved with mentioning the UIDs in addition - as already mentioned - or with a more dynamic approach, which updates the hiding report automatically if a rule gets deleted. Like some kind of automatic list, that you can work from top to bottom until you verify again and the hidings are gone.

- if you have a large rule base with lots of inline layers it can get very frustrating to verify in such a case. Because the verifier stops once a hiding in one inline layer was found. In such a case the verification should continue until the end of the rule base is reached, so that - again - all hidings can be solved with one verification. In the current state I often need to verify 2-3 times, just because I have that many inline layers that could and often do have hidings within it.

>>> In SmartConsole you can copy multiple rules as pictures - also add an option to allow the copying of multiple rule IDs (maybe as a csv or just with spaces in between)

>>> Please add the option in VSX to configure DNS + NTP for each VS individually. I really do not see any benefit from synching this to all VS's within a VSX. It just is a contradiction to the virtualization and separation itself if you ask me.

0 Kudos

Re: Propose your Idea of the Year!

Devise a way to take a full MDS backup without having to take said MDS down.  And automate the backup and offloading of said backup.

0 Kudos
Danny
Pearl

Re: Propose your Idea of the Year!

- show a warning on policy Installation if stateful inspection is disabled

- allow the restriction of access control policies access based on user or permission profile without having to use MDS

0 Kudos
Aidan_Luby
Nickel

Re: Propose your Idea of the Year!

-Allow the ability to set VPN Keepalive method per community instead of per gateway (Tunnel Test for CheckPoint only Communities and DPD for Communities involving 3rd Party VPN Gateways)

-Allow rules AND section titles to be copied at the same time in SmartConsole. (Creating section titles is best practice but migrating a rulebase with them requires ctrl clicking each rule instead of being able to shift select a list and copy all of it including section titles)

Re: Propose your Idea of the Year!

Dedicated management plane (though I think this one is coming).

0 Kudos
Kim_Moberg
Silver

Re: Propose your Idea of the Year!

1) Implement a Gephi report view.

Easy to see three/spin with Source and destination or with service/port.

2) DPD on 3rd party VPN communities

3) vpn cli commands via Gaia api

4) iketool implementation in smartconsole

5) central mgmt of CloudGuard services

6) CloudGuard SaaS can be used on tablets/iPad/iPhone.

7) DHCP server with options like PXE boot images, but to do that today one has to write-protect DHCP.conf after making changes to make sure the changes are kept after reboots/restarts.

Just some ideas from my side

Best Regards
Kim
0 Kudos

Re: Propose your Idea of the Year!

Most companies have now started using NG firewalls.

There is a flaw in using an NG firewall: if the NG firewall loses connectivity with its vendor cloud, it may be vulnerable for a while. During this time any new attack can be propagated inside the customer network.

All DBs are updated from a 24*7 NG cloud signature development center for all NG firewall vendors.

The NG firewall cloud vendor may inform all its customers who bought its NG firewall of any scheduled downtime.

It may help our customers protect their network from any unforeseen situation.

0 Kudos
Vladimir
Pearl

Re: Propose your Idea of the Year!

1. Split screen Policy and SmartLog option.

2. Single Universal Endpoint client with every agent Check Point has.

3. Pre-installed, dynamically updatable healthcheck script callable from SmartConsole with HTML report displayed in SmartView.

4. Categorization Override bulk imports of URLs

5. Dynamic Hit counters

6. Feature availability notification and alert in CPUSE "Verify" (i.e. currently in 80.30 with no MABDA, installation allowed to proceed).

7. SNX replacement: Java got to go.

Re: Propose your Idea of the Year!

Add Load sharing (Unicast mode) on R80.20 versions and above.

0 Kudos
Alex_Gilis
Copper

Re: Propose your Idea of the Year!

VSX: Possibility to route to Null/Loopback in VS topology like in a physical gateway. 

0 Kudos

Re: Propose your Idea of the Year!

Make the firewall data available in PRO support options available in Smart Dashboard.  WITHOUT the need for an extra subscription cost.

0 Kudos
Kim_Moberg
Silver

Re: Propose your Idea of the Year!

Hi @Tommy_Forrest 

I do also agree.

The idea with Check Point PRO support is good. Being proactive and auto-creating a TAC if any incident happens with the hardware.

But I am afraid it is now two systems to keep track of, and it is always raising flags for something which is recommended as described in the SK. For example, for R80.10 GA running with fwha_forw_packet_to_not_active=1: this was not recommended but the SK required it to be active.

 

Best Regards
Kim
0 Kudos

Re: Propose your Idea of the Year!

@Kim_Moberg  - I get the idea of PRO support.  And it's a cool idea and the whole auto TAC thing on hardware is great and all.

 

But I'd like a way to see things like session state tables being full and other similar performance-impacting issues show up in Dashboard without requiring an additional subscription.

I think having that data would help your customers and may even reduce TAC calls (or maybe induces some, I don't know).  For us, as an example, we had a system that was having intermittent slowness issues.  We'd looked everywhere.  Networking, vendor hardware, our hardware, we poked around the firewalls to see if there were any issues.  We then got a demo period into PRO and I quickly found it was a session state table issue.  The value had been manually set instead of auto.  Set it to auto and no one has complained since.  Had we known or been able to know this from the beginning it would have been one less bullet point towards consideration of other vendor firewall offerings.

0 Kudos

Re: Propose your Idea of the Year!

1. MAC address filtering and MAC address based Rule.

2. Device detection. Detect Device OS, type etc... In future maybe we can create Policy by device type.

3. Web based Smart Console. As we know SmartView has the web access.

4. 3 more ISP support

0 Kudos
Kannan_R
Iron

Re: Propose your Idea of the Year!

Some of these enhancements have already been discussed multiple times in the community and I'm still stressing them. Hope I'm not repeating any of the existing features.

** As @Danny suggested, Packet tracer feature with good visualization
** Packet capture (tcpdump) feature in Smartconsole
** MacOS and Android OS support for Threatemulation.
** Threat hunting or EPA can include Vulnerability assessment feature
** VPN-domain per VPN-community.
** Unified upgrade for firewalls in HA. For example, When we download OS/hotfix on primary, it can get sync'ed to other firewalls in the cluster. And then, the ability to install/upgrade HF/OS in the cluster environment with single/minimal clicks from primary firewall
** Logs can be enhanced with additional fields (destination interface - just to ensure routing is correct, TCP session end reason: how the TCP session was closed [because of timeout or TCP FIN packet or RST packet or any other], as it helps to troubleshoot a lot)
** Live threatmap (Like in Palo Alto firewall, threatmap shows the source country of live threats hitting the corresponding firewall)
** Release notes can be made available in GUI as a link to see the new features & fixes as well as the known limitations before upgrading/installing version/hotfix.
** Importing objects in Smartconsole
** Smartconsole auto-update
** Considering the increased focus in automation, more scripts can be added to scripts repository by default. This way, we can avoid enforcing the customers to learn scripting to do tasks to a certain level.
** cpview in smartconsole
** backup & restore of mgmt server from smartconsole
** Enhancements for ClusterXL Load Sharing
** Simplify DHCP relay config (when we enable it, it should automatically create rules accordingly) as we need to configure rules manually now
** Simplified VPN configuration with wizard (Right now, we need to jump to multiple places to configure one VPN tunnel)
** Download option can be made available for the outputs of the task executed by the scripts in script repository as most of the available scripts now are show commands only.
** Support for SMTP authentication for Sendmail. This will help us to send mail alerts in environments which don't support anonymous mail without authentication.
** One of the pain points for many customers is the disk getting full with logs. To overcome this, log settings configuration in SmartConsole can be enhanced (such as retention duration based on days and scheduling log transfers to remote repositories via SCP, SFTP or TFTP) without the user having to write scripts / use cron.
** DNS Security feature (I believe it's in the pipeline)

Alex_Gilis
Copper

Re: Propose your Idea of the Year!

Possibility to mute certain types of CPUSE updates on some of your systems. Let's say you have 10 clusters managed by your SMS and a new version of Smart Console comes out. Your client will call you to say that their 10 clusters need to be updated when in reality it's the kind of update you would do only on your management.

0 Kudos