Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
_Val_
Admin
Admin

Propose your Idea of the Year!

Yes, this is this time of year, again. 

Same as one year ago, we turn to the community and ask you, good folks, to propose the idea of the year. Or, better:

The Idea Of The Year!

The rules are the same as beforeit is about ideas that you wish Check Point would develop into a product/service offering, or improvements to existing ones.

Do you think we miss something important or we should consider to expand our product portfolio, feature set, functionalities, get to a completely new playground, change the rules of the game? 

Tell us NOW!

A few disclaimers/notes:

  • There are no guarantees that any idea suggested will be developed, even the "Idea Of The Year",
  • From the suggestions below, we will choose 3-5 ideas which will be put up for voting later on,
  • Preference will be given to ideas that come from customers and partners, though employees are welcome to participate as well. 
  • "Likes" and "discussion" around specific ideas will influence (but not wholly determine) the final list, so if you like something someone has suggested, let it be known!

@Dorit_Dor and R&D leaders will choose the best ideas, and if you win, you will get a prize! What prize? We will tell you later.

Get creative, use your imagination and PROPOSE!

 

75 Replies
Alex-
Leader Leader
Leader

Top of my head, so not exhaustive at all:

- Have Zone Alarm and the standalone Endpoint VPN become compatible products. 

- Smart Console in-place upgrades with IP/fingerprint retention

- MAC version of Smart Console

- Integration of CPview and things like fw accel stat in the monitoring blade

- No more legacy SmartDashboard for some features

- Streamlining of Endpoint solution and deployment options - also, the possibility to convert shared policy to unified policy when you run R80.X via some sort of wizard in a layer or so. This is a classical case for people who upgraded their R77 management.

- Fixed deployment schedule for accumulator hotfixes. Helps foresee maintenance windows in organizations with rigid change management procedures.

- Find a way to restore the object search like in R77, where you could find any part of an object name and not a word in the object.

- Scheduled policy pushes in Smart Console

G_W_Albrecht
Legend Legend
Legend

I see this topic getting more and more confusing - people started with 1 - 3 ideas per posting, but meanwhile, people write long lists reminding me of the letters with wishes for Xmas... This makes it nearly impossible just to give a Kudo to a brilliant idea as the post contains more than twenty, so you also have to post und clutter all up.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Danny
Champion Champion
Champion

- Check Point Packet Tracer as SmartConsole Extension

- SmartConsole Web to allow usage of the all SmartConsole functions in modern HTML5 supporting web-browsers, not just SmartView

_Val_
Admin
Admin

@Danny could you elaborate what functionality is missing in the Packet Mode search, which is already part of the SmartConsole?

 

And fw up execute:

https://sc1.checkpoint.com/documents/R80.20_GA/WebAdminGuides/EN/CP_R80.20_CLI_ReferenceGuide/html_f...?

0 Kudos
Danny
Champion Champion
Champion

I'm missing the full graphical visualization of the processing of a packet after it arrived at the inbound interface. I mean address spoofing check, GEO policy check, NAT, routing, firewall chain, implicit rules, explicit rules, security blades until the packet leaves the outbound interface. Such GUI tool is missing for many things: proper troubleshooting, security optimization, performance optimization, education purposes, security audits, etc.

Danny
Champion Champion
Champion

- Changelog for SKs (every day dozens of changes to Secure Knowledgebase are published, see RSS feed, still only Check Point internal staff sees what was changed

- Changelog for AppControl updates (was started in 2015/16 then stopped: last changelog from 2016)

- Web-based Changelog for IPS (currently works via E-Mail only)

- Check Point Assistant as SmartConsole Extension (remember Clippy? Wouldn't it be coool for Check Point beginners as well as professional to have a little neat assistant thatg gives you tips and hints while you work within SmartConsole!?)

Danny
Champion Champion
Champion

- Self-Update for GAiA Healthcheck (similar to CPinfo)

- Hosting for Code Hub scripts on codehub.checkpoint.com (because I'd love to host our ccc script and my upcoming SmartConsole extensions on checkpoint.com for security reasons)

_Val_
Admin
Admin

@Danny fair enough, thanks for explaining

 

0 Kudos
Mircea
Explorer

I would love to have the WatchTower app supporting all gateways, even the non-embedded ones.

These days everyone has a smartphone on them, I think this would prove a very useful tool to firewall admins, being able to quickly check on their most important CheckPoint devices.

Thank you.

Tomer_Sole
Mentor
Mentor

actively being worked on.

Tommy_Forrest
Advisor

Switch the SMB appliances to Gaia so that, at the very least, there is a unified command structure.

While we're on the topic of SMB appliances, how about an SFP port in the 1490?  Sometimes, I don't need insane firewall performance.  But I do need to hook up a piece of fiber to the gateway because of distance or life issues.

Give us a way to have global IPS policies either by CMA or even by MDS so that we don't have to update every single gateway at a time.  Ideally, at the MDS level, I create an IPS policy that can be applied to every gateway manged by said MDS.  And have some architecture to push those updates (and only the IPS updates) to the gateways.

I got a chance to bring this up to the powers that be at CPX Vegas, but I'll bring it up here.  Make it easier to diagnose VPN issues.  It is a real pain in the keyboard to have to look at tracker to get a little information, then crack open the CLI and do a IKE Debug (and crack open WinSCP to pull the data off the gateway), load it up and review the data in IKEView.  Why can't it all just be in one pane of glass so I don't have to open so many other apps?  I hear changes are coming, but they can't come fast enough.

Can CPView get moved to a GUI?  Maybe right click on a gateway and click CPView and BAM - data.

How about going a'la VMWare and moving SmartDashboard to HTML5?  Then it doesn't matter if you're running Windows, or Mac, or Linux or AtariOS.  SmartDashboard everywhere.  And, oh, when you upgrade the MDS, it updates the HTML5 version of SmartDashboard.  No more having your teammates upgrade the dashboard.  Plus, you can integrate the already-there Smartview!  This would also be great in a DR situation.  One less application that needs to be kept up to date on the DR PC images.

 

 

Tommy_Forrest
Advisor

Right click on an object, any object->export.

Right click on a policy anywhere (and I mean anywhere) else, create rule, import object.

Or even rules now that I think about it.

0 Kudos
Martin_Valenta
Advisor

1470-1490 is having fiber interface for almost 2 years now..
0 Kudos
G_W_Albrecht
Legend Legend
Legend

LOL: Switch the SMB appliances to Gaia so that, at the very least, there is a unified command structure.

This is a wish to father christmas or similar storybook characters without any reality - on Embedded devices you will always have GAiA Embedded...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
Tommy_Forrest
Advisor

@G_W_Albrecht  - Fine.

Then unify the command structure with Gaia.  It's super annoying having one set of commands for the big firewalls and another for the SMB boxes.

0 Kudos
G_W_Albrecht
Legend Legend
Legend

Yeah - It's also super annoying having one set of possibilities riding a bycycle and another when cruising in my Chevy 😉. I do not care about technical ressources or price tags, just gimme gimme gimme...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
Aidan_Luby
Collaborator

Gunther,

 

What is so preposterous about wanting unification of command structure? Even if we realize that Gaia Embedded might not match feature parity with regular Gaia, why wouldn't you want the command structure of common tasks to work the same way on Gaia or Gaia Embedded. 

 

People love to make fun of Cisco for having people learn different operating systems for Firewalls, Routers, Nexus Switches, etc. and people applaud Juniper for having good unification allowing the training people receive to be applicable to all devices. Why wouldn't that apply for CheckPoint? 

0 Kudos
_Val_
Admin
Admin

@Aidan_Luby , the point @G_W_Albrecht is trying to make, the fundamental difference between regular Gaia appliances and SMB line is about HW. One is Intel chips based, the other is on ARM. One has full blow software installable, the other has heavily stripped and optimised code. Are you expecting the same software to run on Arduino and high end lenovo PCs? CLI depends on a platform you can run it on. 

0 Kudos
Aidan_Luby
Collaborator

@_Val_ But what does that have to do with command structure? I understand the difference between how code is compiled and run on different CPU architectures but why does that mean the code that administrators are typing into their firewalls should be any different?

 

If I'm setting up a feature that exists on both platforms, regardless of how that command runs in the back-end, why can't the syntax be the same?

 

I can see stripping the features back but then I would say just keep the command the same and on Embedded Gaia strip out any parts of that command not compatible for Gaia Embedded.

0 Kudos
Aitor_Carazo
Contributor

- A real unified console with no more legacy consoles.

- More options and easier interface with https inspection.

- More views

- Smartevent alert configuration Best Practices / Template

- Smartevent third party integration and correlation logs guide.

0 Kudos
Maik
Advisor

>>> SmartConsole as a web application, maybe HTML5 based, like the SmartView option for logs

>>> Overall better performance for the SmartConsole application itself (some local tests showed that the application can only utilize one CPU core and therefore it often runs into performance problems when searching trough a big rulebase)

>>> The reporting function of the policy verification option in the current state is just not useful at all. If you have 5-6 hidings it gets very problematic to fix all of these in one attempt, as;

- the information about the hidden rules is static, so for example the report says "Rule 3 hides Rule 16 for Service & Applications ..." => the better approach would be to list the UIDs of the given rules in addition

- if one rule gets corrected by you the complete static mentioning of hidings makes no sense anymore. Let's assume you 'kill' one hiding and delete rule 4, now every rule after rule 4 "moves" up one rule as rule 4 was eliminated. This could be resolved with mentioning the UIDs in addition - as already mentioned - or with a more dynamic approach, which updates the hiding report automatically if a rule gets deleted. Like some kind of automatic list, that you can work from top to bottom until you verify again and the hidings are gone.

- if you have a large rule base with lots of inline layers it can get very frustrating to verify in such a case. Because the verifier stops once a hiding in one inline layer was found. In such a case the verification should continue until the end of the rule base is reached, so that - again - all hidings can be solved with one verification. In the current state I often need to verify 2-3 times, just because I have that many inline layers that could and often do have hidings within it.

>>> In SmartConsole you can copy multiple rules as pictures - also add an option to allow the copying of multiple rule IDs (maybe as a csv or just with spaces in between)

>>> Please add the option in VSX to configure DNS + NTP for each VS individually. I really do not see any benefit from synching this to all VS's within a VSX. It just is a contradiction to the virtualization and separation itself if you ask me.

0 Kudos
Tommy_Forrest
Advisor

Devise a way to take a full MDS backup without having to take said MDS down.  And automate the backup and offloading of said backup.

Danny
Champion Champion
Champion

- show a warning on policy Installation if stateful inspection is disabled

- allow the restriction of access control policies access based on user or permission profile without having to use MDS

Aidan_Luby
Collaborator

-Allow the ability to set VPN Keepalive method per community instead of per gateway (Tunnel Test for CheckPoint only Communities and DPD for Communities involving 3rd Party VPN Gateways)

-Allow rules AND section titles to be copied at the same time in SmartConsole. (Creating section titles is best practice but migrating a rulebase with them requires ctrl clicking each rule instead of being able to shift select a list and copy all of it including section titles)

Tommy_Forrest
Advisor

Dedicated management plane (thought I think this one is coming).

0 Kudos
Kim_Moberg
Advisor

1) Implement a Gephi report view.

Easy to see three/spin with Source and destination or with service/port.

2) dpd on 3th party vpn communites

3) vpn cli commands via Gaia api

4) iketool implementation in smartconsole

5) central mgmt of Cloudgard services

6) cloud guard SaaS can be used on tablets/ipad/iphone.

7) DHCP server with Options like PXE boot images but to do that today one have to write-protect after making changes to DHCP.conf to make sure changes are keeps after reboots/restarts.

Just some ideas from my side

Best Regards
Kim
0 Kudos
Aloke_Paul
Participant

Most of the company now started using NG firewall.

There is a flow using if NG firewall, If NG firewall loos connectivity with there Vendor cloud it may vulnerable for a while. During this time any new attack can be propagated inside customer Network.

All DB is update from 24*7 NG cloud signature development center for all NG Firewall vendor.

Any schedule downtime at NG Firewall cloud vendor may inform there all customer who bought there NG firewall.

It may help our customer to protect there network from any unforeseen situation. 

0 Kudos
G_W_Albrecht
Legend Legend
Legend

This is just untrue !

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Vladimir
Champion
Champion

1. Split screen Policy and SmartLog option.

2. Single Universal Endpoint client with every agent Check Point has.

3. Pre-installed, dynamically updatable healthcheck script callable from SmartConsole with HTML report displayed in SmartView.

4. Categorization Override bulk imports of URLs

5. Dynamic Hit counters

6. Feature availability notification and alert in CPUSE "Verify" (i.e. currently in 80.30 with no MABDA, installation allowed to proceed).

7. SNX replacement: Java got to go.

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events