Re: Propose your Idea of the Year!

_Val_ · ‎2019-06-10

Yes, this is this time of year, again.

Same as one year ago, we turn to the community and ask you, good folks, to propose the idea of the year. Or, better:

The Idea Of The Year!

The rules are the same as before, it is about ideas that you wish Check Point would develop into a product/service offering, or improvements to existing ones.

Do you think we miss something important or we should consider to expand our product portfolio, feature set, functionalities, get to a completely new playground, change the rules of the game?

Tell us NOW!

A few disclaimers/notes:

There are no guarantees that any idea suggested will be developed, even the "Idea Of The Year",
From the suggestions below, we will choose 3-5 ideas which will be put up for voting later on,
Preference will be given to ideas that come from customers and partners, though employees are welcome to participate as well.
"Likes" and "discussion" around specific ideas will influence (but not wholly determine) the final list, so if you like something someone has suggested, let it be known!

@Dorit_Dor and R&D leaders will choose the best ideas, and if you win, you will get a prize! What prize? We will tell you later.

Get creative, use your imagination and PROPOSE!

Alex- · ‎2019-06-10

Top of my head, so not exhaustive at all:

- Have Zone Alarm and the standalone Endpoint VPN become compatible products.

- Smart Console in-place upgrades with IP/fingerprint retention

- MAC version of Smart Console

- Integration of CPview and things like fw accel stat in the monitoring blade

- No more legacy SmartDashboard for some features

- Streamlining of Endpoint solution and deployment options - also, the possibility to convert shared policy to unified policy when you run R80.X via some sort of wizard in a layer or so. This is a classical case for people who upgraded their R77 management.

- Fixed deployment schedule for accumulator hotfixes. Helps foresee maintenance windows in organizations with rigid change management procedures.

- Find a way to restore the object search like in R77, where you could find any part of an object name and not a word in the object.

- Scheduled policy pushes in Smart Console

G_W_Albrecht · ‎2019-07-05

I see this topic getting more and more confusing - people started with 1 - 3 ideas per posting, but meanwhile, people write long lists reminding me of the letters with wishes for Xmas... This makes it nearly impossible just to give a Kudo to a brilliant idea as the post contains more than twenty, so you also have to post und clutter all up.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

Danny · ‎2019-06-10

- Check Point Packet Tracer as SmartConsole Extension

- SmartConsole Web to allow usage of the all SmartConsole functions in modern HTML5 supporting web-browsers, not just SmartView

_Val_ · ‎2019-06-10

@Danny could you elaborate what functionality is missing in the Packet Mode search, which is already part of the SmartConsole?

And fw up execute:

https://sc1.checkpoint.com/documents/R80.20_GA/WebAdminGuides/EN/CP_R80.20_CLI_ReferenceGuide/html_f...?

Danny · ‎2019-06-11

I'm missing the full graphical visualization of the processing of a packet after it arrived at the inbound interface. I mean address spoofing check, GEO policy check, NAT, routing, firewall chain, implicit rules, explicit rules, security blades until the packet leaves the outbound interface. Such GUI tool is missing for many things: proper troubleshooting, security optimization, performance optimization, education purposes, security audits, etc.

Danny · ‎2019-06-11

- Changelog for SKs (every day dozens of changes to Secure Knowledgebase are published, see RSS feed, still only Check Point internal staff sees what was changed

- Changelog for AppControl updates (was started in 2015/16 then stopped: last changelog from 2016)

- Web-based Changelog for IPS (currently works via E-Mail only)

- Check Point Assistant as SmartConsole Extension (remember Clippy? Wouldn't it be coool for Check Point beginners as well as professional to have a little neat assistant thatg gives you tips and hints while you work within SmartConsole!?)

Danny · ‎2019-06-11

- Self-Update for GAiA Healthcheck (similar to CPinfo)

- Hosting for Code Hub scripts on codehub.checkpoint.com (because I'd love to host our ccc script and my upcoming SmartConsole extensions on checkpoint.com for security reasons)

_Val_ · ‎2019-06-11

@Danny fair enough, thanks for explaining

Mircea · ‎2019-06-11

I would love to have the WatchTower app supporting all gateways, even the non-embedded ones.

These days everyone has a smartphone on them, I think this would prove a very useful tool to firewall admins, being able to quickly check on their most important CheckPoint devices.

Thank you.

Tomer_Sole · ‎2019-06-11

actively being worked on.

Tommy_Forrest · ‎2019-06-11

Switch the SMB appliances to Gaia so that, at the very least, there is a unified command structure.

While we're on the topic of SMB appliances, how about an SFP port in the 1490? Sometimes, I don't need insane firewall performance. But I do need to hook up a piece of fiber to the gateway because of distance or life issues.

Give us a way to have global IPS policies either by CMA or even by MDS so that we don't have to update every single gateway at a time. Ideally, at the MDS level, I create an IPS policy that can be applied to every gateway manged by said MDS. And have some architecture to push those updates (and only the IPS updates) to the gateways.

I got a chance to bring this up to the powers that be at CPX Vegas, but I'll bring it up here. Make it easier to diagnose VPN issues. It is a real pain in the keyboard to have to look at tracker to get a little information, then crack open the CLI and do a IKE Debug (and crack open WinSCP to pull the data off the gateway), load it up and review the data in IKEView. Why can't it all just be in one pane of glass so I don't have to open so many other apps? I hear changes are coming, but they can't come fast enough.

Can CPView get moved to a GUI? Maybe right click on a gateway and click CPView and BAM - data.

How about going a'la VMWare and moving SmartDashboard to HTML5? Then it doesn't matter if you're running Windows, or Mac, or Linux or AtariOS. SmartDashboard everywhere. And, oh, when you upgrade the MDS, it updates the HTML5 version of SmartDashboard. No more having your teammates upgrade the dashboard. Plus, you can integrate the already-there Smartview! This would also be great in a DR situation. One less application that needs to be kept up to date on the DR PC images.

Tommy_Forrest · ‎2019-06-11

Right click on an object, any object->export.

Right click on a policy anywhere (and I mean anywhere) else, create rule, import object.

Or even rules now that I think about it.

Martin_Valenta · ‎2019-06-12

1470-1490 is having fiber interface for almost 2 years now..

G_W_Albrecht · ‎2019-07-05

LOL: Switch the SMB appliances to Gaia so that, at the very least, there is a unified command structure.

This is a wish to father christmas or similar storybook characters without any reality - on Embedded devices you will always have GAiA Embedded...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

Tommy_Forrest · ‎2019-07-05

@G_W_Albrecht - Fine.

Then unify the command structure with Gaia. It's super annoying having one set of commands for the big firewalls and another for the SMB boxes.

G_W_Albrecht · ‎2019-07-05

Yeah - It's also super annoying having one set of possibilities riding a bycycle and another when cruising in my Chevy 😉. I do not care about technical ressources or price tags, just gimme gimme gimme...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

Aidan_Luby · ‎2019-07-05

Gunther,

What is so preposterous about wanting unification of command structure? Even if we realize that Gaia Embedded might not match feature parity with regular Gaia, why wouldn't you want the command structure of common tasks to work the same way on Gaia or Gaia Embedded.

People love to make fun of Cisco for having people learn different operating systems for Firewalls, Routers, Nexus Switches, etc. and people applaud Juniper for having good unification allowing the training people receive to be applicable to all devices. Why wouldn't that apply for CheckPoint?

_Val_ · ‎2019-07-05

@Aidan_Luby , the point @G_W_Albrecht is trying to make, the fundamental difference between regular Gaia appliances and SMB line is about HW. One is Intel chips based, the other is on ARM. One has full blow software installable, the other has heavily stripped and optimised code. Are you expecting the same software to run on Arduino and high end lenovo PCs? CLI depends on a platform you can run it on.

Aidan_Luby · ‎2019-07-05

@_Val_ But what does that have to do with command structure? I understand the difference between how code is compiled and run on different CPU architectures but why does that mean the code that administrators are typing into their firewalls should be any different?

If I'm setting up a feature that exists on both platforms, regardless of how that command runs in the back-end, why can't the syntax be the same?

I can see stripping the features back but then I would say just keep the command the same and on Embedded Gaia strip out any parts of that command not compatible for Gaia Embedded.

Aitor_Carazo · ‎2019-06-11

- A real unified console with no more legacy consoles.

- More options and easier interface with https inspection.

- More views

- Smartevent alert configuration Best Practices / Template

- Smartevent third party integration and correlation logs guide.

Maik · ‎2019-06-11

>>> SmartConsole as a web application, maybe HTML5 based, like the SmartView option for logs

>>> Overall better performance for the SmartConsole application itself (some local tests showed that the application can only utilize one CPU core and therefore it often runs into performance problems when searching trough a big rulebase)

>>> The reporting function of the policy verification option in the current state is just not useful at all. If you have 5-6 hidings it gets very problematic to fix all of these in one attempt, as;

- the information about the hidden rules is static, so for example the report says "Rule 3 hides Rule 16 for Service & Applications ..." => the better approach would be to list the UIDs of the given rules in addition

- if one rule gets corrected by you the complete static mentioning of hidings makes no sense anymore. Let's assume you 'kill' one hiding and delete rule 4, now every rule after rule 4 "moves" up one rule as rule 4 was eliminated. This could be resolved with mentioning the UIDs in addition - as already mentioned - or with a more dynamic approach, which updates the hiding report automatically if a rule gets deleted. Like some kind of automatic list, that you can work from top to bottom until you verify again and the hidings are gone.

- if you have a large rule base with lots of inline layers it can get very frustrating to verify in such a case. Because the verifier stops once a hiding in one inline layer was found. In such a case the verification should continue until the end of the rule base is reached, so that - again - all hidings can be solved with one verification. In the current state I often need to verify 2-3 times, just because I have that many inline layers that could and often do have hidings within it.

>>> In SmartConsole you can copy multiple rules as pictures - also add an option to allow the copying of multiple rule IDs (maybe as a csv or just with spaces in between)

>>> Please add the option in VSX to configure DNS + NTP for each VS individually. I really do not see any benefit from synching this to all VS's within a VSX. It just is a contradiction to the virtualization and separation itself if you ask me.

Tommy_Forrest · ‎2019-06-11

Devise a way to take a full MDS backup without having to take said MDS down. And automate the backup and offloading of said backup.

Danny · ‎2019-06-11

- show a warning on policy Installation if stateful inspection is disabled

- allow the restriction of access control policies access based on user or permission profile without having to use MDS

Aidan_Luby · ‎2019-06-11

-Allow the ability to set VPN Keepalive method per community instead of per gateway (Tunnel Test for CheckPoint only Communities and DPD for Communities involving 3rd Party VPN Gateways)

-Allow rules AND section titles to be copied at the same time in SmartConsole. (Creating section titles is best practice but migrating a rulebase with them requires ctrl clicking each rule instead of being able to shift select a list and copy all of it including section titles)

Tommy_Forrest · ‎2019-06-11

Dedicated management plane (thought I think this one is coming).

Kim_Moberg · ‎2019-06-11

1) Implement a Gephi report view.

Easy to see three/spin with Source and destination or with service/port.

2) dpd on 3th party vpn communites

3) vpn cli commands via Gaia api

4) iketool implementation in smartconsole

5) central mgmt of Cloudgard services

6) cloud guard SaaS can be used on tablets/ipad/iphone.

7) DHCP server with Options like PXE boot images but to do that today one have to write-protect after making changes to DHCP.conf to make sure changes are keeps after reboots/restarts.

Just some ideas from my side

Best Regards
Kim

Aloke_Paul · ‎2019-06-11

Most of the company now started using NG firewall.

There is a flow using if NG firewall, If NG firewall loos connectivity with there Vendor cloud it may vulnerable for a while. During this time any new attack can be propagated inside customer Network.

All DB is update from 24*7 NG cloud signature development center for all NG Firewall vendor.

Any schedule downtime at NG Firewall cloud vendor may inform there all customer who bought there NG firewall.

It may help our customer to protect there network from any unforeseen situation.

G_W_Albrecht · ‎2019-07-05

This is just untrue !

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

Vladimir · ‎2019-06-11

1. Split screen Policy and SmartLog option.

2. Single Universal Endpoint client with every agent Check Point has.

3. Pre-installed, dynamically updatable healthcheck script callable from SmartConsole with HTML report displayed in SmartView.

4. Categorization Override bulk imports of URLs

5. Dynamic Hit counters

6. Feature availability notification and alert in CPUSE "Verify" (i.e. currently in 80.30 with no MABDA, installation allowed to proceed).

7. SNX replacement: Java got to go.

Are you a member of CheckMates?

Propose your Idea of the Year!

The Idea Of The Year!

Tell us NOW!

Get creative, use your imagination and PROPOSE!