- Local User Groups
split screen is available since R80 using either:
a. the undock button at the log view
b. the web-based log viewer at https://<your Security Management Server IP>/SmartView - since R80.20 there have been major gap closures of the web log viewer comparing to the one that resides within SmartConsole.
Thanks @Tomer_Sole , but I was talking about simply using another tab without the need to switch between policies and logs.
The options you are describing are nice too and there is a use case for all of these options.
I.e. when working on a laptop, the screen space is limited so either we have to toggle between undocked apps or use tabs, if those could be universal.
I do also agree.
the idea with Check Point PRO support is good. Being proative and auto create a TAC if any incidents happens with the hardware.
But I am afraid it is now two to systems in keep track of and it is always raising flags for something which is recommended described in SK. For example for for R80.10 GA running with fwha_forw_packet_to_not_active=1. this was not recommended but the SK required it to be active.
@Kim_Moberg - I get the idea of PRO support. And it's a cool idea and the whole auto TAC thing on hardware is great and all.
But I'd like away to see things like session state tables are full and other similar performance impacting issues to show up in Dashboard and not requiring an additional subscription.
I think having that data would help your customers and may even reduce TAC calls (or maybe induces some, I don't know). For us, as an example, we had a system that was having intermittent slowness issues. We'd looked everywhere. Networking, vendor hardware, our hardware, we poked around the firewalls to see if there were any issues. We then got a demo period into PRO and I quickly found it was a session state table issue. The value had been manually set instead of auto. Set it to auto and no one has complained since. Had we known or been able to know this from the beginning it would have been one less bullet point towards consideration of other vendor firewall offerings.
1. MAC address filtering and MAC address based Rule.
2. Device detection. Detect Device OS, type etc... In future maybe we can create Policy by device type.
3. Web based Smart Console. As we know SmartView has the web access.
4. 3 more ISP support
Some of these enhancements have already been discussed multiple times in the community and I'm still stressing it. Hope I'm not repeating any of the existing feature.
** As @Danny suggested, Packet tracer feature with good visualization
** Packet capture (tcpdump) feature in Smartconsole
** MacOS and Android OS support for Threatemulation.
** Threat hunting or EPA can include Vulnerability assessment feature
** VPN-domain per VPN-community.
** Unified upgrade for firewalls in HA. For example, When we download OS/hotfix on primary, it can get sync'ed to other firewalls in the cluster. And then, the ability to install/upgrade HF/OS in the cluster environment with single/minimal clicks from primary firewall
** Logs can be enhanced with additional fields (destination interface - just to ensure routing is correct, TCP session end reason: How the TCP session was closed [because of timeout or TCP fin packet or RST packet or any other] as it helps to troubleshoot a lot]
** Live threatmap (Like in Palo Alto firewall, threatmap shows the source country of live threats hitting the corresponding firewall)
** Release notes can be made available in GUI as a link to see the new features & fixes as well as the known limitations before upgrading/installing version/hotfix.
** Importing objects in Smartconsole
** Smartconsole auto-update
** Considering the increased focus in automation, more scripts can be added to scripts repository by default. This way, we can avoid enforcing the customers to learn scripting to do tasks to a certain level.
** cpview in smartconsole
** backup & restore of mgmt server from smartconsole
** Enhancements for ClusterXL Load Sharing
** Simplify DHCP relay config (when we enable it, it should automatically create rules accordingly) as we need to configure rules manually now
** Simplified VPN configuration with wizard (Right now, we need to jump to multiple places to configure one VPN tunnel)
** Download option can be made available for the outputs of the task executed by the scripts in script repository as most of the available scripts now are show commands only.
** Support for SMTP authentication for Sendmail. This will help us to send mail alerts in the environments which doesn't support anonymous mail without authentication.
** One of the pain point for many customers is disk getting full with logs. To overcome this, log settings configuration in SmartConsole can be enhanced (such as retention duration based on days and scheduling logs transfer to remote repositories via SCP,SFTP or tftp) without having to write scripts / use cron by the user.
** DNS Security feature (I believe it's in the pipeline)
Possibility to mute certain types of CPUSE updates on some of your systems. Let's say you have 10 clusters managed by your SMS and a new version of Smart Console comes out. Your client will call you to say that their 10 clusters need to be updated when in reality it's something it's the kind of update you would do only on your management.
it would be very nice to rename the colors as in R7x.X
In R7x.X i renamed some colors as DMZ or Internal or something else.
now i have to check other objects which color i have used. tags are fine for searching, but colors are better for human eyes.
Many things are or being done...
MacOS Threatemulation. Vpn dommain per community is in r80.40. SmartConsole auto update is in works (Tomer commented about it in the past)
Give customers opportunity to "decouple" management server side even more (like it is the case with separate log server), especially for larger installations - give them option to install management database into separate DB machine and provide good tuning guide in order to make DB "fly". Maybe with this move also support some other popular DB's in the future like Oracle, MSSQL, etc? Usually larger enterprises have their own DB servers and dedicated DBA teams who can tweak DB machines - thats why this idea is proposed.
Get rid of "fat" smartconsole client finally and move it to web as the initative seems to be. This could also be provided as "tiered" installation for scalability like web frontend could be run on one machine and the logic behind it on the other machine.
Concurrent policy push capability in the same CMA.
It seems the best practice when going from, say 80.20 to 80.30 will be to completely redeploy gateways. Why can't I just use CPUSE to upgrade VM's in place?
Make the Autoprovisioning stuff a lot less obnoxious. It has been a real pain getting this stuff up to speed.
I wish to configure the network settings of a gateway from SmartConsole like it work in VSX.
You need a new interface... you have to configure the gateway in GAiA and too in SmartConsole.
Route entries are the same, why not set via SmartConsole?
Best way would be to configure a management interface on the gateway and all other via SmartConsole.
The ability to be able to influence routing based on the policy. i.e.
Rule A matches src traffic to dst of office 365 and CDN, allow this to be routed to a different gateway rather than default route.
PBR only allows based on IP address but routing based on the firewall policy, applications etc. In theory, could allow easier manipulation of the traffic based on traffic being matched.
Content-aware routing, is probably the best name i can suggest
More routing capabilities are much welcome...
- PolicyBasedRouting in VSX ( in normal VS not in virtual router )
- full PBR Support in VSX ( not only IPs as source or destination )
- virtual router running on VSLS in VSX
- virtual router functionality under normal GAiA, not VSX
More and better proxy features:
- reverse proxy, full URL rewrite
- reverse proxy, not only on port 80 and 443
Delta pushes within smart console policy installations
Allow Geo Protection exceptions to be a dynamic object to assist with automation
Improve overall speed of Smart Console
Give out more vendor swag 🙂
Idea of the Year poposal:
Return to the core checkpoint values, IE: support the engineers in the operations departments of customers and SSP's.
Stoping your release train from taking us on a rollercoaster rides from bug to fix to new bug.
Limit yourselves to the stable realeases we know and love.
Thus only release new features once a fully stable-state has been achieved in the previous release.
- Backup GAIA configurations from Gateways and Virtual Systems making them available for restore. Right now everyone has to build their own solutions.
- Integrated web and/or pdf export (print to pdf is clunky and never works quite right) to create policy used in compliance.
@Nanda- I agree. It would be nice if there was a centralized backup system in the MDS.
That said, BackBox does a fantastic job of backing up gateway configs. It's also helpful and changing user passwords on said gateways.
I have many dreams and wish:
1) Web-based SmartConsole in html5.
2) A real-time console for analyzing VPN problems in the SmartConsole comparable to ikeview but in real time.
3) A way to change DNS and HTML entries in real time. For example, to overwrite the DNS entry test123.com in checkpoint.com or the same for HTTP ( http://test123.com to http://checkpoint.com).
4) WAF blade!😀I know you are working together with Radware. When can we expect a solution here?