- Allow recovery/viewing of IKE pre-shared secrets, this is a major pain during firewall replacement projects and typically forces coordination with external partners/vendors which is a bottleneck to the whole process. There is no reason to secure this information from an authorized GUI administrator; making it visible in the SmartConsole or via some kind of CLI tool would be great. I realize this will entail a rework of how the pre-shared keys are stored since they appear to be kept as some kind of one-way hash.
- When a monitored interface is declared DOWN by ClusterXL, provide more information about *why* in commands like cphaprob -a if. Physical link failure/flap? Cluster members can't seem to see each other at all? High CCP loss due to multicast mode causing switch forwarding issues? No other responding hosts detected on that interface at all? Bond problem? It is a guessing game right now.
- When ClusterXL Cluster Under Load (CUL) is active, display a notification or color change on the Gateways & Servers tab of SmartConsole or make this an alertable event.
- Want to echo Danny's request for packet-tracer-type functionality that integrates all the disparate tools like the following; if the packet is dropped by any Check Point code, show why, similar to fw ctl zdebug drop:
  - Packet receipt and its attributes (use pinj and include connection UUID too)
  - What processing path it is assigned to and why (SXL/PXL/F2F/CPASXL/PSLXL/etc.)
  - Antispoofing check result
  - Geo Policy check result
  - Connections state table lookup result
  - If new connection, initial Firewall/Network policy matched rule (fw up_execute or Packet Mode search)
  - NAT rule matched or cached hit from fwx_cache
  - Subject to decryption by IPSec/HTTPS Inspection?
  - What blades are assigned to inspect this connection's traffic at iI (or inbound side of SecureXL) and result from each
  - Routing lookup result (ip route get) or PBR result if present
  - What blades are assigned to inspect this connection's traffic at oO (or outbound side of SecureXL) and result from each
  - Subject to encryption by IPSec/HTTPS Inspection?
  - Packet leaves and its attributes & UUID
- Big honking warnings ("Wide Impact" icon?) or extra confirmation on the Global Properties NAT screen prior to turning off "translate destination on client side" or "Automatic ARP Configuration", which will cause instant death for all NATs on most firewalls upon policy install, or a slow painful death of all NATs over a period of 4 hours, respectively.
- Provide the built-in ability to easily perform a "clusterXL_admin down/up" command from the R80+ SmartConsole (yes you could run a one-time script to do this). When a cluster member is stopped/started from the old SmartView Monitor it performs a cphastop/cphastart which is NOT the same thing.
- In a firewall traffic log entry, always update it with the egress interface even if Accounting is not enabled. This will allow immediate verification that the firewall itself routed the traffic correctly by looking at logs.
- Provide a SmartConsole alarm/status alert if overall packet loss at the network level on a firewall's interface (RX-DRP/RX-ERR/RX-OVR) exceeds some ridiculously high configurable threshold like 5% for an extended period.
Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
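Until something like the interface packet-loss alert requested above exists in SmartConsole, the check can be approximated from the gateway's expert-mode shell. The script below is an added example written for this page; it is not code from the post's author or from Check Point. It assumes the classic `netstat -ni` column names (RX-OK, RX-ERR, RX-DRP, RX-OVR) and works on the *delta* between two snapshots, so a drop burst from months ago sitting in the since-boot counters cannot trigger the alert on its own; the two snapshots embedded here are constructed sample data, and the `rx_loss_between` function name is this example's own.

```shell
#!/bin/sh
# Added example (not from the post or Check Point): flag interfaces whose RX-side
# loss (RX-ERR + RX-DRP + RX-OVR) over a sampling interval exceeds a threshold.
# Columns are located by name from the "Iface ..." header line, so both the
# older net-tools layout (with a Met column) and the newer one (without) parse.

# Constructed sample: two `netstat -ni` snapshots taken one interval apart.
# eth0 carries 500k historical drops but almost none during the interval;
# eth1 is clean historically but loses ~11.5% of its RX packets during it.
SAMPLE_BEFORE='Kernel Interface table
Iface   MTU Met   RX-OK RX-ERR RX-DRP RX-OVR    TX-OK TX-ERR TX-DRP TX-OVR Flg
eth0   1500 0   9000000      0   500000      0  8800000      0      0      0 BMRU
eth1   1500 0   1000000      0        0      0   990000      0      0      0 BMRU
lo    65536 0     12000      0        0      0    12000      0      0      0 LRU'

SAMPLE_AFTER='Kernel Interface table
Iface   MTU Met   RX-OK RX-ERR RX-DRP RX-OVR    TX-OK TX-ERR TX-DRP TX-OVR Flg
eth0   1500 0   9100000      0   501000      0  8900000      0      0      0 BMRU
eth1   1500 0   1050000    200     6000    300  1040000      0      0      0 BMRU
lo    65536 0     12500      0        0      0    12500      0      0      0 LRU'

# rx_loss_between THRESHOLD_PCT BEFORE_SNAPSHOT AFTER_SNAPSHOT
# Prints "<iface> <loss_pct>" for every interface whose RX loss percentage
# across the interval is strictly greater than THRESHOLD_PCT. Loopback and
# interfaces that are absent from the first snapshot are ignored.
rx_loss_between() {
    { printf '%s\n' "$2"; echo '@@SNAP@@'; printf '%s\n' "$3"; } | awk -v thr="$1" '
        $1 == "@@SNAP@@" { snap = 2; hdr = 0; next }      # second snapshot begins
        $1 == "Iface" {                                   # map column name -> index
            for (i = 1; i <= NF; i++) col[$i] = i
            hdr = 1; next
        }
        !hdr || $1 == "lo" { next }                       # skip banner lines and loopback
        {
            ok  = $(col["RX-OK"])
            bad = $(col["RX-ERR"]) + $(col["RX-DRP"]) + $(col["RX-OVR"])
            if (snap != 2) { ok0[$1] = ok; bad0[$1] = bad; next }   # remember first sample
            if (!($1 in ok0)) next                        # interface appeared mid-interval
            dok = ok - ok0[$1]; dbad = bad - bad0[$1]
            if (dok < 0 || dbad < 0) next                 # counter wrap or interface reset
            tot = dok + dbad
            if (tot == 0) next                            # idle interface: nothing to judge
            pct = dbad * 100 / tot
            if (pct > thr) printf "%s %.2f\n", $1, pct
        }'
}

# Demonstration on the constructed snapshots with a 5% threshold: only eth1
# is reported, because eth0 lost just 1000 of 101000 packets in the interval.
rx_loss_between 5 "$SAMPLE_BEFORE" "$SAMPLE_AFTER"

# Live use on a Gaia gateway (expert mode), sampling a 60 second interval:
#   before=$(netstat -ni); sleep 60; after=$(netstat -ni)
#   rx_loss_between 5 "$before" "$after"
```

Run from cron at a short interval and feed any non-empty output to your alerting, and you get the "sustained loss above a configurable threshold" behaviour the post asks for, without the old since-boot RX-DRP counters causing false alarms after a single historical event.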