Things that make my crazy

aner_sagi · ‎2018-10-21

Hi,

This post is about things in checkpoint products that makes me crazy \ angry.

1. there is no wizard when you need to convert a gateway to cluster. i have to delete the gateway and create a new cluster object. why?

2. i can't allow LDAP AD user group as a group of smartdashboard admins. i have to use radius. why ?

3. smartcenter user experience is poor. the smartdashboard gui get stuck even when i put a lot of resources (32 Gb/ 48GB + 8 / 16 cores).

4. me and my customers lost faith is CP https inspection implementation. it's too problematic and complicated to operate.

5. VTI \ route based VPN. the procedure to make it work is too complicated and i am afraid to use it together with current VPN domain based implementation.

Aner.

Tomer_Sole · ‎2018-10-21

Hi Aner,

Thank you for this feedback.

The truth is that we have a roadmap that includes some of these items. I can't name target releases but they will be addressed.

I want to touch on #3 - performance of the UI. Can you please elaborate on which screens are exactly stuck when you work with SmartConsole? We recently posted R80.10 Security Management - Performance Tuning Guide - Check Point Software Technologies and it contains some advice in case SmartConsole is slow as well as hardware sizing. The R80.10 user interface is actually supposed to operate faster thanks to Lightweight communication from SmartConsole to the server so we are interested with investigating issues that relate to this aspect.

aner_sagi · ‎2018-11-07

Hi Tomer,

Sorry for the late response. I work for a platinum partner in israel that deal with enterprise customers.

The "slow and stuck" dashboard is something common to all of my R80.10 customers.

They Use VM.

I read your great optimization guide.

The only point i found relevant for my customers is set the memory to reserved.

Am i missing something ?

I don't allow less then 16Gb on Smartcenter. Most of my customer has 32Gb and some even 64GB.

Still it does not help.

If you want real time customer environment - call me .

Aner

050-4009897

Timothy_Hall · ‎2018-11-07

The most common "slow and stuck" SmartConsole situation I see teaching the CCSA/CCSE classes is caused by making any edit to a gateway or cluster object and hitting OK. Even with 8 cores, 16GB of RAM, and a SSD it always seems to take much longer than modifying any other type of object, and the SmartConsole consistently stops responding at all for 3-5 seconds (fades out when clicked on, clicks don't register at all, then it suddenly snaps back). The host machine and VMs have plenty of RAM and are not ever touching swap space at all.

--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com

PhoneBoy · ‎2018-10-21

To provide some context, it would help to know what version you are levying the complaints about.

To respond to the points you raised:

1. I'm pretty sure the correct process is to create the cluster and add the (existing) gateway to it, not delete the gateway and create a new cluster.

2. I get it's one less component to maintain to just use AD (versus maintaining a RADIUS server that connects to AD), but is there also a difference from a functionality standpoint?

3. The architecture prior to R80 made SmartDashboard and friends require more resources in larger environments. This is definitely improved in R80+ and we are making continual improvements to SmartConsole so it operates efficiently.

4. It would be helpful, perhaps in a separate thread, to highlight the specific issues you're having with HTTPS Inspection. Or you can point to existing CheckMates threads. There is roadmap to address some of the well-known complaints.

5. It would be worth your time participating in our Usability Testing. One of our current projects is around VPN in particular. See: Usability Testing - join us!‌

Alex_Weldon · ‎2018-10-22

I'm interested in #4 - Can you share the roadmap publicly?

PhoneBoy · ‎2018-10-22

What I am aware of that we've discussed publicly are:

HTTPS Inspection policy still uses SmartDashboard -- Possibly as part of an R80.20.Mx release
URL Filtering based on SNI -- customer release for R80.10, planned for R80.20
More ciphers -- These are typically added in jumbo hotfixes as required

Above is subject to change of course.

Again, if you have specific issues, they should be detailed in a separate thread (or existing threads referred to).

Vladimir · ‎2018-10-21

1. Here the cluster creation Wizard from existing gateway:

2. What is the hardware and OS on which SmartConsole itself is installed, not the Management Server, for that your specs are ample.

3. The AD Group for management is valid though, but you can use Windows Server built-in RADIUS (Network Policy Server role) for that.

Kaspars_Zibarts · ‎2018-10-22

Breathe! and look at the bright side - all these small things keep you employed

I agree on gateway to cluster conversion as we were faced with the same challenge so it took me a while to come up with decent process from ClusterXL admin guide (ClusterXL Administration Guide ) Converting a Security Gateway to a ClusterXL section. I guess it depends on many factors- will you keep original IPs as new VIPs, will you change mgmt interace IP on the gateway etc etc. But still, the process could have been written in better way.

Yes - pls bring direct connectivity to AD and allow using group instead of individual members, that's rather annoying

Regarding SmartConsole - make sure that latency is not too high between client and management server as that will redecude your experience noticably

Timothy_Hall · ‎2018-10-22

In the CCSE R80.10 class the student converts an existing single gateway to a 2-node ClusterXL HA pair during one of their lab exercises on the first day, and actively uses it for the rest of the class.

--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com

_Val_ · ‎2018-10-23

Hi aner sagi‌, I appreciate your passion.

Some of the point were already addressed above. I just wanted to let you know that R&D will be contacting you offline to follow up your HTTPS issue.

All the best from here

aner_sagi · ‎2018-11-07

Hi Tim, Vladimir and all.

First I want to thank you all for the time you took to reply for my last post.

I am back from a customer site in UK when I tried the wizard to convert the single gateway to a cluster.

The wizard is not good. Sorry.

The gateway I tried to convert to a cluster had 2 VPN S2S tunnels + remote access that I had to disable before I could continue

With the process. also the wizard is not clear on the stage after you add the gateway and you need to specify IP address of

Physical and VIP.

This code should be rewritten. Now with the current wizard it’s the same amount of work like deleting the gateway and create a

New cluster object in dashboard from scratch.

I will soon reply about the other point I raised on the original thread.

Aner Sagi.

Vladimir · ‎2018-11-07

Sounds about right. I may add that I am also seeing SmartConsole "jumping" to full screen, overlaying the Windows taskbar for those 3-5 seconds and then returns back to normal. Not a show stopper, but is annoying.

Consistently observed on Dell Precision 5510 with Xeon, 32 GB RAM and SSD. Management server(s) running in VM with 16GB RAM and ample CPU and storage IO provisioned.

SantiagoPlatero · ‎2018-11-08

Hi all, I believe some of us we've working alongside Check Point for quite long also have the same complaints, at least for the SmartConsole performance and, a very critical one, the HTTPS inspection feature.

I think CP must work hard on solve the multiple issues regarding for HTTPS, as almost all blades need the HTTPS inspection be enabled to meet its full potential. It's disheartening for me to can't analyze all the internet outgoing traffic (and miss the full level of details of the views/reports) because if I enable the HTTPS inspection I've my bosses kicking on my office because internet browsing is almost unusable.

Also, I've the same performance issues with SmartConsole, no matter how much resources I apply for the VM running the management or how resourceful is my desktop computer. The delays when applying changes to gateways or the full screen almost freeze when publish the changes are issues that now I'm used to it, but it deal a lot of damage of the user experience, as Aner pointed out in the OP.

Finally, the AD integration for SmartConsole administrators it's kind of tricky to deploy, as you says it need a Radius server to manage the authentication request. But, as Dameon pointed out, it doesn't have any issues for the functionality standpoint.

Hope CP, the R&D dept. and all the guys are working on this issues take our criticisms as constructives ones.

Regards!

Are you a member of CheckMates?

Things that make my crazy