PhoneBoy
Admin

What is your Check Point Idea of the Year?

As part of our First Birthday celebration, we are having an awards ceremony.

For awards, you need categories and voting!

Over the course of this week, we will share some of the categories and solicit nominations for said categories.

See the complete list of categories and voting instructions here: https://community.checkpoint.com/community/about-checkmates/blog/2018/05/08/checkmates-first-birthda... 

This category is about ideas that you wish Check Point would develop into a product/service offering, or improvements to existing ones.

I polled some folks inside Check Point that aren't in R&D and got plenty of suggestions.

Here are a few of them:

  • Cloud-based Endpoint Management
  • Automatic performance tuning based on hardware/policy configuration
  • Threat-hunting Platform

Now, it's your turn, CheckMates community: what's your Idea of the Year?

Please leave your suggestions below as comments.

A few disclaimers/notes:

  • There are no guarantees that any idea suggested will be developed, even the "Idea of the Year" :).
  • From the suggestions below, we will choose 3-5 ideas which will be put up for voting during the week of 14th May.
  • Preference will be given to ideas that come from customers and partners, though Employees are welcome to participate as well.
  • "Likes" and "discussion" around specific ideas will influence (but not wholly determine) the final list, so if you like something someone has suggested, let it be known!

Voting

Voting is now open for the above categories.

We will take your votes until 25th May 2018 @ 11:59pm Pacific Daylight Time. 

A vote will enter you into a raffle for a Check Point 1490 Appliance!

77 Replies
Smadi_Paradise
Employee Alumnus

Your request is fulfilled. You can import Snort rules in R80.10.

Steve_Moran1
Contributor

1.  Geo Protection flexibility: countries a, b, c can hit this site, while d, e, f can hit this one, instead of on or off for the country.

2.  There's a handy export button to export objects, how about a handy import button?

3.  Recreate all the canned reports from SmartReporter in SmartEvent.

4.  Finish integrating the legacy apps.

0 Kudos
Moti
Admin

What's #4?

0 Kudos
Steve_Moran1
Contributor

QoS, HTTPS Inspection, DLP, Anti-Spam and Mail, and MOB are still managed in the R77 version of SmartDashboard in R80.

RickLin
Advisor

There is one more thing that seems strange to me.

In R80.10, when the Security Gateway gets interfaces with topology, it also creates network objects based on our IPv4 static routes.

Everybody knows that.

But the new network object is not displayed and cannot be found in the Object Panel or Object Explorer.

But it is displayed and can be found when we try to add an object in Source or Destination.

Before R80, this issue did not exist.

Hope this can be corrected in the future.

Moti
Admin

PhoneBoy
Admin

I ran into this myself.

The only way to remove the objects from the database is via the API/CLI. 

0 Kudos
RickLin
Advisor

Check Point finally updated sk126872 this week.

0 Kudos
Shehan_Wickrama
Collaborator

Adding an option to add an IP to GUI users so the GUI user can log in only if the IP matches the mentioned IP. Fortinet already has this feature.

0 Kudos
MrSaintz
Contributor

You can Shehan, even before Fortinet was founded back in 2000...

Carlos Santos
0 Kudos
PhoneBoy
Admin

We've had the ability to restrict access to SmartConsole and predecessor apps to specific IPs since the beginning.

Are you saying "Admin X can only log in from IP a.b.c.d"?

0 Kudos
Reinhard_Stich
Contributor

hi

1. VPN-domain per VPN-community. Only one VPN domain makes it hard to configure several VPNs when you have large internal network ranges and want only a subnet as part of this VPN.
2. A "rule checker" or "rule assistant". I know CP is working on something like that ...
3. A "performance assistant". If monitoring sees high CPU/memory usage it could recommend actions ..
br

reinhard

Steve_Moran1
Contributor

I've asked about #1 for a few years, and have always gotten the answer: configure the VPN domain to be all-encompassing, and configure your FW rule to limit the VPN access.

0 Kudos
John_Fenoughty
Collaborator

I very much concur with Reinhard's request for a VPN-domain per VPN-community. Check Point's reply that we should use an all-encompassing EncDom but control it via the rulebase per VPN is all well and good when both ends are Check Point, but this confuses interoperability VPNs no end!

We could also really do with more control over the uni- or bi-directional nature of VPN tunnel initialisation. I know we can alter this by editing various files, but it's really quite a basic requirement and should be in the VPN community.

Reinhard_Stich
Contributor

I got the feedback that CP is working on "VPN domain per VPN community" ... maybe this will come this year

0 Kudos
Morten_Olesen1
Explorer

What about integrating some sort of WAN optimization into Site2Site VPN? So that services like, e.g., CIFS get optimized over VPN. I have seen quite a few companies using third-party products for this, to optimize traffic between all their Check Point protected offices.

Gaurav_Pandya
Advisor

Some of the features, like HTTPS Inspection etc., still open in R77.30 for R80. Also, SmartEvent and HTTPS Inspection are not stable in R80. It would be great if Check Point resolved such issues in R80.20 or in further versions.

Xavier_Koenig
Contributor

Have to agree with this one, very much feels like they just slapped an R80 sticker on some parts that weren't fully converted from R77.30. 

0 Kudos
RickHoppe
Advisor

Wouldn’t it be nice if SmartConsole is the place to be where you can push tweaks like kernel parameters and other manual customizations to the Security Gateway? So that everything is in the management database (something like the VSX config). At this moment you need to have a good backup or documented every manual tweak you’ve done in the past. Unfortunately I see a lot of environments where it is not documented and then it will cost a lot of time to find them. It will also save time when upgrading to a new major version. Just a thought.

My blog: https://checkpoint.engineer
PhoneBoy
Admin

We actually had a feature in IPSO that did something like this at the OS level.

0 Kudos
Brian_Owen1
Explorer

Smart Console Client for Mac or web based management!!

Aidan_Luby1
Participant

Or some common Linux distribution like Ubuntu.

Timothy_Hall
Champion

1) Fully integrate Geo Protection into the Access Control policy layers; make country objects directly selectable in the source/destination of rules.

2) Perform Geo Protect drops in SecureXL (if enabled), not the Firewall Path.  SecureXL already performs antispoofing drops and country-based drops with fw samp in the Accelerated Path, this shouldn't be difficult to do with Geo Protection as well.

3) Improve reporting done by fwaccel stat indicating why templating rate (Connections/sec) is zero (i.e. Anti-bot enabled, more than just "Firewall" checked in first policy layer).

4) Permit use of Security Zones in NAT rules, would make converting NAT rules from other vendors' zone-based firewalls much easier.

5) Add support for what other vendors call "NAT Oversubscription" that generally allows more than 50k concurrent hidden connections behind a single IP address.

7) Directly publish CPU and memory specifications of appliances, instead of users having to figure it out on their own

8) Permit the definition of "FastXL templates" directly in SecureXL that forces internal, trusted traffic (i.e. backups) into the Accelerated path with a minimum of inspection.  Add all the warnings and caveats you want...

9) By default force all gateway kernel syslog messages issued by INSPECT/SecureXL into the regular firewall logs visible through SmartConsole/SmartLog.

--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com

"Max Capture: Know Your Packets" Video Series
now available at http://www.maxpowerfirewalls.com
Vladimir
Champion

The "Directly publish CPU and memory specifications of appliances, instead of users having to figure it out on their own" is definitely easy to accomplish and long overdue.  

Aidan_Luby1
Participant

I doubt they'd do it. Once you publish your hardware specs then people looking at two vendors will finally have a quantifiable comparison. I believe vendors would rather keep the conversation on their software and how it does "what no other vendor does".

Laxi_D
Contributor

This is really painful; sometimes we don't know the exact reason traffic goes to the medium path (PXL).

3) Improve reporting done by fwaccel stat indicating why templating rate (Connections/sec) is zero (i.e. Anti-bot enabled, more than just "Firewall" checked in first policy layer).

0 Kudos
Tal_Ben_Avraham
Employee

"Add support for what other vendors call "NAT Oversubscription" that generally allows more than 50k concurrent hidden connections behind a single IP address" - Check Point's solution actually allows more than 50k concurrent connections per hide IP as long as the destination IP is different (this actually means an infinite over-subscription rate, while still bounded by the connection table limit, of course).

Laxi_D
Contributor

A pure Check Point SD-WAN solution, or a tie-up with current SD-WAN solutions as a security add-on.

Application-based routing (Layer 7)

Load balancing (ISP Redundancy) across more than two ISP links

Kim_Moberg
Advisor

Great idea! 


I have been working on the idea of including Windows logs in SmartEvent so one could use it as a light SIEM product.

I actually think SmartEvent is a strong product, especially with the Google-like search feature. I use it basically every day.


Instead of using a 3rd-party product like nx, why not use your own tool like WinEventToCPLog? Today I can include event logs from a Windows Server 2016 in SmartEvent. Great.

It would be great to have a WinEventToCPLog agent installed on a Windows server to include SNMP traps and different kinds of Windows log files, like dhcp.log, dns.log or the IIS log.


Hope this is an idea that can be implemented and used.

Best Regards
Kim
0 Kudos
Kim_Moberg
Advisor

Easy O365 hybrid migration interface.

An easy way to create O365 addresses and automatically update these IP scopes when Microsoft changes their scope.

Best Regards
Kim
0 Kudos