Employee
Employee

Re: What is your Check Point Idea of the Year?

Your request is fulfilled. You can import Snort rules in R80.10.

Re: What is your Check Point Idea of the Year?

1.  Geoprotection flexibility: countries a, b, c can hit this site, while d, e, f can hit this one, instead of on or off for the country.

2.  There's a handy export button to export objects, how about the handy import button?

3.  Recreate all the canned reports from SmartReporter in SmartEvent.

4.  Finish integrating the legacy apps.

0 Kudos
Admin
Admin

Re: What is your Check Point Idea of the Year?

What's #4?

0 Kudos

Re: What is your Check Point Idea of the Year?

QoS, HTTPS Inspection, DLP, Anti-Spam and Mail, and MOB are still managed in the R77 version of SmartDashboard in R80.

RickLin
Silver

Re: What is your Check Point Idea of the Year?

There is one more thing that seems strange to me.

In R80.10, when a Security Gateway gets interfaces with topology, it also creates network objects based on our IPv4 static routes.

That is something everybody knows.

But the new network objects are not displayed and cannot be found by searching in the Object Panel or Object Explorer.

But they are displayed and can be found by searching when we try to add an object in Source or Destination.

Before R80, this issue did not exist.

Hope this can be corrected in the future.

Admin
Admin

Re: What is your Check Point Idea of the Year?

I ran into this myself.

The only way to remove the objects from the database is via the API/CLI. 

0 Kudos
RickLin
Silver

Re: What is your Check Point Idea of the Year?

Check Point finally updated sk126872 this week.

0 Kudos

Re: What is your Check Point Idea of the Year?

Adding an option to add an IP to GUI users so the GUI user can log in only if the IP matches the mentioned IP. Fortinet already has this feature.

0 Kudos
MrSaintz
Nickel

Re: What is your Check Point Idea of the Year?

You can, Shehan, even before Fortinet was founded back in 2000...

Carlos Santos
0 Kudos
Admin
Admin

Re: What is your Check Point Idea of the Year?

We've had the ability to restrict access to SmartConsole and predecessor apps to specific IPs since the beginning.

Are you saying "Admin X can only log in from IP a.b.c.d"?

0 Kudos

Re: What is your Check Point Idea of the Year?

hi

1. VPN-domain per VPN-community. only one VPN domain makes it hard to configure several VPNs when you have large internal network ranges and want only a subnet as part of this VPN
2. a "rule checker" or "rule assistant". I know CP is working on something like that ...
3. a "performance assistant". if monitoring sees high CPU/memory usage it could recommend actions ..
br

reinhard

Re: What is your Check Point Idea of the Year?

I've asked about #1 for a few years, and have always gotten the answer.. configure the vpn domain to be all-encompassing, configure your fw rule to limit the vpn access.  

0 Kudos

Re: What is your Check Point Idea of the Year?

I very much concur with Reinhard's request for a VPN-domain per VPN-community. Check Point's reply that we should use an all-encompassing EncDom but control it via the rulebase per VPN is all well and good when both ends are Check Point, but this confuses interoperability VPNs no end!

We could also really do with more control over the uni or bi-directional of the VPN tunnel initialisation. I know we can alter this by editing various files but it's really quite a basic requirement and should be in the VPN community.

Re: What is your Check Point Idea of the Year?

I got the feedback that CP is working on "VPN domain per VPN community" ... maybe this will come this year

0 Kudos

Re: What is your Check Point Idea of the Year?

What about integrating some sort of WAN optimization into Site2Site VPN? So that services like e.g. CIFS get optimized over VPN. I have seen quite a few companies using third-party products for this, to optimize traffic between all their Check Point protected offices.

Re: What is your Check Point Idea of the Year?

Still, some of the features like HTTPS inspection etc. open in R77.30 for R80. Also, SmartEvent and HTTPS inspection are not stable in R80. It would be great if Check Point resolved such issues in R80.20 or in further versions.

Re: What is your Check Point Idea of the Year?

Have to agree with this one, very much feels like they just slapped an R80 sticker on some parts that weren't fully converted from R77.30. 

0 Kudos
RickHoppe
Silver

Re: What is your Check Point Idea of the Year?

Wouldn’t it be nice if SmartConsole is the place to be where you can push tweaks like kernel parameters and other manual customizations to the Security Gateway? So that everything is in the management database (something like the VSX config). At this moment you need to have a good backup or documented every manual tweak you’ve done in the past. Unfortunately I see a lot of environments where it is not documented and then it will cost a lot of time to find them. It will also save time when upgrading to a new major version. Just a thought.

My blog: https://checkpoint.engineer
Admin
Admin

Re: What is your Check Point Idea of the Year?

We actually had a feature in IPSO that did something like this at the OS level.

0 Kudos

Re: What is your Check Point Idea of the Year?

Smart Console Client for Mac or web based management!!

Re: What is your Check Point Idea of the Year?

Or some common Linux distribution like Ubuntu.

Re: What is your Check Point Idea of the Year?

1) Fully integrate Geo Protection into the Access Control policy layers; make country objects directly selectable in the source/destination of rules.

2) Perform Geo Protect drops in SecureXL (if enabled), not the Firewall Path.  SecureXL already performs antispoofing drops and country-based drops with fw samp in the Accelerated Path, this shouldn't be difficult to do with Geo Protection as well.

3) Improve reporting done by fwaccel stat indicating why templating rate (Connections/sec) is zero (i.e. Anti-bot enabled, more than just "Firewall" checked in first policy layer).

4) Permit use of Security Zones in NAT rules, would make converting NAT rules from other vendors' zone-based firewalls much easier.

5) Add support for what other vendors call "NAT Oversubscription" that generally allows more than 50k concurrent hidden connections behind a single IP address.

7) Directly publish CPU and memory specifications of appliances, instead of users having to figure it out on their own

8) Permit the definition of "FastXL templates" directly in SecureXL that forces internal, trusted traffic (i.e. backups) into the Accelerated path with a minimum of inspection.  Add all the warnings and caveats you want...

9) By default force all gateway kernel syslog messages issued by INSPECT/SecureXL into the regular firewall logs visible through SmartConsole/SmartLog.

--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com

"IPS Immersion Training" Self-paced Video Class
Now Available at http://www.maxpowerfirewalls.com
Vladimir
Pearl

Re: What is your Check Point Idea of the Year?

The "Directly publish CPU and memory specifications of appliances, instead of users having to figure it out on their own" is definitely easy to accomplish and long overdue.  

Re: What is your Check Point Idea of the Year?

I doubt they'd do it. Once you publish your hardware specs then people looking at two vendors will finally have a quantifiable comparison. I believe vendors would rather keep the conversation on their software and how it does "what no other vendor does".

Laxi_D
Nickel

Re: What is your Check Point Idea of the Year?

This is really painful; sometimes we don't know the exact reason why traffic goes to the medium path (PXL).

3) Improve reporting done by fwaccel stat indicating why templating rate (Connections/sec) is zero (i.e. Anti-bot enabled, more than just "Firewall" checked in first policy layer).

0 Kudos
Employee+
Employee+

Re: What is your Check Point Idea of the Year?

"Add support for what other vendors call "NAT Oversubscription" that generally allows more than 50k concurrent hidden connections behind a single IP address" - checkpoint solution actually allows more than 50k concurrent per hide IP as long as destination IP is different (this actually means infinite over-subscription rate, while still bounded by connection table limit of course).

Laxi_D
Nickel

Re: What is your Check Point Idea of the Year?

Pure Check Point SD-WAN solution, or tie up with current SD-WAN solutions as a security add-on.

Application-based routing (Layer 7)

Load balance (ISP Redundancy) more than two ISP links

Kim_Moberg
Silver

Re: What is your Check Point Idea of the Year?

Great idea! 


I have been working on the idea of including Windows logs into SmartEvent so one could use it as a light SIEM product.

I actually think SmartEvent is a strong product, especially with the Google-like search feature. I use it basically every day.


Instead of using a 3rd-party product like nx, why not use your own tool like WinEventToCPLog? I can now today include Event logs from a Windows Server 2016 into SmartEvent. Great.

It would be great to have a WinEventToCPLog agent installed on a Windows server to include SNMP traps and different kinds of Windows log files, like dhcp.log, dns.log or IIS log.


Hope this is an idea that can be implemented and used.

Best Regards
Kim
0 Kudos
Kim_Moberg
Silver

Re: What is your Check Point Idea of the Year?

Easy O365 hybrid migration interface.

An easy way to create O365 addresses and automatic updates of these IP scopes when Microsoft changes their scope.

Best Regards
Kim
0 Kudos