cancel
Showing results for 
Search instead for 
Did you mean: 
Start an article

Product Announcements

Employee+
Employee+

We are happy to update on the availability of R80.20 Security Gateways (based on new Linux kernel) and R80.20 Security Management in GCP.

 

Both BYOL & PAYG solutions are updated with the new version and ready for deployment through the GCP marketplace:

https://console.cloud.google.com/marketplace/browse?q=cloudguard

As always we are here for your comments and suggestions,

CloudGuard IaaS R&D 

Read more
1 0 73

Hi,

 

We’ve announced in CPX Asia 2 new Security Gateways appliances: 6500 & 6800. The Check Point 6500 and 6800 are a new generation of high performance Security Gateways for the enterprise market segment. With the new 6000 series, enterprise customers can enable advanced threat prevention and inspect for threats within TLS encrypted traffic.

 

The 6500 and 6800 will be available in the Check Point Product Catalog from February 1st.

Datasheets are available for download now.

Support Links

With the introduction of the 6500 & 6800 we are taking the opportunity to simplify and accelerate our business processes.

These new products and all of their accessories are priced with significant discounts incorporated in their list prices. This shortens sales cycles and eliminates dependencies in discounting processes.

In addition we revisited how we offer our Security Gateways. Instead of dozens of tedious appliance SKUs, each model will be available in 2 simple configurations: base and PLUS. Both are equipped with our existing and well-known Next Generation Threat Prevention subscription for the first year. The PLUS option adds a richer hardware configuration; redundant components when supported by the gateway, SSDs and extra memory for additional connection capacity. The base option comes with Hard Disk Drive(s) and supports local management while the PLUS with SSD disk(s) does not.

 

With the ~50% price reduction in accessories there are also stricter discounting policies which are also incorporated into the Check Point Product Catalog.

 

I would like to take this opportunity and thank the many groups that were involved in the introduction of these 2 new appliances – R&D, QA, Finance, NPI, Product Infrastructure, Planning, Business Analysis, Legal – great Teamwork!

 

Feel free to contact me in any question or query regarding the 6500 & 6800.

Wishing you a successful and fruitful 2019.

 

regards,
Yaron Weiler
Security Gateways Product Manager
yaronw@checkpoint.com
+972-54-9222361

Read more
5 2 449

Remember the teasers about new Gaia features in EA (REST API and Dynamic CLI) ?

 

So, we are glad to let you know that both features are now available for download, and have public SKs with all relevant information :

 

Ender (REST API) - sk143612

 

Dynamic CLI - sk144112

 

Please, feel free to try them out, and let us know what you think.

 

You can use GAIA_TECH@MICHAEL.CHECKPOINT.COM  forum to ask questions and share your experience, so that more people will get the sense of those features.

 

We will be showing both features in upcoming CPX, with live demo in Tech Room. Let me know if you want to meet there and discuss specific use-cases or roadmap.

Read more
8 4 217
Oliver_Fink
Nickel

Hi.

 

Today I am preparing a small presentation for our next week inhouse-exhibition about CDT – version 1.5. During my preparations I was trying to refine a script that was executed on the gateways via execute_script. After the script was executed successful once, I was unable to run it again on the same gateway. Output tells me that execution was skipped. No hints in the documentation.

 

It took me some time fo find where the state of the execution was saved. The script was named install_cp-scripts.sh. The state of the script can be reset on the gateway with:

/bin/dbset installer:cdt:/var/log/install_cp-scripts.sh 0

Knowing this one could put a command into the deployment plan executing this for scripts to be run again. But I do not consider saving the state on the gateway the perfect idea for a tool designed to centrally manage gateways. In my opinion such state information has to be saved locally on the management server running the CDT. In that way you can change the state in the same place where you configure the rest of your deployment.

By all means, this has to be documented.

 

Another suggestion would be a possibility to define a $HOME where the CDT commands shall be executed on the gateway. Actually $HOME is /. That would not be my directory of choice.

Read more
0 0 54
Employee
Employee

I've been asked several times about if CloudGuard is a WAF product (that's another discussion!) and how best can a dedicated WAF service be placed in front of CloudGuard IaaS gateways. As all the requests came from customers using Microsoft Azure, I decided to look into the Application Gateway.

In short, the Application Gateway is basically a "load balancer on steroids" and provides much the same functionality as a standard SKU Azure Load Balancer, but with the added benefit of WAF capabilities. As our reference architecture in Azure uses a load balancer and one or more gateways, this seemed the obvious choice for the deployment.

I wrote a lab guide to deploying this solution, as with most cloud topics, it will age very quickly, but hopefully give you a good starting point if you have a project that has strict requirements on having a WAF service at the Azure perimeter. It's very much a first draft, so there will be mistakes and also outdated information, please provide any feedback below.

Note this is not official Check Point documentation or advice, deploy this solution at your own risk. No warranties implied, may contain nuts. Check Point are not responsible for any service charges accrued by this deployment. The value of investments may go down as well as up.

Read more
7 2 284
Employee+
Employee+

Hi Everyone,

 

We are glad to announce that R80.20 Gateway with new Linux kernel is now generally available in Azure & AWS.

 

The new image offers significant improvements:

 

Important

  • R77.30 based solutions will be removed soon from the marketplace.
  • For specific exceptional cases where R77.30 is needed, please contact Check Point TAC.
  • Only standard deployment is supported for single R80.20 gateway. Standalone and custom configuration modes are not supported.
  • In order to manage R80.20 gateways using R80.10 Management Server JHF take 177 or later must be installed.
    See sk116380 for more information.

 

 

Performance

 

AWS

For R80.20 gateway:

 Maximum Throughput (Mbps)Maximum Throughput (Mbps)Maximum Throughput (Mbps)
AWS Instance Typec5.largec5.xlargec5.2xlarge
Number of cores248
CPEnt - NGFW260040554065
CPEnt - NGTP104018903400
  • Tested with Cloud-Certified leading testing equipment
  • Used AWS on-demand instances environment
  • Actual performance results may vary depending on cloud infrastructure resources availability, region, topology, and other factors
  • These results are based on actual performances measurements by Check Point performance lab using real-world traffic simulation with out-of-the-box configuration

 

Azure

For R80.20 gateways:

 Maximum ThroughputMaximum ThroughputMaximum Throughput
Azure VM sizeD2_v2 (2 core)D3_v2 (4 core)D4_v2 (8 core)
CPEnt - FW + IPS132025404890
CPEnt - NGFW132025354790
CPEnt - NGTP123525303985
  • Tested using default deployment and Check Point configurations.
  • Tested with Cloud-Certified leading testing equipment
  • Actual performance results may vary depending on cloud infrastructure resources availability, region, topology, and other factors
  • These results are based on actual performances measurements by Check Point performance lab using real-world traffic simulation with out-of-the-box configuration

 

Notes:

-          For different VM sizes see: https://azure.microsoft.com/en-us/documentation/articles/virtual-machines-linux-sizes/ 

-          Performance can be limited by the network bandwidth allocated by Azure to the VM

-          NGFW:  FW + IPS (Recommended - out of the box) + APCL

-          NGTP: NGTP : FW + IPS (Recommended - out of the box) + APCL + URLF + AV + AB

 

AWS Solution templates update

All deployment options (Single Gateway, Cluster, Auto Scaling Group and Transit VPC) are supported and can be deployed using our CloudFormation templates.

 

 

Azure Solution templates update

 

The following marketplace offers have been renamed:

  • Check Point CloudGuard IaaS R80.10 Scale Set à Check Point CloudGuard IaaS Scale Set (as it supports both R80.10 & R80.20).
  • Check Point CloudGuard IaaS R80.10 High Availability à Check Point CloudGuard IaaS High Availability (as it supports both R80.10 & R80.20).
  • Check Point CloudGuard IaaS Cluster à Check Point CloudGuard IaaS R77.30 & R80.10 Cluster (as it supports only R77.30 & R80.10).

 

 

The new image is supported by the following solutions:

  • Check Point CloudGuard IaaS Single Gateway
  • Check Point CloudGuard IaaS High Availability
  • Check Point CloudGuard IaaS Scale Set

 

This version will be available on OCI & GCP Marketplace, soon.

As always we are here for your comments and suggestions.

CloudGuard IaaS R&D 

Read more
5 5 798

Recently had a client test KVM / oVirt as an alternative virtual environment. During testing we noticed that ClusterXL was repeatedly failing or just not forming a cluster. The active member could not detect the standby members status.

 

Debug ClusterXL output

 

;28Aug2018 14:50:31.269123;[cpu_6];[fw4_1];FW-1: check_other_machine_activity: calling fwldbcast_died for ID 0;

;28Aug2018 14:50:31.269138;[cpu_6];[fw4_1];FW-1: fwha_notify_interface: IF_IP_BY_HANDLE(ffff81023de270c0, 1)=10.121.47.131;

;28Aug2018 14:50:31.269145;[cpu_6];[fw4_1];FW-1: fwha_notify_interface: IF_IP_BY_HANDLE(ffff81023d856440, 2)=10.121.34.131;

;28Aug2018 14:50:31.269151;[cpu_6];[fw4_1];FW-1: fwha_notify_interface: IF_IP_BY_HANDLE(ffff81023d54fc40, 3)=10.121.36.131;

;28Aug2018 14:50:31.369011;[cpu_6];[fw4_1];FW-1: check_other_machine_activity: calling fwldbcast_died for ID 0;

;28Aug2018 14:50:31.469934;[cpu_6];[fw4_1];FW-1: check_other_machine_activity: calling fwldbcast_died for ID 0;

;28Aug2018 14:50:31.570847;[cpu_6];[fw4_1];FW-1: check_other_machine_activity: calling fwldbcast_died for ID 0;

;28Aug2018 14:50:31.670768;[cpu_6];[fw4_1];FW-1: fwha_report_id_problem_status: State (DOWN) reported by device Interface Active Check (non-blocking) (ID 1 time 85773.7);

;28Aug2018 14:50:31.670773;[cpu_6];[fw4_1];FW-1: id_blocking_state: check (0) (1) (4) ;

;28Aug2018 14:50:31.670774;[cpu_6];[fw4_1];FW-1: id_blocking_state: check (1) (1) (4) ;

;28Aug2018 14:50:31.670775;[cpu_6];[fw4_1];FW-1: id_blocking_state: check (2) (1) (4) ;

;28Aug2018 14:50:31.670776;[cpu_6];[fw4_1];FW-1: id_blocking_state: check (3) (1) (4) ;

;28Aug2018 14:50:31.670778;[cpu_6];[fw4_1];FW-1: id_blocking_state: check (4) (1) (4) ;

;28Aug2018 14:50:31.670779;[cpu_6];[fw4_1];FW-1: fwha_report_id_problem_status: Blocking state (ACTIVE) not changed by state DOWN from Interface Active Check (ID 1);

;28Aug2018 14:50:31.670788;[cpu_6];[fw4_1];FW-1: check_other_machine_activity: calling fwldbcast_died for ID 0;

;28Aug2018 14:50:31.770675;[cpu_6];[fw4_1];FW-1: check_other_machine_activity: calling fwldbcast_died for ID 0;

;28Aug2018 14:50:31.870573;[cpu_6];[fw4_1];FW-1: check_other_machine_activity: calling fwldbcast_died for ID 0;

;28Aug2018 14:50:31.970513;[cpu_6];[fw4_1];FW-1: check_other_machine_activity: calling fwldbcast_died for ID 0;

 

From a testing point of view we looked at a number of things including moving the 2 members to the same physical host device. Nothing resolved this inconsistency. We finally were looking at the switching network environment and noted that the MAC's we were trying to communicate with were either not listed in the MAC address table or not pointing to where they should be.

 

Testing lead us to look at anti spoofing capabilities of oVirt. oVirt and for that matter most hypervisors KVM or otherwise enable an anti MAC spoofing rule to prevent one VM from taking over the traffic of another VM. In our case with clustering that is exactly what we wanted to happen.

 

From an oVirt point of view we removed the anti MAC spoofing rule from the cluster VM interfaces. At this time oVirt is in the process of adding a default setting to enable the Ant spoofing filter process. See this link for details: https://ovirt.org/develop/release-management/features/network/networkfiltering.html

Read more
0 1 68
Employee+
Employee+

Hello Everyone,

We are glad to update on the release of R80.20 Service Registration bundle for CloudGuard for NSX-V.
Release highlights:

  • R80.20 Management and R80.20 M2 support in service registration and provisioning
  • R80.10 CloudGuard Gateway is now aligned to the R80.10 jumbo hotfix Take 154 with security fixes and updates
  • Improved OVF capabilities (Larger log partition size, Support of Virtual Machine Compatibility Settings…)
  • Improved automatic license distribution
  • Important bug fixes
  • NSX 6.4.x support

Stay tuned for NSX-T news and make sure to visit our tech room at CPX for more info and demos on our upcoming solutions!

CloudGuard IaaS R&D

Read more
3 0 157
Employee+
Employee+

Hello,

 

We are happy to update that we released R80.20 Management Server in AWS.

It can be deployed using our CloudFormation template for Security Management Server:

The R80.20 Management Server is available as BYOL and PAYG for managing 5 GWs and can be deployed on the AWS M5 Instance Type Family.

 

R80.20 Gateway with new Linux kernel will come soon.

As always we are here for your comments and suggestions.

CloudGuard IaaS R&D

Read more
1 0 62
Employee+
Employee+

Hello Everyone,

 

We are happy to update that AWS recently announced their new Security Hub (preview) service and CloudGurad for AWS was declared as one of the Launch Partners.

Customers can enable CloudGuard integration from the Security Hub Console and CloudGuard will send its findings (logs) to the new AWS service.

Detailed configuration steps available here.

 

You are welcome to watch and share the movie we created to emphasize the integration.

 

Note: The integration is currently supported only on R80.20 Management Server deployed in AWS.

 

As always we are here for your comments and suggestions.

CloudGuard IaaS R&D 

Read more
0 0 41
Employee+
Employee+

CloudGuard IaaS R&D is proud to announce our R80.10 CloudGuard Controller Hotfix 1 release over JHF take 154.

The HF is now available to install on top of JHF take 154 in addition to JHF take 70.

 

R80.10 CloudGuard Controller Hotfix 1 offers the following features on top of the CloudGuard Controller built-in to R80.10:

       Integration with Google Cloud Platform

       Integration with Cisco ISE

      Integration with Nuage Networks VSP

       Major upgrade support from R77.30 to R80.10

       Automatic license management with the CloudGuard Central Licensing utility

       Monitoring capabilities integrated into SmartView  

       CloudGuard Controller support for Bladed Systems: 64000, 61000, 44000, 41000

       SmartConsole UI improvement

 

Customers who already upgraded to R80.10 M1 / R80.20 GA can take advantage of all these features using the built-in CloudGuard controller (no HF installation required).

 

Refer to sk120464 for download and installation instructions.

As always we are here for your comments and suggestions.

CloudGuard IaaS R&D 

Read more
1 0 65
Employee+
Employee+

Hello Everyone,

In an effort to improve customer awareness and add visibility to our announcements regarding feature releases, I'll be posting blog entries whenever we have an exciting new feature.

Hopefully, this will both be a good source for you to find out about exciting new features, as well as a platform for you to give us some direct feedback about those new releases.

I'll start with a few recent announcements (and possibly repost some older ones just in case there are readers who missed them), and going forward I'll be posting about new releases as they are announced.

Edit: I'll publish all other posts under my personal Blog CloudGuard IaaS Announcements 

Read more
4 0 119

Hi,

 

I would like to invite you to try out two new Gaia features which may provide a great deal of simplicity in day-to-day operation. You can find a short description below, followed by dates, available versions and contacts.

 

Both of them deal with the way we configure settings on Gaia gateways. We are used to tools like clish and WebUI, and in many cases we even need to switch to expert mode to set/get some of the gateway settings. These two projects are aimed to simplify and organize this.

 

  • Dynamic CLI

        

 

The idea is very simple – pull any expert command/script/binary to real clish command. But, unlike “extended command”, we are talking about real clish – with friendly syntax, auto completion, full RBA support (roles/features/users), history and more…

 

Example : instead of assigning admin privileges to the operator in order to run

 

#fw tab –t connections –f

 

Just stay in clish and type

 

>show security-gateway table connections formatted

 

And enjoy the auto completion (including the list of available firewall tables), help strings, and a peace of mind knowing that this operator will only be able to see the tables but not delete them, for example.

 

The feature brings in the infrastructure, the coverage of possible expert commands to be ported into clish is ongoing, and the list can be augmented based on what the field needs.

===========================================================================================

 

  • Ender (Gaia REST APIs)

                    

 

 

This one is a bit fancier – running a REST daemon on Gaia gateway, allowing remote configuration based on HTTP with JSON arguments and JSON response. Similar to existing Mgmt APIs, but this time covering any gateway configuration, any clish command, any expert command/binary or any flow combining a group of clish/expert commands in one URL.

 

Any sort of automation/orchestration or remote monitoring/debugging on the gateway (or Mgmt server) can be achieved with this feature over REST, including Ansible and Terraform support.

===========================================================================================

Cool, so how do I get it and when ?

 

Both of the features are now in EA, beta versions available (can be installed on top of R80.10 or R80.20). They come as a separate self-updateable hotfixes, and do not block the customer from installing JHFs on top of it (sweet, right ? ). We plan to release an SK with a downloadable package for each of the features by the end of this month - stay tuned.

 

Please, do not hesitate to contact Linor, Tal and myself for more details or if you want the EA version packages to play around with…

 

Cheers,

Kim

Read more
11 20 589

Hi, all.

 

Great news for our Cloud Guard and Open Servers customers : R80.20 Security Gateway with new Gaia based on kernel 3.10 is a GO !

 

We have completed the certification of public cloud (AWS and Azure) and new HP Gen10 Open Servers platforms.

 

The image will be available in Azure and AWS in a few days.

 

Performance improvement on kernel 3.10 based CloudGuard environments is ~300% comparing to current CloudGuard numbers !

 

We now support latest Gen10 HP servers as R80.20 gateways – and we will be adding more open servers soon.

 

The SK for R80.20 kernel 3.10 gateway with all the information and list of limitations is ready here - sk141173.

 

Thanks,

Kim

Read more
10 24 994
Employee+
Employee+

Hi, a customer challenged me to replace an ailing member of a cluster with a brand new one. here are the steps:


(This was tested on an  R77.30 cluster Afand R80.10 management server)

We assume that we have a cluster where in azure, the names of the cluster member VMs are CL1 and CL2. The name of the resource group is CLrg. We want to remove CL2 and replace it with a new member of the cluster. The steps are

  1. From Azure, delete all the resources in the CLrg resource group that are part of CL2, (all these resources’ names will begin with CL2. They include the VM, IP address, disks, vNICs)
  2. From the Azure portal record the ID of the availability set of the cluster (you’ll find it under “properties” of the availability set, in the CLrg resource group.)
  3. From Azure, using some new resource group, go through the motions of creating a single gateway (using the single gateway template). For all the parameter values you enter, make sure you adhere to 6.b-6.g below.
  4. After the verification, but before you deploy, you have a chance to download the template. Download it.
  5. Edit the template file you downloaded by adding the “availabilityset” key/value to the “properties” of the “virtual machine” section of the template. It should look like this:
  6. Use your favorite tool (e.g., powershell) to deploy the modified template but note the following
    1. Deploy to the same resource group as the cluster
    2. The VM name must be the exact same name as the VM you deleted (in this vase “CL2”)
    3. The version must be the same as the cluster
    4. The license must be the same as the cluster
    5. The installation type must be “gateway”
    6. The machine type must be the same as the cluster members
    7. The Vnet must be the same existinig vnet and the subnets must be the same subnets as the other cluster member
  7. Verify that the template was successfully deployed by looking, in the Azure portal, at the members of the availability set. The new member should be there
  8. Prepare the gateway to be clustered. SSH into the new gateway and
    1. cpconfig--> (6) Enable cluster membership for this gateway
    2. Reboot
    3. Copy the HA config file from the member that’s still on the cluster. In R77.30 the following command should do it (assuming the access policy allows it!) by scp from the new gateway to the existing gateway
      1. scp admin@<ipaddressofexistingmember>:/opt/CPsuite-R77/fw1/conf/azure-ha.json /opt/CPsuite-R77/fw1/conf
    4. Reconfigure the configuration using the commands
      1. azure-ha-conf --client-id <client id> --client-secret <client secret> --force
      2. $FWDIR/scripts/azure_ha_cli.py reconf
    5. Add the required routes to the new gateway (the same routes you added originally to the cluster members) 
  9. From SmartConsole
    1. Remove the old member from the cluster
    2. Publish
    3. Add the new gateway as a cluster member
    4. From network management, Get interfaces on the cluster
    5. Publish and push policy to cluster
  10. Test failover

Read more
3 1 183
Employee+
Employee+

Register for Check Point’s November 7th webinar to learn why advanced security inside the private cloud imperative to your business http://bit.ly/2iTZTJx

Read more
0 0 270
Employee+
Employee+

Hi all,

   I would like to use the official announcement from Microsoft this week of having the first Azure Stack boxes getting shipped in September to better understand how enterprises and integrators receive these news. Check Point is already available in the Azure marketplace and very soon also available for the Azure Stack on premise flavor.

Is the market ready for so much innovation at this time? 

We are happy with our current on-premise solution and have no plans for the Microsoft solution so far0
I never heard about customers interested in this solution1
I know of customers interested in Azure Stack on premise2
I already have customers evaluating Azure Stack preview0
My own company has plans to use Azure Stack0

Read more
0 0 138