I've said dumb, beacause at first I was trying to understand the mindset behind the fact that you don't want that your Security Gateway boots up automatically after an energy failure onsite.Then, after listen to my end customer and after thinking about the issue, I can see and understand the issue. I still think that it does not make sense for a Firewall vendor to implement something like that, since there are multiple solutions to address this on the market, but I since I did not find any reference to this on the documentation, I'm just asking to see if anyone had the same question over the time.

Thanks Andy.

Well, Im not a lawyer, never been one, know absolutely nothing about the subject, but to me, that may also fall into some legal trouble possibly, if vendor was to give such a suggestion. Because, if you think about it, what can stop someone from suing a company later arguing that they lost so much money because fw's got corrupted due to advice they were given, right?

I dont know, just "throwing" some scenarious out there...personally, in all my years with CP, I never had anyone ask me that.

Andy

Yup. I share the same vision. I understand the issue from the customer point of view, but I just don't see the point for a vendor to implement something like this.

Well, I think I will follow your suggestion and ask the TAC, just to have an official reply.

Thanks again Andy.

The best abbreviation in IT world, though this can apply generally in life...CYA...cover your a** : - )

Andy

Hi Bob,

Thanks for your insight on this. I don't think that will help my end customer. The most probable outcome of all of this is he asking us to disable such thing if we were able to deploy it on the first place. 🙂 If it was something supported on the Product Level, then fine, but when is something related with the system Level I'm a little bite reluctant to change. 

Regarding the open server suggestion, my end custmor has a paior of QLS250 for less than two years and is happy with them. I don't think that a change to open servers just because of this is even worth to think about.

Thanks again for your knowledge.

Regards,

César Santos

Just to make sure we have the fact right, I gather from all you said your customer is looking for a way that if site where firewalls are loses power, when it comes back on that firewalls do NOT power on automatically, right?

If thats the case, if I were you, as I mentioned before, I would open TAC case and ask exactly that and see what they say.

Just my honest suggestion.

Andy

Hi Andy,

Yes, you're right. That is exactly want he wants.

I'll open a TAC case, as you've suggested.

Kind Regards,

César Santos

Sounds like a good plan...keep us posted what they say, Im super curious. Though I never had anyone ask me this question, its really interesting one.

Andy

Guess thats the answer then 🙂

Andy

Well, when you buy Check Point's branded hardware, you pay today's pricing for decade-old specs, and you get weird limitations like this. At least the QLS250 is priced decently.

The only place to change this is in the boot ROM's configuration. On branded servers, that's behind a password which support does not share.

The QLS250 uses SSDs, so there's no real potential for problems with the physical drives; the only potential corruption is within the filesystem (either lv_current or lv_log). Snapshots let you fix problems with lv_current, and corrupted data in lv_log doesn't matter. Just keep at least two snapshots at any time, set up LOM access (so you can access the boot menu to revert from there in case the system doesn't boot), and you'll be fine.

Bob, I'm with you. I'm aware that the main potential problem is the corruption of the filesystem in the event of the Gateway continues to reboot due to energy problems onsite. Also, I'm aware how to kind of mitigate that risk. 🙂

I'm just trying to double check the question of my end customer, because I need to be honest and admit that he caught me off guard when he've asked me this.

Kind regards

Honesty is always the best policy!