I am Dorit Dor, VP of Products for Check Point, Ask Me Anything!

Dorit_Dor
Employee

CheckMates members can WATCH A VIDEO of the event with special commentary here: Ask Me Anything with Dr. Dorit Dor and Team 

I am Dr. Dorit Dor, Vice President of Products at Check Point. I lead the company’s product management, business development, research and development (R&D) and quality assurance (QA). Together with the amazing product team at Check Point, we lead the initiatives from concept to delivery and oversee the roadmap.

 

Leading Check Point R&D since 1995, I have seen the industry evolve from static networks into modern IT leveraging mobility and cloud, alongside the evolution of threats with modern attack methods. While all of us are worried about the next attack, more than 93% of organizations have not put in place the fundamental cyber security technologies to prevent modern attacks, attacks that can be avoided. My fear is that the world is adopting mobility, cloud, and IoT without taking measures to secure them.

 

Our mission is to deliver protections against these modern threats in a way that is easy enough to consume, and for that we need your feedback. We are committed to being open and sharing our knowledge and expertise, and we hope this will lead to continued dialog and collaboration.

 

My team and I are delighted to invite you to Ask Us Anything!

How to Participate

  • Event is over, no further questions can be asked.
  • Questions asked during the event are posted with responses as comments below.
  • CheckMates members can also view an exclusive video of some of the questions and answers with special commentary here: Ask Me Anything with Dr. Dorit Dor and Team

With Me In This Session Are:

100 Comments
Dorit_Dor
Employee

1. HP Gen 9 is certified as part of the HCL. There was an issue with a specific variation of Gen 9 which wasn’t supported with maintrain versions (77.30/80.10). With configuration changes, it is possible to make 77.30/80.10 operational.

2. We in QA are working constantly to improve our process & learn from the field.

Our Quality focus does not end with the Release, but continues Post Release.

In the Post Release Analysis process, we review issues from multiple customer sources like support tickets and technical forums, and we also visit customers in our field week program. We review and identify the quality gaps. The review leads to action items like immediate or long-term product improvements and also new test scenarios, for example in our Customer Oriented Testing. The PRA helps QA in its continuous quality improvement.

I’ll be happy to work with you on the degradations you mentioned & check what we missed here.

3. As for R80.10 we have a common upgrades/updates method in CPUSE. If you can elaborate on your specific concerns in a separate thread on CheckMates (or privately), we can address them.

4. We have made improvements to both what is supported with SecureXL and CoreXL and optimization in R80.10. If you can elaborate on your specific concerns in a separate thread on CheckMates (or privately), we can address them.

5. Please refer to my previous answer regarding support. If you have specific feedback you are welcome to approach us directly with some specific case examples and we will handle it in retrospect like we would have handled similar survey feedback (learn the cases in order to improve process and give feedback back as appropriate).

6. Our Technical Publications team is working consistently to improve our documentation & SKs to be up to date and consistent with our latest releases. We enable end users to post direct feedback on any technical page on our website. Our team should respond to all feedback within 48 hours with clarification for any unclear subject; we will be happy to work with you on the SKs that are not clear enough.

Dorit_Dor
Employee

On Kaspersky

In the past years, we have built a strong threat prevention team and product capability that is independent from any external vendor and offers far superior zero day malware protection. Our modern network security protection is therefore offered with NGTX and SandBlast. 

Check Point works with many security vendors globally. Our goal is to offer our customers choice, while providing them with the best security and threat prevention in the market.


Check Point is tracking the rising concerns and directives regarding use of Kaspersky software by US government agencies and others. We are committed to support our customers and help them conform with any government regulations or concerns regarding use of 3rd party code in their environment. As such, we offer our customers the choice and instruct them how to configure our products according to their individual needs.

As part of this choice, we have recently released a version of our gateway that does not include the Kaspersky code (see sk118539). We also plan to offer its Endpoint Anti-Malware blade with no Kaspersky components. We are currently evaluating options to ensure quality and stability; we expect to conclude this evaluation in a few weeks. We will provide an update as soon as our plans are finalized.


As always, Check Point is committed to supporting its customers to conform with any government requirement, and happy to work directly with concerned customers to address their specific needs.

On Telephone Numbers

A device's phone number can easily be used to attack a user and steal their account credentials.

 

A good example of this is an SMS phishing attack. Mobile device users are more vulnerable to SMS phishing since SMS messages are limited in the number of characters and shortened URLs are commonly used for web site addresses. Users that aren't aware of this risk will not check the site they just opened in their mobile browser and may enter their credentials into a phishing site. Further, mobile browsers tend to hide the URL address line to provide more content on the small screen, and users need to actively unhide it to see the site address.

 

A more complicated attack is an SS7 attack. Signaling System 7 is a set of telephony signaling protocols used to set up and tear down phone calls, perform Short Message Service (SMS), and a number of other telephony functions. There are inherent weaknesses in the design of SS7 that can be used to enable data theft, eavesdropping, text interception, and location tracking.

  

In both cases, the only thing the attacker needs to launch the attack is the user's phone number.

Ofer_Raz
Employee

We intend to move to a newer Linux Kernel in a phased manner, starting with the management products, then security gateways later on. The Linux kernel will be based on version 3.10.

 

We will have an Early Availability for Management Products soon and expect to start an Early Availability for Security Gateways later in the year. Our Early Availability Programs page has more information about EA programs and how to sign up.

Ofer_Raz
Employee

We are looking into this capability for future versions of the SMB gateways. We would be happy to receive information and feedback on how this feature will be used and in what scenarios. For example, is this for retail environments, offices or something else? Will the social identification only be used for monitoring & logging, or also for setting policy for specific people?

Ofer_Raz
Employee

Let me start with the general fix release process.

Looking at a major version (say R77.30 or R80.10), we work with customers to provide them fixes and try to get all these fixes into a jumbo hotfix. As these fixes are available to all customers, we apply strict criteria on what fixes can be included. Assuming the fix is approved for inclusion, it will be included as part of the immediate ongoing jumbo hotfix, which is made available to customers with the issues in question. After getting enough positive experience with the fixes, we will declare one of the ongoing jumbo hotfixes to be recommended and it will be made available to all customers.

If, however, a fix is not approved for the jumbo, which may happen because the fix may work for a specific user scenario but adds risk for other users using the product differently, we will deliver a customer-specific hotfix. Systems with customer-specific hotfixes applied cannot be upgraded without getting a new version of their fix for the target upgrade version. For these customer-specific fixes, we will seek to add a more generally applicable fix into a future jumbo hotfix.

In recent years, we’ve added mechanisms in the upgrade process to prevent an upgrade in case a given fix was missing in the upgraded versions.

When a new major version is released (e.g. R80.20), we will do our best to incorporate the latest available jumbo hotfixes. Certification of new releases takes time and we may have frozen the release before the latest public hotfix. In this case, we will release a jumbo hotfix for the new major version aligned to the previous jumbo hotfixes.

In the Scalable Platforms (41k/44k/61k/64k), the process is quite similar, with the main difference being that customers are even more sensitive and the inclusion criteria for the jumbo hotfix are even more strict. We do strive to include most fixes in the Scalable Platforms code versions.

For your specific case, please approach us privately with specific examples (including relevant support tickets) and we can provide more direct feedback.

Ofer_Raz
Employee

1. HTTPS Inspection is planned to be incorporated into R80.x SmartConsole during 2018.

DLP in R80.10 works as it did in R77.x and will be further developed as part of our product roadmap.

 

It's worth highlighting that R80.10 introduces a new blade, Content Awareness, as part of the new Unified Access Control Policy. This blade also works with HTTPS Inspection, using it as part of the unified policy and enabling the administrator to enforce the Security Policy and restrict the Data Types that users can upload or download based on the content of the traffic, by identifying files and their content together with direction.

Content Awareness can be used together with Application Control to enforce more interesting scenarios (e.g. identify which files are uploaded to DropBox) that cannot be achieved with the existing DLP offering.

2. Oracle Cloud support for vSEC is on mid term roadmap.

Ofer_Raz
Employee

This SK describes best practices to maximize performance.

In the Application Control blade in R77.x, an “Any Any Allow” rule will not only allow all traffic but will enable the deep inspection engines (streaming, pattern matching, application identification) on all traffic. If a user would like to classify applications on all traffic (outgoing, incoming and internal), such a rule should be configured. However, if a user just wants to ‘allow all the rest’, the implicit cleanup of the APPI policy should cover that.

In R80.10, the following rule will allow all traffic without doing deep inspection:

If you want to identify applications and do deep inspection, create a rule as follows:

If you want to do this only for Internet-bound traffic:

Ofer_Raz
Employee

It is a good question, yet, there is no simple answer as there are many possible topologies.

Our recommendation is to maintain a layered approach. Segmentation can be done on both the virtualization platform (preferably at the hypervisor level for best segmentation) and the physical layer as an entity that is guaranteed to view all traffic to/from relevant segments and organizations.

Ofer_Raz
Employee

To the best of my knowledge, these are legacy features that are not in wide use. I will be happy to explore more if you can share a bit more background to your question.

Ofer_Raz
Employee

1. Application Control ATRG is available in sk73220

2. Please see above response regarding future OS and Linux Kernel

Ofer_Raz
Employee

We have been running a 64-bit kernel since R75.40. Virtual Systems can run in 64bit mode as of R80.10.

If the question is around user space, we do not have plans to move this to 64 bits. We would love to hear about the use case you have in mind.

Our planned future OS is targeting support of Skylake-SP platforms. We are also planning to use XFS and overall improve I/O, which will improve the experience with snapshots.

Ofer_Raz
Employee

The routes that are added to the machine are derived from the VPN domain configuration on the Security gateway based on the Topology.

You have 2 options:

  • “All IP addresses behind the Gateway…” => all the internal networks behind the gateway will be considered
  • “Manually defined” => you can define a specific network or group of networks for the VPN domain, and only routes for these networks will be added. Traffic for these networks will be encrypted.

 

As for the DNS configuration, you can configure the internal DNS server in the Office Mode configuration:

When the client connects to the VPN Security Gateway, it will download the DNS settings.

Those settings are per gateway and cannot be configured on the client.

Ofer_Raz
Employee

1. Indeed, in R80.10 FQDN is supported in Access Policy, matching exactly the domain configured.

  • In this example: support.checkpoint.com will match but qa.support.checkpoint.com will NOT match
  • The gateway performs a direct DNS query upon policy installation and caches the result
  • An additional DNS query is sent every 30 seconds. The result is added to the existing IPs for this domain.
  • An entry in the cache expires after 1 hour.
  • For each connection, the IP is looked up in the cache. If found, the domain in the cache is matched against the domain in the rule.

2. There are no plans to make a complete WebUI replacement for SmartConsole. We will, however, continue to improve CLI and REST API support.

3. Different encryption domains for site-to-site VPN endpoints are planned for development during 2018.

4. For TOR traffic:

  • Traffic entering the TOR network:
    • TOR Browser traffic is encrypted; while passing through the gateway, it will be detected and successfully blocked by Application Control
    • HTTPS Inspection is required in order to block the traffic due to evasion techniques used by the TOR Browser (Domain Fronting among them).
  • Traffic exiting the TOR network:
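The FQDN-object matching described in item 1 above, as a small added simulation (not Check Point code). The cache timings follow the answer; the sample domains and the 203.0.113.x addresses are constructed, and the assumption that an entry's one-hour expiry counts from the last time the gateway's own DNS query returned that IP is mine. The point worth seeing is that matching is keyed by the destination IP the gateway itself cached: a connection to an address the gateway never resolved does not match, and a subdomain never matches the parent.

```python
"""Simulation of the R80.10 FQDN rule matching described in the answer:
exact-domain match, DNS re-query every 30 s that adds IPs, 1-hour cache
expiry, lookup keyed by the connection's destination IP.
Added illustration, not Check Point code; sample data is constructed."""
from dataclasses import dataclass, field

REFRESH_INTERVAL = 30      # seconds between the gateway's DNS re-queries
CACHE_TTL = 60 * 60        # cache entries expire after one hour


@dataclass
class FqdnCache:
    # ip -> (domain, time the gateway last saw this IP in a DNS answer)
    entries: dict = field(default_factory=dict)

    def refresh(self, domain, resolved_ips, now):
        """Record the answers of one DNS query. New IPs are added next to
        the IPs already cached for the domain; nothing is replaced."""
        for ip in resolved_ips:
            self.entries[ip] = (domain, now)

    def expire(self, now):
        """Drop entries older than CACHE_TTL (assumption: measured from the
        last refresh that returned the IP)."""
        self.entries = {ip: (d, t) for ip, (d, t) in self.entries.items()
                        if now - t < CACHE_TTL}

    def domain_for(self, ip, now):
        """Domain cached for this IP, or None if unknown or expired."""
        self.expire(now)
        hit = self.entries.get(ip)
        return hit[0] if hit else None


def fqdn_rule_matches(rule_domain, cache, dest_ip, now):
    """A connection matches an FQDN rule only when its destination IP is in
    the cache AND the cached domain equals the rule's domain exactly."""
    cached = cache.domain_for(dest_ip, now)
    return cached is not None and cached == rule_domain


def walk_through():
    """Replay the answer's example on constructed data; returns the five
    match results in order."""
    cache = FqdnCache()
    rule = "support.checkpoint.com"
    t = 0  # policy installation: gateway resolves the FQDN objects once
    cache.refresh("support.checkpoint.com", ["203.0.113.10"], t)
    cache.refresh("qa.support.checkpoint.com", ["203.0.113.20"], t)

    r1 = fqdn_rule_matches(rule, cache, "203.0.113.10", t + 5)   # exact domain
    r2 = fqdn_rule_matches(rule, cache, "203.0.113.20", t + 5)   # subdomain: no
    r3 = fqdn_rule_matches(rule, cache, "203.0.113.99", t + 5)   # never cached: no

    # 30 s later the periodic re-query returns a new address; it is added.
    cache.refresh(rule, ["203.0.113.11"], t + REFRESH_INTERVAL)
    r4 = fqdn_rule_matches(rule, cache, "203.0.113.11", t + 35)

    # The original IP was last seen at t=0; after an hour it has expired.
    r5 = fqdn_rule_matches(rule, cache, "203.0.113.10",
                           t + REFRESH_INTERVAL + CACHE_TTL + 1)
    return (r1, r2, r3, r4, r5)


if __name__ == "__main__":
    print(walk_through())
```

Operationally this is why clients that resolve the same name through a different resolver (or a CDN handing out per-client answers) can hit addresses the gateway has never cached and fall through to later rules; monitoring for such misses is a matter of comparing the client-side answers with the gateway's cache, not of widening the FQDN object.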
Ofer_Raz
Employee

As you asked several questions, I will try to address each one:

Hi, I have a concrete case regarding sk39555 globally and more precisely in VSX environment .

I would like you to explain/show us how a firewall (classical or VS) manages it if the actual concurrent sessions reach the maximum allowed:

- what is its behaviour (and at what OSI level? In the case of a classical FW, the limitation is likely related to a physical performance issue, whereas in the case of a VS the limitation is set manually; BTW: maybe in the next R8* the VSX Gateway will manage this differently and allow the maximum number of sessions dynamically? Or maybe not, because it's better to define this value manually? So: why?)

For classical (non-VSX), the connections limit is physical memory. VSX didn’t support 64-bit until R80.10, so a single VS was limited to 4GB.

When running several VSs on a single appliance, customers should control how much memory each VS will get, so resource starvation of other VSs is avoided. We have more granular resource control per-VS on our roadmap.

If we choose the default of the maximum memory for a single VS, then it can create memory starvation for all other VSs. We may consider this option for a 64-bit VSX, but not as a default.

how can we be alerted ('fw tab -t connections -s' CLI; SNMP using fwNumConn and fwConnTableLimit) or - I don't know - by viewing /<somewhere>/<someLogFile>.log or in SmartLog?

Use SNMP monitoring per VS of the fwNumConn parameter and check when it reaches fwConnTableLimit. We will consider adding SNMP traps for it.

how can we understand what is needed and how can we adjust it (what is the math we need to do, and in a VSX environment: must the SUM of all memory space allowed for all VS' hash tables not exceed the total memory available on a VSX Gateway?)

The SK mentioned above states that 420 bytes are used per connection, thus 420 * number of concurrent connections is what is used per VS. The SK is from 2009 and we are verifying the numbers now. This number is for firewall only. With the various features enabled, each connection uses much more memory (estimated to be ~10K bytes per connection, but we are rechecking this).

Ofer_Raz
Employee

Currently there are no REST APIs providing the ability to query the classification of a particular URL, or to check policy according to user and URL. The REST APIs are more likely to be used for defining policy rather than providing blade-specific context.

We do have a link to our Check Point site for URL classification. For the mentioned purposes, replicating a self-help web interface, it probably won’t help.

While it is not in our current plans, we will consider this for the future.

Ofer_Raz
Employee

Microsoft Operations Management Suite (also known as OMS) is a collection of IT management services, designed in the cloud and hosted in Azure. A key component of OMS is its Log Analytics service, which helps customers collect, correlate, search and act upon logs and events across multiple sources. We have published an SK describing how to send Check Point logs to Microsoft OMS. This capability is applicable to both on-premise and public cloud gateways.

 

Note that currently we only support this with R77.30; adding R80.10 support is on our roadmap.

Ofer_Raz
Employee

Please read the general jumbo process as described in one of the previous answers.

One of the big challenges we have with the R77.30 jumbo in particular is related to TLS 1.2. Unlike normal fixes, this is a relatively big fix (more than the usual jumbo fix) but it is needed for a large portion of the install base. We put the code into the current ongoing jumbo hotfix.

 

There are isolated cases of problems that we insist on resolving before making the jumbo hotfix recommended. We believe that we are quite close to the finish line and we expect to have an updated jumbo recommended hotfix available in the coming few weeks.

If you are in need of the latest ongoing jumbo, do not hesitate to use it if support recommends it. It’s already deployed in thousands of environments and when they recommend it, it’s after they look at your configuration to verify you can use it.

Danilo_Lara
Contributor

First of all, thanks for this great initiative.

Is there a planned date to release Workflow blade for R80.10?

I would like to suggest creating a licensing simulator. It would be very helpful, especially when quoting big deals where many gateways are involved, multi-domain management, VSX, SmartEvent and endpoint security. As we have new part numbers, sometimes we get confused when preparing a quote. Some part numbers cannot be accumulated; for example, if I have two part numbers for 3 virtual systems, I do not have 6 virtual systems licensed at all.

Regards,

Dorit_Dor
Employee

1. It's hard to cover such a long period in a short response, but I will try to focus on the highlights.

Twenty years ago, security defense (not called cyber yet) was mainly structured around networks with firewalls and endpoints with antivirus. In the past years, national-grade tools were exposed and very sophisticated attacks were disclosed publicly. In parallel, IT evolved, complexity increased, and now everything is truly connected, leveraging mobility, software-defined data centers and cloud.

I believe that cloud and mobility bring challenges that many enterprises have not realized yet, and are naively used without proper defenses (the risks being underestimated). I believe that attackers will leverage these vectors more. Such attacks can be prevented, and I believe that in the future enterprises will realize the challenge and will protect their IT in a holistic way. The challenge will only intensify with IoT becoming part of the connected network (including cars, medical devices and more) and with nation states leveraging cyber space more aggressively.

Our challenge as a security vendor is to stay ahead. We need to continue to offer excellent protection to a wide audience, keeping it simple enough to deploy and consume.

2. Openness is a fundamental attribute of the Infinity architecture.

 

With the introduction of the R80 train and the Infinity architecture we have created built-in APIs for management, security and more. We see APIs as fundamental to operating the architecture, and we have created mechanisms to safely delegate and manage operation through the APIs.

 

The tools on top of these APIs will be shared as open source tools and can already be found in CheckMates and GitHub. Among the tools are object & rule manipulation, SmartMove (competitive policy conversion) and, in the future, web components and "policy apps" (applications that simplify targeted UI operations).

 

We have started to create an active community that can leverage and advance the tools. We are looking forward to your participation.

Kadu_Bulglitars
Explorer

Hi, first of all thanks for this great initiative.

So, I'm starting at Check Point and I have some silly questions:

I have an entire environment configured with rules and routes running on iptables. I would like to know what would be the best way to migrate the current solution to Check Point without causing major impacts on production. Is there any SK dealing with this question? At the moment all the configuration (Check Point) is disabled but is the same that I used on iptables, for example: all interfaces have the same IP address in both. The only way to migrate is in production.

The other question is about the IP address of the ClusterXL. Must it be an external IP?

Gabi_Reish
Employee Alumnus

Christoph, it's our pleasure and we appreciate your question very much.


Since the initiation of Next Generation SmartEvent (NGSE) as part of R77.30 and R80.x, instead of offering the partial functionality of SmartEvent Intro, we offer customers the full functionality of SmartEvent, together with the Compliance Blade, as part of the Security Management Server for one year. In this mode, customers can enjoy all the benefits of SmartEvent and then decide to renew this important functionality on an annual basis.

Amnon_Perlmutte
Employee

When we designed R80, we set a goal to have an outstanding UI experience for the admin as well as flexibility in UI components (running all monitoring and key functionality on the web or mobile). At that point we evaluated the outcome of a native Windows UI vs. a web client for heavy admin usage. The native client was far superior in the heavy admin scenario, which accounts for the majority of use.

We developed a native Windows UI, not willing to compromise that experience. In parallel we enabled a strong API and CLI as alternate forms of management. Moreover, some functionality (the part that was more relevant) is based on native web interfaces (all logging and monitoring functions).

Going forward we intend to add more web components as well as adding mobile usage for certain scenarios. We have already seen our partners leverage the APIs & web to integrate management functions into their daily operations centers, and we expect that the future web components will further continue the trend into more functionality.

A Mac native interface is second in priority compared to the above, but we keep an open mind to additional needs and how they can help us support new usage scenarios.

The excellent adoption of R80.10 into our large enterprise customer base and their overall positive reaction to the smooth user experience gives us confidence with the UI choices that we made so far.

Amnon_Perlmutte
Employee

In the Logs and Monitor section of SmartConsole or in SmartView, click on the plus (far right tab).

From here, you can create a New View:

 

Specify category Application Categories.

Create a simple table with the fields:

 

You can optionally include the Source User Name.

Example:

Amnon_Perlmutte
Employee

Java has been the leading technology for application servers for many years now. It has many advantages over low-level programming languages and makes better use of different hardware capabilities. It is working as expected in R80 and is providing a superior management server for our customers. Many of the R80 management features would be very hard to provide with low-level languages.

Like any technology, Java requires deep understanding of its internals to make sure it is used the right way to derive maximum benefit. We have highly skilled engineers who understand the technology in depth to make sure we provide the best solution to our customers.

Amnon_Perlmutte
Employee

We fully understand the need for customers to have a single pane of glass where they can manage all the security aspects. We have concrete plans and are progressing toward having the ability to configure all management aspects from SmartConsole in addition to CLI and REST API.

In our near term roadmap, we plan to support different encryption domains per gateway per VPN community. We also plan to support SAs created as encryption domains configured it in the future.

Amnon_Perlmutte
Employee

We’re planning to support per-object hit count during 2018.

Amnon_Perlmutte
Employee

If I understood correctly, you’re asking two questions:

As a customer, how can I get information about new APIs, in HFAs or releases, and the API roadmap?

Typically, the reason for having HFAs is to improve the stability of existing releases and not to provide a vehicle for delivering new functionality. Therefore, at the moment, there are no plans to deliver new APIs in HFAs.

New releases will bring with them new versions of the APIs and new functionality – you should be able to find the change log as part of the next release’s API reference. This API reference will become available along with the “early availability” (EA) program of R80.20.

The above items (interoperable devices, encryption domain, get topology) are, unfortunately, not part of our plans for R80.20. They are part of our roadmap for a later release.

Is there something that I can do today with regards to creating “interoperable devices”, setting “VPN Encryption domains” and fetching gateway topology/interfaces?

We have undocumented APIs called “add-generic-object” and “set-generic-object”; these APIs provide direct access to the database and can be used to create “interoperable devices” and to set the encryption domain of a gateway. The “VPN Domain” settings offer these two options in the GUI:

 

To set the VPN domain to “All IP addresses behind Gateway ..”:

POST https://<mgmt-server>:<port>/web_api/set-generic-object

{
  "uid" : "8bc037bf-8626-4ec1-98e8-cc57918b7a03",
  "encdomain": "ADDRESSES_BEHIND_GW",
  "manualEncdomain": null
}

Where "8bc037bf-8626-4ec1-98e8-cc57918b7a03" is the unique identifier of the gateway object you wish to edit.

To set the VPN domain to “Manually defined”:

POST https://<mgmt-server>:<port>/web_api/set-generic-object

{
  "uid" : "8bc037bf-8626-4ec1-98e8-cc57918b7a03",
  "encdomain": "MANUAL",
  "manualEncdomain": "9fe07a29-4c9d-4984-8ea2-01f2cc974c4b"
}

Where "8bc037bf-8626-4ec1-98e8-cc57918b7a03" is the unique identifier of the gateway object you wish to edit and "9fe07a29-4c9d-4984-8ea2-01f2cc974c4b" is the unique identifier of the network/group object that you wish to use for the encryption domain.

Shortly, we will provide via Code Hub sample scripts for creating an interoperable device. Unfortunately, we cannot offer a quick workaround for fetching topology/interfaces.

Disclaimer: “The usage of the generic-object API is similar to using a dbedit script, allowing customers to manipulate the Check Point database. The generic-object API calls are supported calls that customers are allowed to use. However, if a customer writes a script using generic-object API calls and later that script is “broken” because Check Point had changed the schema of the database, Check Point TAC will not be responsible for adjusting the customer’s script to use the new schema.”
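A scripted version of the two set-generic-object calls above, as an added example (not Check Point's code and not a sample from this thread). It assumes a Management API server and an API-enabled administrator; the login, publish, discard and logout commands and the X-chkp-sid session header are the documented Management API session mechanics, while set-generic-object is the undocumented call the answer describes. Because that call writes straight to the database with no schema guarantee (see the disclaimer), the script validates the payload before sending anything and discards the session rather than publishing if the call fails. The server address and credentials are placeholders; the UIDs in the usage block are the sample values quoted in the answer.

```python
"""Set a gateway's VPN encryption domain via the Management API's
undocumented set-generic-object command (see the answer above).

Added example, not Check Point code. Assumptions: MGMT_URL points at a
Management API server and API_USER is an administrator with API access.
"""
import json
import ssl
import urllib.request

MGMT_URL = "https://mgmt.example.invalid:443"   # placeholder management server
API_USER = "api-admin"                          # placeholder administrator
API_PASSWORD = "change-me"                      # placeholder, use a secret store

# The two "encdomain" values shown in the answer, one per GUI option.
VALID_MODES = {"ADDRESSES_BEHIND_GW", "MANUAL"}


def build_vpn_domain_payload(gateway_uid, mode, manual_domain_uid=None):
    """Return the set-generic-object body for the chosen VPN Domain option,
    refusing combinations the GUI itself would not allow."""
    if mode not in VALID_MODES:
        raise ValueError(f"unknown encdomain mode: {mode!r}")
    if mode == "MANUAL" and not manual_domain_uid:
        raise ValueError("MANUAL needs the UID of a network or group object")
    if mode == "ADDRESSES_BEHIND_GW" and manual_domain_uid:
        raise ValueError("ADDRESSES_BEHIND_GW takes no manual domain object")
    return {
        "uid": gateway_uid,
        "encdomain": mode,
        "manualEncdomain": manual_domain_uid,   # serialises to null when unset
    }


def payload_json(payload):
    """The body exactly as it goes on the wire (None becomes JSON null)."""
    return json.dumps(payload, indent=2)


class ManagementSession:
    """Minimal login / call / publish / discard / logout wrapper over urllib."""

    def __init__(self, base_url, verify_tls=True):
        self.base_url = base_url.rstrip("/")
        self.sid = None
        self.ctx = ssl.create_default_context()
        if not verify_tls:   # lab use only; keep verification on in production
            self.ctx.check_hostname = False
            self.ctx.verify_mode = ssl.CERT_NONE

    def call(self, command, body):
        headers = {"Content-Type": "application/json"}
        if self.sid:
            headers["X-chkp-sid"] = self.sid   # session id returned by login
        req = urllib.request.Request(
            f"{self.base_url}/web_api/{command}",
            data=json.dumps(body).encode(),
            headers=headers, method="POST")
        with urllib.request.urlopen(req, context=self.ctx) as resp:
            return json.loads(resp.read().decode())

    def login(self, user, password):
        self.sid = self.call("login", {"user": user, "password": password})["sid"]

    def publish(self):
        return self.call("publish", {})

    def discard(self):
        return self.call("discard", {})

    def logout(self):
        return self.call("logout", {})


def set_vpn_domain(session, gateway_uid, mode, manual_domain_uid=None):
    """Apply one VPN-domain change and publish it; discard on any failure so a
    half-applied generic-object edit never reaches the published database."""
    payload = build_vpn_domain_payload(gateway_uid, mode, manual_domain_uid)
    try:
        result = session.call("set-generic-object", payload)
        session.publish()
        return result
    except Exception:
        session.discard()
        raise


if __name__ == "__main__":
    s = ManagementSession(MGMT_URL)
    s.login(API_USER, API_PASSWORD)
    try:
        # UIDs are the sample values quoted in the answer above.
        print(set_vpn_domain(s, "8bc037bf-8626-4ec1-98e8-cc57918b7a03",
                             "MANUAL", "9fe07a29-4c9d-4984-8ea2-01f2cc974c4b"))
    finally:
        s.logout()
```

Keeping the payload builder separate from the HTTP session means the validation can be unit-tested offline, and a script like this can be pinned to the schema it was written against: if a later release changes the field names, the builder is the one place to update.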

Rolf_Lunestad
Explorer

Q: Will there ever be a better way to log/troubleshoot VPN connections?

There should be access to VPN debug/logs in the GUI. Today the process of debugging is too cumbersome, with looking at elg files with IKEView etc.

Amit_Gadol
Employee

Hi Ted:

Check Point's Quality Assurance methodology and structured processes bring all Check Point products to the highest quality and meet Check Point's strict standards.

 

The purpose of Check Point QA is:

  • To enable the release of Check Point security products
  • To enhance product end-to-end quality

QA is a Customer Advocate inside Check Point, making sure our products stand up to our customers' highest standards.

 

To meet our mission, we have a testing model that results in layers of confidence, throughout the QA lifecycle. Each layer has its methods and goals. When the success criteria of a layer are met, we have the confidence level to close that layer.

  

Layer 1 – Dev testing – Manual and Automated tests that are also used for regression in later Layers

Layer 2 – Smoke testing – automatic, quick and parallelized for Continuous Integration

Layer 3 – Feature / product testing – automatic to ensure regression & manual to ensure the User Experience through human interaction with the product

Layer 4 – COST - Customer Oriented Scenario Tests - simulating very large customer topologies & integration testing to gate the release to the next layer; production Early Availability – automatic & manual 

Layer 5 – Early Availability – Real world production deployments to get feedback from our valued Early Adopter customers

Layer 6 – Go/NoGo Discussions based on Layer Test Results – automatic & manual

 

Each layer has its pre-defined quality gates & success criteria.

 

Once we release a product to General Availability, we start our PRA process. Post Release Analysis is a review of issues from multiple sources of information that QA verified as Quality Gaps. We share the issues with R&D, to close and prevent the Quality Gap from happening again. The PRA helps QA in its continuous quality improvement.

 

To detect & analyze issues that happen during testing or even in production, we are using real world data from cpview & cpdiag; this allows early detection for PRA and is also a good source for Customer Oriented Scenario testing.

 

Per log files, yes, we do have automatic tests that test the systems under stress, log files included.

Amnon_Perlmutte
Employee

There are two kinds of rulebase tools we aim to provide in the next year:

  • Rulebase Assistance Tool – a tool that helps to better locate a rule within a rulebase. This feature will be suggested as an addon to SmartConsole (SmartConsole version not yet decided)
  • Compliance Blade – helps to make sure the rulebase as well as other configuration parts are defined according to best practices or regulations. While the Compliance Blade already exists in R77.x and R80, we expect to release next year an enhanced version which will provide many new capabilities to ensure the rulebase is well defined.

 

We welcome more input about needs for more tools. In case you feel more tools are needed, we’ll be happy to get your input.

Amnon_Perlmutte
Employee

SmartWorkflow consists of two parts:

1. Ability to see a change report (diff)
2. Approval cycle.

In R80, as a multi-admin system, these capabilities become more necessary and much more useful. R80 already provides some tools out of the box, and we plan to provide more during the next year.

Available in R80.10:

  • Take over session – ability to move a session from one administrator to another.
  • Session history pane – in R80, all changes are made within a session which is saved on the server even before publish. The feature is not turned on by default; for more details please refer to Review the changes in your current session
  • Revision control – R80.10 has a built-in revision control where each and every published session can be found. It is possible to view the configuration of this session and see a list of changes made in the session.

Expected to be available next year:

  • Multi session per administrator – ability for each administrator to work on several sessions (e.g. different tickets) in parallel
  • Diff reports – Ability to track changes as diff or issue a report.

The approval cycle is also in our plans for next year, but we have no final timeframe yet.

Ofer_Raz
Employee

We are looking at combining policy-based routing with cloud services and would like to know more about the use case, link/application distribution and health check probing. We are planning to accommodate some of the requirements as customer-specific releases and are also considering this for future maintrain releases.

Ohad_Bobrov
Employee Alumnus

Pure client-less access is currently available via the Mobile Access SSLVPN Portal.

SNX as an on-demand L3 VPN client is available as well.


The following is on our roadmap:

  • Apache Guacamole support, for pure clientless RDP.
  • reCAPTCHA support in the portal’s authentication page.
  • New portal’s deployment agent, to support all browsers without Java plugins (sk113410, available now as HF)
  • Mobile Access Blade Settings in the new SmartConsole.
  • Improved Link Translation technology
  • A richer and more granular portal customization platform for the administrator

Gabi_Reish
Employee Alumnus

Rutger, as part of the realization of the Infinity architecture we are working on multiple fronts to improve the collaboration and synergy across networks, cloud and management. On the management side we are continuously strengthening our interfacing capabilities, enabling full integration with 3rd parties. On the threat prevention side, a core value of the architecture, we are continuing to innovate and add more technologies in order to detect threats even better and prevent the damage before it occurs, with increasing sets of threat intelligence. In the cloud we would like to continue our major investments and cooperation with key cloud providers, including new advancements in security management of workloads in the cloud.

As for inline Threat Extraction, this is something we are indeed working on with a target GA timeframe of Q1 2018. Inline Threat Extraction will enable us to do threat extraction for all web-downloaded documents. The most important value is that we will be one of the first, if not the first, to close the gap of downloading documents from private web-mail like Gmail. It will automatically extract the threats from the documents while downloading them. Though we have one of the fastest and most accurate sandboxes, end users expect the same response time as they get at home, and we will provide the same experience with greater security.

Neatsun_Ziv
Employee Alumnus

ThreatCloud today blocks access to URLs based on reputation and categorization. We are constantly working to add more capabilities to this reputation service and we currently serve a few billion IOCs per day. IP addresses are usually used when we have less accurate information, like SPAM servers; we usually would like to have something that is more persistent and accurate than IP addresses.

Neatsun_Ziv
Employee Alumnus

Check Point’s SandBlast family allows for prevention of zero-day threats. Part of this family is SandBlast Agent, which utilizes either cloud or local emulation and on-device abilities. Over the past year we had great success and adoption of these technologies. We are growing our investment in this field as we have seen many threats that were blocked on roaming users’ laptops, with special zero-day exploits or non-exploit lateral movement like mimikatz. We are determined to push these products even further this year and we have a packed roadmap of new engines and ease-of-use improvements.

Gabi_Reish
Employee Alumnus

Hans, 

Regarding your first question. I personally think that it’s not about a change in focus, but the security industry adopting a better balance between network and endpoint security. This balance is based on the realization that you can’t detect and stop all attacks on the network and, vice versa, cannot stop all advanced attacks on the endpoint.

Since early 2016, Check Point has offered SandBlast Agent, an advanced threat prevention and Endpoint Detection & Response (EDR) product for endpoints. SandBlast Agent includes the most advanced of our cyber security technologies, including bot detection/prevention, sandboxing, forensics, and more recently, a very advanced anti-ransomware product. We will be happy to share more info with you.

Regarding your second question, it is possible to view new content delivered in Overview Pane > What's New in https://cloud.checkpoint.com .

In the near future, we are looking into securing branch offices.

Gabi_Reish
Employee Alumnus


Dmitry,


IoT provides the promise of greater productivity and connectivity, which leads to greater access to information in both our personal and business life. Cyber security should be one of the key factors when considering deploying IoT services in enterprises and, directly or indirectly, by end-users. As a cyber security leader, Check Point is focused on protecting its customers today and in the future, and as such we are building a roadmap to accommodate the current and future trends of IoT. Check Point’s IoT security roadmap will be focused around the closely coupled building blocks of device discovery, segmentation, access management, threat prevention, data integrity, and endpoint security.

Dorit_Dor
Employee

a) NFV and SDN are very different things. NFV indicates modern usage of virtual compute on the operator side in order to deliver functionality as a service. Check Point, as a software product company, has long delivered solutions for NFV environments. SDN relates to functionality that involves both security and networking. Our focus with SDN is on the security side and we are partnering with others on the networking side.

Moreover, we have delivered a cloud-based security offering that can help with integrating into SDN deployments and can also be operated from an operator network. We have successfully delivered this solution with some telco partners and we are looking to extend our reach.

b) Industry 4.0 is the integration of physical processes, computation and networking that undoubtedly creates a new generation in industry. Check Point is protecting today many legacy as well as modern utility and industrial environments, where some are already using our Threat Prevention and SCADA inspection and reporting capabilities that we released in the last years. We are also working on additional capabilities for the wider IoT space, with industrial applications but also others. We have maintained relationships for several years now with several industrial equipment and IoT manufacturers and work with some of them on solutions. Usually our criterion for joining a consortium is whether we believe they provide net new technology or standards.

Thank you for referring us to the Industrial Internet Consortium – it seems to have a good group of industrial players and also a security work group, so we’ll learn more about it and consider joining.

Joachim_Zint
Participant

What is your “road map” regarding virtual security and micro-segmentation / network virtualization? I mean really without dedicated Check Point appliances.

It’s all about vSEC? What about for example Project Calico https://www.projectcalico.org/micro-service-firewall/

https://www.projectcalico.org/learn/

Greetings

Joe Zint (METRO)

Joseph_Erlewein
Explorer

Q:
When we call our vendor for support, it’s frequent that we/they need to escalate to Check Point. Once escalated to Check Point, it is often days (in some cases weeks) before we get our issues addressed and resolved. This includes both critical and non-critical issues.
As an example of an industry leader, Cisco is also a "large player" in enterprise networking, and when we engage Cisco TAC for critical issues, we've been guaranteed same-day resolution and quick analysis (forensic and otherwise). They have always delivered.

This has almost never been our experience with an escalated Check Point issue, even after begging for escalations and status updates for more than a week.

Why is this, and will this situation be improved upon? 

Jason_Dance
Collaborator

So I understand that this information is fed into blades like URL Filtering and IPS. It is common to find comments relating to “known bad reputation IP addresses” on the quarterly reports. It’s this information that would be helpful to feed into a blocking mechanism (like perhaps the Suspicious Activity Monitoring rules) so that traffic from known bad actors can be dropped. Is there anything in the works to add this (and other real-time threat feed information) into the Security Gateway?

PhoneBoy
Admin

This is an area we are investigating for sure, as mentioned by Dorit in the second comment linked here.

Stay tuned!

PhoneBoy
Admin

There isn't an "easy button" to migrate an iptables configuration to Check Point, though I'm sure you could script converting your iptables commands to appropriate CLI commands with R80(.10).

Perhaps someone in the Developers (Code Hub) space may have already done this; it's worth asking there.

This is also something you can perhaps ask Check Point Professional Services or those of a local partner to assist with.

Generally speaking the ClusterXL IP must be on the same subnet as your physical interface.

That said if your ISP only gives you one public IP, you'll need to implement it this way: Configuring Cluster Addresses on Different Subnets 

There are several threads on ClusterXL on CheckMates that may help you further with ClusterXL as well.

If you have additional questions, please post a new thread in the https://community.checkpoint.com/community/infinity-general/appliances-and-gaia?sr=search&searchId=1... space.

PhoneBoy
Admin

The major change is moving to a new kernel, as noted here, which will naturally allow support for newer hardware.

Backups are an issue we are looking at on many levels, and we've had some threads on this on CheckMates.

Some of the other things you mention can be investigated for inclusion in future releases. 

PhoneBoy
Admin

Using Dynamic Objects in R80.10, it's actually possible to do this today using whatever data source you'd like.

One such project that leverages this is here: CP Dynamic Block Lists 

PhoneBoy
Admin

Several questions in the AMA asked about VPN improvements that are indeed in the works.

However, I am not aware of any specific plans around changing how VPNs are debugged.

If you can post more specific feedback on this area in the https://community.checkpoint.com/community/infinity-general?sr=search&searchId=0d703ad4-927d-4d9f-b2... space, I'll make sure the right people see it and provide feedback.

PhoneBoy
Admin

You bring up two problems here:

1. The fact that Endpoint and Network Management have different patch levels – we are already taking steps to address this.

2. Separating endpoint and network management. I'm not familiar with the plans in this area, but I completely understand your concern. I am working to get an answer I can share here and/or through your account team. 

PhoneBoy
Admin

Dorit answered a similar question above. To summarize:

1. R&D is leveraging remote access and providing better tools to diagnose and troubleshoot (things like cpview and cpdiag are starters; in R80, cpm and the log doctors are other efforts).

2. Make us aware of specific instances of support tickets not progressing through escalation and specific post-resolution feedback.

Klapesh_3477
Explorer

Hi Dorit Dor,

I am using Check Point R80.20 on AWS Cloud.

Now my customer wants to use Google Authenticator on the Client VPN. We are trying the same with the mentioned SK reference link but did not get any success. Do you have any best SK for this, on how to get this whole thing active with Google Authenticator?

https://community.checkpoint.com/t5/General-Topics/MFA-with-Google-Authenticator/td-p/39456

Regards

Kalpesh