Monthly Archives: December 2013

MDM Architecture Part IV (I think it's IV)

What is an MDM? Well, you had better start learning what it is, because it's coming to a SmartDashboard near you in a couple of years. In the future there will only be 1 management console, not two, and it's about time. CP can’t hide MDM behind new icons for much longer.

This is the basic problem with MDM to date that will be rectified in the new version, but I’m not sure exactly how. This is my guess from a brief look at the demo.

A Domain is composed of

  1. A rule
  2. A rule package called a policy
  3. Objects
  4. Firewalls

An MDS is composed of

  1. Global rules
  2. Global Policies
  3. Global Objects

Not too tough so far.

Next is where the problems start showing up.

A DMS applies a policy to a firewall (yes, it can do ‘Install On’; forget that for now). So 1 policy gets installed on 1 firewall, BUT all DMS objects get installed on ALL DMS firewalls. Seems unfair?



Similarly, a single Global Policy gets applied to a set of domains and all the policies inside those domains, BUT the Global Objects are applied to ALL domains that have any global policy on them at all. Seems unfair.


So the problem is scoping. Objects are spewed all over the place while policies have explicit mappings. For example, let’s say you want DMS A Rule 1 to be applied to all DMS A firewalls. You’d have to manually duplicate Rule 1 into all DMS A policies…BUT…DMS A Object 1 automagically appears on all DMS A firewalls. As the number of firewalls and objects grows, the problem gets worse.

What I think they are going to do to fix this is put scoping rules on all these objects. Each object and policy will have a context in which it applies. There will be a firewall policy, a DMS policy and a Global policy. Like an onion of layers, the global policy will wrap the DMS policy, which will wrap the firewall policy. Similarly there will be global, DMS and firewall objects.

(Image: the onion of components)

The ‘install on’ field should also exist as an alternative to the above.

Palo Alto does a similar thing and I think it's just the next natural step … and I hope Check Point does it much better!!!

Just my opinion, people.


SolarWinds Cattools – Script Manager – The cat’s Meeeeoooow

If you have more than 6 firewalls, I know most of you probably have a script library sitting around. Maybe you’ve been through 10 admins, and so the scripts are a hodge-podge of semi-supported and hacked-up tools that sometimes work…until a new R1000.45 HF 201 comes out and changes formats, so then you hack on your scripts yet one more time.

CP is supposed to come out with some sort of scripting support in R10001.48 HF 132 (R77 has some of this; I haven’t seen it). I’ve been begging them to go out and buy SolarWinds Cattools. I’ve started to use it in the past month and I’m not sure how I survived without it all these years.

Cattools is a script manager based on a primitive form of Visual Basic. You import all your firewalls from an MDS export into an Excel spreadsheet and import that into the panel on the left. Then on the right panel you have your scripting library. Below you can see I have various scripts for inventorying our firewalls as well as modifying them, etc.


Here is one example of how I inventory our firewalls to make sure they all have snapshots in case we have to rebuild. You highlight the script you want to run and click ‘run’. It will execute this bash script I wrote, which downloads a bash script to inventory snapshots, executes it, and dumps the results to standard output on the Cattools management station. From there I use perl, awk and grep to gather the output (I’m working on turning this into a spreadsheet).


Cattools is awesome. In reality it is fairly good…because it’s like giving a cup of water to a dying man searing in the Judaean Desert of Scriptland. Check Point really needs to regain its lead in supporting and managing large enterprises, and if they bought Cattools and improved it to work best with CP products they could rock the world. As is…Cattools is designed very specifically for the Cisco/Juniper/appliance markets, so it had some quirks I had to overcome. It will work out of the package…but I improved it with my own scripts…the results of one you can see above.

Specifically, Cattools is designed to work with Cisco-like products, so it is hardcoded to expect certain prompts on the CLI, and the GUI is designed around these Cisco-like prompts. As is, it will work with GAIA but you get a lot of errors and timeouts…but in the end it works. So I made it work more generically with Unix and any application like FTP, GAIA clish, install scripts, SCP with passwords, etc.

When reviewing scripting tools, the big hangup is handling prompts. Your script can hang on a “password:” prompt or a prompt from a weird application like installing patches. Cattools with my mods does a great job of handling prompts. Out of the box, Unix and GAIA require you to install expect scripts to handle the prompts, so it can be done but it’s a bit of a challenge.

Also look at how wayward processes are killed. Cattools does a great job monitoring and killing off wayward processes. It has several levels of timers where if a response is not forthcoming, it shoots the process.

Also look at how the output is gathered and brought home. The scripting tool should handle this for you. Cattools I feel does a great job of this. It also allows you to post process the output. I am figuring this part out now and will report in the future.
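The two things the last few paragraphs ask of a scripting tool, shooting a process that stops answering and bringing the output home for post-processing, can be seen in miniature in the POSIX shell script below. It is an added example written for this page, not CatTools code and not the snapshot script from the post. The per-gateway command is a stand-in function with constructed data (hosts fw1, fw2 and fw3) so it runs offline, where the real thing would be an ssh call to each gateway, and the snapshot line format NAME<TAB>DATE is an assumption, not GAIA's actual output.

```shell
#!/bin/sh
# Added example, not CatTools code and not the author's script: a tiny script
# runner in POSIX sh that mimics two CatTools behaviours praised in the post,
# a deadline that kills a command which stops responding, and per-device
# output capture that is post-processed afterwards with awk. The per-device
# command is a stand-in function with constructed data so this runs offline;
# on a real management station it would be an ssh call to each gateway.

# run_with_deadline SECONDS CMD [ARGS...]
# Runs CMD in the background and polls it once a second. If it is still alive
# after SECONDS it gets TERM, then KILL a second later, and the function
# returns 124 (the coreutils timeout convention). Otherwise CMD's own exit
# status is returned. Redirections on the call are inherited by CMD.
run_with_deadline() {
    _deadline=$1; shift
    "$@" &
    _pid=$!
    _elapsed=0
    while kill -0 "$_pid" 2>/dev/null; do
        if [ "$_elapsed" -ge "$_deadline" ]; then
            kill -TERM "$_pid" 2>/dev/null
            sleep 1
            kill -KILL "$_pid" 2>/dev/null
            wait "$_pid" 2>/dev/null
            return 124
        fi
        sleep 1
        _elapsed=$((_elapsed + 1))
    done
    wait "$_pid"
}

# fake_inventory HOST
# Stand-in for "ssh HOST <snapshot inventory script>". Prints constructed
# sample data, one snapshot per line as NAME<TAB>DATE (assumed format);
# any host other than fw1/fw2 reports nothing, like a box with no snapshot.
fake_inventory() {
    case $1 in
        fw1) printf 'pre-upgrade\t2013-11-02\nbaseline\t2013-06-14\n' ;;
        fw2) printf 'baseline\t2013-06-14\n' ;;
        *)   : ;;
    esac
}

# inventory_snapshots OUTDIR HOST...
# Captures each host's output into OUTDIR/HOST.txt under a 30 s deadline, so
# one gateway hung on a stray prompt cannot stall the whole run. A failure or
# timeout is noted on stderr and the loop moves on to the next host.
inventory_snapshots() {
    _out=$1; shift
    mkdir -p "$_out"
    for _h in "$@"; do
        run_with_deadline 30 fake_inventory "$_h" > "$_out/$_h.txt" 2>&1 \
            || echo "$_h: collection failed or timed out (rc=$?)" >&2
    done
}

# hosts_without_snapshots OUTDIR
# Lists hosts whose capture file is empty: either the gateway really has no
# snapshot or the collection failed, and both need a human to look.
hosts_without_snapshots() {
    for _f in "$1"/*.txt; do
        [ -s "$_f" ] || basename "$_f" .txt
    done
}

# snapshot_csv OUTDIR
# Flattens all captures into host,snapshot,date rows for a spreadsheet.
snapshot_csv() {
    for _f in "$1"/*.txt; do
        _h=$(basename "$_f" .txt)
        awk -F '\t' -v host="$_h" 'NF == 2 { print host "," $1 "," $2 }' "$_f"
    done
}
```

Source the file and run `inventory_snapshots /tmp/snaps fw1 fw2 fw3`, then `hosts_without_snapshots /tmp/snaps` for the list that needs a look and `snapshot_csv /tmp/snaps` for the spreadsheet rows. Swap `fake_inventory` for your own ssh wrapper to use it for real; the deadline is what keeps one gateway stuck on a prompt from holding up the other ninety-nine.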

I’ll be talking more about Cattools as I get time. In the meantime you should give it a go…but temper it with knowing about the out-of-box issues. But it is still a cup of water to a dying soul.

Massive script engines are a double-edged sword. They can save you incredible amounts of time…or destroy your entire environment. When using tools like these, make sure you have control processes around them. For example: operations that modify the firewalls have to undergo review, have 2 people execute them together, and run on a maximum of 2, 4, 8, 16 firewalls as you prove it works.

NOTE: I loved this product so much that my company, Midpoint Technologies, now sells it. So I have a strong bias.

Script ON!


Grasshopper – What is a Blade you ask?

So I just figured out why I have no clue how licensing works. ‘Blade’ is totally an overloaded term. Seems like CP management, marketing, licensing and GUI people should have lunch together.

I was investigating today’s meaning of Performance Pack (PP), Acceleration and Clustering (ACCL), Advanced Data Networking (ADN) or Advanced Data Networking and Clustering (ADNC). These were, are, is, going to be…a ‘blade’ at some point in the marketing branding cycle. CP ADNC blade.

So if today’s definition 12/4/2013 of ACCL is a blade, then what is ClusterXL? Is it a function? Then what is IPS? A blade or a function?

For me, when I hear the term ‘blade’, it should show up in the SmartDashboard GUI with a checkbox next to it. I don’t see PowerPack, ADN, ACCL in the SmartDashboard GUI. ADNC kinda appears in the GUI. Is it a Blade? A bundle of Blades in the GUI, or a bundle of features? But it is sold as a license ‘blade’.

Seems like CP needs to sync their marketing and licensing with their implementation. They overload the term Blade too many times.

At least Blade was a cool movie. They should ask Wesley Snipes for advice.

Dull Blade,

FWD zombie – Anyone else?


So I’m taking a poll here. One of our ‘busy’ gateways is always logging locally and we are dropping logs. The box is total overkill and hardly breathing (see this to verify), but still logs are dropping constantly. I know we aren’t the only ones this is happening to, because my other customers are seeing the exact same problem.

I happened to catch it while on the box, and the weirdest thing is happening, which I sent to support and verified with them. The FWD process disappears. It seems that while FWD is logging locally, FWD will NOT show up in ‘ps -ef’ or in ‘top’.



As soon as it’s done writing the local log file, it reappears in ‘ps -ef’. But it did NOT die, because the run time is still high! It just zombied on me:


Why do you care? Well turns out development won’t look at it until they can replicate it or get more samples. I don’t blame them because I might be smoking ragweed.
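One way to give development the samples they want is to log exactly when FWD leaves and re-enters the process list. The POSIX shell sampler below is an added example, not something from the post or from Check Point: it classifies a `ps -ef` listing by its CMD column and prints a timestamped line only on a change of state. The three listings at the bottom are constructed test data (the path in the second one is a placeholder, not a real product path), not captures from a gateway.

```shell
#!/bin/sh
# Added example, not from the post: a sampler that records, with timestamps,
# every time a process name drops out of or returns to the `ps -ef` listing.
# Run beside a gateway showing the symptom, it yields a timeline of the
# disappearances that can go to support with the next case. The process name
# defaults to fwd; the sample listings further down are constructed test data.

PROC_NAME=${PROC_NAME:-fwd}

# proc_state LISTING
# Prints "present" if a line of LISTING (ps -ef output) has a command whose
# basename is PROC_NAME, otherwise "absent". Only the CMD column ($8 in
# ps -ef) is matched, so "grep fwd" or "fwd_helper" do not count as sightings.
proc_state() {
    printf '%s\n' "$1" | awk -v name="$PROC_NAME" '
        NR > 1 && $8 ~ ("(^|/)" name "$") { found = 1 }
        END { print (found ? "present" : "absent") }'
}

# watch_transitions INTERVAL COUNT
# Samples ps -ef every INTERVAL seconds, COUNT times (0 = until interrupted),
# and prints a timestamped line only when the state changes, so a long run
# gives a short list of disappear/reappear events rather than a flood.
watch_transitions() {
    _interval=$1; _count=$2; _last=""; _i=0
    while [ "$_count" -eq 0 ] || [ "$_i" -lt "$_count" ]; do
        _state=$(proc_state "$(ps -ef)")
        if [ "$_state" != "$_last" ]; then
            printf '%s %s %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$PROC_NAME" "$_state"
            _last=$_state
        fi
        _i=$((_i + 1))
        sleep "$_interval"
    done
}

# Constructed ps -ef listings for a self-check (same column layout as ps -ef;
# the directory in LISTING_PATH is a placeholder, not a real install path).
LISTING_PRESENT='UID        PID  PPID  C STIME TTY          TIME CMD
admin     1234     1  0 Dec04 ?        01:22:33 fwd
root      2345     1  0 Dec04 ?        00:00:01 sshd'
LISTING_PATH='UID        PID  PPID  C STIME TTY          TIME CMD
admin     1234     1  0 Dec04 ?        01:22:33 /placeholder/bin/fwd -n'
LISTING_ABSENT='UID        PID  PPID  C STIME TTY          TIME CMD
root      2345     1  0 Dec04 ?        00:00:01 sshd
admin     9999  8888  0 10:15 pts/0    00:00:00 grep fwd'

# self_check: returns 0 when the three listings classify as expected.
self_check() {
    [ "$(proc_state "$LISTING_PRESENT")" = present ] &&
    [ "$(proc_state "$LISTING_PATH")" = present ] &&
    [ "$(proc_state "$LISTING_ABSENT")" = absent ]
}
```

Source the file and run `watch_transitions 5 0 >> /var/tmp/fwd-watch.log` in a screen session while the gateway is logging locally; the log then holds one line per disappearance and one per return, with the wall-clock time of each, which lines up nicely against the timestamps in the local log file.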

So if anyone else is having this problem and wants to form a united front so development can get moving on this, drop me a line via HERE.

Thanks and we’ll be keeping a light on for ya,



RADIUS Update! Finally have superuser access using RADIUS

You might want to check out the update on my RADIUS post. After 1 year, I finally made some headway on RADIUS superuser access with non-local users.

Michael Endrizzi's - St. Paul MN - CheckPoint blog on topics related to Check Point products and security in general.