Monthly Archives: May 2014

R80 Gateway

So the birds are singing that they are working on an R80 gateway in order to support the new R80 mgt station features like individual policy module pushes.

Please QA it this time…..



How to make VSX go fast

Got this from a little bird, so can’t take credit.

Use case was datacenter pushing 24Gb through a VSX chassis.

Can it do it?

I was told they got 22Gb on a 21700 through a single VS using this configuration:

  1. 21700/21400 has 3 PCIe buses on it. Each PCIe x16 bus supposedly handles 16Gb in 1 direction.
  2. Config
    R77.10 – firewall blade only

    4 port 10Gb bond with two ports used on 10Gb line card one and two ports used on 10Gb line card two. The ports have to be split across two different PCIe buses so that a single PCIe bus is not overloaded.

    VSLS Cluster (2 members) with 6 virtual systems created

    Layer 3+4 bond distribution algorithm

    Only one VS used to pass firewall traffic

    Single firewall rule – ANY-ANY-ANY-Accept –Log

    CoreXL enabled and set for 2 instances for the VS under test

    Hyperthreading not enabled


  3. MultiQ enabled and set for 12 RX queues (apply to both members). NOTE: MultiQ only works on receive and not transmit.

    cpmq set rx_num ixgbe 12

  4. fw ctl affinity -s -d -fwkall 4 
  5. cpmq reconfigure 
  6. Reboot 21700

    Follow these steps on both 21700VS cluster members:

    1. Create the $PPKDIR/boot/modules/simkern.conf file:

    [Expert@HostName]# touch $PPKDIR/boot/modules/simkern.conf

    Note: If this file already exists, the 'touch' command has no impact on it.

    2. Enable the SecureXL parameter 'sim_requeue_enabled':

    [Expert@HostName]# echo 'sim_requeue_enabled=1' >> $PPKDIR/boot/modules/simkern.conf

    3. Check that the SecureXL parameter was added:

    [Expert@HostName]# cat $PPKDIR/boot/modules/simkern.conf

    4. Reboot the machine to apply the changes.



    Run the test from an appliance idle state. Between tests, please run:

    fwaccel off

    fw tab -t connections -x -y

    fwaccel on

    This will clear the connection table and avoid out-of-state errors in future tests.
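
The `echo ... >>` step above appends a new line every time it is run, so repeating the procedure leaves duplicate (or conflicting) `sim_requeue_enabled` entries in simkern.conf. The following is an added example, not part of the original post or Check Point's own tooling: a re-runnable version of steps 1 to 3. The function name `ensure_kv` is hypothetical; only the file path and the parameter name come from the post.

```shell
#!/bin/sh
# Added example: idempotent replacement for the touch / echo >> / cat steps.
# ensure_kv is a hypothetical helper name, not a Check Point command.

# ensure_kv FILE KEY VALUE
# Leaves FILE with exactly one "KEY=VALUE" line and all unrelated lines intact.
# Returns 0 when the file verifies, non-zero otherwise.
ensure_kv() {
    file=$1 key=$2 value=$3

    # Step 1 of the post ('touch'): create the file only if it is missing.
    [ -e "$file" ] || : > "$file" || return 1

    tmp=$(mktemp "${file}.XXXXXX") || return 1

    # Drop every existing assignment of KEY, whatever its value, so an old
    # "KEY=0" or a duplicate from an earlier run cannot survive.
    # grep exits 1 when nothing is left to print; only exit >1 is an error.
    grep -v "^[[:space:]]*${key}=" "$file" > "$tmp" || [ $? -eq 1 ] || {
        rm -f "$tmp"; return 1; }

    # Step 2 of the post: add the single desired line.
    printf '%s=%s\n' "$key" "$value" >> "$tmp"

    # Write the content back in place so the file keeps its owner and mode.
    cat "$tmp" > "$file" || { rm -f "$tmp"; return 1; }
    rm -f "$tmp"

    # Step 3 of the post ('cat' and eyeball it), done as a check:
    # exactly one matching line must be present.
    [ "$(grep -c "^${key}=${value}\$" "$file")" -eq 1 ]
}

# Usage on a gateway (expert mode), then reboot as in step 4:
#   ensure_kv "$PPKDIR/boot/modules/simkern.conf" sim_requeue_enabled 1
```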


How to make a Cisco geek cry


I work with this awesome Cisco geek who manages ASAs and MARS. Today I walked him through generating a report for his people with SmartLog.

I thought he was going to cry. This normally big tall handsome ex-US-Marine generally stoic person started making squeaky bubbling noises and then just started laughing exclaiming “THAT….IS……AWESOME!!!!!!, It would take me hours or days in MARS and it’s so beautiful!!!!”

Which brings me back to my rant…..what the hell is Software Defined Protection? CheckPoint will change the world with their awesome new R80 management station and Dudi’s SmartLog that makes Cisco geeks cry. Everyone and their mother has Software Defined Protection…but how many have a “Single Pane Of Glass Security Management”???

Only CheckPoint – god bless their souls.

Dudi…you made a grown man cry. Love you dude,


PS: PEOPLE: Just make sure ya’ all QA it this time.

WebUI CLI Access – If In Doubt

Have you ever sawed off the branch you are standing on? (TRANSLATION) Locked/Bricked yourself out of a firewall by changing to non-routable IPs, screwing up the sshd_config, blocking ssh, etc.? If not, then you haven’t spent enough years in the field.

Well this is not the total solution, but found it interesting. The WebUI has CLI access…..via port 443….and NOT terminating at the SSH daemon, just a pseudo terminal. So it’s a step down from console access and a step up from SSH. You eliminate port 22 problems and sshd_config problems.



I also think??? R80 will give you access via the SIC tunnel port 18191 via SmartDashboard…I thought I spoke with the guy on this but can’t remember.




Day 2 – Drinking From the Firehose

Summary: I was asking my friend why CPX was so good this year compared to last year’s. He said “Less sales RAH RAH, more technical”. He was right. They had about 30 developers in tow that knew the real answers. The “rah rah” team seemed to be in the background and only appeared when you need them which was great. Oh and the attitude was much more humble this year for whatever reason. Oh, and they even talked about Quality Assurance a bit, wish I could hear more of this! So for the first time I can say I’d spend my own money going to this conference. Next year I think I might head to EuroCPX on my own dime.

41000/61000 – CoreXL/SecureXL

The 61000 is basically blades in a cage that cost $1 million. Each blade is 20 processors. In dashboard you only see 1 firewall, not even a cluster. Blades are hot swappable and have a variety of redundancy. The 41000 is a $250K small brother of the 61000. Each blade supports 10-40Gbps?? of throughput. They don’t use any special SecureXL hardware accelerator, they just throw more cores at the problem.


R80 SmartEvent/SmartLog Performance

SmartLog: They claim they reduced a 5 minute search to 10 seconds in SmartLog. They claim 1:1 index to log size (we were seeing 3:1). SmartEvent is totally rewritten to use its own SmartLog-like index and is supposed to be super fast. You can get R80 now, it is version agnostic and works for all versions.


SmartDashboard – SubPolicies and Layers

I went  back 3 times to the R80 Mgt presentation. I am very excited about the work they are doing and can’t wait to download the EA and try it out.

  1. Two types of policies are much more structured in this GUI which is great
    -Access Policies – Rules people write with IP addresses and APPLICATION protocols and User Names. X can get to Y
    -Threat Prevention (dynamic rules responding to threats IPS, AV, Threat emulation,etc).
  2. Layers: In the picture you can see the 1/2/3 policies above. Those are called layers. Each can be one of the following: Access Control, Application Control, Compliance, DLP, (and maybe something else). The screen shows we are currently in the data center policy which is an access control policy. This policy is executed first from top to bottom on every packet. Next #2 the  compliance policy is executed and then Next #3 the DLP policy is executed.
  3. Cool thing you can install each layer separately from the others so you don’t have to install all of policy and IPS all at the same time. I think I said before that policy and threat measures can be installed separately…finally. You can see the policy installation options in this screen.


  1. WITHIN!!! A policy you can create subpolicies. These subpolicies are kinda like the current sections markers we have now except each subpolicy can have its own administrative editors. The policy will be executed from top down including all the subpolicies, but each one has a different editor.
  2. Down on the left you can barely see where you can use command line to do everything you want in the GUI. Very cool.
  3. They also have a “Web Services” view, where you can build web screens with SOAP/REST scripts to interact with the management station.
  4. They also added another column (optional) called data awareness. You can specify what types of files to allow/disallow for upload/downloads. Probably from the DLP blade. In the app control column you can say Frank can access YouTube but only for 60 seconds and 6 meg of data or give a file name they can download.
  5. Rules have another action called “Monitor”. They will just log activity but make no enforcement decision so you can play out “What If” scenarios.
  6. They do have a view called “Unified” where you can see all policies and threat protection all in 1 pane. Each column per rule is another protection like app control, threat prevention, etc.
  7. They finally support multiple concurrent admin audit. You log in and create a session. This session has all your edits. You can save your session, etc. As you work on rules you lock the rule but not the whole DMS. When you are done with your session you publish it. Only after you publish it can it get installed on gateway. When you click on the rule, you can see the history of edits on that rule.
  8. You can click on a rule and ask to see all the logs for that rule. Very cool.
  9. The gateways can now recognize interfaces as objects like Cisco/Palo/Juniper. You define the interface(s) as a zone and use that as an object.
  10. One thing that has me a bit worried. They say they integrated logging, monitoring, smartevent, policy all into one dashboard which would be really cool. But I think in reality you only see a summary in Dashboard and when you click for more detail it kicks off the standalone SmartWhatever client. Not too impressed, prefer single pane of glass model.
  11. You can file Service Requests from SmartDashboard. pretty basic, really hope we don’t have to use it much. PLEASE!!! Not after the last 4 years of pain.
  12. Once again, nothing on MDS yet. Still in the thought stage.  But very cool start.
  13. I’ll save the best for last. CSV export and import!!!! You can FINALLY import and export objects with CSVs for editing and reimporting. Perfect for enterprises for managing large number of objects. If you are religious, thank you gods.
  14. For provisioning, they do have a script manager. Didn’t get to play with it much, seemed pretty basic.
  15. Change Control: I guess it will somehow integrate with Change Management systems like HP and Remedy and you can drag and drop from your Change Management on your ticket window into the management station for IP addresses and a column with ticket information like ticket number and comments from the change control ticket. The links are there, they have to partner up.
  16. Web Based Object Management: So if you have an object group that is dynamic and person XXX is responsible for maintaining the group, you can create a web page with WebServices, they log in with AD and manage only that object and nothing else WITHOUT using SmartDashboard.
  17. I thought?? I saw CLI access VIA the SIC tunnel port 18191 from SmartDashboard which would be very cool. That would supplement WebUI CLI access via 443 and of course CLI via port 22. Helps a ton in case we lock ourselves out of a box somehow, another avenue.

All of the above has the making of THE BEST Enterprise Security Management Environment on the planet. THIS is what makes and differentiates CP from the wannabees. THIS is what makes me so proud to be associated with this product. Two-Thumbs  Plus Up (but please make sure you QA the frigging thing this time. Screw the whiners, take your time and deliver a quality product)


Kinda anticlimactic. Lots of FUD and when the attack happened I kept asking “what happened” and then it ended. I think I missed the point. I guess they are going after more SCADA traffic signatures for app control and IPS. Not sure how mature it is. If you have SCADA traffic, call them and they are very very ambitious to sniff your traffic and create more signatures.


GAIA – Next Steps

Nothing really too cool here, incremental which is OK by me as long as they run it through QA. As long as they stabilize the basic firewall features they can go as slow as they like. If the firewall doesn’t work, might as well get a different product.

  1. Working on 77.20 for more stability THANK YOU!!!!!
  2. They have a routing team in Israel instead of the Nokia crew in California and the Cluster people in Israel. So hopefully routing and clustering will start coming together.
  3. More abilities to upgrade from the GUI from the cloud…I missed some of this. I hate upgrading from the GUI because it freezes and dies so I’ll stick with the CLI thanks.
  4. You can get detailed reports on HFAs, HFs, versions, etc in the GUI. In future will upload to cloud for more reports. OK start, but need inventory of our whole environment, not just 1 gateway at a time.
  5. CPView: Seems to be a really cool CLI tool to view performance issues. Can run on any version NOW. Can see inside the kernel and inside blades to see what they are doing with memory and CPU. Thumbs up.
  6. Performance sizer. Runs 24 hours on a system and can tell you if you need a bigger system. We use it and it is so-so. You have to be able to anticipate internal external User base and doesn’t seem to be based on realistic numbers. Neutral.
  7. CoreXL and SecureXL can be mostly modified within the GUI instead of the command line. Thank YOU!
  8. I saw nothing on fixing licensing hell. Oh well, maybe version R90.
  9. LVM Manager. They have a CLI GUI that lets you dynamically change disk partition sizes. Just front end to lvmmanager from Linux but I like it.

Rant and Rave

PREQUEL: I had my best discussion with a gentleman from Atlanta whose name and organization I forgot. CP should hire him as their director of marketing because he painted the picture that Gill and marketing have missed for 25 years: “Single Pane of Glass for Policy and Response”. Right now organizations pick best of breed products. Large ones have 2-3 different firewall products (CP and Cisco), 1 SIEM like Envision (sucks), 1 Threat Emulator like Fireeye (awesome), 1 IPS like SourceFire (awesome). Best of breed. Unfortunately the threats are coming faster than these best of breeds can respond. When SourceFire picks up a DDOS or Fireeye sees an internal compromised system SLOW BUREAUCRATIC UNTRAINED POLITICAL people have to make phone calls and do change control and fight political battles to respond to the threat. Meanwhile the hackers only have one purpose and do not have to fight those political, training, etc battles.

While CP may not have all of the best of breed point solutions, they do have the best of breed single pane of glass to respond to zero-day threats. It all starts with awesome management and logging which allows organizations to have one political boundary, one trained staff, one bureaucratic boundary, one tactical solution to react to zero-day threats in one pane of glass.

But does that sell a CSO or CFO? No.

What sells is the ROI. Imagine only having to have X number of security operations personnel instead of 5x, one for firewalls, one for DLP, one for SIEM, one for AV, one for SPAM, one for URL, one for IPS, one for ….. The numbers may be off but you get the idea.

Basically CP marketing is selling technology (performance, appliances, pretty GUIs). At CPX they pitched their latest theme “Software Defined Protection”. What the heck does that mean? How does that save money? How does that differentiate from competitors? How does that make me want to run to the CP Retail Store and buy 10 610000?? Instead my above description is selling solutions with ROI, and everyone understands ROI. This is the theme The Gill should paint and every talk and demonstration could echo it and every sales and marketing person could lead with. Maybe something like “CP: Your single pane zero-day solution” <<<Rah-Rah do the dance here>>. And then every year at CPX The Gill should measure and share with us how far they have come to dominating the Security Management market based on their awesome management environment.

(Then again, The Gill has an awesome jet and I drive a 2006 Scion XA. Who Knows Best?)

CPX Day 1 – Drinking from the firehose

My scratchy notes: Not sure this all makes sense…..

CP Geeks, I declare this year’s CPX a victory. Summary: It feels like the last 5 years (of pain) they have been laying the groundwork for a really cool platform and this year is the first year I can see this happening. Everything is looking good on paper.

9am: The disco starts (the bass is still ringing in my head and it’s 10pm at night as I write this).

GIL Shwed, Amon Bar:


– Guess what?  hackers are still out there
– Make sure you turn on your antivirus/antibot/IPS,etc
– Buy CP stuff

2012 3D security rah rah- that’s all history
2012 CP as security company vs product company- history

1400 attendees, 30% more than 2013. 600 in 2012. Conference is growing hugely

This year’s theme: Software Defined Protection based on:

– Enforcement Points: gateways, mobile,
– Control – 1) Access Control and 2) Threat Cloud set your policy
– Centralized Unified Mgt: to manage the environment

If the above is confusing, basically they are coming back to their core strengths: Management, logging, enforcement through a single pane of glass.

Threat Cloud: Is basically a virtual machine where they run attachments to see if they modify system files. Then distribute to all gateways to make enforcement decisions real time. They are now opening the threat cloud to other parties so they can contribute. All the data will be anonymized. This is an excellent decision. Hackers share info, why shouldn’t the defenders. Two Thumbs Up.

OPINION: This is CP’s strength. One platform for analyzing and enforcing decisions near real time. Although as a separate product not a market leader, the full package of management logging enforcement is alone in the marketplace. Very cool. I’m a believer. Just hope they QA it before they release it.

Announcement: Threat Cloud is now Open Threat cloud so other organizations can contribute to it. Very cool,

Announcement: R80 Management in EA. Sign Up. Looks REALLY !!! cool. Only the SmartDashboard version right now working on the MDS version. But two thumbs up on features. Hope they do QA on it.

Observation: MDS, SmartDashboard, SmartLog, SmartEvent, Smart Monitor are being merged into a single product which makes data analysis so much easier. Not sure why people pay for Envision, ArcSight, McAfee Security Manager as separate products.

Mobile Enforcement: Endpoint will perform Secure Document, Isolated Sandbox and Cloud Filter to filter data sent to device: OPINION: Jury is out. Feels like a really heavy client waiting for the hardware to catch up to support it. Not much experience with it at this point.

Brian Krebs

Amusing talk about work monitoring the underground. He broke the Target story. He noticed that hackers were selling credit cards with zip codes and figured out that the zip codes were to bypass the geo-location lockouts the banks put on use of stolen credit cards.

His summary was dead on and is what I’ve been saying for years. Buying a bunch of blinking lights is useless:

1) Figure out who wants to get you
2) Know your enemy
3) Buy talent not just tools to do the analysis
4) Go past compliance basics



61000/41000: Good presentation by Marco on the power of these systems. Really expensive but I think it is the architecture of future CP products. Basically in your SmartDashboard GUI you see 1 standalone firewall but the hardware appliance is running 120?? CPUS and all hot swappable so you just plug in more boards if you need more throughput. They decide to throw CPUs at the performance problem vs ASICs. So clustering and CoreXL are fairly invisible to you at the dashboard. Great concept hope they QA it.

21000: has a secureXL accelerator card based on the Tilera processor that is V2 of the NOKIA accelerator card. Only available in 21000.


There are two semi-new features to improve performance on the gateways:

1) HyperSpec: Turning on Hyperthreading on the processors to double the number of processors. Best used for assisting IPS/ThreatEmulation/etc CPU intensive work and NOT I/O

2) Multi-Queue: Assign multiple CPUs to a NIC where each CPU handles a unique src/dst session for that one NIC. Only enhances I/O performance throughput and NOT CPU intensive performance and NOT more individual sessions.


CoreXL and SecureXL admin are going into the GUI to simplify admin. Here are samples:





VERY impressed.

  1. Everything in the GUI has a command line equivalent that can be scripted. You can even type in command lines at the GUI instead of mouse clicks. VERY critical for huge installations that need to script large operations. CONGRATS: not sure any competitor gets this concept of trying to manage a huge number of objects with flexibility. Love it.
  2. SmartMonitor, SmartLog and soon others will all be integrated into a single GUI. 100% double thumbs up.
  3. Objects can now be tagged. Very cool once again for managing a huge number of objects. You can now perform operations on these tagged objects. 100% Two Thumbs Up
  4. Rules of another comment for Change Control. Two thumbs up.
  5. Hit count on Object Use. 100% for maintenance. Two Thumbs Up.
  6. Instant message others from GUI. Two Thumbs Up for collaboration.
  7. You can push ACLs, separated from IPS, separate from AV now. Two thumbs up.
  8. They are still debating what will go into the MDS version. All the above is for a single management station. They think that global/local policy will stay the same which is kinda a bummer. But they understand that we need to share objects and are trying to figure out the best way to do that. Just hope they send it through QA, don’t care what they decide.
  9. See DAY 2 post for more detail.


QA and Training


– QA now has 230 people doing testing. Development has QA sessions every week.  But he cautioned that it is a very complex product and will take a while to see results but R77.10 is good start. Run away from R76

– Training: Taken away from sales and embedded into R&D. So training will be on par with software releases. Some very cool classes on Advanced Debug and VSX.  Hope they send it through QA.

Met Pete and friends overlooking Potomac: Thanks for getting to know you all there!

Going to bed with a CPX buzz.




CPX Bound


Yes once again it’s that time of year and I will be heading to the conference. Got tons of questions about SecureXL, CoreXL, SAM, optimized drops, R80 MDM. Brian Krebs who detailed the Target breach will be speaking.

Remember that CPX is a bit special, so review my CPX How To Guide.

Several people wanted to get together. Fantastic. Email me by clicking on my name below my picture and I’ll send you my cell phone and we will gather a posse’. Wednesday night is looking good…and I’m staying all weekend to enjoy the sights.



