YAF – Yet another Firewall

So just got my mitts on a 1100 and only one question.

WHY?

It is so different from mainline GAIA that it's almost like buying Yet Another Firewall (YAF). CP's strength, which I adore, is Single Glass – Centralized Security Management – Lower Total Cost of Ownership – Etc. So WHY introduce a YAF that doesn't look like GAIA mainline and can't be administered like it? The GUI is not standard GAIA, the command line is butchered GAIA, and the file system is not GAIA-like. I can tell a totally different team of R&D developed this YAF.

For large enterprises that are looking to standardize to lower administrative costs… and are borderline CP customers, why not just tip them over the edge to a competitor, because the 1100 is YAF? OK, it may be simple and stripped down and stable, etc… but then what differentiates it from the competitors? Why not just keep the Edge series, which were AWESOME and super stable, rock solid? I'm not getting it.

And then I think of the R&D and support costs of YAF that distracts CP from its main mission – Single Pane of Glass.

Then again Gil has a jet and I have a 2006 Scion…

1100 ScreenShot


Comments

  • .Q  On December 16, 2014 at 2:15 am

    Is that the WebUI/GUI for the appliance? It looks a lot like the Checkpoint Cloud management interface.

  • PhoneBoy (@PhoneBoy)  On December 16, 2014 at 6:59 am

    Every criticism you mentioned with the 1100 also applies to the UTM-1 EDGE, which was originally developed by another company (Sofaware) that Check Point partially owned and ultimately bought. The UI is different, the CLI is different.

    In my opinion, the 1100 is an improvement because it’s a lot closer to mainline Gaia than the UTM-1 EDGE ever was. Yes, it’s not exactly the same as mainline Gaia in a number of respects, but from a security functionality standpoint, you can do much of what R75.20 can do in a SMB-sized (and priced) box. And yes, an R77.x version of firmware is planned for this device that should shrink the gap further.

    And yes, the WebUI on the 1100 has a similar UI to Check Point's new Cloud Connect management interface (a similar framework is used).

    Disclaimer: Check Point Employee, views expressed my own, etc.

  • Dreezman  On December 16, 2014 at 9:10 pm

    PhoneBoy! Great to hear from you. Thanks for all your past and current contributions to the community.

    I guess we are going to have to agree to disagree on this one.
    Example 1: I called our diamond guy to try to figure out why the 1100’s RADIUS GAIA is so non-GAIA. He said “Dreez, at this point you know more than me. Never touched one”
    Example 2: I have 400 going to 600 firewalls supported by my Cattools scripts. Push a button and boom, I deploy patches, find down members, do health checks, find non-standard configs, etc. Does YAF make my job easier or harder?
    Example 3: If Edges were NOT GAIA, but worked, simple, stable…Then why build another YAF that has no support infrastructure? Edges had a legacy support infrastructure. Either improve it, or ditch it and go to GAIA.
    Example 4: If CP is intending on ‘closing’ the 1100 GAIA gap, then why even create a gap? Why not build on an existing GAIA platform that can be supported?

    Summary: If you build a product that can't be supported in an enterprise, it's not a product – it's a YAF.

    The only saving grace is that it is mostly supported in MDS… but so were the Edges.

    Thanks and keep it coming. I know I have always learned a ton from you.
    dreez

    • PhoneBoy (@PhoneBoy)  On December 17, 2014 at 4:51 am

      EDGE boxes have a huge gap between mainline Gaia in terms of features and functionality. Conversely, the EDGEs are simpler, but they also do much less. Think about the functionality difference between, say, FireWall-1 4.1 and R75.20.

      The 1100 was designed to provide the same level of functionality as mainline R75.20 in an SMB-type package. It’s a pretty tall order, and while there are plenty of areas where things can be improved, I think it’s a good offering overall. It’s also a step up from the SG80, which had even more differences 🙂

      While I’m no developer, I suspect regular Gaia would require significant rework to run on the 1100 hardware as there are some significant differences in architecture to the other platforms.

      In terms of support structure for the product, it’s there and very similar to what existed for EDGE.

      I believe some of the differences could be less problematic with better documentation. If you have specific concerns in this area, shoot me an email.

      • Dreezman  On December 17, 2014 at 10:19 pm

        Here are some specific ones screwing up my scripts that I found so far.

        1) File system. No /config/active
        2) RADIUS. No/Different/undocumented GAIA CLI. Don’t use same GROUP/roles as mainline GAIA
        3) No CLISH> show users
        4) No dbget
        5) File System No /var/log/CPbackup
        6) no CLISH> add backup

        Linux can run on a Raspberry, not sure why it would be tough to run on 1100.

        Thanks again,
        dreez

      • c0re  On January 10, 2015 at 11:51 pm

        I guess it's because of the ARM CPU architecture in the 1100.
        Not all features were ported from x86 to ARM; it's hard work that goes on.
        Raspberry is also ARM, so no point of using Raspberry.

      • Dreezman  On January 11, 2015 at 6:40 am

        I totally get not porting features and having a subset. But 1100 is not a subset, it is YAF.

        dreez

  • Dreezman  On December 18, 2014 at 7:39 pm

    Here’s a gem. 1100’s can only run AntiBot on 77.30. So now we may have to upgrade our whole MDS just to support AB. YAF.

  • Bob Mog  On January 21, 2015 at 5:06 pm

    the worst thing about the 1100 and 600 series platforms is the performance……again !!!

    Just to skimp on a few dollars of RAM and a better CPU they crippled these boxes. Yes, they run great with IPS disabled, but enable the recommended profile and your 1100 is toast. Why not just use an Intel CPU, use regular GAIA and charge customers 100-200$ more? Not even good for a home network.
    Wasted opportunity.

    In saying that, at least you can manage them fully like a regular firewall from SmartCenter on the 1100.

    • Dreezman  On January 24, 2015 at 9:40 am

      Bob-o, I'm not going to fault CP on performance. These boxes are supposed to be for 1-4 person sales offices on a 1Mb DSL link. Maybe your experience is different.

blog.lachmann.org

Michael Endrizzi's – St. Paul MN – Check Point blog on topics related to Check Point products and security in general.