Category Archives: Check Point

Anything to do with Check Point

R80 – wow

I’m blown away. I’m stunned. I’d sell my kids’ schoolbooks to use it (I don’t have kids). It is my inner glow.

In the past year I have used:

  • Cisco’s new security management GUI
  • Palo Alto’s Panorama (sounds like it’s from the Jetsons cartoon)
  • NSX Distributed Firewall
  • R80 Checkpoint

And R80 blows away all the other vendors.

And get this….I think they even tested it before they released it. I know, even I am stunned. OK, there are still some bugs and dealing with CP arrogance is a pain but R80 makes it all OK. They actually thought about the user experience and enhanced its enterprise management capabilities to allow scaling. It is true art.

TESTED: Just basic SmartDashboard on R77.30 gateway. I did not test MDS or R80 gateway which are coming out soon.


cool things:

  • Was in 77.30: Deep inspection of objects. You can search through hierarchies of groups to find a base object like Both in rule base and object finder. The search is like Google or you can qualify it. Just beautiful.
  • pencils on rules that identify items that were modified
  • Local copy of changes that you publish and share with others, finally concurrent access
  • SmartLog embedded into Dashboard and interacts with it – very very cool
  • 14 second vs 2 minute policy installs – very cool
  • The desktop GUI is API driven. From the GUI you can open a console to mgt and issue API statements.
  • Add to groups from menu and menu stays up until you are done makes it easy to add to groups. Several ways to group. Grouping is key to scaling a management environment.
  • Import/Export domain worked flawlessly
  • Can export rules and objects into a spreadsheet. Needs a bit of work but a step in the right direction
  • Licensing is actually a bit easier (I thought I’d never say this) to manage


  • Looks like they will not implement more scoping beyond global/local objects as in the past. I loved PAN’s implementation of global/domain/firewall/zone scoping. When microsegmentation hits, I think we will even need scoping on a per application basis. So application PAYROLL has its own rule/object database and can inherit/export to other databases.
  • crashes now and then
  • Where is SmartTracker :-(..but you can use R77.30 Tracker!!! Thank YOU!
  • For same event – data in Tracker is different than in SmartLog
  • vSec integration is pretty basic. You can only see security tags, can’t manipulate them
  • Software update notifications are fudged at this time
  • Can’t import rules and objects from spreadsheet
  • Application-site objects have a flaw that if you use them like groups your rulebase may become corrupted in how it evaluates rules because you might have duplicate application objects and it does not alert you.
  • Searching through groups with exceptions doesn’t work right.

I’ll update this as I use it more, but so far kudos. For large environments you might want to wait until more bugs are ironed out but for smaller installations you will never look back.

Inner Glow YAAAAH!



PA Daily Operations update – From The Trenches

Firewalls have been around for 25+ years and at this point, to me, a firewall is a firewall no matter what the label on the box says. I am totally mystified why organizations randomly jump from one vendor to another based on technology alone. I know licensing costs soar, support sucks, platforms are unstable, etc. But in the end a firewall is a firewall and the grass doesn’t get much greener after you make the switch. You probably get 1 year of cheap hardware and kiss ass support before you swirl to the bottom of the toilet as the new vendor pulls in new customers and forgets all the fireworks they promised would fly from your behind.

So yes I am talking the PA vs. CP debacle. PA is a fine firewall (if you don’t turn on all the misc junk). CP is a fine firewall (if you don’t turn on all the misc. junk). PA is a massive marketing machine the earth has never before seen. CP has an incredible enterprise management and logging infrastructure that can’t sell snow to Eskimos.

I just spent 3 hours in a PA hands-on class. Been 5 years since touching one. My reaction: painful. Why? Because from the marketing rah-rah I was expecting fireworks would fly from my behind. The reality is: It’s just another firewall. The web interface reminds me of all the other freeware java/ajax shaky hope-to-god-this-works GUI firewall interfaces. Or maybe they hired a bunch of ex-Cisco CSM programmers and sent them to Web development school for 6 weeks. I mean it’s OK, but primitive compared to CP for an enterprise environment. Their logging just sucks compared to SmartLog.

I just don’t get it, but kudos to their marketing machine.

I have friends at another enterprise corp that spent millions and countless hours to switch. Years ago they had about 300-400 CP firewalls and ~5-10 firewall people. NOW:

  • ~50 firewall bodies
  • PA management and logging is OK but definitely not as good as CP
  • It is stable
  • App control is starting to be deployed and mostly works sometimes
  • Various 3rd party analysis tools don’t work like Tufin, Firemon, etc. so rule reviews are difficult
  • Support is hot/cold

So millions were spent and countless hours were toiled and they went from Point A to Point A with 5x more bodies. How did that increase security? How did that lower costs?

Summary: Don’t drink the Kool-aid. Understand what your end goal is, don’t just go from Point A to Point A. Spend those funds on more important security projects that have a cost/benefit.





Palo Alto Threat Detection review from the trenches

So I have a friend of mine XXX who has been through several iterations/implementations of IPS, DLP, Firewalls, Threat Detection because someone drank Vendor YYYY Kool-Aid. XXX is much like me — dealing with CheckPoint can sometimes be a pain and it’s getting real old but CP management and logging (SmartLog) keeps us with the home team.

XXX’s mgt drank the Palo Alto kool-aid so XXX brought me up to date on the good/bad/ugly of PA’s threat detection environment.

So here it is in my words with XXX’s review:


  • Scoping for objects/rules is great: firewall,zone,global. Wish Checkpoint had this
  • Licensing is easier
  • Solid as a rock, good quality
  • IPS between Palo and CheckPoint is about the same


  • Logging cannot compare to SmartLog. Some cryptic form of regex
  • Trying to correlate logs in centralized logging is very difficult – each log type Firewall, URL, Threat, etc has its own log item and the only way to tie them together is session ID which is reused about every 2 weeks.  Very difficult when there are multiple firewalls that use the same session id.
  • They don’t even have a true DLP; it is called Data Filtering. It will not take full regex entries, therefore the false positive rate is very high for SSN and CC
  • Wildfire only scans specific file types and is far less than FireEye. It also will only scan a file that is 10 mb or lower so some files can get through. [Getting exact numbers from FireEye.]
  • Rules are easy to enter; where it becomes difficult is if you want split responsibilities between network and security. In order to enable URL filtering, IPS, data filtering they need to be added to a rule.
  • no “Where Used” function until last release
  • Expensive!
  • Checkpoint has more of a true DLP, Palo has data filtering
  • Support has been poor
  • FYI: XXX LOVES!!! FireEye. Every firm I’ve worked with has said the same. What SmartLog is to me, they feel about FireEye

Summary: Detection systems are weak and forensics capabilities (Log searches/correlation) are even weaker.

Redirecting NSX firewall syslogs into SmartLog


So we know that NSX DFW is a cool toy, but its logs are invaluable for debugging and forensics. Wouldn’t it be cool if we could see DFW logs along with SmartLogs??? So our need is to have single-pane of glass security; Enter vSec and SmartLog.

After 100 VMs we knew that using DFW would just not work. In addition the logging was painful, syslog based. So we decided to use the best management and logging tools on the market….and it just so happens this is one of the things CP does extremely well. Management and logging. Today’s talk is on “Having Fun with Logging”.

So we needed to get the DFW syslogs into SmartLog. How to do that? Well, the first thing you do is pour salt on the documentation. It’s OK, but only gives you the basics. I have decoded this documentation and will show you how to send DFW logs to SmartLog and make it go a lot faster. By default, you can just turn it on with factory defaults… but it will overwhelm your SmartLog server and all the data will be in the ‘info’ field and not parsed out. So it took me a couple months to figure out how to do all the parsing efficiently so as not to bury our log server.

And now for the rest of the story…..



NSX is the part of VMware vSphere that runs its SDN…including the firewalls..Distributed Firewalls (DFW). These firewalls send their syslog to their ESXi hosts which we forward to a custom syslog-ng server on a single VM. We customized this syslog-ng server to parse DFW logs into CSV format….no easy task but doable. Why????


Once in CSV, syslog-ng forwards the logs to ‘syslog’ on what is currently a UTM 4800 with 4 cores. This is a custom syslog built by CP to accept syslog and convert to CP native log format. ‘syslog’ forwards the converted logs to fwd which enables SmartLog and Tracker to read the logs.

Simple enough…….ok, then read no further.

syslog-ng config

Syslog-ng allows you to parse through logs and reformat them. You can do some simple parsing with the basic configuration file, but the fun starts with more complex patterns with the pattern matching databases. Basically you need to convert this:


into this:


Now all you people are tons smarter than this old balding has-been…so I am not going to explain syslog-ng internals to you all. You will have to read the documentation. But I will give you the overview of what I did with it.

syslog-ng has two parts

  • General filtering config – Most people use this just for simple filtering of logs
    and re-formatting of logs and redirecting logs to host files, DB’s, other log servers.
  • Pattern Database – More complex parsing where you can take pieces of the input line, parse out specific items with regex, and insert those regex patterns into variables/macros to be used later in the General Filtering Config.

General Filtering Config: The first thing you need to do is filter on DFW logs only and nothing else. NSX puts labels on these logs and you will have to look in the raw log file for it.


Second thing you have to do is get rid of the TERM log entries (terminate connections for TCP, for UDP you’ll see zillions of these going to 5355 some sort of local subnet DNS resolution. Unfortunately in cloud world we have huge subnets so all the VMs are doing this local link DNS resolution). 75% of the DFW logs are TERM entries so can be ignored.

Pattern Database: Next part is a bit harder. You have to build a pattern database that will parse raw DFW log entries and match each field up to a named macro. For example below is a snippet of a DFW log entry matching pattern. You can see the ‘action’, ‘domain’, ‘protocol’ fields are 3 of many fields that would match a DFW log entry from above.


This can be a delicate task, but there is a tool to help debug … ‘pdbtool match’. You can type in a sample line and see if your pattern database will match it:


General Filtering Config: Next, DFW labels ICMP protocol as ‘PROTO’. So I just translate into normal geek lingo ‘ICMP’.


General Filtering Config: Next is the fun part. We finally get to output CSV to the CP syslog server. Notice how the MACRO names like ‘size’ and ‘protocol’ are used to fill in the CSV?


General Filtering Config: And here is the ‘main’ section that drives all the above phases:


So restart your syslog-ng server:

/etc/init.d/syslog-ng restart

and off you go!

At this point you can ‘tcpdump -X -n -s0 port 514’ to verify that in fact the logs are formatted correctly and heading over to CP land.
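The syslog-ng snippets for the stages above did not survive on this page. As an added example (a Python model, not the author's syslog-ng configuration), the code below applies the same stages in order to constructed DFW lines: keep only DFW entries, drop TERM records, split each entry into named fields, rename PROTO to ICMP, and emit the nine-field CSV. The raw line layout, the column order, the "0" filler for missing ports and the `dfwpktlogs--` marker (the page's "–" read as a double hyphen) are assumptions.

```python
import re

# Marker the Check Point side keys on. Assumption: the page's "–" was typed "--".
MARKER = "dfwpktlogs--"

# Order of the nine CSV columns (an assumed layout; the page only fixes that
# column 1 is PASS|DROP and that 'domain', 'protocol' and 'size' are fields).
FIELDS = ("action", "domain", "direction", "size", "protocol",
          "src", "sport", "dst", "dport")

# Stand-in for the pattern database: one named group per macro.
DFW_RE = re.compile(
    r"INET6? \S+ (?P<action>PASS|DROP|REJECT) (?P<domain>\S+) "
    r"(?P<direction>IN|OUT) (?P<size>\d+) (?P<protocol>\S+) "
    r"(?P<src>[0-9A-Fa-f.:]+)(?:/(?P<sport>\d+))?->"
    r"(?P<dst>[0-9A-Fa-f.:]+)(?:/(?P<dport>\d+))?"
)
TERM_RE = re.compile(r"\bINET6? TERM\b")

# Constructed sample input: one TCP pass, one TERM record, one ICMP drop
# (logged by DFW as PROTO, without ports) and one unrelated ESXi message.
SAMPLE = [
    "<14>Mar 10 03:22:22 esx01 dfwpktlogs: 58734 INET match PASS "
    "domain-c7/1001 IN 60 TCP 10.1.1.10/33491->10.2.2.20/443 S",
    "<14>Mar 10 03:22:23 esx01 dfwpktlogs: 58734 INET TERM "
    "domain-c7/1001 IN TCP FIN 10.1.1.10/33491->10.2.2.20/443 5/4 420/380",
    "<14>Mar 10 03:22:24 esx02 dfwpktlogs: 58734 INET match DROP "
    "domain-c7/1002 OUT 84 PROTO 10.1.1.11->10.2.2.21",
    "<14>Mar 10 03:22:25 esx02 Vpxa: verbose vpxa[7F2B] heartbeat",
]


def to_csv(line):
    """Return the CSV record for one raw syslog line, or None if filtered out."""
    if "dfwpktlogs" not in line:        # stage 1: DFW entries only
        return None
    if TERM_RE.search(line):            # stage 2: drop TERM records
        return None
    match = DFW_RE.search(line)         # stage 3: split into named fields
    if match is None:
        return None
    record = match.groupdict()
    if record["protocol"] == "PROTO":   # stage 4: DFW's label for ICMP
        record["protocol"] = "ICMP"
    # Stage 5: CSV output. The receiving regex splits on commas and needs at
    # least one character per column, so commas are replaced and a missing
    # port becomes "0" instead of an empty column.
    values = [(record[name] or "0").replace(",", "_") for name in FIELDS]
    return MARKER + ",".join(values)


def convert(lines):
    """Run every line through the stages and keep the records that survive."""
    return [rec for rec in map(to_csv, lines) if rec is not None]


if __name__ == "__main__":
    for rec in convert(SAMPLE):
        print(rec)
```

Comparing this output with what tcpdump shows on port 514 is a quick way to tell a parsing problem on the syslog-ng side from one on the Check Point side.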

SYSLOG Testing

Just in the off case my code sucks, here is how you test it. There are syslog generators out there that you can use: I used this one and here you can see how I generated traffic:


One key thing is the “dfwpktlogs–” is what triggers the regex’s to fire in the next section. Do NOT use ‘:’, you have to use ‘–‘ or for some reason the regex won’t parse correctly. More below…



So now the logs are flowing to port 514 on SmartCenter Log server. So you have to make sure you enable the syslog process (NOT syslogd) to listen.



This will start the syslog process on port 514 on SmartCenter.


On a MLS, you have to restart the whole MLS for the config to kick in. On MLS, a syslog daemon will be started per domain log server IP address for every domain where SYSLOG is configured to accept syslogs.


and syslogng logs will flow magically into Tracker. Actually they will magically flow, but only fill in the INFO field and will not parse …. yet.

Oh yeah, when debugging you can get the syslog process to re-read the syslog config with:

  1. mdsenv <DOMAIN>  # MDS only
  2. fw kill fwd; fwd -n &


OK, now it gets fun.

So there is this CP tool: Eventia Log Parser that looks pretty cool. You feed it your SYSLOGS and magic parsing configuration pops out the other end:



Yeaaaaaaah…NO. Doesn’t work and the config you output is so complex the SYSLOG engine will run at 100%. Both ELP and SYSLOG were written about the time after the Civil War and are on version 1.0…Typical CP V1 code so don’t get your hopes up. Let me know if you have better luck, I spent days on this.

So I decided to generate the syslog parsing config myself. I saw what ELP attempted and then came up with my own.

Remember that SYSLOG-NG is sending CSV formatted logs:


and CP SYSLOG is taking them in and turning them into SmartLog readable:


So let’s begin.

The debug process is this:

  1. mdsenv <DOMAIN> if on MDS
  2. Edit the syslog rules with your stuff
  3. ‘fw kill fwd; fwd -n &’ restarts the syslog daemon
  4. Use the syslog generator
    1. Forget all this parsing junk, just get the SYSLOG-NG to dump into the CP SYSLOG and see the results in TRACKER in the ‘info’ field
    2. Try and get the REGEX rule to fire on ‘dfwpktlogs–‘
    3. Try and get field #1 to parse and fill in some random text field for debugging
    4. Try and get field #1 to output into the official SmartTracker field
    5. Go to #2 for field #2/3/4/5….

So far I have given you enough information to do #4.1. Let’s work on #4.3.

This may look simple…but it took me days and days to fine tune this. The ELP generated config was pages and pages of REGEX expressions. I boiled down to 1 line:


Even if you aren’t a regex geek, you can see that I am parsing the CSV file into 9 fields.

REGEX GEEK OUT (don’t read this if you aren’t a regex geek):

FYI: They don’t implement FULL regex matching! Example: You can only have 9 matching field patterns, I couldn’t get it to recognize ‘:’, you can’t use lazy searches ‘.+?’. It is some limited hack that you will never figure out because there is no documentation other than examples.  AND their regex performance is horrible, so I tried to avoid using ‘.*’ because it is greedy and will scan the whole line and then backtrack. Instead I used the ‘[^,]’ which searches for all characters NOT ‘,’, which is the same as ‘(.*),’…but doesn’t have the backtracking.


============= END GEEK OUT===============================

So what is important is the ‘dfwpktlogs–‘.  When the regex sees this pattern, it will fill in the 9 columns of information from the CSV formatted input line. Now there are 3 different types of actions that will be taken depending on the results of a REGEX match:


  • NO MATCH on regex: Result->log entry with data in INFO field
  • MATCH but no log entry: you matched the ‘dfwpktlogs–‘ but something went wrong writing the fields, such as trying to print out a number into Tracker, a data type error, a wrong field name, a syntax error on field names, etc.
  • MATCH and () field hits: can use index_value(1) to fill out fields (coming next)

OK so next you will try and parse field #1 which is the first ‘([^,]+)’. This is the PASS|DROP field from the CSV. What I did is I first captured the field and then dumped it into a random text field. This told me that 1) I captured it correctly 2) I am able to write to SmartTracker.


Here is the add_field that does this. add_field adds the field to Tracker. Field_name is the Tracker field, in this case the ‘rule_name’ field. field_index is CSV field 1 (from 1-9). Field type is the type of the Tracker field. But beware, I didn’t always get this right and the log entries would just disappear so I had to experiment. I also looked into:

$FWDIR/conf/syslog/CPdefined/*.C files for examples to see what their field types are.

You can also look into


to see the Tracker field names and types. It’s a bit kludgey but between CPdefined examples and this file you’ll get close.

Here you can see ‘rule_name’ is the name of the Tracker field defined in svt_fields.C.



So now you have 1) captured field #1 and 2) written it to the ‘rule_name’ field. You can now verify that you captured the field you intended to. Once you verify this, you can then write it to the REAL field.

Here we are writing the PASS|DROP to the ‘action’ field in tracker:


HOLD ON DREEZ: How in the heck did PASS|DROP get converted to Accept|Drop???? you ask.

Grasshopper, I introduce the dictionary file…


This is a second file in the same directory that will do transforms for you. Here you can see “PASS” being converted to ‘accept’.

DREEZ you ask: How do I know what to convert to what?

Oh yes grasshopper. You read the CP documentation…NOT!!! HAHAHAHAHAH. Dreez makes a big funny. HAHAHAHAH. Remember grasshopper, this documentation was written in the Civil War and even now the Lord Developers rarely talk to their lowly documentation peasants slaving in the fields trying to identify nuggets of information to feed their ignorant customers. (If you want real documentation see AWS documentation, you can see where developers talk to the documentation team). That’s what phone support is for —- DUH!!!!

Oh yes, I easily diverge, forgive me.

No grasshopper you do what us old people have been doing for centuries. You look at examples in



On your log server: fw log

Will print out your logs with the field names in them.

To get a feel of what the valid field types are.

So now that you know how to do field #1, now you go through all the fields one at a time….or……

You can just use my template as a starter!!!
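The author's template, the one-line regex and the dictionary file are not reproduced on this page. As an added example (a Python model, not Check Point's parser syntax and not the author's files), the code below shows the three outcomes described above and why nine `[^,]+` groups are safer than nine `(.*)` groups: a malformed record falls back to the INFO field instead of shifting columns. Tracker field names other than `action` are hypothetical, and `dfwpktlogs--` assumes the page's "–" stands for a double hyphen.

```python
import re

MARKER = "dfwpktlogs--"   # assumption: the page's "–" stands for "--"

# Nine capture groups, the limit the page reports for the CP syslog parser.
STRICT = re.compile("^" + re.escape(MARKER) + ",".join(["([^,]+)"] * 9) + "$")
GREEDY = re.compile("^" + re.escape(MARKER) + ",".join(["(.*)"] * 9) + "$")

# CSV index -> (Tracker field, type). 'action' is the field the page writes
# PASS|DROP to; every other field name here is a hypothetical placeholder.
FIELD_MAP = {
    1: ("action", str), 2: ("dfw_rule", str), 3: ("direction", str),
    4: ("bytes", int), 5: ("proto", str), 6: ("src", str),
    7: ("s_port", int), 8: ("dst", str), 9: ("service", int),
}

# Model of the dictionary file: raw CSV value -> value Tracker expects.
DICTIONARY = {"action": {"PASS": "accept", "DROP": "drop"}}

# Constructed CSV records as the syslog-ng side would send them.
GOOD = "dfwpktlogs--PASS,domain-c7/1001,IN,60,TCP,10.1.1.10,33491,10.2.2.20,443"
BAD_TYPE = "dfwpktlogs--DROP,domain-c7/1002,OUT,big,ICMP,10.1.1.11,0,10.2.2.21,0"
EXTRA = GOOD + ",S"      # ten columns instead of nine
EMPTY = "dfwpktlogs--DROP,domain-c7/1002,OUT,84,ICMP,10.1.1.11,,10.2.2.21,"


def parse(line, pattern=STRICT):
    """Return the Tracker entry for one CSV record.

    {'info': line}  -> no regex match, the raw text lands in the INFO field
    None            -> matched, but a field did not fit its type, so the
                       entry is lost (the disappearing logs the page warns of)
    dict of fields  -> matched and every column was written
    """
    match = pattern.match(line)
    if match is None:
        return {"info": line}
    entry = {}
    for index, (name, ftype) in FIELD_MAP.items():
        raw = match.group(index)
        raw = DICTIONARY.get(name, {}).get(raw, raw)   # e.g. PASS -> accept
        try:
            entry[name] = ftype(raw)
        except ValueError:
            return None
    return entry


def first_column(line, pattern):
    """Column 1 as the given pattern captures it, or None on no match."""
    match = pattern.match(line)
    return match.group(1) if match else None


if __name__ == "__main__":
    print(parse(GOOD))                    # parsed entry, action == 'accept'
    print(parse(BAD_TYPE))                # None: 'big' is not a number
    print(parse(EXTRA))                   # INFO fallback with the strict form
    print(first_column(EXTRA, GREEDY))    # greedy form swallows a comma
```

With the greedy pattern the ten-column record still matches, but column 1 becomes `PASS,domain-c7/1001` and every later column is shifted by one, which is harder to spot than a record sitting unparsed in INFO.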



So the first time we did this, we used CP’s syslog ELP generated config on one of our big servers and the server went to 100%++++. Unfortunately the ‘syslog’ process is single threaded so it had nowhere else to go.

So with 1100 VM’s….each with its own firewall…sending syslog to my config described above to a 4800 (slow) based management station…performance was much better but not ideal. The 4800 has a quad core Q9400 on it. Syslog process is a bit busy but at least not 100%. It will average between 11% and 60%, and burst to 90% now and then.

Now remember that on MLM, each domain/cma/clm has its own ‘syslog’, so you can manually distribute the load amongst multiple logging domains. But I would hate to do domain design based on log loads. For example, at one company 2 of 12 domains had 90% of our logging. So should we split them up further because of logging? Not sure.

Your mileage may vary….



Everyone is excited about this because SmartLog is what our org (and all the other orgs I’ve been at) live and die by. Centralized single-pane of glass easy to use and fairly fast security monitoring. It is the gem of all of CP’s products. And it mostly sometimes works!!!

Now we can send logs from other tools like other firewalls, URL filtering, FireEye, etc into this and use SmartLog to get quick answers. I am keeping both flat syslog files as well as sending them to mongodb and SmartLog. YES: SIEM tools exist…but either they don’t work, are too expensive or at capacity, etc. ‘grep’ is free. ‘mongodb’ is free, etc.







Administrator Audit Made Easy – Create CSV of MDS user permissions

Darn auditors want to know who has what permissions in MDS……but want it in a spreadsheet! What’s up with that old technology?

Here it is, a matrix of users and their permissions.


Python Program #2: Adminparser

NOTE: Goes hand in hand with my Cparser module.

Hopefully this will be easier with the R80 REST interface.

Audit OUT!


Convert any CheckPoint .C file into Python List

Killing two birds  with 1 pebble. Learning some python and automating our admin audits.

This is the core of it. Converts any .C file into a Python list. So you can use this to parse through your objects, rulebases, users, admin lists, etc. Once converted you can create GUIs and other parsing tools (like the one I will use for admin user deltas).

Download here:
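The download is not reproduced on this page. As an added example (not the author's Cparser or Adminparser module), here is a small parser for the nested `:name (value ...)` syntax of Check Point .C files that returns plain Python lists, followed by the user/permission CSV matrix the audit post above describes. The sample text, its attribute names and the `[name, value, children]` node shape are constructed for illustration; real admin data will use different attribute names.

```python
import csv
import io
import re

# A token is a quoted string, a parenthesis, or a run of other characters.
TOKEN = re.compile(r'"(?:[^"\\]|\\.)*"|[()]|[^\s()]+')

# Constructed sample in .C syntax (not taken from a real management server).
SAMPLE_C = '''
(
	:admins (
		: (alice
			:type (administrator)
			:comments ("Firewall team (lead)")
			:permissions (
				:policy (write)
				:logs (read)
				:users (write)
			)
		)
		: (bob
			:type (administrator)
			:permissions (
				:policy (read)
				:logs (read)
			)
		)
	)
)
'''


def _entries(tokens, pos):
    """Parse ':name (value children...)' entries up to the closing ')'."""
    nodes = []
    while tokens[pos] != ")":
        key = tokens[pos]
        if not key.startswith(":") or tokens[pos + 1] != "(":
            raise ValueError(f"expected ':name (' at token {pos}: {key!r}")
        pos += 2
        value = None
        token = tokens[pos]
        if token not in ("(", ")") and not token.startswith(":"):
            value = token.strip('"')        # bare word or quoted string
            pos += 1
        children, pos = _entries(tokens, pos)
        nodes.append([key[1:], value, children])
        pos += 1                             # consume this entry's ')'
    return nodes, pos


def parse_c(text):
    """Convert .C text into nested lists: [name, value, [children...]]."""
    tokens = TOKEN.findall(text)
    if not tokens or tokens[0] != "(":
        raise ValueError("a .C file starts with '('")
    try:
        nodes, _ = _entries(tokens, 1)
    except IndexError:
        raise ValueError("unbalanced parentheses") from None
    return nodes


def child(node, name):
    """First child of node with the given name, or None."""
    return next((c for c in node[2] if c[0] == name), None)


def permission_matrix(tree, section="admins", perms_key="permissions"):
    """CSV text with one row per user and one column per permission."""
    users = child(["", None, tree], section)[2]
    rows = {}
    for user in users:
        perms = child(user, perms_key)
        rows[user[1]] = {p[0]: p[1] for p in (perms[2] if perms else [])}
    columns = sorted({col for row in rows.values() for col in row})
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(["user"] + columns)
    for name in sorted(rows):
        writer.writerow([name] + [rows[name].get(c, "-") for c in columns])
    return out.getvalue()


if __name__ == "__main__":
    print(permission_matrix(parse_c(SAMPLE_C)))
```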


2015 CPX Part Zwei – SDN

UPDATE: CheckPoint R80, R77.20(with updates) has announced integration with Vmware 6.0 which is great. Called Vsec. Clarifies many of the questions below. I haven’t seen it (because I’m sitting on a beach in Italy), but hope to do a pro/con when I get back.

========================================Date 5/10/2015 CPX Conference ===============

Summary: CheckPoint R80 is integrating with most of the other SDN players: NSX, ACI, OpenStack. Looks great so far.

Problem: (Heard this at CPX) Financial IT guy said CIO called him and asked for a 600 server farm to do some big data mining on confidential financial data. Classic physical deployments would take 6 months. They did it in 2 weeks – virtual world and scripting. How does/will CP protect this data mining farm?

BEGIN SDN Glossary:

  • North-South Traffic: data traffic in/out of a physical VMware/Virtual host
  • East-West Traffic: data traffic between virtual guests internally within a physical VMware/Virtual host
  • ESXi – VMware’s Hypervisor or operating system that operates on bare metal
  • vSphere – VMware’s total virtual package offering
  • vCenter – VMware’s management station component for managing servers
  • NSX – Networking component of VMware
  • Virtual Guest – A OS environment (Linux, Windows XP, MAC OS, OEM custom product) running in an emulated physical environment on top of a hypervisor (VMware, OpenStack, VirtualBox, KVM, etc). Common operations are virtual guests can be paused, take snapshots, have an API for automating/monitoring guests.

END SDN Glossary

BEGIN CP VE Glossary: CheckPoint VE is CP’s firewall product that runs in a VMware environment. It has two modes:

  • Network mode – Firewall as you know it runs as a guest in a virtual environment, cannot see any other objects  in the virtual environment
  • Hypervisor mode – runs inside the hypervisor, can see all objects in the virtual environment. This allows you to assign a L2 firewall to each virtual guest. So in the end, nothing more than host based firewalling….but saying the word ‘hypervisor’ sounds so much more cool.

END CP VE Glossary

So CP has a couple problems with VMware right now:

  • Currently not integrated in the latest ESXi 6.0 release at the Hypervisor level (Hypervisor level is like being inside the Windows OS. In Windows if you want a list of all processes you must ask or be inside of the Windows OS to see all the processes. If you want a ‘firewall’ to protect process A from process B you have to be inside Windows OS. Same thing with Vmware Hypervisor.)
  • Management: R75.20—- cannot grab VMware objects/IP addresses/network fabric
  • Enforcement: So right now CP is not integrated inside ESXi 6.0 VMware Hypervisor so CP cannot protect East-West Traffic.

The fuzzy details are CP has integrated with an old VMware API 5.5, but not the current 6.0. In order to get into the real SDN game CP firewall must run inside the VMware Hypervisor which is the VMware OS. Specifically it must have access to NSX. Now one CAN today manually spin up CP VE network mode instances (as guests) inside the 600 virtual server farm and manually connect into the virtual network…..but a human being has to manually configure the firewalls as we do in the physical world because only humans know the IP addresses and server names and protocols.

What R80 WILL do is use the VMware REST API (see my blah blah on REST) to grab all the VMware objects and their IP addresses. They appear as DataCenter objects (if I remember right) in Dashboard and can be referenced like any other object. Note that these objects are really pointers into the VMware environment, and R80 keeps sync with VMware so if the object is deleted in VMware, it disappears from CP (little scary, VMware modifying firewall policy, another discussion).

What R80 can’t do is enforce policy on east-west traffic today because 1) There is no R80 firewall and 2) I’m not sure VMware released the latest 6.0 API. So I saw demos of the management integration and it looks good. VMware objects look like any other objects, but note they are pointers into VMware and not managed by CP. If all goes as planned, the R80 firewall should be supported in the NSX 6.0 Hypervisor. What are the bells and whistles?

  • If a new VM is spun up, you can automatically generate a policy and a L2 firewall to protect it
  • If a VM vMotions from Fargo to Shanghai, the firewall follows it
  • At L2, you can redirect a service/port to the firewall for filtering (this host is infected, inspect all its port 80 traffic), and then back to its original route
  • You can quarantine a VM if it misbehaves and not let it talk or shut it down

All this looks good, just hope they can get it to work. You see some of this in ESXi 5.5.

So someone asked me what I think “Software Defined Protection” is. Mike, what is “Software Defined Protection”??? Glad you asked.

Firewall performance in a virtual world is a game changer. CheckPoint’s edge with Software Defined Protection is that it has been designed ground up in software. Performance is based on throwing more CPUs at the problem, and not custom ASICs. Other vendors rely on custom ASICs for performance so migrating their code to a software based virtual world requires re-coding and/or loss of hardware based performance gains. In addition, in the virtual world security will become more dynamically scripted with no expensive slow humans in the chain. Firewalls, rules, objects will become more automatically created and destroyed all through software. CheckPoint’s R80 has the API and the tools (so they say) to play in a scripted automated world all managed from a single pane of glass centralized security management platform. Now THAT’s Software Defined Protection.

2015 CPX – R80 and Capsule

Summary: 2015 CPX was like a continuation of 2014 CPX. No big announcements, usual rah-rah. R80 and Capsule were the focus. As always highlight was talking directly with developers. Lunch was great.

R80: Dorit says it’s out now, techies say Q3. MDS version is still up in the air. R80 firewall in EA. So basically I can’t say when it’s coming out but I hope to god the QA people are busy. I actually bought some CP stock based on R80 release.

Capsule: Funny: Gil says “How many people have threat prevention on your mobiles?” about 2 people out of 1300 raise their hands. “See, we can’t even get CP people to use it…that’s why it’s a 5 year plan”. Crowd roars. (not direct quote but something like that).

True Story: I was in Costa Rica on guided tour on steep path on sheer cliff. Guy ahead of me asks his wife to take a picture of him with his iPhone. Wife steps back and almost falls off cliff. He yells “MY IPHONE!!!!”

My read of Capsule is that people care more about their mobile phones than they do their partners. Reduce their battery usage, screw up texting, block mobile data access and they will hunt you down and burn you in your bed. I agree with Gil. Until the bad guys trash your phone and the pain is worse than the impact of the security software, the market has yet to develop. Technology needs to catch up to support the additional load on the device.

I spent most of my time tracking down their progress on Software Defined Networking which I think looks exciting and hopefully will be CP’s next ride to the top with R80 management.

The tofu and quinoa warm dish was fantastic. The tofu had a bit of crunch to it.

So the rest of the show was a 2014 repeat telling you to turn on more security stuff, the end of the world is near, the cemeteries are full of people that had computer viruses, we are all going to die.

Random Details in Random Order with Random Comments:

CP Strategy over the years:

  • 2012 CP as security company vs product company- history
  • 2013 3D security rah rah- that’s all history
  • 2014 Software Defined Protection
    • Management
    • Control
    • Enforcement
  • 2015 Software Defined Protection – 2 years in a row

I actually saw SDP described in several talks 2 years in a row by some of top management…so maybe it will stick. I just don’t get how the title has anything to do with the content and how it makes CP stand out from the rest of the horde. Everyone has management, control, enforcement. CP’s edge is Great Centralized Management.

So my frustration with Gil is he does not set CP’s strategy as “Centralized Security Management” and then follow up to say “Last year we said we’d do X, Y, Z and we did X and Y. By 2017 we will do 1,2,3,4.” Capsule is a good example: everyone and their mothers will have mobile protection…but imagine trying to centrally manage security on 100,000 mobile phones. Who is going to do that best? Why is CP better than competitors? By when? What does it look like? What do the analysts think? What kind of revenue numbers? What is the sales strategy?

(To be fair Dorit did some of this, but from an operational point of view not a visionary point of view)

But then again he does have a private jet and I drive a 2006 Scion.

Who is Check Point this year.

Some guy gave talk trying to prove with statistics that CP is the best.

  • Best prevention software – Everyone says this, software is still maturing.
  • Best management platform – Agree: but competitors are very close. Needs quality R80 release
  • Best security DNA – Everyone says this but he was right – most people in CP have military backgrounds with the enemy 20 miles from your child’s bed so they do have a security mindset.

Featured Speakers:

  • Michael Morell – FBI director: End of world is near, Chinese hacked his email and wife figured it out, he saw scary stuff
  • Michael Chertoff Former Homeland Security Guy: End of world is near, he saw scary stuff

Threat Prevention: 

  • AV is now useless, too many zero day attacks
  • IPS going the way of AV
  • Threat Emulation is the rage….until hackers put a “sleep(till Tuesday)” in their code
  • AntiBot is OK, but using encrypted channels so look for known DNS and IP addresses
  • Threat Cloudiness is a must to stay on top of zero-day attacks
  • They bought Hyperwise and Lacoon because the above are pretty iffy, but no one could tell me what they do.

My read: CP’s blades are still maturing but their edge is single pane of glass centralized management. Threat Prevention is not a technical problem, it’s a people management problem. When the sh*t hits the fan, you want all silos in the organization looking at a single pane of glass…not 10 different “Best of Breed” solutions. Single pane of glass security management increases detection rates because people are familiar with a single product, reduces response times, and lowers TCO. This is the value CP brings to the security marketplace.


  • Everyone I spoke to has a different release date. I’m OK with being late, it just has to have the quality this time. I even bought some stock betting on R80.
  • I can’t get 2 people to give me the same picture on R80 MDS. Latest speech is it will be 1 executable, but you can sign into either MDS or SmartDashboard. Last year they said it was all merged…well, that ain’t merged. MDS is long in the tooth and needs more integration with SmartDashboard. Only 2 big differences are
    • you are supposed to be able to have multiple sections of global policy instead of just top and bottom.
    • global objects are broken into chunks instead of one big database
    • you can import chunks of objects into the domains
  • Hit counts on objects
  • Logging integrated into Dashboard
  • I couldn’t get an answer if you can seamlessly copy between domains
  • They realize the future is all about scripted access, so REST API and associated tools is huge
  • Software Defined Networking integration looks cool

Dorit – President

  • Roadmap – Nothing really new just bigger faster
  • I thought this was impressive. A person in our group asked a question about some innocuous technical point on Amazon cloud. Dorit hunted her down 1 hour later to give her an answer…and there were 1300 people at the conference.
  • Dorit also was very responsive to my issues. I heard from internal people that she was pushing buttons trying to make things happen.


  • As always one goes to CPX to talk to the developers. The afternoons are where you really can connect with the muscle of CP and get the real story. And they can see your pain and try and make a difference.
  • I spoke with several developers from Threat Prevention, SDN, R80. They really want to hear your pain and make a difference, which is a great feel.

SDN, Clouds

  • Spent 1/2 the show tracking down SDN demos which I am excited about.
  • R80 will integrate into SDN products. Saw some cool demos
  • Separate blog coming

Tufin – Talking the Right Talk

  • Tufin gave a pitch on Cloud Security Management and how big an issue it will be.
  • They are dead on with identifying the problem, Rubin was great
  • In cloud and SDN objects/rules are created by scripts so the scalability and speed of deployment will be mind boggling. Imagine having a script that deploys 1000’s of servers and firewalls and rulesets in seconds. Next there is a network problem and you have to go find it.
  • I’m not sure what their solution is about but they are the only ones that can talk about the management complexity we are weaving for ourselves.

Making LDAP/Identity Awareness SmartDashboard User Picker Go Faster…And even Fix it

So our SmartDashboard user picker keeps breaking. So turns out for Yet To Be Determined Reason (YTBD) the User Picker gloms onto an LDAP server specified in a random LDAP AU. I haven’t figured this part out yet. So if the LDAP server goes down or is in SIBERIA, your user picker experience will make you want to switch to Cisco ASA. Remember, the User Picker in Dashboard is making queries from YOUR PC!!!!! So you need to find an LDAP server closer to your PC. The User Picker is pretty darn sensitive to latency so you won’t know if it’s broke or tired, it just randomly works. It took me forever to figure out how to make the User Picker wire into an LDAP server that is faster. This is it:

  1. Note what LDAP server the UserPicker is currently using by expanding the user list. In the example below it is going to the SIBERIA-DC.uesrpickerborke
  2. Now you have to go through all your AUs and figure out which AU points to the SIBERIA LDAP server. Hopefully you are able to change it to a DC that is more local to your UserPicker. You might have to duplicate this AU and assign the new one to the SIBERIA firewall and keep this one for the UserPicker.faster
  3. If you have multiple DCs in your list, you have to pick the lowest latency one here. This is what decides what DC User Picker will use.

Yeah, I know it’s a hassle but I PROMISE you it’s fixed in R80. PROMISE!!!.
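Step 3 depends on knowing which DC answers fastest from the PC that runs SmartDashboard. The script below is an added example, not part of the original post: it times TCP connects to each candidate LDAP server and ranks them. Assumptions: the hostnames are placeholders, the port is 389 (use 636 for LDAPS), and TCP connect time stands in for LDAP query latency.

```python
import socket
import statistics
import time

def tcp_connect_ms(host, port=389, timeout=2.0):
    """TCP connect time to host:port in milliseconds, or None on failure."""
    start = time.perf_counter()
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return (time.perf_counter() - start) * 1000.0
    except OSError:  # refused, timed out, or the name did not resolve
        return None

def rank_ldap_servers(servers, port=389, samples=5, probe=tcp_connect_ms):
    """Probe every server `samples` times and rank the results.

    Returns (host, median_ms, failures) tuples. Servers that answered every
    probe come first, fastest median first; servers that dropped probes
    follow; servers that never answered (median None) are last.
    """
    results = []
    for host in servers:
        times = [probe(host, port) for _ in range(samples)]
        good = [t for t in times if t is not None]
        median = statistics.median(good) if good else None
        results.append((host, median, samples - len(good)))
    return sorted(results, key=lambda r: (r[1] is None, r[2], r[1] or 0.0))

if __name__ == "__main__":
    # Constructed placeholder hostnames: replace with the DCs in your Account Unit.
    candidates = ["dc-local.example.com", "dc-siberia.example.com"]
    for host, median, failures in rank_ldap_servers(candidates):
        shown = "unreachable" if median is None else f"{median:.1f} ms"
        print(f"{host:30} {shown:>12}  failed probes: {failures}")
```

Run it from the same PC that runs SmartDashboard, since that is where the User Picker queries originate. A server that drops even one probe is ranked below every clean one, which matches the "randomly works" symptom.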



Identity Awareness started to fail, Captive Portal broke – Certificates changed

This weekend our captive portals just stopped working. This obvious error told me a lot (not).


tcpdump was equally confusing..


Took me a while, but turns out AD certificates changed and no one notified us. I just happened to notice that the fingerprint changed when I fetched it.


One of those “Thank god it wasn’t the firewall” days.
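A certificate change like the one described above can be caught before the captive portal breaks by recording each DC's LDAPS certificate fingerprint and checking it on a schedule. The script below is an added example, not part of the original post. Assumptions: LDAPS on port 636, placeholder host and baseline values, and a SHA-256 fingerprint over the DER certificate, which may not be the format SmartDashboard displays.

```python
import hashlib
import socket
import ssl

def fingerprint(der_bytes):
    """SHA-256 of a DER-encoded certificate as colon-separated upper-case hex."""
    digest = hashlib.sha256(der_bytes).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def fetch_ldaps_cert(host, port=636, timeout=5.0):
    """Return the leaf certificate (DER) the server presents on LDAPS, or None."""
    ctx = ssl.create_default_context()
    # Validation is off on purpose: the goal is to record what is presented
    # and compare it with the pinned value, not to trust the connection.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.getpeercert(binary_form=True)
    except OSError:  # includes ssl.SSLError, timeouts and DNS failures
        return None

def check_against_baseline(baseline, fetch=fetch_ldaps_cert):
    """baseline maps host -> pinned fingerprint. Returns host -> (status, seen)."""
    report = {}
    for host, pinned in baseline.items():
        der = fetch(host)
        if der is None:
            report[host] = ("UNREACHABLE", None)
            continue
        seen = fingerprint(der)
        report[host] = ("OK" if seen == pinned else "CHANGED", seen)
    return report

if __name__ == "__main__":
    # Constructed baseline: placeholder host and fingerprint, not real values.
    baseline = {"dc1.example.com": "00:" * 31 + "00"}
    for host, (status, seen) in check_against_baseline(baseline).items():
        print(f"{host}: {status} {seen or ''}")
```

A CHANGED result means the fingerprint stored for that LDAP server needs to be fetched again and verified with whoever owns the AD certificates before it is accepted.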

