A month ago I shared some of our plans for 2016 and mentioned that I’d be speaking with our customers, asking them a few questions. The survey was very successful in my opinion – I spoke with dozens of customers for 30 minutes each and asked them 14 different questions. I would like to thank all of the survey participants for enduring my questions and sharing their honest feedback.
This document describes the configuration of a Check Point appliance as a DAIP gateway (a gateway with a Dynamically Assigned IP address) that connects to the Internet through a USB 3G modem. Because Check Point 2012 appliances do not support USB modems, an additional router is used that accepts a USB 3G modem and presents the uplink on an RJ-45 Ethernet port.
What is specific to this setup is the router's Hide NAT: the DAIP gateway sits behind it on a private IP address, so the Check Point SmartCenter cannot open a connection to the gateway's private address to push the policy and initiate a VPN connection.
This document is based on a Check Point 2200 appliance, a TP-LINK TL-MR3040 router (which supports a range of 3G and 4G modems) and a Teleofis RX301 R4 USB 3G modem. Other modems and routers can be used instead.
As the central gateway we use a virtual machine running Check Point R77.30, named «DK-CPSG». Its external interface is connected to the Internet and has a public IP address; two internal interfaces connect to a management network (192.168.48.0/24) and a test segment (192.168.114.0/24).
Welcome to 2016! By now you’ve probably read all of the vendors’ “predictions” for 2016, are done with the holiday celebrations and are ready to implement your New Year’s resolutions. For me, starting a new year always brings excitement with it – thinking about everything we can achieve. It is like standing in front of freshly cut grass before a soccer game: The smell in the air, how clean the grounds are and the potential for big things to happen.
At indeni, we have great plans for 2016, which I will detail below. But first, let’s look back at 2015:
“If you are bad at IT, you’re going to be really bad at virtualization.”
— Steve Chambers
Foreword by indeni:
Though scalable and functional, virtualization has not yet stood the test of time, and until it is fully adopted across the market it inherently reduces visibility: the catch-22 of technology adoption. Even the best IT professionals are going to struggle with the implications of this market shift.
Is your Check Point firewall connected to your core internal router on a dedicated VLAN/segment with no other systems present? In other words, is your firewall connected to your core internal router over a transit network used solely to forward traffic between the firewall and the core router, like this:
Figure 3-4: A Private Firewall-Core Transit Network
Or do you have something like this:
Figure 3-5: Non-private Transit Network between Firewall and Core Router
This release includes over 400 improvements to the underlying infrastructure and bug fixes, adds new content and expands our support for Palo Alto Networks firewalls. Please reach out to our support team to get the updated release.
IMPORTANT NOTE TO CHECK POINT USERS: Starting with 5.3, indeni no longer uses port 8181 to communicate with the firewall. Everything indeni previously did over port 8181 is now done over port 22, the standard SSH port.
NOTE: Customers who require support of a given product version prior to the main release can contact firstname.lastname@example.org and a running build will be provided.
Select new signatures:
Step by Step Guide: IPSec VPN Configuration
Between a PAN Firewall and Cisco ASA
This document is a step-by-step guide to configuring an IPSec VPN between a Palo Alto Networks firewall and a Cisco ASA. It assumes the Palo Alto Networks firewall has at least two interfaces in Layer 3 mode.
High Level Diagram:
IP schema specification:
Steps to be followed on Palo Alto Networks Firewall for IPSec VPN Configuration
Go to Network > Interfaces > Tunnel, create a new tunnel interface and assign the following parameters:
Virtual router: default
Please refer to this article if you need help configuring a virtual router on Palo Alto Networks.
Zone: (select the Layer 3 internal zone from which the traffic will originate)
Please refer to this article if you need help configuring a Layer 3 interface on Palo Alto Networks.
Note: if the tunnel interface is in a different zone from the zone where the traffic originates or terminates, a security policy rule is needed to allow traffic from the source zone to the zone containing the tunnel interface.
Configure IPSec Phase-1
Go to Network > Network Profiles > IKE Crypto and define the IKE Crypto (IKEv1 Phase-1) parameters.
(These parameters must match on the Cisco ASA firewall for the IKE Phase-1 negotiation to succeed.)
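The most common reason Phase-1 fails between these two vendors is not a typo but vocabulary: the ASA calls SHA-1 `sha`, AES-128 `aes` and DH group 2 `group 2`, while PAN-OS calls the same settings `sha1`, `aes-128-cbc` and `group2`. The script below is an added example, not part of the original guide: it translates each `crypto ikev1 policy` block from an ASA running-config into IKE Crypto Profile terms, tells you which ASA policy (if any) the PAN-OS profile will match, and flags settings that are weak by today's standards. The ASA text and the profile values are constructed for the example, and the profile name is an assumption.

```python
"""Added example, not part of the original guide: check that the IKEv1 Phase-1
parameters on the PAN-OS side match one of the Cisco ASA's 'crypto ikev1 policy'
blocks. The ASA text and the PAN-OS profile below are constructed inputs."""

# ASA IKEv1 policy keyword -> PAN-OS IKE Crypto Profile value.
ASA_TO_PAN = {
    "encryption": {"des": "des", "3des": "3des", "aes": "aes-128-cbc",
                   "aes-192": "aes-192-cbc", "aes-256": "aes-256-cbc"},
    "hash": {"md5": "md5", "sha": "sha1"},
    "group": {"1": "group1", "2": "group2", "5": "group5", "14": "group14"},
}

# Choices a new tunnel should avoid: single/triple DES, MD5 and 768/1024-bit DH.
WEAK = {"des", "3des", "md5", "group1", "group2"}

# Constructed ASA running-config fragment with two policies (ASA tries them in
# priority order and succeeds if any one matches the peer's proposal).
ASA_IKEV1_POLICIES = """\
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 20
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
"""

# Constructed PAN-OS profile mirroring the IKE Crypto Profile fields
# (DH Group, Authentication, Encryption, Key Lifetime). Name is assumed.
PAN_IKE_CRYPTO_PROFILE = {
    "name": "ike-phase1-asa",
    "dh_group": "group2",
    "authentication": "sha1",
    "encryption": "aes-256-cbc",
    "lifetime_seconds": 8 * 3600,   # PAN-OS default key lifetime is 8 hours
}


def parse_asa_ikev1_policies(text):
    """Parse every 'crypto ikev1 policy N' block into a dict of its settings."""
    policies = []
    for line in text.splitlines():
        if line.startswith("crypto ikev1 policy "):
            policies.append({"priority": int(line.split()[-1])})
        elif line.startswith(" ") and policies:
            key, _, value = line.strip().partition(" ")
            policies[-1][key] = value
    return policies


def asa_policy_to_pan(policy):
    """Express an ASA policy in PAN-OS terms; None if a keyword is not mapped."""
    try:
        return {
            "encryption": ASA_TO_PAN["encryption"][policy["encryption"]],
            "authentication": ASA_TO_PAN["hash"][policy["hash"]],
            "dh_group": ASA_TO_PAN["group"][policy["group"]],
            "lifetime_seconds": int(policy.get("lifetime", "86400")),
        }
    except KeyError:
        return None


def compare_phase1(pan, asa_text):
    """Return (priority of the first matching ASA policy or None, findings).

    Encryption, hash and DH group must be identical. A lifetime difference is
    reported separately: IKEv1 peers normally settle on the shorter value, so it
    does not by itself break the negotiation, but aligning it avoids surprises."""
    findings = []
    for policy in parse_asa_ikev1_policies(asa_text):
        translated = asa_policy_to_pan(policy)
        if translated is None:
            findings.append(f"policy {policy['priority']}: unmapped keyword, skipped")
            continue
        diffs = [f"{k}: ASA {translated[k]} vs PAN {pan[k]}"
                 for k in ("encryption", "authentication", "dh_group")
                 if translated[k] != pan[k]]
        if diffs:
            findings.append(f"policy {policy['priority']}: " + "; ".join(diffs))
            continue
        if translated["lifetime_seconds"] != pan["lifetime_seconds"]:
            findings.append(f"policy {policy['priority']}: lifetime ASA "
                            f"{translated['lifetime_seconds']}s vs PAN "
                            f"{pan['lifetime_seconds']}s (informational)")
        return policy["priority"], findings
    return None, findings


def weak_settings(pan):
    """List the PAN-OS profile values that are on the WEAK list."""
    return sorted(pan[k] for k in ("encryption", "authentication", "dh_group")
                  if pan[k] in WEAK)


if __name__ == "__main__":
    matched, notes = compare_phase1(PAN_IKE_CRYPTO_PROFILE, ASA_IKEV1_POLICIES)
    print("matching ASA policy:", matched)
    for note in notes:
        print(" -", note)
    print("weak settings on the PAN side:", weak_settings(PAN_IKE_CRYPTO_PROFILE))
```

Run against the constructed inputs it reports that ASA policy 10 matches, notes the 24-hour versus 8-hour lifetime, and flags `group2` as weak; raising the profile to `sha256`/`group14` then matches nothing on the ASA side until the ASA policy is updated as well, which is exactly the mismatch the guide warns about.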
UPDATE: The book is no longer offered by indeni. Please go to www.maxpowerfirewalls.com to purchase the book. Below is the original blog post as it appeared. You may also want to take a look at what indeni does for Check Point firewalls.
Our goal at indeni, since inception, was to share as much knowledge as we can with users around the world. Today we’re excited to announce that Timothy C. Hall’s most recent book, “Max Power: Check Point Firewall Performance Optimization”, is now being made available for free to certain Check Point users, at our cost!
Note: this offer is valid through Nov 15th, 2015 only.
The book, published last April, will help you get the maximum performance from your Check Point Firewall! This book takes you through discovery, analysis, and remediation of common performance issues on Check Point firewalls.
This October, we are hosting a few events across the east coast of the United States together with our partners. So, if you’re in the area, you are welcome to join:
- Atlanta, GA – Sayers, Check Point and indeni are taking you shooting. Event details…
- Boston, MA – Zensar, Check Point and indeni are challenging you with a puzzle. Event details…
- Buffalo, NY – Netanium, indeni and others are getting you drinks. Event details…
Looking forward to meeting you face to face!
Need to Export Check Point Logs Files Without Using Smartview Tracker? No Problem.
It may come as a surprise that some Check Point firewalls store their log files in a binary format, especially if you are used to analysing the logs in SmartView Tracker or simply have them forwarded to an OPSEC server. This poses a challenge for environments that do not want to invest in an additional logging server but still want to review the logs in a readable text format.
If you have the option and the licence, I highly recommend using SmartView Tracker. It is a terrific application with built-in functionality to search through multiple log files, analyse traffic and create custom filters. Below is a screenshot of the application in demo mode; as you can see, there is an assortment of information available at your fingertips.
If, however, SmartView Tracker is not available because of your setup or simply because of your preference, and a logging server is not an option, Check Point natively supports binary-to-text conversion with its fwm logexport command, which converts the binary log into a readable ASCII format.
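Once the log is in text form (for example `fwm logexport -i $FWDIR/log/fw.log -o fw.txt -d ';' -n -p`, where `-n` and `-p` skip DNS and port-name resolution so the values stay raw), the first line is a delimiter-separated header and every following line is one log record. The script below is an added example, not part of the original post: it parses that shape with the standard `csv` module and answers the questions you would otherwise ask SmartView Tracker, such as which sources are generating drops and which services they probed. The sample export is constructed for the example and uses only a handful of the columns a real export carries.

```python
"""Added example, not from the original post: read the text produced by
'fwm logexport' (header line + delimited records) and summarise it.
The export below is constructed for the example; real exports have many more
columns, but the header line names them so the parser does not need to know."""
import csv
import io
from collections import Counter

# Constructed sample shaped like: fwm logexport -i fw.log -o fw.txt -d ';' -n -p
SAMPLE_EXPORT = """\
num;date;time;orig;type;action;i/f_name;i/f_dir;src;s_port;dst;service;proto;rule
1;5Oct2015;10:01:02;fw-a;log;accept;eth1;inbound;192.168.114.10;51234;10.0.0.5;443;tcp;12
2;5Oct2015;10:01:05;fw-a;log;drop;eth0;inbound;203.0.113.7;40001;192.168.48.2;22;tcp;0
3;5Oct2015;10:01:06;fw-a;log;drop;eth0;inbound;203.0.113.7;40002;192.168.48.2;23;tcp;0
4;5Oct2015;10:01:09;fw-a;log;drop;eth0;inbound;203.0.113.7;40003;192.168.48.2;3389;tcp;0
5;5Oct2015;10:01:11;fw-a;log;accept;eth1;inbound;192.168.114.11;51300;10.0.0.5;80;tcp;12
6;5Oct2015;10:01:15;fw-a;log;drop;eth0;inbound;198.51.100.9;4444;192.168.48.2;22;tcp;0
"""


def parse_logexport(text, delimiter=";"):
    """Turn an fwm logexport text file into a list of dicts keyed by the header."""
    return list(csv.DictReader(io.StringIO(text), delimiter=delimiter))


def load_logexport(path, delimiter=";"):
    """Same as parse_logexport, but for a file written by fwm logexport -o."""
    with open(path, newline="") as fh:
        return list(csv.DictReader(fh, delimiter=delimiter))


def count_by(records, field, action=None):
    """Count records per value of `field`, optionally restricted to one action."""
    return Counter(r[field] for r in records
                   if action is None or r["action"] == action)


def drops_per_source(records):
    """How many drops each source IP produced."""
    return count_by(records, "src", action="drop")


def noisy_sources(records, threshold=3):
    """Sources with at least `threshold` drops, most active first: a cheap scan
    indicator on a gateway with no logging server."""
    return [src for src, n in drops_per_source(records).most_common()
            if n >= threshold]


def targeted_services(records, src):
    """Distinct destination services a source was dropped trying to reach."""
    return sorted({r["service"] for r in records
                   if r["src"] == src and r["action"] == "drop"})


if __name__ == "__main__":
    recs = parse_logexport(SAMPLE_EXPORT)
    print("records:", len(recs), "actions:", dict(count_by(recs, "action")))
    for src in noisy_sources(recs):
        print(f"{src}: {drops_per_source(recs)[src]} drops, "
              f"services {targeted_services(recs, src)}")
```

Because the header names the columns, the same functions work on a full export produced with a different `-d` delimiter as long as you pass it to `load_logexport`; keep `-n` and `-p` in the export command if you plan to compare against raw addresses and port numbers as this example does.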