What We’ve Learned From Speaking With Our Customers

A month ago I shared some of our plans for 2016 and mentioned that I’d be speaking with our customers, asking them a few questions. The survey was very successful in my opinion – I spoke with dozens of customers for 30 minutes each and asked them 14 different questions. I would like to thank all of the survey participants for enduring my questions and sharing their honest feedback.

Continue reading

How to Configure a VPN for DAIP Gateway Connected to Internet Using USB 3G-Modem

INTRODUCTION

This document describes the specific configuration of a Check Point appliance as a DAIP gateway (a gateway with a Dynamically Assigned IP Address) that connects to the Internet using a USB 3G modem. As Check Point 2012 appliances do not support USB modems, an additional router is used that supports USB 3G modems and converts them to an RJ-45 Ethernet connection.

Specific to this configuration is an additional Hide NAT, which prevents the Check Point Smart Center from connecting to the private IP address of the DAIP gateway in order to push the configuration and initiate the VPN connection.

This document is based on a Check Point 2200 appliance, a TP-LINK TL-MR3040 router (which supports various 3G and 4G modems) and a Teleofis RX301 R4 USB 3G modem. Other modems and routers can be used instead.

LAB CONFIGURATION

As a central gateway we use a virtual machine with the Check Point version R77.30. Its name is «DK-CPSG». The external interface is connected to the Internet and has a public IP address. There are also two internal interfaces to a management network (192.168.48.0/24) and a test segment (192.168.114.0/24).

Continue reading

2016: A Year Of New Opportunities

Welcome to 2016! By now you’ve probably read all of the vendors’ “predictions” for 2016, are done with the holiday celebrations and are ready to implement your New Year’s resolutions. For me, starting a new year always brings excitement with it – thinking about everything we can achieve. It is like standing in front of freshly cut grass before a soccer game: The smell in the air, how clean the grounds are and the potential for big things to happen.

At indeni, we have great plans for 2016, which I will detail below. But first, let’s look back at 2015:

Continue reading

Using cURL to Monitor Check Point VSX Firewalls

“If you are bad at IT, you’re going to be really bad at virtualization.”
Steve Chambers

Foreword by indeni:

Though scalable and functional, virtualization hasn’t yet stood the test of time and inherently results in decreased visibility until it is fully socialized within the marketplace – the catch-22 of technology adoption. Even the best IT professionals are going to struggle with the implications of this market shift.

Continue reading

Check Point Firewall Guide Performance Optimization: The Dual Default Gateway Problem

Is your Check Point Firewall connected to your core internal router on a dedicated VLAN/segment with no other systems present? In other words, is your firewall connected to your core internal router with a transit network used solely to forward traffic between the firewall and core router like this:


Figure 3-4: A Private Firewall- Core Transit Network

Or do you have something like this:


Figure 3-5: Non-private Transit Network between Firewall and Core Router

Continue reading

Announcing indeni 5.3: more than 400 improvements!


Welcome 5.3!

In this release we’ve included over 400 improvements to the underlying infrastructure and bugfixes, added new content and expanded our Palo Alto Networks firewalls’ support. Please reach out to our support team to get the updated release.

IMPORTANT NOTE TO CHECK POINT USERS: Starting with 5.3, indeni no longer uses port 8181 to communicate with the firewall. The advantages of using port 8181 prior to 5.3 are now built into the use of port 22, the standard SSH port.

NOTE: Customers who require support of a given product version prior to the main release can contact support@indeni.com and a running build will be provided.

Select new signatures: Continue reading

How To Do an IPSec VPN Configuration Between PAN Firewall and Cisco ASA

Step by Step Guide: IPSec VPN Configuration

Between a PAN Firewall and Cisco ASA

Overview:

This document is a step-by-step guide to configuring an IPSec VPN and assumes the Palo Alto Networks firewall has at least two interfaces in Layer 3 mode.

High Level Diagram:

IP schema specification:

Steps to be followed on Palo Alto Networks Firewall for IPSec VPN Configuration

Go to Network > Tunnel Interface to create a new tunnel interface and assign the following parameters:

Name: tunnel.1
Virtual router: default
Please refer to this article if you need help configuring a Virtual Router on Palo Alto Networks firewalls.

Zone: (select the layer 3 internal zone from which the traffic will originate)
Please refer to this article if you need help configuring a Layer 3 interface on Palo Alto Networks firewalls.

Note: If the tunnel interface is in a zone different from the zone where the traffic will originate or depart, then a policy will need to be created to allow the traffic to flow from the source zone to the zone containing the tunnel interface.

Configure IPSec Phase 1

Go to Network > Network Profiles > IKE Crypto Profile and define the IKE Crypto (IKEv1 Phase-1) parameters.
(These parameters must match on the Cisco ASA firewall for the IKE Phase-1 negotiation to succeed.)

Continue reading

Best Book Firewall Performance and Optimization


UPDATE: The book is no longer offered by indeni. Please go to www.maxpowerfirewalls.com to purchase the book. Below is the original blog post as it appeared. You may also want to take a look at what indeni does for Check Point firewalls.


Our goal at indeni, since inception, was to share as much knowledge as we can with users around the world. Today we’re excited to announce that Timothy C. Hall’s most recent book, “Max Power: Check Point Firewall Performance Optimization”, is now being made available for free to certain Check Point users, at our cost!

Note: this offer is valid through Nov 15th, 2015 only.

The book, published last April, will help you get the maximum performance from your Check Point Firewall! This book takes you through discovery, analysis, and remediation of common performance issues on Check Point firewalls.

Continue reading

Meet indeni in October

This October, we are hosting a few events across the east coast of the United States together with our partners. So, if you’re in the area, you are welcome to join:

  • Atlanta, GA – Sayers, Check Point and indeni are taking you shooting. Event details…
  • Boston, MA – Zensar, Check Point and indeni are challenging you with a puzzle. Event details…
  • Buffalo, NY – Netanium, indeni and others are getting you drinks. Event details… 

Looking forward to meeting you face to face!

How to Export Check Point Log Files into a Readable Format Without Using Smartview Tracker

Exporting Check Point Log Files without Using Smartview Tracker.

Need to Export Check Point Log Files Without Using Smartview Tracker? No Problem.

It may come as a surprise that some Check Point firewalls store log files in a binary format, especially if you’re used to analyzing the logs with Smartview Tracker or simply have the logs forwarded to an OPSEC server. This poses a unique challenge for environments that don’t want to invest in an additional logging server but still need to review the logs in a readable text format.

If you have the option and the license, I highly recommend using Smartview Tracker. It’s a terrific application with built-in functionality to search through multiple log files, analyze traffic and create custom filters. Below is a screenshot of the application in Demo Mode; as you can see, there’s an assortment of information available at your fingertips.

If, however, Smartview Tracker isn’t available because of your setup or simply because of your preference, and a logging server is not an option, Check Point natively supports binary-to-text conversion with its fwm logexport command. The fwm logexport command converts the binary-formatted log into a readable ASCII format.

Continue reading