How Customers Use Check Point Firewalls Around the Globe

To conduct in-depth analysis of configuration and statistics on network devices, we collect very large amounts of data. For our customers, this data is very useful for benchmarking their network against other networks around the world. We call this service indeni Insight.

Below is an aggregation of some of the data we’ve collected through this service. We are providing it to help the wider community consider how their network behaves as well as their future plans.

If you are interested in benchmarking your own network within an hour’s work, try indeni today. Once the system is set up reach out to and we’ll do everything else.

Announcing indeni 5.4: New rule engine, Check Point 61000/41000 support

Welcome 5.4!

In this release we’ve included phase one of our infrastructure operations platform and added new content as well as Check Point 41k/61k support. In addition, specific feature requests and bugfixes were included. Please reach out to our support team to get the updated release.

IMPORTANT NOTE TO ALL USERS: Starting with 5.4, the licensing mechanism is attached to the indeni instance’s unique identifier (uid) and not the IP address. This allows customers to not only change the IP of their indeni instance, but also set up cold active/standby high-availability in case the primary indeni instance is down or is cut off from the network. To set up cold active/standby, please reach out to our support team.

New content: Continue reading

Announcing the future of infrastructure health

Today I’m excited to announce our platform for infrastructure health. Before I go into what we’ve just done, let me explain why.

What’s the current status of infrastructure health?

What exactly is broken in infrastructure operations? Why are enterprises around the world still grappling with downtime?

Our research, as well as that of others, points to the human element. Over 70% of all outages are caused by human error. This is baffling – the people responsible for running the infrastructure are some of the smartest people out there. I meet them regularly; they know their job well. Many of them have a decade or more of experience in what they do. Still, mistakes occur. Why is that?

Continue reading

Why does infrastructure operations still suck?

Last Friday, I met with an individual who leads a 300-person team, responsible for running the networking and computing infrastructure in 50 data centers around the globe. I asked him what he thought of his OSS stack – the set of tools his team uses to stay on top of what’s going on in their infrastructure.

He hates it.

As I want to keep this blog post PG-rated, I’ll refrain from using his adjectives, but I can tell you he’s not happy with it. It’s a clobber of open source and commercial tools. The tools required a lot of customization and a variety of extensions written over the years. At the end of the day, though, it only gives him up/down monitoring and no ability to proactively avoid the next outage. Over 70% of outages occur due to human error and misconfigurations and the tools available to him are incapable of identifying even one percent of that.

Continue reading

What We’ve Learned From Speaking With Our Customers

A month ago I shared some of our plans for 2016 and mentioned that I’d be speaking with our customers, asking them a few questions. The survey was very successful in my opinion – I spoke with dozens of customers for 30 minutes each and asked them 14 different questions. I would like to thank all of the survey participants for enduring my questions and sharing their honest feedback.

Continue reading

How to Configure a VPN for DAIP Gateway Connected to Internet Using USB 3G-Modem


This document describes how to configure a Check Point appliance as a DAIP (Dynamically Assigned IP address) gateway that connects to the Internet through a USB 3G modem. Because Check Point 2012 appliances do not support USB modems, an additional router that supports USB 3G modems is used to convert the connection to RJ-45.

Specific to this configuration is an additional Hide NAT, which prevents the Check Point Smart Center from connecting to the private IP address of the DAIP gateway to send the configuration and initiate a VPN connection.

This document is based on a Check Point 2200 appliance, a TP-LINK TL-MR 3040 router (which supports various 3G and 4G modems), and a Teleofis RX301 R4 USB 3G modem. Other modems and routers can be used freely.


As a central gateway we use a virtual machine with the Check Point version R77.30. Its name is «DK-CPSG». The external interface is connected to the Internet and has a public IP address. There are also two internal interfaces to a management network ( and a test segment (

Continue reading

2016: A Year Of New Opportunities

Welcome to 2016! By now you’ve probably read all of the vendors’ “predictions” for 2016, are done with the holiday celebrations and are ready to implement your New Year’s resolutions. For me, starting a new year always brings excitement with it – thinking about everything we can achieve. It is like standing in front of freshly cut grass before a soccer game: The smell in the air, how clean the grounds are and the potential for big things to happen.

At indeni, we have great plans for 2016, which I will detail below. But first, let’s look back at 2015:

Continue reading

Using cURL to Monitor Check Point VSX Firewalls

“If you are bad at IT, you’re going to be really bad at virtualization.”
Steve Chambers

Foreword by indeni:

Though scalable and functional, virtualization hasn’t yet stood the test of time and innately results in decreased visibility until fully socialized within the marketplace – the catch twenty-two of technology adoption. Even the best of IT professionals are going to struggle with the implications of this market shift.

Continue reading

Check Point Firewall Guide Performance Optimization: The Dual Default Gateway Problem

Is your Check Point Firewall connected to your core internal router on a dedicated VLAN/segment with no other systems present? In other words, is your firewall connected to your core internal router with a transit network used solely to forward traffic between the firewall and core router like this:


Figure 3-4: A Private Firewall-Core Transit Network

Or do you have something like this:


Figure 3-5: Non-private Transit Network between Firewall and Core Router

Continue reading

Announcing indeni 5.3: more than 400 improvements!


Welcome 5.3!

In this release we’ve included over 400 improvements to the underlying infrastructure and bugfixes, added new content and expanded our Palo Alto Networks firewalls’ support. Please reach out to our support team to get the updated release.

IMPORTANT NOTE TO CHECK POINT USERS: Starting with 5.3, indeni no longer uses port 8181 to communicate with the firewall. The advantages of using port 8181 prior to 5.3 are now built into the use of port 22, the standard SSH port.

NOTE: Customers who require support of a given product version prior to the main release can contact and a running build will be provided.

Select new signatures: Continue reading