Checkpoint Firewalls - *grrrrr*

WANg

So, just out of counting hands - how many of us support Checkpoint firewall/network appliances at $dayjob, and how many of us actually enjoy / trust using them?

I don't have a very high opinion of them. Does anyone share my sentiments?
 
blog.azureinfra.com
I have a 4400 at home, it was a leftover from somewhere.. but after struggling with it for days to get my internet connection stable enough I was like f-it.. finally, through some people I know (as their support, manuals, forum - anything you would want to know - is behind a paid support front-door), I managed to find out the problem I had was actually in the OS version!

But without a support contract, you can forget about getting anything upgraded.. so I managed to get a trial version and deploy that on the firewall - which then was highly underpowered - so I managed to get some additional RAM in it so it at least could run it.. but very slowly with everything installed..

I ended up installing pfSense on the box, still okay-ish performance, but could not get the display to work.. and got so annoyed with the console, the way it works etc.. that I dumped it.. and went for a Juniper SRX340. That still happily runs with BGP over VPNs to Azure regions, backend switches etc etc (#yes all at home..)

I think the fact that all their manuals, tips & tricks, and everything you might want to know are behind a support contract is what annoys me the most.. I understand I can't get upgrades, I understand I can't call someone.. but why can't you have regular manuals on the web? Makes a trial very hard.. and all I wanted to test / write about was how to make a BGP VPN connection to Azure.
 

Marsh

My condolences.

I had a love and HATE :mad: relationship with Checkpoint software ( circa late 1990s ).

We used the firewall software to host Mega Internet company servers during the dot-com era.

The only good part was that no one in our group was willing to maintain a pair of HA firewall machines.
By default ( shit rolls downhill ), I "volunteered" to support it.
In just a few years, I cashed out my stock options; that was my last job.
 

WANg

Yeah, I obtained a 4400 from work, and it's been...challenging. My beef with the Checkpoint has always been that:
a) It doesn't seem to use any standard open source/well-established firewall tech underneath, and its methodology and practices are very much proprietary. For example, how does the clustering work underneath? How does it actually implement its firewall logic? Can you fully trust something that you don't understand 100%? One of the major traits of the IT industry is that you are often tossed into a fire face-first, and you are expected to learn and figure things out while you fight the fire...it's a bit like putting out a fire in a fire station while you are building it out. If the tech isn't straightforward or doesn't behave the way that you expect it to...is it worth your trust?

b) The steps to set one up are...kinda retarded.

For example, to get a Checkpoint cluster going you first have to install the right Checkpoint Gaia release (which involves picking whether you want clustering or not) onto each of the cluster members. Then you log into its web interface and configure it, but you'll need to manually define static routes (which usually means that your firewall is configured from the outside). Then you'll need to configure a WAN interface, a LAN interface and a sync interface. THEN, if you want to set up some of the more advanced features, you'll want to use the SmartConsole server, which might or might not be on the firewall itself, or on a server that sits within the LAN. So then you'll need to set up a SIC on each node member to talk to the SmartConsole server. And then you hope like hell that the sync interfaces are correct and the members start communicating with each other, and if they don't, you might have to reboot, set up the SIC again, re-create the trust relationship, and then hope that it syncs.

And then you set up the firewall cluster, define the interfaces, design the network/host/protocol objects and publish the policies.

To learn all of that I had to run face first into a wall multiple times just to "get" what needs to be done, which involved me wiping a cluster 7 times, each time running into its own pitfall - to build a cluster that inherits from an existing firewall policy took me 6 weeks, and at the end, it still doesn't work the way it's supposed to. At the end of the day, and dealing with an impending network infrastructure change, I tossed pfSense onto a T730 (later 2) and got what I needed working in less than 4 hours.

c) And then there's the licensing.

*ugh*. I need a license to do firewall clustering, I need a license to update the Gaia OS. I need a license to allow SSLVPN. I need a license to enable site-to-site VPN, I need a license to do this, I need a license to do that. Hell, I need a license to grab the imaging utility for the OS so it can be flashed into the network appliance.

So yeah, anyone else seriously not a fan of Checkpoint?