-
some ckp irritations
Over the last few years a few things have annoyed me about this. They seem to have carried over across versions and updates.
When doing a search on time and date, sometimes it'll never complete.
When jumping to the bottom of the active log it will time out (grrr, happens often) and give the pop-up "this has taken longer than expected..."
When the log window hangs or takes a long time, once in a while the main GUI window will unload in the background.
The system has enough RAM, swap and CPU etc. Engine on Solaris.
Mgmt console on NT or Solaris, seems no different.
Anyone else (experienced in ckp) want to add to these or comment?
-
I'll add that if one adds a host over the license for a small site, ckp gets punchy and the "contact your rep" message comes up. :-(
-
I have experienced similar issues, but only when the mgmt console is running on NT/2000. There are many issues with logging that NG is supposed to take care of. I have never had any of these problems on Solaris, but perhaps etsh911 can comment further, as he has seen and/or heard of just about every CP problem possible.
-
Well, provide me with more information and I might be able to help...
"When jumping to the bottom of the active log it will time out (grrr, happens often) and give the pop-up 'this has taken longer than expected...'"
AFAIK, that issue has arisen on a lot of management consoles on NT <didn't get such a thing on Solaris before>.
I suspect that it is a memory problem; CP is <as is any other app> a memory hog. But that doesn't mean that it will use all the free memory space that it has...
On a default install, CP only uses 10 Megs of RAM <from 64 Megs to 256 Megs>; you can change this behaviour and assign a real amount of memory using the fwhmem command.
Provide us with more info and I think that me and invictus can find a solution to your issues...
etsh911
-
OK, thanks guys. I have changed out the memory for all new chips and had the motherboard etc. checked as well by our Sun VAR in case it was a HW problem. Added an extra HDD for more space, but there is still lots on the "old" one. Koffed the Microsoft consoles.
Now on the Solaris console, even after a reboot (usually blowing out fragged stuff), the logger still times out when reading. Just to see if I was nuts, I waited for zero traffic through the box and still the logger updating mechanism is iffy.
It's ck41 (2000) and, obviously, someone is going to recommend upping to NG.
I do believe it is a bug within CP. Tell me more about that command to force-assign memory to the CP engine.
-
Well, the time for editing expired, so a new post. It seems to happen upon the first instance of the logger opening and not so much after you close it and reopen.
etsh911 - ideas?
-
Sorry for my late reply,
Phoneboy has discussed the fwhmem command at http://www.phoneboy.com/faq/0088.html .
It should help with the first part.
About your log viewer,
Try using the 'fw log' command from the console to limit your searches and use the '>' shell operator to redirect output to a file, then load the specific search entries from the GUI.
That *should* help.
The problem is that CP always has problems in its reporting module and the log viewer.
Tell me if this helps,
Also, try to check Phoneboy's section on 'Logging and Alerting' at http://www.phoneboy.com/search/wwwwa...q+and+logalert .
Hope this helps,
etsh911
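The workaround above (dump the log with 'fw log' on the console, cut it down with shell tools, and only then open the small result in the GUI) as an added example; this script is not from the thread or from Check Point. It assumes 'fw log -n' (no name resolution) prints one record per line with the time stamp HH:MM:SS as the first field and the action (accept/drop/reject) as the second, which is how the 4.1 text output looks; the sample records are constructed for the example and the awk field numbers should be checked against your own version's output.

```shell
#!/bin/sh
# Added example (not from the thread or Check Point): pre-filter 'fw log'
# text output on the console so the GUI log viewer only has to open a small
# file. Assumption: 'fw log -n' prints one record per line, first field is the
# time HH:MM:SS, second field is the action. Adjust $1/$2 below if yours differs.
#
# Typical use on the management station (the slow part runs once):
#   fw log -n > /var/tmp/fw-today.log
#   extract_log_window /var/tmp/fw-today.log 14:00:00 14:05:00 > /var/tmp/fw-14h.log
#   extract_log_action /var/tmp/fw-14h.log drop > /var/tmp/fw-14h-drops.log
# then point the GUI at the small file instead of scrolling the active log.

# Print records whose time stamp falls inside [start, end] (HH:MM:SS, inclusive).
# Zero-padded HH:MM:SS compares correctly as a string, so no time parsing is needed.
extract_log_window() {
  awk -v start="$2" -v end="$3" '
    # only records that start with a time stamp; "Date:" header lines are skipped
    /^[0-9][0-9]:[0-9][0-9]:[0-9][0-9]/ && $1 >= start && $1 <= end
  ' "$1"
}

# Print records whose action field (second column) equals the wanted action.
extract_log_action() {
  awk -v want="$2" '$2 == want' "$1"
}

# Count records in a time window; a quick sanity check before opening the GUI.
count_log_window() {
  extract_log_window "$@" | wc -l | tr -d ' '
}

# Write a constructed sample file in the style of 'fw log' text output.
# These records are made up for the example; addresses are documentation ranges.
write_sample_log() {
  cat > "$1" <<'EOF'
Date: Jan 15, 2002
13:59:58 accept fw1 >le0 proto tcp src 10.1.1.20 dst 192.0.2.10 service http s_port 1034 len 48 rule 5
14:00:00 drop fw1 <le1 proto tcp src 198.51.100.7 dst 10.1.1.5 service telnet s_port 40211 len 60 rule 12
14:02:31 accept fw1 >le0 proto udp src 10.1.1.21 dst 192.0.2.53 service domain-udp s_port 1201 len 73 rule 3
14:05:00 reject fw1 <le1 proto tcp src 203.0.113.9 dst 10.1.1.5 service smtp s_port 51000 len 60 rule 12
14:05:01 accept fw1 >le0 proto tcp src 10.1.1.22 dst 192.0.2.10 service https s_port 1100 len 48 rule 5
EOF
}

# Stand-alone demonstration on the constructed sample.
demo_full=$(mktemp)
demo_window=$(mktemp)
write_sample_log "$demo_full"
extract_log_window "$demo_full" 14:00:00 14:05:00 > "$demo_window"
echo "records between 14:00:00 and 14:05:00: $(count_log_window "$demo_full" 14:00:00 14:05:00)"
echo "drops in that window:"
extract_log_action "$demo_window" drop
rm -f "$demo_full" "$demo_window"
```

The two-step layout matters for the problem described in the thread: the expensive read of the whole log happens once, non-interactively, and the GUI is only ever asked to open a file that is already cut down to the window of interest.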
-
Thanks etsh911. I'll post anything out of the ordinary once I try it.
-
Well, the hell with ckp 41. :(
I'm going to upgrade to ng.
-
Really. Actually, if I could get some money from these tight-fisted *&@# that run the corp then I would try something else. Like maybe SunScreen, but where I am right now it's overcast. :)
-
Hmm, would someone name a *good* reason why NOT to run CP, or to run SunScreen in its favour? Your discussions seem pretty weird, and anyone that has been in the FW industry and has learnt CP in a correct manner knows that no other product could compete, be it PIX, Raptor, Gauntlet or even StoneSoft's StoneGate..
Name something serious and I'll find a way to access SunScreen; I bet it won't compete with CP, as usual...
SOMETHING SERIOUS...
etsh911
-
How about this good reason: I don't like it. I don't think it's as good as Sunscreen.
As for the rest of your post, it doesn't make sense. Are you trying to say that if you don't run CP, you don't know what you are doing? Please.
-
Wow! You don't like it. Man, I wonder how that didn't become an industry standard...
What on earth do you mean by "you don't like it"? If SunScreen has something to offer then name it, and show everyone on this forum how great your SunScreen and your knowledge are.
I have previously demonstrated points that make CP excel over other FWs on this forum, and ANYONE on the fw1-wiz list knows that I know my ****..
etsh911
-
Sunscreen offers stealth mode. In other words, it runs in bridged mode, no IP stack to speak of. Now, how useful do you think a firewall with non-IP interfaces is?
(*hint*very useful*hint*)
Keep in mind I'm a user and not a high and mighty developer, such as yourself, so forgive my ignorance. But I believe this is a major difference between the two. As far as I know CP doesn't offer that capability. Or does it?
-
etsh911 - I don't see how you have taken offense in this matter. I am upgrading from 41 to NG, which, of course, is still ckp. I don't know why my discussions are weird - I've been with ckp for 3+ years and if there are some things that are annoying about it I'll say so. The product is still good, I just think PIX might be better. Our company runs at least all of the popular FWs and there is good and bad with each one.
-
I joined this site hoping to gain some insight into CPfw and security. I'm new to this whole thing, so I hope you'll excuse me for getting into this discussion. I am a backup FW admin on a CPfw 4.1 SP-1 and have been having a lot of trouble with AOL mail. Yeah, I know, but what doctors want, doctors get. Anyway, users can log into AOL at the home page successfully, but when they attempt to access their mail the "Detect Network Settings" dialog in IE comes up. This happens on 4.0 SP2 through 6.0. I'm not seeing anything being blocked or otherwise not connected in the fw log. AOL is of course of no help and CP, well, is CP. Anybody seen this? It's only been affecting us for 4-6 weeks.
-
Not to ignore you imchaser, but I'd like to think etsh911 will come back and show me what's what, you know? This is the second time I've brought up valid points and I have yet to see an intelligent response from him. So? You called me out, with the insults and such, and now where are you? Hmmmm..
-
KorpDeath:
Please forgive my ignorance, as I am also a CP and PIX guy... I have never really done much with Sunscreen.
I am just wondering how a firewall works in stealth mode... you obviously can't keep state if there is no TCP/IP, right? Also, what about NAT, how would that work... I am assuming you would have to do it on your router..
I have heard of IDS being able to run in stealth because it is only passively inspecting traffic, but I never knew you could or would want to do this with your FW. I would also think that it would make centralized management almost impossible unless you have an interface with an IP stack bound to it on a management LAN (which is what I am assuming you do).
Most importantly, how would the firewall filter at layer 3 and 4 (like a normal FW does) without an IP stack bound to the interface? Bridging is done at layer 2...
Again, I am just asking questions because I have never used it and do not know... but I would like to learn more.
-
Well. It does have a state table. It's all about the drivers.
If you are running the firewall in stealth mode you shouldn't use it to NAT. It will work but the performance will be slow.
As for management, it uses SKIP.
-
KD,
So, not being a board regular makes me wrong from your point of view..
I'll just add a few lines to what invictus said...
First, any system without an IP stack won't be able to communicate with ANYTHING unless designed to create replies by itself <i.e. emulating an IP stack>, which isn't a correct approach from a system design point of view. Although it saves the system from most IP packet attacks, it's considered such a memory-hungry solution that it isn't worth it..
And if you wanted it for CP, you should ask Nokia to provide it and not CP; CP runs on any OS, which might include any system that runs a specific network-related app, which leads to my next point...
What about content security? How would your stealth-mode technology get to send packets to <for example> my UFP server? CVP? Anyone familiar with CVP knows that it could protect from viruses travelling the network in a lot of protocols, and not just those on mail servers...
OK, invictus said that without an IP stack management would be impossible; it depends on the type of management. Does Sunscreen offer a solution to manage multiple FWs from one box, or something like Provider-1?
Also, what sort of HA and FO schemes do such boxes provide? Any box doing HA while bound to an IP address takes around 100ms to get the info to the other box and another 55ms to add the changes, that means a total of ~155ms. Would you tell me how fast it is to do HA without an IP stack bound to an interface, plus the time needed to generate the replies?
Another valid point is authentication. How would it do auth? Most <if not all> auths need to talk to the FW through something; without an IP stack such communications would have to be done through Unix pipes <or some gay socket programming>, so how would you be able to auth? And to what degree does auth state sync work on the Sunscreen?
Last point,
Don't VPN connections need to interact with an IP stack? A FW that does the encryption and decryption is one that takes more load than it needs..
OK, this is about it for the SunScreen; let's see why I prefer CP..
1) INSPECT, I've seen a lot of people get magic done with it..
2) The OPSEC alliance, provides you with nearly everything you need
3) Centralized management & an award-winning GUI, doesn't need explanation
4) IPSO, I'd really like to see an OS scale to routing purposes as IPSO does; anyone that has used it knows what I mean..
5) Support, logic, easy configuration for basic tasks and differentiation of tasks as in control.map...
So, am I wrong? Correct me, and please note those *valid* points that you say you made before I ran away from answering <probably 'cuz I chickened>...
etsh911
-
Hmm, if I had to do NAT from another box just 'cuz of 'Stealth Mode Technology' then **** it; I bought a FW to become a border gateway to my network and not because it has a technology that isn't anywhere else..
OK, so would you tell us how it does SKIP without having an actual IP stack bound to an interface? And BTW, SKIP *was* a great technology at one time and I'd really like to see it survive IKE, especially as IKE has become a standard in IPv6..
Another note,
A lot of people claim they understand state. Would you show me a state table dump for one of your own created tables that actually works by tracking more than src, sport, dst, dport, ip_p? I've posted a lot before to fw1-related lists about maintaining state for SYN and ACK bits.
Just remembered, CP does load balancing for logical servers; does Sunscreen do it? And to which degree? Plus, could Sunscreen be used to understand the underlying protocols so as to not allow SMTP traffic to go through port 80, in a manner similar to that of a proxy?
bleh,
etsh911
-
Gold eagle,
I didn't mean you by the weird conversations part.
And i*, I'm not familiar with AOL, yet if you provide some more info, I could help...
Waiting for a reply...
etsh911
-
Wow. Do you have no clue or what? Maybe it's the bad English, but you make no sense.
You asked what Sunscreen has to offer that CP doesn't, so I answer and you come back with more developer crap (we've been over this one already). I already answered the question about auth and all that so......go look.
You obviously have no idea of what Sunscreen is all about and you aren't about to go read, so I'll end this thread before it turns into a flame session.
As always, it's been a pleasure arguing with you about CP and Sunscreen. I still say Sunscreen is better, and you haven't given me any reason to look at CP.
-
And I replied..
If Sunscreen is selling because of its 'Stealth mode tech' then to hell with Sunscreen; a useless technology isn't an advantage nor a disadvantage, it's a SHITLOAD....
And I haven't been shitting about developer crap; all of what I said were valid points to ANY CP admin working on a good site <invictus, what do you think?> and I haven't seen your reply to my auth Q anywhere. Would you mind linking me, and also linking to your valid points that I chickened after?
Also, if all of what I named isn't considered a good reason to look at CP, then just name whatever you want to see, tell us your fantasies and I'll call the responsible parties..
NOT KIDDING,
Just tell me what does CP miss/need to become a better FW...
etsh911
Oh, and BTW, state tables go into kernel space and have nothing to do with drivers, regardless of the OS and type...
-
Like I said earlier... I do not know much about Sunscreen, so I have no basis for my argument.
However, I do work with Checkpoint and I agree with etsh911's arguments because everything he said is right. I do know for a fact that Checkpoint provides me with all the functionality that I need and then some, so personally I couldn't see why I would need something else.
Again... I do not know about a 'stealth' firewall because I cannot see it really providing anything useful. (I would still like to learn how it works though... curiosity is getting the best of me.) I was also going to make the point about content security and VPNs, because it would be impossible without an IP stack, especially if your FW was your VPN endpoint.
I do have to mention that it has been quite some time since I have found a good thread to respond to on the forums, and this one is just plain fun.
It is kinda funny how every exciting argument I have seems to be with KorpDeath ;)
Everyone is entitled to their opinion and who is really to say what is right and what is wrong. Different solutions work in different environments. I obviously have a biased opinion as does etsh911 because CP is our product of choice, but that does not necessarily mean Sunscreen is bad. CP is just better....;)
-
I don't really care what CP is missing. I don't use the product. I understand your point of view, but you aren't concerned with what I am concerned with, so this discussion is moot.
And auth is done with SKIP keys. VPN is also done with SKIP but I don't use my firewall to do VPN because I have an appliance for that which works great.
Thanks for the conversation.
-
I wouldn't mind re-entering my own thread - I think some of what you guys say is really interesting. etsh911 - I don't know CP like you do, but what you say sounds right. iNViCTuS, you are way beyond me in this and I am curious now who is right (or maybe you all are, in a way). KD - now I would like to see that stealth FW; how much does it cost? Maybe I can get one in to play with. I'm going to Sun's site to see.
I think I am somewhat out of my depth here so I'm not gonna argue details with you guys.
-
Hi MRWALL, I don't see any other conversations about AOL, so I'll assume you are directing the "more information" request to me, I hope. Where should I start, internal network or CPFW config?
-
Quote:
Originally posted here by gold eagle
KD - now I would like to see that stealth fw, how much does it cost? Maybe I can get one in to play with. I'm going to sun's site to see.
Unfortunately you will probably not be able to find anything because Sun has announced an End-of-Life for Sunscreen :(
-
iNViCTuS - I do remember you said that in another post, but looking at Sun's site right now I see that SunScreen 3.2 will be packaged with Solaris 9, which, of course, is not even released yet. It has been packaged with Solaris 8 Trusted already. I don't see the EOL part. Do you have a link? Quote: "Sun has focused future efforts beyond SunScreen 3.2 towards more fully integrating stateful packet filtering into Solaris rather than producing separate layered firewall products. This Solaris feature is still under development." Is this what you mean? If so, they are building it into future Solaris releases.
-
Actually, I heard it from a couple of Sun employees a week or so ago. I have also heard from several other people that this is true, but I too have not been able to find it on their site.
I'm sure KD can verify this though, because he also told me the same thing.
-
That's what I've been waiting for. So Sunscreen built into Sol 9. All I can say is SWEET!!!!