31. Rulebase cleanup of large Cisco rulebase (approx 10,000 rules), migration to Check Point and P1 upgrade for leading UK Communications and Entertainment Business
58. NGX Eventia Suite December 2010 http://www.checkpoint.com/services/lifecycle/support-periods.html
60. Old UTM-1 appliances 450, 1050 and 2050 have end of engineering support and end of support dates (successor products available) http://www.checkpoint.com/services/lifecycle/appliance-support.html
63. Save up to 25% off new Check Point IP appliances
64. All traded in Nokia’s & new IP appliances ship with 1 year IPS subscription
123. Blade licensing for UTM-1 appliances. The UTM-1 series appliances ship with two major SB options. UTM-1 xxx2 & 3 (includes mgmt for itself/cluster) UTM-1 xxx2 & 3 Software Container IPS FW VPN
137. Gateway Software Container SKU: CPSG-P805 Number of Gateway Software Blades Security Management Unlimited Sites Number of Management Software Blades Security Gateway Number CPU Cores
Technically focused event largely based on experiences. Lot of information – all presentations will be available online by the end of the event, do ask questions particularly in informal clinics (designed to be more interactive). Realise a number of you are existing customers however wanted to provide a little information about us, our history of Nebulas working with Check Point, some of work we do and have done. Skills in CP solutions.
(slow) Main reason for the event – R65 going end of life but also huge number of options now exist, both software and hardware, for customers. No simple solution that fits everyone – depends on the hardware you have and features or functionality you want to use. When I was heavily involved in CP consultancy 4 or so years ago, if you understood the import upgrade utilities that was fine. With the advent of software blades and a rapidly expanding portfolio as a result of numerous acquisitions this is certainly no longer the case.
Nebulas Security were founded in 2001, Check Point partner since 2001. 12 engineers: 7 consulting and 5 in support, well over CCSP requirements. Have 5 of my consultants here today plus David and Mark from Check Point and Darren from distribution so a perfect time to answer any questions. All of us will be around throughout the morning and for lunch.
Check Point Certified Support Partner. Good relationships within the channel for escalation.
Invited to join 2 years ago. VE – significant amount of testing with the VE product (hypervisor integrated firewall). Inter-VM traffic inspection. Abra – built in SanDisk technology, previously a SanDisk partner so understand technology + virtualisation skills e.g. around ThinApp. Application Control blade – clinic later this morning, ability to control based on application rather than just port. Just entering EA now.
Rulebase cleanup and firewall consolidation using a combination of Tufin and Nebulas custom scripts (750 rules reduced to 300, no errors). Flow analysis using Sourcefire RNA for hardware consolidation from 20 to 2 mission critical/market data firewall pairs (FTSE 100 Finance Broker). From Cisco/Juniper to Check Point. Cleanup of Cisco rulebase (10,000 rules) and migration to Check Point using CP confwiz. Large Provider-1 upgrade and migration (Leading UK and Entertainment Business). 6.0/R7x upgrades – Tim Kirk (one of our senior CP consultants) will provide some of his knowledge gained.
Previous projects on rulebase analysis – work with Tufin. Tufin – been working with for a few years, offer both hosted and on-site assessment service (for those that need). One of a number of rulebase analysis/compliance solutions. Only requires an OPSEC object to be created on SmartCenter and policy pushed. Logs are analysed in our datacenter. Considerations around logging. Priced per firewall + small charge for setup and report generation, doesn’t matter if you have 10 or 10,000 rules – charge is the same. We have to pay for use of Tufin licenses. Purposefully kept costs low in order to encourage usage of the service – helps us and our support teams too.
Rule and object utilisation breakdown - number of hits + percentage of overall rules - first hit and last hit - unused rules - object utilisation, and rules containing unused objects and/or services - most/least used security and NAT rules - rule shadowing + duplicates flagged up - PCI report available
That’s not it! Nevertheless, we’ve spent a lot of money on a lot of kit. This is available for customers to use, any of the software you see today we can demonstrate in the lab/you can come in and play. Slight change to order. Video recording. Hand over to David Morrow for a section on ‘why upgrade’ and the various software blades.
I hope you find the day useful, PLEASE ask questions (the more interactive the better). Timings – break about 11am, though likely slightly earlier before break-out/clinic sessions and then some lunch.
Talk about the differences between SPLAT UTM-1, Power-1 and IP appliances. UTM-1 aimed more at the SMB, with the Power-1 & IP appliances offering Enterprise and large-scale deployment. Also UTM functionality is best suited to the UTM-1 range of appliances, which is mainly due to the hardware architecture and throughput requirements.
For example – UTM functionality performs much better on SPLAT. Indeed the latest UTM blades are only available on SPLAT.
More information is available at the below link
Also EOS licenses receive less trade-in discount
For example, if you plan on running new UTM type threat in the near future then perhaps SPLAT is a preferable option. And for dynamic routing and other high-end small packet network requirements the IP appliances might fit best.
General intro
Brief agenda
Nokia put the security arm up for sale in September 2008. Check Point completed the acquisition in April 2009. IPSO runs on all Nokia IP series platforms, current version is 6.2. BSD package management is simple enough to use, though it has quite a few idiosyncrasies that administrators need to be aware of in order to use it effectively.
SPLAT is a Linux based OS that makes the install of CP and all its blades, mgmt, fw, vpn, remote access, very easy. The install wizard makes an average SPLAT build take around 30 mins depending on modules and hotfixes. SPLAT supports dynamic routing when using SPLAT Pro, just use the “router” command via the CLI to get into a Cisco-like shell. ----- Meeting Notes (08/11/2010 16:38) ----- Not fully RFC compliant for OSPF, doesn’t support virtual links.
IPSO was originally a product from IPSILON networks, a Nokia acquisition from 1997, so it’s a very mature platform. Dynamic routing support features the two big ones, OSPF and BGP. Administration has good role based access and external authentication support. VRRP is an RFC that is well known and understood by many vendors. However using Voyager has its own nuances, installing packages for example. WUI offers good monitoring of system stats, CPU, disk, temp, throughput etc. ----- Meeting Notes (08/11/2010 16:38) ----- NetFlow. ADP on 695 and above.
Gaia will be a Linux based OS that pulls together the two OS lines within Check Point into a single, supportable product that fulfills all the mgmt and gateway requirements of a Check Point estate. ----- Meeting Notes (08/11/2010 16:38) ----- UTM-1, Power-1, Partner
The best bits of SPLAT – easy install, easy mgmt, quick and simple build with all relevant CP packages pre-installed. The best bits of IPSO – advanced dynamic routing, advanced admin access and auth. Multiple CLI options: CLISH, BASH, CPSHELL. ClusterXL is still going to be an option for HA and load sharing. A single platform to learn for mgmt, gateway. Upgrade paths from all current operating systems. ----- Meeting Notes (08/11/2010 16:38) ----- RIP, OSPF and BGP. IP clustering is being phased out, VRRP for HA, ClusterXL for load balancing.
Release 1 early 2011
Good morning everybody, my name is Tim Kirk (as some of you already know), and I’d like to take this opportunity to welcome you all to this event. I’m going to be delivering a presentation focusing on software blade licensing and how to upgrade from your current NGX estate. As many of you are aware, Check Point licensing has been notoriously difficult and complex to understand and implement. My objective today is to give you confidence and an understanding when choosing new Check Point products or planning an upgrade. Please feel free to jump in with any questions, or wait until the end Q&A slide. So without any further ado here goes:
List recent Check Point projects (ICAP, Gartmore,???)
Such as network cards, additional HDDs. ----- Meeting Notes (08/11/2010 17:07) ----- ADD GATEWAYS NOT SITES
License change on MAC, SB licensing enforcement with HFAs
UTM 27x & 57x are available with just FW and VPN (with management)
Floodgate-1 now part of advanced networking
Worth bearing in mind that most of the features have been enhanced. For example the IPS event analysis SB is a new licensable option within SmartEvent. This is not included for free if upgrading from Eventia Analyser.
Use this as an opportunity to audit your Check Point licenses to establish whether or not the SKUs are required