Welcome
Nick Garlick
Managing Director

Good News: You’re not alone!
Approx. 80% of Check Point’s installed base are on R65 or earlier
Bad News: The clock is ticking… R65 31/3/11*

Decisions, Decisions..
 Platforms
 OS’s
 Versions
 Functionality
 Management
Our aim today: To give you all the information you need to make the best decisions

Agenda:
Introduction
Why upgrade?
> New Features
> Software Blades Overview
Upgrade considerations
> Upgrade paths
> Major release overview
> Difference between R7x releases
Project Gaia (Unified OS)
> Features & functionality
> Planned releases
Licensing: Upgrade to software blades
> Overview of blade licensing
> Trade-in options
> Zero cost software blade license upgrade
Summary
Technical Clinic Breakout Sessions

Introduction
Stuart Brameld
Technical Director

Introduction Agenda
Why listen to us?
 Knowledge/Resource
 Support
 EA Program
 Recent Projects
 Hosted Assessment Service
 Lab Environment

Knowledge/Resource
 Our largest partner
Partnered for 9 years
 12 Engineers (7 consulting, 5 support)
 On-site consultancy
 Check Point Experience
 Channel SUS and TUS
 Check Point University Tours
 Active users and participants on CPUG
 Distribution
 Dedicated AM & SE

Support
 Check Point Certified Support Partner
 We log calls for customers with CES contracts
 24x7x365 support
 286 support calls YTD (avg. 29/month)
 Escalate around 25% calls to vendors

EA program
 Select customers and partners worldwide
 1 of 3 partners selected in the UK
 Program benefits:
   - Early Availability Code
   - Demo appliances
   - On-site engineer and on-site product training
   - 24x7 R&D support until GA
   - Feedback to R&D and Management
 Abra, Check Point VE and Application Control Blade

Recent Projects
 Rulebase clean-up, Cisco/Juniper migrations and firewall consolidation project for a FTSE 100 Finance Broker
 Rulebase cleanup of large Cisco rulebase (approx 10,000 rules), migration to Check Point and P1 upgrade for leading UK Communications and Entertainment Business
 Numerous IPSO 6.x and Check Point R7x Upgrades in critical infrastructure environments

Hosted Tufin Service
 Hosted service
 No hardware required on site
Very simple setup
 Implementation Guide
 Reports + Call
 Low cost

Hosted Tufin Service

Lab Environment
 > £250,000 kit
 8 ESX servers
 Multiple switching stacks & SANs
 CP Lab/demo kit
   - Power-1 11070
   - UTM-1 1070
   - Nokia IP260
   - Nokia IP695
   - kit from distribution

Thank You

Why Upgrade?
David Morrow
Channel Account Manager
Check Point Software Technologies

Software Blades Overview
 IPS
 DLP
 Application control
 Mobility
 URL Filt. AS, AV & WS
 Smart Event
 Workflow
 User awareness – R70.20+

Upgrade Considerations
Presenter: Tim Kirk
Check Point Product Champion

Contents
 Platforms & main differences
 Supported software & hardware
 Trade-in offers
 Upgrade gotchas

Platforms & main differences
 No “one-size fits all” approach
 Hardware CPU, memory and disk specifications
 End of life software and hardware

Supported Software & Hardware
 NGX R65 End of Support March 2011
NGX R60 SecuRemote/Client June 2011
 NGX Eventia Suite December 2010
 http://www.checkpoint.com/services/lifecycle/support-periods.html

Nebulas Solutions Group | R75 Event

Editor's Notes

  • #6 Technically focused event largely based on experiences
    Lot of information – all presentations will be available online by the end of the event, do ask questions particularly in informal clinics (designed to be more interactive)
    Realise a number of you are existing customers however wanted to provide a little information about us, our history of Nebulas working with Check Point, some of work we do and have done
    Skills in CP solutions
  • #7 (slow) Main reason for the event – R65 going end of life but also huge number of options now exist, both software and hardware, for customers
    No simple solution that fits everyone – depends on the hardware you have and features or functionality you want to use
    When I was heavily involved in CP consultancy 4 or so years ago if you understand import upgrade utilities was fine. With advent of software blades and a rapidly expanding portfolio as a result of numerous acquisitions this is certainly no longer the case.
  • #8 Nebulas Security were founded in 2001, Check Point partner since 2001
    12 engineers: 7 consulting and 5 in support, well over CCSP requirements
    Have 5 of my consultants here today plus David and Mark from Check Point and Darren from distribution so a perfect time to answer any questions. All of us will be around throughout the morning and for lunch.
  • #9 Check Point Certified Support Partner
    Good relationships within the channel for escalation
  • #10 Invited to join 2 years ago
    VE – significant amount of testing with the VE product (hypervisor integrated firewall). Inter-VM traffic inspection
    Abra – built in SanDisk technology, previously a SanDisk partner so understand technology + virtualisation skills e.g. around ThinApp
    Application Control blade – clinic later this morning, ability to control based on application rather than just port. Just entering EA now
  • #11 Rulebase cleanup and firewall consolidation using a combination of Tufin and Nebulas custom scripts (750 rules reduced to 300, no errors).
    Flow analysis using Sourcefire RNA for hardware consolidation from 20 to 2 mission critical/market data firewall pairs (FTSE 100 Finance Broker). From Cisco/Juniper to Check Point
    Cleanup of Cisco rulebase (10,000 rules) and migration to Check Point using CP confwiz. Large Provider-1 upgrade and migration (Leading UK and Entertainment Business)
    6.0/R7x upgrades – Tim Kirk (one of our senior CP consultants) provide some of his knowledge gained
  • #12 Previous projects on rulebase analysis – work with Tufin
    Tufin – been working with for a few years, offer both hosted and on-site assessment service (for those that need)
    One of a number of rulebase analysis/compliance solutions
    Only requires an OPSEC object to be created on SmartCenter and policy pushed
    Logs are analysed in our datacenter
    Considerations around logging
    Priced per firewall + small charge for setup and report generation, doesn’t matter if you have 10 or 10,000 rules – charge is the same. We have to pay for use of Tufin licenses. Purposefully kept costs low in order to encourage usage of the service – helps us and our support teams too
  • #13 Rule and object utilisation breakdown
    - number of hits + percentage of overall rules
    - first hit and last hit
    - unused rules
    - object utilisation, and rules containing unused objects and/or services
    - most/least used security and NAT rules
    - rule shadowing + duplicates flagged up
    - PCI report available
  • #14 That’s not it! Nevertheless, we’ve spent a lot of money on a lot of kit
    This is available for customers to use, any of the software you see today we can demonstrate in the lab/you can come in and play
    Slight change to order
    Video recording
    Hand over to David Morrow for a section on ‘why upgrade’ and the various software blades
  • #15 I hope you find the day useful, PLEASE ask questions (the more interactive the better)
    Timings – break about 11am, though likely slightly earlier before break-out/clinic sessions and then some lunch
  • #20 Talk about the differences between SPLAT UTM-1, Power-1 and IP appliances. UTM-1 aimed more at the SMB, with the Power-1 & IP appliances offering Enterprise and large-scale deployment. Also UTM functionality is best suited to the UTM-1 range of appliances, which is mainly due to the hardware architecture and throughput requirements.
  • #21 For example – UTM functionality performs much better on SPLAT. Indeed the latest UTM blades are only available on SPLAT.
  • #22 More information is available at the below link
  • #23 More information is available at the below link
  • #24 Also EOS licenses receive less trade-in discount
  • #27 For example, if you plan on running new UTM type threat in the near future then perhaps SPLAT is a preferable option.
    And for dynamic routing and other high-end small packet network requirements the IP appliances might fit best.
  • #29 General intro
  • #30 Brief agenda
  • #31 Nokia put the security arm up for sale in September 2008
    Check Point completed the acquisition in April 2009
    IPSO runs on all Nokia IP series platform, current version is 6.2
    BSD package management is simple enough to use, though it has quite a few idiosyncrasies that administrators need to be aware of in order to use it effectively
  • #32 SPLAT is a Linux based OS that makes the install of CP and all its blades, mgmt, fw, vpn, remote access, very easy
    The install wizard makes an average SPLAT build take around 30 mins depending on modules and hotfixes
    SPLAT supports dynamic routing when using SPLAT Pro, just use the “router” command via the CLI to get into a Cisco like shell.
    ----- Meeting Notes (08/11/2010 16:38) -----
    not fully RFC compliant for OSPF, doesn’t support virtual links
  • #33 IPSO was originally a product from IPSILON networks, a Nokia acquisition from 1997, so it’s a very mature platform.
    Dynamic routing support features the two big ones, OSPF and BGP. Administration has good role based access and external authentication support
    VRRP is an RFC that is well known and understood by many vendors
    However using Voyager has its own nuances, installing packages for example.
    WUI offers good monitoring of systems stats, CPU, disk, temp, throughput etc.
    ----- Meeting Notes (08/11/2010 16:38) -----
    NetFlow
    ADP on 695 and above
  • #34 Gaia will be a Linux based OS that pulls together the two OS lines within Check Point into a single, supportable product that fulfills all the mgmt and gateway requirements of a Check Point estate
    ----- Meeting Notes (08/11/2010 16:38) -----
    UTM-1
    Power-1
    Partner
  • #35 The best bits of SPLAT – easy install, easy mgmt, quick and simple build with all relevant CP packages pre installed
    The best bits of IPSO – advanced dynamic routing, advanced admin access and auth
    Multiple CLI options, CLISH, BASH, CPSHELL
    ClusterXL is still going to be an option for HA and load sharing
    A single platform to learn for mgmt, gateway
    Upgrade paths from all current operating systems
    ----- Meeting Notes (08/11/2010 16:38) -----
    RIP OSPF and BGP
    IP clustering is being phased out, VRRP for HA, ClusterXL for load balancing
  • #36 Release 1 early 2011
  • #39 Good morning everybody, my name is Tim Kirk (as some of you already know), and I’d like to take this opportunity to welcome you all to this event. I’m going to be delivering a presentation focusing on software blade licensing and how to upgrade from your current NGX estate. As many of you are aware Check Point licensing has been notoriously difficult and complex to understand and implement. My objective today is to give you confidence and an understanding when choosing new Check Point products or planning an upgrade. Please feel free to jump in with any questions, or wait until the end Q&A slide. So without any further ado here goes:
  • #40 List recent Check Point projects (ICAP, Gartmore,???)
  • #42 Such as network cards, additional HDDs
    ----- Meeting Notes (08/11/2010 17:07) -----
    ADD GATEWAYS NOT SITES
  • #44 List recent Check Point projects (ICAP, Gartmore,???)
  • #45 List recent Check Point projects (ICAP, Gartmore,???)
  • #46 License change on MAC, SB licensing enforcement with HFAs
  • #48 UTM 27x & 57x are available with just FW and VPN (with management)
  • #51 Floodgate-1 now part of advanced networking
  • #53 Worth bearing in mind that most of the features have been enhanced. For example the IPS event analysis SB is a new licensable option within SmartEvent. This is not included for free if upgrading from Eventia Analyser.
  • #55 Use this as an opportunity to audit your Check Point licenses to establish whether or not the SKUs are required