I reported some problems we've encountered with Checkpoint's Firewall-1
to this list last week. Here is a brief follow up on the situation,
the problems we encountered, the solution, and some issues you might
want to keep in mind.
We had two major problems:
* The machine running FW-1 would hang completely several times
a week. We had to power cycle the machine to clear the problem.
* When the machine was rebooted, the FW-1 startup script would
report that the filters were installed and the GUI would
show that the machine was protected. However, tests showed that
the entire network was wide open and no filtering was taking
place.
After talking with the reseller and Checkpoint several times, we convinced
them that the problem did indeed exist and that it had to be solved soon.
We allowed Checkpoint to log into the firewall and then exchanged a few
messages.
The filtering problem was fixed by making sure that the hosts file
agreed exactly with the objects defined in the FW-1 configuration. With
this change in place, the correct filter was installed each time the
machine rebooted.
We've not seen a hang since then, but it's only been a day or so.
Once installed correctly, FW-1 seems to be a viable firewall product.
Some points that you should keep in mind:
* Before you buy it, ask the reseller if they will come help you install
it. The marketing materials and the poor documentation leave you with
a false sense of security. You can install it wrong, with fatal results.
* Your first line of support is your reseller. The startup screen tells
you to contact Checkpoint for support, but they will tell you to call
your reseller. So, make sure you're happy with your reseller if you
are concerned about support issues.
* The documentation is very sparse.
By far the most disturbing issue is:
* There is at least one failure mode that will result in your network
being left wide open despite indications to the contrary. This is
easy to fix, but it leaves you wondering what other failure modes
exist. The lack of adequate documentation and source code makes
this an even larger concern.
On the up side, the GUI makes managing it very simple, the filter
language appears to be very powerful, it is handling the load
well, and the logging functionality is good.
Checkpoint just needs to work on ways to improve customers' faith
in its reliability. No security product should ever fail in any manner
other than "safe".
We'll see how it holds up over the long haul.
-David
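
Added example, not part of the original post and not Checkpoint tooling: a consistency check between a hosts file and a list of firewall objects, the mismatch the post identifies as the cause of the filter not being applied. The name-to-address object export, the sample data and the function names are assumptions; the post does not describe how FW-1 stores its objects.

```python
import ipaddress

# Constructed sample data (not taken from the original post).
SAMPLE_HOSTS = """\
# /etc/hosts (constructed sample)
127.0.0.1    localhost
192.0.2.1    fw-ext  fw-ext.example.com
10.0.0.1     fw-int
10.0.0.25    Mailhost
"""

# Hypothetical export of firewall network objects as name -> address.
SAMPLE_OBJECTS = {
    "fw-ext": "192.0.2.1",
    "fw-int": "10.0.0.2",      # address differs from the hosts file
    "mailhost": "10.0.0.25",   # differs only in case
    "dmz-web": "192.0.2.80",   # no hosts entry at all
}

def parse_hosts(text):
    """Return {name: ip} for every name and alias in hosts-file text."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        ip = str(ipaddress.ip_address(fields[0]))  # normalise, reject junk
        for name in fields[1:]:
            table.setdefault(name, ip)  # keep the first entry for a name
    return table

def compare(hosts, objects):
    """Return a sorted list of (object_name, problem) for every disagreement."""
    lowered = {name.lower(): name for name in hosts}
    problems = []
    for name, addr in objects.items():
        addr = str(ipaddress.ip_address(addr))
        if name in hosts:
            if hosts[name] != addr:
                problems.append((name, f"address mismatch: hosts={hosts[name]} object={addr}"))
        elif name.lower() in lowered:
            problems.append((name, f"case mismatch: hosts has {lowered[name.lower()]}"))
        else:
            problems.append((name, "missing from hosts file"))
    return sorted(problems)

if __name__ == "__main__":
    findings = compare(parse_hosts(SAMPLE_HOSTS), SAMPLE_OBJECTS)
    for name, problem in findings:
        print(f"{name}: {problem}")
    raise SystemExit(1 if findings else 0)  # non-zero exit can gate a boot or go-live step
```

A clean result only shows that the two name tables agree; it does not show that filtering is active, which still has to be confirmed by testing traffic through the firewall as the post describes.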