Re: ASA vs Checkpoint

From: Paul Cosgrove (paul.cosgrove@heanet.ie)
Date: Wed Jul 23 2008 - 13:34:24 ART


Saw the same problem myself a number of times. Nokia had at least one
bad batch of disks, some Fujitsu disks as I recall, and released an
advisory about it a few years ago. You may be able to negotiate some
preventative work if you have already experienced failures.

Paul.

Ina&Laurean wrote:
> I work in an environment where we have about 35 Checkpoint FWs running on
> the Nokia platform; I don't manage these firewalls but I do often troubleshoot
> problems related to firewall issues.
>
> The Checkpoint management interface is great and makes it very easy to manage
> multiple firewalls, but I have to say that hardware reliability is not so
> good; we've had many hard drives failing and many times the file system got
> corrupted.
>
> What I also don't like with Checkpoint is the VPN client, which I have to say
> is very unstable, with lots of connectivity problems.
>
> I worked before with Nortel Contivity VPN and it worked way way better.
>
> Laurean
>
>
>
> On Wed, Jul 23, 2008 at 9:07 AM, Muhammad Nasim <muhammad.nasim@gmail.com> wrote:
>
>> Sorry guys, this email was only intended for Mr. Dip
>>
>> Dip and I know each other
>> : )
>>
>>
>>
>> 2008/7/23 Muhammad Nasim <muhammad.nasim@gmail.com>:
>>
>>> ho Brother
>>>
>>> After getting my CCIE on the first attempt : ) people are asking me for
>>> recommendations, and how can I give them wrong recommendations : )
>>>
>>> Somehow, let's see : )
>>>
>>>
>>> 2008/7/23 dip <diptanshu.singh@gmail.com>:
>>>
>>>> Hi Nasim, don't worry, we have a lot of plans for the future.. and wait for
>>>> the next 2 years; if things go right you will definitely see some good things.
>>>>
>>>> Thanks
>>>> Dip
>>>> CCIE#20679
>>>>
>>>>
>>>> On Wed, Jul 23, 2008 at 4:46 PM, Muhammad Nasim <muhammad.nasim@gmail.com> wrote:
>>>>
>>>>> Hey Dip,
>>>>>
>>>>> If you can convey my message to Cisco, it is to please, please leave the
>>>>> tail of JAVA for making graphical interfaces.
>>>>>
>>>>> 1. Juniper and Fortinet graphical interfaces are awesome, based on HTML.
>>>>> Cisco should do this.
>>>>>
>>>>> 2. Please remove the bugs in versions 7.2.X AND 8.0 before ADDING new
>>>>> features : ).
>>>>>
>>>>> 3. Include DMVPN support on the CISCO ASA : ) (Juniper firewalls support
>>>>> this kind of VPN from version 6.0)
>>>>>
>>>>> 4. Make the CISCO ASA a real UTM device (which can support
>>>>> IPS+ANTISPAM+ANTIVIRUS+URL filtering on one BOX. Right now it is not
>>>>> possible.)
>>>>>
>>>>> HTH
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> 2008/7/23 David Tran <davidtran_mclean@yahoo.com>:
>>>>>
>>>>>> "checkpoint support sucks big time as compared to cisco. see when u get
>>>>>> stuck in live network all u care of some good guys to help u out of it
>>>>>> this is where no one can touch cisco for sure."
>>>>>>
>>>>>> This part I completely agree with you. Checkpoint TAC support sucks big
>>>>>> time. This is one area where Cisco is really good at.
>>>>>>
>>>>>> --- On Wed, 7/23/08, sushil menon <sushilmenon2001@gmail.com> wrote:
>>>>>>
>>>>>> From: sushil menon <sushilmenon2001@gmail.com>
>>>>>> Subject: Re: ASA vs Checkpoint
>>>>>> To: "David Tran" <davidtran_mclean@yahoo.com>
>>>>>> Cc: "dip" <diptanshu.singh@gmail.com>, "Bill Eyer" <beyer@optonline.net>,
>>>>>> ccielab@groupstudy.com, security@groupstudy.com
>>>>>> Date: Wednesday, July 23, 2008, 2:17 AM
>>>>>>
>>>>>>
>>>>>>
>>>>>> I think it depends on what you are looking for.
>>>>>>
>>>>>> From the Cisco point of view, the few advantages and disadvantages I feel:
>>>>>>
>>>>>> Cisco is a lot cheaper than Checkpoint. In Checkpoint the biggest pain is
>>>>>> the licensing model. You need a license for everything, so the cost of it
>>>>>> goes very high. Since it's pure software you will have to invest in
>>>>>> hardware again, like if you are thinking of SecurePlatform then a good IBM
>>>>>> or HP server plus their support as well.
>>>>>>
>>>>>> Checkpoint support sucks big time as compared to Cisco. See, when you get
>>>>>> stuck in a live network all you care about is some good guys to help you
>>>>>> out of it; this is where no one can touch Cisco for sure.
>>>>>>
>>>>>> Though Checkpoint is famous for its GUI, that's the only best thing I
>>>>>> find in it. Because it can be deployed on many different hardware
>>>>>> configurations, on different hardware it is tough, because for most of
>>>>>> the hardware you don't even get documentation for free; like Nokia and
>>>>>> Crossbeam, you need login access to just view the documentation. There
>>>>>> are hardly any good configuration examples that you could use.
>>>>>>
>>>>>> There is nothing very great that Checkpoint does that Cisco cannot do,
>>>>>> except for a few things like running VPNs and running protocols in
>>>>>> active/active mode.
>>>>>>
>>>>>> But where VPNs are concerned I find Cisco VPNs much more scalable and
>>>>>> easy. In Checkpoint you have something called communities, and according
>>>>>> to communities you will have to decide whether you want to have mesh or
>>>>>> star-like VPNs. In ASA it's up to you; you can configure it the way you
>>>>>> want and need not worry about any communities. Of course, from a good
>>>>>> management point of view, seeing the logs in a nice format and all, you
>>>>>> can go for Checkpoint.
>>>>>>
>>>>>> If you are really looking for options I would say rather try Juniper or
>>>>>> Fortinet. They are even better than both Cisco and Checkpoint.
>>>>>>
>>>>>> Especially Fortinet provides everything in a single ASIC-based box. They
>>>>>> have got IPS, anti-spam, URL filtering, anti-virus, content filtering all
>>>>>> in a single box and their license cost is very low. Their anti-virus has
>>>>>> been winning 3 consecutive awards in anti-virus bulletin.
>>>>>> They can do source-based routing, source-interface-based routing,
>>>>>> policy-based routing and many more features.
>>>>>>
>>>>>> They have got their FortiManager, like Checkpoint, to manage all the
>>>>>> boxes from a single point, and they have a FortiLog analyser for
>>>>>> consolidating all the logs in a single place.
>>>>>>
>>>>>>
>>>>>> On Wed, Jul 23, 2008 at 7:56 AM, David Tran <davidtran_mclean@yahoo.com> wrote:
>>>>>>
>>>>>>
>>>>>> "But there are downsides. It is software running on a computer, so you
>>>>>> have some form of Linux or Windows under the hood. We run ours on a
>>>>>> Nokia platform. The model we currently use is diskless, but some of our
>>>>>> older ones had a harddisk that seem to fail regularly. Plus keeping up
>>>>>> with patching means not only patching Checkpoint, but also patching
>>>>>> IPSO, which is Nokia's version of Linux."
>>>>>>
>>>>>> You should be using SecurePlatform instead of Nokia. With
>>>>>> SecurePlatform, you go to a single vendor, Checkpoint,
>>>>>> for support with both the OS and Checkpoint. Nokia is overpriced
>>>>>> and overrated.
>>>>>>
>>>>>> Isn't RAID-1 supposed to resolve this issue? My SecurePlatform
>>>>>> has been up and running for almost five years with two reboots,
>>>>>> because I upgraded it to HFA_17 and HFA_20.
>>>>>>
>>>>>> You will run into the same thing with Cisco as well. I can tell
>>>>>> you that from PIX version 7.2(x) alone, there are about 28 different
>>>>>> versions out there.
>>>>>>
>>>>>> Checkpoint FireFly is high-end, running on IBM x3650.
>>>>>>
>>>>>> Checkpoint can terminate VPN in active/active but Cisco ASA
>>>>>> cannot.
>>>>>>
>>>>>> Checkpoint is expensive and Cisco is not.
>>>>>>
>>>>>> Imagine managing a firewall with 20+ interfaces with Cisco, a
>>>>>> very difficult task indeed. There is no Cisco centralized
>>>>>> management like CP Provider-1 either, unless you count
>>>>>> Cisco Security Manager, which runs on crappy Windows. This
>>>>>> product is horrible. Even Cisco TAC recommends Solsoft
>>>>>> over Cisco CSM.
>>>>>>
>>>>>> If you have the money, go with Checkpoint. Otherwise, go
>>>>>> with Cisco.
>>>>>>
>>>>>> As someone put it, Checkpoint firewalls are like driving a Porsche
>>>>>> or Audi while Cisco is like driving a Ford Pinto. Just like
>>>>>> everything in life, you get what you pay for.
>>>>>>
>>>>>> --- On Tue, 7/22/08, Bill Eyer <beyer@optonline.net> wrote:
>>>>>> From: Bill Eyer <beyer@optonline.net>
>>>>>> Subject: Re: ASA vs Checkpoint
>>>>>> To: "dip" <diptanshu.singh@gmail.com>
>>>>>> Cc: ccielab@groupstudy.com, security@groupstudy.com
>>>>>> Date: Tuesday, July 22, 2008, 7:34 PM
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> Dip,
>>>>>>
>>>>>> For what it's worth, at our company we use a mix of Checkpoint and Cisco
>>>>>> firewalls: the ASA, FWSM for the 6500 and some older PIX units. This is a
>>>>>> deliberate design solution on my part to provide diversity.
>>>>>>
>>>>>> Both manufacturers have advantages and disadvantages, and I will give
>>>>>> you my rant on both of them.
>>>>>>
>>>>>> The Checkpoint is great for a couple of things. The management
>>>>>> interface is still the best. Even I, who have never been to school on
>>>>>> it, can easily configure and push policies. The logging system, while
>>>>>> proprietary, is really nice. If my firewall engineers had their way, we
>>>>>> would use only Checkpoint firewalls.
>>>>>>
>>>>>> But there are downsides. It is software running on a computer, so you
>>>>>> have some form of Linux or Windows under the hood. We run ours on a
>>>>>> Nokia platform. The model we currently use is diskless, but some of our
>>>>>> older ones had a hard disk that seemed to fail regularly. Plus keeping up
>>>>>> with patching means not only patching Checkpoint, but also patching
>>>>>> IPSO, which is Nokia's version of Linux. Our Checkpoint reps recently
>>>>>> told me they are coming out with their own appliance, that will feature
>>>>>> integrated patching.
>>>>>>
>>>>>> Checkpoint is also "rental software". To legally keep it running you
>>>>>> have to re-license it periodically. You also have to have a dedicated
>>>>>> PC as a management server, and yes this has its own license. Lastly,
>>>>>> Checkpoint support is really expensive, although third party support may
>>>>>> be available from the appliance manufacturer. We get ours from Nokia.
>>>>>> Unlike Cisco TAC, Nokia does draw the line at some support requests.
>>>>>> For example I asked them to walk me through installing the R55 patch and
>>>>>> they told me I had to hire a VAR to do the work. I got around it but it
>>>>>> was painful.
>>>>>>
>>>>>> SmartDefense, which is their version of IPS, also adds extra costs and,
>>>>>> since it is implemented in software, has a dramatic effect on
>>>>>> throughput.
>>>>>>
>>>>>> All in all it adds up to a higher cost than ASA.
>>>>>>
>>>>>> ASA wraps good things into a single box, and the cost is lower.
>>>>>> However, the management GUI is not as easy to use (although recent
>>>>>> generations are definitely better). Logging is also horrible. The logs
>>>>>> on the built-in GUI are not nearly as nice as Checkpoint's, so you will
>>>>>> probably find the need for some type of enterprise logging tool. The
>>>>>> good news is that it is syslog, so any enterprise SIM tool should work.
>>>>>> We actually use CS-MARS, but the staff still doesn't like it as much as
>>>>>> Checkpoint.
>>>>>>
>>>>>> That's my rant anyway. If you have the money to pay for it, Checkpoint
>>>>>> is really nice, but support is higher, both in cost and in time.
>>>>>>
>>>>>> In our case in the data center we use Checkpoint as the perimeter
>>>>>> firewall, then sandwich our DMZ between the outside and inside
>>>>>> firewalls. The theory is that if there is a vulnerability in one
>>>>>> manufacturer, a hacker can't exploit it to get all the way inside the
>>>>>> enterprise. The inside firewalls are FWSM blades. For small sites we
>>>>>> use ASA because cost is the driving factor there.
>>>>>>
>>>>>> Long post, and maybe off topic, but I am certain that other engineers
>>>>>> will have their own opinions.
>>>>>>
>>>>>> Sincerely,
>>>>>>
>>>>>> Bill
>>>>>>
>>>>>> dip wrote:
>>>>>>> Hi Guys,
>>>>>>>
>>>>>>> I have to evaluate between Cisco ASA and Checkpoint for a big
>>>>>>> enterprise. I think this is a better place to ask since lots of people
>>>>>>> would have worked on both products.
>>>>>>>
>>>>>>> Please provide me all the plus points which you saw in Checkpoint which
>>>>>>> you think currently Cisco ASA doesn't have, or vice versa.
>>>>>>> Also, what features does Checkpoint have which you think should be a
>>>>>>> must in Cisco firewalls.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> Thanks
>>>>>>> Dip
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> _______________________________________________________________________
>>>>>>> Subscription information may be found at:
>>>>>>> http://www.groupstudy.com/list/CCIELab.html
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>> --
>>>>> Muhammad Nasim
>>>>> Network Engineer
>>>>> Saudi Arabia
>>>>>
>>>>
>>>
>>> --
>>> Muhammad Nasim
>>> Network Engineer
>>> Saudi Arabia
>>>
>>
>>
>> --
>> Muhammad Nasim
>> Network Engineer
>> Saudi Arabia
>>
>>
>
>
>
>
>
>
>

-- 
HEAnet Limited
Ireland's Education & Research Network
5 George's Dock, IFSC, Dublin 1, Ireland
Tel:  +353.1.6609040
Web:  http://www.heanet.ie
Company registered in Ireland: 275301

Please consider the environment before printing this e-mail.



This archive was generated by hypermail 2.1.4 : Mon Aug 04 2008 - 06:11:56 ART