
[FW-1] NG - UNACCEPTABLE!!! Re: WAS Is NG ready for general use ?



I know someone asked if NG was ready for general use, and others have been
asking how soon they could get it.  I would like to mention some problems
we've seen and see if anyone else has seen the logging issue specifically,
and I would wholeheartedly say that if you upgrade - BEWARE!!

We have been running FW-1 for years on multiple firewalls, all Wintel boxes.
Most recently, we were on 4.1 with the latest service packs on top of NT 4.0
SP6a.  We upgraded in a rolling fashion onto clean Win2K installs and tried
to import our objects/policies as instructed. Following the instructions on
how to do this and in various FAQs yielded only hours of frustration.  We
had to rebuild from scratch.

Although we got our site-to-site VPNs up, we have seen a multitude of other
errors.  DNS/AD errors via the site-to-site VPN that did not previously
exist, and which do not occur when tunneled alternatively via Netscreens.
SecuRemote failures due to missing SKU line items on paid-for (not eval)
licenses from the Checkpoint site!!!!  Intermittent object errors on policy
verification on objects that have not been modified in any way.  Errors on
trying to delete objects, with advice to contact technical support.  To top
it off, BSODs on multiple installs of FP1.

Actually, there is even one more issue we've seen which rivals the BSODs.
We have "front door" and "back door" firewalls which protect different
numbers of hosts.  The front door firewalls have always had unlimited
licenses, while the back door firewall had a 250 count license because we
have roughly that many hosts.  In our 4.1 and even mixed 4.1-NG
environments, we saw no logging issues.  However, as soon as we took the
back door firewall to NG, now when it detects "too many internal hosts"
(typically due to transient laptops), it logs an error to our central
management station and ALL firewalls stop logging!!!!!  Actually, at some
point we still see logged events, but it ultimately fails and no items after
that error are displayed in the GUI any more.  To reinitiate, you have to
clear the appropriate files, CPSTOP/CPSTART, and reinstall putkeys.  Talk
about the most screwed up thing ever.  TOTALLY UNACCEPTABLE, and if any of
you are on this borderline, I recommend you not upgrade.  We will likely
upgrade our license, but this is not the manner in which this should have
been handled.  I requested an eval license, and even though Checkpoint
technical support told me this was not the issue, we had no logging
problems until the day after it expired.  Same issue.

These items have all been reported to and ignored by Checkpoint.  Largely
the reason we are evaluating other products.

Mark Whitworth

   All contents © 2004 Network Presence, LLC. All rights reserved.