Sal & Ray,
I'd say we all like CheckPoint's products, or else we wouldn't be on this
mailing list nor asking questions and giving answers. My response
was not meant to come across as harsh, just to make a point that I did not
want this to be the forum for a fierce debate over the nature
of the topic being discussed. The comment I made at the end of my initial
post was a comment, my own opinion. It was in no way meant to
influence or try to change anyone else's, nor to take away from the
products that CP offers. I wouldn't run them if I didn't believe in them.
Each situation at each company is different, and some people don't use features
that others might. Thus, different hotfixes may have different
effects when applied. For us, breaking VPN tunnels and SecureClient was a
huge issue; we could not do that, so it was not a viable solution.
In the end, it has nothing to do with handling constructive criticism - but
really, I will repeat, this is not the place for it anyway.
Software is human made, humans make mistakes. However, having worked with
CP as long as I have, having worked with their support,
sometimes I feel left out in the wind on some issues. Perhaps your
experience is different - that's great. Minor annoyances are a fact
of life in software releases; major features being broken is a whole other
issue. At the time, there were many emails exchanged about
both Hotfixes (8 and 9).
The reason I asked the questions I did in the first place is because I was
probing to see if anyone else had seen any particular issues with
HFA12. It could be something in our environment. I'm not sure. That's why I
asked what I did. If you don't ask the question, you'll never know
the answer. I've been working very closely with support on these issues and they
are stumped, which is why I posted here.
Ray, no worries. I understand you making valid points, and email is a
difficult forum to gauge the tone of how one is actually
relaying something. Same goes for me - as I said above, I was not trying to
do anything other than mitigate a huge debate. I do appreciate
your information on the User Database. I'm now guessing we had legacy
changes to the objects file to keep the user database install option
available. Yet, we also ran a cron job nightly to do the install, which
would be independent of the GUI... correct? Up until we applied
the new hotfix, the nightly job would make a new user creation (or password
reset) work on a firewall without a full policy install. Trust me,
I am trying to get us moved away from using the CP user database for
external options. Our database is just too large to be stored on mgmt.
Thanks for your help!
Regards,
Matt Goddard
CCSA, MCSE, CCNA
Security Information Team
Schneider National, Inc.
ph: 920.592.4787
"Anyone who has never made a mistake has never tried anything new." -Albert Einstein

"Previtera, Sal" <[EMAIL PROTECTED]>
Sent by: Mailing list for discussion of Firewall-1 <[EMAIL PROTECTED]KPOINT.COM>
03/08/2005 08:13 AM
Please respond to Mailing list for discussion of Firewall-1

To: [email protected]
cc:
Subject: Re: [FW-1] HFA-13 is out - Anyone having issues w/ HFA12?

Ray,
Most of us like Checkpoint products...and your post was fine.
Just like any user...including me, sometimes get frustrated that a feature
that was working perfectly well on a previous release...all of a sudden does
not work after a hotfix was applied.
Some people cannot handle constructive criticism about a product and want
all of us to practice the "bushido" about that product.
We pay a decent price for any product (software or hardware) and we expect
the product to work as flawless as it can be (humanly possible).
I recently migrated to HFA13 from HFA-12...no problems to report on either
release...other than some annoyances. But I am running on a ClusterXL on
SecurePlatform.
Regards,
Sal.
-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:[EMAIL PROTECTED] On Behalf Of Ray
Sent: Monday, March 07, 2005 5:36 PM
To: [email protected]
Subject: Re: [FW-1] HFA-13 is out - Anyone having issues w/ HFA12?
Hi Matt,
I re-read my post and don't see anything that could be considered a
"threat." Please accept my apologies if you took anything as so.
The ability to push the user database alone was removed as of FP3 because it
can cause corruption if the users are defined in a rule. There's a KB article
on it. There is an objects-5_0.c hack that will put the menu option back if
you don't use users in a rule.
We've been using Edge boxes (managed) successfully since HFA04. Yes, there
were a bunch of fixes in 07 and later.
Ray
>From: [EMAIL PROTECTED]
>Reply-To: Mailing list for discussion of Firewall-1
><[email protected]>
>To: [email protected]
>Subject: Re: [FW-1] HFA-13 is out - Anyone having issues w/ HFA12?
>Date: Mon, 7 Mar 2005 09:31:30 -0600
>
>In the interest of not starting a flame war, I won't address hardly any of
>your message. Most of us really do have better things to do than discuss
>the nature of companies and their beta-testing their customers. The
>statement at the end of my message was just a statement of my opinion. If
>you took it otherwise, this is not the forum for it, nor for threats (which
>is how your message came across.)
>A few things I will say:
>VPN-1 Edge devices were useless until release HFA-07 of R55.
>HFA08 was released, pulled, released. Same with HFA09. Both broke
>encryption; one VPN tunnels, the other Secure Client. Neither was a decent
>solution.
>
>User database pushing has been working for us until I applied this patch. I
>know, because I have been doing it for *months*. Unless you are writing
>the code for it, I really do not think it is appropriate for you to claim
>otherwise.
>
>As for my tag line, it is 100% true. It does not apply, however, to a
>company whose interest lies in the top level of Internet Security and the
>public code they release to their paying customers.
>
>It seems as though you got a bit worked up over nothing, and your
>spelling/grammar suffered too. Perhaps for the future, sticking to the
>point of this mailing list, which is to help those with questions, would be
>in your best interest. You've had good answers before; don't let
>assumptions lead you in to getting off topic of what this is here for.
>Assumptions like, "he thinks Micro$oft is perfect". ;-)
>Cheers.
>
>Regards,
>Matt Goddard
>CCSA, MCSE, CCNA
>Security Information Team
>Schneider National, Inc.
>"Anyone who has never made a mistake has never tried anything new." -Albert
>Einstein
>
>Ray <[EMAIL PROTECTED]>
>Sent by: Mailing list for discussion of Firewall-1 <[EMAIL PROTECTED]KPOINT.COM>
>03/06/2005 01:07 PM
>Please respond to Mailing list for discussion of Firewall-1
>
>To: [email protected]
>cc:
>Subject: Re: [FW-1] HFA-13 is out - Anyone having issues w/ HFA12?
>
>Hi Matt,
>
>13 hotfixes isn't scary because we're not talking about a single-function
>application here. Several of them weren't even publicly released because
>they addressed specialized issues, however they had to be numbered for the
>people who applied them. I suppose they could have gone the MS route and
>just changed the release number and sold you a "new" upgrade instead of
>issuing an update. :-)
>
>Nope, haven't seen the issues you're referring to although you didn't provide
>enough detail to be sure. There's no such thing as a "user database push"
>anymore; it has to be a policy push.
>
>If you really went from 04 to 12, neglecting HFA08, you put your
>organization at risk from the ASN.1 issue. Not patching firewalls for known
>exploits is a sure-fire way to unemployment in our company even if you don't
>get hacked. Failing to perform due diligence would violate SarBox and a few
>other regulations.
>
>"Even M$ seems be able to get things fairly stable after about 6 service
>packs." You mean NT? Released in 1996 and had its 6th SP released three
>years later? That's not "competence" as I would define it.
>
>By the way, your tag line of
>
>"Anyone who has never made a mistake has never tried anything new." -Albert
>Einstein
>
>is a bit confusing given your criticism of Check Point trying new fixes.
>:-)
>
>Take care,
>
>Ray
>
> >From: [EMAIL PROTECTED]
> >Reply-To: Mailing list for discussion of Firewall-1
> ><[email protected]>
> >To: [email protected]
> >Subject: Re: [FW-1] HFA-13 is out - Anyone having issues w/ HFA12?
> >Date: Fri, 4 Mar 2005 17:00:07 -0600
> >
> >Has anyone else experienced weird problems with HFA12? Obviously there were
> >still problems with R55+HFA12 as they released HFA13, and we are
> >seeing specific issues with ClusterXL, User Database pushes, and strange
> >entries in SmartView Tracker. They may not all be related to the Hotfix,
> >but they all definitely started happening after I moved the firewalls up to
> >HFA12 from HFA04.
> >I would go in to more detail, but I will hold off unless someone else has
> >definitely experienced issues relating to one (or all) of these.
> >
> >The real scary part to me is that there have been *thirteen* Hotfixes for
> >one release of code. Sometimes I wonder if going from FP2 to R54 would
> >have been the better move and then waited until they worked all the bugs
> >out of R55, or released a very stable R56 (Or R60, the name seems to be
> >changing often). Even M$ seems be able to get things fairly stable after
> >about 6 service packs.
> >
> >Thanks in advance for any advice/help.
> >
> >Regards,
> >Matt Goddard
> >CCSA, MCSE, CCNA
> >Security Information Team
> >Schneider National, Inc.
> >"Anyone who has never made a mistake has never tried anything new." -Albert
> >Einstein
> >
> >RoNNY Nussbaum <[EMAIL PROTECTED]>
> >Sent by: Mailing list for discussion of Firewall-1 <[EMAIL PROTECTED]KPOINT.COM>
> >03/04/2005 12:20 PM
> >Please respond to Mailing list for discussion of Firewall-1
> >
> >To: [email protected]
> >cc:
> >Subject: [FW-1] HFA-13 is out
> >
> >-RoNNY
> >
> >=================================================
> >To set vacation, Out-Of-Office, or away messages,
> >send an email to [EMAIL PROTECTED]
> >in the BODY of the email add:
> >set fw-1-mailinglist nomail
> >=================================================
> >To unsubscribe from this mailing list,
> >please see the instructions at
> >http://www.checkpoint.com/services/mailing.html
> >=================================================
> >If you have any questions on how to change your
> >subscription options, email
> >[EMAIL PROTECTED]
> >=================================================