Dear Checkpoint representatives,

We are experiencing very similar problems with our new implementation of our Checkpoint firewalls, and already have different firewalls being tested in our labs. We have learned that the Phone Support for GoldPlus support was nothing more than a voice front-end for the SecureKnowledge Base and Phone Boy information. Save the support money, and use PhoneBoy.

-----Original Message-----
From: Paul DeHerrera [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, July 12, 2000 6:13 PM
Subject: [FW1] Checkpoint Experience
Dear Checkpoint representatives,

I am writing to you as the network administrator for Large Scale Biology in regard to our corporation's experience with CheckPoint products. Last year I was tasked to find a VPN/Firewall solution for our corporation. We wanted something that was reliable, scalable and above all secure. After months of research and investigation of many solutions, I was convinced Checkpoint could provide our solution.

Upon receiving approval for my project, I immediately enrolled in a fast track CCSA/CCSE class and started purchasing the Checkpoint 4.0 products. We decided to go with the Enterprise solution including an unlimited number of secured hosts in our corporate office. We purchased Nokia VPN-1 appliances for our remote offices and software subscriptions and gold support for all products. We also invested in Secure Client licenses and RSA ACE server.

Our reseller Avcom was late in delivering the product, one whole month later than their original date to be exact. I didn't realize it at the time, but this was a foreshadowing of our Checkpoint experience. When the product finally arrived from Avcom, we did not receive any license certificates and could not start deploying the products that we just received. A few weeks went by and a bundle of certificates finally arrived from Avcom. This was when I was first introduced to http://license.checkpoint.com (about November 1999).

I made it to the web site and entered my first certificate key. Upon clicking the submit button I received my first Checkpoint license. I was able to start deploying the product and life was good. Now it was time to enter the certificate key for the Nokia VPN-1 appliances. The website would not accept the certificate key and would not generate the licenses for software subscription and gold support. However, I needed support because I was in the middle of deploying the product. A call to Nokia tech support and an explanation of the situation allowed me to use a "complimentary" support incident, which I have been using ever since.

I decided to follow up with Checkpoint to receive my software subscription and gold support. I made a phone call and spoke with a wonderful lady named Summer who did her best to assist. After several attempts to contact Avcom and their distributor (Westcon?), Summer was unable to provide me with the software subscriptions and gold support that we purchased. This is when I was passed on to Sherri Bentley. Like Summer, Sherri assisted me with this licensing issue. She has made several attempts to resolve this issue with no success. Sherri also contacted the internal Checkpoint web site developers who manually fixed some glitches, but still no software subscription and no gold support on the Nokia boxes.

Meanwhile, the passing months produced a new version of the Checkpoint software. I attended the Checkpoint Experience conference in San Francisco and learned about the many wonderful things that Checkpoint 2000 offers. Since Large Scale Biology was proactive in purchasing the software subscription for the Checkpoint products, we were entitled to upgrade for free. We decided that since we were going to upgrade the product, we would also take the opportunity to re-configure. We separated the management console from the firewall and wanted to use Linux since it is more efficient than Solaris and the price is right. That decision has cost us dearly in downtime and man hours spent licensing the new CheckPoint products. Also, the Nokia boxes still don't have the licensed gold support and software subscription that we originally purchased.

Technical support at Checkpoint is a real hit or miss proposition. One tech will be extremely helpful and efficient in finding the problem and another tech is obviously reading a book or web site and has no true experience with the products. I understand that new techs need to get experience, but it is extremely frustrating to listen to a tech fumble through questions like "what color is the network object for your firewall" while you have a network that is down.

Today I upgraded the Nokia VPN-1 Appliance to Checkpoint FW-1 4.1 SP1. I also upgraded the IPSO to 3.2.1. I spent hours preparing for the upgrade by calling tech support, obtaining the new version (4.1 Sp1) license, downloading all the correct files and associated documentation and crossing every "T" and dotting every "i". After the upgrade was complete I tested VPN which worked like a dream. Then I tested connectivity to the Internet. None of the workstations on the internal network could access the Internet. I checked my rule base, double checked network objects and Address Translation rules. After a call to Nokia tech support we determined that this was a problem with Network Address Translation. I just happened to reboot the Nokia VPN-1 Appliance and watched the boot up process. It said "no license for address translation".

Once again I was suffering from a licensing issue. So I called Sherri Bentley to get my evaluation license. This is a routine that has become all too familiar. When the license doesn't work, use an evaluation license until you can get the real license. I now have a collection of about 50 evaluation licenses. From November 1999 to July 2000 I have had approximately 50 issues with my checkpoint license. Furthermore, I still do not have Gold Support or Software Subscription for the Nokia VPN-1 Appliances that I purchased. The "complimentary" support incident that was extended by Nokia has been used to its fullest (approximately 50 times) and they will no longer provide me with support, because they do not show that I ever purchased it. In addition, I have two firewalls that are using evaluation licenses that are about to expire. Again, these are licenses that were purchased in November of 1999.

There are more details to this story that demonstrate the Large Scale Biology "Checkpoint Experience".

I believe that Checkpoint has a strong product. Firewall-1/VPN-1 is technically not perfect, but very strong. However, the administration, support and licensing of the product is poor to say the least. The online licensing website should be deleted and re-engineered from the ground up including a completely new methodology for licensing. I think that Firewall-1/VPN-1 has great potential and I would recommend it to my future customers if I knew that these issues were being addressed and resolved.

I feel that I have been extremely patient with Checkpoint through this fiasco. However, my patience has come to an end. I am in a position to recommend and purchase another Firewall/VPN solution for our corporation. I strongly believe that before I make this decision that it would be prudent to give your management team an opportunity to respond.

Sincerely,
Paul DeHerrera
Large Scale Biology
[EMAIL PROTECTED]
707.469.2357
http://www.lsbc.com
================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================
--- "Dameon D. Welch-Abernathy" <[EMAIL PROTECTED]> wrote:
>
> I would like to announce the immediate availability of the FireWall-1 Wizards Mailing List.
>
> This list is designed to be a discussion forum for FireWall-1 and related products. Unlike the FireWall-1 Mailing List, this list will be moderated. This means all emails to the list are approved by a moderator before being sent out. The approval guidelines are designed to promote useful discussion and eliminate redundant information. Because moderating a list can be a full-time job, there will be multiple moderators to help share the load. However, I, PhoneBoy, am in charge and always have the final say. :-)
>
> The list of topics this list will cover includes:
>
> * Use and troubleshooting of Check Point FireWall-1/VPN-1, the VPN-1 Appliance (Nokia IPxxx), and SecuRemote/Secure Client.
>
> * Use and troubleshooting of third-party HA solutions for FireWall-1. This includes, but is not necessarily limited to StoneBeat, Rainfinity, Check Point's HA module (when it is finally released) and the HA features present in the IPSO Operating System (i.e. on Nokia IPxxx and VPN-1 Appliance platforms).
>
> * Security Issues, though the focus of the conversation should be "how to implement it in FireWall-1."
>
> * Announcements about PhoneBoy's FireWall-1 FAQs and similar resources.
>
>
> Things that will not get past the moderators include, but are not limited to:
>
> * Anything already covered in the FAQs. PhoneBoy's FireWall-1 FAQs will be the baseline this will be judged against, though it may eventually include other sources. Basically, do your homework before posting your questions.
>
> * OS Wars (i.e. which OS is better). The standard answer is "use what you know best."
>
> * Rants about Check Point Support or your Reseller.
>
> * Flames or flamebait.
>
>
> Disclaimers:
>
> * The moderators are human and will make mistakes from time to time. Deal with it. :-)
>
> * This list is not meant to replace a support contract with Check Point, Nokia, or an authorized reseller.
>
> * This list does not represent the official opinion of Check Point Software Technologies, Ltd., Nokia Internet Communications, or anyone else for that matter.
>
> * Use the information contained herein at your own risk.
>
> * This is a public mailing list. Don't expect any sort of privacy.
>
> * All submissions to this list, whether or not they are approved, may be re-used by me without your permission.
>
> * We reserve the right to refuse service to anyone.
>
>
> How to join or leave the mailing list:
>
> * To join the Realtime List (i.e. messages are sent as they are approved by moderators), send a blank email to: [EMAIL PROTECTED]
>
> * To join the Digest List (i.e. batches of messages are sent periodically), send a blank email to: [EMAIL PROTECTED]
>
> * To remove yourself from the Realtime List, send a blank email to: [EMAIL PROTECTED]
>
> * To remove yourself from the Digest List, send a blank email to: [EMAIL PROTECTED]
>
> A searchable list archive will appear soon.
>
> --
> Dameon D. Welch-Abernathy
> a.k.a. "PhoneBoy"
> [EMAIL PROTECTED]
> http://www.phoneboy.com
> The views expressed herein are not necessarily those of anyone else.