Archive for September, 2009

CheckPoint UTM bugs

Overall, I am extremely happy with the CheckPoint UTM-1 Edge X boxes that my company is using in our locations. We have segmented our network into VLANs by purpose (one for wireless, one for POS, one for network management, etc.), and all these segments intersect at the UTM. Since the IPs for all these devices aren't neatly distributed into subnets, the location's Class C network is bridged all together, with the firewalling happening on the bridge.

Everything worked fine until a new requirement was added. Management wants customers to be able to wirelessly connect to a special SSID to get Internet access, like a hotspot. We wanted to place this on a separate subnet and have that subnet drop into the UTM, letting it handle NAT, as well as the various firewall rules needed to make sure our customers don't end up dropping out on our network. But the UTM doesn't work reliably in this manner. Web traffic works in starts and stutters. A Wireshark trace shows lots of retransmissions, even if we are on a wired connection. It's so bad that loading a single web page can take many minutes, if it ever loads. However, ICMP packets work fine the entire time. We tried for days to get it to work, but it kept behaving the same way.

Finally, we loaded a debug version of the code onto the UTM and disabled connection caching (a suggestion given to us by CheckPoint when working a previous problem). As soon as we did this, everything started working as we expected. It gave us about a 10% hit to processor utilization, but that was worth it, since it actually worked. Unfortunately, this isn't a solution that will work in a production environment, as we can't just have the box boot up in that mode: the command to disable connection caching doesn't just disable it, it "toggles" it, so if it's on, it will turn it off and vice versa. Easy, right? Just get back with CheckPoint, let them re-create it, then fix the bug, and off to the races we go.
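The symptom above (TCP stalling under heavy retransmission while ICMP stays clean) is easier to hand to a support tech as numbers than as a screenshot of Wireshark. The script below is an added example, not code from the original post or from CheckPoint. It assumes a tab-separated tshark field export (frame number, source, destination, protocol column, info column); the trace lines in it are constructed, and the addresses (10.10.50.23 as a hotspot client, 203.0.113.10 as a web server, 192.0.2.53 as a ping target) and the thresholds in `matches_symptom` are made up for illustration.

```python
"""Quantify the symptom described above: heavy TCP retransmission while ICMP is fine.

Added example, not code from the original post or from CheckPoint. It assumes a
tab-separated export in the style of

    tshark -r hotspot.pcap -T fields -e frame.number -e ip.src -e ip.dst \
           -e _ws.col.Protocol -e _ws.col.Info > hotspot.tsv

The lines in SAMPLE_TRACE are constructed for illustration, as are the
addresses: 10.10.50.23 stands in for a hotspot client, 203.0.113.10 for a web
server and 192.0.2.53 for a ping target.
"""
from collections import Counter

SAMPLE_TRACE = """\
1\t10.10.50.23\t203.0.113.10\tTCP\t51234 > 80 [SYN] Seq=0
2\t203.0.113.10\t10.10.50.23\tTCP\t80 > 51234 [SYN, ACK] Seq=0 Ack=1
3\t10.10.50.23\t203.0.113.10\tTCP\t51234 > 80 [ACK] Seq=1 Ack=1
4\t10.10.50.23\t203.0.113.10\tHTTP\tGET / HTTP/1.1
5\t10.10.50.23\t203.0.113.10\tTCP\t[TCP Retransmission] 51234 > 80 [PSH, ACK] Seq=1 Ack=1
6\t10.10.50.23\t203.0.113.10\tTCP\t[TCP Retransmission] 51234 > 80 [PSH, ACK] Seq=1 Ack=1
7\t10.10.50.23\t192.0.2.53\tICMP\tEcho (ping) request  id=0x0001, seq=1/256
8\t192.0.2.53\t10.10.50.23\tICMP\tEcho (ping) reply    id=0x0001, seq=1/256
9\t203.0.113.10\t10.10.50.23\tTCP\t[TCP Retransmission] 80 > 51234 [SYN, ACK] Seq=0 Ack=1
10\t10.10.50.23\t192.0.2.53\tICMP\tEcho (ping) request  id=0x0001, seq=2/512
11\t192.0.2.53\t10.10.50.23\tICMP\tEcho (ping) reply    id=0x0001, seq=2/512
12\t10.10.50.23\t203.0.113.10\tTCP\t[TCP Retransmission] 51234 > 80 [PSH, ACK] Seq=1 Ack=1
"""


def parse_trace(text):
    """Yield (frame, src, dst, proto, info) tuples; skips blank or malformed lines."""
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != 5:
            continue
        frame, src, dst, proto, info = parts
        yield int(frame), src, dst, proto, info


def summarize(text):
    """Count TCP segments and retransmissions, and ICMP echo requests and replies."""
    counts = Counter()
    for _frame, _src, _dst, proto, info in parse_trace(text):
        # tshark labels a frame by its highest dissected layer, so HTTP frames are
        # TCP segments too; retransmissions are always shown as plain TCP.
        if proto in ("TCP", "HTTP"):
            counts["tcp_segments"] += 1
            if "[TCP Retransmission]" in info:
                counts["tcp_retransmissions"] += 1
        elif proto == "ICMP":
            if "Echo (ping) request" in info:
                counts["icmp_requests"] += 1
            elif "Echo (ping) reply" in info:
                counts["icmp_replies"] += 1
    return dict(counts)


def tcp_retransmission_ratio(summary):
    """Fraction of TCP segments that are retransmissions (0.0 when no TCP was seen)."""
    return summary.get("tcp_retransmissions", 0) / max(summary.get("tcp_segments", 0), 1)


def icmp_reply_ratio(summary):
    """Fraction of echo requests that got a reply (0.0 when no pings were seen)."""
    return summary.get("icmp_replies", 0) / max(summary.get("icmp_requests", 0), 1)


def retransmissions_by_direction(text):
    """Retransmissions per (src, dst) pair, to separate outbound loss from return-path loss."""
    by_dir = Counter()
    for _frame, src, dst, proto, info in parse_trace(text):
        if proto in ("TCP", "HTTP") and "[TCP Retransmission]" in info:
            by_dir[(src, dst)] += 1
    return dict(by_dir)


def matches_symptom(summary, tcp_threshold=0.10, icmp_threshold=0.90):
    """True when TCP is retransmitting heavily while ICMP round trips look healthy.

    The thresholds are assumptions chosen for illustration, not values from the
    post; a healthy wired LAN should show close to zero retransmissions.
    """
    return (tcp_retransmission_ratio(summary) >= tcp_threshold
            and icmp_reply_ratio(summary) >= icmp_threshold)


if __name__ == "__main__":
    s = summarize(SAMPLE_TRACE)
    print("summary:", s)
    print("tcp retransmission ratio: %.2f" % tcp_retransmission_ratio(s))
    print("icmp reply ratio: %.2f" % icmp_reply_ratio(s))
    print("retransmissions by direction:", retransmissions_by_direction(SAMPLE_TRACE))
    print("matches 'TCP stalls, ICMP fine' symptom:", matches_symptom(s))
```

Two caveats when using this on a real capture: tshark only marks a segment as a retransmission when it has already seen the original, so capture on the client side of the UTM (or span both interfaces) rather than relying on a one-sided trace; and the per-direction split is the useful part for the support case, since retransmissions concentrated on one side of the bridge point at where segments are being dropped, which is more than "web pages are slow" tells anyone.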

Unfortunately, a few months ago our management decided to go to a third party for CheckPoint support. So, instead of explaining all this to a CheckPoint tech, I've explained it all to a third party, who has to go and verify that it really is broken like we say, at which time he will escalate it to CheckPoint. It's been a week since we opened the ticket. Last we heard, two days ago, the tech hadn't gotten the lab set up yet. Great going, management! We've saved a little money, but we're wasting a lot of time.

September 25, 2009 at 8:50 pm
