CheckPoint UTM bugs

September 25, 2009 at 8:50 pm Leave a comment

Overall, I am extremely happy with the CheckPoint UTM-1 Edge X boxes that my company is using in our locations.  We have segmented our network into VLANs by purpose (one for wireless, one for POS, one for Network Management, etc.) and all these segments intersect at the UTM.  Since the IPs for all these devices aren’t neatly distributed into subnets, the location’s Class C network is bridged all together, with the firewalling happening on the bridge.  Everything worked fine until a new requirement was added.  Management wants customers to be able to wirelessly connect to a special SSID to get Internet access, like a HotSpot.  We wanted to place this on a separate subnet and have that subnet drop into the UTM, letting it handle NAT, as well as the various firewall rules needed to make sure our customers don’t end up on our network.  But the UTM doesn’t work reliably in this manner.  Web traffic works in starts and stutters.  A Wireshark trace shows lots of retransmissions, even if we are on a wired connection.  It’s so bad that loading a single web page can take many minutes, if it ever loads.  However, ICMP packets work fine the entire time.  We tried for days to get it to work, but it continuously behaved the same way.  Finally, we loaded a debug version of code onto the UTM and disabled connection caching (a suggestion given to us by CheckPoint when working a previous problem).  As soon as we did this, everything started working as we expected.  It gave us about a 10% hit to processor utilization, but that was worth it, since it actually worked.  Unfortunately, this isn’t a solution that will work in a production environment, as we can’t just have the box boot up in that mode: the command to disable connection caching doesn’t just disable it, it “toggles” it, so if it’s on, it will turn it off and vice versa.  Easy, right?  Just get back with CheckPoint, let them re-create it, then fix the bug and off to the races we go.

Unfortunately, a few months ago our management decided to go to a 3rd party for CheckPoint support.  So, instead of explaining all this to a CheckPoint tech, I’ve explained it all to a 3rd party, who has to go and verify that it really is broken like we say, at which time he will escalate it to CheckPoint.  It’s been a week since we opened the ticket.  Last we heard, two days ago, the tech hadn’t got the Lab set up yet.  Great going, management!  We’ve saved a little money, but we’re wasting a lot of time.
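The symptom described in the first paragraph (web traffic stalling while ICMP is fine) shows up in a capture as repeated TCP segments. The script below is an added example, not code from the original post or from CheckPoint: it counts per-flow TCP retransmissions from a tab-separated tshark field export so the "starts and stutters" can be quantified before and after a change such as toggling connection caching. The packet records and the export lines in it are constructed sample data, not a real capture, and the stuttering threshold is an assumed value.

```python
"""Count TCP retransmissions per flow from a tshark field export.

Added example (not from the original post). Input is the tab-separated
output of:
  tshark -r capture.pcap -T fields -e frame.time_relative -e ip.src \
         -e tcp.srcport -e ip.dst -e tcp.dstport -e tcp.seq -e tcp.len
A data segment is counted as a retransmission when the same (seq, len)
was already seen in the same flow. The sample lines are constructed.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# (time_s, src, sport, dst, dport, seq, payload_len)
Packet = Tuple[float, str, int, str, int, int, int]
FlowKey = Tuple[str, int, str, int]

# Constructed sample: a guest-subnet client (10.50.0.10, assumed address)
# fetching a page through NAT; three segments are seen twice.
SAMPLE_EXPORT = """\
0.000\t10.50.0.10\t40001\t93.184.216.34\t80\t1000\t100
0.201\t10.50.0.10\t40001\t93.184.216.34\t80\t1100\t1460
0.404\t10.50.0.10\t40001\t93.184.216.34\t80\t1100\t1460
0.812\t10.50.0.10\t40001\t93.184.216.34\t80\t1100\t1460
1.630\t10.50.0.10\t40001\t93.184.216.34\t80\t2560\t1460
3.270\t10.50.0.10\t40001\t93.184.216.34\t80\t2560\t1460
3.300\t10.50.0.10\t40001\t93.184.216.34\t80\t4020\t200
"""


def parse_export(text: str) -> List[Packet]:
    """Parse tshark -T fields lines; skips blank or malformed lines."""
    packets: List[Packet] = []
    for line in text.splitlines():
        parts = line.rstrip("\n").split("\t")
        if len(parts) != 7 or not parts[0]:
            continue
        t, src, sport, dst, dport, seq, length = parts
        packets.append((float(t), src, int(sport), dst, int(dport),
                        int(seq), int(length)))
    return packets


def count_retransmissions(packets: Iterable[Packet]) -> Dict[FlowKey, Tuple[int, int]]:
    """Return {flow: (data_segments, retransmitted_segments)}.

    Pure ACKs (payload length 0) carry no data and are ignored.
    """
    seen: Dict[FlowKey, set] = defaultdict(set)
    stats: Dict[FlowKey, List[int]] = defaultdict(lambda: [0, 0])
    for p in sorted(packets, key=lambda x: x[0]):
        if p[6] == 0:
            continue
        key: FlowKey = (p[1], p[2], p[3], p[4])
        stats[key][0] += 1
        marker = (p[5], p[6])
        if marker in seen[key]:
            stats[key][1] += 1      # same seq/len already sent: retransmission
        else:
            seen[key].add(marker)
    return {k: (v[0], v[1]) for k, v in stats.items()}


def retransmission_ratio(packets: Iterable[Packet]) -> float:
    """Fraction of all data segments that were retransmissions."""
    total = retrans = 0
    for data, rt in count_retransmissions(packets).values():
        total += data
        retrans += rt
    return retrans / total if total else 0.0


def is_stuttering(packets: Iterable[Packet], threshold: float = 0.2) -> bool:
    """Assumed rule of thumb: over 20% retransmitted data segments is broken."""
    return retransmission_ratio(packets) > threshold


if __name__ == "__main__":
    pkts = parse_export(SAMPLE_EXPORT)
    for flow, (data, rt) in count_retransmissions(pkts).items():
        print(f"{flow[0]}:{flow[1]} -> {flow[2]}:{flow[3]}  {rt}/{data} retransmitted")
    print(f"ratio={retransmission_ratio(pkts):.2f}  stuttering={is_stuttering(pkts)}")
```

Running the same counter over a capture taken with connection caching on and one taken with it off gives a number to hand to support alongside the trace, rather than a description of slow page loads.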


Entry filed under: Networking.
