Can U recommend a good UK Check Point Support Company?

Status
Not open for further replies.

StoneColdDave

Technical User
Oct 3, 2002
16
GB
I am looking for a new company to support Check Point Firewall-1 4.1 & NG, yeah I know 4.1 is no longer supported by Check Point.

But I would be grateful if anyone can recommend any good UK support companies. As our current support company seems to know less about Check Point than I do!!!

Thanks
 
wirelesspeap, I have to agree with everything you had to say.
I have worked with Checkpoint for years. I have now also been working with PIX for about 6 months and completed CSPFA and the associated exam. When programming up the PIX via PDM, from experience I can tell you that you have to go back and start again via the command line, a command line that uses the clear command in some instances to clear temporary tables and in others to remove whole chunks of your setup.
If the PDM replaced the command line then it would improve by an order of magnitude, but it isn't; it is a half-finished bolt-on. If logging was even close to Checkpoint then I would even recommend it. It's getting there (but not yet).
 
StoneColdDave wrote:
"Cisco PIX use their own secured OS called Finesse, plus it links into our Router & Switch structure (all Cisco) well, easy to control and manage"

This is a sign of a person who is completely ignorant about
network security. Just because it is easy to "control and
manage" does NOT mean that it is secure. This guy took
this phrase straight out of the CSPFA exam book. What a Cisco Kool-Aid drinker.

One other thing about Pix: if you have multiple VPN tunnels to remote locations and you need to clear a particular VPN tunnel, it can not be done with Cisco Pix (you can do this with Cisco IOS or Checkpoint via the "vpn tu" command and specify the peering endpoint). The other thing is that if you decide to clear all the tunnels but instead of typing "clear isakmp sa and clear ipsec sa", you mistakenly type "clear isakmp and clear ipsec", guess what, you just F! yourself. All your VPN configurations are now GONE!

 
I was under the impression that you can drop a specific VPN tunnel on a PIX using any of the following commands:

clear [crypto] ipsec sa entry (destination-address) (protocol) (spi)

clear [crypto] ipsec sa map (map-name)

clear [crypto] ipsec sa peer


CCNA, CCSA, MCSE, Cisco Firewall specialist, VPN specialist, wannabe CCSP ;)
 
"if you have multiple VPN tunnels to remote locations and you need to clear a particular VPN tunnel, it can not be done with Cisco Pix"

I'm pretty sure that it can.

clear crypto sa peer <ip address>

Personally, I work with both Checkpoint and Cisco Pix and can see positives and negatives with both products. On most of our large scale implementations we use Firewall-1/VPN-1, which makes these jobs much easier to manage, but sometimes when we have a customer with a couple of sites the price of the Firewall-1 solution just kills it! Once you've paid for the box, the firewall licence, the VPN licences, the Checkpoint support (££££), the hardware support etc., many customers are just blown away by the cost. I've seen so many jobs lost due to the cost of a Checkpoint solution where the customer has ended up with a Sonicwall or ISA server from the company down the road. Unfortunately, sometimes it's the bean counters who make these decisions and not the engineers. SOMETIMES the Pix solution is better suited to a particular need of a customer and sometimes they just request a Pix straight out. Granted, Cisco have a lot of work to do on that product but they are getting there and the large install base is a testament to that.

For SMEs we started using the VPN-1 Edge devices, but after over a year of problems and constantly being told that "the next firmware upgrade will fix that" (each one seems to create more problems than it's fixed!) we're now looking at the Pix for these jobs. So far, no problems, which is a nice change to all the hassle that we've had with Checkpoint lately, especially when they dumped Small Office, which really screwed a lot of jobs for us. The VPN-1 Edge was supposed to be the answer to all our problems but so far it's created more than it's solved.

Having said that, I still enjoy working with Firewall-1 on the larger installations and it is better suited to those who can afford it. Manageability is great and the logging is second to none.

Each installation must be assessed on its own requirements and the correct product must be chosen based on a number of factors, not just which one the engineer thinks rocks the most!

That's my opinion anyway. You don't have to agree.

Chris.

**********************
Chris A.C, CCNA, CCSA
**********************
 
Guys,
Thanks for the correction. Didn't have coffee before I posted that message. I guess after failing the CCIE security lab exam last week, I became disoriented.

Thanks.

wirelesspeap
 
Now there's really no need for attacking me in this post, as I'm sure it's not what this forum is supposed to be about. Especially considering as my posts started with "in my experience" and "Personally".

I never said I was CCIE Security certified or claimed to be an expert authority on this subject, as my field covers a wider range of issues, not just network comms. The Cisco PIX is proving a better solution in my particular field and environment (in my experience!)

In hindsight, I guess I should have expected a big anti-Cisco feeling in the Check Point section of this board. Probably like posting "MS Windows Rulez" in the Unix section, you're just asking for trouble. As one guy posted, each Firewall platform has its advantages.

I'm an open minded sort of guy, so Thanks for all the info, it's increased my understanding, whether the points were professionally or unprofessionally put.
 
One needs to have their facts right before they slate off a solution. If you don't know the facts then DON'T SLATE.




Akiwondo (MCSE, CCSE)
 