/2020chronicle

Checkpoint SmartConsole just Sucks. 80.10 80.20

I’ve been deploying and managing corporate firewalls for over 27 years. Over the past two years this included an assortment of Cisco ASA (Firepower), Sophos and Checkpoint appliances. I can say without hesitation that Checkpoint SmartConsole is the absolute worst firewall management interface I’ve ever experienced. And Checkpoint wants a ransom to expand the number of appliances it can manage and deploy policies on.

I was told by our local NC Checkpoint rep that anyone who questions Checkpoint’s pricing will be shut down by their top brass in Israel because they’re ultra arrogant with regards to their perceived value. Apparently anyone who questions their pricing is just stupid and unqualified to judge. I’m qualified. Checkpoint SmartConsole is shit. Complete shit.

The catch is that I like the smaller Checkpoint, locally managed units and their interfaces are not too bad. The Checkpoint 3200 sold to us by RMSource in Raleigh, NC wasn’t up to the job. They didn’t bother to mention the need for Checkpoint’s “Management Console” licensing and put the management directly on the 3200. Later I’m told by Checkpoint that in order to deploy the licensed “Management Console” to push policy to multiple devices local management would have to be removed from the 3200 and it would have to be reconfigured or re-imaged from a backup. Never mind they were told this is our 24-7 core production firewall and they only get one shot at this. Vendor fail. They were fired. We never bought the Checkpoint Management Console. Not enough units to justify the price.

There are so many problems with “Smart”Console I don’t even know where to start. Let’s begin with the inability to make any changes in any security policy or the unit’s configuration without “Installing” the new policy on the 3200. This disconnects every VPN tunnel, every time. Interrupts active sessions. That’s just ridiculous bullshit. Perhaps this can be avoided with the fully licensed management console running on a VM? I don’t care. I’m not paying for it and any other firewall I’ve ever administered can have local configuration and security policies adjusted on the fly without interrupting any active sessions assuming the configuration of the ports, VPN or settings for any connection have not changed. Even the smaller Checkpoint units can do this. Not so with the 3200 and SmartConsole. It mole whacks every session, every time.

Want to see which specific VPN tunnels are connected and active? You’re not going to easily in SmartConsole, which requires a few steps to launch Smartview and then run a Tunnel View… blah, blah…. fuck this. Why can’t I just click “Monitor”, “VPN tunnels” like every other security appliance on earth and see a list of gateway and remote access tunnels and their connection status? Aside from intentional complication, which it seems Checkpoint has mastered, I can’t think of a single reason they can’t make this as simple in SmartConsole as it is on their other appliances.

There’s so much more to hate about SmartConsole. It can’t be upgraded in place, previous versions have to be removed before the latest release can be installed. It’s 2020. Fix your shit. The Gaia OS is as bad as its name and still a resource hog. What the hell is a Gaia anyway? Never mind, I don’t care. Or how about the fact that I still have updates pending on this damn 3200 that neither the Checkpoint vendor, RMSource, or Checkpoint support could ever get installed without errors? Again, they want to rip it down and start from scratch. What is it these people don’t understand about 24-7 up time meaning NO MAINTENANCE WINDOW for core key components? We don’t have hours to re-image or reconfigure our primary firewall. We will spend thousands to hot-swap replace this ill-advised 3200 before losing even one hour of production orders that flow through the thing. And guess what Checkpoint, we are.


1 Comment so far

  1. Minnesota Firewallgal February 13th, 2020 6:36 pm

    I too have been in the Firewall/Security business for 25 years. I have worked with a lot of firewalls. I have helped develop 2 different firewalls as a QA engineer. When I first came to my current position and worked with Checkpoint I was disappointed. The one saving grace was the logging. Now with 80.20 I am just plain bitter. What was OK in the policy management became AWFUL. I fully agree with the word SHIT to describe this and my experience with the Checkpoint big wigs (ours is a VERY large customer) as arrogant.
