How to install Check Point remotely without getting on a plane

So I had someone recently want to do a fresh install of a current production box. They wanted to go from an older version to a newer one. The gateway was currently plugged in and running and they had console access to it.

However, the box was on the other side of the country from where they were, and there was no one remotely at the location to help. They didn’t want to get on a plane, so what do they do ???

No worries. This is what you do:

First we need to re-run the First Time Configuration Wizard again
1. Login to Expert mode:

# expert
2. Delete the special file:

[Expert@HostName]# rm -i /etc/.wizard_accepted

3. Reboot the appliance to apply the changes (not required for Gaia OS):

[Expert@HostName]# reboot

4. Important Note: If this machine was configured as Security Management Server, and user will reconfigure the machine to be only the Security Gateway, then the following files must be removed from the machine (otherwise, intermittent SIC issues (e.g., ‘SIC error no. 147’) will arise during policy installation onto this Security Gateway):

[Expert@HostName]# rm -i $FWDIR/conf/ICA.crl
[Expert@HostName]# rm -i $FWDIR/conf/InternalCA.*

5. Next time user logs into the Gaia Portal, the First Time Configuration Wizard start automatically.

Note: The credentials for Gaia Portal are not reset to the default.

Now that we can get back into the Wizard:  

You are prompted for installation choose “Install a Version from the Check Point Cloud” and do the following:

1. In the First Time Configuration Wizard, select Install a version from Check Point Cloud. Click Next.


2. Define the Connection to Check Point Cloud. Choose an interface to connect to the Internet, and configure connection parameters.


Click Next. This shows the versions that you can install from the Check Point Cloud.

3. Choose the version to install. Click Finish.
Then after installation is done, it will be back with the install set to connect to it with your console and in the GAIA clish you will need to change it to the IP address that you wish it to be, add your routing as well, then connect to it and run the first time wizard.

(ex. set interface Mgmt ipv4-address mask-length 24 )
(ex. set static-route default nexthop gateway address on )

Now you will be up and running with the new O/S and you did not have to have anyone help, nor did you have to get on a plane 🙂

Six VMware questions to ask yourself

  1. How do you gain security and visibility inside the data center with your existing security solution?
  2. Can you protect the software defined data center with the same security infrastructure as your physical gateways?
  3. How do you protect the data center against the latest cyber threats?
  4. How do you know if a malware is propagated inside the data center?
  5. How do you secure business applications on the software defined data center?
  6. How do you automatically provision security to protect data center applications?

There is a simple answer to all six questions.

Check out how it all works in this Video titled Software Defined DataCenter in 10 minutes

Bottom line:

The Check Point vSEC and VMware NSX integrated solution delivers dynamic orchestration of advanced threat prevention for all data center traffic.

•Complete Integration with vCenter and NSX and full visibility of all data center objects in security policy. Single policy for both virtual and physical gateways simplifies security enforcement.
•Complete protection using Next Generation Threat Prevention to protect against cyber threats and share VM security state of infected VM with NSX for automatic remediation.
•Detailed vCenter & NSX context (VM names) in logs. Centralized monitoring, logging and event analysis ensures comprehensive threat visibility, both physical gateways and virtual ones inside VMware.



Need for CPU Level Sandboxing


When cyber criminal (or just some black hat hacker) has written a malware he/she must spread it somehow and make available for victims. One very common way is to hide the malware in a file that is then send as an e-mail attachment or web-link to their targets.

We who work with IT security keep repeating the message “do not open unknown attachments or visit suspicious web sites”. However, if the mail message tells that you have won in a lottery or somebody is just giving out money or sending you a CV, many people are keen to open the file… and BOOM, you are infected.

Why the virus radars didn’t catch this malware then? Because it was completely new, never seen before, so called zero-day attack, probably addressing some vulnerabilities the very first time.

Is there anything we can do to prevent users from even getting these malicious files with previously unknown malware? Yes there is. This technology is called sandboxing where files are opened in a safe environment, a.k.a. sandbox before delivering them to the recipient. Sandbox monitors the behavior that takes place when the file is opened. If any malicious activity (changing registry settings, adding unknown library files, changing browser settings etc.) is found, the file is dropped and the intended recipient only gets a message that the e-mail attachment or the downloaded file was stripped because it seemed to be malicious. So, set up a sandbox and you are safe, right? Well, unfortunately not right, because cyber criminals have also noticed that their stuff doesn’t go through anymore have learnt to alter their malware so that the traditional sandboxes don’t see it.

How can malware be altered then to avoid sandboxes catching it? This is very easy… Just do nothing. Sleep and activate only on specific hour or when user does certain movements. In order to catch also this kind of malware that doesn’t activate in a traditional sandbox, a CPU level sandboxing was developed.

A program can contain a lot of different functions. When function A calls function B and function B calls function C, they always should return values to the functions that called them (C should return to B and B to A etc.). Malware can take advantage of vulnerabilities in the program and return values to different locations. This behavior is called Return-Oriented-Programming (ROP). CPU level sandbox is capable of catching ROP.

Not all vendors have this technology. Make sure that your sandbox can prevent (not only detect) unknown malware and that it can pick up the ROP behavior as well. Currently Check Point has this feature available in the product called Sandblast.

“Drown” Attack

There is a great article written by Swati Khandelwal on the “Drown” attack.  It is yet another attack against OpenSSL. Swati writes:

“DROWN stands for “Decrypting RSA with Obsolete and Weakened eNcryption.”

DROWN is a cross-protocol attack that uses weaknesses in the SSLv2 implementation against transport layer security (TLS), and that can decrypt passively collected TLS sessions from up-to-date clients…It is a low cost attack that could decrypt your sensitive, secure HTTPS communications, including passwords and credit card details…

…and that too in a matter of hours or in some cases almost immediately, a team of 15 security researchers from various universities and the infosec community warned Tuesday.”
This is a great read including some diagrams on how it is carried out. Check it out here at: Hacker-News
Good Times !

What does it feel of being hacked?

Protecting us from hackers is getting more and more important. Clever social engineering attacks don’t even need any technical skills…

The following video demonstrates how one guy’s life could be practically destroyed with hacking attacks.

Here is link to the original story.

Why should I have firewalls from more than one vendor in my network?

You shouldn’t!

Every now and then I meet customers whose company policy is to use firewalls or other security devices from two or even more vendors. Always they justify this decision with security. However according to Gartner over 99 % of all firewall breaches are caused by misconfiguration, not by firewall flaws. Gartner gave this statement already in 2008. Since then firewalls have got a lot more features that actually increase the risk for misconfiguration if you don’t know what you are doing.

In this light using firewalls/security gateways from more than one vendor seems to be more risky than consolidating all in one.

Following is my top list of reasons why one vendor is better than several.

  1. Personnel needs to be trained for only one vendor solution, instead of several.  Lack of knowledge increases the risk for misconfiguration.
  2. It’s easier to keep your software up-to-date with one vendor solution.
  3. Centralized management is easier to deploy with one vendor solution.
  4. Different policies are easily comparable and can be consolidated or migrated when they are all from the same vendor.

What should be taken into account when selecting a security vendor.

  1. Real security. Make sure vendor’s products are regularly tested by an independent test lab.
  2. If you have more than one gateway, make sure your vendor supports good and secure centralized management.
  3. In case you need help the vendor should provide credible technical support that is also easily reachable.

Disclaimer: I work for a security vendor, Check Point Software Technologies myself, but this text is entirely my own and does not represent opinions of my employer.

R80 eXchange Point! Share your scripts !

This is a great new feature that Check Point has brought us. It is called the eXchange Point. What is that you ask? The eXchange Point is where users can go to have discussions as well as join the open API community.

Go to:


The open API community allows you to share scripts for the R80 code with other community members. Our policy can be created now with the GUI, command line, or just write a custom script to do it for you !


Don’t write a script at all, maybe someone already has one, check out the code library, maybe someone already has done it!







This is me and R80

This is me, Lari. I have over 15 years experience in information security industry. I work as a security consultant in the Professional Services organization of Check Point Software Technologies.
I said yes when my colleague and good friend Mark Bennet asked me to become a co-author of this blog. So, here we go. This is my first blog post, but there will be more…

Yesterday Check Point announced R80, the next generation security management platform. Check Point’s centralized security management system has always been the best in market, but now the best got even better.

What is so cool about this new platform?

1. Unified policy. Everything can be done from the same view in SmartDashboard.
2. Policy segmentation. Different layers in policy increase efficiency.
3. Automation. Security operations can be automated to make them more efficient.
4. Orchestration. Integration with existing 3rd party tools over trusted APIs
5. Concurrent administration. Several admins can edit the policy simultaneously.
6. Consolidated logging and monitoring
7. Segregation of duties allow e.g. separate teams to manage IPS and firewall
… And much more…

For more details, see the Exchange Point Forum.

PAN Leap Year Upgrade Fail

Palo Alto seems to have a bit of a problem when doing upgrades. At least when it is on February 29. A screenshot below as well as comments made on the web show that the device seems to be incapable of performing an upgrade on that day.  While this is not a huge issue, it is hugely funny !

Check out what people are saying here: Leap-Year-Fail