CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.



Thread: State of ipv6 in Check Point products

  1. #1
    Join Date
    2010-11-11
    Posts
    57
    Rep Power
    10

    Default State of ipv6 in Check Point products

    Hello,
    I try to gather some information about the current but also future state of ipv6 in the Check Point product portfolio.

    Having some hands-on experience with ipv6 in a clustered environment (70.1), I still feel uninformed where CP is heading and what the current state of most of the products is.

    I'm writing down a short list with things I know and the ones I don't know, maybe someone can share their knowledge and fill in on the parts missing.

    This is written as of 70.1|2|3. I have no information about R75 at the moment.

    FW1 Management:
    • ipv6 ready to administer ipv6 objects in the same rulebase as ipv4 ones.
    • IP addresses do not have to conform to a strict nomenclature, which could result in difficulties to find/sort objects
    • you can't find/sort objects in the object list, as there is no ipv6 field, only an ipv4 one
    • Only five icmpv6 definitions come with the software compared to an estimate of ~37 ones
    • No NAT implementation whatsoever (NAT64/NAT66). I have to admit, though, this is a controversial issue.
    • Cluster sync is ipv4 only


    FW1 Enforcement Points
    • ipv6 configuration takes place on OS level only. Routing, kernel modules, startup scripts have to be written manually. Overall a bumpy ride (rpm -i --force --nodeps...)


    Edge
    My information is limited on this. ipv6 can't be configured on the device itself and not through the management gui.
    Does anyone know what is planned for these devices in the future?

    Connectra
    I have no information whether ipv6 works here, does anyone know of CP plans here?

    Overall the lack of ipv6 documentation is underwhelming, but maybe I'm missing something.

    Christoph

  2. #2
    Join Date
    2005-11-25
    Location
    United States, Southeast
    Posts
    857
    Rep Power
    15

    Default Re: State of ipv6 in Check Point products

    You also can't use a ':' character in an object. I create my network objects in the format Net-Subnet_BitMask-Description (Net-10.0.0.0_8-RFC1918). Can't do that for IPv6.
    Net-2001:db8::_32-Documentation_Subnet is not allowed.

    The default options in the ipv6 kernel module are a little nuts. I've been told that will be changed.

  3. #3
    Join Date
    2009-04-14
    Location
    Ottawa, Ontario, Canada
    Posts
    319
    Rep Power
    11

    Default Re: State of ipv6 in Check Point products

    I ran with R65 IPv6pack on IPSO 4.2 for about 6 months. For basic filtering and logging it was fine, though had the same limitations you mentioned. R70.1 HCC + IPv6 pack is the same thing, but with a lot of little things added (like IPv6 traffic protection through IPS).

    Splat has more limitations than IPSO when it comes to v6, but of course IPSO was the first router OS which got v6 out of beta stage, ahead of Cisco and others.

    I'm not sure about the state of v6 in Gaia, it would probably be close to Splat for now.
    Last edited by plamy; 2010-11-15 at 13:21.
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Pierre Lamy - Escalation Engineer Ottawa TAC
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

  4. #4
    Join Date
    2005-08-29
    Location
    Upstate NY
    Posts
    2,720
    Rep Power
    17

    Default Re: State of ipv6 in Check Point products

    If you have need for IPv6 PLEASE let your SE know. We are (at least in the US-Northeast) collecting client interest in having this. Until now, outside of DoD and Edu, there has been very little interest.

  5. #5
    Join Date
    2010-11-11
    Posts
    57
    Rep Power
    10

    Default Re: State of ipv6 in Check Point products

    Originally posted by chillyjim:
    If you have need for IPv6 PLEASE let your SE know. We are (at least in the US-Northeast) collecting client interest in having this. Until now, outside of DoD and Edu, there has been very little interest.

    I see it this way, ipv6 on the ISP side is quite established with imho a tremendous growth. On the client side at our company (Germany), ipv6 projects are starting, even if it's only that a small customer gets a new network, he usually gets an ipv6 one too. Right now we have a bigger project with a commercial customer with a CP cluster that will only do ipv6 filtering. The decision fell for CP due to the good experience with the older ipv4 cluster.

    My problem atm is how to bring Check Point into the equation when it comes to new projects and to find a selling point even if the customer does not plan to implement ipv6 right now, let alone the lack of small business appliances that support ipv6.

    The problem maybe isn't even a technical one at this stage but more the lack of support, documentation and an ipv6 roadmap, compared to what other vendors offer (Juniper/Cisco).

  6. #6
    Join Date
    2007-02-10
    Posts
    53
    Rep Power
    13

    Default Re: State of ipv6 in Check Point products

    Agree with the above, the majority of large ISPs are now IPv6 enabled. We now have potential customers asking for IPv6 support at the proposal stage, so find it hard to recommend Checkpoint when they don't tick the boxes - especially where VSX is concerned. IPv6 is now making it into business continuity plans so I see this as a major failing now.

  7. #7
    Join Date
    2005-11-25
    Location
    United States, Southeast
    Posts
    857
    Rep Power
    15

    Default Re: State of ipv6 in Check Point products

    ISPs in the US are far behind the rest of the world. Of the four ISPs in my primary datacenter, 3 cannot support IPv6 until mid to late 2011.

  8. #8
    Join Date
    2010-11-11
    Posts
    57
    Rep Power
    10

    Default Re: State of ipv6 in Check Point products

    Until now I was only working with ipv6 and Check Point in clustered environments, so I went for the ipv6-pack.

    Now I saw that ipv6 on R71.1 and even older versions was already included, but seems to lack some features (clustering i.e.) which can only be used when applying the ipv6-pack.

    Does anyone know of any documentation, features or lack of features of the "built-in" ipv6 Check Point comes with?

  9. #9
    Join Date
    2005-11-25
    Location
    United States, Southeast
    Posts
    857
    Rep Power
    15

    Default Re: State of ipv6 in Check Point products

    Originally posted by Christoph:
    Until now I was only working with ipv6 and Check Point in clustered environments, so I went for the ipv6-pack.

    Now I saw that ipv6 on R71.1 and even older versions was already included, but seems to lack some features (clustering i.e.) which can only be used when applying the ipv6-pack.

    Does anyone know of any documentation, features or lack of features of the "built-in" ipv6 Check Point comes with?

    I've asked for this from CheckPoint. For me, it is very unclear what IPv6 features are already included in a given build versus what the IPv6 Pack adds. And there is no IPv6 pack for R71 (yes there is an R71 management pack to support R70 IPv6 pack gateways). Does this indicate that R71 is full featured for IPv6? I don't know; very unclear.

  10. #10
    Join Date
    2010-12-22
    Posts
    1
    Rep Power
    0

    Default Re: State of ipv6 in Check Point products

    Grumble time.

    I have been working on building a new multi firewall solution using Checkpoint.

    We have spent a lot of money with them on licensing so I expect to get my money's worth! Also they say they are the best and supply an all in one solution...

    The first problem I ran into was IPv6 and with what seems like an attempt at making checkpoint IPv6 aware.

    R71 does not support IPv6 except with the management only! Even this does not work like the manuals say; you can only create objects through the network objects tab under the main tree.

    I managed to get IPv6pack working fine on a single gateway R70.1 (do not install .2 .3 .4 updates, it stops working)

    Now I have tried applying it to our cluster build R70.1 with VLAN support and QoS and it has broken the clustering????
    Logged it with Checkpoint, or am I being stupid - is there a build order or sections of configuration that need to be done before this works?

    I have read the IPv6 manual and R70 install and R71. Nothing points out a clear build path?
    And the documentation has no continuity across all documents.

    This is driving me nuts; why they have developed R71 with no support I will not know.

    Andy

  11. #11
    Join Date
    2005-08-11
    Location
    San Francisco, CA
    Posts
    1,395
    Rep Power
    16

    Default Re: State of ipv6 in Check Point products

    Originally posted by AndrewBrowning:
    Grumble time.

    I have been working on building a new multi firewall solution using Checkpoint.

    We have spent a lot of money with them on licensing so I expect to get my money's worth! Also they say they are the best and supply an all in one solution...

    The first problem I ran into was IPv6 and with what seems like an attempt at making checkpoint IPv6 aware.

    R71 does not support IPv6 except with the management only! Even this does not work like the manuals say; you can only create objects through the network objects tab under the main tree.

    I managed to get IPv6pack working fine on a single gateway R70.1 (do not install .2 .3 .4 updates, it stops working)

    Now I have tried applying it to our cluster build R70.1 with VLAN support and QoS and it has broken the clustering????
    Logged it with Checkpoint, or am I being stupid - is there a build order or sections of configuration that need to be done before this works?

    I have read the IPv6 manual and R70 install and R71. Nothing points out a clear build path?
    And the documentation has no continuity across all documents.

    This is driving me nuts; why they have developed R71 with no support I will not know.

    Andy

    It sounds like the usual Check Point story. No big, powerful customer has complained about this yet, so IPv6 remains one of those products that generates marketing materials and revenues, but doesn't yet generate working code.

    Welcome to our world.
    Barry J. Stiefel ("Stee-ful" or "Shtee-ful")
    B.S., MBA, CCSA/CCSE/CCSE+/CCSI
    Resilience RCSE/RCSI, Fortinet FCSE
    CISSP, MCSE, NSA ISM
    Founder of CPUG
    Founder of CPUG University

  12. #12
    Join Date
    2007-01-23
    Location
    London, UK
    Posts
    28
    Rep Power
    0

    Default Re: State of ipv6 in Check Point products

    I know we're pushing Check Point for a proper feature roadmap now as our move to dual-stack is already underway. The only thing that we can say in Check Point's defence is that the other vendors we're dealing with seem to be just as disorganised with regards to their IPv6 strategies.
    CCNP CCSE+ CCNP-S

  13. #13
    Join Date
    2008-12-23
    Posts
    120
    Rep Power
    11

    Default Re: State of ipv6 in Check Point products

    Originally posted by Bartholemew:
    I know we're pushing Check Point for a proper feature roadmap now as our move to dual-stack is already underway. The only thing that we can say in Check Point's defence is that the other vendors we're dealing with seem to be just as disorganised with regards to their IPv6 strategies.

    I suspect that will change soon; as address space in ipv4 is almost gone, all vendors' customers will be pushing for some sort of road map.

  14. #14
    Join Date
    2006-10-18
    Location
    Belgium
    Posts
    56
    Rep Power
    14

    Default Re: State of ipv6 in Check Point products

    Originally posted by Barry J. Stiefel:
    It sounds like the usual Check Point story. No big, powerful customer has complained about this yet, so IPv6 remains one of those products that generates marketing materials and revenues, but doesn't yet generate working code.

    Welcome to our world.

    Maybe it's an idea, that all people here on this forum who need (better) support on IPv6 with Checkpoint, enter an RFE, maybe that helps... if we all do it, we maybe get something moving, the URL: https://www.checkpoint.com/rfe/rfe.htm

  15. #15
    Join Date
    2005-08-14
    Location
    Gig Harbor, WA, USA
    Posts
    2,494
    Rep Power
    17

    Default Re: State of ipv6 in Check Point products

    That's one idea. Discussing your precise IPv6 requirements with your SE is also a good idea.

  16. #16
    Join Date
    2006-10-18
    Location
    Belgium
    Posts
    56
    Rep Power
    14

    Default Re: State of ipv6 in Check Point products

    yep, already did that as well... the more requests, the sooner something will be done about it.
