[c-nsp] OT: Check Point v Cisco PIX (ASA 5500 Series)
Gert Doering
gert at greenie.muc.de
Sat Apr 5 07:50:25 EDT 2008
Hi,
On Fri, Apr 04, 2008 at 05:31:08PM -0500, Murphy, William wrote:
> Checkpoint also does stateful failover...
Yes, I've seen this at a VPN partner's site. Nice and shiny (and
expen$ive) fully redundant checkpoint cluster.

About once a month, both halves decide "this VPN tunnel is MINE!!" and
really break things. To get the VPN tunnel back to operation, the
cluster needs to be reloaded (or wait for everything to time out).

Don't even get me started on their complete inability to understand what
an IPSEC phase 2 proxy ID is good for, and that "accept anything that
comes in, and use a more-or-less random supernet of the permitted
networks for the outgoing proxy ID" is *not* "user friendly!".

The only thing that makes Checkpoint a "market leader" is that they
have a nice and shiny GUI - but I'd trade that any day for a workable
CLI on top of a robust and stable *firewall*.

(I dislike PIX and ASA, but in comparison with a Checkpoint, give me
an ASA every day)
gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de
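The phase 2 proxy ID complaint above, as an added example that is not part of the original post or of any vendor's code: a small Python checker (function names and sample networks are constructed for illustration) that compares the traffic selector we configure with what a peer proposes, and flags the "supernet of the permitted networks" case as something a strict-matching peer will refuse.

```python
import ipaddress

def parse_selector(text):
    """Parse a constructed 'src/prefix -> dst/prefix' proxy ID into two networks."""
    src, dst = (part.strip() for part in text.split("->"))
    return ipaddress.ip_network(src), ipaddress.ip_network(dst)

def compare_proxy_ids(local, peer):
    """Compare our phase 2 proxy ID (our_net -> their_net) with the one the
    peer proposes (their_net -> our_net).

    Returns one of:
      'match'         - exact mirror image, what a strict peer expects
      'peer-wider'    - peer offers a supernet of what we permit (the case in the post)
      'peer-narrower' - peer offers a subnet of what we permit
      'mismatch'      - selectors do not line up at all
    """
    l_src, l_dst = local
    p_src, p_dst = peer
    # supernet_of/subnet_of raise on mixed address families; treat that as a mismatch.
    if p_src.version != l_dst.version or p_dst.version != l_src.version:
        return "mismatch"
    # Mirrored: the peer's source must be our destination and vice versa.
    if p_src == l_dst and p_dst == l_src:
        return "match"
    if p_src.supernet_of(l_dst) and p_dst.supernet_of(l_src):
        return "peer-wider"
    if p_src.subnet_of(l_dst) and p_dst.subnet_of(l_src):
        return "peer-narrower"
    return "mismatch"

def audit(local_text, peer_texts):
    """Check every selector the peer proposes against our own; returns {selector: verdict}."""
    local = parse_selector(local_text)
    return {text: compare_proxy_ids(local, parse_selector(text)) for text in peer_texts}

if __name__ == "__main__":
    # Constructed sample: our side permits 10.1.0.0/16 <-> 192.168.5.0/24.
    ours = "10.1.0.0/16 -> 192.168.5.0/24"
    proposals = [
        "192.168.5.0/24 -> 10.1.0.0/16",   # mirror image
        "192.168.0.0/16 -> 10.0.0.0/8",    # 'random supernet' of the permitted nets
        "192.168.5.0/25 -> 10.1.0.0/16",   # narrower than we permit
        "172.16.0.0/12 -> 10.1.0.0/16",    # unrelated
    ]
    for proposal, verdict in audit(ours, proposals).items():
        print(f"{proposal:35s} {verdict}")
```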