[c-nsp] OT: Check Point v Cisco PIX (ASA 5500 Series)

Gert Doering gert at greenie.muc.de
Sat Apr 5 07:50:25 EDT 2008


Hi,

On Fri, Apr 04, 2008 at 05:31:08PM -0500, Murphy, William  wrote:
> Checkpoint also does stateful failover...

Yes, I've seen this at a VPN partner's site.  Nice and shiny (and 
expen$ive) fully redundant checkpoint cluster.

About once a month, both halves decide "this VPN tunnel is MINE!!" and
really break things.  To get the VPN tunnel back to operation, the
cluster needs to be reloaded (or wait for everything to time out).

Don't even get me started on their complete inability to understand what
an IPSEC phase 2 proxy ID is good for, and that "accept anything that
comes in, and use a more-or-less random supernet of the permitted 
networks for the outgoing proxy ID" is *not* "user friendly!".

The only thing that makes Checkpoint a "market leader" is that they
have a nice and shiny GUI - but I'd trade that any day for a workable
CLI on top of a robust and stable *firewall*.

(I dislike PIX and ASA, but in comparison with a Checkpoint, give me
an ASA every day)

gert
-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de
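The proxy ID complaint above is easy to see with a small checker. The following Python script is an added illustration, not code from the post or from either vendor: it models a phase 2 selector comparison between a side that requires an exact match of the proposed proxy IDs (the behaviour of many IKEv1 crypto-ACL style peers) and a side that accepts a wider proposal and narrows it to its own policy (the approach IKEv2 permits). All subnets, the policy dictionaries and the mode names are constructed for the example.

```python
import ipaddress

# Constructed sample data. Each side lists the "local" and "remote" network it
# wants protected by the tunnel; the peer's local is our remote and vice versa.
OUR_POLICY = {"local": "10.1.0.0/24", "remote": "192.168.5.0/24"}

# A peer that picks a more-or-less random supernet of its permitted networks,
# as described in the post: it still covers what we expect, but is not equal.
PEER_SUPERNET = {"local": "192.168.0.0/16", "remote": "10.0.0.0/8"}

# A peer that proposes exactly what we configured.
PEER_EXACT = {"local": "192.168.5.0/24", "remote": "10.1.0.0/24"}

# A peer whose supernet guess does not even cover our networks.
PEER_WRONG = {"local": "192.168.0.0/16", "remote": "172.16.0.0/12"}


def _net(cidr):
    """Parse a CIDR string into an ip_network, tolerating host bits set."""
    return ipaddress.ip_network(cidr, strict=False)


def proxy_ids_match(our_policy, peer_proposal, mode="exact"):
    """Return True if the peer's phase 2 proposal is acceptable under `mode`.

    mode="exact":  our selector must equal the peer's (strict IKEv1-style peer).
    mode="narrow": accept if the peer's selector contains ours; we then narrow
                   the SA to our own policy (IKEv2-style responder behaviour).
    """
    ours_local, ours_remote = _net(our_policy["local"]), _net(our_policy["remote"])
    theirs_local = _net(peer_proposal["remote"])   # their remote side is our local
    theirs_remote = _net(peer_proposal["local"])   # their local side is our remote

    if mode == "exact":
        return ours_local == theirs_local and ours_remote == theirs_remote
    if mode == "narrow":
        return ours_local.subnet_of(theirs_local) and ours_remote.subnet_of(theirs_remote)
    raise ValueError(f"unknown mode {mode!r}")


def diagnose(our_policy, peer_proposal):
    """Human-readable verdict, useful when a tunnel negotiates but carries no traffic."""
    if proxy_ids_match(our_policy, peer_proposal, "exact"):
        return "OK: proxy IDs match exactly; any peer will accept this."
    if proxy_ids_match(our_policy, peer_proposal, "narrow"):
        return ("MISMATCH (supernet): peer proposed a wider selector. A strict peer "
                "rejects phase 2; a narrowing peer accepts and shrinks it to our policy.")
    return "MISMATCH: peer's proposal does not cover our networks at all; phase 2 fails."


if __name__ == "__main__":
    for name, proposal in (("exact", PEER_EXACT), ("supernet", PEER_SUPERNET), ("wrong", PEER_WRONG)):
        print(f"{name:>9}: {diagnose(OUR_POLICY, proposal)}")
```

Run it and the three constructed proposals show the three outcomes: the exact proposal is accepted everywhere, the supernet only by a peer willing to narrow, and the wrong supernet nowhere. When a tunnel "comes up" but passes no traffic, comparing the two sides' phase 2 selectors this way is the first thing to check.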