Dear Checkpoint representatives,
I am writing to you as the network administrator for Large Scale Biology in
regard to our corporation's experience with CheckPoint products. Last year
I was tasked to find a VPN/Firewall solution for our corporation. We wanted
something that was reliable, scalable and above all secure. After months of
research and investigation of many solutions, I was convinced Checkpoint
could provide our solution.
Upon receiving approval for my project, I immediately enrolled in a fast
track CCSA/CCSE class and started purchasing the Checkpoint 4.0 products.
We decided to go with the Enterprise solution including an unlimited number
of secured hosts in our corporate office. We purchased Nokia VPN-1
appliances for our remote offices and software subscriptions and gold
support for all products. We also invested in Secure Client licenses and
RSA ACE server.
Our reseller Avcom was late in delivering the product, one whole month later
than their original date to be exact. I didn't realize it at the time, but
this was a foreshadowing of our Checkpoint experience. When the product
finally arrived from Avcom, we did not receive any license certificates and
could not start deploying the products that we just received. A few weeks
went by and a bundle of certificates finally arrived from Avcom. This was
when I was first introduced to http://license.checkpoint.com (about November
1999).
I made it to the web site and entered my first certificate key. Upon
clicking the submit button I received my first Checkpoint license. I was
able to start deploying the product and life was good. Now it was time to
enter the certificate key for the Nokia VPN-1 appliances. The website would
not accept the certificate key and would not generate the licenses for
software subscription and gold support. However, I needed support because I
was in the middle of deploying the product. A call to Nokia tech support
and an explanation of the situation allowed me to use a "complimentary"
support incident, which I have been using ever since.
I decided to follow up with Checkpoint to receive my software subscription
and gold support. I made a phone call and spoke with a wonderful lady named
Summer who did her best to assist. After several attempts to contact Avcom
and their distributor (Westcon?), Summer was unable to provide me with the
software subscriptions and gold support that we purchased. This is when I
was passed on to Sherri Bentley. Like Summer, Sherri assisted me with this
licensing issue. She has made several attempts to resolve this issue with
no success. Sherri also contacted the internal Checkpoint web site
developers who manually fixed some glitches, but still no software
subscription and no gold support on the Nokia boxes.
Meanwhile, the passing months produced a new version of the Checkpoint
software. I attended the Checkpoint Experience conference in San Francisco
and learned about the many wonderful things that Checkpoint 2000 offers.
Since Large Scale Biology was proactive in purchasing the software
subscription for the Checkpoint products, we were entitled to upgrade for
free. We decided that since we were going to upgrade the product, we would
also take the opportunity to re-configure. We separated the management
console from the firewall and wanted to use Linux since it is more efficient
than Solaris and the price is right. That decision has cost us dearly in
downtime and man hours spent licensing the new CheckPoint products. Also,
the Nokia boxes still don't have the licensed gold support and software
subscription that we originally purchased.
Technical support at Checkpoint is a real hit or miss proposition. One tech
will be extremely helpful and efficient in finding the problem and another
tech is obviously reading a book or web site and has no true experience with
the products. I understand that new techs need to get experience, but it is
extremely frustrating to listen to a tech fumble through questions like
"what color is the network object for your firewall" while you have a
network that is down.
Today I upgraded the Nokia VPN-1 Appliance to Checkpoint FW-1 4.1 SP1. I
also upgraded the IPSO to 3.2.1. I spent hours preparing for the upgrade by
calling tech support, obtaining the new version (4.1 Sp1) license,
downloading all the correct files and associated documentation and crossing
every "T" and dotting every "i". After the upgrade was complete I tested
VPN which worked like a dream. Then I tested connectivity to the Internet.
None of the workstations on the internal network could access the Internet.
I checked my rule base, double checked network objects and Address
Translation rules. After a call to Nokia tech support we determined that
this was a problem with Network Address Translation. I just happened to
reboot the Nokia VPN-1 Appliance and watched the boot up process. It said
"no license for address translation".
Once again I was suffering from a licensing issue. So I called Sherri
Bentley to get my evaluation license. This is a routine that has become all
too familiar. When the license doesn't work, use an evaluation license
until you can get the real license. I now have a collection of about 50
evaluation licenses. From November 1999 to July 2000 I have had
approximately 50 issues with my checkpoint license. Furthermore, I still do
not have Gold Support or Software Subscription for the Nokia VPN-1
Appliances that I purchased. The "complimentary" support incident that was
extended by Nokia has been used to it's fullest (approximately 50 times) and
they will no longer provide me with support, because they do not show that I
ever purchased it. In addition, I have two firewalls that are using
evaluation licenses that are about to expire. Again, these are licenses
that were purchase in November of 1999.
There are more details to this story that demonstrate the Large Scale
Biology "Checkpoint Experience".
I believe that Checkpoint has a strong product. Firewall-1/VPN-1 is
technically not perfect, but very strong. However, the administration,
support and licensing of the product is poor to say the least. The online
licensing website should be deleted and re-engineered from the ground up
including a completely new methodology for licensing. I think that
Firewall-1/VPN-1 has great potential and I would recommend it to my future
customers if I new that these issues were being addressed and resolved.
I feel that I have been extremely patient with Checkpoint through this
fiasco. However, my patience has come to an end. I am in a position to
recommend and purchase another Firewall/VPN solution for our corporation. I
strongly believe that before I make this decision that it would be prudent
to give your management team an opportunity to respond.
Sincerely,
Paul DeHerrera
Large Scale Biology
[EMAIL PROTECTED]
707.469.2357
http://www.lsbc.com
================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================
