I agree 100% with this one: - Improve FW UI in a way  to allow creation of Rule Sections. Now the rulebase is quickly becoming very confusing. Look at the Migration Tool, that's how It's done (Thanks Albert 🙂 ... View more

Agree that a scheduler on-box would be nice. However, ssh-key auth is available from 4.1. This means that you can automate backups by adding a cron job on an external box. Simple enough. ... View more

I'd say - look at Global Protect if you want a packaged product. If you have the skills/time you could use the API to push computer names and IP in to the PAN. Would require some development time on your end though. ... View more

I'd have to agree. RSA keys and Certificates in general is something I'd like to see. ... View more

Are we talking about virtual desktops or terminal server/citrix here? Please elaborate a bit further on the subject. ... View more

Yes, I have seen that type of behavior a few times. The reason being that the agent is continuously reading the DC/Exchange logs that you point out in the agent configuration. The more complex the environment (number of users, number of polled DC's per agent) will have an impact on how much traffic that is generated. Unfortunately reading the security log is something that can consume quite a lot of bandwidth in some environments. If possible I suggest you try adding one more agent and place it closer to the remote DC/Exchange server. ... View more

Yes, that my friend is in the manual. In the gui simply click the VR, Add the route (network/mask/gw) and commit. Thats about it. ... View more

No, a VR holds both static and dynamic routes, (if used). Lets say your VR looks like this: Route                              Gateway                    Interface 0.0.0.0/0          195.1.2.3        eth1 192.168.20.0/24    192.168.10.5     eth2 195.1.2.1/27                        eth1 192.168.10.1/24                     eth2 In the example above, using anti-spoofing on the zone with eth2 as a member interface would only allow hosts from the directly connected network 192.168.10.0/24 and the nexthop network 192.168.20.0/24 as these two networks are the only ones with valid return routes. The PAN-device extracts the source IP and source interface, (source zone) when the ingress packet arrives. ... View more

Anti-spoofing is not based on any address-book or address-group entry. It is simply based on the routes you have in your VR. In other words you need to compare route tables between your Checkpoint-GW and the PAN-device. ... View more