CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.


First, I hope you're all well and staying safe.
Second, I want to give a "heads up" that you should see more activity here shortly, and maybe a few cosmetic changes.
I'll post more details to the "Announcements" forum soon, so be on the lookout. -E



Type: Posts; User: Bob_Zimmerman



  1. Re: Secure Internal Communication (SIC) Basics

    Change management's name? Need to reset the ICA and all trust relationships. I hit that mostly when rebuilding a failed management (I wrote the process for the three-file rebuild, and used it on a...
  2. Re: Secure Internal Communication (SIC) Basics

    Elaborating on this one a bit. Resetting SIC should almost never be necessary, and it often makes problems worse and reduces your ability to troubleshoot the problem. While building your...
  3. Re: Secure Internal Communication (SIC) Basics

    The trust establishment negotiation is actually from the management to the gateway and from the management to the log server. The rest is accurate, yes.
  4. Re: All that's old is new again. (Replies: 3, Views: 531)

    There was also SunOS/Solaris, and I think you could install FW-1 on Redhat as well for a while.

    The level of sensitivity to Solaris patches was a huge pain. That build also didn't get great...
  5. Re: Upgrade to 80.40 (Replies: 13, Views: 1,606)

    Sure, but there's a great saying among programmers: the best code is the code you don't have to write. If you can arrange other things such that you don't need the modification, that's vastly...
  6. Re: Upgrade to 80.40 (Replies: 13, Views: 1,606)

    I try really hard not to make modifications to files like the table.def, implied_rules.def, and so on. This is why. Upgrades always wipe them out, and updates sometimes do as well. Rediscovering all...
  7. Re: API Irritations (Replies: 8, Views: 1,722)

    'show changes' is so close! It provides enough information to highlight items which were changed. Unfortunately, it doesn't provide enough to actually merge those changes from just the 'show changes'...
  8. Re: SmartDashboard on macOS (Replies: 19, Views: 9,828)

    Still working on the ordering of empty sections.

    Since I last posted, I have:

    Added NAT rulebase display.
    Added a picker to choose the policy package you want to view. It also has a special...
  9. Re: API Irritations (Replies: 8, Views: 1,722)

    And back to hair-pulling frustration.

    If you run 'show objects', and you get a group, that group's members are given as a list of UUIDs.

    If you get the same group via 'show object', the group's...
  10. Re: SmartDashboard on macOS (Replies: 19, Views: 9,828)

    For my initial development, I skipped dealing with certificates and so on. Instead, I coded it to use custom TLS trust evaluation, and to blindly trust any certificate presented by a particular IP...
  11. Re: API Irritations (Replies: 8, Views: 1,722)

    Just ran into a more pleasant surprise! 'show object' appears to work with any UUID. Object, policy package, layer, even individual rules. I noticed when I made a mistake handling inline layers and...
  12. Re: API Irritations (Replies: 8, Views: 1,722)

    Entirely possible. That said, if somebody else wants to build tools like the ones I build, this might help them avoid some of the data model potholes I've hit. It took me days to convert from a...
  13. Re: API Irritations (Replies: 8, Views: 1,722)

    Found a new one. I'm probably going to report this as a bug.

    Access sections don't give you their position. They have a 'from' integer and a 'to' integer for the rules inside them, but no position...
  14. Re: SmartDashboard on macOS (Replies: 19, Views: 9,828)

    Your comment did remind me I forgot to handle cell negation. Simple enough fix. I just added a "negate" variable in my cell view, and fed it the appropriate value from the working row. SwiftUI is...
  15. Re: SmartDashboard on macOS (Replies: 19, Views: 9,828)

    That's actually the thing I find most disappointing about the API. It was a chance for a clean break. You could have provided a VCS like Hg or Git (or even non-distributed; something like SVN), but...
  16. Re: SmartDashboard on macOS (Replies: 19, Views: 9,828)

    It's 100% Swift 5.2. It's a very nice language. Easy to reason about. Automatic reference counting for memory management, a good static analyzer, good exception handling capabilities.

    The UI is a...
  17. Re: SmartDashboard on macOS (Replies: 19, Views: 9,828)

    I was not aware, but web applications are universally pretty awful. You have reduced working space due to the browser's chrome on top of the application chrome. In-page state interacts in really...
  18. Re: SmartDashboard on macOS (Replies: 19, Views: 9,828)

    Funny this should be the most recent thread in the off-topic forum. I was just trying to determine where to ask if anybody was interested in a little application I've been working on.

    I'm solving...
  19. Re: Upgrade to 80.40 (Replies: 13, Views: 1,606)

    That would be my expectation. Kernels are easy to swap. It's a single binary image stored on the disk. Point to a new one, done.

    Filesystems are much harder to swap (though not impossible; Apple...
  20. Re: Upgrade to 80.40 (Replies: 13, Views: 1,606)

    I upgraded my personal 2200 from R80.20 to R80.40 over the weekend. It has a 1.8 GHz dual-core processor, 4 GB of RAM, and a SATA SSD. Except for the SSD, it's pretty close to a worst-case scenario....
  21. Re: API Irritations (Replies: 8, Views: 1,722)

    I converted my code to use a single class for all objects, then switched to using 'show objects' to get everything.

    Tags aren't included in 'show objects'.

    Are you kidding me?

    I'm also...
  22. Re: automated MDS backup (Replies: 12, Views: 2,522)

    Ah. Yeah. By convention, brackets indicate optional arguments in UNIX/Linux, and less-than and greater-than indicate mandatory arguments. In both cases, the enclosing characters need to be removed as...
  23. Re: API Irritations (Replies: 8, Views: 1,722)

    Found another one. Some API endpoints are case-insensitive, while others (the specific one I hit was where-used) don't return anything for uppercase UUIDs. It's easy enough to just add a...
  24. API Irritations (Replies: 8, Views: 1,722)

    I'm trying to do more with the management API, and it is insanely frustrating to deal with. Thought I would vent a little here.

    First, something actually very good: the API is versioned. Version...
  25. Re: Business case to keep Check Point (Replies: 9, Views: 1,922)

    My knowledge of Palo Alto is limited, but I know their feature to identify users on endpoints (like Identity Awareness) is trivial to misconfigure. I've seen a few Palo Altos with that feature...
  26. Re: automated MDS backup (Replies: 12, Views: 2,522)

    SSH keys are a user-level thing. Check Point doesn't use them directly for anything, and they won't interfere with anything Check Point does.

    I'm working on SCP stuff myself (specifically, still...
  27. Re: automated MDS backup (Replies: 12, Views: 2,522)

    The file should be created as soon as you touch it, and it should have contents as soon as the >> is run. My bet would be time zone confusion (maybe he checked before the script had run?) or node...
  28. Re: Standalone 2200 with R80.10 and up (Replies: 1, Views: 737)

    Remove the "return 1;" from the end of line 1129, and config_system will happily set up your 2200 as a standalone system.

    For some reason, I couldn't post (or preview) with that final line of...
  29. Standalone 2200 with R80.10 and up (Replies: 1, Views: 737)

    I recently needed to get a personal Check Point license for some development work I'm doing. Getting a new software license would be hundreds to thousands of dollars, while Check Point branded...
  30. Re: automated MDS backup (Replies: 12, Views: 2,522)

    Thanks for the comment! I'm never sure if anybody else cares about this kind of thing.
  31. Re: automated MDS backup (Replies: 12, Views: 2,522)

    I just updated my MDS past the versions in sk163300, which changed mds_backup to no longer gzip the final tar file. That broke my file renaming logic. Testing a fix.

    Edited to add: This should...
  32. Re: Any interruption if I add the interesting traffic into the existing site2site tun

    IPSec VPNs are negotiated by the gateways for pairs of endpoints. An "endpoint" in this context can be a single host or a network (including the network 0.0.0.0/0, which includes all IPv4 addresses)....
  33. Re: automated MDS backup (Replies: 12, Views: 2,522)

    I normally use mds_backup -b -i -l. The b sets batch mode, which doesn't prompt for anything. The i includes the rule hit counts. The l (lowercase L) excludes logs (I have separate MLMs, so this is...
  34. Re: trouble creating cluster interface in cluster XL

    So you're aware, the last step in that list undid all the earlier steps in that list. That button exists specifically for people who don't want to build the interface themselves. I would guess that...
  35. Re: trouble creating cluster interface in cluster XL

    The first screenshot is telling you someone else is making changes to gate01, so you can't make your changes.

    The second screenshot is telling you it doesn't like something about the change you...
  36. Re: Licensing Cost / Job Interview (Replies: 1, Views: 488)

    To me, the single biggest selling point of Check Point's software is just that: it's software you can throw on your own server or VM. You can download the installer ISO for all the current versions...
  37. Re: Network Load Balancing Server (Replies: 4, Views: 2,621)

    I doubt the firewall would do automatic proxy ARP for the virtual server. You could try adding a proxy ARP statement or using a VIP which isn't on any real network you use.
  38. Re: Trying to run Python script (Replies: 5, Views: 1,185)

    Python has a concept of modules. A module provides functions and object types which Python by itself does not.

    Apparently this script requires one called "rulebasecsv", which isn't on the system...
  39. Re: Trying to run Python script (Replies: 5, Views: 1,185)

    To expand on this, the "^M" part of the error is a control character. Control-M is a carriage return.

    Different platforms encode line endings in different ways. Specifically, classic Mac OS used a...
  40. Re: SIC Certificate Management (Replies: 2, Views: 2,831)

    A Check Point SmartCenter or MDS runs an internal certificate authority (ICA). It is self-signed, and is the root of trust for the SIC domain. Secondary managements, log servers, firewalls, and so on...
  41. Re: R80 box NAT'ing out weird public IPs

    Are the public IPs close to any public IPs you have defined? In the same /24, for example? You can do static NAT between two network objects of the same size, so that can cause NAT to IPs you don't...
  42. Re: Is This Still An Active Group? (Replies: 3, Views: 3,001)

    I am very much not a fan of Check Point the company, so I prefer to post here. My posting on CheckMates is mostly just code and quick answers I know off the top of my head to questions about some...
  43. Re: Mixing different hardware in a cluster (Replies: 4, Views: 3,179)

    It's more the CoreXL config. Last I tested, you can use a 16-core box to replace a 4-core box in a cluster as long as you change the new one from the default CoreXL config to be the same as the...
  44. Finding which interfaces are used and how many times

    I recently had a need to find which interfaces on a VSX system are in use, thereby letting me know which interfaces are available for future expansion. I wrote this quick script and thought it may be...
  45. Re: Mixing different hardware in a cluster (Replies: 4, Views: 3,179)

    I don't know about documentation, but I know it works. You need the same CoreXL and SecureXL config on all members.

    Same version down to the patch level is a good idea, but you can force...
  46. Re: Issues with SMS running R80.20M1 (Replies: 4, Views: 1,370)

    Sounds like at this point, your best bet is to treat it as a completely failed primary SmartCenter. I don't know the process for R80-family management off the top of my head, but support should...
  47. Re: Issues with SMS running R80.20M1 (Replies: 4, Views: 1,370)

    Who said managing R80.20 firewalls from an R80.20M1 SmartCenter isn't supported? That doesn't sound right at all. Last I heard, managing R80.20 firewalls from R80 (no dot) is supported, you just...
  48. Re: new blog post on installing Kali on SMB or R80.x (3.10 kernel)

    Considering Docker is STILL based on chroot (just with cgroups added), it's a new-school container, too!

    I wish GAiA had been based on IPSO instead of SecurePlatform. Then we could have ZFS,...
  49. Re: new blog post on installing Kali on SMB or R80.x (3.10 kernel)

    To be clear, this is just a chroot, right? It's running the same instance of the same kernel, not a full hardware VM?
  50. Re: Adress Spoofing with Always On VPN RAS Server

    That's almost certain to be a routing loop. Run an fw monitor when you see the problem. I bet you will see a SYN pass through the firewall, then the same SYN hit the firewall on the interface it just...
  51. Re: CP1500 (Thread: CP1500, by Bob_Zimmerman; Replies: 6, Views: 4,667)

    Looks like new boxes Check Point just announced:

    https://www.checkpoint.com/downloads/products/1500-security-gateway-datasheet.pdf
  52. Re: Domain based VPN at checkpoint side and route based VPN on Cisco router

    You can mix domain-based and route-based VPNs just fine. The only trick is you need to be sure the domain-based VPN logic doesn't get triggered by traffic you want to go over the route-based VPN.
    ...
  53. Re: Licence expiration and the impact on security

    My understanding is URL filtering should work, but categorization won't. That is, if you try to use the category Check Point provides called "News / Media", nothing will match, as you no longer have...
  54. Re: R77.30 to R80.20 migration. (Replies: 2, Views: 859)

    I am told with R80.20, a clean install is preferred. Here's the general process I would use:

    Export the configuration from the management and import it into a VM for testing purposes. Do you get...
  55. Re: NAT assistance (Replies: 6, Views: 1,777)

    This is almost certainly what's going on. The destination is being changed, but the source isn't. Some janky clients (most notably, many versions of systemd) send NTP traffic from UDP port 123, not...
  56. Re: Numbered VTI in cluster (Replies: 3, Views: 1,473)

    That's a really good question. I've done a lot with VTIs, but not recently, and I don't remember the answer.

    It should be pretty easy to test in a lab. You just need three VMs. One standalone...
  57. Re: Security management server and VSX gateways upgrade from R77.30 to R80.20

    Licensing is kind of a pain. I believe SmartCenter licenses come over with a migrate export and migrate import. Worst case, you can log in to the User Center, go to your account, and download the...
  58. Re: URL filtering, is this a joke? (Replies: 26, Views: 6,264)

    Correct, Check Point matches the expression against the entire URL, scheme and path included. We're both avoiding that by anchoring the expression with the caret, matching the scheme, then two...
  59. Re: Smart console don't show log in correct time order

    The timestamp in the logs is based on a value in the log record set by the recording firewall. The order in which you see the logs is based on the absolute order of arrival.

    This means your...
  60. Re: What outbound ports should be allowed for http and https traffic

    The closest thing to a "best practice" is a tautology: allow your users to reach what they need.

    Thanks to "cloud" nonsense and IPv4 exhaustion, a lot of public services are being run on...
  61. Re: Security management server and VSX gateways upgrade from R77.30 to R80.20

    First, it's important to define "downtime".

    When you are upgrading your management server, you will not be able to access it to make changes or view logs (the management will be totally down). You...
  62. Re: GAIA PORTAL WHITE PAGE (Replies: 3, Views: 3,725)

    If your firewall has access out to the Internet, CPUSE should be able to download new versions and you can install them from the command line:

    installer download [tab]

    or

    installer...
  63. Re: fsck on the next reboot in R77.30 (Replies: 5, Views: 1,944)

    Based on that output, it shouldn't fsck on boot unless the box was not shut down cleanly.

    Side-note: ensuring filesystem consistency on unclean shutdown is a problem which has been solved for over...
  64. Re: Intervlan Routing configuration on checkpoint

    Have you added the interfaces to the firewall object's Topology table in SmartDashboard (pre-R80) or SmartConsole (R80+)?
  65. Re: TCPdump on VTI not working (R77.30) (Replies: 2, Views: 1,834)

    It's more that the domain-based VPN decision happens very early in packet processing, and you need to ensure that won't flag the packet for encryption. You can mix domain-based and route-based VPNs....
  66. Re: Command prompt improvements (Replies: 1, Views: 3,678)

    I was asked what I meant by "trash the PS1 block". The block I'm talking about is this one towards the end of /etc/bashrc:

    if [ -f /etc/profile.d/vsenv.sh ] && [ -n "${VRF_NUMBER}" ]; then
    ...
  67. Command prompt improvements (Replies: 1, Views: 3,678)

    Check Point's command prompt for BASH kind of sucks. I've been working on some improvements. With these changes, when you log in with an unprivileged account (which must be a member of the group...
  68. Why ever GAiA system thinks its VSX (Replies: 0, Views: 2,231)

    Have you ever noticed every single GAiA system's BASH prompt includes a little ":0" after the hostname? That's used in VSX to indicate which VSID you are currently in. On SecurePlatform, it only...
  69. Re: How to output fw ctl zdebug + drop to a file ?

    My Check Point knowledge is from years of working in their call center (terrible work environment; always fill out post-ticket surveys and give top marks, because nobody deserves management that...
  70. Re: How to output fw ctl zdebug + drop to a file ?

    Try this:

    fw ctl zdebug -T drop | grep --line-buffered '10.10.64.161|10.10.55.169|10.10.56.169' | tee /var/log/tmp/fw_ctl_zdebug_drop.txt

    The 'tee' utility takes each input line and writes it...
  71. Re: Wget in Gaia R77.30 (Replies: 6, Views: 1,828)

    WARNING! THIS DOWNLOADS A REMOTE FILE OVER HTTP AND MAKES IT EXECUTABLE. THIS IS DANGEROUS!

    curl -O http://dannyjung.de/ccc && chmod u+x ccc && mv ccc /usr/bin/

    The -O switch to curl causes...
  72. Re: Wget in Gaia R77.30 (Replies: 6, Views: 1,828)

    Huh. I've never thought about installing wget on a Check Point box. I've always just used SCP or curl. They could have stripped that out and left us with 'fetch'.

    What are you trying to accomplish...
  73. Re: multicast issue (Replies: 6, Views: 1,665)

    Unicast goes to one host.

    Broadcast goes to all hosts in a network.

    Multicast goes to no hosts, because it's set up wrong. Again.
  74. Re: Received a cleartext packet within an encrypted connection

    This is also a possibility since the VPN decision happens so early in packet processing. Specifically, it would happen if the packet is encrypted on the Cisco side, decrypted by the Check Point side,...
  75. Re: Received a cleartext packet within an encrypted connection

    Other way around. "Received a cleartext packet within an encrypted connection" means the Check Point side is expecting it to be encrypted, but the Cisco side isn't encrypting it. Either the...
  76. Re: VRRP works on which checkpoint version (Replies: 9, Views: 1,720)

    It's fundamentally how VSX works internally. The members get real IPs on automatically-allocated weird networks, then the VIPs are on the network the user specifies and are claimed using proxy ARP. I...
  77. Re: VRRP works on which checkpoint version (Replies: 9, Views: 1,720)

    You can actually do this with simple proxy ARP statements. You just need to get the traffic to the firewall, then the firewall rules only care about the IP. Go ahead, ask me how I know. ;)

    I would...
  78. Re: Blink - Full gateway installation in 5 minutes

    Blink appears to have been one of the building blocks of this:

    https://www.checkpoint.com/products/maestro-hyperscale-network-security/

    Looks like a Crossbeam-NPM-in-a-box, but it scales way,...
  79. Re: VRRP works on which checkpoint version (Replies: 9, Views: 1,720)

    I believe all GAiA versions support VRRP. What are you trying to accomplish, though? I don't think I've ever seen a situation where it's better to use VRRP than ClusterXL New Mode.
  80. Re: How do I check the routing table through command line? In checkpoint ?

    'netstat -nr', 'route print', and 'ip route show' will all print the full routing table in various formats. Note that none of them include policy-based routing.

    If you want to see what route a...
  81. Re: 23500 - expansion cards are not visible .

    It's worth checking to see if the interfaces wound up in different slots from the ones you expect. The slots on the front of the box aren't labeled, so figuring out which of the five of them is "slot...
  82. Re: fw unloadlocal and routing daemon stopping?

    Turns out this is one of the ways VSX differs. It definitely does not disable IP forwarding when you unload the policy. 'cpstop' disables IP forwarding, which makes sense, as it is intended to have...
  83. Re: fw unloadlocal and routing daemon stopping?

    As far as I am aware, 'fw unloadlocal' should not stop routing.

    I think the confusion happens because it unloads the whole policy, which includes NAT. Thus, any inbound NATs from public IPs to...
  84. Re: Change Mgmt interface on appliance (Replies: 2, Views: 1,491)

    Definitely possible. I recommend moving it to a bond, then you can use the CLI to move the bond between physical interfaces easily.

    Now what may not be possible is doing this without an outage....
  85. Re: Redundant Domain-Based Site2Site IPSEC tunnel

    To confirm, you want a tunnel between FW-A and FW-B, then a second tunnel between FW-A and FW-C with the same networks behind FW-B and FW-C?

    If not, a diagram may help express what you want to...
  86. Re: craig dods blog post about hacking Palo?

    Palo Alto Networks' website as a whole is pretty iffy. While not that level of bad, you can edit their downloads page to request files other than the ones you are allowed to download, and they'll...
  87. Re: Checkpoint RAS solutions (Replies: 4, Views: 1,677)

    SecureClient definitely supports Office Mode. You're thinking of SecuRemote, which is the same software installed in a different mode. I don't think either is supported anymore (i.e., you can't call...
  88. Re: Dedicated Management Port and Firewall Rules

    "Mgmt" is just another interface on the OS. It does not have its own routing table. In fact, there is nothing special about it at all; it's just another Intel e1000 interface which happens to get a...
  89. Re: Disk space on SMS (Replies: 3, Views: 4,880)

    This is a somewhat less verbose command to use:

    du --max-depth=1 -h .

    The earlier command crawls the filesystem and prints *all* directory sizes. The "--max-depth=1" switch causes it to crawl...
  90. Re: HA Failover appears to be caused by sync interface

    Sometimes, you can get newer drivers from the TAC than are currently shipping in generally-available versions. For a while, the shipping e1000 version (7.3.15-NAPI) was pretty janky, and a newer...
  91. Re: Migrate cluster gateway from MDS to new Management

    So to confirm, you want to carve a CMA off from your MDS and make it a separate SmartCenter?

    This will involve the firewalls changing SIC domains, which means an outage. How long an outage can you...
  92. Re: deleting Index directories in /var/log/opt/CPSmartLog-R76/data

    Generally, if you unlink a file and your used disk space doesn't go down, some process still has the file open. You can try 'cprestart' to restart all of the Check Point services. WARNING! If this is...
  93. Re: Get VSX objects of a CMA from expert (Replies: 1, Views: 2,630)

    Which version? In versions before R80, you should be able to parse the $FWDIR/conf/objects_5_0.C file to get any type of object you want.

    I haven't looked at R80's internals extensively yet, but I...
  94. Re: HA Failover appears to be caused by sync interface

    Drivers might, sure. It looks like firmware is not, though. Not sure how much that matters.
  95. Re: VPN from Checkpoint to Cisco ASA - Route based

    I think I just answered a few of these questions in another thread:

    https://www.cpug.org/forums/showthread.php/22661-Domain-based-VPN-and-VTI

    Technically, you can have two encryption domains...
  96. Re: Strange block for VPN traffic (Replies: 1, Views: 1,180)

    "Packet is dropped because there is no valid SA" always means a VPN negotiation has failed. If other things on your end are able to talk to other things on the peer's end, that points to a phase 2...
  97. Re: How does "Fetch Policy" work on small appliances centrally managed in r80.10

    Edges used a policy fetch system. On the SmartCenter, "pushing" policy to the Edge (or an LSM profile for a group of Edges) instead compiles it, saves it locally on the SmartCenter, then sends the...
  98. Re: authentication failure (Replies: 4, Views: 2,827)

    I think you actually need two 'n' switches. The first one stops reverse domain lookup for IP addresses, while the second stops port lookup in /etc/services.

    tcpdump -nni $interfacename host...
  99. Re: Domain based VPN and VTI (Replies: 5, Views: 1,727)

    Outgoing link selection is kind of weird. With domain-based VPNs, the traffic is modified in-flight, so the routing decision is made, then the packet is encrypted. For outgoing traffic, you get clear...
  100. Re: Domain based VPN and VTI (Replies: 5, Views: 1,727)

    I thought I would add a technical explanation of why this works.

    Domain-based VPN decisions are made very early in the process of handling a packet. If the source is in my encryption domain and...
Results 1 to 100 of 359