CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.


Type: Posts; User: jflemingeds


  1. Re: unable to connect to server
    Replies: 21, Views: 313

    I hope the humor translates. But come on. You're going to let a shell script tell you what is and isn't possible? Use the source, Luke.
  2. Re: unable to connect to server
    Replies: 21, Views: 313

    Well.. there is supported.. and then there is possible... :D

    I'm assuming this is for a lab box since a 4200 is a pretty sad box for a mgmt server.

    crack the box open (oh noes!), look at the...
  3. Re: Editing multiple user object possible?

    Which version?
  4. Re: unable to connect to server
    Replies: 21, Views: 313

    Yeah so upgrade the ram to 8 gig.
    </shifteyes>
  5. Re: Error when logging into CLI of Provider-1 server

    That’s it _nonlocl. What does messages say when you login?
  6. Re: Error when logging into CLI of Provider-1 server

    I think the user none-local or something like that is the user you become when you login with radius. Can you show your /etc/passwd file? Also what shows up in /var/log/messages when you attempt a...
  7. Re: Java Process Consuming High CPU in R80
    Replies: 31, Views: 3,789

    I wouldn't be shocked if raid config was the issue. Raid 5 basically stinks. No write speed boost.
  8. Re: Hot Fix Installation Verifier
    Replies: 2, Views: 81

    cpinfo -y all

    You might need to install the latest cpinfo for this to work. Upgrading cpinfo is 100% non-impacting.
  9. Re: URL filtering, is this a joke?
    Replies: 10, Views: 211

    Not to downplay your pain or anything. Just pointing out that from a regex point of view

    \.example\.com

    and

    .*\.example\.com

    should in theory match the same thing from a regex point of...
  10. Re: Dual NAT
    Thread: Dual NAT, by jflemingeds
    Replies: 6, Views: 153

    If you can't explain what you're trying to do it's going to be very hard to help you. Can you show a network diagram maybe?
  11. Re: unable to connect to server
    Replies: 21, Views: 313

    That only affected new installs of R77 after jan 24 2018 from reading SK22612.
  12. Re: Network monitoring on Checkpoint ext interface

    Nothing stopping you from compiling and running ntop yourself.
  13. Re: 80.10 problems on ESXi 6.5
    Replies: 13, Views: 227

    That file should not be empty. This is from an R80 open server mgmt server for the normal section of the boot loader.

    title Start in normal mode
    root (hd0,0)
    kernel /vmlinuz...
  14. Re: Strange connection disruption 30minutes + after policy install

    Can you show an example arp request you see when the outage hits? Arp should be only used to find out info for the local network.

    Btw Linux does have a limit to the amount of arp entries it can...
  15. Re: Strange connection disruption 30minutes + after policy install

    This is very odd and smells like an incorrect subnet mask. There is no reason a device should arp for a remote server unless maybe it’s really talking to a nat on the local network.

    Is this...
  16. Re: pre upgrade check - INSPECT manual changes

    My guess is ldap across Vpn was enabled but to find out for sure do an install in a VM and compare the fresh install with yours to see the difference.
  17. Re: 80.10 problems on ESXi 6.5
    Replies: 13, Views: 227

    Can you show where you did so? Just making sure you put it in the right spot. Should be on the kernel line.
  18. Re: 80.10 problems on ESXi 6.5
    Replies: 13, Views: 227

    I'm not sure it only affects boot up. Non-cacheable ram is bad. The bug posted made it sound like just about any data structure could end up in that range and have a performance impact.

    Of course...
  19. Re: 80.10 problems on ESXi 6.5
    Replies: 13, Views: 227

    Something like /boot/grub/menu.lst

    The red hat bug you posted says it needs to be enabled (which doesn't seem to be default for red hat). What I don't know is if the code to support it is there or...
  20. Re: Natting behind different ISPs
    Replies: 3, Views: 185

    Sounds right to me. Either do an automatic nat and set to hide behind gateway or do a manual nat with a host object of 0.0.0.0. Should do the same thing basically.
  21. Re: 80.10 problems on ESXi 6.5
    Replies: 13, Views: 227

    Did you try setting acpi_mcfg_max_pci_bus_num=on in your menu.lst file?
  22. Re: MTU issues: packets are always fragmented by firewall!

    I don't get why anyone would want to use pmtu over mss. Maybe because pmtu is semi auto? Shrug. Just seems like it is better to not rely on a 2nd protocol to figure out mss when it can be handled...
  23. Re: Anyone attending CPX360 2018?
    Replies: 12, Views: 506

    Did anyone else see the dance off between westcon and shadowpeak? It was epic.
  24. Re: MTU issues: packets are always fragmented by firewall!

    It should. If the mss is clamped to a low enough level you'll always be under mtu for tcp traffic at least.
  25. Re: MTU issues: packets are always fragmented by firewall!

    Is there a Vpn behind the firewall? Just wondering if that is the reason for the lowered mtu. If so that device should be clamping the mss in a perfect world.
  26. Re: MTU issues: packets are always fragmented by firewall!

    Ok well I'm checking out. Heading over to get settled for the game.

    If you can, can you explain what the core problem is again?
  27. Re: MTU issues: packets are always fragmented by firewall!

    This site really is a miserable experience on mobile. I'll check it out from the airport if LA traffic doesn't curse me.
  28. Re: MTU issues: packets are always fragmented by firewall!

    Hmmm I can't seem to see the capture. It's too blurry. Btw Ethernet has 18 bytes of overhead so max frame size will be 1518 with mtu of 1500 bytes.

    I would assume it's inherited as well. I mean...
  29. Re: MTU issues: our R7720 and R8810 behaves differently concerning fragmentation

    Udp is stateless, therefore anything like this would require app layer to handle it.
  30. Re: MTU issues: our R7720 and R8810 behaves differently concerning fragmentation

    Check out sk61221 for how to do mss clamping.
  31. Re: site-to-site VPN issues, connection dropping during data transfers

    Hmm yes they are two different. Not sure where I got this being an endpoint issue.
  32. Re: Hide NAT only half working
    Replies: 8, Views: 198

    another thought, are you sure the return traffic is hitting the firewall? tcpdump -nnei $interface_interface host 192.168.10.x

    the "e" option will print mac address. Compare to physical interface...
  33. Re: Hide NAT only half working
    Replies: 8, Views: 198

    Is it getting dropped with anti spoofing by chance?

    fw ctl zdebug drop

    watch for drops from the 192.168.x.x host.
  34. Re: VPN advertising wrong subnet to the peer and traffic getting dropped

    yes, see same SK. sk108600
  35. Re: Smart Dashboard login issue R77.30 open server.

    Wow.. thanks for the heads up on this SK.
  36. Re: MTU issues: packets are always fragmented by firewall!

    I think something in checkpoint is acting like a proxy. I don't know if it's checkpoint active streaming or a legit proxied connection. In either case as shadow peak pointed out this does not seem to...
  37. Re: site-to-site VPN issues, connection dropping during data transfers

    maybe sk106591?
  38. Re: After R80.10 upgrade, IA blade seems nonfunctional

    Hmm looks like maybe wmi failed but maybe LDAP worked? Have you tried taking a packet capture to see if that shows something interesting?

    Maybe debugging pepd / prod (always forget which one....
  39. Re: VPN advertising wrong subnet to the peer and traffic getting dropped

    You can override using sk108600 - see Scenario 1. see subnet_for_range_and_peer.

    Note it's something you'll want to document in some method as it won't show up in dashboard.
  40. Re: Asymmetric Routing when accessing gateway cluster members?

    Sure thing! I'll get that as soon as I get a chance.
  41. Re: Asymmetric Routing when accessing gateway cluster members?

    If the cluster is healthy please explain firewall topology, where client is connected, show route table of firewalls and show the interface listed in the drop message.
  42. Re: SSH Access to Gateway works only on Mgmt interface

    Well that's strange. Are you sure someone else over there didn't do that? I don't remember seeing an ssh listen option in clish but maybe there is one.
  43. Re: SSH Access to Gateway works only on Mgmt interface

    Something else. Ssh into the working interface then run netstat -anp | grep ip

    Where ip is the remote system's IP.

    Oh could this be vsx?
  44. Re: SSH Access to Gateway works only on Mgmt interface

    Is this r80.10?
    ps axuw | grep sshd

    Show anything?

    Also netstat -anp | grep sshd

    /etc/ssh/sshd_config

    Should be master config file. Check for strange listen or bind lines maybe? Post th...
  45. Re: Anyone attending CPX360 2018?
    Replies: 12, Views: 506

    3 out of 4 of us will be in Barcelona.

    I’m so not looking up middle finger images on google right now.
  46. Re: Weird drop on accept rule
    Replies: 7, Views: 255

    I don't think slowfood meant it like that. Maybe no more coffee for the day. ;)
  47. Re: Anyone attending CPX360 2018?
    Replies: 12, Views: 506

    I'll be there!
  48. Re: SSL/TLS Inspection for FTPS Connections

    I would say either is just as secure and either can be misconfigured and have very bad things happen.

    This is a pretty good doc explaining how to set up an sftp jail.
    ...
  49. Re: SSL/TLS Inspection for FTPS Connections

    Does it really have to be ftp over tls? I take it sftp (over ssh) or the likes isn't an option?
  50. Re: Configure different public IP for Remote Access (S2S already present)

    I haven't tried that before. I think you would have to do a bit of hacking but maybe creating a loop interface with said IP on it would work. I think you would need to have a different NAT on each...
  51. Re: Script for MDS log summary
    Replies: 15, Views: 509

    hurray.. 5th time's a charm.
  52. Re: Remote console and/or RDP (or VNC) access

    There is also ipmitool with SOL (Serial over Lan). I haven't used it but it's on my giant todo list.
  53. Re: Script for MDS log summary
    Replies: 15, Views: 509

    new version posted.

    try running it from the same dir maybe?

    cd /etc/scripts/
    bash script.sh
  54. Re: Script for MDS log summary
    Replies: 15, Views: 509

    ok strange.. it worked using this input. I'm going to post a few more changes. I think it's hitting the exit.

    This alpha script is really coming along with all these bug reports! It might even get...
  55. Re: Script for MDS log summary
    Replies: 15, Views: 509

    hmm ok run this and show the output.

    mdsenv cma-10.109.114.12
    CPLogInvestigator -a -p
  56. Re: Script for MDS log summary
    Replies: 15, Views: 509

    ok try it again. I updated the first post.
  57. Re: Script for MDS log summary
    Replies: 15, Views: 509

    sk87263 - I thought it shipped with R77.30. Maybe not. I'm adding a check for that.
  58. Re: Script for MDS log summary
    Replies: 15, Views: 509

    Do you have CPLogInvestigator on your system? If not can you install it? If you do can you show the output of cma-192.168.1.10-logs.txt?
  59. Re: Script for MDS log summary
    Replies: 15, Views: 509

    hmm i think that's because bash doesn't support float or one of those numbers might be coming up zero.

    Can you run bash -x script?
  60. Re: Script for MDS log summary
    Replies: 15, Views: 509

    And before you ask, yes, i did in fact write that sed statement and for sure did not look that up on google at all.

    Not... at ... all.
  61. Script for MDS log summary
    Replies: 15, Views: 509

    Hi I made this .. um... wonderful script to give me some worst case numbers for an R77.30 MDS based on how many logs were in the system. Shows highest number of logs per day per CMA.

    #!/bin/sh...
  62. Re: BGP routes showing hidden and inactive on CP 1490 with version R77.20.60

    Could also be a static route is being taken over bgp. Just throwing some ideas out there.
  63. Re: BGP routes showing hidden and inactive on CP 1490 with version R77.20.60

    can you show the output of the show bgp peer x.x.x.x received-routes and show route all?

    Just wondering if maybe the next hop isn't set correct?
  64. Re: Openstack?
    Thread: Openstack?, by jflemingeds
    Replies: 5, Views: 723

    ok so i found a deployment project that seems to be pretty good. I've done a multi node deployment multiple times and it seems to work pretty well.

    Kolla-ansible -...
  65. Re: Domain Objects in R80.10 and above - sk120633

    My guess is what they are saying is existing domain objects (We're talking upgrade here) will not be converted to FQDN mode. Also I would assume the gateway needs to be running R80.10 as well.
  66. Re: Can anyone try give some logical understand to this!!

    Not sure if this works for a debug or not, but you can try this to get more info.

    export TDERROR_ALL_ALL=5 ; ips off >& ~/output.txt

    then look at output.txt in home dir. Might be a lot of data...
  67. Re: VSX - Virtual Systems not sending logs to MDS

    Haven't played with vsx enough to know but do all vs log from the same address or does each vs log from a different ip?

    If they are different I would check netstat -anp | grep 257

    See if the...
  68. Re: R80.10 in VMware
    Replies: 25, Views: 1,115

    Ooh a cli wizard. Yeah just stop doing it that way. It's error prone and you can't save your answers oh and it's slow. Use the template and don't look back.
  69. Re: R80.10 in VMware
    Replies: 25, Views: 1,115

    Not sure what I'm missing but you do not have to use the webui for the first time wizard.
  70. Re: R80.10 in VMware
    Replies: 25, Views: 1,115

    Of vsx ?
  71. Re: SIP - the other side of one of the fences

    In this case asterisk has a work around for dealing with sip and nat without alg. As I said before everything started working once sip inspection was disabled. Src nat is a hide and dst is static nat...
  72. Re: R80.10 in VMware
    Replies: 25, Views: 1,115

    I'm not following the bit about being required to use the webui.
  73. SIP - the other side of one of the fences

    </rant>
    So i've been spending a lot of time with SIP on Cisco ASA routers. What i have to report is that the other side of this fence is not all green grass. It's full of all the same brown crunchy...
  74. Re: PPPoE problem
    Replies: 12, Views: 463

    should be like this.
    fw_clamp_tcp_mss=1

    But that file is only read on boot up. Did you possibly reboot after policy install?

    Need to understand if it's going back to zero after policy install...
  75. Re: PPPoE problem
    Replies: 12, Views: 463

    is it setting back to 0 after a policy push? BTW i'm guessing you did but did you also set that in the fwkern.conf?
  76. Re: Hotfix Info - Embedded GAIA - 1100
    Replies: 1, Views: 625

    Gaia embedded doesn't support patches. You might get a one off binary with instructions on how to install. By far however what you will get is a new install binary. The way you can track this is with...
  77. Re: R80.10 in VMware
    Replies: 25, Views: 1,115

    Well, really you can just find the commands. The whole system is just shell script so all the heavy lifting is done with external commands. I think you can take it down to a single command or to....
  78. Re: dbedit rule id syntax
    Replies: 3, Views: 153

    9 rule headers. Difference right now is 16 (or 15 i'm guessing rule base is off by 1?) I have 1 disabled rule as well. Still not enough. :/

    implied rules blast way past that number.
  79. dbedit rule id syntax
    Replies: 3, Views: 153

    Does anyone know the logic behind the rule id of a dbedit script for adding/removing objects from src/dst of rules?

    If i try to add/edit rule 119 as shown in dashboard the changes go in 103 (or...
  80. Re: R80.10 in VMware
    Replies: 25, Views: 1,115

    You've been able to config a firewall without webui for a very long time.

    config_system is the latest way for R77.30. Haven't tried R8x.
  81. Re: Help on understanding why cant do nothing on the fw Virtual systems

    From expert can you run
    echo $SHELL
    export
    source /etc/profile
    export
  82. Re: HA Upgrades in 1490 appliances
    Replies: 1, Views: 157

    Sure would be nice if someone knew how to run these under kvm-arm.

    So upgrade logs are stored in /logs. I'd look there first. Maybe that will uncover some clues.
  83. automatic restore of P1 backup
    Replies: 1, Views: 556

    FYI i have script setup to do an automatic restore of a full P1 environment (hurray open server!). The script ssh()es to the backup server, starts a tar -zxvf of the backup, pipes the stream of the...
  84. Re: Changing users authentication method en masse

    be sure to report back how things go.
  85. Re: legacy client auth connectivity HTTPS
    Replies: 4, Views: 275

    I think you need to get more information about what encryption or hash method is making things angry, then disable it and generate a new cert.

    Just a guess sk106478 might be a good place to start....
  86. Re: Changing users authentication method en masse

    Damn it man, save those wrists!

    Step 1 - restore backups into lab that has working radius and secureid
    Step 2 - dump user database
    #if p1 don't forget to mdsenv into said CMA.
    fwm dbexport -f...
  87. Re: Operation Memory Clean up is needed.
    Replies: 11, Views: 473

    I'm confused as to what savedb even does. I just ran through creating some objects using dbedit and didn't issue a savedb and everything showed up where i expected. I've also looked at other examples...
  88. Re: legacy client auth connectivity HTTPS
    Replies: 4, Views: 275

    Are you using the default vpn cert that the gateway generates or are you using your own?
  89. Re: OSE problems
    Replies: 1, Views: 609

    Well.. so brute force method going forward.

    awk -F'[,]' '/,ose,/ {print "create host_plain ose2rtr_"$1"\nmodify network_objects ose2rtr_"$1" ipaddr "$3; if ($9){ print "modify network_objects...
  90. Re: Export SmartDashboard objects to a text file

    yupers, it will convert .C to .CSV
  91. Re: Freezes/Lock-Out on our firewall that have CP puzzled.

    Start a new thread and run the commands requested.
  92. OSE problems
    Replies: 1, Views: 609

    So i've got 99 OSE problems and a host object isn't one of them. Well.. really it's more like almost 800.

    Anyone know of a black magic dbedit script or.. really anything.. to convert OSE objects...
  93. Re: Operation Memory Clean up is needed.
    Replies: 11, Views: 473

    ack.. yeah VSX doesn't support db revisions. You would think checkpoint would alarm or warn when creating and not restoring.

    I would not mess with anything further and contact support. Grab that...
  94. Re: Operation Memory Clean up is needed.
    Replies: 11, Views: 473

    Is this part of the demo CMA you turned up in the other thread? I guess if you're worried you could restore the database revision. I would do a savedb more than just once at the end. Like maybe every...
  95. Re: SQLNET and NAT
    Replies: 12, Views: 655

    What service is showing in the logs and what does that service show in the advanced section for protocol? abusharif pointed out the sqlnet2 inspection should support sqlnet redirect based on the...
  96. Re: Checkpoint to Fortigate IPSEC tunnel (SPIs being deleted)

    So does that mean that normal setting for Vpn tunnel on fortinet is 0.0.0.0/0 for proxy id and you changed from that default to something like Vpn tunnel per subnet pair?
  97. Re: Traffic not going through the VPN tunnel

    Just a guess but does the non working host have a NAT rule? If so sounds like you need a no NAT to work around that.

    If that's not the case then we need more info. Are you seeing the packet hit the...
  98. Re: Anyone interested in scientific research?

    I assume you'll be documenting this endeavor?
  99. Re: Freezes/Lock-Out on our firewall that have CP puzzled.

    There has been a lot of discussion (Well maybe not a lot) about changes that would be helpful for this forum and this thread pretty much encompasses everything I've brought up.

    Just a quick...
  100. Re: Freezes/Lock-Out on our firewall that have CP puzzled.

    Can you disable the domain object for a period of time? It might help zero in on root cause.
Results 1 to 100 of 500