CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.

Tim Hall has done it again! He has just released the 2nd edition of "Max Power".
Rather than get into details here, I urge you to check out this announcement post.
It's a massive upgrade, and well worth checking out. -E



Type: Posts; User: slowfood27


  1. Re: Any recommendations for dual 10GBASE-T adapters?

    First of all, it needs to be supported by Check Point. So you want to consult the relevant compatibility list at https://www.checkpoint.com/support-services/hcl/
  2. How to count number of objects in group

    What is the easiest way to count the number of objects in a Group (R77.30)?
  3. SmartEvent like look for Logs and Monitor

    Is there a way to customize the General Overview of "Logs and Monitor" in R80.10 that it looks like the R77.30 SmartEvent Overview --> View --> All
  4. Re: RCV Overruns on bond interface

    many thanks for your quick response.
    Here we go:
    [Expert@1100prfw101:0]# ethtool -S eth2-07
    NIC statistics:
    rx_packets: 2186714449
    tx_packets: 2028555817
    rx_bytes: 2003239137553
  5. Re: RCV Overruns on bond interface

    in the meantime we have this situation:

    netstat -ni
    Kernel Interface table
    Mgmt 1500 0 40148390 ...
  6. Re: RCV Overruns on bond interface

    Don't be misled by the much higher number of packets on eth2-08 compared to eth2-07. eth2-08 was the single physical IF before we introduced the bond interface. And we did not reset or...
  7. Re: Not able to find vpnd.elg file through WINSCP

    The vpnd.elg file is located on the Firewall module in $FWDIR/log
    However, when you log in via WINSCP, you don't have the local environment.
    Then you find the *.elg file in /opt/CPsuite-R77/fw1/log
  8. Re: RCV Overruns on bond interface

    The Load Balancing Method is default (Layer 2)
    The physical interfaces in bond1 are eth2-07 and eth2-08.
    If we compare the number of packets on both physical interfaces for the last 24 hours, we...
  9. Re: S2S VPN is getting disconnected frequently

    Go to $FWDIR/log on both firewalls and perform the following commands:

    vpn debug on
    vpn debug ikeon

    Let the debug run for some time and check if the file $FWDIR/log/ike.elg is growing.
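
The procedure above as a script, added here as an example; it is not part of the post. The `vpn debug on`, `vpn debug ikeon` and the matching `vpn debug ikeoff` / `vpn debug off` lines are Check Point commands that only exist on a gateway; the growth check is plain sh and can be tried on any file. The log path is the one the post names; the wait interval is an assumed parameter.

```sh
# Added example, not from the post. The `vpn debug ...` lines are Check Point
# commands and only exist on a gateway; file_grew is plain sh and is what
# answers "is ike.elg growing?" without eyeballing ls -l twice.
file_grew() {   # usage: file_grew FILE SECONDS -> exit 0 if FILE got bigger meanwhile
    before=$(wc -c < "$1" 2>/dev/null); before=$((before + 0))   # missing file counts as 0 bytes
    sleep "$2"
    after=$(wc -c < "$1" 2>/dev/null);  after=$((after + 0))
    echo "$1: $before -> $after bytes"
    [ "$after" -gt "$before" ]
}

vpn_debug_capture() {   # usage: vpn_debug_capture SECONDS   (run it on both gateways)
    log="${FWDIR:?FWDIR is not set, run this from a Check Point shell}/log/ike.elg"
    vpn debug on       # vpnd debug -> $FWDIR/log/vpnd.elg
    vpn debug ikeon    # IKE trace  -> $FWDIR/log/ike.elg
    if file_grew "$log" "$1"; then
        echo "ike.elg is growing: an IKE negotiation is taking place, read it with less or IKEView"
    else
        echo "ike.elg did not grow in $1 s: no IKE traffic reached this gateway, check the peer side too"
    fi
    vpn debug ikeoff   # switch debug off again; the .elg files grow quickly on a busy gateway
    vpn debug off
}
```

Run it on both gateways at the same time (for example `vpn_debug_capture 120` while the tunnel is expected to renegotiate). If ike.elg grows on one side only, the IKE packets are not arriving at the other gateway and the problem is on the path, not in the VPN configuration.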

  10. RCV Overruns on bond interface

    On a clustered 15400 Appliance (R77.30 hfa 312), on the external interface eth2-08 we observed a receive overrun rate of 0.008 percent. The interface run at 1 Gbps speed and is connected to a Cisco...
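
The 0.008 percent quoted here is receive overruns divided by received packets. The following is an added example, not part of the thread: a sh function that computes that percentage from `ethtool -S` output, so both bond members can be compared with the same yardstick. The counter name rx_over_errors is an assumption (most Linux NIC drivers call receive overruns that; `ethtool -S` on the box shows the real name, and it can be passed as an argument), and the sample statistics are constructed.

```sh
# Added example, not from the thread. Usage on a gateway (expert mode):
#   ethtool -S eth2-07 | overrun_pct
#   ethtool -S eth2-08 | overrun_pct rx_fifo_errors   # if your driver names the counter so
overrun_pct() {   # reads `ethtool -S` text on stdin, prints overruns as % of rx_packets
    awk -v stat="${1:-rx_over_errors}" '
        { sub(/:/, "", $1) }                  # "rx_packets:" -> "rx_packets"
        $1 == "rx_packets" { pkts = $2 }
        $1 == stat         { ovr  = $2 }
        END {
            if (pkts == 0) { print "n/a"; exit 1 }   # no rx_packets line, or no traffic yet
            printf "%.3f\n", 100 * ovr / pkts
        }'
}

# Constructed sample in the shape of the ethtool output posted in this thread;
# the overrun count is made up so that it reproduces the 0.008 % quoted above.
sample_stats() {
    cat <<'EOF'
NIC statistics:
     rx_packets: 2186714449
     tx_packets: 2028555817
     rx_bytes: 2003239137553
     rx_over_errors: 174937
     rx_fifo_errors: 0
EOF
}
```

Run it against each bond member. NIC counters are cumulative since the last reset, which is why, as the reply further up in this listing says, eth2-08's raw packet count is not comparable to eth2-07's; the percentage is. A member whose percentage rises when you rerun the check a minute later is the one to look at (ring size with `ethtool -g`, and the port counters on the Cisco side).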
  11. Set default shell for Radius users according to Radius attribute

    Is there a way to set the default shell on Gaia for a group of Radius users to /bin/bash, while another group of Radius users would get /bin/clish
  12. Migrate external Interface to bond interface on production environment

    I need to migrate the external interface of an active/standby cluster (R77.30) in a production environment to a bonded interface.
    What would be the recommended steps to keep downtime at a minimum?
  13. Re: IKE Phase 2 Quick mode VPN encryption domain matching process

    Thx for your replies, that's clear so far.

    What is the decision process on the local CP Gateway?
    On one side, we have the source IP of the encryption rule, on the other hand we have the entries...
  14. Re: Policy installation takes long time

    Blocking individual IP addresses does not help prevent attacks from botnets, since you will never be fast enough to adapt to their dynamics.
    A properly designed security policy combined with the...
  15. IKE Phase 2 Quick mode VPN encryption domain matching process

    How does the IKE quick mode negotiation process for the encryption domain work in detail on a Check Point Gateway (R77)?

    Let's take the following example:

    The encryption domain for the local...
  16. Re: How to verify CPAP-SG5600-NGTX-SSD install SSD ?

    from the Console in expert mode do a "dmesg | grep Vendor"
  17. Re: Blink - Full gateway installation in 5 minutes

    And it's really fast ...

    Since the WebGUI CPUSE-based installation of the HFA 302 failed on a member of a production cluster (could not uninstall HFA 216), we decided to re-install that gateway...
  18. bootp packets no longer forwarded

    We observe a weird behaviour on a VRRP Cluster (R77.30, HFA 302) in the sense that bootp packets generated by Wireless Clients are no longer forwarded.
    The cluster gets the bootp packets from a...
  19. Re: Blink - Full gateway installation in 5 minutes

    First suggestion would be: Provide a version in combination with the ISOmorphic tool. The actual usage of blink requires copying the blink images and the blink utility (plus an optional answers.xml)...
  20. Re: Blink - Full gateway installation in 5 minutes

    In the meantime I used the blink mechanism twice with the same kit:
    blink.tgz MD5 44439258b2692912fecff1be4a74a15b
    blink_image_1.0_Check_Point_R77.30_GA_SHA2_T3_Jumbo_T292.tgz MD5...
  21. ingress/egress on same interface

    I have to migrate rules from another firewall vendor, where the packet leaves the firewall on the same interface (egress interface) as it has entered the firewall (ingress interface).
    As far as I...
  22. config_system: command not found

    Just re-imaged a 12400 to R77.30 Jumbo take 292 using the blink mechanism, did the initial configuration and modified some system configs.
    Now I want to clear the whole gaia config using the...
  23. Re: Smart Dashboard login issue R77.30 open server.

    Make sure that you enable your GUI Client in cpconfig:

    [Expert@yourMgmtServer:0]# cpconfig
    This program will let you re-configure
    your Check Point Security Management Server configuration.

  24. Re: SSH Access to Gateway works only on Mgmt interface

    Got it finally, the listen address in the sshd_config file needs to be commented out:

    ListenAddress --> does not work

    #ListenAddress --> does work
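
Commenting ListenAddress out makes sshd bind to every address on the box, not only the Mgmt one; from then on, which interfaces can reach port 22 is decided by the firewall policy and implied rules alone. As an added example, not part of the thread, here is a sh function that prints the addresses a given sshd_config will make sshd listen on, applying sshd's own default (all IPv4 and IPv6 addresses) when no active ListenAddress is left, plus a yes/no check on top of it. The path /etc/ssh/sshd_config and the sample configs are assumptions.

```sh
# Added example, not from the thread.
sshd_listen_addrs() {   # usage: sshd_listen_addrs [sshd_config] -> bind addresses on one line
    cfg="${1:-/etc/ssh/sshd_config}"
    # Only uncommented directives count; "#ListenAddress x" is exactly what the post disabled.
    # sshd matches keywords case-insensitively, so do the same.
    addrs=$(awk 'tolower($1) == "listenaddress" { print $2 }' "$cfg")
    if [ -z "$addrs" ]; then
        echo "0.0.0.0 ::"          # sshd default when no ListenAddress is set: every address, v4 and v6
    else
        printf '%s\n' "$addrs" | tr '\n' ' ' | sed 's/ $//'
    fi
}

ssh_reachable_everywhere() {   # usage: ssh_reachable_everywhere [sshd_config] -> exit 0 if sshd binds all interfaces
    case " $(sshd_listen_addrs "$1") " in
        *" 0.0.0.0 "*|*" :: "*) return 0 ;;
        *) return 1 ;;
    esac
}
```

Confirm against the running daemon with `netstat -anp | grep :22` as in the follow-up post: a socket bound to 0.0.0.0:22 is the state after the fix, one bound to the Mgmt address only is the state before it. If ssh is meant to stay reachable on the Mgmt network only, keep the ListenAddress line instead and restrict the remaining interfaces in the policy as well.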
  25. Re: SSH Access to Gateway works only on Mgmt interface

    It's a new 15400 cluster running standard fw and R77.30 Jumbo Take 292

    Here is some more stuff:
    [Expert@mygateway:0]# netstat -anp | grep :22
    tcp 0 0 ...
  26. SSH Access to Gateway works only on Mgmt interface

    Just replaced a 12400 Cluster with new 15400 HW.
    All is fine, except that the cluster member accept ssh connection only on the Mgmt interface.

    When I log in to the gateway and try to do a local...
  27. Re: Weird drop on accept rule

    The protocol type was set to MMS, this is also indicated in the zdebug output.
  28. Re: Weird drop on accept rule

    Problem solved: The UDP service had a non-matching protocol type assigned. Set Protocol type to none
  29. Re: Weird drop on accept rule

    Here is the debug output:

    ;[cpu_5];[fw4_0];fw_log_drop_ex: Packet proto=17 -> dropped by fw_conn_post_inspect Reason: Handler 'mms_code' drop;

    What is the...
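
The useful part of that `fw ctl zdebug` line is the function that dropped the packet (fw_conn_post_inspect) and the reason (Handler 'mms_code' drop), which is what pointed at the wrong protocol type on the service. As an added example, not from the thread, here is a sh function that boils a whole drop capture down to one line per (function, reason) pair with a count, so a long capture from a busy gateway becomes readable. The sample lines are constructed in the shape of the one the post shows.

```sh
# Added example, not from the thread.
zdebug_drop_summary() {   # reads zdebug drop lines on stdin, prints "count<TAB>dropped-by<TAB>reason", most frequent first
    awk '
        /dropped by/ && /Reason:/ {
            fn = $0; sub(/.*dropped by +/, "", fn); sub(/ +Reason:.*/, "", fn)   # e.g. fw_conn_post_inspect
            rs = $0; sub(/.*Reason: */, "", rs);   sub(/; *$/, "", rs)           # e.g. Handler '"'"'mms_code'"'"' drop
            count[fn "\t" rs]++
        }
        END { for (k in count) printf "%d\t%s\n", count[k], k }
    ' | sort -rn
}

# Constructed sample: same shape as the line in the post, values made up.
sample_zdebug() {
    cat <<'EOF'
;[cpu_5];[fw4_0];fw_log_drop_ex: Packet proto=17 -> dropped by fw_conn_post_inspect Reason: Handler 'mms_code' drop;
;[cpu_2];[fw4_1];fw_log_drop_ex: Packet proto=17 -> dropped by fw_conn_post_inspect Reason: Handler 'mms_code' drop;
;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=6 -> dropped by fw_handle_first_packet Reason: Rulebase drop;
EOF
}
```

Capture briefly and with a filter, since zdebug is expensive on a production gateway: `fw ctl zdebug + drop | grep <client ip> > /tmp/drops.txt`, Ctrl-C after a few seconds, then `zdebug_drop_summary < /tmp/drops.txt`. A reason naming a rule points at the rulebase; a handler drop like the one above points at the service or protocol definition, as it did here.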
  30. Re: Something weird with VPN

    When you upgrade to a cluster, be aware that the certificate is now issued to the cluster object, not to the individual cluster member nodes.
    There is maybe an older node-based cert causing trouble.
  31. Weird drop on accept rule

    In SmartView Tracker we get a weird drop on an accept rule.

    The rule looks as follows:

  32. Re: Database Revision Ques

    Well understood, and fits perfectly to my needs.
    Remember that we talk about "old" gw HW and "new" gw HW. When we do the SIC reset, it because of the new gw HW. On the old gw HW, we do no SIC-reset,...
  33. Re: Database Revision Ques

    Just to be sure, a DB revision saves the SIC trust as well. So if I create a DB revision, then perform a SIC reset (because I changed the HW), and then I have to roll back for some reason to my old HW,...
  34. Poll: Re: "Group With Exclusion" in firewall rules

    A group with exclusion (let's say Group-A) is built from 2 other groups, where Group-A = Group-B minus Group-C.
  35. Benefits of enabling acceleration NAT templates

    sk71200 states that "Using SecureXL Templates for NAT traffic is critical to achieve high session rate for NAT". In contrast, SecureXL templates for NAT are disabled by default.

    What benefits or...
  36. Re: Multicast over GRE

    The GRE-Tunnel is completely transparent to the Firewall. However, since both routers (Tunnel Endpoints) can start a communication, you must make sure that your firewall rule allows true...
  37. Re: Eliminate non-UTF-8 encoded chars

    Yes, these commands make much more sense and let you easily correct the database.
    BTW: The sem_fw_policies and sem_network_objects are indeed related to SmartEvent. I did a db re-sync according to...
  38. Re: CP SMS upgrade question

    Yes, correct. And it's always a good idea to create a backup prior to upgrade (VMware snapshot, Gaia snapshot, etc.)
  39. Re: Eliminate non-UTF-8 encoded chars

    [Expert@fwmgmt:0]# grep -e $'^\t\t: (' -e comment $FWDIR/conf/objects_5_0.C | grep -e ": (.*" -e "comments (.*" -o | grep -e [[:cntrl:]] -e "["$'\x80'"-"$'\x9F'"]" -e ": (.*" | grep comments -B 1...
  40. Eliminate non-UTF-8 encoded chars

    The report of the pre_upgrade_verifier reports:

    To create a working environment, the errors must be fixed
    Objects with non-Unicode characters

    The database contains...
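
An added example, not the poster's grep: a sh function that lists the lines of objects_5_0.C carrying a byte outside printable ASCII (control characters, or anything 0x80 and above, which covers the 0x80-0x9F range the one-liner in this thread looks for as well as Latin-1 umlauts, which R77 stores as single high bytes) and names the object each hit belongs to, so you know what to fix in the GUI. It forces the C locale so awk sees bytes rather than characters and needs no $'\x80' quoting. Layout assumption: an object starts with a line matching `<tabs>: (name`, as the poster's grep also assumes; the sample file is constructed.

```sh
# Added example, not from the thread.
find_non_ascii() {   # usage: find_non_ascii FILE -> "line: object <name>: text" per hit; exit 0 if any found
    tab=$(printf '\t')
    LC_ALL=C awk -v tab="$tab" '
        BEGIN { bad = "[^ -~" tab "]"; n = 0 }           # anything but printable ASCII and TAB
        $0 ~ ("^" tab "*: \\(") {                        # "\t\t: (objname" opens an object
            obj = $0; gsub(tab, "", obj); sub(/^: \(/, "", obj)
        }
        $0 ~ bad { n++; printf "%d: object <%s>: %s\n", FNR, obj, $0 }
        END { exit (n == 0) }                            # like grep: exit 0 means something was found
    ' "$1"
}
```

On the management server: `find_non_ascii $FWDIR/conf/objects_5_0.C`. Edit the named objects in SmartDashboard rather than the file, then rerun until it exits 1; pre_upgrade_verifier then has nothing left to complain about on this point.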
  41. SmartEvent gone in R80

    SmartEvent is a very useful tool when you're dealing with IPS and Antibot Blades. Its functionality has obviously not been ported to R80.*, which makes R80.10 much less valuable for our operation...
  42. Re: Is there a way to automatically delete backups older then x days?

    I have written a script which copies the backup files to an archive server and deletes the local backups, while keeping a selectable number of copies.
    Drop me a PM if you are interested
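
What the reply describes, written out as an added example so it can be read here instead of asked for by PM; it is not the poster's script. Assumptions: Gaia backups live in /var/log/CPbackup/backups, file names contain no newlines, the archive host accepts scp with key authentication already set up, and the newest files are the ones with the newest modification time.

```sh
# Added example, not the poster's script.
prune_backups() {   # usage: prune_backups DIR KEEP -> deletes all but the KEEP newest *.tgz in DIR
    dir=$1; keep=$2
    # ls -t orders by modification time, newest first; everything after the first KEEP goes
    ls -1t "$dir"/*.tgz 2>/dev/null | tail -n +"$((keep + 1))" |
    while IFS= read -r f; do
        rm -f -- "$f" && echo "removed $f"
    done
}

archive_and_prune() {   # usage: archive_and_prune DIR KEEP USER@HOST:/archive/dir
    dir=$1; keep=$2; dest=$3
    for f in "$dir"/*.tgz; do
        [ -e "$f" ] || continue
        # copy every file first and prune only when all copies succeeded, so a failed
        # transfer never leaves fewer backups than there were before
        scp -q "$f" "$dest/" || { echo "copy of $f failed, keeping all local backups" >&2; return 1; }
    done
    prune_backups "$dir" "$keep"
}

# e.g. from cron (entered via clish, see the cron thread further down this listing):
#   archive_and_prune /var/log/CPbackup/backups 3 backup@archive.example.net:/srv/cpbackups
```

Two things to keep in mind: the archive copy contains the full Gaia and policy configuration, so the archive host and the scp key need the same protection as the management server itself, and a backup that was never copied anywhere is still counted by prune_backups, which is why the copy loop aborts before pruning on the first failure.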
  43. Re: Migrating from VRRP Cluster to Load Sharing ClusterXL

    Firewall Clustering should always happen due to availability and redundancy, and never due to performance reasons. If performance is an issue, there is always a box big enough to handle the traffic.
  44. hitcount update again

    We manage 3 Check Point Clusters (all R77.30 Take 216) from a SmartCenter. From time to time, the hitcount in SmartDashboard stops increasing. This is true for only one (the biggest) of the 3...
  45. Re: Delete old tgz files from /var/log/CPda ?

    The CPDA is the repository where CPUSE stores its updates. I strongly discourage you from deleting anything in there.
  46. Re: Newbie Question - What Does Prob Stands For?

    prob stands prob(ably) for "probing"
  47. Site-to-Site VPN with dual homed 3rd party

    We should build a site to site VPN from a single homed CP R77.30 gateway to a dual homed 3rd party gateway. The VPN should automatically fail over if the primary IP of the 3rd party gets unavailable....
  48. Re: Hitcount does not increase when rule has a time object

    Lucky loser, we have got Tufin ;-)
  49. Re: Hitcount does not increase when rule has a time object

    Hm, we noticed that the hitcounts of other rules were NOT correct either.
    Most, but not all of the rules did not display the actual hitcount data. many of the hitcounts were 2-3 days behind.
  50. Re: Packets are being dropped even after successful phase 2 SA

    What does the error message on FW2 exactly say, when the packet is dropped?
  51. Re: Hitcount does not increase when rule has a time object

    No, due to the following reasons
    - This is a production environment, which needs approval by CAB to install a new hotfix
    - The problem is not that big that it's worth the effort
    - Hotfix 272 (and...
  52. Hitcount does not increase when rule has a time object

    Added a new rule at the end of the policy (R77.30 take 216) with a time object.
    Although the rule matches traffic, the hitcount stays at zero and never increases.
    The object has a time object with...
  53. What rules for DHCP server are required

    R77.30 gateway acts as a DHCP server. Clients get their IP address when no policy is loaded on the gateway.
    As soon as the policy is loaded, clients no longer get an IP address.
    What minimum policy...
  54. Microsoft Azure acting as C&C?

    This morning, a bunch of Antibot Events popped up saying that the Anti-bot Blade prevented communication with a C&C site. The protection name is Operator.Trickbot.dh.
    Reverse Lookup shows...
  55. SmartEvent GUI Window has minimum size

    All Smart*** GUI Windows can be manually adjusted to any size, except the SmartEvent GUI window, which refuses to shrink below a certain size.
    Is this a feature or a bug?
  56. Re: How to convert traditional mode VPN policy to simplified mode VPN policy


    This is one of the nasty "features" of simplified mode, that VPN is always preferred over any other rule, where source and destination match.
    To get the stuff running, we had to add an...
  57. Re: How to convert traditional mode VPN policy to simplified mode VPN policy

    After converting the policy from traditional to simplified mode, we run into a weird problem we didn't have before.

    We have a site to site VPN with HPE, and its encryption domain consists of a...
  58. Re: Tool to add DHCP reservations easy

    What was the question?

    If you're looking for a professional, standalone IPAM tool you might look at Infoblox
  59. Re: Smartcenter CA is not running

    See sk33224
  60. Re: How to convert traditional mode VPN policy to simplified mode VPN policy

    It means that you cannot encrypt everything within your community. Before the VPN tunnel is established (or needs to be re-established) the 2 gateways need to exchange the relevant parameters using...
  61. Re: How to convert traditional mode VPN policy to simplified mode VPN policy

    Thanks folks for your input
    The policy is now converted and clean, it will go live soon
    The problems we had were caused by 2 elements:

    A partners encryption domain overlapped with internal...
  62. Re: How to convert traditional mode VPN policy to simplified mode VPN policy

    While testing the new, converted policy we had some side effects we can't explain.
    We have all site to site VPN rules at the top of the policy.
    Somewhere further down, we have the following rule:
  63. does gaia support Socks proxy

    Does Gaia R77.30 support the use of ssh option "ProxyCommand"
  64. Re: Is it possible to filter firewall ip by subnet

    SmartView Tracker filter accepts a subnet mask length, e.g.
  65. Re: Exporting Objects from Management Server

    might help
  66. How to emergency shut down a specific VPN

    Consider the case you have several Site-to-Site VPNs, and on a specific VPN you see that you receive malware.
    What is the fastest way to shut down that specific VPN?
  67. Re: How to export single domain from MDM to SMS

    And yep, this was the exact reason. We needed to re-name the new SmartCenter due to legal issues, since one financial company was bought by the other ;-)
  68. Re: How to export single domain from MDM to SMS

    The attached Doc might help

  69. Re: Site to Site VPN (Source and Destination NAT)

    A drawing might help
  70. traditional mode VPN still supported in R80.10?

    The R80.10 release notes state that the "traditional to simplified VPN mode conversion" is not supported. Does this mean, that traditional mode VPNs are no longer supported as well?
  71. Re: SmartCenter http to unknown AKAMAI Server

    Got it
    > sigcheck.checkpoint.com

    Non-authoritative answer:
    sigcheck.checkpoint.com canonical name =...
  72. SmartCenter http to unknown AKAMAI Server

    We notice from the log files, that our SmartCenter (R77.30 Take 216) periodically tries to connect directly to external hosts and via http. These destinations are...
  73. Re: SecureXL randomly turned off

    Last week we installed HFA 216 on top of R77.30, since then, the problem has not been reproduced
  74. Re: How to get complete config with Tacacs server keys with clish ?

    When working with passwords, PSKs and other keys, it's usually a good idea to store them centrally in a safe place.
    I'm sure you did that, didn't you?
  75. Re: Replacing Bluecoat with Check Point

    Check Point's URL Filtering and Application Control functions are not as powerful as those of specialized manufacturers such as Bluecoat or McAfee Web Gateway (amongst others).
    The Check Point...
  76. Re: IPSO Cluster cphaprob -a if missing cluster interface

    Just getting the interfaces is not enough, you need to define the virtual Cluster Interface in the Topology manually
  77. Re: SecureXL randomly turned off

    Hm, the SKs described above do not seem to match.
    I just installed the policy, and again, fwaccel was turned off.

    The proposed commands show:

    [Expert@test:0]# fwaccel test -v -stat
  78. Re: SecureXL randomly turned off

    After carefully watching our environment we can state the following:

    1. SecureXL is definitely turned off when, and only when a policy is installed
    2. SecureXL is NOT ALWAYS turned off when a...
  79. SecureXL randomly turned off

    2 Node 12400 Cluster with vrrp
    Blades: Firewall, ClusterXL, IPSec VPN, Qos
    R77.30 JHFA 185
    SecureXL enabled

    For a couple of days now, we have noticed that the CPU time of the active node...
  80. Convert externally managed Check Point gateway to internally

    Is there a way to convert an "Externally Managed Check Point Gateway" to a "Check Point Gateway", meaning internally managed by my SmartCenter.
    Maybe using guidbedit?
  81. Re: R77.30 Jumbo HFA 216 not seen in installer

    Issue resolved

    The wonderful damned Clish output is not able to show the full line of information, since it shows just "Jumbo Hotfix Accumulator General Availability ...":

    test> show installer...
  82. Re: R77.30 Jumbo HFA 216 not seen in installer

    Thanks mate for your support.
    Unfortunately, the recommended actions did not change anything. I still do not see the newly imported package.
    I do not even see the latest HFA 185, which is actually...
  83. Re: R77.30 Jumbo HFA 216 not seen in installer

    How the installer sees its DB:

    test> show installer status
    Agent: enabled
    Build number: 1272 (agent build is up to date)
    Network connection: connected
    Update from cloud: ...
  84. R77.30 Jumbo HFA 216 not seen in installer

    Imported the Jumbo HFA 216 successfully using installer, but "show installer packages imported" does not list the new HFA package.
    trying to re-import fails, with error "package already imported"...
  85. Re: Migrate VPN from IKEv1 to IKEv2

    And did I get this right that IKEv2 is NOT SUPPORTED with traditional VPN mode?
  86. Re: VPN Intermittent Issues losing access to certain VLANs in remote site?

    Subnet negotiation Failures in Phase 2 are quite common.
    Be aware that the encryption domain definition MUST match exactly at both ends. Check Point does by default supernetting of adjacent...
  87. How to start the portmapper

    In order to mount an NFS remote share, we need to run the portmapper on the local Gaia system.
    How can we start it?
  88. Active connection enters Bandwidth limitation window, what happens in terms of QoS

    When we configure QoS in the way that connections using a specific Service are limited to a maximum bandwidth during office hours, but can use unlimited bandwidth during the night.
    Let's say a backup...
  89. Log admin login type ReadOnly

    Is there a way to determine what type of login was performed by Check Point Admins? ReadWrite or ReadOnly.
    If we have a look in SmartView Tracker --> Management, we see that the admin has logged in, but...
  90. Re: cron is not working with R77.30 JHFA 205

    So you say that it isn't even started? Any log entries in /var/log/messages which might help?
  91. Re: cron is not working with R77.30 JHFA 205

    As the script states, you should not edit crontab, but enter the job definition in clish. Did you?
  92. No HA Licensed Appliance > 5900

    In the Appliances price list you can order a HA Configuration, consisting of a Primary (100% price) and a HA (80 % price) Appliance, but only up to the 5900 Series.
    For all bigger appliances, the HA...
  93. Re: Office365 IP addressing alternatives

    Since all Office 365 traffic is SSL encrypted (https), how can the Application Control Blade recognize that it's Office 365 traffic?
  94. Re: Where does SmartView Monitor store custom views

    Problem solved
    the Check Point User needs full admin privs in order to be able to "Write" to disk when storing a view
  95. Where does SmartView Monitor store custom views

    On a monitoring Desktop we use SmartView Monitor to display the status of our gateways on a big screen.
    We use a local windows user (secmonitor) to run the SmartView GUI.
    We customize our view and...
  96. Re: R77.30 migration from SPLAT to GAIA

    I would strongly recommend migrating both the SmartCenter AND the Cluster to Gaia.

    The easiest way would be to build a complete new, isolated infrastructure consisting of a new SmartCenter (can...
  97. Re: Question regarding Topology under host object

    If you populate the topology section of a host, you are able to use multiple IP Addresses for that object in a rule-base. Might make sense for Router objects or hosts with multiple NICs
  98. Re: Poor network performance

    Before entering the highly sophisticated level of troubleshooting your firewall it might be worth checking basic things such as network connectivity.
    Have you had a look at the Network switch...
  99. Re: Automatic Policy Push

    Basically, you need to make sure that you are in the right CMA context, and then run the command:

    fwm load <policy> <target>, where <policy> is the (case sensitive) name of the <policy>.W file,...
  100. Re: Local Encryption Domain per peer instead of local Gateway in R80.x

    Well, if it comes to troubleshooting with dozens of VPNs, you might need an answer to the question: "What subnets do I really announce to VPN peer XY". You can't answer that question specifically,...
Results 1 to 100 of 257