CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.


Tim Hall has done it yet again - That's right, the 3rd edition is here!
You can read his announcement post here.
It's a massive upgrade focusing on current versions, and well worth checking out. -E

 


Type: Posts; User: DannyW


  1. Thread: Traffic shaping

    by DannyW
    Replies
    3
    Views
    769

    Re: Traffic shaping

    The impetus for their call was that they were seeing "discards" on a few of the circuits. Sounds like they are doing hard drops for traffic over the subscription.
  2. Thread: Traffic shaping

    by DannyW
    Replies
    3
    Views
    769

    Traffic shaping

    Our MPLS provider (verizon) wants us to "shape" our traffic that goes out on the hand-off interface to their network(s).

    We have 15 locations, any-to-any mesh MPLS config. The hand-off port from...
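Shaping versus policing, as an added example that is not part of the thread: the "discards" the provider reports are what a policer does to traffic above the committed rate, while a shaper on our side of the hand-off queues the excess and releases it at the circuit's rate, so the carrier never sees an over-rate frame. The simulation below is constructed; the 10 Mbit/s rate, the bucket depth and the 20-frame burst are assumed values chosen so the arithmetic is exact, and the point is the mechanism, not the numbers.

```python
"""Shaper vs. policer on a committed-rate hand-off: constructed simulation.

Added example, not from the thread.  Rate, burst depth and the packet train
below are assumed values chosen to make the arithmetic exact (integer
microseconds, integer bits); only the mechanism is what matters.
"""
from collections import deque


class TokenBucket:
    """Classic token bucket: tokens accrue at rate_bps up to burst_bits."""

    def __init__(self, rate_bps, burst_bits):
        self.rate_bps = rate_bps
        self.burst_bits = burst_bits
        self.tokens = burst_bits      # bucket starts full
        self.last_us = 0

    def _refill(self, now_us):
        earned = (now_us - self.last_us) * self.rate_bps // 1_000_000   # bits
        self.tokens = min(self.burst_bits, self.tokens + earned)
        self.last_us = now_us

    def take(self, bits, now_us):
        """Spend `bits` tokens if available; False means 'over the rate'."""
        self._refill(now_us)
        if self.tokens >= bits:
            self.tokens -= bits
            return True
        return False


def police(packets, rate_bps, burst_bits):
    """Carrier-side policing: anything over the bucket is a hard drop.
    packets: iterable of (arrival_us, size_bits).  Returns (sent, dropped)."""
    bucket = TokenBucket(rate_bps, burst_bits)
    sent, dropped = [], []
    for arrived, size in sorted(packets):
        (sent if bucket.take(size, arrived) else dropped).append((arrived, size))
    return sent, dropped


def shape(packets, rate_bps, burst_bits, tick_us=100):
    """Our-side shaping: over-rate packets wait in a FIFO until tokens exist.
    Returns (arrival_us, departure_us, size_bits) per packet; nothing is dropped."""
    if any(size > burst_bits for _, size in packets):
        raise ValueError("burst depth smaller than a packet: it could never be sent")
    bucket = TokenBucket(rate_bps, burst_bits)
    pending, queue, departures = deque(sorted(packets)), deque(), []
    now = 0
    while pending or queue:
        while pending and pending[0][0] <= now:
            queue.append(pending.popleft())
        while queue and bucket.take(queue[0][1], now):
            arrived, size = queue.popleft()
            departures.append((arrived, now, size))
        now += tick_us
    return departures


RATE_BPS = 10_000_000        # assumed 10 Mbit/s committed rate
BURST_BITS = 50_000          # assumed bucket depth (about four 1500-byte frames)
# Constructed: twenty 1500-byte frames (12 000 bits) arriving 100 us apart,
# i.e. a 120 Mbit/s burst offered to a 10 Mbit/s circuit.
BURST = [(i * 100, 12_000) for i in range(20)]


def demo(packets=BURST, rate_bps=RATE_BPS, burst_bits=BURST_BITS):
    sent, dropped = police(packets, rate_bps, burst_bits)
    shaped = shape(packets, rate_bps, burst_bits)
    # The shaped train re-offered to the same policer should be drop-free.
    _, re_dropped = police([(dep, size) for _, dep, size in shaped], rate_bps, burst_bits)
    return {
        "policed_sent": len(sent),
        "policed_dropped": len(dropped),
        "shaped_sent": len(shaped),
        "shaped_max_delay_us": max(dep - arr for arr, dep, _ in shaped),
        "shaped_then_policed_dropped": len(re_dropped),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With these numbers the policer passes the first four frames on the initial bucket credit, passes one more once enough tokens accrue, and discards the other fifteen; the shaper sends all twenty, at the cost of up to 17.1 ms of queueing on the last frame, and the shaped train goes through the same policer without a single discard. Latency-sensitive traffic therefore wants a separate, prioritised queue in front of the shaper rather than a place at the back of that FIFO.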
  3. Re: Internal to Internal traffic and application\url blade

    Thanks Tim, this sounded familiar, so I went back and re-read pages 184 - 191 of your book and it makes a bit more sense. I verified that "any" is not a destination in the APCL/URLF policy. If you...
  4. Internal to Internal traffic and application\url blade

    Hi everybody. We've recently made what seemed to be an innocuous change to the environment, but are now finding the unintended consequences.

    5 locations - each running R77.30. Connected via an...
  5. Replies
    3
    Views
    774

    Re: spoofing question.....

    Yep, one route - default, pointing to the provider, and they would handle site-to-site routing in addition to the internet. In the current config, I have the interface that is set to the MPLS...
  6. Replies
    3
    Views
    774

    spoofing question.....

    Hi all. R77.30 \ gaia. Distributed environment - 15 sites, each with a CP 4000 appliance cluster.

    Each site has a single port MPLS solution which provides any-to-any connectivity to all of our...
  7. Thread: QOS question...

    by DannyW
    Replies
    1
    Views
    725

    QOS question...

    Hi all - Need to prioritize some traffic in a R77.30 gaia environment.

    Environment: My gateway is using 5 interfaces for locally connected segments (all are 1G connected), and 1 interface to the...
  8. VPN drops *sometimes* when policy is pushed

    Good day all. I have an 8 location network, all connected by private, any to any MPLS. 7 of these locations connect to each other only via VPN, same community. The location where the management...
  9. Replies
    19
    Views
    1,970

    Re: VoIP question(s)

    It's a workhorse:

    enabled_blades
    fw vpn urlf av appi ips identityServer SSL_INSPECT anti_bot


    thanks
  10. Replies
    19
    Views
    1,970

    Re: VoIP question(s)

    Attached is the output of the commands. In regard to the services, sip and sip_any match port 5060. When the SIP traffic is logged, it's just showing as UDP/5080.

    thank you.

    I plan on...
  11. Replies
    19
    Views
    1,970

    Re: VoIP question(s)

    Thanks
  12. Replies
    19
    Views
    1,970

    Re: VoIP question(s)

    Thanks for your help, greatly appreciated.
  13. Replies
    19
    Views
    1,970

    Re: VoIP question(s)

    Not sure if the app itself can measure response time - will check tomorrow when we have a call with the vendor. From one of the machines in question, I did a 3-hour extended ping to the hop before our...
  14. Replies
    19
    Views
    1,970

    Re: VoIP question(s)

    1) take 225
    2) yes
    3) near side: yes, at the cloud provider:no
    4) from the near side we're not NAT'ing, at the cloud-provider side, i add a hide-NAT as they require it

    thanks
  15. Replies
    19
    Views
    1,970

    VoIP question(s)

    Good morning all.

    We've recently contracted with a cloud-based VoIP solution, and placed a private MPLS port at their facility, so all traffic to/from their location is private: Our site <-> 100M...
  16. Re: strange behavior - can't ping gateway when clustered

    Outgoing traffic is NAT'd behind gateway.

    We use VMAC on all gateways

    thx
  17. Re: strange behavior - can't ping gateway when clustered

    Turned on logging for a return connection, and sure enough it was there, and it was being dropped by the cleanup rule:

    real IP -> Comcast gateway IP ICMP accepted - rule 0
    Comcast gateway IP ->...
  18. strange behavior - can't ping gateway when clustered

    Hello all. I'm bringing up a new site, R77.30, clustered 4800 appliances. Normal infrastructure, MPLS for internal/internet, and a Comcast cable modem for VPN redundancy.

    Comcast gave me a /29...
  19. Replies
    7
    Views
    1,732

    Re: VPN issue - invalid certificate

    At the risk of going into the weeds.....

    In the certificate view, I see this under CRL distribution points: http://boogenhagen:18264/ICA_CRL5.crl
    ...
  20. Replies
    7
    Views
    1,732

    Re: VPN issue - invalid certificate

    Thanks, Tim. We use NTP to sync all the gateways, as expected, all are in perfect sync. Where do I look to find out how the CRL URL is expressed in the fw certs?
  21. Replies
    7
    Views
    1,732

    VPN issue - invalid certificate

    Had a weird issue today. All gateways are gaia, R77.30, take 225. All gateways have a single interface MPLS port which provides all internal MPLS and internet access, inbound, and outbound. Plus,...
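The CRL URL is carried inside the gateway certificate itself, in the X509v3 CRL Distribution Points extension, which is what the certificate view above is showing. As an added example, not code from the thread or from Check Point, the script below pulls those URLs out of `openssl x509 -noout -text` output and reports the things that stop a remote gateway fetching a CRL: a scheme or port other than the ICA's HTTP service on TCP 18264 (the port in the post's URL), a bare short hostname that only resolves where a DNS search suffix or hosts entry happens to exist, or a name that does not resolve at all. The certificate text is constructed around the URL from the post; `gw1.example.net`, `mgmt.example.net` and the resolver table in the usage are assumptions.

```python
"""Find the CRL Distribution Point URLs in a certificate and check that a
remote gateway could fetch them.  Added example, not from the thread; the
certificate text is constructed to carry the same CRL DP as the post."""
import ipaddress
import re
import socket
from urllib.parse import urlsplit

ICA_CRL_PORT = 18264   # the ICA serves its CRL over HTTP on this port (as in the post's URL)

# Constructed: the extensions part of `openssl x509 -noout -text -in gw.pem`.
SAMPLE_CERT_TEXT = """\
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 CRL Distribution Points:

                Full Name:
                  URI:http://boogenhagen:18264/ICA_CRL5.crl

            X509v3 Subject Alternative Name:
                DNS:gw1.example.net
"""

CRL_DP_SECTION = re.compile(r"X509v3 CRL Distribution Points:(.*?)(?=\n\s*X509v3 |\Z)", re.S)
URI = re.compile(r"URI:(\S+)")


def crl_distribution_points(cert_text):
    """All URI: entries under the CRL Distribution Points extension."""
    section = CRL_DP_SECTION.search(cert_text)
    return URI.findall(section.group(1)) if section else []


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def dns_resolves(host):
    """Real resolver check; the usage below substitutes a constructed table."""
    try:
        socket.gethostbyname(host)
        return True
    except OSError:
        return False


def check_crl_url(url, resolve=dns_resolves, expected_port=ICA_CRL_PORT):
    """Findings that would stop a gateway fetching this CRL; [] means it looks fine."""
    findings = []
    parts = urlsplit(url)
    host = parts.hostname or ""
    if parts.scheme != "http":
        findings.append(f"scheme {parts.scheme!r}: ICA CRLs are fetched over plain HTTP")
    if parts.port != expected_port:
        findings.append(f"port {parts.port}: expected {expected_port}")
    if host and "." not in host and not _is_ip(host):
        findings.append(f"host {host!r} is a bare short name; every gateway must be able to resolve it")
    if not host or not resolve(host):
        findings.append(f"host {host!r} does not resolve from here")
    return findings


def audit_cert(cert_text, resolve=dns_resolves):
    """Map each CRL DP URL in the certificate to its findings."""
    return {url: check_crl_url(url, resolve) for url in crl_distribution_points(cert_text)}


if __name__ == "__main__":
    for url, findings in audit_cert(SAMPLE_CERT_TEXT).items():
        print(url, "->", findings or "OK")
```

Run it on each gateway (or with the gateway's resolver) rather than on the management station, since the whole question is whether the remote side can reach the name; the resolver is injectable for exactly that reason. Clock skew between gateway and CA is the other classic cause of a CRL being rejected, which is why the NTP check in the thread comes first.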
  22. Replies
    11
    Views
    2,025

    Re: Cluster stopped passing traffic

    fw vpn urlf av appi ips identityServer SSL_INSPECT anti_bot

    Thanks for the info. Seems like they only provided detailed info on fixes\enhancements for GA takes, do you know the verbiage of the...
  23. Replies
    11
    Views
    2,025

    Re: Cluster stopped passing traffic

    I did "fetch" the logs that were locally stored on each gateway.....nothing for the 3 hour period. Going to try the cpview recommendation - will update everyone if I find something eye catching....
  24. Replies
    11
    Views
    2,025

    Cluster stopped passing traffic

    Good evening everyone. I had a 4800 cluster, R77.30 take 216 gaia stop passing traffic tonight. The cluster has 6 locally connected networks, and one interface leads to our private MPLS network. I...
  25. Replies
    1
    Views
    798

    gaia portal - stop listening on 80 and 443

    I have an auditor who wants me to stop our gateways from answering on 80 and 443 on selected interfaces only. So, if the gateway has 4 interfaces - one external, and 3 internal. Only one internal...
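Whatever the portal is eventually bound to, the auditor will re-scan, so the thing worth having is an independent check of which interface addresses actually answer on 80 and 443 after the change. The script below is an added example, not from the thread or from Check Point: it TCP-connects to each interface's address and lists the ones that answer although they are not on the allowed list. The interface names and addresses in the usage are assumptions, and the local listener exists only so the check can be exercised offline.

```python
"""Verify which interface addresses answer on the portal ports.

Added example, not from the thread.  Interface names/addresses are assumed;
the throwaway listener stands in for the portal so the check runs offline.
"""
import socket
import threading


def port_answers(ip, port, timeout=1.0):
    """TCP connect test: True if something accepts a connection on ip:port."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def audit_portal(interfaces, ports=(80, 443), allowed=frozenset()):
    """interfaces: {iface_name: ip}.  Returns (iface, ip, port) tuples that
    answer although the interface is not in `allowed`: the audit findings."""
    return [
        (name, ip, port)
        for name, ip in interfaces.items()
        for port in ports
        if name not in allowed and port_answers(ip, port)
    ]


def start_test_listener(ip="127.0.0.1"):
    """Stand-in for the portal: accept-and-close on an ephemeral port.
    Returns the port number so the checker can be pointed at it."""
    srv = socket.socket()
    srv.bind((ip, 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def free_port(ip="127.0.0.1"):
    """A port nothing listens on (bound, then released)."""
    s = socket.socket()
    s.bind((ip, 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    # Hypothetical layout from the post: one external, three internal, only
    # eth1 may serve the portal.  Addresses are placeholders.
    layout = {"eth0": "203.0.113.2", "eth1": "10.1.0.1", "eth2": "10.2.0.1", "eth3": "10.3.0.1"}
    for finding in audit_portal(layout, allowed={"eth1"}):
        print("portal answers where it should not:", finding)
```

Run it from a host that can reach every interface address, or once per segment; a check that only sees the management-side interface proves nothing about the other three.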
  26. Thread: dual factor

    by DannyW
    Replies
    1
    Views
    699

    dual factor

    Hello all.

    Environment is distributed, gateways are all gaia, R77.30

    I've been asked to investigate dual factor, and if it's possible to integrate into the rules. Example: If source=X, and...
  27. Replies
    8
    Views
    1,640

    Re: Spoofing question - redundant links

    Manually defined with a simple group. My test location has two locally connected networks, and both are in the group. I can certainly change it to the topology option and test if you think that...
  28. Replies
    8
    Views
    1,640

    Re: Spoofing question - redundant links

    Yeah, tried that earlier. I saw no spoof connections "detected" on that gateway - all it did was intermittently change the outzone to external.
  29. Replies
    8
    Views
    1,640

    Re: Spoofing question - redundant links

    Made the change, and had to revert back immediately - I'll try to explain what I saw. First I'll describe the interface spoof settings I had during the issue

    eth1 - local network, spoof set to:...
  30. Replies
    8
    Views
    1,640

    Re: Spoofing question - redundant links

    Tremendous, thank you. Will give that a shot and test.
  31. Replies
    8
    Views
    1,640

    Spoofing question - redundant links

    Hello all, I have a spoofing question in regard to my current setup. Distributed environment, all gateways are R77.30 Gaia clusters, 10 sites in all.

    To interconnect the sites, and provide...
  32. Replies
    7
    Views
    2,039

    Re: apply HFA remotely

    1) Yes

    2) Have a look at sk92449 -- everything i used i found in that document

    3) The normal clusterXL_admin down/up commands
  33. Replies
    7
    Views
    2,039

    Re: apply HFA remotely

    Thanks for looking into this. I was able to complete the rollout of JHFA 185 to all of my remote sites. Here's what I did, and it worked perfectly for every location ( 8 sites, 4600 or 4800...
  34. Replies
    7
    Views
    2,039

    Re: apply HFA remotely

    Thanks for the response. I was definitely on the standby unit yesterday - verified with a cphaprob stat.

    I had a feeling that yesterday, when things went terribly bad, it was when CPUSE issued the...
  35. Replies
    7
    Views
    2,039

    apply HFA remotely

    Should there be an issue applying a JHFA to a cluster member remotely? In past versions, I tried to stay away from hot-fixes, but with R77.30, I thought I'd give it a run.

    Today, I updated...
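The one precondition the thread keeps coming back to is "be on the standby member, verified with cphaprob stat" before a remote hotfix install. As an added example, not from the thread or from Check Point, here is a small guard that parses that output and refuses unless the local member is Standby and a peer is Active; the sample output is constructed in the shape of an R77.x ClusterXL HA pair (addresses assumed), so the real command's exact columns should be checked against your own gateway before trusting the regex.

```python
"""Guard for remote hotfix work: only proceed on a Standby cluster member.

Added example, not from the thread.  SAMPLE_STAT is constructed in the
shape of `cphaprob stat` on an R77.x HA pair; addresses are assumed.
"""
import re

SAMPLE_STAT = """\
Cluster Mode:   High Availability (Active Up) with IGMP Membership

Number     Unique Address  Assigned Load   State

1 (local)  10.10.10.1      0%              Standby
2          10.10.10.2      100%            Active
"""

# number, optional "(local)", sync address, load percentage, state
MEMBER_RE = re.compile(r"^\s*(\d+)(?:\s+(\(local\)))?\s+(\S+)\s+(\d+)%\s+(\S+)", re.M)


def parse_members(stat_output):
    """One dict per member row of `cphaprob stat`."""
    return [
        {"number": int(num), "local": bool(loc), "address": addr,
         "load": int(load), "state": state}
        for num, loc, addr, load, state in MEMBER_RE.findall(stat_output)
    ]


def safe_to_patch_local(stat_output):
    """True only when this member is Standby and some other member is Active,
    i.e. taking this box down will not take the cluster down with it."""
    members = parse_members(stat_output)
    local = [m for m in members if m["local"]]
    active_peers = [m for m in members if not m["local"] and m["state"] == "Active"]
    return len(local) == 1 and local[0]["state"] == "Standby" and bool(active_peers)


if __name__ == "__main__":
    import subprocess
    import sys
    try:
        out = subprocess.run(["cphaprob", "stat"], capture_output=True, text=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        out = SAMPLE_STAT   # not on a gateway: demonstrate against the sample
    for member in parse_members(out):
        print(member)
    if safe_to_patch_local(out):
        print("local member is Standby with an Active peer: OK to proceed")
        sys.exit(0)
    print("refusing: local member is not Standby, or no peer is Active")
    sys.exit(1)
```

Used as a pre-step in a remote session (`python3 guard.py && ...`), it turns the manual "verified with a cphaprob stat" into something that cannot be skipped by accident; it does not replace the clusterXL_admin down/up sequence, it just gates it.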
  36. Replies
    1
    Views
    2,338

    R80 - SmartEvent \ Logging

    Hello all - I've set up a new R80 server for Logging and SmartEvent on an openserver - with 4.2TB usable (raid10, fast drives) available for /var/log - this is currently running in parallel with my...
  37. Replies
    3
    Views
    1,901

    threatcloud intellistore

    Is anyone using this additional "premium" feature? Would be interested in any and all feedback. We're thinking about a few different feeds.

    thanks

    DW
  38. Thread: R80 - max disk

    by DannyW
    Replies
    9
    Views
    1,979

    Re: R80 - max disk

    I currently have smart event and logs on the open server, and policy management on a smart1-20 appliance.
  39. Thread: R80 - max disk

    by DannyW
    Replies
    9
    Views
    1,979

    Re: R80 - max disk

    OK, thanks for the info. I just did a quick test with a VM, added two different drives, and started the gaia install. It did identify both physical drives and said it would use both and showed the...
  40. Thread: R80 - max disk

    by DannyW
    Replies
    9
    Views
    1,979

    Re: R80 - max disk

    I could buy larger drives, but they will be 10K RPM instead of 15K. And then raid-10 them to get the same raid-5 capacity.

    Do I have the option to do this at install, or is there something I...
  41. Thread: R80 - max disk

    by DannyW
    Replies
    9
    Views
    1,979

    R80 - max disk

    Hello. I'm going to bite the bullet and move my SME/logging server to R80. Been using in lab with only one cluster logging to it for a few weeks, and it seems solid. Probably won't move management...
  42. Replies
    1
    Views
    1,400

    IA issue - source user name will change

    Good Day everyone.

    I've recently changed a slew of internal rules from source-IP white-list to access roles. For the most part, it works great, but I'm having one issue and it revolves around users...
  43. Replies
    1
    Views
    946

    cluster failing PCI scan

    Hi everyone. I don't believe our external scanner has picked this one up before, but it is now, and it is causing our PCI scans to fail. The vulnerability is found on the external physical IPs of our...
  44. Replies
    3
    Views
    1,021

    Re: URL filtering questions

    With CDNs being prevalent on many sites, is there no way to allow the external CDN content that the original site is trying to load without white-listing the whole CDN domain?

    If site...
  45. Replies
    3
    Views
    1,021

    URL filtering questions

    Hi all - Question about the URL filtering blade on r77.30

    I have a group of users that has very restricted internet browsing access. I created an "Application/Sites" group populated with the...
  46. Re: Identity Awareness sessions lost after time, their userid gets dropped

    We seem to be having the same type of issue. For the folks that boot their machine every day, we see very few issues. But, for the guys that never reboot (they only lock\unlock), they have IA...
  47. Installation failed. Reason: Load on Module failed - failed to load Security Policy.

    For the past few weeks, I've been getting this message when I try to push policy. I have (7) gateway clusters, all running R77.30 gaia, and it has happened on all of them - some more than others. ...
  48. Replies
    4
    Views
    1,376

    Re: firewall / app control policy synergy

    Light bulb is now on... Thanks, just did a test, and sure enough, when I actually did something legit (ftp with logon and flow), log entries appeared as expected.

    thanks.
  49. Replies
    4
    Views
    1,376

    Re: firewall / app control policy synergy

    Thanks for the answer, that makes sense, but I'm having a disconnect in what I'm expecting to see in the logs.

    Currently, firewall rule 8 is:

    internal -> not-internal(internet) 80/443 allow. In...
  50. Replies
    4
    Views
    1,376

    firewall / app control policy synergy

    Hello - it seems like I'm seeing different behavior in what is controlled by the policies than when I created the rulebase(s) back on r76.x. Currently on r77.30

    On the firewall policy:
    ...
  51. Replies
    2
    Views
    1,062

    Re: VPN over satellite links...

    Thanks, I'll keep looking for other options - the primary link is a 50M MPLS circuit, delivered from the LEC via fiber. I guess if I get some type of copper circuit from the LEC, it would have a...
  52. Replies
    2
    Views
    1,062

    VPN over satellite links...

    I've been tasked with finding a redundant ISP connection for some site-to-site connections (all checkpoint, managed from same management). We've had some bad luck in the past 24 months with trucks...
  53. Replies
    4
    Views
    1,470

    Re: IA - domain group issue

    It's pretty strange - it's just not consistent. For many users in the AD group, a pdp monitor user shows the correct membership, and their internet rule works properly. For some, < 10%, it doesn't...
  54. Replies
    4
    Views
    1,470

    IA - domain group issue

    Hello everyone..

    Having an issue with the IA blade when I create access roles that reference domain groups. All gateways are R77.20 or R77.30 (issue happens on both). Our domain is Windows 2012...
  55. Replies
    5
    Views
    1,696

    Re: who's using the bandwidth....

    Thanks, didn't know that was there. Is it only available on R77.30 - don't see it on my .20 boxes
  56. Replies
    5
    Views
    1,696

    who's using the bandwidth....

    Hello everyone. Wasn't sure which forum to post this in; if app control is the wrong one, mods feel free to move.

    Have a bunch of clusters running either R77.20 or R77.30 gaia - management and...
  57. Replies
    2
    Views
    1,485

    combine *.domain \ and ports on same rule

    Maybe I'm missing something, seems like this should be simple.

    I have a rule in my main policy to allow traffic to sites not internal, and then I lock it down in the app control\URL filtering...
  58. Replies
    0
    Views
    1,028

    3rd party SSL cert \ VPN clients

    Hi all. I went out and purchased a trusted 3rd party cert for our external facing VIP and installed it on the cluster without issues. The VIP that users connect to with their client-to-site VPN...
  59. Re: fw stops passing\logging all traffic for a specific host

    Thanks for the replies, I have a feeling as well that it's ARP-related. In regards to VMAC, I was just reading up on this and it seems like a good idea to have on regardless. Are there any...
  60. fw stops passing\logging all traffic for a specific host

    Having a really strange issue that only recently started. Cluster of 4600s running R77.20 gaia with the jumbo HFA.

    This cluster sits at the edge of our network - one interface to our ISP, one...
  61. Thread: R77.30 EA

    by DannyW
    Replies
    11
    Views
    5,938

    R77.30 EA

    OK, I'll break the wrapper on this new(er) topic. Does anyone have an ETA for r77.30? With R80 seemingly delayed until Q3, I may have to stop at r77.30 this year, as I hit lock-down in September.
  62. Replies
    9
    Views
    2,922

    Re: Latency w/IPS blade enabled

    We have 9 gateway clusters in all. 8 are client sites, where all traffic is either internal <-> internal, or internal <-> internet, all client sites have locally connected internet access, these...
  63. Replies
    9
    Views
    2,922

    Re: Latency w/IPS blade enabled

    [Expert]# enabled_blades
    fw urlf av appi ips identityServer SSL_INSPECT anti_bot
    [Expert]#

    thanks
  64. Replies
    9
    Views
    2,922

    Re: Latency w/IPS blade enabled

    Made the network exception for IPS: any locally connected network <-> any locally connected network. Pushed, and tried my little ping test.. Still seeing poor results, and it doesn't seem like any...
  65. Replies
    9
    Views
    2,922

    Re: Latency w/IPS blade enabled

    Thanks for the comments \ ideas.

    Here's a top from the gateway with IPS enabled:

    top - 10:08:40 up 3 days, 16:22, 1 user, load average: 0.84, 1.09, 0.81
    Tasks: 142 total, 3 running, 139...
  66. Replies
    9
    Views
    2,922

    Latency w/IPS blade enabled

    Hi all. 4600 appliance running R77.20 gaia. Typically about 8K connections, always under 25% CPU utilization, and box throughput is typically from 20-40 Mbits

    When I enable the IPS blade for...
  67. Replies
    7
    Views
    1,654

    white-list outgoing traffic

    Hello everyone. In my DMZ, I have (8) public facing web servers. Allow all 80 and 443 in, and nothing outbound to the public.

    Our web developers want me to open a port 443 connection to a new...
  68. Re: When i install policy network goes down for 10-12 seconds

    check the /var/log/messages file for something like CUL_Freeze messages that correspond to the same time. I have this exact problem with an undersized cluster
  69. Thread: SSL inspection

    by DannyW
    Replies
    2
    Views
    1,416

    SSL inspection

    Hello all. Running R77.20 and looking into enabling ssl inspection across all blades. I currently have it inspecting a few machine's traffic now, and bypassing the rest, all seems to be working...
  70. Replies
    22
    Views
    14,152

    Re: Check Point R77.10

    Any idea as to when the splat r75.4x -> splat r77.10 upgrade image will be available?

    Danny
  71. Replies
    1
    Views
    772

    VIP assistance - cart before the horse...

    Hello all. Have a question about a new cluster i'll be setting up soon. Current environment is distributed - management on smart1-25.

    I'll be setting up a new 4800 cluster, SPLAT R75.46 -...
  72. Replies
    1
    Views
    1,467

    BGP configuration assistance

    I'll preface this with, I've never used BGP before, understand it's a routing protocol, but i guess it's more of an available path decision maker.

    I'll be installing a new cluster at a vendor's...
Results 1 to 72 of 72