CPUG: The Check Point User Group
Resources for the Check Point Community, by the Check Point Community.
First, I hope you're all well and staying safe.
Type: Posts; User: pat13b
Thanks again.
I do have both of your books. Very good reading. I'll have another look.
Clearly these appliances are not the same although we cannot find any differences among them and giving...
Thanks for the responses. Yes, I agree about not allowing "any" from the scan networks, but we lost that argument.
The PCI auditors have full access for their scanners to scan all the gateways and...
I just noticed that the ports on the 2 gateways are a little different between the gateways, but still get tagged as "SMTP Server Non-standard Port Detection back door vulnerabilities"
-pat
Thanks for the response. The ports that are opened up and start listening when doing a netstat are: 35723,36873,41251,44422,45674,45960,47735,49595,51232,54766,56675,58281,60627,64168
We have all...
Tenable Scan will dynamically open up various ports "SMTP Server Non-standard Port Detection" only on 2 out of the 16 gateways in our production environment. So far it has only happened on the...
Thanks for the info and the SK. Very much appreciated.
-pat
Hello;
We are faced with rolling out a few hundred gateways. They have not been purchased yet, but they will most likely be full Gaia devices, not the embedded ones. We are at R77.30 at the moment...
Thanks again. Was just looking into the difference between R77.x and R80 policy revision stuff because that question did come up in a meeting a little while ago.
Much appreciated.
-pat
Great thanks very much for the clarification on the DB revision, and the info on R80. We are starting to lab up R80.
Hello;
We have multiple policies on a single SmartCenter. When we take a database revision before a policy push, are we backing up ALL policies on this SmartCenter?
I would think that we are...
I also attended via web. As mentioned, some technical problems and questions via chat did not seem to work / were not seen. Overall very good and looking forward to more of these.
-pat
Thank you both. When I get back from vaca I'll be taking a crash course in VMware.
Thanks
-pat
Thanks very much for the info. I'll look into VMware again. I started down that road, but there were so many options to choose in VMware I ended up with Ubuntu.
Thanks again.
Hello;
I'm trying to put together a lab jump server with R77.30 SmartConsole installed. I have installed 64-bit Ubuntu and Wine on a Dell 2950, but SmartConsole won't install.
Is anyone doing...
Maybe SK100507 ?
Seems to cover a lot of these types of problems.
-pat
This happened to us after a restore. This fixed the problem. Clearing GUI Cache. sk100507
-pat13b
I did NOT see sk104958 !!! This does look promising... So they did get together on this. We just weren't updated, I guess.
Thanks for the info !!!
-pat
Thanks for the info. I have seen some of this. I don't think Check Point and Aruba have a very good working relationship. At least this is what we see from a Customer perspective.
We were...
Just got my book the other day. Very nice !! Put together very well. Two thumbs up...
We did a demo of this and quickly figured out we could not put exceptions in for Geo protections.
Hoping they fix that eventually. Other than what you had mentioned about the lack of canned...
Thanks for the updates. That might be the difference. I do not have the Amazon Prime.
-pat
That's great. I'm looking forward to it. I just thought it was strange that the order hasn't moved in about a week. I ordered through Amazon US. I'll give it another day or so and contact them if...
Does anyone know if this book is in stock? I ordered from Amazon last week and it hasn't shipped yet. Typically they ship the same day or very next day.
-pat
We were not successful in getting this to work. It's buried in the PDF that IA AD query does not work with NAT. So we moved one of the AD servers into a DMZ off the Check Point without NAT.
The...
I think you would need to get specific with the rule. Again, I have not used this bandwidth in any of my policies, but I would think if you tied that with Identity Awareness you could give certain...
Thanks very much for the info. This is where I do the permissions, but regardless of the option I un-check, they are still able to jump into SmartDashboard, Tracker, SmartLog etc. Even though...
You can do this in the Application/URL policy. I haven't tried it, but the option is there.
-pat13b
Hello,
We are trying to give access to our SmartEvent appliance for our Security and Help Desk teams and only this appliance.
We don't want them to be able to launch from there into...
I get this when running the ipmitool command.
[Expert@sscpsmart02:0]# ipmitool sdr list full 2>/dev/null | egrep -i '^PSU.*watt'
[Expert@sscpsmart02:0]# ipmitool sdr ...
I want to thank all who posted ideas and comments.
My intention is not to bash Check Point. I have several years of experience with Check Point and prefer Check Point over any other.
The...
Thanks very much for the idea. I'll have to try this.
Also, I did find this when doing
[Expert@sscpsmart02:0]# dmidecode -t chassis
# dmidecode 2.7
SMBIOS 2.5 present.
Handle 0x0003,...
Thanks, I did try dmidecode but nothing shows regarding power. Also the RAID, it is possible to lose one drive and still function. At least I can run RAIDCONFIG Status to see status but would be...
No we didn't find this. Our appliances are connected at 1Gig. Looking at the switch end they negotiated to 1Gig on the Mgmt interface.
-pat
Hello,
Not sure how popular the SMART-1 appliance is, but we just realized that although you can configure the SNMP traps for power supply and RAID,
the appliance will not send out a trap when...
The portal was an option we presented but management does not want the user to have to sign in twice. Once with AD and then a second login for the Check Point portal.
I heard today that Check...
We run Algosec (purchased long before Check Point), but it produces much better reports and actively monitors changes a little better than with our Cisco FWSMs. It works well for them, but I notice it...
Thanks for clarifying Jim.
My understanding from our Check Point Team, is that Check Point and Aruba are working together on the IA aspect. Aruba will work with direct integration with Palo Alto...
Interesting. Thanks very much for your reply.
No we don't have HTTPS inspection turned on. The organization wouldn't allow the certs to be pushed to the user's laptops and PCs.
My...
I forgot to mention we are at R77.20.
I also forgot to add that checking the box "Safe Search" in the engine settings does absolutely nothing either.
I'm sure there are many companies with...
Hello,
Does anyone know how to block images from sites like Google and Craigslist?
We would like to allow our users to get to these sites just not be able to see questionable images.
...
I'm not the wireless person, but my understanding from that group, is that the authentication of a user using certs is really done between the Client and the Wireless Controller.
So unless the...
We are running Aruba wireless and having zero luck in getting the controller, clear pass policy manager, or any other Aruba device to spit out Accounting updates on a regular basis.
The Check...
Aruba claims this CANNOT be done. I find it hard to believe that their controller cannot spit out RADIUS accounting.
Anyone actually have this working or tried to get it to work in their network?...
Thanks very much for the response.
Maybe I'm putting too much thought into this. Other than the configuration on the identity awareness / Radius Accounting section, do I need to define a RADIUS...
Hello,
Anyone using Aruba wireless and IA with Check Point?
Once the clients initially register their cert, the authentication is done between the Aruba and client and not AD, so we are trying...
We were getting this on a regular basis. Had to reboot the gateways then was able to push the policy.
But since upgrading to R77.10 have not seen this error.
-pat
Thanks very much for all the good advice.
I finally figured it out. We typically set up port-channels (logical interface) on our switches for our trunks, then assign the physical interfaces to the...
Hello,
I have a new install of Gaia R77.10 on 12400 appliances in a ClusterXL Active/Active UNICAST setup.
I'm trying to implement VLANs in a trunk to a Cisco switch. If I configure these VLANs...
How about the "raidconfig" command from CLI. Not sure if this is what you're looking for?
-pat13b
I don't know what's going to be on the exam, but there are plenty of docs on Check Point's website pertaining to R76 and Gaia.
I also found a sample test of the CCSA 2013 with 50 sample questions...
I'm in the same situation as you. I have been grabbing PDFs off Check Point's site and reading through them.
There does not seem to be any books published yet. The class is very new as well.
...
That was it !!!!
sk92943
Thanks David !!!
-pat
Thanks for the response.
I have run the "get gateway data" but still shows the same thing. I upgraded using the Gaia web interface. Seemed to work great. As near as I can tell it was upgraded...
I think this might be a cosmetic thing, but I upgraded my gateways (12400) and Smart-1 appliances to Gaia R76.
In Smart Update all versions of everything show R76 except on the gateways.
They...
Hello,
How do you see RAID information in SmartView Monitor? When clicking on the link, it shows nothing.
We are running Gaia R76 on a Smart-1 appliance with RAID-1. I know we can use SNMP to...
I recently found this out myself. Apparently X11 is not part of the "any". You need to put in a separate rule to allow for X11.
There is an article on Check Point's website that shows what...
No good info from the clish command line.
But looks like "ntpdc" does the trick in IPSO 6.x but not IPSO 4.x
-pat13b
Thanks for responding,
ntpdate (ip address) produces "the NTP socket is in use, exiting"
Just typing ntpdate with no ip addresses, produces "no servers can be used"
This is IPSO 6.2...
Hello,
I'm looking for a way to confirm that NTP is actually working from the command line or log.
I see it going through tracker but I would like to know if there is a way to tell if it thinks...
Exactly my point, these enterprise class devices will be placed in a computer room somewhere far away from the management stations and people maintaining them.
My experience is with the "50" I'm...
One point of interest (we found out the hard way): the RAID array cannot be monitored. The only indication given when a drive goes bad or out of sync in the RAID is an audible alarm.
Check...
Thanks for the replies.
I received a new version of the client from our CP partner. It worked on one laptop, but the other 3 are still not working.
- Performed CP-Clean.
- Went into registry...
Hello,
I'm having trouble (new install) getting the SmartDashboard R70.20 to load.
If it does load, it takes 10 min to complete. Most of the time it just hangs.
I have tried it on a couple...
I think this will do the trick.
Solution ID: skI5130
To configure Encrypted Client Authentication, perform the following steps:
1. Run the cpstop command on the Security gateway.
2. Edit...
I had issues like this using IE. Try Firefox instead.
-pat13b
I'm using IPSO clustering on 350s with 512 RAM. I think that's the max the IP350's will take?
I'm at IPSO 4.2 with HFA02 and NGX R65.
Sounds like maybe a multicast problem. You can try...
This is great news. Do you know if it works for the IP390 and do you have a part number for this card?
thanks
-pat13b
Maybe a compatibility problem with Nokia TACACS and Cisco TACACS ?
I can try this in our lab next week, to see if I get these results.
-pat13b
ok, now I see.....
I still think it's because the cluster ID isn't in the attributes. Maybe you could test that to see if you can get by this problem. I seem to recall having a similar issue...
Did you define TACACS attributes and add the cluster ID in ACS to allow the cluster admin to log in?
Nokia-IPSO-User-Role=clusterAdminRole:9999
Nokia-IPSO-SuperUser-Access=1
-pat13b
Thanks for the responses.
I'll look into this on the correct license. It's good news that the UTMs can have this ability.
-pat13b
Thanks for the response chillyjim,
So what about UTM devices? Can these be upgraded to offer this as well?
Seems like an oversight on Check Point's part not to include this in basic SPLAT, and I...
Hello,
Anyone know if there is a way to implement AAA (TACACS or RADIUS) authentication on a SPLAT box?
The closest I have gotten is SPLAT PRO offers RADIUS.
Cannot find anything with SPLAT...
Hello,
As an update to my testing of this, so far it's working well and going to be deployed into production. I did have trouble with the "cluster admin" role, but I have figured that out...
UPDATE to this problem. Although I don't know what this error is and how to fix it, I was able to add the roles via clish, and that worked.
-pat13b
Hello,
I get this error message when trying to add user roles.
I'm logged into Voyager as admin.
"Couldn't Create Error File For Command: Permission Denied"
Any idea how to get around this?...
Hello,
I'm still testing this but seems to work so far. After a bunch of research and looking all over the web, I decided to go to the Cisco forum and look this up. A short search I found.........
Thanks for the reply and info.
Yes, we are currently running 7.55. Will have to plan an upgrade.
Thanks again.
-pat13b
Hello,
Any way to get Ethernet stats from the Edge devices? I can't seem to find a way to look at errors / stats on the Ethernet ports.
-pat13b
whoops, missed that one.
So after looking into this, I can't figure this out either.
I ran "dmidecode" in Expert mode. This is close as I can seem to come.
Handle 0x0001
DMI...
ssh to it and type:
>info device
[700000] Device Information:
Hardware:
Appliance Type: SBox-200-B
Version: 1.2G Industrial
Thanks for the reply.
I was able to get this to work and it works great. It was my configuration on the Cisco ACS server that was not correct.
-pat13b
Hello,
Does anyone know if these UTM Edge devices will do 802.1x on the LAN ports?
We are trying to authen with our windows credentials using this type of port security in order to authen our...
If you go to prometric.com and type in locate a site and choose this exam, a bunch of them come up.
Brookline, Waltham, Burlington, Danvers
-pat13b
Thanks cciesec2006.
Yes I did this on the Dell box. I'm thinking I have a bad image.
I'm going to try and download it again. I wasn't sure if this file was bootable or not. Sounds like it...
Hello,
I downloaded "VPN-1_SPLAT26_R65_CD1.iso" and burned this onto a CD.
I was hoping somehow this would just boot and go through the install process, but not a chance.
Can someone walk...
Thanks for the clarification. Initially the 2070's would be together, then the plan is to separate one and place it in a DR site. So it looks like phase 1 will be ClusterXL and then MEP once we move...
Hello,
Is MEP the way to go for UTM VPN site-to-site tunnel redundancy? I don't see much talk about it here.
Looking to take a pair of UTM 2070's at the head end with UTM edge
devices at the...
I never thought to look on their website sofaware.com.
There are a few docs out there on this, regarding rapid deployment and command line scripts.
I haven't read through all of them, but it...
Hello,
Is there a way to have these Edge devices get their initial config via a TFTP server?
How would we go about this and create a config file?
We are deploying many of these in the field...
Hello,
I'm successfully doing this. The only thing I have found when the ACS log says successful login and Check Point won't log you in as you describe, is that the expiration date has expired. ...
OK, I won't ask you how, but is it any good?
-pat13b
I have not done this yet (in a few weeks, I think).
I found a pdf but it's too big to upload to this forum.
It's on the RSA website and called:
RSA-CheckPoint_VPN1FW1_NGX_R65_AM7.1.pdf
-pat13b
UPDATE......
The file is called "cpsc.en_us"
It needs to be edited on the Firewall itself Not the Management server.
I was able to edit this file for the authen failed screen. Still...
Hello,
I have been pulling my hair out trying to figure out why one of the Nokia IP350s I have in my lab kept going to 100% CPU utilization.
I compared my configs, swapped memory, swapped CPUs. ...
Confirmed, this only works for "Client Authentication"
Anyone?
-pat13b
Thanks, I did see this, but was hoping there would be an easier way to do this.
For example, with the Cisco PIX/ASA the only thing that needs to be done is entering text in a box.
-pat13b
Hello,
I have been searching everywhere for info on editing the pop-up in the web browser for "User Authentication".
I see that under Global Policy, that I can tell it to load a file, but this is...
Hello,
Did you ever get an answer to this? We are trying to do the same thing.
I can't find this info anywhere.
-pat13b
Good to hear. Thanks for the reply. We are also looking at the ASA price comparison / functionality and management, but I'm hoping the Check Point product will win.
-pat13b