CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.


Type: Posts; User: davidson

  1. Re: Local Encryption Domain per peer instead of local Gateway in R80.x

    Check Scenario 1 in sk108600. You can manually alter the negotiations by making entries in your user.def file. I have used this to get around some "show stopper" partners.
  2. Re: Authentication with Radius (Replies: 4; Views: 1,634)

    Sorry, you're correct. I was thinking of the Smart-1 authentication.
  3. Re: Authentication with Radius (Replies: 4; Views: 1,634)

    I don't think so, additionally you can only specify a single radius server, not a stack. In our environment admins log in with their radius account unless there is a DR situation and then use an...
  4. Re: Session Matching failing after R77.30 upgrade

    I agree, or close enough for government work. As noted I wasn't pulling the errors from the get_conn_idle_timeout but we've been running for ~48 hours on Take 159 with no complaints from my admins.
  5. Re: Session Matching failing after R77.30 upgrade

    With Out of State management turned up we were seeing these problems every couple of minutes. RDP would go into reconnect, but SSH sessions just die. It wasn't the end of the world and we made to...
  6. Re: Session Matching failing after R77.30 upgrade

    Support and I tested that during the turn-up last week. The first symptom is a pretty good example of the original condition, but while running the debug statement I didn't see any hits for period...
  7. Re: Session Matching failing after R77.30 upgrade

    @jflemingeds

    Old fwkern.conf had the mac magic setting in it, new one does not since I'm using the r77.30 method (confirmed working).

    Connections are typically short, most of our reproduced...
  8. Re: Session Matching failing after R77.30 upgrade

    I was trying to dig up more info on aggressive aging... if I understand it correctly it shouldn't be firing because max connections is set at 50k and I'm peaking about 8k, and these connections have...
  9. Re: Session Matching failing after R77.30 upgrade

    Sorry, forgot that. I'm running R77.30 Hotfix #5.
  10. Session Matching failing after R77.30 upgrade

    I'm chasing an interesting problem I thought I would run past the group...

    Last week we did an upgrade from R77.20 to R77.30 [ETA: I am currently running R77.30 Hotfix #5]. Due to the hotfix we...
  11. Re: How to handle Office365 IP addresses (Replies: 28; Views: 18,376)

    Any concept of why AC didn't resolve the issue? It was just pitched to us again and some of the other replies here seem to indicate success.
  12. Re: Routing table is not same (Replies: 8; Views: 2,600)

    If one member has a C route that the other doesn't I would be focusing on your interface configuration; either in local software config, physical connectivity or partner config.
  13. Re: automatic fail-over to redundant 3rd Party VPN peer

    Very interesting. There is a TON of VPN focused documentation out there that doesn't reflect this yet.
  14. Re: automatic fail-over to redundant 3rd Party VPN peer

    I believe that Permanent Tunnel is only available between Checkpoint <> Checkpoint pairs.
  15. Re: FW opening for Amazon AWS (Replies: 9; Views: 2,232)

    Probably not, that's part of the whole global/regional redundancy pitch. Plenty of systems behind AWS, Azure, Akamai, etc have IP addresses that can't be relied on. Some folks are using Application...
  16. Re: ISP uplink has a /30 network (Replies: 4; Views: 1,454)

    I've done this, in short you use local addresses for the self members, set the public IP as the VIP and set up a scopelocal route to cover the discrepancy. Check out sk32073. Biggest issue I had is...
  17. Re: BGP and Policy Objects (Replies: 2; Views: 1,461)

    PO's on eldritch objects takes forever around here.
  18. Re: How to handle Office365 IP addresses (Replies: 28; Views: 18,376)

    I've inherited a "manual update" implementation. There is an RSS feed you can subscribe to for updates that has been fairly reliable. We also have been running domain objects for this, but...
  19. BGP and Policy Objects (Replies: 2; Views: 1,461)

    Hi, everyone. I'm pretty sure I know the answer, but I'm trying to run down every possible lead on this question.

    We're implementing BGP for the first time on a portion of our Checkpoint Firewalls...
Results 1 to 19 of 19