CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.


Type: Posts; User: melipla

  1. Replies: 4 | Views: 4,860

    Re: logoff without disconnecting the VPN

    "Enable Always-Connect" yes, under VPN Options -> Site Properties -> Settings. Sorry for being incomplete, one of my pet peeves too.
  2. Replies: 4 | Views: 4,860

    Re: logoff without disconnecting the VPN

    So what if you used auto-connect instead of SDL? That should allow the drive mappings to be available after autoconnect kicks in.

    AFAIK #3 isn't possible (the "without disconnecting" part)
  3. Replies: 2 | Views: 2,789

    Re: trac.config settings

    It is here: sk75221
  4. Re: Publish Remote Desktop app via Mobile Access Blade

    https://technet.microsoft.com/en-us/library/cc771419.aspx
  5. Re: Publish Remote Desktop app via Mobile Access Blade

    Microsoft does have a way to redirect people to specific terminal servers using Remote Desktop Connection Broker (RD Connection Broker). However then you're delegating some of that responsibility...
  6. Re: prevent Internet access if not connected to the VPN

    For laptops, using Endpoint Security it's called "HotSpot Detection". You can find out more here. My suggestion would be to engage your local Check Point Sales Engineer as a place to start. Check...
  7. Re: Jumbo Hotfix Accumulator (install or not to install, that is the question).

    Well put. The de facto support question used to be "Are you on the latest HFA?" now it's "Are you on the latest HFA w/Jumbo?". Things shifted when Check Point started releasing the Jumbo hotfix a...
  8. Re: Endpoint Security and Mobile VPN complaint despite Windows Security Center Alert

    So what are you using to detect it? Without that information we can't tell you why it's failing. You basically have two options:

    SCV checks (Endpoint Security VPN / full Endpoint Security client)...
  9. Thread: VPN Issues

    by melipla
    Replies: 2 | Views: 1,312

    Re: VPN Issues

    There is no 83.50 client version(?) What is the disconnect error message? Is it really 20 seconds later? Some of these issues have to do with traffic intended for the gateway and being encrypted...
  10. Re: What are the issues in active-active scenario?

    Aren't Nokias using VRRP set to active/active by default? Not sure if Gaia is similar...
  11. Re: Jumbo Hotfix Accumulator (install or not to install, that is the question).

    Yes.

    Don't find out the hard way that there's a fix released for that bug that just took down your network.
  12. Replies: 31 | Views: 11,333

    Re: Appliance vs open server?

    IMHO If you're doing any UTM functions then I'd probably recommend [at minimum] a 4800 instead of a 4400 for a 500 person office.
  13. Replies: 1 | Views: 1,462

    Re: Endpoint VPN reauthentication

    Focus on the "why is it trying to re-authenticate 10 seconds later?". I believe there's more than one SK about this issue.

    In the meantime, disable password reuse so that you're not locking out:...
  14. Re: Really slow DNS causing browser hangs when VPN connected

    Thanks for following up, glad you found a resolution!
  15. Replies: 6 | Views: 7,644

    Re: Capsule (aka E80.60)

    This is all excellent news & hope this trend continues. On paper E80.60 fills some of the feature gaps E80.50 had, but until I can spend time looking at it I'll hold off on commenting.
    ...
  16. Replies: 6 | Views: 7,644

    Re: Capsule (aka E80.60)

    They may be complementary but their documentation is co-mingled to the point that the goal must be convergence. Nothing's clear about auto-renaming apps--the real kicker here is that "Capsule...
  17. Replies: 6 | Views: 7,644

    Capsule (aka E80.60)

    In case you missed it, Check Point revolutionized mobile security. Unfortunately during that process they decided to hijack a couple mobile apps to do it. Now everything says "Capsule" and if you...
  18. Re: Really slow DNS causing browser hangs when VPN connected

    Sorry to hear you're still having the issue. Can you share a capture of the issue? I'd like to see simultaneous tcpdumps from the DNS server and DNS client if possible.
  19. Re: Share your knowledge about rules managing DNS traffic through the firewall?

    This is a good article, I think you should read it.

    It will go both ways. The master will notify the slave but the slave can also initiate a different connection to pull the DNS records...
  20. Replies: 19 | Views: 7,559

    Re: Bash Vulnerability

    According to this article, bash is still vulnerable. Expect more patching to be done.
  21. Replies: 19 | Views: 7,559

    Re: Bash Vulnerability

    Looks like Check Point is tracking this in sk102673.
  22. Replies: 19 | Views: 7,559

    Bash Vulnerability

    https://access.redhat.com/articles/1200223

    Affects Gaia R77.20:

    # env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
    vulnerable
    this is a test
  23. Replies: 4 | Views: 1,960

    Re: Current stable version

    Since this is the "stability thread"...The hotfix only applies to R77.x versions lower than R77.20. Installing the hotfix simply for new DHCP services is not an approach I would recommend given my...
  24. Re: Really slow DNS causing browser hangs when VPN connected

    The one thing I wanted to try, but didn't get a chance to, was to use a name server that only returned IPv4 addresses, as we were using our AD servers for DNS and they return both IPv4 and IPv6...
  25. Re: Really slow DNS causing browser hangs when VPN connected

    I've seen something similar, however I was not able to find a cause. If you Wireshark the interface(s), I will bet that you'll see the client getting an IPv4 response first and an IPv6 response...
  26. Thread: DAservice

    by melipla
    Replies: 11 | Views: 7,065

    Re: DAservice

    Thanks for the pointer(s), looks like R77.20 uses Build 615--will try the newer build.
  27. Thread: DAservice

    by melipla
    Replies: 11 | Views: 7,065

    Re: DAservice

    This problem persists in R77.20. Currently 45k files & can't even remove files anymore:

    # ls -l plugin*
    bash: /bin/ls: Argument list too long
    # rm plugin-upgrade-matcher-*_Aug__*
    bash:...
  28. Thread: Welcome back!

    by melipla
    Replies: 24 | Views: 25,654

    Sticky: Re: Welcome back!

    You're off to a good start Eric--you even got Chilly to post again :)
  29. Replies: 26 | Views: 16,975

    Re: Check Point R77.20

    No more upgrading the management server? Interesting...

    My initial experience with the management server on R77.20 seems like it takes longer to install policy & am seeing some packet loss during...
  30. Re: Smart Dashboard Login Issues post R77.10 Upgrade

    Interesting. Just curious as to what the Management tab in Smartview Tracker logs as the reason for the failed login attempt? (Some sample messages here:)

    Authentication method: Password based...
  31. Re: Smart Dashboard Login Issues post R77.10 Upgrade

    I've seen this once or twice (can reproduce it too) and opened a ticket with Check Point about this. To make a long story short, there's a period of time when the management server is unavailable...
  32. Replies: 26 | Views: 16,975

    Re: Check Point R77.20

    The best source is sk97566 which we're also seeing in R77.10. & wow R77 was in Sep 2013? Seems so long ago...and yet it's right about time for the next major release...

    Thanks Barry! I knew...
  33. Replies: 3 | Views: 1,206

    Re: Gateway loses state table on policy install

    Ouch, sorry to hear they closed the ticket simply because they couldn't understand the issue.

    Have you done anything to minimize the load on the gateways? Specifically to traffic that gets...
  34. Replies: 26 | Views: 16,975

    Re: Check Point R77.20

    Well it does....in SPLAT you have to DHCP relay via interfaces [under sysconfig] and in Gaia you have to:

    The Gaia R75.40 - R77.10 DHCP bug which requires special NAT rules happens only if you...
  35. Replies: 26 | Views: 16,975

    Re: Check Point R77.20

    I'm happy to see the new HFA :)

    What's the reasoning behind releasing a patch that already has a patch (so to speak)? Why not integrate it directly?

    AKA Check Point broke how they...
  36. Replies: 1 | Views: 1,014

    Re: Log keep in Gateway

    Check Point has a document specific to logging troubleshooting, it would be worthwhile to use it.

    My take on the problem is that most of the time it's because the management server lost...
  37. Replies: 8 | Views: 2,153

    Re: Urgent R75.40+ patch?

    As a side note, R77.20 EA just posted--I don't see sk100431 or any of the issue IDs listed in sk100431 as being included in R77.20. :-/
  38. Replies: 2 | Views: 1,934

    Re: Checkpoint GAIA R75.47 and multi-queue

    Seems like the documentation gives you an "out" here:

    13500's have 16 CPUs right? Seems odd but my guess is that your corexl firewall instances are limiting your ability to use more than...
  39. Replies: 14 | Views: 7,591

    Re: AWS Checkpoint firewall clustering

    Ah thanks for pointing that out, after doing some reading I ran across this in Security Gateway Virtual Appliance R75.40 Getting Started Guide for Amazon Web Services VPC on page 13 (regarding blade...
  40. Re: Question on managing a Checkpoint 1120 behind a NAT Gateway

    Well there's just the one NAT (the port forwarding), right?

    I think you can do it, particularly if it's not a Dynamic IP DSL modem. For the gateway object you'd use the DSL IP. For the topology...
  41. Replies: 14 | Views: 7,591

    Re: AWS Checkpoint firewall clustering

    If your non-clustered firewall goes down, yes it will be a single point of failure and you will lose connectivity to your hosts in the AWS cloud.

    There's no "special" documentation for AWS that I...
  42. Re: How to integrate R77.10 with Radius for authentication

    AFAIK SSO only works if you log in with domain password, not your radius one. There's no way to tie these two together without another authentication window appearing for your domain information...
  43. Replies: 1 | Views: 1,795

    Re: Enabling SecureXL

    cpsizeme does not work with multiqueue, however I doubt you have that enabled, so carry on.

    Enabling SecureXL does run you the risk of dropping packets in weird ways, however those were...
  44. Re: CPD daemon running but no 18191 port listening

    Your output is what I would expect, because you are running the wrong command.

    [Expert@csfmvc1c2:0]# arp -a |grep 18191
    [Expert@csfmvc1c2:0]# netstat -an |grep 18191
    tcp 0 0...
  45. Replies: 8 | Views: 2,153

    Urgent R75.40+ patch?

    It's rare that my reseller sends me notices to patch...actually it's never happened before, so I'm guessing this one is pretty serious.

    sk100431

    A potential stability issue might be...
  46. Re: Publishing SharePoint 2010 with Mobile Access Portal

    According to sk32086 you have to use Hostname Translation (HT), not PT.
  47. Replies: 15 | Views: 7,677

    Re: DNS Problem with E80.50 Endpoint VPN Client

    You're missing a closing parenthesis:

    :restart_dns_service_on_vna_init (
    :gateway (
    :default (true)
    )
    )
    ...
  48. Replies: 15 | Views: 7,677

    Re: DNS Problem with E80.50 Endpoint VPN Client

    I assume with Win 7 you've disabled UAC completely? Some things (like this) might not work until you do. Is the user you're logged in as an Administrator?

    Have you tried the new parameter...
  49. Replies: 2 | Views: 1,225

    Re: R77.10 drops RPC over TCP

    Yeah :-/ We had it configured like sk32473 recommended however we were getting drops--only seen in "fw ctl zdebug + drop". After switching it to "Any" the communication started working again. I...
  50. Replies: 10 | Views: 4,075

    Re: ClusterXL on r77.10 dropping igmp messages

    Plenty of people on Gaia, however I think most of us use broadcast instead of multicast for ccp. In addition to what the SK states you could also try disabling "Extended Cluster Anti-spoofing" in...
  51. Replies: 34 | Views: 19,522

    Re: Message "cul_load_freeze" with high CPU Usage

    That's most likely the aggregated average. If you have 10 CPUs, one is at 100% while the other 9 are at 0%, you only have 10% CPU average.

    In the command line, from expert mode, run "top". Hit...
  52. Replies: 15 | Views: 7,677

    Re: DNS Problem with E80.50 Endpoint VPN Client

    Don't use split DNS? I've never been a fan of hostnameX resolves differently externally than it does internally. If you have to use split, try shrinking your cache timeout. Or if they're using a...
  53. Replies: 15 | Views: 7,677

    Re: DNS Problem with E80.50 Endpoint VPN Client

    You should've been able to push the policy after the update and then have the client reconnect to get the updated setting (to allow disabling). There's a couple things that could go wrong, but...
  54. Replies: 6 | Views: 1,904

    Re: Give Checkpoint credit where credit is due

    So correct me if I'm wrong, but fw workers (aka CoreXL / kernel instances) don't handle any of NIC CPU (aka SND / cpu 0 - 1 for you)--what you've shown here is simply the fw workers (cpu 2-7)...
  55. Replies: 15 | Views: 7,677

    Re: DNS Problem with E80.50 Endpoint VPN Client

    There is this option in the $FWDIR/conf/trac_client_1.ttm file:

    :flush_dns_cache (
    :gateway (
    :default (client_decide)...
  56. Replies: 5 | Views: 1,740

    Re: Connections table maxes out

    That seems extremely low for a connections table, even the low end appliances can handle at least 50k connections.

    As for why the count can change--there could be a couple factors. The primary...
  57. Replies: 6 | Views: 1,904

    Re: Give Checkpoint credit where credit is due

    Were you bonding before R75.47? I am interested in testing to see if simply bonding up my external interface will help distribute SI% across both.

    Thanks
  58. Re: E75 client works for awhile, then won't start, have to re-install?

    Haven't tested E80.50 too much, however I think I've seen it happen once--regardless try upgrading the big offenders to E80.50 or E80.42 (which is actually newer than E80.50) and see if it helps.
    ...
  59. Replies: 4 | Views: 1,880

    Re: Cluster members not seeing each other...

    Take a look at sk42096 if you can. In the past we've seen something like this due to CoreXL being set up differently on each cluster member [you can check this in cpconfig], although in Gaia it...
  60. Re: Unable to ping Interface from inside itself but can from another interface

    Anti-spoofing?

    "fw ctl zdebug + drop" will help explain why / where it's dropping
  61. Thread: DAservice

    by melipla
    Replies: 11 | Views: 7,065

    Re: DAservice

    Looks like this issue persists with R77.10:

    4997 admin 18 0 326m 270m 4984 R 48 1.7 3530:16 DAService

    50% cpu usage on the management server. Stopping it took the server from a...
  62. Re: Why do you need the Mobile Access Blade when you have SSL?

    The problem is that I have remote users who need to access their data securely. You can split that six ways to Sunday, but it's still a VPN solution when it comes down to it.
  63. Re: Traffic seems to be not passing through on 9070 firewall

    You mean you're using the R75 upgrade_export version on the R65 gateway? Using the R65 version of the upgrade_export will not create the proper file for an R75 import. You have to run the export...
  64. Re: Why do you need the Mobile Access Blade when you have SSL?

    Some web applications aren't designed to be publicly available on the internet. OWA is designed to be, however I'd be more concerned about other web access portals (i.e. for MS SQL). How do they...
  65. Replies: 2 | Views: 1,104

    Re: Install rule on gateways selection

    You have to install the second policy before it becomes active, which would replace the first policy that was active. All the rules in policy A would then be lost because they are not in Policy B.
  66. Replies: 2 | Views: 3,620

    Re: DHCP Relay + DHCP Server

    It should be noted that sk97642 replaced the SK you referenced.

    Is your management server also R75.47?

    Are you using ClusterXL, if so what kind?

    What kind of NAT, if any?

    Running the...
  67. Replies: 50 | Views: 18,522

    Re: Check Point R77

    At least you skipped over R75.40--I think I like your approach. I do think it's ironic that they're advocating the use of software [R77.10] that's not even out yet. That's like saying Windows 8.2 is...
  68. Replies: 4 | Views: 1,569

    Re: NAT traffic goes abnormal

    The place you should already know about: SmartDashboard - NAT. What does it say you're doing?

    Summary of usage from the CLI:
    fw tab -t fwx_alloc -s

    Or go to Tracker and show the XlateSrc...
  69. Replies: 50 | Views: 18,522

    Re: Check Point R77

    I don't really understand the notification choices. How can SecurePlatform be an option but GAIA is not? The inability to select product versions seems odd too. Doesn't seem like it knows I'm on...
  70. Replies: 8 | Views: 3,564

    Re: Checkpoint R77.10 release date

    Still behind an EA questionnaire access for me. I see they added a place to submit EA bugs, which is nice. Based on the EA questionnaire, I find it interesting that they're sending people onsite to...
  71. Re: RX errors increasing on External Interface of Splat firewall

    If you're using an Intel nic and are on version R75.40 or higher, then it's Check Point's fault you're seeing these errors & sk42181 describes how to resolve it. I'd recommend doing it for every...
  72. Re: R77 Possible bug: "xx Hides rule xx" not shown anymore?

    Funny you should mention this--we had issues similar to this around R75.30 or R75.45. Once we moved up a version we started getting all of these verification errors & had thought the upgrade failed....
  73. Re: Weird issue when using with DHCP and Wi-fi

    You're missing rules in regards to DHCP. In tracker, try filtering the services column on bootp and all the dhcp-* services w/ no source IP or dest IP filters and you should see the drops / accepts....
  74. Replies: 4 | Views: 1,569

    Re: NAT traffic goes abnormal

    My initial thought was: "What are you doing for NAT?"

    My second thought was: "How can you minimize your NAT utilization?"

    I'm not very good at answering questions, but one thing I do know is...
  75. Replies: 50 | Views: 18,522

    Re: Check Point R77

    If you're on R77 and haven't installed the hot fix from sk96124, I would recommend doing so. Not sure how this one didn't merit a new ISO release...
  76. Replies: 3 | Views: 1,963

    Re: Monitoring the affinity/firewall instances

    Scripts (bash is your friend)! I'd probably script the analysis too....
  77. Replies: 10 | Views: 5,854

    Re: Intermittent Tunnel Loss

    We haven't been able to resolve it. Although with your frequency, I'd expect you'd have to take time to debug it (and it'd be much easier). As a side note, to update your earlier post with...
  78. Replies: 1 | Views: 2,315

    Re: Does Secure Domain Logon work in Windows 8?

    Did you try E80.50?

    Thanks
  79. Thread: DAservice

    by melipla
    Replies: 11 | Views: 7,065

    Re: DAservice

    Thanks for the quick response, here's my output:

    # cpvinfo /opt/CPda/bin/DAService | grep 'Build'
    Build Number = 502

    # file /opt/CPda/bin/DAService
    /opt/CPda/bin/DAService: ELF 32-bit LSB...
  80. Replies: 7 | Views: 11,354

    Re: R76 fw_worker_0 gets all CPU

    The only thing that sticks out is your NAT. You're doing more NAT than you have connections, which could mean some double NAT rules--not a terrible thing but odd. What's the output of this:

    fw...
  81. Thread: DAservice

    by melipla
    Replies: 11 | Views: 7,065

    DAservice

    Anyone else seeing extremely high CPU usage by the DAService? On my management server it's anywhere from 40% - 70% cpu usage + 15% of the memory.

    Seems a bit high for something that I don't even...
  82. Replies: 3 | Views: 4,082

    Re: ssh long login and times out

    Not without further investigation, honestly it could take you two months to debug it and get the appropriate hot fix.
  83. Replies: 7 | Views: 11,354

    Re: R76 fw_worker_0 gets all CPU

    Do you only have 1 fw_worker (aka CoreXL instance)? With four cores I would suggest at least 2.

    Are you using SecureXL?

    Since it's SI traffic, my primary concern would be throughput. I would...
  84. Replies: 3 | Views: 4,082

    Re: ssh long login and times out

    They're most likely right. The problem you're describing, where you get the login prompt but it doesn't complete and eventually disconnects you is indicative of a memory leak / consumption of...
  85. Replies: 2 | Views: 1,868

    Re: TCP connection issue

    Can you list contents of rule 10? I.e. is the X_Server in source or destination?

    Using the "Active" tab in Smartview Tracker is not recommended due to the load it puts on the gateway. You should...
  86. Replies: 5 | Views: 16,624

    Re: Ping not working via Checkpoint

    Ping is included in any, it's just tracker which can be confusing between ??icmp and icmp. The protocol ??icmp is the filter you want, which is a different column than the service one.
  87. Replies: 5 | Views: 16,624

    Re: Ping not working via Checkpoint

    Somewhere there's a drop. ICMP is also a protocol so you should be filtering on that and NOT the service. If you still can't find it, try using "fw ctl zdebug + drop" from the command line and...
  88. Re: Endpoint Connect client disconnects every 20 seconds after connecting successfully

    Try filtering the service in tracker on 18234 (udp), which is tunnel test. It could be getting dropped due to anti-spoofing if you use Office Mode. If you don't see anything then try "fw ctl zdebug...
  89. Re: Gateway Selection in E75.30 after Gateway Upgrade to R75.46

    Yes you must update the trac file on the gateway and push policy again, and then I'd suggest recreating all your sites in the VPN client for anyone who connected to that site. I'd look into the...
  90. Replies: 3 | Views: 2,180

    Re: CPU usage & policy optimisation

    We've heard for a long time that moving heavy hitting rules to the top of the rulebase helps, as recent as this year w/ R75.46 by people who deal with it day in and day out so there must be some...
  91. Replies: 50 | Views: 18,522

    Re: Check Point R77

    If your only concern is stability, then R75.30 is for you, although I'd probably consider moving to Gaia now that R75.47 is out... R75.46 was good but still a bit premature for Gaia adoption IMHO.
    ...
  92. Re: Can't access network drives after connecting???

    Well I hope no news is good news :)

    That is interesting about the offline files and the domain bit. All of our shortcuts tend to use the shortname too, but we haven't had to remap to the fqdn...
  93. Replies: 10 | Views: 5,854

    Re: Intermittent Tunnel Loss

    1) We haven't left it off, but disabling SecureXL while the problem is happening did not help. It's been on every time the problem has started.
    2) No hardware accelerator but we do use SecureXL....
  94. Re: Can't access network drives after connecting???

    Support tickets about CIFS performance over VPN. Our original problem was CIFS transfers breaking across our Check Point site to site tunnels, it just so happened that it improved CIFS performance...
  95. Replies: 10 | Views: 5,854

    Re: Intermittent Tunnel Loss

    We see one-off replay attack messages frequently enough, so the tunnel isn't always going down when it appears. However it's when the message appears, traffic stops traversing the tunnel, then...
  96. Re: Can't access network drives after connecting???

    Aye we've seen intermittent problems like this, is your cifs_tcpstr_max_window set to 131072? I think in versions previous to R75.30 it was called fwtcpstr_max_window.
  97. Replies: 10 | Views: 5,854

    Re: Intermittent Tunnel Loss

    We're having the same problem, our attempt to debug it has stopped due to how difficult it is w/the randomness of the occurrence. Debugging the problem while it's ongoing [typically lasts 15 minutes]...
  98. Re: Addition to the Advanced Check Point Administrator's Toolkit... tcpreplay

    Have you used this with VPN traffic?
  99. Replies: 5 | Views: 8,561

    Re: Upgrading R75.40 to R77

    I think there's some confusion as to whether or not he's upgrading vs doing a fresh install. His original post said upgrade then his second post was only talking about "update" via "fresh install"...
  100. Replies: 5 | Views: 8,561

    Re: Upgrading R75.40 to R77

    For fresh installs, you can use an external DVD drive, however using a USB Device is much easier.

    You can upgrade it from the CLI / WebUI. :)