CPUG: The Check Point User Group
Resources for the Check Point Community, by the Check Point Community.
Type: Posts; User: eduardoxmunoz
Yes, that is correct. The process is all manual. When you login into the Standby SMS in pre-R80 it would ask you whether you want to make it Active. R80 and later will let you login in read-only and...
Hi there,
Some initial checks/questions that I can think of:
- Check that the VPN encryption domain is configured properly.
- Are you using Mobile Access blade?
- If you are enabling office...
Hi there,
My management server is listing in the license repository hundreds of "unattached" licenses which I am pretty sure didn't add. More surprisingly the Signature Key is different for each...
How are you defining objects? Have a look at sk14587
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk14587
The password is manually set during the first configuration wizard. There is no default password as such.
If you have access to the WebUI the password should be the same.
Yes, you can...
Make sure you can open connection to all the relevant ports from/to the secondary SMS. In this link there is a good diagram of all the required ports.
...
You can achieve it with a URI resource object. Have a look at sk40348.
Not sure if Saf@ supports it though. You might want to have a try... =)
For specific answers, provide specific questions... :)
What OS/version are your firewalls running? What's the output of 'show vrrp interfaces' in both units?
Have you monitored multicast in all...
Agree, Check Point documentation is not very clear about how exactly the scheduled log forwarding mechanism works. It is my understanding that any object with this setting enabled will forward local...
Yes, no discussion that if it works, managing will be messy with routing and NATs
It all depends on your settings in the firewall object under:
If secondary SMS is not configured as log server, firewalls will store logs locally until the primary SMS becomes available.
...
Hi there,
As long as:
1. There is a decent bandwidth between the primary and secondary SMS
2. The secondary SMS is able to reach all the gateways
There shouldn't be any problem with building...
cpview will give you a bunch of details including historical data.
Regards
Ed
Not sure about timers, but if you enabled "Automatically download Contracts and other important data (Recommended)" during the first time installation wizard the SMS will try to connect the Check...
"if you ever held a CCSE certification, even if it is currently expired, you are eligible for this Update exam. So you don't need to start over with CCSA R80."
Source:...
That's a tricky idea that actually might work... Thanks for that! I will check it out and see how it goes.
Challenges that I can foresee, fw objects cannot be used in NAT rules... but easy to fix...
Hi there,
Thanks for your answer. Yes, indeed I have read what you've mentioned in the documentation. However, we are not necessarily enabling Mobile Access in the VSes; moreover, the DNS...
Hi all,
I am building a new VSX gateway with some virtual firewalls. Part of the requirements is to configure different DNS servers depending on the logical allocation of each virtual system.
...
Hi there... have you checked your Internet access speed with your ISP? Is the Internet access still slow during non-peak hours? What about testing a direct connection through the firewall (not using...
Thanks for clarifying @PhoneBoy and especially for pointing that SK
Regards
Ed
Hi there... once a gateway is installed is there any way of knowing if a "virtual gateway" (either on cloud or ESX) is running vSEC NSX mode or Network Mode?
Thanks
Sent from my iPhone using...
Hi Cathy
If they are separate boxes, you need to use the R77.30 migration tools from the R75 SMS. I don't remember whether it is a one-step upgrade, but you can easily find it at CP SecureKnowledge.
...
Hi Jonne,
Thanks for the updates. Unfortunately, I wasn't able to find a solution either. I managed to get approval for a short maintenance window :) and upgraded without using CU.
Cheers
Hi,
Is the Wi-Fi router NAT'ing source addresses for devices connected to it?
Hello there,
I have done SSL inspection with Check Point R77.XX and tuning the policy is quite tricky at the beginning, all depends on the number of internal applications that rely on SSL (apart...
It is my understanding that this feature is not enabled by default. However, considering that Gaia is based on RHE 5, it uses OpenSSH, so you can try by modifying the SSH config files to allow...
Check if 443 is opened by issuing 'telnet 192.168.0.115 443'
Are you using the latest R77.30 iso file? If not try using an old version of IE or modifying the SSL/TLS settings under Internet...
Hi Valeri,
No I didn't. However, I have been able to replicate the issue in my lab.
Thanks for the idea, I'll try it in my lab and come back with the results
Cheers
Hi,
Hopefully someone can give me light on this issue...
scenario: VSX VSLS upgrade R77.10 to R77.30 Jumbo HFA 205 using connectivity upgrade method. All VS'es running on one member during the...
Well yes... True! Thanks for the clarification. Is this officially supported? I do not see the benefits of having MDS with a single domain though.
Looks like Layer 2 issue. However, I would start checking:
Global Properties and make sure that ICMP is allowed; if not, create specific rules to allow ICMP to the cluster
What's the cluster...
Hi,
No, you need a Multi-Domain license. The SMS license cannot be used for Multi-Domain.
Regards
Ed
I had some issues setting up DNS on an 1100 appliance some time ago, not the same behavior with Wi-Fi as you have described, but certainly disconnections when I added an internal DNS server.
There...
Thanks for the comments.... Good to hear that it actually makes sense to spend some time providing feedback.
Regards
Ed
I have provided a simple feedback to one of the SK's and what's Check Point's answer?
My feedback
------------------
The statement of "using a guest OS definition of Redhat Enterprise...
I think lots of us are in the same boat here, so nothing to regret :)
In regards to the services working before applying the solution, it is probably due to the fact that by default some services are...
By default the Active member does not forward traffic sent to the standby gateway.
You might need to set fwha_forw_packet_to_not_active to 1 (zero by default)
[Expert@HostName]# fw ctl set int...
Gaia uses the Linux dhcpd so you can refer to the dhcpd.conf documentation for full details
https://linux.die.net/man/5/dhcpd.conf
sk92473 also provides more details.
Hope it helps.
...
Hello there,
When you run 'show snmp traps' you are referring to Gaia traps which is mainly related to the OS level.
To get ClusterXL traps you need to check the Check Point MIBs (in software...
Wow! tricky one... keep us posted please.
Thanks for sharing.
Did you check LACP that hash policy and rate matches in both switches and FWs?
What's the output of "/proc/net/bonding/bondx" on each of your bonds?
Hi Laf,
Unfortunately my experience with Ironport is quite basic, but from what I've seen so far it seems to be a more mature Web proxy solution.
As you might know, configuring Check Point as...
Interesting... did you check that the hardware clock is synchronised?
Check by issuing "date;clock"
Regards
Ed
Hi everyone,
I am currently working on a migration from a Cisco Ironport Web proxy into Check Point URL Filtering.
I just wanted to share the categories translation that I have used.
Happy...
Hi Gilbert,
Have you tried this:
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk107872
Regards
Ed
Hi Dom
I had a similar issue. I managed to fix it by installing the latest CPUSE on top of R77.20 and then removing the problematic hotfix through "installer uninstall"
Have a try and...
Hi Oerlikon,
You may need to configure the "Statically NATted IP" setting under Link Selection and set the address that the external firewall is presenting to the Internet. With this option the...
Hi cciesec,
Thanks for pointing me to some known issues and the related SKs.
Scary indeed...
Regards
Ed
Hi Val,
Can you point me to any official document (if any) that expands on this affirmation?
Not that I don't trust you =) but it would help me to liaise with some documentation requirements in...
Hi everyone,
I have recently received a requirement to install the latest R77.30 Jumbo GA HFA Take_205 over several units; these firewalls have a mixture of different blades (FW, VPN, IA, App &...
Hello there,
My two cents:
Have you tried a longer period? Let's say 5 minutes?
As far as I know cron has a 60 secs granularity; if the first iteration takes longer, both will fail.
From...
Hi Bill,
Any relevant log in the PEP log file? Start having a look at $FWDIR/log/pepd.elg
Regards
Ed
sk103839 is your best friend for this one...
If your firewalls are running R77.30, theoretically the hotfix is included already.
Regards
Ed
That's the problem with backups: they are platform dependent. If, for example, the interface names are different, the restore will fail.
That's why it's easier to rely on migrate export/import.
Have a...
Hi Rick,
The easiest way is to take a migrate export from the 3050 and then migrate import in the VM. Make sure that the VM is running the same version, and also configure the same hostname. If...
That's great news!
Please let us know as soon as the public release is available. Perhaps EA for CPUG members? =) something like R80.10 now #JustSaying
Regards
Ed
Hi Sebastan,
I think this is not possible. I asked quite the same question to a CP support engineer some time ago and he said that Check Point does not have any quarantine folder or so.
You...
Hi Laf,
If your management is running R77.30 and Take_98 (or higher) is installed the command installed_jumbo_take should give you the information
Otherwise, cpinfo -y all can give you an...
Thanks for sharing Valeri. I didn't know this... Looks safer than enabling all and then filtering using grep.
Regards
Ed
As far as I know this feature is still unsupported
from sk61701 "CoreXL Known Limitations"
ID 00417888 "The following features/settings are not supported in CoreXL: ... 10. Virtual Tunnel...
I'm quite concerned after reading this post, especially considering that I just got a requirement to deploy HFA Take 205 in a large CP environment
Can I ask you if the CPUSE was updated before...
If you're replacing the standby unit, there shouldn't be a problem. The only thing I would think of is that the cluster is not configured properly.
It can be any of these if it's not configured...
So it's a piece of hardware. I thought it could be emulated using an external hard disk.
Great option anyways!
Thanks Valeri...
Interesting option... I haven't used it before... any particular tool that you would like to recommend to perform the DVD emulation? I guess a partition needs to be allocated just for the DVD emulation?
Apart from SecurID I have also integrated Check Point with Entrust IdentityGuard (https://www.entrust.com/products/entrust-identityguard/); it works pretty nicely.
I had the same issue with a couple of 5600 appliances. You're right, using the updated version of ISOmorphic fixes the issue.
Thanks for sharing ShadowPeak!
Regards
Ed
Thanks for your reply, but that's exactly the problem: these firewalls do not support the installed_jumbo_take command.
Hi everyone,
I have a mixture of R7X firewalls, most of them with no support for the [very nice] installed_jumbo_take script to get the right Jumbo HFA installed.
Does anybody know how to...
Snapshot will not work in the new one; backup is a better approach. However:
At a high level, the cleaner way is:
1. show configuration in the failed unit and save it in TXT format
2. Make sure that...
The question is "for free"?
I think Algosec products have (non-free) alternatives to get a full understanding in the "security policy" level (not in the rule level). Even though, it goes beyond...
Just be aware that Application Control is a subscription-based license, meaning that you need to renew it yearly.
Regards.
Thanks Uri,
Great workaround...
Object dumping needs a bit of clean-up, but it's good...
Regards,
Ed
I enabled Netflow one year ago over a couple of 13500 gateways (non-VSX, R77.10), both being monitored with Solarwinds and no issues reported so far.
The only tuning that I had to make, was to...
I would not recommend enabling debugs, as the CPU can easily increase to 100%, getting too busy even to stop the debugging.
In addition, SecureXL can make your statistics inaccurate as probably the...
Hi David,
I have a couple of customers running R80 SMS with R77.X gateways, no major issues on the gateway side so far.
If I were you I would go for option 2, especially if your deployment has...
Hi ba3113,
I agree with Valeri, changing the SMS name should be your last option. If the aim is to migrate the legacy SMS as well, you can survive for a while with the same name in both servers. ...
Hi everyone,
As per sk64501 Web visualization Tool is no longer supported on R80.
I guess the workaround is to make use of the new R80 API?? Does anyone know if there is any similar tool for...
Hello,
For all who are facing this issue, the solution was published last December 2013 at sk97517
...
Hi rafalario!
Congrats to you! Did you pass 156.315.1 or 156.315.65 (NGX-R65)??? Do you know how different they are?
Regards!
Download and Install the software:
See "Utilities and CP Apps" section in Index of /
Hi!
D is the correct answer. Read "Syngress - Configuring CheckPoint NGX" Chapter 6 - Page 167.
"Each time you manually block an intruder in SmartView Tracker, the
gateway adds an entry to...
Hi!
Read thread "New .vce based on testking 16.1 here!" by tdr125
Thank You karia!!!
Yes, my question is because I made a manual static NAT in a ClusterXL with HA. I configured the virtual MAC associated with the public server IP address but it didn't work. When I changed the virtual...
Hi all!
Thanks Northlandboy for sharing your experiences with us...
One more question regarding ARP: I have configured different clusters (HA & LB). The virtual MAC assigned to each virtual...
Any dropped packet in SmartView Tracker?
Hi Bekker
I don't know of any version of SecureClient for Windows Mobile 5 in the Checkpoint suite of products; however, AnthaVPN supports it...
Greetings