CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.



Type: Posts; User: bhavinjbhatt


  1. Re: R77.30 to R80.10 Management/SmartEvent upgrade

    Hi Mate,

    I have made the following suggestions
    1. Move from Smart 1-205 to Smart 1-405
    2. Move from Smart 1-205 to on premise VM infrastructure
    - Split out the Management blades on to 2...
  2. Re: R77.30 to R80.10 Management/SmartEvent upgrade

    Thanks Tim, that info is gold dust.
    Will update on how i get on.

    Cheers
    Bhav
  3. R77.30 to R80.10 Management/SmartEvent upgrade

    Hello Experts,

    I have a very interesting one at hand. A customer has a Smart 1-205 on R77.30 running Management, Logging and SmartEvent ....tell me right, whoever put this must have been on...
  4. Replies
    5
    Views
    695

    Re: Signs that a RAM upgrade is required

    Unfortunately they don't, just complained about policy push timeouts and packet drops on the firewall, as well as loss of connectivity to the firewall until reboot.
    Thanks
    Bhav
  5. Replies
    5
    Views
    695

    Re: Signs that a RAM upgrade is required

    Thanks Tim,

    That is helpful. I will follow this as well as the firewall health check script :-)

    Cheers
    Bhav
  6. Replies
    5
    Views
    695

    Signs that a RAM upgrade is required

    Hi Experts,

    Someone suggested to a customer that the 12400 appliance needs a RAM upgrade from 8GB to 12GB, but i need to quantify that.

    I am after a list of commands and outputs that would tell...
  7. Replies
    2
    Views
    798

    The Old Guard at CPX360 Barcelona

    Hello All,

    So I attended Check Point CPX360 in Barcelona and had the fantastic pleasure of meeting some of my online mentors @Eric Anderson, @Phoneboy, @ShadowPeak and Vallerie..

    Please find...
  8. Replies
    1
    Views
    722

    HA Upgrades in 1490 appliances

    Hello Experts,

    Something very weird happened today with a 1490 HA pair.
    I logged in to check the code versions on the appliances and somehow kicked off an upgrade.
    Funny thing is, one appliance...
  9. Replies
    11
    Views
    1,790

    Re: Upgrading Check Point 1490 cluster

    Hi All,

    So this is how i got around it. say the cluster has member fw1 and fw2. I took fw2 down and upgraded fw1 from webui. once done and tested. I took down fw1, brought fw2 up, and upgraded...
  10. Replies
    2
    Views
    735

    IPS Profile and SmartEvent

    Hello Experts,

    I have a customer who wants to generate IPS profile specific reports from SmartEvent. Unfortunately this is not described in the SmartEvent admin guide.

    The second question is,...
  11. Replies
    11
    Views
    1,790

    Re: Upgrading Check Point 1490 cluster

    Hi All,

    It is just a minor update from r77.20.x to r77.20.y, not sure what the minor versions are at this point. but the fact that it is a locally managed cluster, i am not sure how to apply the...
  12. Replies
    11
    Views
    1,790

    Re: Upgrading Check Point 1490 cluster

    Hi All,

    Apologies for not writing clearly. The Check Point 1490 cluster is locally managed.

    So smart update isn't an option. Also, the upgrade wizard doesn't have 1490 or any SMB appliances in...
  13. Replies
    11
    Views
    1,790

    Re: Upgrading Check Point 1490 cluster

    Hi PhoneBoy,

    appreciate the quick reply, unfortunately, i can't seem to find the upgrade option in the standby Firewall webui ? does this need to happen from CLI ?

    Thanks
    Bhav
  14. Replies
    11
    Views
    1,790

    Upgrading Check Point 1490 cluster

    Hi All,

    i have a customer with a Check Point 1490 cluster locally managed.

    It is in need of an upgrade, what is the best procedure to upgrade ? do i just download and upgrade the Active member...
  15. Exporting Objects from Management Server

    Hello Experts,

    Is there a way to export the objects created in Smartdashboard to an excel sheet ?

    Thanks
    Bhav
  16. Replies
    2
    Views
    726

    Re: Licensing issue

    Hi All,

    a bit more googling led me to this

    https://www.youtube.com/watch?v=69eIfbTBPPU

    hope this helps r80 noobs like me ;-)

    Thanks
    Bhav
  17. Replies
    2
    Views
    726

    Licensing issue

    Hi All,

    I have setup a r80.10 security management server and am trying to apply an eval license. but cannot find smartupdate or anything similar.

    I googled and found the below, but cannot find...
  18. SmartEvent/Management/EndPointSecurity Server

    Hi Experts,

    There is a customer with a Smart1-210 running Management Blade, SmartEvent/SmartReporter , and EndPoint Security Management Server. (i am pulling my hair out already)

    They want to...
  19. Re: Configure STAR or MESH VPN Communities on Check Point 1100

    Thanks for the response mcnallym. So basically a locally managed 1100 appliance can only participate in a star community, it being spoke and other being hub ?

    Thanks
    Bhav
  20. Configure STAR or MESH VPN Communities on Check Point 1100

    Hi All,

    I need to configure STAR or MESH VPN Communities on Check Point 1100 cluster, but cannot find any documentation or tabs on the webui to do so.

    All you can do is enable site to site and...
  21. Re: R77.30 Jumbo HFA 216 not seen in installer

    cpinfo -y all
  22. Re: Cluster in a Lab environment (cluster not working)

    Run fw ctl zdebug drop and look for anti-spoofing drops, cause you might need to update anti-spoofing, also, make sure you have a NAT rule that nonats all the interface networks to interface network,...
  23. Re: Moving from Smart-1 appliance to Virtual

    Hi Mate,

    Please follow the below steps.

    1. Fresh install of the VM with same Gaia r77.30, add the latest jumbo HFA.
    2. Make sure all system level Gaia configs are the same on VM and appliance....
  24. Replies
    1
    Views
    886

    Migrate or Export Endpoint Server

    Hello Experts,

    Want to move Endpoint Server from a Smart 1-210 to a VM.

    But can't seem to find anything straightforward like a good old migrate export that we use for Management Blade..

    The...
  25. Replies
    3
    Views
    1,100

    VPN Tunnel issues

    Hello Experts,

    I am trying to assist a customer set up VPN tunnels, but struggling. I have got a work around, but it's less than ideal.

    The scenario....

    One Management Server manages 2...
  26. Re: Management Server sits behind NAT - SIC issues

    Thanks Gents, i will test the suggestions and come back to you.

    My assumption was that something needed to be done in the masters file and a few changes via GUIdbEdit...but this is easier.

    I...
  27. Management Server sits behind NAT - SIC issues

    Hi All,

    I have a management Server with a private IP address and it sits behind a firewall and is NAT'ed to a static public IP.

    It is then trying to establish SIC with a gateway(gateway has...
  28. Replies
    1
    Views
    1,022

    connection tables in the firewall

    Hello Experts,

    What is the difference between connections and concurrent connections ?

    How do you distinguish between the connection number outputs from the below

    fw ctl pstat
    fw tab -t...
  29. Re: moving logs from one mgnt server to another

    Thanks mcnallym :-)
  30. moving logs from one mgnt server to another

    Hello Experts,

    I have a task to upgrade a Smart 1-5 from splat r75.20 to gaia r77.30.

    check point configs will be exported using migrate export, but i dont want to include the logs as they are...
  31. Replies
    2
    Views
    1,211

    setting up a sandblast lab on vm

    Hello Experts,

    Has anyone set up a vm lab for sandblast ? any chance i could get some advice on setting up a lab ?

    cheers
    Bhav
  32. Replies
    0
    Views
    623

    setting up endpoint server

    Hello Experts,

    I was after some advice on setting up an endpoint server on vm at home.. i have read the sk108375.
    so i build a management appliance on vm, and then apply the add-on from the sk...
  33. Re: Smart 1-205 Policy installation takes too long

    Hi All,

    Just to clarify this is a Smart1-5. and having taken a closer look at the utilization, seems like RAM could be an issue.

    I am considering two options here, due to clients cost...
  34. Smart 1-205 Policy installation takes too long

    Hello Experts,

    I have a customer who use a Smart -1 r772.0 to push policies to their checkpoint devices... but the policy installation takes 7-10 minutes... you literally push the policy and go...
  35. Re: console putty session to Check Point 620

    Thanks Abusharif... for all those who need information of the full range of CP products...here you go
    ...
  36. console putty session to Check Point 620

    Hello All,

    Does anyone know what settings to use for console putty session to Check Point 620 ?

    I used the standard 9600, but that doesn't work, i just get funny characters ...

    cheers
    Bhav
  37. Re: How to forward directed broadcast traffic for wake on LAN

    Thanks for pointing me in the right direction. I had seen these SKs, but was a little confused after reading ...
  38. How to forward directed broadcast traffic for wake on LAN

    Hello Experts,

    Was wondering if anyone has configured forwarding of directed broadcast traffic for wake on LAN ?

    many thanks in advance.

    cheers
    Bhav
  39. Thread: 41k admin

    by bhavinjbhatt
    Replies
    2
    Views
    1,435

    Re: 41k admin

    Many thanks for clarifying all that Abusharif.

    In the second question, i meant clish, but have figured out that Clish is also for the local SGM and GCLISH for all SGMs.

    you can enter clish, and...
  40. Thread: 41k admin

    by bhavinjbhatt
    Replies
    2
    Views
    1,435

    41k admin

    Hello Experts,

    I have been tasked with helping a client in migrating traffic to 2 41000s...as most, this is the first time I will touch them, so started by reading the ATRG. Following which, I had...
  41. Replies
    7
    Views
    2,041

    upgrading Nokia IP 290 VRRP cluster

    Hello Experts,

    I am looking to upgrade a Nokia IP 290 VRRP cluster from 77.20 to 77.30, has anyone got any tips on how to proceed with this... i have limited knowledge of Nokias...and would e...
  42. Replies
    2
    Views
    1,271

    Re: Nokia IP290 Upgrade

    Thanks Phoneboy, that helped....for anyone looking for a quick answer, this is the sk referred...

    ipso[admin]# clish
    ipso:1> show asset software

    Flash-based systems will display the model...
  43. Replies
    6
    Views
    1,803

    Re: Firewall ports open

    Hiiya,

    it is just a nmap scan ( intense scan)... picks up tcp 7070 and 554...

    Also, noticed 564 picked up, something to do with remote access topology...

    cheers
    Bhav
  44. Replies
    2
    Views
    1,271

    Nokia IP290 Upgrade

    Hi All,

    I have a Nokia IP290 that needs to be upgraded, but when i use the upgrade wizard, it asks me whether it is IPSO Disk based or flash based...

    How do i check this ?

    Also, does...
  45. Re: Backup rulebase, objects and logs - R77.30 Gaia

    on smart-210
    1. save gaia config from clish
    2. download latest migrate tools, extract in a temp directory
    3. run migrate export filename.tgz
    4. copy gaia config and filename.tgz off the box
    ...
  46. Replies
    6
    Views
    1,803

    Re: Firewall ports open

    Hi there,

    With regards to Securemote, a CP engineer on chat told me so.

    as for the scan, i was doing it via an ISP...

    so not sure

    cheers
    Bhav
  47. Replies
    6
    Views
    1,803

    Firewall ports open

    Hello Experts,

    I have done a nmap scan on my checkpoint 4400 running r77.30 , and even though there is a stealth rule, am getting the below ports open...

    554/tcp open rtsp?

    7070/tcp open ...
  48. Migrate from Windows to Gaia - Management Server and SmartEvent

    Hello Experts,

    I have been tasked with migrating from Windows to Gaia. The client has got a Management Server, log server and SmartEvent Server built on a single Windows Machine :-( :-(

    I need...
  49. Replies
    3
    Views
    961

    Re: Data Loss Prevention

    Thanks for your response. I was reading about user Agents, any way I can pick your brains on that ?

    cheers
    Bhav
  50. Replies
    3
    Views
    961

    Data Loss Prevention

    Hey Experts,

    One more from me, anybody done a DLP deployment and has step wise configuration that I could benefit from ?

    Would really appreciate a step by step on DLP configuration as well as...
  51. Replies
    0
    Views
    620

    RemoteAccess - SecuRemote

    Hello Experts,

    Needed some quick advice on setting up remote access for SecuRemote (e80.50)

    I cannot seem to find a step by step gateway configuration guide for setting up remote access on...
  52. Thread: CCSM R77

    by bhavinjbhatt
    Replies
    24
    Views
    13,579

    Re: CCSM R77

    Hi ShadowPeak,

    Many thanks for the info... by the way, treated myself to your book, awesome material :-)

    Just out of curiosity, there doesn't seem to be much awareness for CCSM ? it is the top...
  53. Management Interface on Security Management Server

    Hello Experts,

    I am playing with a management server, trying to dedicate one ip port for smartdashoard connections, one ip port for policy push and a 3rd ip port to receive logs. is this possible...
  54. Replies
    7
    Views
    2,223

    Re: VSX Licensing

    Hi Budd,

    These boxes are lab kit provided by CP to the client.

    But your suggestion did work.

    cheers
    Bhav
  55. Thread: CCSM R77

    by bhavinjbhatt
    Replies
    24
    Views
    13,579

    Re: CCSM R77

    Hi there,

    Was just curious how we can find the number of CCSMs in the world currently. I am doing mine soon and wondered how many of us there will be ?

    Cheers
    Bhav
  56. Replies
    7
    Views
    2,223

    Re: VSX Licensing

    Thanks Abusharif, will test it out and holla back if any queries...

    Thanks again
    Bhav
  57. Replies
    7
    Views
    2,223

    VSX Licensing

    Hello Experts,

    Happy New Year to all.

    I needed guidance on how to license the VSX gateways... i have these 4800s, which have no license on them, but i want to generate trial licenses for them...
  58. Clustering VS's sitting in separate VSX Gateways

    Hi All,

    I needed some guidance/help with clustering 2 VSs that sit on two separate VSX Gateways.

    Any information/limitations/restriction around this would be highly appreciated.

    Thanks
    Bhav
  59. Re: importing cisco config as a new policy into an existing database

    Hello Gents,

    Thanks for the input. seems like i might be doing things manually, as the confwiz tool doesn't support Cisco ASA version 8.4... see below

    C:\Program Files...
  60. importing cisco config as a new policy into an existing database

    Hi All,

    I am trying to convert a Cisco ASA config, into a Check Point policy, and then import it into an existing Security Management Server.

    Has anyone done this, or can anyone help me with...
  61. Re: routing between 2 separate star communities on a gateway r77.20

    Hi Mcnallym,

    I thought hub mode applies only to remote access... our current scenario is to do with only lan to lan vpn tunnels.

    cheers
    Bhav
  62. Re: routing between 2 separate star communities on a gateway r77.20

    Hello Mcnallym,

    Thanks for the detailed response. I have done exactly how you have described above. Only thing i might be missing, is enabling hub mode on center gateway, how is this done ?
    ...
  63. Re: routing between 2 separate star communities on a gateway r77.20

    Hi All,

    Thanks for the responses, but i thought maybe attaching some details might help.

    Please refer to diagram.

    I couldn't get the attached config to work. No idea what needs to be done, in...
  64. routing between 2 separate star communities on a gateway r77.20

    Hi All,

    I have a gateway, that has two separate vpn tunnels to separate satellites ( each using it's own star community)

    I need to be able to route traffic from one satellite gateway to the...
  65. Replies
    2
    Views
    1,065

    Building VSX in VMWare Lab

    Hi All,

    I was wondering if anyone could guide me or point me in the right direction for lab'ing up a VSX setup on my laptop.

    I tried google and cp website, mostly stuff on its architecture etc ,...
  66. Re: IPSEC tunnel to a gateway with dynamic ip address

    Hi Mcnallym,

    Both firewalls are 4200, with on box management...

    Thanks
    Bhav
  67. IPSEC tunnel to a gateway with dynamic ip address

    Hello Experts,

    I have a requirement to configure a lan to lan tunnel between two checkpoints, where one has a static ip address and the other has a dynamically assigned ip address.

    Is there a...
  68. ports required from Management server to Gateway

    Hi All,

    What ports need to be opened on a firewall sitting between a Management server and a gateway ?

    Thanks
    Bhav
  69. migrate export from secondary security management server

    Hello Experts,

    I had a 4800 cluster running management and security gw. the primary failed and i had to migrate export from secondary security management server.

    I used this sk65360, and tried...
  70. Replies
    1
    Views
    1,139

    SmartEvent Server

    Hi Experts,

    I am trying to build a SmartEvent server but really struggling, has anyone done it and what would you advise for the below questions

    1. How do you build a SmartEvent server on vm ?...
  71. Replies
    4
    Views
    1,152

    Re: Changing from Standalone to cluster

    Thanks for the response EricAnderson.

    Here is what i did.

    1. Created a database rev ctrl
    2. created the cluster obj with another ip address.
    3. did a get topology and populated all the vips...
  72. Replies
    4
    Views
    1,152

    Changing from Standalone to cluster

    Hi All,

    I need to migrate a standalone gateway into a cluster, while maintaining all the original ip addresses as VIPs.

    How do i approach this change on the Management server's smartdashboard ?
    ...
  73. Re: Migrating Cluster from one Management Server to another

    Hi Mcnallym,

    Thanks for the quick response. i have already followed/read the above in the SKs and pdf.

    My question was around the resetting of SIC in cluster, do i reset the SIC to both...
  74. Migrating Cluster from one Management Server to another

    Hi All,

    I have migrate exported config from an existing Management server, and built a new box with a new hostname and ip address, following the relevant ip change and hostname change procedures....
  75. Replies
    7
    Views
    1,642

    Re: 4600 cluster hitting 80% cpu

    Hi Shadow Peak,

    On a separate note, what is the best way to find out connection rate, throughput ( packet rate) ?

    Cheers
    Bhav
  76. Replies
    7
    Views
    1,642

    Re: 4600 cluster hitting 80% cpu

    Hi Budd,

    Here you go

    ===================================================================

    [Expert@bhav]# fwaccel stats -s
    Accelerated conns/Total conns : 1501/10226 (14%)
    Accelerated...
  77. Replies
    7
    Views
    1,642

    Re: 4600 cluster hitting 80% cpu

    This is what top says, and i have added some other fw accel related things too

    ========================================================================

    top - 14:29:04 up 7 days, 16:59, 1 user,...
  78. Replies
    7
    Views
    1,642

    Re: 4600 cluster hitting 80% cpu

    Hi Mate, here is the output for sensors

    [Expert@bhav]# cpstat -f sensors os


    Temperture Sensors
    ---------------------------------------------
    |Name |Value|Unit |Type |Status|...
  79. Replies
    7
    Views
    1,642

    4600 cluster hitting 80% cpu

    Hi All, I have a 4600 cluster hitting 80-90% cpu. it is running Gaia R75.47. I have applied the latest HFA to it. and also increased the connection limit to 40000. but it is still hitting high cpu....
  80. Replies
    8
    Views
    3,350

    Re: Zero downtime upgrade?

    Hi ShadowPeak/Mcnallym,

    When you upgrade the standby to the latest code and push a policy to it and not to the Active, by changing the version on the cluster object, how does failover happen, do i...
  81. Replies
    4
    Views
    1,069

    Re: Gateway serving as IDS

    Hello Experts,

    Thank you for the quick and helpful response.

    Here is the sk88980 that outlines configuration.

    Cheers
    Bhav
  82. Replies
    4
    Views
    1,069

    Gateway serving as IDS

    Hi Experts,

    I was wondering if anyone has setup a Security Gateway to just listen on a SPAN port and act as an IDS ?

    Not sure how it would work ? have done IPS when traffic is flowing through...
  83. URL filtering, HTTPS Inspection, HTTP/HTTPS Proxy

    Hello Experts,

    I have a client who wants the security gateway to act as a HTTP/HTTPS Proxy, and at the same time they want URL filtering and HTTPS Inspection turned on.

    I cannot seem to...
  84. Re: Security Gateway vs Management server version compatibility

    Thank you Gents, I shall proceed accordingly.

    Cheers
    Bhav
  85. Security Gateway vs Management server version compatibility

    Hi All,

    I needed to know if a r77.20 gaia gateway can be managed by a management server running on r75.47 ?

    please advise.

    thanks and regards
    Bhav
  86. Migrate a Management Server from Stand Alone to a new HA setup of Management server.

    Hello Experts,

    I have a very difficult and interesting task at hand.

    Need to migrate from stand alone R75.47 Smart 1-5 management server to a HA pair of Smart 1-225's , with different host name...
  87. Re: Management server migration from R75.47 Smart-1 5 to r77.20 Smart-1 225

    Hi Mcnallym,

    I have a question, can you migrate export from one stand alone Smart1-5 management server, and then Migrate import into a new Management server (Smart 1-225) which is going to be part...
  88. Re: issues with using putty to re-image from usb

    Hello Experts,

    So I finally beat putty, by copying "serial" and right clicking as soon as I got the prompt and hitting enter.

    But the next issue i got was as shown in the screen shot attached....
  89. issues with using putty to re-image from usb

    Hi All,

    I am trying to re-image a smart 1-225 to R75.47 from usb ..

    I am consoled into the box using putty, but when it gets to the boot bit where it asks you for local,vga or serial...

    i...
  90. Replies
    9
    Views
    1,884

    Re: Change firewall own IP address

    Hi Kitty,

    Change the ip addresses directly on the firewalls, and then do a get topology on the cluster from Smartdashboard.

    Double confirm the anti-spoofing settings before and after the get...
  91. Re: Replace existing FW with Checkpoint FW with less outage as possible

    Hi Mate,

    Apologies for the delay in replying.

    I would suggest you request a bigger change window.

    As for the Traditional VPNs, try migrating them beforehand to simplified, makes life a lot...
  92. Re: Replace existing FW with Checkpoint FW with less outage as possible

    Hi Mate,

    Apply the Jumbo fix for r77.20, i have done a few places.

    I used to be of the opinion of only applying hotfixes that you need, but lately have just started applying the jumbo hot...
  93. Re: Firewalls not sending Logs to Management Server after disk went full

    Hi Mate,

    This worked, but i had to do an install Database for every change.

    Thanks a lot man :-)

    cheers
    Bhav
  94. Re: Replace existing FW with Checkpoint FW with less outage as possible

    Hi,

    I am just entering this conversation to share some of my past experiences

    1. i would avoid a big bang if possible, you cannot avoid downtime. Make sure you have a green zone time to do the...
  95. Replies
    5
    Views
    5,451

    Re: OPSEC LEA forwarding to Log Rhythm

    Hi Mate,

    I have already done all of the above.

    But still cannot see the logs in logrhythm.

    looking at packet captures, i see only 4byte data being sent from CP Mgnt server to logrhythm...
  96. Replies
    5
    Views
    5,451

    Re: OPSEC LEA forwarding to Log Rhythm

    Hi Experts,

    I am also trying to get logrhythm to pull logs from the checkpoint management server which also acts as the log server, but don't seem to be getting anywhere.

    I have done the...
  97. Replies
    5
    Views
    1,773

    Re: troubleshooting traffic drops...

    Hello Gentlemen,

    It turns out that there was asymmetric routing, as a result we couldn't get it working.

    The server had two NICs, whereby the traffic was coming in through NIC1 and going out of...
  98. Replies
    5
    Views
    1,773

    Re: troubleshooting traffic drops...

    Hi Mate,

    Any clue about this though

    [Expert@vqb002005]# fw ctl zdebug drop | grep 10.0.5.47
    ;[cpu_0];[fw_1];fw_log_drop: Packet proto=6 10.0.2.51:51913 -> 10.0.5.47:443 dropped by...
  99. Replies
    5
    Views
    1,773

    troubleshooting traffic drops...

    Hi All,

    I have this server 10.0.5.47 that people are trying to get to, but cannot... i have the below logs, please assist....

    [Expert@vqb002005]# fw ctl zdebug drop | grep 10.0.5.47
  100. Re: Firewalls not sending Logs to Management Server after disk went full

    Hi Mate,

    Thanks for the quick response, but aren't there any other subtle fixes ?

    cheers
    Bhav
Results 1 to 100 of 150