CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.



Type: Posts; User: syn-ack


  1. Replies
    20
    Views
    3,910

    Re: 80.10 problems on ESXi 6.5

    I know this is somewhat old, but it came up via Google so I wanted to make note.. Check Point has released sk126473 in regards to this. Long story short, use Virtual Machine Version: 10.
  2. Re: exclude a server from anti-spoofing protection?

    Very good. Let us know how it goes! :)




    Ahh, I wasn't aware of that limitation. Thanks for the info.
  3. Re: exclude a server from anti-spoofing protection?

    I suppose one way would be to sit the Websense server on its own subnet, and turn anti-spoofing off for the interface sitting on that subnet.

    That said, can't you interface Websense with your...
  4. Replies
    9
    Views
    4,752

    Re: Anti-Spoofing: Useful or pain in the ***?

    I concur. It is, as someone else mentioned, a pretty vanilla feature. All it does is make sure the IP ranges coming into an interface should be coming into that interface. In general, non WAN...
  5. Replies
    8
    Views
    3,857

    Re: GAIA + Stactic Routes

    I am setting up several new 12000 boxes with GAIA, and when doing so did not set a default route... I could be mistaken, cause I've physically moved the new equipment to a new lab section and have...
  6. Replies
    12
    Views
    4,831

    Re: Check Point R75.45 Released

    Damn, you've got some pull with CP!! ;)
  7. Replies
    12
    Views
    4,831

    Re: Check Point R75.45 Released

    You are correct... From the overview URL I linked above Software Download Matrix is lists:

    2012 Models Appliances
    Data Center Appliances
    UTM-1 Appliances
    IP Appliances

    But it is not listed...
  8. Replies
    12
    Views
    4,831

    Check Point R75.45 Released

    Just saw this in my Google+ stream at https://plus.google.com/104254744289815391235/posts/Ks2bq5LaLT3

    More info at...
  9. Replies
    23
    Views
    11,784

    Re: Check Point R75.40

    I was in the tech room for one of the demos, it was by an older gentleman on some of the CLI vs. Web GUI usage.

    How about that AccessIT booth though!! (Not sure if you were able to peruse the expo...
  10. Replies
    3
    Views
    1,789

    Re: Check Point SmarLog

    At CPX they kept saying it used "Google-like" search.. If that is true, you might be able to negate something by prefixing it with a minus sign.

    -drop
    -1.1.1.1

    Of course, I am just guessing, I...
  11. Replies
    23
    Views
    11,784

    Re: Check Point R75.40

    Our support used to be through Fujitsu, and as for tech support they were always great. Sales support on the other hand was non-existent.

    Now, enterprise wide, we use Accuvant. So far I have only...
  12. Thread: Wipe a Nokia

    by syn-ack
    Replies
    4
    Views
    1,536

    Re: Wipe a Nokia

    Remove the drives, attach them to a system with a CDROM drive, download and burn DBAN to a CD, and wipe the disks using your preferred wiping standard, DBAN supports several.
  13. Replies
    23
    Views
    11,784

    Re: Check Point R75.40

    But why would ya do that!?!? ;)

    Just got back from CPX 2012 yesterday, I live in Florida so it was only a short drive.

    What we were shown of Gaia was very strong looking, and having come back...
  14. Replies
    24
    Views
    8,927

    Re: What happen to Checkpoint Website

    The hostname usercenter.checkpoint.com is resolving to 194.29.38.11 for me.
  15. Replies
    2
    Views
    1,073

    Re: Disabling VPN Module

    Thanks for the reply dsb.nepo, and thanks for the link to CPrules... I have not used that before, but it looks like a great tool not only for doing this cleanup, but for keeping rules well...
  16. Replies
    2
    Views
    1,073

    Disabling VPN Module

    Okay, just wanted to get some input from fellow cp admins before doing this, to see if there is anything I'm missing.

    We are currently running NGX R62 on IPSO platform. Yes, I know these are old....
  17. Replies
    4
    Views
    1,779

    Re: FTP port redirect issue

    You're not by chance using ftp with a resource, such as GetOnly or PutOnly?
  18. Replies
    16
    Views
    6,434

    Re: SQLNET through FW1

    I think we are having issues as well, but due to timeout mismatches between the firewall and Oracle. I've read that SQLNET has a default timeout of 2 hours, and Check Point times out at 1. So the...
  19. Replies
    7
    Views
    2,437

    Re: FTP Secure is blocked

    And things like PCI-DSS say you must do both! Transport and data at rest.... Depending of course, on the data.
  20. Replies
    7
    Views
    2,970

    Re: Upgrade Import Issue in SPLAT

    Using certain tftp servers will limit the file size transfer to 32 meg. So if you have a file larger than that, it will end the transfer before it is really finished, leaving you with an incomplete...
  21. Replies
    6
    Views
    2,841

    Re: Aggregated EtherChannel Interface Errors

    What I have found, I believe, is the following.

    The qdrops are caused when the NIC processor attempts to hand off the packet to the firewall itself for rule processing. If the firewall is too...
  22. Replies
    6
    Views
    2,841

    Re: Aggregated EtherChannel Interface Errors

    Very nice command! That'll be going in my cheat sheet!

    Here is the output:
    ifphys:eth-s3p1:errors:in = 3684
    ifphys:eth-s3p1:errors:out = 0
    ifphys:eth-s3p1:errors:collisions = 0...
  23. Replies
    6
    Views
    2,841

    Re: Aggregated EtherChannel Interface Errors

    I just checked solarwinds to see what the history looked like. 50% of the errors were from last night. Previous to that, there have been no errors for over a month, which is as far back as my data...
  24. Replies
    6
    Views
    2,841

    Aggregated EtherChannel Interface Errors

    I have two gig fiber ports that I have set up as an aggregated port. The AE interface itself shows no errors, but the physical ports themselves do. I'm not sure if the errors are normal, just part...
  25. Replies
    3
    Views
    2,846

    Re: IPSO Port Aggregation

    Performed the interface migration this weekend on firewall 1 of 4, and everything went well save one exception...

    I recreated VRRP and moved from Legacy VRRP to the New Simplified VRRP, and in...
  26. Replies
    3
    Views
    2,846

    Re: IPSO Port Aggregation

    Yeah, that is what I have done.. I've got 11 logical sub interfaces configured and tagged under the aggregated link... I was just curious why the first logical interface cannot be tagged as well.. Of...
  27. Replies
    3
    Views
    2,846

    IPSO Port Aggregation

    So....

    I am moving our 14 fa copper interfaces on our 530's to a bonded setup using our 2 gig fiber interfaces. The process as I see it so far is as follows:


    Create the aggregated link, and...
  28. Replies
    4
    Views
    2,516

    NAT Rule 0 from External vs. Internal

    I have what is, an oddity... It seems...

    We need to let a client through on a particular port, that happens to be one of the Firewall-1 ports, for ICA... However, the destination is not the...
  29. Replies
    5
    Views
    4,883

    Re: Cisco Redundant Cores / STP / Nokia VRRP

    Okay, so... The more I am reading, it doesn't look like using the layer 3 switching capabilities of my 4500's will work for us, since all internetwork traffic must pass through our check point...
  30. Replies
    5
    Views
    4,883

    Re: Cisco Redundant Cores / STP / Nokia VRRP

    Wow.. Thanks for the detailed response! I've some follow-ups as well..



    So, if I understand you correctly it would go something like this..

    Set up vlans on primary:
    vlan1
    ip address...
  31. Replies
    5
    Views
    4,883

    Re: Cisco Redundant Cores / STP / Nokia VRRP

    Sorry, I edited the post to be more clear... Hopefully.....
  32. Replies
    5
    Views
    4,883

    Cisco Redundant Cores / STP / Nokia VRRP

    Need some advice as I've never attempted the below configuration.

    We have two Cisco 4506 switches which will be used, eventually, as our core switches. I would like to set them up in redundant...
  33. Thread: Why Windows?

    by syn-ack
    Replies
    3
    Views
    1,119

    Re: Why Windows?

    Some people are afraid of CLI type OS's I guess... I'm a big Windows guy myself, but even I know when to say when... Run CheckPoint on a Windows platform, no way... Especially not when there is this...
  34. Replies
    11
    Views
    5,079

    Re: Checkpoint Install on IPSO 3.9

    I've got two 440's running 3.9/R62 in my test environment. No issues...
  35. Replies
    1
    Views
    1,607

    Re: Database revision control error

    Failed to create object, or failed to create database revision? If the second option, then you might need the fixed gtar library...

    Change paths though for your version..
    ...
  36. Replies
    6
    Views
    2,067

    Re: Inbound NAT Works, outbound Doesn't?

    Move the NAT rule for this particular object above the NAT rule for the regular hide NAT.
  37. Replies
    6
    Views
    2,895

    Re: What happened to CPEthereal?

    That is odd, not sure on that... Perhaps Gremlins.... ::: yikes :::


    Glad to share! =D
  38. Replies
    6
    Views
    2,895

    Re: What happened to CPEthereal?

    In Wireshark go Edit > Preferences > Ethernet and check "Attempt to interpret as Firewall-1 Monitor File".
  39. Replies
    6
    Views
    2,895

    Re: What happened to CPEthereal?

    Just get wireshark.

    Wireshark: Download
  40. Replies
    2
    Views
    1,581

    Re: Script problems running under cron

    Did you try chmod 777 the backup job file?

    And just in case you have not added it, add the below to your script, before it executes commands:

    . $cpdir/tmp/.CPprofile.sh
  41. Thread: Log file size

    by syn-ack
    Replies
    10
    Views
    2,403

    Re: Log file size

    The script is all above in the included post, as well the quote post by you... You can edit it in notepad or any text editor, but like said it will probably require some changes to make it work...
  42. Replies
    4
    Views
    1,570

    Re: best way to manage gateway

    I'd also recommend selecting installation targets specific to that policy.

    In the policy for firewall1 go to the menu up top, Policy>Policy Installation Targets and add only firewall1 to the right...
  43. Replies
    14
    Views
    2,973

    Re: Advices for Checkpoint or nokia clustering

    Thanks cciesec2006, that's definitely good info to have... I will be sticking with my nicely working Legacy VRRP... :)
  44. Replies
    14
    Views
    2,973

    Re: Advices for Checkpoint or nokia clustering

    cciesec2006, Can you share some more info on what is buggy about the new Simplified VRRP? I am still using Legacy VRRP on my 530's, and have really had no intention on switching to Simplified, but I...
  45. Replies
    14
    Views
    2,973

    Re: Advices for Checkpoint or nokia clustering

    One problem with clustering though is troubleshooting. You have no way to know which box is going to pass what traffic. So you have to run captures on both...
  46. Thread: Log file size

    by syn-ack
    Replies
    10
    Views
    2,403

    Re: Log file size

    I have not run a Windows platform Check Point system in years.. But here is some stuff that can maybe get you started... Not sure if this works with your version or not, so some testing would be...
  47. Replies
    14
    Views
    2,973

    Re: Advices for Checkpoint or nokia clustering

    Don't waste time with IPSO clustering.. It is a PITA and can make troubleshooting difficult.. VRRP is the way to go IMO...
  48. Replies
    4
    Views
    1,865

    Re: Splat admin webpage hangs

    I would at least try restarting the browser afterwards. The WebGUI definitely will not work with that option enabled. It will hang just as you've explained in your situation.
  49. Replies
    4
    Views
    1,865

    Re: Splat admin webpage hangs

    Are you using IE7 by chance? If so Turn off "Enable XMLHTTP support" under Internet Options -> Advanced.

    This will have some adverse effects, one of which I noticed was it disables Ajax features...
  50. Replies
    12
    Views
    4,578

    Re: NGX r65 Dashboard Slow

    My mgmt was running on an old 800mhz server until I just recently upgraded... Now running on dual 2.4ghz, 10k scsi drive, 2gig ram.. Before, just saving a policy would take about 3 minutes, and...
  51. Replies
    12
    Views
    4,578

    Re: NGX r65 Dashboard Slow

    What are your management server's specs?
  52. Replies
    3
    Views
    1,644

    Re: Nokia Platform high CPU util

    Yeah, the above log paste does little to help diagnose the problem.. Can you tell us how many conns you are averaging? Your topology and infrastructure basics? Is this a firewall only, or a log...
  53. Replies
    6
    Views
    2,053

    Re: NAT by Service Issue

    If you don't specify what the originator is doing, it will use the same original port...

    Meaning, if you specify a translation of an IP from inside to out, it will only NAT the IP, and the port...
  54. Replies
    6
    Views
    2,053

    Re: NAT by Service Issue

    Not that it answers your question, but there is no need to double up on your NATs... Only the initiating side needs a NAT... Meaning, if you have someone coming IN to you for a service, and you...
  55. Replies
    12
    Views
    6,431

    Re: Disable antispoofing for a subnet

    See this Thread: http://www.cpug.org/forums/topology-issues/5875-another-weird-anti-spoofing-issue.html#post24875
  56. Replies
    39
    Views
    17,431

    Re: database revision control problem

    Download from here:
    http://web.sitepros.net/stuff/gtar.1.15.zip

    Download will be slow, my server is getting hammered... But that is the one that worked for me...

    Then below to 'install' it......
  57. Replies
    9
    Views
    3,835

    Re: what is the prot range for service any

    I agree with chillyjim... ;)
  58. Re: How to find a rule which is not used for a period of time

    Umm... Use SmartView Tracker and filter by Rule number?
  59. Replies
    7
    Views
    13,357

    Log Backup/Archive Script

    Having moved my mgmt server from Windows, to SecurePlatform, I had to write some scripts for backing things up. I have a few more scripts to write, but thought I would share this one with everyone....
  60. Replies
    9
    Views
    3,835

    Re: what is the prot range for service any

    That only applies if you have multiple objects on the same port configured. If you set up, say, a tcp object called test1 and give it port 123 and then create test2 with the same port 123, the one that...
  61. Replies
    9
    Views
    3,835

    Re: what is the prot range for service any

    All ports... 1-65535... And any protocol, tcp/udp plus about 50 or so other protocols...
  62. Re: Telnet sessions seem to be freezing after key exchange

    I truly miss my AS/400 shop... I'm glad I've one at home to tinker with when I get bored...

    Never blame the AS/400!!! They are perfect! The best thing since sliced bread!!! lol... Sorta kidding......
  63. Replies
    6
    Views
    2,647

    Re: Dual core support with R65 on SPLAT 2.6

    I'm sorry, I should also clarify that this is a SPLAT box that runs only my SmartCenter (Management/Logging). Of which both of those benefit from the dual cpu's.

    On a side note, this new server is...
  64. Replies
    6
    Views
    2,647

    Re: Dual core support with R65 on SPLAT 2.6

    I'm running SPLAT on a 2 CPU Box.. Both are recognized, and both are used as you will see below...

    http://weblog.sitepros.net/stuff/splat_top.png
  65. Replies
    16
    Views
    5,256

    Re: SmartCenter and NAT

    Just curious if you have maybe tried this.. I have no idea if it will work, and have not tested it.. But....

    What about creating a host file entry on the machine connecting to the smartcenter...
  66. Replies
    14
    Views
    2,710

    Re: Writing Scripts (how to step by step)

    Oh and just as an FYI, the Nokia IPSO already has a fully functional and easy to use backup system that is available through its web interface.

    Config>Backup and Restore

    You can run them via a...
  67. Replies
    14
    Views
    2,710

    Re: Writing Scripts (how to step by step)

    It's a lot different if you're coming from a GUI based OS such as Windows... And it can and will likely be frustrating at first, but after some time goes by and you get used to it, you can fly...
  68. Replies
    14
    Views
    2,710

    Re: Writing Scripts (how to step by step)

    Ahh.. You're looking for how to create the script, not execute it... To create the script, login to your nokia via SSH... Then run VI, the unix text editor.. Now VI is a little different to use, so...
  69. Replies
    14
    Views
    2,710

    Re: Writing Scripts (how to step by step)

    Create your script, name and put it where ya want.. Then use the job scheduler through nokia voyager to execute it.. You can execute any *nix command through there... Or you could add it via CLI by...
  70. Replies
    14
    Views
    2,710

    Re: Writing Scripts (how to step by step)

    Are you trying to schedule the job to run? If so, a good first step would be the Job Scheduler in Voyager. Go to Voyager, login as admin, then go Config>Job Scheduler...

    Hope this helps..
  71. Replies
    16
    Views
    5,256

    Re: SmartCenter and NAT

    Ahh... Well, that is no good. I could think of some possible solutions, but I think they would be a mickey mouse way of doing things...
  72. Replies
    16
    Views
    5,256

    Re: SmartCenter and NAT

    Curious... Why?
  73. Replies
    16
    Views
    5,256

    Re: SmartCenter and NAT

    How about not nat'ing on the cisco, and instead give the management box the 4.2.2.3 address on one of its interfaces?
  74. Replies
    7
    Views
    1,876

    Re: How did I become Senior member?

    I wonder if comp.security.firewalls on usenet is active at all.. Have not checked in there for quite a long time...

    So far I'd agree, this is the best resource I know of, thanks to people like...
  75. Replies
    7
    Views
    1,876

    Re: How did I become Senior member?

    Any other decent forums besides here and the cp forums?

    And I agree, you seem to be pretty knowledgeable to me...
  76. Replies
    7
    Views
    1,876

    Re: How did I become Senior member?

    It's usually based on post count.. Once you reach a certain number of posts, your status changes...
  77. Replies
    2
    Views
    2,556

    Re: CCSA/CCSE Class in Orlando Feb 11th

    I live in Orlando, and can't fly... So I am interested in the courses... I'll submit the request for rejection later today...
  78. Replies
    3
    Views
    1,549

    Re: Nokia support website

    Comes up fine for me.. Still down for you???
  79. Replies
    10
    Views
    1,702

    Re: Connecting Smartcentre to corp n/w

    That right there is the answer.. In our environment we have one group that manages Windows boxes, another does *nix... The only way to keep both of them out, is to use SPLAT... Neither group would...
  80. Replies
    10
    Views
    1,702

    Re: Connecting Smartcentre to corp n/w

    Actually you lose another layer of security besides the GUI IP client list, a very important layer... If someone has access to that server, via rdp or whatever, then they have access to bypass the...
  81. Replies
    15
    Views
    6,447

    Re: How to install R65 HFA 02?

    Just to add a little advice..

    I would strongly consider running SmartCenter on SPLAT as well, rather than on Windows. It performs better, is easier to setup, backup, and recover with... And...
  82. Replies
    6
    Views
    1,685

    Re: Upgrading from R55 to R62

    I've heard about more issues with R65 than any other R6x version.

    I have a couple of my Nokia's on R62, and have had no problems as of yet.
  83. Replies
    12
    Views
    5,060

    Re: Firewall changes FTP filename?

    Me too my friend!



    We have actually put in place several methods for data transfer, since we are actually a datacenter that hosts over 130 different clients, we had to come up with ways to...
  84. Thread: easy one guys

    by syn-ack
    Replies
    4
    Views
    1,594

    Re: easy one guys

    Not sure exactly what you are talking about, since your question could mean several things... But there are a few ways to NAT a network, depending on what your purpose is.. You can create a network...
  85. Replies
    5
    Views
    1,434

    Re: Adding Public IP from different Ranges

    It has been a long time since I worked with CP on a Windows gateway.. But have you added a route for the external ip to the internal ip on the gateway?

    route add -p 207.123.123.123 mask...
  86. Replies
    10
    Views
    1,702

    Re: Connecting Smartcentre to corp n/w

    I would hope that your systems administrator understands the need to have a properly secured firewall management server, and part of that being that RDP is NOT used to access it in order to run the...
  87. Replies
    10
    Views
    1,702

    Re: Connecting Smartcentre to corp n/w

    ^ +1....

    As well you should secure that Windows server, which means disabling not only things like RDP for terminal services, but also the server service, workstation service, file sharing, etc......
  88. Replies
    3
    Views
    2,734

    Re: certification expiration

    I suppose my 4.0 cert needs some updating... ::: turns red :::
  89. Replies
    4
    Views
    1,364

    Re: So...... What's Your Config/Stats?

    Upgraded one of my clusters last night to R62... They are still typically running about the same CPU usage, although every once in a while will spike to 70-80%... But typically under 10%... However...
  90. Replies
    15
    Views
    5,684

    Re: Nokia IPSO 4.1 build 40 with NGx R65/HFA_02

    Thanks for the update... Let us know if there is anything further, especially since I have a couple boxes that I was planning to upgrade to R65..
  91. Replies
    15
    Views
    5,684

    Re: Nokia IPSO 4.1 build 40 with NGx R65/HFA_02

    Did you turn on logging for all your rules? If so, anything in Tracker?

    Also, did you tcpdump the internal interface and see traffic getting to it for https traffic?
  92. Replies
    6
    Views
    4,043

    Re: SPLAT 2.6 and network installation (PXE)

    mamakos, Kudos to you for keeping us updated on this!
  93. Replies
    13
    Views
    6,916

    Re: Differences between SPLAT and SPLAT Pro?

    For what it's worth coming from someone you have never met... Trust me as much as you can... After being deeply engrossed in this industry since its inception, there is a world of difference between...
  94. Replies
    13
    Views
    6,916

    Re: Differences between SPLAT and SPLAT Pro?

    There is a lot more to a piece of hardware, than what processor it is based on.
  95. Replies
    13
    Views
    6,916

    Re: Differences between SPLAT and SPLAT Pro?

    FWIW, given the budget for it, I would take an IBM server over a crappy Dell server any day... It's just unfortunate however, that budget does not always allow for such...
  96. Replies
    7
    Views
    2,236

    Re: backup question

    You can get away fine with just the upgrade_export from the Windows server, but just make sure you note your ip and any routes you have added to that box. Usually not a big deal, but in a large...
  97. Replies
    7
    Views
    2,236

    Re: backup question

    You should only need to run the upgrade_export on SmartCenter system, or if it is SPLAT the backup function would get the FW1 config, as well the system config, maybe saving you some setup time in...
  98. Replies
    4
    Views
    5,197

    Re: Directory Cleanup

    Actually I have done exactly that as a test... It looks like the export function just grabs everything under certain folders, including all of the old stuff I probably don't need.. The above listings...
  99. Replies
    4
    Views
    5,197

    Re: Directory Cleanup

    Also, here is one of several folders under ConversionCache:



    total 139900
    drwx------ 2 root root 12288 Jan 14 10:34 .
    drwx------ 8 root root 4096 Jan 14 10:34 .....
  100. Replies
    4
    Views
    5,197

    Directory Cleanup

    I've inherited someone else's work and would like to do some cleanup.

    The SmartCenter server has a lot of what looks like backup files scattered everywhere. Like renaming of objects and rules...
Results 1 to 100 of 108