CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.



 

Type: Posts; User: isharted

  1. Re: Checkpoint Smart-1 mgmt-server VS. Linux management server

    gaia is the way to go for sure. they have worked out any kinks early on. in the future, gaia will be your only option. regardless of that, i believe you'll have your best experience with it. it's...
  2. Replies
    16
    Views
    8,722

    Re: Schedule migrate export

    i would recommend using scp with key authentication so you don't need to store a password in plain text. other than that, this is what my script looks like
  3. Replies
    2
    Views
    2,822

    Re: VPN Phase 2 - Invalid ID Information

    sounds like a check point configuration issue with the encryption domain of the externally managed gateway (your sonicwall). ask the check point side to verify that config in the topology of that...
  4. Replies
    2
    Views
    896

    Re: verify NAT translation

    Disable SecureXL temporarily
    # fwaccel off
    # fw monitor -e "host(x.x.x.x) and port(yyy), accept;"
    (where x.x.x.x is the source or destination IP that is not being translated and yyy is the TCP or...
  5. Re: Checkpoint R76VS and cluster member failover

    the failover is happening because the cluster members are detecting a problem state or a lack of response. even if you change priority options or clustering types, a failover would still occur. you...
  6. Replies
    4
    Views
    1,619

    Re: licensing limit

    if i remember correctly, it won't let you push policy to anything if you have more than your licensed number of managed check point gateway objects defined.
  7. Replies
    3
    Views
    1,214

    Re: Nat i, I, o, O

    you can see where fw monitor fits in by showing the output of "fw ctl chain" while running fw monitor in another window -- this output changes based on the config you push from SmartDashboard

    if...
  8. Re: Cluster with two Dell R620s... can I add a third cluster member on a Dell R310 (H

    The first two things I can think of are CoreXL and interfaces. You have to have the same CoreXL configuration (which may need the same amount of cores, depending on your config) on every member. ...
  9. Re: Cannot open Smartdashboard on Window Smartcenter R65

    To answer your question, in Windows you can go to Start -> Run and type in services.msc

    That opens the console to manually start and stop windows services, one of which should be Check Point FWM. ...
  10. Re: Difference between Checkpoint Eventia/Cisco MARS/Juniper STRM and Arcsight/Envis

    as far as i know, Eventia is best suited for Check Point IPS logs. i don't even know if it takes in other vendors' data.

    juniper STRM is Q1 QRadar with juniper branding and an NSM-like (i.e....
  11. Replies
    7
    Views
    5,684

    Re: Manual NAT with local.arp not working

    can you post the contents of local.arp and the MAC address of the interface that should be responding to ARP requests?

    is this just a single firewall or a cluster?
  12. Replies
    20
    Views
    22,152

    Re: Check Point vs. Everyone

    I have supported several different vendors over the years. Here are my observations.

    Check Point
    Best central management by far, great troubleshooting tools with only a few annoyances...
  13. Replies
    8
    Views
    3,495

    Re: Checkpoint R77.10 release date

    they updated sk95746 on 12/30
    "R77.10 will be released by Jan 15, 2014 and will consolidate all previous releases."
  14. Replies
    3
    Views
    1,810

    Re: OpenServer as Data Center Firewall

    Are you looking for an HCL?

    http://www.checkpoint.com/services/techsupport/hcl/
  15. Re: S2S with different source encrypt domain, same destination encrypt domain?

    This is why RFC 1918 space should be avoided for site-to-site tunnels. This situation would never happen. There are three options I can think of, and I'm not sure any of them will work in Check...
  16. Re: how would I take a member of a cluster offline ?

    Are you looking to make the cluster member "Down" or have it completely detached from the cluster?

    sk55081 describes the best method for your Gaia cluster. You can register a problem device on...
  17. Replies
    12
    Views
    3,956

    Re: Nightmare upgrade to R75

    it would be best to start with those error logs :)
  18. Replies
    6
    Views
    2,061

    Re: Site to Site VPN errors : Very very urgent

    the most common issue at phase 2 is an encryption domain mismatch. look at your ike.elg and see what Check Point is advertising for its side. CP often supernets its encryption domain. check Secure...
  19. Replies
    15
    Views
    9,257

    Re: Upgrade from R65 to R75

    if that's the method you want to go, then you'll need to use the upgrade_export or "migrate export" upgrade tool from R75.30 and run it on the R65 box. i would recommend maintaining the same...
  20. Re: Fortigate 110C Site to Site VPN - Only One way connectivity!

    i believe that should work. what error are you getting? is there a reason you have 172.17.42.254 instead of 172.17.42.255 like the others?
  21. Replies
    10
    Views
    12,861

    Re: Site to Site VPN with double NAT

    You'll need both sides of the tunnel to support NAT traversal (NAT-T). It will use UDP 4500 instead of UDP 500 to negotiate IKE.
  22. Replies
    4
    Views
    3,494

    Re: Filtering a range of IP's

    192.168.1.1-254 does not work
    192.168.1.0/24 works
    192.168.1.1-192.168.1.254 works

    Just type it into the "Specific" box and click Add. You don't need to choose from the list.
  23. Replies
    1
    Views
    1,756

    Re: Routing or NAT Problem

    It's kind of difficult to tell from the description, but you may have defined the static NATs backwards. The object's main IP should be the actual IP on the mail server (10.243.20.105). Then you...
  24. Replies
    50
    Views
    18,343

    Re: Check Point R77

    I'm not wild about Check Point hosting updated ISOs. Imagine you build a cluster on build 230. Three months later, you have a hardware failure and have to rebuild one of the cluster members. If...
  25. Re: Endpoint Connect client disconnects every 20 seconds after connecting successfull

    This is often a routing issue. Ensure your Office Mode pool is being routed out the external interface. I wouldn't test from inside your network if you are doing so.
  26. Replies
    5
    Views
    16,164

    Re: Ping not working via Checkpoint

    Look at your implied rules in the Global properties of your policy.
  27. Re: VTIs with non checkpoint endpoints (inc sonicwall)

    it doesn't matter what vendor the remote peer is using. IKE and IPSEC are open standards which check point complies with for the most part

    i would suggest configuring VTIs in a lab or VM...
  28. Replies
    3
    Views
    3,866

    Re: Speed up fwm logexport

    do you absolutely need the logs in plain text format? i think eliminating that requirement would be your best solution, apart from adding more CPU power and disk speed

    i'd suggest using an OPSEC...
  29. Replies
    2
    Views
    2,026

    Re: Creating VSX Virtual Devices using DBEdit

    this has "unsupported" and "probably a bad idea" written all over it. dbedit doesn't have much dependency checking, so you can create db entries that shouldn't be possible to exist. you can see what...
  30. Replies
    1
    Views
    1,322

    Re: How to check Interface Utilization....

    look at the VSX admin guide. you can use SNMP to monitor physical interfaces in the VS 0 context. in R75.40VS, you can use SNMPv3 to monitor additional per-VS information
  31. Re: VSX-1 Mgmt Interface disconect causes cluster DOWN status

    if you don't want an interface monitored by ClusterXL (which is what VSX is using here), you add it ("Mgmt") to $FWDIR/conf/discntd.if in context 0
  32. Provider-1 Connected Administrators - Modify Refresh Rate?

    R71.10 P-1 MDG Connected Administrators view. It updates once every five minutes. I am looking for a way to modify this to refresh more often. I'm thinking it will have to be a dbedit setting, but...
  33. Replies
    4
    Views
    1,540

    re: Check Point's version of Cisco EasyVPN?

    If you want to use your existing ASAs, you will need to make the changes to both sides every time.
  34. Replies
    11
    Views
    5,595

    Re: Passed Accelerated CCSE R70 156-915.70

    I just took this exam last week and barely passed it. I mainly studied the courseware, and I knew it very well. The rest of my preparation was from work experience and labs. I would have been MUCH...
  35. Replies
    4
    Views
    3,685

    Re: Sic general failure 148

    Have you tried resetting SIC?
    Have you tried fetching from the gateway? fw fetch <ip.of.management.server>
    I would run "top" on the gateway during a policy push to see if cpd is maxing out and...
  36. Replies
    5
    Views
    2,244

    Re: Help VPN Office mode

    This output would be helpful:
    fw monitor -pi +vpn -pO -vpn -e "host(10.12.1.101),accept;" -o fwmonitor_om.cap
    Generate the traffic, end the capture, and attach fwmonitor_om.cap here. We should be...
  37. Replies
    2
    Views
    1,465

    Re: Checkpoint R70.20 to Nortel Contivity

    See pages 72 and 81-84 of this document to get you started:
    http://dl3.checkpoint.com/paid/9d/CP_R70_VPN_AdminGuide.pdf?HashKey=1277292913_e97765ffbd8ead8062c4ff6fb120aa64&xtn=.pdf

    Make sure to...
  38. Replies
    9
    Views
    2,605

    Re: R71 RollBack to R70.20 SmartCenter

    (From the R71 Upgrade documentation)
    To an Earlier Version on SecurePlatform
    To revert to a prior software version (R70 or R6X) on SecurePlatform:
    1. Before upgrading to the newer version, take...
  39. Replies
    7
    Views
    2,401

    Re: Doh! SIC failed after R65 HFA_70 Hotfix

    Did you run "cpd -d" and look at the debug output in $CPDIR/log/cpd.elg?
    This might tell you what is failing. Sometimes I see it complaining about the SIC certificate here and need to renew it.
    ...
  40. Replies
    7
    Views
    2,401

    Re: Doh! SIC failed after R65 HFA_70 Hotfix

    see if cpd is running using either "ps auxww | grep cpd" or "cpwd_admin list"
    if it isn't running, run "cpd -d" and check $CPDIR/log/cpd.elg again
  41. Re: VPN-1_SecureClient_NGX_R60_HFA_02_Supplement_3

    I just came across this thread on a search. To add to hammop1's post, Check Point created sk36691 for this issue.

    In addition to Dell's Connection Manager, Check Point recommends uninstalling...
  42. Thread: CCSE+ R70?

    by isharted
    Replies
    4
    Views
    3,069

    Re: CCSE+ R70?

    Thanks for your input, Robert and Shadow. I agree that the path you described would be best. I have been concentrating on another vendor while waiting for this to get ironed out. However, I will...
  43. Re: contact info in checkpoint regarding certificates

    I don't know how long you have been waiting, but my last cert took almost 2 months to arrive.
  44. Thread: CCSE+ R70?

    by isharted
    Replies
    4
    Views
    3,069

    CCSE+ R70?

    I plan to get a CCSE+ sometime in the near future. However, with a lot of Check Point exams moving to R70, I'm wondering if I should hold off for now.

    I currently have CCSE R65, and I plan to...
  45. Re: Extreme Slowness on VPN Tunnel - Packets drop

    Could there be a load issue on the Edge device (B)?
    Also, are you putting the vpn flags in your fw monitor (-pi +vpn -pO -vpn)?

    On issues like this, I usually start with focus on the Edge device....
  46. Replies
    4
    Views
    7,967

    Re: Streaming Engine: TCP Invalid Checksum

    (If this is on a VLAN interface on Splat)
    If you have access to Secure Knowledge, you will want to check out sk42791 (I don't want to copy the details in case that's against the rules).

    Looks...
  47. Replies
    9
    Views
    2,219

    Re: SD Already Up to Date

    I am having this issue as well. I can't find any documentation on Check Point's site for stopping R62 SD updates.
Results 1 to 47 of 48