CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.


Tim Hall has done it again! He has just released the 2nd edition of "Max Power".
Rather than get into details here, I urge you to check out this announcement post.
It's a massive upgrade, and well worth checking out. -E

 

Search:

Type: Posts; User: Christoph

Search: Search took 0.00 seconds.

  1. Re: General questions concerning "Smartlog" in R80.10

    Ok, default under logs seems to be "log indexing" disabled. Enabled it. Sorry for causing an alarm:)
  2. General questions concerning "Smartlog" in R80.10

    So Smartview Tracker is gone, Smartlog is now the standard log tool, renamed "Logs & Monitor" and SmartLogGui.exe gone as well. All fine.

    The old Smartlog was DB based. The new "Smartlog" looks...
  3. Maximum Mail Size TE/TX Question (internal MTA)

    Hi,
    does anyone know if there is a specific setting to adjust the maximum allowed mail size for the Check Point TED/emaild MTA, running on 127.0.0.1:10025?

    Right now large mails, like i.e. 300mb...
  4. Replies
    16
    Views
    3,642

    Re: Check Point "e-kits"

    I will point my colleague to your post. I just saw the OS release 10.13.1 (whatever this means) and he told me the installation aborts of the alpha client midway.
  5. Replies
    16
    Views
    3,642

    Re: Check Point "e-kits"

    Offtopic: What good does it do when their gateways are a total mess in relation to versions, features, licensing, hardware and lifecylce. These are all over the place.
  6. Replies
    16
    Views
    3,642

    Re: Check Point "e-kits"

    Hi Shay



    I got my e-kit a few days ago and could print (without watermarking?), now I cannot print anymore:(


    Talked to a colleague who will attend a training with me tomorrow. He is...
  7. Replies
    9
    Views
    4,159

    Sticky: Re: Latest CCSA R80 exam information

    Yes it does, but these examples do not happen that often in the document.

    The strange thing is, now the print option vanished (again?) from the capsule client, after restarting it.
  8. Replies
    9
    Views
    4,159

    Sticky: Re: Latest CCSA R80 exam information

    I just got my hands on the capsule protected document and I agree the experience is underwhelming.
    I cannot print (no print button to start with)
    I cannot copy paste. Fortunately there doesn't seem...
  9. Replies
    9
    Views
    4,159

    Sticky: Re: Latest CCSA R80 exam information

    *sigh* this sounds so stupid on so many levels. Linux users (or VM users in general) who have to run Capsule Docs in a Windows VM can still screenshot everything, so why do it in the first place? The...
  10. Replies
    9
    Views
    4,159

    Sticky: Re: Latest CCSA R80 exam information

    Next week i've a scheduled training for CCSE R80.10 and I saw that the course material is delivered as "Check Point e-Kits" via Capsule Docs.
    Has anyone used these and can share their experience...
  11. Routing Gaia question - Network migration

    Hi,
    I have the following situation:

    1. Current deployment:
    [checkpoint gaia]-> [router] -> [destination networks/16]

    The destination network is routed with static routes

    2. Planning...
  12. Replies
    3
    Views
    1,147

    Re: R77.30 take 216 GAIA backup

    We had this problem with scp backup all the time after various upgrades.
    "Solution" here, delete the backup and recreate it on the command line. UI based configuration was hit and miss.
    Pathwise...
  13. Replies
    2
    Views
    6,322

    Delete specific logfile entries

    Hello,
    I have a deployment with some gateways that log to their management where logs get stored for x months. A new gateway on a remote site brings a regulatory requirement to keep logfiles back...
  14. Replies
    7
    Views
    1,739

    Re: R80 in production environment

    Just two things from my limited experience.
    1. R80 management is nice. Things you always wanted to do just work, even if it's a simple copy paste here and there - it's possible.
    2. Invalid input...
  15. Re: Installing both Gateway and mgmt server on same platform

    Imho if the need arises to go from a standalone to a distributed environment you wish you would have gone distributed in the first place.
    Then if you have problems with the management you're at the...
  16. Re: In which scenarion antispoofing come into the picture

    Not sure what you're aiming for, but if you have a network behind a locally connected network you may need to define this network in you antispoofing topology for antispoofing to work.
    This usually...
  17. Replies
    2
    Views
    1,167

    Re: setting up a sandblast lab on vm

    I think the main problem would be to get the Sandblast VM installer. AFAIK Check Point doesn't hand them out so easily.*
    Other than that it's no problem to run the VM in i.e. VMware workstation or...
  18. Replies
    11
    Views
    5,727

    Re: SmartLog via CLI

    Looked a bit further into it. You can gather all the relevant information in XML form from the smartlog database via i.e. curl.
    Default offset is a start at line 1 from your request with an end of...
  19. Replies
    6
    Views
    2,576

    Re: CLI script for pushing FW policies

    Cannot remember a way about pushing, but maybe a ssh triggered 'fw fetch <mgmtsrv>' on the gw will be a starting point?
  20. Replies
    11
    Views
    5,727

    Re: SmartLog via CLI

    The cookie was in the first http request when the initial or any subsequent request by smartlog. Not sure when the cookie was set and how persistent it is.

    tcpdump -nnvXSs 0 -i any port 18242 -w...
  21. Replies
    11
    Views
    5,727

    Re: SmartLog via CLI

    Thank you. I took a quick look:

    # curl_cli -b "CPToken=XYZ123XYZ123XYZ123DUMMY"...
  22. Replies
    11
    Views
    5,727

    Re: SmartLog via CLI

    Necro an old thread.
    Has there ever been a solution to this problem?
  23. Replies
    11
    Views
    4,630

    Re: Threat Emulation Hold Scanning

    Imho there are three options available.

    1. As Sebastan mentioned TX. This is almost instant, the user gets a link to download his file and if scanning hasn't finished the file is not available....
  24. Replies
    14
    Views
    3,655

    Re: igb 0000:04:00.0: Detected Tx Unit Hang

    Why not update to R77.30? Though the Intel PT (both e1000 and igb) are on the HWCL, support for R75.4x should have ended.
    Was this issue always present or is this a new phenomena after i.e. adding...
  25. Re: Configure 1000NW as a WAP (not sub-netted) from an SG620

    Hi,
    the bridge feature on safe@is not transparent. This device is not a switch and dhcp discovery will fail, as the broadcast packets will be dropped between ports. To make this work you still have...
  26. Replies
    9
    Views
    2,760

    Re: Securing CCP - DDoS?

    Correct me if I'm wrong. CCP is running on all interfaces. Recommendation is to isolate the sync. Recommendation is to not have two clusters on the same switch/vlan.
    Most common deployments I have...
  27. Replies
    9
    Views
    2,760

    Securing CCP - DDoS?

    Hi,
    is there a preferred way to secure CCP against (rogue) clusters?

    Almost all the networks I have seen have the Check Point Cluster with the Cluster IP in the corresponding production network....
  28. Replies
    7
    Views
    1,423

    Re: white-list outgoing traffic

    It probably doesn't show up until first utilized. You can access unused objects if you right click anything but an object/folder in the object panel on the left hand side, i.e. the title "Network...
  29. Re: How to configure client authentication using radius.

    What kind of radius?
    For freeradius it's something like this:

    freeradius:

    client.conf
    client xxx.xxx.xxx.xxx*{
    secret = your_shared_secret
    shortname = hostname
    ...
  30. Re: Facing issue when "calculate topology based on routing" is enabled.

    Better yet, use a group with exclusions.
  31. Replies
    3
    Views
    13,572

    Re: Checkpoint interface MAC address

    It does and I'm wondering why CP is using a globally unique identifier another company paid for and not using locally administered addresses or better yet their own allocation. Afaik you're not...
  32. Re: Completly disable any kind of SIP inspection

    Unfortunately no. I had to do this already to get rid of the early NAT related to sip.
  33. Completly disable any kind of SIP inspection

    Hello,
    has anyone more luck than me in disabling SIP packet tampering/dropping by Check Point? I just want to pass udp/5060 through the firewall.
    First I was faced with early NAT problems. So I...
  34. Replies
    0
    Views
    785

    NAT of internal device on a CP Edge

    Hello,
    I've got a remote site that is housing some servers. One server has to be temporarily relocated to another site.
    The idea is to statically NAT the IP of the server on the internal Network to...
  35. Replies
    23
    Views
    11,658

    Check Point R75.40

    R75.40 aka Gaia is now officially released and available in the usercenter. sk67581
  36. Re: [Help] VPN client cannot ping or access any host in Lan

    Your best bet would be to check the tracker to see what happens. My first guess would be that anti-spoofing is dropping the packets. This would show in the tracker.
  37. Replies
    3
    Views
    2,365

    Re: Mobile VPN Client for Apple "iOS"

    Hi, can you confirm my information, that this hotfix will at first only be available for R75.20 and R71.40 but not R75.30?

    Cheers
    Christoph
  38. Replies
    3
    Views
    2,365

    Mobile VPN Client for Apple "iOS"

    Hi,
    this morning I saw that the Check Point Mobile VPN Client 1.92 was released on the Appstore. Unfortunatly this client doesn't work against a r75.30 setup (The site does not support this client...
  39. Re: How to block IPv6 traffic through the firewall?

    Hi,
    i guess your CP firewall isn't configured for ipv6. If it is however it would route the ipv6 traffic and you could block the traffic with a rule at the gateway, otherwise the ipv6 traffic will...
  40. Replies
    11
    Views
    3,060

    Re: R65.4 to R70/R71 - how to upgrade?

    From the top of my head. R64.5 cluster with management HA on the gateways, so no Provider-1.
    It did work. If you need further information, you can PM me, though I have to talk to a college, who did...
  41. Replies
    0
    Views
    1,478

    IPS exclusions versus inclusions

    Hello,
    out of a large number of networks on a firewall module, I want to apply the IPS only to a handful of networks. Is it correct that this is only possible, by putting the large amount of...
  42. Replies
    11
    Views
    3,060

    Re: R65.4 to R70/R71 - how to upgrade?

    From the top of my head.
    There is a hotfix (open case with CP) for this problem.

    1. Install hotfix
    2. Perform update R65.4 -> R70.10
    3. Move/Replace some files
    4. Done
  43. Re: splat ipv6pack r71.30 policy installation issue

    I think the ipv6 objects show up the moment the ipv6 license is installed.
  44. Re: splat ipv6pack r71.30 policy installation issue

    I haven't tried 71.30 as the management for 70.10 gateways with ipv6 yet, but you should only install the ipv6 pack on gateways with 70.10 or below.
    For the management server, there are hotfixes...
  45. Replies
    1
    Views
    1,533

    Antivirus Performance

    Hello,
    I'm curious about the antivirus feature of the CP firewalls and the performance implications that might arise by enabling this blade.
    I mostly heard that the performance dropped considerably...
  46. Re: VPN into Internal Network (Routing 101 - I feel like an idiot!)

    Hi,
    as HartmutB wrote, you can fix this with a complete revamp of your routing, but if i.e you add another network behind the 10.0.4.0/22 or 10.0.8.0/22 you have the same problem you had before.
    ...
  47. Replies
    10
    Views
    5,852

    Re: Real CCSA R71 Questions

    "You are required to close all Check Point clients before the Export operation begins.
    If the export fails, stop Check Point services and run the upgrade_export command again.
    Press ENTER when...
  48. Re: Geo Protection...R71.30...Unable to find North Korea?

    Not knowing the solution for this issue, NK should be easy to implement manually for the moment.

    # Country: KOREA, DEMOCRATIC PEOPLE'S REPUBLIC OF
    # ISO Code: KP
    # Total Networks: 1
    # Total...
  49. Replies
    4
    Views
    2,014

    Re: One Member is always Active

    Just a wild guess, as it happend recently to me. On a new R71.30, upgraded from R65 i had a licensing issue, so that one member was 'ready' while the other was 'active'. This is a non working HA...
  50. Re: v6 installed on R71.10 splat cant ping virtual int

    This limitation is also present in the ipv6 pack. The latest version supported atm is R70.10. This is a real gamebreaker in a setup with other devices, that rely on icmp for state detection, i.e....
  51. Replies
    6
    Views
    2,809

    Re: ipv6 standalone configuration on cluster

    Aye, the configuration would be the "same" on both members, except obviously the ipv6 addressing configuration.
    Do you know whether the ipv6pack has been incorporated into r75?
  52. Replies
    6
    Views
    2,809

    ipv6 standalone configuration on cluster

    Hello,
    has anyone tried to use ipv6 on a cluster without the ipv6pack?
    As I'm running 71.30 on an ipv4 cluster i can't use the ipv6pack on the gateway, so I was thinking that it may work to just...
  53. Replies
    15
    Views
    7,863

    Re: State of ipv6 in Check Point products

    Until now i was only working with ipv6 and Check Point in clustered environments, so i went for the ipv6-pack.

    Now i saw, that ipv6 on R71.1 and even older versions was already included, but seems...
  54. Replies
    26
    Views
    6,679

    Re: Need help with Nokia Clustering

    Out of curiosity, where did you run the tcpdump? You see broadcast traffic from 01,02,03 on the sync interface of 04, but no broadcasts from 04?
  55. Replies
    15
    Views
    7,863

    Re: State of ipv6 in Check Point products

    I see it this way, ipv6 on the ISP side is quite established with imho a tremendous growth. On the client side at our company (Germany), ipv6 projects are starting, even if it's only that a small...
  56. Re: Smartdashboard R70 crashes when loading Smartmap

    From the knowledgebase:



    Tried it some months ago, works.

    Edit: Sorry noticed just now, that the forum is sorted newest to last:(
  57. Replies
    15
    Views
    7,863

    State of ipv6 in Check Point products

    Hello,
    i try to gather some information about the current but also future state of ipv6 in the Check Point product portfolio.

    Having some hands on experience with ipv6 in a clustered enviroment...
Results 1 to 57 of 58