CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.


Tim Hall has done it again! He has just released the 2nd edition of "Max Power".
Rather than get into details here, I urge you to check out this announcement post.
It's a massive upgrade, and well worth checking out. -E


Type: Posts; User: abusharif


  1. Re: Checkpoint Enterprise Software Support Timeline

    Yes, the 7730 extension has occurred only once, as you describe. This was due to pressure on Check Point by "big customers". I don't work for CP so no inside info here, but I know that's the reason from...
  2. Re: Checkpoint Enterprise Software Support Timeline

    If the "SHA-256" thing back in the day is any compass, it will be extended at least a couple more times ;-)
  3. Re: R77.30 Dynamic NAT port allocation feature

    Install it via CPUSE, which is the preferred way of doing things.
    Instructions are outlined in:...
  4. Re: Inconsistency switching between VSX contexts

    While you are on this topic, one thing that annoys me is custom RBA roles with, for example, RADIUS users.

    add rba role MyRadiusRole virtual-system-access all

    Will give access to all virtual...
  5. Replies
    6
    Views
    2,895

    Re: Problem with Packet Loss

    That's a lot of active blades for a 4400; as Shadowpeak says, you have memory issues, no doubt about that.
  6. Replies
    20
    Views
    4,626

    Re: 80.10 problems on ESXi 6.5

    Yes sir!
  7. Replies
    9
    Views
    2,985

    Re: Check Point Gaia OS Privilege Escalation

    Cool cyber ninja t-shirt ;)
  8. Replies
    20
    Views
    4,626

    Re: 80.10 problems on ESXi 6.5

    Thanks Zimmie,

    Correct, I wasn't able to find it in the WebUI!
    I've changed it now in the VMX file:
    virtualHW.version = "10"
  9. Replies
    20
    Views
    4,626

    Re: 80.10 problems on ESXi 6.5

    I am not able to reach my ESX at the moment, but is it possible to "downgrade" the compatibility mode/version of the VM (6>5) on the fly without needing to re-install?
  10. Replies
    20
    Views
    4,626

    Re: 80.10 problems on ESXi 6.5

    I have that issue as well, but as the only downside, afaik, is a tad slower boot-up sequence, I never bothered trying to fix it.
    Thanks for the tip!
  11. Re: steps to upgrade 61k from 76 to any latest version ? is it same like other hardwa

    What version are you running now? Vanilla R76SP?
    The upgrade procedure was somewhat modified since the initial release of R76SP.
    The only time I had minor problems with an upgrade was from vanilla R76SP (using...
  12. Replies
    12
    Views
    2,663

    Re: SQLNET and NAT

    I have no experience with SQLNET, but found this article.
    I guess(!) the sqlnet2 CP predefined service should be used for redirected sessions (rewritten src/nat/port)?

    ...
  13. Re: Upgraded both sides of my link to FIOS gigabit. Pretty disappointing 680 results

    Nothing new under the sun. Lab numbers you can easily divide by 3 to get somewhere near what appliances can perform.
    As long as one comes to terms with that, you will keep your sanity ;-)

    Real...
  14. Re: Checkpoint to Fortigate IPSEC tunnel (SPIs being deleted)

    Indeed it is, but in this specific case, for retaining SPIs, the procedure is the same all the way up to and including R80.10, so it should be fine :p
  15. Re: Checkpoint to Fortigate IPSEC tunnel (SPIs being deleted)

    Try this one:
    downloads.checkpoint.com/dc/download.htm?ID=7853
  16. Re: Checkpoint to Fortigate IPSEC tunnel (SPIs being deleted)

    These are used when you have a 3rd party that is not respecting the handling of SAs requested by the other side (if, for example, one side said delete SA and the other one just ignores it).
    I've seen this...
  17. Re: Checkpoint to Fortigate IPSEC tunnel (SPIs being deleted)

    Not sure if this is a critical problem for you at this point, but if you are under pressure to get it working you could try the following:

    Global Properties > SmartDashboard Customization > Configure...
  18. Replies
    5
    Views
    813

    Re: AWS IPSec VPNs not working

    Glad to hear :)
  19. Re: Third free "Max Power" Addendum with R80.10 Tips/Tricks Now Available!

    Excellent, will try it out, thanks :)
  20. Replies
    5
    Views
    813

    Re: AWS IPSec VPNs not working

    So probably in this case this is due to both AWS and the Melbourne unit being managed from the same SmartCenter = it wants to perform a CRL check, which it will do from the SmartCenter IP/object.
    I assume...
  21. Re: Third free "Max Power" Addendum with R80.10 Tips/Tricks Now Available!

    Thanks for the elaborate answer, much appreciated!

    Any way to force the "sim vpn off" workaround to survive a reboot?
    SHA384 isn't viable in my specific scenario (due to limitations of supported "cipher...
  22. Replies
    5
    Views
    813

    Re: AWS IPSec VPNs not working

    Hi

    What exactly is the error message?

    I've deployed several VPN tunnels in similar manner and it worked fine, never had any certificate related error messages.

    Anything blocking incoming...
  23. Re: Third free "Max Power" Addendum with R80.10 Tips/Tricks Now Available!

    Hi Shadowpeak,

    Did you explore any deeper into multicore IPsec?

    I've experienced and found out the following:

    With SecureXL, decrypt/encrypt will be done by the SXL instance. Once traffic is...
  24. Re: procedure for immediately terminating a user

    If you have SmartView Monitor, you can terminate the connection for the user through the GUI.
    There is also the client portion of the 'vpn tu' command/menu, which can reset IKE/IPsec.
  25. Replies
    4
    Views
    1,007

    Re: This is a test

    :D
  26. Thread: 1400 Series

    by abusharif
    Replies
    3
    Views
    1,337

    Re: 1400 Series

    1100 supports HA afaik, also described in the admin guide. Is it some specific clustering feature that makes you say it doesn't?
  27. Re: can't perform mds_restore in a DEV environment from a mds_backup of a Production

    IIRC they didn't have any file ending. It was upgrade scripts (bash) from early R76SP as well as TCL.
    One of the funniest occurrences was when we had an upgrade fail with the snapshot image and the TCL...
  28. Re: can't perform mds_restore in a DEV environment from a mds_backup of a Production

    Someone has been lazy writing that (yet another) shell script. I've seen some shell scripts in the early days of the 61000 that would make baby Jesus cry.
  29. Replies
    5
    Views
    1,226

    Re: How to emergency shut down a specific VPN

    Just remove that peer from the community and push policy.
    Or route the VPN peer's IP somewhere into a dark, dark place (unless managed by your SmartCenter, of course).

    Why do it the nice way that Shadowpeak...
  30. Replies
    5
    Views
    5,174

    Re: Exporting Objects from Management Server

    Ah, great, didn't know that. Thanks!
  31. Replies
    5
    Views
    5,174

    Re: Exporting Objects from Management Server

    Check Point's web visualization tool can do HTML and CSV as well.

    edit: You didn't say which version you are running, but R80 can export from the dashboard directly to CSV as well.
  32. Re: Is it possible to filter firewall ip by subnet

    I am not aware of any additional fancy search filter in Tracker beyond that :(
    If you haven't tried it yet, I would recommend giving SmartLog a try instead. It's much, much more flexible when it comes...
  33. Re: How Do I Find Out The Virtual IP Of the ClusterXL firewall?

    Well yes, that's one of the cluster VIPs. I assume you have more than one clustered interface though :-)
  34. Re: Is it possible to filter firewall ip by subnet

    You can.
    First, which tool are you using? With SmartLog you can enter something like src=192.168.1.0/24 or src=192.168.1.*
    In SmartView Tracker you can use 192.168.1.*
    etc. etc.
  35. Re: How Do I Find Out The Virtual IP Of the ClusterXL firewall?

    In SmartDashboard/Console, double-click the Cluster object, go to Topology -> Edit and you will be able to see both the physical interface addresses and the Cluster VIPs.
    Or as I wrote,...
  36. Re: How Do I Find Out The Virtual IP Of the ClusterXL firewall?

    CLI alternative: 'cphaprob -a if'
  37. Replies
    10
    Views
    2,387

    Re: What's the point of providing SK feedback?

    Weird response; I assume the person that handled it cannot confirm on their own whether it should be changed or not.
    I've used the feedback option 6-7 times and was never asked to create an SR, but it was more...
  38. Re: Export SmartDashboard objects to a text file

    As above, the one in $FWDIR/conf.

    Glad the converter seems to work for you :)
  39. Re: Export SmartDashboard objects to a text file

    I guess you already looked at this one: https://www.fortinet.com/products/next-generation-firewall/forticonverter.html
  40. Re: Export SmartDashboard objects to a text file

    Which vendor are you switching to? Maybe that vendor has some conversion scripts.
    I've used confiz a lot, but the other way around, migrating from Juniper to Check Point, and it worked....fairly well...
  41. Re: Export SmartDashboard objects to a text file

    For the objects, you should be able to right-click the group in question inside the dashboard and export it (don't remember the file format).
    From that file you should be able to script/pull out...
  42. Re: Detecting eicar virus test file with R80.10

    Are you sure that the file downloaded via wget is not UserCheck HTML code?

    Do "cat" on the file and check the contents.
  43. Replies
    4
    Views
    2,322

    Barry Stiefel - RIP

    Just saw the LinkedIn post by Moti Sagey that Barry passed away.
    Sad news and I am sure he will be remembered, especially by this community as the founder of it.
    May he rest in peace
  44. Backup procedures.....so sick of the "hacks"

    I am seriously fed up with Check Point's inability to fix something as simple as taking a backup on the units.
    Year after year, decade after decade, it's still lacking big time.
    Not to mention like 10...
  45. Replies
    4
    Views
    2,469

    Re: 5500 Appliance LOM not working

    Silly question perhaps, but LOM is optional on most 5000-series appliances. Was the appliance ordered with the optional LOM card? (afaik the physical port is there even on units without it)
  46. Replies
    17
    Views
    3,315

    Re: R80.10 release on the way?

    That sounds great! :)
    A friend of mine was there and apparently he met you.........well, he said you scanned his QR code, which I guess in today's society means friends for life ;)
  47. Replies
    17
    Views
    3,315

    Re: R80.10 release on the way?

    Hmm, neon lights and all....you sure it's the conference center you're at? :)

    Kidding aside, too bad I had to skip CPX this year; it would be nice to finally meet Phoneboy and Eric. (met Valeri in...
  48. Replies
    26
    Views
    4,019

    Re: Policy push speed is unchanged

    Adding/deleting services should be covered by the verification process. If you think about adding overlapping services, verification would normally complain about "Match for any" etc.
    So that should be...
  49. Re: Unable to activate threat emulation on 4600 appliances

    What does the following command say?

    'tecli show statistics' (last part, "Last Sharing Succeeded")

    Otherwise check sk83520, which covers the different Check Point URLs, among others Threat...
  50. Re: push policy to gateway even when checkpoint policy verification fails

    Thanks was starting to doubt myself :)
  51. Re: push policy to gateway even when checkpoint policy verification fails

    I *think* I read somewhere about a way to disable verification, (maybe by Shadowpeak) but can't remember where.....and my googling skills have let me down for past 15 minutes.

    offtopic
    Regarding...
  52. Replies
    4
    Views
    7,578

    Re: Configuration of a remote cluster

    No problems :) Lot of helpful people in the community, but I doubt many are Italian speaking :(
  53. Replies
    4
    Views
    7,578

    Re: Configuration of a remote cluster

    I don't speak Italian, but I'll try to answer with some help from Google Translate.

    1. You are correct, configure the cluster nodes (gateways) with IP routing etc.
    Make sure you have set...
  54. Replies
    5
    Views
    1,032

    Re: Moving from Smart-1 appliance to Virutal

    Go with upgrade_export
  55. Thread: R80 zones

    by abusharif
    Replies
    12
    Views
    4,429

    Re: R80 zones

    Ah, that's a shame, but hey, compared to previous versions, what they have done up till now is a huge step in the right direction :)

    Thanks for confirming this :)

    ps. Also, if I recall correctly,...
  56. Thread: R80 zones

    by abusharif
    Replies
    12
    Views
    4,429

    Re: R80 zones

    I am still on EA from December/Jan, in that one it wasn't possible to use zones in NAT policy. Is that still the case in the newer builds?
  57. Replies
    3
    Views
    1,922

    Re: Change VSX GW Change IP address

    Are you trying to change the VSX gateway's management IP?
    If so, follow the procedure in sk92425, "How to change the Management IP addresses assigned to VSX cluster and VSX cluster members in Gaia...
  58. Re: VSX on 41/61K chassis, some reading materials

    Are you running a version that supports virtual switches? IIRC R76SP.10 or later.
    How is your licensing? A VSW won't consume a VS license, but maybe it causes an issue with creation of additional VS* besides...
  59. Re: checkpoint VMAC address difference between R75.47 and R77.30

    Hi, can you check and share the contents of the $FW_BOOT_DIR/ha_boot.conf file?
  60. Re: checkpoint VMAC address difference between R75.47 and R77.30

    Yep, that is correct, more info in sk25977
  61. Replies
    8
    Views
    2,536

    Re: Per-flow throughput limitations?

    Obviously distribution of load would be horrible in the scenario of a single session host to host. You need meshed traffic to reach those impressive numbers and achieve spread.
    But, as this is what you...
  62. Replies
    6
    Views
    3,434

    Re: New R80 publication on the way...

    Looking forward to it!
  63. Replies
    7
    Views
    1,999

    Re: No HA Licensed Appliance > 5900

    Officially, 13k appliances never supported -HA either (based on the quote tool / price list, such SKUs simply do not exist visibly for the customer or when ordering).
    If you ordered 2 standalone 13k...
  64. Replies
    7
    Views
    1,999

    Re: No HA Licensed Appliance > 5900

    Just to be a PITA: yes, generally it's like that and has been so for many years; however SOME appliance bundles (VSX) still have the -HA SKUs for appliances AND blades for these (in my case 13xxx...
  65. Replies
    8
    Views
    1,988

    Re: Selling a used 12600 appliance

    As Valeri mentioned, I don't think there is a market for this.
    After 17 years more or less with Check Point and 100s of customers, I've never come across someone using or asking for a used unit to have in...
  66. Replies
    16
    Views
    2,814

    Re: add new/replacement cluster member

    Is IP forwarding active (since you unloaded the policy)?

    Perform:
    cat /proc/sys/net/ipv4/ip_forward

    If it says 0, do:
    echo 1 > /proc/sys/net/ipv4/ip_forward
  67. Re: Error: Deployment Agent update is in progress

    IIRC the log file in older versions of the agent should be in $DADIR/bin and was called Da.out or something like that.
    But yeah, try the manual upgrade with the RPM as described in the knowledge base; never seen...
  68. Replies
    3
    Views
    11,339

    Re: Host Header Redirection

    It has been more than 15 years since I touched URI resources in CP, but yes, it could be done IIRC. But it's a bad, bad legacy feature, so just don't go that way and listen to the gentlemen that...
  69. Re: Error: Deployment Agent update is in progress

    Sometimes it will get stuck...
    I've seen many reasons for this...too many to remember. You can check the size of the deployment agent log file...if it's at 2 GB, stop the DA service, remove it, start...
  70. Replies
    38
    Views
    5,070

    Re: CPU, CPU, CPU, the mistery of the CPU

    He probably meant "fw ctl pstat" or "fw stat"
  71. Re: can we get host details configured in group

    Right-click the group in question and choose Export.
    Save the file somewhere (it's a text file).
    From there you can use whatever tool you feel comfortable with to filter out the IPs.
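The "filter out the IPs" step from the reply above (and the earlier "Export SmartDashboard objects to a text file" reply, which describes the same export-then-script approach), as an added example that is not part of either post and not Check Point's own tooling. The export file format is not shown on the page, so the embedded sample is constructed and its layout is an assumption; the extraction only relies on IPv4 literals appearing somewhere in the text and validates each one with the standard library rather than trusting the regex.

```python
import ipaddress
import re

# Constructed sample of an exported group file. The real export format is not shown
# on the page, so this layout is an assumption: one object per line, name plus address.
SAMPLE_EXPORT = """\
Group: DMZ_Servers
  host  web01      10.0.0.5
  host  web01-alt  10.0.0.5
  net   dmz_net    192.168.10.0/24
  host  broken     999.1.1.1
  host  bastion    172.16.4.7
  range dyn_pool   10.0.50.10-10.0.50.20
"""

# IPv4 literal with optional prefix length. The lookarounds stop us matching the
# middle of a longer dotted string; validity is checked with ipaddress, not the regex.
ADDR_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?:/(\d{1,2}))?(?![\d.])")


def extract_networks(text):
    """Return the unique, sorted IPv4 networks found in free text (hosts become /32)."""
    found = set()
    for addr, prefix in ADDR_RE.findall(text):
        try:
            found.add(ipaddress.ip_network(f"{addr}/{prefix or 32}", strict=False))
        except ValueError:
            continue  # e.g. 999.1.1.1 looks like an address but is not one
    return sorted(found)


def within(networks, subnet):
    """Keep only the networks fully contained in `subnet` (string or IPv4Network)."""
    subnet = ipaddress.ip_network(subnet)
    return [n for n in networks if n.subnet_of(subnet)]


def as_strings(networks):
    """Hosts as plain addresses, networks in CIDR form; handy for diffing against other tools."""
    return [str(n.network_address) if n.prefixlen == 32 else str(n) for n in networks]


if __name__ == "__main__":
    # With a real export: extract_networks(open("DMZ_Servers.txt").read())
    nets = extract_networks(SAMPLE_EXPORT)
    print("all:", as_strings(nets))
    print("in 10/8:", as_strings(within(nets, "10.0.0.0/8")))
```

Duplicates collapse because the set holds network objects rather than strings, and a range line contributes its two endpoints as /32 hosts; if the real export writes ranges differently, only the regex needs adjusting.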
  72. Replies
    8
    Views
    3,230

    Re: R77.30 latest jumbo hotfix not available

    It wouldn't be the first time they are somewhat delayed.

    If you need it right now, use the following identifier: Check_Point_R77_30_JUMBO_HF_1_Bundle_T178_FULL.tgz
  73. Replies
    7
    Views
    1,919

    Re: R80 in production environment

    They do have a 16-core license, SKU CPSG-P1607.

    Regarding R80.10 (gateway side), there is an EA for it right now. Check Point's "requirement/wish" during EA is that it's deployed in a production environment. ...
  74. Replies
    8
    Views
    2,480

    Re: IPSEC Certificate on the Gateway Expired

    nice one :)
  75. Replies
    8
    Views
    2,480

    Re: IPSEC Certificate on the Gateway Expired

    Indeed, but it's kind of unreliable as monitoring if you have gateways with a perhaps somewhat static rulebase (where you don't push policy often).

    Since you mentioned it, maybe the same warning message...
  76. Replies
    8
    Views
    2,480

    Re: IPSEC Certificate on the Gateway Expired

    I am not 100% sure, but I don't think such an alert/monitoring function exists in CP.
    However, a simple bash script parsing the output of the above command and sending you an e-mail should be fairly...
  77. Replies
    8
    Views
    2,480

    Re: IPSEC Certificate on the Gateway Expired

    You can check it out via the command line cpca lscert command (or something similar) or by activating the web-based ICA management tool.
    More info: sk39915
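The monitoring script the two replies above sketch (list the ICA's certificates, parse the output, warn before an IKE certificate expires), as an added example that is neither from the posts nor from Check Point. It assumes the command is `cpca_client lscert` and that its output has the Subject / Status / Not_Before...Not_After block layout shown in the embedded sample, which is constructed; on a real management server you would feed it the command's output instead of the sample text. Anything with a Status other than Valid is ignored, so a revoked certificate that was re-issued does not produce a false alarm.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the shape of `cpca_client lscert` output (format assumed,
# not copied from a real server): two valid IKE certificates and one revoked one.
SAMPLE_LSCERT = """\
Operation succeeded. 3 certificate(s) found.

Subject = CN=fw1 VPN Certificate,O=mgmt.example.com.x9u7r4
Status = Valid   Kind = IKE   Serial = 14623   DP = 0
Not_Before: Sat Jun 10 10:12:21 2017   Not_After: Sat Jun  9 10:12:21 2018

Subject = CN=fw2 VPN Certificate,O=mgmt.example.com.x9u7r4
Status = Valid   Kind = IKE   Serial = 14701   DP = 0
Not_Before: Wed Dec 20 08:00:00 2017   Not_After: Thu Dec 20 08:00:00 2018

Subject = CN=fw1 VPN Certificate,O=mgmt.example.com.x9u7r4
Status = Revoked   Kind = IKE   Serial = 13002   DP = 0
Not_Before: Thu Jun  8 09:00:00 2017   Not_After: Fri Jun  8 09:00:00 2018
"""

# Fixed "now" so the sample gives a stable result; a cron job would use datetime.now().
SAMPLE_NOW = datetime(2018, 6, 1)

STATUS_RE = re.compile(r"Status = (\S+)\s+Kind = (\S+)\s+Serial = (\S+)")
DATES_RE = re.compile(r"Not_Before:\s+(.+?)\s+Not_After:\s+(.+?)\s*$")
DATE_FMT = "%a %b %d %H:%M:%S %Y"


def _parse_date(text):
    # Collapse the double space before single-digit days ("Jun  9") before strptime.
    return datetime.strptime(" ".join(text.split()), DATE_FMT)


def parse_lscert(output):
    """Turn lscert text into a list of dicts, one per certificate block."""
    certs, current = [], None
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith("Subject = "):
            current = {"subject": line[len("Subject = "):]}
            continue
        if current is None:
            continue
        m = STATUS_RE.match(line)
        if m:
            current["status"], current["kind"], current["serial"] = m.groups()
            continue
        m = DATES_RE.match(line)
        if m:
            current["not_before"] = _parse_date(m.group(1))
            current["not_after"] = _parse_date(m.group(2))
            certs.append(current)
            current = None
    return certs


def expiring_within(certs, days, now, kind="IKE"):
    """Valid certificates of the given kind whose Not_After falls within `days` of `now`."""
    deadline = now + timedelta(days=days)
    return [c for c in certs
            if c["status"] == "Valid" and c["kind"] == kind and c["not_after"] <= deadline]


def report(output, days=30, now=None):
    """One line per soon-to-expire certificate; this is the text a cron job would mail out."""
    now = now or datetime.now()
    return [f"{c['subject']} (serial {c['serial']}) expires in "
            f"{(c['not_after'] - now).days} days on {c['not_after']:%Y-%m-%d}"
            for c in expiring_within(parse_lscert(output), days, now)]


if __name__ == "__main__":
    # Real use: report(subprocess.check_output(["cpca_client", "lscert"]).decode())
    for line in report(SAMPLE_LSCERT, now=SAMPLE_NOW):
        print(line)
```

Run from cron on the management server and pipe the non-empty output to `mail`; a warning window of 30 days leaves time to renew the gateway certificate from SmartDashboard before the tunnels start failing.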
  78. Replies
    4
    Views
    1,674

    Re: Quick Question

    Could be, yes. There is a setting for that IIRC that gives you the possibility of choosing which interfaces "management" is allowed via, as well as IP addresses and/or subnets.
  79. Re: Management Server Redudancy between Appliance and Virtual/Open Server

    sk39345 will give you the answer.
    In short, it is not supported.
  80. Re: Hide vs static NAT with a pool of IP addresses

    Yeah, it's a tricky one as you have a limited amount of ports to play with and a different number of instances in each scenario (installation), so it's hard to give a spot-on recommendation as to what values...
  81. Re: Hide vs static NAT with a pool of IP addresses

    It can be problematic in traffic-intensive scenarios. As cciesec mentioned, it depends a bit on SecureXL and the number of CoreXL instances, as the pre-defined number of ports is split across the instances.
    ...
  82. Re: Cron Job to automate deletion of /var/log files

    Second that....I use it for regular log files as well ($FWDIR/log)...it takes care of itself :)
  83. Replies
    1
    Views
    1,657

    Re: Migrate Fortinet to Check Point

    From a cost perspective I would say check out Check Point's life cycle management service.
    Fixed price for policy conversion, which is very cheap compared to the time you need to put in to do it yourself.
    A...
  84. Re: Permanent tunnel showing down in SmartView Monitor, but tunnel is working?

    Any of the permanent tunnel limitations that apply to your setup (77.20 for 1100)?

    Check sk105380
  85. Replies
    3
    Views
    2,060

    Re: console putty session to Check Point 620

    115200 8N1
  86. Replies
    6
    Views
    2,205

    Re: 1470 and 1490?

    Got only cpuinfo from the 1470:

    processor : 0
    model name : ARMv7 Processor rev 4 (v7l)
    Speed : 1.7GHz
    Features : swp half thumb fastmult vfp edsp neon vfpv3 tls vfpv4...
  87. Thread: 41k admin

    by abusharif
    Replies
    2
    Views
    1,584

    Re: 41k admin

    1. Just a "shell" where "all" commands entered through it will be distributed across your chassis (plural). By this I mean all the SGMs.
    2. Not sure what you mean by "close"?
    3. Yes, there is expert...
  88. Replies
    12
    Views
    4,227

    Re: Hide NAT causes 100% CPU and slow Bandwidth

    Uhm, what? My point was about the amount of accelerated traffic vs non-accelerated. So medium path and F2F would benefit from more CoreXL instances, while accelerated traffic would benefit from SNDs/SXL.
    ...
  89. Replies
    12
    Views
    4,227

    Re: Hide NAT causes 100% CPU and slow Bandwidth

    Phoneboy is right; however, in my own tests with a 2200 (which has the same CPU as the 4200), I still benefit from CoreXL since 99% of my traffic is not in the fast path, and I get lower throughput with CoreXL...
  90. Replies
    3
    Views
    3,092

    Re: Check Point Packet Injector

    Nice one, could help a lot when preparing policies!
  91. Replies
    11
    Views
    3,017

    Re: New spikefish blog post!

    haha....I guess "my firewall just went tits up" is a legit phrase now!
  92. Replies
    10
    Views
    2,740

    Re: Licensing CLM (old name)

    That's my understanding as well.

    I just uploaded the image of how it looks in my MLOGS container. DMNLOGS at the bottom was the one I added.
  93. Replies
    10
    Views
    2,740

    Re: Licensing CLM (old name)

    Ok, maybe a misunderstanding here :p
    That's what I tried to say: I used DMN-LOGS to create a Domain Log Server (CLM......CLM as in the CMA's logging counterpart) and that I doubt you can use DMN-LOGS for...
  94. Replies
    10
    Views
    2,740

    Re: Licensing CLM (old name)

    R77.30

    In my case this was, as you say, to add another CLM in an already existing MDL.
    I didn't try, but I doubt that DMN-LOGS can be used to create a new MDLogserver (it's one of those "loose blades"...
  95. Replies
    10
    Views
    2,740

    Re: Licensing CLM (old name)

    Hi

    CPSM-MLOGS-10 can be extended beyond the 10 initially included CPSB-DMNLOGS-F licenses.
    Just did this a couple of days ago once all 10 included licenses were used, and added brand new...
  96. Replies
    11
    Views
    3,017

    Re: New spikefish blog post!

    lol almost spilled my coffee reading your "toilet" comment on Linkedin :)
  97. Replies
    5
    Views
    2,343

    Re: Jumbo HFA for R80 Release

    Monthly as in every 5-7 weeks (rumor).
    I don't consider it to be too often. We can still make the choice whether to apply it or not (based on what its content actually fixes) and when.
    Less individual...
  98. Re: fw_xlate_match_epilog: There is already NAT on src/sport

    Just as a side note regarding "Instance is currently fully utilized": the string was not exactly like the ones you are showing but more like "1_1 fwd instance is currently...." (don't have the exact string...
  99. Replies
    5
    Views
    2,343

    Re: Jumbo HFA for R80 Release

    Remember R77.30...announced at CPX as a stability release with few new features. We're at take 150+ of the Jumbo, nuff said ;-)
    Nah, all kidding aside, it's good that they release Jumbos...
  100. Replies
    7
    Views
    5,419

    Re: R77.30 jumbo hotfix

    Or one could choose another approach:

    -Keep hotfixes as individual packages UNTIL deemed stable enough to include in the JHFA
    -Keep some kind of flag/label on the Jumbo HFA page next to each...