CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.



Type: Posts; User: jflemingeds


  1. Re: SSL/TLS Inspection for FTPS Connections

    Does it really have to be ftp over tls? I take it sftp (over ssh) or the likes isn't an option?
  2. Re: Configure different public IP for Remote Access (S2S already present)

    I haven't tried that before. I think you would have to do a bit of hacking but maybe creating a loop interface with said IP on it would work. I think you would need to have a different NAT on each...
  3. Re: Script for MDS log summary (15 replies, 240 views)

    hurray.. 5th time's a charm.
  4. Re: Remote console and/or RDP (or VNC) access

    There is also ipmitool with SOL (Serial over LAN). I haven't used it but it's on my giant todo list.
  5. Re: Script for MDS log summary (15 replies, 240 views)

    new version posted.

    try running it from the same dir maybe?

    cd /etc/scripts/
    bash script.sh
  6. Re: Script for MDS log summary (15 replies, 240 views)

    ok strange.. it worked using this input. I'm going to post a few more changes. I think it's hitting the exit.

    This alpha script is really coming along with all these bug reports! It might even get...
  7. Re: Script for MDS log summary (15 replies, 240 views)

    hmm ok run this and show the output.

    mdsenv cma-10.109.114.12
    CPLogInvestigator -a -p
  8. Re: Script for MDS log summary (15 replies, 240 views)

    ok try it again. I updated the first post.
  9. Re: Script for MDS log summary (15 replies, 240 views)

    sk87263 - I thought it shipped with R77.30. Maybe not. I'm adding a check for that.
  10. Re: Script for MDS log summary (15 replies, 240 views)

    Do you have CPLogInvestigator on your system? If not can you install it? If you do can you show the output of cma-192.168.1.10-logs.txt?
  11. Re: Script for MDS log summary (15 replies, 240 views)

    hmm i think that's because bash doesn't support floats or one of those numbers might be coming up zero.

    Can you run bash -x script?
  12. Re: Script for MDS log summary (15 replies, 240 views)

    And before you ask, yes, i did in fact write that sed statement and for sure did not look that up on google at all.

    Not... at ... all.
  13. Script for MDS log summary (15 replies, 240 views)

    Hi I made this .. um... wonderful script to give me some worst case numbers for an R77.30 MDS based on how many logs were in the system. Shows highest number of logs per day per CMA.

    #!/bin/sh...
  14. Re: BGP routes showing hidden and inactive on CP 1490 with version R77.20.60

    Could also be a static route is being taken over bgp. Just throwing some ideas out there.
  15. Re: BGP routes showing hidden and inactive on CP 1490 with version R77.20.60

    can you show the output of the show bgp peer x.x.x.x received-routes and show route all?

    Just wondering if maybe the next hop isn't set correctly?
  16. Re: Openstack? (thread started by jflemingeds; 5 replies, 674 views)

    ok so i found a deployment project that seems to be pretty good. I've done a multi node deployment multiple times and it seems to work pretty well.

    Kolla-ansible -...
  17. Re: Domain Objects in R80.10 and above - sk120633

    My guess is what they are saying is existing domain objects (We're talking upgrade here) will not be converted to FQDN mode. Also I would assume the gateway needs to be running R80.10 as well.
  18. Re: Can anyone try give some logical understand to this!!

    Not sure if this works for a debug or not, but you can try this to get more info.

    export TDERROR_ALL_ALL=5 ; ips off >& ~/output.txt

    then look at output.txt in home dir. Might be a lot of data...
  19. Re: VSX - Virtual Systems not sending logs to MDS

    Haven't played with vsx enough to know but do all vs log from the same address or does each vs log from a different ip?

    If they are different I would check netstat -anp | grep 257

    See if the...
  20. Re: R80.10 in VMware (25 replies, 961 views)

    Ooh a cli wizard. Yeah just stop doing it that way. It's error prone and you can't save your answers, oh and it's slow. Use the template and don't look back.
  21. Re: R80.10 in VMware (25 replies, 961 views)

    Not sure what I'm missing but you do not have to use the webui for the first time wizard.
  22. Re: R80.10 in VMware (25 replies, 961 views)

    Of vsx ?
  23. Re: SIP - the other side of one of the fences

    In this case asterisk has a work around for dealing with sip and nat without alg. As I said before everything started working once sip inspection was disabled. Src nat is a hide and dst is static nat...
  24. Re: R80.10 in VMware (25 replies, 961 views)

    I'm not following the bit about being required to use the webui.
  25. SIP - the other side of one of the fences

    </rant>
    So i've been spending a lot of time with SIP on Cisco ASA routers. What i have to report is that the other side of this fence is not all green grass. It's full of all the same brown crunchy...
  26. Re: PPPoE problem (12 replies, 393 views)

    should be like this.
    fw_clamp_tcp_mss=1

    But that file is only read on boot up. Did you possibly reboot after policy install?

    Need to understand if it's going back to zero after policy install...
  27. Re: PPPoE problem (12 replies, 393 views)

    is it setting back to 0 after a policy push? BTW i'm guessing you did but did you also set that in the fwkern.conf?
  28. Re: Hotfix Info - Embedded GAIA - 1100 (1 reply, 308 views)

    Gaia embedded doesn't support patches. You might get a one off binary with instructions on how to install. By far however what you will get is a new install binary. The way you can track this is with...
  29. Re: R80.10 in VMware (25 replies, 961 views)

    Well, really you can just find the commands. The whole system is just shell script so all the heavy lifting is done with external commands. I think you can take it down to a single command or to....
  30. Re: dbedit rule id syntax (3 replies, 126 views)

    9 rule headers. Difference right now is 16 (or 15 i'm guessing rule base is off by 1?) I have 1 disabled rule as well. Still not enough. :/

    implied rules blast way past that number.
  31. dbedit rule id syntax (3 replies, 126 views)

    Does anyone know the logic behind the rule id of a dbedit script for adding/removing objects from src/dst of rules?

    If i try to add/edit rule 119 as shown in dashboard the changes go in 103 (or...
  32. Re: R80.10 in VMware (25 replies, 961 views)

    You've been able to config a firewall without webui for a very long time.

    config_system is the latest way for R77.30. Haven't tried R8x.
  33. Re: Help on understanding why cant do nothing on the fw Virtual systems

    From expert can you run
    echo $SHELL
    export
    source /etc/profile
    export
  34. Re: HA Upgrades in 1490 appliances (1 reply, 113 views)

    Sure would be nice if someone knew how to run these under kvm-arm.

    So upgrade logs are stored in /logs. I'd look there first. Maybe that will uncover some clues.
  35. automatic restore of P1 backup (1 reply, 310 views)

    FYI i have a script set up to do an automatic restore of a full P1 environment (hurray open server!). The script ssh()es to the backup server, starts a tar -zxvf of the backup, pipes the stream of the...
  36. Re: Changing users authentication method en masse

    be sure to report back how things go.
  37. Re: legacy client auth connectivity HTTPS (4 replies, 236 views)

    I think you need to get more information about what encryption or hash method is making things angry, then disable it and generate a new cert.

    Just a guess sk106478 might be a good place to start....
  38. Re: Changing users authentication method en masse

    Damn it man, save those wrists!

    Step 1 - restore backups into lab that has working radius and secureid
    Step 2 - dump user database
    #if p1 don't forget to mdsenv into said CMA.
    fwm dbexport -f...
  39. Re: Operation Memory Clean up is needed. (11 replies, 405 views)

    I'm confused as to what savedb even does. I just ran through creating some objects using dbedit and didn't issue a savedb and everything showed up where i expected. I've also looked at other examples...
  40. Re: legacy client auth connectivity HTTPS (4 replies, 236 views)

    Are you using the default vpn cert that the gateway generates or are you using your own?
  41. Re: OSE problems (1 reply, 341 views)

    Well.. so brute force method going forward.

    awk -F'[,]' '/,ose,/ {print "create host_plain ose2rtr_"$1"\nmodify network_objects ose2rtr_"$1" ipaddr "$3; if ($9){ print "modify network_objects...
  42. Re: Export SmartDashboard objects to a text file

    yupers, it will convert .C to .CSV
  43. Re: Freezes/Lock-Out on our firewall that have CP puzzled.

    Start a new thread and run the commands requested.
  44. OSE problems (1 reply, 341 views)

    So i've got 99 OSE problems and a host object isn't one of them. Well.. really it's more like almost 800.

    Anyone know of a black magic dbedit script or.. really anything.. to convert OSE objects...
  45. Re: Operation Memory Clean up is needed. (11 replies, 405 views)

    ack.. yeah VSX doesn't support db revisions. You would think checkpoint would alarm or warn when creating and not restoring.

    I would not mess with anything further and contact support. Grab that...
  46. Re: Operation Memory Clean up is needed. (11 replies, 405 views)

    Is this part of the demo CMA you turned up in the other thread? I guess if you're worried you could restore the database revision. I would do a savedb more than just once at the end. Like maybe every...
  47. Re: SQLNET and NAT (12 replies, 547 views)

    What service is showing in the logs and what does that service show in the advanced section for protocol? abusharif pointed out the sqlnet2 inspection should support sqlnet redirect based on the...
  48. Re: Checkpoint to Fortigate IPSEC tunnel (SPIs being deleted)

    So does that mean that normal setting for Vpn tunnel on fortinet is 0.0.0.0/0 for proxy id and you changed from that default to something like Vpn tunnel per subnet pair?
  49. Re: Traffic not going through the VPN tunnel

    Just a guess but does the non working host have a NAT rule? If so sounds like you need a no NAT to work around that.

    If that's not the case then we need more info. Are you seeing the packet hit the...
  50. Re: Anyone interested in scientific research?

    I assume you'll be documenting this endeavor?
  51. Re: Freezes/Lock-Out on our firewall that have CP puzzled.

    There has been a lot of discussion (Well maybe not a lot) about changes that would be helpful for this forum and this thread pretty much encompasses everything I've brought up.

    Just a quick...
  52. Re: Freezes/Lock-Out on our firewall that have CP puzzled.

    Can you disable the domain object for a period of time? It might help zero in on root cause.
  53. Re: CP 800 / WLAN issues (4 replies, 423 views)

    I didn't see anything like that but i'm running on a 750.
  54. Re: Anyone interested in scientific research?

    I think this falls nicely inside the everything else clause of misc.
  55. Anyone interested in scientific research?

    I'm going to try to make peanut butter cookies with chocolate covered espresso beans.

    If anyone has embarked upon a similar project please let me know.

    That is all.
  56. Re: Freezes/Lock-Out on our firewall that have CP puzzled.

    Need to know if both firewalls have the same problem or not.

    Also dmesg from both.

    What is that very last line about eth7? Was something cut off?
  57. Re: Freezes/Lock-Out on our firewall that have CP puzzled.

    I haven't seen this asked yet (or i missed it). Have you noticed if this happens on both firewalls or is it only happening when one of the firewalls is active?
  58. Re: RADIUS for external users and mfa (1 reply, 108 views)

    Do a packet capture and see if the radius server is returning unknown user.
  59. Re: Freezes/Lock-Out on our firewall that have CP puzzled.

    Yeah that is the thing. If it was arp I would expect it to be happening at random times and not around policy install.

    Those kmalloc lines don't look good. Can you paste fw ctl pat at and the...
  60. Re: Freezes/Lock-Out on our firewall that have CP puzzled.

    Linux has a max size for the arp table. Neighbor table overflow means you hit the max which by default is I think 1024? You can bump the size without issue. From clish i think it's like set arp-cache...
  61. Re: Freezes/Lock-Out on our firewall that have CP puzzled.

    I was thinking arp issue as well but couldn't tie it to policy install unless maybe there are a lot of nats using local subnet and maybe a failover is happening post policy install. Maybe garps...
  62. Re: Freezes/Lock-Out on our firewall that have CP puzzled.

    Reply with the output of the following from both cluster members. Can you explain firewall topology as well? It seems like you're saying only the dmz interface is going mia correct?

    dmesg
    fw ctl...
  63. Re: high cpu on the fw process of the standby firewall

    Yeah so no idea why the sk went mia. Call support and ask. Might be an internal only now.

    I think the end result pointed to a driver issue or maybe something with vrrp.
  64. Re: high cpu on the fw process of the standby firewall

    The screen shot shows a kernel process called events. That was what I was keying on. May not be related to your issue. Start a new thread to be sure.
  65. Re: cphastart error (7 replies, 366 views)

    yeah sounds like maybe a typo in fwkern.conf.
  66. Re: OSPF Route-based VPN questions (16 replies, 409 views)

    How is this going?
  67. Re: OSPF Route-based VPN questions (16 replies, 409 views)

    I don't think tcpdump works on the vti interface. You need to use fw monitor. I think the filter would be like 'ip_p=89,accept;'

    Oh and turn off securexl before running monitor.
    ...
  68. Re: Checkpoint firewall can't reach tacacs servers-> logs show allowed

    Come to the linux side, we have cookies.
  69. Re: OSPF Route-based VPN questions (16 replies, 409 views)

    Are you trying to route mgmt server access over a VTI by chance? I'd check routing in both directions to verify.
  70. Re: OSPF Route-based VPN questions (16 replies, 409 views)

    Are you mixing domain and vti vpns? You could use vpn tu to clear any related SPIs setup. When you say you can't ping across the vti are you still getting encryption errors? If so ospf isn't going...
  71. Re: OSPF Route-based VPN questions (16 replies, 409 views)

    Yeah start with empty enc domain. That for sure is a problem.
  72. Re: Not responding to arp-who-has (13 replies, 615 views)

    Nice going, i'll buy you one of those famous $18 Bud Lights at vegas for your abilities assuming you're going to cpx.
  73. Re: Route Based VPN VTI configuration (5 replies, 190 views)

    I'm assuming when you say VTI ID you're talking about the gateway name when you add the vti tunnel via clish? Assuming so yes it's unique and also case sensitive. I would assume you would have to write...
  74. Re: Route Based VPN VTI configuration (5 replies, 190 views)

    hmm. i've never done a full mesh with VTI. Good question.

    Do all the peers have direct internet connection meaning they aren't nated? I only bring this up because the peers can route through the...
  75. Re: Not responding to arp-who-has (13 replies, 615 views)

    and if none of that works you can always check for dropped packets with fw ctl zdebug drop.
  76. Re: Not responding to arp-who-has (13 replies, 615 views)

    Aaah. That makes sense. One last option if clustering doesn't fix it. On your proxy arp config are you using the interface name or forcing a MAC address in the proxy arp? I just hit an issue a few days...
  77. Re: Not responding to arp-who-has (13 replies, 615 views)

    How could outbound nat traffic work if arp isn't being responded to?
  78. Re: fw ctl zdebug command is a bad practice

    It's not the size of the buffer that counts, it's how you use it Don Quixote.
  79. Re: fw ctl zdebug command question (9 replies, 358 views)

    Maybe it started out in a R&D bubble but it's for sure mainstream now.

    sk100808
    How to use " fw ctl zdebug" command

    bla bla bla

    "See sk98799 for more information about in-depth kernel...
  80. Re: OSPF dynamic traffic allowing rule (2 replies, 143 views)

    ospf routers (which includes the cluster) go in source and dest

    all multicast ranges go in dest.

    Side advice, i try to set ospf priority to 0 so firewall can't become DR/BDR as well.
  81. Re: fw ctl zdebug command is a bad practice

    I agree, i'd much rather explain to someone to do a zdebug and not worry about them messing up flags or resetting them.
  82. Re: Cluster-cluster FIBMGR and ssh (7 replies, 234 views)

    If i recall someone posted ansible code for R80.
  83. Re: Gateway as a Proxy - NAT Hiding Address Selection

    I was thinking you wouldn't need the VIP since the connection starts from the firewall node and would match a cluster fold. I also said to use services so other things wouldn't be hijacked. Also....
  84. Re: R80: object explorer: unused objects (13 replies, 413 views)

    Yikes. I assume it's clear that from a user perspective that would not be an unused object since it's in the nat policy. I understand the flip side could be it's not really in the nat policy but that...
  85. Re: Cluster-cluster FIBMGR and ssh (7 replies, 234 views)

    If you're going to use smart center you might as well use cprid_util to move files around instead of ssh.
  86. Re: Multi domain management server in vmware workstation doesn't run

    is it just the fwm process that is down? Did you by chance put a license on the CMA?
  87. Re: Gateway as a Proxy - NAT Hiding Address Selection

    Sounds like hide nat rule might work. I'm not sure if there are cases where your VIP needs to be used elsewhere, but for example this would only change your src nat for a given services...
  88. Re: Cluster-cluster FIBMGR and ssh (7 replies, 234 views)

    1. You used to have to create that rule for dynamic routing updates but I think it's implied now.
    2. I think it's a good rule to have. If someone has sshed to the firewall they must have admin...
  89. Re: Checkpoint to Fortigate IPSEC tunnel (SPIs being deleted)

    With beer!! Yes larger!! Err... no wait ..I mean logger

    fw ctl zdebug drop | grep --line-buffered | logger &
    disown

    It should run forever until you kill the fw ctl zdebug.

    Will be sent to...
  90. Re: So I tried loading pfSense on a 4600 (6 replies, 335 views)

    I think pfsense is very picky on the way the remote is identified in phase I. You may want to pull an ike debug to see how the checkpoint is advertising and compare with what pfsense is configured...
  91. Re: CheckPoint 750 flash alternative OS on appliance

    NAND mtd. Checkpoint uses UBIFS on the 750 / 1400. 1100 uses jffs I think.
  92. Re: So I tried loading pfSense on a 4600 (6 replies, 335 views)

    My guess is the kernel isn't sending the console output to the serial port. Do a search for pfsense serial console.
  93. Re: CheckPoint 750 flash alternative OS on appliance

    Anything is possible!

    Connect to the console port (115200 baud), boot the box and hit ctrl-c when prompted.

    I think there is a tftp option. If not shrug. If so try booting your fav arm distro....
  94. Re: Checkpoint to Fortigate IPSEC tunnel (SPIs being deleted)

    oops, loaded wrong IKE.elg file. ignore!

    Nothing to see here! .. um... yet! :D
  95. Re: Checkpoint to Fortigate IPSEC tunnel (SPIs being deleted)

    Are both sides setup for Certificate base VPN instead of PSK. Is that correct? Looks like a cert issue right now.
  96. Re: Question regarding failover in ClusterXL (and not only)

    That sounds harder than "good enough".
  97. Re: ISOmorphic download (3 replies, 429 views)

    I haven't used ctrl-I in a long time.
  98. Re: new build of R77.20.60? (9 replies, 717 views)

    FYI sk117894 is updated with build numbers and their fixes.
  99. Re: Check Point debugging GUI (7 replies, 918 views)

    Did you make this tool a long time ago? It seems interesting but really i wouldn't be cool with running this. Maybe if it was in a language that uses an interpreter like python or perl or something so that...
  100. Re: Check Point 4800 on either end of 1gb FIOS. VPN Throughput question

    Never say die!! Look said person up on LinkedIn/ fecalbook as well.