Type: Posts; User: Irek_Romaniuk
I've just tried it on Ubuntu 16.4, see below:
docker@ubuntu-DC1:~/ochepist$ ls -l ochepist.tar.gz
-rw-rw-r-- 1 docker docker 4760557 Aug 14 12:42 ochepist.tar.gz
docker@ubuntu-DC1:~/ochepist$...
Why not logstash as a flow collector? Read here
I had the issues described in sk78180 'Disabling MEP for Endpoint VPN Client'
I developed a program 'ochepist' for R77.30 which pulls Office 365 addresses from a web page and exports them in dbedit format. It is described here, link to repo included. I will upload binaries on...
Yeah, I think SmartPro is better to manage a large number of gateways (never used it with regular Gaia). But it doesn't make provisioning any easier. Zero touch provisioning (Zero Touch portal) is...
You have the API available in R80.10, see https://sc1.checkpoint.com/documents/R80/APIs/#gui-cli/install-policy
Exactly, but without colons ;) Thnx!
$ curl --insecure -XPOST "https://10.254.253.110/web_api/login" --data-binary "{\"user\": \"admin\", \"password\": \"password\"}" -H "Content-Type:...
I am trying the basic API on my R80.10 with curl below, but getting an error
$ curl --insecure -XPOST "https://10.254.253.110/web_api/login" --data-binary "{"user":"admin", "password":"secret"}" -H...
I found it with:
> show web ssl-port
web-ssl-port 4434
Got error: 'Access denied. The destination of your request has not been configured, or you do not have authorization to access it. (403)'. Strange, I was not prompted for credentials.
What is the GUI port I can access the mobile blade on? It's not 443 because that is taken by the portal.
Finally I managed to upgrade, but had to follow sk116056 'Duplicate objects, IPS profiles, policies are displayed in R80 / R80.10 SmartConsole'. Now I am on R80.10 and the WebUI is available.
Of course the module creating a rule based on source/destination and port has to be vendor-API specific. Looking at the Check Point Management API Reference v1.0 I can see 'add access-rule' with...
Thanks again. Regarding using the CLI to upgrade, which command do you run after untarring Check_Point_R80.10_T421_Upgrade_from_R80_FULL.tgz? I don't see the typical UnixInstallScript...
Btw, see below...
Appreciate it, Yonatan. CP asked me to collect evidence following sk84561. In the process of collecting evidence my connection to the portal was magically restored, probably as a result of restarting httpd2...
I have the same problem: can't reach R80 with the mgmt GUI, and I want to upgrade it to R80.10. Restart doesn't help.
I believe that policy creation should be vendor agnostic, even at the cost of having 10k rules... I put some of my thoughts together here.
These best practices address only the initial, manually created part of the policy. In my opinion, after this is done, the rest of the rules should be created automatically through the API, based on approved...
Here is the ticket number: 1-9572412401, thnx
Yeah, ticket opened. I disabled wireless trying to change DNS settings on too many appliances this week ;( To make things even worse, I couldn't re-enable it with the CLI (was getting 'unkown error'), so...
Changing DNS settings on the 1100 is causing wireless to be disabled; has anyone seen this behavior? This happens across all versions, including 77.20 below
Irek-11> show wlan vap CPHome
…...
Thnx, added to the calendar. Btw, what's the max number of rules (and/or sub-rules?) in CP?
But it would require some extra program logic to find out where to put the rule instead of the straightforward 'next to the bottom'.
So far my rule base is close to 100 per firewall ;) But this is because requests are manually implemented and optimized in the GUI (i.e. integrated into existing ones by adding a port or address; here...
So does the number of rules matter? Is there a difference in packet delay (processing) between a rule set with 100 rules and one with 10k rules?
Is the Check Point policy first-match, or is it rather trie-based, where rules are converted to 'n-ary tries' (graphs)? I think Palo Alto is using a trie-based policy.
Split tunneling is based on the VPN encryption domain, which from what I know can only be a group of address objects. Updating a group of address objects through dbedit automation scripts is supported by...
Were you able to upgrade an R75 1100 to R77.20 (remotely)? We have firmware upgrade issues.
I was told that all 1100 appliances can be centrally managed, whether the management server runs R77.30, R80 or R80.10. Do you know if that includes 1100s with R75?
The program can be run outside of the mgmt server, only to generate dbedit files ;)
I developed a program in Go called 'ochepist' which I use to pull a list of, e.g., Office 365 IP addresses from a provided URL and write them to a file in CP dbedit format, creating a group object (see g-o365...
Sounds great. Unfortunately I have 77.30. So how do I set up CPDBL on 77.30 to whitelist Office 365 address ranges (I have an HTTPS feed with ranges)?
Is it possible to use CPDBL to whitelist a custom list of addresses, e.g. Office 365 below (served from HTTPS)?
104.210.43.160-104.210.43.160
104.41.155.129-104.41.155.129...
Do you know how to disable the RC4 cipher on a CP firewall?
I don't believe what SmartView is showing for CPU; I rely on top because I can look at the processes I want to, like 'fw_worker'. On each gateway I have a simple bash script running every 10 sec which...
I am changing the IP address of a Multi-Domain management server (P1 - MDS with a couple of CMAs, 77.30) but I would rather avoid resetting the internal CA (fwm sic_reset on the CMA). It will leave the old CMA IP inside...
It's definitely unlimited, the number exceeded 500... I haven't found the correct syntax for that command yet. Thnx again
I have two licenses for SSL VPN applied, CPSB-SSLVPN-500 and CPSB-SSLVPN-U. The last one is eval, but active. So what is my current limit of SSL VPN connections, 500 or unlimited?
CP support? ;)
Maybe I can get myself an FTP client which will be able to transfer files through the tunnel (pick a src interface other than public ;), or quickly install any of the missing tools like, e.g., curl.
I quickly tested Go cross-compilation of a simple web server to a Check Point 1100 appliance, see my blog post here. It's super easy and I do not need a compiler on the 1100.
Looks cool: http://qostechnology.in/blog/syslog-integration-with-checkpoint/
I haven't used C++ for a looong time; instead of re-learning it I started to use Go.
Right, you are looking for a log generator but for rule-specific logs, not syslog, correct? I wrote a syslog generator for PAN; CP is more challenging because of encryption ;(
This one is good: https://blog.rootshell.be/2014/08/28/check-point-firewall-logs-and-logstash-elk-integration/
Interesting, I can try it on VSX.
This is it, thnx!
This is worth reading: https://blog.rootshell.be/2014/08/28/check-point-firewall-logs-and-logstash-elk-integration/
I've seen a post about a rule testing utility some time ago. I just can't remember what its name or sk number is.
I saved a pcap in the root directory of the 1100 but it is gone after reboot. What directory would you recommend for tmp storage on the 1100?
I have the same problem, haven't found a solution.
Is it a standalone or centrally managed 1100?
I was looking to use CP as a VPN concentrator only in my current topology. Any-Any-Accept on CP still inspects traffic.
This is the default number of tunnels to be monitored by SmartPro.
Makes sense... now I remember that limit of 200 from the VPN test ;)
I have the table tnlmon_listener_list hitting the roof, but I don't know what tnlmon_listener_list is.
# fw tab -t tnlmon_listener_list -s
HOST NAME ...
Right, the response from CP was 'The firewall without a policy will act as a router. We have to push at least a policy that allows any to any and push the vpn configuration to the gateway. The firewall...
Thnx, looks like it is what I am looking for; not sure if VPN will still work. I can see 'ip_forward' is already 1?
#cat /proc/sys/net/ipv4/ip_forward
1
I am using a UTM-1 3070 as a central VPN gateway (R77.30); I don't really need a security policy because this is behind the main firewall. Is there a way to disable the security policy without individually disabling...
It shouldn't be a problem. I'm just in the process of creating a tunnel where I have all public IP addresses in the VPN domain ;)
I was using only one interface, 'Internal', on my UTM-1. Now I added External in clish; I can see it from bash, ping from it, etc. But in the GUI I can't add the External interface (Topology section), neither...
Yeah, looks like too many of these where clish doesn't create a bash user are R77.20.00 - Build 289... I found 3 more. It doesn't happen on R75.x nor R77.20 except build 289 ;(
Correct, nothing in /etc/passwd. I was going to add the user and make it use bash as default, lol.
I have many cases where I can't log in to an existing account ('newadmin' below) on the 1100, and at the same time /var/log/messages shows the message 'authpriv.warn dropbear[640]: [SSH] Login attempt for...
I am using the global policy to install all policies in a given CMA; below is an excerpt from global_autopolicy.sh
mdscmd install-globalpolicy -install -l CMA1 2>&1
then save the output in the file (see cron...
;) Correct, the bash user works only for admin.
There is a way to set up a user with expert privileges on Gaia by typing 'set user user_name shell /bin/bash', but not on Gaia Embedded (1100/1400). On Gaia Embedded I can add a user in clish but then have to...
I agree, it depends, but I think the direction is to use inspection and Identity Awareness-like access. I was never able to answer the simple question of who has access to what based on any policies I've seen...
I posted a discussion here regarding security policy strategy. Basically I would like to know your opinion on whether to use granular, 'one-off' rules or just intrusion and malware inspection. I think...
I use Jenkins to schedule backup tasks, see here. It includes starting the FTP server, transferring and then stopping the FTP server. I don't know how to automate SFTP, but even if I knew I would still use Jenkins...
Check Point doesn't natively support sending firewall logs (rule-related logs) to syslog; it can send only OS logs to syslog. Log server in your case means an external CP log server (separate product)....
Sure thing, thnx again
Yeah, in that log I can see entries like the one below (I tried to remove it from the GUI as well)
[6110:Thu May 19 11:16:25 2016] CSuRemovePackageHandler::RemovePackage: Failed to remove package...
I am trying to remove R77.20 packages and add one back (most recent). But I am getting 'Segmentation fault (core dumped)' when typing cppkg del, see below. I can't do it from the GUI at MDS level, don't...
Yes, I am using a similar script. Sometimes it was freezing during the mds start process (and not being able to transfer my backup file later in the same script). Now I am doing it all from Jenkins with...
SmartLSM firmware upgrade works fine in a fresh lab install, but for some reason not in my production. CP has not been able to fix it so far and I had no time to look under the hood.
It was discussed at https://www.cpug.org/forums/showthread.php/20400-can-t-ssh-to-1100-using-kyes?highlight=ssh+password I think I changed UIDs, and it worked. But since I am fine to ssh with...
The 'raw' module is all I have, not bad. But... a full Python stack would be really nice! CP doesn't even want to support key-based ssh access to the 1100. I was told that my workaround can be overwritten by...
I have to change passwords on my fifteen hundred 1100s soon, maybe next week. But I will use Jenkins with the Ansible plugin. Already used it to change the syslog setting (any Gaia or bash settings). I got...
I was using the script below in cron. Recently moved to Jenkins, see my blog post
# cat /var/scripts/autopolicy-jenkins.sh
#!/bin/bash
# Source the Check Point profile for library and...
I will be there; hopefully John will have a presentation of the 'strace' stuff, can't wait ;)
I am waiting for SSL (or SNX) to be supported in Win10; according to sk107132 (updated on March 23) it is not yet supported in Chrome builds 45 and above (until Q2 2016). I don't know why the...
I am looking for the best way to obtain network throughput on VSX, per physical interface or per VS (CLI). I know I can do the below, but this only works for VS0
[Expert@VSX-1:0]# cpview -p | grep...
There is an excellent post on CRL here. I think the default is 24h.
What is it? ;)
Yes, there is a core dump in /var/log/dump/usermode/. See /var/log/fwd.debug...
[Expert@mlm1w:0]# ls -l /var/log/dump/usermode/
total 53624
-rw-r--r-- 1 admin root 54848174 Mar 1 09:45...
I tried to restart manually and also followed sk35628, but FWD.clm2w is still down
[Expert@mlm1w:0]# /opt/CPmds-R77/customers/clm2w/CPsuite-R77/fw1/bin/fwd -n
fwd_monitor_init: fwd_monitor_active was...
One of my CLMs (IP address ending with 142) stopped collecting logs; the file fw.log is not growing anymore. Based on tcpdump there is traffic on port 257 coming from gateways to that CLM and even...
Interesting, they claim it is possible to use a RESTful API in 77.20-30. I will ask CP support.
Did you set up OSPF neighborship over IPsec or locally in the LAN? I know it is possible using unicast addresses instead of the default multicast. Also, was it for a centrally or locally managed 1100?
Yeah, I wouldn't count on R&D; they were not even open to allowing ssh using a key instead of a password without a workaround. I would love to have curl.
Interesting, do you know where I can find info about changing the IPS profile of a gateway?
OSPF over IPsec? I think OSPF doesn't work over IPsec. Also, on a centrally managed 1100 (at least with SmartPro) you are limited to domain-based VPN with statically configured destination subnets. In case...
Forgot to update: I fixed it. The problem was that CP IPS was dropping URLF updates, the second HTTP one (not HTTPS)
curl -v https://secureupdates.checkpoint.com
curl -v...
I got an answer from CP tech support: 'No, unfortunately there is no command line way to change this value' ;) Don't know what they mean, probably that there is no CLI to change the default timeout, but...
Is there a CLI command to clear the user/IP association? It's set to 720 min by default but I need to clear it before that timeout.
Interesting, thnx for sharing. That McAfee Evader looks pretty cool; are there any similar tools?
Hey, see the attached debug. The CP guy is still looking ;)
Did you install multi-management? I think EA supports only a single server.