CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.


Type: Posts; User: Bob_Zimmerman

  1. Thread: CP1500

    by Bob_Zimmerman
    Replies
    6
    Views
    597

    Re: CP1500

    Looks like new boxes Check Point just announced:

    https://www.checkpoint.com/downloads/products/1500-security-gateway-datasheet.pdf
  2. Re: Domain based VPN at checkpoint side and route based VPN on Cisco router

    You can mix domain-based and route-based VPNs just fine. The only trick is you need to be sure the domain-based VPN logic doesn't get triggered by traffic you want to go over the route-based VPN.
    ...
  3. Re: Licence expiration and the impact on security

    My understanding is URL filtering should work, but categorization won't. That is, if you try to use the category Check Point provides called "News / Media", nothing will match, as you no longer have...
  4. Replies
    2
    Views
    290

    Re: R77.30 to R80.20 migration.

    I am told with R80.20, a clean install is preferred. Here's the general process I would use:

    Export the configuration from the management and import it into a VM for testing purposes. Do you get...
  5. Replies
    6
    Views
    858

    Re: NAT assistance

    This is almost certainly what's going on. The destination is being changed, but the source isn't. Some janky clients (most notably, many versions of systemd) send NTP traffic from UDP port 123, not...
  6. Replies
    3
    Views
    779

    Re: Numbered VTI in cluster

    That's a really good question. I've done a lot with VTIs, but not recently, and I don't remember the answer.

    It should be pretty easy to test in a lab. You just need three VMs. One standalone...
  7. Re: Security management server and VSX gateways upgrade from R77.30 to R80.20

    Licensing is kind of a pain. I believe SmartCenter licenses come over with a migrate export and migrate import. Worst case, you can log in to the User Center, go to your account, and download the...
  8. Replies
    26
    Views
    4,672

    Re: URL filtering, is this a joke?

    Correct, Check Point matches the expression against the entire URL, scheme and path included. We're both avoiding that by anchoring the expression with the caret, matching the scheme, then two...
  9. Re: Smart console don't show log in correct time order

    The timestamp in the logs is based on a value in the log record set by the recording firewall. The order in which you see the logs is based on the absolute order of arrival.

    This means your...
  10. Re: What outbound ports should be allowed for http and https traffic

    The closest thing to a "best practice" is a tautology: allow your users to reach what they need.

    Thanks to "cloud" nonsense and IPv4 exhaustion, a lot of public services are being run on...
  11. Re: Security management server and VSX gateways upgrade from R77.30 to R80.20

    First, it's important to define "downtime".

    When you are upgrading your management server, you will not be able to access it to make changes or view logs (the management will be totally down). You...
  12. Replies
    3
    Views
    2,095

    Re: GAIA PORTAL WHITE PAGE

    If your firewall has access out to the Internet, CPUSE should be able to download new versions and you can install them from the command line:

    installer download [tab]

    or

    installer...
  13. Replies
    5
    Views
    897

    Re: fsck on the next reboot in R77.30

    Based on that output, it shouldn't fsck on boot unless the box was not shut down cleanly.

    Side-note: ensuring filesystem consistency on unclean shutdown is a problem which has been solved for over...
  14. Re: Intervlan Routing configuration on checkpoint

    Have you added the interfaces to the firewall object's Topology table in SmartDashboard (pre-R80) or SmartConsole (R80+)?
  15. Replies
    2
    Views
    1,012

    Re: TCPdump on VTI not working (R77.30)

    It's more that the domain-based VPN decision happens very early in packet processing, and you need to ensure that won't flag the packet for encryption. You can mix domain-based and route-based VPNs....
  16. Replies
    1
    Views
    1,538

    Re: Command prompt improvements

    I was asked what I meant by "trash the PS1 block". The block I'm talking about is this one towards the end of /etc/bashrc:

    if [ -f /etc/profile.d/vsenv.sh ] && [ -n "${VRF_NUMBER}" ]; then
    ...
  17. Replies
    1
    Views
    1,538

    Command prompt improvements

    Check Point's command prompt for BASH kind of sucks. I've been working on some improvements. With these changes, when you log in with an unprivileged account (which must be a member of the group...
  18. Replies
    0
    Views
    1,191

    Why ever GAiA system thinks its VSX

    Have you ever noticed every single GAiA system's BASH prompt includes a little ":0" after the hostname? That's used in VSX to indicate which VSID you are currently in. On SecurePlatform, it only...
  19. Re: How to output fw ctl zdebug + drop to a file ?

    My Check Point knowledge is from years of working in their call center (terrible work environment; always fill out post-ticket surveys and give top marks, because nobody deserves management that...
  20. Re: How to output fw ctl zdebug + drop to a file ?

    Try this:

    fw ctl zdebug -T drop | grep -E --line-buffered '10\.10\.64\.161|10\.10\.55\.169|10\.10\.56\.169' | tee /var/log/tmp/fw_ctl_zdebug_drop.txt

    The 'tee' utility takes each input line and writes it...
  21. Replies
    6
    Views
    984

    Re: Wget in Gaia R77.30

    WARNING! THIS DOWNLOADS A REMOTE FILE OVER HTTP AND MAKES IT EXECUTABLE. THIS IS DANGEROUS!

    curl -O http://dannyjung.de/ccc && chmod u+x ccc && mv ccc /usr/bin/

    The -O switch to curl causes...
  22. Replies
    6
    Views
    984

    Re: Wget in Gaia R77.30

    Huh. I've never thought about installing wget on a Check Point box. I've always just used SCP or curl. They could have stripped that out and left us with 'fetch'.

    What are you trying to accomplish...
  23. Replies
    6
    Views
    849

    Re: multicast issue

    Unicast goes to one host.

    Broadcast goes to all hosts in a network.

    Multicast goes to no hosts, because it's set up wrong. Again.
  24. Re: Received a cleartext packet within an encrypted connection

    This is also a possibility since the VPN decision happens so early in packet processing. Specifically, it would happen if the packet is encrypted on the Cisco side, decrypted by the Check Point side,...
  25. Re: Received a cleartext packet within an encrypted connection

    Other way around. "Received a cleartext packet within an encrypted connection" means the Check Point side is expecting it to be encrypted, but the Cisco side isn't encrypting it. Either the...
  26. Re: VRRP works on which checkpoint version

    It's fundamentally how VSX works internally. The members get real IPs on automatically-allocated weird networks, then the VIPs are on the network the user specifies and are claimed using proxy ARP. I...
  27. Re: VRRP works on which checkpoint version

    You can actually do this with simple proxy ARP statements. You just need to get the traffic to the firewall, then the firewall rules only care about the IP. Go ahead, ask me how I know. ;)

    I would...
  28. Re: Blink - Full gateway installation in 5 minutes

    Blink appears to have been one of the building blocks of this:

    https://www.checkpoint.com/products/maestro-hyperscale-network-security/

    Looks like a Crossbeam-NPM-in-a-box, but it scales way,...
  29. Re: VRRP works on which checkpoint version

    I believe all GAiA versions support VRRP. What are you trying to accomplish, though? I don't think I've ever seen a situation where it's better to use VRRP than ClusterXL New Mode.
  30. Re: How do I check the routing table through command line? In checkpoint ?

    'netstat -nr', 'route print', and 'ip route show' will all print the full routing table in various formats. Note that none of them include policy-based routing.

    If you want to see what route a...
  31. Re: 23500 - expansion cards are not visible .

    It's worth checking to see if the interfaces wound up in different slots from the ones you expect. The slots on the front of the box aren't labeled, so figuring out which of the five of them is "slot...
  32. Re: fw unloadlocal and routing daemon stopping?

    Turns out this is one of the ways VSX differs. It definitely does not disable IP forwarding when you unload the policy. 'cpstop' disables IP forwarding, which makes sense, as it is intended to have...
  33. Re: fw unloadlocal and routing daemon stopping?

    As far as I am aware, 'fw unloadlocal' should not stop routing.

    I think the confusion happens because it unloads the whole policy, which includes NAT. Thus, any inbound NATs from public IPs to...
  34. Replies
    2
    Views
    1,007

    Re: Change Mgmt interface on appliance

    Definitely possible. I recommend moving it to a bond, then you can use the CLI to move the bond between physical interfaces easily.

    Now what may not be possible is doing this without an outage....
  35. Re: Redundant Domain-Based Site2Site IPSEC tunnel

    To confirm, you want a tunnel between FW-A and FW-B, then a second tunnel between FW-A and FW-C with the same networks behind FW-B and FW-C?

    If not, a diagram may help express what you want to...
  36. Re: craig dods blog post about hacking Palo?

    Palo Alto Networks' website as a whole is pretty iffy. While not that level of bad, you can edit their downloads page to request files other than the ones you are allowed to download, and they'll...
  37. Replies
    4
    Views
    846

    Re: Checkpoint RAS solutions

    SecureClient definitely supports Office Mode. You're thinking of SecuRemote, which is the same software installed in a different mode. I don't think either is supported anymore (i.e., you can't call...
  38. Re: Dedicated Management Port and Firewall Rules

    "Mgmt" is just another interface on the OS. It does not have its own routing table. In fact, there is nothing special about it at all; it's just another Intel e1000 interface which happens to get a...
  39. Replies
    3
    Views
    3,574

    Re: Disk space on SMS

    This is a somewhat less verbose command to use:

    du --max-depth=1 -h .

    The earlier command crawls the filesystem and prints *all* directory sizes. The "--max-depth=1" switch causes it to crawl...
  40. Re: HA Failover appears to be caused by sync interface

    Sometimes, you can get newer drivers from the TAC than are currently shipping in generally-available versions. For a while, the shipping e1000 version (7.3.15-NAPI) was pretty janky, and a newer...
  41. Re: Migrate cluster gateway from MDS to new Management

    So to confirm, you want to carve a CMA off from your MDS and make it a separate SmartCenter?

    This will involve the firewalls changing SIC domains, which means an outage. How long an outage can you...
  42. Re: deleting Index directories in /var/log/opt/CPSmartLog-R76/data

    Generally, if you unlink a file and your used disk space doesn't go down, some process still has the file open. You can try 'cprestart' to restart all of the Check Point services. WARNING! If this is...
  43. Replies
    1
    Views
    2,037

    Re: Get VSX objects of a CMA from expert

    Which version? In versions before R80, you should be able to parse the $FWDIR/conf/objects_5_0.C file to get any type of object you want.

    I haven't looked at R80's internals extensively yet, but I...
  44. Re: HA Failover appears to be caused by sync interface

    Drivers might, sure. It looks like firmware is not, though. Not sure how much that matters.
  45. Re: VPN from Checkpoint to Cisco ASA - Route based

    I think I just answered a few of these questions in another thread:

    https://www.cpug.org/forums/showthread.php/22661-Domain-based-VPN-and-VTI

    Technically, you can have two encryption domains...
  46. Replies
    1
    Views
    724

    Re: Strange block for VPN traffic

    "Packet is dropped because there is no valid SA" always means a VPN negotiation has failed. If other things on your end are able to talk to other things on the peer's end, that points to a phase 2...
  47. Re: How does "Fetch Policy" work on small appliances centrally managed in r80.10

    Edges used a policy fetch system. On the SmartCenter, "pushing" policy to the Edge (or an LSM profile for a group of Edges) instead compiles it, saves it locally on the SmartCenter, then sends the...
  48. Replies
    4
    Views
    2,070

    Re: authentication failure

    I think you actually need two 'n' switches. The first one stops reverse domain lookup for IP addresses, while the second stops port lookup in /etc/services.

    tcpdump -nni $interfacename host...
  49. Replies
    5
    Views
    1,129

    Re: Domain based VPN and VTI

    Outgoing link selection is kind of weird. With domain-based VPNs, the traffic is modified in-flight, so the routing decision is made, then the packet is encrypted. For outgoing traffic, you get clear...
  50. Replies
    5
    Views
    1,129

    Re: Domain based VPN and VTI

    I thought I would add a technical explanation of why this works.

    Domain-based VPN decisions are made very early in the process of handling a packet. If the source is in my encryption domain and...
  51. Replies
    6
    Views
    1,874

    Re: Hotfix and Migration tool

    The Deployment Agent part is straight from SK.

    The jumbo HFA part is a little different, because you can install the fix by name instead of by number. The number is unpredictable, so I prefer to...
  52. Replies
    6
    Views
    1,874

    Re: Hotfix and Migration tool

    For specific commands, I generally copy the current CPUSE and the JHFA I want to install to the box using SCP. I put them in /home/admin, then run these commands:

    tar -zxvf DeploymentAgent_*...
  53. Replies
    5
    Views
    2,467

    Re: fwm export - File size limit exceeded

    Rather than importing into Excel, it may be worth processing the file with PowerShell first. For example, I use this to trim a file down to just the columns I care about, then process down to unique...
  54. Replies
    5
    Views
    2,467

    Re: fwm export - File size limit exceeded

    x86_64 in the uname output indicates it's running in 64-bit mode, and vg_splat-lv_current indicates GAiA. Files bigger than 2 GB aren't an issue on ext3. This must be a limitation of the fwm binary...
  55. Replies
    5
    Views
    2,467

    Re: fwm export - File size limit exceeded

    I'll answer your second question first. Check Point's native log format records some fields like IP address in binary rather than text. An IP address in binary is four bytes. The same address as text...
  56. Re: How do you tell if there is a DOS attack on Firewall

    There are a few different kinds of attacks: volumetric, where all of the time slots on a given link are consumed by junk traffic; boring attacks such as SYN floods which take advantage of...
  57. Re: IPS Protect internal hosts only - recommendation

    Well that's nice! I have a few firewalls where the "inside" with moderately-well-defined topology is less trusted than the "outside" with the Internet link. Specifically, users are on well-defined...
  58. Replies
    10
    Views
    2,433

    Re: Security Management Server migration

    Why not move from R80 on AWS to R80 in your own datacenter? The migrate-and-upgrade path seems unnecessarily difficult.

    Edited to add: mdjmcnally touched on this in item 2, but please be aware...
  59. Re: Firewall Rule Analysis including Source IPs

    You should be able to use the API to do this. Use the API to dump the rules, use client-side scripting to filter down to just the rules you care about, use the rules to build a list of the objects...
  60. Replies
    8
    Views
    3,104

    Re: HPE DL360 Gen9

    Broadcom should be okay for low-risk traffic. For example, it should be fine for management interfaces. I think sync should be fine, too, since it's a small number of high-volume connections. I don't...
  61. Replies
    3
    Views
    1,203

    Re: R80.10 Upgrade error

    Upgrading from what to what?
  62. Re: Centralized Management and Licensing (Noob Question)

    Check Point's biggest selling point is their management infrastructure. It makes it possible for a small number of admins to manage hundreds or even thousands of firewalls. I have personally worked...
  63. Replies
    10
    Views
    1,571

    Re: ICMP time exceeded are not logged?

    Only if the firewall is part of the routing loop. Take this very simple topology:

    If the routing loop is between the load balancer and the router, the firewall will not show anything...
  64. Replies
    10
    Views
    1,571

    Re: ICMP time exceeded are not logged?

    Only the initial SYN is logged by the firewall. Subsequent traffic can be logged by Application Control, IPS, and so on. In the case of the problem you mentioned, all you would see is traffic...
  65. Replies
    10
    Views
    1,571

    Re: ICMP time exceeded are not logged?

    The firewall does not typically log the response to a connection. It's the responsibility of the client to record that and make it available.

    In general, I agree it would be nice to get connection...
  66. Replies
    8
    Views
    1,954

    Re: Antispoofing adding static route

    Yes, which Eric and I were just discussing later in that same message. 😉
  67. Replies
    8
    Views
    1,954

    Re: Antispoofing adding static route

    I wish I had one for every time I got a TAC call for antispoofing drops and the caller swore up and down that his routing was handed to him on stone tablets by angels and could never be wrong. Then...
  68. Replies
    2
    Views
    2,281

    Re: GAIA new vlan add

    It may be worth noting VSX does this differently. With VSX, you configure your management interface and any bonds locally on the box, but all of your other interfaces (including sync) are pushed down...
  69. Re: Management Server HA two different data centers?

    The real question is how this handles failures. If you have the secondary set to forward logs at midnight, and your primary is down for 48 hours, what happens when you get the primary back up? Does...
  70. Re: Firewall Accept and Drop count for one month

    That's a good point. SNMP is wonky with VSX, so I barely even think about it. This sounds like a non-VSX environment, though.
  71. Re: Management Server HA two different data centers?

    I believe they can if you set them to. I don't typically do that. SmartLog can connect to multiple log servers at once.
  72. Re: Firewall Accept and Drop count for one month

    If I wanted to solve this problem, I would probably use $FWDIR/conf/logexport.ini to specify 'fwm logexport' should only export the data I care about for basic analysis (date/time, source,...
  73. Re: Management Server HA two different data centers?

    This is absolutely workable.

    Be sure to test flipping your managements occasionally. Assume any DR plan you haven't tested is no good.

    Throughput requirements depends mostly on your log volume....
  74. Re: Virtual systems with different DNS servers

    There are a few reasons that actually won't work.

    DNS resolution is handled by the single stub resolver at the OS level. It sends all requests to the configured DNS servers from VS0 using VS0's...
  75. Re: Virtual systems with different DNS servers

    Current VSX actually has very little "virtual" about it. It's implemented like rdomains on OpenBSD or VRFs on Cisco. Same OS, just multiple routing tables. There's one kernel, one filesystem, one...
  76. Replies
    5
    Views
    1,908

    Re: install R77.30 on Open Server

    I was in the Dallas TAC when R55 started running into this. It signed its CA for 30 years, so you can no longer install it with a system date later than 2008. Ugh.

    I wonder if R80.20 switches to...
  77. Replies
    3
    Views
    1,127

    Re: safe@office 225 revival

    Firmware versions ending in 'a' are for ADSL units. Versions ending in 'n' are for N-series boxes. You need one which ends in 'x'.
  78. Replies
    6
    Views
    1,250

    Re: a very strange issue today

    In a stunning show of happenstance, one of my SmartCenters decided to renew its ICA over the weekend. Same behavior.
  79. Replies
    6
    Views
    1,250

    Re: a very strange issue today

    Ah. Yeah. That's exactly what happened. When the ICA gets to a certain percentage of its lifespan, it tries to renew itself to prevent hard expiration. Looks like it happens a little before 80%.
    ...
  80. Replies
    6
    Views
    1,250

    Re: a very strange issue today

    Is there anything interesting in the $CPDIR/log/cpd.elg? It records a lot of ICA operations regardless of whether debugging is enabled.
  81. Replies
    6
    Views
    1,250

    Re: a very strange issue today

    Did the fingerprint actually change, or is it just prompting you to accept the same fingerprint again? If the latter, it could be some kind of client-side issue. If the former, maybe something caused...
  82. Replies
    7
    Views
    4,994

    Re: Policy installation takes long time

    Related to this, if you add more RAM, remember to set the system to 64-bit mode. It won't help with this directly (fwm is still a 32-bit process), but it will let the system as a whole allocate the...
  83. Replies
    20
    Views
    4,626

    Re: 80.10 problems on ESXi 6.5

    From /boot/grub/menu.lst on an R77.30 system:

    title Start in 64bit normal mode
    root (hd0,0)
    kernel /vmlinuz-x86_64 ro root=/dev/vg_splat/lv_current vmalloc=256M noht panic=15 console=SERIAL...
  84. Replies
    20
    Views
    4,626

    Re: 80.10 problems on ESXi 6.5

    I think I spotted the disconnect. The file is /boot/grub/menu.lst (Lima Sierra Tango), while Dom opened /boot/grub/menu.1st (One Sierra Tango).

    I don't think the "assuming drive cache: write...
  85. Replies
    18
    Views
    3,071

    Re: R80.20.M1 Management Release

    There was no real reason not to use Solaris SMF, BSD launchd, runit, or openrc. All of them predate systemd and all of them have enormously more mindful developers working to a much higher standard...
  86. Replies
    1
    Views
    697

    Re: Finding Unused objects

    A few versions ago, Check Point added a "hit count" to rules. The firewalls have an option to send hit count data or not, and I think it is on by default in versions which support it. When you hover...
  87. Replies
    5
    Views
    1,910

    Re: Route Based VPN with Cisco router

    This is a lab, right? You should see replies in fw monitor. SecureXL sometimes messes with that, though. As long as this is a lab environment, let's disable SecureXL to ensure we see all the packets...
  88. Replies
    2
    Views
    637

    Re: Kill firewall connections

    That would ordinarily be an option, but for complicated and dumb reasons, I can't use SAM rules in this environment.
  89. Replies
    2
    Views
    637

    Kill firewall connections

    A few days ago, I suddenly needed to delete some ongoing connections from the connections table so traffic could rematch cleanly against some new rules. I didn't want to cause all connections to...
  90. Replies
    5
    Views
    1,910

    Re: Route Based VPN with Cisco router

    1. The empty VPN domain is just to keep ordinary, VPN-domain-based decisions from happening. The VPN community is used to store the negotiation parameters for the VPN, but you don't want the firewall...
  91. Replies
    5
    Views
    855

    Re: VPN Problem 10% of User

    I disagree. ;)

    [Expert@MyFW01:0]# uptime
    12:47:59 up 972 days, 6:38, 1 user, load average: 0.00, 0.01, 0.00

    That's the active member of one of my clusters (name changed, of course). It's...
  92. Replies
    1
    Views
    812

    Re: iOS LT2P + dhcp based office mode

    I've used it personally. I was one of the first people in the Dallas TAC with an iPhone. Tried L2TP-over-IPSec with an Edge, found a bug, helped isolate and fix it. That was actually pretty fun. I...
  93. Replies
    18
    Views
    3,071

    Re: R80.20.M1 Management Release

    Ah! Thus the 'tellpm' commands in the script to manually update the installer agent. Good to know.
  94. Re: Set default shell for Radius users according to Radius attribute

    The way I would do this is to define local user accounts for the users who need BASH, then leave the default RADIUS shell as clish. For example, here is how my user is set up:

    add user zimmie...
  95. Replies
    18
    Views
    3,071

    Re: R80.20.M1 Management Release

    Hopefully these new tools don't include the tire-fire that is systemd.
  96. Replies
    18
    Views
    3,071

    Re: R80.20.M1 Management Release

    I see now in the New Release Methodology section, "When the next Major release is available (such as R80.20), you can upgrade to it from the Management Feature Release." That is good to know.

    So...
  97. Replies
    18
    Views
    3,071

    Re: R80.20.M1 Management Release

    Is this one expected to be upgradable to future versions like a normal release? The letters and the longer-than-normal version number make me nervous after R55P, R60A, R65.2.100, and others.
  98. Re: In the logs once the traffic accepted and then detected

    Address spoofing drops are always caused by either misconfiguration of your antispoofing topology or routing problems. It sounds like the gateway your firewall sends this packet to is sending it...
  99. Re: In the logs once the traffic accepted and then detected

    Generally, traffic is processed by the firewall rules first, then by threat prevention (IPS, antivirus, and so on). These can generate separate logs. The firewall actions include accept, drop, and...
  100. Replies
    21
    Views
    21,895

    Sticky: Re: Check Point 1400 Appliance - FAQ

    What are you trying to accomplish? As far as I am aware, Check Point does not use the serial number for anything. They use the MAC address of one of the interfaces for unit identification for...
Results 1 to 100 of 309