CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.



 


Type: Posts; User: david


  1. Thread: cpconfig problem

    by david
    Replies
    2
    Views
    1,619

    Re: cpconfig problem

    In 4.1 there was a way to remove a file, so that you could run cpconfig from scratch (product.conf i think).

    I don't think you can do that in later versions, so you will have to re-install the...
  2. Replies
    3
    Views
    1,818

    Re: General Versions question.

    Looks like R55 is supported until June 2008.

    Check Point Software: Check Point Products and Enterprise Support Periods
  3. Thread: R55 HFA.

    by david
    Replies
    2
    Views
    1,554

    Re: R55 HFA.

    R55 on 3.8 is a different version, R55P.
    I'd hold off installing HFA 20 anyway, looks like Nokia has discovered an issue with installing this on IPSO & are advising customers not to install for now.
  4. Replies
    2
    Views
    1,349

    Re: Total connections

    "fw tab -s -t connections" will give you the current number of connections
  5. Thread: Passed

    by david
    Replies
    2
    Views
    2,729

    Re: Passed

    I have about 2 years hands-on experience with P1.
    As for reading, I read the Checkpoint Provider-1_SiteManager-1 PDF.

    Also, built a VMWare lab with a couple of PC's to practice.

    Good luck!
  6. Replies
    3
    Views
    1,774

    Re: Running HFA on IPSO

    I usually transfer the file with SCP.
    (Putty's pscp.exe is a good option if you are running windows)
    As long as you have SSH access to the box, this should work.

    e.g.

    scp file.tgz...
  7. Replies
    9
    Views
    3,345

    Re: All of a sudden, cannot logon to Policy editor.

    Is the computer you are trying to access the Dashboard from defined as a GUI client?

    can you telnet to port 18190 of the management server?
  8. Re: How to gain acces to a IP260 when you have absoloutely no info

    Here's how to reset the admin password.

    http://www.cpug.org/forums/nokia-ipso/314-password-recovery-nokia-ip.html
  9. Replies
    12
    Views
    3,423

    Re: Management HA: can't synch

    Is it a HA license?
    I had a similar problem a couple of years ago with NG FP3 & it turned out that the smart center license wasn't enabled for HA.
  10. Replies
    6
    Views
    1,675

    Re: Tuning the automatic updates (AV in R65).

    The R65 wrapper for IPSO is available for download now.
  11. Thread: Passed

    by david
    Replies
    2
    Views
    2,729

    Passed

    Passed today, 84% :)

    I had pretty much the same experience as tangerine0072000 & gahsan .

    Had to laugh at one of the questions though.
    Was a network diagram, & you have to identify if it's a...
  12. Thread: Failed to Fork

    by david
    Replies
    2
    Views
    1,868

    Re: Failed to Fork

    what version of fw are you running?
  13. Replies
    4
    Views
    1,441

    Re: PANIC: ip_flow_egress_mask is not mcast dist

    i don't think if r55 ngai is supported on ipso 4.2, only NGX.

    you can run r55p for ipso 3.8, on ipso 4.01 & 4.1,
    will need to contact nokia though, & agree to a selective availability...
  14. Re: Please suggest the Material for preparing to take CCSE+ Exam.

    I haven't taken the CCSE+ myself, but I think the 'advanced technical reference guide' is a good resource for this exam.
    I took the MgtIII course at NGAI level, & the ARTG has a lot of the same...
  15. Replies
    1
    Views
    1,863

    Re: FTP gets Rejected.

    take a look at sk26049
    i had the same problem & this resolved it for me.

    good luck!
  16. Re: how long it will take to get certification kit from Check Point after exam?

    If memory serves me right, it took exactly 2 weeks for my certifications to appear in my user center account. I got the certificate around 3 months after the exam.
  17. Replies
    8
    Views
    3,371

    Re: how to export policies, NAT, VPN etc

    if you want your rules/objects etc in a spreadsheet format, a good option would be the odumper utility.

    ChatScope.com
  18. Replies
    2
    Views
    2,635

    Re: What will this exam get me (156.915.1)

    Hi,

    this exam is if you already have CCSE NG with AI (previous version to NGX).
    you can take this exam, rather than have to start from scratch.

    If you do not already have this you will need to...
  19. Replies
    3
    Views
    2,359

    Re: NGX memory requirements.

    hi, here's a link to the supported platforms & requirements for r62

    Check Point Software: NGX Upgrade Center - Supported Platforms and Requirements
  20. Replies
    3
    Views
    2,043

    Re: Radius configuration help

    the "Checkpoint_NGX_Firewall_SmartDefense_User_Guide.pdf" has a good section about configuring Radius.
  21. Thread: State table

    by david
    Replies
    2
    Views
    1,655

    Re: State table

    fw tab -s -t connections

    this will give you a summary of the connections table
  22. Replies
    3
    Views
    2,043

    Re: Export the Ruleset

    you can also use odumper to export the rulebase to a .csv file.
  23. Replies
    3
    Views
    1,759

    Re: NGX R61 Nokia Cluster / Antispoofing problem

    may be a daft question, but are you pushing policy after updating the anti-spoofing configuration?
  24. Re: Include several network groups into a group via DBEDIT

    have you seen ofiller/odumper?

    http://www.chatscope.com/
  25. Replies
    3
    Views
    1,566

    Re: user account on IPSO 4.1 BUILD19

    yes it is possible.
    take a look at role based administration
  26. Replies
    2
    Views
    1,886

    Re: 2 WAY NAT VS BI-DIRECTIONAL NAT

    bi-directional nat allows a packet to match more than 1 nat rule.
    whereas normally once a packet matches a nat rule, the fw does not process any more nat rules.

    this only applies for automatic...
  27. Replies
    2
    Views
    1,520

    Re: CLI - Creating New Database Revisions

    this works on R65

    dbver -s server -u user -w password -m 'create test test'
  28. Replies
    2
    Views
    16,235

    Re: Track by NAT Rule Number

    you will need to enable 'NAT rule number' from the view, query properties menu to be able to see this.
  29. Replies
    1
    Views
    1,536

    Re: NAT for public access

    may be easier use automatic nat instead?

    create an object with the internal address of your mail server, then on the nat tab select automatic & enter the public ip.

    if you want to use manual...
  30. Re: Performing database revision control via a script

    this works on R65, i don't have access to a R60 box to test.

    dbver -s server -u user -w password -m 'create test test'
  31. Replies
    7
    Views
    2,911

    Re: Static NAT to SMTP server

    what do you see in the fw logs? (make sure that under query properties you have xlatesrc/xlatedst enabled.)
  32. Replies
    7
    Views
    2,911

    Re: Static NAT to SMTP server

    when you setup the static NAT rule do you have one for outbound?

    i.e.

    Original Source: private IP of SMTP server
    Original Destination: any
    Original Service: SMTP
    Translated Source: = public...
  33. Replies
    2
    Views
    1,748

    Re: Checkpoint to noneCheckpoint Config needed

    have you seen this?

    http://updates.checkpoint.com/fileserver/ID/5868/FILE/IPsecInteroperability.pdf
  34. Replies
    1
    Views
    2,278

    Re: add new users from command line

    with NGX, you have to add additional admins via the dashboard.

    you can only add one user via cpconfig.
  35. Replies
    4
    Views
    4,150

    Re: Check Point Unveils NGX (R65)

    hmm, yeah i don't see an option to download for IPSO either.
  36. Replies
    2
    Views
    1,224

    Re: Emergency power down of Nokias

    i wouldn't recommend just flipping the switch.
    take a look at 'role based administration' in voyager.
    there is a 'reboot or shutdown system' role you could create & assign to a user account.
  37. Replies
    12
    Views
    5,897

    Re: Clarify a few CCSE Plus test questions.

    yes it is, search securekb for sk31221
  38. Thread: NSA exam

    by david
    Replies
    3
    Views
    3,438

    Re: NSA exam

    great, thanks.
  39. Thread: NSA exam

    by david
    Replies
    3
    Views
    3,438

    NSA exam

    how does one actually register to take this exam?

    I cannot see it available as an option on VUE, & can't find anything on the Nokia site.

    Thanks!
  40. Re: VPN against PIX: only incomming traffic works correctly

    check the interoperable device you have for the pix.
    does it have 'support key exchange for subnets' unchecked?

    see sk31803 for more info.
  41. Re: How to configure an interface with ip and netmask on ipso

    have you added the new ip address to the firewalls topology & pushed policy?
  42. Re: How to configure an interface with ip and netmask on ipso

    here's how to do it via clish,

    clish
    set interface eth3 speed 100M duplex full
    set interface eth3c0 enable
    add interface eth3c0 address 1.2.3.4/24
    save config
  43. Replies
    2
    Views
    2,011

    Re: Tarball Error - Ip390 with Ipso 4.1 Build 22

    you can run R55 on 4.1, you have to download 'R55P for Ipso 3.8'
    contact Nokia, as i think you have to complete a selective availability agreement, otherwise it's not supported.
  44. Replies
    4
    Views
    9,518

    Re: Default Root Password on Nokia 560

    as far as i know there isn't one, as you supply one during the initial config.
    if you don't know the password, there is a way you can reset it if you have physical console access
  45. Replies
    2
    Views
    2,158

    Re: Getting list of object

    you might be able to use odumper to get what you need,

    http://www.chatscope.com/
  46. Replies
    14
    Views
    5,938

    Re: When did you receive your actual certificate?

    received mine around 8 weeks after the exam, so I wouldn't worry yet.
  47. Replies
    2
    Views
    1,580

    Re: IP 390 and management

    when you run cpconfig, are you selecting 'smartcenter' on the product selection screen?
  48. Replies
    2
    Views
    1,356

    Re: Delete newer IPSO in order to go back

    have you tried doing a fresh install from bootmgr?
  49. Thread: ccsa help needed

    by david
    Replies
    2
    Views
    1,769

    Re: ccsa help needed

    the certs get added to your user center account 2 weeks after passing the exam
  50. Replies
    14
    Views
    4,368

    Re: VRRP Issue two masters

    try

    fw monitor -e 'accept dst=224.0.0.18;'
  51. Replies
    14
    Views
    4,368

    Re: VRRP Issue two masters

    hmm, what about the topology on the checkpoint object?
    does that have all the correct ip/mask information on the cluster object, & each individual member.

    had a similar issue in the past, & was...
  52. Replies
    14
    Views
    4,368

    Re: VRRP Issue two masters

    are you using legacy vrrp?
    double-check the priority settings on the interface you are having the issue with, do they match the other interfaces on your firewalls?
  53. Replies
    3
    Views
    2,364

    Re: Diffrence between 156-215 & 156-215.1

    i don't think you can take 156-215 any more.
    156-215.1 is the current CCSA NGX exam.

    read through the pdf's from here.

    http://www.checkpoint.com/support/technical/documents/docs_r62.html
    ...
  54. Replies
    1
    Views
    1,331

    Re: Rules on Dashboard for VPN

    you could create a rule that looks like this
    to add the allusers@any you will need to select 'add users access'

    source destination vpn ...
  55. Replies
    8
    Views
    2,798

    Re: Local LAN access?

    are you using secure client?
    there is a setting on the client somewhere under connections called hub mode.
    i think that if this is enabled all traffic is sent to the vpn gateway.
  56. Replies
    1
    Views
    1,767

    Re: Session Authentication Agent

    it's on CD2 under \windows\cpsessionagt-50
  57. Replies
    14
    Views
    3,416

    Re: IP530 image age ?

    Hi Joe,
    what i meant was, when you launch smart dashboard, where you enter your login details, it says 'smart center server', is this name/ip the name/ip of your nokia box?
  58. Replies
    14
    Views
    3,416

    Re: IP530 image age ?

    sounds like you are running the management module on the firewall as well.
    is the IP/name of the server that you connect with smartdashboard, the same as the IP530?

    all of the firewall...
  59. Replies
    14
    Views
    3,416

    Re: IP530 image age ?

    this should get you what you need,

    https://support.nokia.com/home/static/productsSupported.htm
  60. Replies
    7
    Views
    2,264

    Re: Question on the 156.215.1 exam

    hi,

    on the exam there are 73 questions total.
    3 of these do not count towards your total score, so no matter if you get these right or wrong, they are not scored.
  61. Replies
    1
    Views
    1,417

    Re: VRRP Firewall Failover Proving Schedule

    are you also using state sync?

    i guess you could telnet to a host behind the firewall, failover to the standby firewall, then make sure the connection is still established?
  62. Replies
    7
    Views
    2,264

    Re: Question on the 156.215.1 exam

    the exam is 73 questions, 3 of which are not marked.
    you have to get over 70% to pass.
  63. Replies
    5
    Views
    2,277

    Re: NGX R61 VPN mistery... (help!)

    on your new setup, on your remote access community, do you have it setup with the new firewall?
  64. Replies
    11
    Views
    3,280

    Re: IP address of ClusterXL outgoing traffic

    what do you have set on the NAT tab of the cluster?
  65. Replies
    11
    Views
    3,280

    Re: IP address of ClusterXL outgoing traffic

    sorry mate, didn't see that in your previous post, i should have read it properly =)
  66. Replies
    11
    Views
    3,280

    Re: IP address of ClusterXL outgoing traffic

    you will have to add 2 rules with clustermemberA in one, then clustermemberB in the other.
  67. Replies
    3
    Views
    2,848

    Re: rule uid in log of CheckPoint

    yeah, this was a new feature in r60 for sure.
  68. Thread: Passed 156-315.1

    by david
    Replies
    9
    Views
    4,446

    Re: Passed 156-315.1

    I passed today, 82% :-)
    Also got 0% on the admin utilities, been racking my brain & can't figure out what the questions in this section were. oh well.
  69. Replies
    7
    Views
    2,512

    Re: Passed Exam Today=)

    The Firewall/Smartdefense one contains a lot of information that was on the exam. NAT & Smartdefense in particular.

    Also had several questions from the Smartcenter pdf, has a lot of good info...
  70. Replies
    7
    Views
    2,512

    Re: Passed Exam Today=)

    here you go, will need a user center account to download,

    http://www.checkpoint.com/support/technical/documents/docs_r61.html

    also, the docs for R62 are out now, so probably worth using them
    ...
  71. Replies
    10
    Views
    3,788

    Re: Passed CCSA NGX with 84%

    i thought the way they worded the NAT questions was the hardest part, once i got my head around that the questions weren't too bad.

    if you have read & understand chapter 3 of the...
  72. Replies
    4
    Views
    2,116

    Re: Proxy Arp issue!!!

    Hi Lee,

    yes you should use the VRRP mac for the arp. that way only one of the firewalls will arp for that ip as only the VRRP master will have the virtual mac assigned to one of its...
  73. Replies
    4
    Views
    2,116

    Re: Proxy Arp issue!!!

    do you already have a proxy arp setup? if so what mac is it using?

    if you don't have a static route on the outside of your firewall which points 1.1.1.10 to the VRRP IP of the firewall, I would...
  74. Replies
    2
    Views
    2,299

    Re: Logon to AD via Secure Client

    the only way i know to do this is to enable 'secure domain login' within secure client
  75. Replies
    1
    Views
    2,375

    search service properties

    be nice to have the option to search properties of services (like you can with network objects by clicking 'more') within the dashboard.

    e.g, port number, protocol etc.

    i know you can grep the...
  76. Replies
    5
    Views
    2,553

    Re: No logs appearing in SmartView Tracker!

    nah, i mean creating a new log file.

    can do it two ways,
    via smart tracker, select 'file' 'switch active file'

    or from the cli, 'fw logswitch'

    this will write the current log to a file...
  77. Replies
    5
    Views
    2,553

    Re: No logs appearing in SmartView Tracker!

    have you tried doing a manual log switch?
  78. Replies
    4
    Views
    1,516

    Re: Installed policy is incorrect - problem

    you could look in smart tracker audit mode.
    look for the last policy installation event, then see if there are any entries afterwards, showing people making changes
  79. Replies
    3
    Views
    2,583

    Re: need help for VRRP issue

    i haven't had to do this for a while, so i'm a bit fuzzy on this.
    i think that within the legacy vrrp configuration, you have to set the mode to be off on each interface, then apply the config.
    you...
  80. Replies
    4
    Views
    1,516

    Re: Installed policy is incorrect - problem

    run 'fw stat' from the command line of the nokia box, this will print the policy name & also the date/time of installation
  81. Replies
    3
    Views
    2,583

    Re: need help for VRRP issue

    if you want to switch from full mode to simple mode, you will have to delete the VRID for each interface & recreate them in simple mode.
    in simple mode you only have to specify the VRID, priority,...
  82. Thread: VPN DNS servers

    by david
    Replies
    3
    Views
    1,530

    Re: VPN DNS servers

    is this a remote access vpn, & are you using office mode?

    if so create a new object to represent the additional DNS server.
    then edit the firewalls properties & go to 'remote access' then 'office...
  83. Replies
    2
    Views
    4,824

    Re: Did This Certification Just Get Renamed?

    just looked at an old e-mail from CP.
    definitely was Check Point Certified Master Security Architect (CPMSA) previously.
  84. Replies
    3
    Views
    2,126

    Re: How to kill IPSEC tunnel using fw sam?

    can you not use the vpn tu utility?

    run this & choose "Delete all IPsec+IKE SAs for a given peer"
  85. Replies
    9
    Views
    2,642

    Re: Can't Telnet to IP390

    if you run a tcpdump on the nokia, do you see the packets coming from your telnet client?
  86. Replies
    7
    Views
    1,516

    Re: Import a Windows rulebase to a Nokia ?

    is this a distributed setup?
    if so you can just build the nokia with the same IP topology as the windows box, change the firewall object to reflect the new interfaces/OS etc, reset sic & push policy
  87. Replies
    9
    Views
    2,642

    Re: Can't Telnet to IP390

    so if SSH is successful, can you not use that instead, it is more secure after all.
  88. Replies
    9
    Views
    2,642

    Re: Can't Telnet to IP390

    yes, you need to run this from the command line of the firewall.
    can you access via SSH? this will be enabled by default, & assuming you have a rule to allow access to the firewall on port 22 in...
  89. Replies
    9
    Views
    2,642

    Re: Can't Telnet to IP390

    if you run this command on the firewall,

    netstat -an | grep 23

    do you see the firewall's ip listening on this port?
  90. Replies
    9
    Views
    2,642

    Re: Can't Telnet to IP390

    do you see the connection being accepted in the fw logs?

    also why are you using telnet & not ssh?
  91. Replies
    7
    Views
    1,821

    Re: suggestion for buying nokia appliance

    hi,

    if you are planning on running NGX, you will need to have at least v3.9 of IPSO.

    if you purchase a support/maintenance agreement with your hardware, you can just download the latest images...
  92. Replies
    7
    Views
    1,821

    Re: suggestion for buying nokia appliance

    these devices will no longer be sold after november this year, however they will be supported until 2011.

    4.1 is supported on both the 350 & 390.
  93. Thread: Nokia IP390

    by david
    Replies
    3
    Views
    2,572

    Re: Nokia IP390

    i setup some 390's recently, & they had 4.1 pre-installed.
    also had R60 package on them, just needed to activate it.

    just curious, if this is a single module how are you going to use vrrp?
  94. Replies
    5
    Views
    3,860

    Re: Packet capture in Firewall Logs?

    fw monitor is a command line utility.
    are you wanting to open a capture file to view in smartracker? this is not possible.

    you can use tcpdump & redirect the output to a file, then open with a...
  95. Replies
    40
    Views
    17,449

    Re: Check Point Master Security Architect

    wow, an 8-hour practical exam too!
    very interesting, like northland boy says surprised you need all the other certs first.
    i'm working on my ccse at the moment, so will be a while before i even...
  96. Replies
    2
    Views
    3,052

    Re: CCSE NGX courseware...

    there is also a state sync sample chapter
  97. Replies
    5
    Views
    16,280

    Re: Configuring static routes using Nokia CLI

    also make sure you do 'clish -s' otherwise the config will not be saved, & will be lost after a re-boot.
  98. Replies
    3
    Views
    12,938

    Re: encryption failure: no response from peer

    the "no valid sa" error is usually caused when the encryption domains do not match on the peers.

    have you verified they are ok?
  99. Replies
    83
    Views
    37,784

    Re: Don't make the mistake I made with CCSA NGX

    you won't have this option if this is a stand-alone install.
    only appears in a distributed install.
  100. Replies
    27
    Views
    10,084

    Re: Testking Wrong answers. Identify here!!

    hmm, that's a strange question. i believe A & B are both correct.
Results 1 to 100 of 142