CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.


Type: Posts; User: plamy

Page 1 of 4


  1. Replies
    9
    Views
    6,487

    Re: ip565 swi1: net_taskq0 using 99%cpu

    You don't need a license to run SXL on IPSO -> turn it on!!!
  2. Replies
    9
    Views
    6,487

    Re: ip565 swi1: net_taskq0 using 99%cpu

    Wow, everything you guys have been told about how to fix it, or what causes it, is a load of sh*t.

    The CPU is busy processing interrupts with its interrupt handler, net_taskq. This is because...
  3. Re: This new forum on Check Point Technical Support

    Israeli humor ;-)
  4. Re: Beginning with version 3.8 IPSO supports PPPoE connections

    You'll need to file an RFE with a business case. To be honest you would have better luck requesting it to be supported in Gaia. I doubt they would import a new ppp to support IPv6 in IPSO 6.2
  5. Replies
    3
    Views
    2,256

    Re: Backing up IPSO flash based system?

    The /config/db/initial is sufficient for most purposes.
  6. Re: How to not overwrite fwkern.conf during upgrade to R75

    I sent myself a note to update the SK Monday.
  7. Replies
    13
    Views
    3,540

    Re: OpenSSH vulnerability in SPLAT

    To be sure you'll need to open a case. You can check the version while you're on the box:

    ipso-vm-lab1[admin]# uname -a
    IPSO ipso-vm-lab1 6.2-GA045 releng 1 09.08.2010-045452 i386...
  8. Thread: Sharing cpinfo

    by plamy
    Replies
    25
    Views
    8,175

    Re: Sharing cpinfo

    That's not what I said. In fact you're seriously wrong.

    I didn't say this either. It's not true.

    Did I say that? And also not true. When I say "I admit", that's me admitting...
  9. Thread: Sharing cpinfo

    by plamy
    Replies
    25
    Views
    8,175

    Re: Sharing cpinfo

    Because the restaurant is Check Point, and the TAC engineer is the waitress. How many "bad waitress reviews" do you see in newspapers?
  10. Thread: Sharing cpinfo

    by plamy
    Replies
    25
    Views
    8,175

    Re: Sharing cpinfo

    There's a big difference between keeping a list of people you don't like, and publishing a list like that and stating flat out that they are incompetent. Personally there are a lot of changes that I...
  11. Thread: Sharing cpinfo

    by plamy
    Replies
    25
    Views
    8,175

    Re: Sharing cpinfo

    Go ahead with that harebrained scheme. I am sure you will get sued and be out of business almost immediately. This is one of your most stupid comments that you have indeed posted over and over....
  12. Thread: Sharing cpinfo

    by plamy
    Replies
    25
    Views
    8,175

    Re: Sharing cpinfo

    I made a comment that I think went over your head (I was being sarcastic).

    Also I think you are probably not dealing with the right Diamond engineer for your needs and you should request a new one...
  13. Replies
    3
    Views
    2,756

    Re: BGP design question on VRRP Firewalls

    No idea. Also I am not really clear on the question :)
  14. Replies
    3
    Views
    3,134

    Re: Scripting the config in IPSO/CLISH

    You can hire Professional Services for a few days to help you with this.
  15. Thread: Sharing cpinfo

    by plamy
    Replies
    25
    Views
    8,175

    Re: Sharing cpinfo

    We get cpinfo's from Banks, Financial Services customers all the time. Are your data protection requirements much heavier than this? If so, purchase 100's of days of Professional Services to...
  16. Re: IP Series or Open Server for high bandwidth demands?

    It depends on too many things, you were not specific enough with your requirements and expected traffic. Talk to Sales or a Check Point partner.
  17. Replies
    8
    Views
    4,645

    Re: Does this Pstat look ok to you

    The number you set in the Capacity Optimization tab allocates memory for the firewall to use. It only (in the kernel-space) uses memory that you allocate here. You should always set it to the maximum...
  18. Replies
    3
    Views
    2,756

    Re: BGP design question on VRRP Firewalls

    VRRP + dynamic routing protocols is not stateful. With IP Clustering, it is.
    With both VRRP and IP Clustering, it is highly recommended to use the virtual address option to terminate BGP (and...
  19. Replies
    1
    Views
    2,247

    Re: Tcpdump traffic loss on IP390/IP290

    I believe this is resolved in IPSO 4.2 b 111 (PR85157, CR00256143, CR00507690)
  20. Re: v6 installed on R71.10 splat cant ping virtual int

    I believe that with the IPv6 pack for R70, most clustering functions are supported. You can download the release notes and admin guide off of the support site.
  21. Re: v6 installed on R71.10 splat cant ping virtual int

    This is a product limitation. It may even be present in the IPv6 pack (can't remember).
  22. Replies
    7
    Views
    2,229

    Re: Upgrading flash based IP390

    The disk layout changed between 4.2 and 6.2. It could be related to that.

    Also, when you do the second dd are you starting at block 0 or 63? Did you write zeros to the disk before you started,...
  23. Replies
    5
    Views
    3,332

    Re: UDP Stateful Inspection in R71

    Because the difference between a state table lookup and a rulebase lookup is significant in terms of CPU time.
  24. Re: ip2255 cluster active member freezes on policy install

    Try fw ctl pstat and look for alloc failures.
  25. Replies
    15
    Views
    8,204

    Re: State of ipv6 in Check Point products

    I ran with R65 IPv6pack on IPSO 4.2 for about 6 months. For basic filtering and logging it was fine, though had the same limitations you mentioned. R70.1 HCC + IPv6 pack is the same thing, but with a...
  26. Replies
    3
    Views
    2,875

    Re: ospf default route advertisement in ip295

    Go to the Route Redistribution page and follow the links as appropriate (static to OSPF).
  27. Re: ip2255 cluster active member freezes on policy install

    Run a script on the console to check memory while you push policy. You're probably running out.
  28. Replies
    11
    Views
    3,716

    Re: ip2450 restarting throwing page fault errors.

    If it's coring out like you said, someone should have done a core trace. If they found a matching issue, it should be easy for the TAC engineer to say it's fixed in XX version, or, here is a hotfix....
  29. Replies
    11
    Views
    3,716

    Re: ip2450 restarting throwing page fault errors.

    Hard to say without a core file, but it could possibly be a chassis problem. If it never completes boot, you would need a chassis RMA at a minimum. If it does finish boot, check for a core file in...
  30. Replies
    11
    Views
    4,129

    Re: Active Connections

    In the IPSO Voyager Release notes, the max supported number is stated. I don't know if there is a public best practices document that states to set it to max, or the numbers of every platform.
  31. Replies
    4
    Views
    1,028

    Re: how "secure" is secure?

    Depends on the attacker. If it's a person, I don't think anything less than years. For a national entity (NSA and equivalents), assume they can decrypt it before you do.

    It's not just about...
  32. Re: Looking for UTM-1 & Power-1 CPU (cores, speed) information

    The conclusion is that you should use a professional methodology. There are a couple RFCs that outline how to do performance testing, such as RFC2544 and RFC3511.

    RFC2544 - Benchmarking...
  33. Thread: VPN and SecureXL

    by plamy
    Replies
    5
    Views
    1,839

    Re: VPN and SecureXL

    Latest IPSO has fixes related to these types of problems. Both 4.2 and 6.2.
  34. Thread: no valid sa

    by plamy
    Replies
    10
    Views
    5,589

    Re: no valid sa

    The "No valid SA" error message is not very descriptive; it's a horrible message :)

    In this case I would check first the clocks. I doubt that it's to do with the encryption domain, since the tunnel does...
  35. Re: Looking for UTM-1 & Power-1 CPU (cores, speed) information

    Bozo filter added.
  36. Re: Looking for UTM-1 & Power-1 CPU (cores, speed) information

    It's serlud, don't ask questions you already know the answer to.
  37. Thread: GUI improvements

    by plamy
    Replies
    6
    Views
    2,690

    Re: GUI improvements

    Submit RFEs through Sales with a business case. Support won't be able to help.
  38. Replies
    2
    Views
    1,233

    Re: Upgrade IP 530 Version Software.

    For someone in a lab, an IP530 w/ 512mb RAM and IPSO 4.2 + R65 will run fine, and will be a good first platform.
  39. Replies
    11
    Views
    4,066

    Re: Nokia IP380 performance...

    Or gather a tcpdump and look at the stats in Wireshark.
  40. Replies
    5
    Views
    2,227

    Re: Next business day?

    There are basically only 2 service levels: NBD and 4 hour onsite. There is no "6 hour" plan.

    The onsite boxes are stored within a certain radius of the customer, and an engineer will drive out to...
  41. Re: Problem to explain which daemon is taking the CPU

    Too much traffic as seen in net_taskq. You will need to upgrade the HW.
  42. Replies
    10
    Views
    2,626

    Re: Hardware Upgrade Options

    If you decide to get an Open Server, make sure to spec it well for the workload. The NIC cards (manufacturer and bus speed), and the memory (DDR3 is best) are the most critical after CPU.
  43. Re: Random failover event from one GW in Act/Stby pair

    Do you guys go to CPX? It's an opportunity to get face time with the support management team. They listen to complaints and work to address them. Same thing with escalations via Sales or manager...
  44. Replies
    9
    Views
    2,743

    Re: Installing R65 HFA50 on Nokia IPSO 4.2 -- Help

    Agree with last post. Personally I would blow away the R60 and clean install R65 + HFA70. Takes about as much time and you'll be rid of any old junk.
  45. Re: Installation failed. Reason: Load on Module failed

    It's unfortunately a very generic message with a lot of possible solutions. Hopefully the debug you generated will provide the specific cause in your case.
  46. Re: Random failover event from one GW in Act/Stby pair

    They are all valid complaints and you should raise this. If you want to send me the SR# I can email the TAC director of the engineer in question.

    Also I did not think you were mixing systems :)
  47. Replies
    5
    Views
    1,550

    Re: New rule installed but traffic dropping

    I agree with Northlandboy, you messed up the rule. Ping working has nothing to do with a different service being allowed/denied. Check the service, and compare the entire rule against a tcpdump or...
  48. Re: Local Interface Address Spoofing after swapping external address

    If reboot doesn't fix it, try clearing the state directories (documented in SK)
  49. Re: Management High Availability in Dashboard greyed out

    First step should be to check the license. Then check the SK system, and then open a case.
  50. Re: What's with this "log unification failure" problem in R70?

    You should really open a case for this.
  51. Re: Random failover event from one GW in Act/Stby pair

    If you want to get your case actioned as quickly as possible, follow these steps:

    * Don't wait for us to ask for files. Provide a cpinfo and a CST, debug messages, log files, screenshots etc right...
  52. Re: Random failover event from one GW in Act/Stby pair

    So let me paraphrase the last guy:

    Do nothing. Call TAC and claim it's a bug. Wave your arms around and pray to the sun gods that it fixes the problem.

    Or you can try my suggestion, which won't...
  53. Replies
    1
    Views
    1,218

    Re: Basic Question on Operating System

    None since in a few months Gaia will supercede both.
  54. Replies
    10
    Views
    2,626

    Re: Hardware Upgrade Options

    If you use IPSO today and like it, you can still get units - the 2 units you mentioned are fine. The 290 disk-based is a good box. I am not a fan of any of the UTM boxes below UTM-5070 and consider...
  55. Replies
    7
    Views
    7,529

    Re: Packet Flow Through the INSPECT Engine

    Here is the proper abbreviated sequence:

    NIC hardware
    -The network card receives electrical signalling from the link partner.

    NIC driver
    -Sanity checks
    -The NIC hardware decodes the signal...
  56. Replies
    8
    Views
    2,451

    Re: R65 Management server upgrade to R71 on VMWARE

    You're talking about an oversubscribed ESX host, not a CP limitation.
  57. Re: Random failover event from one GW in Act/Stby pair

    If it's possible, try using another layer 2 switch, and move from a crossover cable to a layer-2 segregated network segment for sync. Make sure it's a gig port also. Finally, make sure to use recent...
  58. Replies
    1
    Views
    1,314

    Re: Training Centers and Seminars

    CISSP is more of a paper cert. If you're new to security it's not bad. If you're highly technical and/or you're doing this to expand your own knowledge, SANS certs and training are well regarded.
    ...
  59. Re: SFTP the backup file from IPSO - PCI requirement

    I am sure someone would be able to help out in the Scripts forum.
  60. Re: IPv6 addresses assigned, but how did it happen?

    Since it's an enforcement point, you can rebuild the box easily enough.

    But why bother since it's not passing v6?
  61. Replies
    11
    Views
    4,129

    Re: Active Connections

    Also don't use the Active Connections tab in SmartView Tracker unless you really want to start dropping traffic. In the enforcement point object properties in SmartDashboard, always set the max...
  62. Replies
    8
    Views
    2,451

    Re: R65 Management server upgrade to R71 on VMWARE

    Unless you have a really massive rulebase, 2gb is sufficient, and 1gb is a minimum.

    Remember that unused host memory in vmware is available to other VMs. Assigning a lot doesn't necessarily mean...
  63. Replies
    5
    Views
    3,332

    Re: UDP Stateful Inspection in R71

    I asked the code owners. Here is the reply:

    "There is no such thing UDP out of state, since UDP is stateless.

    The Checkbox was never actually doing anything, and thus removed from the GUI."
  64. Replies
    3
    Views
    6,687

    Re: Checkpoint sflow or netflow

    Talk to your CP sales person and request to have it included in Gaia. It is probably already scheduled to be included, but it can't hurt to request it.
  65. Replies
    6
    Views
    2,331

    Re: high CPU on the standby firewall

    It was ported to Gaia very early on, and it's about fully integrated right now afaik. The devs had already done a port to IPSO-LX, so all the pieces were already in place to do this.
  66. Replies
    13
    Views
    4,925

    Re: Check Point Best Practices and Performance book

    My job has changed, I never received a blessing from CP from a legal perspective, and my personal life is quite busy. It has not gotten very much time worked on, in about 6 months.
  67. Thread: Good to be here

    by plamy
    Replies
    13
    Views
    3,426

    Re: Good to be here

    Most of the debug information from Man3 is still valid. Just because you can't get a cert in it doesn't mean much. I am sure they will come out with something new at some point.
  68. Replies
    5
    Views
    5,125

    Re: Useful tool indeed. Is it Possible?

    Your sense make question no.
  69. Thread: Good to be here

    by plamy
    Replies
    13
    Views
    3,426

    Re: Good to be here

    The best way to learn is to do lab work. Build clusters, VPN, remote access etc.

    The best of the courses is the Management III, aka CCSE+. I found it to be the only worthwhile book, the other...
  70. Re: What affects performance? (CPU, Disk Speed, Memory, etc)

    Splat is not currently 64 bit, so no. But there is a project to make a 64 bit Splat, I am guessing that it should be out late this year (don't know for sure). Once that is available you will be able...
  71. Replies
    26
    Views
    9,155

    Re: IPSO 6 Cluster in forwarding mode problems

    Either you installed it wrong, or they gave you the wrong patch. In either case you need to go back to the TAC engineer and find out.
  72. Replies
    16
    Views
    6,009

    Re: Damaged Boot manager

    There are 2 parts to boot: the boot from the MBR, and the boot0. Simply copying the IPSO bootmanager image won't copy the relevant bootblocks.

    dd if=another_working_flash_card of=backup
    dd...
  73. Replies
    26
    Views
    9,155

    Re: IPSO 6 Cluster in forwarding mode problems

    Why do you think that problem is related to IPSO and not the firewall?

    Update SmartDefense, and if the problem persists open a case with TAC. I am sure we have seen this before.
  74. Replies
    3
    Views
    1,500

    Re: BIOS 2.14.10 working with IPSO 4.2 ?

    The level of the BIOS will not prevent IPSO 4 from booting up.
  75. Replies
    13
    Views
    3,417

    Re: Nokia IP440 Boot Disk

    It's possible I'm wrong. Send me nudie pics of your IP260. :)
  76. Replies
    9
    Views
    2,657

    Re: VPN accelerator card

    You mean Floodgate + CoreXL?

    Not that many people use QoS at all, and it really kills the performance of the box to go slowpath.

    I don't know what the plans are for this but I imagine that it...
  77. Replies
    13
    Views
    3,417

    Re: Nokia IP440 Boot Disk

    You must be thinking of the IP290, which does use the front panel screws to slide out the mobo assembly.
  78. Replies
    13
    Views
    3,417

    Re: Nokia IP440 Boot Disk

    There are 15 screws - I counted. The 2 front panel "screws" just lock the top chassis plate to the bottom (http://www.userid.org/cpug/2.jpg). You can see in this picture...
  79. Replies
    13
    Views
    3,417

    Re: Nokia IP440 Boot Disk

    On the IP260 and 265 there should be a standard CF flash card that the boot manager sits on. It's not supported to crack open one of those units to repair it, and you have to take out around 15...
  80. Replies
    7
    Views
    3,255

    Re: Test Lab in VMware

    Why would you use Vyatta instead of any BSD or Linux to do straight routing?
  81. Replies
    9
    Views
    2,657

    Re: VPN accelerator card

    I was going to say the same thing. You need to get a pretty kick ass card nowadays to beat multicore systems. You need a really specific requirement to get some benefit from it. Low end boxes still...
  82. Replies
    8
    Views
    2,100

    Re: Moving Security Gateways to new Hardware

    I *highly recommend* the use of a VAR or MSP if you are doing a critical one time change and need to reduce risk and ensure connectivity.

    How to Buy Check Point Products - Partner Locator

    These...
  83. Re: TCP option scrubbing & sequence number checking

    TCP options are contained in the header of the TCP portion of a packet.

    Transmission Control Protocol (TCP) Option Numbers

    "The Transmission Control Protocol (TCP) has provision for optional...
  84. Replies
    2
    Views
    2,526

    Re: IP2200 series: Using CLISH

    That's correct, make sure to put in the c0
  85. Replies
    2
    Views
    1,688

    Re: IP2270: Setting up Etherchannel

    Simply create your LAG group, add the interfaces, IP address etc but that's pretty much it on the IPSO side.

    If you leave the defaults alone, the cisco config looks (something) like

    po66...
  86. Replies
    2
    Views
    3,939

    Re: Greater benefits for certified engineers

    Tier 1 support is VARs, MSP etc
    -Filters cases to Tier 2

    Tier 2 support aka Customer Support Engineer
    -Filters cases to Tier 3
    -Gets escalations from Tier 1
    -Gets direct cases from customers...
  87. Replies
    26
    Views
    9,155

    Re: IPSO 6 Cluster in forwarding mode problems

    The fix for forwarding mode is included in MR2 of IPSO 6.2, aka IPSO 6.2 GA039.

    It's due out soon, they are just working on the release notes. As with all versions of IPSO you guys are really...
  88. Replies
    13
    Views
    3,540

    Re: OpenSSH vulnerability in SPLAT

    If I'm not careful I'll crack 1k resolutions this year :-/ carryover from Nokia and all the rest.
  89. Replies
    4
    Views
    1,895

    Re: Re-install security policy for Nokia IP690!?

    You sure about that? I don't think the IP690 supports IPSO 4.0. And 4.0 has been out of support for a while.
  90. Re: What affects performance? (CPU, Disk Speed, Memory, etc)

    The single biggest thing that affects performance on a firewall is the bus between the memory and CPU. Buy a modern northbridge chipset mobo and DDR3. Any CPU that runs on that will be fast enough,...
  91. Replies
    4
    Views
    1,895

    Re: Re-install security policy for Nokia IP690!?

    You should open a Check Point SR for this.

    Do you have core files in /var/crash?

    What versions are you using for IPSO and Check Point?
  92. Replies
    13
    Views
    3,540

    Re: OpenSSH vulnerability in SPLAT

    I misspoke. Fixed in that version and above.
  93. Replies
    2
    Views
    1,481

    Re: VRRP question about backup fw

    Just add a no-nat rule from cluster object to any. Should fix the problem.
  94. Replies
    33
    Views
    101,113

    Re: Nokia IPSO Command Line

    lolz

    You could do it in hardware too, by removing all but one layer 1 connection that points upstream.
  95. Thread: Upgrade Matrix

    by plamy
    Replies
    3
    Views
    2,770

    Re: Upgrade Matrix

    Either contact your CP sales person, or talk to your VAR. Either contact point should have a product matrix to help you choose a solution.

    Now that SXL is supported on the UTM line, you might want...
  96. Replies
    13
    Views
    3,540

    Re: OpenSSH vulnerability in SPLAT

    That solution dates back to R62 days. It's fixed in rpm versions equal to or above 3.6.1p2-33.30.39cp.

    What versions are you running?
  97. Replies
    10
    Views
    3,264

    Re: Replacing implied rules with explicit

    Come work for TAC, lammbo!
  98. Replies
    23
    Views
    5,730

    Re: USB-1 ABRA users - are there any?

    Personally I think it's not a bad idea at all. The ability to haul around a USB stick instead of a laptop is the big seller. For disaster recovery, third party access to your networks etc, it could...
  99. Replies
    26
    Views
    9,155

    Re: IPSO 6 Cluster in forwarding mode problems

    You should be fine to simply use multicast or unicast. Hardcode the new cluster MAC addresses to the switch ports.

    I believe that the fix is in MR2 which is due out "soon". They were still working...
  100. Replies
    16
    Views
    3,043

    Re: anyone on R65 HFA70?

    Different customer base... and more capable products (more complex too)
Results 1 to 100 of 320