CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.



Type: Posts; User: Routerkid1


  1. Replies
    4
    Views
    2,084

    Re: De-Introduction

    Really depends on the year to year $$$ renewal costs. I don't think the people who pay the bills really care about the technology involved. I support most platforms now and from week to week it may...
  2. Replies
    8
    Views
    4,563

    Re: Running Checkpoint on Cisco UCS servers

    Got my answer from checkpoint and it appears that only CP running on VMware esxi will be supported on the UCS chassis. it is a shame but CP needs to get this approved UCS taking your DataCenter by...
  3. Replies
    8
    Views
    4,563

    Re: Running Checkpoint on Cisco UCS servers

    Jim,

    I have a customer that would like to deploy a R77.20 GAIA HA cluster on UCS 220 boxes. Will this be supported?
  4. Replies
    0
    Views
    1,688

    New Check Point Training

    Hello Everyone,

    I would like to announce that I have a new home for my Check Point Training via PluralSight.com. This course will help you get off the ground with CP firewalls. I am in the process...
  5. Replies
    7
    Views
    1,508

    Re: Delay when connecting to certain resources

    Check Smartview Tracker and see if you see the traffic coming in. Make sure you do not have two Nats that are hitting for the same object as well.
  6. Replies
    4
    Views
    3,594

    Re: Filtering a range of IP's

    Are you trying to filter all of the matches in SmartView Tracker? If you are do this is your filter search 192.168.1.* You can use the wildcard to filter in any octet. *Yea start using the wildcard...
  7. Re: Bulk migration of Automatic NAT entries for hardware upgrade

    Mike you may have solved this already but I was able to export all host objects with automatic nats to my desktop and import to new mgmt server. The install on option has to be set to all and this...
  8. Replies
    6
    Views
    5,093

    Re: File Path for Backups and Images

    Just ran into this and found the file with the following command


    [Expert@cpmodule]# find / -name \*.tgz -mtime -1 -ls
    786441 94888 -rw-rw---- 1 root root 97061038 Oct 17 19:26...
  9. Re: Checkpoint FW1 R75.30 web access error with Mozilla Firefox 9.x and 10.x

    This was a PITA when trying to upgrade a R75.10 box, I was getting the errors below and the webui just flat out not working. Well as you guys mentioned before that is problem I don't think the CP...
  10. Replies
    2
    Views
    2,209

    All OSPF users please chime in.

    For anyone that currently utilizes a CP 4200 and has OSPF configured please chime in. I need to know what OS you are running and your OSPF config information. I also need to know if we have a hard...
  11. Replies
    3
    Views
    7,620

    Re: ICA and SIC communication

    All you need to know:

    SIC (Secure Internal Communication) has taken the place of fw putkey in the NG release of FireWall-1. SIC can sometimes go out of sync or be "broken" for one reason or...
  12. Replies
    2
    Views
    1,490

    Re: Migration to Appliance 4205

    The general rule is your management needs to be at a higher or equal version of the firewall you would like to manage. So if you have an R75 firewall you can't manage with R71 for example.
  13. Replies
    50
    Views
    18,580

    Re: Check Point R77

    Thanks was wondering about the SK link.
  14. Replies
    0
    Views
    1,973

    2012 NPS server SNX

    All, has anyone successfully setup SSL network extender R75* to authenticate against a Windows 2012 NPS server. If you have some tips please share on how to make this work. It has been a few years...
  15. Replies
    12
    Views
    10,733

    Re: Cisco NEXUS 5000 drops ccp

    Hey guys anyone using CP cluster with Nexus switches? Wonder what others have seen in the wild. Let us know of any issues and we can work to resolve them.
  16. Re: After upgrade_import on R75.40, not possible to login on smartdashboard

    Type in cpconfig and redo your gui clients. remove and re-add the hosts/network.
  17. Replies
    12
    Views
    10,733

    Re: Cisco NEXUS 5000 drops ccp

    I have an issue like this and I was able to stop the flapping but no long term fix yet.

    Well,

    I setup an HA multicast firewall config on R70.50 for a new setup with a Nexus 5K and I started...
  18. Replies
    2
    Views
    1,352

    Re: Preboot authorized User problems

    I have noticed this as well, I have made this change logged in with a good account updated policy and shutdown. I booted back up and still does not work! Not sure how this is supposed to work? Anyone...
  19. Replies
    2
    Views
    1,700

    Re: Pipe FW.log to Syslog, using TCP

    Brad,

    I am doing the same thing on my R70.50 server and the process keeps dying after like 5 minutes. Also check to see if your remains running after a backup or log switch process.
  20. Re: Disk Space Leak SPLAT R71 and R75 Smartcenter and Eventia confirmed

    R70.40, been fighting this stuff for a week before I found this.
  21. Replies
    4
    Views
    3,059

    Re: Message from webpage "undefined"

    Issue resolved had to have new lic for SNX to work on R75.30

    PVP-SNX-25-NGX CPVP-SNX-5-NGX+25 CPSB-SWB
  22. Replies
    4
    Views
    3,059

    Re: Message from webpage "undefined"

    Also tried this and it did not resolve my issue.

    SSL network users getting undefined error message



    Solution ID: sk43976
    Product: SSL Network Extender
    Version: NGX R65, R75
    Date...
  23. Replies
    4
    Views
    3,059

    Re: Message from webpage "undefined"

    Just changed the encryption to AES, 3DES, RC4 but did not resolve.
  24. Replies
    1
    Views
    1,723

    Re: SNX E75 - Firefox ?

    Yea something is jacked up after an IPS update on my R75.30. I get a blank screen on Firefox and undefined error on IE.
  25. Replies
    1
    Views
    1,629

    Re: SNX E75 on VSX 3070 R67.10

    See the thread above open Global Properties > Remote Access>SSL change to 3DES & RC4. Push policy and see what happens.
  26. Re: Problem with SSL Network Extender (page cannot be displayed)

    Yea it fixed my problem on R70.40, Thanks Mickeysoft
  27. Replies
    4
    Views
    3,059

    Re: Message from webpage "undefined"

    Yup running into the same issue on R75.30, I will keep at it and post the solution.
  28. Replies
    6
    Views
    6,829

    Re: R71.30 Load on Module Failed - No memory.

    I restored a DB revision control before I did an IPS update as of 11-30-11
  29. Re: Does this Identity Awareness thing actually work?

    I have IA running across several domains and it works fine for me. The main goal was to tie a user to a machine name and it does a great job of that. In 99% of most environments users will not...
  30. Thread: IA and VPN?

    by Routerkid1
    Replies
    4
    Views
    1,810

    Re: IA and VPN?

    I have deployed across a few domains and if you can query the domain controller you get the logs. I have had success across remote and site to site vpn's.
  31. Replies
    5
    Views
    2,581

    Re: SAM Question

    Yes you can automatically block ip's on port scan's but you must have eventia analyzer and setup a policy to do so. really easy setup and you can do a 15 day eval to check things out. Let me know if...
  32. Replies
    14
    Views
    4,132

    Re: Your Favorite DELL Hardware for SPLAT

    you will be safe with the dell R610 as well. I have a R70.40 cluster running today with the nics I stated before. Yes I use the on board nics as well. The perc6i raid card will work for you.
  33. Replies
    14
    Views
    4,132

    Re: Your Favorite DELL Hardware for SPLAT

    Great boxes I use Intel quad port VT for my nics.

    lspci -v | grep Ethernet -A 1
    06:00.0 Ethernet controller: Intel Corporation 82575GB Gigabit Network Connection (rev 02)
    Subsystem:...
  34. Re: Senior Check Point Firewall Engineer Wanted

    Well the big problem I see with most Enterprise customers is fear of change because of a bad experience with an IT upgrade in the past. It could be Lotus Notes, Exchange or Phones but the end result...
  35. Re: Senior Check Point Firewall Engineer Wanted

    I upgraded a client from 3.0B to R65 3 years ago. I was like grandpa tell me about the days when Nat started.
  36. Replies
    9
    Views
    3,419

    Re: FIB and ClusterXL

    Do you have a rule to allow the FIB between each cluster member ?
  37. Re: Is it just me or has this site turned into a Reality TV show?

    Yea has went down hill, I'm thinking about starting a new forum.
  38. Replies
    82
    Views
    27,428

    Re: Project Gaia

    Can anyone confirm that a EA is currently open. I sent a request to my SE about it and he stated he would get me on the list once it opened ?
  39. Re: Please stay away from Power-1 Appliance 11065

    What does the ilo Autoneg to on the switch or will it ?
  40. Re: Anyone have an idea about this message ''no machine eligible for policy installat

    You may need to right click on the firewall object and select convert to gateway. I see this with stand alone configs more than distributed.
  41. Replies
    30
    Views
    11,554

    Re: Check Point R70 R71 R75 Visual Road Map

    Care to state what does not work ?
  42. Replies
    30
    Views
    11,554

    Re: Check Point R70 R71 R75 Visual Road Map

    Very nice work.
  43. Replies
    8
    Views
    4,568

    Re: Does this Pstat look ok to you

    Well on a positive note the failed alloc value did not change in the last 24 hr's, Can someone with R70.40 deployed check the hmem value on your cluster for failed alloc?
  44. Replies
    8
    Views
    4,568

    Re: Does this Pstat look ok to you

    Both of mine are set to zero
  45. Replies
    8
    Views
    4,568

    Re: Does this Pstat look ok to you

    Current FW tab -s

    HOST NAME ID #VALS #PEAK #SLINKS
    localhost vsx_firewalled 0 0 0 0
    localhost ...
  46. Replies
    8
    Views
    4,568

    Re: Does this Pstat look ok to you

    Yea the alloc failed looked strange to me as well, I have my connections table set at 50000
  47. Replies
    8
    Views
    4,568

    Re: Does this Pstat look ok to you

    Found this in cpinfo

    Memory Leak?

    Hash kernel memory (hmem): Peak near limit: 16758 blocks of 17391 allocated
    Hash kernel memory (hmem): Peak near limit: 16758 blocks of 17391 allocated
  48. How to detect a memory leak on Security Gateway with SecurePlatform OS

    Saw this today and thought it could be helpful:

    sk35496



    Solution

    Memory leak is an abnormal growth of memory usage, caused by either in kernel space or in user space.
  49. Replies
    8
    Views
    4,568

    Does this Pstat look ok to you

    I had one of my gateways lock up and I can't find a root cause so far. I failed the cluster over and packets were flowing again. I had the 100% CPU bug in SMV ( sk36634 ). I applied R70.40 per the SK...
  50. Replies
    13
    Views
    4,751

    Re: Geo Protection in R70.30 not updating

    Excellent work Ray
  51. Re: Need review from customers on GEO Protection.

    Any new problems or comments on Geo?
  52. Replies
    5
    Views
    2,001

    Re: deployment of new cluster

    You will be fine, The rule for mgmt servers is typically equal or higher version than firewalls. Check Check Point release notes as well.
  53. Replies
    8
    Views
    4,026

    Re: Unable to ping Standby Physical IP

    I would just setup sic with the internal ip of each firewall and call it good. If your mgmt server is inside your network then I would not worry about it. if you are going across the internet to...
  54. Replies
    5
    Views
    2,001

    Re: deployment of new cluster

    What is the end goal to have the new Smart Center on a different Hostname /IP?

    Also do you have any vpn's ?

    This is easily done but takes a few steps.
  55. Replies
    8
    Views
    4,026

    Re: Unable to ping Standby Physical IP

    Do you see the packets hit the firewall via tracker? Also dump on the ext interface and see if the icmp packet appears. If you do not see the packet then look at your router upstream to see if...
  56. Re: Need review from customers on GEO Protection.

    Yea just build the exception rules for the ip's you wish to allow.
  57. Re: upgrade management server from R65 to R71.10

    Does your current policy name contain ~,
  58. Replies
    10
    Views
    2,999

    Re: Strange cluster issue!!!

    let's see a cphaprob -i list as well
  59. Re: Need review from customers on GEO Protection.

    Thanks Ray let me know how things turn out. I am putting in a test FW today.
  60. Need review from customers on GEO Protection.

    I need some feedback from customers that have this deployed and working as expected. I saw the post about North Korea but that is not a deal breaker. I have to justify this purchase to the CIO. So...
  61. Replies
    5
    Views
    2,130

    Re: using cli/expert to list/search objects

    You would need to cat or grep objects_5_0.C file.
  62. Replies
    2
    Views
    3,010

    Smart Dashboard to ACS 5.1 TACACS

    Anyone have this working,

    I have built an account, host, and setup the TACACS server in Dashboard. I see the packets leave my mgmt server and the logs from ACS state the connection was accepted....
  63. Re: SmartView Monitor always shows firewall at 100% CPU utilization

    D,

    Yea even after applying the fix to a few clusters the problem still comes back on one. I will just use the command line to keep tabs on that cluster.
  64. Re: Security Architecture Engineer Needed at Chase Paymentech in Salem NH

    I have all of those skills but not moving to NH
  65. Replies
    2
    Views
    1,169

    Who does not like R71 ?

    I am not a big fan of the new blade license warnings and the product stating it will disable IPS if a contract can not be found. I will stay at R70.20 for now.
  66. Replies
    6
    Views
    3,056

    Re: SPLAT VSX R67 upgrade experience

    lol, much easier than our last adventure to R65 together? I love the Dell R610 boxes
  67. Thread: Splat Tool

    by Routerkid1
    Replies
    1
    Views
    1,479

    Splat Tool

    Found this cool tool for splat: SmartSPLAT: Checkpoint Firewall Management Software
  68. Replies
    5
    Views
    3,027

    Re: Abra on UTM-1 Problems

    If the UTM is a Stand Alone setup right click on fw object and select convert to Gateway.
  69. Re: How to verify smart center server IP address from the Enforcement Module ?????

    OK try to more this file on the FW and it will list the ip address of my Mgmt Server. I see 99% of all installs use central licensing so this may work.


    more /opt/CPshrd-R70/conf/cp.license ...
  70. Re: How to verify smart center server IP address from the Enforcement Module ?????

    From expert run fw stat to see last policy install info. You can also look at this file on the FW to see current Smart Center.

    more $FWDIR/conf/masters


    [Policy]
    FW-Mgmt
    [Log]
    FW-Mgmt...
  71. Replies
    2
    Views
    1,709

    Re: error switching on cluster member

    Post up the output of the following from the command line. Remove any public ip's in the output before posting.

    cphaprob stat
    cphaprob -a if
    cphaprob -i list
  72. Replies
    5
    Views
    3,044

    Re: Checkpoint and cisco GLBP

    Forgot to mention that the core switches will be Cisco 6513.
  73. Replies
    5
    Views
    3,044

    Re: Checkpoint and cisco GLBP

    Anyone have GLBP setup in the Network Core going to R70 cluster, I assume I would need to put the firewalls in Load share but which mode Unicast or Multicast ?
  74. Re: Mandatory Hotfix for customers who have enabled the R71 SSL VPN Blade

    I suspect security bug like this one.

    US-CERT Vulnerability Note VU#261869
  75. Re: Upgrading to R70.20 and R70.30? A warning for Management Servers...

    I ran in to this one as well, Run an evconfig on the box and disable any of the eventia products you do not want and that should resolve any stability problems. I'm not sure what the thought process...
  76. Re: Sending Firewall logs to a different smart centre

    Let me make this really easy for you. This is the best way to manage a remote firewall.

    1. Add an automatic static nat to the smart center object for a unused public ip.

    2. Open the firewall...
  77. Re: Packet is dropped because there is no valid SA

    You can also use the option to disable Nat inside the VPN Community. This is located inside the advanced community settings
  78. Sticky: Re: How To: MPLS Setup with Automatic Failover to Public Circuit

    Great post, I do something similar with GRE & Ipsec between all remote offices and corporate via hub and spoke config. It is always a good idea to encrypt office to office data and provide...
  79. Replies
    12
    Views
    7,276

    Re: Cannot ping VIP address!

    A typical Cluster XL deployment will show you the sync interface when you enter cphaprob stat. Just make sure you have defined the same interfaces as sync interface in Smart Dashboard. Also make sure...
  80. Replies
    57
    Views
    20,158

    Re: Strange Issue with ClusterXL

    Hard to say at this point if you are not taxing the connections, I would give it a try.
  81. Replies
    57
    Views
    20,158

    Re: Strange Issue with ClusterXL

    Also what does the connections table look like? What connection limit do you have defined and are you getting close to the limit?

    fw tab -t connections -s
  82. Replies
    57
    Views
    20,158

    Re: Strange Issue with ClusterXL

    I have seen this before and I set the value to 30, typically you only see it on large policy install but it is worth a shot if you have time. I would like to know if it allows cluster member to stay...
  83. Replies
    24
    Views
    9,584

    Re: SPLAT and ssh issue

    what do you have in your hosts.allow file in /etc ?


    This comes to mind:

    Solution ID: sk33481 Average Rating:

    Cannot access WebUI or SSH on a SecurePlatform security gateway
    ...
  84. Replies
    24
    Views
    9,584

    Re: SPLAT and ssh issue

    Yea just like when a CCIE tells me to upgrade code on my core switch :)
  85. Replies
    24
    Views
    9,584

    Re: SPLAT and ssh issue

    Sucks build a new box
  86. Replies
    24
    Views
    9,584

    Re: SPLAT and ssh issue

    I have seen this before and I logged in via webui and created a new admin account. I then logged in to a 2nd webui with the new admin account and deleted and recreated the orig account.
  87. Replies
    15
    Views
    5,329

    Re: ClusterXL with VLANs (NGX65)

    For Eth0 make sure the network information is dead on then run an ethtool eth0 and post them up. Then check the switch port and see what the speed duplex vlan etc... match. Also if you have...
  88. Replies
    15
    Views
    5,329

    Re: ClusterXL with VLANs (NGX65)

    Yea you need to get the sync fixed as well why is it down? Are you using a crossover cable between the boxes?
  89. Replies
    15
    Views
    5,329

    Re: ClusterXL with VLANs (NGX65)

    I'm sure you have seen this but want to make sure you are aware of it.

    Monitoring VLANs
    VLAN monitoring can only be set to monitor the lowest VLAN ID.
    The lowest VLAN ID indicates the status of...
  90. Replies
    15
    Views
    5,329

    Re: ClusterXL with VLANs (NGX65)

    let me see an ifconfig -a as well
  91. Replies
    15
    Views
    5,329

    Re: ClusterXL with VLANs (NGX65)

    Post up a cphaprob -a if, cphaprob stat, cphaprob -i list
  92. Replies
    2
    Views
    1,384

    Remote Check Point Lab

    All,

    I am thinking about building a remote CP lab that would include all products. Any Interest ?
  93. Replies
    7
    Views
    2,464

    Re: (no) Nat rule partitial ignored

    Check your Connection Persistence* on the FW object, this may not take place if you have it set to keep all connections until they die.
  94. Replies
    30
    Views
    7,191

    Re: Bug in NGx R71

    I have completely different names on the network objects.
  95. Replies
    30
    Views
    7,191

    Re: Bug in NGx R71

    I will agree with you on this one, I have a few network objects defined as 10.0.0.0 for diff vendors that enter the firewalls on diff paths. That would piss me off if that breaks an upgrade attempt....
  96. Replies
    3
    Views
    1,980

    Re: How to check patches from command line!

    I also use this dir /opt/CPsuite-R70 and you will see the patches and the uninstall scripts. The same dir you will see on all versions CPsuite-R65, R62 etc..
  97. Re: Building a R70 HA cluster from a single R65 gateway

    Good Point beat me to it, You could also build the cluster with another cluster ip from that subnet to allow you time to test your policy, routing etc with no downtime for users. Then switch the...
  98. Re: Building a R70 HA cluster from a single R65 gateway

    Keep in mind that arp entries on your switches/routers will reference your old R65 box. This will take time and maybe a reboot to make things line up
  99. Replies
    9
    Views
    1,913

    Re: *** ALERT !!! ALERT !!!! HELP ***

    No "Check out my live web cam" :)
  100. Replies
    15
    Views
    3,979

    Re: NGx R71 NIC teaming trouble

    We get the point QA sucks, No need to post about it everyday. Think about trying to QA every hardware platform and every possible config for that platform bridge, bond,vlan ....etc. My suggestion is...
Results 1 to 100 of 500