CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.



Type: Posts; User: msjouw

  1. Replies
    13
    Views
    1,106

    Re: First time configuration wizard hanged up

    Did you change anything in that particular window? It is best NOT to do so.
  2. Replies
    2
    Views
    684

    Re: Installing R77.30_T204

    The T204 package is old and not suitable anymore to be installed on any device, one of the reasons being that it still uses a cert that will be generated in the future past the Epoch date, therefore...
  3. Re: Primary bond interface takes 30 sec to recover

    Make sure Spanning Tree Portfast is enabled on the switch, the switch will keep the port from sending traffic until it has determined that the port is not causing a loop.
  4. Replies
    6
    Views
    1,083

    Re: New install CP Management Server R80.10

    Are you sure you have used the latest version of the ISO? If not, make sure to update to the latest jumbo and first try to return the date to a date pre-Feb 2018, as the certificate that will be...
  5. Re: jumbo hot fix acc. on r80.10 on the gateway not showing after installation.

    This is what I get with Jumbo 112:


    This is Check Point CPinfo Build 914000182 for GAIA
    [KAV]
    HOTFIX_R80_10

    [IDA]
    HOTFIX_R80_10
  6. Replies
    3
    Views
    924

    Re: Resetting the cadmin password

    Users are not "controlled by" cadmin but by a user with the RBA Admin role.
    What I mean by adding a space, is you login with ssh to the FW and use the admin account, you should see a prompt showing...
  7. Replies
    3
    Views
    924

    Re: Resetting the cadmin password

    Anything that is cloned in the Cloning group is really copied to both members and stored locally in each member's own config.

    In the WebUI you should be able to overwrite the password.
    Just for...
  8. Re: cpview to find out the source and destination that uses the most BW

    Network -> Top-Connections?
  9. Re: adding/configuring interface causing error in cluster setup - policy error

    You should collect the members info from the 2 gateways and manually add the cluster interface information and topology, on the cluster interfaces, on the sync interfaces you need to set the topology...
  10. Replies
    5
    Views
    1,905

    Re: install R77.30 on Open Server

    The epoch date issue?
    There is a new R77.30 image, or while installing make sure the date is set back to pre-Feb 2018.
  11. Replies
    21
    Views
    21,889

    Sticky: Re: Check Point 1400 Appliance - FAQ

    We have been looking for the same information for a while, but it does not look like it is possible. The only way to find the Serial, connected to the MAC is to go into the Usercenter and click on...
  12. Replies
    2
    Views
    558

    Re: Network Objects Creation via CLI

    Following sk30383 it tells you a couple of things, first when using Multi Domain, to use globallock:
    mdsenv <Name of Domain Management Server>
    dbedit -local -globallock -f...
  13. Re: Endpoint is prompting for password again and again for Remote access site

    Turn on password caching in the global settings. MEP has nothing to do with this, this is caused by Secondary Connect, when you add both gateways in the Remote Access community, it will connect to the...
  14. Re: Is it possible to do a Proxy ARP on a whole network?

    Yes you will need to add all 100 Proxy ARP commands. Been there done that, not as many as this, but nonetheless.
    In clish you can use this command, taken that the incoming interface is eth3 and the...
  15. Replies
    11
    Views
    1,222

    Re: Cant Access Local VMs when on VPN

    Have you tried to create a local static route? That should override the client behavior.
  16. Replies
    8
    Views
    2,473

    Re: Upgrade from R70 to R80.10

    That means you have to do another step in between, I know that 71.30 can be imported to the R75.40 so you should be ok with that extra step in between.
  17. Replies
    8
    Views
    2,473

    Re: Upgrade from R70 to R80.10

    Ok you have a R70 SMS, you need to:

    create a R75.40 SMS VM as well
    then first export the R70 with the R75.40 export tools
    move the export file to the R75.40 VM and import the file
    make...
  18. Replies
    8
    Views
    2,473

    Re: Upgrade from R70 to R80.10

    You will have to build at least an SMS in R75.40 to import the export file, as you cannot do it in one step, so you have to go back to the customer and give them the R75.40 export tools and do the...
  19. Replies
    11
    Views
    1,222

    Re: Cant Access Local VMs when on VPN

    Not to my knowledge.
  20. Replies
    11
    Views
    1,222

    Re: Cant Access Local VMs when on VPN

    All settings that you do to trac_client_1.ttm on the gateway will be applied to all clients, there are some options that you can set to Client_Decide, but I don't know if this holds true for one.
    ...
  21. Replies
    8
    Views
    1,151

    Re: CMA import fails to R80

    Bob, As I posted already the logging of that command is stored in cpm.elg, which is the actual migration process.
  22. Replies
    11
    Views
    1,222

    Re: Cant Access Local VMs when on VPN

    Jessica,

    You are using what they call Hub mode, so looking for that on the knowledgebase I found sk121766 for you:
    In Endpoint Security VPN Client E80.70 or higher, it is possible to exclude...
  23. Replies
    8
    Views
    1,151

    Re: CMA import fails to R80

    Jessica,

    Have a look at the cpm.elg in the dir /var/log/opt/CPsuite-R80/fw1/log/ maybe you see some indicators there.
    This is where the process will store the actual process logs of the import....
  24. Replies
    8
    Views
    1,151

    Re: CMA import fails to R80

    There has been an update on the migration tools 2 to 3 months ago, so do make sure that you have the latest version.
    Been having similar problems also when the Globals were not removed until I finally...
  25. Replies
    11
    Views
    4,960

    Re: Moving CMA from one MDS env to a different one

    For all the others as well, for a target R77.30 MDS these are the steps to migrate a CMA to another MDS, either with a higher version or with other name / IP. The migration towards R80.10 is quite...
  26. Replies
    13
    Views
    3,012

    Re: unable to use clish

    So, you login, into clish, you instantly go into expert mode and try to get back to clish mode. Then it all works as designed.
    When you start in CLISH, the FWMANAGE01> prompt, shows you are in CLISH...
  27. Replies
    13
    Views
    3,012

    Re: unable to use clish

    What is the prompt you get when you log on via ssh?
  28. Re: Enforce source IP address change for Gaia 80.10

    Then read again what I said, hide the 172 IP's behind a 10 address!
  29. Re: Enforce source IP address change for Gaia 80.10

    First of all it is remarkable that you do get it to work with the default gateway outside the network of your external interface, to me it looks like you are in a /24 but define a /29 instead?...
  30. Replies
    11
    Views
    4,960

    Re: Moving CMA from one MDS env to a different one

    Last year at this time I finished moving a set of 110 R77.30 CMA's and 50 more from 2 sets of different (VM and physical) servers to a new set of 3 MDS servers. The only snags I had were that sometimes...
  31. Re: Centrally managed remote cluster + VPN site to site

    Make sure you exclude the Check Point services (ports 256 and 257) that take care of the Management traffic from the management server and the log towards the management server.

    Service exclusion is in...
  32. Re: MTU issues: packets are always fragmented by firewall!

    Clamping MSS is ALWAYS better than allowing fragmentation. Instead of chopping the packet in 2 packets and adding overhead, you tell both sides that the MSS is lower, as an MSP we have a lot of...
  33. Re: Installation failed. Reason: Load on module failed - no memory

    We see this quite often, mostly on reasonably busy firewalls, when we do the install during low traffic moments, it mostly finishes just fine, otherwise check the uptime, when the firewall is pushed...
  34. Replies
    1
    Views
    792

    Re: ingress/egress on same interface

    Yes you can do this, but you will have problems if not all traffic (forward and return) is passing through the FW, most of the times only the forward part is seen by the FW and then it will not allow...
  35. Replies
    3
    Views
    613

    Re: upgrade to GAIA 80.10 "command not found"

    try: ./upgrade_import

    When you go from clish to expert mode you need to exit from bash to go back to clish, to do so press <Ctrl>-d
  36. Replies
    6
    Views
    1,687

    Re: Remote console and/or RDP (or VNC) access

    For simple single port units we use Startech net-rs232 network devices and for DC setups we use the 32 port units from Raritan. Main advantage is that there is a normal power and you connect through...
  37. Replies
    25
    Views
    7,334

    Re: R80.10 in VMware

    Try using a different browser.
  38. Re: Migration from standalone gateway to HA cluster pair

    When you first upgrade the current GW to R80.10 you will have 2 times downtime, when you first migrate to cluster you have one time downtime.
  39. Re: Migration from standalone gateway to HA cluster pair

    If you say you have a Multi Domain server, do you mean you have a R80.10 only or do you need to migrate both the management and the gateway to R80.10?
    How much down time is allowed?

    to give you...
  40. Thread: PPPoE problem

    by msjouw
    Replies
    12
    Views
    2,181

    Re: PPPoE problem

    These messages are about Content scanning, which you can safely ignore.

    Did you get any further with this?
  41. Replies
    6
    Views
    1,137

    Re: Upgraded from 75.40VS to 77.30 - ARP Issues

    Best is to move the Proxy arp's to the VS's clish area or even better use Automatic NAT if you can.
    Make sure you have, in the global settings, merge local arp turned on.
    Any time you make a...
  42. Thread: PPPoE problem

    by msjouw
    Replies
    12
    Views
    2,181

    Re: PPPoE problem

    have a look at this article https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk101219&partition=General&product=IPSec
    Keep in mind that the...
  43. Thread: PPPoE problem

    by msjouw
    Replies
    12
    Views
    2,181

    Re: PPPoE problem

    Which hardware platform and what OS version?
  44. Replies
    13
    Views
    3,491

    Re: Not responding to arp-who-has

    In the global settings check the NAT page for ARP settings, do not forget that Cisco routers have a 4 hour ARP cache and you need to use arping to make sure to overwrite that cache or reset the...
  45. Re: Gateway as a Proxy - NAT Hiding Address Selection

    Don't forget you also need 1 more NAT rule for the cluster IP as well.
    Next to that ALL traffic from the gateway itself will also be hidden behind the hide address, ie when you use snmp traps...
  46. Replies
    9
    Views
    1,910

    Re: fw ctl zdebug command question

    Or use 'vsx stat -v' to get the correct VS number and use 'vsenv <ID>' to go to the CLI of that VS and then run 'fw ctl zdebug drop' from that context, as you do with all the commands you want to...
  47. Replies
    4
    Views
    854

    Re: NAT Issue DMZ INSIDE

    When you use automatic NAT the Proxy ARP is also automatic (make sure the setting in Global Properties is set correctly). Your internal to DMZ (10 address) should now respond correctly, when you...
  48. Replies
    4
    Views
    854

    Re: NAT Issue DMZ INSIDE

    Your no-NAT rules should be created above the automatic NAT, how to, you ask? First create a Section title above the Automatic NAT, then you can easily add a rule above that section title. There put...
  49. Replies
    5
    Views
    1,551

    Re: MTU on VPN traffic

    You better check out sk101208 regarding MSS and MTU and if you really want an article explaining the whole shebang in a really proper way look at this document on Cisco PMTUD:...
  50. Re: VPN star community but with per peer settings?

    You do not need a single Star topology to route between different communities, however you should use meshed instead of star topologies for the different vpn's.
    Just make sure the remote VPN site...
  51. Replies
    3
    Views
    2,866

    Re: ospf default route advertisement in ip295

    Yes it will just redistribute the default route into OSPF, with the IP of the FW as the next hop.
  52. Re: Migrating from VRRP Cluster to Load Sharing CLuster XL

    If you can pull the Mobile access functionality away from the other functions the GW has, you could think about VSX with VSLS, where you create 2 Virtual FW's each with their own set of functions...
  53. Replies
    17
    Views
    1,874

    Re: FTP issue in R77.30 with JHFA 216

    From sk62485: If you want to allow both Passive and Active mode, but are experiencing issues with non-compliant RFC traffic, then use "ftp-basic" in your rule.
    The old Smartdefence protection is...
  54. Replies
    17
    Views
    1,874

    Re: FTP issue in R77.30 with JHFA 216

    If you can and are allowed on the ftp server limit the portrange used for passive FTP to a range ie between 40000 and 50000 depending on the number of concurrent connections needed. But most of the...
  55. Re: One-way VPN between a 1490 and an Open Server? And then no VPN traffic after topo

    In the VPN community under advanced - advanced check the "do not NAT" option, to make sure none of the traffic will be NATted to the outside interfaces.
  56. Replies
    5
    Views
    1,377

    Re: Disable Split Tunnelling

    You need to make sure that in the Gateway policy you allow and NAT traffic towards the internet with the source network that you have used for the Office Mode Pool.
  57. Replies
    5
    Views
    1,377

    Re: Disable Split Tunnelling

    In the global settings go to remote access, under this section you have Secureclient Mobile and Endpoint Connect, in both sections tick the box "Route all traffic to gateway" push policy and you are...
  58. Re: Gateways per CMA? Large scale deployment experience?

    Whoow, we do have a lot of different devices we manage but the max per CMA is about 25 ATM and we do not use LSM at all, never used it either.
    We did however run a scripted policy push on a overnight...
  59. Replies
    11
    Views
    2,050

    Re: Upgrading Check Point 1490 cluster

    I don't even think there was any 1400 that came with R75.20.xx? As I recall they came with R77.20.xx as a minimum.
  60. Replies
    19
    Views
    1,732

    Re: VSX Cluster Questions

    That can only be done by using the shared template while creating the cluster.
    It took me about 5 minutes in the R77 VSX admin guide to know that part.
  61. Replies
    19
    Views
    1,732

    Re: VSX Cluster Questions

    On the machine itself you setup an interface with the IP to manage the box, right?
    Next in dash you create a VSX cluster with 2 members, during the adding of the members you tell it what IP to use...
  62. Replies
    19
    Views
    1,732

    Re: VSX Cluster Questions

    Just assign an IP to the management and do not add the Management interface as a Trunk, it is Dedicated...
  63. Replies
    19
    Views
    1,732

    Re: VSX Cluster Questions

    Then use the custom template, this way you will have 1 dedicated Management interface, a sync interface and all others are available for trunks.
  64. Replies
    19
    Views
    1,732

    Re: VSX Cluster Questions

    Did you choose to use the Shared Interface Creation template?
    You would do this when you need to share the external interface with your VS's.
  65. Replies
    19
    Views
    1,732

    Re: VSX Cluster Questions

    Are you sure you are on R77.30?
  66. Replies
    7
    Views
    1,883

    Re: Use SFP port on a 1490 as the WAN interface?

    While configuring the Internet connection you just tell it which port to use. In your case the DMZ - SFP port.
    We use this port to pre-configure the boxes and ship them with the final config on the...
  67. Replies
    19
    Views
    1,732

    Re: VSX Cluster Questions

    If I understand you correctly you are referring to the management interface of the VSX machine itself?
    If so this has to be a dedicated interface. Same goes for the Cluster Sync interface. These 2...
  68. Replies
    7
    Views
    1,883

    Re: Use SFP port on a 1490 as the WAN interface?

    The 1490 supports a fiber 1Gb SFP.
  69. Replies
    19
    Views
    1,732

    Re: VSX Cluster Questions

    On the cluster itself you do not define the vlan's, you just tell the cluster which physical port is setup as a trunk on the switch.
    Once you create a Virtual system you select that port and add the...
  70. Replies
    7
    Views
    1,883

    Re: Use SFP port on a 1490 as the WAN interface?

    On a 1400 the DMZ port is an internet-usable port, so yes this should work fine.
  71. Replies
    20
    Views
    7,499

    Re: BGP Failover Time

    Indeed indeed, why are you not using the VIP? This is exactly what I was wondering.

    @cciesec2006 we run around 500 gw's for about 150 customers worldwide and in the civilized countries where most...
  72. Replies
    20
    Views
    7,499

    Re: BGP Failover Time

    Switching members off is not a most common failure method, also test the time it takes when you fail over software wise, by ie detaching a cable or using clusterXL_admin down on the primary member....
  73. Replies
    2
    Views
    3,623

    Re: License Data Collector tool

    What an MSP always needs to do is compare the info from the different Domains and the Usercenter and the customer contracts, in the meantime my son was able to crack it and use a PHP script to...
  74. Replies
    2
    Views
    3,623

    License Data Collector tool

    Has anybody used the above tool from sk88240 and moved the information into a database?
    As this tool is the one tool that can collect the actual situation data, it would be useful to be able to move...
  75. Replies
    4
    Views
    1,272

    Re: 1430 using 3G/4G Dongle

    Try all different USB ports, I know with the Edge devices we had some issues with some locations of the USB stick.
    Also make sure to have the latest firmware loaded.
  76. Thread: VMAC question

    by msjouw
    Replies
    3
    Views
    1,378

    Re: VMAC question

    This is absolutely not a disruptive action. Why? Well due to the fact you have ARP cache, the current active physical MAC address for the bond interface and every new ARP request will get the new...
  77. Re: r77.30 recover admin password from expert mode

    Go into clish and execute:
    set user admin password
    now you can enter the new password, do not use the normal linux commands as the Clish entered commands will overrule the password the next time...
  78. Replies
    7
    Views
    1,802

    Re: Does A Firewall Filter Traffic From

    For the simple IP and Port based filtering the type of interface is irrelevant, on Check Point this is mainly relevant for Anti-Spoofing.
    For the additional blades it depends on the blade as well.
  79. Re: cant access webUI interface on remote GW over IPSEC

    try using the LAN IP for the GUI access not the WAN address.
  80. Replies
    3
    Views
    2,674

    Re: FW Monitor - Seeing only small i

    Lets say you are doing the following command
    fw monitor -e "accept host(1.1.1.1) and (host(2.2.2.2) or host(3.3.3.3));"
    where
    1.1.1.1 is the source public IP
    2.2.2.2 is the destination...
    Re: can NOT ssh from Active to Standby and from Standby to Active firewalls.

    A firewall will only accept SSH sessions when they have been set to be allowed, so you can tell the FW it is allowed to accept Outgoing SSH connections, but that does not allow Incoming SSH...
  82. Thread: nat problem

    by msjouw
    Replies
    3
    Views
    1,789

    Re: nat problem

    you are trying to HIDE NAT 3 IP's behind 1 IP, so set the NAT Type to Hide.
  83. Replies
    4
    Views
    4,924

    Re: adding a static route

    Check with "show configuration static-route" to see if the routes that are there are all correct, it sounds like there is another route that causes this error to pop up.
    Next check with "show...
  84. Replies
    14
    Views
    2,945

    Re: Huge Backup on R80?

    There is a big difference in revisions for R77.30 and DB revisions for R80, in R77.30 the revision was a complete copy of the full fileset, while R80 only keeps the changes.
    I have seen exports and...
    Re: Cluster in a Lab environment (cluster not working)

    one search on google gave me SK106855 and this forum entry.
  86. Re: Under the gun. How long will VPN's survive with MGMT down?

    I once had a P1 fail with about 25 customers on it, while rebuilding after 2 days we started seeing tunnels (all were based on certs) fail the cert check, but most lasted 5 days.
    Re: weird NAT show up in SmartDashboard. is that normal?

    It is not what I see in my Dashboard I have version R77.30 build 990180413, but more important, besides the visual issue, does the NAT work?
    Re: weird NAT show up in SmartDashboard. is that normal?

    Right click on the Source translated, choose NAT method.
  89. Re: applying license to a clusterXL H/A R77.30 with JHFA 216

    Call Ottawa, the old Nokia support team.
    I can't imagine them doing away with it soon.
  90. Replies
    5
    Views
    1,623

    Re: Domain Migration with VSX

    I only have 1 answer for you: forget doing it yourself.
    You need to export and import the CMA with all VSX stuff in it, then in the new setup you can start building new CMA's for the VS'es and start...
  91. Re: applying license to a clusterXL H/A R77.30 with JHFA 216

    Or use VRRP instead of clusterXL.
  92. Replies
    5
    Views
    1,623

    Re: Domain Migration with VSX

    I just finished migrating 2 sets of Provider 1 R77.30 setups with a total of 110 domains with heavy VSX usage through both provider 1's and we moved it all to 1 new set of 3 servers, make sure you...
  93. Replies
    7
    Views
    1,615

    Re: DMS Migration issue

    Domain Management Server?
  94. Replies
    7
    Views
    1,615

    Re: DMS Migration issue

    cache files removal:
    mdsstop -m
    mkdir -v /var/log/GUI_cache_bkp_MDS
    mv $MDSDIR/conf/mdsdb/CPMILinksMgr.db* /var/log/GUI_cache_bkp_MDS
    mdsstart -m

    wait 5 to 10 minutes for rebuild, depending on...
  95. Replies
    7
    Views
    1,615

    Re: DMS Migration issue

    There is a customers file, check if the domain is still mentioned in there, if so remove the section there, now go to the customers directory and make sure the directory is gone. When these 2 steps...
  96. Replies
    9
    Views
    3,027

    Re: R77.30 with R80 management server

    Sorry guys, but I do not see the contracts for AV, APCL, URLF or ABOT? All I see is Threat Extraction and IPS.
    If you do have the contracts for this license (check in the Usercenter) you need to...
  97. Replies
    10
    Views
    2,929

    Re: Sonos across vlan defined in a 600 appliance

    It could very well be, I'm on R77.20.40 at the moment for this one.
  98. Replies
    10
    Views
    2,929

    Re: Sonos across vlan defined in a 600 appliance

    What version do you have on the 600? I recently updated a 1450 with the R77.20.51 firmware and after that my VLAN's no longer worked, they were on the DMZ port as well..
  99. Thread: Rule history

    by msjouw
    Replies
    10
    Views
    3,050

    Re: Rule history

    1 average customer, changes 1 per week, 12000 records per year, filesize 2.9MB.
    1 busier customer, changes 2-5 per week, 62000 records over 2 years and 8 months, filesize 158MB.

    so really do not...
  100. Thread: Rule history

    by msjouw
    Replies
    10
    Views
    3,050

    Re: Rule history

    It does not at all.
Results 1 to 100 of 500