CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.


Type: Posts; User: Felix001


  1. Thread: Inspect Code

    by Felix001
    Replies
    1
    Views
    1,066

    Inspect Code

    Does anyone know what Inspect Code is?
  2. Replies
    2
    Views
    2,412

    Re: A script to add new policy

    The Checkpoint model is designed so all administration on the policy is done by the Dashboard.
    I can't see why you would want to do it via the CLI.
  3. Replies
    4
    Views
    2,949

    Re: need scripts to monitor fw connections

    You may also find this useful :

    http://www.fir3net.com/images/resource_report_IPSO.txt

    If you need any other info on it just let me know...
  4. Replies
    33
    Views
    101,822

    Re: Nokia IPSO Command Line

    All the required files can be found at Checkpoint.com
  5. Replies
    1
    Views
    2,011

    Re: Database Revision Tool

    Version 3.1 has now been released for this tool. This now includes size, enhanced list and the ability to delete all revisions before a selected ID. Enjoy.


    [Expert@sc-manger]# dbdel ?
    usage:...
  6. Replies
    4
    Views
    2,723

    Re: Endpoint Connect License

    Ok good stuff. So what does the macro file actually do ?
  7. Re: SecureClient and 64 bit Endpoint connect's co-existence and SCV

    Does anyone know when the EA of Discovery will be available ?
  8. Replies
    7
    Views
    21,581

    Re: Clear ARP Cache - SPLAT

    Is the ip command only on the Linux distros, and is there a counterpart on the IPSO platforms?
  9. Replies
    5
    Views
    2,486

    Re: Upgrade Export Issue

    Thanks for your help .
  10. Replies
    5
    Views
    2,486

    Re: Upgrade Export Issue

    When you say :



    Do you mean replace the standard gtar binary ?
  11. Replies
    10
    Views
    2,032

    Re: Correlating DB Versions to Policies

    I've pretty much finished this script.
    Details can be found here:

    http://www.cpug.org/forums/scripts-tools/13551-database-revision-tool.html#post58371
  12. Replies
    1
    Views
    2,011

    Database Revision Tool

    I've created a wrapper for the Checkpoint program dbver, which allows you to easily remove 100s of DB revs in one go.

    You can find the script and all the details for it below :

    Checkpoint Tool -...
  13. Replies
    10
    Views
    2,032

    Re: Correlating DB Versions to Policies

    Ok cool. Thanks
  14. Replies
    10
    Views
    2,032

    Re: Correlating DB Versions to Policies

    I'm in the process of writing a pre-R70 script which will bulk remove db revs.
    All input is welcome and I'll post the finished script on here in a week or 2.
  15. Replies
    10
    Views
    2,032

    Re: Correlating DB Versions to Policies

    I thought a db rev was just for that current policy but for global objects but I could be wrong.

    As for R71 that is a good idea, I'll check that out when I get 5 minutes.
    I appreciate what your...
  16. Replies
    10
    Views
    2,032

    Re: Correlating DB Versions to Policies

    I want to write a script which keeps the last 5 db revs per policy and removes the remainder.
  17. Replies
    10
    Views
    2,032

    Correlating DB Versions to Policies

    I'm trying to correlate the different database revisions to their policies.
    It seems like it may be best to use the UIDs from the versioning_db.fws file.


    [Expert@R65-Manager]# cat...
  18. Replies
    5
    Views
    2,486

    Upgrade Export Issue

    Has anyone come across this before :


    Compressing the files... gtar: Only wrote 2047 of 10240 bytes to export.tgz.tar gtar: Error is not recoverable: exiting now
    Error: Failed to execute...
  19. Replies
    3
    Views
    1,717

    Re: MEP Failover Issue

    Can you confirm what you mean by explicit MEP?
    Are all gateways managed by the same SMS/CMA?
    And I was using wire mode.


    To be fair though I was testing the whole environment using...
  20. Replies
    33
    Views
    101,822

    Re: Nokia IPSO Command Line

    Does anyone know an IPSO command to show which route a certain destination will use? I think there is one on SPLAT such as `ip route` or something similar.

    Thanks....
  21. Re: why the connections in table 'fwx_alloc' are much more than table 'connections'?

    I would take too much notice of the values and this changes within the millisecond.
    From my understanding I can see why the NAT table is higher as there are going to be a ton more entries due to things...
  22. Re: SecureClient and 64 bit Endpoint connect's co-existence and SCV

    What is Discovery? I've never even heard of this.
    With EPC I can see that the desktop policies are pulled down into some config file but it doesn't seem to be enforced.
  23. Re: SecureClient and 64 bit Endpoint connect's co-existence and SCV

    In people's experience with Endpoint Connect...

    Do you have to use the Endpoint Security Server for any kind of (Client) Endpoint type of verification (i.e. local.scv)?
    Can you use...
  24. Replies
    2
    Views
    1,594

    Re: Disabling SNX with Endpoint Connect

    I found that you didn't have to enable this to get the EPC to work. But was wondering if it could cause problems if it wasn't enabled?
  25. Replies
    2
    Views
    1,594

    Disabling SNX with Endpoint Connect

    I have 2 questions:

    Can you disable SNX when configuring Endpoint Connect? As you do you have to enable the SSL client Feature. Or can you only just enable visitor mode. It's just I want to limit...
  26. Replies
    4
    Views
    2,723

    Endpoint Connect License

    How does licensing work with Endpoint Connect or just in general with Remote Access.

    It says that :

    Licensing principle: VPN clients (SecureClient, Endpoint Connect, Secure Access, SNX)...
  27. Replies
    0
    Views
    1,394

    Endpoint Connect MEP Issue

    I have an Endpoint Connect MEP setup. In this setup I have 2 Firewalls (FW1 and 2) which are my 2 multiple entry points.

    I have set my MEP settings for first to respond for both the IPs of FW1 and 2....
  28. Replies
    23
    Views
    6,391

    Re: Is the Checkpoint CCSE 156-315.65 valid ?

    I haven't got a clue what's going on, I have tried calling Checkpoint. I got bounced around 5 departments before being passed over to someone's voicemail.

    Can anyone let me know what the heck is going...
  29. Replies
    0
    Views
    1,535

    VRRP FW Agent commands

    Im trying to find a command that gives you on failures and history for the VRRP Checkpoint Monitor. I need something a bit like the cphaprob list command.

    So that when a cluster fails across I can...
  30. Replies
    4
    Views
    18,280

    Re: connection failed negotiation with site

    In the end the phase 2 was failing. This was in an internal lab and once I removed the layer 3 and slightly changed the topology it started working.
  31. Thread: Visitor mode

    by Felix001
    Replies
    4
    Views
    1,589

    Re: Visitor mode

    Resolved. I found out that it was due to my gateway not being in a VPN community.
  32. Thread: Visitor mode

    by Felix001
    Replies
    4
    Views
    1,589

    Re: Visitor mode

    Fair point about the license; trouble is I just need to test some stuff in the lab so I have no license.

    I've tried disabling and moving the webui port to some other port which worked fine. but...
  33. Replies
    4
    Views
    4,315

    Re: vpn connection failed

    I've had problems using the Static NAT option of the link selection. Instead I use ongoing probing and create a dummy interface.
  34. Thread: Visitor mode

    by Felix001
    Replies
    4
    Views
    1,589

    Visitor mode

    I'm trying to enable visitor mode on my gateway. I have enabled it within the object but I cannot see the port listening (??)

    I'm using a trial license and the webui is using about port.
    Any ideas?
  35. Re: Configuration VPN site to site between Checkpoint NGX and Router Cisco 1861

    What do the logs of the Checkpoint say?
  36. Thread: LDAP Issues

    by Felix001
    Replies
    2
    Views
    1,793

    Re: LDAP Issues

    OK, so if right I should be able to just add the servers and their priorities. And then as long as I can get the branches and what not from the user tab then I should be ok to push it out to the...
  37. Thread: LDAP Issues

    by Felix001
    Replies
    2
    Views
    1,793

    LDAP Issues

    On my manager I add my LDAP server. It says that it is unable to connect when I try and obtain the branches. But within the Users tab I can query the domain "tree" and see all the branches (???)
    ...
  38. Replies
    4
    Views
    18,280

    Re: connection failed negotiation with site

    On running the debug I'm getting the point of:


    [vpnd 27306 1995355424]@R70-Firewall1[26 Apr 15:48:02] KillNegotiation: Killing negotiation 23 (0xa0b43d8) ...
    [vpnd 27306...
  39. Replies
    4
    Views
    18,280

    connection failed negotiation with site

    I've set up a site for Endpoint Connect. But when I try to connect I get the error:


    connection failed negotiation with site failed

    I'm running a vpn debug but still wading through the logs....
  40. Re: Blocked FTP Commands: how to allow other commands not in list?

    There's loads of files that reference these commands:


    grep -ri STOU $FWDIR/ | grep -vi binary | grep -i ftp
    There's a file which may be worth having a look at:

    ...
  41. Replies
    2
    Views
    2,208

    Re: Double NAT on https

    If the 3 way handshake is completed then the NAT is working. The performance issues you are seeing could be down to an MSS issue.
  42. Replies
    23
    Views
    6,391

    Re: Is the Checkpoint CCSE 156-315.65 valid ?

    Good news. I have spoken to Checkpoint and they say that this is valid until the 30th May 2010.

    I have now successfully booked the exam. And Pearson Vue have no idea on what had "previously"...
  43. Replies
    23
    Views
    6,391

    Re: Is the Checkpoint CCSE 156-315.65 valid ?

    I only got through to an account guy and they took my details as my time zone was GMT and I got through to the States.

    They did send me a link to my service ticket but I can't access it as they...
  44. Replies
    23
    Views
    6,391

    Re: Is the Checkpoint CCSE 156-315.65 valid ?

    Does anyone know what's going on? I don't know if this is a mistake by Checkpoint or it is actually not an expired exam and that I should start revising for R70.
  45. Replies
    23
    Views
    6,391

    Re: Is the Checkpoint CCSE 156-315.65 valid ?

    Good call. There is hope for us yet toastyhamster. :o)
  46. Replies
    23
    Views
    6,391

    Re: Is the Checkpoint CCSE 156-315.65 valid ?

    Fingers crossed this is a screw up. But we should know soon (I Hope)
  47. Replies
    23
    Views
    6,391

    Re: Is the Checkpoint CCSE 156-315.65 valid ?

    I'm waiting for a call back from the education dept at Checkpoint so I can fully clarify.

    I really don't want to have to now go through the huge PDFs to prepare for the R70 so I don't have to spend...
  48. Replies
    23
    Views
    6,391

    Re: Is the Checkpoint CCSE 156-315.65 valid ?

    I just spoke to someone at Pue Veason that told me about that. As in someone booking and turning up and being told no sorry.
    Not sure if you are the same person.

    I have called Checkpoint and they...
  49. Replies
    23
    Views
    6,391

    Is the Checkpoint CCSE 156-315.65 valid ?

    I have just spent the last 2 months studying and preparing for the 156-315.65 exam. I have just gone to book the exam and was told that this exam is no longer current.

    Does anyone know ?
  50. Replies
    9
    Views
    2,153

    Re: Configuring VTI`s

    OK, that is great but I would really like to understand how and where Checkpoint uses these IPs within the VPN establishment for VTI based tunnels.
  51. Replies
    9
    Views
    2,153

    Re: Configuring VTI`s

    OK sure. My confusion is as they are external VTIs where do I obtain IPs which are not RFC1918. Or does this not matter. I cannot see that the traffic actually uses these IPs.

    My external...
  52. Replies
    2
    Views
    2,201

    Re: Checkpoint R60 SPLAT -> ESXi

    Yes it works fine. So far I have installed the following all without problems :


    R70 SPLAT
    R65 SPLAT
    R60 SPLAT
    R55 SPLAT
  53. Replies
    5
    Views
    2,537

    Re: VPN Tunnel Utility - Bug again?

    I am unable to clear the VPN SA`s using the vpn tu command | Checkpoint | Firewalls
  54. Thread: VTI Question

    by Felix001
    Replies
    2
    Views
    1,582

    Re: VTI Question

    Though I haven't tried, I imagine you would be ok if you changed this encryption domain to your actual enc domain. The only difference is the proxy ids will not be 0.0.0.0.
  55. Replies
    9
    Views
    2,153

    Re: Configuring VTI`s

    Yep there are numbered VTIs but I can't see where it uses the IP. So in theory you could just put anything in there.
  56. Replies
    9
    Views
    2,153

    Re: Configuring VTI`s

    So in other words it does matter what IPs I add. Do they need to be in the same subnet?
  57. Replies
    9
    Views
    2,153

    Configuring VTI`s

    When configuring VTI`s does it matter which IP address you use ? Or should they relate to anything.

    I have 2 gateways :


    Site A outside 1.1.1.1 inside 172.16.1.1
    Site B outside 1.1.2.1...
  58. Replies
    3
    Views
    1,717

    Re: MEP Failover Issue

    I've tested this some more and everything fails over if I stop my current traffic. And then re initiate it. I can then see the new tunnel built and with wire mode enabled the traffic is sent back and...
  59. Replies
    3
    Views
    1,717

    MEP Failover Issue

    I've set up a Site to Site MEP set up. The initial VPN is established without problems. I disable the external interface to test a failover. But the new VPN tunnel to the other gateway isn't...
  60. Re: Endpoint Connect - connection loss & 2nd site

    When creating a site within Endpoint Connect, if you are unable to connect to the gateway check to see if you can connect to the gateway via https,
    as it uses this for the initial creation.
    ...
  61. Replies
    6
    Views
    2,774

    Re: Akamai based Servers

    I agree the URI isn't really the best man for the job.
    It's a shame that the domain based objects are so badly implemented in Checkpoint with regards to the PTR checking.
  62. Replies
    8
    Views
    1,760

    Re: Congrats to Check Point !

    I have to disagree, I think that it has changed for the worse.
  63. Replies
    6
    Views
    25,309

    Re: CCSE R70 Exam now live

    Unless you get the courseware from Checkpoint are there no other resources for passing this course?
  64. Replies
    6
    Views
    2,774

    Re: Akamai based Servers

    Thanks, I found a solution using the URI resource for the HTTP security server.
    If anyone needs the KB link let me know and I'll post the instructions.
  65. Replies
    6
    Views
    2,774

    Akamai based Servers

    What is the best way to allow traffic through a checkpoint for a server that is Akamai hosted ?? I need to allow access to windows and symantec update servers. Via FTP and HTTP.

    Thanks in advance..
  66. Replies
    17
    Views
    4,374

    Re: Blocking instant messaging traffic

    I wrote an article of this a while ago :

    Denying Instant Messenger Protocols via Policy Based Rules

    I'm not sure how many of these are now Akamai hosted though.
  67. Re: creating a rule for randomly generated ip addresses

    Can you confirm which settings you used? I'm trying to access ftp.symantec.com for which I have had no luck so far ...

    Thanks in advance...
  68. Thread: Auto Connect

    by Felix001
    Replies
    6
    Views
    2,605

    Re: Auto Connect

    OK, I'll give that a shot. Also, has anyone been able to get MEP working with Endpoint Connect?
  69. Thread: Auto Connect

    by Felix001
    Replies
    6
    Views
    2,605

    Re: Auto Connect

    The feature of not creating a tunnel while in the encryption domain I'm cool with. But I would like to have the tunnel automatically connect if I try to access a host inside of that enc domain (is...
  70. Thread: Auto Connect

    by Felix001
    Replies
    6
    Views
    2,605

    Re: Auto Connect

    Interesting, does location aware just decide that you are in the enc domain or not?

    What about the previous link probing that you could use with Secure Client to allow you to connect to the...
  71. Thread: Project Gaia

    by Felix001
    Replies
    82
    Views
    32,605

    Re: Project Gaia

    Clish rocks. The fact you can use the "clish -c" within scripts, obtain previous stats of the box and easily take a backup is really useful.

    Long live CLISH .... ha ha
  72. Thread: Auto Connect

    by Felix001
    Replies
    6
    Views
    2,605

    Auto Connect

    I've just set up Endpoint Connect R73 but even though I have the following settings configured I find when I'm disconnected and I try to connect to a host in the encryption domain it does not try to...
  73. Thread: Project Gaia

    by Felix001
    Replies
    82
    Views
    32,605

    Re: Project Gaia

    Are there any betas of Gaia that I can download and use?
  74. Replies
    2
    Views
    1,726

    Re: IPSO 6.x and HFA

    HFAs are based on the Checkpoint software rather than the IPSO versions.
    R65 is currently up to HFA60 on all software platforms.

    But it is worth noting that there are different Checkpoint R65...
  75. Re: Policy Server does not allow traffic from other Interface

    I'm currently not using SecureXL.
    As for the FW monitor, I can see that the traffic is making it out of the Inbound Kernel (I), so the traffic must be making it to the Policy Server...


    ...
  76. Re: Site Update Connects to wrong IP when using a GW with an Internal IP address

    This was resolved by running the update when connected to the VPN.
    Ongoing probing to a dummy interface was added to ensure the GW IP used was the external IP address.
  77. Re: Policy Server does not allow traffic from other Interface

    I've just checked and both of these options are enabled.
    Any other ideas?
  78. Policy Server does not allow traffic from other Interface

    When trying to pull a policy from the policy server it fails. Everything else though connects without any problems.

    The issue is that My client is trying to connect to the IP address of the Policy...
  79. Replies
    11
    Views
    3,622

    Re: private IP use during Update site :-(

    The Public IP option on the GW Object is slightly awkward due to the way the customers network is setup....

    What puzzles me is .... isn't this the whole point of the Link Selection configuration...
  80. Replies
    11
    Views
    3,622

    Re: private IP use during Update site :-(

    Did you ever resolve this? I am having exactly the same issue with the site update.

    My other thread (which I opened before seeing this is)...
  81. Re: Site Update Connects to wrong IP when using a GW with an Internal IP address

    Thanks for the response.
    I had already looked into this SK but the option was already set to "true" when looking within GuiDBedit.

    Any other ideas... it's odd as it doesn't seem to work as per...
  82. Site Update Connects to wrong IP when using a GW with an Internal IP address

    Currently I'm using Secure Client with a Gateway which is sitting behind another device. The external IP of my Checkpoint GW is being NAT'd by this device.

    I can create the site and connect but...
  83. Replies
    2
    Views
    3,628

    How to read a IPSO Core dump ?

    Does anyone know how to read an IPSO core dump from the /var/crash directory ?

    I have both the vmcore and kernel files.

    Thanks in advance ...
  84. Replies
    4
    Views
    2,295

    Re: Can't configure SIC

    The license key and SIC are 2 different things.

    SIC is for Secure Communication between the gateway and manager.
    The license key is just for the activation of features.

    To enable SIC search...
  85. Replies
    4
    Views
    1,996

    Re: Dual Log Managers

    You can specify that only logs be sent to the log managers, and have to logs being sent or stored on the smart centre server.

    So with 2 log servers configured (on the firewalls) when you...
  86. Replies
    4
    Views
    1,996

    Re: Dual Log Managers

    But where do you tell it which one to point to?

    I see the option in the Non log manager object to "not to save logs locally" and where to forward the logs to. Do you mean you have to log into the...
  87. Replies
    4
    Views
    1,996

    Dual Log Managers

    OK, here's the setup.

    1 Smart Centre Manager is set to log to a primary and backup Log manager. It is set to only log to the backup log manager in the event of a failure. But not save logs locally....
  88. Replies
    0
    Views
    1,346

    Automated Upgrade Export

    I'm currently using the following command with a script to automate the backup of a smart centre server:

    /bin/backup_start all splat-backup

    But after it completes it stops the SIC port 18191...
  89. Replies
    2
    Views
    1,359

    Deleting a single connection entry

    Does anyone know how to delete a single connection/NAT entry from the necessary table?
  90. Thread: HFA50 Issues

    by Felix001
    Replies
    2
    Views
    1,598

    HFA50 Issues

    Has anyone had any issues with HFA50 and IPSO Nokias? I've had so many problems it's untrue.

    I've upgraded loads of systems all without issues. But for some reason have faced loads of issues with a...
  91. Replies
    5
    Views
    1,451

    Re: Showing only one connection Profile

    Ok cool how do you enable it etc........
  92. Replies
    5
    Views
    1,451

    Re: Showing only one connection Profile

    Would this not involve new software (licenses).
    Is there no way to do this with the existing Secure Client ??
  93. Replies
    5
    Views
    1,451

    Showing only one connection Profile

    Currently I have 2 firewall gateways and I have 2 connection Profiles (1 per gateway)
    Each Connection Profile is configured for only one gateway and no backup policy server is set.
    Both Gateways...
  94. Replies
    11
    Views
    5,846

    Re: CBTNuggets and Check Point

    True, but as far as I can see the only nuggets available are for the CCSA.
    The free link I provided was for topics covered within the CCSE.

    Anyway it was just a link. I agree CBT for CCSE would be...
  95. Replies
    6
    Views
    3,924

    Re: R65 or R70 CCSE

    Yer I kinda agree with you. Also I find that not many of my customers seem that eager to upgrade to R70. So even if I get the R70 material plus the CCSE exam passed... I may not even find myself...
  96. Replies
    6
    Views
    3,924

    Re: R65 or R70 CCSE

    Yer true, but how long will it take once the exam is out for the course material to come out as well... ?? It may take some time ...
  97. Replies
    6
    Views
    3,924

    Re: R65 or R70 CCSE

    That's some great feedback, thanks ...
  98. Replies
    6
    Views
    3,924

    R65 or R70 CCSE

    Considering there is only a month left until the R70 CCSE, in people's opinions is it worth waiting for or might you just as well do the R65?

    Are there any differences in the R65 to R70 which would...
  99. Replies
    11
    Views
    5,846

    Re: CBTNuggets and Check Point

    These are free....

    Temet Infomation Security

    felix001 - www fir3net.com
  100. Replies
    10
    Views
    6,295

    Re: SCP backup not working

    Can you not just change where it is backed up to? There is a variable within the backup script which you can change to change the location...
Results 1 to 100 of 156