CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.



Type: Posts; User: Dom2201


  1. Replies
    20
    Views
    6,582

    Re: 80.10 problems on ESXi 6.5

    Hi Zimmie,

    do I have to reload the GRUB, because I have tried this on a 80.10 and I don't see the boot messages.

    If I have to reload the GRUB, do you know the commands I need to use?

    (I have...
  2. Replies
    20
    Views
    6,582

    Re: 80.10 problems on ESXi 6.5

    Hi Zimmerman,

    thank you for the hint, can you explain to me how to disable the "quiet boot option".





    Thanks
  3. Re: Outlook365 traffic is getting dropped, on R80.10

    HI,

    maybe you should open a case. If the problem already exists.

    Greezt
  4. Replies
    6
    Views
    1,305

    Problem solved!!

    Hi everyone,

    so I had a case with checkpoint support to clarify this problem.

    It turns out, that the SmartConsole has some issues, the technician could rebuild this problem in his environment. ...
  5. Replies
    3
    Views
    1,168

    Re: Site2Site between 2 Cisco ASA

    Ok,

    thank you for your comment.

    Actually I made 2 Star Communities, for every ASA one Star Community.

    I will change this and try again. So Checkpoint divides 2 Star Communities strictly...
  6. Replies
    3
    Views
    1,168

    Site2Site between 2 Cisco ASA

    Hi everyone,

    I am doing some learning Labs and I have a question to a special scenario. Maybe it is easy, but I am not able to get the solution.

    This is my Lab environment:



    - HQ is...
  7. Replies
    20
    Views
    6,582

    Re: 80.10 problems on ESXi 6.5

    Hi, this worked? If yes it is a great „easy“ solution.



    Sent from iPhone using Tapatalk
  8. Replies
    6
    Views
    1,305

    Confirm Policy Override Question/Problem

    Ok I will do this and write the solution, if there is one. ;)
  9. Replies
    6
    Views
    1,305

    Re: Confirm Policy Override Question/Problem

    I don’t think this is correct, because the object (Icon) is only one of my Gateways. The name of the object is not the cluster object name. It shows only SG2, and not CLUSTER (how I named my cluster...
  10. Replies
    6
    Views
    1,305

    Confirm Policy Override Question/Problem

    Hi,

    I have a question, and maybe a problem.

    In my test environment I have a distributed deployment with gateways running on ClusterXL.

    If I want to install a new Policy Package the warning...
  11. Replies
    4
    Views
    2,389

    Re: wiered r80.10 error when pushing policy

    Hi,

    I had a similar problem too, with the contract information for IPS on my Gateways

    The solution was, to go on the gateways and use the "cpconfig" tool, to fetch the License and the...
  12. Replies
    20
    Views
    6,582

    Re: 80.10 problems on ESXi 6.5

    I don't understand the question. I opened the file /boot/grub/menu.1st and added this line acpi_mcfg_max_pci_bus_num=on.

    p.s. the file was empty as I opened it.

    But by the way, I don't think...
  13. Replies
    20
    Views
    6,582

    Re: 80.10 problems on ESXi 6.5

    I tried several things on my ESXi 6.5 but I couldn't find something to downgrade the VM.

    Now I made a snapshot of the "problem VM" and import it to a new R80.10 VM container without upgrading the...
  14. Replies
    20
    Views
    6,582

    Re: 80.10 problems on ESXi 6.5

    I added the line (acpi_mcfg_max_pci_bus_num=on) you suggested in the /boot/grub/menu.1st file. But no changes at bootup.
  15. Replies
    20
    Views
    6,582

    Re: 80.10 problems on ESXi 6.5

    Where can I find this file?

    No I didn't try this. But I didn't want to change this "deep" settings. In my opinion if checkpoint says that they support ESXi 6.5 then it has to run without changing...
  16. Replies
    20
    Views
    6,582

    80.10 problems on ESXi 6.5

    Hi everyone,

    I had some boot up problems with a checkpoint r80.10 on a ESXi Server 6.5.

    Now I want to tell you my problem and how I fixed it.


    I made several installations on my ESXi...
  17. Replies
    2
    Views
    1,536

    Re: VPN IP renew 900 seconds

    Thank you for the help. Your explanation make sense to me ;-) I had not thought about this.

    Topic closed


    Sent from iPhone using Tapatalk
  18. Replies
    2
    Views
    1,536

    VPN IP renew 900 seconds

    Hi

    I have a question, is it possible to change the IP Address renew (release) from 900 to an other value?

    Because when I log in to my testlab I see in the logs the following entry for the...
  19. Replies
    2
    Views
    3,769

    Re: Let's encrypt with Checkpoint

    Yes maybe it is easier, but for security reasons I should offer a real Certificate from a trusted CA to the people who wants to connect to the Gateway.


    Sent from iPhone using Tapatalk
  20. Replies
    2
    Views
    3,769

    Let's encrypt with Checkpoint

    Hi,

    has anybody experience with Lets encrypt certificates and checkpoint firewalls?

    Is it possible to Implement a Lets encrypt certificate for the VPN and VPN Portal?

    Greetz
    Dom
  21. Replies
    4
    Views
    1,166

    Re: NAT Issue DMZ INSIDE

    Problem solved.

    It was on the one hand the global properties of the Proxy Arp, and on the other hand a routing problem ... and the routing problem was on the router, not on the firewall itself....
  22. Replies
    4
    Views
    1,166

    Re: NAT Issue DMZ INSIDE

    HI

    I Changed the Rule order, but no effect. Maybe some Problem with Proxy Arp or something like that?
  23. Replies
    4
    Views
    1,166

    NAT Issue DMZ INSIDE



    Hi I have a serious problem and I don't know how to fix it.

    The following picture shows my testlab.

    Here my Problem:

    Like the Picture shows, I have a DMZ with a Server. This Server...
  24. Re: Upgrade Gateway from r77.20 to R77.30 not possible

    Hi everyone, the problem is solved.
    In former times Checkpoint created a Special Hotfix only for our scenario. The hotfix was about IPv6 dhcp relay for the r77.20. the problem is that this hotfix is...
  25. Replies
    7
    Views
    4,259

    Re: Delete old tgz files from /var/log/CPda ?

    So i have the solution for my issue.

    I talked to checkpoint and they said as the most of you, that I shouldn't delete any files of this folder.

    In the R80 versions it is possible to delete...
  26. Replies
    7
    Views
    4,259

    Re: Delete old tgz files from /var/log/CPda ?

    I thought it would be possible, but in 77.30 I can't delete the files from the webGui. The option "delete" is not displayed if I right click on the package.



    Sent from iPhone using Tapatalk
  27. Replies
    7
    Views
    4,259

    Re: Delete old tgz files from /var/log/CPda ?

    Is it possible to delete old files in the /downloads folder? Because now there are 2 same update files on the machine. One in the download folder and one in the /var/log/


    Sent from iPhone using...
  28. Replies
    7
    Views
    4,259

    Re: Delete old tgz files from /var/log/CPda ?

    OK, the problem is that I want to save space on the VMs and I don't need the repository uninstall feature again.
  29. Replies
    7
    Views
    4,259

    Delete old tgz files from /var/log/CPda ?

    Hi,

    I updated a Managementserver from r77.20 to r77.30. and installed a JumboHotfix.

    To save space on the Managementserver I want to delete old files.

    Does anybody know if the files ind...
  30. Replies
    4
    Views
    3,190

    Re: 5500 Appliance LOM not working

    Hm ok, thank you @abusharif you are right. Unfortunately we bought the Appliances without LOM card.

    So the problem is solved ;-)

    Thanks to everybody!



    Sent from iPhone using Tapatalk
  31. Replies
    4
    Views
    3,190

    5500 Appliance LOM not working

    Hi I have a small issue to the checkpoint 5500 Appliance.

    https://uploads.tapatalk-cdn.com/20170527/9bf78281d45222d83a96f63788d0cc0b.jpg

    In the picture I uploaded there is (2) a Lights Out...
  32. Replies
    4
    Views
    1,829

    Re: Easy VPN at Checkpoint?

    Ah thank you now I get it... so I will do my best and try it ;)
  33. Replies
    4
    Views
    1,829

    Re: Easy VPN at Checkpoint?

    I am sorry, but I can't find any answer to my question with this link.

    In the link you posted, they talk about certificates and not about Site2Site VPN tunnels with dynamic addresses...
  34. Replies
    4
    Views
    1,829

    Easy VPN at Checkpoint?

    Hi

    Does anybody know if Checkpoint R77.30 VPN Blade supports something like the EASY VPN configuration like the Cisco asa does?

    Because I need to connect a small office (ASA) with no static IP...
  35. Replies
    4
    Views
    15,615

    Re: 156-215.80 CCSA R80 Exam study materials

    Hi

    I don't know if you are German, but if you need some good material to study in German language my favorite book is CHECKPOINT VPN-1 from Yasushi Kono
    ...
  36. Replies
    17
    Views
    16,873

    Re: Firewall Policy Achitecture and Best Practices

    I have another useful suggestion.

    I like to name my objects as follows:

    h-<Name> for Host Objects
    hg-<Name> for Host Groups
    net-<name> for networks
    ng-<name> for network groups

    So if you...
  37. Replies
    3
    Views
    1,488

    ASA behind CP 77.30 for AnyConnect User

    Hi I have question,

    I want to implement a Checkpoint Firewall and behind the Gateways I want to use a Cisco Asa for the remote access VPNs.

    Has anyone some experience for me, is there something...
  38. Re: Upgrade Gateway from r77.20 to R77.30 not possible

    Yes the problem I was faced is that my former colleague did something with this Gateways and I don't know what. I think he upgraded them from 70 to 77 in former days, but he did no documentation of...
  39. Re: Upgrade Gateway from r77.20 to R77.30 not possible

    Hi
    Thank you for your hints,

    So finally I had a remote session with a checkpoint technician. He succeeded in uninstalling one of the Gollum Hotfix. (This was a hotfix for IPv6 DHCP Relay fix)...
  40. Upgrade Gateway from r77.20 to R77.30 not possible

    Hi everyone,

    I've got a problem.
    I want to upgrade my Gateway Cluster from R77.20 to R77.30.

    But I always get this error message when I try to install the Upgrade:

    [Expert@GW:0]#...
  41. Re: Check Point introduces new licensing model. Again

    Hi,

    is there a new License Guide available? I only got the Checkpoint License Guide from 2012. I need a newer License Guide to check out what my company needs.
  42. Re: Simplified VRRP error: delta would be too large when backup address is added to V

    Hi Jejerod,

    thank you for the answer, I read the rfc too, but it was not so easy for me to understand. But with your description I get the point!

    Best regards

    Dom
  43. Re: Simplified VRRP error: delta would be too large when backup address is added to V

    Hey I found a useful hint to the case.

    I made a few tests and a few calculations and figured out something:

    Priority delta x Number of virtual IPs <= 254

    20 x 11 = 220 :-)
    20 x 12 = 240 ...
  44. Simplified VRRP error: delta would be too large when backup address is added to VRID

    Hi everyone i have a question about a checkpoint sk article. The article sk39123 describes a behaviour of the simplified vrrp configuration and the priority delta.

    Sk39123:
    "Symptoms
    When...
  45. Replies
    10
    Views
    4,163

    Re: VPN and VRRP Cluster

    Perfect, then I figured out the mechanism :-)

    thanks varera and everyone who helped me.

    :-D
  46. Replies
    10
    Views
    4,163

    Re: VPN and VRRP Cluster

    I configured the GW-Cluster with a sync interface where the GW1 and GW2 are directly connected.
    When I tcpdump the sync connection I see ccp packages, so maybe they synchronize due to vrrp.
  47. Replies
    10
    Views
    4,163

    Re: VPN and VRRP Cluster

    Yes I think my vpn peer (securepoint) is the problem. I try to test an other vpn product for my lab.



    I choose the VIP to establish the tunnel, but maybe the 3rd party device is the problem.
    ...
  48. Replies
    10
    Views
    4,163

    Re: VPN and VRRP Cluster

    The failover works properly how it should be. I think my "interoperable device" (my vpn peer) is not working properly. I will test it with some other vpn-peer products to verify my case.
  49. Replies
    15
    Views
    4,899

    Re: Multicast Forwarding

    The fact is that we trust in the hint of the checkpoint support. I think they got a reason why we should disable it and not only set to "detect". The problem is we produce the firewall and ship it to...
  50. Replies
    15
    Views
    4,899

    Re: Multicast Forwarding

    Yes, we need the igmp for our Checkpoint vrrp Cluster. The sk97872 was the official hint of checkpoint support, so we have to do that.
  51. Replies
    15
    Views
    4,899

    Re: Multicast Forwarding

    Hi,

    We've got the same problem too, with multicast traffic and cisco devices. The solution from the Checkpoint support was the use of sk97872. This article is about to disable antispoofing on...
  52. Replies
    10
    Views
    4,163

    VPN and VRRP Cluster

    Hi everyone,
    I've got a question about the default behaviour of a VRRP Cluster and VPN Connections.

    I have 2 CP 77.20 in a vrrp cluster to the outside and the inside Network. Now I made some...
  53. Thread: Helpful Blogs

    by Dom2201
    Replies
    0
    Views
    2,132

    Helpful Blogs

    Hi Everyone,

    here I want to post a few websites I really like:

    http://firewalltipss.blogspot.de/

    https://blog.lachmann.org/

    http://expert-mode.blogspot.de/
  54. Replies
    8
    Views
    3,326

    Re: NTP Config with VRRP Cluster

    Ok, this seems to work. I tested this solution and you are right.

    But this means that Checkpoint make an implicit natting with everything what comes from the GW Members. Due to security reasons (to...
  55. Replies
    8
    Views
    3,326

    Re: NTP Config with VRRP Cluster

    Hi,

    yes I think you are right ccie* . Change the Default GW from the NTP is not a good idea.

    Every packet that comes from any Member of my Cluster has the VRRP Cluster IP Address. So the Passive...
  56. Replies
    8
    Views
    3,326

    Solution=> NTP Config with VRRP Cluster

    Found my problem....

    the Gateways are communicating with the correct source to my NTP-Server (192.168.1.200)
    (ip route get 192.168.1.200 shows the correct source IP from the Gateway)

    But my...
  57. Replies
    8
    Views
    3,326

    NTP Config with VRRP Cluster

    Hi everyone,

    I've got a problem. Here are my stats:

    I am using a Checkpoint r77.20 GW Cluster in VRRP Mode.
    A NTP-Server is running in my environment and it is reachable.

    I configured...
Results 1 to 57 of 57