I'm using the curl_cli command to fetch the ccc script onto Check Point machines.
Example:
CPUG: The Check Point User Group
Resources for the Check Point Community, by the Check Point Community.
First, I hope you're all well and staying safe.
Type: Posts; User: danjun
Thanks for bringing this to my attention. I improved the code and implemented a better checking routine in version 2.0
I really hope they'll extend support for R77.30 as well. Many critical functions, such as SmartWorkflow, are not yet available in R80.10 and also not planned for R80.20 to come....
I always thought of having a simple Bash script that would allow me to run common Check Point CLI tasks without having to crawl for command cheat sheets, bookmarks, google, manuals, knowledge...
I just created a CheckMates thread for CPX360 2018:
https://community.checkpoint.com/thread/5946
Summary: The 1400 Embedded Appliance wasn't in charge. I am not surprised. If you expect enterprise behaviour from a SMB appliance, at least give it a chance and provide it with an enterprise...
The printserver is a feature of Check Point's UTM-1 Edge appliances. I removed this feature from the 1100 Appliance FAQ. Thanks for pointing it out.
You might want to read our article about the different methods of Web Visualizing R80 policies that we published in November 2016.
The English version as translated by Google can be found here.
I was referring to unnumbered interfaces, not unnumbered virtual tunnel interfaces (VTI).
Hi,
does someone have an idea why I'm getting all these !IP address mismatches on my SmartCenter for my VSX cluster for each and every Warp connection? Is this because of unnumbered interfaces? And...
To show end users that Check Point's HTTPS inspection actually looks into the otherwise encrypted website, I'd like to find a best practice for capturing an SSL website's unencrypted headers and...
Check Point's 1100 appliance series doesn't yet have a successor model listed on their Support Life Cycle Policy > Appliances Support.
I created a 1400 Appliance FAQ you might want to follow.
http://techblog.esc.de/1400-faq-logo.png
Author: Danny Jung
Want more Check Point info? Read our tech blog!
http://techblog.esc.de/esc_logo.png
Q: What's the official product site ?
Don't change your shell! Create a scpuser.
add user scpuser uid 2600 homedir /home/scpuser
set user scpuser shell /usr/bin/scponly
set user scpuser password
save config
Want more Check...
Try a more recent firmware.
Like R77.20 HFA 11.
Hi experts,
instead of capturing fw monitor data to a file with the -o option, I'd like to know if there is a way of directly piping it to Wireshark (through an SSH tunnel etc.)?
We got it working...
We'd like to buy the PDF for use in our company, but the credit card payment doesn't work. Is there another way of paying? Btw, does the PDF use Adobe DRM?
CCSM - Check Point Certified Security Master
This highest level of certification exam #156-115.77 is available at VUE test centers today!
Check Point Certified Security Master is Check Point's...
We held a session and attended with two or three people at CPUGcon 2015 in Munich.
Best regards,
Danny Jung
http://techblog.esc.de/esc_logo.png
Taken from the Check Point 1100 Appliance - FAQ:
Q: How can I create a custom boot script ?
A: sk65015 describes a solution where a custom userScript can be created that will be loaded after each...
It was originally numbered 156-215.76 in April/May 2013, then got renumbered to 156-215.13 on May 30th, 2013 and now back again to the original numbering.
This is a public static FAQ. Please reply only if you have something interesting to add. For anything else please open another thread.
Yes, it is replacing the SG80 and the UTM-1 Edge at the same time.
The 600 series replaces the Save@Office models and cannot be managed centrally by a Check Point SmartCenter Server.
@Barry: I'd...
http://techblog.esc.de/1100-faq-header.png
Author: Danny Jung
Want more Check Point info? Read our tech blog!
http://techblog.esc.de/esc_logo.png
Q: What's the official product site ?
Good day,
I assume that both your Check Point R75.10 Firewall/VPN gateway and your branch offices are managed centrally via your Check Point Firewall Management and within a VPN...
A customer is trying to implement domain objects, which is working quite well. The customer is aware of the impact this can cause to his firewall and knows about Check Point's Best Practice Guide for...
On your SmartCenter server, edit $FWDIR\lib\implied_rules.def
and change #define ENABLE_TUNNEL_TEST to //#define ENABLE_TUNNEL_TEST
Then add a normal firewall rule via SmartDashboard that allows...
We removed 'tunnel_test' from implied_rules.def and defined it explicitly, which solved the issue.
What's a good firewall management recovery procedure?
I just updated a standalone firewall from R65 HFA_40 to HFA_70. After rebooting the firewall works as before, establishes VPN tunnels and everything but it reports itself as disconnected in...
Is there a CLI command to show the interface topology of all Check Point Network Objects as configured in SmartDashboard?
fw tab -t management_list | sed '4!d' | sed 's/[^0-9a-f,]//g' | sed 's/,/\n/g' | sed 's/\(..\)/0x\1 /g' | xargs -r -n 4 printf '%d.%d.%d.%d\n'
Ok it seems that the Media Encryption exam is the hardest one to get for your CCEPA certification.
I studied, tested and trained myself so much on ME.. but it's not enough to reach the 70%...
Hi, I'm searching for some Check Point slides that cover VPN topics in general. Traditional Mode vs. Simplified Mode, Site-to-Site VPN vs. RemoteAccess VPN, IPsec based VPN vs.RemoteAccess VPN,...
CCEPA here I come ;)
60 questions, 90 minutes, 70% required to pass. Probably the second easiest Endpoint security exam. You need to know the courseware by heart and must have almost no practical...
CCEPA here I come ;)
80 questions, 90 minutes, 70% required to pass. Probably the easiest Endpoint security exam. As always you need to know the courseware and must have a bit of practical...
I figured out that tunnel_test doesn't seem to work (at least I don't see it in SmartView Tracker). When I permanently ping through the tunnel it stays connected. When I stop pinging the VPN tunnel...
When setting up R70 for new customers I started to recommend using the new Endpoint Connect VPN client instead of the old SecureClient. These customers just use the normal IPsec routines of their...
So how?
What about this way:
http://img694.imageshack.us/img694/1007/want.png
Hello,
I'm just preparing a Load Sharing cluster. The licenses are not there yet so everything is running in trial mode (15 days). I checked ClusterXL and Load Sharing (Unicast). Everything...
I need your help. Just upgraded a R55 firewall to R70. Simple NAT rules, identical in both firewall versions.
Simple network:
WAN: 90.90.90.0 / 24 eth0
DMZ: 80.80.80.0 / 24 eth1
LAN:...
Endpoint Connect seems to work just fine under Windows 7. However, I'm missing the possibility to change between my "VPN connection profiles". This is essential to me. I'm asking myself which VPN...
Just install expect for Microsoft Windows and change the script to Windows-format (i.e. create a batch file .bat). That should be really easy and just take you two minutes.
URL: Expect for Windows
Hello,
Check Point says that Connectra delivers native support for Citrix environments.
A customer runs two Citrix Servers and is connecting from the LAN to them via a Citrix Client. No use of...
Hi,
I have a Nokia IP390 IPSO 4.1 NGX (R62) UTM-1 running that I want to upgrade to IPSO 4.2 build 096 NGX (R65) HFA_40 Power. How would I do that and how can I check if UTM or Power is...
I just installed R70 for SecurePlatform onto a new server. Enforcement Module, SmartCenter Server and Endpoint Server all on one system. https://ip-of-server-in-testlab works ok. Now I change the...
Hello,
I'm just writing a script which shall connect via SSH to all centrally managed UTM-1 Edges to process automated commands. At first the script needs to read out the external IP's of all...
Just change the static IP address assignment in your Edge object to a dynamic one. Then take your Edge offline. You gateway will not and cannot send any packets because it doesn't know the IP of...
There is little detail provided here on why someone needs to administrate 250k hosts. Where is this large number of hosts coming from? Does it ever change or are these static IP's that never change?
Again, please read the UTM-1 Edges FAQ carefully.
You don't do your job right if you want to handle ALL (and you even wrote it in big letters) or ANY ports. That's not what the security business is...
NGX (R65) HFA_40 adds support for the major firmware version 8.x
NGX (R65) HFA_40 brings in all the functions that come with NGX (R70).
Both, NGX (R65) HFA_40 and NGX (R70) come with libsw version...
I would read the UTM-1 Edges FAQ and then configure a simple port mapping like this and avoid all the NAT complications:
http://img23.imageshack.us/img23/4452/natvsmapping.png
This is just an...
Thorpuse is right. Just enter cpconfig at the Linux box and delete the admin account. Create a new admin account with a new password. You won't lose your SmartCenter configuration by recreating...
I cannot extend the UTM-1 Edges FAQ anymore as I reached the above limitation.
How does a SecuRemote/SecureClient user connect to an UTM-1 Edge that has a dynamic IP address? Of course, creating and connecting to the VPN site (for example: cpug.dyndns.org) works.. as long as...
sk37232
Copy & paste.
Nah. Check Point now even supports the new 3G Edges in R70. You can also add this manually to your current SmartCenter as sk36189 describes.
http://img18.imageshack.us/img18/8362/sofaware3g.png
CPX2009 in Paris is nearly over. Lots of talk about upcoming products. The Software Blades, R70, SmartProvisioning, SmartWorkflow, Abra (SWS on a USB stick), SSO Endpoint Connect. The first day was...
Hello,
we recommend an update to NGX (R65). Support for NG (R54) already expired last year. Check Point recommends to all customers "Please upgrade to a supported...
Hello again,
my first link contained Check Point's clear statement on
Policy installation fails when non-ASCII characters are used in a rule name or anywhere else
Product: VPN-1...
Hello,
your assumption is quite correct. Umlauts and special characters are not supported by Check Point. Even quite officially. Check Point's Secure KnowledgeBase contains the following on this...
We don't have a forum for SofaWare's Safe@Office appliances here. SofaWare runs a forum here.
Mhh. I would solve the overlapping encryption domains first, really.
Then I'd open guidbedit and set 'ike_use_largest_possible_subnets' to false.
Afterwards I'd set the VPN community to...
The easy way:
Step 1: Set up your firewall and VPN rules in simplified mode using VPN communities
Step 2: Choose a client 'gui_client' that shall connect to the Web-based management GUI of your...
Exactly what our UTM-1 Edges FAQ says. Edges only handle up to 100 Security Associations (SA's). So always check "One VPN tunnel per Gateway pair" to keep the used SA's as low as possible. Uncheck...
Just set the system clock back to the date at which you installed the system. ;)
Hmm. Never tested this.
What I would do is to set this up on a Safe@Office box with the help of the SofaWare Chat supporters. (They will only do this if you are using or pretend to use a Safe@...
I'm using an extension cable as well. Works like a charm. There is not much that can go wrong extending the antenna.
I just would like to provide a solution in my UTM-1 Edges FAQ for this kind of request. I can't since I have no access to an iPhone. If I could get it to work with a testing firmware I'm sure one...
I would love to try this out and get it to work. Too bad I don't have an iPhone. I think I could manage something out since I can ask the programmers to make adjustments to the firmware for a test.
First I would need to know if the enterprise site was really not configured on your Edge anymore. From what I have seen the vpn enterprise site was always part of the exported configuration. A...
Sounds like an overlapping encryption domain. Is your Edge centrally managed?
What you could try is to:
1. Configure the VPN tunnel locally instead of centrally
2. Change the LAN network for a...
I just noticed that the answer to hotice_'s question was already part of my UTM-1 Edges FAQ. ;)
Q: My UTM-1 Edge says it's successfully connected to a Service Center. It receives new policies but...
What do you mean by this?
Did you fully reset or just refresh the service center connection? Because what Thorpuse described is a reset. So it should have helped you.
Usually you would just...
Hrmm. Oh well, something is set up a bit strange here. The official recommendation is that your syslog server is located at the internal network of an Edge for debugging. Even if your Edge gets...
Have you tried all the debugging options as described in our UTM-1 Edges FAQ?
What did the debug log tell about the connection loss?
A new major firmware update (8.0.35) got released a month...
If you talk about performance and speedy downloads.. UTM-1 Edge is not for you. Edges are embedded devices. They don't have anything built inside that gives you high performance. Edges are...
The latest firmware is 8.0.35
Update your libsw files and your firmwares to this version.
Hello all,
has anyone of you had any experience yet setting up endpoint security in more advanced environments (5000+ remote users)? I mean with SmartCenter HA and everything. Distributed...
People always shout at Edges while they never take the time to understand how everything works. I don't recommend using Nokia IP40's at all. ;)
See update posted above. This is an old issue/behaviour I encountered with older versions as well. Maybe it's by design of the product.
Get some hands-on training and blame Nokia, not me.
The latest firmware release from the 7.0 series is 7.0.52, which Check Point offers for download. These versions are not even supported anymore.
It really shouldn't have any impact replacing the...
Just go to Services > Connect and uncheck the Service Center connection. Next > Next > Finish. Connect the IP40 to the Service Center again and everything should be fine. You should have an IP or...
What? I didn't say a word about Customer Management Add-Ons (CMAs) <- I even had to Google it to understand what your abbreviation means. Are you talking about Provider-1 and centrally managed...
Wrong forum and read the FAQ before opening such threads that are already answered.
Q: While using a centrally configured security policy my UTM-1 Edge appliance behaves like the local default...
ATTENTION!!
There is a slight issue I encountered on nearly every UTM-1 Edge that was updated to 8.0.35. The DMZ port assignment was lost. This causes address spoofings in the security log as...
You can grab it directly from Check Point.
Firmware Version 8.0.35x
Firmware Version 8.0.35a for ADSL
8.0.35 libsw for Linux and Solaris
8.0.35 libsw for Windows
SofaWare has just released a new major firmware version 8.0.35 to the general public.
Make sure to read the Embedded_NGX_8_GA_ReleaseNotes.pdf (General Availability Version) carefully for all the...
Hi,
a customer bought a SCPRO (SmartCenter Pro) license for his SCS.
The SCS is a single primary SmartCenter Server NGX (R65) HFA_02 running on SPLAT. The installation says it's a UTM...
There seem to be problems establishing VPN phase 1 (IKE). Just put VPN into debug mode and see what goes wrong there.
Hi folks,
I'm just investigating on the following scenario:
An old SmartCenter Server NGX (R60) needs to be replaced by a new one, based on NGX (R65). Everything has to be created from scratch,...
Hello,
we have a Nokia firewall cluster (Nokia IP Clustering with Loadsharing). The SmartCenter Server (SCS) broke and I coded a new one from scratch (NGX R65). How can I establish the SIC and...
A service provider manages the Check Point firewall environment of his customer.
The firewall environment consists of a HA-cluster (enforcement modules) and a single firewall management (SmartCenter...
A map would be easier ;)
INTERNET
-----|
-----| WAN (Edge, external address)
|----|---------------------------------------|
|--------------------------------------------|...
I just chatted with Wendy from SofaWare about this. Here is the transcript:
Wendy: Hello Danny
Danny: Hello Wendy
Danny: Can SmartDefense be disabled on a locally managed Sofaware appliance?
...
You can't turn off SmartDefense on your UTM-1 Edge. So you have to find a configuration that won't cause an Anti-Spoofing error message. Please explain us a little more how you set up your...
Hello,
I just wanted to install NGX (R62) or NGX (R65) right from the original CDs on a new HP ProLiant DL365 server. 2GB RAM, 1.8 GHz AMD CPU, 2x 72 HDD, Gigabit Interface card. Installed just...
Advanced Technical Reference Guide NGX (R60) - May 11, 2006 - ATRG-NGX.pdf
Advanced Technical Reference Guide NG - December, 2001 - ATRG-NG.pdf
Advanced Technical Reference Guide NG AI - Revision:...
Solved. The implied rules had to be deactivated.
You can define an exposed host, sure.