CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.



Type: Posts; User: NetworkNubbin


  1. Replies
    8
    Views
    2,927

    Re: Per-flow throughput limitations?

    Well... Juniper is handling 100Gbps flows, Check Point is, uh... much less. Not sure we're allowed to disclose actual numbers. I was hoping there'd be an official number somewhere

    Use-Case is just...
  2. Replies
    8
    Views
    2,927

    Re: Per-flow throughput limitations?

    Packet mix is IMIX - just FW today. Not really interested in troubleshooting (think I've done this once or twice..), looking for official single-flow performance numbers. We're doing a bakeoff...
  3. Replies
    8
    Views
    2,927

    Re: Per-flow throughput limitations?

    Hey,

    This device is in a lab, no other traffic other than what's being sent via IXIA/Spirent. If I test with a single flow (IMIX), I'm seeing less than 1Gbps sustained throughput. I can of course...
  4. Replies
    8
    Views
    2,927

    Per-flow throughput limitations?

    Hello,

    I'm running some benchmarks and seeing some relatively low per-flow performance on our 61k. We've got 4x SSM and 4x SGM 260's if it matters.

    What kind of throughput should we be able to...
  5. Re: View Sync state from command line (Provider-1)

    That's perfect, thank you serlud :)
  6. View Sync state from command line (Provider-1)

    Hi everyone,

    I could have sworn this was possible, however I haven't been able to figure out/remember how to do it today...

    I want to see whether or not a CMA pair is fully synchronized, or if...
  7. Re: Checkpoint Top Talkers Script - Display top 50 Source/Destinations

    Looks like I should have dropped this into Scripts/Tools. Barry, would you mind moving it?

    Thanks!
  8. Checkpoint Top Talkers Script - Display top 50 Source/Destinations

    Hi everyone,

    I figured I may as well drop this here as well. It'll allow you to find the chattiest hosts on your network for whichever protocol you like.

    Expert Mode: Checkpoint Top Talkers...
  9. Replies
    25
    Views
    12,132

    Re: Security Power calculator

    Still haven't heard anything unfortunately :\
  10. Replies
    3
    Views
    1,999

    Re: Binary data in the cpd.elg

    Yeah, I'm definitely in the second category. If I ever do run debugs, I use a script that disables log_rotate automatically, so I dunno. Still no answer

    I think the SK you were looking for was...
  11. Replies
    3
    Views
    1,999

    Re: Binary data in the cpd.elg

    Bit of thread necro, but this is happening to me on at least two pairs of UTM clusters on different versions of 75. It's not just relegated to CPD though, vpnd has also been afflicted by it....
  12. Replies
    3
    Views
    1,516

    Re: SPLAT (R7x) on RHEL KVM?

    I actually had a few issues getting it up and running (source for .img's were on DMRAID), but they were all resolved by switching the "Disk Bus" section to SATA.

    Hope that helps :)
  13. Replies
    2
    Views
    2,597

    Re: R70 Upgrade Troubles

    Hey guys,

    I know this is a bit of thread necro, but this happened to me tonight going to R70.50 from .30/.40. Figured this could possibly help someone else out:

    Expert Mode: Upgrade to R70.50...
  14. Replies
    2
    Views
    1,456

    Mismatched FW/MGMT versions

    Morning everyone,

    Here's the hypothetical situation:
    Firewalls are at R71.40
    CMA/CLM are at R71.20

    No issues are currently occurring.

    What are the possible repercussions of this scenario?
  15. Replies
    0
    Views
    1,524

    CMA Export Script moving to CMAs

    This is a really simple (but useful) one:

    Expert Mode: CMA Customer Export Script

    Enjoy! :)

    Edit:: If you are able to submit RFE's, please check out sk33067 and push for this. It would be a...
  16. Replies
    8
    Views
    3,047

    Re: R70.40 to R71.40 Upgrade

    That doesn't look fine at all.

    You've got 'about to install 'x', but no 'installing <x> product...doesn't look fine to me at all.

    Also, why is FWM not running?
  17. Replies
    8
    Views
    3,047

    Re: R70.40 to R71.40 Upgrade

    They will be in your install CPInstLog directory (/opt/CPInstLog) - look at the relevant one.

    If FWM is down, you'll never be able to login to dashboard...
  18. Replies
    8
    Views
    3,047

    Re: R70.40 to R71.40 Upgrade

    Is FWM up and running...?

    What did the install log say - did you get any errors or oddities?
  19. Replies
    5
    Views
    2,405

    Re: Fiasco with R75.10 SmartEvent

    Hey Valeri,

    I had this issue a 'long' time ago...I would have thought it would be fixed by now with the new GUI's.

    Check out sk32689 (may want to check with support first).

    Granted if this...
  20. Replies
    2
    Views
    2,045

    Re: Etherchannel on SPLAT

    Hey Valeri,

    I assume you mean Bonding (as mentioned above - It's not Cisco!)? :)

    I use it everywhere possible when dealing with 2.6 and above. It was a little sketchy on the 2.4 kernel, however...
  21. Replies
    11
    Views
    3,243

    Re: Differences R70 / R71 CCSA

    Congrats
  22. Re: What is your personal gain from having CP certification?

    I suppose :)
  23. Re: What is your personal gain from having CP certification?

    Aww...I thought that was the only benefit of having a CCMA...oh well.

    Most job opportunities seem to just be looking for CCSE - for the amount of time investment required it seems to pay off...
  24. Re: What is your personal gain from having CP certification?

    We both get 'expert' access out our CCMA's for free :)

    Other than that, I can't say that having any one of CPs certs (I suppose I have all of them now...) has ever hurt me when competing for work;...
  25. Re: R71.40 upgrade with WEBUI...on splat..Failed.....

    Sounds odd - if it's failing to extract it may be an issue with your gtar.

    Can you install it via cmd line instead? :)
  26. Re: USB CD emulating flash drive under development.

    A bunch of us have started using a Zalman product that lets you boot any ISO you want off an SSD/HDD

    It's awesome :)

    ::: Zalman, leading the world of Quiet Computing Solutions :::
  27. Replies
    4
    Views
    2,861

    Re: Can't configure AntiSpoofing on VSX

    ++

    Unfortunately if you do it that way you can't manually define anti-spoofing :(
  28. Replies
    4
    Views
    2,546

    Re: Like New R70 CCSA/CCSE Courseware

    Hmm... He quoted you the price in the OP. If you send him your address he'll be able to determine the cost of shipping.
  29. Replies
    4
    Views
    2,861

    re: Can't configure AntiSpoofing on VSX

    That's normal IIRC - checkout sk32500
  30. Re: Packets drops during policy installation on Power-1 9070

    RxIntDelay=1024 should be in your modprobe.conf along with the buffer size increases. Also, you should be increasing your Tx ring in addition to your Rx ring
  31. Re: Policy install fail without detail error

    They are able to run the same debugs as you can. They would receive the same error if they had.

    As to why it didn't originally show up, I don't think I have a reason. I've seen the behaviour...
  32. Re: Packets drops during policy installation on Power-1 9070

    Increase your Int delay as well.

    Bond your interfaces to increase the buffers further and assist servicing, but other than that, my original statement stands. It's not unexpected.
  33. Re: Policy install fail without detail error

    Oh...that 'was' the error...

    If you've got a rule hiding another rule (as the error suggests), you can't install the policy.

    That's it.

    The other user made a bogus rule. Don't worry about it.
  34. Re: Policy install fail without detail error

    Can you clarify what the error is you're seeing using the superuser account?

    Have you tried doing an fwm load / fw fetch in debug mode to get more details?
  35. Re: Packets drops during policy installation on Power-1 9070

    I don't think you're being realistic at all...but you can think what you want.

    Either way, let's not further derail this thread.
  36. Re: Packets drops during policy installation on Power-1 9070

    Are you saying that each VS has 5000 rules or each VS has 500 rules?

    The databases are completely separate on VS. Each VS having 500 rules is still 'high' for VSX (you should be able to do better...
  37. Re: Packets drops during policy installation on Power-1 9070

    I'm going to have to respectfully disagree. A single firewall cluster is not the solution to manage this size of rulebase. This is where VSX and/or separate clusters and/or P-1 needs to be deployed....
  38. Re: Packets drops during policy installation on Power-1 9070

    From the information you've posted, I don't see this being unexpected at all.

    You can probably increase the ring descriptors on the interfaces (as well as IntDelay) to compensate for the lack of...
  39. Replies
    9
    Views
    3,148

    Re: Iphone L2TP with R75

    Not a really useful one, but you could always supernet :)
  40. Replies
    4
    Views
    2,584

    Re: UTM-1 http performance

    I came back because I forgot to post this :)

    toffen -> easiest way to 'visualize' possible L1/L2 drops would be to write a really quick script to poll 'netstat ni' every second.
    Can try something...
  41. Re: Migrate Security Management Server from Windows to Splat

    That's pretty out of date, and at no point even mentions running 'upgrade_import' on the new SPLAT SCS...

    Realistically, any way you do this, you're going to have to reset SIC on the FW's and this...
  42. Replies
    4
    Views
    2,584

    Re: UTM-1 http performance

    What blades are enabled on the 270?

    Are you 'sure' CPU is low? Can you paste the output from 'top' during an upload?

    I'm betting it's probably an interface buffer issue if you aren't pegging...
  43. Replies
    4
    Views
    2,555

    Re: OSPF Configuration question

    I may be misunderstanding something - but you want to inject a route into OSPF that you currently don't have configured on your firewall/ isn't in your routing table from someone else injecting in?
  44. Re: [Urgent] Nokia IP clustering makes Internet Slow

    That's your choice really.

    1) Yes, go to MR3 regardless
    2) This is just a test. Don't leave your cluster in single-member state :)
    3) This would resolve the 'forwarding' bug as well, however for...
  45. Replies
    9
    Views
    2,703

    Re: R70.40 Backup Issues

    SFTP/SCP is the way to go generally :)
  46. Replies
    4
    Views
    2,079

    Re: Dynamic/Advanced Routing Solution?

    You said nothing about S2S VPN's :)

    This is totally doable with VTI's, and is actually quite simple if you already know OSPF.
  47. Re: [Urgent] Nokia IP clustering makes Internet Slow

    I should also note that there is another similar issue which can be caused by misclicking ClusterXL during the initial configuration of the cluster.

    Make sure the number of interfaces you're...
  48. Re: [Urgent] Nokia IP clustering makes Internet Slow

    Well, that's your problem right there.

    There are known bugs within forwarding mode that didn't get fixed until MR3 (build 055). Switching to multicast/unicast should resolve the problems if you...
  49. re: Advanced upgrade with R71.40 - plugin errors

    :(
  50. Re: Cluster Nodes Not Responding but not failing over

    Oh, and we haven't tried downgrading, so I'm not sure about version specificity. We're on R75.10 as well.
  51. Re: Cluster Nodes Not Responding but not failing over

    For Security's sake I can't divulge exactly what the issue is until I have a fix, but the gist of it is relating to DCE-RPC packets and a specific protection.

    Disabling IPS should prevent the...
  52. Re: [Urgent] Nokia IP clustering makes Internet Slow

    There are some known issues with certain clustering modes.

    What version of IPSO are you running?


    uname -a

    What mode is the cluster currently in? (Multicast/Unicast/Forwarding etc)

    Also,...
  53. Re: Cluster Nodes Not Responding but not failing over

    There is a known issue with dce-rpc/dcom that is causing FW's to panic when in R75.

    Until we have a fix for it we can't route it back :)
  54. Re: Cluster Nodes Not Responding but not failing over

    @ ShadowPeak - I don't miss that issue at all :)

    As for the OP, I'm not sure if TAC has had you drop into kdb to gather a trace or not, but it will eventually get to that point.

    Have a look at...
  55. Re: Sr. Security Engineer for Charlotte, NC -- Check Point R65 !!!

    She was actually quite quick to respond via PM.

    Thanks though Barry :)
  56. Replies
    6
    Views
    2,383

    Re: IP650 with IPSO 4.0

    Also, I'm surprised you found this forum without knowing about Check Point. If you check the banner of the website you'll notice that this is the 'check point user group' :)

    Check Point - Security...
  57. Replies
    6
    Views
    2,383

    Re: IP650 with IPSO 4.0

    It's definitely not free :)

    You can still install R60 (maybe R62) on it without issues. The 650's can still push a decent amount of traffic.
  58. Re: Cluster Nodes Not Responding but not failing over

    Just curious, are you running any DCE-RPC/DCOM/EPM through the Firewall?

    And if so... what version of Windows Server are you using?

    We're having similar crashes on one of our clusters. It's...
  59. Replies
    6
    Views
    2,383

    Re: IP650 with IPSO 4.0

    Generally speaking you need to install Check Point on it for Hide/Static/IP Pool NAT :)

    HOWEVER

    There is an extremely limited NAT built into IPSO which you can access under Config -> Routing ->...
  60. Replies
    11
    Views
    5,445

    Re: VPN site-to-site on R75 issue

    I figured it would be routing :)

    As for the 'how to run kernel debugs', all of the basic/useful ones can be found in the Advanced Technical Reference Guide 'or' if you can find a copy of the CCSE+...
  61. Replies
    11
    Views
    5,445

    Re: VPN site-to-site on R75 issue

    Oops, forgot one thing :

    Since you're using ICMP to bring up tunnels (bad idea), you should probably check your global properties ICMP settings (First/before last/last etc).

    Try using something...
  62. Replies
    11
    Views
    5,445

    Re: VPN site-to-site on R75 issue

    Well, we probably need a bit more information, but a good start would be:

    1) Verify routing. The packets may be leaving the completely 'wrong' interface (and your FW monitor filters may have been...
  63. Re: Sr. Security Engineer for Charlotte, NC -- Check Point R65 !!!

    You've got a PM :)
  64. Re: SmartEvent mail unreadable with Lotus Notes

    Hi phlegm,

    I know of a colleague who had the same issue (actually lots of issues with Lotus Notes / MAPI in general) that were all resolved simply by upgrading to the latest version of LN.

    I'm...
  65. Re: Baffling connection problem between SCM and FW-1 gateway management interface

    Yup. This is what we usually end up doing. Managing CP externally (or even just on a different subnet) isn't as intuitive as it could be...
  66. Replies
    5
    Views
    2,209

    Re: Setup VLAN 1 IP address on ClusterXL

    sk44084 has your answer
  67. Replies
    11
    Views
    3,243

    Re: Differences R70 / R71 CCSA

    You should try CCSA/CCSE R65, or heaven forbid the CCMA written exam. *That* was the worst written exam ever :)
  68. re: VRRP Multicast logs not coming on smartcenter server

    Well, VRRP is definitely broken. Your master thinks it's alone.

    It isn't receiving any hellos from the backup (tcpdump confirms this):

    From the Master:
    Rx Advertisement: 4...
  69. re: VRRP Multicast logs not coming on smartcenter server

    Alright - let's forget logs at this point.

    Did you collect the tcpdumps I asked for?

    Can you provide the same logs during a problem state?

    Also, cphaprob -i list isn't showing SYNC as a...
  70. Replies
    5
    Views
    2,463

    Re: Management HA - Secondary Management

    If you say so :)
  71. Replies
    4
    Views
    1,575

    Re: Routing Issue

    Definitely check the route back. Also, since it sounds like you own the networks between the hosts, start running tcpdump/snoop/whatever on the hosts between and see where the failure is occurring.
  72. Replies
    6
    Views
    1,950

    Re: Install fw1_HOTFIX_FLO_HF_HA40_744

    Mcarey - check the sk for e75 - it has the links to the appropriate fixes.

    In addition to what petter said, it is important to verify any fix post-reboot.

    To do this you're going to have to be...
  73. Replies
    6
    Views
    3,115

    Re: Taking R71 exam 156-315.71

    He specifically asked for "exam dumps"....
  74. Replies
    6
    Views
    3,115

    Re: Taking R71 exam 156-315.71

    Really?

    You're coming to this forum to ask how to cheat on the exams, which will only result in lowering the value of our already attained certifications?

    Wow.
  75. Replies
    5
    Views
    2,463

    Re: Management HA - Secondary Management

    It sounds like you've installed Firewall on the secondary SCS...

    If you run 'fw stat' what is the output from the secondary SCS?
  76. re: VRRP Multicast logs not coming on smartcenter server

    Are you looking to troubleshoot the 'missing' logs (do you really *want* to log VRRP hello's?)

    Or

    Are you looking to see why both devices are entering backup state?

    Before enabling FW-1...
  77. Re: Checkpoint CCSA NGX R65 or R70 Exams No Longer Available ...?

    Testkings :)

    The lifespan of CP code is actually rather long (5 years since initial release). See:
    Check Point Enterprise Support Lifecycle Policy | Check Point Software

    They will always try...
  78. Re: Getting into CLI on Windows 2003 Server!

    You'll probably want to open a command prompt and navigate to the bin directory within %FWDIR% to execute most of the FW commands.

    NLB is right though - use SPLAT :)
  79. Re: Installing IPSO 4.2 after installing IPSO 6.2

    That's not true at all. You can directly upgrade from 4.2 to 6.2 without issues. You'll need to be careful about which CP packages are enabled before you try this (and ipfw for that matter), but the...
  80. Replies
    4
    Views
    2,079

    Re: Dynamic/Advanced Routing Solution?

    Policy based routing is what you're looking for. The implementation is going to depend on what platform you're using as gateways (SPLAT/IPSO/XOS)
  81. Replies
    4
    Views
    2,357

    Re: CCMA looking for work in North America

    I am indeed. However I don't have much desire to go work for CP directly (especially sales).

    Thanks for the offer though :)

    Cheers,
    NN
  82. Re: R65 NGX HFA 60 Smartcenter - New hardware

    if CP processes aren't running when they should be you should be checking on them via
    cpwd_admin list

    If you notice that some of them don't have any PID's associated with them, start them with...
  83. Replies
    4
    Views
    2,357

    Re: CCMA looking for work in North America

    Wow. I'm not sure what to say.

    Thank you for the glowing endorsement cciesec, truly.

    BR,

    Edit:: If you do ever manage to convince HR, please do let me know :)

    Cheers,
  84. Re: 2011-03-20 Looking for a Network Security Engineer in Missouri

    Not sure what else to say other than 'lol'.

    Good luck getting a combined CCSE/CISSP/CCNP for
    Rate Range: $30.00-$39.00Hr

    :\

    Edit: Oops, they also want "VSX Certification Expert Required"
  85. Replies
    4
    Views
    2,357

    CCMA looking for work in North America

    Morning everyone,

    I am on the hunt for my 'perfect job', and am curious what kind of opportunities currently exist for someone with my specific skill set.

    I'm currently a resident of Canada,...
  86. Re: Script for IPSO/VRRP: Switch VRRP-Master > Backup

    I've written up a similar one of these before...it's not too difficult.

    There are easier ways of doing this however.

    What are you trying to achieve with the script?

    An easier way if you are...
  87. Replies
    2
    Views
    1,663

    Re: Looking for Network/Firewall engineer

    You've got a pm :)
  88. Replies
    5
    Views
    2,680

    Re: Proxy Arps

    Hey Lammbo, I've been beating that dead horse for days now...for the time being it's not going to happen (don't even ask why...)

    Just a quick question about proxy arps -> will the ISP router even...
  89. Replies
    5
    Views
    2,680

    Proxy Arps

    Morning everyone,

    I have a simple question to a problem I'm not entirely sure I understand;

    For the example let's say I have three nodes;
    A) A host in my DMZ with an externally routable IP -...
  90. Re: Network Security Engineer - Open Permanent Position in North Switzerland

    While I've never thought about living in Switzerland, the fact that Varera works with you intrigues me.

    Please send me any details you have available via PM.

    Also, as a side note, I just...
  91. Sticky: Re: Panic When SecureXL and NAT Are Used and a Malformed Packet Is Received

    This isn't related to what PhoneBoy posted. There are at *least* two ADP issues I know of in build 096, as well as there being another known SecureXL issue that is resolved in build 105.

    I've got...
  92. Re: change Standalone mode to distributed mode, "cpconfig"

    Just curious, but is this still supported by TAC in R65/R70? Just tested the commands and they seem to work but...TAC always says fresh install :)
  93. Replies
    4
    Views
    2,686

    Re: Policy Based Routing In Nokia IP560

    Also since you are doing NAT, keep in mind that source based routing takes effect before NAT. Most people try and use the NAT'd IP's for this (doesn't work- all traffic will leave the default route)....
  94. Re: Blocked FTP Commands: how to allow other commands not in list?

    MLSD being blocked is actually a known issue. You'll have to request a hotfix from TAC re fix number: 00504752

    Cheers,
  95. Replies
    1
    Views
    2,061

    Re: Command:MLSD was blocked

    There is actually a hotfix for HFA_60. You'll need to request this from TAC :)

    Edit for fix number:00504752
  96. Replies
    2
    Views
    1,623

    Re: DB Synchronization Error

    That's normal :)

    On average it will take up to 2 hours to complete sync.

    Are you still experiencing the issue now?
  97. Re: My company looking for Checkpoint Engineer

    If you wouldn't mind, could you email me the details of your job posting? Cheers,
  98. Re: Gatineau/Ottawa - IT Security Analyst (Check Point)

    Just curious, but are you still looking for someone to fill this job?
  99. Replies
    5
    Views
    4,587

    Re: What to Expect: CCMA Written Exam

    Thanks for the encouraging words :)

    I was (pleasantly) surprised by the amount of IPS-1 related questions. Technical details on specific attacks was not what I was expecting at all.

    My lab is...
  100. Replies
    5
    Views
    4,587

    Re: What to Expect: CCMA Written Exam

    Point well taken. I do apologize for how I came off there. Guess it was a lot to ask :)

    Either way, missed the written by 3 questions unfortunately. Got a few of FP3 migration questions and some...
Results 1 to 100 of 102