CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.


First, I hope you're all well and staying safe.
Second, I want to give a "heads up" that you should see more activity here shortly, and maybe a few cosmetic changes.
I'll post more details to the "Announcements" forum soon, so be on the lookout. -E

 


Type: Posts; User: EricAnderson

Page 1 of 4 1 2 3 4


  1. Re: Secure Internal Communication (SIC) Basics

    The use of a secondary/dummy log server is all too common. It stems from the fact that CP leans toward using the "Main" IP addresses of objects for internal communications. It's most often seen when...
  2. Re: Secure Internal Communication (SIC) Basics

    We agree, and I didn't mean to say that SIC does/should break often at all - but we may be referring to slightly different things. It sounds like you're talking about times that you've had to...
  3. Re: Secure Internal Communication (SIC) Basics

    Correct. The points that I would add (or expand on - for the benefit of others):

    SIC can also be established with/from a secondary management server, as long as it's active
    Once established,...
  4. Replies
    3
    Views
    588

    Re: All that's old is new again.

    Yep - that's the one (or at least most common) thing outside of CP that we always point out and prep for when replacing/upgrading/etc. If a client doesn't have access/rights to flush the ARP cache...
  5. Replies
    13
    Views
    1,636

    Re: Upgrade to 80.40

    One important afterthought (before someone else brings it up):

    This changes a bit if/when the customization in question has been at the direction of CP TAC (or other official Check Point...
  6. Replies
    13
    Views
    1,636

    Re: Upgrade to 80.40

    This is also why such changes should be documented. I know that's not traditionally a favorite word among us engineers (or even in our vocabulary), but keeping a folder/document with "non standard"...
  7. Replies
    19
    Views
    9,898

    Re: SmartDashboard on macOS

    I love the idea and applaud the effort. This is, I believe, a large part of why CP has put so much effort into developing/advancing API's.

    I'd be happy to play with it for you, but I haven't even...
  8. Replies
    13
    Views
    1,636

    Re: Upgrade to 80.40

    Info sent.

    If you're only upgrading management devices, then definitely go for it. As always, just make sure you have [good] backups first - and take snapshots.

    -E
  9. Replies
    13
    Views
    1,636

    Re: Upgrade to 80.40

    While you haven't said what version you're coming from, I say "go for it". Loads of new features and enhancements, and minimal fear/risk.

    We've updated numerous clients with very little issue -...
  10. Replies
    0
    Views
    1,442

    SIGRed - a silly little overview

    This post isn't exactly critical, and SIGRed isn't exactly new anymore (in cybersecurity time). However, I figured it may be a good way to start things off here. The only Check Point related aspect...
  11. Replies
    9
    Views
    1,999

    Re: Business case to keep Check Point

    I'm going to try really hard not to go into a full-on rant here...

    Disclaimer: All of this is just from my own experiences/observations/conversations, and therefore somewhat subjective. Your...
  12. Replies
    12
    Views
    2,592

    Re: automated MDS backup

    Nice work, Zimmie (as always).

    -E
  13. Replies
    1
    Views
    1,982

    Re: Logs and Reporting - Views

    If I understand you correctly, I'd think a query string like this should do the trick. You'd just need to replace "Internal_Networks" with a group containing all destinations you want excluded, or...
  14. Replies
    4
    Views
    2,667

    Re: Network Load Balancing Server

    That makes perfect sense. If the server is on the same subnet, Exchange servers will reply directly. You could work around this by NATing the traffic, making the Exchange servers think it's coming...
  15. Replies
    4
    Views
    2,667

    Re: Network Load Balancing Server

    I agree with Zimmie. If your client is coming from the same subnet as the servers, but trying to hit the public IP, you're likely creating a hairpin situation that could confuse things a bit.
    ...
  16. Replies
    4
    Views
    3,242

    Re: Mixing different hardware in a cluster

    Key word in your initial question is "supports". CP will tell you that ClusterXL requires identical appliances and could possibly deny support in your case (but likely would only do so if they truly...
  17. Replies
    4
    Views
    1,382

    Re: Issues with SMS running R80.20M1

    Just for kicks (and possibly a "solution"), can you take a successful export with R80.30 tools?

    -E
  18. Thread: CP1500

    by EricAnderson
    Replies
    6
    Views
    4,708

    Re: CP1500

    Yes, definitely a good forward move - newer hardware/performance/version (anyone else notice the USB-C console port?).

    I'd still love to see these move to a more standard GW code base, while...
  19. Replies
    3
    Views
    1,317

    Re: Problem running Log Exporter

    Are you in CLISH or bash/expert? "cp_log_export" is not a CLISH command and needs to be executed from "expert" mode (bash).

    Seems like I just gave a similar reply a few weeks ago ;)


    -E
  20. Re: Grep won't apply when running fw ctl zdebug + drop

    Don't take this the wrong way, but are you sure you're in export mode (bash)?

    "fw" commands will work from clish, but grep won't.

    -E
  21. Replies
    4
    Views
    1,120

    Re: Web Server Error

    Also verify that both GW's are configured identically - especially as far as routing. Symptoms almost sound like secondary is unable to route packets properly.

    This can be avoided by a...
  22. Replies
    6
    Views
    2,976

    Re: Advanced Upgrade to R80.30

    Glad we could help :)

    -E
  23. Replies
    6
    Views
    2,976

    Re: Advanced Upgrade to R80.30

    I'm not sure what you downloaded, but grab the file from the link I gave (again here). Extract that to a folder and run the pre_upgrade_verifier directly from there.

    -E
  24. Replies
    6
    Views
    2,976

    Re: Advanced Upgrade to R80.30

    Exactly as Tim said. To expand a bit...

    - The command you found is specific to Multi Domain Server (MDS), a much bigger and more complex beast.
    - If you downloaded the correct package, the...
  25. Replies
    3
    Views
    3,739

    Re: GAIA PORTAL WHITE PAGE

    Try the original/older fix...paste this into expert/bash CLI:
    cp /web/htdocs2/js/login.js /web/htdocs2/js/login.js.orig; sed -i 's/if( form.isValid() ){/if( form.isValid()...
  26. Replies
    2
    Views
    7,100

    Re: CCSA R80.10 Student and Lab Manual

    Unfortunately, no. For better or worse, CP has protected the documents and restricted permissions.

    We can discuss reasons/merits, but I will preemptively warn that any posting of copyrighted...
  27. Replies
    9
    Views
    1,751

    Re: VRRP works on which checkpoint version

    Wow - you guys decided to dive right in to the specific use cases, where I just left it at "granularity/control" ;)

    To add to the specific reasons above, one of the cool "old school" uses was to...
  28. Replies
    9
    Views
    1,751

    Re: VRRP works on which checkpoint version

    VRRP was introduced in GAIA (which was introduced in R75.40).

    One of the primary reasons for the introduction of GAIA was to consolidate/replace both SPLAT and IPSO. The goal was to offer all...
  29. Re: First time configuration wizard hanged up

    What browser? Have you tried another?

    -E
  30. Replies
    6
    Views
    1,710

    Re: New install CP Management Server R80.10

    First 2 thoughts:
    - Did you install it as a "standalone" with both management and gateway? If so, try "fw unloadlocal".
    - Are you sure it's done loading/booting? The database in R80.x takes quite...
  31. Replies
    6
    Views
    1,770

    Re: WebUI for FCW not opened

    Or just paste the following into an expert/bash shell of any Gaia device. It fixes the javascript code:

    cp /web/htdocs2/js/login.js /web/htdocs2/js/login.js.orig; sed -i 's/if( form.isValid()...
  32. Replies
    8
    Views
    2,942

    Re: Antispoofing adding static route

    If only I had a nickel for every hour I've spent explaining/teaching anti-spoofing...it's quite capable and simple (once understood), but far from intuitive.

    mdjmcnally is correct, but I'll take a...
  33. Replies
    5
    Views
    2,711

    Re: install R77.30 on Open Server

    Yup (and I don't often say that...I usually stick with "it should").

    For reference, the SK was 122612.

    -E
  34. Replies
    5
    Views
    2,711

    Re: install R77.30 on Open Server

    ^ Beat me to it ^

    Definite case where setting the date correctly will kill it. Notoriously unhelpful failure message, but at least an easy fix (apply newer HFA and re-sign CA).

    -E
  35. Replies
    1
    Views
    812

    Re: Where to get 80.10 trial version?

    New installs are granted a 15-day "trial mode" which allows all features.

    You can find the latest Management release (R80.20.M1) here.

    And the latest gateway-supported version (R80.10) here.
    ...
  36. Replies
    0
    Views
    1,317

    CPX "mini" in NYC?

    Anyone attending this week's "mini" CPX event in New York City? If so, stop by the Netanium / Atlantic Data Security table and say "hi".

    For anyone who wasn't aware, there's more info here.

    If...
  37. Replies
    13
    Views
    4,618

    Re: unable to use clish

    Understood, and completely valid. I didn't mean to imply otherwise.

    My preferred solution is to create a separate account (I like to use "adminbash") that defaults to /bin/bash. For a larger...
  38. Replies
    13
    Views
    4,618

    Re: unable to use clish

    So, you were trying to go from clish >to> bash >to> clish? Definite no-go.

    However, if your default shell is bash, you can launch clish as a secondary shell. Very common/useful for those who...
  39. Replies
    13
    Views
    4,618

    Re: unable to use clish

    I remember there being something about clish lock files in /tmp. Are there files in there? Try deleting (or temporarily moving them elsewhere).

    -E
  40. Replies
    3
    Views
    1,090

    Re: Disable NAT rules using Script

    Can we assume you're on R7x? I believe the syntax you're looking for with dbedit is "rule_adtr"...

    modify fw_policies ##Standard rule_adtr:3:disabled true


    If you were running R80.x this...
  41. Thread: Dual NAT

    by EricAnderson
    Replies
    6
    Views
    2,402

    Re: Dual NAT

    The problem is with this statement:



    How do you know you need something if you don't know what it is? If you could explain why you think you need it we may be able to help.

    -E
  42. Replies
    1
    Views
    1,408

    Re: De-Introduction _ LAF

    Best wishes, and we look forward to your return.

    -E
  43. 2018 CPUG Challenge and the return of CPUGcon!

    2018 promises to be a big year for CPUG, especially with the return of CPUGcon (but more on that later).

    For those attending CPX360 this week (Feb 6-8) in Las Vegas, make sure to stop by the...
  44. Replies
    12
    Views
    3,203

    Re: Anyone attending CPX360 2018?

    So...who else is in (or coming to) Vegas?

    -E
  45. Replies
    2
    Views
    1,428

    Re: The Old Guard at CPX360 Barcelona

    Great meeting you too, Bhav! I always enjoy it when community members come say "hi".

    To everyone coming to Vegas, make sure and stop by the Infinity Scavenger Hunt booth, and attend the sessions...
  46. Replies
    12
    Views
    3,203

    Re: Anyone attending CPX360 2018?

    LOL...I'll stick with Phil Collins.

    Here's one a bit more recent (like a few hours). See if you can identify the others. Hint: we're all members here.

    -E


    Photo credit/blame: Toni...
  47. Replies
    12
    Views
    3,203

    Re: Anyone attending CPX360 2018?

    I will be in Barca and Vegas as well.

    More info will be posted soon (this weekend?) on this year's CPUG Challenge. For now, I'll let everyone know that I'll be hanging out quite a bit with...
  48. Replies
    6
    Views
    1,190

    Re: Something weird with VPN

    I would try this, in hopes of forcing things a bit:
    - Remove VPN option (uncheck box) on cluster and remote GW (will have to remove both from community first)
    - Install policy to both
    - Re-enable...
  49. Re: Intel CPU kernel bug FAQ: Fix for massive security flaw could slow down PCs and M

    Agreed. As incorrect as it may be, Check Point often seems to refer to "open server" as another form of "Check Point appliance". Maybe they see an open server install as assimilating the device,...
  50. Replies
    5
    Views
    6,147

    Re: CCSM exam materials

    What Tim said.

    I still have a few hardcopies that I can heavily discount. However, depending on where you are, shipping may make the e-kit more affordable. Let me know if you're interested.

    -E
  51. Replies
    9
    Views
    4,101

    Re: Hide NAT Address Range

    Correct, IP Pool NAT is not the same thing. Historically, prior to Office Mode, IP Pool NAT was commonly employed for remote users - giving each one's inbound traffic a unique source IP address from...
  52. Re: Intel CPU kernel bug FAQ: Fix for massive security flaw could slow down PCs and M

    Please don't read this as an argument that this shouldn't be a concern. Rather, it's just the perspective of an optimist interested in avoiding unnecessary knee-jerk reactions...

    While I won't...
  53. Re: Goodbye Check Point, hello Guardicore, wish me luck, etc

    Godspeed, Val, and good luck with the new gig.

    -E
  54. Re: Blink - Full gateway installation in 5 minutes

    Very cool! Looking forward to playing...

    -E
  55. Re: Migrate Cluster 77.30 appliance to new 80.10 cluster appliance (Replace)

    Contrary to CP marketing/sales/support, it is entirely possible to add any model of appliance to the cluster, the issue is one of cores (it wouldn't be possible to sync 8 fw kernels onto a box with...
  56. Replies
    25
    Views
    9,261

    Re: R80.10 in VMware

    I hear you, and understand the restrictions (and resulting frustrations). I like the idea of a network-based config as well, and it may even be possible in one way or another with hacks to...
  57. Replies
    25
    Views
    9,261

    Re: R80.10 in VMware

    One word: ISOmorphic

    If I understand you correctly, it should do most (if not all) of what you're looking for. Check SK65205

    While I hate to have to kick people over to SK, since the tool can...
  58. Replies
    25
    Views
    9,261

    Re: R80.10 in VMware

    config_system still works, and can actually be quite powerful when used properly ;)

    -E
  59. Free, EARLY Star Wars: Last Jedi screening

    Located in Boston (MA - 12/14), Buffalo (NY - 12/14), or Rochester (NY - 12/15) areas? Want to see the new Star Wars flick before everyone else - for free?

    While not officially a CPUG event, I've...
  60. Replies
    0
    Views
    1,740

    Sale on certification exams

    In case you'd missed it, Check Point has entered the "Cyber MondayWeek" craze with a 25% discount on certification exams. The code (which is "Cyber Monday") is supposed to be good on CCSA, CCSE, and...
  61. Re: All Objects and Categories disappeared from Objects tab

    Since we're stuck anyway, and have a backup (sort of), how about just deleting the offending object with GUIdbedit? Still works in R80.x as well.

    -E
  62. Re: All Objects and Categories disappeared from Objects tab

    Upon further reflection, I'd definitely give this a shot. If there had been corruption prior to the backup, the corruption would be included in the backup and restore. Export/import does more of a...
  63. Re: All Objects and Categories disappeared from Objects tab

    I have come across cases of R80.x database "corruption". In one memorable instance, any click to enable "HTTPS Inspection" on any gateway would crash SmartConsole.

    One possible workaround (which...
  64. Re: Upgraded from 75.40VS to 77.30 - ARP Issues

    This is a pretty well-documented concept (see sk30197), and the information you've provided is a bit limited.

    A few basic questions/ideas:

    Was your previous setup SPLAT or Gaia?

    Did you...
  65. Re: R80.10 Security Management get interfaces error from Dashboard

    This is expected. _Dedicated_ management servers don't enforce policy, and therefore don't _need_ "topology" defined. It can't be "fetched" because they don't have the same components that gateways...
  66. Replies
    13
    Views
    5,034

    Re: Not responding to arp-who-has

    If the Automatic Hide NAT is fine, and you're seeing the outbound Static's being NATed properly, but not getting replies, then yes, this seems to be an ARP issue, and yes, ClusterXL is a very likely...
  67. Replies
    13
    Views
    5,034

    Re: Not responding to arp-who-has

    But if the Static NAT rules come before the Hide NAT (which they will if they're all Automatic), then even the outbound connections will be source-NATed as coming from their public address. If ARP...
  68. Re: Smart Console 'Unable the connect server'

    One thing to keep in mind is that R8x management servers take considerably longer than prior versions to initialize/boot, especially on under-powered systems. How much RAM does this system have?
    ...
  69. Replies
    2
    Views
    4,652

    Re: Smartlog slow to return results

    I think the first question you'll get from most is about the hardware specs. Yes, SmartLog can be very fast to return results, even with your numbers. However, running on under-powered gear can...
  70. Re: Trying to extract but it does not look like its working

    Are you positive the file is intact? Did you maybe transfer it via non-binary FTP?

    Maybe try gunzip, just to see if you get a .tar as a result? (should just be "gunzip [filename]")

    You can...
  71. Replies
    9
    Views
    3,919

    Re: Eliminate non-UTF-8 encoded chars

    Did this recently with a client. SK111111 details the grep command that will find the "offending" characters.

    I believe the "sem" files are the database copies used by SmartEvent. Just made the...
  72. Re: Upgrade from R77.30 JHFA 216 to R80.10 not working

    Thanks, Ofer, and you're welcome. Always happy to help further the cause!

    -E
  73. Re: Migrate policy from r77.30 to r80 management

    That's a great and timely question, that unfortunately has many possible answers - none of which are perfect in every case.

    I'll give a quick nod to odumper. It's quick and efficient, but dated...
  74. Replies
    3
    Views
    9,470

    Re: ISOmorphic download

    Anyone with a support account on Check Point's site.

    I'm not sure what access/contract level is required, but you can find the file here.

    It's inappropriate/illegal to distribute Check Point...
  75. Re: InfoView does not work on Windows 10 or 2012

    This has been mentioned multiple times in this thread, but I'll try to expand/clarify...

    The WebUI and CLI are used to access/configure the operating system. In most cases (nowadays), you're...
  76. Re: InfoView does not work on Windows 10 or 2012

    Well, you're finally getting very close. :)

    What the above tells you is that the current software (as opposed to operating system) administrative account is "fwadmin". That is what you should be...
  77. Re: InfoView does not work on Windows 10 or 2012

    First, this thread has gotten waaay off-topic. Please create a new thread (or threads) for questions that are unrelated to infoview.

    Second, many of the questions you've been asking would be...
  78. Re: Connectivity with VPN service is lost - Checkpoint

    First, welcome to the community!

    Second, you're using a pretty dated version of the remote access client. Is there a reason? Have you tried a newer client?


    While it's a rather...
  79. Re: InfoView does not work on Windows 10 or 2012

    You need to remember that the Gaia operating system is separate from the Check Point software. The accounts used to log into the CLI and WebUI (to administer the OS) are not necessarily the same...
  80. Re: InfoView does not work on Windows 10 or 2012

    Another simple oldie-but-goodie trick is to use cpconfig.

    Simply type cpconfig from the CLI (either clish or bash/expert) and observe the menu options available.
    - If there are options for...
  81. Re: InfoView does not work on Windows 10 or 2012

    ** Please don't just re-post what was in the original request.

    That said, are you positive you're running the latest version? I've just re-downloaded and installed/ran fine on Win10. ...
  82. Re: "ERR_CONNECTION_REFUSED" error is displayed in web browser when connecting to Gai

    First question I like to ask: What do the logs tell you?

    I instill in my students that the logs can often save you from a bunch of fruitless troubleshooting. Especially for the beginner, they're...
  83. Re: Can someone explain the sub-section and Inline layer concept with CP R80.10

    Good to hear. Thanks for the confirmation!

    -E
  84. Re: Upgrade from R77.30 JHFA 216 to R80.10 not working

    Yes, basically WebUI = CPUSE (now). The "old" method is now called "Legacy" in the WebUI. No? Just make sure CPUSE has been updated (SK in prior post).



    Ran into [what may be] a similar...
  85. Re: Upgrade from R77.30 JHFA 216 to R80.10 not working

    Maybe it's just me, but from the statement you boldly quoted, I would assume that if R80 to R80.10 requires CPUSE, then older versions can't do it any other way either. The only mentions of R7x SMS...
  86. Re: Weird issue faced while moving/migrating management server

    No idea what happened, but as I read through the steps you performed I was waiting for the mention of "migrate export/import". That is by far the way I would recommend for migrating a management...
  87. Re: Upgrade from R77.30 JHFA 216 to R80.10 not working

    Just to add to the confusion...

    - I built a new/clean MDS with R77.30
    - I did not create any CMA's
    - I mounted R80.10 ISO
    - I ran linux/p1_install/mds_setup script
    - I got the exact same...
  88. Re: Upgrade from R77.30 JHFA 216 to R80.10 not working

    Woooah...I don't "agree" with the logic either (if it's even true). I'm not trying to excuse CP for not accommodating an empty SMS, but figure out how it could have been missed (if it even has...
  89. Thread: tacacs

    by EricAnderson
    Replies
    2
    Views
    1,591

    Re: tacacs

    Just to cover our bases, if you're referring to adding them within SmartConsole (instead of Gaia), you'll find both object types under:
    More, Server, More...

    -E

  90. Re: Upgrade from R77.30 JHFA 216 to R80.10 not working

    While I agree that this should work, it's at least possible that it won't due to the somewhat illogical/unrealistic scenario. In production, either an existing MDS would have at least one CMA, or,...
  91. Re: Upgrade from R77.30 JHFA 216 to R80.10 not working

    I have a bit more of a fundamental question: Why are you using EA release? 394 was pretty late in the process, but I'm pretty sure there were MDS limitations with some EA releases (can't find...
  92. Re: R77.30 First time Configuration wizard is stuck in VMware workstation

    Glad to hear it! Don't underestimate the "hunger" of R80 management ;)



    Forget that book - it's trash (just kidding!)

    Actually, Tim is known (rather well) around here as ShadowPeak. You'll...
  93. Re: Can someone explain the sub-section and Inline layer concept with CP R80.10

    LOL. If I didn't know him personally, I'd seriously wonder if he was a "bot".



    We've been installing R80 for management for new customers for about a year. That was driven primarily by not...
  94. Re: Can someone explain the sub-section and Inline layer concept with CP R80.10

    But...after a few years, aren't you supposed to trade your spouse in for a newer model? ;)
    (not that she'll read this, but I'm actually happily married for many years, and not shopping)

    I...
  95. Re: Can someone explain the sub-section and Inline layer concept with CP R80.10

    What, me? Verbose? Never. I'm also never sarcastic (or use parentheses).

    I'll definitely admit that I can ramble on a bit, especially when I get passionate and excited about something (there...
  96. Re: R77.30 First time Configuration wizard is stuck in VMware workstation

    What browser are you using? I've definitely seen similar issues, and I seem to remember resolving with a different browser (usually Chrome).

    -E
  97. Re: Can someone explain the sub-section and Inline layer concept with CP R80.10

    Let me just take this opportunity to clarify a few things that I've seen a bit of confusion over...

    Layers are not a new thing, not even to Check Point - what's new is calling them "Layers". In...
  98. Re: Can someone explain the sub-section and Inline layer concept with CP R80.10

    A couple of quick notes...
    - As Phoneboy indicated, the action of Rule 5 would not be Accept or Drop, but rather to fire the "blason's Approved Apps" layer (or whatever name you give it)
    - Access...
  99. Replies
    12
    Views
    3,616

    Re: R80.10 performance on standalone 4200

    In response to the OP, while 4200's can run standalone (pre-R80), it's never really been an ideal situation.

    All of the performance specs given for any gateway devices are based on them being run...
  100. Replies
    12
    Views
    3,616

    Re: R80.10 performance on standalone 4200

    In spite of cciecec2006 venting his frustrations (understandable as they may be), let me welcome you, Gilad.

    While some may take your presence here as an opportunity to vent frustrations, I'd like...
Results 1 to 100 of 366