CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.


Type: Posts; User: laf_c


  1. Replies
    1
    Views
    928

    De-Introduction _ LAF

    Hi guys,

    About 4 years after we met here, I am taking a break. I just changed my role and company and there's no CP box here, believe it or not.
    I would like to personally thank each and...
  2. Replies
    8
    Views
    1,030

    Re: Hide NAT only half working

    Let's also see

    fw monitor -e "host(10.10.10.5), accept;" -p all
  3. Replies
    8
    Views
    1,030

    Re: Hide NAT only half working

    I would also bet on this idea: traffic not returning to the firewall.
  4. Replies
    8
    Views
    1,030

    Re: Hide NAT only half working

    If the pool IP sits on a connected interface you need to set up a proxy ARP entry, install policy again and you are done.
  5. Replies
    4
    Views
    962

    Re: SIP - the other side of one of the fences

    Someone is still passionate about Cisco's Security line of products : )). Now do you know if Cisco really intends to move on with a FW centralized mgmt also?
  6. Re: DPD configuration between checkpoint and fortigate

    sk97746 gives some info about it, but honestly I can't find any method to ENABLE DPD on CP (as transmitter) unless you use IKEv2.

    L.E. ikeV2 between Fortigate 5.4.5 and CP R77.30 can give you some...
  7. Replies
    1
    Views
    644

    Re: Local domains in IPSEC between CP and AZURE

    We need to see the errors you receive and also the config being used before anything else.
  8. Replies
    14
    Views
    1,645

    Re: VPN with 3rd party ASA

    I am not following here. What's the difference between star and mesh community as long as there are only TWO VPN_endpoints?
  9. Replies
    14
    Views
    1,645

    Re: VPN with 3rd party ASA

    We just want to make sure you configured this right!
    Let's take three networks:
    - A aka your local network
    - B aka your local network being SourceNAT to whatever public IP
    - C aka your remote...
  10. Replies
    16
    Views
    4,382

    Re: Check Point "e-kits"

    I am fairly new with CP (about 4 years), but I don't think it's the first time they take some controversial decisions (remember licensing?).

    But for me, it's what it is. A weird vendor with good...
  11. Re: Checkpoint to Fortigate IPSEC tunnel (SPIs being deleted)

    Actually it doesn't sum up to 0.0.0.0/0 but only to the group of subnets I set up as either source or dst.
    Still, the way it deals with them when building the SPI differs. I'll ask Fortinet TAC support...
  12. Re: Checkpoint to Fortigate IPSEC tunnel (SPIs being deleted)

    First time you build Phase2, if you make no change you end up with 0.0.0.0/0 as proxy ID. If I do IPSEC with another Fortigate I usually leave it like this as I always use route-based tunnels.
    Now...
  13. Re: Checkpoint to Fortigate IPSEC tunnel (SPIs being deleted)

    After 4 months of continuous site-to-site packet loss I see the light on this.
    CP support needed about 9 weeks to be able to say that: partner VPN endpoint is deleting SPIs hence the degradation of...
  14. Replies
    7
    Views
    1,338

    Re: Anyone interested in scientific research?

    Please add me on your project list as head of testing team. I am able to coordinate a team of highly skilled people on this field.
  15. Re: Checkpoint to Fortigate IPSEC tunnel (SPIs being deleted)

    Fortinet came back to me today, suggesting to enable DPD on both sides.

    I read sk97746, but I honestly missed the point: since Fortinet does send DPD messages is it enough to enable DPD responder...
  16. Replies
    16
    Views
    3,808

    Re: OSPF Route-based VPN questions

    I had set up this 2 years ago: VPN ENC domains are empty on all route-based FWs. I was lucky that I started from scratch so I could test and tweak without any time pressure.

    FW rules state as 1st...
  17. Replies
    5
    Views
    838

    Re: Route Based VPN VTI configuration

    I configured something similar 2 years ago and nothing since then so I had to review the config:
    - tunnel ID is significant for the two peers that establish the tunnel.
    - here's how I have it...
  18. Re: Checkpoint firewall can't reach tacacs servers-> logs show allowed

    How the heck do you know that many tricks? ARE you a CP instructor?
  19. Replies
    13
    Views
    2,823

    Re: R80: object explorer: unused objects

    To sum up things, if an organization does not USE Automatic NAT rules and upgrades to R80, then it's safe to delete all unused objects?
  20. Replies
    4
    Views
    871

    Re: Changing hardware for R77.3 gateway - HELP

    Yet another enticement to do advanced routing with CP boxes : )) - thanks for sharing this tip, mate!
  21. Re: Checkpoint to Fortigate IPSEC tunnel (SPIs being deleted)

    This is gold, thank you sir!
  22. Replies
    7
    Views
    1,620

    Re: Slow SSL VPN Reason

    Why is that? Is it because of the Software client or Hardware poor performance/optimization on SSL tunneling?
  23. Re: Site-to-Site VPN Checkpoint behind Firewall/ NAT

    Can you maybe detail a bit your exact scenario?
  24. Replies
    4
    Views
    864

    Re: Which Command Is This

    Did you look over fw monitor?

    Here are some quick examples:

    fw monitor -e "src=109.166.141.125 or dst=79.41.67.186 or dst=172.16.151.95 or dst=109.166.141.125, accept;" -o /var/log/fw_mon3.cap...
  25. Re: Checkpoint to Fortigate IPSEC tunnel (SPIs being deleted)

    I had a 90' remote session with Fortinet TAC today. After getting rid of Level 1, this engineer performed a full head-to-tail scenario inspection just in case I missed something like interface line rate,...
  26. Replies
    6
    Views
    2,138

    Re: So I tried loading pfSense on a 4600

    What I can tell you: many years ago I set up a site-to-site between two pfsense VMs.

    Both VMs were using the same NIC, labeled external, and no matter what I did the VPN was down. Then I found out that if...
  27. Re: Checkpoint to Fortigate IPSEC tunnel (SPIs being deleted)

    1) We have three Fortigate clusters: 2x 100D and 1x 60E. I can't call a 100D SOHO, but I'll ask Fortinet support about any limitation.

    2) I have disabled DPD on the 60E and I have disabled on 100D...
  28. Re: Checkpoint to Fortigate IPSEC tunnel (SPIs being deleted)

    Nope - both sides are using PSK. Where did you get that cert issue?
  29. Re: Checkpoint to Fortigate IPSEC tunnel (SPIs being deleted)

    Any idea if vpn debug on mon command can be used on R77.30 or newer? I just tried it but didn't work.

    I also attached the ike.elg file 1344 and captured traffic after deleting the "trouble...
  30. Re: View internal network traffic with a Checkpoint T110

    Try enabling Netflow configuration, then try a 30 day Netflow aware product and this should be enough for your "temporary" problem.
  31. Re: Checkpoint to Fortigate IPSEC tunnel (SPIs being deleted)

    Seems I cannot download it; I asked the case owner to give me more info and maybe the document.

    I'll keep you posted, guys!
  32. Re: Checkpoint to Fortigate IPSEC tunnel (SPIs being deleted)

    I am not sure what each setting does, but we currently have all options ticked but ike_send_initial_contact.

    Will this help significantly?
  33. Re: Checkpoint to Fortigate IPSEC tunnel (SPIs being deleted)

    vpn debug was collected by CP TAC about 1 month ago - for the record this is now a 2 months old case - I'll try to find it on the case attachments.
    Until last week we ran on traditional mode on the...
  34. Re: Checkpoint to Fortigate IPSEC tunnel (SPIs being deleted)

    I just uploaded the capture file along with the cookie/enc keys.

    Tunnel gets established and traffic is flowing back and forth. It's just some of the traffic 1-2% is being dropped....
  35. Checkpoint to Fortigate IPSEC tunnel (SPIs being deleted)

    Hi guys,

    We're now on our 3rd Fortigate cluster being deployed. All three clusters are running 5.4.5 (FortiOS) and are connecting to DataCenter where Checkpoint 5400 using R77.30 sits.

    All...
  36. Replies
    8
    Views
    9,519

    Re: How to use LOM interface on CP 12600

    I put it behind our VPN concentrator - thanks for the follow-up.
  37. Replies
    8
    Views
    3,200

    Re: Check Point debugging GUI

    Was this developed by CP TAC? Who's behind this?
  38. Re: IPSec VPN - Site To Site - all session resets time to time

    To override what the Checkpoint thinks it should send for Phase2 negotiations, edit the appropriate user.def file.
    sk98239 covers which file to use.
    sk108600 Section 1 covers off how to force...
  39. Re: IPSec VPN - Site To Site - all session resets time to time

    This is tricky but can be solved. What vendor exactly does your VPN_peer use? You better ask him for Phase2 config then we can act upon it.
  40. Replies
    3
    Views
    3,492

    Re: R77.30 Upgrade to R80.10

    First of all did you update already your mgmt. server?
  41. Replies
    8
    Views
    3,754

    Re: IPSec VPN - Unknown SPI for IPSec packet

    fwaccel off - and see how this goes? What's your current load on the FW?
  42. Replies
    8
    Views
    3,754

    Re: IPSec VPN - Unknown SPI for IPSec packet

    I would check Smartview Tracker to see what's the exact proposal each equipment sends/receives. As mentioned this is about ENC/HASHING parameters.
  43. Replies
    8
    Views
    9,519

    Re: How to use LOM interface on CP 12600

    Ok, I now found time to read this short sk.
    Now before I enable this - is anyone using it? If YES, what's the setup?

    I am concerned this LOM is not firewalled, meaning it doesn't have its own...
  44. Replies
    8
    Views
    9,519

    Re: How to use LOM interface on CP 12600

    Hi guys,

    I looked over that LOM Guide, but I couldn't find anything about:
    - how to set up the IP address from CLI (lomipset is pretty vague)
    - how to see status/link of LOM interface from CLI
    -...
  45. Re: Can someone explain the sub-section and Inline layer concept with CP R80.10

    This is similar to guys getting married: things go very well for them and they hope things will stay the same after it.
    Take away message: if you're married get R80, if not let it mature then we will...
  46. Re: IPSEC tunnel see Phase1 and Phase 2 details from CLI

    Yep, I used -fr and it resulted in method ID 533. What is this supposed to mean?
  47. Re: IPSEC tunnel see Phase1 and Phase 2 details from CLI

    That's way better than I hoped.
    Now where can I find out more about the methods:

    15:42:20 6x.4y.6z.6 > : (+); PeerGW: 6x.4y.4z.4; ,Methods1: 533; ,Methods2: 2;
  48. IPSEC tunnel see Phase1 and Phase 2 details from CLI

    Hi guys,

    Any chance I can see details about negotiated Phase 1 parameters from CLI?
    I have a site-to-site between two internally managed CPs and want to find out what are the NEGOTIATED...
  49. Re: How can I advertise all directly connected routes VIA OSPF without using a route

    Here's what I found out on GAIA r77 Advanced routing guide:

    Configuring Route Redistribution - WebUI
    Route redistribution allows routes learned from one routing protocol to be propagated to...
  50. Replies
    6
    Views
    1,885

    Re: Newbie Question - What Does Prob Stands For?

    cphaprob state

    Cluster Mode: High Availability (Revert to Primary cluster member when possible) with IGMP Membership

    Number Unique Address Assigned Load State

    1 (local) ...
  51. Thread: VoIP question(s)

    by laf_c
    Replies
    19
    Views
    1,817

    Re: VoIP question(s)

    That's a thing I did NOT know. Thank you!
  52. Thread: VoIP question(s)

    by laf_c
    Replies
    19
    Views
    1,817

    Re: VoIP question(s)

    How exactly can you see this? I mean the drops?
  53. Re: encryption failure: wrong peer gateway for decrypted packet (vpn error code 01)

    I think you simply need to put in more details and config screenshots if you seek any help.
    Next to that, what's your scenario a config request or an incident aka it worked until one day?
  54. Replies
    11
    Views
    1,999

    Re: Upgrading Check Point 1490 cluster

    I am willing to bet many dollars that the moment CP adds cluster upgrade with one click, aka one image upload to the cluster, they'll boost this feature as the product of the year.

    Shame on you CP...
  55. Replies
    20
    Views
    7,350

    Re: BGP Failover Time

    To sum up this story, was this a bug or a missing feature you enabled after reboot?
  56. Replies
    20
    Views
    7,350

    Re: BGP Failover Time

    Here's what I would try: run a sniffer on both units for TCP/179 and paste what you see there.
  57. Replies
    20
    Views
    7,350

    Re: BGP Failover Time

    Let's see :), what are the values for keepalive and hold timers?

    Or simply said: post your BGP config on both router and the other peer.
  58. Replies
    2
    Views
    941

    Re: What rules for DHCP server are required

    I would allow FW to Broadcast and the other way: Broadcast host: 255.255.255.255
  59. Replies
    2
    Views
    1,804

    Re: Phase 2 Quick mode failed (Fortinet to CP)

    In the meantime, I solved it, and then reading alienbaby's comments just confirmed my findings: Phase2 fails due to Fortinet using address groups (multiple networks bundled under the same name).

    Now while...
  60. Replies
    2
    Views
    1,804

    Phase 2 Quick mode failed (Fortinet to CP)

    Hi guys,

    I have a new site-to-site tunnel that fails to work as expected.
    Peer 1: Checkpoint R75.47 - Build 171 (Nokia IPSO)
    Peer 2: Fortigate 60E - 5.4.5

    Problems:
    - if I initiate...
  61. Replies
    5
    Views
    2,384

    Re: IPSEC tunnel NAT question - Cisco DMVPN

    Can you detail what's to be taken from there? You want him to double check its DMVPN config?
  62. Replies
    5
    Views
    2,384

    Re: IPSEC tunnel NAT question - Cisco DMVPN

    That is cool, I love DMVPNs ;)

    So you have two Checkpoint firewall controlled sites, but each site also uses DMVPN. Has this come as an incident lately or has been a nagging problem for some time...
  63. Re: How to convert traditional mode VPN policy to simplified mode VPN policy

    What do you mean by that?
  64. Re: Not Exactly a Checkpoint Question but here goes

    It depends on how you pushed the proxy to your users.
    If it's implicit, then WEB traffic will go to proxy and then proxy traffic will go to firewall (probably one traffic rule ONLY on the firewall).
  65. Re: How Do I Find Out The Virtual IP Of the ClusterXL firewall?

    What about topology menu? It should be visible there.
  66. Re: Third free "Max Power" Addendum with R80.10 Tips/Tricks Now Available!

    Indeed I would also be very interested in more details about Phase 2 from CP cli.

    L.E. I just tried fw tab -u -t vpn_routing

    Crazy amount of info for only 6 tunnels up -- not that useful,...
  67. Replies
    15
    Views
    8,225

    Re: Export SmartDashboard objects to a text file

    Spent like 1/2h, then it generated two reports:
    - Converted which was BLANK
    - Unconverted which was full of errors;

    I'll test my grep and sed skills on the exported SmartDashboard file.
  68. Replies
    9
    Views
    1,958

    Re: IPSEC Phase1 MM packet 1

    Phase 1 was down all this time.
  69. Replies
    15
    Views
    8,225

    Re: Export SmartDashboard objects to a text file

    I didn't; where are you located? I have to dispatch some beer already!

    Now for anyone else reading this, let's move on to the actual conversion:
    1. FortiConverter asks for the objects_5_0.c file...
  70. Replies
    15
    Views
    8,225

    Re: Export SmartDashboard objects to a text file

    Fortigate with centralized mgmt. server: FortiManager
  71. Replies
    15
    Views
    8,225

    Re: Export SmartDashboard objects to a text file

    Hey guys,

    Thanks for the replies: more than I expected.
    Now let's sum up a bit my options:
    - right click --> export; it will generate a big .ckp file with all CP object logic behind. Here's an...
  72. Replies
    15
    Views
    8,225

    Export SmartDashboard objects to a text file

    Hi guys,

    Part of replacing one IPSO cluster is "recreating" on another vendor's CLI a big object group with about 200+ objects.
    Any hint of how can I do that please?

    I am thinking at guidbedit...
  73. Replies
    8
    Views
    4,817

    Re: Check Point firewall flow

    I couldn't find an image at this moment but immediately looked over CP_R77_Firewall_AdminGuide (pdf file); page 94 gives some intro about packet flow using SecureXL.
  74. Replies
    9
    Views
    1,958

    Re: IPSEC Phase1 MM packet 1

    I did check with vpn tu, but there was no phase1 showing up.
    After all if vpn debug trunc was showing just MM1 packets, how come Phase 1 could show up as completed on vpn tu ?
  75. Replies
    9
    Views
    1,958

    Re: IPSEC Phase1 MM packet 1

    I just looked over but Scenario 4, is unrelated to the outage we experienced last week.
    RFO provided by our partner: misconfiguration of VPN settings on their side. They couldn't go into more...
  76. Replies
    9
    Views
    1,958

    Re: IPSEC Phase1 MM packet 1

    SW wise we are running:

    fw ver
    This is Check Point's software version R77.30 - Build 048

    installed_jumbo_take -n
    216

    Tunnel came up after couple hours with RFO: vpn config error on the...
  77. Replies
    9
    Views
    1,958

    IPSEC Phase1 MM packet 1

    Hi guys,

    Had a failed IPSEC tunnel over the weekend.
    Here's ike.elg output:

    MM packet 1 (06:10:50)- Sun Jun 11 2017

    Transport: UDP (IPv4)
    PeerIP: 9f
    PeerPort: 500
  78. Thread: ipvanish vpn

    by laf_c
    Replies
    4
    Views
    985

    Re: ipvanish vpn

    Probably not; what's your issue?

    Did you run vpn debug trunc
  79. Replies
    5
    Views
    4,067

    Re: SNMP for cluster state

    It says I don't have sufficient privileges; what type of account is needed?

    Now about ClusterXL traps, can someone provide more in depth procedure how to enable them?
    On sk90470 I just had a...
  80. Replies
    5
    Views
    4,067

    Re: SNMP for cluster state

    I am also interested in that; a quick check on Gaia shows no real hope:

    show snmp traps

    ColdStart: A coldStart trap signifies that the SNMP entity,
    acting in an agent role, is reinitializing...
  81. Replies
    10
    Views
    4,036

    Re: ClusterXL unexpected/hidden failover

    That was part of my original question :). My assumption was based on

    Time since last report: 81106.9 sec

    But since I couldn't find any SmartViewTracker wrench info, now I doubt "when failover...
  82. Thread: CPUG for Linux

    by laf_c
    Replies
    3
    Views
    2,352

    Re: CPUG for Linux

    Thanks mate! Since I am getting old already I met Linux before on some aspects you mentioned: iptables, Quagga, containers. It's just I never took it to the professional level. Now I want to take...
  83. Replies
    22
    Views
    11,038

    Sticky: Re: Latest CCSE R77 exam information

    Fair enough then, I will schedule for 915.77 to add CCSE for 2 more years.

    Thanks guys!
  84. Thread: CPUG for Linux

    by laf_c
    Replies
    3
    Views
    2,352

    CPUG for Linux

    Hi guys,

    I am on my way of getting much better with Linux; I started some Linux training from CBT and got some small projects on my weekly tasks.
    Still I just realized a forum similar to CPUG but...
  85. Replies
    22
    Views
    11,038

    Sticky: Re: Latest CCSE R77 exam information

    Now I could finally see IT! Thanks!

    Back to the CP Training FAQ update of April 2017:

    Q: Why has the 156-915.77 exam been removed from the exam list?
    A: The 156-915.77 exam was retired as soon as...
  86. Replies
    22
    Views
    11,038

    Sticky: Re: Latest CCSE R77 exam information

    Meaning same R77 CCSE or is it a special exam labelled update?
  87. Replies
    22
    Views
    11,038

    Sticky: Re: Latest CCSE R77 exam information

    My CCSE expired May 26th. What is the upgrade exam number?
    The PearsonVUE exam list returns none for keyword: upgrade..
  88. Replies
    10
    Views
    4,036

    Re: ClusterXL unexpected/hidden failover

    I looked over, but I couldn't find any explanation/message that says anything about a failover occurring hence my forum post...
    Isn't there any other system file on firewall that would tell me more?
  89. Replies
    10
    Views
    4,036

    ClusterXL unexpected/hidden failover

    Hi guys,

    I noticed today that last evening a failover occurred

    [Expert@krak-001b:0]# cphaprob -l list

    Built-in Devices:

    Device Name: Interface Active Check
    Current state: OK
  90. Replies
    4
    Views
    2,421

    Re: 5500 Appliance LOM not working

    Actually I like your question, still the answer should be on the invoice that came with the equipment.
    Still we bought recently some 5100 with LOM :D and we had issues using it: high packet drop...
  91. Replies
    7
    Views
    1,845

    Re: TCP “out-of-state” drop- Please Help

    Tricky one, at least for me :cool:
    Let's find out more:
    - what's in the path between server and clients? Just CP firewall? Maybe a site-to-site VPN? OR a leased line?
    - I am sure some clients...
  92. Re: traditional mode VPN still supported in R80.10?

    Finally !!
  93. Thread: De-Introduction

    by laf_c
    Replies
    4
    Views
    2,223

    Re: De-Introduction

    Good luck, mate!

    While you're still here can you share some insight about the decision? Is it cost, overall knowledge of the team, yearly renewal fee?
  94. Thread: ntpd issues

    by laf_c
    Replies
    7
    Views
    1,581

    Re: ntpd issues

    Can you quickly spell the difference between hpet and tsc?
    How much CPU increase (on average) did you record after starting to use hpet?

    Thanks!
  95. Replies
    11
    Views
    1,912

    Re: Cluster stopped passing traffic

    Unfortunately, no logs --> no clue. What does monitoring right before the event show? CPU spike, traffic spike, maybe number of sessions spike?
  96. Replies
    3
    Views
    1,222

    Re: ASA behind CP 77.30 for AnyConnect User

    I never experienced that, but I received the same request a couple of years ago. What I did: public IP straight to the Cisco ASA. After all it's a security appliance, not a plain server. This also helped me one time, when...
  97. Replies
    2
    Views
    1,835

    Re: Ipsec VPN with fortigate

    How does P2 enc domain look like on FGT side?
  98. Re: IPSEC site-to-site " Already have this request "

    Both issues have been on TAC's list for a couple of weeks now. Just PMed you.

    Thanks!
  99. Re: IPSEC site-to-site " Already have this request "

    Definitely not :). That's out of the question. I also checked /var/log/messages every time an outage occurred for any split-brain traces, but there's no such thing.
  100. Re: Migration Ironport Web Proxy into App & URL Filtering

    Hello,

    For how long did you use Ironport solution? Can you make a quick pros / cons vs Checkpoint?
Results 1 to 100 of 500