CPUG: The Check Point User Group
Resources for the Check Point Community, by the Check Point Community.
Type: Posts; User: EricAnderson
Nicely done! Looks like it's time to upgrade my Hackintosh VM again ;)
-E
The use of a secondary/dummy log server is all too common. It stems from the fact that CP leans toward using the "Main" IP addresses of objects for internal communications. It's most often seen when...
We agree, and I didn't mean to say that SIC does/should break often at all - but we may be referring to slightly different things. It sounds like you're talking about times that you've had to...
Correct. The points that I would add (or expand on - for the benefit of others):
SIC can also be established with/from a secondary management server, as long as it's active
Once established,...
Yep - that's the one (or at least most common) thing outside of CP that we always point out and prep for when replacing/upgrading/etc. If a client doesn't have access/rights to flush the ARP cache...
One important afterthought (before someone else brings it up):
This changes a bit if/when the customization in question has been at the direction of CP TAC (or other official Check Point...
This is also why such changes should be documented. I know that's not traditionally a favorite word among us engineers (or even in our vocabulary), but keeping a folder/document with "non standard"...
I love the idea and applaud the effort. This is, I believe, a large part of why CP has put so much effort into developing/advancing API's.
I'd be happy to play with it for you, but I haven't even...
Info sent.
If you're only upgrading management devices, then definitely go for it. As always, just make sure you have [good] backups first - and take snapshots.
-E
While you haven't said what version you're coming from, I say "go for it". Loads of new features and enhancements, and minimal fear/risk.
We've updated numerous clients with very little issue -...
This post isn't exactly critical, and SIGRed isn't exactly new anymore (in cybersecurity time). However, I figured it may be a good way to start things off here. The only Check Point related aspect...
I'm going to try really hard not to go into a full-on rant here...
Disclaimer: All of this is just from my own experiences/observations/conversations, and therefore somewhat subjective. Your...
Nice work, Zimmie (as always).
-E
If I understand you correctly, I'd think a query string like this should do the trick. You'd just need to replace "Internal_Networks" with a group containing all destinations you want excluded, or...
That makes perfect sense. If the server is on the same subnet, Exchange servers will reply directly. You could work around this by NATing the traffic, making the Exchange servers think it's coming...
I agree with Zimmie. If your client is coming from the same subnet as the servers, but trying to hit the public IP, you're likely creating a hairpin situation that could confuse things a bit.
...
Key word in your initial question is "supports". CP will tell you that ClusterXL requires identical appliances and could possibly deny support in your case (but likely would only do so if they truly...
Just for kicks (and possibly a "solution"), can you take a successful export with R80.30 tools?
-E
Yes, definitely a good forward move - newer hardware/performance/version (anyone else notice the USB-C console port?).
I'd still love to see these move to a more standard GW code base, while...
Are you in CLISH or bash/expert? "cp_log_export" is not a CLISH command and needs to be executed from "expert" mode (bash).
Seems like I just gave a similar reply a few weeks ago ;)
-E
Don't take this the wrong way, but are you sure you're in expert mode (bash)?
"fw" commands will work from clish, but grep won't.
-E
Also verify that both GW's are configured identically - especially as far as routing. Symptoms almost sound like secondary is unable to route packets properly.
This can be avoided by a...
Glad we could help :)
-E
I'm not sure what you downloaded, but grab the file from the link I gave (again here). Extract that to a folder and run the pre_upgrade_verifier directly from there.
-E
Exactly as Tim said. To expand a bit...
- The command you found is specific to Multi Domain Server (MDS), a much bigger and more complex beast.
- If you downloaded the correct package, the...
Try the original/older fix...paste this into expert/bash CLI:
cp /web/htdocs2/js/login.js /web/htdocs2/js/login.js.orig; sed -i 's/if( form.isValid() ){/if( form.isValid()...
Unfortunately, no. For better or worse, CP has protected the documents and restricted permissions.
We can discuss reasons/merits, but I will preemptively warn that any posting of copyrighted...
Wow - you guys decided to dive right in to the specific use cases, where I just left it at "granularity/control" ;)
To add to the specific reasons above, one of the cool "old school" uses was to...
VRRP was introduced in GAIA (which was introduced in R75.40).
One of the primary reasons for the introduction of GAIA was to consolidate/replace both SPLAT and IPSO. The goal was to offer all...
What browser? Have you tried another?
-E
First 2 thoughts:
- Did you install it as a "standalone" with both management and gateway? If so, try "fw unloadlocal".
- Are you sure it's done loading/booting? The database in R80.x takes quite...
Or just paste the following into an expert/bash shell of any Gaia device. It fixes the javascript code:
cp /web/htdocs2/js/login.js /web/htdocs2/js/login.js.orig; sed -i 's/if( form.isValid()...
If only I had a nickel for every hour I've spent explaining/teaching anti-spoofing...it's quite capable and simple (once understood), but far from intuitive.
mdjmcnally is correct, but I'll take a...
Yup (and I don't often say that...I usually stick with "it should").
For reference, the SK was 122612.
-E
^ Beat me to it ^
Definite case where setting the date correctly will kill it. Notoriously unhelpful failure message, but at least an easy fix (apply newer HFA and re-sign CA).
-E
New installs are granted a 15-day "trial mode" which allows all features.
You can find the latest Management release (R80.20.M1) here.
And the latest gateway-supported version (R80.10) here.
...
Anyone attending this week's "mini" CPX event in New York City? If so, stop by the Netanium / Atlantic Data Security table and say "hi".
For anyone who wasn't aware, there's more info here.
If...
Understood, and completely valid. I didn't mean to imply otherwise.
My preferred solution is to create a separate account (I like to use "adminbash") that defaults to /bin/bash. For a larger...
So, you were trying to go from clish >to> bash >to> clish? Definite no-go.
However, if your default shell is bash, you can launch clish as a secondary shell. Very common/useful for those who...
I remember there being something about clish lock files in /tmp. Are there files in there? Try deleting (or temporarily moving them elsewhere).
-E
Can we assume you're on R7x? I believe the syntax you're looking for with dbedit is "rule_adtr"...
modify fw_policies ##Standard rule_adtr:3:disabled true
If you were running R80.x this...
The problem is with this statement:
How do you know you need something if you don't know what it is? If you could explain why you think you need it we may be able to help.
-E
Best wishes, and we look forward to your return.
-E
2018 promises to be a big year for CPUG, especially with the return of CPUGcon (but more on that later).
For those attending CPX360 this week (Feb 6-8) in Las Vegas, make sure to stop by the...
So...who else is in (or coming to) Vegas?
-E
Great meeting you too, Bhav! I always enjoy it when community members come say "hi".
To everyone coming to Vegas, make sure and stop by the Infinity Scavenger Hunt booth, and attend the sessions...
LOL...I'll stick with Phil Collins.
Here's one a bit more recent (like a few hours). See if you can identify the others. Hint: we're all members here.
-E
Photo credit/blame: Toni...
I will be in Barca and Vegas as well.
More info will be posted soon (this weekend?) on this year's CPUG Challenge. For now, I'll let everyone know that I'll be hanging out quite a bit with...
I would try this, in hopes of forcing things a bit:
- Remove VPN option (uncheck box) on cluster and remote GW (will have to remove both from community first)
- Install policy to both
- Re-enable...
Agreed. As incorrect as it may be, Check Point often seems to refer to "open server" as another form of "Check Point appliance". Maybe they see an open server install as assimilating the device,...
What Tim said.
I still have a few hardcopies that I can heavily discount. However, depending on where you are, shipping may make the e-kit more affordable. Let me know if you're interested.
-E
Correct, IP Pool NAT is not the same thing. Historically, prior to Office Mode, IP Pool NAT was commonly employed for remote users - giving each one's inbound traffic a unique source IP address from...
Please don't read this as an argument that this shouldn't be a concern. Rather, it's just the perspective of an optimist interested in avoiding unnecessary knee-jerk reactions...
While I won't...
Godspeed, Val, and good luck with the new gig.
-E
Very cool! Looking forward to playing...
-E
Contrary to CP marketing/sales/support, it is entirely possible to add any model of appliance to the cluster, the issue is one of cores (it wouldn't be possible to sync 8 fw kernels onto a box with...
I hear you, and understand the restrictions (and resulting frustrations). I like the idea of a network-based config as well, and it may even be possible in one way or another with hacks to...
One word: ISOmorphic
If I understand you correctly, it should do most (if not all) of what you're looking for. Check SK65205
While I hate to have to kick people over to SK, since the tool can...
config_system still works, and can actually be quite powerful when used properly ;)
-E
Located in Boston (MA - 12/14), Buffalo (NY - 12/14), or Rochester (NY - 12/15) areas? Want to see the new Star Wars flick before everyone else - for free?
While not officially a CPUG event, I've...
In case you'd missed it, Check Point has entered the "Cyber MondayWeek" craze with a 25% discount on certification exams. The code (which is "Cyber Monday") is supposed to be good on CCSA, CCSE, and...
Since we're stuck anyway, and have a backup (sort of), how about just deleting the offending object with GUIdbedit? Still works in R80.x as well.
-E
Upon further reflection, I'd definitely give this a shot. If there had been corruption prior to the backup, the corruption would be included in the backup and restore. Export/import does more of a...
I have come across cases of R80.x database "corruption". In one memorable instance, any click to enable "HTTPS Inspection" on any gateway would crash SmartConsole.
One possible workaround (which...
This is a pretty well-documented concept (see sk30197), and the information you've provided is a bit limited.
A few basic questions/ideas:
Was your previous setup SPLAT or Gaia?
Did you...
This is expected. _Dedicated_ management servers don't enforce policy, and therefore don't _need_ "topology" defined. It can't be "fetched" because they don't have the same components that gateways...
If the Automatic Hide NAT is fine, and you're seeing the outbound Static's being NATed properly, but not getting replies, then yes, this seems to be an ARP issue, and yes, ClusterXL is a very likely...
But if the Static NAT rules come before the Hide NAT (which they will if they're all Automatic), then even the outbound connections will be source-NATed as coming from their public address. If ARP...
One thing to keep in mind is that R8x management servers take considerably longer than prior versions to initialize/boot, especially on under-powered systems. How much RAM does this system have?
...
I think the first question you'll get from most is about the hardware specs. Yes, SmartLog can be very fast to return results, even with your numbers. However, running on under-powered gear can...
Are you positive the file is intact? Did you maybe transfer it via non-binary FTP?
Maybe try gunzip, just to see if you get a .tar as a result? (should just be "gunzip [filename]")
You can...
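As an added example (not from the original post, and not a Check Point tool), here is a small POSIX shell check that answers the "is the file intact?" question directly rather than by eyeballing the size. It assumes only that gzip, tar and dd are on the path (true in a Gaia expert/bash shell), and it constructs its own sample archive plus a truncated copy to show the failure case.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes gzip, tar and dd exist
# (true in a Gaia expert/bash shell). Validates a .tgz end to end instead of
# guessing from the file size.

# check_tgz FILE
# Returns 0 if FILE is a valid gzip stream wrapping a readable tar archive,
# 1 otherwise. A non-binary (ASCII-mode) FTP transfer or a cut-off download
# both break the CRC/length trailer, which is exactly what gzip -t verifies.
check_tgz() {
    f="$1"
    if [ ! -s "$f" ]; then
        echo "MISSING: $f is absent or empty"
        return 1
    fi
    if ! gzip -t "$f" 2>/dev/null; then
        echo "CORRUPT: $f fails gzip integrity test (truncated or altered in transit?)"
        return 1
    fi
    # A clean gzip stream can still wrap something that is not a tar archive,
    # so list the members as a second check (the same thing gunzip + tar would do).
    if ! gzip -dc "$f" 2>/dev/null | tar -tf - >/dev/null 2>&1; then
        echo "CORRUPT: $f decompresses but is not a readable tar archive"
        return 1
    fi
    echo "OK: $f"
    return 0
}

# truncated_copy SRC DST BYTES
# Constructed failure mode for the demo: keep only the first BYTES bytes of SRC,
# which is what an interrupted download looks like on disk.
truncated_copy() {
    dd if="$1" of="$2" bs=1 count="$3" 2>/dev/null
}

# Usage on a real device: check_tgz /path/to/package.tgz
if [ -n "$1" ]; then
    check_tgz "$1"
fi
```

If gzip -t passes but the MD5 published with the package does not match, the file is still the wrong one (or an altered one), so compare the checksum from the download page as well before running an installer or upgrade tool from the archive.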
Did this recently with a client. SK111111 details the grep command that will find the "offending" characters.
I believe the "sem" files are the database copies used by SmartEvent. Just made the...
Thanks, Ofer, and you're welcome. Always happy to help further the cause!
-E
That's a great and timely question, that unfortunately has many possible answers - none of which are perfect in every case.
I'll give a quick nod to odumper. It's quick and efficient, but dated...
Anyone with a support account on Check Point's site.
I'm not sure what access/contract level is required, but you can find the file here.
It's inappropriate/illegal to distribute Check Point...
This has been mentioned multiple times in this thread, but I'll try to expand/clarify...
The WebUI and CLI are used to access/configure the operating system. In most cases (nowadays), you're...
Well, you're finally getting very close. :)
What the above tells you is that the current software (as opposed to operating system) administrative account is "fwadmin". That is what you should be...
First, this thread has gotten waaay off-topic. Please create a new thread (or threads) for questions that are unrelated to infoview.
Second, many of the questions you've been asking would be...
First, welcome to the community!
Second, you're using a pretty dated version of the remote access client. Is there a reason? Have you tried a newer client?
While it's a rather...
You need to remember that the Gaia operating system is separate from the Check Point software. The accounts used to log into the CLI and WebUI (to administer the OS) are not necessarily the same...
Another simple oldie-but-goodie trick is to use cpconfig.
Simply type cpconfig from the CLI (either clish or bash/expert) and observe the menu options available.
- If there are options for...
** Please don't just re-post what was in the original request.
That said, are you positive you're running the latest version? I've just re-downloaded and installed/ran fine on Win10. ...
First question I like to ask: What do the logs tell you?
I instill in my students that the logs can often save you from a bunch of fruitless troubleshooting. Especially for the beginner, they're...
Good to hear. Thanks for the confirmation!
-E
Yes, basically WebUI = CPUSE (now). The "old" method is now called "Legacy" in the WebUI. No? Just make sure CPUSE has been updated (SK in prior post).
Ran into [what may be] a similar...
Maybe it's just me, but from the statement you boldly quoted, I would assume that if R80 to R80.10 requires CPUSE, then older versions can't do it any other way either. The only mentions of R7x SMS...
No idea what happened, but as I read through the steps you performed I was waiting for the mention of "migrate export/import". That is by far the way I would recommend for migrating a management...
Just to add to the confusion...
- I built a new/clean MDS with R77.30
- I did not create any CMA's
- I mounted R80.10 ISO
- I ran linux/p1_install/mds_setup script
- I got the exact same...
Woooah...I don't "agree" with the logic either (if it's even true). I'm not trying to excuse CP for not accommodating an empty SMS, but figure out how it could have been missed (if it even has...
Just to cover our bases, if you're referring to adding them within SmartConsole (instead of Gaia), you'll find both object types under:
More, Server, More...
-E
While I agree that this should work, it's at least possible that it won't due to the somewhat illogical/unrealistic scenario. In production, either an existing MDS would have at least one CMA, or,...
I have a bit more of a fundamental question: Why are you using EA release? 394 was pretty late in the process, but I'm pretty sure there were MDS limitations with some EA releases (can't find...
Glad to hear it! Don't underestimate the "hunger" of R80 management ;)
Forget that book - it's trash (just kidding!)
Actually, Tim is known (rather well) around here as ShadowPeak. You'll...
LOL. If I didn't know him personally, I'd seriously wonder if he was a "bot".
We've been installing R80 for management for new customers for about a year. That was driven primarily by not...
But...after a few years, aren't you supposed to trade your spouse in for a newer model? ;)
(not that she'll read this, but I'm actually happily married for many years, and not shopping)
I...
What, me? Verbose? Never. I'm also never sarcastic (or use parentheses).
I'll definitely admit that I can ramble on a bit, especially when I get passionate and excited about something (there...
What browser are you using? I've definitely seen similar issues, and I seem to remember resolving with a different browser (usually Chrome).
-E
Let me just take this opportunity to clarify a few things that I've seen a bit of confusion over...
Layers are not a new thing, not even to Check Point - what's new is calling them "Layers". In...
A couple of quick notes...
- As Phoneboy indicated, the action of Rule 5 would not be Accept or Drop, but rather to fire the "blason's Approved Apps" layer (or whatever name you give it)
- Access...
In response to the OP, while 4200's can run standalone (pre-R80), it's never really been an ideal situation.
All of the performance specs given for any gateway devices are based on them being run...