CPUG: The Check Point User Group
Resources for the Check Point Community, by the Check Point Community.
Type: Posts; User: northlandboy
Look at the Check Point docs & Release Notes, e.g. the "What's New in R80" sections in SK.
Lots of explanations here: https://www.google.com/search?client=safari&rls=en&q=checkpoint+drop+reject&ie=UTF-8&oe=UTF-8
Pick any of them
That is what they normally do. Sounds like they're being proactive here, rather than just hard dropping traffic. Shaping will help your overall throughput on those links.
So...what are they going to do if you *don't* shape your traffic? Allow it through?
_Normally_ what happens here is that ISPs will Police traffic, while it's better for you to Shape it. QoS gets...
That was the sort of thing I was going to suggest. Basically the problem is the traffic coming in the primary firewall, and going around to the secondary. Gets things a bit confused.
Can you draw a simple diagram showing the traffic flows here?
What firewall IP address is the management server trying to use, and where is that IP relative to the management server? Is your...
Trace the traffic through your network. When I've seen that behavior in the past, it was because traffic was arriving via an unexpected interface, and anti-spoofing was kicking in.
Traffic from...
Generally agree with @cciesec2006. Using Check Point HA tends to be more hassle than it's worth. Due to the nature of the separation between enforcement & management, it's fine to have a short delay...
What makes you think it is authentication-related?
If it's just accepts & drops, you used to be able to get that data via SNMP. Use the firewall's own counters, rather than analysing logs.
Then you can graph it over time, and it's just another...
Great to hear that you found it.
I've had similar experiences in the past, especially with deeply nested groups that someone slips an overly large subnet into...takes a little while to figure out...
Sounds like the NAT is happening on the primary gateway, *after* the packet has come out of the VPN tunnel from the remote site?
So might be worth going through all your NAT rules the primary...
Just as an aside, you should also remove snmp-trap. Managed nodes send SNMP traps *to* the monitoring system, not the other way around.
Years ago I worked at places that did not allow TCP/256 between firewall members, only UDP/8116.
If a firewall was restarted, full sync would fail. New connections would be synced. Over time, the...
Seems that's a far more important problem for them to solve?
I can never understand why people will spend hundreds of thousands/millions on hardware & software, and not put in basic monitoring...
Why would it *not* be paid by the company? Why would you buy your own Windows license to manage a company asset? That makes no sense.
> But even if this is the case why additional amount of money...
> It's a bit silly because I have to have license for this Windows which will cost me additional tax.
And what's the cost of that vs the amount your company has already paid to Check Point?
What does your monitoring system tell you?
You _do_ have monitoring in place, right?
Talk to the vendor. If they are in any way serious about selling this product into Enterprises they will have some way of dealing with this.
If they are not interested, then why are you using them?
So install one. Squid has been free for oh, 20 years or so.
We have a bingo
How does your public IP address range work? Is it a subnet that is in use between the firewalls & the upstream routers, and you take NAT IP addresses from that range?
Or is your upstream ISP...
I don't think I've ever seen it used outside the classroom in all the CP shops that I've worked in. Those have tended to be bigger places though, the sort that could invest in dedicated load...
Pay attention to those caveats though: you're using a feature that goes back a very long way, and is little-used.
You're better off using a proper load-balancer (ADC). There are free options these...
Only doing day trips at the moment, either riding around San Francisco area, or mountain biking trips like this one in Phoenix.
Currently plotting our next move. Would like to do a few short bike...
Hopefully not going to be too slow using SFTP? My experience was always that it was much slower than SCP. Never really dug into exactly why though.
I did lots of these around the R60(ish) days. Always worked pretty well, and thankfully I never had to deal with Global Policy.
So if they had it working well back then, you should be OK now.
...
If you don't remember what changes you made, and you don't have a revision control or backup, then you could try looking at the audit logs to see what you did, and manually undo those changes.
I would look at SD-WAN vendors for this sort of thing.
You can also run tcpdump for a real-time view of traffic, if you're doing live debugging. Doesn't help with historical analysis, but the above 'Accounting' trick will do it.
What happened when you did that? ARP cache no longer full, but firewall still unable to obtain & cache ARP entries, therefore unable to forward?
It's not a Check Point-level thing - it's at the OS level, so `cpstop;cpstart` isn't going to help. Have to clear the ARP cache.
Potentially. If it does go over threshold, garbage collector will kick in, and remove older/less frequently used ARP entries. If you've got a bunch of stale entries, it's probably no big deal. But if...
There were some ups & downs over the years, but his work getting this board established brought us together.
Hope his family is OK.
- Lindsay
That used to be one of those questions that got asked in the old Check Point exam. I don't think I ever saw anyone actually implement it though.
You're better off using a load-balancer....
Why does passing encrypted traffic affect the firewall? Or are you encrypting at the firewall?
Isn't that one of the IPS options, to detect SSH on a non-standard port?
Off by default though.
Did you update the firewall object in SmartDashboard?
I've done it that way described above (with /32 routes on the hosts). You have to combine it with private VLANs, or protected ports, or similar.
But it's pretty ugly. If you don't want those...
Like the rest of you, I don't think I've ever seen any formal 90-day policies. I wouldn't have a formal policy like that, *but*: I do think it's a good thing to reboot systems regularly. Not because...
I know you checked available disk space, but did you check the disk space policies? The options that tell it to use no more than <x> amount of disk, or keep <Y> amount free?
Just a thought.
It won't be per-packet (per-packet load-balancing is problematic, as you can end up with out of order packets). It will be flow-based, using a hashing algorithm. All packets in a flow will take the...
Check the destination MAC on the captured traffic - is it the MAC you expect?
Check the MAC address table on the switch - does it show that it thinks that that MAC is on the port connected to the...
You might need a NAT rule for that.
I was saying that certifications are less relevant today, especially for 'legacy' IT like networks, firewalls, etc.
People don't value them, companies see less value in them, and so the vendors...
Seems indicative of a broader trend away from certifications, especially for legacy/traditional products like CP. It's not just restricted to them.
I prefer to control those settings through SmartLog, where you can set either min space required, or retention settings. That way it's kept with the Check Point settings, and should survive...
I don't believe so, assuming my understanding of the topology is correct (it may not be). My assumption is that the ICMP redirect check would occur before the NAT step, so it should be OK.
Couple of possible options:
* Configure your NAT policy so that when those internal users access that public IP, source NAT is applied to hide them behind the firewall (or some other IP that will...
That's what I was wondering about. If I had 'ls -l' segfaulting I would have noticed it within minutes. Makes me wonder what was being patched that resulted in that behaviour.
Ever the optimist...I just assumed it was a typo
I'm pleased to see that I'm not the only one that gets upset about people clinging to FTP. These days I don't do much security work, it's mainly in networking space...you wouldn't believe the number...
Yep, +1 to this. I also find the NAT changes simpler than trying to remember which file to edit (which also risks getting lost on upgrade).
Yah. Overall I'd rather have more frequent, smaller updates. Don't like having infrequent monster updates. Reduced batch sizes for greater system throughput.
It's been fairly trivial to DoS systems for years now. Doesn't matter if it's "just http." For a few dollars I can easily saturate your Internet connection.
There are plenty of people that would...
The original request was about a "server hosted at AWS" - so while they could have some complex global/regional setup, it sort of implies there's a single EC2 instance + Elastic IP.
Of course, it...
If you're going to allow all AWS networks, you might as well just allow the entire Internet.
Surely the customer knows what IP address they use to connect to that system at AWS?
The AWS-hosted server may have a static IP. Or is this for some third-party application where you don't know what addresses they'll be using?
I'd be interested in knowing if it was making a connection, and SIC was failing, or if it was SIC unable to connect & timing out (e.g. due to firewall policy)
I would not expect a Nessus scan to cause firewall problems. (If it did, all of our Internet-facing firewalls would be stuffed).
I wonder if it's some IPS protections you've got enabled causing...
That's a pretty disappointing response, especially since it is something that I & others have done successfully.
What sort of failures were you getting? SIC errors?
It's one of the great mysteries in life
Yep. I've been caught out by this in the past. The problem is that the gateways can handle a gap in being able to communicate with the management server. If it's offline for a day or two, no big...
I've done similar changes in the past, following a generally similar process, and it went OK. Only problem was once when I had a locally-licensed firewall, as the changed IP invalidated the license....
Yes, it does seem silly. But if they don't officially tell you what it is, then they can change the specs later and not have to tell you then either.
nmap.org
Don't know why you've got that debug file there, but might be worth making sure your NMS is alerting on disk consumption on those boxes?
Don't get me wrong, you _should_ be able to resize the partition. But maybe if you start telling them that they'll have to take the box offline to resize, they'll re-think the necessity. I can...
I'm intrigued. Why do they want a larger swap? (I'm going on the basis that memory is cheap enough that you should not be using swap at all on a modern system)
What's the thinking behind splitting inbound/outbound like that? It isn't going to double your bandwidth.
What were you using, cat?
Use less, or vi. Then you can search by entering "/" followed by the expression you want to search for.
I always found that when groups with exclusions were in use, there are no quick answers. (Because it usually means there's some messed up routing design)
It's been a while since I dealt with this sort of problem, but I would look at running a cronjob on the gateways that looked to see if the file size of the local fw.log was increasing (indicating the...
My guess is that you won't find a specific entry for code 254. That sounds like a generic exit code.
I'd pay closer attention to what line 28 is trying to do.
Most important advice there. PCI-DSS is about two things:
* Limit the scope as much as possible.
* Understand the way your QSA thinks, talk your plans through with them, understand what they think...
You'll need to fix it.
Lazy fix - swap the order of the rules (move the more specific one above the less specific one).
Proper fix - look at why you've got overlapping rulesets, and clean them...
If cost (particularly short-term cost) is a driver, then Fortinet may well be the better option right now if you're going from a single box to an HA setup.
Regarding ASICs/FPGAs vs x86...it really...
At your scale it doesn't really matter too much what you use. Both can meet your needs.
Price per Mbps is interesting at a certain scale, but really it comes down to your specific needs. What...
refid is the source used by the upstream server. So 10.2.1.246 is getting its time from 10.2.1.248.
Yes - it works very well, and means no mucking around with proxy ARP. It's the recommended way to do it.
Can you post the output from when you run 'backup' via CLI?
Yes - the future direction is clear to me. There's a lot of large customers running VRRP, so they won't get rid of it in a hurry, but you'll see a continued shift of resources towards Gaia +...
Yeah. It's complicated.
Yawn. ASA has had plenty of issues over the years.
What about a Check Point appliance?
It's probably worth thinking about that overall risk. What makes it so much safer if I'm connecting from a domain PC vs my home PC? What makes it acceptable if it's a contractor PC? What makes it OK...
Run shadowpeak's grep command again, but with a wider scope. Just do it against the whole box:
grep -ril ntp.ien.it / 2>/dev/null
Sometimes that's used as a bit of a cop-out. "Oh, we've got an API, you can just write some code to do that!" Yeah, that's not practical for most organisations to do, beyond basic scripting.
Part...
What's the real problem you're trying to solve here?
A/V scanning of Office 365-hosted email? What's the point in trying to do it yourself on a Check Point firewall? You've outsourced your email...
I wondered if that might be the case. Good to know.
Anyone know what happens if you disable hit count collection globally, push policy, then re-enable it?
That's my gut feel too. To the OP, what's the reasoning behind the change, if you've been running ClusterXL for years?
Oh no mcnallym, you breached the 12 hour guaranteed forum response time!!!
Aye, it does seem that way. I used to do this sort of setup when migrating between 530s, 650s, 740s, etc. Was all much simpler then.
Yes, it will start sending logs again, but it won't send the logs that it stored locally while it lost connectivity. So you end up with gaps in the logs on your management server.
If you want to...
Not exactly to merge them, but from within Tracker, you can get it to retrieve logs from the gateway, and store them with the other logs on your management server.
I would expect those changes to get synchronised.
Yeah, dbedit is probably the only way to resolve it.
I've seen something similar in the past. For whatever reason it didn't completely remove all the references when deleting from the GUI.
Make...
I've written some of this up in a bit more detail on my blog.
Ugly diagrams, but you get the idea.
If you're a beginner with Check Point, why are you worried about understanding SIC in detail? There's other areas that are more important to focus on first.
Maybe you should buy his book?