CPUG: The Check Point User Group
Resources for the Check Point Community, by the Check Point Community.
Type: Posts; User: crosspopz
I enabled the SmartEndpoint on my MGMT server, imported the version 80.65.2516 and downloaded the initial client to my PC.
After the installation I receive an error message: "The Endpoint Security...
I just got a random Alert when I was using the SmartDashboard:
JavaScript Alert
Failed to load the bootstrap javascript:
./../VAADIN/vaadinBootstrap.js
Any clue about this alert? For some...
Hey everyone,
I was trying to use the SmartView Web from my management server IP; every time I use it the SmartEvent (different server) CPU hits 100%.
Running top command:
4336 admin 34...
My problem was solved after some time, trying to update to R80.10.
For some unknown reason the upgrade worked and the webui came back.
Yonatan, yes, still getting this error.
I already tried a cpstop, cpstart, reboot.
I have some coredumps, but none from this month;
drwxrwx--- 2 admin root 4.0K May 10 04:36 CPM.4002...
Yeah, sure.
The problem here is, this Firewall has 2 interfaces, both are configured as "internal", I cannot even configure an exception!
Understood, I already did as you said and it is pinging!
Hey, a topology with an External Firewall that connects directly to the internet and another one Internal Firewall that only cares Internal servers and Internal network.
Make sense to configure...
lol john, it's working man, I can ping.
I can ping myself, don't believe that this is the problem.
The problem is with both these services that don't start.
John, no error, pinging normally.
[Expert@xxxx:0]# ping xxxx
PING xxxx (10.0.0.234) 56(84) bytes of data.
64 bytes from xxxx (10.0.0.234): icmp_seq=1 ttl=64 time=0.028 ms
64 bytes from xxxx...
john, I will do this tomorrow, but I can ping myself using hostname.
Hey john! This command should work? I can ping itself, but not like this command.
Thanks!
Hey, I tried for the first time in my life to update the R80 to R80.10 using CPUSE.
I always upgrade using CLI and this time some problem happened.
Now I try to connect to Gaia Portal and...
I sent you a PM.
Valeri, thanks for the reply, but no success.
[Expert@xxxxxxx:0]# cd $FWDIR/conf/db_versions
[Expert@xxxxxxx:0]# ls
database
[Expert@xxxxxxx:0]# cd database
[Expert@xxxxxxx:0]# ls...
Has anyone already configured or used Remote Access VPN authentication with a Smart Card?
I did this already, nothing was shown.
[Expert@xxxxx:0]# dbver
Enter Server name (ENTER for 'localhost'):
Please enter a command:
export <version_numbers> <delete | keep>
import...
And when you enter the link of this T132 it says "This image contains Take_76 of R80 Jumbo Hotfix Accumulator" lol
...
Yes, and it is painful. I decided to use R80 because I support many customers and decided to use it internally first in production, my mistake.
I always keep the last Hotfix, and I'm using the last take,...
Just to let you know guys, I removed almost all of the revisions, from 200 to 20.
The backup still has 3.3GB.
Am I the only one with so many problems with R80?
Many timeouts when trying to connect to the dashboard.
So many crashes while using the SmartConsole.
Many crashes when pushing policy.
Trying to...
Yeah for sure, but this is by default here in R80. I will take a look at the settings and try to change this.
Thanks!!!
This is enabled by default, is it a good practice?
Is there an automatic maintenance for that?
I'm not backing up the logs, I believe that is the revision, almost 200!
I will purge and test again!
Oh man, I just realized that we have almost 200 revisions here. lol
I will purge them. Is it really a best practice to maintain this?
Hey, I ran a backup from migrate export and realized that it's huge!
Almost 4GB, our rulebase has 67 firewall rules and almost all blades enabled, but I think it is a small amount of resources to this...
The track option "Account" will show on tracker the bytes transferred and some other information; under the account we can see many "Log type".
The question is: The account is the sum of all this...
Yes, it works!
You can add from the GUI or from CLI you need to add the interface vlan first, then set the interface ip.
Cya!
We want to migrate our AD to Azure AD, so we will not have the physical server anymore.
My question is:
Is it possible to integrate our Check Point Identity Awareness to Azure AD? Never did that.
...
See if this helps you.
sk94671.
Regards!
Thanks for that! Nice one!
Hey, thanks for the reply.
Do you know if there is any document explaining that?
We are getting an error message when we open the IPS blade.
"error occurred while checking for updates..."
When we open SmartDashboard, does the Manager use my connections to verify updates?...
Lol, we can continue in English :D
Thanks for the help.
I already read all this website. lol joking. :D
Before it all:
http://www.wikihow.com/Be-Funny
Now about CP.
fw ver
This is Check Point's software version R77.30 - Build 503
Not sure what Brazil's president can do with ISP redundancy ;)
You are the guy that votes for Donald Trump and agrees with his thoughts.
Cya bro, if you want to help with the topic, I'm all ears.
I'm from Brazil, GMT -3.
Maybe we can talk using Skype, what do you think?
:D
We already have a case with CP, I sent my findings and hope they check the document.
Yes, It's already set to use the clamp.
[Expert@xxxxxx]# fw ctl get int fw_clamp_tcp_mss
fw_clamp_tcp_mss =...
When I use the non-pppoe as the default gw, both interfaces (pppoe and the other) use MSS 1460.
Then sometimes the browsing works (going to non pppoe), sometimes not (going to pppoe).
When the...
Hey guys, yesterday I did some captures and reached a conclusion.
When the ISP redundancy is configured as Load Sharing, both interfaces use the MSS from the “main” interface.
Example:
The...
Nice one, I will try to capture today and take a look at the findings.
lol
If you join me on the troubleshoot, no problem hahahaha
I will, I want to know what is the capture MSS when the pppoe is the only active.
You got a Hat trick ahaahhaa
We have R77.30 without SecureXL.
Yes, the clamp is enabled on the Firewall (CLI) and Manager (GuiDBEDIT)
I will run another capture this night, but I'm trying to find out this cap that I already...
Maybe that's the problem, the MSS on the wireshark shows 1460, and should be 1452, since it is using pppoe.
Wonder if the tcp header is 40 bytes.
Take a look at this:
1124
first 4 packet is...
We have customers that use ISP Redundancy and it works; the problem here is that I'm the only one who uses one of the interfaces as pppoe.
Check Point doesn't help all the time, that's a fact.
...
1500 is the default MTU, but configured for pppoe is 1492.
We are using R77.30
SecureXL is not enabled.
I can run a tcpdump.
But checking the wireshark here, I can see the MSS=1460. The interface MTU is 1492.
We did an open fw monitor.
You mean both interfaces (pppoe and the ethernet ISP)?
Hey cciesec2006, I understand that and I agree in parts. We are using here ISP Redundancy that is most likely a script running on the background.
I agree that is not a routing or switching...
I changed only for the pppoe interface, since I believe is the one that "needs".
You're correct, using only pppoe works fine.
Yes, it creates a virtual interface, just need to indicate from...
Hey jflemingeds, I already did all of this SK, changed the MTU.
If this was the problem, when we use the pppoe as the default ISP (only this one active without the ISP redundancy) shouldn't work...
Hey guys, we have here a Check Point Gaia R77.30.
We have two ISP:
1- Dedicated ethernet ISP
2- pppoe ISP
Using the dedicated as default gw, works fine, same with pppoe.
I'm trying to...
Does anyone know if enabling the Proxy option on Global properties will redirect all the traffic going to the internet to this proxy?
Example.
I enable HTTP + HTTPS proxy on my firewall....
Nice one, the traffic is managed by STP, right?
We have a customer that already uses their Firewall with ClusterXL, but right now they want to configure two interfaces in bridge mode. Is it possible to use this with Cluster? HA or LS?
Thanks
sk103598
Regards!
R77.30 Gaia
I'm sorry that this was too late, but here is the solution.
How to control of the Maximum Segment Size (MSS) of TCP SYN and TCP SYN-ACK packets on Security Gateway
It's not even enabled :S
Thanks for the reply, but why are you telling me about the SecureXL?
I believe that here is another problem, the problem is that the PBR doesn't work when the two pppoe are enabled.
I have 3 external interfaces here in our company, 2 from the same ISP and 1 from another different one.
One is dedicated and two are pppoe. Both these pppoe have the same default gw.
What we...
Yes, I already have. Just opened here to share with you and try to find someone else that has the same problem.
Thanks
Oh, thanks.
I saw the link, but I believe I don't have the knowledge to understand this yet. There is only one answer that I don't know what it means.
Returning to the specific problem, I...
No I don't, I don't know how to do it.
I was looking for how to, but didn't find.
I'm sorry, but didn't understand what you mean with backtrace on it.
About the cpsemd.elg, I didn't get any error, only something about a license, but I generated an eval with all and the same...
Yeah, I see and they already have.
They sent me 3 hotfixes, none solves the problem :S
My MGMT is R77.30 with JumboHotfix take 84.
I enabled the SmartEvent + Correlation Unit on my MGMT, but cannot open the SmartEvent dashboard.
I got on Monitor that the CPSEMD process is not...
Hey lil, I tried everything and to me this is a version problem.
The way I solved this problem was configuring Checkpoint NTP and this worked.
Hope someone finds a better way for that.
One...
I'm CCSE and it is about to expire; has anyone taken the 156-915.77 CCSE Update exam?
I had the same question, but you need to take CCSE again.
I tried ntp1.checkpoint.com and ntp2.checkpoint.com, only the ntp2.checkpoint.com worked.
Now the strange thing is, the Check Point NTP is outside the internet, and my NTP is inside my network....
Now I'm trying in my environment and not on the customer, same thing.
[Expert@xxxxxmanager:0]# cat /config/active | grep ntp
process:ntpd:arg:4 /etc/ntp.conf
process:ntpd:arg:3 -c...
@alienbaby.
1- I already set manually the time to the correct time and set the NTP, didn't work.
2- I am trying right now only with the Management Server that is on the same network of the NTP...
Yes I understand, but the odd thing is that all the servers are configured to use this NTP.
The command ntpdate works for me too, but what doesn't work is the configuration itself.
We have here 4 Firewalls and 1 Management server, I tried NTP on all of them and it doesn't work.
Thanks for your help.
And yes, ntpdate is a hack that I'm not sure that I want to use.
Here are the commands that you sent:
ntpq> associations
ind assID status conf reach auth condition ...
Look at this right now:
ntpq> peers
remote refid st t when poll reach delay offset jitter
==============================================================================...
Yes I know, I already did and is attached to this post.
The problem is that CP send the traffic and the server responds.
Hmmmm, understood, we can do that.
But even with this, I wanted to understand why this is not working.
It cannot be blocked because it is on the same network, there is no Firewall.
Using this command, worked. But will not be synced every time, right?
If I get a problem with my manager, and the time changed, will be changed and not synced.
[Expert@smartcenter]# date
Tue...
I tried to use the IP too, but didn't try to use another server, since the customer just told me one single server for that.
I changed the version to 3, as I checked on tcpdump that the server was...
Yes, I already did. Didn't work.
Try this sk39268.
;)
Make sure you have enough disk space on /opt. At least 3.5GB
;)
Yes, I'm sure:
smartcenter> show ntp active
Yes
smartcenter> show ntp current
No server has yet to be synchronized
smartcenter> show ntp servers
IP Address Type ...
Is it just me or does someone else have the same problem?
I configured an NTP on Gaia but received this message:
"Time is set automatically via NTP
No server has yet to be synchronized"
I followed...
Removing all files inside this folder will not clear the overview of those blades.
I can reimage, but I believe it's easier to just remove the logs.
Hey everyone, I have a question about how to clean every log from the MGMT/FW after a Security Checkup POC. I already cleaned the Database from SmartEvent.
But I'm still able to see on overview...
Problem solved using:
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk61221
Thanks!
Hi all, I'm trying to configure a pppoe on my R77.20 Gaia, but for some reason it's not working at all.
The modem is configured to bridge.
Firewall get the IP correctly.
When I try to use the...
Chakapoint, thanks for the solution.
One question that I have and I use PRTG too, if I configure this and install the hotfix, can I monitor if the tunnel is up or down? If yes, I can integrate...
This setup must have a problem.
Because on FWB we need to have a meshed VPN with the 3 Firewalls.
And if I have another "FW D" I cannot share the same community on FWB, I needed to create...
Yes, I was thinking about that.
But possibly I got a solution for this with meshed.
I will write here:
Config on FW A
FW A - FW B (VPN Meshed)
VPN Domain:
- Is two ISPs
- I'm not using yet, its a new environment.
One question that I have is, the other peer needs to configure the OSPF too, right? If the other doesn't have ADN license? Is this a...
Hmm I will ask the client to call to MPLS ISP.
What kind of config they must do? I'm a little new in OSPF of CP and don't know how to config this.