CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.


First, I hope you're all well and staying safe.
Second, I want to give a "heads up" that you should see more activity here shortly, and maybe a few cosmetic changes.
I'll post more details to the "Announcements" forum soon, so be on the lookout. -E

 

Search:

Type: Posts; User: jeronimo

Search: Search took 0.00 seconds.

  1. Replies
    0
    Views
    5,549

    Logging Histogram in R80

    Hey,
    Does someone know how to activate the histogram in log viewer as we know it from previous releases?
    I always thought it gave a good feeling on the history of my query.
    It seems to have...
  2. Replies
    26
    Views
    7,475

    Re: URL filtering, is this a joke?

    Hey, Thanks for your effort, but still:

    It's unbelievable, either they don't get it or they just don't care. Both are not good for a security company.

    If they really want to use regular...
  3. Replies
    26
    Views
    7,475

    Re: URL filtering, is this a joke?

    Yeah, definitely what's in the sk article won't work.
  4. Replies
    26
    Views
    7,475

    Re: URL filtering, is this a joke?

    The mode applies to the text you apply it to. You had five possible matches (in five lines), and even though your regex only matched the first, you would never have seen if one of the others had...
  5. Replies
    26
    Views
    7,475

    Re: URL filtering, is this a joke?

    Your example also isn't entirely correct BTW; in the example you provided you didn't use multi-line mode so it wouldn't have matched anything beyond the first line anyway

    See here:...
  6. Replies
    26
    Views
    7,475

    Re: URL filtering, is this a joke?

    You didn't read all I wrote. The caret means a caret when used in non-regex mode, nothing more and nothing less.

    Non-regex mode: example.com
    Regex mode: ^example\.com

    What they wrote in the sk...
  7. Replies
    26
    Views
    7,475

    Re: URL filtering, is this a joke?

    I've taken a look at the update and it still seems strange. They write you should use:
    ^example.com, and
    .example.com

    I'm not sure what the caret does there, because usually that's part of a...
  8. Thread: Skype

    by jeronimo
    Replies
    13
    Views
    3,641

    Re: Skype

    I agree that only having to add STUN manually to the rule is not a disaster.

    From a security point of view, I was however wondering if that would not mean that STUN would be allowed for every...
  9. Thread: Skype

    by jeronimo
    Replies
    13
    Views
    3,641

    Re: Skype

    Well, yes I can but it doesn't help. I tested the following:
    I cloned the Skype service and since you can't customize the existing rules, I just used "Any" service for detection in the cloned Skype...
  10. Thread: Skype

    by jeronimo
    Replies
    13
    Views
    3,641

    Re: Skype

    So I contacted support and they suggested to include a whole bunch of apps, Microsoft Office, Outlook and what not to solve this.

    Is this how application control is supposed to work? I.e. if I...
  11. Thread: Skype

    by jeronimo
    Replies
    13
    Views
    3,641

    Re: Skype

    Thanks for the explanations.

    It's not about a user who has configured something strange. It's users demanding to use Skype so I was testing myself beforehand. I didn't have Skype installed so I...
  12. Thread: Skype

    by jeronimo
    Replies
    13
    Views
    3,641

    Re: Skype

    To be safe I carried out a manual update of the APCL database.

    The logo is still missing and the match rules show in a different order, however they are the same as you show in your screenshot....
  13. Thread: Skype

    by jeronimo
    Replies
    13
    Views
    3,641

    Re: Skype

    This is the policy
    1370

    And this is what the resulting log looks like
    1371

    As you can see, the "high port" connections, clearly related to Skype, don't seem to be caught by the rule supposed...
  14. Thread: Skype

    by jeronimo
    Replies
    13
    Views
    3,641

    Skype

    The goal is to allow Skype and only Skype (voice, chat and all) (the consumer version). Naive as I am, I thought this would be no problem with our new, bright and shiny firewalls.

    So I created an...
  15. Replies
    26
    Views
    7,475

    Re: URL filtering, is this a joke?

    If anyone asked me how I would want it to be, I'd say: Do it like ProxySGs:

    If the host specified is a domain name, all hosts in that domain (or any subdomain) will match. If a path is specified,...
  16. Replies
    2
    Views
    1,832

    Re: Annoying "Query Failed" on Logs tabs

    I am experiencing similar things...

    While I was trying to construct a view with a statistical table to show most hit rules (since that report from R77 is gone in R80), I was wondering why there...
  17. Replies
    26
    Views
    7,475

    Re: URL filtering, is this a joke?

    I see you mean this: https://sc1.checkpoint.com/documents/R77/CP_R77_ThreatPrevention_WebAdmin/102417.htm#o101841

    The meaning of the asterisk ( * ) depends on its use.
    In regular...
  18. Replies
    26
    Views
    7,475

    Re: URL filtering, is this a joke?

    Oh and BTW once you're in with regexes, who says that "\.example\.com" wouldn't match "x.example.com.bla"?

    To be on the safe side you'd have to make it
    ^(.*\.|)example\.com$
  19. Replies
    26
    Views
    7,475

    Re: URL filtering, is this a joke?

    What do you call "standard"? How would you define *.example.com without a regex?
  20. Replies
    26
    Views
    7,475

    Re: URL filtering, is this a joke?

    Forget my remark, you are right of course. I didn't immediately get the point you were making.

    It remains a pain anyway. To solve this you'll have to go to regex mode and include two URLs:
    1)...
  21. Replies
    26
    Views
    7,475

    Re: URL filtering, is this a joke?

    Yeah but if you want the base domain to match, you don't want ".example.com" to match but only "example.com".
  22. Replies
    26
    Views
    7,475

    URL filtering, is this a joke?

    Hey,

    Say I simply want to allow access to example.com and all of its subdomains. From what I read in sk106623 this is pure horror:

    1) You have to enable regex filtering for a task trivial as...
  23. Re: MTU issues: packets are always fragmented by firewall!

    [Expert@ckpt:0]# ethtool -S eth5 | grep -e err
    rx_crc_errors: 0
    rx_missed_errors: 0
    tx_aborted_errors: 0
    tx_carrier_errors: 0
    tx_window_errors: 0
    tx_deferred_ok: 0...
  24. Re: MTU issues: packets are always fragmented by firewall!

    I can't confirm that on our new 5600 appliances.

    These people at Cisco also don't think about it the way you describe:...
  25. Re: MTU issues: packets are always fragmented by firewall!

    For this to make misconfigurations have no effect in 100% of the cases you would need to set MSS ridiculously low, which is probably not a very optimal solution ;-)

    The problem is clear now: R7720...
  26. Re: MTU issues: packets are always fragmented by firewall!

    I don't know what exactly they're running on the network(s) behind the interface with the lowered MTU, there are probably tunnels and crypto and stuff.

    They do clamp the MSS, but that doesn't help...
  27. Re: MTU issues: packets are always fragmented by firewall!

    That's it. The MTU discrepancy on the link was at fault. In fact the old appliance running R77 was also at fault because it should never have let the traffic pass.

    The new appliance with R80...
  28. Re: MTU issues: packets are always fragmented by firewall!

    Ehm. What does this have to do with R7720 forwarding packets larger than the interface MTU? (as it seems)
  29. Re: MTU issues: packets are always fragmented by firewall!

    R8810 JHF56 was installed all the time.
  30. Re: MTU issues: packets are always fragmented by firewall!

    The core issue is that when we go from R7720 to R8010 (from old to new appliances with imported configuration), things break related to the interface with lesser MTU.

    Having rolled back to R7720...
  31. Re: MTU issues: packets are always fragmented by firewall!

    No worries :D

    We're currently running R77 again (it's 7720 not 30) and I see MSSs of 1460 all over the place, so I don't think there is any clamping there, except for the remote network sending...
  32. Re: MTU issues: packets are always fragmented by firewall!

    Ah, the basic uploader works.
    1364
  33. Re: MTU issues: packets are always fragmented by firewall!

    Here's a magnified screenshot... https://i.imgur.com/MURK95J.jpg
  34. Re: MTU issues: packets are always fragmented by firewall!

    There are two things I don't understand for now:

    1) Look at the following packet capture which consists of two simultaneous remote mirrors, one in front (1.2.3.1) and one behind (1.2.3.2) the...
  35. Re: MTU issues: packets are always fragmented by firewall!

    It won't help with UDP traffic, but that is not the point anyway.

    I am still looking for differences concerning MTU and fragmentation behavior between R7720 and R8010.

    I am investigating this...
  36. Re: MTU issues: our R7720 and R8810 behave differently concerning fragmentation

    I'm so sorry, my approach at tackling this was entirely wrong and I pointed you in the wrong direction.

    The first capture was taken on the server, apparently before segmentation takes place....
  37. Re: MTU issues: packets are always fragmented by firewall!

    Oh and yes, it's a static nat.
  38. Re: MTU issues: packets are always fragmented by firewall!

    There you go.

    > fw ctl pstat

    System Capacity Summary:
    Memory used: 6% (106 MB out of 1617 MB) - below watermark
    Concurrent Connections: 29% (13096 out of 44900) - below watermark
    ...
  39. MTU issues: our R7720 and R8810 behave differently concerning fragmentation

    Hey,

    Today we had MTU problems biting us in the ass. It turns out our old appliances running R77.20 do not seem to care about the DF bit, and they were always fragmenting the packets. Why?
    ...
  40. Re: A/P ClusterXL ARPs using member address instead of cluster

    Well, linking it with a Cisco device on the other end will probably give you this: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk44898
    ...
  41. Re: A/P ClusterXL ARPs using member address instead of cluster

    Because we had problems with VRRP before, and they suggested we at least go from IPSO VRRP to ClusterXL while leaving VRRP, in order not to replace old problems with new ones :)

    Yeah, that...
  42. Re: A/P ClusterXL ARPs using member address instead of cluster

    The question is: Why are the ARP REQUESTS sent using the individual cluster MEMBER IP?

    Let me illustrate what I think is happening.

    Network A: 192.168.1.254/29
    Network B: 192.168.1.253/30...
  43. Re: A/P ClusterXL ARPs using member address instead of cluster

    Well, it's ClusterXP but also VRRP (see attach).

    1146

    TBH I don't get what you mean with Proxy ARP. I don't think there is any need for Proxy ARP here. I was just wondering why the (local) ARPs...
  44. A/P ClusterXL ARPs using member address instead of cluster

    Hi all,

    We have a two-member active/passive ClusterXL setup in VRRP mode (Gaia R77).

    We were wondering why replacing a legacy stand-alone router with the Checkpoint as router/firewall wasn't...
  45. Re: GAiA R77.10 + HFA Take 131 - ClusterXL - routed crashed when bootp enabled

    Hi,

    Thanks for the detailed description. They will always help someone out there. I was just trying to draw potential parallels with our problems that started similarly (and where I made progress...
  46. Re: GAiA R77.10 + HFA Take 131 - ClusterXL - routed crashed when bootp enabled

    Hi,

    Do you mean you have to reboot the switches you're connected to in order to fix the firewall?

    How did you fix that issue in the end? Did you update the switches? Or was there finally a fix...
  47. Re: IP290 Gaia R77.20 VRRP backup becomes master problem

    FYI I may have found something.

    It turns out that issuing SNMP requests during a failover will bring routed to a halt.

    Do not try this at home: Start an snmpwalk loop over the VRRP MIB from...
  48. Re: GAiA R77.10 + HFA Take 131 - ClusterXL - routed crashed when bootp enabled

    Hey,

    I don't have any answer for your issue, but we have a similar scenario with ClusterXL (VRRP mode).

    Gaia R77.20 with very late JHF: routed crashing all over the place and nobody having any...
  49. Re: accessing NATed internal IP from outside not working (no translation happening)

    What you write makes sense.

    Maybe there were errors in the NAT before but the final config was OK. I also see correct translations. All ICMP packets are logged (except from some monitoring servers...
  50. Re: accessing NATed internal IP from outside not working (no translation happening)

    It's off already, so, unfortunately no incorrect output.

    That's exactly what I meant.

    I didn't know there was a setting like that, unfortunately it is enabled already.
  51. accessing NATed internal IP from outside not working (no translation happening)

    Hi,

    I have NAT problems.

    Outside clients are: 172.17.7.0/24
    Inside addresses are: 10.30.x.x
    Inside NATed addresses are: 172.29.255.x

    I have the following NAT rules
  52. IP290 Gaia R77.20 VRRP backup becomes master problem

    Hi all,

    We have problems where the backup VRRP routers of one of two IP290s running Gaia R77.20 becomes VRRP master thus trashing the network until we power it off.

    It seems to be related to...
  53. Replies
    2
    Views
    2,787

    Anti-spoofing config questions

    Hi,

    Checkpoint R71.30 here (yeah I know we'll upgrade soon).

    I have an issue completely understanding anti-spoofing config:

    1) I create a group that I assign to the cluster interface's...
  54. Replies
    14
    Views
    15,372

    Re: Checkpoint VRRP failover issues

    The funny thing is, doesn't matter if I capture on the tagged (ethXcY) or parent interface (ethX), I always need to specify 'vlan' and the packets always look as if they are tagged, and even when...
  55. Replies
    14
    Views
    15,372

    Re: Checkpoint VRRP failover issues

    There simply seems to be a problem with tcpdump capturing tagged vrrp packets:

    # tcpdump -s 9999 -i eth2c1 'vrrp'
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode...
  56. Replies
    14
    Views
    15,372

    Re: Checkpoint VRRP failover issues

    Okidoki,

    I have now made headway.
    First some VLAN config on the switches was wrong. Damn, who made those? ;-)

    But it was only marginally wrong like:
    VLAN a -> port x untagged (oups)
    VLAN a...
  57. Replies
    14
    Views
    15,372

    Re: Checkpoint VRRP failover issues

    Hmm, I don't get this part. Using tcpdump, I am sniffing the wire, am I not? So if checkpoint would block the outgoing HELLOs, and that would be the reason why tcpdump doesn't show them, why would...
  58. Replies
    14
    Views
    15,372

    Re: Checkpoint VRRP failover issues

    Thanks cciesec2006 for your opinion.
    Indeed I too believe this is rather network than firewall related.

    However, I still wonder why I don't see what I'd like to see using tcpdump which doesn't...
  59. Replies
    14
    Views
    15,372

    Re: Checkpoint VRRP failover issues

    Not seeing packets because they get lost on the network is one thing, seeing packets on one Checkpoint incoming but not seeing them being produced/outgoing on the other checkpoint is what worries me....
  60. Replies
    14
    Views
    15,372

    Checkpoint VRRP failover issues

    Hi there,

    First let me say that I don't possess the 100% knowledge about the Checkpoint products. Yet, so far, I have managed to find my way around. Bear with me.

    Now to our setup and the...
  61. Replies
    2
    Views
    1,791

    Re: log file filter on command line

    Meanwhile I'm exporting to an SQL database and do the filtering there.

    How I do this:

    First you export the logs to CSV format as I said and get them onto your DB machine.

    Here's how I import...
  62. Replies
    0
    Views
    1,184

    Voyager syslog

    Hi there,

    I was wondering how to make syslogging more verbose.
    Currently the only stuff that gets logged (syslog) seems to be SSH logins and the like (= OS level).
    Now how do I enable logging of...
  63. Replies
    2
    Views
    1,791

    log file filter on command line

    Hi there,

    when I'm doing audits I apply certain filters (query) in SmartView Tracker to the logging data to preprocess false positives.

    Now I'm trying to automate this, i.e. mail me the...