CPUG: The Check Point User Group
Resources for the Check Point Community, by the Check Point Community.
Type: Posts; User: dbrown3611
cciesec2006:
Nice to see you posting. I've been out of CP for three years now, gave up the working world and joined the leisure class.
Curious to know about your PA experiences and the good/bad...
You may want to point the bean counters in your organization to PA financials... https://finance.yahoo.com/quote/PANW/financials?p=PANW
I would not be comfortable migrating to a company that has...
It appears you have "DNS Trap" enabled. Typically this is desirable; your requirements may dictate otherwise.
With DNS Trap active a detect is expected for the DNS server traffic. When the client...
Well, "other duties as assigned" prevented my testing yesterday. I did so today and have encouraging results. Thank you for the great insights Zimmie.
I now have an Excel error stating not...
Thank you very much!
I was using CP_R77_CLI_ReferenceGuide for command structure, they do not note the -z or -s switches, this is nice to know. I will be trying your string shortly and reporting...
SM225 running R77.30
Our logs roll over at midnight every day. A typical log file contains 6-7 million records and is approx 1.3 GB in size. Having a need to export multiple days of logs into a .csv...
Thank you for quick response.
Clarification regarding usage on R77.30:
- https://cpdbl.net/ shows recommended usages, some are incoming, some are outgoing.
- readme.txt states blocking is only performed inbound.
Can the...
That is attractive and thank you for pointing it out. We may well take that path if Outgoing traffic were also to be inspected (hopefully is still on the roadmap).
R77.30 in impacted environment, SMS Smart-1 225 and 5800 HA Clusters.
On April 5 SANS moved to a new TLS certificate and removed support for TLS 1.0, since that time the DShield block list has...
Correct, this is from SmartReporter.
https://www.cpug.org/forums/attachment.php?attachmentid=1390&stc=1
R77.30 in my environment.
In Definitions, Standard, Predefined, go to Content Inspection and User Activity. Under the Filter tab check Product, then select Specific Match Values for Check Point...
Used with good results in our environment (R77.30). As with the post by Zimmie, our heaviest usage is the integration with SmartEvent.
A couple of Check Point documents that may be useful:
- What is FW Monitor: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk30583
- R77...
Thank you for posting that information.
Thank you for the response.
- Packet captures have been taken, invalid characters have not been identified. It would seem this is the key to a solution.
- We have ASCII Only Request enabled,...
- Smart-1 225 SMS
- Two 5800 Active/Standby clusters
- All running R77.30 Build 092 with Jumbo HFA 286
In early August we enabled IPS protection for Non HTTP Traffic over HTTP port, immediately...
With recent news stating the US Government is headed towards banning Kaspersky products, I am seeking clarification on the A/V used within Check Point products. Specifically within R77 and R80...
I received a timely answer from Check Point 3rd-tier support late yesterday afternoon:
"I have consulted with escalations on this matter and we don't appear to have any documentation stating it but...
Do the other sites NAT your outgoing traffic behind the cluster VIP?
In your gateway object, under ClusterXL and VRRP, do the other sites have "Use Virtual MAC" enabled?
SMS Smart-1 25 running Gaia R77.30
12200 HA Cluster running Gaia R77.10
No third-party software installed.
Gateway enabled blades: FW, VPN, IPS, Anti-Bot, Anti-Virus, Monitoring, ClusterXL
SMS...
So Check Point would not allow our support partner to piggy-back my problem on SR 1-9374382131. A new SR was opened on June 8 for my issue, there were several requests for info but no resolution.
...
SK116255 is very nice, thank you for pointing it out.
To take a trip down memory lane, the FW Monitor documentation was also informative in detailing flows. Pages 14 and 19 from here were useful for...
Thank you Boaz.
I will submit the HKLM_registry.data info to my support vendor and have them reference SR 1-9374382131 for follow up with Check Point.
Correct, on the left is inaccurate information. For comparison, in this same environment I have an IP-567 running the same CP code (upgraded from IPSO 6.2 a couple of years ago, which is a story unto...
12200 Active/Standby Cluster, R77.10 Gaia Take 151
About 3 weeks back, using the WebGUI Status and Actions section, I updated this cluster from CPUSE version 1130 to 1283. Installed HotFixes are...
These are IP-560's; we have 7 active VRIDs on them, and a couple of years ago we had 15. These boxes will be replaced with 12200's later this year. The last of my devices running IPSO, and I will miss that...
laf_c,
Thank you for the feedback. I rebooted my standby member, then disconnected a cable from the primary member, failover occurred. I then rebooted the primary cluster member, re-connected...
So last week I bragged on CPUG about a couple IPSO boxes running in my environment that have been up for well over a year. That bragging seems to have jinxed me, I now have an issue with VRRP and...
Possibly the Index Size was inadvertently modified, see SK96546.
I still have a couple IP-560's in our ICS environment running IPSO 6.2. One has been up for 707 days, the other for 368 days.
These are scheduled to be replaced this year, I will be sad to see...
If you are licensed for "Application & URL Filtering", the Anonymizer category may be helpful for you. Tor is a defined application within that category.
Kind regards,
dbrown
Handy indeed, this will be very useful. Thank you.
Many years back I was involved with a project similar to yours. We got by without any dedicated A/C units but, given your location YMMV with this approach.
Keeping the generated heat isolated...
Nice, very nice! :)
Thank you. Feeling a bit embarrassed I did not try in Expert, was just searching in clish mode. Thanks again.
IP-567 Appliance, IPSO 6.2-GA083a02, R75.47
I have a requirement to report/monitor the status of IPS on IPSO box listed above. I am not finding a way to get this from the CLI. On my Gaia boxes,...
cciesec2006 is not a troll. His contributions to this site have been of enormous help to me over the years.
Kind regards,
dbrown
Thank you ShadowPeak and jflemingeds, good info for me to proceed with.
BTW, I checked and lsof not in IPSO.
Thank you jflemingeds, that is helpful. sockstat -4 is returning more than I wish, notably loopback at 127.0.0.1 and TCP high ports. Got rid of loopbacks with this, sockstat -4 | grep -v 127.0.0.1,...
That SK lists the ports that "could" be used by Check Point. My requirement is to report on and monitor the ports that "are" in use, generating an alert when a deviation occurs from my established...
IP-567 Appliance, IPSO 6.2-GA083a02, R75.47
12200 Appliance, Gaia R77.10
For NERC-CIP regulatory reasons I need to document and monitor open ports on devices in my environment. Streaming Unix...
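An added example of the port-baseline check described in the post above (not code from dbrown3611's post, nor from Check Point or IPSO). It parses `sockstat -4` output, keeps only bound listeners (foreign address `*:*`), which sidesteps the loopback and high-port noise mentioned in the follow-up without hiding the gateway's own high-numbered listeners, and diffs the result against a stored baseline to produce alerts. The sample sockstat lines, the process names, the port numbers and the baseline set are all constructed for illustration and should be treated as assumptions, not as a description of a real IPSO box.

```python
"""Compare listening ports from `sockstat -4` output against a baseline.

Constructed example for illustration; the sample output, process names,
port numbers and baseline below are assumptions, not captured from a
real IPSO appliance.
"""
from collections import namedtuple

Socket = namedtuple("Socket", "user command pid proto local_host local_port foreign")

# Constructed sample of `sockstat -4` output (FreeBSD/IPSO column layout assumed).
SAMPLE_SOCKSTAT = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       412   4  tcp4   *:22                  *:*
root     httpd      530   3  tcp4   *:443                 *:*
root     cpd        611   9  tcp4   *:18191               *:*
root     fwd        620   5  tcp4   *:257                 *:*
root     fwd        620   8  tcp4   10.1.1.1:257          10.1.1.9:41234
root     sshd       701   6  tcp4   10.1.1.1:22           10.1.1.50:50122
root     snmpd      333   3  udp4   *:161                 *:*
root     syslogd    211   4  udp4   127.0.0.1:514         *:*
root     telnetd    840   3  tcp4   *:23                  *:*
"""

# Assumed baseline of approved listeners: (protocol, port).
BASELINE = {("tcp", 22), ("tcp", 443), ("tcp", 257), ("tcp", 18191), ("tcp", 18211), ("udp", 161)}


def parse_sockstat(text):
    """Turn raw sockstat text into Socket records, skipping the header line."""
    sockets = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 7 or fields[0] == "USER":
            continue
        user, command, pid, _fd, proto, local, foreign = fields[:7]
        host, port = local.rsplit(":", 1)  # "*:22" -> ("*", "22"); IPv4 only
        sockets.append(Socket(user, command, int(pid), proto, host, int(port), foreign))
    return sockets


def listening_ports(sockets, ignore_loopback=True):
    """Return {(proto, port): {command, ...}} for bound listeners only.

    A foreign address of *:* means the socket is bound/listening; anything
    else is an established connection (the high-port noise) and is dropped.
    """
    result = {}
    for s in sockets:
        if s.foreign != "*:*":
            continue
        if ignore_loopback and s.local_host.startswith("127."):
            continue
        proto = s.proto.rstrip("46")  # tcp4 -> tcp, udp4 -> udp
        result.setdefault((proto, s.local_port), set()).add(s.command)
    return result


def compare_to_baseline(baseline, observed):
    """Produce one alert line per deviation from the approved baseline."""
    alerts = []
    for proto, port in sorted(set(observed) - baseline):
        owners = ", ".join(sorted(observed[(proto, port)]))
        alerts.append(f"ALERT new listener {proto}/{port} ({owners})")
    for proto, port in sorted(baseline - set(observed)):
        alerts.append(f"ALERT expected listener {proto}/{port} is gone")
    return alerts


if __name__ == "__main__":
    observed = listening_ports(parse_sockstat(SAMPLE_SOCKSTAT))
    for alert in compare_to_baseline(BASELINE, observed):
        print(alert)
```

IPSO has no Python, so in practice the `sockstat -4` output would be collected over SSH or shipped via syslog and this comparison run on the monitoring host; the baseline is whatever set of (protocol, port) pairs you approved when documenting the device, and both a new listener and a vanished one are reported since either is a deviation worth a ticket.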
Smart-1 225 Appliance, dedicated for SmartEvent/SmartReporter, R77.20
In some infrequent situations the SmartEvent device will cause a DoS in our environment. I have Network Quota enabled on our...
Update:
I changed my Phase 2 setting from AES-256 to 3DES, now working fine.
vonunov:
Thank you. I am curious as to why AES fails to work, but 3DES is acceptable.
These are my P1 and P2 encryption settings, no single DES, would you advise any changes?
Smart-1 25 Mgmt Server, R77.2, Gaia
IP-560 Active/Standby Cluster, R75.47, IPSO 6.2
Endpoint Security VPN Client, R80.41
Office Mode using static IP assignments.
This VPN solution is internal...
It has been several years since I performed this task, but I recall it as being straightforward and painless. Basically just followed the paint by number steps in the LogRhythm Help PDF file. Grab...
Security Management Server admin guides will give you a good overview of SIC. R75.4 is here:...
I have 2 independent SMS's, along with 10 gateways licensed for IPS. After sk102673 was updated on Thursday stating an IPS signature had been released...
SK102673 lists Gaia and SecurePlatform OS. My testing shows IPSO 6.2-GA083a02 also vulnerable.
Indeed, cut/paste error from me. The URLs in question were:
http://www.checkpoint.com/defense/advisories/public/updates/r634/update_info.html
and...
Cross-posted over on CPShared forum, just became aware this site is back, so asking here too.
This page seems to not be updated with new IPS protections:...
On my IPSO 6.2 boxes this command in the IPSO shell will show speed/duplex: 'ifconfig -a'
My IPSO 6.2 CLI reference guide states these commands in the CLI shell should show speed/duplex info...
If you are licensed for it, the URL Filtering blade could be of some use here, but you'll still have a few headaches. There are likely some number of sites in the "streaming media" category you want...
I received verification from my VAR that Kaspersky is the provider of the A/V definitions.
UTM-2076's and UTM-3078's, R71.3, a/v inspections of HTTP traffic enabled.
I seem to recall that the a/v in R65 was provided by Kaspersky. Is this still true for R71.x and R75.x releases?
My...
UTM-2070 and UTM-3070's
R71.3
URL Filtering Enabled
In the URL column in Tracker, the default field length appears to be 50. Anything beyond that is truncated with ...
Why was 50 chosen as...
I would maintain that segregation via VLAN's does not offer much in the way of security on its own. Other than as has been previously noted, you have the ability to isolate segments should an...
To add more to suggestion from alienbaby, this document will hopefully provide useful information on altering where in the chain monitoring takes place, have a look at page 19..... ...
After some initial adjustment to the new look I am liking it. A bigger font would be nice.
Kind regards,
dbrown
At the time we retired our IP530's they were running IPSO 4.2 and R62. These versions were supported by Check Point on that platform. R65 will probably run on a 530, but it was never officially...
I am speculating here, could it be possible CP is cautioning against using two switches simply interconnected by a port to port connection? That is the only sense I can make of the documentation.
...
Due to a support arrangement with a very capable VAR I never have to interact directly with CP TAC. But I am somewhat curious/confused by the above statements. Is this interpretation correct:
-...
cciesec2006:
Is there some compelling reason that you must buy support direct from CP? It sure appears they are not meeting your needs.
My support is from a VAR (headquartered in Kansas City)...
Both of you forgot to include fluency in TCP/IP. :)
Kind regards,
dbrown
Some time back I hunted for these files on my UTM-2076's running on R65. In my case the backup files were in path /var/log/CPbackup/backups/NGX_R65_/xyz.tgz
I had assistance from very capable...
If you need to use Office Mode for your users, the upcoming SR/SC release may not return you to normal.
Back in August I was on the same path as you, an immediate need for a 64 bit VPN client. I...
Thank you.
I may have a regulatory requirement coming up that will require an "acceptable usage" message be displayed when connecting to devices via the serial port. NERC CIP regs for those interested.
This...
Analog Visio, used heavily back in the overhead projector days if memory serves correctly.
This thread might be helpful to you. I had a similar issue with certain web sites not loading, increasing the http_buffer_size took care of the problem.
...
Thanks apachepro, that is good info.
Thanks belvdr, that UNIX guide is a nice reference.
Did you test that before posting, or use it successfully in the past? It did not work for me.
One of our Linux guys wandered by, so I grabbed him. He had me look in /etc/syslog.conf for...
UTM-2076's HA, Open Server SMS
All on R65 HFA40
IP560's HA and IP350 on R65 HFA01
When I SSH or HTTPS to my IPSO boxes there are log entries in /var/log/messages for the username and the...
Quote:
Originally Posted by plamy
Bozo filter added.
My opinion, the comments from both of you are shameful.
Interesting to me that Check Point is capable of 180° turns. First removing the waiting period between CCSA and CCSE exams, now this:
Check Point kills scareware-style pop-up campaign - The...
Ignore previous post, there is not a mismatch of the MD5 checksum. Confusion came about due to my lack of understanding of the GUI operation. Save to desktop and save to appliance are two different...
UTM-2076's Active/Standby
NGX R65 HFA40
Using the GUI to perform a backup to desktop. When I compare the MD5 of the file on my desktop to the file located here there is a mismatch: [UTM-2]# pwd...
Congratulations to you! Nice way to start off the holiday weekend.
Kind regards,
dbrown
Thanks lammbo, that is good info.
All I need is Win7 64-bit support, IPsec and OM, none of that other crap for me either. :)
I'll get on with my testing....
Regards,
dbrown
Page 25 of this document is what led me on the path of needing the plug-in:
Check Point Software Technologies: Download Center
If you choose to install HFA40 on the VPN-1 gateway without...
I need to support remote users that have Win7 as their OS, 32 and 64 bit. R73 Endpoint Connect Discovery product was recommended to me by the regional Check Point sales rep. I have the client .msi...
SANS diary entry announcing the change, and further details, can be found here:
Changes to Internet Storm Center Host Name
Kind regards,
dbrown
For myself, it usually means my glass is twice as large as it needs to be.
Kind regards,
dbrown
I am also seeing this on my UTM-2076's, running R65 HFA40.
Have a look at this thread:
http://www.cpug.org/forums/check-point-ip-appliances-ipso-formerly-nokia/11572-what-kind-ram-do-old-ip260-ip350-take.html
Regards,
dbrown
I received an email from SANS today regarding CISSP online instruction. It may be of interest if you have the funds available. See here for the details: SANS vLive! - MGT414 - Eric Conrad
They...
So, New Zealand is truly Nirvana! :)
Thanks to all for the comments, much appreciated.
Regards,
dbrown
UTM-2076 HA, NGX R65 HFA40
IPsec users running SecureRemote (not SecureClient)
I have been requested to disable split-tunneling for my SR users. Request is based upon an article recently read by...
On my IPSO 4.2 boxes I use CLISH, then enter "show route" at the prompt.
Fully agree with the above, sage advice.
SANS has some comment today about DNSSEC going live... DNSSEC...not a bang but a whimper?
They also provide a link to a good article written by the ISC...
My opinions:
- From an admin side CP is less complex than Cisco, is that not a CP marketing point? The underlying CP code is perhaps more complex to get this ease of administration, I would...
manuadoor:
If you have not read it already, another reference that may be of interest to you is the NGX Advanced Technical Reference
Guide, located here:...
This is correct: NAT occurs after outbound inspection (o), not between (I) and (o). IP routing occurs after NAT operations. If after NAT operations your packet has no defined path in your routing...
In my environment we provide wireless access to two distinct groups of users, internal and guests. Guests having internet access only, no permissions to access any internal resources.
The AAA is...
Some of your conclusions may be in error. I added some comments to your statements.
See this Nokia white paper for a good read on FW Monitor:...
I have different hardware and enabled features:
UTM-2076's HA, NGX R65 HFA_40, A/V enabled, URL content filtering enabled, "lots" of SmartDefense protections.
Like you, I experience problems...
I apologize for being off-topic, but lammbo started it. :)
It is worth noting that while Cisco sells hardware, they are a software company. Fact is, nearly all of their manufacturing is...
I don't believe "top" will work for you on IPSO, good for SPLAT machines though. It does not work on my IPSO 4.2 boxes.
ps -auxww should give the output you're looking for.
Regards,
dbrown
UTM-2070 HA Cluster, NGX R65 HFA40
For several months I've had a nagging issue of a couple web sites not loading for some people. Notably cisco.com IOS download page and dell.premier.com. No...