CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.



 


Type: Posts; User: Izzio


  1. Somebody knows how to export data from smartview monitor

    Hi,

    maybe somebody knows if it is possible to export in CSV form the information (gateway name, version, license key, etc.) shown by the smartview monitor?

    Any feedback is appreciated.
    ...
  2. Re: R65 SMC Upgrade: better to R70.40 or to R71.10?

    Thanks everybody for your feedback.

    Since I have to migrate this month and I have about 24 gateways worldwide still working with R61 (no longer supported by R71), I will migrate to R70.40.

    Ciao...
  3. R65 SMC Upgrade: better to R70.40 or to R71.10?

    Hi everybody,

    if someone can give me some "real life" feedback (...the answer of CP is clear ;) about the topic above I will appreciate it.

    Thank you!
    Maurizio
  4. Re: Check Point R65 (Solaris) to R71.10 (SPLAT) Guide

    I've tried it in my lab and it doesn't work :-(

    An additional "configuration file" is requested by the Import tool of R71.1
    ...so this tool seems not to be compatible with the result of the...
  5. Re: Check Point R65 (Solaris) to R71.10 (SPLAT) Guide

    ...thank you for the detailed description!
    If I have understood correctly, you set up an R65 2.6SPLAT system, import the DB from your R65 Solaris system, and after that you upgrade to R71.10.
    Question:...
  6. Re: Network access issue using "generic" profiles and external user DB.

    ...it could work ;-) I will test it.
    Thank you again!

    Maurizio
  7. Re: Network access issue using "generic" profiles and external user DB.

    Thanks ...but it doesn't match my issue.
  8. Network access issue using "generic" profiles and external user DB.

    Sorry for the long title and the long text;-)

    In an environment with R65 GW and R60HFA2 SC, I have the following situation:

    1. About n-thousand SC internal users that need access to the internal...
  9. Thread: Match for Any

    by Izzio
    Replies
    4
    Views
    5,882

    Re: Match for Any

    1. ...it is better to have only one service object per port that is matching to "any".
    2. If you have applications that are working on port tcp/21 but are not using the FTP protocol, then I suggest...
  10. Replies
    9
    Views
    3,077

    Re: Downgrade R71 to R70.40 ?

    FYI ...the R71.10 upgrade_export/import tools seem not to be compatible with the same tools of the versions before R71.10 :-(

    ...I've tried to import a DB from R70.40 to R71.10, result: the R71.10...
  11. Replies
    4
    Views
    3,239

    Re: SPLAT password recovery

    Hi!

    In order to "Recover/Change" the password on SPLAT there is at least the following method:

    #1: boot up with CentOS 5.3 CD1 iso. Go to "F5" for rescue, then enter "linux rescue"
    #2: do...
  12. Thread: SmartCenter log

    by Izzio
    Replies
    4
    Views
    2,314

    Re: SmartCenter log

    ... setting it up in the smartdashboard, on the smartcenter object under "logs and masters", to automatically delete the "old" logs could be a good idea.

    Ciao
    Maurizio
  13. Replies
    3
    Views
    2,669

    Re: Checkpoint UTM-1 & Netscreen N25

    ...sk39419 maybe will help you.

    Ciao
    Maurizio
  14. Replies
    2
    Views
    1,244

    Re: Mixed Platform Environment (Splat & Appliance)

    ...on UTM or Power Appliances you will find the same OS (SPLAT) so considering the management I don't see big differences from an HP server with SPLAT.

    The EDGE appliances (for locations up to...
  15. Replies
    9
    Views
    2,288

    Re: Power supply issue

    ...the box can work with 9VAC or with 12VDC and until now this problem has occurred only with 9VAC power supplies (with the newer boxes no longer delivered by CP ...coincidence?;)

    We think that...
  16. Replies
    9
    Views
    2,288

    Power supply issue

    Hello!

    In the last 4 months, out of over 50 Edge installations, 3 original CP power supplies in 3 different countries got damaged.

    Does somebody know of any issue in conjunction with the Edge power...
  17. Re: How to set Edge "service center" in a HA Management environment?

    Thank you!

    I'm playing the situation in my lab and it doesn't really work (logs are still sent to the standby mgmt="service center" and over LSM it is not possible to push the policy)

    ...but I...
  18. How to set Edge "service center" in a HA Management environment?

    Hello!

    Does somebody know if it is possible to define on the Edge a "secondary" service center?

    Issue: After a Firewall Management failover the Edge has no idea about the secondary smartcenter and...
  19. Replies
    3
    Views
    4,762

    Re: CLI Command for HA Status

    -> "I've not got Mgmt HA set up in VM so I can't verify. Do post back if this works for you."

    ...it works! Thanks!

    cpstat mg

    Product Name: Check Point SmartCenter Server
    Major version: 6...
  20. Replies
    7
    Views
    2,093

    Re: R70.1 or R65 with HFA04

    ...is R65 HFA_50 already available?
  21. Replies
    4
    Views
    1,495

    Which is the CP VPN Client product strategy?

    I have to think in the medium term about how to replace our SecureClient infrastructure and at the moment I'm a "little bit" confused about CP VPN Client (here with focus on mobility/connectivity and not...
  22. Re: Automatically Remote Access Entry Point Selection

    Thank you very much for your feedback!
  23. Re: Automatically Remote Access Entry Point Selection

    I've read the online help and the documentation but I haven't found how to set up SC in a way that it will automatically choose the entry point depending on a "First to respond" procedure.

    Reading...
  24. Re: VPN from R65 to R61 is up, ping does not get through

    ... Encryption Domain mismatch?
    Are the ICMP packets encrypted at R65 and decrypted at R61?
    What does it look like the other way round?
    What about other protocols?
    What happens if you...
  25. Re: Bypassing SecureClient when connected to Local Network

    ... the connection is probably blocked by your desktop security policy.

    I normally allow on the client the bidirectional connection between the encryption domain and "All Users@any" on any...
  26. Automatically Remote Access Entry Point Selection

    Hello everybody!

    For a worldwide network I'd like to setup three remote access points (MEP) one for each network region (Europe/Africa, America, Asia/Pacific) it means that by the SecureClient I...
  27. Re: VPN client cannot access new network.

    ...in the global properties -> Remote Access you can automate the Topology Site Update.

    During the "Site Update" the client fetches all networks of the Gateway Encryption Domain group...
  28. Replies
    9
    Views
    2,200

    Re: Perfect Forward Secrecy

    it depends on the platform you are going to use ...just try it.

    Some years ago I had stability problems with a VPN tunnel established between a CP 4.1 gateway and a CP R55 gateway that were...
  29. Replies
    9
    Views
    2,200

    Re: Perfect Forward Secrecy

    ...I see at least two reasons:

    - better gateway performance (-> less load)
    - better interoperability with "no Check Point" gateways or with different SW releases.

    Ciao
    Maurizio
  30. Replies
    5
    Views
    1,960

    Re: Remote management using https

    ...on the internal interface try to use HTTP.
  31. Replies
    11
    Views
    2,539

    Re: FW-1 Encryption Module

    ...ehm it looks like our SC license is a little bit oversized ;-)

    cpstat polsrv -f default

    Status Full Description: Policy Server is up
    Licensed users: 4294967294
    Connected users:...
  32. Thread: Core Dump File

    by Izzio
    Replies
    1
    Views
    2,873

    Core Dump File

    Does anybody know how (I mean with which tool) it is possible to read a core dump file?

    Any feedback is welcome!

    Thanks!
    Maurizio
  33. Replies
    5
    Views
    1,809

    Re: Problems Pinging Cluster Address

    ...following parameter:

    fw_allow_simultaneous_ping=1

    in fwkern.conf could maybe help.

    For more details please refer to the dedicated SK.

    Ciao
    Maurizio
  34. Re: Cluster XL: Found another machine with same cluster ID...

    ...if you have two different clusters connected over a common VLAN then you need to change on one cluster the magic MACs in fwkern.conf ...there is surely a detailed SK about it.

    Ciao
    Maurizio
  35. Re: Meaning of the column "Context" by the "Where Used..." dialog box

    ...Thank you very much for your detailed answer!

    Ciao
    Maurizio
  36. Thread: R65 and UTM-1

    by Izzio
    Replies
    11
    Views
    3,854

    Re: R65 and UTM-1

    ...a "NO NAT" rule before the "Hide NAT" to the Internet should help with this...

    roughly as follows:

    src dst NATsrc NATdst

    intern intern original original
    intern any Hide-GW ...
  37. Replies
    6
    Views
    2,322

    Re: Licence IP counting

    ..."internal interface" is every interface that is not defined as "external"
  38. Replies
    2
    Views
    6,029

    Re: Howto restart Edge from CLI?

    ...from Check Point Embedded NG CLI Reference Guide V5.pdf:
    "The reset gateway command is used to reboot the Embedded NG appliance."

    Ciao
    Maurizio
  39. Meaning of the column "Context" by the "Where Used..." dialog box

    Does somebody have an idea about the meaning of this column?

    Starting a "Where used..." on a particular network "network object" (I think it was created automatically) I see that this object is...
  40. Replies
    6
    Views
    4,417

    Re: Encryption Domain with Exclusion Group

    Do you know about any SKs regarding this issue?

    In NAT rules it is not allowed to use Exclusion groups ...but I haven't found any article about encryption domain.

    Thanks!
  41. Replies
    6
    Views
    4,417

    Encryption Domain with Exclusion Group

    I've tried to exclude some subnets from a Class-B Group using an Exclusion group and then use the result as encryption domain.

    After that the R65 Gateway didn't really recognize its encryption...
  42. Replies
    3
    Views
    1,320

    Re: Help of checking up module by CLI

    ->1: perhaps over the license string? -> cplic print
    ->2: ...
    ->3: cpstat fw

    Ciao
    Maurizio
  43. Replies
    4
    Views
    5,786

    Re: need to find out NIC Product Name

    ethtool -i <NIC name>

    examples:

    Intel Pro/1000:

    ethtool -i eth1

    driver: e1000
    version: 7.3.15-NAPI
  44. Replies
    5
    Views
    2,639

    Re: Libsw 737 (-> 8.0.36)

    Thank you very much for your feedback.

    @Stretch: Purely for budget availability reasons we are implementing Edge devices at all locations with fewer than 50 people, and particularly in this period...
  45. Replies
    5
    Views
    2,639

    Re: Libsw 737 (-> 8.0.36)

    I'm not enthusiastic about updating the firmware remotely on many boxes if this is not really necessary ...and I've not found any document from CP or Sofaware saying that the libsw release 737 are not...
  46. Thread: R65 and UTM-1

    by Izzio
    Replies
    11
    Views
    3,854

    Re: R65 and UTM-1

    ...to which email address?

    Ciao
    Maurizio
  47. Thread: R65 and UTM-1

    by Izzio
    Replies
    11
    Views
    3,854

    Re: R65 and UTM-1

    Please check whether the following host route exists on the router (=x.x.x.5):

    x.x.x.4/32 -> x.x.x.6

    and whether the following NAT is configured on the FW (=x.x.x.6):

    src dest ...
  48. Thread: R65 and UTM-1

    by Izzio
    Replies
    11
    Views
    3,854

    Re: R65 and UTM-1

    What is needed is either
    1. a host route on the Internet router to the FW GW for the public IP of the SC (recommended)
    or
    2. local.arp on the FW GW with the Ext. NIC MAC and the public IP of the SC...
  49. Replies
    0
    Views
    1,208

    Desktop Policy Download Failed

    Hello!

    I've a couple of clients that cannot download the desktop policy from the policy server. The VPN connection is successfully established but the client has no FW protection. By the...
  50. Re: help with cleaning up un-used objects in SmartCenter

    Tufin SecureTrack is a great tool to find out unused rules and object utilization inside the rules but it isn't free ...during a 30-day evaluation period it is possible to do a good clean-up session...
  51. Replies
    5
    Views
    2,639

    Libsw 737 (-> 8.0.36)

    Hi,

    I've implemented the newest Libsw (737) in the lab, and after I installed a policy on a VPN-1 Edge X working with the firmware 5.0.92, the box was no longer reachable from the Smartcenter and...
  52. Thread: Sys_message

    by Izzio
    Replies
    0
    Views
    2,128

    Sys_message

    I've a clusterXL HA new mode SPLAT R61 HFA01 installation and for some days the active member has stopped sending log information to the R65 smartcenter.

    The last log record was:

    sys_message:...
  53. Replies
    2
    Views
    1,396

    Re: Securing VPN connectivity..

    ...if I have understood your issue correctly, then you can "label" your asset with a "secret" RegKey (users shouldn't have the right to view the registry) and then use SCV to check for the presence of this key.
  54. Re: Packet Processing Order? NAT > Rulebase > Route ???

    ...a little bit more exactly and in case the SYN packet is accepted:

    Packet IN -> AS -> Rule base (Connection Table) -> NAT for destination -> Routing -> NAT for source -> (NATTed) Packet OUT ...
  55. Replies
    12
    Views
    3,669

    Re: UTM SSH password prompt after 20 Seconds

    ...just remove the DNS servers and the login should go more quickly.
  56. Firefly M8 on IBM 3650 series with Intel Quad-Card PT PCI-Express

    Hello,

    for a couple of weeks we have been using an additional port of the intel quad-card PT (PCI-Express) installed in our firefly M8 clusterXL and from time to time this port seems to go crazy.
    ...
  57. Replies
    6
    Views
    2,330

    Re: Edge X16 IP Conflict

    I've had the same problem for a couple of days on VPN-1 EDGE X32 with 6.0.63 firmware.

    The LAN behind the box is reachable ...but one IP of it is not!
    Activating the sniffer on this IP as DST the...
  58. Replies
    5
    Views
    3,024

    Re: SPLAT interface numbering

    back to the original question: when disabling the on-board cards, eth0 & eth1 will surely be assigned to a quad card, and adding or removing interfaces on splat could cause an interface renumbering.

    Ciao...
  59. Replies
    7
    Views
    2,741

    Re: Nokia sells their security line..

    ...strategy of my company:

    for locations with less than 50 people Edges (low concurrent session limit can be here an issue) else SPLAT on HP or IBM servers or better (=cheaper:) UTM appliances. ...
  60. Replies
    2
    Views
    2,257

    Re: NGX secure remote/client

    The last version I think is called "NGX R60 HFA2 Suppl.2 (Build 052)" and it works with both NGX and NG gateways.

    Ciao
    Maurizio
  61. Replies
    6
    Views
    2,651

    Re: mii-tool and ethtool

    don't ask me why but mii-tool without arguments shows only the first 8 nics.

    On systems with >8 nics I usually create an "emii-tool" script containing the following line (i.e. 12nics):

    mii-tool...
  62. Replies
    5
    Views
    1,623

    Re: clusterXL both servers active

    To be honest I've never seen this situation before ...some questions:

    Have you upgraded the Smartcenter to R65 too?

    Can you install the policy on both members without problems? (if a member has...
  63. Replies
    6
    Views
    1,687

    Re: Automatic object creation from text file

    It is the tool of Martin Hoz that can be useful for importing/exporting objects over the dbedit interface to/from the CP object repository DB.

    Best just google and you will find it with a detailed...
  64. Replies
    6
    Views
    1,687

    Re: Automatic object creation from text file

    ofiller (based on dbedit interface) can help you with this task.
  65. Thread: Default route

    by Izzio
    Replies
    2
    Views
    1,933

    Re: Default route

    Default route = The IP set as default gateway by the "internet" interface.

    Ciao
    Maurizio
  66. Re: ClusterXL load sharing SPLAT performances issue

    About point 5:
    I've implemented CoreXL (Firefly M8 "appliance") in our production environment 2W ago and till now I've a very good impression about it.
    The load is distributed equally to all...
  67. Replies
    5
    Views
    2,112

    Re: smartdashboard crash

    No. Reading the release notes it doesn't seem that this HFA addresses the problem ...anyway I will try it.
    Thanks!
    Maurizio
  68. Replies
    5
    Views
    2,112

    Re: smartdashboard crash

    Thanks for your feedback. No HFA installed on the smartcenter ...but it looks like a smartconsole issue.
  69. Replies
    5
    Views
    2,112

    smartdashboard crash

    Maybe it is interesting to know that using smartdashboard R65, when I try to create a "host" object directly from a group object, the Smartdashboard crashes.

    Creating the object in any others...
  70. Replies
    4
    Views
    2,354

    Re: SmartView Monitor - settings lost

    @Dantro: Thank you very much for your help!
  71. Replies
    6
    Views
    2,333

    Re: Searching for CoreXL documentation

    Just check following links:

    Check Point Software Technologies: Download Center
    User guide

    Check Point Software Technologies: Download Center
    Advanced configuration guide

    Check Point...
  72. Thread: Intro to NAT

    by Izzio
    Replies
    14
    Views
    4,481

    Re: Intro to NAT

    in automatic mode you don't need to worry about the "local ARP".
    However, you lose flexibility and you carry the automatic NATs along in all the "rulebases".

    Ciao
    Maurizio
  73. Replies
    6
    Views
    2,333

    Re: Searching for CoreXL documentation

    Thank you for your feedback! @chillyjim: following your link I get the "ClusterXL Admin guide" ;-) In the meantime I've received the CoreXL Admin guide, the CoreXL Advanced Configuration Guide and...
  74. Replies
    6
    Views
    2,333

    Searching for CoreXL documentation

    Hi Everybody,

    I will appreciate if somebody can send me a link to a CoreXL documentation.

    I'm about to implement a firefly M8 and it offers 12G throughput only in conjunction with...
  75. Replies
    7
    Views
    1,727

    Re: Fresh Installation & NO Products

    Card was correctly (ethtool -i shows right driver) recognized and the 4ports are up and useable.
    In the meantime I've installed the SW over RPM -i and everything seems to be "normal" ...but I've...
  76. Replies
    7
    Views
    1,727

    Re: Fresh Installation & NO Products

    During the sysconfig script after configuring the base platform, routes, interfaces, time etc you select the next and before going to the Check Point Product install then it asks if you want to...
  77. Replies
    7
    Views
    1,727

    Re: Fresh Installation & NO Products

    [You didn't say that wanted to import from file originally did you and then selected new installation afterwards?]

    -> Sorry I don't understand the question.

    [Did SPLAT identify your Network...
  78. Replies
    7
    Views
    1,727

    Fresh Installation & NO Products

    Hi!

    I've installed SPLAT R61 and after the reboot I've started sysconfig for the first setup of the FW.
    Everything looked good but... I was not asked to install any product (smartcenter,...
  79. Thread: VPN + ISP Links

    by Izzio
    Replies
    9
    Views
    3,297

    Re: VPN + ISP Links

    ...if with "vpn" you mean a vpn site2site tunnel with another CP FW then you need to set up the link selection feature.

    Which version are you using?
  80. Thread: Site to Site VPN

    by Izzio
    Replies
    6
    Views
    9,655

    Re: Site to Site VPN

    if the network behind the EDGE is a "trusted" one, then you can set it as managed from your smartcenter and use the "enterprise" VPN profile. This is created automatically inserting the EDGE in a...
  81. Replies
    5
    Views
    2,828

    Re: NGX Primary HA active node hard lock

    I have had a similar experience with R61, SPLAT, SecureXL, HP380 and Intel Quad GT cards.
    The primary member, after the secondary was stopped for maintenance, crashed (it runs about 48h) and...
  82. Replies
    7
    Views
    3,160

    Re: Clustering supports VLANs?

    The only limit that I know is: "Cluster Sync should take place over a real (no trunked) interface".

    Which version are you using?

    Ciao - Maurizio
  83. Re: manual site-to-site vpn working with smartcenter it does not work

    Which Edge firmware and smartcenter version are you using?
    Is the "Enterprise" VPN-Tunnel present?

    Normally you will find under "Reports -> Event log" information about the Tunnel Key Exchange...
  84. Replies
    3
    Views
    2,995

    Re: VPN-1 Edge X-Series - RS-232 Console

    Thanks a lot for your tip!

    It is also documented in the EmbeddedNGX6.0CliGuide.pdf.

    Ciao - Maurizio
  85. Replies
    3
    Views
    2,995

    VPN-1 Edge X-Series - RS-232 Console

    Hi,

    I'm having some problems connecting over a console null-modem cable to a CP VPN-1 Edge X-Series device.
    With the same cable and the same terminal client (Win Hyperterminal) I can connect without...
  86. Replies
    1
    Views
    2,913

    Re: ndb_open: database 'magic number' corrupted

    I've had a similar problem with the session.NDB file. It was corrupted and VPN does not work.
    CP sk11442 suggests in this case to stop the Mgmt, remove/rename the file, start the Mgmt and install the...
  87. Replies
    3
    Views
    3,871

    Re: SecureXL/Performance Pack

    ...thank you for the feedback. Do you already have some experience with Perf.Pack/SecureXL ?

    Sincerely reading your post I only understand that both are SW acceleration modules but not really...
  88. Replies
    13
    Views
    5,283

    Re: ClusterXL not started.

    I suggest you activate "ClusterXL" with cpconfig on each node for the state table sync.
    Sync. should happen on a separate (secure) interface, ideally connected with a crossover on a reserved...
  89. Replies
    3
    Views
    3,871

    SecureXL/Performance Pack

    Hi everybody,

    can somebody please explain to me the difference between SecureXL and Performance Pack?

    Does SecureXL/Perf.Pack need additional HW (TurboCard?) or a License to be used?

    Has somebody...
  90. Thread: SSH to Server

    by Izzio
    Replies
    3
    Views
    2,603

    Re: SSH to Server

    SSH should work.

    If you have already installed the FW and rebooted the machine then it can be that the initial policy does not allow you to connect to the box. In this case just try to remove it...
  91. Replies
    4
    Views
    2,642

    Re: ClusterXL long switching time by failover

    The problem was probably not a real problem ;-)
    ...and anyway it concerned only ping to the cluster IP.

    Adding the following line:

    fw_allow_simultaneous_ping=1

    to...
  92. Replies
    4
    Views
    2,642

    Re: ClusterXL long switching time by failover

    In HA (Hot standby) mode the Cluster IP MAC = Active Member MAC (e.g.: 00:16:35:06:1F:33)

    In Load Sharing a Mcast MAC is used.

    In both cases the failover switching takes about 1 minute.
    ...
  93. Replies
    4
    Views
    2,642

    ClusterXL long switching time by failover

    Hello!

    I'm setting ClusterXL in Hot Standby new mode on SPLAT R55 HFA13 over 2 Cisco 3750 switches. Everything works fine but by a failover the switching time is relatively long: about 1 minute!...
  94. Replies
    3
    Views
    2,420

    Re: SecureClient office mode route woes...

    I know two routing behaviours by SC:

    1. SC catches only packets with a dest. IP belonging to an encryption domain. SC encrypts it and routes it to the corresponding gateway (see userc.C).

    2. By...
  95. Replies
    10
    Views
    4,576

    Re: State Sync does not supports VLAN ?

    Hi Al,

    I think that you can connect your 3 nodes over a dedicated VLAN, you have to take care that the switch ports are "untagged" (no trunk) and that on the FWs no VLAN is set on the sync nic.
    ...
  96. Replies
    10
    Views
    4,576

    Re: State Sync does not supports VLAN ?

    I know that the sync nic cannot be "tagged" with more VLANs, else state table sync will not work.

    But it should not be a problem to connect over "untagged" switch ports belonging to a particular...
  97. Replies
    13
    Views
    4,685

    Re: Radius authentication over Site-to-Site

    Hello people,

    I've the same problem.
    The interesting question for me is:
    How is it possible to deactivate one or more implied rules of the "accept VPN-1 & FW-1 control connections" group?
    ...
  98. Replies
    5
    Views
    6,423

    Re: How to mount an USB storage stick on Splat

    Thanks a lot for the feedback!

    following this procedure it works:

    modprobe usb-storage
    fdisk -l -> just to check which device was bound. e.g. /dev/sda1
    mkdir /mnt/usbdisk -> mount point...
  99. Replies
    5
    Views
    6,423

    How to mount an USB storage stick on Splat

    Hi!

    Does somebody know how it is possible to mount a USB storage stick on Splat R55 or R60?

    I will appreciate any feedback!

    Thanks,
    Maurizio
Results 1 to 99 of 99