CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.



Type: Posts; User: ddarby1


  1. Replies
    0
    Views
    1,638

    Upgrade path from R65 to R70

    Please remove this post
  2. Re: Where & how to install upgrade_export on Solaris 8

    Thanks for your replies and help. My unix is a bit rusty/not great, so it took me a while to unzip and extract the tar file to the correct place.

    As for the reply from chuachongchee, yes I think...
  3. Where & how to install upgrade_export on Solaris 8

    Hi folks,

    I've got the following issue if anyone can help:

    I need to dump out the security policy from a Solaris 8 Management Server prior to an upgrade (we're running 4.1).

    I've downloaded...
  4. Replies
    1
    Views
    1,205

    No policies in GUI - ver 4.1

    Hi Folks,

    I've got a problem with Policy Editor / Management Server, running ver 4.1 (old I know):

    I was connected to the Management Server via Policy Editor, but this connection was broken due...
  5. Replies
    9
    Views
    2,806

    Re: Problem with tunnel dropping every 1440 min

    For reference, how to enable PFS on a PIX v 6.2 - there's still a lot running 6.2(2) around:

    at the global config level (conf t):

    crypto map map-name seq-num set pfs [group1 | group2]

    A...
  6. Replies
    83
    Views
    38,379

    Re: Dont make the mistake I made with CCSA NGX

    Yep, agree with you 'stuartgreen' but I'd go a bit further - it might be difficult to resist a cram sheet with exact wordings of the questions but it's cheating, plain & simple.

    Get some hands on...
  7. Replies
    1
    Views
    3,246

    Re: Central vs Local

    Central gives you more flexibility:

    Quite simply your Smart Center holds the license repository, from where you can install the licenses onto the Enforcement Modules as required.

    This is...
  8. Replies
    2
    Views
    2,284

    Re: License Requirements

    Thanks for your reply kva.kva. I got the definitive answer from Check Point in the end.

    We needed 1 x Enterprise License, which includes Smart Center Management and an unlimited license for 1...
  9. Replies
    2
    Views
    2,284

    License Requirements

    A question for those of you who have experience with Check Point licensing:

    The scenario is that I have 4 completely separate (no HA for example) Enforcement Modules and a SmartCenter Server. The...
  10. Replies
    16
    Views
    3,594

    Re: problem with accessing internet

    We're probably going to need some more specific info, but can you answer the following questions and try a couple of things(kva.kva has already mentioned a couple of points):

    1) Add a security...
  11. Replies
    5
    Views
    2,435

    Re: is there any book on NGX

    As per the other thread you started;

    http://www.cpug.org/forums/showthread.php?t=1026

    Why not try Check Point's official pdf's. There is a lot of material to get through, but they were are all...
  12. Replies
    4
    Views
    6,938

    Re: Again: a port=18191 TCP connectivity failure

    Well done Jean-Marc.

    That's a common mistake; the address in the general properties of the enforcement module should always be the externally facing one - VPN's will not work otherwise.
  13. Replies
    16
    Views
    3,594

    Re: problem with accessing internet

    A few things guys;

    if the info. supplied is correct,

    The IP forwarding registry setting for Windows isn't required because according to stevenalau, a SPLAT machine is configured as the...
  14. Replies
    1
    Views
    1,721

    Re: any books on ngx

    Hi,

    There is 'Configuring Check Point NGX VPN-1/FireWall-1 by Syngress' ISBN: 1597490318 or a large number of useful .pdf's on Check Point's web site:
    ...
  15. Replies
    4
    Views
    2,398

    Re: Remote Access VPN problem

    The rule post wasn't that clear:

    SOURCE: remote_access_group

    DESTINATION: internal_network (or host, etc.)

    VPN: Remote Access

    Action: Accept
  16. Replies
    4
    Views
    2,398

    Re: Remote Access VPN problem

    That's correct, you don't get assigned an IP address unless using Secure Client and Office Mode.

    Therefore your client 'exists' as 192.100.152.x, but on the inside interface of the firewall.
    ...
  17. Re: Difference between Checkpoint Enterprise Express Pro and Checkpoint Express

    Hi Stephan,

    If possible, please post in English.

    The main difference between Check Point Express & Enterprise/Pro is the size of the user base that the product is aimed at. Express is aimed at...
  18. Thread: ScuRemote 6.0

    by ddarby1
    Replies
    1
    Views
    1,804

    Re: ScuRemote 6.0

    If you're referring to the feature where an internal IP address from inside your organisation is assigned to your client when connecting then you're looking for something called Office Mode (you'd...
  19. Replies
    3
    Views
    1,811

    Re: Newbie help with VPN-1

    rasoftware,

    you need to read up a bit on Check Point and Firewalls.

    Most firewalls, unlike routers are paranoid by default, though some will allow inbound to outbound by default, but certainly...
  20. Re: Server to client packet of an old UDP session

    I think this is what you're looking for Global Properties > Stateful Inspection (review the options)

    This can also be done per service by double clicking on the service in question > Advanced...
  21. Replies
    4
    Views
    1,921

    Re: Policy Installation Error

    Following on from Sergej's previous post, can you confirm that there is nothing shown in the Web Intelligence Tab > Web Servers View as it sounds like there might be (for example, it's possible that...
  22. Replies
    3
    Views
    3,842

    Re: SecureClient NGX msi editing with cpmsi_tool

    C:\Program Files\CheckPoint\SmartConsole\R60\PROGRAM\util>cpmsi_tool.exe

    Damn, wrong again. I haven't used this tool but had a quick look at the options for it.

    There's also a small amount of...
  23. Replies
    0
    Views
    2,253

    CCSE Looking for Work

    *No longer looking*
  24. Thread: cpconfig

    by ddarby1
    Replies
    10
    Views
    4,726

    Re: cpconfig

    Hi Humayun,

    You don't have the option for 'Secure Internal Communication' via cpconfig when it is a management install.

    This is because it is typically reset at an enforcement module, then...
  25. Replies
    22
    Views
    5,908

    Re: VPN behind Checkpoint firewall

    Apologies Sergej, even the picture shows it not ticked - my mistake.
    I was using the Cisco VPN Client for Windows 4.6 as reference and noticed that the 'Enable Transport Tunneling' box was checked as...
  26. Replies
    4
    Views
    6,938

    Re: Again: a port=18191 TCP connectivity failure

    Hi Jean-Marc,

    It's a bit hard to decipher exactly what's going on there, but you're definitely correct in that the routing you setup is not valid on the internet. The 'Internet' - in this case...
  27. Replies
    3
    Views
    3,842

    Re: SecureClient NGX msi editing with cpmsi_tool

    This one is closer to home than you probably thought.

    I think you're referring to the SecureClient Packaging Tool, this is included with the Check Point GUI clients and does indeed enable you to...
  28. Re: IPSec VPN using certificates between Checkpoint and Pix

    Hi,

    I guess this is a less common scenario, due to most of the site-to-site CheckPoint-PIX VPN's being of the Shared Secret type (all the ones I've done have been shared secret for example).
    ...
  29. Replies
    22
    Views
    5,908

    Re: VPN behind Checkpoint firewall

    Slight correction guys:

    The IPSEC over UDP (NAT/PAT) is selected by default on the Cisco VPN Client.

    What is the version of Check Point S/W and the exact syntax of the rule in question?

    I...
  30. Re: How to monitor and count connected RemoteAccess VPN User

    Hi Sergej,

    I guess you know about using SmartView Monitor to see what Remote Users are currently connected, VPN stats, related traffic, etc.

    I setup and used Eventia Reporter as part of CCSE...
  31. Thread: cpconfig

    by ddarby1
    Replies
    10
    Views
    4,726

    Re: cpconfig

    It's definitely a management install, the (3) GUI Clients gives this away for example.

    I think it might be a standalone install though with that number of options. Is it a Nokia install by any...
  32. Re: Help needed-Console shows Nothing when connected to Nokia firewall

    As sergej says, you should at least see something (i.e. the BIOS, memory check, etc.) before it gets to the bootloader, because the terminal connection is configured in the BIOS. So you would still...
  33. Replies
    9
    Views
    10,253

    Re: Securemote and Office Mode

    Hi Philuxe,

    You're correct in that SecuRemote does not support Office Mode.

    Unfortunately what I think this means for you is that the 'Office Mode' check box will never be available...
  34. Replies
    4
    Views
    1,921

    Re: Policy Installation Error

    Hi Sourav,

    It would be useful to have a bit more information in order to troubleshoot this problem, for example:

    Versions of Check Point Software
    Type of Environment if you know it (e.g....
  35. Thread: Boson Tests

    by ddarby1
    Replies
    7
    Views
    3,552

    Re: Boson Tests

    For anyone stumbling across this thread, interested in the Boson CCSA, CCSE Exam Sims, jeepee was spot on, the CCSE sim was worse.

    The quality of the CCSA exam was pretty poor at the start, but...
  36. Replies
    6
    Views
    4,755

    Re: CPD is running?

    The Smart Center Server cannot contact the Enforcement Module in order to manage it.

    Either the Check Point Daemon (CPD) is not running on the enforcement module and/or communications are being...
  37. Replies
    2
    Views
    1,980

    Re: profile updates.

    Hi,

    Both my CCSA and CCSE took exactly 2 weeks (took them in Jan. this year)
  38. Replies
    6
    Views
    2,678

    Re: Backup of SecurePlatform

    Download the 'CheckPoint_NGX_SecurePlatform_SecurePlatformPro_User_Guide.pdf' from Check Point's Web Site:

    http://www.checkpoint.com/support/technical/documents/docs_r60.html
  39. Replies
    19
    Views
    7,507

    Re: Courseware for NGX !! (HTH)

    With that price my tip would be to use Check Point's downloadable .pdf files.

    They're free and were enough to get me through CCSA & CCSE NGX on their own.
  40. Replies
    6
    Views
    2,678

    Re: Backup of SecurePlatform

    Use upgrade_export.exe found in the \Windows directory of your NG AI/NGX CD.

    It's a simple command-line tool
  41. Replies
    7
    Views
    2,417

    Re: CPAS_TCP_PASS in event log

    Just a guess here:

    Looks like a QoS type error message? Do you perhaps have Microsoft's QoS installed as a service on one of the LAN connections?

    Is anything failing or particularly slow as a...
  42. Replies
    3
    Views
    3,089

    Re: Very strange Nokia IPSO issue

    I had an interesting case which is possibly related:

    I had an IP330 but forgot my regular cable and so bought a stock Null Modem Cable from a Computer Shop. It worked fine on mine.

    However, my...
  43. Re: Importing configurations from temporary SmartCenter to existing SmartCenter server

    Thanks for the correction.
  44. Replies
    3
    Views
    1,747

    Re: Transparent redirect with CP R55

    Hi,

    I've got an idea that what you're after is not a NAT rule, but a security rule using an SMTP resource (defined under 'Resources' in the left hand GUI).

    In the resource properties you would...
  45. Re: Importing configurations from temporary SmartCenter to existing SmartCenter server

    Use the upgrade_export and upgrade_import tools on the NG_AI or NGX CD (I haven't used them previous to this).

    It's worked fine for me -comments from other people?

    Doesn't upgrade the license...
  46. Re: Tools/ideas to test new checkpoint firewall...

    I'd suggest Nessus - www.nessus.org running on linux.

    If you head over to http://www.insecure.org there's a large list of tools available.

    Nmap is another useful tool: www.insecure.org/nmap
  47. Replies
    12
    Views
    8,173

    Re: SmartView Tracker not receiving logs

    Hi again,

    I had a quick go on what I presume is a similar configuration: it worked using the 'nat 0' command on the PIX for both the Management/Log Server and the Enforcement Module (causing the...
  48. Replies
    12
    Views
    8,173

    Re: SmartView Tracker not receiving logs

    Hi,

    Just a thought, but I'd start by ruling out the PIX completely if possible. I don't know the configuration on your PIX, but it's likely to be NATing the connection between the enforcement...
  49. Replies
    19
    Views
    7,507

    Re: Courseware for NGX !! (HTH)

    Guys,

    I sat the exam in early January (just about to do CCSE), also user 'jasond' after me. Both of us only really scraped a pass and both agreed the exam was harder than we expected (for example...
  50. Thread: re-install ngx

    by ddarby1
    Replies
    4
    Views
    2,130

    Re: re-install ngx

    'SIC reset' I assume would refer to running cpconfig at the command line and changing the activation key, thereby resetting SIC (most easily done via a serial connection to the Nokia box).

    However...
  51. Replies
    19
    Views
    7,507

    Re: Courseware for NGX !! (HTH)

    bvanniekerk,

    Cheers for that.

    Anyone used this courseware, opinions on it?

    Personally, I've used Check Point's official .pdf's extensively (see Check Point site and/or NGX evaluation CD)...
  52. Thread: re-install ngx

    by ddarby1
    Replies
    4
    Views
    2,130

    Re: re-install ngx

    Deactivating NGX, then deleting the package file from the Nokia box followed by ftp'ing the file back across, unpacking and enabling it will definitely work.

    Bit of a pain though.

    I wonder if...
  53. Replies
    2
    Views
    2,221

    Re: SPLAT or Windows 2003?

    If your configuration is already running fine, do you have some other motivation for moving from W2K3 to SPLAT like freeing up the windows licenses?

    As regards performance, I don't have any...
  54. Replies
    6
    Views
    4,211

    Re: Monitor traffic on my Check Point

    Kevin,

    I'm not an expert, but a few things I could suggest are: the 'fw monitor -l len' command to limit the length of the captured packet, omitting large payloads.

    However, this doesn't...
  55. Thread: NGX VPN issue.

    by ddarby1
    Replies
    12
    Views
    4,713

    Re: NGX VPN issue.

    Hi,

    You need to add an 'interoperable device' - Manage > Network Objects > New > Interoperable Device then define its topology etc.

    Once defined, you'll be able to add it in the 'Participating...
  56. Replies
    5
    Views
    2,049

    Re: Requesting an evaluation keys

    No, you don't have to pay for it.
  57. Replies
    5
    Views
    2,049

    Re: Requesting an evaluation keys

    Or if you have a Media Pack (DVD Box) and haven't used it yet, you can register the Certificate Key on the back of the DVD box with a User Center account to obtain a 30 Day Trial License.
  58. Thread: CCSA NGX Exam

    by ddarby1
    Replies
    2
    Views
    4,346

    Re: Ccsa Ngx

    Read through previous posts on this. Basically, the Syngress 'Configuring Check Point NGX' book gives a solid base to work from but isn't exam focused.

    Probably the best thing you can do is look...
  59. Replies
    2
    Views
    2,132

    Re: SPLAT on a simple PC

    What does your security policy specify?

    Have you set up the SPLAT platform since installing it with sysconfig?

    If so, is there a security policy installed (the default filter will block...
  60. Replies
    3
    Views
    5,359

    Re: Add IP to GUI client list

    For anybody else viewing the thread, run cpconfig on the Smart Center server
  61. Replies
    1
    Views
    1,434

    Re: disconnecting mapped network drives

    Anand,

    Can you supply some more details? Are the mapped drives actually traversing the firewall (going across its interfaces to get from one network to another)?

    If so, it might be the TCP...
  62. Thread: VPN Problem

    by ddarby1
    Replies
    10
    Views
    4,300

    Re: VPN Problem

    Forget the request for the hotfix, I've just got my access.

    Regards
  63. Thread: VPN Problem

    by ddarby1
    Replies
    10
    Views
    4,300

    Re: VPN Problem

    Jim,

    Interesting, I tried your config on a Nokia platform w/ Check Point NGX (no hotfix) and PIX 6.3(5) and just could not get it to work properly.

    As regards the NAT behaviour, this might date...
  64. Replies
    4
    Views
    5,338

    Re: Passed CCSA NGX

    Congratulations jsond.

    From what you've written, your experiences match almost exactly mine (I took the CCSA 2 weeks ago).

    If you're planning to take the CCSE exam, please post on the forum. I'm...
  65. Thread: VPN Problem

    by ddarby1
    Replies
    10
    Views
    4,300

    Re: VPN Problem

    Spotted another minor error:

    You've listed the masks as /30 but on the PIX the outside address is 202.202.1.2 255.255.255.248. This is a 29 bit mask.

    Regarding your question, yes, SmartView is...
  66. Thread: VPN Problem

    by ddarby1
    Replies
    10
    Views
    4,300

    Re: VPN Problem

    Can you definitely see the PIX dropping the icmp packets?

    You'll be able to see them being dropped by enabling logging (from a console connection):

    logging on
    logging console debugging

    I'm...
  67. Replies
    2
    Views
    3,372

    Re: on splat cpstop and ip forwarding disabled

    Not sure if this is such a dumb question.

    Executing cpstop or cpstop FW1 will always disable ip forwarding, but on SPLAT, I suppose the answer might be provided by knowing which config file to...
  68. Replies
    3
    Views
    2,471

    Re: Web interface problems on NXG

    Interesting problem, I always get this problem when accessing SmartPlatform R60 when it's running in VMWare and using the host PC browser to access it.

    Don't get the problem when using another...
  69. Thread: NGX Problem

    by ddarby1
    Replies
    6
    Views
    2,211

    Re: NGX Problem

    I'm not an expert either, but have done a successful install on an IP330.

    Normally I'd expect to use a distributed install, with the IP330 as the Enforcement Module and something like a Windows...
  70. Replies
    4
    Views
    4,823

    Re: CCSA NGX Feedback

    As for LDAP, it's usually briefly covered in the Authentication sections of various books, e.g. Sybex CCSA; Chapter 6, Essential Check Point Firewall-1 NG; Chapter 8, Syngress NGX; Chapter 9 (very...
  71. Replies
    4
    Views
    4,823

    Re: CCSA NGX Feedback

    Regarding your questions, there wasn't anything on VOIP, and it's not on the published CCSA objectives, but is for CCSE.

    Quite a few questions on LDAP and SmartDefense. I've no doubt that its...
  72. Thread: CCSE NGX Exam

    by ddarby1
    Replies
    2
    Views
    4,625

    CCSE NGX Exam

    Anyone taken, intending to take the CCSE NGX. Looking for study tips if anyone has some.

    I don't have access to the courseware manuals, so am intending to use bits of the old SYBEX CCSE book,...
  73. Replies
    4
    Views
    4,823

    CCSA NGX Feedback

    Hi Folks,

    Passed CCSA NGX last week so just thought I'd pass on some feedback which might be helpful to others taking the exam:

    Boson NGX Tests: Agree with previous posts - the quality is far...
Results 1 to 73 of 74