CPUG: The Check Point User Group
Resources for the Check Point Community, by the Check Point Community.
First, I hope you're all well and staying safe.
Type: Posts; User: Bob_Zimmerman
Gave up on the progress meter for now, and learned to do this instead:
I now have support for dragging objects from the sidebar into the source, destination, and service fields of rules,...
Ran into the group-members-are-sometimes-objects-and-sometimes-UUIDs thing again, but this time with tags. I suspect this inconsistency will bite me a few more times before I've tracked down all the...
Eh. GNS3 is only mildly weird. I was hoping for something like an x86 emulator on a Raspberry Pi emulated by an UltraSPARC. ;p
So a Fortinet VM inside a PAN VM inside a Check Point box? Please tell me that's also a VM on something weird.
At some point, sure. For now, I figure I have about 20% the functionality of SmartDashboard. Lots left to add, but it's mostly view-side code in MVC. The object model changes put me in a better...
Spent a while completely rewriting my entire import architecture and my entire object model. Previously I had been using one single object definition for everything. Hosts, networks, services,...
'show object' returns a JSON structure with a top-level key of "object" which has its value set to the JSON structure for the object you are trying to get:
[Expert@mySmartCenter:0]# mgmt_cli -r...
No screenshots to really show this off, but a small update.
I have just made my first successful API call to change the properties of an object based on changes made locally in my client.
While...
Made some advances and thought I would show them off.
Dark mode actually worked perfectly right out of the gate.
Dramatically improved login. That's the phone button at the far left of...
Ran into some issues, which stalled my progress for a while. I decided the fix was to rewrite most of the UI. Still not done with that, and still not past the issues in question, but I think I'm...
Change management's name? Need to reset the ICA and all trust relationships. I hit that mostly when rebuilding a failed management (I wrote the process for the three-file rebuild, and used it on a...
Elaborating on this one a bit. Resetting SIC should almost never be necessary, and it often makes problems worse and reduces your ability to troubleshoot the problem. While building your...
The trust establishment negotiation is actually from the management to the gateway and from the management to the log server. The rest is accurate, yes.
There was also SunOS/Solaris, and I think you could install FW-1 on Redhat as well for a while.
The level of sensitivity to Solaris patches was a huge pain. That build also didn't get great...
Sure, but there's a great saying among programmers: the best code is the code you don't have to write. If you can arrange other things such that you don't need the modification, that's vastly...
I try really hard not to make modifications to files like the table.def, implied_rules.def, and so on. This is why. Upgrades always wipe them out, and updates sometimes do as well. Rediscovering all...
'show changes' is so close! It provides enough information to highlight items which were changed. Unfortunately, it doesn't provide enough to actually merge those changes from just the 'show changes'...
Still working on the ordering of empty sections.
Since I last posted, I have:
Added NAT rulebase display.
Added a picker to choose the policy package you want to view. It also has a special...
And back to hair-pulling frustration.
If you run 'show objects', and you get a group, that group's members are given as a list of UUIDs.
If you get the same group via 'show object', the group's...
For my initial development, I skipped dealing with certificates and so on. Instead, I coded it to use custom TLS trust evaluation, and to blindly trust any certificate presented by a particular IP...
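The "trust any certificate presented by a particular IP" shortcut described above is worth replacing early, because whoever can answer on that IP (ARP spoofing on the management LAN, a hijacked route, a mistyped address) gets the client's API session and credentials. The block below is an added example in Python, not code from the post or from the client it describes. It pins the SmartCenter's certificate by SHA-256 fingerprint instead of by IP; it assumes you have recorded that fingerprint once over a trusted path (for example from the GAiA portal on the console), and the host name and pin in the main block are placeholders.

```python
"""Pin a SmartCenter's web API certificate by SHA-256 fingerprint.

A SmartCenter's HTTPS certificate is issued by its own ICA, which the client
OS does not trust, so normal chain validation fails. Rather than disabling
verification entirely, the pin becomes the trust anchor: any certificate
whose DER encoding does not hash to the recorded value is rejected.
"""
import hashlib
import hmac
import socket
import ssl


def cert_fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER encoding, colon-separated like browsers show it."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def _normalize(fingerprint: str) -> str:
    """Accept colon-separated, spaced or bare hex, in either case."""
    return fingerprint.replace(":", "").replace(" ", "").lower()


def fingerprint_matches(der_cert: bytes, expected: str) -> bool:
    """Constant-time comparison of the presented certificate against the pin."""
    return hmac.compare_digest(_normalize(cert_fingerprint(der_cert)),
                               _normalize(expected))


def connect_pinned(host: str, port: int, expected_fp: str,
                   timeout: float = 10.0) -> ssl.SSLSocket:
    """Open a TLS connection and keep it only if the leaf cert matches the pin."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE     # chain check replaced by the pin below
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2

    raw = socket.create_connection((host, port), timeout=timeout)
    tls = ctx.wrap_socket(raw, server_hostname=host)
    try:
        der = tls.getpeercert(binary_form=True)  # returned even with CERT_NONE
        if der is None or not fingerprint_matches(der, expected_fp):
            presented = cert_fingerprint(der) if der else "<no certificate>"
            raise ssl.SSLCertVerificationError(
                f"{host}:{port} presented {presented}, pin is {expected_fp}")
    except Exception:
        tls.close()
        raise
    return tls


if __name__ == "__main__":
    # Placeholders: substitute your SmartCenter and its recorded fingerprint.
    MGMT_HOST = "mysmartcenter.example.invalid"
    MGMT_PIN = ("00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:"
                "00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF")
    with connect_pinned(MGMT_HOST, 443, MGMT_PIN) as s:
        print("pinned connection up:", s.version(), s.cipher())
```

The pin should be rotated when the ICA reissues the web certificate (an ICA reset, as mentioned elsewhere in this thread, will change it), and the client should fail closed when it does not match rather than falling back to trusting the IP.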
Just ran into a more pleasant surprise! 'show object' appears to work with any UUID. Object, policy package, layer, even individual rules. I noticed when I made a mistake handling inline layers and...
Entirely possible. That said, if somebody else wants to build tools like the ones I build, this might help them avoid some of the data model potholes I've hit. It took me days to convert from a...
Found a new one. I'm probably going to report this as a bug.
Access sections don't give you their position. They have a 'from' integer and a 'to' integer for the rules inside them, but no position...
Your comment did remind me I forgot to handle cell negation. Simple enough fix. I just added a "negate" variable in my cell view, and fed it the appropriate value from the working row. SwiftUI is...
That's actually the thing I find most disappointing about the API. It was a chance for a clean break. You could have provided a VCS like Hg or Git (or even non-distributed; something like SVN), but...
It's 100% Swift 5.2. It's a very nice language. Easy to reason about. Automatic reference counting for memory management, a good static analyzer, good exception handling capabilities.
The UI is a...
I was not aware, but web applications are universally pretty awful. You have reduced working space due to the browser's chrome on top of the application chrome. In-page state interacts in really...
Funny this should be the most recent thread in the off-topic forum. I was just trying to determine where to ask if anybody was interested in a little application I've been working on.
I'm solving...
That would be my expectation. Kernels are easy to swap. It’s a single binary image stored on the disk. Point to a new one, done.
Filesystems are much harder to swap (though not impossible; Apple...
I upgraded my personal 2200 from R80.20 to R80.40 over the weekend. It has a 1.8 GHz dual-core processor, 4 GB of RAM, and a SATA SSD. Except for the SSD, it's pretty close to a worst-case scenario....
I converted my code to use a single class for all objects, then switched to using 'show objects' to get everything.
Tags aren't included in 'show objects'.
Are you kidding me?
I'm also...
Ah. Yeah. By convention, brackets indicate optional arguments in UNIX/Linux, and less-than and greater-than indicate mandatory arguments. In both cases, the enclosing characters need to be removed as...
Found another one. Some API endpoints are case-insensitive, while others (the specific one I hit was where-used) don't return anything for uppercase UUIDs. It's easy enough to just add a...
I'm trying to do more with the management API, and it is insanely frustrating to deal with. Thought I would vent a little here.
First, something actually very good: the API is versioned. Version...
My knowledge of Palo Alto is limited, but I know their feature to identify users on endpoints (like Identity Awareness) is trivial to misconfigure. I've seen a few Palo Altos with that feature...
SSH keys are a user-level thing. Check Point doesn't use them directly for anything, and they won't interfere with anything Check Point does.
I'm working on SCP stuff myself (specifically, still...
The file should be created as soon as you touch it, and it should have contents as soon as the >> is run. My bet would be time zone confusion (maybe he checked before the script had run?) or node...
Remove the "return 1;" from the end of line 1129, and config_system will happily set up your 2200 as a standalone system.
For some reason, I couldn't post (or preview) with that final line of...
I recently needed to get a personal Check Point license for some development work I'm doing. Getting a new software license would be hundreds to thousands of dollars, while Check Point branded...
Thanks for the comment! I'm never sure if anybody else cares about this kind of thing.
I just updated my MDS past the versions in sk163300, which changed mds_backup to no longer gzip the final tar file. That broke my file renaming logic. Testing a fix.
Edited to add: This should...
IPSec VPNs are negotiated by the gateways for pairs of endpoints. An "endpoint" in this context can be a single host or a network (including the network 0.0.0.0/0, which includes all IPv4 addresses)....
I normally use mds_backup -b -i -l. The b sets batch mode, which doesn't prompt for anything. The i includes the rule hit counts. The l (lowercase L) excludes logs (I have separate MLMs, so this is...
So you're aware, the last step in that list undid all the earlier steps in that list. That button exists specifically for people who don't want to build the interface themselves. I would guess that...
The first screenshot is telling you someone else is making changes to gate01, so you can't make your changes.
The second screenshot is telling you it doesn't like something about the change you...
To me, the single biggest selling point of Check Point's software is just that: it's software you can throw on your own server or VM. You can download the installer ISO for all the current versions...
I doubt the firewall would do automatic proxy ARP for the virtual server. You could try adding a proxy ARP statement or using a VIP which isn't on any real network you use.
Python has a concept of modules. A module provides functions and object types which Python by itself does not.
Apparently this script requires one called "rulebasecsv", which isn't on the system...
To expand on this, the "^M" part of the error is a control character. Control-M is a carriage return.
Different platforms encode line endings in different ways. Specifically, classic Mac OS used a...
A Check Point SmartCenter or MDS runs an internal certificate authority (ICA). It is self-signed, and is the root of trust for the SIC domain. Secondary managements, log servers, firewalls, and so on...
Are the public IPs close to any public IPs you have defined? In the same /24, for example? You can do static NAT between two network objects of the same size, so that can cause NAT to IPs you don't...
I am very much not a fan of Check Point the company, so I prefer to post here. My posting on CheckMates is mostly just code and quick answers I know off the top of my head to questions about some...
It's more the CoreXL config. Last I tested, you can use a 16-core box to replace a 4-core box in a cluster as long as you change the new one from the default CoreXL config to be the same as the...
I recently had a need to find which interfaces on a VSX system are in use, thereby letting me know which interfaces are available for future expansion. I wrote this quick script and thought it may be...
I don't know about documentation, but I know it works. You need the same CoreXL and SecureXL config on all members.
Same version down to the patch level is a good idea, but you can force...
Sounds like at this point, your best bet is to treat it as a completely failed primary SmartCenter. I don't know the process for R80-family management off the top of my head, but support should...
Who said managing R80.20 firewalls from an R80.20M1 SmartCenter isn't supported? That doesn't sound right at all. Last I heard, managing R80.20 firewalls from R80 (no dot) is supported, you just...
Considering Docker is STILL based on chroot (just with cgroups added), it's a new-school container, too!
I wish GAiA had been based on IPSO instead of SecurePlatform. Then we could have ZFS,...
To be clear, this is just a chroot, right? It's running the same instance of the same kernel, not a full hardware VM?
That's almost certain to be a routing loop. Run an fw monitor when you see the problem. I bet you will see a SYN pass through the firewall, then the same SYN hit the firewall on the interface it just...
Looks like new boxes Check Point just announced:
https://www.checkpoint.com/downloads/products/1500-security-gateway-datasheet.pdf
You can mix domain-based and route-based VPNs just fine. The only trick is you need to be sure the domain-based VPN logic doesn't get triggered by traffic you want to go over the route-based VPN.
...
My understanding is URL filtering should work, but categorization won't. That is, if you try to use the category Check Point provides called "News / Media", nothing will match, as you no longer have...
I am told with R80.20, a clean install is preferred. Here's the general process I would use:
Export the configuration from the management and import it into a VM for testing purposes. Do you get...
This is almost certainly what's going on. The destination is being changed, but the source isn't. Some janky clients (most notably, many versions of systemd) send NTP traffic from UDP port 123, not...
That's a really good question. I've done a lot with VTIs, but not recently, and I don't remember the answer.
It should be pretty easy to test in a lab. You just need three VMs. One standalone...
Licensing is kind of a pain. I believe SmartCenter licenses come over with a migrate export and migrate import. Worst case, you can log in to the User Center, go to your account, and download the...
Correct, Check Point matches the expression against the entire URL, scheme and path included. We're both avoiding that by anchoring the expression with the caret, matching the scheme, then two...
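Because the expression is searched against the whole URL (scheme, host, path and query), an unanchored domain pattern matches far more than the intended site. The block below is an added example in Python, not code from the post, showing a naive pattern beside an anchored one over a handful of constructed URLs. The anchored expression is my own construction (the post's exact pattern is truncated above); it requires the scheme, allows subdomain labels, and insists the domain is followed by a port, a path separator, or the end of the URL.

```python
"""Unanchored versus anchored URL-filtering regex, evaluated with search
semantics because the whole URL is the subject of the match."""
import re
from typing import Dict, Iterable, Pattern, Tuple

# Naive: the bare domain, as it tends to get written.
NAIVE = re.compile(r"example\.com")

# Anchored: scheme, zero or more subdomain labels, the domain as the whole
# host, an optional port, then a path/query/fragment separator or end of URL.
ANCHORED = re.compile(
    r"^https?://(?:[a-z0-9-]+\.)*example\.com(?::\d+)?(?:[/?#]|$)",
    re.IGNORECASE,
)

# Constructed test URLs; attacker.test is a reserved example name.
SAMPLE_URLS = [
    "https://www.example.com/login",
    "http://example.com",
    "https://example.com.attacker.test/",
    "https://attacker.test/?redirect=https://example.com/",
    "https://myexample.com/",
    "https://example.com@attacker.test/",
]


def url_matches(pattern: Pattern[str], url: str) -> bool:
    """Search, not match: the engine looks anywhere in the full URL."""
    return pattern.search(url) is not None


def classify(urls: Iterable[str]) -> Dict[str, Tuple[bool, bool]]:
    """Map each URL to (naive_matches, anchored_matches)."""
    return {u: (url_matches(NAIVE, u), url_matches(ANCHORED, u)) for u in urls}


if __name__ == "__main__":
    for url, (naive, anchored) in classify(SAMPLE_URLS).items():
        print(f"naive={naive!s:5} anchored={anchored!s:5} {url}")
```

The last four sample URLs are the ones that matter: a look-alike domain with the target as a prefix, the target appearing only in a query string, a longer domain that merely contains the string, and the target placed in the user-info part before "@". The naive pattern accepts all of them; the anchored one accepts only the real site and its subdomains.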
The timestamp in the logs is based on a value in the log record set by the recording firewall. The order in which you see the logs is based on the absolute order of arrival.
This means your...
The closest thing to a "best practice" is a tautology: allow your users to reach what they need.
Thanks to "cloud" nonsense and IPv4 exhaustion, a lot of public services are being run on...
First, it's important to define "downtime".
When you are upgrading your management server, you will not be able to access it to make changes or view logs (the management will be totally down). You...
If your firewall has access out to the Internet, CPUSE should be able to download new versions and you can install them from the command line:
installer download [tab]
or
installer...
Based on that output, it shouldn't fsck on boot unless the box was not shut down cleanly.
Side-note: ensuring filesystem consistency on unclean shutdown is a problem which has been solved for over...
Have you added the interfaces to the firewall object's Topology table in SmartDashboard (pre-R80) or SmartConsole (R80+)?
It's more that the domain-based VPN decision happens very early in packet processing, and you need to ensure that won't flag the packet for encryption. You can mix domain-based and route-based VPNs....
I was asked what I meant by "trash the PS1 block". The block I'm talking about is this one towards the end of /etc/bashrc:
if [ -f /etc/profile.d/vsenv.sh ] && [ -n "${VRF_NUMBER}" ]; then
...
Check Point's command prompt for BASH kind of sucks. I've been working on some improvements. With these changes, when you log in with an unprivileged account (which must be a member of the group...
Have you ever noticed every single GAiA system's BASH prompt includes a little ":0" after the hostname? That's used in VSX to indicate which VSID you are currently in. On SecurePlatform, it only...
My Check Point knowledge is from years of working in their call center (terrible work environment; always fill out post-ticket surveys and give top marks, because nobody deserves management that...
Try this:
fw ctl zdebug -T drop | grep -E --line-buffered '10\.10\.64\.161|10\.10\.55\.169|10\.10\.56\.169' | tee /var/log/tmp/fw_ctl_zdebug_drop.txt
The 'tee' utility takes each input line and writes it...
WARNING! THIS DOWNLOADS A REMOTE FILE OVER HTTP AND MAKES IT EXECUTABLE. THIS IS DANGEROUS!
curl -O http://dannyjung.de/ccc && chmod u+x ccc && mv ccc /usr/bin/
The -O switch to curl causes...
Huh. I've never thought about installing wget on a Check Point box. I've always just used SCP or curl. They could have stripped that out and left us with 'fetch'.
What are you trying to accomplish...
Unicast goes to one host.
Broadcast goes to all hosts in a network.
Multicast goes to no hosts, because it's set up wrong. Again.
This is also a possibility since the VPN decision happens so early in packet processing. Specifically, it would happen if the packet is encrypted on the Cisco side, decrypted by the Check Point side,...
Other way around. "Received a cleartext packet within an encrypted connection" means the Check Point side is expecting it to be encrypted, but the Cisco side isn't encrypting it. Either the...
It's fundamentally how VSX works internally. The members get real IPs on automatically-allocated weird networks, then the VIPs are on the network the user specifies and are claimed using proxy ARP. I...
You can actually do this with simple proxy ARP statements. You just need to get the traffic to the firewall, then the firewall rules only care about the IP. Go ahead, ask me how I know. ;)
I would...
Blink appears to have been one of the building blocks of this:
https://www.checkpoint.com/products/maestro-hyperscale-network-security/
Looks like a Crossbeam-NPM-in-a-box, but it scales way,...
I believe all GAiA versions support VRRP. What are you trying to accomplish, though? I don't think I've ever seen a situation where it's better to use VRRP than ClusterXL New Mode.
'netstat -nr', 'route print', and 'ip route show' will all print the full routing table in various formats. Note that none of them include policy-based routing.
If you want to see what route a...
It's worth checking to see if the interfaces wound up in different slots from the ones you expect. The slots on the front of the box aren't labeled, so figuring out which of the five of them is "slot...
Turns out this is one of the ways VSX differs. It definitely does not disable IP forwarding when you unload the policy. 'cpstop' disables IP forwarding, which makes sense, as it is intended to have...
As far as I am aware, 'fw unloadlocal' should not stop routing.
I think the confusion happens because it unloads the whole policy, which includes NAT. Thus, any inbound NATs from public IPs to...
Definitely possible. I recommend moving it to a bond, then you can use the CLI to move the bond between physical interfaces easily.
Now what may not be possible is doing this without an outage....
To confirm, you want a tunnel between FW-A and FW-B, then a second tunnel between FW-A and FW-C with the same networks behind FW-B and FW-C?
If not, a diagram may help express what you want to...
Palo Alto Networks' website as a whole is pretty iffy. While not that level of bad, you can edit their downloads page to request files other than the ones you are allowed to download, and they'll...
SecureClient definitely supports Office Mode. You're thinking of SecuRemote, which is the same software installed in a different mode. I don't think either is supported anymore (i.e., you can't call...
"Mgmt" is just another interface on the OS. It does not have its own routing table. In fact, there is nothing special about it at all; it's just another Intel e1000 interface which happens to get a...
This is a somewhat less verbose command to use:
du --max-depth=1 -h .
The earlier command crawls the filesystem and prints *all* directory sizes. The "--max-depth=1" switch causes it to crawl...
Sometimes, you can get newer drivers from the TAC than are currently shipping in generally-available versions. For a while, the shipping e1000 version (7.3.15-NAPI) was pretty janky, and a newer...