CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.



 


Type: Posts; User: jacobsen


  1. Replies
    27
    Views
    5,782

    Re: sim affinity in R77.30 or R80?

    Hi there,

    Valerie, can you give a short example of how to bind the NICs to SNDs and how to verify that?

    I'm having a HA cluster of 23800 here and it feels much slower than the 21600 we had...
  2. Replies
    2
    Views
    3,978

    VE hypervisor R77.10 is out, but.....

    can only be managed by R77.10.
    In other words, if you have your smartcenter or multi-domain server already updated to R77.20, you can't use VE R77.10 for now.
    Got this from our support and key...
  3. Replies
    10
    Views
    3,535

    Re: Installing Gaia R77.10 on an IP390

    We've already updated IP 390 appliances to gaia R77.10. No problem so far.
    @Phoneboy: Do you suggest to not install gaia on IP appliances at all? Why is that? Gaia is meant to be installed on IP...
  4. Replies
    22
    Views
    13,316

    Re: Check Point R77.10

    Hi,

    any idea, when Virtual Edition (CP VE) R77.10 comes out?
    PhoneBoy maybe?

    Thanks
    J
  5. Re: Parameters and format for editing queries.conf

    Hi,

    how about using dbedit instead?

    [Expert@fw-mgmt]# cat test_query.txt
    print network_objects firewall_admin_group
    [Expert@fw-mgmt]#

    [Expert@fw-mgmt]# dbedit -local -f test_query.txt |...
  6. i've discovered the same tcp options in packets...

    i've discovered the same tcp options in packets leaving our external firewall and asked our WAN guys for support.

    What exactly might happen if it wont or cant be fixed?
  7. thats an IP appliance or Nokia box. whatever,...

    thats an IP appliance or Nokia box.
    whatever, you are within ipso's clish

    you should be able to set admins login shell to bash with:
    set user admin shell /bin/bash
    save configuration

    log...
  8. you are right on this part:

    you are right on this part:
  9. why "LOL"? He's right and I agree.

    why "LOL"?
    He's right and I agree.
  10. where is point 3 (make FW a non transp. prox) to...

    where is point 3 (make FW a non transp. prox) to be configured?

    J
  11. Replies
    8
    Views
    2,482

    Re: CMA seen with "? Status Unknown" in MDG

    why do people not post about solutions?
    I wish he would have.
  12. Re: FWM of CMA crashes on policy install after upgrade to R75.30

    Hi,

    we have P-1 R75.30 with 15CMAs (HA) running on SPLAT and no problems with crashing processes.
    The only odd thing is that policy verification takes a damn lot time. Even if the servers are...
  13. Replies
    5
    Views
    2,548

    hi barry, here is the error message: cannot...

    hi barry,
    here is the error message:

    cannot connect to forum.
    this forum is either restricting
    access from Tapatalk HD or the
    installed Tapatalk HD is not
    working.

    j
  14. Replies
    6
    Views
    5,119

    Re: put in crontab some Checkpoint commands

    Hi,

    well, i guess, using the days with commas should work, and by the way, isnt it a vixie cron (Cron version -- $Id: crontab.c,v 2.13 1994/01/17 03:20:37 vixie Exp $)?
    But to be sure that its...
  15. Replies
    5
    Views
    2,548

    barry, can you please install the new tapatalkHD...

    barry, can you please install the new tapatalkHD plugin as well?
    thanks!
  16. brilliant! it works again. thanks and enjoy your...

    brilliant! it works again.
    thanks and enjoy your weekend
  17. Re: It looks like we're going to stay with HTTPS for CPUG.org for good

    Hi Barry,

    is this the reason why I cant use tapatalk anymore to read cpug?

    best greetings
    J
  18. Replies
    8
    Views
    4,118

    Re: Upgrade from R65 to R71.10

    @Maarten:

    your tip for ex- / importing the global policy is a piece of gold.
    Thanks a lot for that!

    J
  19. Replies
    2
    Views
    1,870

    Re: Save SmartDefense Config for Documentation

    sorry for the late reply.
    I just came to the same question and found your posting.

    here is the solution (works also with R65):
    -switch to the smart defense tab
    -choose "protection overview"...
  20. Replies
    9
    Views
    6,421

    Re: ip565 swi1: net_taskq0 using 99%cpu

    welcome to my world of pain:

    ifphys:eth-s1/s1p2:errors:in_qdrops = 1547129
    root 20 25.3 0.0 0 16 ?? WL Sat05PM 1038:34.94 [swi1: net_taskq0]
    uptime is nearly 5 days.

    last week,...
  21. Replies
    9
    Views
    6,421

    Re: ip565 swi1: net_taskq0 using 99%cpu

    Hi Mark

    afaik:
    net_taskq will be triggered by IRQs sent by the NIC to get the data out of the ring descriptor.
    This happens either after a timer runs out or if that ring descriptor buffer is a...
  22. Replies
    7
    Views
    17,875

    Re: “top” does not show all CPU cores.

    sorry for that late answer.

    "top -p" will do it.
  23. Re: Trying to run a CST on my Nokia, but it seems to be taking forever

    i had the same issue with an older CP version running on ipso.
    whenever i started a cst, it just hang.
    cst is doing a lot of things. and besides that, it grabs some CP tables with "fw tab"
    That...
  24. Replies
    30
    Views
    11,584

    Re: Check Point R70 R71 R75 Visual Road Map

    Thanks a lot for that picture. Very well made, mate.
  25. Re: IP Series or Open Server for high bandwidth demands?

    Yes, exactly, Carsten. I think so too :-)
    Just ask Manu.
  26. Replies
    14
    Views
    4,893

    Re: Fw Monitor- Mask Interpretation

    @manuadoor:
    what about secureXL? is fwaccel set to on or off during the fw monitor?

    J
  27. Replies
    11
    Views
    2,925

    Re: ICMP test to VRRP cluster

    your config on the secondary is surely messed up.
    if .9 is the primary and if the primary is down, .9 can't answer.

    Look at your secondary Nokia.
    what shows
    ifconfig -a
    and
    clish -c "show...
  28. Replies
    7
    Views
    2,106

    Re: Is Checkpoint TAC high on crack?

    upgrade_export works on P1. At least on a cma level.
    I've never used upgrade_import to build up a new cma.

    J
  29. Replies
    6
    Views
    3,119

    Re: IPSOs MSS default value

    there is still the question left, why it's set to 1024.
    Whenever the Nokia sends its backup data (with scp) to a backup server,
    the MSS used is 1024. That's not so good.
    It might be a good idea to...
  30. Replies
    6
    Views
    3,119

    Re: IPSOs MSS default value

    guess I can answer that by myself now:

    I ran Wireshark on my client while I established a connection to a webserver which is secured by a Nokia appliance.
    Both, the client and the webserver had...
  31. Replies
    6
    Views
    3,119

    IPSOs MSS default value

    Hi all,

    Ipso's default MSS is set to 1024.
    according to the check point documentation this is due to historical reasons (has anyone further infos on this?) . They point out, that this value can...
  32. Replies
    4
    Views
    2,274

    Re: figure out the hfa version from firewall

    try this:

    ckp_regedit -p "//SOFTWARE//CheckPoint//FW1//6.0//HotFixes"

    for me it gives this output:




    works on the modules and on the smartcenter server
  33. Replies
    1
    Views
    1,440

    Re: Easy export of address translation rules?

    Hi Kheiron,

    this is quite easy:
    download the Check Point Web Visualization Tool, install it on your Smartcenter Server, read the tiny documentation and let it run.
    The tool will dump your...
  34. Replies
    7
    Views
    2,266

    Re: Proof of password changes on IPSO

    Hi,

    here is another approach:

    if you activate the password expiration and set it to, let's say, 90 days, you can show your management that
    a) password expiration is set (that makes them feel...
  35. Replies
    5
    Views
    5,965

    Re: R65 Smart Dashboard under Windows 7

    I tried SmartConsole and MDG R70.20 with a P-1 R65 HFA 60 Installation.
    Did not work.




    SmartConsole has never been compatible with older server versions.
  36. Replies
    7
    Views
    2,301

    Re: TOP Alternative

    while loop in csh isnt that difficult:


    while (1)
    ps auxwww
    end


    or like this
  37. Replies
    8
    Views
    4,847

    Re: IPSO route table backup

    Hi,

    just extract the routing information out of the initial file, run it through an awk one liner and build the clish commands for later usage:




    have a nice week
  38. Replies
    7
    Views
    4,051

    Re: fw monitor log / ping

    You have probably set up NAT.
    The source IP 10.55.5.250 is NATed to the IP 145.253.175.196.

    Log in to 10.55.8.10 and send a traceroute or tracert to...
  39. Replies
    7
    Views
    4,051

    Re: fw monitor log / ping

    Hi,

    How did you invoke FW Monitor?
    With a filter on source 10.55.5.250?
    If 10.55.5.250 is NATed, the post-out (O) source IP would not match and
    fw monitor would post-out...
  40. Thread: RSS Feed

    by jacobsen
    Replies
    1
    Views
    1,763

    RSS Feed

    Hi Barry,

    it would be nice if there's a RSS Feed we can subscribe to.


    Jörg
  41. Replies
    13
    Views
    4,092

    Re: Checkpoint NGX Chat

    Hi,

    i'd like to join the channel too.
    either on effnet or freenode.
    well on freenode some guys are there but not talking. And on effnet I'm getting this:

    #checkpoint unable to join channel...
  42. Re: New SPLAT SmartCenter - upgrade_import fails

    I had the same situation.
    check if conf/plugins.txt exists in your exported file.
    If you dont have any plugins activated on your source smartcenter, then just create an empty plugins.txt file.
    ...
  43. Replies
    2
    Views
    2,218

    Re: Microsoft DTC RPC

    Hi,

    I would capture the traffic and examine it with wireshark.
    I'm pretty sure, you'll see the prog number in the requests.

    J
  44. Replies
    3
    Views
    1,974

    Re: rename Customer

    Hi Pascal,

    thanks for your reply.
    Yes, we did the "hard" way (copy to temp customer, delete old customer, copy to new customer, delete temp customer) several times.

    renaming the CMA only...
  45. Replies
    3
    Views
    1,974

    rename Customer

    Hello dear all,

    I need to rename one of our customer inside our P-1 environment.
    At the CPUG Conf in Chur, two guys (sorry, I dont remember your names)
    mentioned, there is an easy to do that by...
  46. Replies
    9
    Views
    18,306

    Re: How to get serial number

    sweet. Didnt know that.
  47. Replies
    9
    Views
    18,306

    Re: How to get serial number

    Hi,

    which platform?
    for Nokia it would be:

    clish -c "show asset hardware" | awk '/Chassis/ { print $4 }'

    have a nice day
    J
  48. Replies
    7
    Views
    2,167

    Re: crashdump on ipso

    have a look into $FWDIR/log and $CPDIR/log.
    Maybe you find some useful information in fwd.elg or cpd.elg or any other elg file.

    also the Voyager reports (System\Monitor\Reports) can sched some...
  49. Replies
    7
    Views
    2,167

    Re: crashdump on ipso

    crash dumps can be found under /var/crash


    greetings
    J
  50. Replies
    2
    Views
    1,474

    Re: VRRP error upon loading the policy

    Hi

    I also had this a while ago.
    Policy installation is under some conditions very cpu intense and fwd or cphad might not have responded within the 5 sec timeout to the cphad / fwd failure...
  51. Replies
    10
    Views
    2,423

    Re: Reasons to move to Provider-1

    we're using global objects and global rules with pleasure.
    It saves a lot of work.

    cheers
    J
  52. Replies
    6
    Views
    1,947

    Re: Northlandboy has re-entered the building!

    welcome back :-)
  53. Replies
    5
    Views
    2,169

    Re: primary firewall logs not showing

    well after setting the fwd into debug mode, I found this in the fwd.elg:


    sendLogs: Conn ID=76, Last Seq=2147483610, New Seq=-2099273116
    sendLogs: Fatal error, Conn ID=76, Last Seq=2147483610,...
  54. Replies
    5
    Views
    2,169

    Re: primary firewall logs not showing

    surprisingly I have the same problem here.
    Well, the firewall modules are Nokias not Splat.
    I'll spend some time to analyse it. If I can't get the cause, I'll reboot the module.

    What happened with...
  55. Replies
    6
    Views
    2,727

    Re: checkpoint sk33821 and hotfix 249

    Hi,

    how about to query the cp registry:


    [Expert@fw]# ckp_regedit -p "//SOFTWARE//CheckPoint//FW1//6.0//HotFixes"
    //SOFTWARE//CheckPoint//FW1//6.0//HotFixes : { HOTFIX_R65_02=[s]1...
  56. Replies
    3
    Views
    1,822

    Re: next hop in cli

    Hi try this
  57. Replies
    5
    Views
    2,579

    Re: Incoming, outgoing, internal traffic

    the same here.
    We have a Provider-1 environment.
    Reports of some customers are fine.
    But some cant be differentiated to incoming/outgoing direction. It shows only "other"
    Topology config on the...
  58. Replies
    9
    Views
    4,306

    Re: R65 on Ipso 4.2

    Hi,

    @Abusharif:
    why do you disable SecureXL?

    J
  59. Replies
    1
    Views
    1,228

    Re: Report Generation

    Hi,

    have a look at cacti.

    regards
    J
  60. Replies
    5
    Views
    20,180

    Re: TCP packet out of state

    Hi,

    I had the same issue.
    I've figured out that disabling SecureXL lowers the amount of "tcp out of state" pretty much.

    fwaccel stat
    fwaccel off

    give it a try.
  61. Replies
    16
    Views
    3,896

    Re: New TK20 is out

    Hi,

    what is tk20?
  62. Replies
    6
    Views
    5,483

    Re: cphaprob state: 'during cluster upgrade'

    I've experienced the same.
    The only thing that helped me was to change the state sync between both nodes to different interfaces. Afterwards cphaprob stat shows both nodes as active and fw...
  63. Replies
    7
    Views
    3,451

    Re: Anti Spoofing Issue

    we have nearly the same config like futureechos has.
    the solution lammbo mentioned might work, but if (like in our scenario) there are too many class C subnets out of 10.0.0.0/8 used on the LAN side...
  64. Replies
    14
    Views
    6,645

    Re: http://checkpoint.homeip.net/

    what is pa.exe and vce.exe supposed to be for?
  65. Re: TCP packet out of state, th_flags description

    th_flags are tcp header flags (FIN,SYN,RST,....)
    (have a look at $FWDIR/lib/tcpip.def)

    0x10 = ACK
    0x11 = ACK, FIN
    0x18 = PSH, ACK

    have a nice week
  66. Replies
    1
    Views
    3,138

    Re: Nokia Static routes

    Hi,

    maybe ip forwarding is disabled.
    enable it with ipsofwd:

    #ipsofwd list
    net:ip:forward:noforwarding = 0
    net:ip:forward:noforwarding_author = admin
    net:ip:forward:switch_mode = flowpath...
  67. Replies
    3
    Views
    5,025

    Re: anti-spoofing pushes me to the edges

    Hi Danny,

    thanks for the reply.
    actually, the LAN if is configured with an /24 address. My intention is to clarify that the LAN side consist of different subnets out of 10/8.
    The object name for...
  68. Replies
    3
    Views
    5,025

    anti-spoofing pushes me to the edges

    hello dear friends,

    Our Antispoofing is not working like expected.
    There are always some packets dropped due to anti-spoofing - even if
    antispoofing and the topology settings are configured like...
  69. Re: PS -AUX shows low CPU, but CP Smartview Monitor shows extremely high CPU usage

    thanks for sharing your experiences. :-)
  70. Replies
    0
    Views
    3,210

    mdsquerydb / cpmiquerybin

    Hi all,

    today I was asked to run some queries on the firewall.
    Because the dashboard seems not to be very useful for getting information like "show me the name, ipaddress and comments of all...
  71. Replies
    2
    Views
    1,580

    Re: Build 13 or Build 15?

    thanks a lot.
    I'll have a look for 4.1

    have a nice weekend.
  72. Replies
    2
    Views
    1,580

    Build 13 or Build 15?

    happy weekend greetings,

    I'm a little bit confused.
    "cpshared_ver" and "fw ver -k" shows different build versions.
    does anyone know why?




    strange, isn't it?
  73. Replies
    2
    Views
    1,781

    Re: Eventia Output Format

    yes great.
    that works!

    thanks a lot
  74. strange deallocate_port_ex entry in /var/log/messages

    good day dear community,

    I've found on some of my Nokias (ipso 4.1-13, R60hfa3) some strange entries in the /var/log/messages file, which I don't understand.
    Maybe someone can shed light on this...
  75. Replies
    0
    Views
    1,497

    Eventia Reporter Filter

    Hello,

    today I noticed that I cant set any filter in my reports.
    There are no objects shown in the column "available Values".
    Neither for Source or Destination. Services shows only generic...
  76. Replies
    2
    Views
    1,781

    Eventia Output Format

    Hello,

    best greetings to you all!

    we're using Eventia Reporter NGX R60 Build 83.
    Is there any way, to export reports into pdf documents?
    (if not, this might be a RFE for Check Point)

    And...
  77. Replies
    1
    Views
    2,742

    Re: Peer not reachable management HA

    thanks a lot for your howto.
Results 1 to 77 of 77