CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.


Type: Posts; User: Bob_Zimmerman

  1. Re: SmartDashboard on macOS (51 replies, 21,277 views)

    While building some test data to confirm I handle policy installation targets correctly, I noticed I didn't import clusters at all. I think I started developing this client against R80.20, which...
  2. Re: VPN Statically NATted IP (1 reply, 170 views)

    Let's say you have gateway A (with only private addresses) which goes through gateway B, which NATs A's private address to a public address. That option exists to let you form a VPN straight from A...
  3. Re: SmartDashboard on macOS (51 replies, 21,277 views)

    Just added the ability to push policy! The UI is still a work in progress, but it's usable.

    Right now, the installation targets list just shows all firewalls. I don't currently interpret...
  4. Re: SmartDashboard on macOS (51 replies, 21,277 views)

    Just finished adding the ability to add and delete access and NAT rules and sections. I create rules disabled to let you build the rule before enabling it. This isn't as big a deal as it was before...
  5. Re: SmartDashboard on macOS (51 replies, 21,277 views)

    Still thinking about the right way to calculate rule numbers. I do have some minor things to share. I've added the ability to disable NAT rules (and to show that they are disabled), as well as the...
  6. Re: SmartDashboard on macOS (51 replies, 21,277 views)

    Well, I just discovered that while policies have automatically-generated NAT sections which you can't modify at the top, you can add NAT rules above them. So that's fun. Time to rework a chunk of my...
  7. Re: SmartDashboard on macOS (51 replies, 21,277 views)

    It's extremely limited right now. Shows most things, but can only manipulate a few of them. The login flow is iffy (it defaults to my lab SmartCenter's address and doesn't remember any others you log...
  8. Re: SmartDashboard on macOS (51 replies, 21,277 views)

    I think I've finally cracked it. Removed some debugging code I had added, and now drag-and-drop is working from inside a section to outside a section, from outside a section to inside, between...
  9. Re: SmartDashboard on macOS (51 replies, 21,277 views)

    Duplicate post.
  10. Re: SmartDashboard on macOS (51 replies, 21,277 views)

    Even if it comes after browser-based management, I won't be too disappointed. I'm one person doing this in my spare time, after all. ;) I will always prefer the performance achievable with a thick...
  11. Re: Anyone remember the command on the gateway to see which Terminal Servers are conn

    You can use 'who' to find out who is currently connected and how:

    [Expert@LabSC]# who
    admin pts/2 Aug 12 17:42 (10.20.30.40)
    admin pts/3 Aug 12 17:42 (10.20.30.40)
    The...
  12. Re: SmartDashboard on macOS (51 replies, 21,277 views)

    Databases are one of those things I really don't understand all that well. Key-value observing is another. This, unfortunately, combines both, so it has taken me a long time to learn what I need to...
  13. Re: Threat Protections and SSL Inspection (1 reply, 1,034 views)

    It depends if you offer or use unencrypted services. For example, if you host an FTP site or if you access somebody else's, then IPS, threat emulation, and so on could see the traffic and provide...
  14. Re: SmartDashboard on macOS (51 replies, 21,277 views)

    So it took me waaaay longer than I expected to figure out live UI updates in response to database changes, but I think I have it mostly working now. And it turns out it involves using a Cocoa...
  15. Re: SmartDashboard on macOS (51 replies, 21,277 views)

    Figured out how to update the rule ordering criteria and rule numbers. Now dragged-and-dropped rules gets reordered in the UI, and they get the correct rule number (or at least, I'm not aware of any...
  16. Re: Management API performance (6 replies, 2,799 views)

    I've collected enough data for what I care about. It's posted here:

    https://github.com/Bob-Zimmerman/CPAPI-Stats

    There's an Excel spreadsheet with a tab for each configuration and a column for...
  17. Re: SmartDashboard on macOS (51 replies, 21,277 views)

    Over the weekend, I added color swatches to the object color picker. That was WAAAAY harder than it seems like it should have been, but it's working now:
    And just now, an hour before the WWDC...
  18. Re: Management API performance (6 replies, 2,799 views)

    Here's the script I've been using with VMs:

    #!/usr/bin/env bash
    TIMEFORMAT='%R'
    filePrefix="vm$(egrep "^processor\s" /proc/cpuinfo | wc -l)$(grep MemTotal /proc/meminfo | awk '{GB = $2/1000000}...
  19. Re: Management API performance (6 replies, 2,799 views)

    It may just be down to having more thermal headroom. The Atom was originally a reimplementation of the core x86 instructions without power-hungry features like branch prediction and speculative...
  20. Re: Management API performance (6 replies, 2,799 views)

    I am indeed. A while ago, I found out how to modify config_system to let me set it up as a standalone. The firewall part has one rule: any, any, any, accept.

    This performance is surely why...
  21. Management API performance (6 replies, 2,799 views)

    So I've been working on adding drag-and-drop rule rearrangement to my Mac-native client, and it's presenting a problem. Refreshing the rule positions after a drag operation would require re-fetching...
  22. Re: SmartDashboard on macOS (51 replies, 21,277 views)

    Lots of visible updates! I've been adding menus to access rule fields and items within those fields. While most of the menu items aren't hooked up to anything yet, I do have this one which I think is...
  23. Re: SmartDashboard on macOS (51 replies, 21,277 views)

    Just got object search working in the sidebar. It's not quite as smooth as I want it. It searches automatically as you type and shows the results live in the sidebar, but it closes the object types....
  24. Re: CMA appears to be down, while in CLI its up

    When the GUI disagrees with the command line (or with itself), I generally jump right to trashing the applications.C* and CPMILinksMgr.db*. They're all in $FWDIR/conf. cpstop the MDS, trash them (or...
  25. Re: SmartDashboard on macOS (51 replies, 21,277 views)

    My client has long had a big, gross limitation which isn't really obvious in screenshots: it didn't handle data updates very well. You could download objects, edit existing objects, and now make new...
  26. Re: SmartDashboard on macOS (51 replies, 21,277 views)

    I've figured out enough about contextual menus to allow for object deletion.
    This required more "fun" with Objective-C selectors. Selectors are basically function calls, but you can't pick...
  27. Re: SmartDashboard on macOS (51 replies, 21,277 views)

    While figuring out some menu stuff, I decided it's time to learn more about how localization works on macOS (this was actually to help me reliably place the "Add Object" menu in the menubar). Turns...
  28. Re: SmartDashboard on macOS (51 replies, 21,277 views)

    Took a bit longer than I thought to finish shaving some other yaks and get back to directly working on this project. I'm happy to report I was able to figure out enough about menus to allow for the...
  29. Re: API target for development (1 reply, 3,427 views)

    I eventually decided using snapshots for this is too slow. I have a ludicrously powerful desktop (2x Xeon X5675 [3.06 GHz, 6 cores plus hyperthreading], 96 GB of RAM), and it was still taking over 20...
  30. Re: Standalone 2200 with R80.10 and up (2 replies, 2,863 views)

    I just confirmed the 2200 can handle 8 GB of DDR3 RAM in the form of two 4 GB SODIMMs. Mine have eight chips on each side, 16 chips per stick, so 256 MB per chip. I hear sticks with 512 MB chips...
  31. Re: SmartDashboard on macOS (51 replies, 21,277 views)

    Now that I have a good way to build an MDS for testing, I'm starting to work with the multi-domain parts of the API. This leads to a big question:

    How should connecting to an MDS work?

    It would...
  32. API target for development (1 reply, 3,427 views)

    Most of my development work so far has been against a 2200 which I personally own. It has a perpetual license, but it's sometimes a little unpredictable. The API service sometimes crashes. It has a...
  33. Re: SmartDashboard on macOS (51 replies, 21,277 views)

    Finding some rough edges when it comes to application/site objects and their relationships with categories. Suspending my work on that for now.

    I think I've figured out how to make new objects. It...
  34. Re: When you thought 2020 couldn't get worse

    You should look up the Cherpumple.
  35. Re: SmartDashboard on macOS (51 replies, 21,277 views)

    Gave up on the progress meter for now, and learned to do this instead:

    I now have support for dragging objects from the sidebar into the source, destination, and service fields of rules,...
  36. Re: API Irritations (10 replies, 4,721 views)

    Ran into the group-members-are-sometimes-objects-and-sometimes-UUIDs thing again, but this time with tags. I suspect this inconsistency will bite me a few more times before I've tracked down all the...
  37. Re: When you thought 2020 couldn't get worse

    Eh. GNS3 is only mildly weird. I was hoping for something like an x86 emulator on a Raspberry Pi emulated by an UltraSPARC. ;p
  38. Re: When you thought 2020 couldn't get worse

    So a Fortinet VM inside a PAN VM inside a Check Point box? Please tell me that's also a VM on something weird.
  39. Re: SmartDashboard on macOS (51 replies, 21,277 views)

    At some point, sure. For now, I figure I have about 20% the functionality of SmartDashboard. Lots left to add, but it's mostly view-side code in MVC. The object model changes put me in a better...
  40. Re: SmartDashboard on macOS (51 replies, 21,277 views)

    Spent a while completely rewriting my entire import architecture and my entire object model. Previously I had been using one single object definition for everything. Hosts, networks, services,...
  41. Re: API Irritations (10 replies, 4,721 views)

    'show object' returns a JSON structure with a top-level key of "object" which has its value set to the JSON structure for the object you are trying to get:


    [Expert@mySmartCenter:0]# mgmt_cli -r...
  42. Re: SmartDashboard on macOS (51 replies, 21,277 views)

    No screenshots to really show this off, but a small update.

    I have just made my first successful API call to change the properties of an object based on changes made locally in my client.

    While...
  43. Re: SmartDashboard on macOS (51 replies, 21,277 views)

    Made some advances and thought I would show them off.

    Dark mode actually worked perfectly right out of the gate.

    Dramatically improved login. That's the phone button at the far left of...
  44. Re: SmartDashboard on macOS (51 replies, 21,277 views)

    Ran into some issues, which stalled my progress for a while. I decided the fix was to rewrite most of the UI. Still not done with that, and still not past the issues in question, but I think I'm...
  45. Re: Secure Internal Communication (SIC) Basics

    Change management's name? Need to reset the ICA and all trust relationships. I hit that mostly when rebuilding a failed management (I wrote the process for the three-file rebuild, and used it on a...
  46. Re: Secure Internal Communication (SIC) Basics

    Elaborating on this one a bit. Resetting SIC should almost never be necessary, and it often makes problems worse and reduces your ability to troubleshoot the problem. While building your...
  47. Re: Secure Internal Communication (SIC) Basics

    The trust establishment negotiation is actually from the management to the gateway and from the management to the log server. The rest is accurate, yes.
  48. Re: All that's old is new again. (3 replies, 5,749 views)

    There was also SunOS/Solaris, and I think you could install FW-1 on Redhat as well for a while.

    The level of sensitivity to Solaris patches was a huge pain. That build also didn't get great...
  49. Re: Upgrade to 80.40 (13 replies, 3,784 views)

    Sure, but there's a great saying among programmers: the best code is the code you don't have to write. If you can arrange other things such that you don't need the modification, that's vastly...
  50. Re: Upgrade to 80.40 (13 replies, 3,784 views)

    I try really hard not to make modifications to files like the table.def, implied_rules.def, and so on. This is why. Upgrades always wipe them out, and updates sometimes do as well. Rediscovering all...
  51. Re: API Irritations (10 replies, 4,721 views)

    'show changes' is so close! It provides enough information to highlight items which were changed. Unfortunately, it doesn't provide enough to actually merge those changes from just the 'show changes'...
  52. Re: SmartDashboard on macOS (51 replies, 21,277 views)

    Still working on the ordering of empty sections.

    Since I last posted, I have:

    Added NAT rulebase display.
    Added a picker to choose the policy package you want to view. It also has a special...
  53. Re: API Irritations (10 replies, 4,721 views)

    And back to hair-pulling frustration.

    If you run 'show objects', and you get a group, that group's members are given as a list of UUIDs.

    If you get the same group via 'show object', the group's...
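
Added example, not code from the thread or from Check Point: a small Python normalization layer for the member-shape inconsistency described in posts 36 and 53 (group and tag members come back as bare UUID strings from 'show objects' but as full objects from 'show object'), the top-level "object" wrapper noted in post 41, the missing tags from post 65, and the uppercase-UUID mismatch on where-used from post 67. The JSON below is constructed for the example, not captured from a SmartCenter; the uid/name/type/members/tags/objects field names are assumed, and every helper name is mine.

```python
"""Normalizing member references from the Check Point management API.

Added example, not the poster's client code. Assumptions, taken from the
posts and not verified against a live SmartCenter: 'show objects' lists
group members as bare UUID strings, 'show object' returns them as full
objects and wraps its result under a top-level "object" key, tags are absent
from 'show objects', and where-used does not match uppercase UUIDs. The
sample JSON is constructed for this example.
"""
import json

# Constructed 'show object' reply for a group. The uppercase uid is deliberate,
# to exercise the lowercasing that where-used needs.
SHOW_OBJECT_RESPONSE = json.dumps({
    "object": {
        "uid": "4B3F0A2E-1C5D-4E7A-9B1F-0D2C3E4F5A6B",
        "name": "Web_Servers",
        "type": "group",
        "members": [
            {"uid": "11111111-2222-3333-4444-555555555555", "name": "web1", "type": "host"},
            {"uid": "66666666-7777-8888-9999-000000000000", "name": "web2", "type": "host"},
        ],
        "tags": [{"uid": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee", "name": "dmz", "type": "tag"}],
    }
})

# Constructed 'show objects' reply: the same group with members as bare UUIDs,
# the member hosts, and (as the post says) no tag objects at all.
SHOW_OBJECTS_RESPONSE = json.dumps({
    "objects": [
        {"uid": "4b3f0a2e-1c5d-4e7a-9b1f-0d2c3e4f5a6b", "name": "Web_Servers", "type": "group",
         "members": ["11111111-2222-3333-4444-555555555555",
                     "66666666-7777-8888-9999-000000000000"]},
        {"uid": "11111111-2222-3333-4444-555555555555", "name": "web1", "type": "host"},
        {"uid": "66666666-7777-8888-9999-000000000000", "name": "web2", "type": "host"},
    ]
})


def normalize_uid(uid):
    """Lowercase a UUID before using it as a key or sending it to where-used."""
    return uid.strip().lower()


def member_uid(member):
    """A member reference is either a UUID string or an object dict; return its UUID."""
    if isinstance(member, str):
        return normalize_uid(member)
    if isinstance(member, dict) and "uid" in member:
        return normalize_uid(member["uid"])
    raise TypeError(f"unrecognized member reference: {member!r}")


def unwrap_show_object(response_text):
    """'show object' nests the object under "object"; other calls return it bare."""
    data = json.loads(response_text)
    return data["object"] if "object" in data else data


def index_objects(response_text):
    """uid -> object map from a 'show objects' reply, keyed by lowercased uid."""
    data = json.loads(response_text)
    return {normalize_uid(o["uid"]): o for o in data.get("objects", [])}


def resolve_members(group, index):
    """Member objects for a group, whichever shape the API handed back.

    Bare UUIDs are looked up in the index; inline objects are kept but replaced
    by the index copy when one exists, so each object has one canonical dict.
    Unknown UUIDs become placeholder dicts rather than vanishing, which keeps a
    missing object (a tag never returned by 'show objects') visible.
    """
    resolved = []
    for member in group.get("members", []):
        uid = member_uid(member)
        if uid in index:
            resolved.append(index[uid])
        elif isinstance(member, dict):
            resolved.append(member)
        else:
            resolved.append({"uid": uid, "name": None, "type": "unresolved"})
    return resolved


def missing_tag_uids(obj, index):
    """UUIDs of tags on obj that the index lacks and must be fetched separately."""
    return [member_uid(t) for t in obj.get("tags", []) if member_uid(t) not in index]
```

member_uid is the one place that knows about both shapes, so when the same inconsistency turns up on another field (tags, as the later post describes) only that function and the caller that feeds it need attention. Lowercasing at the boundary means a UUID can be used as a dictionary key or as a where-used argument without caring which call produced it.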
  54. Re: SmartDashboard on macOS (51 replies, 21,277 views)

    For my initial development, I skipped dealing with certificates and so on. Instead, I coded it to use custom TLS trust evaluation, and to blindly trust any certificate presented by a particular IP...
  55. Re: API Irritations (10 replies, 4,721 views)

    Just ran into a more pleasant surprise! 'show object' appears to work with any UUID. Object, policy package, layer, even individual rules. I noticed when I made a mistake handling inline layers and...
  56. Re: API Irritations (10 replies, 4,721 views)

    Entirely possible. That said, if somebody else wants to build tools like the ones I build, this might help them avoid some of the data model potholes I've hit. It took me days to convert from a...
  57. Re: API Irritations (10 replies, 4,721 views)

    Found a new one. I'm probably going to report this as a bug.

    Access sections don't give you their position. They have a 'from' integer and a 'to' integer for the rules inside them, but no position...
  58. Re: SmartDashboard on macOS (51 replies, 21,277 views)

    Your comment did remind me I forgot to handle cell negation. Simple enough fix. I just added a "negate" variable in my cell view, and fed it the appropriate value from the working row. SwiftUI is...
  59. Re: SmartDashboard on macOS (51 replies, 21,277 views)

    That's actually the thing I find most disappointing about the API. It was a chance for a clean break. You could have provided a VCS like Hg or Git (or even non-distributed; something like SVN), but...
  60. Re: SmartDashboard on macOS (51 replies, 21,277 views)

    It's 100% Swift 5.2. It's a very nice language. Easy to reason about. Automatic reference counting for memory management, a good static analyzer, good exception handling capabilities.

    The UI is a...
  61. Re: SmartDashboard on macOS (51 replies, 21,277 views)

    I was not aware, but web applications are universally pretty awful. You have reduced working space due to the browser's chrome on top of the application chrome. In-page state interacts in really...
  62. Re: SmartDashboard on macOS (51 replies, 21,277 views)

    Funny this should be the most recent thread in the off-topic forum. I was just trying to determine where to ask if anybody was interested in a little application I've been working on.

    I'm solving...
  63. Re: Upgrade to 80.40 (13 replies, 3,784 views)

    That would be my expectation. Kernels are easy to swap. It's a single binary image stored on the disk. Point to a new one, done.

    Filesystems are much harder to swap (though not impossible; Apple...
  64. Re: Upgrade to 80.40 (13 replies, 3,784 views)

    I upgraded my personal 2200 from R80.20 to R80.40 over the weekend. It has a 1.8 GHz dual-core processor, 4 GB of RAM, and a SATA SSD. Except for the SSD, it's pretty close to a worst-case scenario....
  65. Re: API Irritations (10 replies, 4,721 views)

    I converted my code to use a single class for all objects, then switched to using 'show objects' to get everything.

    Tags aren't included in 'show objects'.

    Are you kidding me?



    I'm also...
  66. Re: automated MDS backup (12 replies, 5,971 views)

    Ah. Yeah. By convention, brackets indicate optional arguments in UNIX/Linux, and less-than and greater-than indicate mandatory arguments. In both cases, the enclosing characters need to be removed as...
  67. Re: API Irritations (10 replies, 4,721 views)

    Found another one. Some API endpoints are case-insensitive, while others (the specific one I hit was where-used) don't return anything for uppercase UUIDs. It's easy enough to just add a...
  68. API Irritations (10 replies, 4,721 views)

    I'm trying to do more with the management API, and it is insanely frustrating to deal with. Thought I would vent a little here.

    First, something actually very good: the API is versioned. Version...
  69. Re: Business case to keep Check Point (9 replies, 4,245 views)

    My knowledge of Palo Alto is limited, but I know their feature to identify users on endpoints (like Identity Awareness) is trivial to misconfigure. I've seen a few Palo Altos with that feature...
  70. Re: automated MDS backup (12 replies, 5,971 views)

    SSH keys are a user-level thing. Check Point doesn't use them directly for anything, and they won't interfere with anything Check Point does.

    I'm working on SCP stuff myself (specifically, still...
  71. Re: automated MDS backup (12 replies, 5,971 views)

    The file should be created as soon as you touch it, and it should have contents as soon as the >> is run. My bet would be time zone confusion (maybe he checked before the script had run?) or node...
  72. Re: Standalone 2200 with R80.10 and up (2 replies, 2,863 views)

    Remove the "return 1;" from the end of line 1129, and config_system will happily set up your 2200 as a standalone system.



    For some reason, I couldn't post (or preview) with that final line of...
  73. Standalone 2200 with R80.10 and up (2 replies, 2,863 views)

    I recently needed to get a personal Check Point license for some development work I'm doing. Getting a new software license would be hundreds to thousands of dollars, while Check Point branded...
  74. Re: automated MDS backup (12 replies, 5,971 views)

    Thanks for the comment! I'm never sure if anybody else cares about this kind of thing.
  75. Re: automated MDS backup (12 replies, 5,971 views)

    I just updated my MDS past the versions in sk163300, which changed mds_backup to no longer gzip the final tar file. That broke my file renaming logic. Testing a fix.

    Edited to add: This should...
  76. Re: Any interruption if I add the interesting traffic into the existing site2site tun

    IPSec VPNs are negotiated by the gateways for pairs of endpoints. An "endpoint" in this context can be a single host or a network (including the network 0.0.0.0/0, which includes all IPv4 addresses)....
  77. Re: automated MDS backup (12 replies, 5,971 views)

    I normally use mds_backup -b -i -l. The b sets batch mode, which doesn't prompt for anything. The i includes the rule hit counts. The l (lowercase L) excludes logs (I have separate MLMs, so this is...
  78. Re: trouble creating cluster interface in cluster XL

    So you're aware, the last step in that list undid all the earlier steps in that list. That button exists specifically for people who don't want to build the interface themselves. I would guess that...
  79. Re: trouble creating cluster interface in cluster XL

    The first screenshot is telling you someone else is making changes to gate01, so you can't make your changes.

    The second screenshot is telling you it doesn't like something about the change you...
  80. Re: Licensing Cost / Job Interview (1 reply, 984 views)

    To me, the single biggest selling point of Check Point's software is just that: it's software you can throw on your own server or VM. You can download the installer ISO for all the current versions...
  81. Re: Network Load Balancing Server (4 replies, 7,292 views)

    I doubt the firewall would do automatic proxy ARP for the virtual server. You could try adding a proxy ARP statement or using a VIP which isn't on any real network you use.
  82. Re: Trying to run Python script (5 replies, 2,022 views)

    Python has a concept of modules. A module provides functions and object types which Python by itself does not.

    Apparently this script requires one called "rulebasecsv", which isn't on the system...
  83. Re: Trying to run Python script (5 replies, 2,022 views)

    To expand on this, the "^M" part of the error is a control character. Control-M is a carriage return.

    Different platforms encode line endings in different ways. Specifically, classic Mac OS used a...
  84. Re: SIC Certificate Management (2 replies, 7,725 views)

    A Check Point SmartCenter or MDS runs an internal certificate authority (ICA). It is self-signed, and is the root of trust for the SIC domain. Secondary managements, log servers, firewalls, and so on...
  85. Re: R80 box NAT'ing out weird public IPs (2 replies, 1,253 views)

    Are the public IPs close to any public IPs you have defined? In the same /24, for example? You can do static NAT between two network objects of the same size, so that can cause NAT to IPs you don't...
  86. Re: Is This Still An Active Group? (3 replies, 8,321 views)

    I am very much not a fan of Check Point the company, so I prefer to post here. My posting on CheckMates is mostly just code and quick answers I know off the top of my head to questions about some...
  87. Re: Mixing different hardware in a cluster (4 replies, 8,259 views)

    It's more the CoreXL config. Last I tested, you can use a 16-core box to replace a 4-core box in a cluster as long as you change the new one from the default CoreXL config to be the same as the...
  88. Finding which interfaces are used and how many times

    I recently had a need to find which interfaces on a VSX system are in use, thereby letting me know which interfaces are available for future expansion. I wrote this quick script and thought it may be...
  89. Re: Mixing different hardware in a cluster (4 replies, 8,259 views)

    I don't know about documentation, but I know it works. You need the same CoreXL and SecureXL config on all members.

    Same version down to the patch level is a good idea, but you can force...
  90. Re: Issues with SMS running R80.20M1 (4 replies, 2,151 views)

    Sounds like at this point, your best bet is to treat it as a completely failed primary SmartCenter. I don't know the process for R80-family management off the top of my head, but support should...
  91. Re: Issues with SMS running R80.20M1 (4 replies, 2,151 views)

    Who said managing R80.20 firewalls from an R80.20M1 SmartCenter isn't supported? That doesn't sound right at all. Last I heard, managing R80.20 firewalls from R80 (no dot) is supported, you just...
  92. Re: new blog post on installing Kali on SMB or R80.x (3.10 kernel)

    Considering Docker is STILL based on chroot (just with cgroups added), it's a new-school container, too!

    I wish GAiA had been based on IPSO instead of SecurePlatform. Then we could have ZFS,...
  93. Re: new blog post on installing Kali on SMB or R80.x (3.10 kernel)

    To be clear, this is just a chroot, right? It's running the same instance of the same kernel, not a full hardware VM?
  94. Re: Adress Spoofing with Always On VPN RAS Server

    That's almost certain to be a routing loop. Run an fw monitor when you see the problem. I bet you will see a SYN pass through the firewall, then the same SYN hit the firewall on the interface it just...
  95. Re: CP1500 (6 replies, 10,256 views)

    Looks like new boxes Check Point just announced:

    https://www.checkpoint.com/downloads/products/1500-security-gateway-datasheet.pdf
  96. Re: Domain based VPN at checkpoint side and route based VPN on Cisco router

    You can mix domain-based and route-based VPNs just fine. The only trick is you need to be sure the domain-based VPN logic doesn't get triggered by traffic you want to go over the route-based VPN.
    ...
  97. Re: Licence expiration and the impact on security

    My understanding is URL filtering should work, but categorization won't. That is, if you try to use the category Check Point provides called "News / Media", nothing will match, as you no longer have...
  98. Re: R77.30 to R80.20 migration. (2 replies, 1,612 views)

    I am told with R80.20, a clean install is preferred. Here's the general process I would use:

    Export the configuration from the management and import it into a VM for testing purposes. Do you get...
  99. Re: NAT assistance (6 replies, 2,862 views)

    This is almost certainly what's going on. The destination is being changed, but the source isn't. Some janky clients (most notably, many versions of systemd) send NTP traffic from UDP port 123, not...
  100. Re: Numbered VTI in cluster (3 replies, 2,374 views)

    That's a really good question. I've done a lot with VTIs, but not recently, and I don't remember the answer.

    It should be pretty easy to test in a lab. You just need three VMs. One standalone...
Results 1 to 100 of 403