CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.



Type: Posts; User: antonyso88


  1. Primary bonding interface in active/standby mode

    I have rebooted the switch that connects to the primary slave, eth2. After boot up, the active slave becomes eth1-02. Does anyone understand why the primary slave, eth2, does not take over as primary? I guess it has...
  2. Re: Primary bond interface takes 30 sec to recover

    I already added it. Please see below.

    interface GigabitEthernet1/0/2
    description Connect to Eth1
    switchport access vlan 20
    spanning-tree portfast

    interface GigabitEthernet2/0/1
    ...
  3. Primary bond interface takes 30 sec to recover

    Dear all,

    I've installed R80.1 and bonding interface (Example. Eth1 is primary while Eth1-1 is backup.) with Active/backup. During failover test, i shutdown Eth1 and it goes to Eth1-1 (less than a...
  4. Re: Smart Management Server goes to CheckPoint Portal every minute

    Thanks. I tried to disable this feature and SMS stop to connect CheckPoint. However, according to the KB, it is better to enable it.

    I will keep it enable and if there is a method/parameter to...
  5. Smart Management Server goes to CheckPoint Portal every minute

    Dear all,

    I have a new installed R80.1 CheckPoint. I found the management server keep frequent goes to the internet in less or every minute. The visited website is CheckPoint.

    I checked with...
  6. CheckPoint management no response in verify policy

    My R70 smartdash gives no response when verifying the policy. It happens 5 times out of 10. Checked the SIC is established and the network latency is not high (a few milliseconds).

    Any idea?
  7. Replies
    23
    Views
    6,043

    Re: Smartcenter cannot receive log

    Sorry for missing the update. I did the cpstop;cpstart at last and it's a success now. Thanks for all your advice.
  8. Replies
    23
    Views
    6,043

    Re: Smartcenter cannot receive log

    Things to check...
    (Here is the answer)

    1.Use tcpdump to confirm logs are being sent to the mgmt. (Checked. Traffic is sent to mgmt)
    2.SIC is working (Checked. SIC is running)
    3. You are not...
  9. Replies
    23
    Views
    6,043

    Re: Smartcenter cannot receive log

    Thanks Northlandboy advise.

    I tried reboot the management and also cpstop/cpstart. But result is same.

    The backup node in the cluster haven't send the log. Only the standalone firewall...
  10. Replies
    23
    Views
    6,043

    Re: Smartcenter cannot receive log

    Let me share more background detail.

    There's a R55 cluster and one standalone FW that's managed by the smartcenter (same policy). And also one backup smartcenter as a backup.

    There is one clue...
  11. Replies
    23
    Views
    6,043

    Re: Smartcenter cannot receive log

    Checked no certificate is using. And the time is correct on both module.

    I'll try to restore the smartcenter first.
  12. Replies
    23
    Views
    6,043

    Re: Smartcenter cannot receive log

    How can i check the cert is expire or not? In addition, any further firewall log can be investigated?

    And at last, i read the checkpoint debug. I can't find any debug related on the SIC.
    ...
  13. Replies
    23
    Views
    6,043

    Re: Smartcenter cannot receive log

    Just tcpdump and find there is traffic in and out

    AA -> BB TCP D=257 S=4225 Ack=3939757528 Seq=1652333149 Len=117 Win=16384 Options=<nop,nop,tstamp 39248787 14594169>
    BB -> AA TCP...
  14. Replies
    23
    Views
    6,043

    Re: Smartcenter cannot receive log

    I am not confident to do the failover. But it must be planned that can't fix the problem now. I am planning to restore the smartcenter server. Try to see it's working or not.

    I haven't idea just...
  15. Replies
    23
    Views
    6,043

    Re: Smartcenter cannot receive log

    I think it's impossible because its a production cluster. I can't do it by a try.

    Any clue/logging or turn the debug on smartcenter to find out the cause?

    How to do it?

    I can't find the...
  16. Replies
    23
    Views
    6,043

    Smartcenter cannot receive log

    My smartcenter is R55. It's working fine for a year.

    But today, it can't receive log from the cluster.

    I tested the SIC and it's communicating with the cluster. I checked the port "257" and...
  17. Replies
    1
    Views
    21,308

    Allow ping to firewall external interface

    Hi,

    I need to allow internet (restricted IP) to ping my firewall (R61) external interface for monitoring. I know open a rule only. Anything else that need to do?

    Thanks.
  18. Replies
    3
    Views
    2,210

    Re: Setup VPN gateway on DMZ

    Thanks your advise. I'll use automatic static NAT and insert a manual NAT rule before the automatic. Is the problem be solved?
  19. Replies
    3
    Views
    2,210

    Setup VPN gateway on DMZ

    I'm design to setup a new standalone VPN gateway in the DMZ of the CP firewall.

    When the VPN box in the DMZ, it need to do static NAT on the CP and also open IPSEC on the CP firewall.

    In...
  20. Replies
    0
    Views
    1,267

    SD blocking MSExchange traffic

    We try to connect the MSExchange server but failed with smartdefense message "DCE-RPC Enforcement Violation".

    We try to open "ANY" and "DCE_RPC_ALL" service but still failed. Uncheck some SD...
  21. Thread: NAT in VPN

    by antonyso88
    Replies
    8
    Views
    2,053

    Re: NAT in VPN

    I want to know the firewall will check the NAT policy first or the VPN policy?

    I am wonder if the traffic from site A incoming, it can do the SNAT after the tunnel?

    And for the reverse, it can...
  22. Thread: NAT in VPN

    by antonyso88
    Replies
    8
    Views
    2,053

    Re: NAT in VPN

    Site A firewall is another brand name and they don't want to make any change. So, all change is in our side.
  23. Thread: NAT in VPN

    by antonyso88
    Replies
    8
    Views
    2,053

    Re: NAT in VPN

    I here attached the drafted network to explain.

    Our internal network already has route to 192.168.1.0 but not go through the Site B firewall. It's routing to another internal network cloud.
    ...
  24. Thread: NAT in VPN

    by antonyso88
    Replies
    8
    Views
    2,053

    NAT in VPN

    We are using R55 and setup a VPN as below

    Site A
    192.168.1.0

    Site B
    192.168.2.0

    We've setup the VPN between Site A and B is fine. But later on, we need to do a NAT on network 192.168.1.0...
  25. Replies
    4
    Views
    1,389

    Re: Can Smartdefense run in VPN tunnel

    I am clear understand now. Thanks a lot.
  26. Replies
    4
    Views
    1,389

    Re: Can Smartdefense run in VPN tunnel

    It means no other choice except using SMTP security server? As i seen from the SmartDefense, there is a AI has mail option. Can it be used for detecting mail delivery?
  27. Replies
    4
    Views
    1,389

    Can Smartdefense run in VPN tunnel

    My CheckPoint Version is AI R55. Can SmartDefense run in VPN tunnel? If yes, can it detect spam mail? Or do I need to use SMTP Security Server?
  28. Replies
    4
    Views
    7,079

    Re: Checkpoint to Juniper VPN

    What IPSEC Phase 1 and 2 setting. Please try MD5 instead of SHA-1.
  29. Replies
    10
    Views
    3,577

    Re: Manual NAT to private network

    That's exactly the subnet not in firewall. How can i solve it?
  30. Replies
    1
    Views
    2,905

    Clear routing table

    I want to how can i flush the whole routing table or only a network in a nokia box?
  31. Replies
    10
    Views
    3,577

    Re: Manual NAT to private network

    I tried to do the Manual NAT + proxy arp as mentioned. But it's not allowed in my nokia box when add the proxy arp. It said "The network segment is not exist"
  32. Replies
    10
    Views
    3,577

    Re: Manual NAT to private network

    If i won't do the proxy arp in router, i use checkpoint to do it. Is it possible?
  33. Replies
    10
    Views
    3,577

    Manual NAT to private network

    Hi,

    I am using R55P.

    I need to do a manual Source NAT as my internal is conflict with the remote vendor network. Here is the draft connection.

    Internal (10.0.0.X) - Checkpoint - External...
  34. Re: How to configure site-to-site VPN between networks with same IP addressing scheme

    Thanks a lot. But i will use manual SNAT. Should i add the Proxy arp in my nokia box?
  35. Re: How to configure site-to-site VPN between networks with same IP addressing scheme

    I think i need to clarify clearly.

    We form a VPN with a 3rd party gateway. But our internal source IP is conflict with other. So for the VPN site-to-site, i need to do a SNAT.
  36. Re: How to configure site-to-site VPN between networks with same IP addressing scheme

    Nevermind. But do you have a experience to configure it before? For my case,
    I just need to do the Source NAT rather both Source and Destination NAT.

    Under the VPN tunnel, how to do that? I will...
  37. Re: How to configure site-to-site VPN between networks with same IP addressing scheme

    Cannot open :-<
  38. Re: How to configure site-to-site VPN between networks with same IP addressing scheme

    got the file but can't open it.
  39. Re: How to configure site-to-site VPN between networks with same IP addressing scheme

    I did PM to you. Please check. Thanks.
  40. How to configure site-to-site VPN between networks with same IP addressing scheme

    As the subject title, i tried to search in checkpoint and got below SK#.

    Solution ID: sk12870

    But, unfortunately, i can't download it and even our vendor has same result. Is there any one has...
  41. Replies
    3
    Views
    1,761

    Re: Nokia Platform high CPU util

    Please send us the IPSO, CP version and HFA.
  42. Replies
    2
    Views
    2,259

    Re: Change firewall gateway IP in cluster

    Change to external gateway is because of the VPN site-to-site tunnel problem. That's why i need to change the firewall gateway IP. I think the license can attached on the Smartcenter first and...
  43. Replies
    2
    Views
    2,259

    Change firewall gateway IP in cluster

    I am running nokia NGX R61 VRRP cluster in a distributed environment. My firewall gateways IP are using internal IP. Now i need to register a VPN license into both firewall gateway. My question is.
    ...
  44. Re: Can eventia reporter can filter unused objects?

    May i know there is a evaluation copy for the firemon?
  45. Can eventia reporter can filter unused objects?

    We are now evaluate this product. Can it help to find out unused objects in a rule?
  46. Replies
    3
    Views
    3,762

    Re: Proxy-Arp problems on Solaris

    If you have checked "Translate Dest. on client side", you don't need to add static route.
  47. Replies
    1
    Views
    1,347

    Re: Nokia Problem...Pls Help

    Did you go to cli mode and type "df -k"? i don't think it will show 109%. what is your nokia and checkpoint version? If the /var is full, try to go the /var directory to check.
  48. Replies
    3
    Views
    3,762

    Re: Proxy-Arp problems on Solaris

    You are using Auto NAT. did you check the "automatic ARP configuration"?
  49. Re: How to create VPN Site-to-site in Nokia VRRP

    I've got one mistake is the CheckPoint VPN Gateway object IP should be the external IP which i set to internal IP previously.
  50. Re: How to create VPN Site-to-site in Nokia VRRP

    I already set the suggested setting but still can't form the VPN. Any idea?
  51. Re: How to create VPN Site-to-site in Nokia VRRP

    I've got a EVAL license for my nokia box now.

    I tried to form the VPN tunnel. But i found that only IKE (UDP 500) is accessed but the key can't be installed. I tried to copy my setting into my...
  52. Thread: VPN License

    by antonyso88
    Replies
    4
    Views
    2,302

    Re: VPN License

    Thanks for your reply. But it's really a bad news for me as i need to use the VPN in this week. May be i need to get a EVAL license first.
  53. Thread: VPN License

    by antonyso88
    Replies
    4
    Views
    2,302

    Re: VPN License

    Is it really no license? As i know now all the license is kept on the smartcenter, why the smartcenter host the encryption license?
  54. Thread: VPN License

    by antonyso88
    Replies
    4
    Views
    2,302

    VPN License

    My situation is i am running Nokia IP390 in VRRP while the smartcenter is a unix box.

    I got below license on the nokia and smartcenter

    nokia
    firewall 1: CPFW-FM-U-NGX CPMP-PPK-1-NGX
    firewall...
  55. How to create VPN Site-to-site in Nokia VRRP

    I've follow the VPN setup guide in checkpoint R61

    1.Choose Gateway -> VPN, Define Domain
    2. Create external gateway -> VPN, Define external domain
    3. Define the Community, define the central...
  56. Re: applying hotfix to a nokia pair in active/standby mode

    i haven't got your experience in my previous installation of R61 Hotfix and Nokia IPSO 4.1 Build 33. I install it in backup node first then reboot it. Then i install the primary and it swap to backup...
  57. Re: netscreen support checkpoint secureclient 4.1

    I can't check the smartview side as it is another company. I just can see the netscreen log. But unfortunately, i can't see any log in the netscreen. In addition, i also set the service the "ANY" but...
  58. netscreen support checkpoint secureclient 4.1

    I have a user running secureclient 4.1 (very old version :{ ) through our netscreen 5.0.0 version. After i upgrade the netscreen to 5.3.0, the connection is failed.

    Do anyone has my similar...
  59. Replies
    2
    Views
    1,538

    Re: NGx R61 tcp timeouts

    How about the nokia box has any timeout setting? Go to the service -> advanced. there is a timeout value.
  60. Replies
    3
    Views
    1,785

    Re: R60 TO R62 migration. (Nokia).

    For the checkpoint config, you can use upgrade_export/import to do so.

    But for nokia config, i think you need to config it manually.
  61. Replies
    0
    Views
    1,103

    Fail to get from connections table

    Hi all,

    I am using Nokia IPSO 4.1 build033 and R61 HFA2 hotfix in HA.

    I got below message in my $FWDIR/log/aftpd.elg

    fw_track_conn: fail to get from connections table

    Do you know the...
  62. Replies
    0
    Views
    1,302

    Fail to get from connections table

    Hi all,

    I am using Nokia IPSO 4.1 build033 and R61 HFA2 hotfix in HA.

    I got below message in my $FWDIR/log/aftpd.elg

    fw_track_conn: fail to get from connections table

    Do you know the...
  63. Replies
    3
    Views
    2,985

    Re: Transparent Bridge Mode

    I have used R55 in nokia IP300 in transparent mode with VRRP. I don't think there is any problem in the R55.
  64. Replies
    7
    Views
    2,535

    Re: IP 390, IPSO 4.2 Build029 keeps rebooting

    Are you running VRRP cluster? Any logging found in the messages?

    There is a fix of IPSO 4.2 Build038. There is a fix on machine reboot in VRRP.
  65. Replies
    3
    Views
    2,051

    Re: Smartview Monitor

    Read it
    http://www.cpug.org/forums/smartview-monitor-smartview-status/847-smartview-monitor-license.html
  66. Replies
    3
    Views
    2,051

    Re: Smartview Monitor

    Go to 'View' -> check whether you have check "Hide Tree"
  67. Replies
    6
    Views
    1,933

    Re: VRRP requirement

    I will use upgrade my IP380 to IPSO4.1 same as the IP390. Of course using the same number of interfaces. Any concern?

    Thanks a lot.
  68. Replies
    2
    Views
    2,508

    Check Physical RAM on nokia IPSO 3.8.1

    How can i check the physical memory in command mode? I can do it in voyager but i wants to know in command mode. Thanks.
  69. Replies
    6
    Views
    1,933

    VRRP requirement

    I've nokia IP380 and 390. If i want to form a VRRP cluster with same IPSO, can it form a cluster even i use different hardware box?? I will install R61.
  70. Replies
    1
    Views
    1,364

    check smartdefense mode

    I am using R61 which has a smartdefense central configuration option to activate/deactivate or monitor on the smartdefense. I want to know how can I check my current smartdefense status? is it...
  71. Replies
    0
    Views
    1,317

    Meaning of Account Option

    I read the checkpoint manual for the "account" option in smartview Tracker. It's the meaning "Account, required for including byte information in the record you save."

    what does this mean? I am...
  72. Replies
    16
    Views
    4,513

    Re: NOKIA VRRP- SYNC Cable Failure

    Setting both priority to same is to avoid the recovered primary node to take back the control in case of failover.
  73. Replies
    16
    Views
    4,513

    Re: NOKIA VRRP- SYNC Cable Failure

    How about the priority are same on both node?
  74. Replies
    8
    Views
    14,575

    Re: TCP packet out of state

    Deselect the flag "Drop out of state TCP packet" which can prevent the problem happen. It use for "Drop TCP packets which are not consistent with the current state of the TCP connection."
  75. Replies
    16
    Views
    4,513

    Re: NOKIA VRRP- SYNC Cable Failure

    If it is, both nodes will announce themselves as active and the other as failed. It will cause network connection problems.
  76. Replies
    3
    Views
    2,127

    Re: Cannot connect to smartcenter ngx

    If it's a newly installed firewall, you have to unload the local policy first. Then, you can access by the GUI. And you define the firewall object with a any-any-accept rule on it. Try to install the...
  77. Replies
    8
    Views
    2,000

    Re: need help with upgrade

    i guess you are installing standalone.

    After you install the R61, import the tgz file by "upgrade_import". Remember your firewall login account to login. After login, edit the firewall object...
  78. Replies
    2
    Views
    1,609

    Re: Upgrading to NGX R60 on IPSO 3.9

    Did you read the /opt/CPInstLog/wrapper_R60.elg? What it said about?
  79. Replies
    8
    Views
    2,000

    Re: need help with upgrade

    This is a tgz file which you can use unzip to decompress it. Then you will find the upgrade_export file.
  80. Replies
    4
    Views
    1,651

    Re: Installing NGX on IP350 from scratch

    What checkpoint version are you trying? The delivered software in the nokia box is already quite the latest. And also, the smartcenter is also in the box. If it is trial, you can unpack the software and...
  81. Re: Anyone knows where to download R60 upgrade_export???

    Try this link http://www.checkpoint.com/downloads/quicklinks/utilities/ngx/utilities.html
  82. Replies
    1
    Views
    1,672

    Re: Antispoof Rules on VRRP Cluster.

    Just define antispoofing on the external interface and internal interface but allow internal networks.
  83. Replies
    6
    Views
    4,122

    Re: Primary and Secondary show as active.

    Did you try to reset the SIC?
  84. Replies
    6
    Views
    1,567

    Re: Gateway swap

    I am thinking you may using NAT in your DMZ. How about from your internal to DMZ? Can it accessible? Make sure you have checked the NAT properties option.

    Moreover, for simply troubleshooting, i...
  85. Re: plse help on troubleshooting VRRP cluster failover

    As inetd advise, you must config topology cluster in the object. Try to automatic collect, if it can't. Define the each interface on the hosts table. And also, sync state must declare. Otherwise, it...
  86. Re: Upgrade license - Firewall-1 4.1 for NGX 62

    Can you access user center license page? If you can, you can edit your license to R62. If not, you better ask your support to generate a new license to you.
  87. Re: What is the difference between static arp and proxy arp?

    Clear! Thx for your information.
  88. Re: What is the difference between static arp and proxy arp?

    Thanks for your information. But it only describe the proxy arp feature on automatic and manual NAT. I want to know the meaning of static arp and proxy arp on nokia box. Thank you.
  89. Replies
    3
    Views
    2,739

    Re: Nokia VRRP- Urgent

    Any logging captured? Also, can the interface communicate with each other? Please provide more detail information.
  90. What is the difference between static arp and proxy arp?

    I know proxy arp will response the arp request from interface. But how about static arp? What is the difference?

    My concern is if i want to do manual NAT, use static arp or proxy arp?
  91. Replies
    1
    Views
    4,143

    Re: Nokia System Administration Guide

    i am also if someone got the study material.
  92. Replies
    5
    Views
    2,964

    Re: FTP using Voyager

    If you want to ftp from client to nokia box, make sure you allow ftp access under the security and access.

    If you want to ftp from voyager to server, click system configuration -> packages ->...
  93. Replies
    8
    Views
    3,793

    Re: I've passed exam

    I think the answer is A. If it's NGX environment, u have to reset the SIC in the management and also the gateway.
  94. Replies
    0
    Views
    1,634

    Interface limitation

    I want to know any limitation on the interface? As i read my interface statistics from the voyager, it grows up very fast. Is there any limitation on the value?
  95. Replies
    1
    Views
    1,847

    Secondary management license

    If i install a license on secondary management server, the license IP should assign on the primary management (central licensing) or the secondary management server itself?

    I am using R61.
  96. Replies
    4
    Views
    1,920

    Re: export from 4.1 to R61

    4.1 can't directly upgrade to R61.

    You must consider upgrade 4.1 into NG first then upgrade to R61.

    Also, for your situation. I recommend you build the management on a new server. It's because...
  97. Re: installing management server & enforcement module

    i guess you are installing distributed environment. Create the firewall gateway object on the management, SIC. Then create a rule and install policy on it.
  98. Replies
    1
    Views
    2,555

    Re: Firewall R61 drop packet over MTU 1500

    Problem solved. I can read the smartdefense and found the IP fragment is prohibited.
  99. Replies
    1
    Views
    2,555

    Firewall R61 drop packet over MTU 1500

    I am using R61 and found that all fragments are drop when over MTU 1500. Does anyone know how to solve it?

    My client side can't reduce the size lower than 1500.
  100. Replies
    3
    Views
    2,688

    Re: HA with Nokia IP380 & IP 390

    If budget is allowable, use both IP390 is preferred. IP380 is out of date soon.

    VRRP is a good HA solution that i have used previously. Also, please note the IPSO image must same.
Results 1 to 100 of 178