CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.

Type: Posts; User: dbrown3611

  1. Re: Threat Prevention is Not Block DNS Reputation Traffic Which High Severity

    It appears you have "DNS Trap" enabled. Typically this is desirable; your requirements may dictate otherwise.

    With DNS Trap active a detect is expected for the DNS server traffic. When the client...
  2. Re: fwm export - File size limit exceeded (5 replies, 1,576 views)

    Well, "other duties as assigned" prevented my testing yesterday. I did so today and have encouraging results. Thank you for the great insights Zimmie.

    I now have an Excel error stating not...
  3. Re: fwm export - File size limit exceeded (5 replies, 1,576 views)

    Thank you very much!

    I was using CP_R77_CLI_ReferenceGuide for command structure; they do not note the -z or -s switches, so this is nice to know. I will be trying your string shortly and reporting...
  4. fwm export - File size limit exceeded (5 replies, 1,576 views)

    SM225 running R77.30

    Our logs rollover at midnight every day. Typical log file contains 6-7 million records and a size of approx 1.3 GB. Having a need to export multiple days of logs into a .csv...
  5. Re: CPDBL - CP Dynamic block lists (24 replies, 4,685 views)

    Thank you for quick response.
  6. Re: CPDBL - CP Dynamic block lists (24 replies, 4,685 views)

    Clarification regarding usage on R77.30:
    - https://cpdbl.net/ shows recommended usages, some are incoming, some are outgoing.
    - readme.txt states blocking is only performed inbound.

    Can the...
  7. Re: SANS ISC/DShield Block List Not Updating, Check Point Seems To Have Trouble Resol

    That is attractive and thank you for pointing it out. We may well take that path if Outgoing traffic were also to be inspected (hopefully it is still on the roadmap).
  8. SANS ISC/DShield Block List Not Updating, Check Point Seems To Have Trouble Resolving

    R77.30 in impacted environment, SMS Smart-1 225 and 5800 HA Clusters.

    On April 5 SANS moved to a new TLS certificate and removed support for TLS 1.0, since that time the DShield block list has...
  9. Re: Can I get URL wise report from Smart Reporter?

    Correct, this is from SmartReporter.

    https://www.cpug.org/forums/attachment.php?attachmentid=1390&stc=1
  10. Re: Can I get URL wise report from Smart Reporter?

    R77.30 in my environment.

    In Definitions, Standard, Predefined, go to Content Inspection and User Activity. Under the Filter tab check Product, then select Specific Match Values for Check Point...
  11. Re: SAM rule expiration sorting (6 replies, 3,078 views)

    Used with good results in our environment (R77.30). As with the post by Zimmie, our heaviest usage is the integration with SmartEvent.
  12. Re: Need info on Inspection points -- iIoO (2 replies, 417 views)

    A couple of Check Point documents that may be useful:

    - What is FW Monitor: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk30583
    - R77...
  13. Re: Check Point Gaia OS Privilege Escalation (9 replies, 2,011 views)

    Thank you for posting that information.
  14. Re: Non HTTP Traffic over HTTP port: Invalid character

    Thank you for the response.

    - Packet captures have been taken; invalid characters have not been identified. It would seem this is the key to a solution.
    - We have ASCII Only Request enabled,...
  15. Non HTTP Traffic over HTTP port: Invalid character

    - Smart-1 225 SMS
    - Two 5800 Active/Standby clusters
    - All running R77.30 Build 092 with Jumbo HFA 286

    In early August we enabled IPS protection for Non HTTP Traffic over HTTP port, immediately...
  16. Vendor Used By Check Point For A/V Engine and Definitions

    With recent news stating the US Government is headed towards banning Kaspersky products, I am seeking clarification on the A/V used within Check Point products. Specifically within R77 and R80...
  17. Re: VA Reports Over 250 Java Vulnerabilities On Check Point Appliances

    I received a timely answer from Check Point 3rd-tier support late yesterday afternoon:
    "I have consulted with escalations on this matter and we don't appear to have any documentation stating it but...
  18. Re: strange behavior - can't ping gateway when clustered

    Do the other sites NAT your outgoing traffic behind the cluster VIP?

    In your gateway object, under ClusterXL and VRRP, do the other sites have "Use Virtual MAC" enabled?
  19. VA Reports Over 250 Java Vulnerabilities On Check Point Appliances

    SMS Smart-1 25 running Gaia R77.30
    12200 HA Cluster running Gaia R77.10
    No third-party software installed.
    Gateway enabled blades: FW, VPN, IPS, Anti-Bot, Anti-Virus, Monitoring, ClusterXL
    SMS...
  20. Re: CPUSE Update, 1130 to 1283, Resulted In HotFix Status Inaccuracies

    So Check Point would not allow our support partner to piggy-back my problem on SR 1-9374382131. A new SR was opened on June 8 for my issue, there were several requests for info but no resolution.
    ...
  21. Re: Check Point firewall flow (8 replies, 4,187 views)

    SK116255 is very nice, thank you for pointing it out.

    To take a trip down memory lane, FW Monitor documentation was also informative in detailing flows. Pages 14 and 19 from here were useful for...
  22. Re: CPUSE Update, 1130 to 1283, Resulted In HotFix Status Inaccuracies

    Thank you Boaz.

    I will submit the HKLM_registry.data info to my support vendor and have them reference SR 1-9374382131 for follow up with Check Point.
  23. Re: CPUSE Update, 1130 to 1283, Resulted In HotFix Status Inaccuracies

    Correct, on the left is inaccurate information. For comparison, in this same environment I have an IP-567 running the same CP code (upgraded from IPSO 6.2 a couple of years ago, which is a story unto...
  24. CPUSE Update, 1130 to 1283, Resulted In HotFix Status Inaccuracies

    12200 Active/Standby Cluster, R77.10 Gaia Take 151

    About 3 weeks back, using the WebGUI Status and Actions section, I updated this cluster from CPUSE version 1130 to 1283. Installed HotFixes are...
  25. Re: Check Point Recommends Reboots Every 90 Days?

    These are IP-560's, we have 7 active VRID's on them, couple years ago we had 15. These boxes will be replaced with 12200's later this year. The last of my devices running IPSO and I will miss that...
  26. Re: Check Point Recommends Reboots Every 90 Days?

    laf_c,

    Thank you for the feedback. I rebooted my standby member, then disconnected a cable from the primary member, failover occurred. I then rebooted the primary cluster member, re-connected...
  27. Check Point Recommends Reboots Every 90 Days?

    So last week I bragged on CPUG about a couple IPSO boxes running in my environment that have been up for well over a year. That bragging seems to have jinxed me, I now have an issue with VRRP and...
  28. Re: SmartLog indexing depth is limited to about 30 minutes

    Possibly the Index Size was inadvertently modified, see SK96546.
  29. Re: IPSO 6.2 MR6 now available in sk42645 (4 replies, 1,604 views)

    I still have a couple IP-560's in our ICS environment running IPSO 6.2. One has been up for 707 days, the other for 368 days.

    These are scheduled to be replaced this year, I will be sad to see...
  30. Re: IPS signatures - need to set ALL TOR to prevent!

    If you are licensed for "Application & URL Filtering" the Anonymizer category may be helpful for you. Tor is a defined application within that category.

    Kind regards,
    dbrown
  31. Re: help to understand fw monitor syntax. (12 replies, 4,356 views)

    Handy indeed, this will be very useful. Thank you.
  32. Re: Cooling a server closet (3 replies, 731 views)

    Many years back I was involved with a project similar to yours. We got by without any dedicated A/C units but, given your location YMMV with this approach.

    Keeping the generated heat isolated...
  33. Re: Secret of Stateful Inspection is out (1 reply, 969 views)

    Nice, very nice! :)
  34. Re: Show IPS Status From CLI (2 replies, 1,272 views)

    Thank you. Feeling a bit embarrassed that I did not try in Expert; I was just searching in clish mode. Thanks again.
  35. Show IPS Status From CLI (2 replies, 1,272 views)

    IP-567 Appliance, IPSO 6.2-GA083a02, R75.47

    I have a requirement to report/monitor the status of IPS on IPSO box listed above. I am not finding a way to get this from the CLI. On my Gaia boxes,...
  36. Re: Urgent please guys: Failed to read database files

    cciesec2006 is not a troll. His contributions to this site have been of enormous help to me over the years.

    Kind regards,
    dbrown
  37. Re: Show Appliance Listening Ports (7 replies, 1,764 views)

    Thank you ShadowPeak and jflemingeds, good info for me to proceed with.

    BTW, I checked and lsof is not in IPSO.
  38. Re: Show Appliance Listening Ports (7 replies, 1,764 views)

    Thank you jflemingeds, that is helpful. sockstat -4 is returning more than I wish, notably loopback at 127.0.0.1 and TCP high ports. Got rid of loopbacks with this, sockstat -4 | grep -v 127.0.0.1,...
  39. Re: Show Appliance Listening Ports (7 replies, 1,764 views)

    That SK lists the ports that "could" be used by Check Point. My requirement is to report on and monitor the ports that "are" in use, generating an alert when a deviation occurs from my established...
  40. Show Appliance Listening Ports (7 replies, 1,764 views)

    IP-567 Appliance, IPSO 6.2-GA083a02, R75.47
    12200 Appliance, Gaia R77.10

    For NERC-CIP regulatory reasons I need to document and monitor open ports on devices in my environment. Streaming Unix...
  41. SmartEvent DNS Query Throttling (2 replies, 1,659 views)

    Smart-1 225 Appliance, dedicated for SmartEvent/SmartReporter, R77.20

    In some infrequent situations the SmartEvent device will cause a DoS in our environment. I have Network Quota enabled on our...
  42. Re: Connection Failed: The user is not defined properly. and SK95973

    Update:
    I changed my Phase 2 setting from AES-256 to 3DES, now working fine.

    vonunov:
    Thank you. I am curious as to why AES fails to work, but 3DES is acceptable.
  43. Re: Connection Failed: The user is not defined properly. and SK95973

    These are my P1 and P2 encryption settings, no single DES, would you advise any changes?
  44. Connection Failed: The user is not defined properly. and SK95973

    Smart-1 25 Mgmt Server, R77.2, Gaia
    IP-560 Active/Standby Cluster, R75.47, IPSO 6.2
    Endpoint Security VPN Client, R80.41
    Office Mode using static IP assignments.
    This VPN solution is internal...
  45. Re: OPSEC LEA forwarding to Log Rhythm (5 replies, 5,290 views)

    It has been several years since I performed this task, but I recall it as being straightforward and painless. Basically I just followed the paint-by-number steps in the LogRhythm Help PDF file. Grab...
  46. Re: Queries regarding SIC (5 replies, 1,673 views)

    Security Management Server admin guides will give you a good overview of SIC. R75.4 is here:...
  47. Re: Bash Vulnerability (19 replies, 7,485 views)

    I have 2 independent SMS's, along with 10 gateways licensed for IPS. After sk102673 was updated on Thursday stating an IPS signature had been released...
  48. Re: Bash Vulnerability (19 replies, 7,485 views)

    SK102673 lists Gaia and SecurePlatform OS. My testing shows IPSO 6.2-GA083a02 also vulnerable.
  49. Re: Listing Of IPS Protections Not Being Updated On CP Website?

    Indeed, cut/paste error from me. The URLs in question were:
    http://www.checkpoint.com/defense/advisories/public/updates/r634/update_info.html
    and...
  50. Listing Of IPS Protections Not Being Updated On CP Website?

    Cross-posted over on CPShared forum, just became aware this site is back, so asking here too.

    This page seems to not be updated with new IPS protections:...
  51. Re: Verify Speed/Duplex @ CLI level (3 replies, 1,754 views)

    On my IPSO 6.2 boxes this command in the IPSO shell will show speed/duplex: 'ifconfig -a'

    My IPSO 6.2 CLI reference guide states these commands in the CLI shell should show speed/duplex info...
  52. Re: Problem with internet radio (3 replies, 1,389 views)

    If you are licensed for it, the URL Filtering blade could be of some use here, but you'll still have a few headaches. There are likely some number of sites in the "streaming media" category you want...
  53. Re: Antivirus Engine/Definitions Vendor, UTM Appliances

    I received verification from my VAR that Kaspersky is the provider of the A/V definitions.
  54. Antivirus Engine/Definitions Vendor, UTM Appliances

    UTM-2076's and UTM-3078's, R71.3, a/v inspections of HTTP traffic enabled.

    I seem to recall that the a/v in R65 was provided by Kaspersky. Is this still true for R71.x and R75.x releases?

    My...
  55. Tracker: Modifying Field Lengths (0 replies, 917 views)

    UTM-2070 and UTM-3070's
    R71.3
    URL Filtering Enabled

    In the URL column in Tracker, the default field length appears to be 50. Anything beyond that is truncated with ...

    Why was 50 chosen as...
  56. Re: Who is running firewalls inside networks they manage?

    I would maintain that segregation via VLANs does not offer much in the way of security on its own. Other than as has been previously noted, you have the ability to isolate segments should an...
  57. Re: Firewalls answering for unused IP addresses

    To add to the suggestion from alienbaby, this document will hopefully provide useful information on altering where in the chain monitoring takes place; have a look at page 19..... ...
  58. Re: A Major Upgrade Today (17 replies, 4,614 views)

    After some initial adjustment to the new look I am liking it. A bigger font would be nice.

    Kind regards,
    dbrown
  59. Re: What is the max IPSO version for IP530? (5 replies, 1,510 views)

    At the time we retired our IP530's they were running IPSO 4.2 and R62. These versions were supported by Check Point on that platform. R65 will probably run on a 530, but it was never officially...
  60. Re: IPSO VRRP - Do Not Cascade Switches (6 replies, 1,936 views)

    I am speculating here, could it be possible CP is cautioning against using two switches simply interconnected by a port to port connection? That is the only sense I can make of the documentation.
    ...
  61. Re: R75 as usual NICs speed and duplex do not like WebUI and/or eth_set command

    Due to a support arrangement with a very capable VAR I never have to interact directly with CP TAC. But I am somewhat curious/confused by the above statements. Is this interpretation correct:

    -...
  62. Re: Please stay away from Power-1 Appliance 11065

    cciesec2006:

    Is there some compelling reason that you must buy support direct from CP? It sure appears they are not meeting your needs.

    My support is from a VAR (headquartered in Kansas City)...
  63. Re: Antivirus with Edge and Smartcenter (5 replies, 1,964 views)

    Both of you forgot to include fluency in TCP/IP. :)

    Kind regards,
    dbrown
  64. Re: How to manually delete previous image and snapshot files

    Some time back I hunted for these files on my UTM-2076's running on R65. In my case the backup files were in path /var/log/CPbackup/backups/NGX_R65_/xyz.tgz

    I had assistance from very capable...
  65. Re: OpenSource VPN Client for Windows 7 x64? (25 replies, 9,795 views)

    If you need to use Office Mode for your users, the upcoming SR/SC release may not return you to normal.

    Back in August I was on the same path as you, an immediate need for a 64 bit VPN client. I...
  66. Re: Serial Connection Banner Message (5 replies, 1,943 views)

    Thank you.
  67. Serial Connection Banner Message (5 replies, 1,943 views)

    I may have a regulatory requirement coming up that will require an "acceptable usage" message be displayed when connecting to devices via the serial port. NERC CIP regs for those interested.

    This...
  68. Re: Needed help with this topology (12 replies, 5,326 views)

    Analog Visio, used heavily back in the overhead projector days if memory serves correctly.
  69. Re: Some help with a website not loading (2 replies, 1,406 views)

    This thread might be helpful to you. I had a similar issue with certain web sites not loading, increasing the http_buffer_size took care of the problem.
    ...
  70. Re: IP Logging In /var/log/messages (5 replies, 2,149 views)

    Thanks apachepro, that is good info.

    Thanks belvdr, that UNIX guide is a nice reference.
  71. Re: IP Logging In /var/log/messages (5 replies, 2,149 views)

    Did you test that before posting, or use it successfully in the past? It did not work for me.

    One of our Linux guys wandered by, so I grabbed him. He had me look in /etc/syslog.conf for...
  72. IP Logging In /var/log/messages (5 replies, 2,149 views)

    UTM-2076's HA, Open Server SMS
    All on R65 HFA40
    IP560's HA and IP350 on R65 HFA01

    When I SSH or HTTPS to my IPSO boxes there are log entries in /var/log/messages for the username and the...
  73. Re: Looking for UTM-1 & Power-1 CPU (cores, speed) information

    Quote (originally posted by plamy): Bozo filter added.

    My opinion, the comments from both of you are shameful.
  74. Check Point kills scareware-style pop-up campaign

    Interesting to me that Check Point is capable of 180° turns. First removing the waiting period between CCSA and CCSE exams, now this:

    Check Point kills scareware-style pop-up campaign - The...
  75. Re: UTM-2076, MD5 Mismatch Of Backup (1 reply, 1,441 views)

    Ignore previous post, there is not a mismatch of the MD5 checksum. Confusion came about due to my lack of understanding of the GUI operation. Save to desktop and save to appliance are two different...
  76. UTM-2076, MD5 Mismatch Of Backup (1 reply, 1,441 views)

    UTM-2076's Active/Standby
    NGX R65 HFA40

    Using the GUI to perform a backup to desktop. When I compare the MD5 of the file on my desktop to the file located here there is a mismatch: [UTM-2]# pwd...
  77. Re: I've waited long enough (21 replies, 7,229 views)

    Congratulations to you! Nice way to start off the holiday weekend.

    Kind regards,
    dbrown
  78. Re: Endpoint Connection installation question (7 replies, 2,708 views)

    Thanks lammbo, that is good info.

    All I need is Win7 64-bit support, IPsec and OM, none of that other crap for me either. :)

    I'll get on with my testing....

    Regards,
    dbrown
  79. Re: Endpoint Connection installation question (7 replies, 2,708 views)

    Page 25 of this document is what led me on the path of needing the plug-in:

    Check Point Software Technologies: Download Center

    If you choose to install HFA40 on the VPN-1 gateway without...
  80. Re: Endpoint Connection installation question (7 replies, 2,708 views)

    I need to support remote users that have Win7 as their OS, 32 and 64 bit. R73 Endpoint Connect Discovery product was recommended to me by the regional Check Point sales rep. I have the client .msi...
  81. Re: Dshield.org Name change (5 replies, 1,455 views)

    SANS diary entry announcing the change, and further details, can be found here:

    Changes to Internet Storm Center Host Name

    Kind regards,
    dbrown
  82. Re: Bug in NGx R71 (30 replies, 7,081 views)

    For myself, it usually means my glass is twice as large as it needs to be.

    Kind regards,
    dbrown
  83. Re: StormAgentMsg: Failed to access URL (17 replies, 4,967 views)

    I am also seeing this on my UTM-2076's, running R65 HFA40.
  84. Re: Memory for an IP350 (2 replies, 1,238 views)

    Have a look at this thread:
    http://www.cpug.org/forums/check-point-ip-appliances-ipso-formerly-nokia/11572-what-kind-ram-do-old-ip260-ip350-take.html

    Regards,
    dbrown
  85. Re: I've waited long enough (21 replies, 7,229 views)

    I received an email from SANS today regarding CISSP online instruction. It may be of interest if you have the funds available. See here for the details: SANS vLive! - MGT414 - Eric Conrad

    They...
  86. Re: Split-Tunneling: Pros/Cons of Disabling (6 replies, 3,243 views)

    So, New Zealand is truly Nirvana! :)

    Thanks to all for the comments, much appreciated.

    Regards,
    dbrown
  87. Split-Tunneling: Pros/Cons of Disabling (6 replies, 3,243 views)

    UTM-2076 HA, NGX R65 HFA40
    IPsec users running SecureRemote (not SecureClient)

    I have been requested to disable split-tunneling for my SR users. Request is based upon an article recently read by...
  88. Re: Nokia IPSO Command Line (33 replies, 100,861 views)

    On my IPSO 4.2 boxes I use CLISH, then enter "show route" at the prompt.
  89. Re: DNSSEC issues on May 5th? (18 replies, 4,077 views)

    Fully agree with the above, sage advice.

    SANS has some comment today about DNSSEC going live... DNSSEC...not a bang but a whimper?

    They also provide a link to a good article written by the ISC...
  90. Re: anyone on R65 HFA70? (16 replies, 2,856 views)

    My opinions:
    - From an admin side, CP is less complex than Cisco; is that not a CP marketing point? The underlying CP code is perhaps more complex to get this ease of administration, I would...
  91. Re: Fw Monitor- Mask Interpretation (14 replies, 4,838 views)

    manuadoor:

    If you have not read it already, another reference that may be of interest to you is the NGX Advanced Technical Reference Guide, located here:...
  92. Re: Fw Monitor- Mask Interpretation (14 replies, 4,838 views)

    This is correct, NAT occurs after outbound inspection (o), not between (I) and (o). IP routing occurs after NAT operations. If after NAT operations your packet has no defined path in your routing...
  93. Re: Secure Wireless (2 replies, 1,178 views)

    In my environment we provide wireless access to two distinct groups of users, internal and guests. Guests having internet access only, no permissions to access any internal resources.

    The AAA is...
  94. Re: Fw Monitor- Mask Interpretation (14 replies, 4,838 views)

    Some of your conclusions may be in error. I added some comments to your statements.

    See this Nokia white paper for a good read on FW Monitor:...
  95. Re: Is this normal? (9 replies, 2,115 views)

    I have different hardware and enabled features:
    UTM-2076's HA, NGX R65 HFA_40, A/V enabled, URL content filtering enabled, "lots" of SmartDefense protections.

    Like you, I experience problems...
  96. Re: AES vs 3DES performance and throughput (25 replies, 51,945 views)

    I apologize for being off-topic, but lammbo started it. :)

    It is worth noting that while Cisco sells hardware, they are a software company. Fact is, nearly all of their manufacturing is...
  97. Re: High CPU (9 replies, 2,937 views)

    I don't believe "top" will work for you on IPSO, good for SPLAT machines though. It does not work on my IPSO 4.2 boxes.

    ps -auxww should give the output you're looking for.

    Regards,
    dbrown
  98. Re: HTTP Header Length (12 replies, 6,107 views)

    UTM-2070 HA Cluster, NGX R65 HFA40

    For several months I've had a nagging issue of a couple web sites not loading for some people. Notably cisco.com IOS download page and dell.premier.com. No...
  99. Re: How to determine which hotfix were included in HFAs?

    Agree fully with the above. This would save valuable time when upgrading, and it appears it would require little effort from CP.

    @Phoneboy: Is this something you could inquire about?

    Kind regards,...
  100. Re: NAT Rule 0 from External vs. Internal (4 replies, 2,473 views)

    Is any other traffic to/from the client 172.27.18.x network flowing correctly? I'm asking to verify you have the routing in place for return traffic.

    If your firewall knows the next hop for...
Results 1 to 100 of 160