CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.



Type: Posts; User: Irek_Romaniuk

  1. Re: Split Tunneling based on Application Control?

    I've just tried it on Ubuntu 16.4, see below:


    docker@ubuntu-DC1:~/ochepist$ ls -l ochepist.tar.gz
    -rw-rw-r-- 1 docker docker 4760557 Aug 14 12:42 ochepist.tar.gz
    docker@ubuntu-DC1:~/ochepist$...
  2. Re: Netflow Replicator (Replies: 6, Views: 1,857)

    Why not logstash as flow collector ? Read here
  3. Re: Problem with Endpoint Security VPN and clustered 1470 appliance

    I had issues described in sk78180 Disabling MEP for Endpoint VPN Client
  4. Re: How to handle Office365 IP addresses (Replies: 28, Views: 19,222)

    I developed program 'ochepist' for R77.30 which pulls Office 365 addresses from web page and exports in dbedit format. It is described here, link to repo included. I will upload binaries on...
  5. Re: Smartprovisioning being used for large rollouts ?

    Yeah I think smartpro is better to manage large number of gateways (never used it with regular gaia). But it doesn't make provisioning any easier. Zero touch provisioning (Zero touch portal) is...
  6. Re: automated FW push scripts (Replies: 1, Views: 1,088)

    you have API avail in R80.10 , see https://sc1.checkpoint.com/documents/R80/APIs/#gui-cli/install-policy
  7. Re: r80.10 api generic_err_invalid_syntax (Replies: 3, Views: 1,304)

    exactly but without colons;) Thnx !


    $ curl --insecure -XPOST "https://10.254.253.110/web_api/login" --data-binary "{\"user\": \"admin\", \"password\": \"password\"}" -H "Content-Type:...
  8. r80.10 api generic_err_invalid_syntax (Replies: 3, Views: 1,304)

    I am trying basic API on my R80.10 with curl below, but getting error


    $ curl --insecure -XPOST "https://10.254.253.110/web_api/login" --data-binary "{"user":"admin", "password":"secret"}" -H...
  9. Re: GUI port ? (Replies: 5, Views: 1,587)

    I found it with:



    > show web ssl-port
    web-ssl-port 4434
  10. Re: GUI port ? (Replies: 5, Views: 1,587)

    Got Error: Access denied. The destination of your request has not been configured, or you do not have authorization to access it. (403)... strange, was not prompted for credentials
  11. GUI port ? (Replies: 5, Views: 1,587)

    What is the GUI port I can access mobile blade ? it's not 443 because it is taken by portal
  12. Re: Webui not working (Replies: 22, Views: 9,308)

    Finally I managed to upgrade, but had to follow sk116056 'Duplicate objects, IPS profiles, policies are displayed in R80 / R80.10 SmartConsole'. Now I am on R80.10 and webui is available
  13. Re: Firewall Policy Architecture and Best Practices

    Of course the module creating a rule based on the source/destination and port has to be vendor API specific. Looking at Checkpoint management API Reference v1.0 I can see 'add access-rule' with...
  14. Re: Webui not working (Replies: 22, Views: 9,308)

    Thanks again, regarding using CLI to upgrade, which command do you run after untaring Check_Point_R80.10_T421_Upgrade_from_R80_FULL.tgz . I don't see typical UnixInstallScript...


    Btw, see below...
  15. Re: Webui not working (Replies: 22, Views: 9,308)

    Appreciate Yonatan, CP asked me to collect evidence , follow sk84561. In the process of collecting evidence my connection to portal was magically restored, probably as a result of restarting httpd2...
  16. Re: Webui not working (Replies: 22, Views: 9,308)

    I have the same problem, can't reach R80 with mgmt gui , and I want to upgrade it to R80.10. Restart doesn't help
  17. Re: Firewall Policy Architecture and Best Practices

    I believe that policy creation should be vendor agnostic , even at the cost of having 10k rules...put some of my thoughts together here .
  18. Re: Firewall Policy Architecture and Best Practices

    These best practices address only initial, manually created part of the policy. In my opinion after this is done, the rest of rules should be created automatically thru API, based on approved...
  19. Re: Changing DNS settings on 1100 is disabling wireless ???

    Here is the ticket number 1-9572412401, thnx
  20. Re: Changing DNS settings on 1100 is disabling wireless ???

    Yeah, ticket opened. I disabled wireless trying to change DNS settings on too many appliances this week ;( To make things even worse I couldn't re-enable it with CLI (was getting 'unknown error') so...
  21. Changing DNS settings on 1100 is disabling wireless ???

    Changing DNS settings on 1100 is causing wireless to be disabled, anyone seen this behavior ? This happens across all versions, including 77.20 below



    Irek-11> show wlan vap CPHome
    …...
  22. Re: Security policy rule order ? (Replies: 12, Views: 2,321)

    Thnx, added to the calendar. Btw , what's the max number of rules (and/or subrules?) in CP ?
  23. Re: Security policy rule order ? (Replies: 12, Views: 2,321)

    But it would require some extra program logic to find out where to put the rule instead of straightforward 'next to the bottom'
  24. Re: Security policy rule order ? (Replies: 12, Views: 2,321)

    So far my rule base is close to 100 per firewall;) But this is because requests are manually implemented and optimized in GUI (i.e. integrated into existing ones by adding a port or address, here...
  25. Re: Security policy rule order ? (Replies: 12, Views: 2,321)

    So does the number of rules matter, is there a difference in packet delay (processing) between rule set with 100 and 10k rules ?
  26. Security policy rule order ? (Replies: 12, Views: 2,321)

    Is Checkpoint policy first-match or is rather TRIE-based, where rules are converted to 'n-ary tries' (graphs) ? I think Paloalto is using Trie-Based Policy
  27. Re: Split Tunneling based on Application Control?

    Split tunneling is based on vpn encryption domain which from what I know can only be a group of address objects. Updating group of address objects through dbedit automation scripts is supported by...
  28. Re: centrally managed 1100 with R75 from mgmt server with R80 ?

    Were you able to upgrade R75 1100 to R77.20 (remotely)? We have firmware upgrade issues
  29. centrally managed 1100 with R75 from mgmt server with R80 ?

    I was told that all 1100 appliances can be centrally managed, whether management server runs R77.30, R80 or R80.10. Do you know if it includes 1100 with R75 ?
  30. Re: Split Tunneling based on Application Control?

    Program can be run outside of mgmt server, only to generate dbedit files ;)
  31. Re: Split Tunneling based on Application Control?

    I developed program in Go called 'ochepist' which I use to pull list of i.e. Office 365 IP addresses from provided url and write them to the file in CP dbedit format creating group object (see g-o365...
  32. Re: CPDBL - CP Dynamic block lists for R80.10

    Sounds great. Unfortunately I have 77.30. So how do I setup CPDBL on 77.30 to whitelist Office 365 address ranges (I have https feed with ranges) ?
  33. Re: CPDBL - CP Dynamic block lists for R80.10

    Is it possible to use CPDBL to whitelist custom list of addresses i.e. Office 365 below (served from https) ?


    104.210.43.160-104.210.43.160
    104.41.155.129-104.41.155.129...
  34. weak ssh algorithm vulnerability ? (Replies: 1, Views: 824)

    Do you know how to disable RC4 cipher on CP firewall ?
  35. Re: SmartView Monitor Incorrect Average CPU

    I'm not believing what Smartview is showing for CPU, I rely on top because I can look at processes I want to, like 'fw_worker'. On each gateway I have simple bash script running every 10sec which...
  36. keeping CRL IP after changing IP address of CMA

    I am changing IP address of multi domain management server (P1 - MDS with couple of CMAs, 77.30) but I would rather avoid resetting internal CA (fwm sic_reset on CMA). It will leave old CMA IP inside...
  37. Re: CPSB-SSLVPN-500 and CPSB-SSLVPN-U (Replies: 2, Views: 2,088)

    It's definitely unlimited, number exceeded 500 ... I haven't found correct syntax for that command yet Thnx again
  38. CPSB-SSLVPN-500 and CPSB-SSLVPN-U (Replies: 2, Views: 2,088)

    I have two license for sslvpn applied, CPSB-SSLVPN-500 and CPSB-SSLVPN-U. Last one is eval, but active. So what is my current limit of SSLVPN connections, 500 or unlimited ?
  39. Re: Cross compiling Go for Checkpoint 1100 (Replies: 7, Views: 2,302)

    CP support ? ;)
  40. Re: Cross compiling Go for Checkpoint 1100 (Replies: 7, Views: 2,302)

    Maybe I can get myself ftp client which will be able to transfer files thru tunnel (pick src interface other than public;), or quickly install any of missing tools like i.e. curl.
  41. Cross compiling Go for Checkpoint 1100 (Replies: 7, Views: 2,302)

    I quickly tested Go cross compilation of simple web server to Checkpoint 1100 appliance, see my blog post here. It's super easy and I do not need compiler on 1100
  42. Forwarding CheckPoint Logs to Syslog Server

    Looks cool http://qostechnology.in/blog/syslog-integration-with-checkpoint/
  43. Re: Log file generator? (Replies: 10, Views: 2,396)

    I haven't used c++ for looong time, instead of re-learning I started to use Go
  44. Re: Log file generator? (Replies: 10, Views: 2,396)

    Right, you are looking for log generator but for rule specific logs, not syslog , correct ? I wrote syslog generator for PAN , CP is more challenging because of encryption ;(
  45. Re: Log file generator? (Replies: 10, Views: 2,396)

    this one is good https://blog.rootshell.be/2014/08/28/check-point-firewall-logs-and-logstash-elk-integration/
  46. Re: CPDBL - CP Dynamic block lists (Replies: 24, Views: 5,458)

    Interesting, I can try on VSX
  47. Re: rule testing utility ? (Replies: 2, Views: 948)

    this is it , thnx !
  48. Re: exporting a selection of firewall logs to SIEM

    This is worth reading https://blog.rootshell.be/2014/08/28/check-point-firewall-logs-and-logstash-elk-integration/
  49. rule testing utility ? (Replies: 2, Views: 948)

    I've seen a post about rule testing utility some time ago . I just can't remember what name or sk number it is.
  50. Re: persistent storage on 1100 ? (Replies: 2, Views: 1,225)

    thnx
  51. persistent storage on 1100 ? (Replies: 2, Views: 1,225)

    I saved pcap in root directory of 1100 but it is gone after reboot. What directory would you recommend for tmp storage on 1100 ?
  52. Re: Tunnel_test fails for a DAIP gateway (Replies: 2, Views: 1,269)

    I have the same problem, haven't found a solution.
  53. Re: CONFIGURING POLICY BASED ROUTING ON CP1100

    Is it standalone or centrally managed 1100 ?
  54. Re: Disable firewall policy ? (Replies: 13, Views: 2,580)

    I was looking to use CP as VPN concentrator only in my current topology. Any-Any-Accept on CP still does inspect traffic
  55. Re: tnlmon_listener_list ? (Replies: 4, Views: 1,031)

    this is default number of tunnels to be monitored by SmartPro
  56. Re: tnlmon_listener_list ? (Replies: 4, Views: 1,031)

    Makes sense..now I remember that limit of 200 of vpn test;)
  57. tnlmon_listener_list ? (Replies: 4, Views: 1,031)

    I have table tnlmon_listener_list hitting the roof, but I don't know what tnlmon_listener_list is ?


    # fw tab -t tnlmon_listener_list -s
    HOST NAME ...
  58. Re: Disable firewall policy ? (Replies: 13, Views: 2,580)

    Right, response from CP was 'The firewall without a policy will act as a router. We have to push at least a policy that allows any to any and push the vpn configuration to the gateway. The firewall...
  59. Re: Disable firewall policy ? (Replies: 13, Views: 2,580)

    Thnx, looks like it is what I am looking for, not sure if VPN will still work. I can see 'ip_forward' is already 1 ?
    #cat /proc/sys/net/ipv4/ip_forward
    1
  60. Disable firewall policy ? (Replies: 13, Views: 2,580)

    I am using UTM-1 3070 as central VPN gateway (R77.30), don't really need security policy because this is behind main firewall. Is there a way to disable security policy without individually disabling...
  61. Re: Question about VPN domain (Replies: 2, Views: 1,151)

    It shouldn't be a problem. I'm just in process to create tunnel where I have all public IP addresses in VPN domain;)
  62. no option to add new interface in GUI (Replies: 3, Views: 1,915)

    I was using only one interface 'Internal' on my UTM-1 . Now I added External in clish, can see it from bash, ping from it etc. But in GUI I can't add External interface (Topology Section) , neither...
  63. Re: Login attempt for nonexistent user (Replies: 4, Views: 4,199)

    Yeah, looks like too many of these where clish doesn't create bash user are R77.20.00 - Build 289...I found 3 more. It doesn't happen on R75.x neither R77.20 except build 289 ;(
  64. Re: Login attempt for nonexistent user (Replies: 4, Views: 4,199)

    Correct, nothing in /etc/passwd. I was going to add user and make it using bash as default lol
  65. Login attempt for nonexistent user (Replies: 4, Views: 4,199)

    I have many cases where I can't login to existing account ('newadmin' below) on 1100 and at the same time /var/log/messages shows message 'authpriv.warn dropbear[640]: [SSH] Login attempt for...
  66. Re: CLI script for pushing FW policies (Replies: 6, Views: 3,164)

    I am using global policy to install all policies in given CMA, below excerpt from global_autopolicy.sh


    mdscmd install-globalpolicy -install -l CMA1 2>&1

    then save output in the file (see cron...
  67. Re: create user with expert privileges on gaia embedded

    ;) correct bash user works only for admin
  68. create user with expert privileges on gaia embedded

    There is a way to setup user with expert privileges on gaia typing 'set user user_name shell /bin/bash' but not on gaia embedded (1100/1400). On gaia embedded I can add user in clish but then have to...
  69. Re: Rule or not to rule ? (Replies: 3, Views: 1,915)

    I agree, depends but I think direction is to use inspection and identity awareness like access. I was never able to answer simple question of who have access to what based on any policies I've seen...
  70. Rule or not to rule ? (Replies: 3, Views: 1,915)

    I posted discussion here regarding security policy strategy. Basically I would like to know your opinion on whether to use granular, 'one off' rules or just intrusion and malware inspection. I think...
  71. Re: Schedule upgrade_export FTP (Replies: 8, Views: 2,567)

    I use Jenkins to schedule backup tasks , see here . It includes starting ftp server, transfer and then stop ftp server. I don't know how to automate sftp, but even if I knew I would still use Jenkins...
  72. Re: Syslog Help Needed (Replies: 9, Views: 2,947)

    Checkpoint doesn't natively support sending firewall logs (rules related logs) to syslog, it can send only OS logs to syslog. Log server in your case means external CP log server (separate product)....
  73. Re: cppkg del Segmentation fault (core dumped)

    Sure thing, thnx again
  74. Re: cppkg del Segmentation fault (core dumped)

    yeah , in that log I can see entries like this below (I tried to remove from GUI as well)

    [6110:Thu May 19 11:16:25 2016] CSuRemovePackageHandler::RemovePackage: Failed to remove package...
  75. cppkg del Segmentation fault (core dumped)

    I am trying to remove R77.20 packages and add one back (most recent). But I am getting Segmentation fault (core dumped) when typing cppkg del , see below. I can't do it from GUI at MDS level, don't...
  76. Re: CMA Auto Backup (Replies: 2, Views: 1,066)

    Yes, I am using similar script. Sometimes it was freezing during mds start process (and not being able to transfer my backup file later in the same script). Now I am doing it all from Jenkins with...
  77. Re: Tool for Firmware upgrade 1140's (Replies: 2, Views: 1,387)

    Smartlsm firmware upgrade works fine in fresh lab install, but for some reason not in my production. CP was not able to fix it so far and I had no time to look under the hood
  78. Re: Searching for a Script to update GAIA config

    It was discussed https://www.cpug.org/forums/showthread.php/20400-can-t-ssh-to-1100-using-kyes?highlight=ssh+password I think I changed uids , and it worked But since I am fine to ssh with...
  79. Re: Searching for a Script to update GAIA config

    'raw' module is all I have, not bad . but ..full python stack, would be really nice ! CP doesn't even want to support key based ssh access to 1100. I was told that my workaround can be overwritten by...
  80. Re: Searching for a Script to update GAIA config

    I have to change passwords on my fifteen hundreds of 1100 soon, maybe next week. But I will use Jenkins with Ansible plugin. Already used to change syslog setting (any gaia or bash settings). I got...
  81. Re: Deploy Policies to all Firewall in the Estate

    I was using this script below in cron. Recently moved to Jenkins , see my blog post

    # cat /var/scripts/autopolicy-jenkins.sh
    #!/bin/bash
    # Source the Check Point profile for library and...
  82. Re: CPX - US - Who is going? (Replies: 13, Views: 2,466)

    I will be there , hopefully John will have presentation of 'strace' stuff, can't wait ;)
  83. Re: Mobile access and windows 10 (Replies: 2, Views: 1,632)

    I am waiting for SSL (or SNX) to be supported in Win10 , according to sk107132 (updated on March 23) it is not yet supported in Chrome builds 45 and above (until Q2 2016). I don't know why the...
  84. get VSX throughput by CLI (Replies: 1, Views: 1,714)

    I am looking for the best way to obtain network throughput on VSX , per phy interface or per VS (CLI) . I know I can do below , but this only works for VS0


    [Expert@VSX-1:0]# cpview -p | grep...
  85. Re: Checkpoint to checkpoint VPN and management server

    There is excellent post on CRL here I think default is 24h
  86. Re: been working on this for a while 600 / 1100

    What it is ?;)
  87. Re: CLMs log SYN_RECV (Replies: 7, Views: 1,970)

    Yes, there is core dump in /var/log/dump/usermode/. See /var/log/fwd.debug...


    [Expert@mlm1w:0]# ls -l /var/log/dump/usermode/
    total 53624
    -rw-r--r-- 1 admin root 54848174 Mar 1 09:45...
  88. Re: CLMs log SYN_RECV (Replies: 7, Views: 1,970)

    I tried to restart manually also followed sk35628 but FWD.clm2w still down


    [Expert@mlm1w:0]# /opt/CPmds-R77/customers/clm2w/CPsuite-R77/fw1/bin/fwd -n
    fwd_monitor_init: fwd_monitor_active was...
  89. CLMs log SYN_RECV (Replies: 7, Views: 1,970)

    One of my CLMs (ip address ending with 142) stopped collecting logs, file fw.log is not growing anymore. Based on tcpdump there is traffic on port 257 coming from gateways to that clm and even...
  90. Re: IA REST API (Replies: 2, Views: 1,187)

    Interesting, they claim it is possible to use RESTful API in 77.20-30. I will ask CP support
  91. Re: CP 1100 appliance implementation in current network topology

    Did you setup OSPF neighborship over IPsec or locally in LAN ? I know it is possible using unicast addresses, instead of default multicast. Also was it for centrally or locally managed 1100 ?
  92. Re: install curl on 1100 ? (Replies: 16, Views: 3,562)

    Yeah, I wouldn't count on R&D , they were not even opened to allow ssh using key instead of password without workaround. I would love to have curl
  93. Re: IPS scripting Follow Up (Replies: 3, Views: 1,218)

    Interesting , do you know where I can find info about changing the IPS profile of a gateway ?
  94. Re: CP 1100 appliance implementation in current network topology

    OSPF over IPSEC ? I think OSPF doesn't work over IPsec. Also on centrally managed 1100 (at least Smartpro) you are limited to domain based VPN with statically configured destination subnets. In case...
  95. Re: Troubleshooting URLF on VSX ? (Replies: 18, Views: 3,251)

    Forgot to update, I fixed it. The problem was that CP IPS was dropping URLF updates, the second http one (not https)


    curl -v https://secureupdates.checkpoint.com
    curl -v...
  96. Re: clear user/IP association (Replies: 5, Views: 2,274)

    I got answer from CP tech support 'No, unfortunately there is no command line way to change this value' ;) Don't know what they mean probably that there is no cli to change default timeout, but...
  97. clear user/IP association (Replies: 5, Views: 2,274)

    Is there CLI command to clear user/IP association ? it's set to 720 min by default but I need to clear it before that timeout
  98. Re: PAN (Replies: 2, Views: 1,311)

    Interesting , thnx for sharing. That McAfee Evader looks pretty cool, are there any similar tools ?
  99. Re: Troubleshooting URLF on VSX ? (Replies: 18, Views: 3,251)

    Hey, see attached debug. CP guy is still looking ;)
  100. Re: R80 now public EA (Replies: 40, Views: 9,890)

    Did you install multi-management ? I think EA supports only single server
Results 1 to 100 of 250