CPUG: The Check Point User Group
Resources for the Check Point Community, by the Check Point Community.
Type: Posts; User: simon
Sorry, for that unclear answer, I was in a hurry.
It is a known issue that after installation of the client all incoming traffic is blocked. A solution for "traffic is blocked inside the vpn...
This is a known limitation. Maybe removed with HFA1, which probably will be released end of March.
R75 also blocks some registry keys, therefore some GPOs aren't applied anymore. For example IE...
If you choose not to modify your CSS or can't in case of ASAs, you might consider implementing Virtual MAC addresses with your Check Point solution. Take a look into sk50840 which describes how to...
banduraj, I agree having cluster addresses on a different subnet isn't a very good idea. I don't recommend it to customers either.
However, if there is a situation you have no other solution at...
Hi Paul,
I will try to clarify it for you.
In detail:
The Linux OS will not allow you to set a default route to an IP address which isn't directly reachable (via an interface device)...
Hi cciesec2006,
I also had trouble with some upgrades from R65 to R70/R71. The error message is familiar and doesn't give you much about possible reasons, unfortunately. I would guess your OS...
Good Morning,
Yes you will need ADN for Dynamic Routing. If you already have SecurePlatform PRO Licenses those will be upgraded to ADN. But it is best to check that in your UserCenter. Click on...
PhoneBoy, if I'm allowed to modify your official advice:
If you take the definition of SHOULD from RFC2119, it MAY match. :)
Seriously: In my experience "Plugins" often stands for trouble....
Hi symon,
As serlud wrote, it depends on your current License(s).
Usually you will not have to pay to change hardware, unless you use an Appliance which comes with a License bound to it.
...
Hi dchoy,
I think you mean the "management connection / management interface" you would select through sysconfig during the first-time wizard?
The "Management Interface" you select through...
Hi cephalon,
strace from CentOS 3.8 should work fine. You can find it here.
Check Point is still using glibc 2.3.2 based on RHEL3.x. R65 SPLAT 2.6 and R70+ is using kernel 2.6.18 based on...
Actually you don't necessarily need to uninstall CPSG80CMP-R71-00, the management will just check the installed Plugins.
But I also don't see why it should be left on a Log Server/Eventia System....
Have a look into sk12882. This SK describes how to send logs to a Log Server/CLM which has no SIC Trust with the sending device (your VSes).
You can then fetch logs from the Log Server with your LEA...
Hi cciesec2006,
I would say you have three options:
Install R71.30 and then uninstall both Plugins
Modify Wrapper.conf and skip installing both Plugins
Activate the Plugins on your PV1
...
Hi Shaps,
Your Management tries to reach the Standby Members Main IP, which is the external IP in your case. As the Management only has a default route which is pointing to the VIP it tries to...
No announcement but R75 is available for download!
Checkout the Release Notes and have fun! :)
Yes, there will be some impressive features coming!
Still I wished Check Point would have chosen the iproute2 framework for policy based routing over the IPSO implementation. It would have been...
<cynicism on="on">
Another "very important" "certification" for the information security sector: Institute for Certified Application Security Specialists (ASS)
How could I miss it for so long?...
Hi all,
regarding SSL/TLS Inspection read this post, this post or the complete thread.
Inspecting SSH Traffic on a Security Gateway uses the same method, known as a MITM attack.
There are some...
Hi PhoneBoy, Hi serlud,
Thanks for the info.
Of course I know that CP isn't releasing the tech specs of their appliances. At least not officially. And I guess most of us know why. ;)
I had...
Sounds interesting.
No moving parts, external power supply, 10 1Gbit ports, new deployment tool..
Are any detailed specs available for the new Appliance?
CPU, RAM, ..
Hello tomo,
I don't know the reason why you want to split the traffic into different tunnels, especially why you need different Phase 1 negotiations.
If you try to utilise different Links...
Hi member054,
To your questions:
- Desktop Policy does only have impact on your client. For desktop policies to work, you need SecureClient or the new Discovery Client (currently still in EA)....
Hi caro06,
late answer but hopefully not too late. ;)
If a failover occurs your active sessions remain on the old address / ISP link and will fail. ISP Redundancy should be an easy/cheap way to...
For the archive, this is a continued thread from the post UTM-1 ISP redundancy with 1 External interface.
Please look there.
Hello johnny,
I reply to this thread instead of VLAN.20 on Extenal interface is not reachable.
First, please make sure your Enforcement Gateway can reach both ISP routers. Try pinging both...
Hello and welcome adelgados!
I would recommend you to use a second interface for the new ISP and migrate your VPNs one-by-one. The second interface can be a VLAN interface or a real one, doesn't...
Hi manuadoor,
Yes, this is like it should be.
The curious reader should take a short look into RFC2616 Section 9.9 and a not so short look into RFC2817 Section 5.2 "Requesting a Tunnel with...
Hi Markus,
FTester could be what you want.
hping and nemesis are also very helpful tools for crafting your very own IP packets.
Would be nice to read about your results. :)
Hi,
The following products will support scanning HTTPS traffic: IronPort S Series, BlueCoat, McAfee Web Gateway and Squid+SSL Bump.
Basically those Proxies use a MITM (Man-in-the-Middle) Attack...
Hi johnny, You're welcome!
You do not need to use IPSec for ISP Redundancy or VLANs.
You can, however, use ISP Redundancy to increase the availability in performance of your IPSec based VPNs....
Hi johnny,
You need two interfaces for ISP Redundancy to work. If you do not want to or can't use another physical interface you can separate both ISP Links by VLAN on one physical interface. This...
Hi *tomo*,
First: You are not alone!
QoS is not working with CoreXL, therefore you can't really utilise your Multi-Core Hardware.
The Accelerator Cards are not supported for...
Hi murderousmurk,
Did you use the R71 upgrade tools to export the configuration on your old management?
If not, transfer the whole $FWDIR/bin/upgrade_tools directory from your new R71 machine to...
Hi bytes,
Take a look at the Endpoint Connect R73 Release Notes, Section Updating the Endpoint Connect Version on the Gateway (Page 4) says:
You have to update the Endpoint Connect version on...
Hi bytes,
Take a look into the documentation. R70 VPN Administration Guide Page 385 "Using the Packaging Tool".
You'll get an MSI Package which you can deploy to your clients.
You can also...
Hi serlud,
True. Sorry I forgot to mention it. Usually the onboard NICs are used as secured interfaces in a cluster configuration, at a max.
The following network adapters are supported by...
Hi varera,
I don't have a DLP to play with, but the error indicates that the UPN (user@domain.tld) could not be read. Maybe you should check if the user has a UPN set. I have seen users without UPN,...
Hi Roluf,
Adam was faster, but I will add some comments.
Intel Virtualisation / Intel VT-d
You will not need Virtualisation, so you can safely disable it.
Intel Hyperthreading
On Check...
Hi belvdr,
I know. :)
I think ifconfig and route are deprecated since linux kernel 2.2, which was released quite a while ago (1999/2000 ?). ;)
But a lot of distributions are still using...
Hi,
there is no direct upgrade from R65 to R70.1/20/30. Therefore you still need to use the WebUI for the R70 upgrade.
According to the R71 Installation and Upgrade Guide it is still only...
Hi,
here is an alternative by using the fabulous ip utility.
(Only supported on SecurePlatform/Linux)
Flush all arp entries on interface eth0:
# ip neigh flush dev eth0
Flush arp entry for...
Hi Kevin,
Technically it is possible to change the username 'root'. Depending on the scripts used for different OS/Check Point tasks you may run into tremendous issues during operation, upgrade,...
Hi Alex,
For the Power-1 and UTM-1 Appliances it is important to do the Upgrade through the WebUI. An Upgrade through CLI fails with the error you described.
On page 168 in the R70 ...
Hello sonayny,
Do you use the command internal_sendmail or sendmail in Global Properties?
From the documentation (SmartDashboard Help):
Try using internal_sendmail if you didn't.
I assume your...
Hi Manu,
Yes, there are ways to find the IP of your Security Management Server.
You can look up the IP address in $FWDIR/database/objects.C or in the state table management_list.
Here is an...
Hm.. I think I like the IPSec VPN Enhancements.
Especially Service Based Link Selection sounds promising!
IMHO
For DLP (and for IPS) SSL/TLS Interception is a key feature. I think this is...
Hi all,
I would be interested how Check Point is going to manage all this forks in near future.
R65 HFA40 -> R65 HFA50 -> R65 HFA60 -> R65 HFA70
| /
\ ...
This may be my fault. I posted a reply, since then the error appears.
Don't know why, I didn't use any special characters or control commands.
I already wrote a PM to the site admin last night.
...
Hi pmb1010,
Do a SmartDefense Upgrade, it will fix your issue.
Additionally I would recommend you to look for CRLF formatted textfiles.
There may be some pretty important files which were...
You can use RADIUS as an alternative if you like.
Use External User Profiles to match users without the need to create them on your SmartCenter. Of course this is not as flexible as SmartDirectory...
Hi slocmiester,
It is hard to say what the actual problem is without more details.
What I would recommend you to do is:
Check SmartDefense settings. Every CIFS relevant protection should be...
Yes Thorpuse, you are absolutely right!
I wouldn't recommend to use this method if there is another way. But in case this is your last resort, it may be worth it.
At least you get your object...
InternalCA will be gone but you can get most other stuff. It will help you to restore and the missing parts will remind you to do backups AND TEST THEM! ;)
Basically it works like this:
Setup the...
@Ajit: Back to the original problem. I could think of two possible ways to solve the problem on a SPLAT gateway. Both have limitations.
ISP Redundancy
You can force ISP Redundancy to route...
Hi,
Please also read this post: http://www.cpug.org/forums/check-point-utm-1-appliances/10190-power-1-appliances-5070-9070-a.html#post39869.
Unfortunately you can't utilize FULL IPRoute 2...
And this sk25675 describes this snippet of INSPECT code you were referring to.
It is a very powerful and useful directive indeed. :)
Would be nice to hear/read/see use cases for it.
Hi guys,
Check Point just released R70.
Some interesting links:
R70 Known Limitations sk37042
R70 Documentation
Hi,
In my experience a Group with Exclusion works for Site2Site VPNs with Check Point GWs in the same Management Domain.
I know about trouble with SR/SC when a GW has a VPN Domain of this type...
Hi scucci,
Stupid question: Do you mean something like View -> Objects List?
If you need a CSV of your objects odumper might be of interest to you.
Hi shmilyh,
Take a closer look at cpstat. It might be very helpful for your customer. It is documented in the R65 CLI Reference/Admin Guide.
Also ver or cd_ver might be of interest to you.
Of...
Hi,
Please take a look in %FWDIR%\log\fwm.elg. Is there anything suspicious?
Is the fwm.exe process running?
Is fwm.exe listening on TCP port 18190 (do a netstat -an on cmd)?
Make sure...
Sorry for the cphaprob -ie list, this is wrong! I meant cphaprob -ia list.
I remembered a special R65 HFA30 for advanced routing, I think you should take a look at it: sk35205
If your problem...
SecuRemote and Office Mode
This is a grey area indeed. It is technically possible and shipped with VPN-1 Edges in combination with SecuRemote, but not officially supported. It seems as Check Point...
Hi yheffen,
Some things you should check:
Does sk31243 help you?
Are both cluster member SPLAT PRO?
Is the gated daemon running on both cluster members?
Do you really need SPLAT PRO...
Hi banduraj,
You do not need SPLAT PRO unless you want dynamic routing (routing protocols) through gated.
You do not need VTIs, Route based VPN. Domain based VPN is just fine for your purpose....
Hi,
iproute2 is around for years and provides PBR capabilities.
You can use iproute2 to do PBR. As there is no official support for PBR I wouldn’t recommend you to use it if you need to rely on...
Hi nathang,
This depends on your license.
If you purchased your license recently or you are not using a very old one, it is included. For Load Sharing (active/active) you will need an...
Hi TIA,
You should take a look in your Firewall logs.
Open SmartView Tracker and select Query Properties in the View menu.
Look for XlateSrc and XlateDst (probably in the end of the list),...
Hi giuffrolo,
You could use a SmartCard to store the user certificate in a secure manner.
SmartCards prevent copying the private key, so users cannot compromise security by handing over...
Hi Tom,
Your UTM-1 Appliance should come with a SmartDirectory license.
See: https://pricelist.checkpoint.com/
Hi,
Here are some of my thoughts.
Disk size is more a matter of how long you would like to keep your logs and view them with SmartView Tracker. Of course the log volume matters too. So...
Hi lifeng1656,
There is nothing like a green, yellow or red bulb to indicate the status of your logical servers or its members. At least not that I know of.
You can take a look into your...
Hi Morphus,
1. Did you try with a different policy?
2. Did you update to the latest libsw version?
According to the error message, there is a parsing error. So maybe there is something wrong...
Hi cciesec2006!
To your questions.
1. SmartDefense Protection Profiles were introduced with R62, so they are not available on a R61 SmartCenter.
2. Yes it is possible and it will work. At...
Hi menardk,
A segmentation fault is always a bad thing and may be a result of a memory leak.
There are several things you can do to find out the problem source.
You could start fwd in debug mode...
Hi archie,
You can use NTP for time synchronisation with an external source.
Checkout www.pool.ntp.org for different external sources.
Take a look in the R65 SecurePlatform & SecurePlatform...
Hi DeLaRio!
To me your logging problem seems to be a SIC issue too.
I would ask you to try the following.
1. Switch off one cluster module. This makes debugging easier.
Make sure time is...
Hi kevin,
If the certificate expiration date is still 3 years ahead I wouldn't worry too much. ;)
You should consider renewal a few months ahead of the expiration date. Same for VPN Clients like...
What you gain or lose depends on your configuration. ;-)
For example consider the following Scenario:
Internet --- Router --- Firewall Cluster --- Internal Network
IP Network between Router...
Hello hotice!
A domain administrator is not necessarily mandatory to fetch branches and use SmartDirectory within your Check Point environment.
If you do not use the Check Point schema extension...
Hi Sam,
This is a completely different scenario.
You will not need to configure your gateways like stated above, RDP probing is not necessary in your scenario.
The routers should recognize a...
Hi Kevin,
No, the certificates are not renewed automatically.
You need to do this manually by pressing the "Renew.." button in the VPN tab of the checkpoint host object.
The certificate will...
Hi kevin,
Go to the VPN tab in the relevant checkpoint host object. Select the certificate you would like to check and press "View..".
You will find the expiration date there..
By the way,...
Hi Sam,
You are right, the probing is only available to "VPN enabled" interfaces.
According to your diagram both links are terminated at your enforcement points, so that all traffic is passing...
Hi John,
Take a look at sk34541 and sk32570. Those do not describe your specific problem but maybe those help you anyway.
I stumbled upon both articles while surfing the skb some time ago.
...
Hi menz456,
Did I forget to mention that you should define both interfaces as external? ;)
You should not have any problems with anti-spoofing in this case.
Let's assume
Site A has a VPN...
Hi banduraj,
For 1) try:
# ip route delete default
# ip route add DEFAULT_GW_IP/32 dev INTERFACE
# ip route add default via DEFAULT_GW_IP
# route --save
This will tell your SPLAT that the...
Hi Sam,
As I don't know about the version you are using I assume you use R65.
You can do this with Link Selection.
Here is a short example configuration:
Site A:
Open Gateway properties ->...
Hi felxo,
Take a look into the CheckPoint_R65_VPN_AdminGuide.pdf.
The Remote Access VPN section (Chapter 14 and 15) covers the topic you look for.
Watch out for OfficeMode configuration via...
Hi Michael!
I don't know of a direct export/import, but what I would do is:
1. Backup current R55 configuration.
2. Restore R55 configuration in a vmware install.
3. Upgrade vmware install to...
Hello sebastan,
Yes it is possible to use ISP Redundancy with ClusterXL New Mode HA on SPLAT and Linux.
And yes there are several limitations and requirements. You should have a look in the...
Hi winsoc,
SuSE is not a supported OS, you should consider using RedHat Enterprise Linux 3 or SecurePlatform, which is available for free if you are a Check Point customer.
Because Check Point...
Hello compubear,
at this point some more details are needed to help you fix the problem.
Should the firewall send icmp redirects, should it receive them, are you running a cluster, is it a...
You need to enable the global kernel variable "fw_icmp_redirects".
You can do this by editing the file "$FWDIR/boot/modules/fwkern.conf".
Simply add the following line:
fw_icmp_redirects=1
...
Hi,
replacing Nokia Clusters with SPLAT may or may not be easy, it depends on the "Nokia specific" functionalities you are using.
You should first check your Nokia configuration and compare it...
Hi,
R60A integrates Content Inspection (the Express CI series).
Regards,
Simon
Hi jcamillo,
make sure you define more specific entries on top of your generic settings.
For example:
Line #1: cpmodule addr 192.168.1.100 wins=(), dns=() JohnDoe
Line #2: cpmodule net ...