CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.


Search results: Posts by northlandboy
Page 1 of 5

  1. Re: R80 and R77 difference (Replies: 2, Views: 804)

    Look at the Check Point docs & Release Notes, e.g. the "What's New in R80" sections in SK.
  2. Re: Difference in block and drop, …drop and reject

    Lots of explanations here: https://www.google.com/search?client=safari&rls=en&q=checkpoint+drop+reject&ie=UTF-8&oe=UTF-8

    Pick any of them
  3. Re: Traffic shaping (Replies: 3, Views: 661)

    That is what they normally do. Sounds like they're being proactive here, rather than just hard dropping traffic. Shaping will help your overall throughput on those links.
  4. Re: Traffic shaping (Replies: 3, Views: 661)

    So...what are they going to do if you *don't* shape your traffic? Allow it through?

    _Normally_ what happens here is that ISPs will Police traffic, while it's better for you to Shape it. QoS gets...
  5. Re: Management Server HA two different data centers?

    That was the sort of thing I was going to suggest. Basically the problem is the traffic coming in on the primary firewall, and going around to the secondary. Gets things a bit confused.
  6. Re: Management Server HA two different data centers?

    Can you draw a simple diagram showing the traffic flows here?

    What firewall IP address is the management server trying to use, and where is that IP relative to the management server? Is your...
  7. Re: Management Server HA two different data centers?

    Trace the traffic through your network. When I've seen that behavior in the past, it was because traffic was arriving via an unexpected interface, and anti-spoofing was kicking in.

    Traffic from...
  8. Re: Management Server HA two different data centers?

    Generally agree with @cciesec2006. Using Check Point HA tends to be more hassle than it's worth. Due to the nature of the separation between enforcement & management, it's fine to have a short delay...
  9. Re: VRRP interface is Master on both FW 1 & 2

    What makes you think it is authentication-related?
  10. Re: Firewall Accept and Drop count for one month

    If it's just accepts & drops, you used to be able to get that data via SNMP. Use the firewall's own counters, rather than analysing logs.

    Then you can graph it over time, and it's just another...
  11. Re: Original IP address does not come through in a VPN tunnel

    Great to hear that you found it.

    I've had similar experiences in the past, especially with deeply nested groups that someone slips an overly large subnet into...takes a little while to figure out...
  12. Re: Original IP address does not come through in a VPN tunnel

    Sounds like the NAT is happening on the primary gateway, *after* the packet has come out of the VPN tunnel from the remote site?

    So might be worth going through all your NAT rules the primary...
  13. Re: SecureXL getting disabled (Replies: 15, Views: 4,715)

    Just as an aside, you should also remove snmp-trap. Managed nodes send SNMP traps *to* the monitoring system, not the other way around.
  14. Re: Sync port (Replies: 8, Views: 5,997)

    Years ago I worked at places that did not allow TCP/256 between firewall members, only UDP/8116.

    If a firewall was restarted, full sync would fail. New connections would be synced. Over time, the...
  15. Re: Signs that a RAM upgrade is required (Replies: 5, Views: 746)

    Seems that's a far more important problem for them to solve?

    I can never understand why people will spend hundreds of thousands/millions on hardware & software, and not put in basic monitoring...
  16. Re: SmartDashboard on macOS (Replies: 7, Views: 4,148)

    Why would it *not* be paid by the company? Why would you buy your own Windows license to manage a company asset? That makes no sense.

    > But even if this is the case why additional amount of money...
  17. Re: SmartDashboard on macOS (Replies: 7, Views: 4,148)

    > It's a bit silly because I have to have license for this Windows which will cost me additional tax.

    And what's the cost of that vs the amount your company has already paid to Check Point?
  18. Re: Signs that a RAM upgrade is required (Replies: 5, Views: 746)

    What does your monitoring system tell you?

    You _do_ have monitoring in place, right?
  19. Re: Need help to implement the Carbon black through Checkpoint

    Talk to the vendor. If they are in any way serious about selling this product into Enterprises they will have some way of dealing with this.

    If they are not interested, then why are you using them?
  20. Re: Need help to implement the Carbon black through Checkpoint

    So install one. Squid has been free for oh, 20 years or so.
  21. Re: Need help to implement the Carbon black through Checkpoint

    We have a bingo
  22. Re: ISP Circuit Change and Check Point- assistance request

    How does your public IP address range work? Is it a subnet that is in use between the firewalls & the upstream routers, and you take NAT IP addresses from that range?

    Or is your upstream ISP...
  23. Re: Load balancing capabilities? (Replies: 7, Views: 688)

    I don't think I've ever seen it used outside the classroom in all the CP shops that I've worked in. Those have tended to be bigger places though, the sort that could invest in dedicated load...
  24. Re: Load balancing capabilities? (Replies: 7, Views: 688)

    Pay attention to those caveats though: you're using a feature that goes back a very long way, and is little-used.

    You're better off using a proper load-balancer (ADC). There are free options these...
  25. Re: Is it possible to SFTP files off of Gaia?

    Only doing day trips at the moment, either riding around San Francisco area, or mountain biking trips like this one in Phoenix.

    Currently plotting our next move. Would like to do a few short bike...
  26. Re: Is it possible to SFTP files off of Gaia?

    Hopefully not going to be too slow using SFTP? My experience was always that it was much slower than SCP. Never really dug into exactly why though.
  27. Re: Moving CMA from one MDS env to a different one

    I did lots of these around the R60(ish) days. Always worked pretty well, and thankfully I never had to deal with Global Policy.

    So if they had it working well back then, you should be OK now.
    ...
  28. Re: Revert change before applying policy (Replies: 3, Views: 731)

    If you don't remember what changes you made, and you don't have a revision control or backup, then you could try looking at the audit logs to see what you did, and manually undo those changes.
  29. Re: URL based routing (Replies: 3, Views: 2,126)

    I would look at SD-WAN vendors for this sort of thing.
  30. Re: Checking if the return traffic is working

    You can also run tcpdump for a real-time view of traffic, if you're doing live debugging. Doesn't help with historical analysis, but the above 'Accounting' trick will do it.
  31. Re: 'kernel: neighbour table overflow' message appears repeatedly in /var/log/messages

    What happened when you did that? ARP cache no longer full, but firewall still unable to obtain & cache ARP entries, therefore unable to forward?
  32. Re: 'kernel: neighbour table overflow' message appears repeatedly in /var/log/messages

    It's not a Check Point-level thing - it's at the OS level, so `cpstop;cpstart` isn't going to help. Have to clear the ARP cache.
  33. Re: 'kernel: neighbour table overflow' message appears repeatedly in /var/log/messages

    Potentially. If it does go over threshold, garbage collector will kick in, and remove older/less frequently used ARP entries. If you've got a bunch of stale entries, it's probably no big deal. But if...
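To see how close a box actually is to the thresholds the posts above refer to, here is an added example (not from the thread, and not a Check Point tool) that parses `ip -4 neigh show` output and compares the entry count with the standard Linux sysctls net.ipv4.neigh.default.gc_thresh1/2/3. The sample neighbour listing is constructed; the threshold defaults are the usual kernel values.

```python
"""Size up the Linux neighbour (ARP) cache against its gc thresholds.

Added example, not from the thread above. The `ip -4 neigh show` output is
constructed; the threshold names are the standard kernel sysctls
net.ipv4.neigh.default.gc_thresh1/2/3 (defaults 128/512/1024).
"""
from collections import Counter

# Constructed sample of `ip -4 neigh show` output
SAMPLE_NEIGH = """\
10.1.1.1 dev eth0 lladdr 00:1c:7f:00:00:01 REACHABLE
10.1.1.2 dev eth0 lladdr 00:1c:7f:00:00:02 STALE
10.1.1.3 dev eth0 lladdr 00:1c:7f:00:00:03 STALE
10.1.1.9 dev eth0  FAILED
10.1.2.1 dev eth1 lladdr 00:1c:7f:00:00:11 REACHABLE
10.1.2.7 dev eth1  INCOMPLETE
"""

def parse_ip_neigh(text):
    """Return (ip, dev, lladdr_or_None, state) tuples from `ip -4 neigh` output.

    The state (REACHABLE, STALE, FAILED, INCOMPLETE, ...) is the last token in
    the common case; entries without a resolved MAC have no 'lladdr' pair.
    """
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[1] != "dev":
            continue                      # blank or unexpected line
        lladdr = fields[fields.index("lladdr") + 1] if "lladdr" in fields else None
        entries.append((fields[0], fields[2], lladdr, fields[-1]))
    return entries

def assess(entries, gc_thresh1=128, gc_thresh2=512, gc_thresh3=1024):
    """Classify cache pressure against the three thresholds.

    Below gc_thresh1 the collector leaves entries alone; above gc_thresh2 the
    excess is only tolerated for a few seconds before collection; at
    gc_thresh3 new entries cannot be added and the kernel logs
    'neighbour table overflow'.
    """
    total = len(entries)
    states = Counter(e[3] for e in entries)
    if total >= gc_thresh3:
        level = "overflow"
    elif total >= gc_thresh2:
        level = "gc-aggressive"
    elif total >= gc_thresh1:
        level = "gc-active"
    else:
        level = "ok"
    return {
        "total": total,
        "level": level,
        "states": dict(states),
        # entries the collector reclaims first, plus unresolved neighbours
        "stale_or_unresolved": states["STALE"] + states["FAILED"] + states["INCOMPLETE"],
    }

if __name__ == "__main__":
    print(assess(parse_ip_neigh(SAMPLE_NEIGH)))
```

On a real gateway you would feed it the live output of `ip -4 neigh show` and the live values from `sysctl net.ipv4.neigh.default.gc_thresh3` and friends; a high `stale_or_unresolved` count with a level of `gc-aggressive` or `overflow` is the picture the thread describes, and clearing the cache only buys time if something keeps generating entries for hosts that never answer.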
  34. Re: Barry Stiefel - RIP (Replies: 4, Views: 2,230)

    There were some ups & downs over the years, but his work getting this board established brought us together.

    Hope his family is OK.

    - Lindsay
  35. Re: Nat for two private IP with one public IP

    That was one of those questions that used to get asked in the old Check Point exam. I don't think I ever saw anyone actually implement it though.

    You're better off using a load-balancer....
  36. Re: Evading firewall (Replies: 11, Views: 1,458)

    Why does passing encrypted traffic affect the firewall? Or are you encrypting at the firewall?
  37. Re: Evading firewall (Replies: 11, Views: 1,458)

    Isn't that one of the IPS options, to detect SSH on a non-standard port?

    Off by default though.
  38. Re: IPSO Cluster cphaprob -a if missing cluster interface

    Did you update the firewall object in SmartDashboard?
  39. Re: FW rules within the same subnet (Replies: 5, Views: 1,885)

    I've done it the way described above (with /32 routes on the hosts). You have to combine it with private VLANs, or protected ports, or similar.

    But it's pretty ugly. If you don't want those...
  40. Re: Check Point Recommends Reboots Every 90 Days?

    Like the rest of you, I don't think I've ever seen any formal 90-day policies. I wouldn't have a formal policy like that, *but*: I do think it's a good thing to reboot systems regularly. Not because...
  41. Re: SmartLog indexing depth is limited to about 30 minutes

    I know you checked available disk space, but did you check the disk space policies? The options that tell it to use no more than <x> amount of disk, or keep <Y> amount free?

    Just a thought.
  42. Re: ECMP question (Replies: 2, Views: 912)

    It won't be per-packet (per-packet load-balancing is problematic, as you can end up with out of order packets). It will be flow-based, using a hashing algorithm. All packets in a flow will take the...
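An added illustration of the point in this post (example code, not from the post or from Check Point): hashing the 5-tuple keeps every packet of a flow on one next hop, while per-packet spraying spreads bytes evenly but lets a slower path reorder the flow. The packets and per-path latencies are constructed; SHA-256 stands in for whatever hash a given router uses.

```python
"""Flow-based vs per-packet ECMP: why all packets of a flow take one path.

Added example, not from the post. The packets and per-path latencies are
constructed; the path choice hashes the 5-tuple with SHA-256 so the result
is stable across runs (Python's built-in hash() is salted per process).
"""
import hashlib
from collections import namedtuple

Packet = namedtuple("Packet", "src dst proto sport dport seq")

def flow_key(pkt):
    """The 5-tuple identifying a flow; the sequence number is deliberately excluded."""
    return (pkt.src, pkt.dst, pkt.proto, pkt.sport, pkt.dport)

def pick_path_by_flow(pkt, n_paths):
    """Hash the 5-tuple onto one of n_paths: same flow, same next hop."""
    digest = hashlib.sha256(repr(flow_key(pkt)).encode()).digest()
    return int.from_bytes(digest[:4], "big") % n_paths

def pick_path_per_packet(pkt, n_paths):
    """Round-robin per packet: balances bytes evenly but splits a flow."""
    return pkt.seq % n_paths

def paths_used(packets, chooser, n_paths):
    """Set of next hops a list of packets would be spread over."""
    return {chooser(p, n_paths) for p in packets}

def arrival_order(packets, chooser, n_paths, latency):
    """Simulate delivery: a packet's seq is its send time, each path adds its latency.

    Returns the sequence numbers in the order the receiver sees them.
    """
    arrivals = sorted((p.seq + latency[chooser(p, n_paths)], p.seq) for p in packets)
    return [seq for _, seq in arrivals]

# Constructed: six packets of one TCP session, two equal-cost paths, path 1 slower
FLOW = [Packet("10.0.0.5", "192.0.2.10", 6, 51234, 443, i) for i in range(6)]
LATENCY = [0.0, 2.5]

if __name__ == "__main__":
    print("flow-based  :", arrival_order(FLOW, pick_path_by_flow, 2, LATENCY))
    print("per-packet  :", arrival_order(FLOW, pick_path_per_packet, 2, LATENCY))
```

The flow-based chooser delivers 0..5 in order whatever the latency skew, because every packet pays the same path delay; the per-packet chooser interleaves the two paths and the receiver sees packets out of sequence, which is exactly what a TCP stack interprets as loss.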
  43. Re: Poisoned ARP cache? (Replies: 16, Views: 3,244)

    Check the destination MAC on the captured traffic - is it the MAC you expect?
    Check the mac address table on the switch - does it show that it thinks that that MAC is on the port connected to the...
  44. Re: Firewall management source IP address

    You might need a NAT rule for that.
  45. Re: Ken Finley is let go (Replies: 9, Views: 3,091)

    I was saying that certifications are less relevant today, especially for 'legacy' IT like networks, firewalls, etc.

    People don't value them, companies see less value in them, and so the vendors...
  46. Re: Ken Finley is let go (Replies: 9, Views: 3,091)

    Seems indicative of a broader trend away from certifications, especially for legacy/traditional products like CP. It's not just restricted to them.
  47. Re: Cron Job to automate deletion of /var/log files

    I prefer to control those settings through SmartLog, where you can set either min space required, or retention settings. That way it's kept with the Check Point settings, and should survive...
  48. Re: Internal access to public ip on the same network

    I don't believe so, assuming my understanding of the topology is correct (it may not be). My assumption is that the ICMP redirect check would occur before the NAT step, so it should be OK.
  49. Re: Internal access to public ip on the same network

    Couple of possible options:

    * Configure your NAT policy so that when those internal users access that public IP, source NAT is applied to hide them behind the firewall (or some other IP that will...
  50. Re: Custom hotfixes from Checkpoint !!!! (Replies: 10, Views: 1,908)

    That's what I was wondering about. If I had 'ls -l' segfaulting I would have noticed it within minutes. Makes me wonder what was being patched that resulted in that behaviour.
  51. Re: looking for a Checkpoint Network Engineer

    Ever the optimist...I just assumed it was a typo
  52. Re: Schedule upgrade_export FTP (Replies: 8, Views: 2,551)

    I'm pleased to see that I'm not the only one that gets upset about people clinging to FTP. These days I don't do much security work, it's mainly in networking space...you wouldn't believe the number...
  53. Re: Solution=> NTP Config with VRRP Cluster (Replies: 8, Views: 2,856)

    Yep, +1 to this. I also find the NAT changes simpler than trying to remember which file to edit (which also risks getting lost on upgrade).
  54. Re: Jumbo HFA for R80 Release (Replies: 5, Views: 2,303)

    Yah. Overall I'd rather have more frequent, smaller updates. Don't like having infrequent monster updates. Reduced batch sizes for greater system throughput.
  55. Re: fw_xlate_match_epilog: There is already NAT on src/sport

    It's been fairly trivial to DoS systems for years now. Doesn't matter if it's "just http." For a few dollars I can easily saturate your Internet connection.

    There are plenty of people that would...
  56. Re: FW opening for Amazon AWS (Replies: 9, Views: 2,313)

    The original request was about a "server hosted at AWS" - so while they could have some complex global/regional setup, it sort of implies there's a single EC2 instance + Elastic IP.

    Of course, it...
  57. Re: FW opening for Amazon AWS (Replies: 9, Views: 2,313)

    If you're going to allow all AWS networks, you might as well just allow the entire Internet.

    Surely the customer knows what IP address they use to connect to that system at AWS?
  58. Re: FW opening for Amazon AWS (Replies: 9, Views: 2,313)

    The AWS-hosted server may have a static IP. Or is this for some third-party application where you don't know what addresses they'll be using?
  59. Re: Changing IP address on the gateways on the interface that is talking to the SMS

    I'd be interested in knowing if it was making a connection, and SIC was failing, or if it was SIC unable to connect & timing out (e.g due to firewall policy)
  60. Re: Has anyone heard from a Nessus scan overwhelming a firewall?

    I would not expect a Nessus scan to cause firewall problems. (If it did, all of our Internet-facing firewalls would be stuffed).

    I wonder if it's some IPS protections you've got enabled causing...
  61. Re: Changing IP address on the gateways on the interface that is talking to the SMS

    That's a pretty disappointing response, especially since it is something that I & others have done successfully.

    What sort of failures were you getting? SIC errors?
  62. Re: Fetch policy from gateway to management station

    It's one of the great mysteries in life
  63. Re: Checkpoint to checkpoint VPN and management server

    Yep. I've been caught out by this in the past. The problem is that the gateways can handle a gap in being able to communicate with the management server. If it's offline for a day or two, no big...
  64. Re: Changing IP address on the gateways on the interface that is talking to the SMS

    I've done similar changes in the past, following a generally similar process, and it went OK. Only problem was once when I had a locally-licensed firewall, as the changed IP invalidated the license....
  65. Re: New 15000 and 23000 Appliances (Replies: 21, Views: 8,083)

    Yes, it does seem silly. But if they don't officially tell you what it is, then they can change the specs later and not have to tell you then either.
  66. Re: firewall can't be connected (Replies: 4, Views: 1,300)

    nmap.org
  67. Re: Checkpoint Stops passing traffic - needs rebooted

    Don't know why you've got that debug file there, but might be worth making sure your NMS is alerting on disk consumption on those boxes?
  68. Re: New logical volume disappears after reboot

    Don't get me wrong, you _should_ be able to resize the partition. But maybe if you start telling them that they'll have to take the box offline to resize, they'll re-think the necessity. I can...
  69. Re: New logical volume disappears after reboot

    I'm intrigued. Why do they want a larger swap? (I'm going on the basis that memory is cheap enough that you should not be using swap at all on a modern system)
  70. Re: Is it possible to create an additional external interface that connects to second

    What's the thinking behind splitting inbound/outbound like that? It isn't going to double your bandwidth.
  71. Re: Fixing address spoofing issues. (Replies: 11, Views: 3,293)

    What were you using, cat?

    Use less, or vi. Then you can search by entering "/" followed by the expression you want to search for.
  72. Re: Fixing address spoofing issues. (Replies: 11, Views: 3,293)

    I always found that when groups with exclusions were in use, there are no quick answers. (Because it usually means there's some messed up routing design)
  73. Re: How to monitor "Log transmission status"?

    It's been a while since I dealt with this sort of problem, but I would look at running a cronjob on the gateways that looked to see if the file size of the local fw.log was increasing (indicating the...
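One way to implement the check sketched in this post, as an added example (not the poster's script, and not a Check Point tool): sample the size of the gateway's local fw.log each cron run, keep the previous sample in a small state file, and alert only after the file has grown for several consecutive runs, so a brief blip in reaching the management server does not page anyone. The log and state paths are assumptions (FWDIR is the usual Check Point environment variable); the decision step is a pure function so it can be exercised without touching the file system.

```python
"""Detect a gateway logging locally: does $FWDIR/log/fw.log keep growing?

Added example, not the poster's script. The log and state paths are
assumptions (FWDIR is the usual Check Point environment variable); the
decision step is kept pure so it can be tested without the file system.
"""
import json
import os
import time

FW_LOG = os.path.join(os.environ.get("FWDIR", "/opt/CPsuite-R77/fw1"), "log", "fw.log")  # assumed
STATE_FILE = "/var/tmp/fwlog_growth.json"   # assumed location for the last sample

def classify(prev, size, now, min_growth_bytes=1, runs_to_alert=3):
    """Pure decision step: compare this size with the last sample.

    Returns (status, new_state). Status is one of
      first-run  no previous sample, nothing to compare against yet
      static     size unchanged or shrank (normal when logs are forwarded,
                 and also right after `fw logswitch` rotates the file)
      growing    grew since last run, but not yet for runs_to_alert runs
      alert      grew for runs_to_alert consecutive runs: logging is local
    """
    if prev is None:
        return "first-run", {"size": size, "ts": now, "grew_runs": 0}
    grew = size - prev["size"] >= min_growth_bytes
    runs = prev.get("grew_runs", 0) + 1 if grew else 0
    state = {"size": size, "ts": now, "grew_runs": runs}
    if runs >= runs_to_alert:
        return "alert", state
    return ("growing" if grew else "static"), state

def load_state(path):
    """Previous sample, or None on first run or if the state file is unreadable."""
    try:
        with open(path) as fh:
            return json.load(fh)
    except (OSError, ValueError):
        return None

def check_once(log_path=FW_LOG, state_path=STATE_FILE):
    """One cron run: sample, decide, persist. Returns the status string."""
    status, state = classify(load_state(state_path), os.path.getsize(log_path), time.time())
    with open(state_path, "w") as fh:
        json.dump(state, fh)
    return status

if __name__ == "__main__":
    import sys
    status = check_once()
    print(status)
    sys.exit(1 if status == "alert" else 0)   # non-zero exit for the NMS to pick up
```

Run it every few minutes from cron; with the default `runs_to_alert=3` and a five-minute interval, fifteen minutes of sustained local growth raises the alert, while a log switch (the file shrinking) simply resets the counter.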
  74. Re: Error codes when using the autoconfig clish file

    My guess is that you won't find a specific entry for code 254. That sounds like a generic exit code.

    I'd pay closer attention to what line 28 is trying to do.
  75. Re: PCI compliance? (Replies: 8, Views: 1,965)

    Most important advice there. PCI-DSS is about two things:
    * Limit the scope as much as possible.
    * Understand the way your QSA thinks, talk your plans through with them, understand what they think...
  76. Re: R77 Possible bug: "xx Hides rule xx" not shown anymore?

    You'll need to fix it.

    Lazy fix - swap the order of the rules (move the more specific one above the less specific one).
    Proper fix - look at why you've got overlapping rulesets, and clean them...
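The "hides rule" condition this post is about is mechanical enough to check outside the GUI. As an added example (not from the post or from Check Point), the code below flags a rule whenever a single earlier rule covers all of its sources, destinations and services, tells you whether the hidden rule is merely redundant or actually conflicts on action, and applies the "lazy fix" from the post by moving the specific rule above the broad one. The rulebase is constructed; a rule hidden only by the union of several earlier rules is not detected, which is the usual limitation of this simple pairwise check.

```python
"""Find rules hidden by an earlier, broader rule (the "xx Hides rule xx" warning).

Added example, not from the post or from Check Point. The rulebase below is
constructed; a rule is shadowed when some earlier rule matches every packet
the later rule would match, so the later rule can never be hit.
"""
import ipaddress

ANY = None   # wildcard service

def nets_cover(outer, inner):
    """Every network in `inner` lies inside some network in `outer`."""
    return all(
        any(i.version == o.version and i.subnet_of(o) for o in outer)
        for i in inner
    )

def svcs_cover(outer, inner):
    """Wildcard covers anything; otherwise the later rule's services must be a subset."""
    return outer is ANY or (inner is not ANY and set(inner) <= set(outer))

def compile_rule(rule):
    return {
        "no": rule["no"],
        "src": [ipaddress.ip_network(n) for n in rule["src"]],
        "dst": [ipaddress.ip_network(n) for n in rule["dst"]],
        "svc": rule["svc"],
        "action": rule["action"],
    }

def shadowed_rules(rulebase):
    """Return (hidden_no, hiding_no, kind) for each hidden rule, in rulebase order.

    kind is 'redundant' when both rules share an action (clutter only) or
    'conflict' when they differ (the hidden rule was meant to change
    behaviour and silently does not). Only single-rule shadowing is checked.
    """
    rules = [compile_rule(r) for r in rulebase]
    found = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if (nets_cover(earlier["src"], later["src"])
                    and nets_cover(earlier["dst"], later["dst"])
                    and svcs_cover(earlier["svc"], later["svc"])):
                kind = "redundant" if earlier["action"] == later["action"] else "conflict"
                found.append((later["no"], earlier["no"], kind))
                break            # report the first rule that hides it
    return found

def move_above(rulebase, rule_no, above_no):
    """The 'lazy fix' from the post: put the specific rule above the broad one."""
    rules = [r for r in rulebase if r["no"] != rule_no]
    moving = next(r for r in rulebase if r["no"] == rule_no)
    idx = next(i for i, r in enumerate(rules) if r["no"] == above_no)
    rules.insert(idx, moving)
    return rules

# Constructed rulebase (top to bottom = match order)
RULEBASE = [
    {"no": 1, "src": ["10.0.0.0/8"],  "dst": ["192.0.2.10/32"], "svc": ["tcp/443"],  "action": "accept"},
    {"no": 2, "src": ["10.1.0.0/16"], "dst": ["192.0.2.10/32"], "svc": ["tcp/443"],  "action": "drop"},
    {"no": 3, "src": ["10.0.0.0/8"],  "dst": ["192.0.2.0/24"],  "svc": ["tcp/22"],   "action": "accept"},
    {"no": 4, "src": ["10.2.3.0/24"], "dst": ["192.0.2.20/32"], "svc": ["tcp/22"],   "action": "accept"},
    {"no": 5, "src": ["10.2.3.0/24"], "dst": ["192.0.2.20/32"], "svc": ["tcp/3389"], "action": "accept"},
    {"no": 6, "src": ["0.0.0.0/0"],   "dst": ["0.0.0.0/0"],     "svc": ANY,          "action": "drop"},
]

if __name__ == "__main__":
    for hidden, by, kind in shadowed_rules(RULEBASE):
        print("rule %d is hidden by rule %d (%s)" % (hidden, by, kind))
```

On the constructed rulebase, rule 2 (a drop for one /16) is hidden by the broader accept in rule 1, which is the dangerous case, and rule 4 is simply redundant with rule 3. Moving rule 2 above rule 1 clears the conflict but leaves the redundancy, which is why the post calls that fix lazy.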
  77. Re: Check Point vs Fortinet pro's and con's. (Replies: 15, Views: 20,280)

    If cost (particularly short-term cost) is a driver, then Fortinet may well be the better option right now if you're going from a single box to an HA setup.

    Regarding ASICs/FPGAs vs x86...it really...
  78. Re: Check Point vs Fortinet pro's and con's. (Replies: 15, Views: 20,280)

    At your scale it doesn't really matter too much what you use. Both can meet your needs.

    Price per Mbps is interesting at a certain scale, but really it comes down to your specific needs. What...
  79. Re: NTP not syncing - Gaia (Replies: 35, Views: 16,759)

    refid is the source used by the upstream server. So 10.2.1.246 is getting its time from 10.2.1.248.
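To make the refid reading in this post repeatable, here is an added example (not from the post, and not a Check Point or ntp.org tool) that parses `ntpq -p` peer tables, picks out the peer marked `*`, and follows the refid chain host by host until it reaches a reference-clock tag. Both peer tables are constructed; the column order is the standard ntpq listing.

```python
"""Read `ntpq -p` output and follow the refid to the upstream's own source.

Added example, not from the post. The two peer tables below are constructed;
field order follows the standard ntpq peer listing (tally, remote, refid,
st, t, when, poll, reach, delay, offset, jitter).
"""
from dataclasses import dataclass

@dataclass
class Peer:
    tally: str      # '*' = selected sys.peer, '+' = candidate, ' ' = discarded, ...
    remote: str
    refid: str      # where *remote* gets its time: an IP, or a tag like .GPS./.INIT.
    stratum: int
    reach: int      # 8-bit shift register of the last polls; 0o377 = all answered

def parse_ntpq(text):
    peers = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("remote") or line.startswith("="):
            continue                           # header / separator
        tally, fields = line[0], line[1:].split()
        remote, refid, st, _t, _when, _poll, reach = fields[:7]
        peers.append(Peer(tally, remote, refid, int(st), int(reach, 8)))
    return peers

def selected_peer(peers):
    """The peer ntpd is synced to, or None when nothing has been selected yet."""
    return next((p for p in peers if p.tally == "*"), None)

def unreachable(peers):
    """Peers that answered none of the last eight polls."""
    return [p for p in peers if p.reach == 0]

def time_chain(host, peer_tables):
    """Follow selected peers from host to host.

    peer_tables maps a host to its parsed `ntpq -p` output. When the upstream
    has a table of its own we keep walking; otherwise its refid already names
    the next hop, so we record that and stop.
    """
    chain, seen = [host], {host}
    while host in peer_tables:
        sel = selected_peer(peer_tables[host])
        if sel is None or sel.remote in seen:
            break                              # unsynced, or a loop
        chain.append(sel.remote)
        seen.add(sel.remote)
        if sel.refid.startswith(".") or sel.remote not in peer_tables:
            chain.append(sel.refid)            # reference clock tag, or last known hop
            break
        host = sel.remote
    return chain

# Constructed tables: the firewall syncs to 10.2.1.246, which syncs to a GPS-disciplined 10.2.1.248
FW_TABLE = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*10.2.1.246      10.2.1.248       2 u   45   64  377    0.321    0.112   0.045
 10.2.1.247      .INIT.          16 u    -   64    0    0.000    0.000   0.000
"""
UPSTREAM_TABLE = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*10.2.1.248      .GPS.            1 u   12   64  377    0.110    0.005   0.010
"""

if __name__ == "__main__":
    tables = {"fw": parse_ntpq(FW_TABLE), "10.2.1.246": parse_ntpq(UPSTREAM_TABLE)}
    print(" -> ".join(time_chain("fw", tables)))
```

With only the firewall's own table the chain stops at `10.2.1.248`, which is precisely the reading in the post: the refid column on the selected peer tells you where that peer gets its time. A peer with `reach` 0 and refid `.INIT.` has never answered, which is a routing or firewall problem rather than an NTP one.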
  80. Re: NAT question (Replies: 3, Views: 1,633)

    Yes - it works very well, and means no mucking around with proxy ARP. It's the recommended way to do it.
  81. Re: Backup Fails on secondary MDS. (Replies: 3, Views: 1,415)

    Can you post the output from when you run 'backup' via CLI?
  82. Re: Checkpoint VRRP - new install (Replies: 11, Views: 5,483)

    Yes - the future direction is clear to me. There's a lot of large customers running VRRP, so they won't get rid of it in a hurry, but you'll see a continued shift of resources towards Gaia +...
  83. Re: Prevent access from home PC's (Replies: 10, Views: 2,336)

    Yeah. It's complicated.
  84. Re: Is an appliance more secure than an open server?

    Yawn. ASA has had plenty of issues over the years.

    What about a Check Point appliance?
  85. Re: Prevent access from home PC's (Replies: 10, Views: 2,336)

    It's probably worth thinking about that overall risk. What makes it so much safer if I'm connecting from a domain PC vs my home PC? What makes it acceptable if it's a contractor PC? What makes it OK...
  86. Re: NTP configuration problem (Replies: 6, Views: 1,323)

    Run shadowpeak's grep command again, but with a wider scope. Just do it against the whole box:

    grep -ril ntp.ien.it / 2>/dev/null
  87. Re: Tutorials, Tips&Tricks, How-Tos, Scripts - where to get?

    Sometimes that's used as a bit of a cop-out. "Oh, we've got an API, you can just write some code to do that!" Yeah, that's not practical for most organisations to do, beyond basic scripting.

    Part...
  88. Re: SSL decryption for Office365 (Replies: 11, Views: 4,885)

    What's the real problem you're trying to solve here?

    A/V scanning of Office 365-hosted email? What's the point in trying to do it yourself on a Check Point firewall? You've outsourced your email...
  89. Re: How to reset hit counts R77.20 (Replies: 19, Views: 11,014)

    I wondered if that might be the case. Good to know.
  90. Re: How to reset hit counts R77.20 (Replies: 19, Views: 11,014)

    Anyone know what happens if you disable hit count collection globally, push policy, then re-enable it?
  91. Re: Migrating from ClusterXL to VRRP (Replies: 9, Views: 4,349)

    That's my gut feel too. To the OP, what's the reasoning behind the change, if you've been running ClusterXL for years?
  92. Re: Merging Stand Alone Mgmt Servers (Replies: 6, Views: 1,334)

    Oh no mcnallym, you breached the 12 hour guaranteed forum response time!!!
  93. Re: VRRP different hardware (Replies: 14, Views: 3,137)

    Aye, it does seem that way. I used to do this sort of setup when migrating between 530s, 650s, 740s, etc. Was all much simpler then.
  94. Re: No log from GW (Replies: 5, Views: 1,581)

    Yes, it will start sending logs again, but it won't send the logs that it stored locally while it lost connectivity. So you end up with gaps in the logs on your management server.

    If you want to...
  95. Re: No log from GW (Replies: 5, Views: 1,581)

    Not exactly to merge them, but from within Tracker, you can get it to retrieve logs from the gateway, and store them with the other logs on your management server.
  96. Re: Gateway object - not quite deleted (Replies: 6, Views: 1,842)

    I would expect those changes to get synchronised.
  97. Re: Gateway object - not quite deleted (Replies: 6, Views: 1,842)

    Yeah, dbedit is probably the only way to resolve it.

    I've seen something similar in the past. For whatever reason it didn't completely remove all the references when deleting from the GUI.

    Make...
  98. Re: Using Identity Awareness with NAT between CMA & Domain Controllers

    I've written some of this up in a bit more detail on my blog.

    Ugly diagrams, but you get the idea.
  99. Re: Queries regarding SIC (Replies: 5, Views: 1,795)

    If you're a beginner with Check Point, why are you worried about understanding SIC in detail? There are other areas that are more important to focus on first.
  100. Re: Packet Flow in Checkpoint Firewall (Replies: 13, Views: 37,643)

    Maybe you should buy his book?
Results 1 to 100 of 500