CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.



 


Type: Posts; User: vonunov


  1. Replies
    11
    Views
    4,402

    Re: ISOmorphic in R77.20

    The 1100 can use USB similarly, but you only have to copy the image file instead of 'burning' it as with ISOMorphic. See page 99: http://downloads.checkpoint.com/dc/download.htm?ID=40945
  2. Replies
    11
    Views
    4,419

    Re: Value:Main Mode Could not retrieve CRL

    The address for the second object should be the public IP. The first object already has the internal address as the main address, which is why the remote peer is trying and failing to fetch CRL from...
  3. Replies
    11
    Views
    4,419

    Re: Value:Main Mode Could not retrieve CRL

    The request is never getting there because it's using an internal address (main address of mgmt-R77-20).

    Use http://supportcontent.checkpoint.com/solutions?id=sk100583 section 9 "Security Gateway...
  4. Thread: API

    by vonunov
    Replies
    1
    Views
    1,835

    Re: API

    https://ds.checkpoint.com/ds-portal/?isFullSite=true
  5. Replies
    11
    Views
    4,419

    Re: Value:Main Mode Could not retrieve CRL

    Take IKE debug and use IkeView ( SK30994 )

    There you should be able to see the URL for the CRL that is sent to the peer. In this example we have a broken one (the address is "1") -- there you...
  6. Replies
    11
    Views
    4,419

    Re: Value:Main Mode Could not retrieve CRL

    RemoteFX has to be able to retrieve the CRL from the manager of the peer.
    (Is it third party?)

    Since the manager is internal only, check...
  7. Re: Connection Failed: The user is not defined properly. and SK95973

    It looks like that should be fine; the guide doesn't seem to say anything about this happening.

    https://sc1.checkpoint.com/documents/R77/CP_R77_VPN_AdminGuide/73680.htm#o14208

    What happens if...
  8. Re: Connection Failed: The user is not defined properly. and SK95973

    There's another SK, internal (only internal because not manually reviewed, so nothing secret)

    Symptoms
    When trying to establish a VPN tunnel using endpoint connect client the client says...
  9. Re: Can't login to Checkpoint Management Server GUI through Smartdashboard

    Were any changes made before this?

    Is it using Management HA?

    There are some tasks about this.

    R77.20
    Same CPMI error line
    Using Management HA
    Error occurred on the secondary
  10. How to fix getting the wrong web pages in SK / support center

    Does SecureKnowledge / support center return the wrong page, the front page, the last page you looked at, etc.?

    This plagued us at TAC and now I hear that it affects the outside users also. It...
  11. Re: Disable "Version was created successfully" message?

    Might be able to get around it with AHK. http://www.autohotkey.com/board/topic/29636-automate-the-click-of-the-ok-button-when-the-window-appears/

    One of the people there talks about using...
  12. Re: cannot export snapshot insufficient space in /var/log/

    That would be creating a snapshot, not exporting. Creating a snapshot in Gaia uses unallocated space in LVM, creating a logical volume where the root volume is mirrored. Exporting is described like...
  13. Re: cannot export snapshot insufficient space in /var/log/

    # cd /var/log
    # du -hsx * | sort -hr | head -20

    This will give you a good idea of where to start looking. Try to stay out of CPAnything if you're unsure, except if you have a bunch of old logs...
  14. Re: R75.40 to R77.20 Migration Fails - [ReadFwsetFile] ERR: Failed to parse fwset in

    In the (new) management server object > General Properties > Management tab, do you have Endpoint enabled? If you uncheck this, then Policy > Install Database, you should be able to import, and then...
  15. Re: Alternative to Monitoring blade - how to see number of connections per ip without

    fw tab -t connections -f ?
  16. Replies
    1
    Views
    1,041

    Re: High Availability Sync Failure

    Any recent changes, in the firewalls or the surrounding network?

    Are you able to ping across the sync network?

    Is CCP being dropped?

    # fw ctl zdebug + drop | grep 8116

    Debug FWD and...
  17. Re: Policy Install fails fw_loader_AddPeerLicenses: license file does not exist

    Does it change anything if you force a management HA sync?

    Most of the (few) tickets for this issue in R77.20 are still open, so there may not be a solution yet.

    # fwm -d load [policy name]...
  18. Re: R75.40 to R77.20 Migration Fails - [ReadFwsetFile] ERR: Failed to parse fwset in

    But you did have to transfer the R77.20 upgrade tools to the old box? Were they extracted already when you did this?

    Run this to be sure and make sure it doesn't say it has CRLF line endings:
    ...
  19. Replies
    2
    Views
    1,486

    Re: SK84520 OSPF trace script

    WTFPLv2
  20. Thread: HTTPS bypass

    by vonunov
    Replies
    12
    Views
    4,913

    Re: HTTPS bypass

    It turned out that the HTTPSI rule had a site category defined, and when this was removed, it worked as expected. We're trying to get on a remote session to verify that there are no holes in the...
  21. Re: R75.40 to R77.20 Migration Fails - [ReadFwsetFile] ERR: Failed to parse fwset in

    Do:

    # dos2unix migrate.conf

    You may need to check for others, or transfer the files again and make sure you use binary mode.
    ...
  22. Replies
    2
    Views
    1,486

    SK84520 OSPF trace script

    I threw this together for a ticket and thought you guys might like it.

    http://hastebin.com/avevujukag.mel

    Please post any problems or suggestions.

    (I had a cpinfo line in there but found...
  23. Thread: VPN Issues

    by vonunov
    Replies
    2
    Views
    1,317

    Re: VPN Issues

    Whenever I see this, it's almost always fixed by solution 2 in SK44075. Does your configuration match any of the conditions in that SK?

    May be helpful to include:

    - Remote access domain
    -...
  24. Replies
    5
    Views
    2,273

    Re: Can't Login after Restore

    Double-check GUI clients, try adding Any, delete and re-add the SmartConsole admin in cpconfig (don't exit before adding it back).

    Otherwise clear cache ( sk100507 ); maybe some seeds for some...
  25. Thread: HTTPS bypass

    by vonunov
    Replies
    12
    Views
    4,913

    Re: HTTPS bypass

    I'm away from the office until Monday afternoon, still need to finish checking out the cpinfo. If you want in the meantime you could post screenshots of the config (instead of cpinfo full of private...
  26. Thread: HTTPS bypass

    by vonunov
    Replies
    12
    Views
    4,913

    Re: HTTPS bypass

    There was a known issue in SK98972 but the fix was integrated in R77.20.

    I've requested config screenshots or a manager cpinfo via your Check Point ticket so I can look over the configuration....
  27. Replies
    9
    Views
    2,417

    Re: snapshot stop all services or not ??

    In Gaia R77, the services are not stopped: https://www.youtube.com/watch?v=BEkgAB-uHx8

    However, in sk42329 (for SecurePlatform) it says: "Note: snapshot creation temporarily stops Check Point...
  28. Replies
    5
    Views
    6,834

    Re: CheckPoint Firewall Online Lab

    I'll have a look if you like.
  29. Replies
    2
    Views
    1,007

    Re: Copying Internal Content Warning?

    Yes, we now (for a while back though) have a (super annoying) javascript that intercepts right-click/ctrl-c as if we're not aware when we're looking at an internal SK (with "Internal" in bold red) or...
  30. Re: Client loses local network once VPN connected

    I have it on good authority (i.e. "the VPN guy") that this is working as intended, and the only good solution is to have the user change the LAN subnet (or, implied by this, change the encryption...
  31. Replies
    9
    Views
    12,482

    Re: SmartEvent is Not Working

    Could be that, or licenses (try installing full eval, or is the license attached to the correct server?)

    Or try clearing SmartConsole cache:

    Close all GUI clients.

    cpstop
    mkdir /var/tmp...
  32. Replies
    9
    Views
    12,482

    Re: SmartEvent is Not Working

    In "evconfig" (expert mode) make sure that none of the Intro stuff is turned on.
  33. Thread: CPUGcon 2015

    by vonunov
    Replies
    13
    Views
    4,801

    Re: CPUGcon 2015

    I'd like to go to Boston if circumstances allow. Closer to Dallas would be cool, but if everyone's going to Boston, that'll work.
  34. Re: How do I increase disk space for my log files on SPLAT

    Check here:

    http://www.howtoforge.com/linux_resizing_ext3_partitions

    An ext4 can be grown (but not shrunk) without unmounting; instructions for that exist as well (but are pretty much the...
Results 1 to 34 of 34