CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.



Type: Posts; User: RayPesek

  1. Replies
    9
    Views
    2,776

    Re: Is it possible to SFTP files off of Gaia?

    Dunno. We'll find out soon. I'm going to run it weekly on Sundays so it shouldn't be an issue.

    Done any good bike trips lately, Lindsay? Our family followed your around-the-world one. It was...
  2. Re: Support for embedded R77.20 extended by a year

    Agreed, another year would be nice and for another reason. I'll either be retired by then or close enough that I won't have to deal with it. :)

    Ray
  3. Replies
    9
    Views
    2,776

    Re: Is it possible to SFTP files off of Gaia?

    Thanks! I wrote up how I think it can work and we'll be testing it tomorrow or Monday. I see some stuff you wrote that I may steal.

    BTW, I think you can replace this line:

    echo "y" |...
  4. Replies
    9
    Views
    2,776

    Re: Is it possible to SFTP files off of Gaia?

    Thanks for the quick reply. I already had it enabled so that part is good. This looks like it solves all of my issues. I actually stumbled on it by accident. I was searching the SK articles and came...
  5. Replies
    9
    Views
    2,776

    Re: Is it possible to SFTP files off of Gaia?

    I often find that it helps to post a help request like these because then it makes my brain engage. It looks like it may be built in now:

    [Expert@sc:0]# cd /usr/bin
    [Expert@sc:0]# ./sftp
    usage:...
  6. Replies
    9
    Views
    2,776

    Is it possible to SFTP files off of Gaia?

    We want to automate the movement of migrate exports off of the R77.30 SmartCenter but our internal file transfer system does not support SCP, just FTP, SFTP and FTPS. I'd rather not use FTP. Any...
  7. Re: Centrally managed 1490 - seriously screwed up control connections and VPN traffic

    Yeah, and you weren't the only one. It's been a long two weeks. :-)

    Ray
  8. Re: Centrally managed 1490 - seriously screwed up control connections and VPN traffic

    And database revision #102 did the trick! Thank you VERY much!

    So I only have two issues left and I have tickets on both: The QoS issue and the .60 upgrade issue.

    Ray
  9. Re: Centrally managed 1490 - seriously screwed up control connections and VPN traffic

    !@#$%^&*

    Thank you for the "Duh" moment. And for being so polite when you pointed it out. Now I'm going to have to remote in today to see if that is actually how I screwed up. :-)

    Database...
  10. Re: Centrally managed 1490 - seriously screwed up control connections and VPN traffic

    Thank you very much for following this thread. Yup, I already tried that with no change. I also defined an entire /24, since it would be unique to us, and put that in the VPN Domain with no change. ...
  11. Re: Centrally managed 1490 - seriously screwed up control connections and VPN traffic

    So I have a new one that is just kicking me to the curb.

    To recap, a main gateway which we'll call R77.30 Take 216 and a 1490 running R77.20.51, both managed by the same SmartCenter.

    There is...
  12. Re: Centrally managed 1490 - seriously screwed up control connections and VPN traffic

    Today we successfully did an in-place upgrade to R77.20.51. Everything just worked immediately.

    We then did an in-place upgrade to R77.20.60 and it went bad. Upon the reboot the VPN failed to come...
  13. Re: Centrally managed 1490 - seriously screwed up control connections and VPN traffic

    Yup, I already added the error and the "resolution" to the ticket. The SmartCenter is on Gaia.

    Ray
  14. Re: Centrally managed 1490 - seriously screwed up control connections and VPN traffic

    Update on the QoS issue. These are the errors I see when trying to install a QoS policy on the 1490 with either the R77.20.31 or R77.20.60 firmware. Yes, the Add On is installed and the hotfix to be...
  15. Re: One-way VPN between a 1490 and an Open Server? And then no VPN traffic after topo

    I've got a thread running in the 1400 forum about some really, really odd issues we hit with R77.20.60 and this may have been a firmware issue. Once I reverted the appliance back to the factory...
  16. Re: Centrally managed 1490 - seriously screwed up control connections and VPN traffic

    So we made some significant progress today. Yes, the SmartCenter is in the VPN domain of the gateway it's behind and needs to be because we use a site-to-site VPN to ship scripted "migrate export"...
  17. Re: Centrally managed 1490 - seriously screwed up control connections and VPN traffic

    It's the ninth firewall. I always explicitly specify the Install On target to avoid ugly surprises. Good thought, though.

    Ray
  18. Centrally managed 1490 - seriously screwed up control connections and VPN traffic

    We're setting up a new 1490 on R77.20.60 being managed by an R77.30 SmartCenter. The Add On is installed as well as the hotfix to manage the 1400 series. I just got off a three-hour three-person CP...
  19. Re: One-way VPN between a 1490 and an Open Server? And then no VPN traffic after topo

    As a follow-up, this was caused by having the 1490 behind NAT. For whatever reason, some of the control connections from the R77.30 to the 1490 were being NAT'd and others were trying to go to its...
  20. Re: One-way VPN between a 1490 and an Open Server? And then no VPN traffic after topo

    OK, it is absolutely related to it being behind the other firewall. Despite the VPN logs showing that the R77.30 was connecting to the standalone CP IP, it wasn't.

    Once I went into the NAT for...
  21. Re: One-way VPN between a 1490 and an Open Server? And then no VPN traffic after topo

    The "Disable NAT within community" had no effect either way. I do have No NAT rules in place. What I see in SmartView Tracker for R77.30 -> 1490 is this:

    IKE: Child SA exchange: Exchange failed:...
  22. Re: One-way VPN between a 1490 and an Open Server? And then no VPN traffic after topo

    That's the "Do not NAT within the Community" you're talking about? I'll double-check but I believe it is checked since I usually do that for CP - CP VPNs.

    Thanks for the quick reply,

    Ray
  23. One-way VPN between a 1490 and an Open Server? And then no VPN traffic after topo chg

    We bought a new 1490 and it has R77.20.60 firmware on it. The primary firewall is Open Server R77.30 Take 216 (HF 6). Both are managed by the same SmartCenter and I used a Community to configure...
  24. Thread: cprid and SIC

    by RayPesek
    Replies
    4
    Views
    4,219

    Re: cprid and SIC

    Yeah, I used to think that as well because that's what the docs say. It doesn't seem to be true. It feels like the "activation key" is the certificate private key or something. Or the key encrypting...
  25. Replies
    11
    Views
    1,460

    Re: Evading firewall

    The real question is "How are you monitoring and auditing administrator actions?"

    If you're talking about a perimeter firewall, opening 1521 or 22 or just about anything else to the Internet...
  26. Replies
    4
    Views
    1,355

    Re: R77.30 with JHFA 216

    I'm about to. It's been running in test with no issues. The minimal number of fixes between the previous one and 216 plus the time the previous one was in service are making me feel confident. For...
  27. R77.30 Take 216 showed up on my firewalls today

    sk106162

    https://supportcenter.checkpoint.com/supportcenter/portal?action=portlets.SearchResultMainAction&eventSubmit_doGoviewsolutiondetails=&solutionid=sk106162#List of resolved issues in GA...
  28. Replies
    23
    Views
    5,154

    Re: R77.30 Take 205 - is it stable?

    Take 216 just showed up on my firewalls today.

    Ray
  29. Replies
    8
    Views
    2,169

    Re: Radius with RSA/ACE server

    We had to create local accounts within Gaia with the same user name as the SecurID user name to get it to work. I'm pretty sure we're on 8.1 but virtual.

    Ray
  30. Replies
    8
    Views
    2,202

    Re: How to force VPN client disconnection

    You can (or used to be able to) use Block Intruder in Smartview Tracker. It's the middle tab, the one that warns you about possible performance issues when you click it (Connections?).

    Find the...
  31. Replies
    4
    Views
    1,735

    Re: Authentication with Radius

    Likewise. We're using RSA SecurID via Radius for the Gaia logins.

    Ray
  32. Replies
    9
    Views
    11,140

    Re: NAT and Palo Alto

    Maybe "any" in Source or Destination works like "any" in Service; it doesn't mean "every". Like how X11 is specifically not included in "any" Service.

    Ray
  33. Re: Session Matching failing after R77.30 upgrade

    What kind of user complaints are you receiving? I'm surprised anyone would even notice what with retries.

    Ray
  34. Re: Installing both Gateway and mgmt server on same platform

    Absolutely agreed. It takes a lot more horsepower to run both on the same box and performance when installing policies is noticeably slower. You also can run the gateway without a management server...
  35. Replies
    11
    Views
    3,900

    Re: Scheduled reboots?

    Bummer. We've got a couple of 1100's but they're still on R75.20. Everything else is Open Server.
  36. Replies
    11
    Views
    3,900

    Re: Scheduled reboots?

    Perfect. Go follow the directions in the article I linked to. I'm 999.9% positive this is your issue. Seems to be working OK but can't get into it by SSH or the web GUI. And it does not require a...
  37. Replies
    11
    Views
    3,900

    Re: Scheduled reboots?

    You've got something else wrong. What version and hotfix level are you on? Does this apply to you?...
  38. Replies
    11
    Views
    3,900

    Re: Scheduled reboots?

    May I ask why you want to do that? A year of uptime, if there are no hotfixes needing it, is not unusual for us with no performance degradation.

    Ray
  39. Replies
    3
    Views
    1,931

    Re: How to stop "threat emulation" popup

    In our case, we're not licensed for Threat Emulation but we still get that annoying "New file types are available!" pop-up. I just open it and OK it and it goes away until the next time.
  40. Re: Checkpoint Installation failed: Failed to load Policy on Module

    FWIW, we've never had threat emulation licensed or enabled so it was something else for us.
  41. Replies
    27
    Views
    7,040

    Re: sk93587- monitord high CPU

    This was fixed in a Check Point hotfix years ago.
  42. Re: Has anyone heard from a Nessus scan overwhelming a firewall?

    We run with a lot of IPS signatures active. The key as always is to manage your systems instead of Next-Next-Next'ing them. On every IPS update we review the signatures and Deactivate every one where...
  43. Re: Has anyone heard from a Nessus scan overwhelming a firewall?

    Amen to that. I was just about to write something similar. Fool me once, fool me twice, fool thrice, and eventually I figure it out.
  44. Re: Has anyone heard from a Nessus scan overwhelming a firewall?

    "But there is one nasty side effect to enabling the IPS signature Network Quota that will probably make your firewall even more susceptible to DoS attacks: almost all traffic will be forced into the...
  45. Re: Has anyone heard from a Nessus scan overwhelming a firewall?

    It means your firewall configuration is susceptible to some denial-of-service attacks.

    "2) Enable the IPS signature Aggressive Aging."

    That one should definitely be enabled. During pen tests we...
  46. Re: Had a bad Dell iDRAC take down a firewall today. Really.

    What threw us was that we were used to the older ones that have limited functionality and actually are an add-in card. We opened the server to just unplug the thing and found out it wasn't. It also...
  47. Had a bad Dell iDRAC take down a firewall today. Really.

    We started seeing that one of our firewalls appeared down and logs stopped about 7:30 AM, it still pinged, etc. SmartView Monitor showed all was normal. But stuff wasn't working. It's on a Dell R620....
  48. Resetting Gaia password makes all successive logins fail?

    We've hit an issue on multiple R77.30 Gaia firewalls with logging into the web interface. It started a few months ago and our MSP has been unable to help us.

    When someone changes their password...
  49. Re: Checkpoint Installation failed: Failed to load Policy on Module

    The next time it happens, fire up SmartView Monitor and look at the amount of Virtual Memory in use as compared to the amount of physical memory installed. We used to notice that the virtual memory...
  50. Re: How to estimate the performance impact of HTTPS Inspection using the Appliance Si

    We don't use Check Point for HTTPS inspection but the reality is that if you are security-focused, there will only be a very small number of sites that you do not decrypt. We see compromised...
  51. Replies
    10
    Views
    2,662

    Re: sk92889 - oversized Hit Count table

    I do it the easy way. I copy the rule and paste it in at the same position and delete the other one. It changes the rule GUID but we're not using it for anything.
  52. Re: SmartView Tracker "Custom Filters" are missing after R77.20 -> R77.30 upgrade on

    Nice find on sk107510.

    "This is the current design - during upgrade to R77.30, predefined query for Threat Extraction blade is added to $FWDIR/conf/TrackerTree.C file on Security Management Server...
  53. Re: SmartView Tracker "Custom Filters" are missing after R77.20 -> R77.30 upgrade on

    I had tried that before I posted this. It made no difference. A support case through our CSP, who went to CP on it, said they were told it was essentially a feature and not a bug. We even sent in the...
  54. Replies
    11
    Views
    4,480

    Re: ISOmorphic in R77.20

    The 1100 takes its firmware via the web interface. It holds both the new version and the previous version on the box. What are you trying to do precisely?
  55. Replies
    17
    Views
    7,747

    Re: R77.30 Upgrade advice

    Make sure you install the recommended hotfix(es). #4 is now out and it rolls up 1 - 3. We did all of our 77.20 -> 77.30 upgrades using CPUSE but had problems with the hotfixes. Failed by CPUSE and...
  56. Re: Allow rule skipped, traffic dropped by clean up

    Can you post both the rule and the log entry, sanitized if necessary?

    I take it the log entry has the same object names as in the rule?
  57. Re: How to kill all active SmartDashboard sessions from CLI ?

    cpstop;cpstart on the SmartCenter has always worked for me. :-)

    Ray
  58. Re: Firewall rate-limiting and penalty box experiences

    This is where a real web app firewall can make a difference. Controlling application DoS issues is trivial. I would never buy a DDoS appliance because there's no way it can handle a traffic flood...
  59. Re: SmartView Tracker "Custom Filters" are missing after R77.20 -> R77.30 upgrade on

    Other than this and the aforementioned problem people have had with both the upgrade and the HF's erroring out when run using the web GUI (CPUSE) but installing OK with the CLI install, we've had no...
  60. SmartView Tracker "Custom Filters" are missing after R77.20 -> R77.30 upgrade on Gaia

    Anyone else noticing this? I posted this on the CP forums and got one response from someone else who had the same thing happen. I still had the R77.20 install so I copied the files over per the SK...
  61. Replies
    21
    Views
    4,741

    Re: HTTPS Inspection - Real world experience

    Did you just say it's better to be more strict so that bypasses have to be set so that less HTTPS sites are actually inspected? :-)

    Ray
  62. Replies
    21
    Views
    4,741

    Re: HTTPS Inspection - Real world experience

    That would match most of our bypass sites. For instance, the site where you download Oracle patches from supports RC4, two ciphers susceptible to Logjam and 112-bit 3DES and that's it. Once we...
  63. Replies
    21
    Views
    4,741

    Re: HTTPS Inspection - Real world experience

    We're running Websense appliances in explicit mode with full SSL decryption using v7.8.4 HF 11 and have just about zero issues. One thing I've noticed about many Websense customers is they never...
  64. Re: update from R77.20 to R77.30 Installed with Errors

    While we did not have any problems with upgrading R77.20 take 91 to R77.30 using CPUSE, two out of five boxes then failed to install HF2 with CPUSE. The log showed the problem on both was...
  65. Replies
    27
    Views
    7,396

    Re: 1100 GAIA R77.20 Embedded

    I would not expect to see it until R77.30 is released. We heard that the SmartCenter must be at R77.30 to manage an 1100 on R77.20. We've got a few we want to upgrade as well. R77.30 has been in EA...
  66. Re: This is just too easy to bypass Threat Emulation

    There were a spate of malicious emails set to us recently that had names like "John Smith resume.doc.js" that we stopped because we explicitly block scripting type files. Other companies had people...
  67. Re: This is just too easy to bypass Threat Emulation

    Sadly this is what happens when people become too tool-dependent and don't think about the risks versus business needs. Or when "security is everyone's job" which means it's no one's job.

    I...
  68. Replies
    3
    Views
    1,299

    Re: Ransomware solutions?

    The simplest way is to block executable attachments coming in by email. Not just .exe, but .scr, .chm, .js, .ps1, .jar etc. Doing that will eliminate most of your risk. Nobody should be accepting...
  69. Replies
    31
    Views
    11,835

    Re: Appliance vs open server?

    Not for anything of consequence. We do have a few 1100's for remote offices. We do review them every time we're looking at new hardware. We came closer last time but with the number of physical...
  70. Replies
    31
    Views
    11,835

    Re: Appliance vs open server?

    Another consideration I did not see mentioned is the number of physical interfaces. If you need a lot of NICs, open server does not penalize you. That's especially if you want to bond a pair....
  71. Re: Share your knowledge about rules managing DNS traffic through the firewall?

    Yeah, you and 99.999% of the rest of the world. DNS tunneling is, IMHO, the biggest blind spot any company has because DNS has to be designed properly from Day 1 and no one does that. Without a split...
  72. Re: Share your knowledge about rules managing DNS traffic through the firewall?

    No one outside your company should ever be able to query your DNS servers. That's one way the DNS DDoS attacks are occurring.

    Here is your biggest potential security issue. Run this test. From...
  73. Re: No 1100 Appliance selection on an R77.20 SmartCenter?

    Thanks. I had found that article but I would doubt I still have to manually replace files in the latest and greatest. The SmartCenter is able to connect to the Internet. I guess I'll open a support...
  74. No 1100 Appliance selection on an R77.20 SmartCenter?

    We just installed our first 1100 and there is no selection for it on the R77.20 Gaia SmartCenter. It starts at 2200. It detects it as Open Server, Unknown OS and vR75.20.66. Only the version is...
  75. Replies
    19
    Views
    7,651

    Re: Bash Vulnerability

    Just some false positives outbound. We added an exclusion for the proxy as source.
  76. Replies
    19
    Views
    7,651

    Re: Bash Vulnerability

    This could get ugly fairly fast.

    https://www.trustedsec.com/september-2014/shellshock-dhcp-rce-proof-concept/ - I wonder how many home routers have a bash shell in their innards.

    I've already...
  77. Re: Smart Dashboard Login Issues post R77.10 Upgrade

    Odd that you wrote this because I've noticed it on an intermittent basis but nothing as much as you do. It's happened so much that I take extra care with typing the password but it still happens...
  78. Replies
    20
    Views
    22,564

    Re: Check Point vs. Everyone

    Sorry, I'm not sure what you're asking.

    In a speech a year or so ago the head of the OCC said that for the first time anyone can remember, the regulators are not focusing primarily on "safety and...
  79. Replies
    20
    Views
    22,564

    Re: Check Point vs. Everyone

    OCC stands for the Office of the Comptroller of the Currency, which is the primary regulator for US banks. Other US regulators are the Federal Deposit Insurance Corporation and National Credit Union...
  80. Replies
    20
    Views
    22,564

    Re: Check Point vs. Everyone

    Make sure you're not coming across as "I'm smarter than everyone else because I know firewalls" but not the financial business and its regulations, both state and federal. That's a non-starter....
  81. Replies
    10
    Views
    2,480

    Re: Large Downloads getting Corrupted

    What does "large" mean? I just downloaded several ISOs and a VMware OVA and a couple of RPMs that were over 6 GB each and they all MD5'd perfectly. Using R77.10 on Open Server.

    Is the file size...
  82. Replies
    6
    Views
    1,762

    Re: Mail alerts over TLS

    TLS or SMTPS? TLS generally runs over 25 using the STARTTLS command.
  83. Replies
    8
    Views
    2,203

    Re: Urgent R75.40+ patch?

    I particularly liked how, even though we're the customer, Check Point denies us the ability to see the bulletin. We had to open a case with our CSP. What a waste of time and effort.
  84. Re: CheckPoint is on private network and natted for Remote Access VPN

    It's been a long time since I used Check Point's remote access offerings. Back then if you had such a setup there were some changes you had to make to assure that the downloaded topology...
  85. Replies
    2
    Views
    6,483

    Re: message_info: Address spoofing

    I think you really meant "Anti-Spoofing must match the routing table and must never be disabled." :-)

    Groups are always best for both anti-spoofing and the VPN Domain unless they are very simple,...
  86. Replies
    5
    Views
    1,792

    Re: Connections table maxes out

    There's a setting either on the firewall object or maybe global policy where you can set the connection table size. I keep mine at automatic. No, I haven't seen that behavior but I probably wouldn't...
  87. Replies
    12
    Views
    21,967

    Re: TCP packet out of state

    I just had this issue on just one application. It operates through an Apache reverse proxy and the connection between the reverse proxy in the DMZ and the internal server had lots of TCP out of state...
  88. Replies
    3
    Views
    834

    Re: Default router to internet issue

    I don't know anything about the appliances but when I use a separate management interface on Open Server, I need a static route entered to point the management network to the SmartCenter.

    I have...
  89. Re: Check point Security Server vs real proxy like Bluecoat

    Whew, good, you understood. I thought maybe I was being too subtle again. :-)

    Ray
  90. Re: Check point Security Server vs real proxy like Bluecoat

    And to further expand on my displeasure, today there is a security alert sitting in my Inbox for some HTTP protections not working. It is a "high" rating, meaning we must apply it. Guess what step 6...
  91. Re: Check point Security Server vs real proxy like Bluecoat

    And I would be very disappointed if you didn't. :-)

    Unfortunately your use of the word "current" best describes our use case. It came down to a number of things:
    Check Point was five years...
  92. Re: How to: changing gateways (changing hardware)

    So you want to keep the same SmartCenter but replace two gateways? What version are you using?
  93. Re: Check point Security Server vs real proxy like Bluecoat

    If you need to do a good job on content security, a dedicated proxy will always beat the stuff-everything-in-one-box products like Check Point. By good job I mean things like:
    Fast MITM SSL...
  94. Replies
    2
    Views
    3,052

    Re: Proposed Ultrasurf Network Block list

    Does the use of a local proxy break any settings explicitly defined for the company proxy server? I can't see how it would not do that. If you're limiting outbound traffic to just the source IP of...
  95. Re: R77.10 Gaia gateway config restore corrupts the routing table?

    "Same hardware" as in absolutely the same chunk of metal or "same hardware" as in same model hardware and same NICs? If the former, no but I can still try that because I have one more firewall to...
  96. Replies
    16
    Views
    3,259

    Re: Passing public ip???

    If the intent is for them to move off your circuits and IP space as soon as they have their own, yes. That way you're out of the consideration for being part of their PCI environment and probably...
  97. R77.10 Gaia gateway config restore corrupts the routing table?

    When testing a new version we build it on an isolated network and manually configure the gateway completely. Then we save the config off using System Backup, completely re-install the gateway and...
  98. Replies
    16
    Views
    3,259

    Re: Passing public ip???

    Personally I've never had double NATting cause an issue. Since you mentioned point-of-sale, you need to understand if they plan on sending transaction data across your network. If so, that brings you...
  99. Replies
    8
    Views
    4,115

    Re: "Load on module failed - no memory" R75.46

    What log or message led you to look there?
  100. Replies
    7
    Views
    3,730

    Re: Problem upgrading from R77 to R77.10

    Good news. Thanks for the follow-up.

    Ray