CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.



Type: Posts; User: Thorpuse


  1. Re: Which rule design is better (Replies: 5, Views: 3,902)

    The performance impact is negligible. An additional reason for doing this is VPN rules - I've seen strange things happen when people make bi-directional VPN rules.

    It's also generally good...
  2. Http://www.vpnc.org/ does this.
  3. Re: another checkpoint snafu? (Replies: 5, Views: 3,445)

    I would never recommend running the webviz tool directly on the CMA anyway.... It's better off used as a remote CPMI client - this also minimises the risks to your CMA from files being in the wrong...
  4. Re: Should The CPUG Discussion Board Have A Board Of Advisors?

    My comments and ideas on this are already on record - they can be seen here. However based on subsequent actions, I think it would be inappropriate for me to comment further, apart from to say from...
  5. Re: Disk full on 8GB root drive UTM-2076 (Replies: 4, Views: 3,471)

    The solution to your problem is here - Online partition resizing on UTM-1 appliances My Check Point Blog . There's a bunch of other really useful stuff linked here too...
  6. Re: How to hide network object behind another network address pool

    Yuck.... so your other problem is going to be anti-spoofing for the return packets. You'll either need to disable anti-spoofing (NOT recommended!) or get the remote party to NAT their traffic....
  7. Sticky: Re: My Foundation Principles as Discussion Board Administrator

    Actually the issue many people had has ultimately come down to fundamental issues of governance, moderation and the arbitrary execution of control on this forum. Sadly, this thread is about all that...
  8. Re: Stop Checkpoint during boot from Single User Mode

    cpconfig has an option for automatic start of Check Point products. Use that if you want to control product starts on reboot.
  9. Sticky: Re: My Foundation Principles as Discussion Board Administrator

    As I was banned, I was given no right of reply. Which is probably fair enough, because any chance I would have had to comment would probably have been deleted anyway. Seeing as the last deleted post...
  10. Re: Licensing a UTM Cluster (Replies: 7, Views: 3,067)

    I'd also strongly recommend you visit UTM-1 My Check Point Blog and read up on the Perfect Setup work that has been done there. Setting up a UTM-1 Cluster is a little different to your typical...
  11. Re: Licensing a UTM Cluster (Replies: 7, Views: 3,067)

    Correct - I need to dust off my CCLE certification, obviously... :P
  12. Sticky: Re: My Foundation Principles as Discussion Board Administrator

    Will these principles be updated to reflect more recent events on this forum? I would suggest that principles 6,7,8,9,12,16 and 17 have had numerous issues of late, and it would be good if the forum...
  13. Re: Licensing a UTM Cluster (Replies: 7, Views: 3,067)

    The licenses should be local, to the IP address of each UTM Cluster member.
  14. Re: modify or delete multiple objects NGX R65 (Replies: 4, Views: 1,955)

    dbedit is definitely the right way to do this. If you can work out how to do this for one object, then you should be able to script it for the others.
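    As an added illustration of the scripting approach suggested in the post above (this is not code from the post or from Check Point), the shell function below turns a list of "object-name ip" pairs into a dbedit batch file that changes each host object's address. The dbedit command syntax (modify/update against the network_objects table, the ipaddr field, and the -local and -f flags) is as I recall it from the dbedit documentation of that era; verify it against the reference for your release before running it against a live management server. The input pairs are constructed sample data.

```shell
#!/bin/sh
# gen_dbedit_script: read "name ip" pairs on stdin and write a dbedit batch
# to stdout. Each object gets a modify (set the address) followed by an
# update (commit that object); a trailing quit ends the batch.
# Lines whose address contains anything but digits and dots are skipped
# with a message on stderr, so a typo in the input list cannot reach dbedit.
gen_dbedit_script() {
  while read -r name ip; do
    [ -z "$name" ] && continue                      # ignore blank lines
    case "$ip" in
      ''|*[!0-9.]*)
        echo "skipping $name: bad address '$ip'" >&2
        continue ;;
    esac
    printf 'modify network_objects %s ipaddr %s\n' "$name" "$ip"
    printf 'update network_objects %s\n' "$name"
  done
  echo quit
}

# Typical use on the management server (constructed example input):
#   printf 'web01 10.1.1.1\nweb02 10.1.1.2\n' | gen_dbedit_script > hosts.dbedit
#   dbedit -local -f hosts.dbedit
```

    Keep a database revision (or a fresh upgrade_export) before feeding the batch to dbedit; a mistyped object name in the input produces a dbedit error for that object but does not roll back the ones already updated.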
  15. Re: installation failed. Reason: Internal SSL authentication SSL error (Unknown) message

    If you're running IP380s, guess it's a safe assumption you've also got a pretty old (let's say 5 years...) SmartCenter Server. Chances are you've hit the Certificate Lifetime of the SmartCenter...
  16. Re: User dependent IP address possible? (Replies: 1, Views: 1,442)

    You can use User@host in rules as a source to control where VPN users can go on the decrypting gateway.

    You can also allocate unique Office-Mode IP addresses based on users. This can be extremely...
  17. Re: use two smart dashboards in different sites (Replies: 8, Views: 2,730)

    Virtualisation is another way to attack this - build your management in a VM and take a snapshot of the base build to reside in DC-B. Then in a disaster, instead of a rebuild you can just start the...
  18. Re: WebUI - Unable To Login (Replies: 11, Views: 5,397)

    If you're not sure about this, run netstat -nap and check the ports that CP is listening on. It may be the case that with an upgrade, something else is now listening on that port and you have a...
  19. Re: WebUI - Unable To Login (Replies: 11, Views: 5,397)

    What port is your WebUI running on?
  20. Re: Upgrade UTM from R65 HFA70 to R70.40 (Replies: 6, Views: 2,192)

    Do an IPS update... that should sort things out. Get an eval license for this if you don't have rights to it. If you can't get an eval license, log a call with the TAC to get the eval license to do...
  21. Re: Enabling Clustering on Standalone R71 UTM-576

    Look here and here for details on the best ways to set up the UTM-1 and Clustering. Tobias's blog (linked) is easily the best reference on this around.
  22. Re: Poor SSD performance - is this the max? (Replies: 3, Views: 3,020)

    Interesting.... I flagged this as a potential issue about two years ago, seems I was ahead of my time in seeing this... just to be sure, you may want to ensure that the right SSD drivers are...
  23. Re: Issuing accounts for several hundred users (certificate auth) any way to do it bu

    fwm dbexport/dbimport won't help with certificate users.

    I recall from a while back that the ICA Management tool might have had a format for bulk certificate registrations. Do some searching on...
  24. Re: how to restore ? (Replies: 10, Views: 2,164)

    There's a good explanation of the pros and cons of snapshot vs backup and when to use which here. The key differences are size of file, snapshot will cause an outage as it stops the FW, and different...
  25. Re: R71.30 Reporter license..central or local? (Replies: 3, Views: 2,017)

    Local. Unless something dramatic has changed, Management Blades are all local licenses. Only Gateway Blades can be centrally licensed. Does anyone know otherwise?
  26. Re: policy verification warning. what is this? (Replies: 13, Views: 4,496)

    Also using VPNs will become problematic because of the ways that CP calculates encryption domains. Any VPNs been set up lately?
  27. Re: R65 P1 to R75 smart-1 standalone? (Replies: 6, Views: 2,957)

    This is why using odumper and/or confwiz might be better in this case. It won't copy everything, but it should be enough so that the customer can have most of the heavy lifting of policy...
  28. Re: R65 P1 to R75 smart-1 standalone? (Replies: 6, Views: 2,957)

    That's because there isn't really one. Options:

    1. Use the migrate scripts from R75 to dump their CMA. Potential risk of information leakage depending on how independent your CMA and rules really...
  29. Re: error while saving policy (Replies: 8, Views: 2,342)

    Go through the audit logs and review every change that was done since the last successful policy install. Back out as many of them as possible.

    Then turn on DB revisions, so this doesn't happen...
  30. Re: A VPN Configuration Scenario (Replies: 4, Views: 1,951)

    ...or get a fixed IP for your DSL connection.

    Without this, you're relying on a dynamic IP to define your IP address for a remote Peer. That's not going to get you far.
  31. Re: How to find a rule which is not used for a period of time

    Use Tufin SecureTrack. Problem Solved.
  32. Re: SecureClient Continuous Password Request (Replies: 6, Views: 2,202)

    Perhaps someone has made a change to the RAS encryption domain, and what you have happening is the site authenticating to multiple gateways?

    I'd be going through any/all network and policy...
  33. Re: Best Practice Guides for Provider-1 (Replies: 1, Views: 1,950)

    I'd be keen in helping out with this - a big gotcha you'll need to capture is the license transition to MDM licenses.
  34. Re: Multiple domains, separate forests (Replies: 4, Views: 2,590)

    So here's the other question - do you need the User Directory Blade at the management level for the AD integration to work?
  35. Re: No logs to CMA after import (Replies: 8, Views: 2,652)

    So if you do that, you also need to change the gateway properties to "Use Local Definitions for Masters and Logs" before that takes effect. Have you done this as well?

    IIRC a cpstop/cpstart of the...
  36. Re: HA cluster one IPS blade (Replies: 4, Views: 1,920)

    This is correct. It's a change from NGX licensing, which used to apply per-site.
  37. Re: No logs to CMA after import (Replies: 8, Views: 2,652)

    Check the Logs and Masters setting on the gateway object - you may need to manually set these with the new CMA/CLM.

    Also confirm that it's not set to use local definitions for masters and logs....
  38. Re: Mail, Calendar / Mobile Access Blade / Iphone

    How about telling us how it was fixed? Sharing is caring...
  39. Re: Regarding Snapshot location (Replies: 3, Views: 1,510)

    Snapshots on the Appliance platforms are somewhere off the $FWDIR/log partition. This one caught me for a while too...
  40. Re: SPLAT NGx R71.20 MUST READ (Replies: 6, Views: 2,675)

    SPLAT was designed so that specific Linux OS knowledge beyond the basics shouldn't need to be known to manage it. One of my pet bugbears is people who treat it like a generic linux build and then...
  41. Re: Pre-defined filtering for users possible? (Replies: 13, Views: 2,561)

    The bigger issue here is that if this is being done for compliance/audit purposes, a fixed view in a tracker GUI is going to be trivial to bypass....

    The only way I can see to do this is to write...
  42. Re: Move FW to be managed by new Smart Center (Replies: 6, Views: 2,033)

    Actually... the right way to look at this is to do a risk assessment and understand what your RPO/RTO times are, and map these against the cost of the solution. A simple criteria test

    Management...
  43. Re: R75 and CPFW-FM-U-NGX CPMP-PPK-1 Lics, Core limitation

    This issue about multicore licenses was something I raised a number of times during the initial Software Blades rollout and earlier. In principle, I still think the reasoning around cores as a...
  44. Re: Troubleshooting UTM-1 2050 (Replies: 12, Views: 3,436)

    Good result! That's basically what I would expect to happen - thanks for confirming it.
  45. Re: Troubleshooting UTM-1 2050 (Replies: 12, Views: 3,436)

    Actually, this does raise a really interesting licensing question - with the UTM-1 devices, the license ownership is bound to the device. Therefore if you purchase the device, shouldn't you also get...
  46. Re: This does not look right (Replies: 7, Views: 2,414)

    I can only tell you what I've tried. I'd be very surprised if this tool could corrupt anything - as I've always understood it, it's a read-only tool.

    I don't have any inside information - I do...
  47. Re: This does not look right (Replies: 7, Views: 2,414)

    My experience with the tool was with a SmartCenter, not a CMA. Don't know if that makes a difference.
  48. Re: This does not look right (Replies: 7, Views: 2,414)

    I've had Web Visualisation working on R71. Let's stop the conspiracy theories please.
  49. Re: Please stay away from Power-1 Appliance 11065

    Ok, definitely haven't seen that. That's certainly something that should go to TAC to investigate. Is this R70, R71 or R75?
  50. Re: Please stay away from Power-1 Appliance 11065

    Thank you for testing this - that eliminates one of the 3 issues it could be. Now, as I asked before, can you confirm whether after a shutdown (as opposed to reboot) it comes up every time? If so, we...
  51. Re: Please stay away from Power-1 Appliance 11065

    Ok.... so what bugs me here is that it's assumed that the only product that could be at fault here is the CP one. I've seen some pretty massive bugs around the Cisco side of 10Gb support as well, so...
  52. Re: Please stay away from Power-1 Appliance 11065

    You're probably right. However, I can tell you that the combination of SPLAT + 10Gig cards + Nexus switches has seen a similar issue. Try a shutdown rather than reboot. Bet that brings it up every...
  53. Re: Please stay away from Power-1 Appliance 11065

    This issue is not unique to this appliance. I believe it's something to do with the way that dead connection detection is done on the Nexus switches and/or the 10Gb drivers in linux/SPLAT. Try an...
  54. Re: su command alias question (Replies: 9, Views: 2,160)

    I'll defer to my good friend MrSnakey on this - Editing the Commands Available in Check Point's Restricted Shell, cpshell | Snake Oil Research
  55. Re: "Sites" in NGX/Blades (Replies: 13, Views: 3,987)

    I'll defer to any CP person who wishes to disagree, but my understanding is that whether you push to a profile or not, it's still the gateway count that matters. You'll need the SMU, not the SM10.
    ...
  56. Re: How to not overwrite fwkern.conf during upgrade to R75

    The best follow-up on this would be to update the Upgrade guide on this and other elements that may be an issue during an upgrade. Perhaps even add an explicit disclaimer to the upgrade program to...
  57. Re: UTM Failed to take the updates (Replies: 5, Views: 3,178)

    Yep - seen this before. Need to log a support call, they will provide instructions on re-installing that element to refresh the update process. You haven't supplied what UTM version you're running,...
  58. Re: su command alias question (Replies: 9, Views: 2,160)

    It's hard to see this as anything other than a problem you've created for yourself by changing the default shell. The default shell is intentionally restricted, and provides a very straightforward...
  59. Re: Upgrade from SPLAT R65 to R71. Nic no longer work

    Contact support - I believe you need a special driver for that NIC.
  60. Re: Check Point R70 R71 R75 Visual Road Map (Replies: 30, Views: 11,739)

    Sheesh! Yeah CP, how about a royalty or acknowledgement! IP (the other kind!) is important too!
  61. Re: enable cisco vpn client without shuting down the IPS

    You'll also need to ensure that the Cisco VPN client is not HideNATting behind the Firewall's IP address, otherwise the IKE packets will be intercepted by the CP firewall. Create a Static or Hide NAT...
  62. SNX Escalation of Privileges Vulnerability (Replies: 2, Views: 1,661)

    FYI - See SecureKnowledge sk60510 for details.

    Sounds kinda nasty. Anyone know any more about this?
  63. Re: Determine if service is Check Point or user created

    I put a process in place to use a custom prefix on any services I create so that I can work this out. Naming convention tricks FTW... :)
  64. Re: R71.30 is GA (thread started by Thorpuse; Replies: 36, Views: 8,668)

    What does the crs.xml file do anyway?
  65. Re: Upgrading SCS to R75 (Replies: 8, Views: 3,377)

    Mixed Windows/SPLAT management HA is a no-no. Doesn't work because of dos2unix conversions, among other things. However doing the export/import of the R75 build should work. If it doesn't, then...
  66. Re: Upgrading SCS to R75 (Replies: 8, Views: 3,377)

    Have you tried exporting from your Windows R75 build and importing this into SPLAT? That would be a good test to see if it is legitimately a dos2unix-like issue, or if there was something else going...
  67. Re: Endpoint Security R80 Available for Download (Replies: 22, Views: 7,569)

    LOL... You can't get the product to run and can't license it properly, but you think it looks really good? Unless I'm missing some irony here, that doesn't sound very successful to me!

    A unified...
  68. Re: SecuRemote on Windows 7 64bit (Replies: 29, Views: 10,581)

    Not really - it proves that SecuRemote is not allowing IP Forwarding, as already mentioned. I don't really want to try and find an exploit to the product to prove the point - you can't route through...
  69. Re: Need help with Routing issue in UTM-270 (Replies: 11, Views: 2,944)

    You have not set up the Remote Access VPN Domain correctly. Create a group for what you want to tunnel and set this as the RAS VPN Domain.
  70. Re: Cluster XL do not fail over (Replies: 4, Views: 2,505)

    run

    cphaconf set_ccp broadcast

    on both hosts and retest.
  71. Re: Upgrading a UTM 270 from R65 to R7x = Lost interfaces

    There's a hotfix to apply.

    This took me about 5 seconds to find in SecureKnowledge, using the search of "UTM-1 upgrade interface". Please use the tools that are available to you and find it...
  72. Re: Endpoint Security R80 Available for Download (Replies: 22, Views: 7,569)

    It took over 6 years to get the Database unified.... I wouldn't be holding your breath for a unified GUI....
  73. Re: SecuRemote on Windows 7 64bit (Replies: 29, Views: 10,581)

    Doesn't have to be cygwin. Anything that will work as a proxy on the XPMode system will work. The point is that you need the traffic to originate from the XPMode system, and using a proxy or...
  74. Re: Upgrading a UTM 270 from R65 to R7x = Lost interfaces

    Known issue, documented in SecureKnowledge. It got me too, in fact I think I was one of the first to report it.
  75. Re: SecuRemote on Windows 7 64bit (Replies: 29, Views: 10,581)

    You've actually got two problems:

    1. IP Forwarding. SR/SC will disable this, so routing the packet through the XPMode VM will be disabled.

    2. (and this is your bigger issue...) The source IP...
  76. Re: Is it possible to have two separate public subnets behind one interface

    Secondary IPs are also a nightmare in Clusters....
  77. Re: Endpoint Security R80 Available for Download (Replies: 22, Views: 7,569)

    I think it was 2004 when I asked how long it would take before we'd have a unified database for Endpoint Management.... and it was always promised that "the next version" would have it. Finally we're...
  78. Re: R75 available for download.. (Replies: 39, Views: 13,734)

    I must admit I've never really understood the point of restricting access like this. The more people can self-serve, the less they'll need to rely on support calls and other procedural stuff that...
  79. Re: Check Point certification - new exams, latest changes

    Any words on benefits of being a CCMA? Apart from the artificial demand created by Partner program requirements, I still struggle to see the value of the certification beyond vanity. Give me a...
  80. Re: Provider-1 NGx R71.20 High Availability. Good or bad ideas?

    What's also important is to properly understand what "Collision" state means, and why it got there.

    "Collision" means that at some stage, both CMAs have been Active, AND have had some sort of...
  81. Re: R70.40 to R71 (thread started by Thorpuse; Replies: 14, Views: 3,173)

    Unless you've got a feature-based reason to go to R71, I'd hold off until a more formal upgrade path from R70.40 is nominated. R70.40 is arguably more stable and less buggy at this stage.
  82. Re: VRRP on SPLAT (thread started by Thorpuse; Replies: 6, Views: 3,464)

    Nope - GAIA will probably support this, but SPLAT does not.
  83. Re: Upgrade/Migrate Solaris NGX60 to UTM-1 3070 (Replies: 7, Views: 1,969)

    RTFM...

    sk33896 on the CP Support Center site has all the steps you need for this. Follow this exactly. There are tricks to what you're trying to migrate that aren't standard, and if you mess it...
  84. Re: SG80 Issue (thread started by Thorpuse; Replies: 9, Views: 4,717)

    Hacking the masters file should definitely work - you just have to remember to edit the gateway object to use local definitions for masters, otherwise it doesn't look at your local modifications.
    ...
  85. Re: SG80 Issue (thread started by Thorpuse; Replies: 9, Views: 4,717)

    There's a number of ways to fix this -

    - In the SC object, there are NAT options for Management traffic. Setting these should ensure that the gateway gets the right IP for management traffic. Note...
  86. Re: OpenSource VPN Client for Windows 7 x64? (Replies: 25, Views: 10,029)

    But it's a different product, with a different feature set.... Secondary connect, anyone? Concurrent connections to multiple sites? Redesigned topology calculation? Automated updates? All of these...
  87. Re: OpenSource VPN Client for Windows 7 x64? (Replies: 25, Views: 10,029)

    So why call it SecuRemote, and confuse everyone? While I'm impressed that CP Marketing (for once!) have chosen not to mess with the name of a product as it "evolves", if it is a brand-new product,...
  88. Re: OpenSource VPN Client for Windows 7 x64? (Replies: 25, Views: 10,029)

    Whoa.... wow.... so after 3 years of being told that "SecuRemote cannot be upgraded to 64-bit without rewriting the whole code" CP are now actually going to do it?

    Or is what is really coming a $0...
  89. Re: Is this a Checkpoint bug? (Replies: 8, Views: 2,484)

    Sounds like a bug in Linux/SPLAT.
  90. Re: Is this a Checkpoint bug? (Replies: 8, Views: 2,484)

    Check /var/messages and bootlog and see when the last time it rebooted was. The most plausible explanation is that it did reboot.... might mean that your monitoring missed it, especially if it's part...
  91. Thread: Stonesoft AET (started by Thorpuse; Replies: 3, Views: 2,465)

    *sigh*.... I thought we were past the days of FUD-based marketing, posing as "security advisories"....

    AETs look like the "Software Blades" of the IDS/IPS world. There's nothing that looks new...
  92. Re: Script for writing rules (Replies: 7, Views: 2,864)

    Ofiller for the win! The Ofiller/Odumper utilities can be used to write rules, suggest you play with this.
  93. Re: SSL Network extender (Replies: 7, Views: 4,228)

    IIRC, the 30-day standard trial license doesn't include RAS VPN licenses anymore. Make sure you get a trial license for Endpoint and remote access as well....
  94. Re: Multi-Domain Management software blades (Replies: 21, Views: 7,048)

    It can be - it's the licensing model for it that I'd like to see be more flexible. CLM/MLM licensing was one of the most dramatic losers in the blades setup, still the overall cost is a lot nicer.
  95. Re: Multi-Domain Management software blades (Replies: 21, Views: 7,048)

    YAY!!! Well done CP for finally getting (most of) this right! Big fan of this change - it reflects something that I mentioned about 5 years ago at a CPX that the main reason people didn't use...
  96. Re: Convert from Simplified to Traditional mode VPN

    An even simpler way of dealing with this is if the remote site is using private addressing, only include the private addressing in the VPN domain. That way any public IPs travel in the clear, and...
  97. Re: Multiple Simultaneous Secure Client Connections?

    Unaffiliated? It still needs to be authenticated and pass validation checks.... Any risk about "affiliation" would apply to any VPN connection. The fact that endpoint validation is done via...
  98. Re: Multiple Simultaneous Secure Client Connections?

    SecuRemote/SecureClient has done it for a decade.... it's not that challenging. Overlapping IP spaces are handled by SR/SC by a warning dialog and disabling the older site. Conflicting Security...
  99. Re: Multiple Simultaneous Secure Client Connections?

    I still find this limitation crazy. It's easy to prove that multiple concurrent OM addresses can reside on a client (I've done it numerous times with SC and EPC installed). I'd hoped that Discovery...
  100. Re: Unable to use certificate enrollment (Replies: 6, Views: 3,968)

    I've seen a bug where Certificate enrolment fails when the SCS is NATted and the connection from the GW to the SCS doesn't use the NATted IP. Editing masters files etc didn't help. Contact CP for a...
Results 1 to 100 of 500