CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.

Search:

Type: Posts; User: belvdr


  1. Replies
    2
    Views
    2,211

    Re: ASA5505 for sale

    Nobody is interested in having an ASA in their lab?
  2. Replies
    2
    Views
    2,211

    ASA5505 for sale

    Yes, it's a Check Point board, but many here also support some Cisco gear.

    Anyone interested in purchasing my personal Cisco ASA5505?

    I upgraded it to 512MB of memory from Crucial along with an...
  3. Re: which versions of secure client only use DES encryption

    4.1 had it. I finally found the SKU for SecureClient:

    CPVP-VSC-100-DES-V41

    I think NG had it too (replace V41 with NG).

    I recall implementing DES for some customers in the 2000 timeframe.
  4. Re: which versions of secure client only use DES encryption

    My advice is to get them to the latest version possible for your config and don't enable DES. I thought this was a 4.1/NG thing.
  5. Replies
    12
    Views
    2,323

    Re: Has anyone seen this before?

    Considering IBM itself splits the updates into BIOS, BMC, Disk, Network, etc., I wouldn't necessarily say that. :)

    Seriously, though, if it is occurring as soon as you hit enter at the boot...
  6. Replies
    12
    Views
    2,323

    Re: Has anyone seen this before?

    I have never seen this on my HP DL380 G6s.

    Is the firmware up to date on all other hardware (NICs, SCSI controllers, system board - not BIOS, etc)?
  7. Replies
    5
    Views
    1,941

    Re: Need to renew software subscriptions?

    You can renew at any time, but you also pay more money for the years you were not on software subscription as well. I believe they call them sync fees, which is just another way to get more money...
  8. Replies
    16
    Views
    4,253

    Re: NOKIA VRRP- SYNC Cable Failure

    ClusterXL has the ability to stop this from happening, but you don't want to do this in VRRP. Doeschi is right in that you cannot determine which is Master. In fact, you may have both as Master or...
  9. Thread: DNS Resolution

    by belvdr
    Replies
    6
    Views
    1,771

    Re: DNS Resolution

    Sorry, long day and bad typing = bad replies. :)

    I meant make sure you are pointing to your internal DNS servers. I guess what I'm failing to realize is where this issue is occurring. If the...
  10. Thread: DNS Resolution

    by belvdr
    Replies
    6
    Views
    1,771

    Re: DNS Resolution

    Two things:

    1. Make sure you are pointing to the internal networks.
    2. Confirm you can ping by hostname (not FQDN) from the gateway.
  11. Thread: DNS Resolution

    by belvdr
    Replies
    6
    Views
    1,771

    Re: DNS Resolution

    What is <hostname>, the firewall or the host trying to connect?
  12. Replies
    8
    Views
    2,480

    Re: Is this a Checkpoint bug?

    There have been some questions with regards to this, specifically rolling over every 497 days. This is not Check Point specific, but Linux specific.

    On an R70.30 machine, I have v3.2.7 installed. ...
  13. Replies
    11
    Views
    3,566

    Re: troubleshooting IP390 performance issue

    I wouldn't say it's difficult. ;)

    The HP DL380 G6 along with the HP NC364T quad port NICs would work, as it has three slots readily available. You can add three more slots with an optional...
  14. Thread: Adsl sync speed

    by belvdr
    Replies
    5
    Views
    2,520

    Re: Adsl sync speed

    Let us know how it goes.
  15. Replies
    8
    Views
    2,909

    Re: Poweroff command

    On some older systems, they won't power off. So after issuing shutdown/poweroff, wait until the console says "System halted." and you can power it off safely.
  16. Replies
    8
    Views
    2,909

    Re: Poweroff command

    You can add -h to shutdown and it should poweroff if ACPI is supported on the system. You can safely use poweroff on SPLAT as well.
  17. Thread: Adsl sync speed

    by belvdr
    Replies
    5
    Views
    2,520

    Re: Adsl sync speed

    It looks like the Linksys supports more ADSL standards (2+M and 2M). Off the top of my head, I'm guessing this could account for the difference.
  18. Re: adding default route as part of build (no nets connected)

    Sorry, I thought you were adding via the webui.

    You can modify the /etc/sysconfig/netconf.C directly.
  19. Re: adding default route as part of build (no nets connected)

    Untested, but should work. In expert mode, do a:

    route add -net 0.0.0.0 netmask 0.0.0.0 gw <gateway ip>
    route --save
  20. Replies
    57
    Views
    20,542

    Re: Strange Issue with ClusterXL

    Is this a firewall or linux kernel?
  21. Replies
    24
    Views
    8,685

    Re: Error on policy verify but not on install

    This attitude is being reported in your permanent personnel file. ha ha
  22. Replies
    24
    Views
    8,685

    Re: Error on policy verify but not on install

    Because I said so. ;) I had to find someone to blame.

    I'm not sure how you missed this though. It took you a solid two months to figure out that you were being held accountable.
  23. Replies
    17
    Views
    6,197

    Re: Upgrading from R65 to R71

    If someone were logged in changing things while you're doing the export, weird things can happen. Thus, it is safer to do it after everything is stopped.

    For my backups, and especially during an...
  24. Replies
    5
    Views
    2,737

    Re: Microsoft Direct Access / UAG

    It requires:

    IPv6 using standard IPsec (AES or 3DES)
    Windows 2008 R2 and Windows 7

    It also says it needs a Windows box with two NICs, but I'm wondering if you could multihome it behind CP.

    You...
  25. Replies
    44
    Views
    16,488

    Re: Observations on CoreXL

    It's a lot to comprehend so I apologize for the questions.

    I do have SecureXL, so I'm wondering whether, even if I do manually assign them, SecureXL will come along and reassign them later. From...
  26. Replies
    44
    Views
    16,488

    Re: Observations on CoreXL

    You're welcome. I'm not sure what the impact might be; in fact, it could be slower by using a larger group. Let me know how it goes.

    One other thing to note is that I set the affinity on my two...
  27. Re: Global Object gsnmp-trap causes assignment failure

    I'm thinking "snmp-trap" is a reserved word.
  28. Replies
    44
    Views
    16,488

    Re: Observations on CoreXL

    Heh, yeah right. :)

    One thing to note is when I configured my ASA for AES-256, it recommended I move to DH Group 5 due to the key size.
  29. Re: Looking for UTM-1 & Power-1 CPU (cores, speed) information

    Something tells me he has some internal documentation on the matter...
  30. Replies
    5
    Views
    2,219

    Re: Upgrade to R71.10

    I checked too and couldn't find it. That's a weird trick for them to pull.
  31. Replies
    5
    Views
    2,224

    Re: IP Logging In /var/log/messages

    Unfortunately, I was not able to test that before posting. I'm glad you were able to get this fixed.
  32. Thread: Kernel Upgrade

    by belvdr
    Replies
    2
    Views
    1,061

    Re: Kernel Upgrade

    Alternatively, scp the file to the gateway from your machine, assuming you have /etc/scpusers configured.
  33. Replies
    5
    Views
    2,224

    Re: IP Logging In /var/log/messages

    File is /etc/ssh/sshd_config
    Parameter is LogLevel

    It defaults to INFO, but you can try VERBOSE or higher.

    See: UNIX man pages: sshd_config for more information.
  34. Re: Looking for UTM-1 & Power-1 CPU (cores, speed) information

    I disagree entirely, but we are all entitled to our opinion. Sometimes things need to be said.

    It doesn't make sense to visit a manufacturer-specific board and begin nitpicking them apart with...
  35. Re: Looking for UTM-1 & Power-1 CPU (cores, speed) information

    That's hilarious!
  36. Re: CP-Openswan, subnet-subnet works, subnet-0.0.0.0/0 does not

    If you are not doing so already, I'm guessing you'd have to configure this as a route-based VPN, not a domain-based one.
  37. Replies
    4
    Views
    1,983

    Re: Leaving information security

    I have accepted the new position so I'll be transitioning from this role over the next several months. Honestly, I believe after I leave the position, the firewalls will be back where they were when...
  38. Re: Looking for UTM-1 & Power-1 CPU (cores, speed) information

    I don't even know what that means.

    I read it (and re-read it) and you did not state that. You specifically stated "real maximum", not "user tested":

    Which is flat out wrong. Make sure...
  39. Re: Looking for UTM-1 & Power-1 CPU (cores, speed) information

    If you're going to complain about Check Point's numbers and how they obtain them, then you are as bad as them. You state as fact that dividing by 40 will give you the "real" answer, but in truth, it...
  40. Thread: Network NAT

    by belvdr
    Replies
    7
    Views
    2,062

    Re: Network NAT

    Well aren't you a .... oh wait.. :)

    We've all been there. I'm in the running for the best of the worst tech advice givers. :)
  41. Re: Looking for UTM-1 & Power-1 CPU (cores, speed) information

    Where does 40 come from? Testing?

    It also depends on whether you are running R71 and getting SecureXL functionality.
  42. Thread: Network NAT

    by belvdr
    Replies
    7
    Views
    2,062

    Re: Network NAT

    You'll only need to reconfigure one rule, not all of them. There are a few ways to add manual rules at the bottom:

    1. Rules -> Add Rule -> Bottom
    2. CTRL-ALT-B
    3. Click the button on the...
  43. Replies
    4
    Views
    3,087

    Re: Inbound port translation problem.

    No tricks, but if you're going to R65, you might consider going all the way to R70.
  44. Replies
    2
    Views
    1,743

    Re: Unable to put exception or be granular

    Are your gateways R70 as well? R65 did not support network exceptions.
  45. Replies
    5
    Views
    2,215

    Re: Next business day?

    That sounds perfectly reasonable to me and that's what I'd expect as well.

    NBD = the next business day for the customer
  46. Replies
    4
    Views
    2,920

    Re: syslog TO checkpoint

    A recommendation for a syslog server on Windows is Kiwi Syslog. The latest version even has web access to the logs. There is also a free version if your logging needs are limited.
  47. Replies
    11
    Views
    3,566

    Re: troubleshooting IP390 performance issue

    You said this was run when things are slow, so I'm curious if you hit the maximum connection limit. You can check with:
    fw tab -t connections -s
  48. Replies
    3
    Views
    2,084

    Re: IPsec vpn tunnel question

    It is based on the tunnel configuration from the CP side in this case. The traffic has to pass through the CP device and it is trying to encrypt. It's not reading the ASA configuration to determine...
  49. Re: IP unreachable through UTM1-450, no error in Tracker.

    I cannot ping that host either from two separate residential DSL connections (in different states no less) or my corporate network. It might be they are having an issue.
  50. Re: IP unreachable through UTM1-450, no error in Tracker.

    Is NAT not occurring? Tracker should show you that, if you enable the columns.
  51. Re: Installing R65 HFA50 on Nokia IPSO 4.2 -- Help

    Yes, those are HFAs for the base R65 installation. Upgrade to R65 first, then apply the HFAs.
  52. Replies
    34
    Views
    14,239

    Re: Latest Questions for CCSE NGX -(101 questions)

    Pointless thread should equal deletion.
  53. Re: R65 Management server upgrade to R71 on VMWARE

    I'm not sure why anyone would think it's related to Check Point, especially since the link I posted takes you to VMware's knowledgebase.

    You stated:

    which, when I read it, implies that one...
  54. Replies
    3
    Views
    1,502

    Re: Best Practice - duplicate services?

    It depends on the advanced definition of the service. If it's not specified, I just reuse the service.

    Of course, there's little harm in duplicating it, but instead of service-specific names, I...
  55. Replies
    3
    Views
    1,904

    Re: Disk Maintenance Help

    You can use:
    df -h to see disk space.

    My guess is your firewall logs in $FWDIR/log are consuming space. Move/remove those and you should be good.

    To do so, you may need to do a logswitch:...
  56. Replies
    3
    Views
    1,224

    Re: Gateway Upgrade: disk space issue

    I have never tried to do this from a loop device, so it may be this is causing the issue.
  57. Re: R65 Management server upgrade to R71 on VMWARE

    This is incorrect. Assigning too many CPUs can cause degradation of VM performance.

    I assigned two CPUs to my SMS and it was much slower than one CPU.

    See: VMware KB: Determining if multiple...
  58. Re: R65 Management server upgrade to R71 on VMWARE

    Another option to consider is using SPLAT, which will use less memory than Windows.

    I have an R70.30 SMS managing one cluster and 4 other standalone gateways with 4GB of memory and one core. It...
  59. Replies
    11
    Views
    4,125

    Re: Active Connections

    Look at the traffic. If it's a bunch of IPs that aren't doing anything productive, consider blocking them via rules. However, that would not stop me from increasing the maximum connections so that...
  60. Replies
    11
    Views
    4,125

    Re: Active Connections

    Increase the maximum connections of the firewall. This is done on the Capacity Optimization tab of the firewall object.
  61. Re: IPv6 addresses assigned, but how did it happen?

    My R70.20 open servers and my R70.30 management VM on SPLAT do not show this interface:

    # ifconfig sit0
    sit0: error fetching interface information: Device not found

    Could it be a license...
  62. Replies
    3
    Views
    6,679

    Re: Checkpoint sflow or netflow

    SecurePlatform doesn't support NetFlow yet. I'm wondering if they'll look into this integration in Gaia. Would SNMP work?
  63. Replies
    1
    Views
    1,504

    Re: HA of Checkpoint SPLAT Firewalls?

    I would expect one node's load to be higher in unicast mode, as one node has to forward all traffic to the appropriate nodes for processing.
  64. Re: Fwmonitor giving:-Local Host is not a Firewall-1 Module

    What has changed?
  65. Thread: Webui access

    by belvdr
    Replies
    3
    Views
    1,745

    Re: Webui access

    Are you using any custom plugins/tools/pop-up blockers for your web browser that would block the scripts from running?
  66. Thread: Webui access

    by belvdr
    Replies
    3
    Views
    1,745

    Re: Webui access

    Are you using IE?
  67. Replies
    13
    Views
    3,205

    re: Network Performance - R65

    I'd just use TCPOptimizer and call it a day. :)
  68. Re: Fwmonitor giving:-Local Host is not a Firewall-1 Module

    I'm out of ideas here, and with that version being different than anything I've ever seen, I'd likely consider re-installing the Check Point software. If you are in a cluster, there should be no...
  69. Re: Fwmonitor giving:-Local Host is not a Firewall-1 Module

    There's no expert mode in IPSO.

    Run:
    fw ver

    It should look something like:
    This is Check Point VPN-1(TM) & FireWall-1(R) NGX (R65) - Build 430

    I think your installed packages in Voyager...
  70. Replies
    2
    Views
    1,595

    Re: License for upgradation from R65 to R70

    You can use NGX licenses with R70. However, you won't get any of the R70 features.

    Whether it's cost effective, nobody here can say for your organization. That's something you have to do the...
  71. Replies
    4
    Views
    3,416

    Re: RSA and Smart Center Authentication

    I have this setup and it works great with hard tokens. My software tokens fail though. ACE logs show "Syntax error" or "Access Denied". Anyone able to get software tokens to work with...
  72. Replies
    34
    Views
    6,486

    Re: Anyone running SPLAT R71 SMS on VMware ESX?

    Did you reboot after those changes? I can't think of anything else, other than an issue with multiple CPUs on the ESX host.
  73. Replies
    2
    Views
    1,361

    Re: Checkpoint UTM-1 R65 enable rule change?

    The change takes place once you install policy.
  74. Replies
    13
    Views
    3,205

    re: Network Performance - R65

    Before messing with the firewall, I'd test by putting two nodes attached to the routers directly. This will confirm whether it's routing or firewalling that is causing your issue.

    Also, be sure...
  75. Replies
    12
    Views
    10,359

    Re: How to script route changes

    Wow, how about adding some carriage returns in there? That whole block of text is unreadable.

    EDIT: Looks like you cleaned it up while I was writing. :)
  76. Replies
    4
    Views
    1,983

    Re: Leaving information security

    That's a good point. I was an Oracle DBA, as well as Unix and Windows admin, before taking my current role. I'm finding that screwing around with VLANs for 90% of the day is just not my cup of tea...
  77. Replies
    4
    Views
    1,983

    Leaving information security

    All,

    Just a note that I might be leaving the information security area. I'm applying for a DBA role in our organization due to various reasons. Actually, I learned that information security is...
  78. Replies
    34
    Views
    6,486

    Re: Anyone running SPLAT R71 SMS on VMware ESX?

    Yes, or you can set them manually (with the exception of RxIntDelay):

    ethtool -G eth0 tx 4096
    ethtool -G eth0 rx 4096

    I could not figure a way to set RxIntDelay by the CLI, without unloading and...
  79. Replies
    3
    Views
    1,621

    Re: Hello From a new member rvillano

    That's right! boldin always asks newbie questions... he he :D <just kidding>
  80. Replies
    11
    Views
    5,772

    Re: Passed Accelerated CCSE R70 156-915.70

    Consider it's an upgrade course, so you're not relearning the entire GUI, just bits and pieces.

    I seem to recall that you should know if dynamic routing can work over VTIs and the difference...
  81. Replies
    34
    Views
    6,486

    Re: Anyone running SPLAT R71 SMS on VMware ESX?

    Did you also set the descriptors in /etc/modprobe.conf?
  82. Replies
    4
    Views
    2,045

    Re: WSE0120001 Malicious Code Detected

    D'oh! I was thinking URI; my apologies.

    If R70 or better, you can add a network exception to the protection. Unfortunately, it sounds like you're on R65 (by mention of SmartDefense) and...
  83. Replies
    20
    Views
    3,379

    Re: Need help with SPLAT

    Where is the management server in this diagram? Is it on the firewall itself?
  84. Replies
    6
    Views
    7,103

    Re: info required : antispoofing on command line

    From the management server, you could use dbedit, although I've never done it.
  85. Replies
    20
    Views
    3,379

    Re: Need help with SPLAT

    As I said earlier: the IP of what you use for the dashboard has no effect on SIC.

    Can you draw a diagram with all interfaces and IPs, so we know what we're dealing with?
  86. Replies
    20
    Views
    3,379

    Re: Need help with SPLAT

    It doesn't matter. That's just for login purposes to the dashboard. It has no effect whatsoever on SIC. SIC utilizes the IPs of the objects, not the IP used to login to the dashboard.
  87. Replies
    20
    Views
    3,379

    Re: Need help with SPLAT

    Sure. On the gateway, run 'cpconfig' and select the number for SIC. It will ask if you want to reset it, answer 'y' and enter a new password.

    In the Dashboard, edit the object and click the SIC...
  88. Replies
    7
    Views
    2,465

    Re: FTP Secure is blocked

    That's a bold statement that I disagree with. If someone were to eavesdrop over regular FTP, they now have potential access to the FTP server to start pulling data. From there, they can take it...
  89. Replies
    4
    Views
    2,045

    Re: WSE0120001 Malicious Code Detected

    One workaround would be to add a rule above it, which allows access to that URL.
  90. Replies
    34
    Views
    6,486

    Re: Anyone running SPLAT R71 SMS on VMware ESX?

    Let me know if you see any benefit as well. One instance is not a very good test case. :)

    I actually saw improvement going from 2 vCPU down to 1.
  91. Replies
    1
    Views
    1,388

    Re: load on module failed error

    No need to double post (http://www.cpug.org/forums/check-point-secureplatform-splat/14225-module-failed-disk-space-error.html).

    Check your other thread, as you already have a good reply.
  92. Replies
    20
    Views
    3,379

    Re: Need help with SPLAT

    Logging into the Dashboard is not connected in any way to SIC. Perform the 'fw unloadlocal' command on the gateway.

    Then reset SIC on both devices and install policy.

    You can also define your...
  93. Replies
    34
    Views
    6,486

    Re: Anyone running SPLAT R71 SMS on VMware ESX?

    Two things:

    1. You might try using 1 CPU instead. I have found that adding CPUs for VMs may be detrimental to performance.

    2. Modify the NIC in the .vmx file so that it is using e1000. Then...
  94. Replies
    2
    Views
    1,274

    Re: VPN Between three Firewalls

    Not enough information. Are there rules allowing this? What's Tracker saying?
  95. Thread: DCE RPC

    by belvdr
    Replies
    7
    Views
    3,950

    Re: DCE RPC

    Microsoft Exchange comes to mind, but Wikipedia has more info:

    DCE/RPC - Wikipedia, the free encyclopedia
  96. Replies
    19
    Views
    16,724

    Re: Difference between snapshot vs backup

    No need to reinvent the wheel:

    http://www.cpug.org/forums/38983-post2.html

    I'd seriously suggest using SFTP for backups.
  97. Replies
    11
    Views
    3,877

    Re: telnet on secure platform NGX 65

    Considering these are RPMs and they install without complaints, my guess is it is harmless. Worst case is to uninstall it with 'rpm -e'.

    This installs a telnet client, not a telnet server on the...
  98. Replies
    11
    Views
    3,877

    Re: telnet on secure platform NGX 65

    Yes it is fine. I have run it on R65 and R70 as well.

    SFTP the file to the box and:

    mkdir addon_tmp
    tar zxvf SecurePlatformAddOn_R55.tgz -C addon_tmp
    cd addon_tmp
    ./installme.sh
  99. Replies
    11
    Views
    3,877

    Re: telnet on secure platform NGX 65

    Is it SPLAT or is it Windows? If SPLAT, install this:

    http://www.checkpoint.com/techsupport/downloads/bin/firewall1/r55/secureplatform/SecurePlatformAddOn_R55.tgz
  100. Replies
    34
    Views
    6,486

    Re: Anyone running SPLAT R71 SMS on VMware ESX?

    Two ideas come to mind:

    1. Install Cygwin on the Windows box in order to SFTP from the SMS to it

    or

    2. SFTP from your machine to the SMS and copy the file down and then copy the file to...
Results 1 to 100 of 500