Hi Friends
I finally conquered CISSP. I have cleared the exam. My endorsement is pending...
Thanks for all your suggestions and help...
Hi dreambuddy
Your words are really coming true...
CPUG: The Check Point User Group | |
Resources for the Check Point Community, by the Check Point Community.
Type: Posts; User: vijayant
Is your firewall a cluster? This may be a routing issue in the case of a cluster. Check if routes are added on all members of the cluster. Also you may check on the protocol object in the advanced option...
Is this a Cluster or a standalone system? In case it's a Cluster, then keeping the Virtual Cluster IP the same, you can always change the rest of the IP addresses. In case it's a standalone, you can still create...
Hi
So your site 1 has one firewall FW1 and one Router R1. The site 2 has only one Router R2 with one interface connecting to MPLS cloud and the other interface connected to Internet. If so then:...
On the remote site, the primary is connected to the same MPLS cloud. The secondary is the internet interface that terminates the IPSec tunnel.
What are primary and secondary?
I assume your MPLS link is connected directly to the intranet and not to the firewall. The firewall has more than two interfaces, that is, it has Internal, External and DMZ interfaces. That is the only...
Hi mcnallym
I called up checkpoint. They said it's possible as long as the network reachability is there. In my case what I mean to say is the tunnels established on the internal interface will not...
Hi
We have a requirement to establish Site to Site VPN Tunnel. Few from internal interface and few from external interface. Is it possible? Any issues we can face due to antispoofing? What...
I wonder if you uncheck the VPN option from the firewalls and redo it again. That will regenerate the certificate.
Hi jlobl
For this you need to use URI Resource. I am struggling with the same. Will update you in case of breakthrough.
Hi
Adding to the above scenario (the latest diagram with routers) my setup has DMZ network on both the firewalls (therefore three interfaces: external, internal and DMZ). Due to that we have...
GUI Client: SmartView Monitor will show you the health.
On SPLAT it gave:
[Expert@At-AA-fw1]# pkginfo | grep CP
bash: pkginfo: command not found
Please do
vpn debug off
vpn debug ikeoff
after you are done... :)
Hi
Can you please explain it a bit more. How did you change the IP? Where do you see the "VPN identifier"?
Don't remember the date, but last time we called up checkpoint for some issues on R55 they said they no longer support R55.
Hi
Till now we used Server machines (Dell, HP, IBM) only for firewall installation. For a new facility we are looking for installing UTM-1 (1070). The site capacity will be 500 users.
Can...
Hi
If you can rely on your network then you may proceed that way. But if the logs are primarily stored on the Smart Center Server and periodically moved to some other server, I feel it's more...
Will this be in addition to the existing rule base or will it replace that?
Do a static 1-to-1 NAT for CP1 on the PIX and use the NATed IP to create the Site to Site tunnel between the CP1 and CP2. Allow the VPN traffic CP1 to CP2 through the PIX. PIX will be only a firewall...
The traffic will be excluded from the VPN Tunnel
Hi
when you say "When the destination make the response, the packet pass through the firewall checkpoint without encrypt."
How do you know this?
Hi
Your end subnet participating in the VPN tunnel should be a part of your end VPN Domain. Other end subnet participating in the VPN tunnel should be a part of other end VPN Domain. Also take a...
Is it not too silly..
Hi
Just once again check that all the configurations on chkpt and ASA are the same.
Also try to change the Hashing (e.g. MD5 to SHA1). Also, similarly, you may test for encryption etc.
For me...
Hi
Can you put both these ranges in one subnet, by changing the subnet value on the Firewall?
Hi
Just check with the Firewall admin if they allow your user ID to access the required servers. Also ask them what logs they are getting for your problem.
Hi
Replaced means you have configured all the rulebase, objects, NAT, VPN etc. on the new R65, or did you do an upgrade_export/_import?
Encryption domain of your end should have your end networks...
Hi
The problem is not the access of "acct.company.com". The problem is by some means you have to resolve URL to IP. If the number of machines in your remote company location is small then include...
Do you mean this type? For me it shows on all the objects I have configured under checkpoint and interoperable devices. I didn't face any concern regarding it till date.
Hi dreambuddy
What you said, I have the same perception, that's where I feel a person with MCSE and CCSA is in a better position than me with CCSA, CCSE. Anyhow, your response is precious for me....
Mohit
In a general scenario, Cluster members don't have any logical interface.
It's not a matter of should and can; you need to understand how Checkpoint works as a Technology.
Hi
If you have a Layer 3 switch then you can put the firewalls in one of the VLANs.
Hi
Please do cphaprob -i list, it should show:
Device Name: HA Initialization
Current state: OK
on both the firewalls..
Hi
In case I am rebuilding/upgrading a Firewall, can I add all the existing routes on the crashed/old firewall in one go on SPLAT? On Windows server we can do that, but what about SPLAT?
Also if I...
Hi
Do a cphaprob list. What is the status of clustering there? Just copy paste it. Have you pushed the policy?
Hi
Do you have a License for Cluster and have you pushed the policy after you put that license on the Smart Center Server?
Hi
Do a "fw unloadlocal" on both the firewalls and push the policy again. Also check the status of your Sync cable/interface, it should be communicating. Also I can see that these firewalls are...
Hi
Just check if you can get something from the link http://www.cpug.org/forums/authentication/8476-rsa-authentication-failure.html
Please see the agent host config in the attached doc.
Have...
Hi
Please check the interfaces also, as you said the problem is for in and out traffic both. It's better that the interfaces have statically defined link speed than AUTO.
Are you sure your routing is correct?
What do you see in Smart View Tracker?
Is routing correct?
Is there an access list permitting the same?
Hi
I am CCSA, CCSE. I have approx 7 years experience in Networks and Firewalls. Now I am preparing for CISSP due to its market value and broader domain. The problem is that if I move to the...
Checkpoint will tell that there is network address overlap and SA will not be established.
I think you require route based VPN on Checkpoint and a GRE on Cisco. I have never configured that. You...
Hi
Do a fw unloadlocal on the new one and push the policy again. If this doesn't work, it is always better to recreate the Firewall object or even the Cluster object in such a case.
Try this as well..
Configuring a Subnet
To enhance interoperability with third-party devices, define the subnet used in the quick mode
negotiation per range. To further enhance interoperability,...
Why don't you do the hide NAT in the network object (10.0.0.0/8) itself and put object 10.0.0.0/8 in the VPN Domain.
Hi
Don't create an access list for destination any. Give the other end subnets. On checkpoint just try to configure using the docs. Then let us know the errors you got etc.
Hi
I don't know whether "any" is supported or not on Cisco. To my knowledge Checkpoint also doesn't know any for VPN. You need to know other end subnets and put them in the access list. That way you may...
Hi
I think configuring VPN with a Cisco device is pretty straightforward. Just create an Interoperable device and mention its VPN domain. Rest all is same.
In broadcast mode no need to worry for anything else.
Hi All
Thanks for suggestions.
Actually we have followed all the steps as per configuration docs. But we did not know where to start with the troubleshooting. By segregating we finally...
In RSA Server we have created users and Agent Host. In Firewall we have placed sdconf.rec and also created sdopts.rec. When I try to authenticate in a Client to Site VPN. It says wrong username...
I'm getting INVALID ID INFO on phase 2 with a Cisco 3005? (Both peers have validated the encryption domains, and they seem to match).
Even when your domain is defined correctly-> In QM PACKET 1...
What is the message in tracker now?
Right click the object and option > where used. You will know where it is used.
/etc/hosts should not matter I suppose, not sure.
If possible generate...
Hi
Something similar I am facing. We upgraded R55(Windows Platform) to R60(Secure Platform). The tunnel between my Cluster and remote VPN Concentrator gave no valid SA error. Tunnel can be...
Hi
Please share the info how do you make the SNMP communication possible with checkpoint. I have the Checkpoint MIB. Can I monitor CPU, Memory, Load etc. If yes then how? Using SMTP the firewall...
In Smart View Status are the licenses attached properly? Please verify. Check the Firewall status in Smart View Monitor. VPN with Cluster is configured in the same way, only instead of Gateway IP you...
Please check the License state in Smart Update are they still attached to Firewall modules.
Just take down time. You just dont know what new prob may surface at that moment. Always something that you have relied the most...
If you connect the Secondary first, just check the networking...
mcnallym
You are right. It seems to be a routing issue. I disabled Office mode and it worked fine. I suspect the Office mode network could not be routed properly, that's why the problem. So most...
mcnallym
It's a new Server, so still it's not connected to network. I just try to connect using my Laptop, putting the IP in network same as the external network for the firewall. Yes I created new...
Hi We are upgrading NG AI R55 (Windows Platform) to R60 on SPLAT. Problem is that after upgrading, client to site is not working, it was giving something like "Could not get Certificate to check...
Do "fw unloadlocal" if the firewall is not in production or take down time, and troubleshoot the interface alone. Is it a Windows platform or Unix/SPLAT? For Unix/SPLAT use the mii-tool command to...
Hi
It's working now. Maybe it was due to two objects created for the same Server, one with the Public IP and the other with the Private IP. Too many people working on the same issue, ;)
Hi
On R55 a machine A with IP 192.168.100.10 is static NATed to 202.89.64.5. It's automatic NAT. NATing is working fine i.e. IP 202.89.64.5 is accessible from Internet. Now 192.168.100.10 is not...
melipla
Time difference between firewalls is 40 seconds, between Smart Center Server and Firewalls is approx 7 min.
Also let me tell you that 90 % of the traffic on this firewall is of some file...
Daniel
Can you please explain why you have these doubts.. I am not sure how the SIC was established but I will proceed with the steps told by you. Please let me know if any more info I can give to...
Hi
We are using R60 in Cluster High Availability. It seems our SIC interface is not working properly as we see ping response of 10000 to 20000 ms on it. We have decided to config SIC on another...
James
Just check in the "Certificate Path" option of the certificate provided to you, if you see the CA you trusted. If this is not the case then you have to check with Verizon.
sebastan
You should not reach the destination through two tunnels. e.g if A, B, C are in a single mesh community and also if B and C are in another VPN community.. then from B to C there are more...
Just try two things more:
1. Reset the state on Firewall as in: http://www.cpug.org/forums/vpns-virtual-private-networks/7908-gre-traffic-failing.html
2. Select "One VPN Peer each pair of hosts"...
Yes we solved it. Checkpoint asked me to clear the state.
Procedure:
1. Do cpstop on Smart Center Server and all firewall modules in the cluster simultaneously.
2. Backup the content of state...
Cisco rtr is not NATed. My fw is R55, remote is R62. Both sides are PFS enabled as per now. We did a lot of changes to get this resolved. Now if I do fw monitor -p all, I see packet from GRE router at...
Hi
Can anybody send a resolution to this one? I am getting exactly the same.
Hi CCIE
the scenario is similar to what you mention, instead of PIX we have Chkpt on both sides. I am not able to get the Cisco IOS version. In the error log i am getting Gateway is PFS enabled...
Hi
We have a VPN tunnel between 2 Chkpt Fws. My side it is R55. All the traffic through goes well except GRE. Error no valid SA. All configuration checked well. One more strange thing I see in...
Reboot Smart Center.
Is there the latest HFA on the server?
Just try to connect Smart Update, that should work. There after you can check License.
Hi All
I just want to know if I can monitor the performance of any Checkpoint product (SPLAT) using SNMP. We have SolarWinds. In that I can see OID 1.3.6.1.4.1.2620 for checkpoint. Does that mean...
Please check if it gets resolved by implementing the latest HFA for R62.
Hi
We are about to do a new setup with one Smart Center Server R65 and two Firewalls in Cluster R65. For current time configuration I need to know how to configure time sync using NTP server....
Hi daz306td
Please check for 'mgha' on Smart Center Server.
1 10.0.0.1 100% active
2 (local) 10.0.0.2 0% down
down may indicate a cable issue.
For my case I have registered some of...
Hi All
I got it. It's here http://www.cpug.org/forums/check-point-secureplatform-splat/1574-ethernet-bonding.html
Thanks
Hi All
Just curious to know, is there a way to put multiple interfaces of a single firewall under one IP, something called "teaming" to provide load balancing or else like even if an interface...
You need a proper solution for URL filtering e.g. Websense etc. Checkpoint itself does not provide in depth URL based filtering.
Use an additional NATing device in the home network, NAT the printer to some IP that does not fall in the VPN domain. If there is no way out you may try that.
Hi
I updated the system with latest Hotfix HFA06 and its working fine now. Thanks to all.
Hi
I am using one of my production Smart Center Server Licenses in my test lab Machine, with all configuration same except the host name and OS. My original server is SPLAT R60 whereas the test...
Did you see any failed traffic between the gateways.. i mean Source Gateway (Connection origination side) destination (Connection termination side). If so please check
...
Hi
I need to create a tunnel with my client having presence in Germany and UK. We are having R60 cluster, other end firewall is not known. We are required to create a tunnel in primary backup mode....
Thorpuse
Sorry I could not test that way. It's in production, need multiple levels of approval. So isn't there any command etc. to check the state sync? CCP is default so Multicast.
I am not sure about that, as the connectivity is already down and we reboot the primary... so no idea.
I could not find the required command. Please tell me ..
Failover takes place successfully.
cphaprob state
1 10.0.0.1 100% active
2 (local) 10.0.0.2 0% down
[Expert@MOON]# cphaprob -ia list...
Thorpuse
It doesn't seem to be a cluster issue.. please check my previous post
http://www.cpug.org/forums/miscellaneous/6634-connectivity-breaks-high-ping-response.html
also when we reboot...
Hi
We have a remote site with R60 Cluster. At times it happens that the primary firewall misbehaves and we lose connectivity to the network behind that firewall. As it is not totally down so...
Your checkpoint is not expecting the subnet 192.168.120.0/24 from the interface it is coming from. Can you please check if the same subnet is defined at "IP Address behind the interface" on internal...
Is there some connectivity where the hosts can ping each other but can't transfer file--
This may be an MTU issue, try decreasing MTU on the source host or destination server else
Smart Defence> IP...
Thanks a lot napo..
So does that mean Action > Encrypt is only required in Inbound rule? Or will the outbound rule with Action > Encrypt take care of any traffic from/to Destination server....
Hi Ray
What to do if this traffic has to pass through VPN?
Hi friends
I am getting some insight but still confused.
If I am putting a rule as :
Source abc@any
Destination Myftpserver
Action Encrypt