CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.



Type: Posts; User: oharek


  1. Replies
    0
    Views
    224

    No return traffic from remote site

    Hi,

    An ACS server sits on the DMZ switch and when I try to authenticate to the Mobile software using port udp/1812 I am getting a connection ok to two IP addresses at the remote end
    So I am...
  2. Re: Network monitoring on Checkpoint ext interface

    Thanks for the advice. I will try both tcpdump and fw monitor - plus check the cores and cpu stats
  3. Network monitoring on Checkpoint ext interface

    Hello,

    My Checkpoint 4400 is my external firewall. I have upstream proxies from the dmz that go through this firewall to the internet. Some users are complaining that internet is slow on my...
  4. Replies
    5
    Views
    1,729

    Re: Checkpoint CPU question

    [Expert@UTM-WEST-CORP:0]# enabled_blades
    fw appi ips



    [Expert@UTM-WEST-CORP:0]# installed_jumbo_take
    bash: installed_jumbo_take: command not found
  5. Replies
    5
    Views
    1,729

    Re: Checkpoint CPU question

    One of the checkpoints is sitting at 95% today and the other is 555
    I have attached the output from the one of the two checkpoints which is 95%

    Any advice is welcome - i am just trying to work...
  6. Replies
    5
    Views
    1,729

    Checkpoint CPU question

    Hello,

    I have got 2 x Checkpoint 4400's externally facing with 100MB links to the internet. Recently we are using more applications like Office365 and Skype. Skype calls drop out occasionally ...
  7. Replies
    1
    Views
    1,815

    Load balancing of internet services

    Hello,

    I have two sites with 100MB internet pipes to both from the same provider. Half of my NAT is done on site A checkpoint and half done on site B checkpoint. My direct access application is...
  8. Replies
    4
    Views
    2,153

    Re: High Availability OPTIONS

    KEMP 3400 - I am starting to think they are very limited though. I am testing with them but don't trust them to go into production
  9. Replies
    4
    Views
    2,153

    Re: High Availability OPTIONS

    I have a 100MB dedicated fibre running between the two datacentres. I have Layer 2 connectivity between both firewalls.
  10. Replies
    4
    Views
    2,153

    High Availability OPTIONS

    Hello,

    I have two sites 3 miles apart. Both have a 100MB internet pipe and terminates on my Checkpoint Firewall. I have dmz services running at both sites but my two firewalls are running as...
  11. Replies
    13
    Views
    3,846

    Re: Office365 IP addressing alternatives

    You're correct - Checkpoint had a look and also got me to tick this box for HTTPS inspection on the gateway
  12. Replies
    13
    Views
    3,846

    Re: Office365 IP addressing alternatives

    Yes - that worked (almost 100%)

    Our server team are using a hybrid test tool on their exchange server to connect via the Checkpoint to the Microsoft Cloud. Now that I have the rule in you...
  13. Replies
    13
    Views
    3,846

    Re: Office365 IP addressing alternatives

    Not too sure what you mean

    Do I need a rule to allow the corporate network to get to office365 somehow?
  14. Replies
    13
    Views
    3,846

    Re: Office365 IP addressing alternatives

    Sorry to ask again - but I have the Application Control setup from my internal IP's to the office365. But when I try to connect to the Microsoft cloud the Microsoft IP's are showing up as blocked on...
  15. Replies
    13
    Views
    3,846

    Re: Office365 IP addressing alternatives

    Good advice - application control could be the way to do this. I have the blade licenses on my checkpoints to do this as an option.
  16. Replies
    13
    Views
    3,846

    Re: Office365 IP addressing alternatives

    I have looked at my Checkpoint licenses and I have already paid for application control. I'll do some research but it definitely looks like the way ahead for me
  17. Replies
    13
    Views
    3,846

    Office365 IP addressing alternatives

    Hello,

    I need to trial office365 from my corporate network to the Microsoft cloud. Can I use FQDN instead of IP, i.e. home.office.com, portal.office.com etc instead of IP addresses.

    Is this a...
  18. Replies
    5
    Views
    1,261

    Re: Kemp or F5 loadbalancer options

    Just curious - would you put the loadbalancer on the dmz interface on the Checkpoint itself (where i have a dmz interface)

    or should i have the loadbalancer outside the Checkpoint on a switch i.e....
  19. Replies
    5
    Views
    1,261

    Kemp or F5 loadbalancer options

    Hi,

    I have 2 datacentres. Checkpoint firewalls are located at both sites (4400's with R77.30)
    I have fibre running to both sites at Layer 2 and can manage both firewalls with a Checkpoint Smart...
  20. Replies
    15
    Views
    5,505

    Re: Checkpoint 1100 device - VPN tab not working

    The Management Server sits on the DMZ behind CORP-ASA-BRET

    I have a NAT on the Management Server (which doesn't change) so the CP1100 device (public IP) can talk back to it

    I can push to it and...
  21. Replies
    15
    Views
    5,505

    Re: Checkpoint 1100 device - VPN tab not working

    Sorry to be a pain but i have got stuck on this.

    I can push to the device with the CP 3050 connected to a subnet behind CORP-ASA-BRET

    But i want the CP 1100 which sits outside our network on an...
  22. Replies
    15
    Views
    5,505

    Re: Checkpoint 1100 device - VPN tab not working

    I am now at the stage where i have the Checkpoint Mgr 3050 SIC established with the remote device.

    Then i create a new policy on the Checkpoint Mgr 3050 to push out to the Checkpoint 1120 remote...
  23. Replies
    15
    Views
    5,505

    Re: Checkpoint 1100 device - VPN tab not working

    Yes - Checkpoint support said for me to install the addon

    Install addon to manage 1100 / 1200R Appliances running R77.20...
  24. Replies
    15
    Views
    5,505

    Re: Checkpoint 1100 device - VPN tab not working

    I had to install an addon for the Checkpoint Mgr 3050 - even though i had R77.30 on it i needed an R77.20 addon for the Checkpoint 1100 appliances

    Then i got the SIC established and pushed out a...
  25. Replies
    15
    Views
    5,505

    Re: Checkpoint 1100 device - VPN tab not working

    Think i'll try this next week - looks like a good approach
  26. Replies
    15
    Views
    5,505

    Re: Checkpoint 1100 device - VPN tab not working

    WebUI on the firewall itself

    i had it set to central so maybe i will set it to local


    The scenario is I have 27 sites on ADSL (because i cant get them onto my corporate network)

    So i want...
  27. Replies
    15
    Views
    5,505

    Checkpoint 1100 device - VPN tab not working

    Hello,

    I have bought 27 Checkpoint 1100's

    How do i turn on the VPN feature under Security Dashboard: Control and monitor Software Blades configurations and status

    Its greyed out and i have...
  28. Re: Backup rulebase, objects and logs - R77.30 Gaia

    [Expert@UTM-MGR:0]# ifconfig Mgmt
    Mgmt Link encap:Ethernet HWaddr 00:1C:7F:42:8E:8B
    inet addr:192.168.12.155 Bcast:192.168.12.255 Mask:255.255.255.0
    UP BROADCAST...
  29. Re: Backup rulebase, objects and logs - R77.30 Gaia

    i have rebuilt checkpoint smart 3050
    i did a migrate export from the checkpoint smart 210 box
    i did a migrate import into the checkpoint smart 3050 box
    i have downloaded the latest patches for the...
  30. Re: Backup rulebase, objects and logs - R77.30 Gaia

    I'll give that a go tomorrow - cheers Kevin
  31. Re: Backup rulebase, objects and logs - R77.30 Gaia

    Bhav,

    I need to have the Checkpoint Smart3050 patched with the same Hotfixes as the Smart210. Is there a directory somewhere on the Checkpoint Smart210 that I can FTP the hotfixes off to a server...
  32. Replies
    4
    Views
    2,549

    Re: Checkpoint Backup and Restore

    Sorry to be a pain again. But i have built the Checkpoint Smart3050 with the same IP and routing etc. I am still running the Smart210 but know how to do the migrate / export ok.

    I need to have...
  33. Re: Backup rulebase, objects and logs - R77.30 Gaia

    Thanks for the advice

    I intend to do this changeover to the new server next week. If i follow this i know i wont be far away from success

    cheers
    Kevin
  34. Replies
    4
    Views
    2,549

    Re: Checkpoint Backup and Restore

    Ok - i will give that a go

    Thanks,
    Kevin
  35. Replies
    4
    Views
    2,549

    Checkpoint Backup and Restore

    Hello,

    I have a Checkpoint Manager Smart 210 with R77.30 installed

    Can I do a backup on the device and restore it to a Checkpoint Smart 3050

    I hate the thought of attempting this via...
  36. Backup rulebase, objects and logs - R77.30 Gaia

    Hello,

    I have a Checkpoint Smart 210 Manager using image R77.30 but now I have purchased a new Checkpoint Smart 3050 Manager also using image R77.30

    What’s the best approach to lift the current...
  37. Replies
    6
    Views
    2,289

    Re: standalone v distributed install

    Excellent news - thanks for that advice
  38. Replies
    6
    Views
    2,289

    Re: standalone v distributed install

    I don't see any GUI clients - here is a screenshot

    Configuration Options:
    ----------------------
    (1) Licenses and contracts
    (2) SNMP Extension
    (3) Group Permissions
    (4) PKCS#11 Token...
  39. Replies
    6
    Views
    2,289

    Re: standalone v distributed install

    FW-NIWS1[admin]# cpprod_util CPPROD_GetKeyValues products 0
    FW1
    UAG
    VSXCMP
    V40CMP
    NGXCMP
    CPinfo


    Still not sure if its standalone or distributed - any clues?
  40. Replies
    6
    Views
    2,289

    standalone v distributed install

    Hello,

    What command can I run to check if my Checkpoint IP690 install is standalone or distributed


    regards,
    Kevin
  41. Replies
    7
    Views
    2,759

    Re: Checkpoint R70.40 Manager re-install

    This is an old Checkpoint I took over and when I tried to push out the policy after resetting the sic - it did not work. So I had to reset the sic on the initial mgr and abort the changeover for now...
  42. Replies
    7
    Views
    2,759

    Re: Checkpoint R70.40 Manager re-install

    Scenario: I have a Smart 210 checkpoint Firewall manager and want to push out policies to an existing Firewall (details below)

    Model IP690...
  43. Replies
    7
    Views
    2,759

    Re: Checkpoint R70.40 Manager re-install

    The CP software version is R70.40
  44. Replies
    7
    Views
    2,759

    Re: Checkpoint R70.40 Manager re-install

    Point 1 is correct with a version of Software Version: releng 1 09.04.2009-042026


    Point 2 - the smart 210 appliance (R77.30 gaia) it is a dedicated Mgmt Server which I am using to push policies...
  45. Replies
    7
    Views
    2,759

    Checkpoint R70.40 Manager re-install

    Hello,

    I have an older Checkpoint in my production network. Its working fine
    Model: IP690
    Software Release: 6.2-GA024
    Software Version: releng 1 09.04.2009-042026

    The server where SPLAT is...
  46. Replies
    3
    Views
    6,354

    Re: Checkpoint basic config file

    Thanks for that - I will give this a go.

    I did a few restores recently with a full backup and noticed the backup will only restore once you have applied any Hotfixes that you previously used when...
  47. Replies
    3
    Views
    6,354

    Checkpoint basic config file

    Hello,

    I intend to upgrade my Checkpoint R77.20 to R77.30 soon and I want to format the box and re-image to R77.30 instead of doing just updates

    Is there any way I can take a backup of say a...
  48. Re: Site to site tunnel fails because of missing NAT on the Checkpoint

    Forgot to say i got this sorted a good while ago. i raised a case with Checkpoint and they got me to login to the command line and delete some entries in the database for this one particular VPN. ...
  49. Re: Checkpoint Stops passing traffic - needs rebooted

    I raised a TAC case and Checkpoint did some stuff ie CPInfo

    I also setup NMS alerting on disk consumption

    They think the problem was caused by a debug left running on one of the Checkpoints...
  50. Re: Checkpoint Stops passing traffic - needs rebooted

    Did a df -h on the Problem firewall. The /var/log/ partition was 100%. One file, debug.txt was 57GB so we deleted. Thought that there was not much use in the file anyway as we can't upload a 57GB...
  51. Re: Checkpoint Stops passing traffic - needs rebooted

    It failed again today
    Internet traffic was ok but the VPN tunnels dropped out again
    I still had access to the box via ssh so I was able to push out a policy and everything came back online again...
  52. Re: Checkpoint Stops passing traffic - needs rebooted

    How many connections you currently have: fw tab -t connections -s ?

    [Expert@UTM-:0]# fw tab -t connections -s
    HOST NAME ID #VALS #PEAK #SLINKS...
  53. Re: Checkpoint Stops passing traffic - needs rebooted

    Is a process hung, or consuming 100% CPU
    CPU is ok – all 4 Checkpoints are between 6 and 22%


    What is memory showing as in use
    Active Virtual Memory is ok – range for all 4 is 1.08GB to 1.98GB...
  54. Re: Checkpoint Stops passing traffic - needs rebooted

    Unfortunately I just got called in again Out of Hours as the Checkpoint had stopped passing traffic again

    All our Site to Site VPNs are automatically terminated - this is frustrating

    I can...
  55. Checkpoint Stops passing traffic - needs rebooted

    Hello,

    I bought new Checkpoint Hardware this year. All 4 of my Checkpoints were upgraded from old UTM appliances to new UTM devices with R77.20

    But 3 of them have stopped passing traffic...
  56. Re: Site to site tunnel fails because of missing NAT on the Checkpoint

    This didn't work either but it was good advice all the same and appreciated

    I have a call with Checkpoint for support to see if they can make any sense of it

    They have asked for ....CPinfo of...
  57. Re: Site to site tunnel fails because of missing NAT on the Checkpoint

    I have other site to sites which are all working ok - but this one is the only GRE Tunnel

    Maybe I need to do a manual NAT for this one external IP and leave the others as Automatic

    Would that...
  58. Re: Site to site tunnel fails because of missing NAT on the Checkpoint

    It's an Automatic NAT


    Original Packet
    Source is the outside interface of the Cisco ASA
    - under NAT it says Static
    - Translate to IP 'public ip that external Site to Sites connect to'
    ...
  59. Re: Site to site tunnel fails because of missing NAT on the Checkpoint

    Surely someone has an idea why a Checkpoint Firewall would not NAT an incoming external IP address? That's all I need to know otherwise I will have to delete this post tomorrow
  60. Re: Site to site tunnel fails because of missing NAT on the Checkpoint

    Thanks for the document. Everything is setup ok on the external router and the internal routers and cisco ASA.

    What I can see from the Checkpoint logs is that the Checkpoint is not doing a NAT on...
  61. Re: Site to site tunnel fails because of missing NAT on the Checkpoint

    The GRE Tunnel is just for loopback addresses on both sides to keep the tunnel up with interesting traffic.
  62. Re: Site to site tunnel fails because of missing NAT on the Checkpoint

    1 - Yeah - this is ok we have a static route pointing to our ISP - internet access & emails outbound from our corporate lan is fine
    2 - 6 other site to site VPN's are working ok coming in the same...
  63. Re: Site to site tunnel fails because of missing NAT on the Checkpoint

    some info below - hopefully that helps - cheers
  64. Re: Site to site tunnel fails because of missing NAT on the Checkpoint

    Hopefully this answers you both



    GRE tunnel endpoint is on a Layer 3 router on the Corporate Network

    IPSec for the tunnel terminates on the Cisco ASA
  65. Re: Site to site tunnel fails because of missing NAT on the Checkpoint

    Hello,

    I have attached a basic diagram. Last week I decommissioned the two external 3825 routers where our external facing IP addresses are NATted. I moved the NAT config for everything onto the...
  66. Site to site tunnel fails because of missing NAT on the Checkpoint

    Hello,

    I have a 100MB circuit coming into my network for VPNs etc. It terminates on an outside router before then hitting the Checkpoint and then Cisco ASA before anything gets near the...
  67. Replies
    11
    Views
    5,472

    Checkpoint VRRP - new install

    Hello,

    I have 2 x Checkpoints running Gaia R77.20 and both sit on different sites. I have a smart appliance on one of the sites to push the rulebase to both of them. Everything is working ok. I...
  68. Replies
    2
    Views
    1,783

    Re: View OUTGOING data through the Checkpoint

    I have it worked out now. I wasn't logging on a particular rule so that was the issue but I have taken the rest of your advice on as useful information.

    Thanks for your help
    Kevin
  69. Replies
    2
    Views
    1,783

    View OUTGOING data through the Checkpoint

    Hello,

    When I go to Smartview Tracker I can see source and destination of what is coming into the firewall. How can I check what is going out via the firewall. Specifically I want to check some...
  70. Re: UTM Checkpoint lost its policy after a shutdown

    Got it sorted this morning
    Did a fw unloadlocal on both the gateway and the mgr
    then restored the sic on both & pushed the policy back out

    You could be right in that the utm-mgr is installed as...
  71. Re: UTM Checkpoint lost its policy after a shutdown

    I was talking to someone who had the same issue and they said if I do a fw unloadlocal on the UTM-MGR as well as the UTM-Gateway then I will have access to smart dashboard and can then re-establish...
  72. Re: UTM Checkpoint lost its policy after a shutdown

    If I go into expert mode and then cpconfig it lets me change the SIC

    Thanks
    KOH
  73. Re: UTM Checkpoint lost its policy after a shutdown

    That makes sense that I need to re-establish SIC via cpconfig on the gateway - i'll do that first thing tomorrow

    Q. How do I get smart dashboard access to the mgt server. I have command line...
  74. UTM Checkpoint lost its policy after a shutdown

    I have lost my policy on a R77.20 after a shutdown

    I did the following:

    Check routing table to see all routes needed are available
    netstat -r

    Check interfaces
    ifconfig
  75. Replies
    2
    Views
    2,057

    Re: Checkpoint smart-1 210 appliance

    I will give one of these options a go

    Thanks
    Kevin
  76. Replies
    2
    Views
    2,057

    Checkpoint smart-1 210 appliance

    Hello,

    I bought a Checkpoint smart-1 210 appliance with R77.10 GAIA to replace my current policy server which was just installed on an old server. But my new mgr is pre-built with R77.10 as...
  77. cannot export snapshot insufficient space in /var/log/

    Hello,

    I did a full backup under Maintenance, snapshot mgt but when I try to export it, it says cannot export snapshot insufficient space in /var/log/

    I have logged into the device and done a...
  78. Replies
    4
    Views
    3,731

    Re: Cant login to Checkpoint R70 device

    Try the fix below - it worked for me.
  79. Replies
    4
    Views
    3,731

    Re: Cant login to Checkpoint R70 device

    This worked for me. Brilliant stuff - Kevin
  80. Replies
    4
    Views
    3,731

    Cant login to Checkpoint R70 device

    Hello,

    I am having a problem logging into my checkpoint although it's still passing traffic. I can't get on via Smart Dashboard or Smart Update or SSH.

    The connection has been refused due to...
  81. Replies
    4
    Views
    2,109

    Re: Report on Checkpoint attacks

    Excellent

    Thanks,
    Kevin
  82. Replies
    4
    Views
    2,109

    Report on Checkpoint attacks

    Hello,

    What should I be looking at on the Checkpoint Firewall if I want to review attempted attacks on the firewall.

    I.E. I want to do a weekly / monthly report

    Is this done via smartview...
  83. Thread: Licensing issue

    by oharek
    Replies
    6
    Views
    2,308

    Re: Licensing issue

    Just curious but how can you tell I have the Security Management Server set up both for Security Management (correct) and Security Gateway (incorrect)?

    I appreciate your help and I will give this...
  84. Thread: Licensing issue

    by oharek
    Replies
    6
    Views
    2,308

    Re: Licensing issue

    1) Gateway is logging ok. I did see streaming logs on the screen from firewall rules

    2) [Expert@UTM-BRET:0]# tcpdump -ni any port 257
    10:12:50.637428 IP 192.168.0.x.61234 > 192.168.1.x.set: S...
  85. Thread: Licensing issue

    by oharek
    Replies
    6
    Views
    2,308

    Licensing issue

    Hello,

    I had two Checkpoint R65 boxes and one R65 manager to push the policies to both. I upgraded all three boxes to R77.20 Gaia. Both firewalls are fine and I can push the policy out to both...
  86. Re: Checkpoint Installation failed: Failed to load Policy on Module

    I found this solution and tried it - it worked for me on both firewalls and I was able to push policies again - Thanks once again for your help.

    The CPD process is not running Security Gateway or...
  87. Checkpoint Installation failed: Failed to load Policy on Module

    Hello,

    I have an error on both of my Checkpoint R70 devices. I can't push any policies out now. This has only happened within the last week and I don't know what the issue is.

    Installation...
  88. Replies
    0
    Views
    1,020

    Checkpoint R70.40 image needed

    Hello,

    I need to build a Checkpoint Manager for an existing Checkpoint appliance on my network.

    R70.40 build

    Model IP690

    Anyone know where can i get the image for this? I cant seem to...
  89. Replies
    12
    Views
    4,187

    Re: Nightmare upgrade to R75

    Back again i'm afraid...

    I got the Checkpoint Manager rebuilt with a clean version of R71.10 and upgraded it to R75.40
    Then I did the upgrade_import of my rulebase
    Then I got my new Checkpoint...
  90. Replies
    12
    Views
    4,187

    Re: Nightmare upgrade to R75

    :p Cant believe it but i have actually got over the line. As you say:
    download the patch from checkpoint for R71.40 and patch via the cmd line
    do an upgrade_export
    build a new R75.40
    do an...
  91. Replies
    12
    Views
    4,187

    Re: Nightmare upgrade to R75

    I've discovered you will get this error if you have no interfaces up. It went away after connecting a crossover between two of my ethernet ports.
  92. Replies
    12
    Views
    4,187

    Re: Nightmare upgrade to R75

    Ok - I have patched the box to R71.40 successfully but i still cant get the R75.40 migration tools to work to perform an upgrade_export
    I am still getting a .log file error

    Any ideas what i can...
  93. Replies
    12
    Views
    4,187

    Re: Nightmare upgrade to R75

    Where can I get this R71.40 patch? I don't see it anywhere on the support.Checkpoint.com website where I usually download any images
  94. Replies
    12
    Views
    4,187

    Re: Nightmare upgrade to R75

    You'd think it would be easy. But no matter what migration tools i run be it R71.40, R75, R75.40 or even the upgrade_export thats built into it namely R71.10 it comes back with an error log. Would...
  95. Replies
    12
    Views
    4,187

    Nightmare upgrade to R75

    Hello,

    I did an upgrade from R65 to R71.10 - i use R71.10 migration tools on the R65 and when i built my R71.10 i was able to import all my rule base into the new build

    So now i need to upgrade...
  96. Replies
    15
    Views
    9,472

    Re: Upgrade from R65 to R75

    I had a go at this today and ran the R75.40 tools on the R71.40 but it didn't like it. Does that mean I need to install R75 splat first and then go to R75.40
  97. Replies
    15
    Views
    9,472

    Re: Upgrade from R65 to R75

    I have done steps 1 to 5 successfully so now have upgraded my R65 manager to R71.40 and applied a new software blade license
    I have downloaded the R71.40 migration tools so i can do a new...
  98. Replies
    15
    Views
    9,472

    Re: Upgrade from R65 to R75

    This was correct.
    I needed a new software Blade license as R71 onwards is different to R65 but these upgrades were free
  99. Replies
    8
    Views
    3,599

    Re: R65 to R75 using import_upgrade tools

    Thanks for your advice
    Just to let you know this advice was correct

    I went R65 SPLAT to R71.40 SPLAT on an interim VM then R75 SPLAT and then R75.40 GAIA
    Upgrade_export and upgrade_import is...
  100. Replies
    8
    Views
    3,599

    Re: R65 to R75 using import_upgrade tools

    I have about 50 rules on mine but i think i would be happy enough just to recreate all the objects and recreate the rule base. Is that all i have to do really? If i dont do the upgrade_Import am i...
Results 1 to 100 of 128