CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.

Type: Posts; User: avilT


  1. Replies
    2
    Views
    6,733

    FTP on Higher ports

    I have a FTP server running on Windows on port TCP/2121.

    When I perform an FTP from a DMZ host to this internal host on port 2121, the first connection on TCP/2121 is successful. But the secondary...
  2. Replies
    1
    Views
    2,826

    FW-1: too many internal hosts(192)detected

    Is the following alert going to bring down the network performance or network itself?
    FW-1: too many internal hosts(192)detected
  3. Replies
    5
    Views
    1,357

    Re: TCP VS UDP/ICMP thru Firewall

    Thanks, that's what I observed.

    I am not designing this topology rather cleaning up the mess now.

    Can you elaborate more on how the stateful firewall handles ICMP traffic whereas UDP can...
  4. Replies
    5
    Views
    1,357

    TCP VS UDP/ICMP thru Firewall

    Please refer to the attached diagram. From PC-1, if I access PC-2 (TCP based application) by its 10.0.0.2 IP address it will fail because the 3-way handshake fails, which is normal.

    Is this applicable for...
  5. Replies
    3
    Views
    905

    Re: Site-2-Site VPN & NAT

    It's a VPN where both ends access resources of each other.

    It's me who is replacing the current firewall R71.30 with R75.40. There were absolutely no changes made on their end. (they will not...
  6. Replies
    3
    Views
    846

    Re: VPN, is there a one-way tunnel?

    Thanks a lot. I realized this only after getting the remote firewall logs.

    It seems like our firewall is trying the IKE SA with both its external IP (x.x.x.68) address as well as the NAT IP...
  7. Replies
    14
    Views
    3,267

    Re: site to site VPN issue with R75.40

    I just got the firewall logs from the remote gateway. It turned out that the remote gateway is negotiating IKE with my side's NAT IP instead of the actual external IP address. How can I force my...
  8. Replies
    3
    Views
    846

    VPN, is there a one-way tunnel?

    I need expert advice on site-2-site VPN. If I have a site-2-site VPN defined, is there a possibility that there is only one way traffic passing thru in spite of access being allowed in both...
  9. Replies
    3
    Views
    905

    Site-2-Site VPN & NAT

    When I define a Site-2-Site IPSec VPN, we define the NAT rules which basically define NO NAT between the source and the remote subnets.
    In the source NAT, do I need to add, the firewall management...
  10. Replies
    5
    Views
    1,664

    Re: Global Properties & NAT

    Alright, that means I need to have a NAT rule, which basically performs no-nat from the same segment (mgmt segment 10.x.x.x) to the same segment (mgmt segment 10.x.x.x).
    After this the communication...
  11. Replies
    14
    Views
    3,267

    re: site to site VPN issue with R75.40

    Thank You for the detailed information. You seem to be right, the supernetting issue should not occur when both end points are Checkpoint gateways. I have confirmed this. Following is my scenario.
    ...
  12. Replies
    14
    Views
    3,267

    re: site to site VPN issue with R75.40

    I am using NGX R75, so I need to execute the following command instead of editing user.def right?

    dbedit>modify properties firewall_properties ike_use_largest_possible_subnets false

    dbedit>...
  13. Replies
    14
    Views
    3,267

    re: site to site VPN issue with R75.40

    Coming back to the original question, why is it that I was not able to reach the destination when the firewall may be performing subnet summarization?

    I could see the action as encrypt but I never...
  14. Replies
    14
    Views
    3,267

    re: site to site VPN issue with R75.40

    You might be correct, even I am also zeroing in on this solution.
    I have a network range like x.y.84.1-x.y.87.254

    By the way, when I create external firewall object for the VPN, do I need to be...
  15. Replies
    14
    Views
    3,267

    re: site to site VPN issue with R75.40

    I can see the IKE keys successfully installed, so the shared secret key issue is ruled out.
    The first IKE log is "IKE: Main Mode completion [UDP]."

    But strangely, in the following log, the actual...
  16. Replies
    14
    Views
    3,267

    site to site VPN issue with R75.40

    I have a site to site VPN running on NGX R75.10. Today I tried to replace this with Gaia R75.40 with the same encryption settings without luck.

    Whenever I access the remote site (ping, http etc)...
  17. Re: SmartView monitor shows "Attention state" on recently upgraded gateways

    I have the same problem, but whenever I right click the gateway-> refresh, the attention message disappears. Has it got something to do with name resolution among gateways and smart center server?
  18. Thread: SSH Response

    by avilT
    Replies
    7
    Views
    1,722

    Re: SSH Response

    It's a DNS issue with reverse look up.
    Thank You.
  19. Replies
    5
    Views
    1,664

    Re: Global Properties & NAT

    I am referring to connections originating from the firewall itself.

    example: I have a manual hide NAT rule defined, which includes all subnets including the firewall management segment. Now what...
  20. Replies
    5
    Views
    1,664

    Global Properties & NAT

    Under global properties if I set the "Accept outgoing packets originating from the gateway = First"
    then I am sure it's enforced before all the access rules. How about NAT? Is it going to bypass NAT...
  21. Replies
    4
    Views
    6,851

    Re: Gaia Proxy ARP added, fw ctl arp no entries

    Now when I execute the command "fw ctl arp" it takes too much time to display the ARP entries.

    Is it a normal behaviour?
  22. Best way to prevent NAT for the traffic originating from the Gateway

    I have an R75.40 ClusterXL. Initially I had defined a NO NAT rule as LAN --to--> DMZ & DMZ --to--> LAN

    When I ping from the active device to the standby device interface, it gets NATed to the public...
  23. Thread: SSH Response

    by avilT
    Replies
    7
    Views
    1,722

    SSH Response

    I have two R75.40 clusters, GAIA, 4407.

    Cluster-1 is simple firewall without VPN.
    Cluster-2 is firewall VPN enabled.

    When I ssh to Cluster-1 it's very quick (both user and password prompt)...
  24. Replies
    0
    Views
    607

    Externally Managed Gateway

    When we define an Externally Managed Gateway for a site to site VPN, does it really matter which version of software/type we specify for the external gateway object in the SmartDashboard?
  25. Re: TCP packet out of state: First packet isn't SYN tcp_flags: PUSH-ACK

    Is there any way (I know it's not good) to allow out of state connection for a particular source/destination pair along with the services?
  26. Replies
    2
    Views
    2,760

    Gaia Terminal Length Settings

    How can I set the terminal length on a Gaia appliance so that the show configuration command can pull all the configuration with one key stroke? (similar to terminal length 0 on Cisco routers)
  27. Replies
    4
    Views
    6,851

    Re: Gaia Proxy ARP added, fw ctl arp no entries

    Thank you, you are right.
  28. Replies
    4
    Views
    6,851

    Gaia Proxy ARP added, fw ctl arp no entries

    I am preparing new firewalls for a replacement; it's R75.40, 4407 appliance, CPHA cluster.
    I have added the proxy arp entries manually in the local.arp file at /opt/CPsuite-R75.40/fw1/conf

    But...
  29. Replies
    0
    Views
    2,318

    Externally Managed Gateway, Link Selection

    I have a Checkpoint setup, R71.30, and I am preparing a new setup which is R75.40. I am trying to create an externally managed gateway for the IPSec VPN on R75.40. I am setting the same properties of...
  30. Replies
    3
    Views
    1,479

    Re: SK26202 Editing MAC Address

    The following command resolved my problem.

    fw ctl set int fwha_mac_magic 0xfb
    fw ctl set int fwha_mac_forward_magic 0xfa
  31. Replies
    3
    Views
    1,479

    SK26202 Editing MAC Address

    I have two clusters in the same VLAN so I would like to edit the MAC address using fwkern.conf. It's a Checkpoint 4400 appliance running R75.40

    If I execute the following command manually it works...
  32. Re: Smartcenter Installation Import Configuration

    What is the best option to import the config in Windows? Is it a fresh install with default settings and then upgrade_import (migrate) command?
  33. Smartcenter Installation Import Configuration

    I am installing R75.40 smart on Windows 2003, (lab environment) Import configuration during the install. The original config file is from Smart Appliance, R75.40 version taken using migrate command....
  34. Running migrate command on Standalone Gateway

    I have both Gateway and Management running on the same appliance. If I run migrate (upgrade_export) command will it stop the firewall service?
  35. Re: TCP packet out of state: First packet isn't SYN tcp_flags: PUSH-ACK

    Is it at the application level or the OS level?
  36. Re: Two Clusters in same VLAN SW_MATM-4-MACFLAP_NOTIF: Host 0000.0000.fe00 in vlan 10

    Thank You.

    As of now I see the error logs only on the Cisco L2 switches. I do not see any warnings or errors (SmartView Monitor/cphaprob) on either cluster. As long as the switch does not act on...
  37. Re: Two Clusters in same VLAN SW_MATM-4-MACFLAP_NOTIF: Host 0000.0000.fe00 in vlan 10

    Thank You, I will set the following values on my new GAIA cluster.

    fw ctl set int fwha_mac_magic 57
    fw ctl set int fwha_mac_forward_magic 56
  38. Re: Two Clusters in same VLAN SW_MATM-4-MACFLAP_NOTIF: Host 0000.0000.fe00 in vlan 10

    I will be replacing cluster-1 in a few days. Since it's in production without any issues, I will leave it as it is.

    How can I change the Magic address? I should change the source mac address...
  39. Re: Two Clusters in same VLAN SW_MATM-4-MACFLAP_NOTIF: Host 0000.0000.fe00 in vlan 10

    Yes, I do not see any errors with cphaprob or in SmartView Monitor. The following IPs are in the same VLAN. They are just normal active/standby clusters, no load sharing.

    Cluster-1: R71.30, ...
  40. Two Clusters in same VLAN SW_MATM-4-MACFLAP_NOTIF: Host 0000.0000.fe00 in vlan 10 is

    I have two clusters, one is a UTM-1070 and another a Gaia 4407 appliance, in the same VLAN and I am getting the following log on the Cisco switch.
    I have no issues with the clusters. Can I leave this as...
  41. Re: TCP packet out of state: First packet isn't SYN tcp_flags: PUSH-ACK

    Need some advice.

    In general, do you come across a scenario which requires tweaking session time out settings?

    Like batch job which runs initially, sleeps for a few minutes and then continues...
  42. TCP packet out of state: First packet isn't SYN tcp_flags: PUSH-ACK

    I have a standalone gateway, version R75.40 Gaia on appliance 4407.

    Under Global Properties, TCP Session timeout = 3600 (Default) and I am getting the following error for the connection from my...
  43. re: NAT Default behaviour "Policy Targets" (not added any firewalls).

    My scenario is like this. Currently only one cluster (tier-2, internal firewall, no NAT required), so if I remove all NAT rules, it works fine.

    Now I have to setup tier-1 firewall (not yet ready)...
  44. re: NAT Default behaviour "Policy Targets" (not added any firewalls).

    I have verified, the default "All Internal Security Gateways" is selected and I do not see any gateways on this page.

    What is the default behaviour if policy targets are not defined?
  45. re: NAT Default behaviour "Policy Targets" (not added any firewalls).

    I did not create the NAT rules on the object, instead I created them manually under the NAT section.
    My question is since I have left the default option under "Install On" to "Policy Targets" (not added any...
  46. NAT Default behaviour "Policy Targets" (not added any firewalls).

    I have created a NAT (hide nat) rule manually, but under NAT tab, "Install On" I have left the default option "Policy Targets" (not added any firewalls).

    In this scenario, the firewall performs...
  47. Replies
    3
    Views
    1,016

    Re: Policy Installation Warning

    I was able to resolve this with the following steps.

    1.cpstop the Security Management station.
    2.Delete $FWDIR/state/links.C (%FWDIR%\state\links.C in Windows)
    3.cpstart the Security...
  48. Replies
    3
    Views
    1,016

    Re: Policy Installation Warning

    Has anyone faced similar problem? I would like to get rid of this warning.
  49. Replies
    4
    Views
    2,765

    Re: ClusterXL issues on Gaia

    Thank You very much. So that means I should have at least one device in each segment which can respond to ping requests from the cluster members. This requirement is a bit strange, especially if I am...
  50. Replies
    4
    Views
    2,765

    Re: ClusterXL issues on Gaia

    Please find attached the various case scenarios, with PC in each segment, the clusterXL seems to be fine.
  51. Replies
    3
    Views
    703

    Re: Routing and Access thru Firewall

    Thank You,

    Address spoofing can be bypassed easily but NAT is also must in this case. The NAT ip should be from the segment between tier-2 & tier-1 right?
  52. Replies
    3
    Views
    703

    Routing and Access thru Firewall

    I need one clarification with my attached setup diagram. I am in the process of replacing the firewalls; I may have to retain this design only during the transition period.
    In the first (current)...
  53. Replies
    9
    Views
    2,265

    Re: CPHA Cluster Issues with R75.40 Gaia

    Surprise:
    Today I connected one PC on the external segment pointed external VIP as gateway and on inside, smart appliance pointed internal VIP as gateway. Now the cluster seems to be working...
  54. Replies
    4
    Views
    2,765

    ClusterXL issues on Gaia

    Has anyone set up a working CPHA ClusterXL on Gaia R75.40?

    I am setting up a CPHA clusterXL in a lab using brand new 4407 appliances using Smart appliance. I am familiar with cluster setup with...
  55. Replies
    9
    Views
    2,265

    Re: CPHA Cluster Issues with R75.40 Gaia

    I have left all the coreXL options to default. Also on the switch, it's just the firewalls nothing else, each interface segment in a dedicated vlan.

    Please find the various fail-over case...
  56. Replies
    9
    Views
    2,265

    CPHA Cluster Issues with R75.40 Gaia

    I am setting up a CPHA cluster in a lab using brand new appliances, 4407 appliance using Smart appliance, R75.40 Gaia. I am familiar with cluster setup but this time with new setup it doesn't seem to...
  57. Replies
    3
    Views
    1,016

    Policy Installation Warning

    I have defined a CPHA cluster, initially installed the policy in Simplified Mode. Later I made a new policy in traditional mode. Now when I deploy the policy it pops up the following message
    ...
  58. Thread: SNMP V3 Error

    by avilT
    Replies
    1
    Views
    2,617

    Re: SNMP V3 Error

    Has anyone had success in monitoring the firewall appliance with SNMP v3? I am able to monitor it using SNMP v2 but not v3.
  59. Replies
    2
    Views
    936

    Vlan Interfaces and Performance

    Has anyone come across performance issues with VLAN interfaces on the Checkpoint appliances? I need 3 VLAN interfaces on a physical Gbps interface with a total host count not exceeding 100. Is there going...
  60. Replies
    1
    Views
    704

    TCP Session Time Out

    How can I set unlimited session time out for a specific service under Service -> Advanced option?
  61. Replies
    9
    Views
    2,384

    Re: Smart1-5 Appliance Queries

    My new GAIA smart appliance is shipped with R75.40 & R75.20 image too. So does it mean that I have to

    1) Set my smart to R75.20, import the config from Windows Smart
    2) Export the config using...
  62. Replies
    3
    Views
    1,012

    Re: How to clear console connection

    I have tried your commands, I was able to kill the session but still I am getting just the cursor on the console. Maybe a restart is required. I have already tried a different console cable. I am using...
  63. Thread: SNMP V3 Error

    by avilT
    Replies
    1
    Views
    2,617

    SNMP V3 Error

    I am trying to monitor the resources of a Checkpoint 4407 Gaia appliance from Cacti version 0.8.7d. With SNMP version 2 it works fine but with SNMP v3 it gives an error. On Gaia, I have set up SNMP v3...
  64. Replies
    3
    Views
    1,012

    How to clear console connection

    Initially I was able to connect to the Gaia appliance using the console cable. Now it just gives me the cursor. How can I clear the console sessions?
  65. Replies
    2
    Views
    1,040

    Re: dhclient no dhcpoffers received

    You are right, I have set it right.
  66. Replies
    2
    Views
    1,040

    dhclient no dhcpoffers received

    I have setup Gaia appliance into production, I am not using Mgmt interface, the Mgmt interface is disabled but in my syslog I am getting the error "dhclient no dhcpoffers received" as shown in the...
  67. Replies
    2
    Views
    1,566

    Re: R75.40 migrate import error

    I was able to resolve this problem, I just needed to set "bin" during the FTP operation.
  68. Replies
    2
    Views
    1,566

    R75.40 migrate import error

    I am trying to import the R75.40 configuration using the migrate command as shown below. But it ends with an error. The configuration was exported from the R75.40 version. What is wrong with my command syntax?
    ...
  69. Replies
    4
    Views
    1,106

    Re: Standalone GW & Performance

    I have a 2012 appliance, 4400 with 4GB RAM, 5 Gbps throughput (as per the spec). If I do not enable extensive logging, how much throughput can I expect?
  70. Replies
    4
    Views
    1,106

    Standalone GW & Performance

    If I set up a standalone gateway (GW & Mgmt on the same device) is there any performance decrease? Any advice on this type of setup to improve the performance?
  71. Replies
    7
    Views
    4,107

    Re: proxy arp in GAIA

    It's a standalone gateway, GAIA's ARP did not work. So I added local.arp and now NAT works.
  72. Replies
    7
    Views
    4,107

    Re: proxy arp in GAIA

    Now the manual ARP entries can be added through the GAIA web interface. However these entries do not appear in the local.arp file (there is no local.arp file under /opt/CPsuite-R75.40/fw1/conf). In this...
  73. Replies
    5
    Views
    4,258

    Re: IPS License Expiration and Impact

    I was able to resolve this error by downloading the latest contract file from the Checkpoint User Center and loading it manually in SmartUpdate.
  74. Replies
    10
    Views
    12,373

    Re: SecureXL vs CoreXL

    I am currently using UTM appliances and replacing them with 2012 appliances, GAIA, R75.40.
    So to conclude, on the new appliances should I turn off both CoreXL and SecureXL?
  75. Replies
    7
    Views
    4,107

    proxy arp in GAIA

    I am replacing my UTM appliances with 2012 appliance 4400 GAIA, R75.40.

    Currently I have local.arp under /opt/CPsuite-R71/fw1/conf.

    What is the recommendation regarding proxy ARP with GAIA?...
  76. Thread: Private IP & NAT

    by avilT
    Replies
    4
    Views
    1,145

    Re: Private IP & NAT

    I am going to terminate a new connection from our partner network on one new interface on the firewall. This interface will have a private IP, 192.168.1.10. Now the partner network users will access...
  77. Thread: Private IP & NAT

    by avilT
    Replies
    4
    Views
    1,145

    Private IP & NAT

    My current firewall has got one external interface with public IP address/NAT and internal interface with private IP 10.x.x.x.

    Now I need to connect one customer/partner network to another...
  78. Replies
    5
    Views
    4,258

    Re: IPS License Expiration and Impact

    I am running R71.30 and it's SmartDefense; I have very few IPS signatures enabled. I am not worried about the IPS protection, but other aspects like access rules/NAT will not be affected, right?
  79. Replies
    5
    Views
    4,258

    IPS License Expiration and Impact

    I have a built-in IPS on an R71.30 gateway. I am in the process of replacing the gateway, so I have not renewed the IPS license and now when I try to deploy a new policy I am getting the error as shown in...
  80. Replies
    10
    Views
    12,373

    SecureXL vs CoreXL

    When we execute cpconfig on R75.40 we have the following options.

    (7) Disable Check Point SecureXL
    (8) Configure Check Point CoreXL

    •SecureXL accelerates multiple intensive security...
  81. Replies
    1
    Views
    1,387

    snmp a basic query

    In order to get the CPU and memory statistics in my Cacti tool for the firewall, apart from defining SNMP community strings in Gaia, do I need to enable "SNMP Extensions" from the cpconfig command?
  82. Thread: cphaprob state

    by avilT
    Replies
    2
    Views
    972

    Re: cphaprob state

    I have an R75.40 cluster and it doesn't list sync interfaces in the output.
  83. Thread: cphaprob state

    by avilT
    Replies
    2
    Views
    972

    cphaprob state

    In the cphaprob state output, what is the criteria for listing the interface IP address when I have multiple interfaces and IP addresses configured on the firewall?
  84. Thread: Vlan Interfaces

    by avilT
    Replies
    9
    Views
    2,642

    Re: Vlan Interfaces

    What about the following command to reduce the 45 sec delay for port state transition? Is it recommended?
    spanning-tree portfast trunk
  85. Replies
    7
    Views
    3,658

    Re: vlan xx is flapping between port

    You are right, after installing the policy as a cluster the error stopped appearing on the Cisco switch.
  86. Replies
    0
    Views
    1,455

    Routing Protocol on HA clusters

    For the first time I have been thinking of setting up OSPF on firewalls. I am well versed with OSPF settings on Cisco routers. But when you run OSPF on clusters, what is the default behaviour? Do both...
  87. Replies
    7
    Views
    3,658

    Re: vlan xx is flapping between port

    I am using the following switch and I have not yet deployed the policy on the cluster. I am at the initial stage of defining the interfaces.

    Cisco IOS Software, C2960S Software...
  88. Replies
    7
    Views
    3,658

    vlan xx is flapping between port

    I am testing a new setup in the lab, 2 gateway appliances as CPHA, one Cisco switch. Just enabled 2 interfaces on the firewall, inside/outside. 2 VLANs on the switch, inside/outside, each segment in...
  89. Replies
    3
    Views
    1,677

    HA Cluster or VRRP

    I am replacing a UTM-1070 with a 2012 appliance. Earlier with UTM I could only set up ClusterXL using SmartDashboard; now Gaia gives me both ClusterXL as well as VRRP during the initial setup.

    Is...
  90. Replies
    2
    Views
    1,152

    Re: Gaia Initial Setup default port 4434 or 443?

    Thank You for the clarification.

    The gateway ships only with R75.40 and the smart appliance ships with R71.40 as well as R75.40. Both the smart appliance and the gateway I could access only on port 443.
  91. Replies
    2
    Views
    1,152

    Gaia Initial Setup default port 4434 or 443?

    I have got a couple of 2012 appliances; the default manual says connect to the appliance as https://192.168.1.1:4434 whereas I could only connect on port 443. Is it a typo error from Checkpoint?
  92. Thread: Vlan Interfaces

    by avilT
    Replies
    9
    Views
    2,642

    Re: Vlan Interfaces

    Alright, I will take your point.

    By the way, what settings do I need to define on the Cisco Switch trunk port? Can I hard code the following settings?

    interface GigabitEthernet1/0/1...
  93. Thread: Vlan Interfaces

    by avilT
    Replies
    9
    Views
    2,642

    Re: Vlan Interfaces

    The VLANs are already there in production, I am just replacing the firewalls with VLAN interfaces. So it's not a must to have unique VLANs on each interface, right? I can have a VLAN 20 on eth1 on lan...
  94. Thread: Vlan Interfaces

    by avilT
    Replies
    9
    Views
    2,642

    Vlan Interfaces

    When I create VLAN interfaces on Checkpoint appliances, do they need to be unique among different interfaces?

    For example can I have 2 VLANs 20 and 30 on both interfaces Lan2 & Lan3 on...
  95. Replies
    9
    Views
    2,384

    Re: Smart1-5 Appliance Queries

    Can I import the configuration file into a smart appliance which is exported on a Windows smart management server?
  96. Replies
    9
    Views
    2,384

    Re: Smart1-5 Appliance Queries

    Thank You. Can I import the configuration file exported from Windows smart center server into a smart appliance?
  97. Replies
    9
    Views
    2,384

    Smart1-5 Appliance Queries

    I have been using SmartCenter server on Windows for a long time and this time I will switch to Smart-1 5 to manage the firewalls. This is my first time setting up on an appliance and I have a few basic...
  98. Replies
    1
    Views
    866

    Smartcenter Server Recovery Steps

    I have my R71.30 SmartCenter server on Windows 2008 STD with SP2, and exported the config using the R71.10 CD upgrade_export tool.

    Now I would like to recover the smart center server on a...
  99. Replies
    3
    Views
    1,417

    How to find OS version of firewall

    When I execute fw ver -k it displays the following output.
    This is Check Point VPN-1(TM) & FireWall-1(R) R71.30 - Build 036
    kernel: R71.30 - Build 036

    What is the OS version? I believe R71.30 is...
  100. Thread: SSL VPN, 2FA etc

    by avilT
    Replies
    0
    Views
    706

    SSL VPN, 2FA etc

    I am planning for SSL VPN on my Internet firewall (not one dedicated to SSL VPN alone)

    1. Is it going to create any kind of management/security issues?
    2. What 2 factor authentication schemes can...
Results 1 to 100 of 392