CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.


Type: Posts; User: jflemingeds


  1. Replies
    4
    Views
    170

    Re: authentication failure

    If that doesn't help, do a packet capture on the Check Point device and see what service AlgoSec is trying to use. From there it should be a little clearer what to do.

    something like..
    ...
  2. Replies
    4
    Views
    170

    Re: authentication failure

    Is it trying to log in via SSH or via CPMI? If SSH, maybe try changing the shell to bash. If CPMI, I would check the audit logs.

    Oh, or the API, I forgot about that. I think by default the API is only...
  3. Re: jumbo hot fix acc. on r80.10 on the gateway not showing after installation.

    Doesn't it show on that last line you pasted?

    Also, I think there is a command called

    installed_jumbo_take

    or something like that... that will show the take as well.
  4. Re: supporting multiple auth schema - Active Directory Auth and RSA Auth

    Well, it hasn't gone well. Using raw SecurID it seems the best I can do is map all RSA users to a single group and then do something with that group in the firewall policy, which isn't good.
    ...
  5. supporting multiple auth schema - Active Directory Auth and RSA Auth

    Hi all, I'm working on a project where I'm trying to support Active Directory-based auth as well as SecurID-based auth. I'm running into some RSA issues, but I expect I'll have that addressed shortly....
  6. Re: Missing Routes on Active SG for VPN but the standby has the route?? Strange

    From clish
    show route all

    Does it show up then, possibly as hidden? Please show output from both cluster members.
  7. Re: Virtual systems with different DNS servers

    Could you hack it with NAT rules?

    src: fw1 dst: DNS1, nat src: original, nat dst: magic_dns_1
    src: fw2 dst: DNS1, nat src: original, nat dst: magic_dns_1

    Each VS could have its own nat rule.
  8. Replies
    18
    Views
    1,317

    Re: R80.20.M1 Management Release

    Yeah, I'm poking around and finding interesting things.

    TYPE := { vlan | veth | vcan | dummy | ifb | macvlan | macvtap |
    bridge | bond | ipoib | ip6tnl | ipip | sit | vxlan |
    ...
  9. Replies
    1
    Views
    193

    4k sectors on USB?

    Anyone know if 4k sectors are just not supported on USB? I was trying to get R77.30 to talk to a 6TB USB drive. Even with a GPT table, the moment I try to write data I get a large number of errors barfed...
  10. Re: Anyone know any way for adding interfaces to cluster via dashboard without clicki

    Yeah, that or just edit and add a row.
  11. Replies
    18
    Views
    1,317

    Re: R80.20.M1 Management Release

    Hmm, looks like network namespaces are now supported. I wonder if that means a big VSX update is on the way.
  12. Replies
    18
    Views
    1,317

    Re: R80.20.M1 Management Release

    Technically init is still PID 1.
  13. Replies
    18
    Views
    1,317

    Re: R80.20.M1 Management Release

    You sure about that version? :)
  14. Replies
    1
    Views
    270

    iOS L2TP + DHCP-based office mode

    This is kind of a shot in the dark, but is anyone using L2TP on iOS? I'm using DHCP for office mode IP allocation and seeing that the MAC address unicasted to the DHCP server inside the DHCP request...
  15. Replies
    18
    Views
    1,317

    Re: R80.20.M1 Management Release

    iotop, nice. I helped a customer out with a large P1 install. Everyone was complaining about how slow policy installs were, but no one noticed 100% iowait. Took a little troubleshooting to figure...
  16. Re: SMS R77.30 install policy to IP390 (R65 and IPSO4.2) crashed

    Oh, sorry, I misread. I was thinking R77.30 on IPSO. You clearly have R65 on IPSO.

    Could be CPD and/or FWD need to be restarted. Might be easier to just reboot. However, if the system is diskless...
  17. Re: SMS R77.30 install policy to IP390 (R65 and IPSO4.2) crashed

    I'm pretty sure the release notes or something say R77.30 requires 2 GB of RAM. Maybe it's in the R77 notes. I don't remember if the IP390 has a real hard disk or not. If it's flash, your only hope is to maybe...
  18. Replies
    2
    Views
    280

    Re: fwx_xlate_method

    Is there any chance you have a service in the NAT policy where the original has UDP and the NATed one has TCP, or something like that?
  19. Re: Client Authentication - Bad SSL Certificate error

    I didn't know legacy client auth didn't support SSL on R80.10, but you should really be using Captive Portal. It should have the same functionality as client auth (well, except for telnet auth... well...
  20. Re: Is it possible to do a Proxy ARP on a whole network?

    for x in $(seq 10 100) ; do echo clish -c "add arp proxy ipv4-address 10.31.0.$x interface eth3 real-ipv4-address 10.31.0.1" ; done

    Make sure admin's shell is /bin/bash (log out and back in if you...
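The one-liner in the post above echoes a clish command per address; the following is an added example (not from the original post) that generalises it into a small script: it generates the same `add arp proxy` commands for a bounded host range, validates the range first so a typo cannot emit hundreds of bogus entries, and keeps generation separate from execution so the output can be reviewed before it is fed to clish. The prefix, interface and real address used in the usage comment are placeholders, and it still assumes the admin shell is /bin/bash as the post notes.

```shell
#!/bin/sh
# Added example, not part of the original post. Generates Gaia clish
# "add arp proxy" commands for PREFIX.FIRST .. PREFIX.LAST on IFACE,
# answering with REAL_IP. Generation only prints; apply_proxy_arp executes.

# gen_proxy_arp PREFIX FIRST LAST IFACE REAL_IP
# Prints one clish command per address in the range, in order.
gen_proxy_arp() {
    prefix=$1; first=$2; last=$3; iface=$4; real=$5
    # Refuse nonsense ranges (reversed, or outside a /24's host octet).
    [ "$first" -ge 0 ] && [ "$last" -le 255 ] && [ "$first" -le "$last" ] || return 1
    x=$first
    while [ "$x" -le "$last" ]; do
        printf 'clish -c "add arp proxy ipv4-address %s.%s interface %s real-ipv4-address %s"\n' \
            "$prefix" "$x" "$iface" "$real"
        x=$((x + 1))
    done
}

# apply_proxy_arp: run the generated commands (stop at the first failure),
# then persist the Gaia configuration. Needs the admin shell to be /bin/bash.
apply_proxy_arp() {
    gen_proxy_arp "$@" | sh -e && clish -c "save config"
}

# Usage (placeholders from the post, not real addresses):
#   gen_proxy_arp 10.31.0 10 100 eth3 10.31.0.1      # review first
#   apply_proxy_arp 10.31.0 10 100 eth3 10.31.0.1    # then apply
```

Reviewing the generated list before applying it matters because every proxy ARP entry makes the gateway answer for an address on that segment; an off-by-one in the range silently claims addresses that may belong to real hosts.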
  21. Replies
    13
    Views
    1,127

    Re: unable to use clish

    BTW I think the locks Eric was talking about are in sk108058.

    rm -i /tmp/clish.*
  22. Replies
    13
    Views
    1,127

    Re: unable to use clish

    Are you using TACACS or RADIUS for logins? BTW, you left off the md5sum of /bin/bash.
  23. Replies
    13
    Views
    1,127

    Re: unable to use clish

    What does
    md5sum /etc/cli.sh /bin/bash
    return?

    What does
    egrep admin /etc/passwd
    return?


    Hmm, maybe
  24. Replies
    24
    Views
    2,325

    Re: Checkpoint 5400 100% CPU usage

    Is there any chance the iSCSI traffic is fragmenting? Might explain high CPU usage, as frags basically suck. Would need a packet capture to tell, since the firewall is going to reassemble the frags...
  25. Replies
    3
    Views
    306

    Re: spoofing question.....

    Doesn't antispoofing require 2 interfaces? Not sure if sync counts in that list or not.

    How does the routing look? Still just one default route?
  26. Re: Command to see if FW's are sending logs to Log server

    netstat -anp | grep 257

    should show something: one per gateway, and it should always be established. Granted, just because there is an established connection doesn't mean it's logging anything. Not super...
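As an added example (not from the original post), here is a small check that turns the `netstat -anp | grep 257` habit into something scriptable: it keeps only ESTABLISHED TCP connections whose local port is exactly 257 (so SIC on 18192 or an unrelated port such as 18257 does not match), prints the peer IP of each, and reports which expected gateways are missing. The netstat sample and all addresses are constructed placeholders; the gateway list is an assumed input, not something the page provides.

```shell
#!/bin/sh
# Added example, not part of the original post. Check which gateways hold an
# ESTABLISHED connection to the log server's FW1_log port (TCP 257) from
# "netstat -anp"-style output, instead of eyeballing "grep 257".

# Constructed sample of netstat -anp output as seen on a log server.
# Addresses are placeholders, not real hosts.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:257             0.0.0.0:*               LISTEN      4321/fwd
tcp        0      0 192.0.2.10:257          192.0.2.21:41022        ESTABLISHED 4321/fwd
tcp        0      0 192.0.2.10:257          192.0.2.22:41915        ESTABLISHED 4321/fwd
tcp        0      0 192.0.2.10:257          192.0.2.23:52210        TIME_WAIT   -
tcp        0      0 192.0.2.10:18192        192.0.2.22:42000        ESTABLISHED 5000/cpd
tcp        0      0 192.0.2.10:18257        192.0.2.24:44011        ESTABLISHED 5100/fwm'

# log_peers: read netstat output on stdin; print the foreign IP of every
# ESTABLISHED TCP connection whose local port is exactly 257.
log_peers() {
    awk '$1 ~ /^tcp/ && $6 == "ESTABLISHED" && $4 ~ /:257$/ {
            sub(/:[0-9]+$/, "", $5); print $5
         }'
}

# missing_gateways GW_IP...: read netstat output on stdin; print each expected
# gateway IP with no established log connection. Exit status 1 if any are
# missing, so the function can drive a cron job or a monitoring check.
missing_gateways() {
    seen=$(log_peers)
    rc=0
    for gw in "$@"; do
        if ! printf '%s\n' "$seen" | grep -qx "$gw"; then
            printf '%s\n' "$gw"
            rc=1
        fi
    done
    return $rc
}

# On the log server you would run (gateway list is an assumed input):
#   netstat -anp | missing_gateways 192.0.2.21 192.0.2.22 192.0.2.23
```

As the post says, an established session only proves the transport is up; whether log records are actually flowing still has to be confirmed in the log server's own view of the gateway.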
  27. Replies
    1
    Views
    618

    Re: Global Policy review with Tufin

    Man, I am so disappointed in Tufin right now. They have no way to create a rules-and-objects usage report that digs into objects except via PDF or HTML. I've been told I can file an RFE or set up a PS...
  28. Replies
    9
    Views
    469

    Re: Appliance slot map

    I'm going to break protocol here and skip everything in the middle and go right for the head shot.

    I double dog dare you to do it!

    Not that I think anything will happen, but it would be nice...
  29. Re: Inconsistency switching between VSX contexts

    Looks like clish has a prompt command. I'm assuming you could fix that and submit a patch. ;)

    show clienv prompt

    looks like the default is

    %M>

    Not sure what all the options are, but i'm...
  30. Replies
    9
    Views
    469

    Re: Appliance slot map

    Doesn't ethtool also have a way to identify a port? I lost multiple days trying to understand the Ethernet naming convention in Ubuntu at one point. I found sanity only after looking Cthulhu right in...
  31. Replies
    6
    Views
    1,177

    Re: 1100 - site to site route based VPN

    Challenge accepted!

    I made a bogus VTI interface, then added a PBR route. Next hop options are IP, interface, VTI VPN.

    If I choose a next hop of the remote VTI peer, it takes it. Granted, this is not...
  32. Re: Moving CMA from one MDS env to a different one

    Thanks for all the replies, everyone. No SMB firewall, so no worries there.
  33. Replies
    1
    Views
    618

    Global Policy review with Tufin

    Has anyone used Tufin to review global policy across many gateways before? My end goal is to see what global policy usage looks like across around 100 gateways. I played around with this through the...
  34. Replies
    6
    Views
    1,177

    Re: 1100 - site to site route based VPN

    But couldn't you do that with PBR and a VTI?
  35. Re: Moving CMA from one MDS env to a different one

    Completed testing this morning. Well... can never have too much testing...

    Did not remove global policy first.

    Kept the hostname of the CMA the same. Created a dummy VM firewall in the pre-move lab...
  36. Moving CMA from one MDS env to a different one

    Hi all, I'm starting a project where I'll be moving a CMA out of one MDS into a completely different MDS. The source CMA has global policy; the destination MDS has no global policy.

    IP will change...
  37. Re: HTTPS inspection bypass not working as expected

    Have you looked at the cert it's using? Could you match that on an allow rule in your HTTPS inspection policy?
  38. Replies
    3
    Views
    370

    Re: Script to Restart Remote Gateways

    # From MGMT server / CMA
    cprid_util -server $IP -verbose rexec -rcmd bash -c 'reboot'

    I don't remember if the reboot command will ask you if you're sure or not. This should work on SMB or normal...
  39. Re: Can a Checkpoint R77.30 gateway enforce user authentication to a web server via R

    Can you expand on that? Like the normal performance issues or something else?
  40. Replies
    13
    Views
    1,399

    Re: ISP throughput

    What's that? It's slow? No, everything is fine *cough cough now cough cough*.
  41. Replies
    6
    Views
    1,177

    Re: 1100 - site to site route based VPN

    I haven't tried that before, but the route table seems to support that. Are you really using a VTI or are you doing domain-based VPN? Also, is this managed centrally by a SmartCenter?
  42. Re: How to insert old logs into Smart Event?

    sk98894, maybe?
  43. Replies
    12
    Views
    1,353

    Re: ipso 6.2 R70 and 77.10 on Ip560

    Oooh right. I forgot about that. Could very well be.
  44. Re: upgrading from R77.20 SPLAT to R80.10 GAIA

    Yeah, looks like it might not be a supported path. I would export the mgmt server database, rebuild in a VM, import, and then build new firewalls and test out pushing policies and whatnot.

    Looks...
  45. Re: Tenable Scan opening ports dynamically on GW

    I haven't heard of that. I would do a packet capture and see if you can verify it really looks like an SMTP server. Does anything show up in the logs of the secondary? What blades do you have enabled...
  46. Replies
    12
    Views
    1,353

    Re: ipso 6.2 R70 and 77.10 on Ip560

    OK, first, yes, no Gaia on an IPSO appliance. 100% agree.

    Is this a flash-based IP560? Can you send the output of

    df -k

    If this only has CF and no hard drive then you cannot install management...
  47. Replies
    12
    Views
    1,353

    Re: ipso 6.2 R70 and 77.10 on Ip560

    It's not clear what part you're saying is failing. Are you trying to run a firewall + mgmt on a flash-based firewall? If so, that isn't supported.

    If that isn't what you're getting at, can you explain?...
  48. Replies
    13
    Views
    1,399

    Re: ISP throughput

    Yes, it will. As Shadow indicated, the ISP router would need to do the hide NAT function. The only thing he left out would be a static route on the ISP router saying how to get to the subnet behind the 1100. ...
  49. Replies
    13
    Views
    1,399

    Re: ISP throughput

    Oops, my bad, you are correct.
  50. Replies
    13
    Views
    1,399

    Re: ISP throughput

    The 1100 isn't the fastest firewall in the world. That being said, it doesn't seem like it's overloaded based on the netstat -in output. How does top look when you run the speed test?

    Have you tried wiring...
  51. Re: Smart Console error "Unable to get idle-time workstation locking policy"

    I normally don't like throwing this option out there, but since this is an older version have you tried rebooting the mgmt server?

    Never mind, may not be worth trying. I didn't poke around the SK.
  52. Re: How to install policy with comms from mgmt server blocked by antispoofing

    Or a bridge firewall with a dedicated mgmt interface that needs internet access, which would then route through the internal interface of the bridge, but there is some newer way to handle that. Some...
  53. Replies
    8
    Views
    1,618

    Re: VPN Redundancy how to?

    This might be a little exotic, but does the remote side support VTI or route-based VPNs? It's the same thing, just a different name. They're interesting because the VPN doesn't use local and remote...
  54. Replies
    2
    Views
    332

    Re: CPUSE force install?

    Yeah, that's what I ended up doing. Basically, delete any ref of _30_JUMBO_HF. Now CPUSE will install.

    crossing fingers.
  55. Replies
    2
    Views
    332

    CPUSE force install?

    Is there a way to force the install of a jumbo hotfix via CPUSE? I have a replication setup that thinks JH $version is installed but it's not. Want to reinstall $version, then upgrade to 309.
  56. Re: How to install policy with comms from mgmt server blocked by antispoofing

    That is a completely different beast. Interface spoofing cannot be addressed with address spoofing.

    Do you by chance have more than one cluster on the same VLAN? What about checking for IP...
  57. Replies
    10
    Views
    778

    Re: checkpoint appliance and microburst

    My guess is rx_missed_errors and/or rx_no_buffer_count go up.
  58. Replies
    5
    Views
    453

    Re: VPN PreShare Key cmd/clish

    My guess based on a few searches is the PSK is stored in fwauth.NDB. I don't know what data store format that file is. Maybe something that Check Point cooked up? Was thinking maybe a Sleepycat (or...
  59. Re: Strange behavior on R77.20 cluster gateway SPLAT referer to cluster state

    ClusterXL can't sync members with different CoreXL configs, as you've found. All you should need to do is run cpconfig and fix the number in the CoreXL configuration.

    Did you try that already?
  60. Replies
    10
    Views
    778

    Re: checkpoint appliance and microburst

    It fully tastes the rainbow.
  61. Replies
    5
    Views
    453

    Re: VPN PreShare Key cmd/clish

    As far as I know you can't see it via clish. It's stored in a database that is accessed via SmartDashboard by editing the VPN community.
  62. Replies
    0
    Views
    269

    R77.20.75 upgrade strangeness

    I just upgraded to R77.20.75 this morning and something strange happened. DHCP on the WAN interface was working *I think*, as I could see an IP on it. No complaints in messages about DHCP.

    Reboot...
  63. Re: PBR Problem Behavior on 1100 and 1400 Appliances

    Seems like the static-route command in clish supports PBR.

    FW750> add static-route
    destination - IP address and subnet length of the destination of the packet in the format IP/subnet. e.g....
  64. Re: PBR Problem Behavior on 1100 and 1400 Appliances

    I haven't done PBR on an SMB firewall, but my guess (and this is just a guess) is this should be done via clish or something so that router.conf gets updated. I'll poke around later to see if I find...
  65. Re: Check Point Gaia OS Privilege Escalation

    OK, you're right. Sorry, I forgot Q1 ended Feb 28. My bad.
  66. Re: Check Point Gaia OS Privilege Escalation

    I guess, to be fair, Check Point did say fix in Q1, which technically isn't over.
  67. Re: Check Point Gaia OS Privilege Escalation

    1377
  68. Re: Check Point Gaia OS Privilege Escalation

    I wonder what else is missing from here
  69. Re: Problem routing between star communities (R77.30)

    I did this using domain-based VPN and 3rd party: pfSense -> IPsec -> Check Point -> IPsec -> pfSense.

    http://blog.spikefishsolutions.com/2016/06/star-vpn-with-center-gateway-as-hub.html

    Man, I hope...
  70. Re: RX-DRP / RX-OVR (FIFO Errors) / ClusterXL State change during policy install

    I don't see anything major based on the top output. It's a little strange that snmpd is using so much more memory on the standby, but otherwise it seems fine.
  71. Re: RX-DRP / RX-OVR (FIFO Errors) / ClusterXL State change during policy install

    Just a few things I noticed. Memory usage looks a little strange: 700 MB higher on the active node. Not sure if you noticed, but peak connections were a bit high as well. Could be from choking on policy...
  72. Replies
    24
    Views
    2,343

    Re: unable to connect to server

    I hope the humor translates. But come on. You going to let a shell script tell you what is and isn't possible? Use the source, Luke.
  73. Replies
    24
    Views
    2,343

    Re: unable to connect to server

    Well, there is supported, and then there is possible... :D

    I'm assuming this is for a lab box, since a 4200 is a pretty sad box for a mgmt server.

    Crack the box open (oh noes!), look at the...
  74. Replies
    3
    Views
    557

    Re: Editin multiple user object possible?

    Which version?
  75. Replies
    24
    Views
    2,343

    Re: unable to connect to server

    Yeah, so upgrade the RAM to 8 GB.
    </shifteyes>
  76. Re: Error when logging into CLI of Provder-1 server

    That's it, _nonlocl. What does messages say when you log in?
  77. Re: Error when logging into CLI of Provder-1 server

    I think the user none-local or something like that is the user you become when you log in with RADIUS. Can you show your /etc/passwd file? Also, what shows up in /var/log/messages when you attempt a...
  78. Replies
    32
    Views
    6,891

    Re: Java Process Consuming High CPU in R80

    I wouldn't be shocked if the RAID config was the issue. RAID 5 basically stinks. No write speed boost.
  79. Replies
    6
    Views
    461

    Re: Hot Fix Installation Verifier

    cpinfo -y all

    You might need to install the latest cpinfo for this to work. Upgrading cpinfo is 100% non-impacting.
  80. Replies
    24
    Views
    1,439

    Re: URL filtering, is this a joke?

    Not to downplay your pain or anything. Just pointing out that from a regex point of view

    \.example\.com

    and

    .*\.example\.com

    should in theory match the same thing from a regex point of...
  81. Thread: Dual NAT

    by jflemingeds
    Replies
    6
    Views
    567

    Re: Dual NAT

    If you can't explain what you're trying to do it's going to be very hard to help you. Can you show a network diagram, maybe?
  82. Replies
    24
    Views
    2,343

    Re: unable to connect to server

    That only affected new installs of R77 after Jan 24 2018, from reading SK22612.
  83. Re: Network monitoring on Checkpoint ext interface

    Nothing stopping you from compiling and running ntop yourself.
  84. Replies
    19
    Views
    1,759

    Re: 80.10 problems on ESXi 6.5

    That file should not be empty. This is from an R80 open server mgmt server, for the normal section of the boot loader.

    title Start in normal mode
    root (hd0,0)
    kernel /vmlinuz...
  85. Re: Strange connection disruption 30minutes + after policy install

    Can you show an example ARP request you see when the outage hits? ARP should only be used to find out info for the local network.

    BTW Linux does have a limit to the number of ARP entries it can...
  86. Re: Strange connection disruption 30minutes + after policy install

    This is very odd and smells like an incorrect subnet mask. There is no reason a device should ARP for a remote server unless maybe it's really talking to a NAT on the local network.

    Is this...
  87. Re: pre upgrade check - INSPECT manual changes

    My guess is LDAP across VPN was enabled, but to find out for sure do an install in a VM and compare the fresh install with yours to see the difference.
  88. Replies
    19
    Views
    1,759

    Re: 80.10 problems on ESXi 6.5

    Can you show where you did so? Just making sure you put it in the right spot. Should be on the kernel line.
  89. Replies
    19
    Views
    1,759

    Re: 80.10 problems on ESXi 6.5

    I'm not sure it only affects boot up. Non-cacheable RAM is bad. The bug posted made it sound like just about any data structure could end up in that range and have a performance impact.

    Of course...
  90. Replies
    19
    Views
    1,759

    Re: 80.10 problems on ESXi 6.5

    Something like /boot/grub/menu.lst

    The Red Hat bug you posted says it needs to be enabled (which doesn't seem to be the default for Red Hat). What I don't know is if the code to support it is there or...
  91. Replies
    3
    Views
    378

    Re: Natting behind different ISPs

    Sounds right to me. Either do an automatic NAT and set it to hide behind the gateway, or do a manual NAT with a host object of 0.0.0.0. Should do the same thing, basically.
  92. Replies
    19
    Views
    1,759

    Re: 80.10 problems on ESXi 6.5

    Did you try setting acpi_mcfg_max_pci_bus_num=on in your menu.lst file?
  93. Re: MTU issues: packets are always fragmented by firewall!

    I don't get why anyone would want to use PMTU over MSS. Maybe because PMTU is semi-auto? Shrug. Just seems like it is better not to rely on a 2nd protocol to figure out MSS when it can be handled...
  94. Replies
    12
    Views
    1,360

    Re: Anyone attending CPX360 2018?

    Did anyone else see the dance-off between Westcon and ShadowPeak? It was epic.
  95. Re: MTU issues: packets are always fragmented by firewall!

    It should. If the MSS is clamped to a low enough level you'll always be under the MTU, for TCP traffic at least.
  96. Re: MTU issues: packets are always fragmented by firewall!

    Is there a VPN behind the firewall? Just wondering if that is the reason for the lowered MTU. If so, that device should be clamping the MSS, in a perfect world.
  97. Re: MTU issues: packets are always fragmented by firewall!

    OK, well, I'm checking out. Heading over to get settled for the game.

    If you can, can you explain what the core problem is again?
  98. Re: MTU issues: packets are always fragmented by firewall!

    This site really is a miserable experience on mobile. I'll check it out from the airport if LA traffic doesn't curse me.
  99. Re: MTU issues: packets are always fragmented by firewall!

    Hmmm, I can't seem to see the capture. It's too blurry. BTW Ethernet has 18 bytes of overhead, so the max frame size will be 1518 with an MTU of 1500 bytes.

    I would assume it's inherited as well. I mean...
  100. Re: MTU issues: our R7720 and R8810 behave differently concerning fragmentation

    UDP is stateless, therefore anything like this would require the app layer to handle it.