CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.



Type: Posts; User: Tan Da Boss


  1. Replies
    0
    Views
    3,439

    Experience with Gaia / R75.40

    Hello everyone,

    do you have any feedback to share regarding Gaia / R75.40?

    Tan
  2. Replies
    2
    Views
    2,180

    Re: Create a management backup

    You can have a look at this thread.
    It explains more or less different solutions to your issue.

    http://www.cpug.org/forums/smartdashboard/15753-use-two-smart-dashboards-different-sites.html
  3. Re: installation failed.Reason:Internal SSL authenticaiton SSL error(Unknown) message

    Your SIC is obviously not functioning. It is the secured communication between your management and your gateways:
    SIC Status for prenlofwnpr1: Not Communicating
    Internal SSL authentication error...
  4. Re: Migrate Provider-1 R70.30 with R65.20 VSX to Provider-1 R71.30 VSX R65.20

    varera made a presentation about this topic 2 years ago at CPUG conf in Europe
    I know that the slides were available online but no way to find them and Barry is not responding to my PM
  5. Re: info required : antispoofing on command line

    I don't really understand the idea underneath. As long as your AS is set correctly, you shouldn't be annoyed.
  6. Replies
    8
    Views
    3,161

    Re: IP Appliance Throughput Testing

    One of my customers made some benchmark last year on Nokia's boxes with ADP and 10Gig Interfaces.
    Max throughput per interface was around 1 Gig ...
    When you are buying some 10 Gig interfaces, you...
  7. Replies
    9
    Views
    39,115

    Re: How to export rulebase to Excel?

    Confwiz is nice for hosts and services but for groups or rulebases it is just useless. It is unreadable. You can surely write a script or a macro to fix it but well it is faster to use...
  8. Re: How to migrate SmartCenter R60 (IPSO) box to R71 Smart-1 appliance (SPLAT)

    In the Upgrade guide, every step is detailed for all kinds of scenarios.
    Make sure you are using the latest version of the migration tools.
    You will have of course to configure by yourself the OS...
  9. Replies
    7
    Views
    4,952

    Re: Passed Accelerated CCSE R71 156-915.71

    well done all
    I also have to prepare for my recert also. I will give you a feedback when I will pass it.
  10. Re: IPS Blade Strengths/Weaknesses/Impressions

    As far as I've seen, IPS Blade is a bit better than SmartDefense but the difference is not that huge.
    It is very weird all the issues related to updates or false positives we encounter with IPS...
  11. Re: Policy installation problem after IPS update : cannot find SPII_ACCEPT_CONN_STUB

    As far as I've seen, IPS Blade is a bit better than SmartDefense but the difference is light.
    It is very weird all the issues related to updates or false positive we encounter with IPS blade. I...
  12. Replies
    10
    Views
    3,899

    Re: IPS Drops without IPS enforcement

    Hi Serlud,

    I'm not able to find out names or MD5 of the files. All files are at my customer and I'm not working there any more.
    As you experienced, it was not that straight forward. I remember to...
  13. Replies
    10
    Views
    3,899

    Re: IPS Drops without IPS enforcement

    I've encountered the same issue at a customer.
    CP TAC provided us a hotfix to fix this issue.
    Seems that the hotfix is tied to the hardware you are using.
  14. Poll: Re: Which firewall technology do you use besides Check Point?

    Indeed, a new blade has been available since late 2010 in R75. The part I find really interesting is identity awareness. Unfortunately I haven't had time to test it yet.
  15. Replies
    2
    Views
    1,504

    Re: Update MWAG; Added P1 and SC scripts

    Great site
    Thx for sharing
  16. Poll: Re: Which firewall technology do you use besides Check Point?

    It's true that for the past few months we have felt fierce competition in the firewall market, and both Cisco and Check Point have lost ground.
    One of my customers chose Fortinet for the first...
  17. Replies
    12
    Views
    7,189

    Re: Cannot ping VIP address!

    from sk26874



    it is a normal behavior but don't ask me the reasons of that I have no idea :D
  18. Replies
    5
    Views
    2,768

    Re: Extract firewall rules

    cpdb2html is part of web visualization tool which is supported on R70 and earlier versions.
  19. Replies
    3
    Views
    1,504

    Re: test scenario connection against rules

    With the Manage Rule Queries, you can do that (Search>Manage Rule Queries). It works but there are some limitations, for example, it doesn't take into consideration the negate cells.
  20. Re: Powerful combination of Confwiz and Excel

    Hi Ofer,

    I tried to do some manipulations with rules but it is nearly impossible. The ruleset objects are referred to Reference_Keywordxx. I haven't found the way yet to identify the object through...
  21. Replies
    30
    Views
    7,483

    Re: Confwiz supports R70!!!

    Hi Ofer,

    Do you know how I can submit the request to the service center?
    I browsed the CP website and haven't found anything.

    Thx

    Tan
  22. Network Security Engineer - Open Permanent Position in North Switzerland

    Hi,

    my company is looking for a network security engineer. German/Swiss German and English are mandatory. Experience/certifications with our key partners are greatly appreciated: Cisco, Check...
  23. Replies
    19
    Views
    11,161

    Re: This new forum about the CCSA R70 Exams

    Well but it takes me more than one minute to read, understand, analyze and answer correctly to this kind of questions.

    So I might fail my next recertification :D
  24. Replies
    4
    Views
    2,547

    Re: Any experience with the course material?

    To my knowledge, there were only two versions of courseware for R65 ...
    There are not so many errors in the courseware but the huge ones ;)
  25. Replies
    30
    Views
    7,483

    Re: Confwiz supports R70!!!

    Hi Ofer,

    thanks, I'm currently doing it for a customer to replicate the objects between CMAs. Maybe it is a request for feature, but it would be nice to have it integrated into the P-1 interface....
  26. Replies
    30
    Views
    7,483

    Re: Confwiz supports R70!!!

    Great News.
    I've used it several times on different configurations and so far, I'm very happy with it.
    Do you know if Check Point will implement it as a functionality?
    For example in P-1, to...
  27. Replies
    19
    Views
    11,161

    Re: This new forum about the CCSA R70 Exams

    130 questions in 120 minutes!
    you have to be very quick!
    Does the R70 exam include very long questions as it was in the previous versions?
    You know the kind of question where you are administrator...
  28. Re: Synchronize objects database between 2 smartdashboards

    Hi Gustave,

    you can use confwiz for that.
    Pretty easy to use and supported by CheckPoint.
    I've done dozens of Objects replications between SmartCenters and CMAs.

    More details in this section...
  29. Replies
    2
    Views
    2,351

    Re: Changing IP Address of Management server

    you have this procedure detailed in the Upgrade guide.
    The specific case for changing the IP of the SmartCenter is described in the doc.
  30. re: Checkpoint latest releases "has anyone got access via their website?"

    yes you're right it should be the EA program download page or something similar.
  31. re: Checkpoint latest releases "has anyone got access via their website?"

    R70.30? already?
  32. Re: An Open Letter To Training & Certification Manager Amy Hughey

    2 weeks instead of 1???
    I can see new topics but the difference of time is huge!
    what about CCSE+?
  33. Re: Green light flashing on checkpoint utm appliance

    The info you found is regarding Edge boxes I guess.
    I don't know the status light of the UTM-1 appliances but as long as it is green, I think you are on the good way. Do you have any message in the...
  34. Poll: Re: Which firewall technology do you use besides Check Point?

    I answered Cisco because the CP/Cisco pairing is the most widespread.
    We are now a long way from the 6.x/pdm era and Cisco has improved its products considerably, even if there is still a bit of work left.
  35. Re: CPUG on Tour One-Day Technical Conferences in Atlanta (2/23) and New York City (2

    Thanks, Great!
    Enjoy the conferences everyone :)
  36. Re: CPUG on Tour One-Day Technical Conferences in Atlanta (2/23) and New York City (2

    Will the presentations be on line afterwards as it was for Chur CPUG conf? US is too far for me ;)
  37. Replies
    19
    Views
    12,489

    Re: CbtNuggets CCSA

    Congratulations Routerkid1. Great Link! Thanks.
  38. Thread: Nokia VRRP

    by Tan Da Boss
    Replies
    5
    Views
    5,216

    Re: Nokia VRRP

    regarding the synchronization, it is recommended to have a dedicated interface.
  39. Thread: Nokia VRRP

    by Tan Da Boss
    Replies
    5
    Views
    5,216

    Re: Nokia VRRP

    It seems that your configuration is fine.
    You have to distinguish IPSO level (vrrp) and Check Point level (cphaprobe).
    As long as you see master/backup in the vrrp configuration and active/active...
  40. Re: TCP session timeout seems not working for service...ANY

    do you need two definitions for the same service?
    I would delete the one you don't need or disable the match for any option (advanced options of the service) for the one that annoys you.
    So when...
  41. Re: Any feedback on Palo Alto's security solution ?

    I had indirect feedback from a customer using it to protect and filter around 5000 users.
    Seems that the performances are really good and the customer is pretty happy. The vendor claims high...
  42. Re: TCP session timeout seems not working for service...ANY

    as far as I know normally it shouldn't behave differently
    does your problem impact any tcp port or just some? maybe you have specific session timeouts for a few tcp services
  43. Replies
    30
    Views
    12,889

    Re: Virtual Machine (VMware) Nokia IPSO

    I think it is pretty tough to get this file unless you know some people in the dev team.
  44. Replies
    3
    Views
    1,299

    Re: new fellow with a design question

    welcome to CPUG
    You can have a look at the VPN forum
    VPN's (Virtual Private Networks) - CPUG: The Check Point User Group
    You can make a search in this forum only with some key words
    you can check...
  45. Re: Check Point VPN-1 SecureClient NGX R60 HFA3 for Windows 7

    dracosveen>> uses the link above
    I just tested it and you don't have to login at all
  46. Thread: EXPORT VSX

    by Tan Da Boss
    Replies
    5
    Views
    1,404

    Re: EXPORT VSX

    check the upgrade guide, the procedure is defined.
    you have to create a temporary SC object with the new IP
    all the steps are detailed in the document

    the title of the chapter is

    "Migration...
  47. Replies
    4
    Views
    2,837

    Re: Welcome to CPUG in French

    Hello everyone,

    at last we have our section for French speakers.
    It would be good to share here the various events relating to Check Point or even to security.

    See you soon,

    Tan
    ...
  48. Maybe Confwiz?

    Hi

    Have you tried the confwiz tool?
    http://www.cpug.org/forums/confwiz/11220-powerful-combination-confwiz-excel.html

    If you are creating hosts, networks, services it is fine.
    If you want to...
  49. Re: Check Point VPN-1 SecureClient NGX R60 HFA3 for Windows 7

    I can download both files today. Maybe temporary dead links.
  50. Replies
    13
    Views
    2,781

    Re: Checkpoint authentication assistance

    I think it meets my customer's issue. The Citrix servers are on one side of the firewall and the resources on the other side.
    So I guess the OPSEC API of Citrix should forward the user's group to...
  51. Replies
    13
    Views
    2,781

    Re: Checkpoint authentication assistance

    Thanks Thorpuse for your inputs.
    I will ask our Check Point SE or maybe directly to varera ;)

    What a pity because the description was so attractive and would have fulfilled my customer needs.
  52. Replies
    13
    Views
    2,781

    Re: Checkpoint authentication assistance

    I'm facing the same issue as you for a customer.
    He pointed me to the User Authority Feature to use with Citrix servers.
    Our aim is to filter Citrix connections using the user's group membership....
  53. Re: Check Point VPN-1 SecureClient NGX R60 HFA3 for Windows 7

    I cannot download the release notes nor the secureclient software.
  54. Replies
    4
    Views
    3,682

    Re: UTM-1 xx70 series R70.1

    Thanks for the tip.
    By now, I haven't installed any UTM-1 without R70 embedded.
  55. Replies
    5
    Views
    2,096

    Re: R70.20 is GA

    I read the release notes and nothing is clearly stated.
    You just have to use software blade licenses for some specific features such as IPS geolocalisation or multicore.
  56. Replies
    17
    Views
    5,418

    Re: Some info about exam

    Just to confirm what chmelvv said.

    Lot of questions regarding ClusterXL (all modes), Upgrade and VPN (MEP and VTI). There are a lot of similar questions with slight differences.
    Quite a lot of...
  57. Re: Firewall rule clean-up tools assistance needed

    I don't have "live" experience with the product but some colleagues gave me a very good feedback. The product was deployed in a very large environment and the customer was really satisfied.
    To find...
  58. Re: Firewall rule clean-up tools assistance needed

    Tufin can identify for you unused objects in a rule (source, destination or service) but you have to remove them by yourself.
    I don't know any dynamic tool that can identify and remove unused...
  59. Re: Nokia hardware & IPSO end of life/support dates

    here it is ;)

    Check Point Enterprise Appliance Support Timeline
  60. Thks

    Thanks to all for your feedback.
    With all the reported bugs, I don't think I will upgrade to HFA50...
  61. Replies
    6
    Views
    2,550

    no real solution

    Same problem over here.
    We set up a secondary IP on the external interface of the primary member. It works but in case of failover we will lose all the connections to this secondary IP.
    We are...
  62. Replies
    6
    Views
    2,178

    Re: Monitor FTP traffic last week?

    not the only purpose of Smartview Monitor
    You can create graphs and diagrams to show different kinds of stats such as bandwidth by services, gateways, interfaces and many more. Stats of long periods...
  63. Replies
    6
    Views
    2,178

    Re: Monitor FTP traffic last week?

    not sure that you can filter by IP but I don't use SmartView Monitor that much.
  64. Replies
    26
    Views
    6,164

    Re: R70.1 available

    LOL
    Excellent!
    Then don't ask why we get confused with Check Point sometimes ;)
  65. Replies
    2
    Views
    1,477

    Re: backup smartcenter on spalt

    if you have the place to store it, you can also use the snapshot feature.
    it takes a snapshot of your whole Splat, so pretty quick to restore if you have any issue.
  66. Replies
    2
    Views
    2,777

    Re: Limit of subinterfaces

    In addition, the total of subinterfaces is limited to 1024.
  67. Replies
    30
    Views
    9,273

    Re: Smart-1 Appliances

    I still have some issues to understand the interests of this solution.
    Ok, there won't be any driver issue but can someone have answers to the following questions?
    Is it cheaper than a traditional...
  68. Replies
    1
    Views
    1,956

    Re: New UTM-1 Appliance Setup

    Yes you have a VIP.
    The passive fw takes the hand if a monitored interface or the active peer is reported as down. There is a synchronization link to monitor the peer and to synchronize the...
  69. Re: R70

    I'm replying to myself. No, only Ipso 6.0.7 supports R70 so just three appliances can run R70.
    But when you check CP's website, it says all platforms are R70 compatible...

    Check Point IP...
  70. R70

    Does the latest 4.2 build support R70?
    If not, it means that R70 is only supported on a limited number of IP appliances.
  71. Re: Powerful combination of Confwiz and Excel

    Hi Ofer,

    No in fact I was asking for the same feature as for the objects, so Excel + confwiz. Do you think it is possible? I'm thinking about it because I just created a brand new rule base using...
  72. Re: Powerful combination of Confwiz and Excel

    Nice input.
    Will it be also possible to import large rules base with this tool?

    We can currently do it with dbedit via command line but it isn't really userfriendly. :(
  73. Replies
    5
    Views
    4,176

    Re: NAT & Proxy ARP SPLAT

    Nice article, easy to understand.
    I guess that the file proxy.arp should exist and be used to use the following command, isn't it?
    /sbin/arp -s [NAT IP] [MAC Address] pub

    I know that the...
  74. Replies
    5
    Views
    4,176

    Re: NAT & Proxy ARP SPLAT

    here are some interesting inputs from northlandboy
    http://www.cpug.org/forums/nat-network-address-translation/2600-how-view-automatic-proxy-arps-ngx.html
  75. Replies
    5
    Views
    4,176

    Re: NAT & Proxy ARP SPLAT

    same situation, completely lost on how it works!
    on my side, I didn't create the route but in the security rules, I have defined the public IP of the host as destination ...
    it works but I don't...
  76. Replies
    13
    Views
    8,199

    Beta Version

    I consider this confwiz as a beta version. Check Point has to work hard and quick to support Cisco latest versions.
    Cisco has a converting tool for years supporting Check Point versions from 4.x to...
  77. Re: R65 and HFA 40 and NICs problem. Working solutions

    The available HFA40 is still the old one on the usercenter.
  78. Replies
    4
    Views
    1,436

    Re: Good IDS/IPS

    freeware : Snort
    Vendor's solutions: TippingPoint and Sourcefire.

    I don't know any windows based solution.

    Cheers,

    Tan
  79. Replies
    9
    Views
    6,716

    Re: Fw unloadlocal

    is there any way to enable ip forwarding when the policy is disabled?
  80. Re: QoS Alert message - [Cannot delete last QoS policy]

    seems to be a normal behaviour if we refer to sk32964.

    maybe you can try to disable QOS module on your gateway and then try to push the policy if you want to disable this feature

    Cheers

    Tan
  81. Replies
    4
    Views
    1,672

    Re: Sychronization question driving me Crazy

    Dynamic routing was introduced with NGX R60 but you're right Nokia has proposed these functionalities much sooner than CP.
  82. Replies
    13
    Views
    7,097

    Re: SecureClient not getting Office Mode IP

    I had a similar issue.
    During some tests at a customer site, I noticed that each time I stopped and restarted the SC services, I lost office mode functionality.
    The VPN still works but I don't have...
  83. Replies
    14
    Views
    2,171

    Re: NOKIA or SPLAT on INTEL, which is best ?

    I'm pretty sure that CP wants to kick out Nokia from their business but I don't think it will be as quick as desperado618 suggested.

    40% of the CP's firewalls are running Nokia's IPSO and I'm not...
  84. Replies
    9
    Views
    5,204

    Re: IKEView interpretation - INVALID ID INFO

    Hi ChrisA,

    you have the VPN-1_VPN_Interoperability.pdf which describes the different possible issues with VPN.
    I have the same issue and in my case I think that the SA Lifetimes aren't the same...
  85. Replies
    1
    Views
    1,529

    Re: R62 HFA01 released

    With 56 fixes, it looks like a Cisco Asa Interim Release :D
  86. Replies
    8
    Views
    2,904

    Re: NGX R62 HFA's

    Several of our customers had some issues with H323.



    Few customers also have the following issue:



    Some issues were reported by my colleagues and the fix should be included in this HFA....
  87. Replies
    8
    Views
    2,904

    Re: NGX R62 HFA's

    HFA 01 is now available for NGX R62!!! At last!!! ;)
  88. Re: how to associate the diff-serv class with a qos policy

    Hi Sebastian

    I think you try to modify the default rule created by Check Point that's why you cannot modify the source or the destination.

    Here is an example of QOS policy.
    ...
  89. Re: how to associate the diff-serv class with a qos policy

    Hi Sebastian,

    I think you did half of the configuration.
    You have already defined your Class of Service (Diffserv - EF for Voice I assume) and you have configured your interface for QOS.

    Now,...
  90. Replies
    6
    Views
    1,552

    Re: Hotfix supplements

    Most of the time, the latest HFA includes previous ones.
    So HFA 03 should include HFA 02 and 01 fixes.

    For special Hot fixes, as suggested by chillyjim, you should check release notes.

    Don't...
  91. Replies
    6
    Views
    2,492

    Re: Urgent Help

    156-215.1 is still available
    I don't know why they created an exam for R65.
  92. Replies
    1
    Views
    1,738

    Re: Passed CCSA 88% April 30th 2008

    Hi all,

    just passed CCSE this afternoon and although the questions seem easier than CCSA's ones, I "only" scored 81%.

    Same methods used to prepare this test.

    A lot of questions on VoIP, VPN,...
  93. Replies
    1
    Views
    1,738

    Passed CCSA 88% April 30th 2008

    Hi,

    I just passed my CCSA this morning.

    I have no particular issue except for LDAP questions (only 66%).
    Be sure to learn Check Point ports or services such as:

    256 FW1
    257 FW1_Log
    18190...
  94. Re: Can ToS flags (DSCP) be forwarded across Floodgate?

    Has anybody already implemented QOS on internal and external interfaces?
    I chatted with CP's TAC and she just told me that it might be a performance issue.
    One of my customer has a firewall...
  95. Re: Can ToS flags (DSCP) be forwarded across Floodgate?

    Thanks Routerkid1 for this answer.
    Do you know if the next NGX R65 VoIP will include this functionality?

    Cheers

    Tan
  96. Solutions? IP560, SecureXL, & NIF4427 Accelerator Exprience

    Hi all,

    it seems that a fix has been included in the latest IPSO (4.2 build 78, fix for 4.1 IPSO will be released soon).

    Cheers,

    Tan
  97. Replies
    1
    Views
    1,629

    Re: Interface state unknown using fw monitor

    Hi Stephan,

    one of my customers has a similar issue.
    he is using Nortel Contivity for specific users and this VPN tunnel passes through his Check Point Site to Site VPN (so VPN inside VPN). No...
  98. Replies
    8
    Views
    5,167

    Re: CCSA CCSE RESOURCE DOWNLOAD HERE

    Do you know who is the owner of this site?
    I would like to report some errors in the NGX II courseware.
    Some pages are missing and sometimes some are reversed.

    Anyway this site is great.

    I...
  99. Replies
    49
    Views
    26,091

    Re: Pass4sure v2.73

    Hi Trinity,

    I sent you a private message.

    Cheers,

    Tan
  100. Re: IP560, SecureXL, & NIF4427 Accelerator Exprience

    Hi All,

    here is the confirmation that SecureXL + NIF4427 isn't a good combination.
    From Nokia's TAC:



    One of my customer has had this issue twice this week. SecureXL was enabled at the...
Results 1 to 100 of 140