CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.



Type: Posts; User: jcstefansson


  1. Replies
    2
    Views
    484

    Re: Mass-update to VPN Clients

    That's correct. I eventually found an update utility that would allow me to merge an updated trac.config file and distribute it by a script in the Endpoint admin guide.
  2. Replies
    2
    Views
    484

    Mass-update to VPN Clients

    I have a customer who is planning to migrate to a new physical location and a new IP address. They have approximately 200 customers who connect to their site via Endpoint Security client. They are...
  3. Re: After R80.10 upgrade, IA blade seems nonfunctional

    After examination, we determined that WMI had broken on the DCs and that was the problem. We replaced it with IDC and that worked.
  4. After R80.10 upgrade, IA blade seems nonfunctional

    Hey all,

    I recently upgraded an environment to R80.10. No issues during the upgrade and traffic seems to be passing normally. However, I observed in the logs that we are no longer getting...
  5. Replies
    16
    Views
    2,421

    Re: OSPF Route-based VPN questions

    So we had it all up and going (except the one site that needed a firmware upgrade), and it went down when we pushed policy. We were able to inconsistently replicate this failure, but unable to...
  6. Replies
    16
    Views
    2,421

    Re: OSPF Route-based VPN questions

    Spent some more time on this this morning.

    Figured out what the policy push issue was, there was a no-NAT rule for management to firewall traffic (because it normally goes over fiber MPLS). I...
  7. Replies
    16
    Views
    2,421

    Re: OSPF Route-based VPN questions

    So when the tunnel is up, I don't seem to see any traffic going across it. I do see the OSPF hello packet counter increment, but I never actually see the packet on the tcpdump.
  8. Replies
    16
    Views
    2,421

    Re: OSPF Route-based VPN questions

    The OSPF neighbor relationship isn't establishing and there's a specific host entry for the Mgmt on the remote gateway which I would THINK should cause it to route out the internet and not on the...
  9. Replies
    16
    Views
    2,421

    Re: OSPF Route-based VPN questions

    So the odd bit to me is that GW1 can talk to GW4 over the VTI (can ping the peer VTI), but the rest of the tunnels seem to be nonfunctional. What's extra weird about that is that GW4 still has its...
  10. Replies
    16
    Views
    2,421

    Re: OSPF Route-based VPN questions

    At the moment, it is anyInternalNetworks-any-ospf-allow.

    The goal is to migrate totally to an OSPF route-based VPN, but until we get it working, there's a mix of domain and route based in the...
  11. Replies
    16
    Views
    2,421

    Re: OSPF Route-based VPN questions

    What happens if the domain isn't emptied on all members of the community? I ask because I'd like to test by removing it from two sites and confirm they can peer and such without affecting resources...
  12. Replies
    16
    Views
    2,421

    OSPF Route-based VPN questions

    Hello,

    I am attempting to convert an existing regular Mesh VPN network to a route-based VPN using OSPF. However, I seem to be doing something wrong. I'll describe the steps I've performed, and...
  13. Replies
    5
    Views
    684

    Re: Route Based VPN VTI configuration

    When I create the VTI, there is a field I have to fill in called VPN Tunnel ID. That's what I was referring to. I'm adding these via Gaia web ui.
  14. Replies
    5
    Views
    684

    Re: Route Based VPN VTI configuration

    I was told that they do. I haven't gotten around to the implementation on the Edges, just the 1100s so far. VPN mailing list tells me that the VTI ID is a unique-per-box identifier, and isn't...
  15. Replies
    5
    Views
    684

    Route Based VPN VTI configuration

    When configuring VTIs for gateways that participate in a meshed community, should the VTI ID be unique per pair (GW A to GW B is 2, GW A to C is 3, GW B to C is 4, etc), or unique per community (VPN...
  16. Replies
    13
    Views
    2,470

    Re: Not responding to arp-who-has

    Confirmation: We did the upgrade again last night with clusterXL not enabled, and encountered no issues.
  17. Replies
    13
    Views
    2,470

    Re: Not responding to arp-who-has

    We rolled back to an R77.30 snapshot because of pressure from above, but here's info from last night:

    Static automatic NATs are what's being used in the config. We tried creating a manual NAT...
  18. Replies
    13
    Views
    2,470

    Not responding to arp-who-has

    Recently upgraded a single member firewall to R80.10. We have about 10 static NATs automatic in objects. Outbound traffic on those NATs seems to work fine (as well as all Hide NAT traffic). ...
  19. Re: After upgrading to R80.10 lost access to ssh and web UI

    In many cases, in place upgrades fail in CPUSE, whether via WebUI or CLI. If you mean after the upgrade, I've had fewer issues there, though I have had problems with 3rd party vendors who haven't...
  20. Replies
    3
    Views
    1,269

    Re: TACACS configuration and SIC Reset

    Updating the thread with what we wound up doing:
    https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk41239&partition=General&product=Security...
  21. Re: After upgrading to R80.10 lost access to ssh and web UI

    I've been performing a number of 80.10 upgrades and I strongly suggest clean install as the method of upgrading if at all possible.
  22. Replies
    3
    Views
    1,269

    TACACS configuration and SIC Reset

    Hello all,

    I was working on an environment with an IPSO R75 cluster. We were resetting SIC due to a management IP/hostname change. When we reset SIC on the first firewall, we lost SSH access. ...
  23. Re: dbedit to import a large number of non-contiguous IP hosts

    What does the function of the { } do in the context of the line? Does it simply enable the phrase in " " (IE, is it like a super command, which contains the code inside the print line)?
  24. dbedit to import a large number of non-contiguous IP hosts

    Can I make a script that will take a file input and interpret it so I can bulk import noncontiguous IPs without having to manually enter them? Something like this:

    INPUT= #Here I want it to take a...
Results 1 to 24 of 24