CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.


First, I hope you're all well and staying safe.
Second, I want to give a "heads up" that you should see more activity here shortly, and maybe a few cosmetic changes.
I'll post more details to the "Announcements" forum soon, so be on the lookout. -E

 

Type: Posts; User: Acidio


  1. Replies: 2, Views: 1,953

    Feature description

    Hi all,

    Anyone know what CPSG-C-1-50 is? I've done a little research but haven't seen anything conclusive. It seems to appear with other CPSG type features.
  2. Replies: 2, Views: 2,651

    Re: Stable version in Alteon

    The 2.x.x and 3.x.x/4.x.x are different code streams. The 2.3.x code stream is for the 5100 series firewalls. Look for the highest level in the 2.3.x series if you're running a 5100 series box.
  3. Replies: 4, Views: 2,028

    Re: Splitting a SmartCenter in two

    Have done a similar thing. All I used was cp_merge and everything worked fine. Didn't have any problems.

    It was a while ago when I did the migration, but from memory I think this was the...
  4. Replies: 1, Views: 2,051

    Re: Cannot change Topology

    Check your CP object, it may be defined as a host rather than a gateway. If it is a host, you can convert it to a gateway by right clicking on it and selecting convert to gateway.
  5. Replies: 2, Views: 2,145

    Re: Eventia Database location

    Awesome, thanks Ray.
  6. Replies: 2, Views: 2,145

    Eventia Database location

    Hi all,

    Has anyone had any experience moving eventia db's around? Here's a little background...

    We're building an SPLAT based eventia reporter box that will be working with a considerable...
  7. Replies: 1, Views: 2,769

    Re: Seperate Log server?

    Yes you can have a separate log server, however there are licensing issues. You could have a secondary management server or run a customer logging module (CLM) server. Both of which require the...
  8. Thread: Any CCSP here? (by Acidio), Replies: 13, Views: 6,289

    Re: Any CCSP here?

    It's not just for Europe. We're a CCSP in New Zealand.

    Biggest benefits are to be able to sell the new Collaborative support packages. Of which I understand there are 3 levels. The good thing...
  9. Replies: 1, Views: 1,322

    Re: Move DB management

    Are you trying to move the Smart Centre server to another machine? If this is the case and the new server has the same name and IP address, then an upgrade_export and upgrade_import should work...
  10. Replies: 7, Views: 3,928

    Re: How to Block Yahoo.com, Google.com?

    Smart Defense allows you to block domains - essentially blocks DNS lookups for the banned domains. Seems to work OK.

    As Northland boy has mentioned, using domain objects in the rule will most...
  11. Replies: 2, Views: 2,255

    Re: disconnected smartconsole clients

    How good is your physical connection? It could be faulty. CP clients disconnect pretty quickly if your connection drops for any reason.
  12. Replies: 4, Views: 3,905

    Re: Rotating log files on a weekly basis

    You can create a new time (scheduled event) object with the schedule you want and then specify that object in the 'Schedule log switch to' field in the logs and masters section of your gateway's...
  13. Replies: 9, Views: 2,722

    Re: SecureClient & LAN issues

    Is the IP range you're assigning to the Sec Client users routed back to your gateway?
  14. Re: Site to Site Tunnel between a NGX60 and a Nortel Connectivity

    This sounds like a similar issue we had with CP to Contivity S2S VPN. Turned out to be the CP side causing the problem. The Contivity could VPN to other CP gateways without any problem. The CP...
  15. Thread: Desktop policy (by Acidio), Replies: 8, Views: 2,045

    Re: Desktop policy

    Hi Mike,

    Yes, I agree, you'll probably end up in a political argument. Comes down to whatever your corporate security policy stipulates as acceptable.

    If however, you do need to allow access,...
  16. Replies: 3, Views: 2,192

    Re: migrate fw-1 4.0 to NG R55

    I agree with Chillyjim,

    It's better to have new hardware available and do a clean install. You will then have a known, clean install state. This is what I would do if I were in your situation. ...
  17. Replies: 2, Views: 1,468

    Re: problem with owa

    Check smart defense. There will be a protection enabled that will be causing the problem. You may have to play with a few smart defense settings - I have experienced OWA problems and changing...
  18. Replies: 10, Views: 3,586

    Re: Single Sign-on - CheckPoint or ISA?

    I agree with Ray, single sign on is a security problem. Not sure what SOX etc says about this, but compliance issues may arise from doing it - to all systems at least.
  19. Thread: S2S VPN tunnel (by Acidio), Replies: 2, Views: 1,557

    Re: S2S VPN tunnel

    Cisco to CP VPNs shouldn't pose you too much of a problem. Just keep the principle of keeping all settings the same at both ends in mind and you shouldn't have any difficulties. In my experience,...
  20. Replies: 2, Views: 1,525

    Re: Forcibly disconnect SecureClient users

    You can force users to reauthenticate after a period of time.

    You can also disconnect VPN users in SmartView Monitor (I think) This is a manual process however. I'm assuming you want an auto...
  21. Replies: 4, Views: 3,084

    Re: Securemote problems

    You could also try editing the userc.c changing the following option...

    :allow_clear_traffic_while_disconnected (false) - this is the default; change it to true and restart SecuRemote
  22. Re: Secure Platform installation without the 15 day trial license

    You shouldn't have any problems with a distributed install. There should be a trial license on both the management and gateway boxes. Have done many of these myself and haven't had a problem (yet)....
  23. Re: Transparent and Connect Mode in SecureClient R60

    Hi Yasushi,

    It's called auto connect now and can be enabled on the options tab in Sec Client settings.
  24. Re: Use NAT to translate an external IP to an internal one?

    Hi Ray,

    I did something similar a while ago. Can't remember the specifics, however if I remember correctly, I had to allow access to the NAT address in the security rules for it to work. Seems a...
  25. Replies: 11, Views: 3,084

    Re: SMTP: Blocking spoofed emails

    You could try debugging the in.smtpd and mdq processes. see the following kb article on how to do this.

    https://secureknowledge.checkpoint.com/SecureKnowledge/viewSolutionDocument.do?id=sk31990
    ...
  26. Re: Site to Site Tunnel between a NGX60 and a Nortel Connectivity

    If Chillyjim's suggestion doesn't do the job, then editing the database will be required. You can edit the CP database by using the GUIDbedit utility. Once in there, search for 'largest'. This...
  27. Re: Site to Site Tunnel between a NGX60 and a Nortel Connectivity

    Do you have more than one 172.x.x.x/24 subnet on the CP side? e.g. 172.16.0.0/24 and 172.16.1.0/24. If so, the CP box may be summarising the IPs.

    This can be disabled by editing the CP Database
  28. Replies: 8, Views: 2,139

    Re: replacing implicit rules with explicit ones

    There probably is a way, however it's most likely buried in a config file somewhere. The only other way to do it would be to define the rules manually and disable the implied rules.

    Have just...
  29. Thread: Newbi asks (by Acidio), Replies: 8, Views: 3,201

    Re: Newbi asks

    Have a look at this one from ManageEngine - might do what you want.

    http://manageengine.adventnet.com/products/firewall/index.html


    If you want decent stats out of firewall-1 you'll need a...
  30. Replies: 1, Views: 1,896

    Re: Floating Navigation Bar

    I don't specifically know about the navigation bar, but it's probably hidden away in the source files. I know most of the content in Connectra can be changed by editing the style sheets etc. I've...
  31. Thread: I'm stuck (by Acidio), Replies: 6, Views: 2,864

    Re: I'm stuck

    Hi George,

    I have changed the gateway object IP on a number of occasions and it hasn't seemed to cause any issues.

    Regarding the link selection - is your topology defined correctly on the...
  32. Replies: 8, Views: 2,139

    Re: replacing implicit rules with explicit ones

    Disabling the implied rules and explicitly defining only what is required is good security practice in my view. It does however require a good understanding of your Check Point infrastructure. Some...
  33. Replies: 1, Views: 1,552

    Re: Static NAT for mail server

    Easiest way is to create host objects for machines in your DMZ and on each object go to NAT, select the 'add automatic address translation rules' check box, translation method = static, the hide...
  34. Replies: 17, Views: 5,002

    Re: Policy server install

    The policy server components need to be installed. And then configured in smart dashboard (which you have probably done).
  35. Replies: 1, Views: 1,841

    Re: Merging policy and objects NGX R60

    When a policy is imported, it won't overwrite what is already there (assuming the policy you are importing doesn't have the same name). When the policy is imported, you can copy and paste all the...
  36. Replies: 5, Views: 1,932

    Re: Windows Management Server Replacement

    Hi Richter,

    Just re-read your original post. Upgrade_export will work. I had originally thought you were going to migrate to management server with a different IP address - hence the use of...
  37. Thread: SIC error (by Acidio), Replies: 3, Views: 5,968

    Re: SIC error

    You could try logging in as the root user and doing a sic reset from there.
  38. Replies: 5, Views: 1,932

    Re: Windows Management Server Replacement

    I would handle it this way.....

    Take copies of the old licenses, create licenses for the new mgmt server
    Export the current policy using cp_merge
    Copy the objects_5_0.C file and exported policy...
  39. Re: SecureClient must required for Office Mode VPN ?

    The R60 docs cover how to edit and what to set.
  40. Replies: 11, Views: 2,778

    Re: Configure HA for SPLAT

    Cluster XL is the technology that handles HA. You don't need to license it for failover (active/passive). If you want to do load sharing (active/active), then I think there is additional cost.
  41. Re: Problem with Site-to-Site-VPN (Checkpoint NG vs. Securepoint)

    Sounds like a similar problem to one that I had with an R60 to Nortel Contivity s2s vpn. In our situation, the VPN had been working fine for more than 18 months, and then, all of a sudden failed. ...
  42. Replies: 9, Views: 21,139

    Re: Error no.10 - When loading policy

    You could unload the policy on the gateway and then push the policy. This usually solves the problem.

    I have seen instances where for no apparent reason comms from mgmt to the GW stops. I can...
  43. Replies: 1, Views: 1,341

    Re: One FW1 two connections?

    You could look at using the ISP redundancy option. It's under the topology section of your gateway properties.

    Haven't used it myself, so I can't give you too much detail on it. However, it is...
  44. Re: SecureClient must required for Office Mode VPN ?

    Yup, SecureClient is the only option when using Office Mode. SecuRemote doesn't download any details.

    You could try editing the DNSInfo.C file (on the mgmt server I think) - can't remember if...
  45. Re: ./upgrade_import Error: This SmartCenter Server is not Primary.

    Excellent news.

    Beer is always accepted.
  46. Re: Need a version roadmap with end-of-support dates and a simplification of the prod

    Of course R55 doesn't do Connectra logging. What was I thinking - too many versions to keep up with!

    We've got an R60 CP box doing the logging which works a treat. By the way, the license key on...
  47. Replies: 3, Views: 2,314

    Re: Better searchability of SecureKnowledge

    Thanks Ray,

    Great idea. Will start using it. Not sure if my memory is quite that good though :)
  48. Replies: 3, Views: 1,559

    Re: Re-import Policy from R55 to NGX R61

    Migrating from one platform to another shouldn't cause any issues, as the Checkpoint components sit above the underlying hardware/OS. I haven't done a migration from/to your specific hardware,...
  49. Replies: 3, Views: 2,314

    Re: Better searchability of SecureKnowledge

    Yeah, I agree.

    Don't think you're missing anything. The advanced search isn't that advanced.
  50. Replies: 4, Views: 1,864

    Re: securemote authentication timeout

    It's probably not the authentication timeout that's causing the problem. When you have a user VPN connection that is still connected at midnight, the firewall doesn't seem to handle changing from...
  51. Re: Problem with Site-to-Site-VPN (Checkpoint NG vs. Securepoint)

    Yes. For traditional mode VPNs I always include the firewall(s) in the encryption domains. Might not solve this particular problem, however it's a simple change so it's worth a go.
  52. Re: Problem with Site-to-Site-VPN (Checkpoint NG vs. Securepoint)

    Do you have the firewalls listed in the encryption domains?
  53. Re: Need a version roadmap with end-of-support dates and a simplification of the prod

    Hi Ray,

    silly question, (you'll probably say been there done that) but are you logging connectra into smart view tracker? And next question, what logging is it you're referring to - traffic, OS...
  54. Replies: 11, Views: 2,778

    Re: Configure HA for SPLAT

    Yeah, that can be a little misleading.

    Historically, you needed to buy cluster xl as a product and the licenses. Now, the cluster xl technology/product (whatever you want to call it) is included....
  55. Re: Need a version roadmap with end-of-support dates and a simplification of the prod

    Interesting comments. My only knowledge of the difference between R60 and R61 is changes to management only. No changes were made to the gateway components - whatever that means. This info came...
  56. Replies: 11, Views: 2,778

    Re: Configure HA for SPLAT

    If you have access to the docs, the ClusterXL guide is a good place to start.
  57. Re: ./upgrade_import Error: This SmartCenter Server is not Primary.

    Oops, got that manual load suggestion a little wrong. You'll need to do that from the management server, so if management won't talk to the gateway via SmartDashboard, you won't be able to do a manual...
  58. Replies: 11, Views: 3,084

    Re: SMTP: Blocking spoofed emails

    Hi Yogi,

    The resource used for dropping the e-mail will have *@yourdomain in the sender field and the delivery resource will have *@yourdomain in the recipient field.

    As you mentioned, you could leave...
  59. Re: ./upgrade_import Error: This SmartCenter Server is not Primary.

    Ok, what I would do (if it's not going to cause you too many issues - ie stopping traffic) is unload the policy from the gateway, retest the SIC - it should work, then push the policy. The error you...
  60. Re: ./upgrade_import Error: This SmartCenter Server is not Primary.

    Are you able to log into your management server? If so, are you having problems pushing the policy to the gateway?

    If you're having problems pushing the policy, it may be the SIC is broken. In...
  61. Replies: 11, Views: 3,084

    Re: SMTP: Blocking spoofed emails

    Depends on your point of view really. I don't see too many issues with using the security service. The only issue you may find is additional load on the FW.

    One thing I forgot to mention. ...
  62. Replies: 1, Views: 1,818

    Re: VPN and NAT of internal rfc1918 to public

    Hi Paul,

    Yes, it should work. You'll need to ensure the encryption domains match exactly. When going CP to Cisco, the encryption domains usually cause the problem - Cisco is a lot more fussy...
  63. Replies: 12, Views: 3,430

    Re: SecureClient fails to get an IP

    Do you have desktop firewall already installed - or Windows firewall enabled? If so, disable them and see if that helps.
  64. Re: Disable port opened on CP NGX.....security server

    Have a look at the global properties, and disable all options. Then specify all specific ports you require in the policy rules.

    NB: Ensure the rule(s) you create for the services you need are...
  65. Thread: fwm logexport (by Acidio), Replies: 3, Views: 3,232

    Re: fwm logexport

    Hi Yogi,

    Yep you can use it on saved logs. In fact I think it's better to use it on saved logs because running on the live log can cause problems - especially if you have a busy firewall. I've...
  66. Re: ./upgrade_import Error: This SmartCenter Server is not Primary.

    This is a rather brute force method of roll back. When making changes to the policy, why not just save a new version of the database and policy. Much easier and doesn't require a full CP restore.
  67. Replies: 7, Views: 2,365

    Re: Site 2 site connectivity problems !

    Do you have any other site-to-site VPNs configured on the NGX box? If so, do the other encryption domains have different IP addresses than the network behind the IP40?
  68. Replies: 7, Views: 2,647

    Re: No Valid License for Firewall-1 module

    Use SmartUpdate. There's a licenses tab and also a licenses menu. Use the tab to see your installed licenses, and use the menu to add, attach, detach and delete licenses. Once the licenses are in the...
  69. Replies: 11, Views: 3,084

    Re: SMTP: Blocking spoofed emails

    Hi Yogi,

    This might not be exactly how you want to attack this problem, however here goes.

    You could implement the SMTP security service on the firewall.
    Note: This may require changes to...
  70. Replies: 2, Views: 1,665

    Re: Windows Media Player

    This is a real problem. I don't know of any way around it.

    However, I met with a Check Point guy from Israel a few months ago and made a feature request to enable Smart Defense exclusions for...
  71. Replies: 7, Views: 2,647

    Re: No Valid License for Firewall-1 module

    Did you import the license from a file? The issue sounds like a reasonably common problem where the import process only grabs one part of the license - usually due to a corruption in the license...
  72. Re: Managing VPN without VPN-1 Pro/Express Control Connections

    Hi Yasushi,

    We do exactly what you're attempting to do. Try adding the following services to a group.
    AH
    ESP
    IKE
    IKE_TCP
    IKE_NAT_Traversal
    FW_PSLogon
    FW_PSLogon_NG
  73. Replies: 3, Views: 1,432

    Re: Whats going on then ?

    What do you see in the secure client diagnostics tool - policy and log?
  74. Replies: 2, Views: 2,819

    Re: Accessing Rules using command line

    Could also try using the web visualisation tool. Produces quite a good report in html format - shows all rules, nat objects etc. Download it from the CP website
  75. Replies: 3, Views: 2,417

    Re: Guidance on Eventia reporter

    Yogi,

    Further to kva.kva's post, you can have the reporting tool installed on another machine. It doesn't have to be on the smart center server. Depending on the load on your current SC server,...
  76. Replies: 4, Views: 1,540

    Re: How to automatically disable the VPN site

    If your topology has been encrypted, then you won't see this entry.
  77. Replies: 10, Views: 2,519

    Re: Loss of traffic when pushing policy

    Also, I've seen some odd things happen when spanning tree is enabled on MLT ports. Might be worth checking this too. Nortel's recommendation is to have STP disabled on these ports.
  78. Replies: 10, Views: 2,519

    Re: Loss of traffic when pushing policy

    The 450's are quite old hardware now. Have you got the latest software loaded on these?
  79. Thread: url object (by Acidio), Replies: 3, Views: 2,327

    Re: url object

    Agreed, not a pleasant experience! Doesn't seem to matter if you have system resource to burn, still doesn't play nice.
  80. Replies: 1, Views: 3,002

    Re: Z100G, Secure Home Wi-router when?

    First time I've seen this. The Zone Labs web site has some good info for this product. Perhaps an e-mail to the team at Zone Labs may provide the answer.
  81. Replies: 4, Views: 1,540

    Re: How to automatically disable the VPN site

    You'll need to write a script that modifies the userc.c file (I'm assuming your post is referring to secure remote/client sites). Under each site in the file, there is a :disable entry. To...
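    Posts 21 and 81 above come down to the same operation: rewriting a ":key (value)" entry in the client's userc.C, either the global :allow_clear_traffic_while_disconnected setting or the :disable entry under one particular site. The Python below is an added example, not code from either post or from Check Point. It assumes userc.C follows the Check Point ".C" set-file layout (nested parenthesised sections of ":key (value)" entries, with each site listed under :gws carrying its own :name and :disable entries, and global settings under :options); the sample file is constructed for the illustration and those section names are assumptions to check against a real client's file before scripting it.

```python
import re

# Constructed sample in the Check Point ".C" set-file style. The section
# layout (:options, :gws, per-site :name and :disable) is an assumption about
# the real userc.C, not copied from a client installation.
SAMPLE_USERC = """(
\t:options (
\t\t:allow_clear_traffic_while_disconnected (false)
\t\t:auto_connect (true)
\t)
\t:gws (
\t\t: (
\t\t\t:name (vpn-hq.example.com)
\t\t\t:disable (false)
\t\t)
\t\t: (
\t\t\t:name (vpn-branch.example.com)
\t\t\t:disable (false)
\t\t)
\t)
)
"""

# One ':key (value)' entry; the value is everything up to the closing parenthesis.
_ENTRY = r":{key} \(([^)]*)\)"


def get_option(text: str, key: str) -> str:
    """Return the value of the first ':key (value)' entry in text, e.g. 'false'."""
    m = re.search(_ENTRY.format(key=re.escape(key)), text)
    if m is None:
        raise KeyError(key)
    return m.group(1)


def set_option(text: str, key: str, value: str) -> str:
    """Rewrite the first ':key (...)' entry in place; the rest of the file is untouched."""
    pattern = re.compile(_ENTRY.format(key=re.escape(key)))
    if pattern.search(text) is None:
        raise KeyError(key)
    return pattern.sub(lambda _m: f":{key} ({value})", text, count=1)


def list_sites(text: str) -> list[str]:
    """Site names, taken from the ':name (...)' entries.

    In the constructed sample only site entries carry :name; a real file may
    need a tighter match restricted to the :gws section.
    """
    return re.findall(r":name \(([^)]*)\)", text)


def _site_window(text: str, site_name: str) -> tuple[int, int]:
    """Span from a site's :name entry up to the next site's :name entry.

    That window holds this site's own :disable entry, which is enough to edit
    it without writing a full parser for the nested format.
    """
    m = re.search(r":name \(" + re.escape(site_name) + r"\)", text)
    if m is None:
        raise KeyError(f"site {site_name!r} not found")
    nxt = re.search(r":name \(", text[m.end():])
    end = m.end() + nxt.start() if nxt else len(text)
    return m.end(), end


def site_disabled(text: str, site_name: str) -> bool:
    """True when the named site's ':disable' entry is set to true."""
    start, end = _site_window(text, site_name)
    return get_option(text[start:end], "disable") == "true"


def set_site_disabled(text: str, site_name: str, disabled: bool) -> str:
    """Return a copy of text with one site's ':disable' entry set; other sites keep theirs."""
    start, end = _site_window(text, site_name)
    window = set_option(text[start:end], "disable", "true" if disabled else "false")
    return text[:start] + window + text[end:]


if __name__ == "__main__":
    # Stand-alone demo on the constructed sample: flip the global option from
    # post 21 and disable one site as post 81 describes, then show the result.
    text = set_option(SAMPLE_USERC, "allow_clear_traffic_while_disconnected", "true")
    text = set_site_disabled(text, "vpn-branch.example.com", True)
    print(text)
    print("sites:", list_sites(text))
    print("branch disabled:", site_disabled(text, "vpn-branch.example.com"))
```

    Run it without arguments to see the before/after on the sample. Against a real file, keep a copy of the original before rewriting it, and remember that, as post 21 says, the client has to be restarted before an edited setting takes effect.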
  82. Re: Upgrade from NG to NGX leads to lost of funcionalities

    If you're a Check Point partner, generate a 'quick eval' license and attach it. This will solve the issue and will enable all the other features too. It will at least give you some time to find the...
  83. Replies: 3, Views: 2,702

    Re: Backup of NG with AI (R55W) Build 346

    Hi sambols,

    There is a tool (upgrade_export) you can use to export the entire checkpoint configuration which can then be imported onto a DR machine.

    Some things to consider
    1) is your...
  84. Re: NAT/Port Forwarding after adding E-mail appliance

    There's no need to change your MX. That's a hassle.

    You can still receive mail to the public IP of the Exchange server and the firewall can redirect to your e-mail appliance. That's the beauty...
  85. Re: NAT/Port Forwarding after adding E-mail appliance

    This is a very simple thing to do.

    Firstly, your e-mail appliance needs to be configured correctly so it can forward mail to your exchange server. Without this, the appliance is not going to do...
  86. Re: Tight Secure Client & Remote / Packaging client interaction

    This is true. The best way I have found to use the packaging tool is as follows:

    1) create your package profile with all the options you want (and do not create the .exe)
    2) edit the...
  87. Re: Tight Secure Client & Remote / Packaging client interaction

    they're in the check point docs that are on the install CDs - look in the VPN Guide PDF
  88. Replies: 4, Views: 3,084

    Re: Securemote problems

    Do you have SecuRemote or SecureClient installed?
  89. Replies: 9, Views: 2,722

    Re: SecureClient & LAN issues

    Are you adding the rules under the Desktop Security tab?

    There are two sections - Inbound rules and Outbound rules. Don't forget these are rules that will be pushed to the client machine, so...
  90. Replies: 9, Views: 2,722

    Re: SecureClient & LAN issues

    Oops, should clarify....

    AllUsers@Any defines the default rules that get applied to a policy not
    AllUsers@xxx

    So to protect your users fully when on or off the network, you'll also need to...
  91. Replies: 9, Views: 2,722

    Re: SecureClient & LAN issues

    It sounds like some sort of policy is installed - somehow. What does the SecureClient diagnostics tool show?

    There is also an option you can set in the userc.c which should help...
  92. Replies: 6, Views: 4,899

    Re: FireWall allows remote "get topology" request

    Northlandboy is right. In 4.1 days, you could get a topology download without first being authenticated. A check box was available to prevent this, but as of NG the default behavior is to only...
  93. Replies: 3, Views: 1,514

    Re: Cannot reach webserver from internal network

    OK, I see what I forgot to mention. Try adding a rule that looks like this:
    src   dst            service   action   track
    any   192.168.1.80   HTTP      accept   log

    You'll need to do this since NAT occurs...
  94. Replies: 3, Views: 4,019

    Re: Site-to-Site VPN and Microsoft dce-rpc

    Hi David,

    Yes, we had an Any rule for the VPN traffic also. As soon as I added a rule above using the MS Exchange specific services we had comms. Unfortunately the DCE-RPC services don't have a...
  95. Replies: 13, Views: 9,854

    Re: VPN between Cisco and Checkpoint NG AI R55

    Maverick's advice is good. Stick with the simplified mode policy, they work. I have many site-to-site VPNs from CP to Cisco, Nortel, Watchguard etc. and all are under simplified mode policies. ...
  96. Replies: 3, Views: 4,019

    Re: Site-to-Site VPN and Microsoft dce-rpc

    Yep, I've had a similar issue.

    We had a Nortel Contivity at the remote end and a Nortel Alteon running R61 at the head office end. Had a site-to-site configured and the remote user was trying to...
  97. Replies: 11, Views: 4,049

    Re: Site-to-Site VPN trouble

    Hi David,

    Just re-read your initial post. I retract my statement regarding FWA. It must be OK if you're getting encrypted traffic out.

    I'll have to pass on this one, sounds very odd. Can't...
  98. Replies: 3, Views: 1,514

    Re: Cannot reach webserver from internal network

    I'm assuming the previous NAT method was automatic. If that was the case, the firewall automatically creates ARP entries for the public address.

    If you have disabled the automatic NAT from the...
  99. Replies: 11, Views: 4,049

    Re: Site-to-Site VPN trouble

    Sorry to take so long to get back to this David.

    I'm thinking FWB is fine. Given you have VPN's from FWA there could be a config problem there. One thing FW1 does, is summarise your encryption...
  100. Replies: 2, Views: 1,463

    Re: force hub mode on client

    You can use the Secure Client packaging tool to bundle up installs and set some options. You can also (in conjunction with the packaging tool) edit the userc.c and product.ini files.
Results 1 to 100 of 111