CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.


Tim Hall has done it again! He has just released the 2nd edition of "Max Power".
Rather than get into details here, I urge you to check out this announcement post.
It's a massive upgrade, and well worth checking out. -E

 

Search:

Type: Posts; User: EricAnderson

Page 1 of 4 1 2 3 4

Search: Search took 0.01 seconds.

  1. Thread: CP1500

    by EricAnderson
    Replies
    6
    Views
    357

    Re: CP1500

    Yes, definitely a good forward move - newer hardware/performance/version (anyone else notice the USB-C console port?).

    I'd still love to see these move to a more standard GW code base, while...
  2. Replies
    3
    Views
    413

    Re: Problem running Log Exporter

    Are you in CLISH or bash/expert? "cp_log_export" is not a CLISH command and needs to be executed from "expert" mode (bash).

    Seems like I just gave a similar reply a few weeks ago ;)


    -E
  3. Re: Grep won't apply when running fw ctl zdebug + drop

    Don't take this the wrong way, but are you sure you're in export mode (bash)?

    "fw" commands will work from clish, but grep won't.

    -E
  4. Replies
    4
    Views
    330

    Re: Web Server Error

    Also verify that both GW's are configured identically - especially as far as routing. Symptoms almost sound like secondary is unable to route packets properly.

    This can be avoided by a...
  5. Replies
    6
    Views
    800

    Re: Advanced Upgrade to R80.30

    Glad we could help :)

    -E
  6. Replies
    6
    Views
    800

    Re: Advanced Upgrade to R80.30

    I'm not sure what you downloaded, but grab the file from the link I gave (again here). Extract that to a folder and run the pre_upgrade_verifier directly from there.

    -E
  7. Replies
    6
    Views
    800

    Re: Advanced Upgrade to R80.30

    Exactly as Tim said. To expand a bit...

    - The command you found is specific to Multi Domain Server (MDS), a much bigger and more complex beast.
    - If you downloaded the correct package, the...
  8. Replies
    3
    Views
    1,900

    Re: GAIA PORTAL WHITE PAGE

    Try the original/older fix...paste this into expert/bash CLI:
    cp /web/htdocs2/js/login.js /web/htdocs2/js/login.js.orig; sed -i 's/if( form.isValid() ){/if( form.isValid()...
  9. Replies
    2
    Views
    1,990

    Re: CCSA R80.10 Student and Lab Manual

    Unfortunately, no. For better or worse, CP has protected the documents and restricted permissions.

    We can discuss reasons/merits, but I will preemptively warn that any posting of copy-written...
  10. Re: VRRP works on which checkpoint version

    Wow - you guys decided to dive right in to the specific use cases, where I just left it at "granularity/control" ;)

    To add to the specific reasons above, one of the cool "old school" uses was to...
  11. Re: VRRP works on which checkpoint version

    VRRP was introduced in GAIA (which was introduced in R75.40).

    One of the primary reasons for the introduction of GAIA was to consolidate/replacement both SPLAT and IPSO. The goal was to offer all...
  12. Re: First time configuration wizard hanged up

    What browser? Have you tried another?

    -E
  13. Replies
    6
    Views
    1,023

    Re: New install CP Management Server R80.10

    First 2 thoughts:
    - Did you install it as a "standalone" with both management and gateway? If so, try "fw unloadlocal".
    - Are you sure it's done loading/booting? The database in R80.x takes quite...
  14. Replies
    6
    Views
    1,157

    Re: WebUI for FCW not opened

    Or just paste the following into an expert/bash shell of any Gaia device. It fixes the javascript code:

    cp /web/htdocs2/js/login.js /web/htdocs2/js/login.js.orig; sed -i 's/if( form.isValid()...
  15. Replies
    8
    Views
    1,864

    Re: Antispoofing adding static route

    If only I had a nickle for every hour I've spent explaining/teaching anti-spoofing...it's quite capable and simple (once understood), but far from intuitive.

    mdjmcnally is correct, but I'll take a...
  16. Replies
    5
    Views
    1,820

    Re: install R77.30 on Open Server

    Yup (and I don't often say that...I usually stick with "it should").

    For reference, the SK was 122612.

    -E
  17. Replies
    5
    Views
    1,820

    Re: install R77.30 on Open Server

    ^ Beat me to it ^

    Definite case where setting the date correctly will kill it. Notoriously unhelpful failure message, but at least an easy fix (apply newer HFA and re-sign CA).

    -E
  18. Replies
    1
    Views
    566

    Re: Where to get 80.10 trial version?

    New installs are granted a 15-day "trial mode" which allows all features.

    You can find the latest Management release (R80.20.M1) here.

    And the latest gateway-supported version (R80.10) here.
    ...
  19. Replies
    0
    Views
    758

    CPX "mini" in NYC?

    Anyone attending this week's "mini" CPX event in New York City? If so, stop by the Netanium / Atlantic Data Security table and say "hi".

    For anyone who wasn't aware, there's more info here.

    If...
  20. Replies
    13
    Views
    2,883

    Re: unable to use clish

    Understood, and completely valid. I didn't mean to imply otherwise.

    My preferred solution is to create a separate account (i like to use "adminbash") that defaults to /bin/bash. For a larger...
  21. Replies
    13
    Views
    2,883

    Re: unable to use clish

    So, you were trying to go from clish >to> bash >to> clish? Definite no-go.

    However, if your default shell is bash, you can launch clish as a secondary shell. Very common/useful for those who...
  22. Replies
    13
    Views
    2,883

    Re: unable to use clish

    I remember there be something about clish lock files in /tmp. Are there files in there? Try deleting (or temporarily moving them elsewhere).

    -E
  23. Replies
    3
    Views
    747

    Re: Disable NAT rules using Script

    Can we assume you're on R7x? I believe the syntax you're looking for with dbedit is "rule_adtr"...

    modify fw_policies ##Standard rule_adtr:3:disabled true


    If you were running R80.x this...
  24. Thread: Dual NAT

    by EricAnderson
    Replies
    6
    Views
    1,420

    Re: Dual NAT

    The problem is with this statement:



    How do you know you need something if you don't know what it is? If you could explain why you think you need it we may be able to help.

    -E
  25. Replies
    1
    Views
    915

    Re: De-Introduction _ LAF

    Best wishes, and we look forward to your return.

    -E
  26. 2018 CPUG Challenge and the return of CPUGcon!

    2018 promises to be a big year for CPUG, especially with the return of CPUGcon (but more on that later).

    For those attending CPX360 this week (Feb 6-8) in Las Vegas, make sure to stop by the...
  27. Replies
    12
    Views
    2,191

    Re: Anyone attending CPX360 2018?

    So...who else is in (or coming to) Vegas?

    -E
  28. Replies
    2
    Views
    910

    Re: The Old Guard at CPX360 Barcelona

    Great meeting you too, Bhav! I always enjoy it when community members come say "hi".

    To everyone coming to Vegas, make sure and stop by the Infinity Scavenger Hunt booth, and attend the sessions...
  29. Replies
    12
    Views
    2,191

    Re: Anyone attending CPX360 2018?

    LOL...I'll stick with Phil Collins.

    Here's on e a bit more recent (like a few hours). See if you can identify the others. Hint: we're all members here.

    -E

    1360

    Photo credit/blame: Toni...
  30. Replies
    12
    Views
    2,191

    Re: Anyone attending CPX360 2018?

    I will be in Barca and Vegas as well.

    More info will be posted soon (this weekend?) on this year's CPUG Challenge. For know, I'll let everyone know that I'll be hanging out quite a bit with...
  31. Replies
    6
    Views
    841

    Re: Something weird with VPN

    I would try this, in hopes of forcing things a bit:
    - Remove VPN option (uncheck box) on cluster and remote GW (will have to remove both from community first)
    - Install policy to both
    - Re-enable...
  32. Re: Intel CPU kernel bug FAQ: Fix for massive security flaw could slow down PCs and M

    Agreed. As incorrect as it may be, Check Point often seems to refer to "open server" as another form of "Check Point appliance". Maybe they see an open server install as assimilating the device,...
  33. Replies
    5
    Views
    4,743

    Re: CCSM exam materials

    What Tim said.

    I still have a few hardcopies that I can heavily discount. However, depending on where you are, shipping may make the e-kit more affordable. Let me know if you're interested.

    -E
  34. Replies
    9
    Views
    3,111

    Re: Hide NAT Address Range

    Correct, IP Pool NAT is not the same thing. Historically, prior to Office Mode, IP Pool NAT was commonly employed for remote users - giving each one's inbound traffic a unique source IP address from...
  35. Re: Intel CPU kernel bug FAQ: Fix for massive security flaw could slow down PCs and M

    Please don't read this as an argument that this shouldn't be a concern. Rather, it's just the perspective of an optimist interested in avoiding unnecessary knee-jerk reactions...

    While I won't...
  36. Re: Goodbye Check Point, hello Guardicore, wish me luck, etc

    Godspeed, Val, and good luck with the new gig.

    -E
  37. Re: Blink - Full gateway installation in 5 minutes

    Very cool! Looking forward to playing...

    -E
  38. Re: Migrate Cluster 77.30 appliance to new 80.10 cluster applliance (Replace)

    Contrary to CP marketing/sales/support, it is entirely possible to add any model of appliance to the cluster, the issue is one of cores (it wouldn't be possible to sync 8 fw kernels onto a box with...
  39. Replies
    25
    Views
    7,190

    Re: R80.10 in VMware

    I hear you, and understand the restrictions (and resulting frustrations). I like the idea of a network-based config as well, and it may even be possible in one way or another with hacks to...
  40. Replies
    25
    Views
    7,190

    Re: R80.10 in VMware

    One word: ISOmorphic

    If I understand you correctly, it should do most (if not all) of what you're looking for. Check SK65205

    While I hate to have to kick people over to SK, since the tool can...
  41. Replies
    25
    Views
    7,190

    Re: R80.10 in VMware

    config_system still works, and can actually be quite powerful when used properly ;)

    -E
  42. Free, EARLY Star Wars: Last Jedi screening

    Located in Boston (MA - 12/14), Buffalo (NY - 12/14), or Rochester (NY - 12/15) areas? Want to see the new Star Wars flick before everyone else - for free?

    While not officially a CPUG event, I've...
  43. Replies
    0
    Views
    1,103

    Sale on certification exams

    In case you'd missed it, Check Point has entered the "Cyber MondayWeek" craze with a 25% discount on certification exams. The code (which is "Cyber Monday") is supposed to be good on CCSA, CCSE, and...
  44. Re: All Objects and Categories disappeared from Objects tab

    Since we're stuck anyway, and have a backup (sort of), how about just deleting the offending object it with GUIdbedit? Still works in R80.x as well.

    -E
  45. Re: All Objects and Categories disappeared from Objects tab

    Upon further reflection, I'd definitely give this a shot. If there had been corruption prior to the backup, the corruption would be included in the backup and restore. Export/import does more of a...
  46. Re: All Objects and Categories disappeared from Objects tab

    I have come across cases of R80.x database "corruption". In one memorable instance, any click to enable "HTTPS Inspection" on any gateway would crash SmartConsole.

    One possible workaround (which...
  47. Re: Upgraded from 75.40VS to 77.30 - ARP Issues

    This is a pretty well-documented concept (see sk30197, and the information you've provided is a bit limited.

    A few basic questions/ideas:

    Was your previous setup SPLAT or Gaia?

    Did you...
  48. Re: R80.10 Security Management get interfaces error from Dashboard

    This is expected. _Dedicated_ management servers don't enforce policy, and therefore don't _need_ "topology" defined. It can't be "fetched" because they don't have the same components that gateways...
  49. Replies
    13
    Views
    3,369

    Re: Not responding to arp-who-has

    If the Automatic Hide NAT is fine, and you're seeing the outbound Static's being NATed properly, but not getting replies, then yes, this seems to be an ARP issue, and yes, ClusterXL is a very likely...
  50. Replies
    13
    Views
    3,369

    Re: Not responding to arp-who-has

    But if the Static NAT rules come before the Hide NAT (which they will if they're all Automatic), then even the outbound connections will be source-NATed as coming from their public address. If ARP...
  51. Re: Smart Console 'Unable the connect server'

    One thing to keep in mind is that R8x management servers take considerably longer than prior versions to initialize/boot, especially on under-powered systems. How much RAM does this system have?
    ...
  52. Replies
    2
    Views
    3,662

    Re: Smartlog slow to return results

    I think the first question you'll get from most is about the hardware specs. Yes, SmartLog can be very fast to return results, even with your numbers. However, running on under-powered gear can...
  53. Re: Trying to extract but it does not look like its working

    Are you positive the file is intact? Did you maybe transfer it via non-binary FTP?

    Maybe try gunzip, just to see if you get a .tar as a result? (should just be "gunzip [filename]")

    You can...
  54. Replies
    9
    Views
    2,933

    Re: Eliminate non-UTF-8 encoded chars

    Did this recently with a client. SK111111 details the grep command that will find the "offending" characters.

    I believe the "sem" files are the database copies used by SmartEvent. Just made the...
  55. Re: Upgrade from R77.30 JHFA 216 to R80.10 not working

    Thanks, Ofer, and you're welcome. Always happy to help further the cause!

    -E
  56. Re: Migrate policy from r77.30 to r80 management

    That's a great and timely question, that unfortunately has many possible answers - none of which are perfect in every case.

    I'll give a quick nod to odumper. It's quick and efficient, but dated...
  57. Replies
    3
    Views
    6,122

    Re: ISOmorphic download

    Anyone with a support account on Check Point's site.

    I'm not sure what access/contract level is required, but you can find the file here.

    It's inappropriate/illegal to distribute Check Point...
  58. Re: InfoView does not work on Windows 10 or 2012

    This has been mentioned multiple times in this thread, but I'll try to expand/clarify...

    The WebUI and CLI are used to access/configure the operating system. In most cases (nowadays), you're...
  59. Re: InfoView does not work on Windows 10 or 2012

    Well, you're finally getting very close. :)

    What the above tells you is that the current software (as opposed to operating system) administrative account is "fwadmin". That is what you should be...
  60. Re: InfoView does not work on Windows 10 or 2012

    First, this thread has gotten waaay off-topic. Please create a new thread (or threads) for questions that are unrelated to infoview.

    Second, many of the questions you've been asking would be...
  61. Re: Connectivity with VPN service is lost - Checkpoint

    First, welcome to the community!

    Second, you're using a pretty dated version of the remote access client. Is there a reason? Have you tried a newer client?


    While it's a rather...
  62. Re: InfoView does not work on Windows 10 or 2012

    You need to remember that the Gaia operating system is separate from the Check Point software. The accounts used to log into the CLI and WebUI (to administer the OS) are not necessarily the same...
  63. Re: InfoView does not work on Windows 10 or 2012

    Another simple oldie-but-goodie trick is to use cpconfig.

    Simply type cpconfig from the CLI (either clish or bash/expert) and observe the menu options available.
    - If there are options for...
  64. Re: InfoView does not work on Windows 10 or 2012

    ** Please don't just re-post what was in the original request.

    That said, are you positive you're running the latest version? I've just re-downloaded and installed/ran fine on Win10. ...
  65. Re: "ERR_CONNECTION_REFUSED" error is displayed in web browser when connecting to Gai

    First question I like to ask: What do the logs tell you?

    I instill in my students that the logs can often save you from a bunch of fruitless troubleshooting. Especially for the beginner, they're...
  66. Re: Can someone explain the sub-section and Inline layer concept with CP R80.10

    Good to hear. Thanks for the confirmation!

    -E
  67. Re: Upgrade from R77.30 JHFA 216 to R80.10 not working

    Yes, basically WebUI = CPUSE (now). The "old" method is now called "Legacy" in the WebUI. No? Just make sure CPUSE has been updated (SK in prior post).



    Ran into [what may be] a similar...
  68. Re: Upgrade from R77.30 JHFA 216 to R80.10 not working

    Maybe it's just me, but from the statement you boldly quoted, I would assume that if R80 to R80.10 requires CPUSE, then older versions can't do it any other way either. The only mentions of R7x SMS...
  69. Re: Weird issue faced while moving/migrating management server

    No idea what happened, but as I read through the steps you performed I was waiting for the mention of "migrate export/import". That is by far the way I would recommend for migrating a management...
  70. Re: Upgrade from R77.30 JHFA 216 to R80.10 not working

    Just to add to the confusion...

    - I built a new/clean MDS with R77.30
    - I did not create any CMA's
    - I mounted R80.10 ISO
    - I ran linux/p1_install/mds_setup script
    - I got the exact same...
  71. Re: Upgrade from R77.30 JHFA 216 to R80.10 not working

    Woooah...I don't "agree" with the logic either (if it's even true). I'm not trying to excuse CP for not accommodating an empty SMS, but figure out how it could have been missed (if it even has...
  72. Thread: tacacs

    by EricAnderson
    Replies
    2
    Views
    1,043

    Re: tacacs

    Just to cover our bases, if you're referring to adding them within SmartConsole (instead of Gaia), you'll both object types under:
    More, Server, More...

    -E

    1312
  73. Re: Upgrade from R77.30 JHFA 216 to R80.10 not working

    While I agree that this should work, it's at least possible that it won't due to the somewhat illogical/unrealistic scenario. In production, either an existing MDS would have at least one CMA, or,...
  74. Re: Upgrade from R77.30 JHFA 216 to R80.10 not working

    I have a bit more of a fundamental question: Why are you using EA release? 394 was pretty late in the process, but I'm pretty sure there were MDS limitations with some EA releases (can't find...
  75. Re: R77.30 First time Configuration wizard is stuck in VMware workstation

    Glad to hear it! Don't underestimate the "hunger" of R80 management ;)



    Forget that book - it's trash (just kidding!)

    Actually, Tim is known (rather well) around here as ShadowPeak. You'll...
  76. Re: Can someone explain the sub-section and Inline layer concept with CP R80.10

    LOL. If I didn't know him personally, I'd seriously wonder if he was a "bot".



    We've been installing R80 for management for new customers for about a year. That was driven primarily by not...
  77. Re: Can someone explain the sub-section and Inline layer concept with CP R80.10

    But...after a few years, aren't you supposed to trade your spouse in for a newer model? ;)
    (not that she'll read this, but I'm actually happily married for many years, and not shopping)

    I...
  78. Re: Can someone explain the sub-section and Inline layer concept with CP R80.10

    What, me? Verbose? Never. I'm also never sarcastic (or use parentheses).

    I'll definitely admit that I can ramble on a bit, especially when I get passionate and excited about something (there...
  79. Re: R77.30 First time Configuration wizard is stuck in VMware workstation

    What browser are you using? I've definitely seen similar issues, and I seem to remember resolving with a different browser (usually Chrome).

    -E
  80. Re: Can someone explain the sub-section and Inline layer concept with CP R80.10

    Let me just take this opportunity to clarify a few things that I've seen a bit of confusion over...

    Layers are not a new thing, not even to Check Point - what's new is calling them "Layers". In...
  81. Re: Can someone explain the sub-section and Inline layer concept with CP R80.10

    A couple of quick notes...
    - As Phoneboy indicated, the action of Rule 5 would not be Accept or Drop, but rather to fire the "blason's Approved Apps" layer (or whatever name you give it)
    - Access...
  82. Replies
    12
    Views
    2,706

    Re: R80.10 performance on standalone 4200

    In response to the OP, while 4200's can run standalone (pre-R80), it's never really been an ideal situation.

    All of the performance specs given for any gateway devices are based on them being run...
  83. Replies
    12
    Views
    2,706

    Re: R80.10 performance on standalone 4200

    I spite of cciecec2006 venting his frustrations (understandable as they may be), let me welcome you, Gilad.

    While some may take your presence here as an opportunity to vent frustrations , I'd like...
  84. Replies
    2
    Views
    869

    Re: Localy manage GW and 2 factor VPN

    There are plenty of third-party solutions, all with different methods and requirements. Most don't actually require AD, but integrate with it, so that users don't have to be maintained in multiple...
  85. Re: VPN Remote User with timeouts and low performance

    Sounds like you've got "Hub Mode" enabled (under Gateway properties, VPN Clients, Remote Access). This allows clients to route all traffic (including Internet-bound) through the VPN. The reason...
  86. Re: After upgrading to R80.10 lost access to ssh and web UI

    Another thought: Has anyone seen this problem on a management server, or just gateways? (hopefully obvious implications)

    -E
  87. Re: After upgrading to R80.10 lost access to ssh and web UI

    Hmmm...good info. Only thing you left out is whether you see anything in logs and/or [the much maligned] "fw monitor". Since the traffic is reaching the box (as seen in tcpdump), either the...
  88. Replies
    2
    Views
    2,506

    Re: smartlog is not active

    You need to enable "Log Indexing" in the Log settings of the Management Server object.

    Don't forget to Install Database after (or just install a policy if you'd prefer).

    -E
  89. Re: After upgrading to R80.10 lost access to ssh and web UI

    Shouldn't be any difference in WebUI/CLI access after upgrade...as long as everything else is the same. What was the upgrade method? Are routes intact? Can you ping the client machine from the CLI...
  90. Re: After upgrading to R80.10 lost access to ssh and web UI

    First, welcome to the community.

    Second, check your "Platform Portal" setting on the cluster object in SmartConsole. By default, the Main URL should be https://main_IP_address/. This binds SSL...
  91. Replies
    2
    Views
    1,295

    Re: Residual CCSE/CCSM Courseware For Sale

    Get 'em while you can, people. They'll be "collector's items" very soon, since CP doesn't produce printed books any more.

    -E
  92. Replies
    4
    Views
    1,959

    Re: checkpoint policy error

    Unfortunately, it means exactly what it says. The "HA" appliance was discounted as part of an HA pair, and its license doesn't permit it to run on its own.

    I'd suggest talking to your reseller...
  93. Re: r80.10 stand alone 3200 sending 10 DNS requests per SECOND on its own

    A few ideas/thoughts:
    - What is the the gateway (via GAiA) set to use for DNS? Is should be internal, or maybe ISP DNS server, but not 4.2.2.2 or 8.8.8.8 (except maybe as a tertiary).
    - What do...
  94. Replies
    4
    Views
    2,272

    Re: Barry Stiefel - RIP

    Yes, I have heard as well. I was waiting until I had more details before posting here, but there's very little concrete info.

    For now, I'll leave it at this:


    Barry, thanks for everything you...
  95. Replies
    17
    Views
    3,259

    Re: R80.10 release on the way?

    LOL. "Can you feel it, coming in the air tonight..."

    That picture is outside of the "after party" - illuminated (of course) in "Check Point Pink". You should have seen it inside.

    -E
  96. Replies
    17
    Views
    3,259

    Re: R80.10 release on the way?

    As requested...
    1265

    -E
  97. Replies
    17
    Views
    3,259

    Re: R80.10 release on the way?

    LOL. I'm done talking/guessing/asking/answering about ETA's for a while - this one took too much out of me. ;)

    -E
  98. Replies
    17
    Views
    3,259

    Re: R80.10 release on the way?

    Ask and you shall receive...

    12621263

    Ready for business!

    1264


    -E
  99. Replies
    17
    Views
    3,259

    Re: R80.10 release on the way?

    Yep - looks like I got good intel this time ;)

    -E
  100. Replies
    17
    Views
    3,259

    R80.10 release on the way?

    I know, we've already heard this too many times to count. But, I have it from a trusted source (here at CPX in Milan), that tomorrow is the day for R80.10 GA.

    We'll see... [holding breath]

    -E
Results 1 to 100 of 349
Page 1 of 4 1 2 3 4