CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.



 


Type: Posts; User: dys152


  1. Replies
    4
    Views
    2,120

    Re: R80.20 Production and Public EA

    Hi there, out of interest, what is the version of linux ppp in the new version? Reason I ask is that in the UK, VDSL deployments support 1500 byte MTU but that needs ppp version 2.4.7 or greater?
    ...
  2. Replies
    4
    Views
    1,931

    Re: R77.20 VSX Link Aggregation

    If it isn't in the list of physical interfaces in the VSX object then you can add it manually, assuming that the bond is up and working correctly.
  3. Replies
    2
    Views
    2,418

    Re: VSX mode and bandwidth limitation

    We too have a similar issue, as of R77.20 I notice you can now use the fw samp commands in VS mode which I guess means that there is some functionality in place within the product to perform...
  4. Replies
    10
    Views
    4,160

    Re: Vulnerability on firewall itself

    Another thing to check is that if your GUI/SSH/Web client access is set to 'Any' and all the Implied rules are enabled, then you may be at risk from that too - make sure implied rules are logged!
  5. Replies
    6
    Views
    1,538

    Re: SecureXL doesn't accelerate the traffic

    What version is it? In the newer versions of VSX, most commands are VS specific so could it be that these stats are for VS0 (where most traffic is management destined to the gateway so not...
  6. Replies
    7
    Views
    1,973

    Re: RFC 4638 - Baby Jumbo Frames

    On a related note, it always used to be the case that SecureXL was automatically disabled on PPPoE interfaces anyway, not sure if this is still the case but presumably it's because of the additional...
  7. Re: Physical system and VSX "virtual system shows two different IP address.

    I believe this issue was introduced in R75.40VS and fixed in R77.20, we used to run R65/R67 and never had this then and I notice in the resolved issues for R77.20, this is now fixed. See Sk102177.
  8. Replies
    0
    Views
    1,399

    CPSB-DMNVSX licenses for VSX cluster

    Hi there,

    So we have a current VSX cluster managed from Provider-1/MLM (on R75.40VS) with NGX licensing plus the Blade enabler licenses.

    We are deploying a new HA pair of 4600 appliances with...
  9. Replies
    10
    Views
    9,996

    Re: Splat, bonded interfaces and VLANs

    Just to add (though this might well not be the problem) but if you are doing load balancing based on MAC and all the external traffic is coming from one MAC (e.g. the router) and then going to a...
  10. Replies
    10
    Views
    9,996

    Re: Splat, bonded interfaces and VLANs

    You need to change the port-channel load-balancing algorithm in global config mode, however this is switch model dependent, for example:

    From a Catalyst 3750G:
    Switch(config)#port-channel...
  11. Replies
    5
    Views
    3,505

    World IPv6 day - June 8th!

    Am hoping Checkpoint will get their IPv6 act together in response to this! Would be nice to have 6to4 NAT to be able to quickly enable customer websites to be available on IPv6 and VSX IPv6 support,...
  12. Replies
    15
    Views
    8,426

    Re: State of ipv6 in Check Point products

    Agree with the above, the majority of large ISPs are now IPv6 enabled. We now have potential customers asking for IPv6 support at the proposal stage, so find it hard to recommend Checkpoint when they...
  13. Replies
    5
    Views
    1,868

    Re: VPN and SecureXL

    We had exactly the same (on R70.1 and seen it on VSX R65) but only when SecureXL and NAT on a VPN was used (ie we were NATting through the VPN). Basically we saw existing connections getting dropped...
  14. Re: R71 - antivirus only detect viruses, secureXL license

    The CPMP-PPK-1-NGX string gets added to all the other blade licensing so it's not an NGX license, full string is:

    "CPSG-C-1-50-HA CPSB-FW-HA CPSG-U CPSM-C-2 CPEP-SA-5 CPMP-PPK-1-NGX CPSB-VPN-HA...
  15. Re: R71 - antivirus only detect viruses, secureXL license

    To get SecureXL to work, you just need to regenerate your licenses in the User Center, it now adds a "CPMP-PPK-1-NGX" string which allows us to run performance pack, also works in R70.1 :)
  16. Replies
    19
    Views
    6,746

    Re: vpn dropped shortly after policy push

    We have a similar issue (not necessarily the same) and have managed to isolate the problem to it being SecureXL AND Static NAT for objects on our side of the VPN, do you have both these enabled in...
  17. Thread: R71 availability

    by dys152
    Replies
    30
    Views
    8,298

    R71 availability

    Anyone know when R71 is available for download?

    According to Checkpoint it is available for "immediately"!

    UTM-1 Appliance Performance Boost

    According to this link it appears it adds...
  18. Re: Losing SecureXL and clustering in conversion to blade licensing?

    Thanks for the replies, what is the best way to contact account services? I googled it and have filled a web based form in, is that the best way?
  19. Losing SecureXL and clustering in conversion to blade licensing?

    Hi there,

    We're currently having an issue with converting some (very) old licenses to blade licensing. We have raised it with our reseller in December and keep prodding them but they are saying...
  20. Replies
    304
    Views
    135,770

    Re: R70 "Free Upgrade" Check Point Promo Discussion

    Hi there,

    Apologies for the slight thread hijacking but I thought it is still relevant...

    We're currently having an issue with converting some (very) old licenses to blade licensing. We have...
  21. Replies
    1
    Views
    1,911

    IPv6 support in VSX

    Hi there,

    Anybody have any insider insight as to when VSX will add support for IPv6? Currently, Checkpoint state that R65 doesn't support it.

    Cheers,

    John
  22. Replies
    14
    Views
    3,880

    Re: VSX NGX R65 HFA_10 available for EA

    Anyone dared to apply this yet?!
  23. Replies
    4
    Views
    2,302

    Re: reading FW-policy from the node?

    You can get most stuff back with ofiller:

    http://www.cpug.org/check_point_resources/ofiller_v2.4.tgz

    Check out the tutorial PDF doc contained with it, specifically section 9:

    "Recovering...
  24. Thread: R70.1 available

    by dys152
    Replies
    26
    Views
    6,501

    Re: R70.1 available

    And it finally supports SPLAT link aggregation!!!!
  25. Replies
    4
    Views
    2,185

    Re: Blocking country/geo region

    You can generate a list of netblocks for a country at this link

    How accurate they are is another question :)
  26. Replies
    7
    Views
    1,787

    Re: Experience with SUN Hardware?

    Forgot to say, there are no HFA's for 2.6 - definitely don't install the normal R65 HFA's on R65 2.6!
  27. Replies
    7
    Views
    1,787

    Re: Experience with SUN Hardware?

    Hi there, it's the one detailed in SK35556 "Kernel reads the information from the RPC table incorrectly and subsequently crashes", you need to request the hotfix from your Checkpoint support contact,...
  28. Replies
    7
    Views
    1,787

    Re: Experience with SUN Hardware?

    We run a lot of X4200 M2's and SPLAT 2.6 (for around a year) and have had no problems since we applied patches to sort out the reboots from RPC traffic traversing the firewall.
  29. Replies
    5
    Views
    1,798

    Re: VSX + SmartCenter, not P1

    Hi there, Yes we also do this successfully (on R65). One thing to bear in mind with using Smartcenter is that the license agreement says that you are not allowed to resell the VSX instances to...
  30. Replies
    5
    Views
    2,059

    Re: Move to Provider-1

    Another thing to remember is that if it's R65 you also need a copy of the /opt/CPshrd-R65/registry directory for the import to succeed.
  31. Replies
    2
    Views
    1,603

    Link aggregation in R70

    Hi there,

    Has anybody had a chance to see if active/active link aggregation is supported in R70 yet? I know it was supported in R65 in failover mode but was wondering if they had improved on this?...
  32. Re: URGENT HELP!!!!! Asymmetric route not working after upgrading gateway to NGx R65

    Hi there, you seeing anything in the logs at all to indicate why it's not working? I have done a similar thing before as a temporary workaround with dual homed Linux boxes before but have always used...
  33. Replies
    8
    Views
    2,210

    Re: VSX NGX R65 versions - how many CP has?

    Have PM'd you
  34. Replies
    8
    Views
    2,210

    Re: VSX NGX R65 versions - how many CP has?

    Hi there, we are also running VSX R65 on Sun X4200 M2's:

    Linux xxxxxxxx 2.4.21-21cpsmp #1 SMP Thu Feb 14 22:26:21 IST 2008 i686 athlon i386 GNU/Linux
    This is Check Point VPN-1 VSX NGX R65, Hotfix...
  35. Replies
    5
    Views
    2,953

    Re: SPLAT interface numbering

    We have a number of X4200 M2's running 2.6 SPLAT with the Sun (ie Intel) quad PCI Express cards. We experienced quite bad instability with random reboots, took us a while to figure out they were...
  36. Replies
    4
    Views
    1,753

    Re: Help, can't install policy on vsx

    Presume it says "Cant connect on TCP port 18191", this means your Smartcenter can't connect to the actual VSX machine on port 18191 which is the port used to push policy I believe. Do you have another...
  37. Replies
    17
    Views
    4,840

    Re: Provider-1 NGx R65 and licensing issue

    Just an update on this. One thing that I forgot to mention was that we are managing an R65 VSX from the Provider-1. It turns out that the issue was with the R65 VSX management plug in, it's not...
  38. Replies
    17
    Views
    4,840

    Re: Provider-1 NGx R65 and licensing issue

    Thanks for the reply, will get round to sorting it tomorrow. Glad to know it's not me being an idiot :)

    Will keep you posted.

    Jon
  39. Replies
    17
    Views
    4,840

    Re: Provider-1 NGx R65 and licensing issue

    Hi guys,

    Am new to Provider-1 (have been working with Checkpoint for years though) and we're having a few teething troubles with a new system. Will be raising an official support call on Monday...
  40. Replies
    3
    Views
    1,222

    Re: urgent help with splat install

    Hi, we had a similar issue with Sun X4200 M2's with four quad intel cards in, it worked with 3 cards but not 4. Turned out to be a BIOS bug and all worked fine after we upgraded the BIOS on the...
  41. Replies
    6
    Views
    3,137

    Re: NGx R65 with 2.6 kernel on Sun 4200-M2

    Hey, only two of the onboard NICs are supported, eth0 and eth1 are Nvidia based and aren't supported, eth2 and eth3 are Intel based and are supported, strange eh! See this:

    Check Point...
  42. Replies
    2
    Views
    1,835

    Provider-1 MLM hardware recommendations

    Hi guys, we are about to purchase Provider-1 by trading in various licenses so that we end up with

    1 x 10 CMA MDS
    1 x 10 MLM
    plus VSX CMA addons and an HA VSX installation

    Following on from...
  43. Replies
    0
    Views
    1,457

    Multicast routing

    Hi there, I am having trouble with a Nokia IP120 firewall running IPSO 3.8.1-BUILD048 and Checkpoint NG (for IPSO 3.8) R55 HFA_09. The problem I am having is that when I try and join a multicast...
  44. Thread: Which switch?

    by dys152
    Replies
    5
    Views
    1,733

    Re: Which switch?

    Hi there, buying Cisco is like buying IBM in the old days, nobody ever got sacked for buying it! High end Cisco kit is good and pretty reliable but you pay for that as well. We are starting to shift...
  45. Thread: fwaccel diag

    by dys152
    Replies
    1
    Views
    3,021

    Re: fwaccel diag

    I think you are looking for "fwaccel stat", gives output like the following:

    Accelerator Status : on
    Templates : disabled by FireWall-1 starting from rule #17
    Accelerator Features : Accounting,...
  46. Replies
    12
    Views
    5,443

    Re: [Help] How to reimage IP130

    Yes you can use another system's drive. I used an IP330's to image my own IP120's disk.
  47. Replies
    0
    Views
    1,871

    ClusterXL 'ready' state

    Hi there, need some advice please. We have an R61 ClusterXL running on Solaris 9 with HFA_01 that is exhibiting some strange behaviour. Periodically one of the members goes to the state 'Ready', not...
  48. Replies
    2
    Views
    2,694

    Re: Installing on Solaris T2000 fail - R60 + R65

    Hi there, I always use this, works a treat:

    mount -F hsfs -o ro `lofiadm -a /var/tmp/checkpoint.iso` /mnt

    Just make an ISO of the CD/DVD and copy it on then it uses loopback adm to mount the...
  49. Replies
    4
    Views
    2,676

    Re: Logexport randomises fields?

    We had this problem, not in work at the moment so can't give exact details but there is an article on Secureknowledge covering this. You have to create a file that determines the order of the fields...
  50. Replies
    0
    Views
    1,117

    Sun X4200 servers

    Hi there, does anybody else here run SPLAT on X4200's (or other similar Sun servers)? We are running it on a number of systems (R61) and it works very well, the only problem we have is monitoring the...
  51. Thread: Nokia IP120

    by dys152
    Replies
    3
    Views
    3,088

    Re: Nokia IP120

    Right thanks for the help guys, I've now got a new 20 gig hard disk for the thing and I put Monowall on it and that boots fine so I know the unit is working. Now I've got the bootloader file and ipso...
  52. Thread: Nokia IP120

    by dys152
    Replies
    3
    Views
    3,088

    Re: Nokia IP120

    Thanks for the reply, that's kind of what I wanted to hear, gives me something to play around with then :)
  53. Thread: Nokia IP120

    by dys152
    Replies
    3
    Views
    3,088

    Nokia IP120

    Hi there,

    Right I've bought a cheap Nokia IP120 off ebay for playing around with but have found out it has a dead hard disk (or possibly is completely dead!). When I power it up with the console...
Results 1 to 53 of 53