CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.



Type: Posts; User: iku899


  1. Re: Https inspection interferes into traffic which is bypassed

    Definitely the solution I would like to have. The reality will be simple cisco for a fraction of price. But I think I finally understand that one checkpoint gateway is not suitable for environment...
  2. Re: Https inspection interferes into traffic which is bypassed

    Probe bypass was already switched on. As I wrote in first message I hoped that I would be able to completely disable inspection by not using inspectors of traffic.

    Situation is:
    - I want to...
  3. Re: Https inspection interferes into traffic which is bypassed

    Yes it is at the top and it was sent to gateway. My feeling is that in spite of all bypass rules, even the simple fact of switching the inspection on has some side effects.

    Tomorrow I will try...
  4. Re: Https inspection interferes into traffic which is bypassed

    Sorry, bad explanation of situation from me.

    I have also this bypass rule in action:
    source: GRP_BypassInspection => destination: Internet, services: https and https_proxy, action bypass.
    ...
  5. Https inspection interferes into traffic which is bypassed

    Hello,
    Scenario:
    - https inspection is on
    - for some network subnets we want to completely bypass https inspection
    - even when there are bypass rules (down the page) when we switch https...
  6. Spam - flag subject and domainkeys identified mail

    Hallo,
    when the message is domainkeys identified mail and at the same time it is spam, it looks like that checkpoint is not able to flag subject nor header. The message is properly identified as...
  7. Port 80 and 443 are open at external interfaces

    Hello,
    When scanned from external sources ports 80 and 443 are open. There are no implied rule and first rule is a stealth one. Discussion about it is here. Also there is sk66170 which suggest that...
  8. Replies
    2
    Views
    1,500

    Re: SecureXL - optimization

    The IPS is disabled at all. My guess is that traffic which is NATed is not accelerated. I really wasn't able to understand if nated traffic is accelerated or not.

    Best Regards
    Ivan
  9. Replies
    6
    Views
    2,067

    Re: High SI load which doesn't go down

    We are still at 75.30 version.

    Best Regards
    Ivan
  10. Replies
    6
    Views
    2,067

    Re: High SI load which doesn't go down

    Finally this problem is solved. Problem is in the blade "Application Control". When I switched it off completely and restarted the whole machine (not only checkpoint products) problem disappeared....
  11. Replies
    10
    Views
    11,933

    Re: SecureXL vs CoreXL

    I can repeat what I got from Checkpoint:

    Our R&D strongly suggest NOT to use CoreXL when you have less than 4 cores, which means that with 2 cores you should not use CoreXL - so in my opinion you...
  12. Replies
    10
    Views
    11,933

    Re: SecureXL vs CoreXL

    Recently I was solving this with checkpoint:
    - Our R&D strongly suggest NOT to use CoreXL when you have less than 4 cores, which means that with 2 cores you should not use CoreXL.

    I would guess...
  13. Re: How to write rules for access to internet but not to dmz

    One more question - I finally found what was the first impulse for my question. If you take a look to this presentation - IP_Platforms_Best_Practices_for_Performance_010810 at page 15 there is...
  14. Re: How to write rules for access to internet but not to dmz

    Thank you, that was what I was looking for.
  15. How to write rules for access to internet but not to dmz

    Hello,
    what is the best way how to write rules for access to internet from internal site but at the same time deny access to DMZ?

    First variant:
    allow http from internal_network to...
  16. Replies
    2
    Views
    1,500

    SecureXL - optimization

    Hello,
    When I check the settings of Securexl


    [Expert@firewall]# fwaccel stats -s
    Accelerated conns/Total conns : 1/434 (0%)
    Accelerated pkts/Total pkts : 3/620174 (0%)
    F2Fed pkts/Total...
  17. Replies
    6
    Views
    2,067

    Re: High SI load which doesn't go down

    Hello,
    How busy is your firewall - I attached picture (firewall_pu_cnn.JPG) where you can see that there is nearly no traffic and SI goes up and up.
    Running processes - in the pictures...
  18. Replies
    6
    Views
    2,067

    High SI load which doesn't go down

    Hello,
    We have 4600 appliance with R75.30.
    several weeks ago we started to have problem that the load of the gateway suddenly goes up and never return back to usual numbers. When I take a look to...
  19. Replies
    0
    Views
    1,091

    R75.3 - memory leak

    Hello,
    from time to time we meet condition where R75.3 starts to allocate more and more memory. It usually starts about 5 o'clock in the morning. Does anybody know what can be a trigger for this...
  20. Re: Citadel SMTP RCPT Remote Buffer Overflow - logged but not exists

    Solved with this tool.

    Ivan
  21. Replies
    2
    Views
    4,780

    Re: Email - policy violation but nothing in log

    Several minutes after I had sent it here, I found solution. Problem was that external domain sent private command in smtp conversation. These private commands are checked not only by IPS but also by...
  22. Replies
    2
    Views
    4,780

    Email - policy violation but nothing in log

    Hello,
    From one external domain, when anybody wants to send us an email, he can see only

    [0FC0] 07:48:32 Client session Connected, local IP= X.X.X.X
    [0FC0] 07:48:32 Client session <<< 220 x.x.cz...
  23. Re: Citadel SMTP RCPT Remote Buffer Overflow - logged but not exists

    I don't see this protection in dashboard as well. Is there a way how to reset the database?

    Regards
    Ivan
  24. Re: Citadel SMTP RCPT Remote Buffer Overflow - logged but not exists

    I am sending log

    Best Regards
    Ivan
  25. Re: Citadel SMTP RCPT Remote Buffer Overflow - logged but not exists

    I am not so stupid :-) Of course I did it and it said as well that protection didn't exist.

    Ivan
  26. Citadel SMTP RCPT Remote Buffer Overflow - logged but not exists

    Hello,
    we have quite a lot detects of "Citadel SMTP RCPT Remote Buffer Overflow" in IPS logs (R75.30) - most of them are false positives. I would like to switch this particular protection off...
  27. Replies
    9
    Views
    4,166

    Re: New 4600 - upgrade to R75.20 failed

    It's solved finally. If you download upgrade package with chrome browser the file has extension ".gz" instead ".tgz". The checksum is the same in both cases. I renamed the file to proper name and I...
  28. Replies
    9
    Views
    4,166

    Re: New 4600 - upgrade to R75.20 failed

    There is a difference. As far as I know you cannot upgrade 4600 through webui.
  29. Replies
    9
    Views
    4,166

    Re: New 4600 - upgrade to R75.20 failed

    The upgrade I tried was with ordinary license and contract. I will wait for R75.30 if it helps. Still don't know what can be wrong in brand new appliance.

    I would really appreciate if there is...
  30. Replies
    9
    Views
    4,166

    New 4600 - upgrade to R75.20 failed

    Hello,
    I have tried to upgrade brand new appliance 4600 from R75.10 to R75.20. There is no web upgrade package, only the file at...
  31. Replies
    0
    Views
    1,430

    Check_Point_Custom_Nac_Client.msi

    Hello,
    before upgrade to R75.2 we wanted to customise Check_Point_Custom_Nac_Client.msi. Unfortunately there is no such program at /linux/windows/Check_Point_Custom_Nac_Client.msi at installation...
  32. Thread: Maximum memory

    by iku899
    Replies
    0
    Views
    1,302

    Maximum memory

    Hello,
    does Splat use only 4GB of memory or there is any advantage if I put more memory to server?

    Thank you
    Ivan
  33. Replies
    51
    Views
    13,695

    Re: High CPU on UTM-1 2076 after saving policy

    Hello,
    R71.2 - resolved issues - The swapping process (kswapd) stops after a specified number of attempts to balance the memory so that the CPU will not occupied with excessive swapping (IOWAIT)....
  34. Replies
    51
    Views
    13,695

    Re: High CPU on UTM-1 2076 after saving policy

    Hello
    I see it as well. I solved it by automatic restart every week. I would be interested in solution if you have a patience to solve it with checkpoint support.

    Regards
    Ivan
  35. Replies
    51
    Views
    13,695

    Re: High CPU on UTM-1 2076 after saving policy

    Hi all
    I have closed the ticket about "High CPU after saving the policy" and I hope it will not repeat again that the problem which as support said "many customers suffered with" will be in solving...
  36. Re: R71 - antivirus only detect viruses, secureXL license

    I found that there are so many limiting condition for traffic to be accelerated that we don't use SecureXL in the end. If there is anybody with experience I am also interested in hearing it.
    ...
  37. Re: SmartView Tracker's Filter - Equal vs Contains

    If you have in a line "The horrible virus" and you want to filter it

    then for "equal" you have to write "The horrible virus"

    for "contain" it is enough to write "virus"

    I am not native...
  38. Replies
    51
    Views
    13,695

    Re: High CPU on UTM-1 2076 after saving policy

    Hi Hedi
    from my point of view this patch is stable and ready for production. Definitely more than all versions from R70 without this patch. About strange issues at R71 I wrote at...
  39. Re: R71 - antivirus only detect viruses, secureXL license

    Hi Hedi
    take a look to sk26202. You should use

    fw ctl set int g_ci_av_eicar_handling_mode 2

    0-monitor,1-ignore,2-block

    Regards
    Ivan
  40. Replies
    7
    Views
    3,162

    Re: R71 Upgrade/install

    We use AV, URLF and IPS as well (for http traffic and only "low performance")


    As I wrote - most of the time yes, once happened that traffic was stopped (well maybe more times but I didn't mention...
  41. Replies
    7
    Views
    3,162

    Re: R71 Upgrade/install

    I have upgraded R70.3 to R71 at productive firewall at UTM1- 570.

    My experience:
    - performance is really better, average cpu usage on our UTM-1 570 went from 70% to 30%
    - to be able to try...
  42. Replies
    51
    Views
    13,695

    Re: High CPU on UTM-1 2076 after saving policy

    I was told that they prepared different patches for different versions (R70x.3 x R71).

    It also means that I will think twice before future updates.

    Regards
    Ivan
  43. Replies
    51
    Views
    13,695

    Re: High CPU on UTM-1 2076 after saving policy

    Hi Hedi
    I tested the patch "kernel-2.6.18-92cp_976010001.i686.rpm" - for R71. For the first time I saw improvement. I hadn't problem during policy push (one day testing). I had a problem during the...
  44. Replies
    4
    Views
    2,236

    Re: UTM-1 x50 - how to extend the root partition

    If you use antivirus then until R70.3 there are temporary files at root partitions. So it means you cannot download bigger files than you have a free space there.
    It's different on R71 release but...
  45. Re: R71 - antivirus only detect viruses, secureXL license

    No, you are not right. I have already generated new blade licenses three months ago. As dys152 wrote you have to regenerate them again. Local checkpoint branch was surprised as well.

    Regards
    Ivan
  46. Re: R71 - antivirus only detect viruses, secureXL license

    Thank you, it worked.

    Best Regards
    Ivan
  47. Re: R71 - antivirus only detect viruses, secureXL license

    Hello,
    for everybody who is interested:
    - behaviour for eicar file is determined by g_ci_av_eicar_handling_mode parameter, in R71 is default only to "detect".

    Because of change of antivir...
  48. Replies
    51
    Views
    13,695

    Re: High CPU on UTM-1 2076 after saving policy

    Hi Steve
    after upgrading to R71 the problem is even worse. Today firewall started swapping even without sending policy.

    We are thinking about either going back to R65 (this is the last working...
  49. Replies
    51
    Views
    13,695

    Re: High CPU on UTM-1 2076 after saving policy

    Hi Steve and all
    I tried to upgrade to R71. Problem is still the same.

    Best Regards
    Ivan
  50. R71 - antivirus only detect viruses, secureXL license

    Hello
    after update to R71 I found two problems:
    I tried to access http://www.eicar.org/download/eicar.com . This is test file which should be blocked by firewall. I was really surprised that I was...
  51. Replies
    51
    Views
    13,695

    Re: High CPU on UTM-1 2076 after saving policy

    Hi Steve and all
    I got official hotfix for this issue - it is replacement of the kernel (not public available yet :-) ). Problem is better now, I was able to send policy several times without...
  52. Replies
    51
    Views
    13,695

    Re: High CPU on UTM-1 2076 after saving policy

    Hi Steve
    I am suffering the same issue ...
    Regards
    Ivan
  53. Replies
    12
    Views
    6,129

    Re: HTTP Header Length

    Hello Steve
    try "Global Properties", Smart DashBoard Customization, Configure, Firewall-1, Web security, Tuning, http_buffer_size. Try to raise the number (in my case I had to double it to 8192) ....
  54. Replies
    51
    Views
    13,695

    Re: High CPU on UTM-1 2076 after saving policy

    Hi Steve
    this is the part of my communication with support (their answers):
    - we are not able to replicate it here in any way
    - we manage to replicate the issue in lab
    - we manage to replicate...
  55. Replies
    3
    Views
    1,744

    Re: UTM-570 and http download of a big files

    Antivir is integrated in UTM-1. However if the file is greater than 150 MB, it shouldn't be scanned. The files are generated during download and they have the names filekkktka, fileytS0rA etc. -...
  56. Replies
    3
    Views
    1,744

    UTM-570 and http download of a big files

    Hello
    when I try to download very big file (5 GB), the space on "/"
    partition goes down to zero and the file is never downloaded properly.
    During download the file is probably saved also to...
  57. Replies
    51
    Views
    13,695

    Re: High CPU on UTM-1 2076 after saving policy

    Hi Steve,
    checkpoint support team managed to replicate this issue. They are working on solution.

    Best Regards
    Ivan
Results 1 to 57 of 57