CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.


Search:

Type: Posts; User: Bob_Zimmerman

  1. Replies
    64
    Views
    45,317

    Re: SmartDashboard on macOS

    This week, I was able to use some of the internal functionality I developed for the generalized rule views to add a neat user-visible feature:

    I've had the layers and policies listed in...
  2. Replies
    64
    Views
    45,317

    Re: SmartDashboard on macOS

    I've had some pretty significant life changes this year, which have left me with less time than I would like to program. When I do have time, I often don't have the focus to really think about the...
  3. Replies
    64
    Views
    45,317

    Re: SmartDashboard on macOS

    Still chasing the performance issues when scrolling rules. I've found four or five ways to do it which don't improve the situation at all. Still looking for a method which does. Might burn a...
  4. Replies
    64
    Views
    45,317

    Re: SmartDashboard on macOS

    Every time I think my day job is settling down a little, there's some new crisis. As a result, I haven't been able to spend as much time on this project as I'd like. I have also run into a...
  5. Replies
    2
    Views
    2,431

    Re: issues with snapshot in R77.30

    The space Gaia uses for snapshots doesn't show up in 'df'. I'm betting somebody has handed all of the space on the disk to lv_current, leaving no space for snapshots. You can check this with the...
  6. Replies
    64
    Views
    45,317

    Re: SmartDashboard on macOS

    No screenshot for this update, as it's "just" fixes for stuff I showed off in the last one.

    Updated my policy package objects to have an ordered relationship to access layers, updated the rest of...
  7. Replies
    13
    Views
    10,906

    Re: API Irritations

    It's been a little while!

    Today, I found that you can't both turn a policy package's "access" property to true and set its access layers in one API call. The API just barfs with an extremely...
  8. Replies
    64
    Views
    45,317

    Re: SmartDashboard on macOS

    Spent some time this weekend building detail views for a few more types of object: access layers and policy packages. I still have a little work left to do on them before they're really done, but...
  9. Replies
    64
    Views
    45,317

    Re: SmartDashboard on macOS

    I really need to stop posting in the afternoon. That evening, I figured out how to use the view to edit group members! And with the way I've built the editor, it should be trivial to extend to most...
  10. Replies
    64
    Views
    45,317

    Re: SmartDashboard on macOS

    I am now able to create a view for part of my object tree and represent a set of selected objects. I can toggle the selections, and the new selections are reflected in the set of selected objects....
  11. Replies
    64
    Views
    45,317

    Re: SmartDashboard on macOS

    Work on this application has been slowed by day job stuff. I also took the time a while ago to tweak my development machine's EFI extensions (OCLP is pretty nice!) to let me upgrade more smoothly....
  12. Replies
    64
    Views
    45,317

    Re: SmartDashboard on macOS

    I've used the method of dealing with complex properties to add handling of automatic NAT and aggressive aging settings for objects which have them. Changes to automatic NAT currently aren't reflected...
  13. Replies
    64
    Views
    45,317

    Re: SmartDashboard on macOS

    One of the big problems I've had with my data model has been complex properties. Most properties of an access rule are either simple types (like a boolean value for source negation or a string for...
  14. Replies
    13
    Views
    10,906

    Re: API Irritations

    Huh! I haven't had that problem yet. Hit something similar on R81.10, which wound up being a bug somewhere in the management server or API service. Try using the script in the first post to find the...
  15. Replies
    64
    Views
    45,317

    Re: SmartDashboard on macOS

    Earlier this week, I managed to connect the progress meter to the API interaction queue. And as of an hour or so ago, I think I have resolved all the new bugs I introduced getting it to work!
    ...
  16. Replies
    2
    Views
    6,016

    Re: API target for development

    It looks like Check Point has done something in R81.10 which breaks this method of making disposable hosts with preset SSH keys. My user key survives, but new host keys are generated when the system...
  17. Replies
    64
    Views
    45,317

    Re: SmartDashboard on macOS

    Day job has been busier than expected the last few weeks. Thorny firewall upgrade. It eventually worked, but I haven't had the focus left at the end of the day to really program effectively.

    Over...
  18. Replies
    64
    Views
    45,317

    Re: SmartDashboard on macOS

    While building some test data to confirm I handle policy installation targets correctly, I noticed I didn't import clusters at all. I think I started developing this client against R80.20, which...
  19. Replies
    1
    Views
    5,645

    Re: VPN Statically NATted IP

    Let's say you have gateway A (with only private addresses) which goes through gateway B, which NATs A's private address to a public address. That option exists to let you form a VPN straight from A...
  20. Replies
    64
    Views
    45,317

    Re: SmartDashboard on macOS

    Just added the ability to push policy! The UI is still a work in progress, but it's usable.

    Right now, the installation targets list just shows all firewalls. I don't currently interpret...
  21. Replies
    64
    Views
    45,317

    Re: SmartDashboard on macOS

    Just finished adding the ability to add and delete access and NAT rules and sections. I create rules disabled to let you build the rule before enabling it. This isn't as big a deal as it was before...
  22. Replies
    64
    Views
    45,317

    Re: SmartDashboard on macOS

    Still thinking about the right way to calculate rule numbers. I do have some minor things to share. I've added the ability to disable NAT rules (and to show that they are disabled), as well as the...
  23. Replies
    64
    Views
    45,317

    Re: SmartDashboard on macOS

    Well, I just discovered that while policies have automatically-generated NAT sections which you can't modify at the top, you can add NAT rules above them. So that's fun. Time to rework a chunk of my...
  24. Replies
    64
    Views
    45,317

    Re: SmartDashboard on macOS

    It's extremely limited right now. Shows most things, but can only manipulate a few of them. The login flow is iffy (it defaults to my lab SmartCenter's address and doesn't remember any others you log...
  25. Replies
    64
    Views
    45,317

    Re: SmartDashboard on macOS

    I think I've finally cracked it. Removed some debugging code I had added, and now drag-and-drop is working from inside a section to outside a section, from outside a section to inside, between...
  26. Replies
    64
    Views
    45,317

    Re: SmartDashboard on macOS

    Duplicate post.
  27. Replies
    64
    Views
    45,317

    Re: SmartDashboard on macOS

    Even if it comes after browser-based management, I won't be too disappointed. I'm one person doing this in my spare time, after all. ;) I will always prefer the performance achievable with a thick...
  28. Re: Anyone remember the command on the gateway to see which Terminal Servers are conn

    You can use 'who' to find out who is currently connected and how:

    [Expert@LabSC]# who
    admin pts/2 Aug 12 17:42 (10.20.30.40)
    admin pts/3 Aug 12 17:42 (10.20.30.40)
    The...
  29. Replies
    64
    Views
    45,317

    Re: SmartDashboard on macOS

    Databases are one of those things I really don't understand all that well. Key-value observing is another. This, unfortunately, combines both, so it has taken me a long time to learn what I need to...
  30. Replies
    1
    Views
    6,299

    Re: Threat Protections and SSL Inspection

    It depends if you offer or use unencrypted services. For example, if you host an FTP site or if you access somebody else's, then IPS, threat emulation, and so on could see the traffic and provide...
  31. Replies
    64
    Views
    45,317

    Re: SmartDashboard on macOS

    So it took me waaaay longer than I expected to figure out live UI updates in response to database changes, but I think I have it mostly working now. And it turns out it involves using a Cocoa...
  32. Replies
    64
    Views
    45,317

    Re: SmartDashboard on macOS

    Figured out how to update the rule ordering criteria and rule numbers. Now dragged-and-dropped rules get reordered in the UI, and they get the correct rule number (or at least, I'm not aware of any...
  33. Replies
    6
    Views
    8,592

    Re: Management API performance

    I've collected enough data for what I care about. It's posted here:

    https://github.com/Bob-Zimmerman/CPAPI-Stats

    There's an Excel spreadsheet with a tab for each configuration and a column for...
  34. Replies
    64
    Views
    45,317

    Re: SmartDashboard on macOS

    Over the weekend, I added color swatches to the object color picker. That was WAAAAY harder than it seems like it should have been, but it's working now:
    And just now, an hour before the WWDC...
  35. Replies
    6
    Views
    8,592

    Re: Management API performance

    Here's the script I've been using with VMs:

    #!/usr/bin/env bash
    TIMEFORMAT='%R'
    filePrefix="vm$(egrep "^processor\s" /proc/cpuinfo | wc -l)$(grep MemTotal /proc/meminfo | awk '{GB = $2/1000000}...
  36. Replies
    6
    Views
    8,592

    Re: Management API performance

    It may just be down to having more thermal headroom. The Atom was originally a reimplementation of the core x86 instructions without power-hungry features like branch prediction and speculative...
  37. Replies
    6
    Views
    8,592

    Re: Management API performance

    I am indeed. A while ago, I found out how to modify config_system to let me set it up as a standalone. The firewall part has one rule: any, any, any, accept.

    This performance is surely why...
  38. Replies
    6
    Views
    8,592

    Management API performance

    So I've been working on adding drag-and-drop rule rearrangement to my Mac-native client, and it's presenting a problem. Refreshing the rule positions after a drag operation would require re-fetching...
  39. Replies
    64
    Views
    45,317

    Re: SmartDashboard on macOS

    Lots of visible updates! I've been adding menus to access rule fields and items within those fields. While most of the menu items aren't hooked up to anything yet, I do have this one which I think is...
  40. Replies
    64
    Views
    45,317

    Re: SmartDashboard on macOS

    Just got object search working in the sidebar. It's not quite as smooth as I want it. It searches automatically as you type and shows the results live in the sidebar, but it closes the object types....
  41. Re: CMA appears to be down, while in CLI its up

    When the GUI disagrees with the command line (or with itself), I generally jump right to trashing the applications.C* and CPMILinksMgr.db*. They're all in $FWDIR/conf. cpstop the MDS, trash them (or...
  42. Replies
    64
    Views
    45,317

    Re: SmartDashboard on macOS

    My client has long had a big, gross limitation which isn't really obvious in screenshots: it didn't handle data updates very well. You could download objects, edit existing objects, and now make new...
  43. Replies
    64
    Views
    45,317

    Re: SmartDashboard on macOS

    I've figured out enough about contextual menus to allow for object deletion.
    This required more "fun" with Objective-C selectors. Selectors are basically function calls, but you can't pick...
  44. Replies
    64
    Views
    45,317

    Re: SmartDashboard on macOS

    While figuring out some menu stuff, I decided it's time to learn more about how localization works on macOS (this was actually to help me reliably place the "Add Object" menu in the menubar). Turns...
  45. Replies
    64
    Views
    45,317

    Re: SmartDashboard on macOS

    Took a bit longer than I thought to finish shaving some other yaks and get back to directly working on this project. I'm happy to report I was able to figure out enough about menus to allow for the...
  46. Replies
    2
    Views
    6,016

    Re: API target for development

    I eventually decided using snapshots for this is too slow. I have a ludicrously powerful desktop (2x Xeon X5675 [3.06 GHz, 6 cores plus hyperthreading], 96 GB of RAM), and it was still taking over 20...
  47. Replies
    2
    Views
    5,574

    Re: Standalone 2200 with R80.10 and up

    I just confirmed the 2200 can handle 8 GB of DDR3 RAM in the form of two 4 GB SODIMMs. Mine have eight chips on each side, 16 chips per stick, so 256 MB per chip. I hear sticks with 512 MB chips...
  48. Replies
    64
    Views
    45,317

    Re: SmartDashboard on macOS

    Now that I have a good way to build an MDS for testing, I'm starting to work with the multi-domain parts of the API. This leads to a big question:

    How should connecting to an MDS work?

    It would...
  49. Replies
    2
    Views
    6,016

    API target for development

    Most of my development work so far has been against a 2200 which I personally own. It has a perpetual license, but it's sometimes a little unpredictable. The API service sometimes crashes. It has a...
  50. Replies
    64
    Views
    45,317

    Re: SmartDashboard on macOS

    Finding some rough edges when it comes to application/site objects and their relationships with categories. Suspending my work on that for now.

    I think I've figured out how to make new objects. It...
  51. Re: When you thought 2020 couldn't get worse

    You should look up the Cherpumple.
  52. Replies
    64
    Views
    45,317

    Re: SmartDashboard on macOS

    Gave up on the progress meter for now, and learned to do this instead:

    I now have support for dragging objects from the sidebar into the source, destination, and service fields of rules,...
  53. Replies
    13
    Views
    10,906

    Re: API Irritations

    Ran into the group-members-are-sometimes-objects-and-sometimes-UUIDs thing again, but this time with tags. I suspect this inconsistency will bite me a few more times before I've tracked down all the...
  54. Re: When you thought 2020 couldn't get worse

    Eh. GNS3 is only mildly weird. I was hoping for something like an x86 emulator on a Raspberry Pi emulated by an UltraSPARC. ;p
  55. Re: When you thought 2020 couldn't get worse

    So a Fortinet VM inside a PAN VM inside a Check Point box? Please tell me that's also a VM on something weird.
  56. Replies
    64
    Views
    45,317

    Re: SmartDashboard on macOS

    At some point, sure. For now, I figure I have about 20% the functionality of SmartDashboard. Lots left to add, but it's mostly view-side code in MVC. The object model changes put me in a better...
  57. Replies
    64
    Views
    45,317

    Re: SmartDashboard on macOS

    Spent a while completely rewriting my entire import architecture and my entire object model. Previously I had been using one single object definition for everything. Hosts, networks, services,...
  58. Replies
    13
    Views
    10,906

    Re: API Irritations

    'show object' returns a JSON structure with a top-level key of "object" which has its value set to the JSON structure for the object you are trying to get:


    [Expert@mySmartCenter:0]# mgmt_cli -r...
  59. Replies
    64
    Views
    45,317

    Re: SmartDashboard on macOS

    No screenshots to really show this off, but a small update.

    I have just made my first successful API call to change the properties of an object based on changes made locally in my client.

    While...
  60. Replies
    64
    Views
    45,317

    Re: SmartDashboard on macOS

    Made some advances and thought I would show them off.

    Dark mode actually worked perfectly right out of the gate.

    Dramatically improved login. That's the phone button at the far left of...
  61. Replies
    64
    Views
    45,317

    Re: SmartDashboard on macOS

    Ran into some issues, which stalled my progress for a while. I decided the fix was to rewrite most of the UI. Still not done with that, and still not past the issues in question, but I think I'm...
  62. Re: Secure Internal Communication (SIC) Basics

    Change management's name? Need to reset the ICA and all trust relationships. I hit that mostly when rebuilding a failed management (I wrote the process for the three-file rebuild, and used it on a...
  63. Re: Secure Internal Communication (SIC) Basics

    Elaborating on this one a bit. Resetting SIC should almost never be necessary, and it often makes problems worse and reduces your ability to troubleshoot the problem. While building your...
  64. Re: Secure Internal Communication (SIC) Basics

    The trust establishment negotiation is actually from the management to the gateway and from the management to the log server. The rest is accurate, yes.
  65. Replies
    3
    Views
    10,851

    Re: All that's old is new again.

    There was also SunOS/Solaris, and I think you could install FW-1 on Redhat as well for a while.

    The level of sensitivity to Solaris patches was a huge pain. That build also didn't get great...
  66. Replies
    13
    Views
    7,153

    Re: Upgrade to 80.40

    Sure, but there's a great saying among programmers: the best code is the code you don't have to write. If you can arrange other things such that you don't need the modification, that's vastly...
  67. Replies
    13
    Views
    7,153

    Re: Upgrade to 80.40

    I try really hard not to make modifications to files like the table.def, implied_rules.def, and so on. This is why. Upgrades always wipe them out, and updates sometimes do as well. Rediscovering all...
  68. Replies
    13
    Views
    10,906

    Re: API Irritations

    'show changes' is so close! It provides enough information to highlight items which were changed. Unfortunately, it doesn't provide enough to actually merge those changes from just the 'show changes'...
  69. Replies
    64
    Views
    45,317

    Re: SmartDashboard on macOS

    Still working on the ordering of empty sections.

    Since I last posted, I have:

    Added NAT rulebase display.
    Added a picker to choose the policy package you want to view. It also has a special...
  70. Replies
    13
    Views
    10,906

    Re: API Irritations

    And back to hair-pulling frustration.

    If you run 'show objects', and you get a group, that group's members are given as a list of UUIDs.

    If you get the same group via 'show object', the group's...
  71. Replies
    64
    Views
    45,317

    Re: SmartDashboard on macOS

    For my initial development, I skipped dealing with certificates and so on. Instead, I coded it to use custom TLS trust evaluation, and to blindly trust any certificate presented by a particular IP...
  72. Replies
    13
    Views
    10,906

    Re: API Irritations

    Just ran into a more pleasant surprise! 'show object' appears to work with any UUID. Object, policy package, layer, even individual rules. I noticed when I made a mistake handling inline layers and...
  73. Replies
    13
    Views
    10,906

    Re: API Irritations

    Entirely possible. That said, if somebody else wants to build tools like the ones I build, this might help them avoid some of the data model potholes I've hit. It took me days to convert from a...
  74. Replies
    13
    Views
    10,906

    Re: API Irritations

    Found a new one. I'm probably going to report this as a bug.

    Access sections don't give you their position. They have a 'from' integer and a 'to' integer for the rules inside them, but no position...
  75. Replies
    64
    Views
    45,317

    Re: SmartDashboard on macOS

    Your comment did remind me I forgot to handle cell negation. Simple enough fix. I just added a "negate" variable in my cell view, and fed it the appropriate value from the working row. SwiftUI is...
  76. Replies
    64
    Views
    45,317

    Re: SmartDashboard on macOS

    That's actually the thing I find most disappointing about the API. It was a chance for a clean break. You could have provided a VCS like Hg or Git (or even non-distributed; something like SVN), but...
  77. Replies
    64
    Views
    45,317

    Re: SmartDashboard on macOS

    It's 100% Swift 5.2. It's a very nice language. Easy to reason about. Automatic reference counting for memory management, a good static analyzer, good exception handling capabilities.

    The UI is a...
  78. Replies
    64
    Views
    45,317

    Re: SmartDashboard on macOS

    I was not aware, but web applications are universally pretty awful. You have reduced working space due to the browser's chrome on top of the application chrome. In-page state interacts in really...
  79. Replies
    64
    Views
    45,317

    Re: SmartDashboard on macOS

    Funny this should be the most recent thread in the off-topic forum. I was just trying to determine where to ask if anybody was interested in a little application I've been working on.

    I'm solving...
  80. Replies
    13
    Views
    7,153

    Re: Upgrade to 80.40

    That would be my expectation. Kernels are easy to swap. It's a single binary image stored on the disk. Point to a new one, done.

    Filesystems are much harder to swap (though not impossible; Apple...
  81. Replies
    13
    Views
    7,153

    Re: Upgrade to 80.40

    I upgraded my personal 2200 from R80.20 to R80.40 over the weekend. It has a 1.8 GHz dual-core processor, 4 GB of RAM, and a SATA SSD. Except for the SSD, it's pretty close to a worst-case scenario....
  82. Replies
    13
    Views
    10,906

    Re: API Irritations

    I converted my code to use a single class for all objects, then switched to using 'show objects' to get everything.

    Tags aren't included in 'show objects'.

    Are you kidding me?



    I'm also...
  83. Replies
    15
    Views
    11,452

    Re: automated MDS backup

    Ah. Yeah. By convention, brackets indicate optional arguments in UNIX/Linux, and less-than and greater-than indicate mandatory arguments. In both cases, the enclosing characters need to be removed as...
  84. Replies
    13
    Views
    10,906

    Re: API Irritations

    Found another one. Some API endpoints are case-insensitive, while others (the specific one I hit was where-used) don't return anything for uppercase UUIDs. It's easy enough to just add a...
  85. Replies
    13
    Views
    10,906

    API Irritations

    I'm trying to do more with the management API, and it is insanely frustrating to deal with. Thought I would vent a little here.

    First, something actually very good: the API is versioned. Version...
  86. Replies
    9
    Views
    7,641

    Re: Business case to keep Check Point

    My knowledge of Palo Alto is limited, but I know their feature to identify users on endpoints (like Identity Awareness) is trivial to misconfigure. I've seen a few Palo Altos with that feature...
  87. Replies
    15
    Views
    11,452

    Re: automated MDS backup

    SSH keys are a user-level thing. Check Point doesn't use them directly for anything, and they won't interfere with anything Check Point does.

    I'm working on SCP stuff myself (specifically, still...
  88. Replies
    15
    Views
    11,452

    Re: automated MDS backup

    The file should be created as soon as you touch it, and it should have contents as soon as the >> is run. My bet would be time zone confusion (maybe he checked before the script had run?) or node...
  89. Replies
    2
    Views
    5,574

    Re: Standalone 2200 with R80.10 and up

    Remove the "return 1;" from the end of line 1129, and config_system will happily set up your 2200 as a standalone system.



    For some reason, I couldn't post (or preview) with that final line of...
  90. Replies
    2
    Views
    5,574

    Standalone 2200 with R80.10 and up

    I recently needed to get a personal Check Point license for some development work I'm doing. Getting a new software license would be hundreds to thousands of dollars, while Check Point branded...
  91. Replies
    15
    Views
    11,452

    Re: automated MDS backup

    Thanks for the comment! I'm never sure if anybody else cares about this kind of thing.
  92. Replies
    15
    Views
    11,452

    Re: automated MDS backup

    I just updated my MDS past the versions in sk163300, which changed mds_backup to no longer gzip the final tar file. That broke my file renaming logic. Testing a fix.

    Edited to add: This should...
  93. Re: Any interruption if I add the interesting traffic into the existing site2site tun

    IPSec VPNs are negotiated by the gateways for pairs of endpoints. An "endpoint" in this context can be a single host or a network (including the network 0.0.0.0/0, which includes all IPv4 addresses)....
  94. Replies
    15
    Views
    11,452

    Re: automated MDS backup

    I normally use mds_backup -b -i -l. The b sets batch mode, which doesn't prompt for anything. The i includes the rule hit counts. The l (lowercase L) excludes logs (I have separate MLMs, so this is...
  95. Re: trouble creating cluster interface in cluster XL

    So you're aware, the last step in that list undid all the earlier steps in that list. That button exists specifically for people who don't want to build the interface themselves. I would guess that...
  96. Re: trouble creating cluster interface in cluster XL

    The first screenshot is telling you someone else is making changes to gate01, so you can't make your changes.

    The second screenshot is telling you it doesn't like something about the change you...
  97. Replies
    1
    Views
    1,589

    Re: Licensing Cost / Job Interview

    To me, the single biggest selling point of Check Point's software is just that: it's software you can throw on your own server or VM. You can download the installer ISO for all the current versions...
  98. Replies
    4
    Views
    11,348

    Re: Network Load Balancing Server

    I doubt the firewall would do automatic proxy ARP for the virtual server. You could try adding a proxy ARP statement or using a VIP which isn't on any real network you use.
  99. Replies
    5
    Views
    2,933

    Re: Trying to run Python script

    Python has a concept of modules. A module provides functions and object types which Python by itself does not.

    Apparently this script requires one called "rulebasecsv", which isn't on the system...
  100. Replies
    5
    Views
    2,933

    Re: Trying to run Python script

    To expand on this, the "^M" part of the error is a control character. Control-M is a carriage return.

    Different platforms encode line endings in different ways. Specifically, classic Mac OS used a...
Results 1 to 100 of 420