CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.

Type: Posts; User: vijayant

  1. Re: Does my Checkpoint expertise count in being a CISSP Professional

    Hi Friends

    I finally conquered CISSP. I have cleared the exam. My endorsement is pending...

    Thanks for all your suggestions and help...

    Hi dreambuddy
    Your words are really coming true...
  2. Re: Just again TCP packet out of state (Replies: 15, Views: 7,817)

    Is your firewall a cluster? This may be a routing issue in case of a cluster. Check if routes are added on all members of the cluster. Also you may check on the protocol object in the advanced option...
  3. Re: How to keep existing VPN endpoint while changing gateway IP

    Is this a cluster or standalone system? In case it's a cluster, then keeping the Virtual Cluster IP the same you can always change the rest of the IP addresses. In case it's a standalone, you can still creat...
  4. Re: VPN as Backup Connection and antispoofing (Replies: 8, Views: 2,808)

    Hi

    So your site 1 has one firewall FW1 and one router R1. Site 2 has only one router R2 with one interface connecting to the MPLS cloud and the other interface connected to the Internet. If so then:...
  5. Re: VPN as Backup Connection and antispoofing (Replies: 8, Views: 2,808)

    On the remote site, the primary is connected to the same MPLS cloud. The secondary is the internet interface that terminates the IPSec tunnel.

    What is primary and secondary?
  6. Re: VPN as Backup Connection and antispoofing (Replies: 8, Views: 2,808)

    I assume your MPLS link is connected directly to the intranet and not to the firewall. The firewall has more than two interfaces, that is, it has Internal, External and DMZ interfaces. That is the only...
  7. Re: VPN Setup from internal and external Interfaces

    Hi mcnallym

    I called up Checkpoint. They said it's possible as long as the network reachability is there. In my case what I mean to say is the tunnels established on the internal interface will not...
  8. VPN Setup from internal and external Interfaces

    Hi

    We have a requirement to establish Site to Site VPN tunnels, a few from the internal interface and a few from the external interface. Is it possible? Any issues we can face due to antispoofing? What...
  9. Re: VPN Certificate Query (Replies: 1, Views: 1,168)

    I wonder if you uncheck the VPN option from the firewalls and redo it again. That will regenerate the certificate.
  10. Re: Windows Update/Microsoft Update IP ranges (Replies: 7, Views: 6,605)

    Hi jlobl

    For this you need to use a URI Resource. I am struggling with the same. Will update you in case of a breakthrough.
  11. Re: How to create redundant VPN link (Replies: 9, Views: 4,407)

    Hi

    Adding to the above scenario (the latest diagram with routers), my setup has a DMZ network on both the firewalls (therefore three interfaces: external, internal and DMZ). Due to that we have...
  12. Re: New checkpoint admin need to confirm the fw is working fine...

    GUI Client: SmartView Monitor will show you the health.
  13. Re: how to identify installed modules (Replies: 7, Views: 1,898)

    On SPLAT it gave:

    [Expert@At-AA-fw1]# pkginfo | grep CP
    bash: pkginfo: command not found
  14. Re: Site-to-Site VPN Problem (Replies: 14, Views: 5,359)

    Please do
    vpn debug off
    vpn debug ikeoff

    after you are done... :)
  15. Re: Changing external IP (Replies: 3, Views: 2,148)

    Hi

    Can you please explain it a bit more? How did you change the IP? Where do you see the "VPN identifier"?
  16. Re: End of Support for R55 (Replies: 8, Views: 3,122)

    Don't remember the date, but last time we called up Checkpoint for some issues on R55 they said they no longer support R55.
  17. UTM-1 Appliance (Replies: 0, Views: 1,380)

    Hi

    Till now we have used server machines (Dell, HP, IBM) only for firewall installation. For a new facility we are looking at installing a UTM-1 (1070). The site capacity will be 500 users.

    Can...
  18. Re: Basic Backup Strategies R65 (Replies: 14, Views: 3,042)

    Hi

    If you can rely on your network then you may proceed that way. But if the logs are primarily stored on the Smart Center Server and periodically moved to some other server, I feel it's more...
  19. Re: Command Line (Thread: Command Line, by vijayant; Replies: 7, Views: 4,436)

    This will be in addition to the existing rule base, or will it replace that?
  20. Re: VPN Checkpoint Checkpoint via PIX (Replies: 2, Views: 1,519)

    Do a static 1-to-1 NAT for CP1 on the PIX and use the NATed IP to create the Site to Site tunnel between CP1 and CP2. Allow the VPN traffic CP1 to CP2 through the PIX. The PIX will be only a firewall...
  21. Re: Using the Excluded Services VPN Option (Replies: 1, Views: 1,679)

    The traffic will be excluded from the VPN Tunnel.
  22. Re: VPN Site to Site Cisco Device (Replies: 6, Views: 1,819)

    Hi

    When you say "When the destionation make the response, the packet pass trough the firewall checkpoint without encrypt."

    how do you know this?
  23. Re: VPN Site to Site Cisco Device (Replies: 6, Views: 1,819)

    Hi

    Your end subnet participating in the VPN tunnel should be a part of your end VPN Domain. The other end subnet participating in the VPN tunnel should be a part of the other end VPN Domain. Also take a...
  24. Re: DNS resolution through VPN tunnel (Replies: 12, Views: 8,264)

    Is it not too silly..
  25. Re: IKE phase1 failed (Replies: 1, Views: 1,936)

    Hi

    Just once again check that all the configurations on chkpt and ASA are the same.
    Also try to change the hashing (e.g. MD5 to SHA1). Also similarly you may test for encryption etc.

    For me...
  26. Re: Single Interface multible ip ranges (Replies: 4, Views: 1,846)

    Hi

    Can you put both these ranges in one subnet, by changing the subnet value on the Firewall?
  27. Re: RDP via VPN does not work (Replies: 7, Views: 2,885)

    Hi

    Just check with the Firewall admin if they allow your user ID to access the required servers. Also ask them what logs they are getting for your problem.
  28. Re: VPN problem to access internal network (Replies: 6, Views: 3,127)

    Hi

    "Replaced" means you have configured all the rulebase, objects, NAT, VPN etc. on the new R65, or you did an upgrade_export/_import?

    The encryption domain of your end should have your end networks...
  29. Re: DNS resolution through VPN tunnel (Replies: 12, Views: 8,264)

    Hi

    The problem is not the access to "acct.company.com". The problem is that by some means you have to resolve the URL to an IP. If the number of machines in your remote company location is less, then include...
  30. Re: What does the grey triangle mean? (Replies: 7, Views: 1,921)

    Do you mean this type? For me it shows on all the objects I have configured under Checkpoint and interoperable devices. I didn't face any concern regarding it till date.
  31. Re: Does my Checkpoint expertise count in being a CISSP Professional

    Hi dreambuddy

    What you said, I have the same perception; that's where I feel a person with MCSE and CCSA is in a better position than me with CCSA, CCSE. Anyhow your response is precious for me....
  32. Re: Clarification for IP usage in Clusters (Replies: 7, Views: 2,084)

    Mohit

    In a general scenario cluster members don't have any logical interface.

    It's not a matter of should and can; you need to understand how Checkpoint works as a technology.
  33. Re: Clarification for IP usage in Clusters (Replies: 7, Views: 2,084)

    Hi

    If you have a Layer 3 switch then you can put the firewalls in one of the VLANs.
  34. Re: ha module not started (Replies: 5, Views: 4,350)

    Hi

    Please do cphaprob -i list; it should show:

    Device Name: HA Initialization
    Current state: OK

    on both the firewalls.
  35. Routing restoration (Replies: 5, Views: 1,970)

    Hi

    In case I am rebuilding/upgrading a firewall, can I add all the existing routes from the crashed/old firewall in one go on SPLAT? On Windows Server we can do that, but what about SPLAT?
    Also if I...
  36. Re: ha module not started (Replies: 5, Views: 4,350)

    Hi

    Do a cphaprob list. What is the status of clustering there? Just copy-paste it. Have you pushed the policy?
  37. Re: ha module not started (Replies: 5, Views: 4,350)

    Hi

    Do you have a license for the cluster, and have you pushed the policy after you put that license on the Smart Center Server?
  38. Re: clusterXL both servers active (Replies: 5, Views: 1,611)

    Hi

    Do a "fw unloadlocal" on both the firewalls and push the policy again. Also check the status of your Sync cable/interface; it should be communicating. Also I can see that these firewalls are...
  39. Re: CP+RSA authentication problem (Replies: 7, Views: 6,906)

    Hi

    Just check if you can get something from the link http://www.cpug.org/forums/authentication/8476-rsa-authentication-failure.html

    Please see the agent host config in the attached doc.
    Have...
  40. Re: DL380G5+NC346T+XL+SPLAT+v2.6 Traffic drops (Replies: 14, Views: 4,371)

    Hi

    Please check the interfaces also, as you said the problem is for both in and out traffic. It's better that the interfaces have a statically defined link speed than AUTO.
  41. Re: Directing traffic to another subnet via a VPN

    Are you sure your routing is correct?
  42. Re: Site-To-Site VPN problem (Replies: 4, Views: 2,266)

    What do you see in SmartView Tracker?
    Is routing correct?
    Is there an access list permitting the same?
  43. Does my Checkpoint expertise count in being a CISSP Professional

    Hi

    I am CCSA, CCSE. I have approx. 7 years' experience in networks and firewalls. Now I am preparing for CISSP due to its market value and broader domain. The problem is that if I move to the...
  44. Re: Putting all traffic through vpn tunnel (Replies: 10, Views: 3,251)

    Checkpoint will tell that there is a network address overlap and the SA will not be established.

    I think you require a route-based VPN on Checkpoint and GRE on Cisco. I have never configured that. You...
  45. Re: HA - Problem after reinstallation of a member

    Hi

    Do a fw unloadlocal on the new one and push the policy again. If this doesn't work, it is always better to recreate the Firewall object or even the Cluster object in such a case.
  46. Re: supernet trouble (Replies: 16, Views: 7,475)

    Try this as well..

    Configuring a Subnet
    To enhance interoperability with third-party devices, define the subnet used in the quick mode negotiation per range. To further enhance interoperability,...
  47. Re: Problem with hide nat on site-to-site vpn (Replies: 2, Views: 2,350)

    Why don't you do the hide NAT in the network object (10.0.0.0/8) itself and put the object 10.0.0.0/8 in the VPN Domain?
  48. Re: need help VPN site to site cisco (Replies: 6, Views: 1,308)

    Hi

    Don't create an access list for destination any. Give the other end subnets. On Checkpoint just try to configure using the docs, then let us know the errors you got etc.
  49. Re: Putting all traffic through vpn tunnel (Replies: 10, Views: 3,251)

    Hi

    I don't know whether "any" is supported or not on Cisco. To my knowledge Checkpoint also doesn't know any for VPN. You need to know the other end subnets and put them in the access list. That way you may...
  50. Re: configuration example for vpn with cisco devices

    Hi

    I think configuring VPN with a Cisco device is pretty straightforward. Just create an Interoperable Device and mention its VPN domain. Rest all is the same.
  51. Re: site to site ike no response from peer (Replies: 10, Views: 6,922)

    In broadcast mode there is no need to worry about anything else.
  52. Re: RSA Authentication Failure (Replies: 5, Views: 3,641)

    Hi All

    Thanks for suggestions.

    Actually we have followed all the steps as per the configuration docs. But we did not know where to start with the troubleshooting. By segregating we finally...
  53. RSA Authentication Failure (Replies: 5, Views: 3,641)

    In the RSA Server we have created users and an Agent Host. In the Firewall we have placed sdconf.rec and also created sdopts.rec. When I try to authenticate in a Client to Site VPN, it says wrong username...
  54. Re: IKEView interpretation - INVALID ID INFO (Replies: 9, Views: 5,700)

    I'm getting INVALID ID INFO on phase 2 with a Cisco 3005? (Both peers have validated the encryption domains, and they seem to match).

    Even when your domain is defined correctly -> In QM PACKET 1...
  55. Re: site to site ike no response from peer (Replies: 10, Views: 6,922)

    What is the message in Tracker now?
    Right click the object and option > Where Used. You will know where it is used.
    /etc/host should not matter I suppose, not sure.

    If possible generate...
  56. Re: VPN-1 vpn with PIX (supernetting and SA lifetimes)

    Hi

    I am facing something similar. We upgraded R55 (Windows Platform) to R60 (SecurePlatform). The tunnel between my Cluster and the remote VPN Concentrator gave a no valid SA error. The tunnel can be...
  57. Re: Monitoring VPN Tunnels via SNMP (Replies: 4, Views: 4,180)

    Hi

    Please share the info on how you make SNMP communication possible with Checkpoint. I have the Checkpoint MIB. Can I monitor CPU, memory, load etc.? If yes then how? Using SMTP the firewall...
  58. Re: site to site ike no response from peer (Replies: 10, Views: 6,922)

    In SmartView Status, are the licenses attached properly? Please verify. Check the Firewall status in SmartView Monitor. VPN with a Cluster is configured in the same way, only instead of the Gateway IP you...
  59. Re: Cluster Failed After timezone change??? (Replies: 1, Views: 1,648)

    Please check the license state in SmartUpdate: are they still attached to the Firewall modules?
  60. Re: Internet infrastructure going to change, need some advice

    Just take downtime. You just don't know what new problem may surface at that moment. Always something that you have relied on the most...

    If you connect the Secondary first, just check the networking...
  61. Re: Client to Site not working after Upgrade (Replies: 4, Views: 1,297)

    mcnallym

    You are right. It seems to be a routing issue. I disabled Office Mode and it worked fine. I suspect the Office Mode network could not be routed properly, that's why the problem. So most...
  62. Re: Client to Site not working after Upgrade (Replies: 4, Views: 1,297)

    mcnallym

    It's a new server, so it's still not connected to the network. I just tried to connect using my laptop, putting the IP in the same network as the external network of the firewall. Yes I created new...
  63. Client to Site not working after Upgrade (Replies: 4, Views: 1,297)

    Hi

    We are upgrading NG AI R55 (Windows Platform) to R60 on SPLAT. The problem is that after upgrading, client to site is not working; it was giving something like "Could not get Certificate to check...
  64. Re: [Help]Internal Interface Port does not go up even Restored Default!

    Do "fw unloadlocal" if the firewall is not in production, or take downtime, and troubleshoot the interface alone. Is it a Windows platform or Unix/SPLAT? For Unix/SPLAT use the mii-tool command to...
  65. Re: NAT issue (Thread: NAT issue, by vijayant; Replies: 2, Views: 1,568)

    Hi

    It's working now. Maybe it was due to two objects created for the same server, one with the public IP and the other with the private IP. Too many people working on the same issue ;)
  66. NAT issue (Thread: NAT issue, by vijayant; Replies: 2, Views: 1,568)

    Hi

    On R55 a machine A with IP 192.168.100.10 is static NATed to 202.89.64.5. It's automatic NAT. NATing is working fine, i.e. IP 202.89.64.5 is accessible from the Internet. Now 192.168.100.10 is not...
  67. Re: Change SIC Interface (Replies: 8, Views: 2,861)

    melipla

    The time difference between firewalls is 40 seconds; between the Smart Center Server and firewalls it is approx. 7 min.
    Also let me tell you that 90% of the traffic on this firewall is of some file...
  68. Re: Change SIC Interface (Replies: 8, Views: 2,861)

    Daniel

    Can you please explain why you have these doubts? I am not sure how the SIC was established but I will proceed with the steps told by you. Please let me know if there is any more info I can give to...
  69. Change SIC Interface (Replies: 8, Views: 2,861)

    Hi

    We are using R60 in Cluster High Availability. It seems our SIC interface is not working properly as we see a ping response of 10000 to 20000 ms on it. We have decided to configure SIC on another...
  70. Re: Using VeriSign 3rd Party Certificate - problems due to Intermediate CA signin

    James

    Just check in the "Certificate Path" option of the certificate provided to you if you see the CA you trusted. If this is not the case then you have to check with Verizone.
  71. Re: functioning of vpn communities (Replies: 5, Views: 1,264)

    sebastan

    You should not reach the destination through two tunnels. E.g. if A, B, C are in a single mesh community and also B and C are in another VPN community, then from B to C there are more...
  72. Re: Site to Site won't initiate encryption (Replies: 10, Views: 8,094)

    Just try two more things:
    1. Reset the state on the Firewall as in: http://www.cpug.org/forums/vpns-virtual-private-networks/7908-gre-traffic-failing.html

    2. Select "One VPN Peer each pair of hosts"...
  73. Re: GRE traffic failing (Replies: 5, Views: 3,439)

    Yes we solved it. Checkpoint asked me to clear the state.
    Procedure:
    1. Do cpstop on the Smart Center Server and all firewall modules in the cluster simultaneously.
    2. Back up the content of state...
  74. Re: GRE traffic failing (Replies: 5, Views: 3,439)

    The Cisco router is not NATed. My fw is R55, the remote is R62. Both sides are PFS enabled as of now. We did a lot of changes to get this resolved. Now if I do fw monitor -p all, I see a packet from the GRE router at...
  75. Re: Find traffic between IPSO and Tracker (Replies: 5, Views: 2,769)

    Hi

    Can anybody send a resolution to this one? I am getting exactly the same.
  76. Re: GRE traffic failing (Replies: 5, Views: 3,439)

    Hi CCIE

    The scenario is similar to what you mention; instead of PIX we have Chkpt on both sides. I am not able to get the Cisco IOS version. In the error log I am getting Gateway is PFS enabled...
  77. GRE traffic failing (Replies: 5, Views: 3,439)

    Hi

    We have a VPN tunnel between 2 Chkpt FWs. My side is R55. All the traffic goes through well except GRE. Error: no valid SA. All configuration checked well. One more strange thing I see in...
  78. Re: SmartConsole unable to connect to the SmartCenter server

    Reboot Smart Center.
    Is the latest HFA on the server?
    Just try to connect SmartUpdate; that should work. Thereafter you can check the license.
  79. Re: detecting up/down interfaces in Secureplatform

    Hi All

    I just want to know if I can monitor the performance of any Checkpoint product (SPLAT) using SNMP. We have SolarWinds. In that I can see OID 1.3.6.1.4.1.2620 for Checkpoint. Does that mean...
  80. Re: HA Cluster problem - cluster members can't be active at same time

    Please check if it gets resolved by implementing the latest HFA for R62.
  81. Time synchronization (Replies: 1, Views: 1,656)

    Hi

    We are about to do a new setup with one Smart Center Server R65 and two Firewalls in a Cluster, R65. For current time configuration I need to know how to configure time sync using an NTP server....
  82. Re: Synchronisation Problem (Replies: 3, Views: 2,819)

    Hi daz306td

    Please check for 'mgha' on the Smart Center Server.

    1 10.0.0.1 100% active
    2 (local) 10.0.0.2 0% down

    'down' may indicate a cable issue.

    For my case I have registered some of...
  83. Re: multiple interfaces to serve as single external interface

    Hi All

    I got it. It's here http://www.cpug.org/forums/check-point-secureplatform-splat/1574-ethernet-bonding.html

    Thanks
  84. multiple interfaces to serve as single external interface

    Hi All

    Just curious to know, is there a way to put multiple interfaces of a single firewall under one IP, something called "teaming", to provide load balancing, or else so that even if an interface...
  85. Re: Block traffic forwaded to an another proxy (Replies: 2, Views: 2,971)

    You need a proper solution for URL filtering, e.g. Websense etc. Checkpoint itself does not provide in-depth URL-based filtering.
  86. Re: vpn-1 and home network (Replies: 5, Views: 2,448)

    Use an additional NATing device in the home network; NAT the printer to some IP that does not fall in the VPN domain. If there is no way out you may try that.
  87. Re: License installed but not working (Replies: 4, Views: 2,131)

    Hi

    I updated the system with the latest hotfix HFA06 and it's working fine now. Thanks to all.
  88. License installed but not working (Replies: 4, Views: 2,131)

    Hi

    I am using one of my production Smart Center Server licenses on my test lab machine, with all configuration the same except the host name and OS. My original server is SPLAT R60 whereas the test...
  89. Re: Site-to-Site - tunnel up but no app connections

    Did you see any failed traffic between the gateways? I mean Source Gateway (connection origination side) to Destination (connection termination side). If so please check
    ...
  90. MEP (Thread: MEP, by vijayant; Replies: 0, Views: 1,112)

    Hi

    I need to create a tunnel with my client having presence in Germany and the UK. We have an R60 cluster; the other end firewall is not known. We are required to create a tunnel in primary backup mode....
  91. Re: CLI for changing priority of gateways (Replies: 6, Views: 3,777)

    Thorpuse

    Sorry I could not test that way. It's in production; it needs multiple levels of approval. So isn't there any command etc. to check the state sync? CCP is default, so Multicast.
  92. Re: CLI for changing priority of gateways (Replies: 6, Views: 3,777)

    I am not sure about that, as the connectivity is already down and we reboot the primary... so no idea.

    I could not find the required command. Please tell me..
  93. Synchronisation Problem (Replies: 3, Views: 2,819)

    Failover takes place successfully.

    cphaprob state

    1 10.0.0.1 100% active
    2 (local) 10.0.0.2 0% down

    [Expert@MOON]# cphaprob -ia list...
  94. Re: CLI for changing priority of gateways (Replies: 6, Views: 3,777)

    Thorpuse

    It doesn't seem to be a cluster issue. Please check my previous post

    http://www.cpug.org/forums/miscellaneous/6634-connectivity-breaks-high-ping-response.html

    Also when we reboot...
  95. CLI for changing priority of gateways (Replies: 6, Views: 3,777)

    Hi

    We have a remote site with an R60 Cluster. At times it happens that the primary firewall misbehaves and we lose connectivity to the network behind that firewall. As it is not totally down, so...
  96. Re: Endian FW & CP 55AI (Replies: 2, Views: 1,703)

    Your Checkpoint is not expecting the subnet 192.168.120.0/24 from the interface it is coming from. Can you please check if the same subnet is defined at "IP Address behind the interface" on the internal...
  97. Re: Virtual Defragmentation error (Replies: 4, Views: 8,763)

    Is there some connectivity where the hosts can ping each other but can't transfer files?
    This may be an MTU issue; try decreasing the MTU on the source host or destination server, else

    SmartDefense > IP...
  98. Re: Why encrypt option in Desktop Sec Policy (Replies: 6, Views: 1,978)

    Thanks a lot napo..

    So does that mean Action > Encrypt is only required in the Inbound rule? Or will the outbound rule with Action > Encrypt take care of any traffic from/to the destination server....
  99. Re: X11 enforcement violation (Replies: 6, Views: 5,955)

    Hi Ray

    What to do if this traffic has to pass through the VPN?
  100. Re: Why encrypt option in Desktop Sec Policy (Replies: 6, Views: 1,978)

    Hi friends

    I am getting some insight but still confused.

    If I am putting a rule as:

    Source abc@any
    Destination Myftpserver
    Action Encrypt
Results 1 to 100 of 169