CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.




Type: Posts; User: RobertGraham


  1. Re: Smart Center Server replacement from R65 to R71.10

    My preference is to spin up the new server on the old version, import the data, and then upgrade that bad boy. I'm old fashioned that way...
  2. Replies
    11
    Views
    3,232

    Re: ?? Possible To Image a SPLAT System ??

    Those people would be wrong. The entire registry is recovered using the snapshot command, so any HFAs and HFs that have been installed prior to running the snapshot command will be "pre-installed"...
  3. Replies
    23
    Views
    5,532

    Re: USB-1 ABRA users - are there any?

    Can anyone provide a technical justification why only TCP and not UDP? I don't understand it.
  4. Professional Services Position at Check Point

    Check Point is searching for an engineer with solid customer-facing skills. My personal take on the situation is that the technical can be learned, and even though it states "Northeast," there's...
  5. Replies
    3
    Views
    2,065

    Re: Can you create a sub-forum for DLP?

    We also need one for Abra. The DLP would go under network security and the Abra would go under endpoint.

    Meanwhile, SSL Network Extender should probably be moved out of Endpoint and next to where...
  6. Replies
    19
    Views
    3,777

    Re: How do I get rid of the SSL warnings?

    No he's not - he's just a faker. Remember the Dread Pirate Roberts in the movie "Princess Bride?" If you recall the story, Westley was actually the third or fourth Dread Pirate Roberts. The Phoneboy...
  7. Replies
    4
    Views
    4,838

    Re: How to check for Checkpoint license?

    Yeah, -x shows the lic fingerprint for deletion etc. I was going to paste the admin guide details, but the forum system won't let me upload the png file.

    -p shows the primitives...
  8. Replies
    3
    Views
    1,942

    Re: How to check patches from command line!

    You need to go into expert mode and run the less command against the registry file. This will show all CP HFAs and HFs installed on the system. There's also an installation log file, but this isn't...
  9. Re: False positives on Adobe Reader JPEG2000 IPS protection

    Um...I'd go back and re-open this with a request for more detail. What's the justification and exactly what's the reasoning behind suggesting an RFE? This doesn't sound right to me.
  10. Replies
    4
    Views
    1,943

    Re: DNS-problem on utm-1

    Allowing the gateways outgoing access must precede your stealth rule. If you think about it, it makes sense. The gw sends out a packet and the last rule accepts it outgoing. Only, when the response...
  11. Replies
    17
    Views
    18,313

    Sticky: Re: How To: Enable SCP on a SPLAT Gateway

    That's my understanding as well. Thus, one would want to send feedback to CP on the SK named. It doesn't specify this detail.
  12. Replies
    19
    Views
    16,512

    Re: Difference between snapshot vs backup

    Agreed. This is a job for backup. If you were concerned about rebuilding the exact details of your log server, you would want to take a snapshot *before* it began receiving logs. After that, all you...
  13. Re: False positives on Adobe Reader JPEG2000 IPS protection

    I tried to see if there were details in the signature, but I couldn't locate the darned thing. Your best bet is to open a ticket. My expectation is that they'll be able to show you where your packet...
  14. Replies
    26
    Views
    5,776

    Re: About Spam and Advertising on this board

    If you don't frequent the cert topics, then yeah, it's fine. But, in the sample thread I listed there are posts from one day ago, one week ago, two weeks ago, etc. So, it's not all historical...
  15. Replies
    4
    Views
    3,069

    Re: CCSE+ R70?

    Shadow:

    Are you quite certain that the R70 CCSE exam covers the troubleshooting and debugging aspects in the R65 CCSE Plus? I looked at the CP website, and it doesn't look that way.
  16. Re: Unable to access SSL Websites using IE8 on Windows 7/Vista. XP works fine.

    Ray:

    Does this persist on R70?
  17. Re: False positives on Adobe Reader JPEG2000 IPS protection

    Agreed. Be careful that you don't just disable a protection, because it's flagging alerts that you wouldn't expect. I would highly recommend investigating it in more detail and if you have a current...
  18. Replies
    26
    Views
    5,776

    Re: About Spam and Advertising on this board

    So, I mistakenly reported one of these, "send me the dump" messages as spam. But, I have to say that I believe that these messages are too much noise to simply ignore. This thread is a good example:...
  19. Replies
    19
    Views
    16,512

    Re: Difference between snapshot vs backup

    Tried this on an appliance, and I can confirm that it works. I was using R65 and R70.20. Normally, this should work on an open server just the same, bugs notwithstanding.
  20. Re: I could use some help trying to get SSH and SCP working to a SecurePlatform box

    Have you tried the script?
  21. Please Be Diligent About Your Homework and Clarity

    Everyone:

    It's come to my attention that many folks haven't been following Barry's sticky, "how to ask questions the right way." The article is invaluable when it comes to posting here. Not...
  22. Re: I Recently Visited With Check Point in Tel Aviv

    Barry:

    Is there any reason that the highlights of cooperation between CPUG and Check Point Software Technologies Ltd can't be posted here for everyone to peruse?
  23. Re: Would a CPUG VMware Server Farm Be Useful?

    Wouldn't the auto-minimum end up being two VMs? One for the SMS and one for the SG? My employer should offer this to me too, BTW. I need to suggest this idea.
  24. Replies
    4
    Views
    2,410

    Re: GUI client error reasons /check list

    Your IP/port could be blocked by an intermediary device (firewall in the middle). Your GUI client might not have IP connectivity, your SMS (new name for SCS) may not have IP connectivity. The fwm's...
  25. Thread: SSL VPN

    by RobertGraham
    Replies
    1
    Views
    1,176

    Re: SSL VPN

    For now, all you can do is SNX on your UTM-1. This requires an extra lic. Check out the SSL Network Extender documentation for details.

    Very soon, you'll be able to enjoy complete on-gateway SSL...
  26. Replies
    67
    Views
    8,634

    Re: CPUG DB Issues?

    Was getting a lot of errors day before yesterday: "This thread doesn't exist." But, after clicking it again, it worked fine. Today, I haven't experienced that.
  27. Replies
    27
    Views
    4,861

    Re: R70.1 to R70.30 Upgrade woes

    Yes, this has been confirmed by Check Point's account services. As stated above, this is because there's no ability for the old lic to unlock new functionality that didn't exist in the NGX train. The...
  28. Re: I could use some help trying to get SSH and SCP working to a SecurePlatform box

    PS: Couple of things to be noted. This isn't really very secure, but it's fine for your lab env. Also, since I did create this for my own lab purposes, I wanted the pw for the scp_user to be the same...
  29. Re: High IOWAIT while installing policy on UTM -1 270

    Correct: Perf tests are done without on-box management. The original poster described on-box management, which I don't recommend.



    I'm not aware of any documentation that states these devices...
  30. Replies
    9
    Views
    3,060

    Re: How much mileage in CCSE Plus?

    This doesn't surprise me. The pool of CCSE+ certified people is simply too few to get that kind of visibility. It's not until a technically oriented hiring manager, *with CP knowledge*, sees your...
  31. Re: DOS(dDOS) , Connection limiting observing Smartdefense rules

    I would enable DoS monitoring under successive events and then hit the offenders with Suspicious Activity Monitoring to block them.
  32. Replies
    19
    Views
    16,512

    re: Difference between snapshot vs backup

    For disaster recovery (DR) purposes, I generally recommend to firewall teams that they use both assuming they aren't on appliances. It ends up looking like this:

    On date of birth (after...
  33. Replies
    17
    Views
    18,313

    Sticky: Re: How To: Enable SCP on a SPLAT Gateway

    Alienbaby:

    May I kindly suggest that you provide your feedback to this entry: sk30569?
  34. Replies
    17
    Views
    18,313

    Sticky: Re: How To: Enable SCP on a SPLAT Gateway

    restarting sshd is noted in the relevant SK. Thus, it may work without that. But, you don't want to try to open a ticket without doing that first.
  35. Re: Looking for UTM-1 & Power-1 CPU (cores, speed) information

    OK, I've not been checking the boards lately, so I'm late to chime in here. Cisco has been prone to dishing out some helpful hints packaged as something amazing called, "Best Practices."

    So, here...
  36. Replies
    27
    Views
    4,861

    Re: R70.1 to R70.30 Upgrade woes

    OK, so I was misinformed. I had been told by a supposedly reliable source that cp.macro would be gutted and it wouldn't be possible to apply NGX strings on anything R70.1 and newer.

    However, this...
  37. Re: I could use some help trying to get SSH and SCP working to a SecurePlatform box

    Firstly, it can't be a firewall or traffic issue, because you're getting an error msg from the app layer (SSHD) saying "access denied."

    Managing the scp thing is tricky because of the way the...
  38. Replies
    27
    Views
    4,861

    Re: R70.1 to R70.30 Upgrade woes

    Did you say you're running R70.30 on an NGX lic string?
  39. Replies
    3
    Views
    2,510

    Re: Exam in 7 days

    What happened ferdy? Did you pass? I'm sitting here on pins and needles.
  40. Replies
    9
    Views
    3,060

    Re: How much mileage in CCSE Plus?

    I would say that if you're serious about being a Check Point Engineer, go ahead and knock out the CCSE Plus next. It's good stuff, and I think that you could actually use it to differentiate yourself...
  41. Replies
    4
    Views
    3,069

    Re: CCSE+ R70?

    Usharted:

    First, let me just compliment you on your stellar username.

    Anyway, my take on this is: it's a very nuts and bolts oriented exam. This stuff doesn't change a whole heck of a lot. I...
  42. Re: High IOWAIT while installing policy on UTM -1 270

    Licensing practices and pricing aside - I'm wearing my engineer hat right now and sitting at my engineer's workstation, which has had the $ removed from the 4 key - I highly recommend a distributed...
  43. Replies
    8
    Views
    1,475

    Re: Congrats to Check Point !

    Agreed. Super h4x0r style advanced search for those of us who like to sort, filter, and sift like it's going out of style would be pretty slick. I even tried the old-skool "go directly to the old URL...
  44. Re: Connectra && AD integration, show only permitted apps

    I think your only real option is to define an "Alternate portal." You didn't specify, so I'll default to Connectra R66. You'll find this under More | Portal | Alternative Portal.

    You basically...
  45. Even Experienced Check Point admins get 71%

    Yep, my peers can make fun of me all they want, there's no denying that I got a lame score on this exam today!

    As bad as I am at passing these standardized tests, I'm quite good at actually CP...
  46. Replies
    0
    Views
    1,145

    Cross-section of questions available?

    Hi: In 2007, Barry posted this quote in another category/thread, which I presume came from an E-mail in his inbox sent by a Check Point employee under the heading of a friendly warning: Notice the...
  47. Replies
    1
    Views
    3,381

    Accept all encrypted traffic

    On page 369 of the courseware, it specifically notes this check box, saying:

    "If the Accept all encrypted traffic box is checked, the system automatically creates a rule allowing encrypted...
  48. User Group Meeting at Check Point in Redwood City, CA

    Not sure if this is the proper heading, but it's the best I could find.

    So, this is late notice, but a User Group Meeting is being held 19 Jan 2010 from 3-5 local time. It's free and is a very...
  49. Re: What's the impact of NOT renewing my annual support?

    Um...guys...I think you're overlooking the fact that some of us engineers are for-hire guns. I mean, there are probably plenty of talented Check Point engineers who would be interested in someone who...
  50. Re: Looking for SEs in Atlanta, Redwood City

    Confirmed. RWC spot has been filled and is no longer vacant. NJ is searching though. Msg me if you are in the Philly area and are looking to become a Check Point SE.
  51. Replies
    7
    Views
    3,864

    Re: How to Configure OSPF in UTM-1 1070

    Good catch, glad you fixed it.
  52. Replies
    7
    Views
    3,864

    Re: How to Configure OSPF in UTM-1 1070

    Please post the relevant show ip ospf outputs. One thing that can get tricky is that you have to specifically define the area as you've done on the CHKP side on the Cisco side.

    I don't have the...
  53. Replies
    4
    Views
    1,456

    Re: CPU problems

    Let's all praise this wonderful command known as vmstat. :-)
  54. Replies
    1
    Views
    1,290

    Re: VSX NGX R65 and Security Servers

    Mario:

    Sorry, but for the R65 release of VSX, security servers aren't supported. Page 19 of the relnotes states that this is excluded from support.

    -Robert

  55. Re: Site-to-Site VPN with phase 1 authentication using Certificates??

    This is from the R65 VPN guide, page 64:

    Trusting An External CA
    A trust relationship is a crucial prerequisite for establishing a VPN tunnel. However,
    a trust relationship is possible only if...
  56. Replies
    4
    Views
    1,456

    Re: CPU problems

    There are a couple of known memory leaks in R55 prior to HFA15 and R65 prior to HFA40. You probably ought to run R65HFA50 or better though.

    I would ask for vmstat output. Something like vmstat 1 5...
  57. Re: Looking for SEs in Atlanta, Redwood City

    RWC spot has been filled to the best of my knowledge.

    -Robert
  58. Re: What's the impact of NOT renewing my annual support?

    Overall your risk is minimal. Here are the potential scenarios for which you have no way out other than to pay sync fees:

    You have a difficult issue that no one on CPUG can help you with, and the...
  59. Replies
    4
    Views
    2,672

    Re: OSPF: Block Default Route

    Wouldn't this be what you're looking for?

    match ip address access-list

    It's described on page 1196 of the CheckPoint_R65_SecurePlatformPro_Adv_Routing_Suite_CLI.pdf.
  60. Re: multiple webservers one external ip address

    I gotta side with Thorpuse on this one. What you would normally do is virtual hosting, it's an app layer (well I guess really OSI session layer) solution.

    You mention your web server is IIS (my...
  61. Replies
    5
    Views
    2,158

    Re: Automatically update IPS??

    Ahem, ahem....duly noted.

    It looks like I mixed up my product lines. :-/ This is possible in IPS-1, but not IPS. Sorry for the confusion. I will check to see if there's a CLI option to...
  62. Replies
    2
    Views
    2,272

    Re: About This New CCLE Forum

    It would never work. No one would ever be able to pass the exam. ;-)
  63. Re: How to Convert R65 to R65 Messaging suite

    CORRECTION: It is *not* necessary to perform a fresh installation of R65 with Messaging Security (aka HFA25) and then apply HFA30 on top of that in order to get MS.

    If you already have R65_HFA30...
  64. Replies
    5
    Views
    2,158

    Re: Automatically update IPS??

    Great news! You don't need to file an RFE.

    All you have to do is go to the Follow-up page under the IPS tab and uncheck the box titled, "Mark newly downloaded protections for follow-up" and you...
  65. Replies
    1
    Views
    2,366

    Re: Are there any data of 156-515.65??

    Contact your reseller for the ATRG and read that. It should help you. Visit the SK, and look at the top ten solutions. You'll want to know these too.
  66. Replies
    7
    Views
    4,245

    Re: CCSE+ Queries

    The proper name for the ATRG is actually: Advanced Technical Reference Guide. See the original thread in the Miscellaneous directory for more information.
  67. Replies
    2
    Views
    1,692

    Re: NGX: Advanced Technical Ref. Guide

    Please see the original ATRG thread for more details.
  68. Re: What is the Advanced Technical Reference Guide?

    Please note, Check Point has updated the ATRG version and the SecureKnowledge article related to it. For details on the NGX version of the ATRG, please see sk31221 in the Check Point support database.
  69. Replies
    6
    Views
    3,414

    Re: diffserv markings on floodgate

    Hi:

    Not sure I understand you guys properly, but it sounds like you're asking how is Diffserv implemented at the packet level.

    Here's the description direct from the online help:

    What is...
  70. Replies
    5
    Views
    2,873

    Re: IKE DOS Protection

    OK, so I read through the online help and this is my opinion:

    1. In the real world, use stateless for both. Puzzles for the unidentified would definitely mean a performance hit, which is contrary...
  71. Re: Accelerated CCSE NGX R65 Exam (156-915.65)

    One interesting thing is, if you look at the syllabus, found here:

    Check Point Software: Exam: 156-915.1

    You'll notice there's no mention of QoS. However, if you look at the syllabus for the...
  72. Replies
    4
    Views
    2,709

    Re: Site2Site VPN problems

    I agree with dantro; I would run vpn debug ikeon and then look in $FWDIR/log/ike.elg to see what's going on.

    If you open an SR# with Check Point, that is something they will anyway...
  73. Replies
    3
    Views
    1,649

    Re: Disable SmartDefense

    What version do you refer to Woody? Normally, you would disable all the protections in the appropriate Protection Profile and apply that to the gateway needed, assuming you have R62 or greater.
  74. Replies
    14
    Views
    6,806

    Re: IPS-1 on VMware

    Works now though, but the software is still early availability only. It should release soon though, so stay tuned...

    PS: VMware isn't for setting up actual sensors, it's just for lab use etc. If...
  75. Replies
    2
    Views
    1,062

    Re: User Auth with site to site VPN.

    Good call, mcnallym. You could put Connectra inside the network on the end of the VPN tunnel and have users go through that. It would be SSL over IPsec, but at least you'd have the access control...
  76. Replies
    23
    Views
    8,523

    Re: I have just Passed CCSE+

    That's good to know. I need to make my "bones" as well. CCSA is like an initiation. Once you're in the club, it's easy. :-)
  77. Replies
    4
    Views
    1,723

    Re: http user auth does not work

    Is this on SPLAT? If so, are there any OS logs that show anything valuable?

    What HFA is this?

    Otherwise, I'd try doing a tcpdump to see what's going over the wire. Do binary output and open it...
  78. Replies
    4
    Views
    1,723

    Re: http user auth does not work

    Try resetting the user's password and re-pushing the policy.
  79. Replies
    4
    Views
    2,680

    Re: CP Backup and restore documentation....

    see my response to your other post.
  80. Replies
    4
    Views
    6,144

    Re: SPLAT Backup or Snapshot ??

    Backup is for the configuration files, snapshot is a complete image of the whole platform.

    Here's the description of snapshot from the PDF:

    Commands to take a snapshot of the entire system and...
  81. Replies
    8
    Views
    3,197

    Re: FTP backup script

    SSHD is installed by default on every linux flavor I've ever touched. The OS and software are both free of any licensing fees whatsoever. It's pretty easy to setup and get going and best of all it...
  82. Re: Change the hostname on Checkpoint gateway

    Don't forget to make sure the host's file gets changed properly. The new hostname should point to the same IP.
  83. Replies
    9
    Views
    2,595

    Re: Where are client log ?

    Oh goodie, that must be new. A little more than a year ago, I was speaking with an escalation eng about this. He made no mention of such a tool, so I can only conclude that it didn't yet exist.
  84. Replies
    4
    Views
    2,148

    Re: Installing CP Manager on Solaris 10

    Pluto:

    Let's get our terms right here. Do you mean:


    The Solaris motif based GUI; or,
    SmartCenter for Solaris?


    The motif based GUI doesn't require any special partitioning because it's...
  85. Replies
    4
    Views
    2,713

    Re: Backup Methods and using SCP

    You can do a backup without making these changes. However, as soon as you want to be able to move the backup file off the SPLAT box, you need a way to "download" them.

    You should pick up this...
  86. Replies
    8
    Views
    3,312

    Re: VPN Tunnel Utility - Bug?

    It's confirmed, this is the SK #sk33393. Check Point Support offers a HotFix to resolve this issue. You need to open a ticket to get it.
  87. Replies
    9
    Views
    2,595

    Re: Where are client log ?

    Clarification, there are some files that you can delete without issue. I think the internet log is one of them. You need to test it out. A couple others I was able to delete by renaming them and...
  88. Replies
    7
    Views
    5,853

    Re: Recovery pre-shared secrets

    That's a good observation. This means it can't be a hash. My first guess would be that it uses its private key from the internal CA to encrypt/decrypt the secret. But, this is just conjecture, so...
  89. Replies
    3
    Views
    1,483

    Re: Problem with site to site VPN

    Do an IKE debug, post it, and I'll take a look. Don't forget to post version/platform info on both gateways.
  90. Replies
    8
    Views
    3,312

    Re: VPN Tunnel Utility - Bug?

    I'm running R65 HFA01 in the lab. I'll test this later and post the results.
  91. Replies
    2
    Views
    2,493

    Re: Please de-mystify SSH for me

    For DSA keys, authorized_keys2 is the file you're interested in.

    Redo this walk through step for step and test again:
    Howto Linux / UNIX setup SSH with DSA public key authentication (password less...
  92. Replies
    16
    Views
    8,221

    Re: Can't connect to FW with SmartDashboard

    When you unload the policy, you can ping the CheckPoint system, but you can't login?

    Have you set the clocks? Sometimes this interferes with the certificate. Check to make sure both the server and...
  93. Replies
    4
    Views
    2,713

    Re: Backup Methods and using SCP

    SPLAT has an SSHD server included, this supports SCP (copy over SSH). It's locked down though, so you have to create the file /etc/scpusers. Here's the SK: sk26258.

    You have to watch out though,...
  94. Replies
    3
    Views
    2,071

    Re: Eventia with Provider-1 (R65)

    You don't need to do that here. This is for older versions only. It should be possible to configure all of this right in the GUI.

    You write:

    when I try to view Eventia reporter through Global...
  95. Replies
    7
    Views
    5,853

    Re: Recovery pre-shared secrets

    This should be a hashed value. If this is the case, there's no way to recover it. You could try copying the text and editing the same file on the running device. This probably won't work though. (If...
  96. Replies
    12
    Views
    4,675

    Re: Need CCSE+ Tk/at/p4sure-any version

    Go to SecureKnowledge and on the left sidebar, there's a heading for "Top Solutions."

    These are the 10 most looked at or used or whatever solutions in the database. These 10 solutions also acct...
  97. Replies
    12
    Views
    4,675

    Re: Need CCSE+ Tk/at/p4sure-any version

    The best thing to do is use the current courseware and the Top 10 solutions from SK. I haven't taken it yet, but the people I know who have didn't use any "cheat sheets" or dumps or whatever.
  98. Replies
    9
    Views
    2,299

    Re: splat or windows

    The windows OS also has a lot of overhead that SPLAT doesn't. Therefore, you're almost guaranteed to get better performance on SPLAT. You can try to tune the Windows box to be a little bit slimmer,...
  99. Replies
    3
    Views
    2,377

    Re: Failed CCSE Today

    Read the CLI Reference PDF and practice the most common stuff in a lab env. You really should know how to fetch a policy from the gateway and how to clear VPN SAs using the CLI.

    Actually, I think...
  100. Replies
    9
    Views
    6,178

    Re: Provider-1 NGX example questions

    I have a feeling that the post about reading the SKs is absolutely money. If you do anything suggested in this forum, do that.
Results 1 to 100 of 274