CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.



Type: Posts; User: David.Baldwin


  1. Replies
    4
    Views
    2,065

    De-Introduction

    After an extensive bake off and requirements gathering the CISO has overridden his own staff and the Network Team and has chosen PaloAlto to replace all firewalls.

    This board has provided me with...
  2. Replies
    14
    Views
    2,863

    Recommendations for upgrade

    Current environment

    Platform: GAIA, Open Systems (HP Servers)
    Management: r77.20 (Separate Log, Management, SmartEvent, SmartReporter and Management HA servers). No Provider 1 (or whatever they...
  3. Re: Smart 1-205 Policy installation takes too long

    Agreed. This is why we run only on open server for management and gateways. If Checkpoint ever stops supporting open servers I will have a difficult time justifying the cost of CP appliances to ...
  4. Re: Check Point response to Leap Second introduced in UTC on 30 June 2015

    I was unable to get a maintenance window in time to disable NTP prior to the Leap Second (management waffling). So I logged into all my Checkpoint boxes at 1205 to make sure everything was still...
  5. Re: Identifying protections that are causing high CPU utilization

    Your Bond and the switch need to agree on how traffic will be sent to which port (hashing method).

    In Cisco the commands look like this:

    IOSswitch#show etherchannel load-balance
    EtherChannel...
  6. Re: One of our own has just been published!

    I ordered mine from Amazon US on April 9th and it arrived today.

    Caveat: I have Amazon Prime.
  7. Re: One of our own has just been published!

    I am looking forward to my copy arriving on Tuesday (my older eyes prefer paper books to digital readers).
  8. Replies
    11
    Views
    5,686

    Re: R77.30

    I was just looking for the sk. Thanks for pointing that out.

    I see it as well in the User Center.
  9. Replies
    11
    Views
    5,686

    Re: R77.30

    I heard that r77.30 went EA today from my Sales Engineer. Secure Knowledge doesn't seem to reflect that but it might be I don't have permissions to see such things.
  10. Jumbo Hotfix Accumulator (install or not to install, that is the question).

    General question:
    During an upgrade is it best practice to install the current Jumbo Hotfix Accumulator for a given release?


    Specific Situation:

    Environment:
    All enforcement points and...
  11. Replies
    11
    Views
    7,065

    Re: DAservice

    sk98228
    Has the latest build for DAService (which is 627)

    A fresh install of r77.10 showed a build of 553 for DAService.

    I did not see the CPU issue but a around 2000 plugin-upgrade-matcher*...
  12. Replies
    24
    Views
    25,651

    Sticky: Re: Welcome back!

    I am heartened to see CPUG back online!! This site and its members have been an invaluable resource in resolving Checkpoint issues and getting a deep dive into the technical guts.

    Right now...
  13. Replies
    20
    Views
    22,334

    Re: Check Point vs. Everyone

    Apologies in advance for the poor formatting. I am rushing to get everything done today prior to getting spine injections tomorrow.

    Environment:
    2 node cluster (ClusterXL)
    GAIA
    R77.10 -...
  14. Replies
    20
    Views
    22,334

    Re: Check Point vs. Everyone

    I have value 2 set on a test cluster (r77.10 GAIA on open platform). So far I'm not impressed but I'm going to reserve judgement until I can devote a few hours to this. I'll post the results if...
  15. Re: Are any Check Point products affected by heartbleed bug?

    Check sk100173: Check Point response to OpenSSL vulnerability (CVE-2014-0160)
  16. Replies
    2
    Views
    1,041

    Re: Design question - DMZ vlan

    Splat or GAIA ??
  17. Re: How to disable TCP timestamp response value in checkpoint firewall

    According to sk62700:



    Nothing is mentioned of a reboot being required.
  18. Re: Difference between Checkpoint Eventia/Cisco MARS/Juniper STRM and Arcsight/Envis

    Cisco MARS is a dead tool: http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5739/ps6241/prod_end-of-life_notice0900aecd807189ef.html
  19. Re: Reg: Response from server (return traffic) is denied in Cleanup rule.

    I was wondering the same thing.

    In the meantime I found this site KLOTH.NET - Convert and locate IP addresses

    It will go IP -> hex and hex -> IP.

    Hope it helps.
  20. Re: SYNC Interface Priority (LAN2 over eth3-01)

    I was just reading this the other day, perhaps this:

    From the r75.4 ClusterXL documentation:
  21. Replies
    8
    Views
    2,602

    Re: SecureXL is evil !!!!

    The sk says SecureXL or IPS not just the first one.

    I'll be watching my memory use extra close now. I can shut off SecureXL without issue but I need IPS for PCI compliance issues... crap.
  22. Re: Need some Suggestion about Vmalloc size

    I'm not having the issue the OP stated. I am getting ready to do a bunch of upgrades on some hard-to-get-downtime systems and was looking to combine as many preventive items (that require a reboot)...
  23. Re: Need some Suggestion about Vmalloc size

    I was doing some research on VMALLOC and GAIA and came across this thread. I went to the CP Support Website to verify the 1GB VMALLOC. sk90043 says if the device is in 64-bit mode then the VMALLOC...
  24. Re: SmartUpdate Not Showing Correct Version Info

    sk92943 perhaps??
  25. Replies
    3
    Views
    1,679

    Re: GAIA 64-bit on Proliant DL380 G7

    We are polling 1.3.6.1.4.1.2620.1.6.7.7.1.1.6 for the RAID status on our HP Proliant G6 & 7s without issue. It even found a failed drive over the weekend!

    The above OID will return Raid state:...
  26. Replies
    6
    Views
    2,422

    Re: Migrating from SPLAT to GAIA

    If you plan on using 64-bit mode and clustering here's an issue we ran into the other day.

    One cluster member was moved to 64-bit and the other one (due to human error) was not. When the...
  27. Replies
    16
    Views
    6,610

    Re: Check Point R76

    From the link:


    A quick look through the documentation package and release notes did not turn up anything about Netflow.

    Where might I find out more info??
  28. Re: How to write rules for access to internet but not to dmz

    Slide 35 at the bottom from the PowerPoint you linked.

    The author of this presentation is Pierre Lamy. Since he frequents Checkpoint forums perhaps a further explanation directly from him would...
  29. Re: How to write rules for access to internet but not to dmz

    Internal_Networks to DMZ Drop
    Internal_Networks to !(PrivateIPRange) Accept <Negate on the Private IP Range group>

    This would specifically deny the traffic to the DMZ and allow Internet...
  30. Replies
    82
    Views
    27,386

    Re: Project Gaia

    I just created a WEBUI user called "test" with a password of K_((01!!@#44 and it worked fine.

    However, when I tried to change the password to _((01!!@#44K12 it would not work.

    Looks like...
  31. Replies
    5
    Views
    1,092

    Re: Connection to Firewall impossible

    Interesting.

    We had to uninstall SEP Threat Protection to solve a vexing issue where Windows 7 PC's would randomly disconnect from the network.
  32. Re: Error "snmpd[27733]: No page line in /proc/stat"

    An older one that has the above problem :(.

    I had to open a support ticket to get updated snmpd (5.3.1) and everything is fine now.
  33. Replies
    18
    Views
    5,316

    Please not Java!!! Checkpoint if you are...

    Please not Java!!!

    Checkpoint if you are listening: No Java.

    After dealing with Cisco's crappy management software (and having issues with them) please don't go that route.


    ---
    I am...
  34. I'm currently running R71.3 (management server on...

    I'm currently running R71.3 (management server on SPLAT) and I have the same update issue.
  35. Replies
    2
    Views
    1,798

    Re: DAYLIGHT Saving time...on EDGE X?

    http://www.cpug.org/forums/check-point-secureplatform-splat/13266-issue-ntp-synchronization.html

    Post #7 has an excellent explanation of how to fix this (I used it myself yesterday).
  36. Replies
    10
    Views
    9,716

    Re: Splat, bonded interfaces and VLANs

    Is the clustering Active-Active ??

    I've found through testing that Active-Standby gave better throughput than Active-Active.

    (Attached file best viewed with Wordpad)
  37. Replies
    7
    Views
    21,257

    Sticky: Re: How To Enable SNMP on SPLAT

    Big Time did this help!!

    Just to let you know I am plagiarizing this post into my own docs. This is making my Solarwinds monitoring of my SPLAT boxes much easier.

    BTW: Your royalty check is...
  38. Replies
    2
    Views
    2,126

    Re: SPLAT R71.2: Bonding and anti-spoofing

    Thanks. I figured the same thing but wanted to verify before starting the production deployment (which is still going to be in July of this year).
  39. Replies
    10
    Views
    9,716

    Re: Splat, bonded interfaces and VLANs

    The closest thing I have is a Cisco 6509 and 2 SPLAT boxes running R71.2. This bond has been up for 3 weeks and I haven't had an issue yet with it.

    Here's the Cisco config for the port channel:
    ...
  40. Replies
    2
    Views
    2,126

    SPLAT R71.2: Bonding and anti-spoofing

    I have a lab setup with 2 10Gb NIC's bonded on a cluster. The Bond is subdivided into 2 VLAN's. I have setup anti-spoofing on the 2 VLAN'd interfaces and policy pushes work without error.
    ...
  41. Replies
    6
    Views
    3,143

    Re: ClusterXL and bandwidth degradation

    In my recent testing I have found that on SPLAT (R71.2) Active/Active clustering stops Jumbo Frames from passing but they work just fine with Active/Passive.

    nomadata: Have the server folks put the...
  42. Replies
    13
    Views
    4,741

    Re: Geo Protection in R70.30 not updating

    https://forums.checkpoint.com/forums/thread.jspa?threadID=11594&tstart=0&start=15
  43. Re: Need review from customers on GEO Protection.

    Update:

    I upgraded my enforcement points today to R71.2 from R70.3.

    I am still not using a proxy.

    The //opt/CPsuite-R71/fw1/tmp/geo_location_tmp/updates/IpToCountry.csv
    now shows version...
  44. Replies
    1
    Views
    2,025

    DNS Inspection

    We are looking at using the CP IPS (R71.2 SPLAT) to reduce the number of bad DNS queries that make it to the DNS server.

    I have turned on the Inbound DNS Requests to detect and have created...
  45. Re: R75 as usual NICs speed and duplex do not like WebUI and/or eth_set command

    You mean you're a Checkpoint plumber ?? ;)
  46. Re: Need review from customers on GEO Protection.

    Hmm.

    Is there a way to force the update of the IpToCountry.csv file ??

    I have a R71.2 gateway in the lab I want to test with and verify if this bug is fixed or not.
  47. Re: Need review from customers on GEO Protection.

    Have you gotten any word from Checkpoint on this Ray ??

    Also, how did manually updating the file go ??
  48. Replies
    3
    Views
    2,514

    Re: Jumbo Ethernet Frames

    Since I have new production gear that needs testing with jumbo frames I'll post up the results when we are done.
  49. Replies
    3
    Views
    2,514

    Jumbo Ethernet Frames

    I see sk51600 says that jumbo frames are supported on Power-1 appliances since R71 and Open Servers "may work".

    So the question is this: Is anyone using Jumbo Frames either in test labs or...
  50. Replies
    4
    Views
    1,726

    Re: Debugging packets

    I thought you could see packets from tcpdump but not fwmonitor when using SecureXL??
  51. Replies
    6
    Views
    2,597

    Re: UTM appliances VS home built hardware

    Given the current firewall throughput and expected growth CP recommended a 9075 but we are opting, at the moment, to go with the 11065. This gives us growth headroom while more than meeting our...
  52. Replies
    6
    Views
    2,597

    Re: UTM appliances VS home built hardware

    Thanks.

    This pretty much mirrors my take on the matter.
  53. Replies
    6
    Views
    2,597

    UTM appliances VS home built hardware

    We are in the process of replacing our Datacenter firewalls (currently Cisco FWSMs). Checkpoint is in the mix as a possible replacement.

    After meeting with Checkpoint and seeing the cost of the...
  54. Replies
    8
    Views
    2,261

    Re: Packet Dropping during policy push

    I was thinking more in the Batman genre: "atomic batteries to power turbines to speed"

    ;)
  55. Replies
    8
    Views
    2,261

    Re: Packet Dropping during policy push

    The CCIE in question is a Cisco employee (Sales Engineer) and I have already contacted his management chain.

    I want to give Cisco a chance to deal with this.
  56. Replies
    8
    Views
    2,261

    Packet Dropping during policy push

    We had a consultant in today to discuss replacing our Cisco Firewall Services Modules (internal Datacenter firewall) and we are considering Checkpoint appliances.

    He says that all versions of...
  57. Replies
    6
    Views
    4,266

    Re: Error messages in /var/log/messages

    Hmm. Over the weekend the messages stopped. I do note that an IPS update happened on 9/1.

    Thanks for all of the suggestions!!

    Hate it when stuff just starts working....
  58. Replies
    6
    Views
    4,266

    Re: Error messages in /var/log/messages

    I have a few (very few) IPS rules that capture packets.

    Your question sounds ominous... ;-)
  59. Replies
    6
    Views
    4,266

    Error messages in /var/log/messages

    Environment:

    SPLAT
    FW VER
    This is Check Point VPN-1(TM) & FireWall-1(R) R70.30 - Build 008
    Clustered in HA mode (multicast)

    cphaprob stat
    Cluster Mode: New High Availability (Primary Up)
  60. Replies
    1
    Views
    1,131

    Eventia Report for IP location

    I would like to build a report that would show me incoming/outgoing traffic by source/destination country.

    Is this possible with Eventia Reporter/Analyzer/Whatever CP is calling the product today??
  61. Re: Eventia Reporter (R70.3) database maintenance issue

    Thank you.

    I have contacted my account rep and we'll go from there.
  62. Eventia Reporter (R70.3) database maintenance issue

    SVRServer.log

    [24 Aug 15:54:39][SVRServer] Database operation failed with error code 1.

    GUI Error:

    Failed to delete records from table 'SEAM_EVENTS'

    My limited access to CP's knowledge...
  63. Replies
    17
    Views
    5,015

    Re: StormAgentMsg: Failed to access URL

    Thanks for the info.

    Seems like geo protection is looking more and more appealing.
  64. Replies
    17
    Views
    5,015

    Re: StormAgentMsg: Failed to access URL

    dynamic_objects -l

    object name : CPDShield
    range 0 : 0.0.0.1 0.0.0.1

    Operation completed successfully

    stormd.elg

    Aug 16:28:58][CPDShield] Data has expired. Clearing defined ranges...
  65. Replies
    5
    Views
    3,325

    Re: Licensing issue.

    I called Accounts Services and they explained it to me.

    /sarcasm

    What a dope I am for not understanding Checkpoint licensing!!

    /end sarcasm
  66. Replies
    5
    Views
    3,325

    Licensing issue.

    Environment
    All SPLAT R70.3 on HP Hardware

    2 Management servers in Management HA (using central licensing)

    4 Gateways in 2 Clusters in High Availability

    I downloaded all my licenses into to...
  67. Replies
    3
    Views
    2,438

    Eventia database issues

    Environment:
    Distributed (1 HA cluster, 2 Management servers HA, 1 Eventia Reporter).
    All SPLAT at NGX R70.3

    Log Consolidator on Eventia appears to work however in SVRServer.log I see the...
  68. Replies
    9
    Views
    2,162

    Re: Cluster DNS resolution issue

    Hmm. I just did some more looking and found sk41467.

    I could not find the option mentioned in the knowledge base article so I put in a manual NAT rule instead.

    DNS now works like a charm on...
  69. Replies
    9
    Views
    2,162

    Re: Cluster DNS resolution issue

    Bump.

    I am seeing the same issue with a brand new R70.1 SPLAT cluster. I can resolve DNS names on the active node but not on the standby node.
  70. Thread: Hello

    by David.Baldwin
    Replies
    1
    Views
    1,935

    Hello

    I have been working with CheckPoint products for about 8 years now and have been doing networking for 11. I work for a dental insurance carrier in Michigan. I find myself asking more questions...
Results 1 to 70 of 70