CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.


Tim Hall has done it again! He has just released the 2nd edition of "Max Power".
Rather than get into details here, I urge you to check out this announcement post.
It's a massive upgrade, and well worth checking out. -E

 

Search:

Type: Posts; User: pat13b

Page 1 of 3 1 2 3

Search: Search took 0.01 seconds.

  1. Re: Tenable Scan opening ports dynamically on GW

    Thanks again.

    I do have both of your books. Very good reading. I'll have another look.
    Clearly these appliances are not the same although we cannot find any differences among them and giving...
  2. Re: Tenable Scan opening ports dynamically on GW

    Thanks for the responses. Yes I agree about not allowing "any" from the scan networks but We lost that argument.
    The PCI auditors have full access for their scanners to scan all the gateways and...
  3. Re: Tenable Scan opening ports dynamically on GW

    I just noticed that the ports on the 2 gateways are a little different between the gateways, but still get tagged as "SMTP Server Non-standard Port Detection back door vulnerabilities"

    -pat
  4. Re: Tenable Scan opening ports dynamically on GW

    Thanks for the response. The ports that are opened up and start listening when doing a netstat are: 35723,36873,41251,44422,45674,45960,47735,49595,51232,54766,56675,58281,60627,64168

    We have all...
  5. Tenable Scan opening ports dynamically on GW

    Tenable Scan will dynamically open up various ports "SMTP Server Non-standard Port Detection" only on 2 out of the 16 gateways in our production environment. So far it has only happened on the...
  6. Re: Smartprovisioning being used for large rollouts ?

    Thanks for the info and the SK. Very much appreciated.

    -pat
  7. Smartprovisioning being used for large rollouts ?

    Hello;
    We are faced with rolling out a few hundred gateways. They have not been purchased yet but they will most likely be full Gaia devices not the embedded ones. We are at R77.30 at the moment...
  8. Replies
    9
    Views
    2,485

    Re: Database Revision Ques

    Thanks again. Was just looking into the difference between r77.x and r80 policy revision stuff because that question did come up in a meeting a little while ago.

    Much appreciated.

    -pat
  9. Replies
    9
    Views
    2,485

    Re: Database Revision Ques

    Great thanks very much for the clarification on the DB revision, and the info on R80. We are starting to lab up R80.
  10. Replies
    9
    Views
    2,485

    Database Revision Ques

    Hello;

    We have multiple policies on a single smartcenter. When we take a database revision before a policy push; are we backing up ALL policies on this smartcenter?

    I would think that we are...
  11. Replies
    13
    Views
    5,617

    Re: CPUG MERGE event updates

    I also attended via web. As mentioned some technical problems and questions via chat did not seem to work / were not seen. Over all very good and looking forward to more of these.

    -pat
  12. Replies
    5
    Views
    3,545

    Re: Smart Console on Ubuntu or Vmware ??

    Thank You both. When I get back from vaca I'll be taking a crash course in Vmware.

    Thanks
    -pat
  13. Replies
    5
    Views
    3,545

    Re: Smart Console on Ubuntu or Vmware ??

    Thanks very much for the info. I'll look into Vmware again. I started down that road but there were so many options to choose in Vmware I ended up with Ubuntu.

    Thanks again.
  14. Replies
    5
    Views
    3,545

    Smart Console on Ubuntu or Vmware ??

    Hello;

    I'm trying to put together a lab jump server with R77.30 Smartconsole installed. I have installed 64bit Ubuntu and Wine on a Dell 2950 but SmartConsole won't install.

    Is anyone doing...
  15. Re: Can't login to Checkpoint Management Server GUI thoruh Smartdashboard

    Maybe SK100507 ?

    Seems to cover allot of these types of problems.

    -pat
  16. Re: No Smart Console login possible after mds_restore

    This happened to us after a restore. This fixed the problem. Clearing GUI Cache. sk100507

    -pat13b
  17. Replies
    6
    Views
    3,249

    Re: RADIUS Accounting with Aruba Wireless

    I did NOT see sk104958 !!! This does look promising...So they did get together on this. We just weren't updated I guess.

    Thanks for the info !!!

    -pat
  18. Replies
    6
    Views
    3,249

    Re: RADIUS Accounting with Aruba Wireless

    Thanks for the info. I have seen some of this. I don't think Check Point and Aruba have a very good working relationship. At least this is what we see from a Customer perspective.
    We were...
  19. Re: One of our own has just been published!

    Just got my book the other day. Very nice !! Put together very well. Two thumbs up...
  20. Replies
    3
    Views
    2,878

    Re: NGSE GAed + No security updates

    We did a demo of this and quickly figured out we could not put exceptions in for Geo protections.
    Hoping they fix that eventually. Other than what you had mentioned about the lack of canned...
  21. Re: One of our own has just been published!

    Thanks for the updates. That might be the difference. I do not have the Amazon Prime.

    -pat
  22. Re: One of our own has just been published!

    That's great. I'm looking forward to it. I just thought it was strange that the order hasn't moved in about a week. I ordered through Amazon US. I'll give it another day or so and contact them if...
  23. Re: One of our own has just been published!

    Does anyone know if this book is in stock? I ordered from Amazon last week and it hasn't shipped yet. Typically they ship the same day or very next day.

    -pat
  24. Re: Using Identity Awareness with NAT between CMA & Domain Controllers

    We were not successfull in getting this to work. It's buried in the pdf that IA AD query does not work with NAT. So we moved one of AD servers into a DMZ off the Check Point without NAT.
    The...
  25. Re: Application Control / URL Filtering Bandwidth alerting?

    I think you would need to get specific with the rule. Again I have not used this bandwidth in any of my policies but I would think if you tied that with Identity awareness you could give certiam...
  26. Replies
    3
    Views
    1,454

    Re: SmartEvent (Access for Help Desk only)

    Thanks very much for the info. This is where I do do the permissions but regardless of the option I un-check, they are still able to jump into smart dashboard, tracker, smart log etc. Even though...
  27. Re: Application Control / URL Filtering Bandwidth alerting?

    You can do this in Application/Url policy. I haven't tried it but the option is there.

    -pat13b
  28. Replies
    3
    Views
    1,454

    SmartEvent (Access for Help Desk only)

    Hello,

    We are trying to give access to our SmartEvent appliance for our Security and Help Desk teams and only this appliance.

    We don't want them to be able to launch from there into...
  29. Replies
    25
    Views
    6,068

    Re: SMART-1 (not so smart)

    I get this when running the ipmtool command.


    [Expert@sscpsmart02:0]# ipmitool sdr list full 2>/dev/null | egrep -i '^PSU.*watt'
    [Expert@sscpsmart02:0]# ipmitool sdr ...
  30. Replies
    25
    Views
    6,068

    Re: SMART-1 (not so smart)

    I want to thank all who posted ideas and comments.

    My intention is not to bash Check Point. I have several years of experience with Check Point and prefer Check Point over any other.

    The...
  31. Replies
    25
    Views
    6,068

    Re: SMART-1 (not so smart)

    Thanks very much for the idea. I;ll have to try this.

    Also, I did find this when doing

    [Expert@sscpsmart02:0]# dmidecode -t chassis
    # dmidecode 2.7
    SMBIOS 2.5 present.

    Handle 0x0003,...
  32. Replies
    25
    Views
    6,068

    Re: SMART-1 (not so smart)

    Thanks, I did try dmidecode but nothing shows regarding power. Also the RAID, it is possible to lose one drive and still function. At least I can run RAIDCONFIG Status to see status but would be...
  33. Replies
    25
    Views
    6,068

    Re: SMART-1 (not so smart)

    No we didn't find this. Our appliances are connected at 1Gig. Looking at the switch end they negotiated to 1Gig on the Mgmt interface.

    -pat
  34. Replies
    25
    Views
    6,068

    SMART-1 (not so smart)

    Hello,

    Not sure how popular the SMART-1 appliance is but we just realized that although you can configure the SNMP traps for power supply and RAID,

    The appliance will not send out a trap when...
  35. Replies
    9
    Views
    2,257

    Re: Blocking images (Google, Craigslist etc)

    The portal was an option we presented but management does not want the user to have to sign in twice. Once with AD and then a second login for the Check Point portal.

    I heard today that Check...
  36. Replies
    5
    Views
    3,289

    Re: SmartWorkflow, Tufin, Algosec

    We run Algosec (purchased long before Check Point) but it produces much better reports and activily monitors changes a little better than with our Cisco FWSMs. It works well for them but I notice it...
  37. Replies
    9
    Views
    2,257

    Re: Blocking images (Google, Craigslist etc)

    Thanks for clarifying Jim.

    My understanding from our Check Point Team, is that Check Point and Aruba are working together on the IA aspect. Aruba will work with direct integration with Palo Alto...
  38. Replies
    9
    Views
    2,257

    Re: Blocking images (Google, Craigslist etc)

    Intresting. Thanks very much for your reply.

    No we don't have HTTPS inspection turned on. The organization wouldn't allow the certs to be pushed to the user's laptops and PCs.

    My...
  39. Replies
    9
    Views
    2,257

    Re: Blocking images (Google, Craigslist etc)

    I forgot to mention we are at R77.20.

    I also forgot to add, that checking the box "safe Search" in the engines settings does absolutely nothing either.

    I'm sure there are many Companies with...
  40. Replies
    9
    Views
    2,257

    Blocking images (Google, Craigslist etc)

    Hello,

    Does anyone know how to block images from sites like google and craigslist ?

    We would like to allow our users to get to these sites just not be able to see questionable images.
    ...
  41. Replies
    17
    Views
    5,401

    Re: R77 RADIUS accounting

    I'm not the wireless person, but my understanding from that group, is that the authentication of a user using certs is really done between the Client and the Wireless Controller.

    So unless the...
  42. Replies
    17
    Views
    5,401

    Re: R77 RADIUS accounting

    We are running Aruba wireless and having zero luck in getting the controller, clear pass policy manager, or any other Aruba device to spit out Accounting updates on a regular basis.

    The Check...
  43. Replies
    6
    Views
    3,249

    Re: RADIUS Accounting with Aruba Wireless

    Aruba claims this CANNOT be done. I find it hard to believe that their controller cannot spit out RADIUS accounting.

    Anyone actually have this working or tried to get it to work in their network?...
  44. Replies
    6
    Views
    3,249

    Re: RADIUS Accounting with Aruba Wireless

    Thanks very much for the response.

    Maybe I'm putting too much thought into this. Other than the configuration on the identity awareness / Radius Accounting section, do I need to define a RADIUS...
  45. Replies
    6
    Views
    3,249

    RADIUS Accounting with Aruba Wireless

    Hello,

    Anyone using Aruba wireless and IA with Check Point?

    Once the clients initially register their cert, the authentication is done between the Aruba and client and not AD, so we are trying...
  46. Replies
    8
    Views
    4,040

    Re: "Load on module failed - no memory" R75.46

    We were getting this on a regular basis. Had to reboot the gateways then was able to push the policy.

    But since upgrading to R77.10 have not seen this error.

    -pat
  47. Replies
    6
    Views
    7,854

    Re: ClusterXL and VLANs on Gaia

    Thanks very much for all the good advice.

    I finally figured it out. We typically setup port-channels (logical interface) on our switches for our trunks then assign the physical interfaces to the...
  48. Replies
    6
    Views
    7,854

    ClusterXL and VLANs on Gaia

    Hello,

    I have a new install of Gaia R77.10 on 12400 appliances in a ClusterXL Active/Active UNICAST setup.

    I'm trying to implement VLANs in a trunk to a Cisco switch. If I configure these VLANs...
  49. Replies
    3
    Views
    1,457

    Re: 0 Virtual drives

    How about the "raidconfig" command from CLI. Not sure this is what your looking for?

    -pat13b
  50. Replies
    7
    Views
    7,337

    Re: CCSA gaia 156-215.13

    I don't know what's going to be on the exam, but there is plenty of docs on Check Points web site pertaining to R76 and Gaia.

    I also found a sample test of the CCSA 2013 with 50 sample questions...
  51. Replies
    7
    Views
    7,337

    Re: CCSA gaia 156-215.13

    I'm in a same situation as you. I have been grabbing pdfs off Check Points site and reading through them.

    There does not seem to be any books published yet. The class is very new as well.
    ...
  52. Replies
    4
    Views
    2,510

    Re: SmartUpdate Not Showing Correct Version Info

    That was it !!!!

    sk92943

    Thanks David !!!

    -pat
  53. Replies
    4
    Views
    2,510

    Re: SmartUpdate Not Showing Correct Version Info

    Thanks for the response.

    I have run the "get gateway data" but still shows the same thing. I upgraded using the Gaia web interface. Seemed to work great. As near as I can tell it was upgraded...
  54. Replies
    4
    Views
    2,510

    SmartUpdate Not Showing Correct Version Info

    I think this might be a cosmetic thing? but I upgraded my gateways (12400) and smart-1 appliances to Gaia R76.

    In Smart Update all versions of everything show R76 except on the gateways.

    They...
  55. Replies
    0
    Views
    1,084

    RAID information in SmartView Monitor

    Hello,

    How do you see RAID information in smartview monitor? When clicking on the link, it shows nothing.
    We are running Gaia R76 on a smart-1 appliance with RAID-1. I know we can use SNMP to...
  56. Thread: Service "X11"

    by pat13b
    Replies
    7
    Views
    3,493

    Re: Service "X11"

    I recently found this out myself. Apparently X11 is not part of the "any" . You need to put in a seperate rule to allow for X11.

    There is an article on Check Point web site that shows what...
  57. Replies
    6
    Views
    4,783

    Re: NTP (how to confirm)

    No good info from the clish command line.

    But looks like "ntpdc" does the trick in IPSO 6.x but not IPSO 4.x

    -pat13b
  58. Replies
    6
    Views
    4,783

    Re: NTP (how to confirm)

    Thanks for responding,

    ntpdate (ip address) produces "the NTP socket is in use, exiting"

    Just typing ntpdate with no ip addresses, produces "no servers can be used"

    This is IPSO 6.2...
  59. Replies
    6
    Views
    4,783

    NTP (how to confirm)

    Hello,

    I'm looking for a way to confirm that NTP is actually working form the command line or log.

    I see it going through tracker but I would like to know if there is a way to tell if it thinks...
  60. Replies
    30
    Views
    9,359

    Re: Smart-1 Appliances

    Exactly my point, these enterprise class devices will be placed in a computer room somewhere far away from the management stations and people maintaining them.

    My experience is with the "50" I'm...
  61. Replies
    30
    Views
    9,359

    Re: Smart-1 Appliances

    One point of interest (we found out the hard way) The RAID array cannot be monitored. The only indication given when a drive goes bad or out of sync in the RAID, is an audible alarm.

    Check...
  62. Re: SmartDashborad R70.20 Will not load intermittently

    Thanks for the replies.

    I recieved a new ver of the client from our CP partner. It worked on on one laptops but the other 3 are still not working.

    - Performed CP-Clean.
    - Went into registry...
  63. SmartDashborad R70.20 Will not load intermittently

    Hello,

    I'm having trouble (new install) getting the SmartDashboard R70.20 to load.

    If it does load, it takes 10 min to complete. Most of the time if just hangs.

    I have tried it on a couple...
  64. Replies
    7
    Views
    3,499

    Re: Customizing client authentication website

    I think this will do the trick.

    Solution ID: skI5130

    To configure Encrypted Client Authentication, perform the following steps:
    1. Run the cpstop command on the Security gateway.

    2. Edit...
  65. Replies
    3
    Views
    3,800

    Re: Web visualisation tool

    I had issiues like this using IE. Try Firefox instead.

    -pat13b
  66. Replies
    5
    Views
    2,588

    Re: IPSO cluster problem

    I'm using IPSO clustering on 350s with 512 RAM. I think that's the max the IP350's will take?

    I'm at IPSO 4.2 with HFA02 and NGX R65.

    Sounds like maybe a multicast problem. You can try...
  67. Replies
    5
    Views
    2,489

    Re: Quad 1000 Base-T PMC in IP390/395

    This is great news. Do you know if it works for the IP390 and do you have a part number for this card?

    thanks

    -pat13b
  68. Re: Nokia Cluster Voyager Authentication to ACS TACACS+ failing

    Maybe a compatibility problem with Nokia TACACS and Cisco TACACS ?

    I can try this in our lab next week, to see if I get these results.

    -pat13b
  69. Re: Nokia Cluster Voyager Authentication to ACS TACACS+ failing

    ok, now I see.....

    I still think it's because the cluster ID isn't in the attributes. Maybe you could test that to see if you can get by this problem. I seem to recall having a similliar isiue...
  70. Re: Nokia Cluster Voyager Authentication to ACS TACACS+ failing

    Did you define TACACS attributes and add the cluster id in ACS to allow for the cluster admin to login in.

    Nokia-IPSO-User-Role=clusterAdminRole:9999
    Nokia-IPSO-SuperUser-Access=1

    -pat13b
  71. Thread: AAA with SPLAT

    by pat13b
    Replies
    7
    Views
    4,199

    Re: AAA with SPLAT

    Thanks for the responses.

    I'll look into this on the correct license. It's good news that the UTM's can have this ability.

    -pat13b
  72. Thread: AAA with SPLAT

    by pat13b
    Replies
    7
    Views
    4,199

    Re: AAA with SPLAT

    Thanks for the response chillyjim,

    So what about UTM devices. Can these be upgraded to offer this as well?

    Seems like an over site on Check Points part not to include this in basic SPLAT and I...
  73. Thread: AAA with SPLAT

    by pat13b
    Replies
    7
    Views
    4,199

    AAA with SPLAT

    Hello,

    Anyone know if there is a way to implmenet AAA (TACACS or RADIUS) authenitcation on a SPLAT box ?

    The closet I have gotten is SPLAT PRO offers Radius.

    Cannot find anything with SPLAT...
  74. Replies
    4
    Views
    4,970

    Re: Nokia AAA using Cisco Secure ACS

    Hello,

    As an update to my testing of this, so far its working well and going to be deployed into production. I did have trouble with the "cluster admin" role but I have figured that out...
  75. Replies
    1
    Views
    1,885

    Re: Error Message (What Does This Mean?)

    UPDATE to this problem. Although I don't know what this error is and how to fix it, I was able to add the roles via clish. and that worked.

    -pat13b
  76. Replies
    1
    Views
    1,885

    Error Message (What Does This Mean?)

    Hello,

    I get this error message when trying to add user roles.
    I'm logged into Voyager as admin.

    "Couldn't Create Error File For Command: Permission Denied"

    Any idea how to get around this?...
  77. Replies
    4
    Views
    4,970

    Re: Nokia AAA using Cisco Secure ACS

    Hello,

    I'm still testing this but seems to work so far. After a bunch of research and looking all over the web, I decided to go to the Cisco forum and look this up. A short search I found.........
  78. Replies
    2
    Views
    1,222

    Re: Ethernet Stats on Edge Devices

    Thanks for the reply and info.

    Yes, We are currently running 7.55. Will have to plan an upgrade.


    Thanks again.

    -pat13b
  79. Replies
    2
    Views
    1,222

    Ethernet Stats on Edge Devices

    Hello,

    Any way to get Ethernet stats from the edge devices. I can't seem to find a way to look at errors / stats on the ethernet ports.

    -pat13b
  80. Replies
    3
    Views
    3,440

    Re: Find the UTM-1 Model

    whoops, missed that one.

    So after looking into this, I can't figure this out either.

    I ran "dmidecode" in Expert mode. This is close as I can seem to come.

    Handle 0x0001
    DMI...
  81. Replies
    3
    Views
    3,440

    Re: Find the UTM-1 Model

    ssh to it and type:

    >info device


    [700000] Device Information:

    Hardware:
    Appliance Type: SBox-200-B
    Version: 1.2G Industrial
  82. Replies
    3
    Views
    2,285

    Re: 802.1x Authen on LAN Port

    Thanks for the reply.

    I was able to get this to work and it works great. It was my configuration on the Cisco ACS server that was not correct.

    -pat13b
  83. Replies
    3
    Views
    2,285

    802.1x Authen on LAN Port

    Hello,
    Does anyone know if these UTM Edge devices will do 802.1x on the LAN ports.

    We are trying to authen with our windows credentials using this type of port security in order to authen our...
  84. Replies
    2
    Views
    1,267

    Re: NO0-002 Exam in Massachusetts?

    If you go to prometric.com and type in locate a site and choose this exam, a bunch of them come up.

    Brookline, Waltham, Burlington, Danvers

    -pat13b
  85. Thread: SPLAT 2.6 How

    by pat13b
    Replies
    3
    Views
    2,158

    Re: SPLAT 2.6 How

    Thanks cciesec2006.

    Yes I did this on the Dell box. I'm thinking I have a bad image.

    I'm going to try and download it again. I wasn;t sure if this file was bootable or not. Sounds like it...
  86. Thread: SPLAT 2.6 How

    by pat13b
    Replies
    3
    Views
    2,158

    SPLAT 2.6 How

    Hello,

    I downloaded "VPN-1_SPLAT26_R65_CD1.iso" and burned this onto a CD.

    I was hoping somehow this would just boot and go through the install process, but not a chance.

    Can someone walk...
  87. Replies
    3
    Views
    1,517

    Re: MEP or Cluster XL

    Thanks for the clarification. Initially the 2070's would be together then the plan is to seperate one and place in a DR site. So It looks like phase 1 will be Cluster XL and then MEP once we move...
  88. Replies
    3
    Views
    1,517

    MEP or Cluster XL

    Hello,

    Is MEP the way to go for UTM VPN site to site tunnel redundancy? I don't see much talk about here.

    Looking to take a pair of UTM 2070's at the head end with UTM edge
    devices at the...
  89. Replies
    2
    Views
    1,570

    Re: Initial Configs via TFTP

    I never thought to look on their website sofaware.com.

    There is a few docs out there on this, regarding radid deployment and command line scripts.

    I haven't read through all of them, but it...
  90. Replies
    2
    Views
    1,570

    Initial Configs via TFTP

    Hello,

    Is there a way to have these edge devices get their initial config via a tftp server ?

    How would we go about this and create a config file?

    We are deploying many of these in the field...
  91. Replies
    4
    Views
    2,421

    Re: Check Point NGX and CiscoSecureACS

    Hello,

    I'm sucessfully doing this. The only thing I have found when the ACS log says successfull login and Check Point won't log you in as you describe, is that the expiration date has expired. ...
  92. Replies
    5
    Views
    2,310

    Re: New NGX Book coming out

    ok I won't ask you how. but is it any good ?

    -pat13b
  93. Replies
    7
    Views
    6,435

    Re: CP+RSA authentication problem

    I have not done this yet. (in a few weeks i think)

    I found a pdf but it's too big to upload to this forum.
    It's on RSA web site and called:

    RSA-CheckPoint_VPN1FW1_NGX_R65_AM7.1.pdf

    -pat13b
  94. Replies
    5
    Views
    1,683

    Re: User Authen Custom Banner

    UPDATE......

    The file is called "cpsc.en_us"

    It needs to be edited on the Firewall itself Not the Management server.

    I was able to edit this file for the authen failed screen. Still...
  95. Replies
    5
    Views
    1,846

    Nokia IP350 @100%

    Hello,

    I have been pulling my hair trying to figure out why one of the Nokia's IP350's I have in my lab kept going to 100% CPU utilization.

    I comapred my configs, swapped memory, swapped CPUs. ...
  96. Replies
    5
    Views
    1,683

    Re: User Authen Custom Banner

    Confirmed, this only works for "Client Authentication"

    Anyone ????

    -pat13b
  97. Replies
    5
    Views
    1,683

    Re: User Authen Custom Banner

    Thanks, I did see this, but was hoping there would be an easier way to do this.

    For example with the Cisco PIX/ASA the only thing that needs to br done is entering text in a box.

    -pat13b
  98. Replies
    5
    Views
    1,683

    User Authen Custom Banner

    Hello,

    I have been searching everywhere for info on edititng the pop up in web browser for "User Authentication"

    I see that under Global Policy, that I can tell it to load a file, but this is...
  99. Replies
    2
    Views
    1,257

    Re: Message about authen on popup windows

    Hello,

    Did you ever get an answer to this? We are trying to do the same thing.
    I can't find this info anywhere.

    -pat13b
  100. Replies
    9
    Views
    2,386

    Re: Appliances Make Good VPN Solutions ?

    Good to hear. Thanks for the reply. We are also looking at the ASA price comparision / functionality and management. but I'm hoping the Checkpoint product will win.

    -pat13b
Results 1 to 100 of 207
Page 1 of 3 1 2 3