CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.


I'd like to thank everyone involved for making "The CPUG Challenge" a great success.
We helped a lot of people see and learn a bit more about R80.10, while having some fun.
We will be using this success to try and bring more events to more locations soon. -E

 


Type: Posts; User: jdmoore0883


  1. Re: Smart Event server will not collect data from Log Server or SMS

    What, exactly, are you trying to accomplish here?

    For the most part, the Object Database isn't "managed" from the SmartEvent server, it is done from the SMS/CMA. Once the changes are made there,...
  2. Re: R77.30 Take 205 - is it stable?

    Replies: 23, Views: 1,635

    Take 205 is indeed still the GA and suggested package, 205 has not been recalled.

    Any and all reports that 205 has been recalled are false.

    Please take a look at:
    sk106162: Jumbo Hotfix...
  3. Re: SecureXL - All traffic goto Medium path

    Replies: 14, Views: 1,598

    Acceleration will continue throughout the entire rulebase, past any rule that you see here; it isn't ACCELERATION that stops at rule 779, but TEMPLATING.
  4. Re: R77.30 Take 205 - is it stable?

    Replies: 23, Views: 1,635

    SecureXL get re-initialized on a policy install; if you can catch it quick enough, it would be expected to see it turn off then back on again.
  5. Re: Office365 IP addressing alternatives

    Replies: 13, Views: 1,043

    A - Yes. SRC: Internal Networks, DST: Any, Action: Accept
  6. Re: Office365 IP addressing alternatives

    Replies: 13, Views: 1,043

    If there isn't any Firewall Rulebase rule to explicitly allow this traffic, it will never get to the Application Control blade to begin with.
  7. Re: HFA identifier from cpinfo -y

    Replies: 13, Views: 1,149

    Then you will either need to get that info from the registry, or install a newer take of the jumbo that includes that command.
  8. Re: Connection entry is not getting removed from R75.40 even it receives a reset

    After making the change, give things time to clear out from the connections table and for the connections to try to re-establish. Try pushing policy or manually clearing the connections table.
  9. Re: HFA identifier from cpinfo -y

    Replies: 13, Views: 1,149

    A - There is no way to do so from that command. You can try the 'installed_jumbo_take' command to give it to you like this:


    [Expert@HOST:0]# installed_jumbo_take
    R77.30 Jumbo Hotfix Accumulator...
  10. Re: Connection entry is not getting removed from R75.40 even it receives a reset

    Disable Smart Connection Reuse on your R75.40 gateway.
    sk24960: "Smart Connection Reuse" feature modifies some SYN packets
  11. Re: ClusterXL Issue with Failover

    Replies: 31, Views: 2,264

    A - Yes, among many other tests as well. They also completely removed one of the switches to verify no single point of failure, and the Sync and Cluster continued to operate properly/as expected.
    ...
  12. Re: ClusterXL Issue with Failover

    Replies: 31, Views: 2,264

    A - Personally, myself, with equipment at my immediate disposal? No. I don't have the personal funds to do so, and as a mere Diamond Engineer here at Checkpoint, we haven't got quite THAT level of...
  13. Re: support for R80 on older appliances

    Replies: 8, Views: 874

    https://www.checkpoint.com/support-services/support-life-cycle-policy/

    This has the versions supported for all appliances. Keep in mind that R80 (specifically) is for Management only, and R80.10...
  14. Re: Office365 IP addressing alternatives

    Replies: 13, Views: 1,043

    A - Technically, yes.



    A - No, not at all.



    A - This is what you want to use. It is rather simple once you familiarize yourself. In short, you create rules like you would in your firewall...
  15. Re: ClusterXL Issue with Failover

    Replies: 31, Views: 2,264

    sk92804: Sync Redundancy in ClusterXL

    In short, bond some interfaces, set that bond to be the Sync, set each physical of the bond to different switches on the same VLAN/broadcast domain.
  16. Re: troubleshooting high cpu/memory issue with packet loss with gateways R77.30

    Take a look at CPView.
    sk101878: CPView Utility

    Depending on whether or not your R77.30 is a fresh-install or upgrade, the CPView History Daemon may or may not be turned on. If it is, you can...
  17. Re: Web Visualization tool - NOT supported on R80

    A - That would likely be your best option.



    A -- Not yet from Checkpoint. There may be 3rd party tools out there, but I am not personally aware of any that would accomplish the same.
  18. Re: Netflow on R77.20 SPLAT

    Replies: 1, Views: 337

    As far as I am aware, Netflow is supported on Gaia and IPSO only, not SecurePlatform.
  19. Re: Recommendations for upgrade

    Replies: 14, Views: 1,244

    I second a vote for this.



    I have a customer running this setup... R80 SMS and R77.30 Gateways.



    In terms of operability between the R80 Management and the R77.30 Gateways, I have yet to...
  20. Re: Windows R77.30 to Gaia R77.30 Migration

    Replies: 10, Views: 1,120

    Why? Why do this? You will cause yourself pain and misery trying to do this.
  21. Re: R80 SmartEvent /var/log > NFS

    Replies: 3, Views: 527

    A - Don't do it! There is SO much Disk I/O, you would need a VERY fast NFS Server and connection, and even then, you will still suffer from performance issues. As per sk66003: "How to change the...
  22. Re: HTTPS inspection: How to capture website headers and content

    fw monitor doesn't work that way.

    There isn't any real easy/practical way to get this decrypted information, by design.
  23. Re: Database Lock issue using custom script

    Hey. Without re-writing your script all over for you, I would suggest:
    - take a look at the existing routes
    - compare these to what you want
    - if they are already what you want, do not run the...
  24. Re: NAT Issue with SecureXL

    Replies: 18, Views: 1,408

    How are you seeing that NAT is not taking place? What NAT rule should be applied to this traffic?
  25. Re: NAT Issue with SecureXL

    Replies: 18, Views: 1,408

    Could the issue be related to the traffic you are testing? What, exactly, is the issue at hand? What kind of traffic is involved? How do you see that NAT is not taking place?
  26. Re: sim affinity in R77.30 or R80?

    Replies: 27, Views: 1,806

    A - What is wrong with this? How is this broken?



    A - How else would you want to control the CPU affinities? What is wrong with this?



    A - Put what to rest?
  27. Re: Disable firewall policy ?

    Replies: 13, Views: 917

    When you run fw unloadlocal, it will also turn off ip_forward by setting it to 0, so you have to turn it back afterwards.
  28. Re: Exporting Application Control Rules in HTML/XLS/CSV File

    I do not believe there is any such tool; I'm certainly not aware of one.
  29. Re: Upgrade from R75.47 to R77.30

    Replies: 2, Views: 583

    What about hotfixes? Got any installed there?
  30. Re: Fresh installation of SPLAT R77.30 UTM-1.

    A - Assuming you are going from SecurePlatform to Gaia (which I would strongly recommend), then there is no way to migrate or export these settings; the routing daemons and configuration between...
  31. Re: Juniper SRX Log-Parser

    Replies: 5, Views: 2,782

    You might find a bit more information from Juniper... In the end, it is their logs you need to learn how to parse, and they (should) know how their logs are set up.

    But that is an interesting...
  32. Re: Smart Console on Linux +Wine

    Replies: 5, Views: 611

    I have spent many MANY hours trying to get this going. The summary of all my efforts: No, this won't work.

    Despite (seemingly) being little more than a GUI Client, and only listing the .NET and...
  33. Re: Question about VPN domain

    Replies: 2, Views: 570

    Yes, that would work just fine.
  34. Re: Wildcard Subnet mask

    Replies: 8, Views: 2,147

    As far as I am aware it is for R77.30. I expect more details will become available as it becomes GA.
  35. Re: Wildcard Subnet mask

    Replies: 8, Views: 2,147

    A - Yes, there is a way, but it is not yet 100% GA (internal word is that final QA should/will/might be completed this week, subject to change without notice). It requires a hotfix, but it will allow...
  36. Re: tcpreplay on R77.30

    Replies: 12, Views: 784

    Yes, you are correct.
  37. Re: tcpreplay on R77.30

    Replies: 12, Views: 784

    A - Take a look at your rulebase and global properties, and make sure you are logging everything



    A - What are you really trying to accomplish here?

    I have never seen a scenario where...
  38. Re: Very old version "ssl network extender" install package

    If you knew what version of Checkpoint this came from, install that as a gateway in a VM, and get the file from there. The installer will be in the following directory:...
  39. Re: SmartDashboard - Application URL Filtering - Section Titles

    This is a design limitation. This is not an issue with the R80 Dashboard and its unified policy.
  40. Re: Killing a TCP Connection from the state table?

    Using the same method you used to remove the first, using the appropriate reversed/NAT'd IPs.
  41. Re: Killing a TCP Connection from the state table?

    For any given connection, there will wind up being up to 4 entries in the connection table:
    - 1 for the connection with the IPs as you would expect
    - 1 for the reverse connection, to allow for the...
  42. Re: Legacy authentication combined with URLF+APCL

    A - You Bet!



    A - Nope. Use Identity Awareness.



    A - There should be a way to accomplish this; it might require some re-architecturing with new processes/methods, but you should be able...
  43. Re: ClusterXL HA interface topology question

    Check this out:
    sk32073: Configuring Cluster Addresses on Different Subnets
  44. Re: Routing table is not same

    Replies: 8, Views: 820

    Where/how do you see this?
  45. Re: Intro

    Thread: Intro, by jdmoore0883
    Replies: 2, Views: 594

    Welcome Jericho!



    The only stupid questions are the ones you don't ask, so ask away!
  46. Re: USB-Booting problem with Fresh-Install of R77.30 (UTM-1 1070)

    A - There is only 1 real way to know: test them. Otherwise, there is no way to tell in advance. Over the years I have collected a great number of USB drives that work in some appliances, but not in...
  47. Re: G-IKEv2

    Thread: G-IKEv2, by jdmoore0883
    Replies: 4, Views: 543

    A - This is correct, G-IKEv2 is not supported.



    A - I will be the first to admit that, as knowledgeable as I am with Checkpoint (I am a Diamond Engineer with Checkpoint), I also don't know...
  48. Re: Hide vs static NAT with a pool of IP addresses

    cciesec2006 seems to be particularly hateful towards CP and TAC; a quick review of his posts will show this. Not to say that he doesn't have his points, but take his remarks with a grain of salt.
    ...
  49. Re: Smart 1-205 Policy installation takes too long

    Likely a resource utilization issue on your little Smart1-5.

    What are the CPU/MEM usages like when you push policy?
  50. Re: VRRP standby device sending TACACS authentication requests using VIP address

    What version of Checkpoint? Gaia or IPSO?

    Check out sk34180: Outgoing connections from cluster members are sent with cluster Virtual IP address instead of member's Physical IP address
  51. Re: G-IKEv2

    Thread: G-IKEv2, by jdmoore0883
    Replies: 4, Views: 543

    Not that I am aware of.
  52. Re: New R80 Install - No Gateways listed for installing policy

    R80 does not yet work for Gateways, this can be expected in R80.10.
  53. Re: Policy Based Routing Issue - NAT and ARP

    Add a proxy arp entry on the gateway for 1.1.1.30
  54. Re: IP350 latest IPSO and GAIA version support

    https://www.checkpoint.com/support-services/support-life-cycle-policy/

    The IP350 doesn't support anything beyond R65 (and likely IPSO 4.2).
    The IP Series appliances are no longer sold new, so if...
  55. Re: Migrate Provider-1 R75.47 to R80

    Replies: 52, Views: 3,391

    You mean like this:
    sk108624: Check Point R80 Known Limitations ?
  56. Re: Custom hotfixes from Checkpoint !!!!

    Replies: 10, Views: 786

    I have seen many a Linux machine do this. It seems to be something about the filenames... Sometimes, you can run ls with a different set of flags and it's fine, and add some flags, segfault. I had...
  57. Re: Custom hotfixes from Checkpoint !!!!

    Replies: 10, Views: 786

    His issues extend FAR beyond mere hotfixes....
  58. Re: How to forward directed broadcast traffic for wake on LAN

    sk35551: Forwarding of Directed Broadcast traffic

    sk103963: Gaia IP Broadcast Helper does not forward Directed Broadcast traffic
  59. Re: Clustered FW errors on cp_merge

    Replies: 9, Views: 1,276

    A - Not really... I mean, you'll have to reset SIC which can restart the Checkpoint services (there is a way to do so without that restart though, if need be), but other than that, it should be...
  60. Re: Clustered FW errors on cp_merge

    Replies: 9, Views: 1,276

    A - Yes, this is indeed correct.



    A - Yes, you could if you really wanted to.



    A - This is (arguably) the better option:
    - faster
  61. Re: Hide NAT causes 100% CPU and slow Bandwidth

    You are confusing CoreXL and SecureXL... CoreXL is Multi-Core, and distributing process and interfaces across CPU Cores.

    SecureXL is the packet accelerator, that can allow packets to bypass the...
  62. Re: HTTPS INSPECTION CA CERTIFICATE

    Replies: 1, Views: 804

    Install the certificate on the android devices.

    https://support.google.com/nexus/answer/2844832?hl=en
  63. Re: Migrate Provider-1 R75.47 to R80

    Replies: 52, Views: 3,391

    From personal first-hand experience, it is far MORE common for these details to be completely wrong. We have sent MANY an RMA to sometimes the wrong COUNTRY, simply because we did not VERIFY these...
  64. Re: Migrate Provider-1 R75.47 to R80

    Replies: 52, Views: 3,391

    Is it not possible that such an issue only became apparent AFTER R80 was released?
  65. Re: CUL - Cluster

    Replies: 36, Views: 2,275

    PM me your Diamond Engineer's name. If need be, I will work with him directly to help get this setup replicated.
  66. Re: Malformed HTTP protocol name in response

    Go to the IPS settings, and set this protection to not log for that profile. While these will continue to be blocked, they just won't be logged so you won't have to deal with these "noise" logs.
  67. Re: Migrate Provider-1 R75.47 to R80

    Replies: 52, Views: 3,391

    Oh yeah! I love those log files that tell you there's an error and to check the log file for the error...

    So that really only leaves us with the segfault to work with... SO many things could...
  68. Re: Migrate Provider-1 R75.47 to R80

    Replies: 52, Views: 3,391

    Well this is pretty definitive, getting a segfault.



    Can we get these log file details? Perhaps there's more therein... /opt/CPInstLog/verification_tools_report
  69. Re: Migrate Provider-1 R75.47 to R80

    Replies: 52, Views: 3,391

    Don't do these steps. Run the script from the mounted directory itself. I am reasonably sure that the script calls more files than you are copying over. Referencing the "R80 Installation and Upgrade...
  70. Re: move frequently hit rule to the top or SecureXL acceleration?

    Whoa whoa whoa waitaminute here..... There's a few issues here with this thread overall...



    Where did you get this info? Everything I have found seems to disagree with this.... NFS != CIFS...
    ...
  71. Re: fw_xlate_match_epilog: There is already NAT on src/sport

    While you may replicate a SIMILAR situation by attempting to DoS your device, these attempts won't TRULY bring you any closer to resolution on your production environment as the root cause of the...
  72. Re: move frequently hit rule to the top or SecureXL acceleration?

    ShadowPeak's question isn't about the actual, raw traffic, but the service objects in use in the rulebase, and the FINE details about them.
  73. Re: R77.20 to R77.30 fresh install upgrade

    Replies: 7, Views: 1,169

    As a final note on this, I wouldn't just go and copy/paste the contents of $FWDIR/boot/modules/fwkern.conf, as some of these settings can be changed in the new version. I would suggest investigating...
  74. Re: Power connected in both sockets?

    Replies: 1, Views: 615

    A - It should, yes.
  75. Re: Fingerprint shown to Users for SNX

    Replies: 8, Views: 766

    A - Yep. Pretty sure...



    A - Nope. Is it *ALL* users, or just some? Is there any possibility that there is something else between the User(s) and your GW?
  76. Re: fw_xlate_match_epilog: There is already NAT on src/sport

    If you google for 'hping3 --flood', and any variations thereof, you will find all kinds of Tutorials and Articles describing how to initiate a (pseudo) DoS Attack.

    So here you are, deliberately...
  77. Re: Introducing Exchange Point - New Check Point R80 Community

    CPUG is not officially affiliated with Checkpoint. The New Check Point R80 Community is run by Checkpoint.
  78. Re: fw_xlate_match_epilog: There is already NAT on src/sport

    Doing a (VERY) rough count...

    I ran the same hping3 command you did, and captured the packets using tcpdump. Using this method, my 1 single host was capable of sending over 180,000 packets PER...
  79. Re: fw_xlate_match_epilog: There is already NAT on src/sport

    I'm not sure what you're trying to get at here....

    You're deliberately flooding the gateway's interface, and these drops are (very likely) due to the buffers getting filled due to your deliberate...
  80. Re: move frequently hit rule to the top or SecureXL acceleration?

    Then it looks like you're in a bit of a tight spot, and it's a surprisingly common one to be in.... You can't debug the traffic problem without causing other traffic problems, but can't solve the...
  81. Re: fw_xlate_match_epilog: There is already NAT on src/sport

    Take a look at:
    sk61143: fwmultik_inbound_packet_from_dispatcher Reason: Instance is currently fully utilized

    On that note, the hping3 command you are showing is set to flood:

    --flood ...
  82. Re: move frequently hit rule to the top or SecureXL acceleration?

    Why? If properly done, a simple TCPDump should not affect traffic.



    tcpdump, fw monitor, zdebug drop, netstat -ni, etc... There's a bunch of stuff that could be accomplished while the problem...
  83. Re: fw_xlate_match_epilog: There is already NAT on src/sport

    Then what about fw ctl zdebug drop (no NAT, and grep only for SRC or DST IP)?
  84. Re: move frequently hit rule to the top or SecureXL acceleration?

    While these messages logs may coincide with your traffic issues, they will be symptomatic of the real problem, rather than a cause of the problem.

    Is this the same gateway that is passing your...
  85. Re: Fingerprint shown to Users for SNX

    Replies: 8, Views: 766

    It would be the MAB Gateway's certificate. You can import a 3rd party Cert, or use a default cert.
  86. Re: move frequently hit rule to the top or SecureXL acceleration?

    What are you really trying to accomplish here? From these numbers, your rulebase is 99.44% SecureXL templated. That is a phenomenal number any way you slice or dice it. Why do you feel the need to...
  87. Re: Malformed HTTP protocol name in response

    A - It can be, depending on other variables in your environment.



    A - That is correct. The IPS protection is a little more generic, and the drop log a little more specific on the details. But...
  88. Re: Mobile Access Secure Workspace Crashes

    Which ones, exactly? Are any of them pre-packaged corporate images? Have you tried a plain, "vanilla" install of Windows (no corporate mucking about)?

    What version of Checkpoint is in use on the...
  89. Re: fw_xlate_match_epilog: There is already NAT on src/sport

    What are the drop logs or messages for these?
  90. Re: R80 - Migrate from R77.30

    Replies: 2, Views: 912

    New R80 Release Notes, put out today, indicate the following:

    Open Server Hardware Recommendations
    Processor

    Single Socket 1x

    Core i5-3550S

    4 cores, 3GHz or equivalent
  91. Re: fw_xlate_match_epilog: There is already NAT on src/sport

    It looks like something is trying to reuse a set of ports that are already being NAT'ed. For example:

    Let's say you have host 192.168.1.1, trying to reach 8.8.8.8 over port 80. The host will pick...
  92. Re: automatic fail-over to redundant 3rd Party VPN peer

    This will likely be the case for a while yet. If you find SKs that could use an update, feel free to say as much in the comments form in that SK. I have had to do so many a time, and the feedback is...
  93. Re: automatic fail-over to redundant 3rd Party VPN peer

    sk97746: New VPN features in R77.10
    Permanent tunnel support with interoperable devices VPN based on IKEv1/IKEv2 DPD (RFC 3706)

    Dead Peer Detection should work for this.
  94. Re: Can we audit logs to syslog server?

    Replies: 3, Views: 1,114

    No.

    Theoretically, you can probably write some kind of monitoring script to watch the database and report on changes, but that will likely be neither quick, easy, nor straightforward.
  95. Re: CUL - Cluster

    Replies: 36, Views: 2,275

    But your traffic (not what is defined in the rulebase) is CIFS, so it will not be accelerated.



    Should not have come to what? Replicating in a lab on Checkpoint's side of things? Unless you are...
  96. Re: CUL - Cluster

    Replies: 36, Views: 2,275

    While typically true, it is also possible to have CIFS work over OTHER ports. It's all about the protocol and CP's protocol handlers.



    tcp port 445 on its own (no protocol), yes, it should....
  97. Re: CUL - Cluster

    Replies: 36, Views: 2,275

    Thank you. Though I have found my thought processes to be rather unique wherever I go...lol...



    At this point, I would agree with your findings that it's (most likely) due to the DFS traffic.
    ...
  98. Re: CUL - Cluster

    Replies: 36, Views: 2,275

    I would disagree with this. While it is reasonably obvious, it is also entirely possible that it is the DFS AS WELL AS SOMETHING ELSE (not yet determined what) that is the TRUE cause of the issue. If...
  99. Re: CUL - Cluster

    Replies: 36, Views: 2,275

    This could probably be said for all sales for all vendors. My primary gripe with ALL sales, as a whole. And in the end, the sales guys go with the sales info that they're provided, and though some...
  100. Re: CUL - Cluster

    Replies: 36, Views: 2,275

    A - You can request that CIFS not be inspected. There is an internal hotfix available that can accomplish this. It does not appear to be as thoroughly tested as most other hotfixes, and as such isn't...
Results 1 to 100 of 364