CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.


CPUG Challenge 2018?? We will be holding another CPUG Challenge for 2018.
The plan is to time it around CPX again (earlier this year), but not necessarily limit it to those in attendance.
I'll provide more details as we get a bit closer, but be ready! -E


Search:

Type: Posts; User: jflemingeds

Page 1 of 5 1 2 3 4


  1. Re: dbedit rule id syntax (Replies: 3, Views: 36)

    9 rule headers. Difference right now is 16 (or 15, I'm guessing the rule base is off by 1?). I have 1 disabled rule as well. Still not enough. :/

    Implied rules blast way past that number.
  2. dbedit rule id syntax (Replies: 3, Views: 36)

    Does anyone know the logic behind the rule id of a dbedit script for adding/removing objects from src/dst of rules?

    If I try to add/edit rule 119 as shown in dashboard the changes go in 103 (or...
  3. Re: R80.10 in VMware (Replies: 6, Views: 67)

    You've been able to config a firewall without the webui for a very long time.

    config_system is the latest way for R77.30. Haven't tried R8x.
  4. Re: Help on understanding why can't do nothing on the fw Virtual systems

    From expert can you run
    echo $SHELL
    export
    source /etc/profile
    export
  5. Re: HA Upgrades in 1490 appliances (Replies: 1, Views: 58)

    Sure would be nice if someone knew how to run these under kvm-arm.

    So upgrade logs are stored in /logs. I'd look there first. Maybe that will uncover some clues.
  6. automatic restore of P1 backup (Replies: 0, Views: 105)

    FYI I have a script set up to do an automatic restore of a full P1 environment (hurray open server!). The script ssh()es to the backup server, starts a tar -zxvf of the backup, pipes the stream of the...
  7. Re: Changing users authentication method en masse

    be sure to report back how things go.
  8. Re: legacy client auth connectivity HTTPS (Replies: 4, Views: 191)

    I think you need to get more information about what encryption or hash method is making things angry, then disable it and generate a new cert.

    Just a guess, sk106478 might be a good place to start....
  9. Re: Changing users authentication method en masse

    Damn it man, save those wrists!

    Step 1 - restore backups into lab that has working radius and SecurID
    Step 2 - dump user database
    #if p1 don't forget to mdsenv into said CMA.
    fwm dbexport -f...
  10. Re: Operation Memory Clean up is needed. (Replies: 10, Views: 270)

    I'm confused as to what savedb even does. I just ran through creating some objects using dbedit and didn't issue a savedb and everything showed up where I expected. I've also looked at other examples...
  11. Re: legacy client auth connectivity HTTPS (Replies: 4, Views: 191)

    Are you using the default vpn cert that the gateway generates or are you using your own?
  12. Re: OSE problems (Replies: 1, Views: 145)

    Well.. so brute force method going forward.

    awk -F'[,]' '/,ose,/ {print "create host_plain ose2rtr_"$1"\nmodify network_objects ose2rtr_"$1" ipaddr "$3; if ($9){ print "modify network_objects...
  13. Re: Export SmartDashboard objects to a text file

    yupers, it will convert .C to .CSV
  14. Re: Freezes/Lock-Out on our firewall that have CP puzzled.

    Start a new thread and run the commands requested.
  15. OSE problems (Replies: 1, Views: 145)

    So I've got 99 OSE problems and a host object isn't one of them. Well.. really it's more like almost 800.

    Anyone know of a black magic dbedit script or.. really anything.. to convert OSE objects...
  16. Re: Operation Memory Clean up is needed. (Replies: 10, Views: 270)

    ack.. yeah VSX doesn't support db revisions. You would think checkpoint would alarm or warn when creating and not restoring.

    I would not mess with anything further and contact support. Grab that...
  17. Re: Operation Memory Clean up is needed. (Replies: 10, Views: 270)

    Is this part of the demo CMA you turned up in the other thread? I guess if you're worried you could restore the database revision. I would do a savedb more than just once at the end. Like maybe every...
  18. Re: SQLNET and NAT (Replies: 12, Views: 338)

    What service is showing in the logs and what does that service show in the advanced section for protocol? abusharif pointed out the sqlnet2 inspection should support sqlnet redirect based on the...
  19. Re: Checkpoint to Fortigate IPSEC tunnel (SPIs being deleted)

    So does that mean that the normal setting for a VPN tunnel on Fortinet is 0.0.0.0/0 for proxy id and you changed from that default to something like a VPN tunnel per subnet pair?
  20. Re: Traffic not going through the VPN tunnel

    Just a guess, but does the non-working host have a NAT rule? If so, sounds like you need a no-NAT to work around that.

    If that's not the case then we need more info. Are you seeing the packet hit the...
  21. Re: Anyone interested in scientific research?

    I assume you'll be documenting this endeavor?
  22. Re: Freezes/Lock-Out on our firewall that have CP puzzled.

    There has been a lot of discussion (Well maybe not a lot) about changes that would be helpful for this forum and this thread pretty much encompasses everything I've brought up.

    Just a quick...
  23. Re: Freezes/Lock-Out on our firewall that have CP puzzled.

    Can you disable the domain object for a period of time? It might help zero in on root cause.
  24. Re: CP 800 / WLAN issues (Replies: 4, Views: 254)

    I didn't see anything like that but I'm running on a 750.
  25. Re: Anyone interested in scientific research?

    I think this falls nicely inside the everything else clause of misc.
  26. Anyone interested in scientific research?

    I'm going to try to make peanut butter cookies with chocolate covered espresso beans.

    If anyone has embarked upon a similar project please let me know.

    That is all.
  27. Re: Freezes/Lock-Out on our firewall that have CP puzzled.

    Need to know if both firewalls have the same problem or not.

    Also dmesg from both.

    What is that very last line about eth7? Was something cut off?
  28. Re: Freezes/Lock-Out on our firewall that have CP puzzled.

    I haven't seen this asked yet (or I missed it). Have you noticed if this happens on both firewalls or is it only happening when one of the firewalls is active?
  29. Re: RADIUS for external users and mfa (Replies: 1, Views: 92)

    Do a packet capture and see if the RADIUS server is returning unknown user.
  30. Re: Freezes/Lock-Out on our firewall that have CP puzzled.

    Yeah that is the thing. If it was arp I would expect it to be happening at random times and not around policy install.

    Those kmalloc lines don't look good. Can you paste fw ctl pstat and the...
  31. Re: Freezes/Lock-Out on our firewall that have CP puzzled.

    Linux has a max size for the arp table. Neighbor table overflow means you hit the max, which by default is I think 1024? You can bump the size without issue. From clish I think it's like set arp-cache...
  32. Re: Freezes/Lock-Out on our firewall that have CP puzzled.

    I was thinking arp issue as well but couldn't tie it to policy install unless maybe there are a lot of nats using local subnet and maybe a failover is happening post policy install. Maybe garps...
  33. Re: Freezes/Lock-Out on our firewall that have CP puzzled.

    Reply with the output of the following from both cluster members. Can you explain firewall topology as well? It seems like you're saying only the dmz interface is going mia, correct?

    dmesg
    fw ctl...
  34. Re: high cpu on the fw process of the standby firewall

    Yeah so no idea why the sk went mia. Call support and ask. Might be internal only now.

    I think the end result pointed to a driver issue or maybe something with vrrp.
  35. Re: high cpu on the fw process of the standby firewall

    The screen shot shows a kernel process called events. That was what I was keying on. May not be related to your issue. Start a new thread to be sure.
  36. Re: cphastart error (Replies: 7, Views: 285)

    yeah sounds like maybe a typo in fwkern.conf.
  37. Re: OSPF Route-based VPN questions (Replies: 16, Views: 363)

    How is this going?
  38. Re: OSPF Route-based VPN questions (Replies: 16, Views: 363)

    I don't think tcpdump works on the vti interface. You need to use fw monitor. I think the filter would be like 'ip_p=89,accept;'

    Oh and turn off securexl before running monitor.
    ...
  39. Re: Checkpoint firewall can't reach tacacs servers-> logs show allowed

    Come to the linux side, we have cookies.
  40. Re: OSPF Route-based VPN questions (Replies: 16, Views: 363)

    Are you trying to route mgmt server access over a VTI by chance? I'd check routing in both directions to verify.
  41. Re: OSPF Route-based VPN questions (Replies: 16, Views: 363)

    Are you mixing domain and vti vpns? You could use vpn tu to clear any related SPIs setup. When you say you can't ping across the vti are you still getting encryption errors? If so ospf isn't going...
  42. Re: OSPF Route-based VPN questions (Replies: 16, Views: 363)

    Yeah start with empty enc domain. That for sure is a problem.
  43. Re: Not responding to arp-who-has (Replies: 13, Views: 485)

    Nice going, I'll buy you one of those famous $18 Bud Lights at vegas for your abilities, assuming you're going to cpx.
  44. Re: Route Based VPN VTI configuration (Replies: 5, Views: 166)

    I'm assuming when you say VTI ID you're talking about the gateway name when you add the vti tunnel via clish? Assuming so, yes it's unique and also case sensitive. I would assume you would have to write...
  45. Re: Route Based VPN VTI configuration (Replies: 5, Views: 166)

    Hmm. I've never done a full mesh with VTI. Good question.

    Do all the peers have direct internet connection, meaning they aren't NATed? I only bring this up because the peers can route through the...
  46. Re: Not responding to arp-who-has (Replies: 13, Views: 485)

    and if none of that works you can always check for dropped packets with fw ctl zdebug drop.
  47. Re: Not responding to arp-who-has (Replies: 13, Views: 485)

    Aaah. That makes sense. One last option if clustering doesn't fix it. In your proxy arp config are you using the interface name or forcing a MAC address in the proxy arp? I just hit an issue a few days...
  48. Re: Not responding to arp-who-has (Replies: 13, Views: 485)

    How could outbound nat traffic work if arp isn't being responded to?
  49. Re: fw ctl zdebug command is a bad practice

    It's not the size of the buffer that counts, it's how you use it, Don Quixote.
  50. Re: fw ctl zdebug command question (Replies: 9, Views: 297)

    Maybe it started out in an R&D bubble but it's for sure mainstream now.

    sk100808
    How to use " fw ctl zdebug" command

    bla bla bla

    "See sk98799 for more information about in-depth kernel...
  51. Re: OSPF dynamic traffic allowing rule (Replies: 2, Views: 127)

    ospf routers (which includes the cluster) go in source and dest

    all multicast ranges go in dest.

    Side advice, I try to set ospf priority to 0 so the firewall can't become DR/BDR as well.
  52. Re: fw ctl zdebug command is a bad practice

    I agree, I'd much rather explain to someone to do a zdebug and not worry about them messing up flags or resetting them.
  53. Re: Cluster-cluster FIBMGR and ssh (Replies: 7, Views: 198)

    If I recall someone posted ansible code for R80.
  54. Re: Gateway as a Proxy - NAT Hiding Address Selection

    I was thinking you wouldn't need the VIP since the connection starts from the firewall node and would match a cluster fold. I also said to use services so other things wouldn't be hijacked. Also....
  55. Re: R80: object explorer: unused objects (Replies: 13, Views: 368)

    Yikes. I assume it's clear that from a user perspective that would not be an unused object since it's in the nat policy. I understand the flip side could be it's not really in the nat policy but that...
  56. Re: Cluster-cluster FIBMGR and ssh (Replies: 7, Views: 198)

    If you're going to use smart center you might as well use cprid_util to move files around instead of ssh.
  57. Re: Multi domain management server in vmware workstation doesn't run

    Is it just the fwm process that is down? Did you by chance put a license on the CMA?
  58. Re: Gateway as a Proxy - NAT Hiding Address Selection

    Sounds like a hide nat rule might work. I'm not sure if there are cases where your VIP needs to be used elsewhere, but for example this would only change your src nat for a given service...
  59. Re: Cluster-cluster FIBMGR and ssh (Replies: 7, Views: 198)

    1. You used to have to create that rule for dynamic routing updates but I think it's implied now.
    2. I think it's a good rule to have. If someone has sshed to the firewall they must have admin...
  60. Re: Checkpoint to Fortigate IPSEC tunnel (SPIs being deleted)

    With beer!! Yes larger!! Err... no wait ..I mean logger

    fw ctl zdebug drop | grep --line-buffered | logger &
    disown

    It should run forever until you kill the fw ctl zdebug.

    Will be sent to...
  61. Re: So I tried loading pfSense on a 4600 (Replies: 6, Views: 268)

    I think pfsense is very picky on the way the remote is identified in phase I. You may want to pull an IKE debug to see how the checkpoint is advertising and compare with what pfsense is configured...
  62. Re: CheckPoint 750 flash alternative OS on appliance

    NAND mtd. Checkpoint uses UBIFS on the 750 / 1400. 1100 uses jffs I think.
  63. Re: So I tried loading pfSense on a 4600 (Replies: 6, Views: 268)

    My guess is the kernel isn't sending the console output to the serial port. Do a search for pfsense serial console.
  64. Re: CheckPoint 750 flash alternative OS on appliance

    Anything is possible!

    Connect to the console port (115200 baud), boot the box and hit ctrl-c when prompted.

    I think there is a tftp option. If not shrug. If so try booting your fav arm distro....
  65. Re: Checkpoint to Fortigate IPSEC tunnel (SPIs being deleted)

    oops, loaded wrong IKE.elg file. ignore!

    Nothing to see here! .. um... yet! :D
  66. Re: Checkpoint to Fortigate IPSEC tunnel (SPIs being deleted)

    Are both sides set up for certificate-based VPN instead of PSK? Is that correct? Looks like a cert issue right now.
  67. Re: Question regarding failover in ClusterXL (and not only)

    That sounds harder than "good enough".
  68. Re: ISOmorphic download (Replies: 3, Views: 327)

    I haven't used ctrl-I in a long time.
  69. Re: new build of R77.20.60? (Replies: 9, Views: 622)

    FYI sk117894 is updated with build numbers and their fixes.
  70. Re: Check Point debugging GUI (Replies: 7, Views: 721)

    Did you make this tool a long time ago? It seems interesting but really I wouldn't be cool with running this. Maybe if it was in a language that used an interpreter like python or perl or something so that...
  71. Re: Check Point 4800 on either end of 1gb FIOS. VPN Throughput question

    Never say die!! Look said person up on LinkedIn/ fecalbook as well.
  72. Re: DELL R630 Gaia R77.30 Fresh Install crash viewing Machine Info

    Restart the install and don't do view machine info.
  73. Re: Check Point 4800 on either end of 1gb FIOS. VPN Throughput question

    Oh nice! keep us posted, want to see how this turns out.
  74. Re: DELL R630 Gaia R77.30 Fresh Install crash viewing Machine Info

    I wouldn't worry about this error. I've seen the same thing happen with a VM that has no problems. Shadowpeak is correct in that it could be something with parsing info about the storage controller...
  75. Re: Check Point 4800 on either end of 1gb FIOS. VPN Throughput question

    Well the SMB firewalls have a built-in firewall license that doesn't expire.. so maybe not for those.. but for everything else for sure. My guess is that is why it's so cheap.

    Don't worry about...
  76. Re: Check Point 4800 on either end of 1gb FIOS. VPN Throughput question

    Try this, don't PM Phoneboy at all, I'm sure nothing will come of it. Next... er I mean first.. call Account Services and let them know you bought this firewall and are trying to get the licenses.
    ...
  77. Thread: Openstack? (by jflemingeds; Replies: 4, Views: 567)

    Re: Openstack?

    yeah, i just noticed this.
  78. Re: Check Point 4800 on either end of 1gb FIOS. VPN Throughput question

    I'd take it up with eBay. Show them proof checkpoint won't even sell you a license for the box and then show this to mean it can't be used for its purpose and thus is broken. No idea if that will work...
  79. Re: MTU on VPN traffic (Replies: 5, Views: 219)

    Sure.. but then you have to pray the application layer knows how to deal with that and most of the time.. meh.. enjoy your frags.
  80. Re: R80 Appliance support (Replies: 4, Views: 178)

    IPSO is dead. 77.30 is the last firewall version and ipso isn't supported on r80. That being said my guess is it will work fine, just don't call checkpoint and ask for a fix if it doesn't.

    I'm...
  81. Re: R80 Appliance support (Replies: 4, Views: 178)

    That's a big nope.
  82. Thread: Openstack? (by jflemingeds; Replies: 4, Views: 567)

    Re: Openstack?

    building replications of stuff mainly - only with magic!
  83. Re: Google Authenticator and Remote Access VPN

    I did a write up on how to install it onto a 750 http://blog.spikefishsolutions.com/2017/01/installing-and-using-google.html

    Granted that might not be how you end up using it. The Google 2FA uses...
  84. Re: cplic print -x licensing issue (Replies: 10, Views: 502)

    So take the time to fix the licensing issue. If you'll call account services they should be able to explain the differences between the two licenses, which doesn't seem right.

    Or you know.. um.....
  85. Re: cplic print -x licensing issue (Replies: 10, Views: 502)

    Well, does it let you use both 4 cores? Sounds like a buy 2 get 2 free deal if so.

    Try throwing up a vm and seeing if you get the same thing?
  86. Re: new build of R77.20.60? (Replies: 9, Views: 622)

    isn't 684 an 1100 image? I think I'd do the same to see what's up.
  87. Re: cplic print -x licensing issue (Replies: 10, Views: 502)

    I haven't dealt with open server licensing much, so keep that in mind, but are the two licenses the same, only one had an advanced blade added to the container, or are they different? Just thinking maybe...
  88. Re: IPSec VPN - Unknown SPI for IPSec packet

    Have you tried clearing phase I and Phase 2 on the remote firewall (Telstra_gw?). I'm guessing it's not a checkpoint and that it's still got a reference to the old vpn tunnel and checkpoint / 3rd party...
  89. Re: Trying to extract but it does not look like its working

    Ok, that's strange, what I was posting was just going to show what might have been inside the archive. It didn't really fix anything. Did you just end up downloading it again?
  90. Re: Trying to extract but it does not look like its working

    show the output of this command

    file DeploymentAgent_000001298_1.tgz

    If it says something like gzip then do this

    gzip -d DeploymentAgent_000001298_1.tgz

    and then run file on
  91. Re: Eliminate non-UTF-8 encoded chars (Replies: 9, Views: 452)

    Ok.. so 2nd stab.

    This works for objects_5_0.C hits

    grep --color='auto' -P '^\t\t:|[^\x00-\x7F]' objects_5_0.C | grep -B1 -P '^\t\t\t'

    This works for rulebases_5_0.fws hits

    grep...
  92. Re: DHCP leases not being freed (Replies: 1, Views: 170)

    So here is the deal, I don't remember if I stated this or not, but the issue is checkpoint saves all the leases in a database that is then converted to dhcpd format. The problem is this database does...
  93. Re: Eliminate non-UTF-8 encoded chars (Replies: 9, Views: 452)

    This worked for me. Came from a google search for "grep for none ascii" FYI. R80.10 now runs unicode. In order for Checkpoint to convert it assumes the old format is ascii. When it sees something...
  94. Re: Eliminate non-UTF-8 encoded chars (Replies: 9, Views: 452)

    Not sure about you, but it's telling me that wasn't very useful. I'll find an example and show what I found if that helps.

    BTW did the setting to say it's a Windows character set not help? I haven't...
  95. Re: Eliminate non-UTF-8 encoded chars (Replies: 9, Views: 452)

    Now that's some fancy grepping!
  96. Re: Eliminate non-UTF-8 encoded chars (Replies: 9, Views: 452)

    1. I used grep to print non-ascii characters. I'm still working through doing the upgrade but the upgrade tools stopped complaining. It's kind of a pain in the butt because you end up doing a lot of...
  97. attaching a lot of blades - user center is painful

    I have 20 firewalls that each have 2 blades that need to be attached. Each blade is a 3-year NGTP extension. Now if each one just added 3 years it would be slightly easier but each of the 20 has a date...
  98. Re: Clish- Is it possible to make multiple commands on the same line?

    also from bash.

    clish -c 'show hostname' && clish -c 'show date'
  99. DHCP leases not being freed (Replies: 1, Views: 170)

    FYI I'm starting to see reports of this. Looks like R77.20.20 and R77.20.60 are having issues. Don't know what the trigger is, but I keep running across boxes where leases are not being freed so...
  100. Re: Centrally managed 1490 - seriously screwed up control connections and VPN traffic

    Hurray! It's Miller time!
Results 1 to 100 of 500