CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.


Type: Posts; User: chillyjim


  1. Thread: VE HA

    by chillyjim
    Replies
    17
    Views
    10,222

    Re: VE HA

    We always recommend management HA, but as to if it is required in a given environment it depends on your level of risk tolerance.
    As long as you keep good documentation and perform migrate...
  2. Re: Management Server sits behind NAT - SIC issues

    Auto-NAT is good when a Check Point is doing the NAT. When it isn't a Check Point, as in management on AWS, you need to do the following:

    Manager's object Main IP Address set to the Public IP...
  3. Replies
    9
    Views
    2,849

    Re: Syslog Help Needed

    Cisco uses syslog and the normal logs do not contain as much data. There is log suppression configurable, but again straight syslog is not a good solution. SPLUNK and the like are.

    If you really...
  4. Replies
    9
    Views
    2,849

    Re: Syslog Help Needed

    Sending raw FW logs to a syslog server is a good way to kill it. What you see in Tracker/SmartLog is consolidated log entries, what you get in syslog is each and every log fragment with nothing on...
  5. Replies
    36
    Views
    6,112

    Re: CUL - Cluster

    I don't know of any current issues with DCE traffic but it has been a problem in the past. I would suggest getting to R77.30+JHF as the R77 kernel is noticeably better than the R75. Add to that R75.X...
  6. Replies
    14
    Views
    1,639

    Re: brand new R77.30 on IBM server

    If you know your Check Point SE tell them, it used to be noted on the HCL not to use the Broadcom NICs, but this sounds like a different issue. If you don't know them open an SR with all the info and...
  7. Replies
    5
    Views
    3,446

    Re: Migration from single gateway to cluster

    Good to this point. If you have a separate management network (and you really do want one) or you can use different VIP addresses from the existing gateway, skip #3.

    Yes but there is no need...
  8. Re: How to configure NTP for existed Checkpoint cluster without downtime?

    It depends on how much drift there is. If this is an Active/Standby cluster it won't be a problem, this will not cause a failover. Active/active if there is a lot of clock drift, 10s of seconds at...
  9. Re: Bridge Mode questions on CheckPoint Appliances

    This is the same in SPLAT. For a normal (VSX is different) you can have a mix of L2 & L3 interfaces, but be careful of the routing.

    That said almost everyone I know who has deployed this...
  10. Re: Best combination of firewall policy and application control for the following

    Starting with your FW rules -- All HTTP traffic from "SRV" is accepted on rule 1. Rule 2 will never be matched.
    On the APPL in rule 1 you accept all traffic from SRV to Villa, then on rule 2 you...
  11. Replies
    3
    Views
    2,183

    Re: Unable to access web console

    In SPLAT "webui enable 4434" to kick start the daemon and "fw unloadlocal" to take out any firewall rules that might be a problem.
  12. Re: very slow inter-VLAN communication via checkpoint

    It would imply you can get it to work but Check Point doesn't have the same support responsibility as if it was "supported" (on the HCL).
  13. Re: very slow inter-VLAN communication via checkpoint

    Not a supported card from what I can see. I've also seen a lot of comments that the performance is very poor. This is not just a Check Point issue. Google be2net and see...

    Supported 10GB cards...
  14. Replies
    7
    Views
    2,764

    Re: Need some help for site-to-site VPN

    You configure your community as a star and:

    Advanced Settings -> VPN Routing -> "To Center or through center to other satellites, to internet and other VPN targets"

    This is the easiest way.
  15. Re: Recommendations for producing a future-state rule set for review and documentatio

    Yes the -l option allows you to say which policy package you want to use.
  16. Replies
    3
    Views
    2,886

    Re: Upgrade GW from R75.40 to R77.20

    See also "save configuration" and "config_system" (lets you skip the FTW).
  17. Replies
    2
    Views
    1,280

    Re: SSL inspection

    My favorite SSL site...

    https://www.sslshopper.com/article-most-common-openssl-commands.html
  18. Replies
    2
    Views
    873

    Re: Maturity of 61k in question

    IIRC the 61K was released in 2012. The code release runs slightly behind the main-train release.
    You should not have any fear of the 61K. Any problem with the platform receives very high visibility....
  19. Replies
    19
    Views
    7,603

    Re: Bash Vulnerability

    There has been an IPS update to catch this.
  20. Replies
    5
    Views
    3,318

    Re: SmartWorkflow, Tufin, Algosec

    In that case I would look at Tufin.
  21. Re: HOWTO: Deal with stale ARP issues on adjacent routers

    Don't feel bad, I didn't know about either and I've been using Check Point 20 years.
  22. Re: Throughput question VPN-1 Edge vs 640 Series...

    Yeah it looks that way. 10 years you get a lot more CPU than you did.
  23. Replies
    14
    Views
    7,700

    Re: policy too slow

    That will make a big difference with large policies.
  24. Replies
    1
    Views
    959

    Re: 600 series questions...

    CPAP-SG640-NGTP = Wired only
    CPAP-SG640-NGTP-W-WORLD adds wireless AP to the device (International use)
    CPAP-SG640-NGTP-W-FCCA Wireless for US only
  25. Re: Throughput question VPN-1 Edge vs 640 Series...

    If you are using just FW/NAT then the S-Box should be fine. If you add services then the new platforms will be a lot better.
    It's as much a code thing as a hardware thing.
  26. Replies
    14
    Views
    7,700

    Re: policy too slow

    It depends on the size of the rule base. If it's large (>1000 objects + rules) that would sound about right.
    If it's not I would open a ticket right away.
  27. Replies
    6
    Views
    2,655

    Re: Connection to Switch

    Yes see http://www.cisco.com/c/en/us/td/docs/ios/12_2sb/feature/guide/gigeth.html for the Cisco side and from voyager it's in the menu.
    See...
  28. Replies
    6
    Views
    2,655

    Re: Connection to Switch

    LACP bonded interfaces if your switch supports them for link-layer redundancy.

    I do not understand
  29. Re: SSO for domain user and captive portal for user guests

    Captive Portal is the authentication of last resort effectively. So if you have ADQ and/or Agent your domain systems should authenticate without the portal and non-domain (guest) systems will get the...
  30. Replies
    5
    Views
    1,680

    Re: Need urgent help on unique issue

    FYI: SecureClient & Office Mode will resolve most of the above.
  31. Replies
    9
    Views
    2,276

    Re: Blocking images (Google, Craigslist etc)

    There is a "transparent" portal if the user is using a browser that supports AD Kerberos. Then only users that do not have a KRB ticket are asked to sign in. Interim option until the Aruba stuff is...
  32. Replies
    5
    Views
    3,318

    Re: SmartWorkflow, Tufin, Algosec

    You should really be looking at Workflow and the Compliance blades for a complete Check Point solution. Tufin & Algosec does do more than Check Point but it really comes down to what you need to...
  33. Replies
    9
    Views
    2,276

    Re: Blocking images (Google, Craigslist etc)

    It should.

    ADQ as it works today doesn't. PAN is agent based (not a client agent but server agent) so it functions a little different. I do know there is more flexibility coming due to changes in...
  34. Replies
    9
    Views
    2,276

    Re: Blocking images (Google, Craigslist etc)

    Not really unless you are OK with an untrusted certificate warning at the client end.

    If you are using AD Log Query, until there is a log of the login we cannot detect it.
    If you are using the...
  35. Replies
    6
    Views
    1,401

    Re: Splat to Gaia Migration

    https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk92965&js_peid=P-114a7bc3b09-10006&partition=General&product=Security#Documentation

    Look...
  36. Replies
    19
    Views
    9,332

    Re: RSA SecurID and SmartDashboard (R75.20)

    Yes please post. This is the place for "unofficial" how-tos and if you needed to do it, someone else will too!
    Thanks.
  37. Re: Really slow DNS causing browser hangs when VPN connected

    Please PM me your SR# and I will take a look.
    Unusable Internet connectivity is not an expected behavior. This has to be an environment/configuration issue. I am on VPN almost full time with issue.
  38. Re: about change CheckPoint firewall's time-setting

    Re IPSec: you are correct that the differential makes a difference. If that differential suddenly changes it can cause the connection to drop. The actual time is an issue with the certificates used...
  39. Re: about change CheckPoint firewall's time-setting

    IIRC when we had the Daylight Savings Time change a few years back, one of the Check Point SE's tested SIC's tolerance and it was pretty long so even shifting a few hours shouldn't be an issue. That...
  40. Replies
    8
    Views
    4,599

    Re: Running Checkpoint on Cisco UCS servers

    The more people that ask their SE's for support of this or any platform the more likely it will be. That said, the vast majority of UCS I see are ESX boxes which is a very good option for management....
  41. Replies
    24
    Views
    25,874

    Sticky: Re: Welcome back!

    Thank you Eric, Kevin & the rest of the Netanium crew.
  42. Replies
    304
    Views
    132,471

    Re: R70 "Free Upgrade" Check Point Promo Discussion

    ADN is SplatPro and QOS (and I think IPS redundancy). If you have a separate SPLATPro or FG-1 license for this that didn't convert correctly, you just need to contact account services and they will...
  43. Replies
    5
    Views
    1,573

    Re: Help Needed with Antique Firewall

    Boy I thought "Antique" we were talking pre-3.0 :)
  44. Replies
    8
    Views
    3,223

    Re: IP Appliance Throughput Testing

    As stated above, if the traffic comes off the ADP card you will pay a significant penalty vs. a normal NIC. The most you will get is about 3Gbps if the traffic comes off the card. If it stays on the...
  45. Replies
    8
    Views
    3,223

    Re: IP Appliance Throughput Testing

    WRT number of interfaces. Yes the published numbers are across all the interfaces.

    WRT ADP, w/o acceleration and if the traffic doesn't stay on the card, ADP can hurt your performance. Before...
  46. Replies
    2
    Views
    2,043

    Re: free vpn client

    https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk61286
  47. Replies
    14
    Views
    9,581

    Re: Check Point (R71) to Cisco (8.3) IPSEC VPN

    No, all the info is compiled into the policy, not distributed as files.
  48. Replies
    7
    Views
    11,416

    Re: Checkpoint to Fortigate IPSec VPN

    Not sure about the topology, I just know I needed that set in order to make it work at all.
    You might want to take a look at an ike debug to see what the FG is sending.
  49. Replies
    9
    Views
    39,851

    re: How to export rulebase to Excel?

    Yes I've done it before, but haven't tried it in a while.
    You do need to have the template and Excel Pro for it to work.
  50. Replies
    7
    Views
    11,416

    Re: Checkpoint to Fortigate IPSec VPN

    Fortigate requires you to set the interoperable device to use a wild card VPN domain.
  51. Replies
    12
    Views
    5,353

    Re: How to upgrade the license from R65 to R75

    This you should get, if you didn't please call your account team and/or account services.

    Again this only applied to Reporter where the first five edges counted as one. The SVM license may...
  52. Replies
    14
    Views
    9,581

    Re: Check Point (R71) to Cisco (8.3) IPSEC VPN

    Sigh....If only the real world (tm) would allow such.

    PS. Apparently one of the IOS/ASA interoperability problems is the one discussed in sk42315. An ASA will expire/re-negotiate Phase I SA but...
  53. Replies
    14
    Views
    9,581

    Re: Check Point (R71) to Cisco (8.3) IPSEC VPN

    Yes, changes made on the SmartCenter.
  54. Re: Having to save a policy before opening another

    Nope. Wish there was, it bugs me too.
  55. Replies
    9
    Views
    39,851

    re: How to export rulebase to Excel?

    Confwiz (sk41719) will export your rulebase (and objects) to XML which can then be read by Excel. See sk42302 for the Excel template.
  56. Replies
    12
    Views
    5,353

    Re: How to upgrade the license from R65 to R75

    UserDirectory was always a licensed feature. If you had a SmartCenter Pro license it was included and still will be when you upgrade.

    With the exception of SmartReporter that has always been...
  57. Replies
    14
    Views
    9,581

    Re: Check Point (R71) to Cisco (8.3) IPSEC VPN

    Two major things to check.

    First make sure the community is set to negotiate on subnet not gateway, then take a look at sk19243 for how to force negotiation to a /24 instead of super-netting.
    ...
  58. Replies
    3
    Views
    2,334

    Re: How to get R71 for learning

    Hrmm that's silly. Well maybe not from a marketing POV.

    I would contact a reseller or call into Check Point and ask the inside sales folks for a copy.

    If that doesn't work let me know and I'll...
  59. Re: SCS + Reporter Windows R65 to R71 Path Problem

    Short answer don't use windows, use SPLAT.

    Longer answer, a lot of stuff ends up in %SystemRoot%\fw1 but the big stuff (logs and the like) end up where you told it to install.
  60. Replies
    14
    Views
    4,143

    Re: Your Favorite DELL Hardware for SPLAT

    Hijacking the thread...

    My that's one BIG gateway!!

    Sounds like it would make a good SmartCenter/SmartEvent server as well.

    Being out of the server market for a long time now, what is...
  61. Replies
    3
    Views
    2,334

    Re: How to get R71 for learning

    Go to Try Our Products | Check Point Software and you should be able to get a copy to try.
    If that doesn't work, contact a reseller.
  62. Replies
    11
    Views
    4,348

    re: IPS Blade Crashes Since R71 Upgrade

    I have seen similar problems that were fixed by doing an IPS update (I gather it ends up replacing corrupted HTML files).
  63. Re: Multi domain Management (R75) on VMware ESXi 4.1

    I have at least one customer running R71.<something> on ESXi 4.1 without any issues.
    **NOTE: Not supported yet by Check Point (AFAIK) and really not supported by me**
  64. Re: Licensing question - Now R70.1 to R75 management server

    The simplest thing to do would be to run the Software Blade upgrade tool and see what it generates. You do not have to "commit" the upgrade.
  65. Replies
    4
    Views
    2,538

    I don't think so but I'm double checking.

    Now confirmed. SD is not needed with IAB.
  66. Replies
    3
    Views
    5,988

    Re: Tunnel Management / VPN Tunnel Sharing

    My route...

    If Check Point to Check Point (Including Edge) use one SA per gateway pair.
    If between non-Check Point then start with one per sub-net pair.
    If that doesn't work, try per host.
    ...
  67. Replies
    5
    Views
    1,752

    What ver of gateway & VPN client are you using?

    Does the VPN work with any other systems?
  68. Re: Senior Check Point Firewall Engineer Wanted

    I still have a customer on 3.0b! Yes he is paying SS.
    We won't even discuss the 4.1 and FP3 customers still out there.
  69. Replies
    29
    Views
    8,378

    Re: Power-1 appliance 9075 vs Splat gateways...

    If you are going to go with standard support the appliance support rate is 12% in the US.

    As I said, YOU have to run the numbers and do what's right for YOU. Not everyone is the same.
    I do a lot...
  70. Replies
    29
    Views
    8,378

    Re: Power-1 appliance 9075 vs Splat gateways...

    The major advantage to the appliances is the 17% support rate IMHO. There is no "technical" advantage, and you may well be able to "roll your own" for less. That said a lot of people like the...
  71. Replies
    6
    Views
    1,971

    Re: Move FW to be managed by new Smart Center

    Yes you would if it's "on" at the same time as the non-DR.

    The "Right" solution from a check point stand point, would be to use management HA.
    The other option, not quite a backup/restore but a...
  72. Thread: Project Gaia

    by chillyjim
    Replies
    82
    Views
    27,620

    Re: Project Gaia

    People with EA versions are under NDA not to discuss the product until it has been released. It may be different in the public EA but I don't know.

    If you are looking for a lab copy, please contact...
  73. Re: This new forum on the Identity Awareness Blade

    **NOTE** For the life of the license there is no support uplift even if there is a charge for IAB after 12/31/2011
  74. Replies
    14
    Views
    4,327

    Re: IKE Version 1

    Used it with a Fortinet box. Still trying to find the developer that added it, have to hug her/him :)
  75. Replies
    14
    Views
    4,327

    Re: IKE Version 1

    Yeah you would think so, but not so much.
    R71+ (maybe R70) allows you to set an inter-operable device to use "wildcard domains" AKA a proxy-id of 0.0.0.0/0.0.0.0 like Juniper and other broken VPN...
  76. Replies
    5
    Views
    2,365

    Re: Identity Awareness Blade trial

    R75 also includes an on-demand 45 trial license.
    IAB is licensed free of charge (with no support uplift for the life of the license) until 12.31.2011 (at least) for products under support.
  77. Replies
    5
    Views
    2,487

    Re: Cluster member licensing

    A HA licensed box must be in a cluster with at least one non-HA box.
    Now is that how it's enforced? Not sure, if it's working for you now, you're probably OK until you get the RMA box in. To be...
  78. Re: Platform Hardware setting for a UTM-1 Cluster

    As long as the version you are using has the correct hardware type (Which R62+ does for UTM-1) then use it. Otherwise use Open Server (Assuming SPLAT).

    Does it really matter? Probably not for most...
  79. Replies
    25
    Views
    7,913

    Re: Sharing cpinfo

    Then I want to be your account team! (That's about an $8M usercenter at list price.)
  80. Re: Endpoint Security R80 Available for Download

    Yes there is FDE available with R80, just not the R73 version.

    There are plans to unify them from what I was told, but no time table.
  81. Re: Upgrade R65 to R70 ? R71? What's the best choice

    Check Point R71 April 2010 R71 April 2014
    Check Point R70 March 2009 R70 March 2013


    It's all on Check Point Enterprise Support Timeline
  82. Replies
    39
    Views
    13,570

    Re: R75 available for download..

    Yes it should be this year (2011) not 2012. For that matter, last I knew it should be Q1 but I haven't seen a release update in a while.

    As always, if you are in particular need talk to your SE...
  83. Replies
    39
    Views
    13,570

    Re: R75 available for download..

    Gaia was not supposed to be released as part of R75, it's a separate release.
    AFAIK it has not been released yet, but it is close. Keep your eyes open.
  84. Replies
    10
    Views
    2,976

    Re: distributed cluster

    Make sure both members can see the traffic (otherwise a cluster isn't getting you anything).
    Latency on the sync link should be <100 ms. Bandwidth should be gig on sync if you can.
  85. Replies
    4
    Views
    19,289

    Re: New Year! New Router! Set Up Question?

    This is most likely not the problem but having just spent too much time trying to hunt down a bad connection, it turns out that the comcast routers can only drive about 50 feet of Cat5 cable before...
  86. Replies
    13
    Views
    4,907

    Re: Enabling smartportal on R70 SPLAT

    IIRC that was fixed in one of the HFA's (I think it was R70 that I ran into the problem).
  87. Replies
    3
    Views
    1,944

    Re: eventia upgrade r65.70 to r70

    By not upgrade, do you mean not installed or is R65 Eventia still running.

    If not installed, then you should be able to re-run the upgrade. If R65 is still running, call support.
  88. Thread: IPS problem?

    by chillyjim
    Replies
    2
    Views
    1,797

    Re: IPS problem?

    Sounds like you are getting hung up on one of the client (browser) protections. Assuming you have tried to update your IPS, I would look for BHO's and add-ons on the browser side.

    I'm sure there...
  89. Replies
    1
    Views
    1,261

    Re: Query/Questions

    Don't think I understand the question. The gateway will stop passing traffic until it's finished rebooting and loading policy.

    Lots of stuff can be happening.

    Two useful commands are "fw...
  90. Replies
    7
    Views
    3,626

    Re: Dell R710 and SPLAT NGx R71.20 assistance

    One note on this, we (Check Point) have seen performance problems with Broadcom NICs under heavy load. There are several posts on CPUG about this. They will work just fine for sync and management,...
  91. Re: SPLAT R71.20x on Dell PowerEdge R710 with 12GB RAM

    Well then, 12GB's of RAM it is! Guess you buy a few of them.
    They will sure be nice for Gaia 64 when it comes out.
  92. Replies
    39
    Views
    13,570

    Re: R75 available for download..

    This usually means it will be released real soon.
    They tend to set up the links and such just before posting the new product.

    I'm sure there will be a nice big splash page when it's official.
  93. Re: SPLAT R71.20x on Dell PowerEdge R710 with 12GB RAM

    It should work (It does for most systems). As said above, more than 4 GB for a gateway isn't going to do much (PAE in the case of a gateway will hurt performance). A smartcenter, smartevent or...
  94. Replies
    15
    Views
    3,670

    Re: SPLAT R71.10 on Dell PowerEdge 1850

    A quick rescan and I stopped at R65 HFA70, so sorry.

    I assume you have tried a different 1850 (can't tell from you posts)?

    I don't have an 1850 to see myself (and my 38<something> won't turn on...
  95. Replies
    15
    Views
    3,670

    Re: SPLAT R71.10 on Dell PowerEdge 1850

    If you have an R70.x CD see if that works (I suspect not). Both use the same install kernel. I have had this problem in the past using a serial port.
  96. Replies
    15
    Views
    3,670

    Re: SPLAT R71.10 on Dell PowerEdge 1850

    Well if the CD works on other systems, and the system can boot off of other CD's, sounds like it's a keyboard problem. Try a different keyboard (PS/2 if you have one).
  97. Re: Announcing the Mobile Access Software Blade

    FWIW we use it internally. I've been using it for iPhone e-mail access and it works well. We have a few "sites" set up, but they don't display well on an iphone (nothing to do with the VPN).
  98. Replies
    17
    Views
    5,697

    Re: Active-Active Failover

    This is one of those "it depends" things. If you are in a spot where you really need Active/Active then it can really improve performance. If you are in a condition where you are just hammering the...
  99. Replies
    7
    Views
    2,715

    Re: SPLAT R71.10 as layer-2 firewalls

    I think so, I'll look around when I get home.

    The problem isn't L2 it's L2 clusters. There are just some switches/software versions that won't work.
  100. Replies
    7
    Views
    2,715

    Re: SPLAT R71.10 as layer-2 firewalls

    Yes I've done it. It is very dependent on your switches and switch configuration. Contact your SE, as this configuration (for now anyway) needs to be approved by the Solution Center.

    That all...