CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.

Type: Posts; User: mcnallym


  1. Replies
    4
    Views
    113

    Re: Web Server Error

    Have always avoided Load Sharing so I don't really have any exposure to it beyond when being on Training Course.

    Other than suggesting tweaking the SDF trying the different options then cannot...
  2. Replies
    4
    Views
    113

    Re: Web Server Error

    If reading this correctly then if only one of the boxes is actually processing traffic then this works.

    What I would suspect is happening here is that the connection potentially been handled...
  3. Replies
    6
    Views
    581

    Re: NAT assistance

    I don't think is that on the same subnet that is an issue

    Looking at what you seeing then is always the first one that works.

    What happens if try

    Linux Client 10.0.1.1 to 192.168.1.1
    Linux...
  4. Replies
    3
    Views
    651

    Re: Numbered VTI in cluster

    When I configure VTI then to be honest always using 169.254.x.x addresses. Is used as unique to the local box and won't overlap with actual networks.

    What have is each member gets its own IP...
  5. Replies
    1
    Views
    340

    Re: Numbered Interface - VTI

    When using Numbered IP VTI then only relevant locally on the box and it's VPN Peer.

    Normally people seem to use 169.254.x.x IP addresses, using consecutive IP so for instance

    169.254.0.1 for...
  6. Re: Checkpoint Provider-1 and Proxy server configuration

    On the Check Point Object in SmartConsole then if expand the + for the Topology there is a sub section for Proxy

    Has two options

    First which is the Default which is

    use default proxy...
  7. Replies
    11
    Views
    1,852

    Re: MDS R77.30 restore. Some unexpected things.

    When you do the mds_backup then along with the backup then also places the gtar files etc that need to use along with the backup file to restore.

    Is important that use those gtar from where the...
  8. Re: Intervlan Routing configuration on checkpoint

    When you do a tcpdump on the eth1.20 or eth1.30 sub-interfaces do you see the traffic arriving.

    I am presuming here that defined the interfaces in Gaia OS, then updated the Topology with those...
  9. Re: Can we have R77 MDS and gateway running on R80

    No you cannot

    Generally speaking your Management should be on the same or later version than your gateway.

    There may be some exceptions, for instance you can manage R80.20 gateways from an...
  10. Replies
    1
    Views
    647

    Re: How to add a firewall in mds ?

    Same steps as if a SmartCentre.
  11. Replies
    1
    Views
    715

    Re: Sandblast appliance as firewall

    Is a specialist Appliance with specialist license.

    Is the same ISO these days as the regular appliance, so my personal thought would be NO, just use as a private on-premise...
  12. Re: Struggling with Identity Awareness : Auth on domain X, fetch group on domain Y

    Possibly this may be a language/choice of words thing however Check Point Identity Awareness won't look at Groups in AD.

    What Identity Awareness is doing is reading AD Server Logs so that as a...
  13. Replies
    2
    Views
    2,404

    Re: Checkpoint 3 tier Architecture

    Console
    Management Server
    Gateway / Enforcement Point

    Are your 3 tiers
  14. Thread: SIC questions

    by mcnallym
    Replies
    1
    Views
    454

    Re: SIC questions

    On the MDS then check the same way. Look at the Cluster and then the Members.
  15. Replies
    1
    Views
    473

    Re: How to rollback in checkpoint

    Really depends upon what trying to rollback from.

    For instance if simply a Jumbo HFA installation then can simply restore to a snapshot image taken before applying the hfa.
  16. Replies
    9
    Views
    643

    Re: VRRP works on which checkpoint version

    The only time that found VRRP better than ClusterXL is down to the Network Environment and the difference between how the two work.

    VRRP uses a Virtual MAC address for the HA IP address, which...
  17. Replies
    2
    Views
    2,255

    Re: The problem with the access

    Last Time I saw this was a few years ago where the ICA Cert had actually expired hence why couldn't connect.

    Ended up having to escalate to Check Point TAC to resolve the issue, and I know that...
  18. Replies
    13
    Views
    859

    Re: First time configuration wizard hanged up

    What 77.30 iso did you use to build this and what machine is this as depending upon what is then may need specific R77.30 build.
  19. Re: Export https inspection certificates off the firewall

    In SmartConsole then under the Application Control & URL Filtering / Advanced / HTTPS Inspection / Gateways then at the bottom then lists the Self Generated CA Certificate that would be generated.
    ...
  20. Re: 23500 - expansion cards are not visible .

    I have had some fun with 23500/23800 chassis and cards. Really need to make sure that inserted properly.

    Couple of times thought card was bad, but had to reseat the card. Does seem a little...
  21. Replies
    2
    Views
    907

    Re: Change Mgmt interface on appliance

    From your update then the Mgmt Interface not in the Topology so the Check Point Firewall won't know about it, only the Gaia OS will, and will get dropped at the Firewall.

    Mgmt is simply the label...
  22. Re: Redundant Domain-Based Site2Site IPSEC tunnel

    Real Easy

    FW-B has two Internet Connections so presumably has ISP Redundancy configured so can use both lines.

    Use VPN Link Selection and configure to

    Use Probing. Link redundancy mode
    ...
  23. Replies
    2
    Views
    545

    Re: Installing R77.30_T204

    https://supportcenter.checkpoint.com/supportcenter/portal/role/supportcenterUser/page/default.psml/media-type/html?action=portlets.DCFileAction&eventSubmit_doGetdcdetails=&fileid=54340&from=wizard
    ...
  24. Replies
    4
    Views
    698

    Re: Checkpoint RAS solutions

    Standalone IPSEC VPN Client

    Endpoint Security VPN ( SecureClient ) - Requires IPSEC VPN Blade, also requires Endpoint VPN License - Provides Office Mode and Desktop Policy from VPN Gateway...
  25. Re: Dedicated Management Port and Firewall Rules

    Sadly quite a few people get caught up with Check Point's naming of some Interfaces.

    Is the same with the larger boxes with the Synch Interface as well. Again that is simply a label and is equal...
  26. Replies
    3
    Views
    860

    Re: Simultaneous SSLVPN & IPSEC VPN

    Short Answer is that if a Check Point has a Site to Site VPN with an IP then it cannot establish a Remote Access from it.

    Basic idea is that if have a Site to Site then why not just use that.
    ...
  27. Replies
    10
    Views
    2,102

    Re: Security Management Server migration

    Leave the existing licenses on the Gateways initially.
    Get the licenses re-IPed to the new SMS IP address and then attach those updated licenses onto the gateways. Don't detach the old SMS IP...
  28. Replies
    1
    Views
    1,504

    Re: Saving a U-5 UTM

    IF you have the Gateway connected to a Management Server then can use this
    ...
  29. Re: Clean up rule in Application Control & Url filtering layer

    1.) ALL Traffic that gets passed by the Firewall Blade will get handed off to the Application Control/URL Filtering, not just HTTP/HTTPS in R77.30. With R80.10 then if kept the AppCtrl/URL as an...
  30. Replies
    5
    Views
    926

    Re: Domain based VPN and VTI

    Can you elaborate further as to the question as not quite sure what asking.
  31. Replies
    5
    Views
    926

    Re: Domain based VPN and VTI

    Yes you can

    Define YOUR Gateway with an Encryption Domain ( so can do Domain Based VPN )
    Define 1st Remote Gateway with an Encryption Domain ( so can do Domain Based VPN )
    Define 2nd Remote...
  32. Replies
    6
    Views
    1,689

    Re: Hotfix and Migration tool

    First thing you need to do is make sure that your Deployment Agent is the current one.
    ...
  33. Replies
    2
    Views
    659

    Re: Show routing table on Domain Based VPNs

    If there is then I have never found any documentation about it.
  34. Re: Migrate R77.30 Open Server to new appliance 5100

    Ok then first thing that would do is migrate the Management to R80.10, Use the Migration Tools to clean build an R80.10 then import the exported R80.10 config from the R77.30.

    Make sure get the...
  35. Re: Migrate R77.30 Open Server to new appliance 5100

    Are you looking to go from two clusters to two single boxes or two clusters based on 5100 Appliances?
  36. Re: have you ever seen this and how do you go about solving it?

    Have only seen something similar where the Search / Query Network Objects then use the Unused Objects in the refined filter says some object unused and when you do a right click where used on an...
  37. Replies
    3
    Views
    901

    Re: Mobile Access Config Help Please

    SCV would be what would be used and would look to check that your machine is domain joined

    : (RegMonitor
    :type (plugin)
    :parameters (
    :string...
  38. Re: Enforce source IP address change for Gaia 80.10

    The issue here will be that your NAT is being done upstream at the ISP.

    The 172.16.0.0/29 Network is used to link the Check Point to the ISP.

    The ISP has NAT configured to NAT traffic...
  39. Replies
    1
    Views
    512

    Re: vpn site to site full tunnel mode

    Star community

    Branches as satellite

    Under vpn routing go option 3 allowing satellites to vpn to each other and internet.

    Make sure that any of the satellite office networks when going to the...
  40. Replies
    3
    Views
    593

    Re: spoofing question.....

    External in Topology is simply saying that this is where IP addresses that not specified on another interface will be permitted as source

    As the MPLS Traffic not specified on another interface...
  41. Replies
    3
    Views
    712

    Re: Site2Site between 2 Cisco ASA

    What you need to do at the Check Point side is

    1.) Make sure is a Single Star Community that has the Cisco as Satellites
    2.) Set the VPN Routing in the Community so that Satellites can...
  42. Re: Can a Checkpoint R77.30 gateway enforce user authentication to a web server via R

    If this is all internal then what you want is to use Client Authentication.

    Requires that users HTTP or Telnet on 259 to the Gateway and Authenticate before they can pass through the rule ie
    ...
  43. Re: Smart Console error "Unable to get idle-time workstation locking policy"

    Might want to check if any group policy changes made on the Windows Side preventing SmartConsole locking the Machine if SmartConsole been idle.

    In Check Point is found under

    Global Properties...
  44. Re: Does Backup Job need inbound udp68 for Checkpoints?

    Would suggest a look at sk117433

    https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk117433&partition=Advanced&product=vSEC

    From that SK...
  45. Re: Management HA/Migrate Export and SIC Mess!

    What did you migrate import into the PRI.

    Reading this then is almost as if migrate imported the config from the SEC unit.

    If you have a backup of the PRI does it not contain the Check Point...
  46. Replies
    5
    Views
    2,590

    Re: site to site vpn

    Key thing to make sure is that in connecting with a Non-Check Point gateway that the Phase 2 negotiations are correct in terms of what the Meraki is expecting.

    ie that the Check Point doesn't...
  47. Re: Centrally managed remote cluster + VPN site to site

    OK your issue is that your Management Server sits inside the Firewall that has the VPN to the 14x0 Cluster. Check Point always adds the Gateway IP into the VPN

    As such when you push the VPN out...
  48. Re: Two factor authentication for Gaia portal and GUI client login

    For Gaia Portal/CLISH then your RSA would need to be via RADIUS connection.

    You can use RSA SecurID for SmartDashboard. Simply define the Admin Account and set the Authentication to SecurID.
  49. Replies
    3
    Views
    1,165

    Re: How to update waagent in Checkpoint Azure

    A search in the knowledgebase turns up nothing.

    What is it that wanting to update the Agent for?

    Searching throws up about trying to use the Azure Backup utility and not having the latest agent...
  50. Replies
    3
    Views
    690

    Re: Natting behind different ISPs

    You would need to remove the ISP Redundancy Configuration and create Policy Based Routing configuration to route the traffic from the various IP out of an ISP line.

    Cannot do PBR and ISP...
  51. Re: upgrade to GAIA 80.10 "command not found"

    You should be using the migrate command.

    The upgrade_export upgrade_import commands were replaced by the migrate command instead.

    So

    ./migrate import

    would be the command that would use...
  52. Replies
    3
    Views
    1,960

    Re: Enabiling Https inspection

    Installing the CA Cert into the Clients Trusted Store simply tells the machines that the CA is a Trusted CA Authority. This means that when the client makes a connection to a real website and gets...
  53. Replies
    3
    Views
    1,960

    Re: Enabiling Https inspection

    Without HTTPS Inspection then may find that some apps on HTTPS are not identified properly. Office 365 SK articles on Check Point specifically state that for Office365 Apps to work correctly then...
  54. Mobile Access Reverse Proxy - Anyone used yet

    Is there anyone out there that has used the Check Point Mobile Access Reverse Proxy in the real world yet.

    If so how have they found it.
  55. Re: Configure different public IP for Remote Access (S2S already present)

    Even easier then, as the work is done at your end rather than the far end.

    1.) Configure the NAT ( define a node object with the Cluster IP and accept the warning message ) so that when connecting...
  56. Re: Configure different public IP for Remote Access (S2S already present)

    If I understand what is happening is that you were able to Remote Access into YOUR gateway from a Customers location.

    You have now configured a Site 2 Site VPN with the Customer from the Gateway...
  57. Re: Intel CPU kernel bug FAQ: Fix for massive security flaw could slow down PCs and M

    Would put down to poor English ( anyone that done the exams will know where coming from! )

    I would suspect that as this a HARDWARE CPU vulnerability as opposed to a straight OS level that...
  58. Replies
    14
    Views
    1,516

    Re: VPN with 3rd party ASA

    Sounds like you are NATting the Traffic behind the Gateway as it goes out through the Check Point. That will cause the 3rd Party to simply see the External IP of the Gateway.

    Your Encryption...
  59. Thread: FW and Proxy

    by mcnallym
    Replies
    1
    Views
    925

    Re: FW and Proxy

    Nearest there is for X-Forwarded-For header support which is there if have additional software blades such as AppCtrl/URL etc enabled. ( if you have them then the only reason for Proxy Server is...
  60. Replies
    4
    Views
    992

    Re: Separate EPM Server - How to?

    Separate System so no need to create anything on the Firewall Management Server.
  61. Replies
    4
    Views
    992

    Re: Separate EPM Server - How to?

    Install as a Primary

    Will then want to add the Endpoint Addons ie R77.30.03 etc

    Will define itself on the Primary as Host
    Endpoint Licenses attached to the Endpoint Server IP. VPN Licenses...
  62. Re: Question regarding 'host access' during provisioning

    Personally tend to leave the Host Access settings alone on the Unit but set the Access to be via the Firewall Policy instead. Whilst building them then am not on the correct subnet for what would be...
  63. Replies
    4
    Views
    1,398

    Re: wiered r80.10 error when pushing policy

    What does cplic print show on the gateway

    Would suggest that detach and reattach the license using SmartUpdate

    Have seen similar behaviour previously with R7x software as well, and just...
  64. Re: Gateway as a Proxy - NAT Hiding Address Selection

    When using the Proxy then you make a connection to the Gateway, the gateway then makes a new connection from itself to the end destination on the Internet.

    As such the traffic won't match rules...
  65. Replies
    2
    Views
    1,006

    Re: Need decrypt utility for FDE

    If the machine is in contact with the Endpoint Server then in the Deployment simply ensure that the Deployment Rule that applies to your machine doesn't install the FDE Blade.

    When the machine...
  66. Re: Compatibility SecuRemote E80.62 and Gateway+MDS R80.10

    https://www.checkpoint.com/support-services/support-life-cycle-policy/#softwaresupport

    Is the Software Support Policy

    E80.62 support till Dec 2019. Is classed under Endpoint Security

    R80.10...
  67. Re: Check Point 4800 on either end of 1gb FIOS. VPN Throughput question

    Really depends upon what has been selling previously. SMB kit comes with the license pre-installed so wouldn't need to transfer the license. When you reset the device then it already has the...
  68. Re: Check Point 4800 on either end of 1gb FIOS. VPN Throughput question

    When Check Point sells the Appliance it comes with a License. The license is placed in the UserCentre Account of the Buyer.
    If they then resell the Appliance then the License should be transferred...
  69. Re: Check Point 4800 on either end of 1gb FIOS. VPN Throughput question

    You would need the license, however licenses are allocated/fixed with Appliances. So if you do buy a used 4800 make sure that you also get the UserCentre license moved across to a User Centre...
  70. Replies
    3
    Views
    3,292

    Re: R77.30 Upgrade to R80.10

    Would suggest that you build a NEW VM with R80.10, with the specs that you want moving forward, use the same IP and Hostname as existing unit and keep offline, ie stick on a dummy network so doesn't...
  71. Replies
    4
    Views
    914

    Re: R80 Appliance support

    IP Appliances go End of Life as in no more support 31st December 2018, so you want to be planning on replacement of any remaining IP Appliances. Purchasing etc always takes time so you really don't...
  72. Replies
    3
    Views
    829

    Re: Deploying IPS blade in Prevent mode

    http://dl3.checkpoint.com/paid/6f/6fc17adf262437c4a6206301d2ca6016/CP_IPS_BestPractices.pdf?HashKey=1506953287_20a06da3160fa6017d62f78ca1c7e59f&xtn=.pdf

    Is a pretty good starting point.

    If...
  73. Re: Checkpoint firewall can't reach tacacs servers-> logs show allowed

    Presuming that the firewall is a Gaia OS Firewall then can simply SSH into the unit and run the command

    show route

    This will then display the routing table of the Firewall.

    May well need to...
  74. Replies
    8
    Views
    9,116

    Re: How to use LOM interface on CP 12600

    sk92986

    lomipset <LOM_IP_ADDRESS> <LOM_NETMASK> <LOM_DEFAULT_GW_ADDRESS>

    If on R77.10 or newer

    Failing that use the ipmitool which is listed more in that SK.
  75. Re: Centrally managed 1490 - seriously screwed up control connections and VPN traffic

    What you want to do is use the crypt.def to exclude encrypting traffic to the External IP of the 1490 so that the Local Gateway doesn't recognise that the External IP is part of the VPN.

    When you...
  76. Re: "ERR_CONNECTION_REFUSED" error is displayed in web browser when connecting to Gai

    There are a number of things that this could be

    sk118801 goes through 5 possible scenarios and how can troubleshoot those 5 scenarios

    What was the last thing that was done on the unit before...
  77. Re: Cant reach resorses via static IPsec over remote VPN

    Does the SMB Code allow VPN Routing, as in Pass Traffic between VPN Tunnels.

    I know that on regular gateways that can enable Hub Mode which allows Remote Access Clients to route traffic through...
  78. Re: Upgrade from R77.30 JHFA 216 to R80.10 not working

    Pretty sure that a CPUSE Upgrade is an in-place upgrade.
  79. Re: File Shares not working when SMB1 on Windows Server is disabled/uninstalled

    Might be worth checking sk112202 on the Check Point site.

    File Shares using SMBv3 cannot be accessed using the Mobile Access Blade File Share application

    • Mobile Access File Share fails to...
  80. Re: Why CheckPoint is sending 0.0.0.0/ 0.0.0.0 Proxy ID to Cisco

    Always find pretty easy as well.

    Agree on what using for the P1 and P2 settings in terms of encryption, ie AES-256/SHA1 etc DH Group to use, PFS or not. Agree the subnets used for P2, edit the...
  81. Re: Why CheckPoint is sending 0.0.0.0/ 0.0.0.0 Proxy ID to Cisco

    Going to make an educated guess that the Community is set to be 1 VPN Tunnel per Gateway pair, or possibly under VPN advanced on the Gateway then is set to Custom Settings and then One VPN tunnel per...
  82. Re: Is there a way to shutdown all interfaces on one VSX?

    I presume you are looking to shutdown the interfaces for a VS in one go as opposed to simply shutting down individually.

    Not aware of a command to shutdown ALL the interfaces in a VS in one go,...
  83. Replies
    2
    Views
    754

    Re: IPS Profile and SmartEvent

    Regarding Port and Host Scan

    Taken from the Notes of the protections.

    Port Scan Protections can be set to Detect; they cannot be set to Prevent. The nature of this attack is to misuse...
  84. Replies
    2
    Views
    873

    Re: VPN S2S CheckPoint x Aker

    https://supportcenter.checkpoint.com/supportcenter/portal?action=portlets.SearchResultMainAction&eventSubmit_doGoviewsolutiondetails=&solutionid=sk108600#Scenario 4

    Possibly Scenario 4 in sk108600...
  85. Replies
    2
    Views
    2,047

    Re: Microsoft Azure acting as C&C?

    Colleagues seen some of this based on protection name

    There was some investigation work done which indicated that likely a false positive.

    Was reported to Check Point and waiting on...
  86. Re: can't perform mds_restore in a DEV environment from a mds_backup of a Production

    https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk62226&partition=Advanced&product=Multi-Domain

    Is the only thing that found for testing...
  87. Replies
    3
    Views
    1,171

    Re: random issues with identifying users

    All Identified Users is basically anyone that been identified. Would use where basically you only want identified users to be able to match. There are genuine cases where would use.

    Is the...
  88. Replies
    4
    Views
    1,844

    Re: checkpoint policy error

    No you will need to upgrade the license as in purchase from the HA to a Full License.

    Typically a HA License is discounted ( 20% seems to be a figure that springs to mind ) compared to a full...
  89. Thread: ipvanish vpn

    by mcnallym
    Replies
    4
    Views
    944

    Re: ipvanish vpn

    Wrong Type of VPN.

    IPVanish are not VPNs as in Site to Site but more Client to Site in that you need to use a Username and Password with the IPVanish Service. Check Point's Site to Site VPN...
  90. Replies
    9
    Views
    1,848

    Re: IPSEC Phase1 MM packet 1

    From the information then would believe that is an existing VPN Tunnel with 3rd Party.

    Knowledgebase entries indicate a couple of things that could be.

    Did it come back after about 10-15...
  91. Re: centrally managed 1100 with R75 from mgmt server with R80 ?

    We have managed 75.20 for SMB Appliances ie 1100 from R77.30 MDS without issue. As long as you select that is an 1100 and then the Correct Version then are good. If cannot select 1100 Appliance...
  92. Replies
    1
    Views
    1,266

    Re: unable to open https session

    May need to redo the SSL Connectivity

    Don't have much to do with IPSO anymore however as I understand it

    set voyager daemon-enable 0
    set voyager port 80

    Last time had to do this was with...
  93. Replies
    9
    Views
    1,590

    Re: Dear cpinfo / infoview programers

    Think I must have misunderstood your initial response as thought it was about the IKEView/uploader that referring to whereas see now that referring to the Infoview tool, which would agree with you...
  94. Replies
    9
    Views
    1,590

    Re: Dear cpinfo / infoview programers

    Are they unofficial tools and internal only?

    I know tools like confwiz weren't supported/official but Support Partners are expected to use IKEView for the VPN debug stuff aren't we and the...
  95. Thread: grrr

    by mcnallym
    Replies
    6
    Views
    1,467

    Re: grrr

    Put it through a Cisco Gateway - You KNOW it makes more sense!

    Only ever got SIP working ONCE without having to call TAC. Was literally 1 day after configuring SIP ( with TAC's help ) for another...
  96. Replies
    4
    Views
    1,458

    Re: Easy VPN at Checkpoint?

    You have to use VPN Certificates when using a DAIP, Dynamically Allocated IP Gateway with the Check Point.

    So you have to do the Certificate thing for the Check Point Gateway to identify the...
  97. Replies
    4
    Views
    1,458

    Re: Easy VPN at Checkpoint?

    https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk94028&partition=General&product=IPSec

    Substitute the 600/1100 for the ASA, do the...
  98. Replies
    2
    Views
    1,372

    Re: OPSEC Applications

    https://www.checkpoint.com/partners/opsec/

    Open Platform for Security.

    Is Check Point's API for linking 3rd party products into Check Point. Further details at the above link including who the...
  99. Replies
    2
    Views
    1,389

    Re: Enforcement module

    Enforcement Module is the Gateway / Firewall itself, as opposed to the Management Server or Console.
  100. Re: Upgrade Provider-1 R77.30 to R80.10 issue (is R80.10 ready for prime time).

    Thanks for the Clarification.
Results 1 to 100 of 500