CPUG: The Check Point User Group


Thread: R80.10 Public Early Availability

  1. #1
    Join Date
    2005-08-14
    Location
    Gig Harbor, WA, USA
    Posts
    2,367
    Rep Power
    15

    Default R80.10 Public Early Availability

    I am happy to announce that we have launched a new Public EA program for Check Point R80.10.
    Join the Public EA program for Check Point R80.10 via the UserCenter’s Public EA page.
    You can all access and register to the Public EA release via - usercenter.checkpoint.com -> TRY OUR PRODUCTS -> Early Availability Programs ->
    CPEA-EVAL-R80.10
    http://phoneboy.org
    Unless otherwise noted, views expressed are my own

  2. #2
    Join Date
    2005-08-14
    Location
    Gig Harbor, WA, USA
    Posts
    2,367
    Rep Power
    15

    Default Re: R80.10 Public Early Availability

    It's worth noting there has been an updated drop of the R80.10 EA code available (has been for a couple weeks now).
    I highly recommend giving it a spin in your lab and submitting feedback through the EA program.
    http://phoneboy.org
    Unless otherwise noted, views expressed are my own

  3. #3
    Join Date
    2016-09-13
    Location
    Japan
    Posts
    53
    Rep Power
    2

    Default Re: R80.10 Public Early Availability

    #####
    Test environment
    #####

    >>> Mgmt: R80.10 eval license

    # cplic print
    Host Expiration Features
    192.168.20.81 17Apr2017 CPSB-EVAL CPSM-C-U CK-96FEE63037BB

    [Expert@GAIAR80:0]# fw ver
    This is Check Point's software version R80.10 - Build 005


    >>> GW: R80.10 eval license
    # cplic print
    Host Expiration Features
    192.168.20.80 17Apr2017 CPSB-EVAL CK-96FEE63037BB

    [Expert@GAIAR80GW:0]# fw ver
    This is Check Point's software version R80.10 - Build 005


    >>> SmartConsole Windows 10 Pro build 1607 x64


    #####
    Topology
    #####

    LAN >>> GW R80.10 >>> Internet
                |
              Mgmt
           Gaia R80.10

    Mgmt subnet: 192.168.20.0/24
    GW mgmt IP: 192.168.20.80
    MGMT server IP: 192.168.20.81


    #####
    Issue
    #####

    Did not change Mgmt, GW ports; default setup.

    UC Portal is redirected to the gateway WebUI login not to the UC AV block page. Both Prevent and Ask.

    Can see the redirect in packet captures.

    Kernel debug fw ctl debug -m UC all
    =======

    ;19Jan2017 18:44:10.777138;[fw4_0];1484851450:[SID: 01862] {webapi} uc_set_redirect_url: Original URL: http://amtso.security-features-check.com/eicar.zip, orig_url_encoded: aHR0cDovL2FtdHNvLnNlY3VyaXR5LWZlYXR1cmVzLWNoZWNrLmNvbS9laWNhci56aXA=;
    ;19Jan2017 18:44:10.777145;[fw4_0];1484851450:[SID: 01862] {webapi} uc_set_redirect_url: The url wasnt fixed and stayed: http://192.168.20.80/UserCheck/PortalMain;
    ;19Jan2017 18:44:10.777150;[fw4_0];1484851450:[SID: 01862] {webapi} uc_set_redirect_url: The size of the URL is 162;
    ;19Jan2017 18:44:10.777156;[fw4_0];1484851450:[SID: 01862] {webapi} uc_set_redirect_url: redirecting to http://192.168.20.80/UserCheck/PortalMain?IID=6630C6AC-343B-AA26-54C3-05B47D4363A1&origUrl=aHR0cDovL2FtdHNvLnNlY3VyaXR5LWZlYXR1cmVzLWNoZWNrLmNvbS9laWNhci56aXA; <<< This redirects to GW login page.
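
The `uc_set_redirect_url` debug lines in the post above can be checked mechanically. This is an added example, not part of the original thread and not Check Point code: it pairs each `Original URL` line with the `redirecting to` line that follows, decodes the base64 `origUrl` parameter (which the redirect carries without `=` padding), and confirms it matches the blocked request. The sample is the post's own output re-joined onto single lines; the function and field names are assumptions.

```python
import base64
import re
from urllib.parse import urlsplit

# Constructed sample: two of the debug lines from the post, re-joined onto single lines.
SAMPLE = (
    ";19Jan2017 18:44:10.777138;[fw4_0];1484851450:[SID: 01862] {webapi} "
    "uc_set_redirect_url: Original URL: http://amtso.security-features-check.com/eicar.zip, "
    "orig_url_encoded: aHR0cDovL2FtdHNvLnNlY3VyaXR5LWZlYXR1cmVzLWNoZWNrLmNvbS9laWNhci56aXA=;\n"
    ";19Jan2017 18:44:10.777156;[fw4_0];1484851450:[SID: 01862] {webapi} "
    "uc_set_redirect_url: redirecting to http://192.168.20.80/UserCheck/PortalMain"
    "?IID=6630C6AC-343B-AA26-54C3-05B47D4363A1"
    "&origUrl=aHR0cDovL2FtdHNvLnNlY3VyaXR5LWZlYXR1cmVzLWNoZWNrLmNvbS9laWNhci56aXA;\n"
)

ORIG_RE = re.compile(r"uc_set_redirect_url: Original URL: (\S+), orig_url_encoded: ")
REDIR_RE = re.compile(r"uc_set_redirect_url: redirecting to ([^\s;]+)")

def decode_orig_url(value):
    """Base64-decode origUrl; restore the '=' padding the redirect omits."""
    padded = value + "=" * (-len(value) % 4)
    try:
        return base64.b64decode(padded).decode("utf-8", errors="replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return None

def parse_uc_redirects(text):
    """Pair each 'Original URL' line with the 'redirecting to' line after it."""
    events, original = [], None
    for line in text.splitlines():
        m = ORIG_RE.search(line)
        if m:
            original = m.group(1)
            continue
        m = REDIR_RE.search(line)
        if not (m and original):
            continue
        target = urlsplit(m.group(1))
        # Split the query by hand: parse_qs would turn a base64 '+' into a space.
        params = dict(p.split("=", 1) for p in target.query.split("&") if "=" in p)
        decoded = decode_orig_url(params.get("origUrl", ""))
        events.append({
            "original_url": original,
            "portal_host": target.hostname,   # address the client is sent to
            "portal_path": target.path,
            "iid": params.get("IID"),
            "decoded_orig_url": decoded,
            "matches_request": decoded == original,
        })
        original = None
    return events

if __name__ == "__main__":
    print(parse_uc_redirects(SAMPLE))
```

The `portal_host` value is the address to compare against the gateway's interface definitions when the redirect lands on the wrong page.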

  4. #4
    Join Date
    2005-08-14
    Location
    Gig Harbor, WA, USA
    Posts
    2,367
    Rep Power
    15

    Default Re: R80.10 Public Early Availability

    Quote Originally Posted by Tsubasa View Post
    UC Portal is redirected to the gateway WebUI login not to the UC AV block page. Both Prevent and Ask.

    Can see the redirect in packet captures.
    Please engage with the EA team on this issue.
    http://phoneboy.org
    Unless otherwise noted, views expressed are my own

  5. #5
    Join Date
    2016-09-13
    Location
    Japan
    Posts
    53
    Rep Power
    2

    Default Re: R80.10 Public Early Availability

    Quote Originally Posted by PhoneBoy View Post
    Please engage with the EA team on this issue.
    I did.
    Thanks for the reply.
    When the reply comes I will update this thread.

  6. #6
    Join Date
    2016-09-13
    Location
    Japan
    Posts
    53
    Rep Power
    2

    Default Re: R80.10 Public Early Availability

    Sent email to ea_support@checkpoint.com:



    #####
    Checkpoint's reply
    #####

    I’m Lotan from the Early Availability team in Check Point.

    I would like to thank you for participating in the R80.10 Public EA.



    We would appreciate it if you could take some time to fill this quick questionnaire regarding your experience with the EA product.



    http://www.checkpoint.com/surveys/ea...y-r80.10-eval/



    Thank you,

    The Check Point Early Availability Team



    @PhoneBoy

    Is this the normal flow ?

    Thanks

  7. #7
    Join Date
    2006-03-08
    Location
    Lausanne
    Posts
    966
    Rep Power
    12

    Default Re: R80.10 Public Early Availability

    Quote Originally Posted by Tsubasa View Post
    Sent email to ea_support@checkpoint.com:



    #####
    Checkpoint's reply
    #####

    I’m Lotan from the Early Availability team in Check Point.

    I would like to thank you for participating in the R80.10 Public EA.



    We would appreciate it if you could take some time to fill this quick questionnaire regarding your experience with the EA product.



    http://www.checkpoint.com/surveys/ea...y-r80.10-eval/



    Thank you,

    The Check Point Early Availability Team



    @PhoneBoy

    Is this the normal flow ?

    Thanks
    Not a PhoneBoy, but yes.
    EA implies your feedback to Check Point. That's the main idea for giving you the ability to check code even if it is not GA yet.
    -------------

    Valeri Loukine
    CCMA, CCSM, CCSI
    http://checkpoint-master-architect.blogspot.com/

  8. #8
    Join Date
    2005-08-14
    Location
    Gig Harbor, WA, USA
    Posts
    2,367
    Rep Power
    15

    Default Re: R80.10 Public Early Availability

    Quote Originally Posted by Tsubasa View Post
    Did not change Mgmt, GW ports; default setup.

    UC Portal is redirected to the gateway WebUI login not to the UC AV block page. Both Prevent and Ask.

    Can see the redirect in packet captures.
    The most common reason for this scenario (according to my R&D contacts) is when the UserCheck portal is configured to work only on internal interface (the default), but the portal is being accessed from what the GW considers as external interface.

    [Image: pic1.png]

    In this case the GAIA portal will be reached instead.
    To resolve it, you need to either allow access to UserCheck Portal from “all interfaces” or make sure that the interface from which the user is being redirected to the portal is indeed internal (and defined as such in the topology tab).

    [Image: pic2.png]
    http://phoneboy.org
    Unless otherwise noted, views expressed are my own

  9. #9
    Join Date
    2005-08-14
    Location
    Gig Harbor, WA, USA
    Posts
    2,367
    Rep Power
    15

    Default Re: R80.10 Public Early Availability

    Quote Originally Posted by Tsubasa View Post
    Is this the normal flow ?
    Public EA support in general is "best effort."
    I would expect something slightly beyond "fill out the survey" (please do that, it helps gauge the product quality).
    Someone from R&D saw the thread and gave me some information to give you about this problem, which I posted on separately.
    http://phoneboy.org
    Unless otherwise noted, views expressed are my own

  10. #10
    Join Date
    2016-09-13
    Location
    Japan
    Posts
    53
    Rep Power
    2

    Default Re: R80.10 Public Early Availability

    Quote Originally Posted by PhoneBoy View Post
    The most common reason for this scenario (according to my R&D contacts) is when the UserCheck portal is configured to work only on internal interface (the default), but the portal is being accessed from what the GW considers as external interface.

    [Image: pic1.png]



    In this case the GAIA portal will be reached instead.
    To resolve it, you need to either allow access to UserCheck Portal from “all interfaces” or make sure that the interface from which the user is being redirected to the portal is indeed internal (and defined as such in the topology tab).

    [Image: pic2.png]

    Thanks PhoneBoy. Apologies for this dumb question regarding UC.
    Management prefix 192.168.20.0/24 and interfaces were considered external {had a default route through 192.168.20.254 on the gateway which I forgot to delete :) }
    UC works now. Screenshot name: INTUC1

    ###

    Steps done to make it work

    ###

    >>> Allowed UserCheck portal from "all interfaces" Screenshot name: INTUC2

    >>> made 192.168.20.0/24 an internal subnet Screenshot name: INTUC3



    Thank you and the developer for your prompt reply.

    btw the developer R&D is from Israel?
    Attached thumbnails: INTUC1.jpg, INTUC2.jpg, INTUC3.jpg

  11. #11
    Join Date
    2016-09-13
    Location
    Japan
    Posts
    53
    Rep Power
    2

    Default Re: R80.10 Public Early Availability

    Quote Originally Posted by Tsubasa View Post
    Thanks PhoneBoy. Apologies for this dumb question regarding UC.
    Management prefix 192.168.20.0/24 and interfaces were considered external {had a default route through 192.168.20.254 on the gateway which I forgot to delete :) }
    UC works now. Screenshot name: INTUC1

    ###

    Steps done to make it work

    ###

    >>> Allowed UserCheck portal from "all interfaces" Screenshot name: INTUC2

    >>> made 192.168.20.0/24 an internal subnet Screenshot name: INTUC3



    Thank you and the developer for your prompt reply.

    btw the developer R&D is from Israel?

    ###

    Steps done to make it work

    ###
    >>> Also can change UC portal listening address to another interface IP.
    Screenshot name: INTUC5,INTUC6
    Attached thumbnails: INTUC5.jpg, INTUC6.jpg

  12. #12
    Join Date
    2009-04-30
    Location
    Colorado, USA
    Posts
    2,050
    Rep Power
    12

    Default Re: R80.10 Public Early Availability

    Quote Originally Posted by Tsubasa View Post
    Management prefix 192.168.20.0/24 and interfaces were considered external {had a default route through 192.168.20.254 on the gateway which I forgot to delete :) }
    Not having your firewall's interfaces properly defined as External or Internal in the object's Topology can cause all kinds of strange effects like this and even incur performance issues. Very important to make sure the firewall interfaces are completely and correctly defined as a LOT of features depend on it being correct.
    --
    My book "Max Power: Check Point Firewall Performance Optimization"
    now available via http://maxpowerfirewalls.com.

  13. #13
    Join Date
    2016-09-13
    Location
    Japan
    Posts
    53
    Rep Power
    2

    Default Re: R80.10 Public Early Availability

    Quote Originally Posted by ShadowPeak.com View Post
    Not having your firewall's interfaces properly defined as External or Internal in the object's Topology can cause all kinds of strange effects like this and even incur performance issues. Very important to make sure the firewall interfaces are completely and correctly defined as a LOT of features depend on it being correct.
    Yep. Keep in mind.

    By the way, I cannot find your book here in Japan and need it.
    Only in US stores.

  14. #14
    Join Date
    2009-04-30
    Location
    Colorado, USA
    Posts
    2,050
    Rep Power
    12

    Default Re: R80.10 Public Early Availability

    Quote Originally Posted by Tsubasa View Post
    Yep. Keep in mind.

    By the way, I cannot find your book here in Japan and need it.
    Only in US stores.
    You can buy a PDF of the book online with a credit card.

    For hardcopies, does Amazon not have a Japan version? Also, you can order the book directly from the publisher CreateSpace and they offer worldwide shipping; more info at the URL below.
    --
    My book "Max Power: Check Point Firewall Performance Optimization"
    now available via http://maxpowerfirewalls.com.

  15. #15
    Join Date
    2016-09-13
    Location
    Japan
    Posts
    53
    Rep Power
    2

    Default Re: R80.10 Public Early Availability

    Quote Originally Posted by ShadowPeak.com View Post
    You can buy a PDF of the book online with a credit card.

    For hardcopies, does Amazon not have a Japan version? Also, you can order the book directly from the publisher CreateSpace and they offer worldwide shipping; more info at the URL below.
    Amazon Japan does not have a Japan version. I will buy the PDF.
    Thanks.

  16. #16
    Join Date
    2005-08-14
    Location
    Gig Harbor, WA, USA
    Posts
    2,367
    Rep Power
    15

    Default Re: R80.10 Public Early Availability

    Looks like the Public EA take of R80.10 has been updated as of yesterday.
    http://phoneboy.org
    Unless otherwise noted, views expressed are my own

  17. #17
    Join Date
    2014-07-21
    Posts
    57
    Rep Power
    4

    Default Re: R80.10 Public Early Availability

    Quote Originally Posted by PhoneBoy View Post
    Looks like the Public EA take of R80.10 has been updated as of yesterday.
    Changelog?
    How to upgrade existing R80.10? Guide? SK?
    Or is this update within a Jumbo HFA?

    I sent several issues to the EA Team, and before I provide further problems which are still there from R77.xx, I will use the latest version in my lab.

    Regards

  18. #18
    Join Date
    2005-08-14
    Location
    Gig Harbor, WA, USA
    Posts
    2,367
    Rep Power
    15

    Default Re: R80.10 Public Early Availability

    If you've got an existing R80.10 EA installed, you can't do an in-place upgrade between EA takes.
    You have to do a fresh install and import from a previous release *or* do what I did and export/import objects using the following script: https://community.checkpoint.com/docs/DOC-1911
    Rules can be exported from SmartConsole in CSV format, but I haven't worked out how to import this.
    Since my rulebase at home is fairly small, recreating it manually wasn't a big deal.

    A "changelog" between EAs has not been posted, but I have seen some of the "known limitations" disappear.
    One notable one: standalone gateway + management configurations are no longer in the list.
    http://phoneboy.org
    Unless otherwise noted, views expressed are my own

  19. #19
    Join Date
    2006-03-08
    Location
    Lausanne
    Posts
    966
    Rep Power
    12

    Default Re: R80.10 Public Early Availability

    Just a side note, having 2.6.18-92 kernel on the new CP GW is a disappointment. After all, RH 5.2 2.6.18-92 is 9 years old now. Also, I would suspect CP developers having trouble with the newest HW support...
    -------------

    Valeri Loukine
    CCMA, CCSM, CCSI
    http://checkpoint-master-architect.blogspot.com/

  20. #20
    Join Date
    2005-08-14
    Location
    Gig Harbor, WA, USA
    Posts
    2,367
    Rep Power
    15

    Default Re: R80.10 Public Early Availability

    As far as I know, it isn't planned to upgrade the kernel in R80.10.
    I expect it will happen in the future, future hardware support being one of many reasons.
    http://phoneboy.org
    Unless otherwise noted, views expressed are my own
