CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.


Thread: All that's old is new again.

  1. #1 (joined 2019-07-12, 13 posts, rep power 0)

    All that's old is new again.

    It's really nice to see that this community is still here and active. I have been away from Check Point for a pretty long time. I became a Check Point administrator back in 2005 and attended a training class by Barry Stiefel. I believe he was the owner and operator of CPUG back then. (I still have to chuckle when I think of his rants about a particular car rental company.) I was very saddened to only recently learn of his passing. I remember that he was a great guy and would even answer questions via email long after I had him as an instructor.

    The Check Point product looked very different back then and I think that SPLAT was relatively new to the scene. Before that (correct me if I'm wrong), I think the only options were the Windows platform or Nokia appliances. I can't remember what version I learned on at the time but I do believe that SmartView Monitor was about all there was for administration. A few years later, my employer changed to a different firewall vendor and Check Point went by the wayside for me.

    When I recently changed employers, I was reintroduced to Check Point and the product looks very different from what I remember. Although I have been a firewall administrator for years, I am kind of starting over with Check Point in many ways. Special thanks to everyone here who has been so helpful as I get back into this saddle.

    Well, if you took the time to read this far, thanks for reminiscing with me!

  2. #2 (joined 2007-03-30, DFW, TX, 359 posts, rep power 14)

    Re: All that's old is new again.

    There was also SunOS/Solaris, and I think you could install FW-1 on Redhat as well for a while.

    The level of sensitivity to Solaris patches was a huge pain. That build also didn't get great testing. I got a call once from somebody whose cluster stopped working after he upgraded it to the GA of some major version. Turns out there was a bug in the proxy ARP code which caused it to send the gratuitous ARP replies with bogus MACs. New mode HA clusters use that same proxy ARP mechanism to claim ownership of the cluster VIPs. DTrace on Solaris 10 sure saved me a few times, though.

    And Solaris boxes were incredibly stable. Got another call which ended up involving a Sun Ultra 5 running Solaris 2.5 and FW-1 4.1. They weren't sure about the password for this device, and on top of that there wasn't a network or firewall person at the site. They got somebody to plug a null modem cable into it and he hit enter.

    #

    "Okay. I'm going to need you to run the command 'passwd' right now." We later checked the 'last' output and it had been logged in as root on the console since about eight years before I got the call. That was a fun one.

    I miss IPSO. The ideal GAiA for me would have been IPSO based on FreeBSD 8 or so. DTrace and ZFS were added in 7.0 (2008), and jails date back to 4.0 (2000).

  3. #3 (joined 2019-07-12, 13 posts, rep power 0)

    Re: All that's old is new again.

    This brings back a memory from long, long ago in a galaxy far, far away with professional services and replacing a gateway with new hardware. It's the middle of the night, the new firewall doesn't appear to be passing traffic, and management is VERY upset ("Staring over your shoulder until it is fixed" level of upset). There appears to be no traffic reaching the Internet router. It turned out that the problem was not the firewall at all... The ARP table needed to be flushed on the router that the firewall was plugged into before it would associate the IP with the new MAC. For some reason, the ARP table entry was not timing out.

  4. #4 (joined 2014-09-02, 373 posts, rep power 10)

    Re: All that's old is new again.

    Quote Originally Posted by TheDroppedPacket:
        This brings back a memory from long, long ago in a galaxy far, far away with professional services and replacing a gateway with new hardware. It's the middle of the night, the new firewall doesn't appear to be passing traffic, and management is VERY upset ("Staring over your shoulder until it is fixed" level of upset). There appears to be no traffic reaching the Internet router. It turned out that the problem was not the firewall at all... The ARP table needed to be flushed on the router that the firewall was plugged into before it would associate the IP with the new MAC. For some reason, the ARP table entry was not timing out.
    Yep - that's the one (or at least most common) thing outside of CP that we always point out and prep for when replacing/upgrading/etc. If a client doesn't have access/rights to flush the ARP cache properly, then it's usually enough to reboot the affected device(s). In really extreme cases (like static ARP entry on a router you can't control) it's actually possible to spoof the MAC of the old device, but I can only recall once that it was actually necessary - and we pushed hard for the client to get away from that ASAP.

    -E
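The stale-ARP problem in posts #3 and #4 is easy to confirm from any Linux box on the same segment before blaming the new gateway. The following POSIX shell check is an added example, not code from the thread or from Check Point: it parses neighbor-table lines in the format printed by `ip -4 neigh show` and reports whether the cached MAC for the gateway IP is the expected one, a different (stale) one, or absent. The sample table, the gateway address 192.0.2.1 (documentation range) and the locally administered MACs are constructed placeholders.

```shell
#!/bin/sh
# Added example: detect a neighbor-cache entry that still points at the MAC of
# replaced gateway hardware. Input lines follow the `ip -4 neigh show` layout:
#   <ip> dev <if> lladdr <mac> <state>

# check_neigh TABLE IP EXPECTED_MAC
#   returns 0 if the cached MAC for IP equals EXPECTED_MAC (case-insensitive),
#           1 if IP is cached with a different MAC (stale entry),
#           2 if IP has no entry at all.
check_neigh() {
    table="$1"; ip="$2"
    want=$(printf '%s' "$3" | tr 'A-F' 'a-f')
    cached=$(printf '%s\n' "$table" | awk -v ip="$ip" \
        '$1 == ip { for (i = 1; i <= NF; i++) if ($i == "lladdr") print tolower($(i + 1)) }')
    [ -z "$cached" ] && return 2
    [ "$cached" = "$want" ] && return 0
    return 1
}

# Constructed sample table: the gateway entry still holds the OLD MAC and is
# marked STALE, which is exactly the symptom described in the thread.
SAMPLE_NEIGH='192.0.2.1 dev eth0 lladdr 02:00:00:00:00:01 STALE
192.0.2.50 dev eth0 lladdr 02:ab:cd:00:00:50 REACHABLE'

# MAC of the replacement gateway (placeholder value).
NEW_GW_MAC='02:00:00:00:00:02'

# report IP EXPECTED_MAC: human-readable verdict for one address.
report() {
    rc=0
    check_neigh "$SAMPLE_NEIGH" "$1" "$2" || rc=$?
    case $rc in
        0) echo "ok: $1 is cached with expected MAC $2" ;;
        1) echo "stale: $1 is cached with a different MAC; flush the entry (ip neigh del $1 dev eth0)" ;;
        *) echo "absent: no neighbor entry for $1 yet" ;;
    esac
    return $rc
}

report 192.0.2.1 "$NEW_GW_MAC"
report 192.0.2.50 02:AB:CD:00:00:50
```

On the host running the check, feed it live data with `check_neigh "$(ip -4 neigh show)" 192.0.2.1 "$NEW_GW_MAC"`. A result of 1 means the segment has not yet learned the new hardware address; clearing the entry (`ip neigh del <ip> dev <if>` or `ip neigh flush dev <if>`) or, as post #4 notes, rebooting a device you cannot administer, forces a fresh ARP exchange. The router-side static entry mentioned in the thread is the one case this check cannot fix, only reveal.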
