Re: [FW-1] VPN/UTM Edge X -connecting to and managing from smartcenter
You should check your Smart Center is responding by http://ip:9283 - it is the Sofaware Management Server. In case it is not responding - you will be unable to connect. You should also open port 9281 UDP to Smart Center from Edge. Anyway, you can check routing issues by pinging Smart Center from the Edge device.

Alexey Baltacov
Security Specialist
artNET Experts LTD
[EMAIL PROTECTED] | Tel: +972-544989954
Hanagar 5, Neve Neeman, 2nd floor, Hod Hasharon

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED]] On Behalf Of a bv
Sent: Wednesday, November 12, 2008 4:57 PM
To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
Subject: Re: [FW-1] VPN/UTM Edge X -connecting to and managing from smartcenter

I have tried this (gave IP addresses of 2 interfaces of NGX R65) but I get the error "the service center did not respond". I guess for now the device is unable to access the interface of the firewall and I have to check the connection, I guess. To get your opinion: what to check further? (I'll look for the route).

Regards

2008/11/12 M. N. [EMAIL PROTECTED]:
Hi,

You need to connect the Edge box to the Smart Center Server through the WebGUI - Services - Connect to a Service Center. Then just follow the step-by-step wizard. It will at some point ask you for a key that you generated from the SCS. This is also well documented.

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED]] On Behalf Of a bv
Sent: November-12-08 9:02 AM
To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
Subject: [FW-1] VPN/UTM Edge X -connecting to and managing from smartcenter

Hi,

I have a demo UTM Edge X box which I would like to connect to and manage from NGX R65 on Windows. I created a vpnedge gateway object and a new policy package on SmartDashboard but couldn't communicate with it. And I don't know what to do on the Edge appliance itself to let it be managed.

Regards

Scanned by Check Point Total Security Gateway.

============================================================
To set vacation, Out-Of-Office, or away messages, send an email to [EMAIL PROTECTED]; in the BODY of the email add: set fw-1-mailinglist nomail
============================================================
To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html
============================================================
If you have any questions on how to change your subscription options, email [EMAIL PROTECTED]
============================================================
Re: [FW-1] New 8.0x UTM-1 EDGE firmware (General Availability)
Hmmm. On usercenter - there is only libsw available for download. On their FTP - only 8.0.30...

Alexey Baltacov
Security Specialist
artNET Experts LTD
[EMAIL PROTECTED] | Tel: +972-544989954
Hanagar 5, Neve Neeman, 2nd floor, Hod Hasharon

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED]] On Behalf Of M. N.
Sent: Wednesday, November 19, 2008 9:09 PM
To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
Subject: [FW-1] New 8.0x UTM-1 EDGE firmware (General Availability)

Hi,

Just got it this morning from one of my contacts and also saw someone post it on CPUG. Checkpoint Sofaware have just released the new 8.0.35x firmware for UTM-1 Edge and [EMAIL PROTECTED] devices for the general public.

Release notes here: Embedded_NGX_8_GA_ReleaseNotes.pdf
http://server.iad.liveperson.net/hc/s-9995810/cmd/kbresource/kb-4804751142393322126/%21DOWNLOAD?entryid=351253attachid=31314

Among the new features:
- Much better logs
- VStream Antispam
- Firewall Monitor
- Enhanced Policy Editors
- Built-in 802.1x and WPA Authenticator
- Built-in RS-232 Terminal Server
- Built-in DNS Server
- BGP Dynamic Routing
- Enhanced SNMP MIB
- New Status Dashboard

I've been playing with the beta version for a few weeks and IMHO it's been very stable and good. Love the new logs, much easier to troubleshoot now...
Re: [FW-1] New 8.0x UTM-1 EDGE firmware (General Availability)
Yes, it also works on Edge devices, I have checked it already :) Also libsw is available right now. To Marius :-)

Alexey Baltacov
Security Specialist
artNET Experts LTD
[EMAIL PROTECTED] | Tel: +972-544989954
Hanagar 5, Neve Neeman, 2nd floor, Hod Hasharon

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED]] On Behalf Of Sidney Boumendil
Sent: Friday, November 21, 2008 7:00 PM
To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
Subject: Re: [FW-1] New 8.0x UTM-1 EDGE firmware (General Availability)

On Fri, Nov 21, 2008 at 5:02 PM, pkc_mls [EMAIL PROTECTED] wrote:
pkc_mls wrote:
My mistake. When you search the usercenter for downloads for [EMAIL PROTECTED], you have indeed access to 8.0.35 and 8.0.35a. I just hope it works regardless of the device you have.

It also works on Edge devices.

Sidney
Re: [FW-1] VPN-1 EDGE X
In case it is connected to SmartCenter you can reset the password via SMS: http://smartcenterIP:9283

Alexey Baltacov
Security Specialist
artNET Experts LTD
[EMAIL PROTECTED] | Tel: +972-544989954
Hanagar 5, Neve Neeman, 2nd floor, Hod Hasharon

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Louis
Sent: Tuesday, December 02, 2008 5:53 PM
To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
Subject: [FW-1] VPN-1 EDGE X

I of course have forgotten the password on this box. I have read the "getting started" paper and it states to hold the reset button in for seven seconds, but when it comes back up it is business as usual with it. It is not going back to the factory defaults. Evidently I am missing something; does anyone have any idea on what the issue is?

Thank you in advance
[FW-1] VSX on IPSO
Hello,

I am currently installing VSX on IPSO and have a problem with setting interfaces UP. Previously I decided which interfaces I will use as regular interfaces and which I will use for VLAN trunking. I configured all without problems. I configured the VSs and all I need. After that I understood that I need to add one VS and need to add one more interface for VLAN trunking, and I am unable to set it. The error I am receiving when dashboard is trying to push the configuration is: "Interface cannot be set". So the question is: where can I search for debug information in order to understand the reason for it?

I am using:
Smart Center - R65 VSX
Nokia IPSO: 6.2
Nokia CP: R65 VSX

By the way, I have tried to delete all VSs and put VLAN tagging on the relevant interface - same error. I have also tried to delete and put back VLAN tagging on currently tagged interfaces - no problem.

Alexey Baltacov
Security Specialist
artNET Experts LTD
alex...@office.artnet.co.il | Tel: +972-544989954
Re: [FW-1] VSX on IPSO
Next time I will read the release notes better :) If the interface was previously used for something, in order to reconfigure it for something else you need to run vsx_config.

Special thanks to Checkpoint support, who pointed me to the correct page in the release notes limitations.

Alexey Baltacov
Security Specialist
artNET Experts LTD
alex...@office.artnet.co.il | Tel: +972-544989954
Hanagar 5, Neve Neeman, 2nd floor, Hod Hasharon

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:fw-1-mailingl...@amadeus.us.checkpoint.com] On Behalf Of Alexey Baltacov
Sent: Monday, December 22, 2008 1:11 PM
To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
Subject: [FW-1] VSX on IPSO

Hello,

I am currently installing VSX on IPSO and have a problem with setting interfaces UP. Previously I decided which interfaces I will use as regular interfaces and which I will use for VLAN trunking. I configured all without problems. I configured the VSs and all I need. After that I understood that I need to add one VS and need to add one more interface for VLAN trunking, and I am unable to set it. The error I am receiving when dashboard is trying to push the configuration is: "Interface cannot be set". So the question is: where can I search for debug information in order to understand the reason for it?

I am using:
Smart Center - R65 VSX
Nokia IPSO: 6.2
Nokia CP: R65 VSX

By the way, I have tried to delete all VSs and put VLAN tagging on the relevant interface - same error. I have also tried to delete and put back VLAN tagging on currently tagged interfaces - no problem.

Alexey Baltacov
Security Specialist
artNET Experts LTD
alex...@office.artnet.co.il | Tel: +972-544989954
[FW-1] Interface order change after HFA 40 installation
Hello,

Does somebody know what is causing the interface order change after HFA 40 installation on SPLAT, and how to fix/prevent/prepare before it happens? I already have 3 installations out of 5 with this problem. The servers with this problem are not listed among Checkpoint's recommended servers and are working with various NIC vendors (in most cases mixed vendors).

Alexey Baltacov
Security Specialist
artNET Experts LTD
alex...@office.artnet.co.il | Tel: +972-544989954
Hanagar 5, Neve Neeman, 2nd floor, Hod Hasharon
Re: [FW-1] Interface order change after HFA 40 installation
Hello,

It is not really fixing the problem; I have met installations where overwriting ethtab with the old one (from before the upgrade) does not solve the issue with eth order. Checkpoint have some draft SK with one more file taking care of eth ordering, which needs to be overwritten with the old one in such a case, but they are not ready to release it as a public SK.

Alexey Baltacov
Security Specialist
artNET Experts LTD
alex...@office.artnet.co.il | Tel: +972-544989954
Hanagar 5, Neve Neeman, 2nd floor, Hod Hasharon

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:fw-1-mailingl...@amadeus.us.checkpoint.com] On Behalf Of Reinhard Stich
Sent: Wednesday, March 25, 2009 12:04 AM
To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
Subject: Re: [FW-1] Interface order change after HFA 40 installation

Hi,

Also seen here. This is known as interface reordering and _can_ happen on any Linux. This is based on how Linux searches for hardware. There is a file called /etc/sysconfig/ethtab (search the docs for details) that allows manual interface ordering.

br
reinhard

-- 
Reinhard Stich r.st...@internet-security.at
Internet Security AG, 1100 Wien, Wienerbergstrasse 9
Tel: +43 1 3709440 RS784-RIPE Fax: +43 1 3709440-333
Re: [FW-1] Interface order change after HFA 40 installation
It is not working in HFA40 :(

Alexey Baltacov
Security Specialist
artNET Experts LTD
alex...@office.artnet.co.il | Tel: +972-544989954
Hanagar 5, Neve Neeman, 2nd floor, Hod Hasharon

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:fw-1-mailingl...@amadeus.us.checkpoint.com] On Behalf Of Marius banica
Sent: Wednesday, March 25, 2009 12:21 PM
To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
Subject: Re: [FW-1] Interface order change after HFA 40 installation

Depends on the patch; you can reorder the interfaces via modules.conf - change the alias to the relevant module.
Re: [FW-1] Interface order change after HFA 40 installation
The solution from Checkpoint support:

This is our new case regarding the interface disorder. The following is a manual fix; in the future it will be released as a script/package.

R65 HFA_40 install changes the interface order (renumbers interfaces)

Symptoms: R65 HFA_40 install changes the interface numbering on the gateway.

Cause: R65 HFA_40 changes the file /etc/init.d/kudzu to fix a Crossbeam interfaces issue. With that, there is a problem with how the interfaces are calculated inside of R65 HFA_40.

Solution: In order to resolve the issue, you will have to have access to the following files. Prior to the HFA_40 install, gather the following information from the gateway:
1. /etc/init.d/kudzu
2. /etc/sysconfig/ethtab

To solve the issue, after the HFA_40 install, change back the file /etc/init.d/kudzu to the version from HFA_02 and then run the procedure in sk31788.

Alexey Baltacov
Security Specialist
artNET Experts LTD
alex...@office.artnet.co.il | Tel: +972-544989954
Hanagar 5, Neve Neeman, 2nd floor, Hod Hasharon
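The reordering described in this thread matters beyond connectivity: topology and anti-spoofing settings are bound to interface names, so a silent renumbering puts the external policy on an internal port. As an added example (not from the thread and not Check Point's code), here is the before/after check I would run around an HFA install; the "name mac" snapshot format and the role map are my own constructed assumptions, not the layout of /etc/sysconfig/ethtab.

```python
from typing import Dict, List, Optional, Tuple

# Constructed snapshots of which MAC each kernel interface name resolved to.
# Before the upgrade eth0 is the external NIC.
BEFORE = """\
eth0 00:11:22:33:44:01
eth1 00:11:22:33:44:02
eth2 00:11:22:33:44:03
eth3 00:11:22:33:44:04
"""
# After the upgrade the kernel enumerated the NICs in a different order.
AFTER = """\
eth0 00:11:22:33:44:03
eth1 00:11:22:33:44:04
eth2 00:11:22:33:44:01
eth3 00:11:22:33:44:02
"""
# Assumed policy roles bound to interface names (topology / anti-spoofing).
ROLES = {"eth0": "external", "eth1": "internal", "eth2": "dmz", "eth3": "sync"}


def parse_snapshot(text: str) -> Dict[str, str]:
    """Parse 'name mac' lines into {name: mac}; blank and '#' lines are ignored."""
    mapping: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, mac = line.split()
        mapping[name] = mac.lower()
    return mapping


def renumbered(before: Dict[str, str], after: Dict[str, str]) -> Dict[str, Optional[str]]:
    """Map old name -> new name for every NIC (identified by MAC) whose name
    changed; the value is None when the NIC is missing from the after snapshot."""
    name_by_mac_after = {mac: name for name, mac in after.items()}
    moves: Dict[str, Optional[str]] = {}
    for old_name, mac in before.items():
        new_name = name_by_mac_after.get(mac)
        if new_name != old_name:
            moves[old_name] = new_name
    return moves


def misplaced_roles(roles: Dict[str, str], before: Dict[str, str],
                    after: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """For each policy role whose physical port is now known under a different
    name, return (role, name_the_policy_uses, name_the_port_has_now). Any entry
    here means the rules for that role are enforced on the wrong NIC."""
    out: List[Tuple[str, str, str]] = []
    for old_name, new_name in renumbered(before, after).items():
        role = roles.get(old_name)
        if role is not None:
            out.append((role, old_name, new_name or "<missing>"))
    return out


if __name__ == "__main__":
    # Stand-alone run over the constructed snapshots above.
    for role, expected, actual in misplaced_roles(ROLES, parse_snapshot(BEFORE), parse_snapshot(AFTER)):
        print(f"{role}: policy expects {expected}, port is now {actual}")
```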
Re: [FW-1] VPN Client 64 bits
In order to use Endpoint Connect with an R65 GW you need to upgrade to HFA40 first. Second - you should use the correct license. But in case you already have SNX, you only need to upgrade SNX on your GW and you'll be able to connect via SNX.

Alexey

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:fw-1-mailingl...@amadeus.us.checkpoint.com] On Behalf Of Roberto Lauriola
Sent: 29 June, 2009 2:36 PM
To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
Subject: [FW-1] VPN Client 64 bits

Hi All,

As mentioned in the SecureClient NGX R60_HFA_02 Release Notes, SecureClient for 64-bit Windows is not supported. We are running VPN-1 NGX R65; how can we connect using VPN from a remote Windows Vista 64-bit system? I read about Endpoint Connect; is that a good idea?

Thank you all for your help.

Bye,
Roberto.
Re: [FW-1] site to site VPN failing with Cisco Pix 515 and 505
Hi All

From my experience - try changing the encryption/hashing algorithm.

Alexey

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:fw-1-mailingl...@amadeus.us.checkpoint.com] On Behalf Of Shiroma Dassanayake
Sent: 29 June, 2009 1:48 PM
To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
Subject: Re: [FW-1] site to site VPN failing with Cisco Pix 515 and 505

Hi Czar

It is to address the supernetting issue that I have selected one VPN tunnel per each pair of hosts under tunnel management. The encryption domain of each tunnel comprises a single host only.

Regards
Shiroma

--- On Mon, 6/29/09, c...@ans.com.au c...@ans.com.au wrote:

From: c...@ans.com.au c...@ans.com.au
Subject: Re: [FW-1] site to site VPN failing with Cisco Pix 515 and 505
To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
Date: Monday, June 29, 2009, 2:07 AM

Hi Shiroma,

I just ran into this kind of problem very recently. I think you have a supernetting issue. You must have defined subnets that are consecutive. If this is the case, by default, FW1 will supernet it automatically. You can confirm this if at the Cisco end the IP address is appearing at a higher subnet, i.e. you initiated traffic at a /24 address and it appears at the Cisco end as something like a /22 address.

First, you can google for "user.def +checkpoint" or search the CP knowledge base for the solution. From memory, you have to use dbedit to change the behaviour at the SmartCenter server. NB: close all FW1 apps. (Run "dbedit ?" to verify syntax.)

    dbedit> modify properties firewall_properties ike_use_largest_possible_subnets false
    dbedit> update properties firewall_properties
    dbedit> quit --update_all

Then you have to manually edit the $FW1/lib/user.def file using a plain text editor, i.e. Notepad. But make a backup copy first. Then put in your subnets as in the following example:

--
    #ifndef __user_def__
    #define __user_def__
    //
    // User defined INSPECT code
    //
    max_subnet_for_range = {
        first_IP_in_range, last_IP_in_the_range; subnet_mask,
        first_IP_in_range, last_IP_in_the_range; subnet_mask,
        ...
        first_IP_in_range, last_IP_in_the_range; subnet_mask
    };
    #endif /* __user_def__ */
--

Save it. Then install the policy. In the Knowledge base, there are other examples. Check it out.

Good luck.

ta
czar

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:fw-1-mailingl...@amadeus.us.checkpoint.com] On Behalf Of Shiroma Dassanayake
Sent: Monday, 29 June 2009 1:41 PM
To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
Subject: [FW-1] site to site VPN failing with Cisco Pix 515 and 505

Hi admins

I have 3 site-to-site VPNs with three different Cisco models. The site-to-site with the ASA 5510 works. However the VPNs with the 515 and the 505 don't work. To exclude the subnets issue, I have selected one VPN tunnel per each pair of hosts under tunnel management. The keys are exchanged successfully and main mode completes. However when traffic is initiated (in either direction) the packet is dropped as encryption fails, as there is no valid SA. I have seen several references to this error on SK but none of the suggested workarounds seem to work. Any ideas??

Regards
Shiroma
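To make the supernetting failure mode and the user.def workaround from czar's post concrete, here is an added Python example (not czar's code and not Check Point's): it models how adjacent subnets in the encryption domain get merged into the largest possible supernet, shows which merged proposals a peer configured with the original /24s would not recognise (hence "no valid SA"), and generates the max_subnet_for_range rows that pin each subnet's mask. The sample networks are constructed; the angle-bracket tuple form `<first, last; mask>` is INSPECT syntax I assume the HTML copy of the thread stripped, and user.def lives at $FWDIR/lib/user.def on the management server.

```python
import ipaddress
from typing import Iterable, List, Tuple

# Constructed sample encryption domain: two consecutive /24s (which the
# gateway will merge into one /23 by default) plus an unrelated /24.
SAMPLE_DOMAIN = ["10.1.0.0/24", "10.1.1.0/24", "192.168.50.0/24"]


def supernetted_proposals(networks: Iterable[str]) -> List[str]:
    """Model ike_use_largest_possible_subnets = true: adjacent subnets are
    collapsed into the largest supernet, which is what the peer sees in the
    Quick Mode proposal. Returns the merged networks as strings."""
    nets = [ipaddress.ip_network(n, strict=True) for n in networks]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def mismatched_proposals(local: Iterable[str], peer: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (proposed, covered_peer_networks) for every merged proposal that
    matches no network configured on the peer. A PIX configured with the
    original /24s rejects a /23 proposal, so no IPsec SA exists and the
    gateway drops the traffic with an encryption failure."""
    peer_nets = {ipaddress.ip_network(p) for p in peer}
    out: List[Tuple[str, str]] = []
    for proposed in supernetted_proposals(local):
        net = ipaddress.ip_network(proposed)
        if net not in peer_nets:
            covered = sorted(str(p) for p in peer_nets if p.subnet_of(net))
            out.append((proposed, ",".join(covered)))
    return out


def user_def_entries(networks: Iterable[str]) -> List[str]:
    """One max_subnet_for_range row per subnet: first address, last address
    and the mask that must not be exceeded for that range."""
    rows = []
    for n in (ipaddress.ip_network(x) for x in networks):
        rows.append(f"<{n.network_address}, {n.broadcast_address}; {n.netmask}>")
    return rows


def render_user_def(networks: Iterable[str]) -> str:
    """Assemble the user.def fragment in the layout quoted in the thread."""
    body = ",\n".join("    " + r for r in user_def_entries(networks))
    return (
        "#ifndef __user_def__\n"
        "#define __user_def__\n"
        "//\n// User defined INSPECT code\n//\n"
        "max_subnet_for_range = {\n" + body + "\n};\n"
        "#endif /* __user_def__ */\n"
    )


if __name__ == "__main__":
    # Stand-alone run: show the symptom, then the fragment that prevents it.
    for proposed, expected in mismatched_proposals(SAMPLE_DOMAIN, SAMPLE_DOMAIN):
        print(f"gateway proposes {proposed}, peer only knows {expected}")
    print(render_user_def(SAMPLE_DOMAIN))
```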
Re: [FW-1] High load cpu by fwm process
1: Forwarding and policy enforcement is performed by a kernel process and has higher CPU priority than the FWM user process. It means that the user process can only get resources left free by the kernel process and cannot affect regular traffic.
2: Policy verification is performed by the GUI client and not by security management.
3: Only pushing policy into enforcement can affect regular traffic, because of the atomic load that can take several milliseconds, but in most cases it does not affect it because buffers are used.
Fwm should use CPU in order to perform the job faster.

Alexey

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:fw-1-mailingl...@amadeus.us.checkpoint.com] On Behalf Of Gary Scott
Sent: 11 June, 2009 5:02 PM
To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
Subject: Re: [FW-1] High load cpu by fwm process

If you are stuck with a standalone appliance where they won't let you split the license so you can run the recommended distributed architecture, then yes, I will take 50% to avoid traffic loss on the gateway when installing a policy to itself. I am currently seeing this and hoping the first HF will help address this.

-GS

From: FW1 Mailinglist mottaker fw1-maill...@gatesec.no
To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
Sent: Thursday, June 11, 2009 1:59:23 AM
Subject: Re: [FW-1] High load cpu by fwm process

Would you rather prefer it used 50% CPU and took twice as long to compile and push the rulebase? It's quite common that when you tell a server to perform a job (preferably as fast as possible), it will hog as many resources as it needs/can get to do so. As long as your CPU calms down after the policy is pushed I don't see any reason to be worried.

Rgds,
André

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:fw-1-mailingl...@amadeus.us.checkpoint.com] On Behalf Of carlopmart
Posted At: 10. juni 2009 21:48
Posted To: FireWall-1 mailinglist
Conversation: [FW-1] High load cpu by fwm process
Subject: Re: [FW-1] High load cpu by fwm process

Normal?? Why normal?? I don't think that this is normal ... not on almost any other management software ...

Reinhard Stich wrote:
hi, as I see it this is normal. policy install also took high cpu in older versions.
br reinhard

At 19:29 10.06.2009, you wrote:
Hi all, I have a security management R70 installed on a rhel5.3 host. Every time that I install a policy on a security gateway, fwm uses more than 99% of the cpu. Does somebody know if this is a bug on R70? The Rhel5.3 host is a quad-core 2 GHz cpu. On the other side, 50% of ram is free ...
Thanks.

-- CL Martinez carlopmart {at} gmail {d0t} com
Re: [FW-1] SNMP monitoring Provider-1 environment
Tunnel state monitoring SNMP traps can be configured under Community Properties - Tunnel Management.

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:fw-1-mailingl...@amadeus.us.checkpoint.com] On Behalf Of Luke Gogolkiewicz
Sent: 23 June, 2009 1:37 PM
To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
Subject: Re: [FW-1] SNMP monitoring Provider-1 environment

Hi Torkel,
What you will find is that the vpnd process actually runs on the firewalls themselves. You will need to poll the firewall instead of the server; on the checkpoint site they have their MIB, it is surprisingly (for checkpoint) pretty good. Or if you really want to get funky you can create a script which runs from your snmp server, to ssh to the firewall, perform a command and spit back the results. I can't remember the exact command, but a little research will make short work of it.
What kind of processes are you trying to monitor with snmp for the CMA/CLMs? Might be worth checking the MIB too.
Good Luck.
Luke.

On Tue, Jun 23, 2009 at 7:27 PM, Torkel Mathisen torkel.mathi...@bbs.no wrote:
Hi,
Is there any way of getting Provider-1 (R70) to send or receive snmp traps to/from an external server about the status of MDS/CMA processes? We want to monitor if a CMA or a CLM or any other process goes down. We also want to monitor if a VPN tunnel goes down. Anyone done this?
Regards,
Torkel

-- Luke Gogolkiewicz
Re: [FW-1] Problem logging with Dashboard using read only admin
What about turning on fwm debug and reading the .elg file? Any errors there?

Alexey

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:fw-1-mailingl...@amadeus.us.checkpoint.com] On Behalf Of Sergio Alvarez
Sent: Tuesday, June 30, 2009 12:14 AM
To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
Subject: Re: [FW-1] Problem logging with Dashboard using read only admin

Thanks for your answers, but the tests of the new read-only admins were done from the machine of one of the regular read/write admins, so there is no way this is an issue with the GUI Clients list. In any case, if I'm not mistaken, the error you get when attempting to connect from a machine not included in the GUI Clients is the one saying something about making sure the service is up and running and that you are included in the GUI clients list.
Any other ideas?
Regards

On Fri, Jun 26, 2009 at 7:58 PM, Independent IT Consultant itsec.itcons...@gmail.com wrote:
Be sure the machines these 2 additional admins are attempting to access SDB from are defined as GUI clients. Alternatively, consider implementing SmartPortal (so long as you're licensed for it). SmartPortal provides web-based read access into the Smart Center.

On Fri, Jun 26, 2009 at 8:26 PM, Sergio Alvarez seral...@gmail.com wrote:
Hello,
This customer of mine has an R65 SmartCenter and has several administrators with read/write permissions that regularly log in via Smart Dashboard with no problems. Now they need to add two extra administrators but with read only permissions, so they created the users under the Administrators section, added a read only profile to them and defined a password for each, but when those 2 users try to log in they get an error that says "Connection cannot be established". Since it is not an authentication error nor a regular "...make sure the service is up and running..." message, it seems like something strange is going on. I checked the SK, but could not find anything that seemed related to this scenario.
Has anybody seen anything like this before? Any help will be very appreciated.
Regards

-- Sergio Alvarez +(506)88301342
Re: [FW-1] Strange VPN problem
1: check if you are not blocking topology update
2: try update site on client
3: check if you are using the same encryption domain for both SecureClient and site-to-site (Gateway Topology - VPN Domain - Set Domain for Remote Access Community)
4: re-create site on client

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:fw-1-mailingl...@amadeus.us.checkpoint.com] On Behalf Of c0re dumped
Sent: 30 June, 2009 6:57 PM
To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
Subject: [FW-1] Strange VPN problem

Some of the networks listed in an object group that is applied in Manage - Network Objects - New - Check Point - Gateway - Topology - VPN Domain - Manually Defined are not being passed to my vpn clients. These clients are connecting using office mode. Even when I remove some networks from the group, the same set of routes is transmitted to the client. What could this be?

# fw ver
This is Check Point VPN-1(TM) FireWall-1(R) NGX (R65) HFA_02, Hotfix 602 - Build 006
SPLAT

Thanks
-- To err is human, to blame it on somebody else shows management potential.
Re: [FW-1] Access to Internal Servers Through VPN Client
Hello:)
It doesn't mean that remote users are unable to connect to anything in their internal network. If you want such settings you need to use Desktop Policy/Endpoint Connect with Secure access.

Alexey

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:fw-1-mailingl...@amadeus.us.checkpoint.com] On Behalf Of John Lindblom
Sent: 07 July, 2009 5:14 PM
To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
Subject: Re: [FW-1] Access to Internal Servers Through VPN Client

Thanks Gary. I would think it would be a good thing that they couldn't connect to anything on the local LAN they would be on... more secure. Remote users would generally be on unsecured networks anyway at hotels, airports or home office.

Gary Scott accesslimi...@yahoo.com
Sent by: Mailing list for discussion of Firewall-1 FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
07/07/2009 09:05 AM
Please respond to Mailing list for discussion of Firewall-1 FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
cc:
Subject: Re: [FW-1] Access to Internal Servers Through VPN Client

Yes, this is typical. Office mode will allow the client to connect even if they are on the same subnet as your internal enc domain; the catch here is that while they are connected they will not be able to access anything on their local lan.
-GS

From: John Lindblom jlindb...@mico.com
To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
Sent: Tuesday, July 7, 2009 9:02:09 AM
Subject: [FW-1] Access to Internal Servers Through VPN Client

I have a couple of Citrix servers set up for remote access using the SecureClient VPN. The Citrix client is configured with the private IP addresses (172.16.x.x) of these servers and everything is working just fine, but I just need to make sure this configuration is best practice. At one time I had them set up to hide behind public IP addresses and then configured the Citrix client to point to the public IP addresses. After doing some testing I realized the Citrix client could connect using the private IP address assigned to the servers and didn't need to use the public IP addresses. I have a group set up that I add servers to that need to be accessed through the VPN client and have the rule set up to use that group. Is this the typical way of setting up access to internal servers through the SecureClient VPN? What concerns me is what would happen if the client is on a network that is using the same private IP address range.
Thanks,
John

The information contained in this email and any attachments may contain confidential, proprietary, business sensitive, privileged or controlled information. If you are not the intended recipient, any disclosure, dissemination, distribution, duplication or other unauthorized use of the information contained in this email or any attachment is strictly prohibited. Unauthorized interception of this e-mail is a violation of law. If you are not the intended recipient, please notify the sender by reply email and immediately and permanently delete this mail and any attachments and any copies of them. Technical data and/or information provided in this email or any attachment may be subject to U.S. export control laws. Export, re-export, diversion or disclosure contrary to U.S. law is prohibited. It is your responsibility to check this email and any attachments for viruses or other harmful code before opening or forwarding.
Re: [FW-1] vpn edge (managed by R65) lost password
Probably you should open the port

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:fw-1-mailingl...@amadeus.us.checkpoint.com] On Behalf Of a bv
Sent: Tuesday, November 24, 2009 11:30 PM
To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
Subject: Re: [FW-1] vpn edge (managed by R65) lost password

Hi Sergio,
http://mysmartcenterip:9283 didn't bring anything, where mysmartcenterip here is the LAN interface ip of the firewall, which I use while logging in with the smartdashboard. So I have to say I couldn't get the edge password :-)
Regards

2009/11/9 Sergio Alvarez seral...@gmail.com:
I don't understand your question. In case it is of any help to clarify, according to those instructions, you are supposed to open a browser and point to your SmartCenter IP on port 9283.
Regards

On Mon, Nov 9, 2009 at 9:37 AM, a bv vbavbal...@gmail.com wrote:
Thanks, can I get the URL again as open?

2009/11/9 Sergio Alvarez seral...@gmail.com:
Hello,
Some time ago somebody passed me this procedure precisely to resolve the situation you have right now. I have never used it because I have not faced that issue yet, but hopefully it will work fine and help you get out of your problem:

Solution
The UTM-1 Edge GUI password can be reset only if the device is managed by SmartCenter server.
Procedure:
Make sure you have administrator permissions to connect to the SmartCenter server.
Open the browser and connect to URL http://<SmartCenter server IP address>:9283
Enter the SofaWare management server console and go to the View all gateways tab.
Select the correct UTM-1 Edge device and click Reset local password.
Next time you connect to the UTM-1 Edge device, it will ask for the new password.
Regards

On Mon, Nov 9, 2009 at 2:21 AM, a bv vbavbal...@gmail.com wrote:
Hi,
I have a vpn edge which is connected (managed) to an R65 smartcenter, and I have lost the vpnedge's web interface username and password. So how can I recover it without harming its production and configuration?
Regards

-- Sergio Alvarez +(506)88301342
Re: [FW-1] vpn edge (managed by R65) lost password
Is it a standalone installation? If yes, you should debug the SMS service. The management server should normally listen on port 9283, else you will be unable to install policy to Edge (in case SMS isn't working). So if you are able to install policy to Edge, SMS is actually working and you should debug the connectivity-to-SMS issue. If you are unable to install, SMS isn't working and you need to debug the service.
In order to check install policy you should make some change, for example some drop (or permit) rule, and then check in the smartcenter logs if you see traffic matching the rule.

Alexey

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:fw-1-mailingl...@amadeus.us.checkpoint.com] On Behalf Of a bv
Sent: Friday, November 27, 2009 2:13 PM
To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
Subject: Re: [FW-1] vpn edge (managed by R65) lost password

How and where? From my local PC address to the firewall object? So does the firewall normally have an open port at 9283 listening? My PC has an any any accept access.
Regards

2009/11/27 Alexey Baltacov alex...@office.artnet.co.il:
Probably you should open the port

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:fw-1-mailingl...@amadeus.us.checkpoint.com] On Behalf Of a bv
Sent: Tuesday, November 24, 2009 11:30 PM
To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
Subject: Re: [FW-1] vpn edge (managed by R65) lost password

Hi Sergio,
http://mysmartcenterip:9283 didn't bring anything, where mysmartcenterip here is the LAN interface ip of the firewall, which I use while logging in with the smartdashboard. So I have to say I couldn't get the edge password :-)
Regards

2009/11/9 Sergio Alvarez seral...@gmail.com:
I don't understand your question. In case it is of any help to clarify, according to those instructions, you are supposed to open a browser and point to your SmartCenter IP on port 9283.
Regards

On Mon, Nov 9, 2009 at 9:37 AM, a bv vbavbal...@gmail.com wrote:
Thanks, can I get the URL again as open?

2009/11/9 Sergio Alvarez seral...@gmail.com:
Hello,
Some time ago somebody passed me this procedure precisely to resolve the situation you have right now. I have never used it because I have not faced that issue yet, but hopefully it will work fine and help you get out of your problem:

Solution
The UTM-1 Edge GUI password can be reset only if the device is managed by SmartCenter server.
Procedure:
Make sure you have administrator permissions to connect to the SmartCenter server.
Open the browser and connect to URL http://<SmartCenter server IP address>:9283
Enter the SofaWare management server console and go to the View all gateways tab.
Select the correct UTM-1 Edge device and click Reset local password.
Next time you connect to the UTM-1 Edge device, it will ask for the new password.
Regards

On Mon, Nov 9, 2009 at 2:21 AM, a bv vbavbal...@gmail.com wrote:
Hi,
I have a vpn edge which is connected (managed) to an R65 smartcenter, and I have lost the vpnedge's web interface username and password. So how can I recover it without harming its production and configuration?
Regards

-- Sergio Alvarez +(506)88301342
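A small probe that applies the troubleshooting logic of this thread, added here as an example and not taken from any list member's message: it tries a TCP connect to the SofaWare Management Server port (9283) and maps the outcome to the next step Alexey describes (refused connection: the SMS service is down; no answer at all: a rule or route is in the way). The management server address 192.0.2.10 and the loopback listener used for the offline demo are constructed.

```python
import errno
import socket

SMS_PORT = 9283  # SofaWare Management Server console, as named in the thread


def probe_sms(host, port=SMS_PORT, timeout=3.0):
    """Attempt a TCP connect to host:port and classify the outcome.

    Returns one of 'listening', 'refused', 'timeout', 'unreachable'
    or 'error:<message>'.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "listening"
    except socket.timeout:
        # SYN sent, nothing came back: typically filtered by a rule or routing
        return "timeout"
    except ConnectionRefusedError:
        # Host answered with RST: reachable, but nothing listens on the port
        return "refused"
    except OSError as exc:
        if exc.errno in (errno.ENETUNREACH, errno.EHOSTUNREACH):
            return "unreachable"
        return "error:%s" % (exc.strerror or exc)


# Next step for each outcome, following the advice given in the thread.
NEXT_STEP = {
    "listening": "SMS answers on TCP 9283: open http://<host>:9283 in a browser, "
                 "go to 'View all gateways' and use 'Reset local password'.",
    "refused": "Host reached but nothing listens on 9283: the SMS service is "
               "not running; debug the service on the management server.",
    "timeout": "No reply at all: a rule or route blocks the path; check that the "
               "rulebase allows your PC to the management server on TCP 9283.",
    "unreachable": "No route from this host to the management server; fix "
                   "routing before looking at the SMS service.",
}


def diagnose(host, port=SMS_PORT, timeout=3.0):
    """Probe the SMS port and return (outcome, recommended next step)."""
    outcome = probe_sms(host, port, timeout)
    return outcome, NEXT_STEP.get(outcome, "Unexpected socket error: " + outcome)


def local_demo():
    """Offline demo: a listening socket on 127.0.0.1 stands in for a working
    SMS; the same port after closing it stands in for a stopped SMS."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))   # let the OS pick a free port (constructed)
    srv.listen(1)
    port = srv.getsockname()[1]
    while_up = probe_sms("127.0.0.1", port)
    srv.close()
    while_down = probe_sms("127.0.0.1", port)
    return while_up, while_down


if __name__ == "__main__":
    print(local_demo())            # ('listening', 'refused')
    # Against a real management server (constructed address):
    # print(diagnose("192.0.2.10"))
```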
Re: [FW-1] NGX R65 or NGX R70 (70.1 and 70.2)
For anyone who dislikes SPLAT I can recommend IPSO:)

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:fw-1-mailingl...@amadeus.us.checkpoint.com] On Behalf Of Gary Scott
Sent: Tuesday, January 19, 2010 10:57 PM
To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
Subject: Re: [FW-1] NGX R65 or NGX R70 (70.1 and 70.2)

IMO, secureplatform; sorry you don't like it, but it's getting to the point where you may not have a choice, already the case for many features. Why do you dislike splat?

From: carlopmart carlopm...@gmail.com
To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
Sent: Tue, January 19, 2010 3:05:52 PM
Subject: [FW-1] NGX R65 or NGX R70 (70.1 and 70.2)

Hi all,
I need to deploy a new security gateway on one of my remote offices and I have doubts about which CP NGX version to install. At first instance I think to do it with NGX R65. The most important reason is that I don't like anything at all about the secureplatform OS (windows isn't an option), which is mandatory to install R70.x... But aside from my personal reasons: which platform do you choose to install a security gateway that needs to be exposed 24x7 a year? Which is most secure as a public firewall in your opinion? Both products support all my needs and I don't need to use IPS or Eventia.
Thanks for your opinions.

-- CL Martinez carlopmart {at} gmail {d0t} com
Re: [FW-1] NGX R65 or NGX R70 (70.1 and 70.2)
Hello,
I think you have already read the R70/.10/.20 release notes and already know all the new things inside. But I think you need to be aware of the following:
1: IPS @ R70 really works well, same protections you have @ smart defense and much more. It works faster and, thanks to God, exclusions really work!
2: I am not sure about the R65 version you are using, but R70 is working on Linux kernel 2.6 (supports new hardware) and fully supports CoreXL.
3: From R70.1 there are a lot of enhancements in the GUI that increase usability.
4: From R70.1 you are able to use hardware monitoring on open servers (number of functions depends on vendor).
5: In large deployments Smart Provisioning is also very useful.
Anyway... I am installing/upgrading several checkpoint gateways a week for different customers. All customers are happy to work with R70 and no one wants to revert to R65:)

Alexey

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:fw-1-mailingl...@amadeus.us.checkpoint.com] On Behalf Of carlopmart
Sent: Tuesday, January 19, 2010 10:06 PM
To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
Subject: [FW-1] NGX R65 or NGX R70 (70.1 and 70.2)

Hi all,
I need to deploy a new security gateway on one of my remote offices and I have doubts about which CP NGX version to install. At first instance I think to do it with NGX R65. The most important reason is that I don't like anything at all about the secureplatform OS (windows isn't an option), which is mandatory to install R70.x... But aside from my personal reasons: which platform do you choose to install a security gateway that needs to be exposed 24x7 a year? Which is most secure as a public firewall in your opinion? Both products support all my needs and I don't need to use IPS or Eventia.
Thanks for your opinions.

-- CL Martinez carlopmart {at} gmail {d0t} com
Re: [FW-1] Bind multiple ip addresses on one Adapter SmartPlatform
Hey,
It is not recommended to do it because in this case you will be unable to make a cluster. But in case you need it anyway, you should enter your management interface (ssh/webui) and add a new secondary IP subinterface in network configuration (same place where you are adding VLANs).

Alexey

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:fw-1-mailingl...@amadeus.us.checkpoint.com] On Behalf Of Verweyen, Dirk
Sent: Monday, April 12, 2010 10:27 AM
To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
Subject: [FW-1] Bind multiple ip addresses on one Adapter SmartPlatform

Hello,
is it possible to bind multiple ip addresses on one Adapter on a Smart Platform R70 Gateway? How can I do this?
Regards,
Dirk
Re: [FW-1] Reinstalling an old R65
Hi,
Before starting the system there are 5 seconds when you can push any key to interrupt normal startup and start in debug mode. Using it you can understand what happens during the boot. In most cases "starting the system" + hard disk led on all the time means FSCK is running. But check what the reason is in debug mode.

On Fri, Mar 18, 2011 at 6:33 PM, Jørn Dahl-Stamnes fw.ad...@dahl-stamnes.net wrote:
On Friday 18 March 2011 15:54, Sergio Alvarez wrote:
The installation wizard asks if installing UTM or Power before reaching the list of products you point out... if you look closely, the first option says VPN-1 Power; if you had selected UTM in the previous section, here it would say VPN-1 UTM. The cpxp-ci-vpx- corresponds to a VPN-1 UTM firewall gateway. In any case, given the fact you seem a little lost, I would suggest starting over with the SPLAT installation, select UTM instead of Power, then select the VPN-1 and SmartCenter options from the list and go from there.

I'll try. But it seems like the system does not work anymore after trying to reinstall. After the disk has been formatted and things have been copied onto the disk, I'm being asked to reboot. When rebooting I'm getting a message: "Starting the system ..." Then it seems like it freezes. The disk LED is constantly on and nothing more happens. Seems to be some kind of problem with the disk too.
Thanks anyway.
-- Jørn Dahl-Stamnes

-- Sincerely, Alexey Baltacov drongt...@gmail.com | Tel: +972-504989954
= To set vacation, Out-Of-Office, or away messages, send an email to lists...@amadeus.us.checkpoint.com in the BODY of the email add: set fw-1-mailinglist nomail = To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html = If you have any questions on how to change your subscription options, email fw-1-ow...@ts.checkpoint.com =
Re: [FW-1] Reinstalling an old R65
Hello Jørn,

Why are you not upgrading your licenses to software blades via UserCenter and installing newer Checkpoint versions? If you are able to upgrade licenses - it will solve your problem with incompatibility!

Alexey

On Sat, Mar 19, 2011 at 1:26 PM, Jørn Dahl-Stamnes fw.ad...@dahl-stamnes.net wrote:
> On Friday 18 March 2011 15:54, Sergio Alvarez wrote:
>> The installation wizard asks if installing UTM or Power before reaching the list of products you point out... if you look closely, the first option says VPN-1 Power, if you had selected UTM in the previous section, here it would say VPN-1 UTM. The cpxp-ci-vpx- corresponds to a VPN-1 UTM firewall gateway. In any case, given the fact you seem a little lost, I would suggest to start over with the SPLAT installation, select UTM instead of Power, then select the VPN-1 and SmartCenter options from the list and go from there.
>
> I tried to reinstall as you said. But still it does not work. I'm not able to contact the server through https. The login screen is shown, but it refuses to let me in. I can contact it through the GUI and was able to install one of the two licenses. The one that is installed is cpmp-sct-3-ngx, while cpxp-ci-vpx-250-ngx is not installed. When trying to install rules, I get the following error message:
>
> Installation failed: Load on module failed - there is no valid license for FireWall-1 module
>
> So I'm still stuck. :(
>
> --
> Jørn Dahl-Stamnes

--
Sincerely,
Alexey Baltacov
drongt...@gmail.com | Tel: +972-504989954
Re: [FW-1] Reinstalling an old R65
By the way - it can help: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=solutionid=sk31061

Seems you should install it as UTM and not as Power in order to use the license, without power pack and pro.

Alexey

On Sat, Mar 19, 2011 at 1:26 PM, Jørn Dahl-Stamnes fw.ad...@dahl-stamnes.net wrote:
> On Friday 18 March 2011 15:54, Sergio Alvarez wrote:
>> The installation wizard asks if installing UTM or Power before reaching the list of products you point out... if you look closely, the first option says VPN-1 Power, if you had selected UTM in the previous section, here it would say VPN-1 UTM. The cpxp-ci-vpx- corresponds to a VPN-1 UTM firewall gateway. In any case, given the fact you seem a little lost, I would suggest to start over with the SPLAT installation, select UTM instead of Power, then select the VPN-1 and SmartCenter options from the list and go from there.
>
> I tried to reinstall as you said. But still it does not work. I'm not able to contact the server through https. The login screen is shown, but it refuses to let me in. I can contact it through the GUI and was able to install one of the two licenses. The one that is installed is cpmp-sct-3-ngx, while cpxp-ci-vpx-250-ngx is not installed. When trying to install rules, I get the following error message:
>
> Installation failed: Load on module failed - there is no valid license for FireWall-1 module
>
> So I'm still stuck. :(
>
> --
> Jørn Dahl-Stamnes

--
Sincerely,
Alexey Baltacov
drongt...@gmail.com | Tel: +972-504989954
Re: [FW-1] Reinstalling an old R65
Hello Jorn,

This is a real problem: to understand what exactly you are installing without seeing it.

In case you are installing the FW with only one interface - it will always be a Checkpoint host and you will be unable to pass traffic via this device even with an eval license. Usually during the first time configuration wizard people define more than one network interface, so they don't have this problem. Even if you are not doing it - then you are importing configuration from the old FW and the issue will be fixed automatically! Once you are not importing settings from the old one - you should install the FW BY THE BOOK, using the product installation manuals...

OK, about WEBUI: what port are you running the WEBUI on? You have configured it during installation. If it's the default, 443, and you didn't change it during the first wizard - it can be a problem because other services like VPN visitor mode/SSL portal can run on this port. You should change the port to another one using the expert mode command:

webui enable another_port_number

and allow access to the FW from your management station on this port.

Good luck

On Sun, Mar 20, 2011 at 6:43 PM, Jørn Dahl-Stamnes fw.ad...@dahl-stamnes.net wrote:
> On Friday 18 March 2011 15:54, Sergio Alvarez wrote:
>> The installation wizard asks if installing UTM or Power before reaching the list of products you point out... if you look closely, the first option says VPN-1 Power, if you had selected UTM in the previous section, here it would say VPN-1 UTM. The cpxp-ci-vpx- corresponds to a VPN-1 UTM firewall gateway. In any case, given the fact you seem a little lost, I would suggest to start over with the SPLAT installation, select UTM instead of Power, then select the VPN-1 and SmartCenter options from the list and go from there.
>>
>> BTW, when someone told you to go: (SmartDashboard > Gateway > General Properties > CheckPoint Product List), he meant go to the gateway object and double clicking on it you will see the general properties for that gateway.
>>
>> Now, since you started installing only SmartCenter, most likely you will NOT have a gateway object, which then requires some changes, so just better go with the SPLAT reinstall and be sure to start with the right foot.
>
> First of all - thanks for all the replies I have had on my request :)
>
> I did what you said but still no luck until I from the GUI right-clicked on the FW object and selected "Convert to gateway". Then I rebooted the firewall and tried again. Now both licenses were installed and I'm able to install a ruleset on the firewall.
>
> I still got one problem - I cannot connect to the firewall through https from my laptop. When starting the web-browser I get:
>
> Cannot connect to server. Make sure the device is up and running, and that you are allowed to login from this machine.
>
> The laptop is also the one that I'm running the GUI on, and I have added one rule that says that https is allowed from the machine. I wonder what device the message is referring to?
>
> Another thing I have noticed is that during boot I get:
>
> Starting system
> Configuring network: FAILED
>
> I have checked /var/log/messages, and there is one message that says the same, but nothing that indicates what's wrong. However, since I can communicate with the firewall on the interface that is active, I cannot see what could be wrong. The firewall has two other network cards, one with VLAN support. In addition, the motherboard has one ethernet port which is not in use due to lack of drivers. So I don't consider this to be that important... or?
>
> --
> Jørn Dahl-Stamnes

--
Sincerely,
Alexey Baltacov
drongt...@gmail.com | Tel: +972-504989954
Re: [FW-1] L2TP issue after upgrade
Hello,

I never expected problems with L2TP clients connected from networks behind the FW, but several things have changed from R61 to R65 HFA70. One of them is L2TP support for iPhone and other L2TP clients to connect to the FW, so it's possible the FW changed the way it supports L2TP passing through too.

I think the better way to solve your problem is to continue upgrading to any supported version, and in case it still doesn't work open a support ticket about it.

Alexey

On Thu, Apr 14, 2011 at 4:44 PM, Ebersole, Jason jason.ebers...@sti-ultrasound.com wrote:
> Hello all,
>
> Microsoft configured L2TP clients worked wonderfully on SPLAT-R61. I upgraded to R65-HFA70 and everything seems to be working great except now my L2TP clients are dropping after an hour.
>
> When comparing the logs between R61 and R65, I see that after an hour, an L2TP client successfully renegotiates IKE. From client to gateway every hour:
>
> IKE: Quick Mode Sent Notification
> IKE: Quick Mode Completion
> IKE: Informational Exchange Received Delete IPSEC-SA from Peer
> Client continues VPN session
>
> But on R65-HFA70, after the first hour, none of the above happens and the client disconnects from the remote VPN session.
>
> Any thoughts?
>
> Note: I know R65 is not supported any more. I'm late in upgrade planning, and just want to get up to R65 so I can plan vpn client upgrades with as little disruption as possible. I'm hoping there is an easy fix...
>
> Thanks,
> Jason

--
Sincerely,
Alexey Baltacov
drongt...@gmail.com | Tel: +972-504989954
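To turn the log comparison Jason describes into a repeatable check, here is an added example (my own Python, not Check Point code and not from anyone in the thread). It reads a constructed log in a simplified "date time peer message" shape modelled on the IKE messages he listed, and reports per peer whether the newest Quick Mode Completion is still inside the phase-2 SA lifetime, how many rekeys happened, and whether a received Delete was the normal cleanup of the old SA right after a rekey or a real teardown. The 3600 s lifetime, the log layout and the peer addresses are assumptions; a real SmartView Tracker export carries more columns, so adjust parse_line for yours.

```python
"""Spot L2TP/IPsec clients whose phase-2 SA lapsed without a rekey.

Added example for the thread above; not Check Point code. Log lines are
constructed in a simplified 'YYYY-MM-DD HH:MM:SS peer message' shape
(ASSUMPTION: real exports have more columns; adapt parse_line).
"""
import re
from collections import defaultdict
from datetime import datetime

TS_FMT = "%Y-%m-%d %H:%M:%S"
QM_DONE = "IKE: Quick Mode Completion"
SA_DELETE = "IKE: Informational Exchange Received Delete IPSEC-SA from Peer"

# Constructed sample: 10.0.0.5 rekeys after an hour (the healthy R61 pattern
# from the thread); 10.0.0.9 never rekeys and is torn down instead.
SAMPLE_LOG = """\
2011-04-14 14:00:05 10.0.0.5 IKE: Main Mode Completion
2011-04-14 14:00:06 10.0.0.5 IKE: Quick Mode Completion
2011-04-14 14:00:07 10.0.0.9 IKE: Main Mode Completion
2011-04-14 14:00:08 10.0.0.9 IKE: Quick Mode Completion
2011-04-14 15:00:01 10.0.0.5 IKE: Quick Mode Sent Notification
2011-04-14 15:00:02 10.0.0.5 IKE: Quick Mode Completion
2011-04-14 15:00:03 10.0.0.5 IKE: Informational Exchange Received Delete IPSEC-SA from Peer
2011-04-14 15:10:00 10.0.0.9 IKE: Informational Exchange Received Delete IPSEC-SA from Peer
"""

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\S+) (.*)$")


def parse_line(line):
    """Return (timestamp, peer, message) or None for lines that do not fit."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return datetime.strptime(m.group(1), TS_FMT), m.group(2), m.group(3)


def rekey_status(log_text, now, lifetime_s=3600, cleanup_window_s=60):
    """Per peer: rekey count, last Quick Mode Completion, teardown count and
    whether the SA is still within `lifetime_s` at `now` (a TS_FMT string).

    A Delete that arrives within `cleanup_window_s` after a Quick Mode
    Completion is the old SA being removed after a rekey, not a drop.
    ASSUMPTION: 3600 s phase-2 lifetime, as in the thread's 'after an hour'.
    """
    now_ts = datetime.strptime(now, TS_FMT)
    peers = defaultdict(lambda: {"qm": [], "deletes": []})
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if not parsed:
            continue
        ts, peer, msg = parsed
        if msg == QM_DONE:
            peers[peer]["qm"].append(ts)
        elif msg == SA_DELETE:
            peers[peer]["deletes"].append(ts)

    report = {}
    for peer, ev in peers.items():
        if not ev["qm"]:
            continue  # phase 2 never completed; nothing to judge
        last = max(ev["qm"])
        teardowns = sum(
            1 for d in ev["deletes"]
            if not any(0 <= (d - q).total_seconds() <= cleanup_window_s
                       for q in ev["qm"])
        )
        expired = (now_ts - last).total_seconds() > lifetime_s
        report[peer] = {
            "rekeys": len(ev["qm"]) - 1,
            "last_qm": last.strftime(TS_FMT),
            "teardowns": teardowns,
            "state": "expired-no-rekey" if expired else "ok",
        }
    return report


if __name__ == "__main__":
    for peer, info in rekey_status(SAMPLE_LOG, "2011-04-14 15:30:00").items():
        print(peer, info)
```

Run it against an export covering at least two lifetimes: peers that show up as "expired-no-rekey" with a teardown and zero rekeys are the clients behaving the way Jason saw on R65-HFA70; a peer with rekeys greater than zero and no teardowns is following the healthy R61 pattern.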
Re: [FW-1] RES: [FW-1] Cluster SPLAT - Hardware problems - Replace servers
Hello,

You can upgrade the cluster members one-by-one in order to be able to fail back fast in case something goes wrong. It will also minimize the downtime, if any. In case you are upgrading just hardware and not the Checkpoint version it should be done without any downtime.

Be sure you are working broadcast on old and new hardware before entering it to the cluster.

In case you are going to upgrade to a newer Checkpoint version, be sure your management is on the same version or newer.

On Thu, Apr 14, 2011 at 6:42 PM, Sergio Alvarez seral...@gmail.com wrote:
> As an extra suggestion, after resetting SIC and before installing policy, go to the cluster topology and use the "get topology" buttons at the top to force the Management (SmartCenter) to pull the interface names and configuration from your new cluster members, make sure everything looks ok with the virtual (cluster) IPs and then install policy.
>
> I'm not quite sure why, but even when the interfaces might be called the same (example: eth0, eth1, etc.), I have seen issues in which traffic won't flow after a change of hardware.
>
> Finally, don't forget to add licenses to your new cluster members: use SmartUpdate, right click on each cluster member, select "get licenses" for it to realize there are no licenses on those boxes and finally attach the licenses accordingly.
>
> Hope this is useful.
>
> Regards
>
> On Wed, Apr 13, 2011 at 2:20 PM, Gustavo Rocha de Andrade gusta...@trueaccess.com.br wrote:
>> Hi list,
>>
>> If there is a level 3 hardware between the smart center and the clusters, do not forget to clear the arp table of the level 3 hardware or you could not be able to install the policy.
>>
>> regards
>>
>> Gustavo Andrade
>> Information Security Analyst (Pl)
>> True Access Consulting S/A
>> Phone: (61) 3217-1911
>>
>> From: Mailing list for discussion of Firewall-1 [FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM] on behalf of Leandro Vilela [dflean...@gmail.com]
>> Sent: Wednesday, April 13, 2011 12:31
>> To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
>> Subject: [FW-1] Cluster SPLAT - Hardware problems - Replace servers
>>
>> Hi list,
>>
>> I'm having a SPLAT cluster with hardware problems. I purchased two new servers and need to replace the equipment. I did the settings of the new servers identical to the former but not the policies yet. The idea is to simply unplug the old cluster, reconnect the new servers with the same IP and name as the previous ones, re-create the SIC with the SmartCenter and implement policies. I wonder if I need to make any further configuration to replace the machines.
>>
>> Thanks in advance ...
>>
>> Regards
>> Leandro Vilela
>
> --
> Sergio Alvarez
> CISSP | CCSE+

--
Sincerely,
Alexey Baltacov
drongt...@gmail.com | Tel: +972-504989954
Re: [FW-1] Encrypt all communitcations between remote Security Gateway and local SmartCenter Server
Checkpoint VPN is policy based, even in tunnel mode, so you are unable to configure IPSEC settings via the command line on the GW.

It is also not recommended to encrypt SIC communications, because in case of VPN down or policy problem you will lose access to the gateway and will be unable to install a new policy before unload local.

Bottom line: in case of any problem with encrypted communications, for any reason, your steps to fix it will be complicated.

Alexey

On Tue, May 10, 2011 at 10:36 AM, carlopmart carlopm...@gmail.com wrote:
> On 05/09/2011 06:42 PM, Sergio Alvarez wrote:
>> As Carlo said, it should not be necessary to do further encryption, SCS and remote gateway will be communicating securely once SIC is established, but if you want to make things more complicated, remember a Check Point firewall is able to do VPN against any device working with standard IPSec, so I guess you can configure your local firewall (not Check Point) to establish a VPN against the remote gateway and make sure all traffic between that and the local SCS is encrypted.
>>
>> Regards
>
> Correct, but how can I configure a vpn access on remote CheckPoint gw without using SCS?? Is it possible to do it from command line??
>
> Thanks.
>
> --
> CL Martinez
> carlopmart {at} gmail {d0t} com

--
Sincerely,
Alexey Baltacov
drongt...@gmail.com | Tel: +972-504989954
Re: [FW-1] Encrypt all communitcations between remote Security Gateway and local SmartCenter Server
Possibly you have implied rules enabled; that's why you will see ports opened for SSL extender/WebUI/SSH and many other services. Many of them are Checkpoint specific and have fingerprints nessus can identify.

You have to carefully review implied rules, make regular rules in order to enable the same functionality but limited to your needs, and then disable implied rules. After that you scan again and see that the GW stops being identified as CP.

On Tue, May 10, 2011 at 2:02 PM, carlopmart carlopm...@gmail.com wrote:
> On 05/10/2011 12:49 PM, Alexey Baltacov wrote:
>> Checkpoint VPN is policy based, even in tunnel mode, so you are unable to configure IPSEC settings via the command line on the GW.
>>
>> It is also not recommended to encrypt SIC communications, because in case of VPN down or policy problem you will lose access to the gateway and will be unable to install a new policy before unload local.
>>
>> Bottom line: in case of any problem with encrypted communications, for any reason, your steps to fix it will be complicated.
>>
>> Alexey
>
> Thanks Alexey. I am evaluating pros and cons about encrypting communications between SCS and splat gateway using ipsec or another type of encryption. But doing some scans with nessus and nmap against this splat remote gw, all revealed that it is a CheckPoint firewall. Can I almost change this?? I have installed a default policy with only two rules:
>
> a) SCS to GW, allow all ports.
> b) Any to GW, deny all (stealth rule)
>
> I don't have IPS soft blade license.
>
> Thanks.
>
> --
> CL Martinez
> carlopmart {at} gmail {d0t} com

--
Sincerely,
Alexey Baltacov
drongt...@gmail.com | Tel: +972-504989954
Re: [FW-1] Encrypt all communitcations between remote Security Gateway and local SmartCenter Server
Yes, CP specific, and all of them should be opened in implied rules.

On Tue, May 10, 2011 at 2:27 PM, carlopmart carlopm...@gmail.com wrote:
> On 05/10/2011 01:17 PM, Alexey Baltacov wrote:
>> Possibly you have implied rules enabled; that's why you will see ports opened for SSL extender/WebUI/SSH and many other services. Many of them are Checkpoint specific and have fingerprints nessus can identify.
>>
>> You have to carefully review implied rules, make regular rules in order to enable the same functionality but limited to your needs, and then disable implied rules. After that you scan again and see that the GW stops being identified as CP.
>
> Nessus and nmap detect these ports: 256 (tcp), 259 (udp), 4500 (udp), 18191 (tcp), 18192 (tcp), 18208 (tcp). Except for 4500, all are checkpoint related ... As you can see, ssl extender, webui and ssh are disabled (ssh is allowed only for SCS). I am doing these scans from my home workstation ...
>
> --
> CL Martinez
> carlopmart {at} gmail {d0t} com

--
Sincerely,
Alexey Baltacov
drongt...@gmail.com | Tel: +972-504989954
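The exchange above comes down to rule order: the implied "accept control connections" rules are evaluated before the administrator's own rules, so a stealth rule placed after an "SCS to GW" rule never sees the management ports, and a scan from anywhere still finds them open. The following is an added example (my own Python, not Check Point code and not from anyone in the thread) that parses an nmap-style port list like the one Carlo posted, flags the Check Point-specific services, and models the two policies as first-match rulebases: the questioner's "SCS allow / stealth drop" with implied rules enabled, and the hardened form Alexey describes, with implied rules disabled and each control service allowed only from the management server. The service names in the table, and the placement of the implied rules first, are assumptions from my own knowledge of the predefined Check Point objects (verify against your own Services tree); the scan text is constructed.

```python
"""Why a stealth rule does not hide Check Point control ports while implied
rules are on, and what the explicit, source-restricted policy looks like.

Added example for this thread; not Check Point code. Assumptions are marked.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

Port = Tuple[int, str]  # (port number, "tcp" | "udp")

# Ports the thread's scan reported open, mapped to the predefined Check Point
# service they normally belong to. ASSUMPTION: names and purposes are from my
# own recollection of the predefined objects; check them in SmartDashboard.
# The boolean marks services that identify the box as Check Point; 4500/udp
# is plain IPsec NAT-T and is not specific to any vendor.
CP_SERVICES = {
    (256, "tcp"):   ("FW1", "legacy policy/control channel", True),
    (259, "udp"):   ("RDP", "Check Point reliable datagram protocol (VPN)", True),
    (4500, "udp"):  ("IKE_NAT_TRAVERSAL", "IPsec NAT-T", False),
    (18191, "tcp"): ("CPD", "SIC control connections", True),
    (18192, "tcp"): ("CPD_amon", "application monitoring", True),
    (18208, "tcp"): ("FW1_CPRID", "remote installation daemon", True),
}

# Constructed nmap-style output mirroring the port list posted in the thread.
SAMPLE_SCAN = """\
PORT      STATE    SERVICE
256/tcp   open     fw1-secureremote
259/udp   open     firewall1-rdp
4500/udp  open     nat-t-ike
18191/tcp open     unknown
18192/tcp open     unknown
18208/tcp open     unknown
22/tcp    filtered ssh
"""

_PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+open\b", re.MULTILINE)


def parse_open_ports(scan_text: str) -> List[Port]:
    """(port, proto) pairs reported 'open'; filtered/closed ports are ignored."""
    return [(int(p), proto) for p, proto in _PORT_RE.findall(scan_text)]


def fingerprint_ports(open_ports: List[Port]) -> List[Port]:
    """Open ports whose service marks the box as Check Point."""
    return [p for p in open_ports if p in CP_SERVICES and CP_SERVICES[p][2]]


@dataclass
class Rule:
    name: str
    src: str                 # "any" or a named source such as "scs"
    service: Optional[Port]  # None = any service
    action: str              # "accept" or "drop"


def match(rules: List[Rule], src: str, service: Port):
    """First-match evaluation, the way a rulebase is read top-down."""
    for r in rules:
        if r.src in ("any", src) and r.service in (None, service):
            return r.name, r.action
    return "implicit cleanup", "drop"


def policy_with_implied_rules() -> List[Rule]:
    # ASSUMPTION: the implied 'Accept Control Connections' rules are placed
    # FIRST, ahead of the administrator's rules, so the stealth rule below
    # is never consulted for these services.
    implied = [Rule(f"implied {CP_SERVICES[p][0]}", "any", p, "accept")
               for p in CP_SERVICES]
    explicit = [Rule("SCS to GW", "scs", None, "accept"),
                Rule("stealth", "any", None, "drop")]
    return implied + explicit


def hardened_policy() -> List[Rule]:
    # Implied rules disabled; every control service gets an explicit rule
    # limited to the management server, then the stealth rule. A service a
    # remote peer legitimately needs (e.g. NAT-T for VPN peers) would get its
    # own narrowly scoped rule here instead of being left to implied rules.
    return [Rule(f"{CP_SERVICES[p][0]} from SCS", "scs", p, "accept")
            for p in CP_SERVICES] + [Rule("stealth", "any", None, "drop")]


def reachable(rules: List[Rule], src: str, open_ports: List[Port]) -> List[Port]:
    """Which of the listening ports a given source actually gets through to."""
    return [p for p in open_ports if match(rules, src, p)[1] == "accept"]


if __name__ == "__main__":
    ports = parse_open_ports(SAMPLE_SCAN)
    print("Check Point-specific ports open:", fingerprint_ports(ports))
    for label, pol in (("implied on", policy_with_implied_rules()),
                       ("hardened", hardened_policy())):
        print(f"{label:11} internet -> {reachable(pol, 'internet', ports)}")
        print(f"{label:11} scs      -> {reachable(pol, 'scs', ports)}")
```

The model shows the questioner's result exactly: with implied rules on, a scanner outside reaches every control port despite the stealth rule, while the management server is unaffected by the change to the hardened policy. When you disable implied rules on a real gateway, keep the explicit SIC/CPD rule from the SmartCenter in place before pushing the policy, for the reason Alexey gives in the earlier message: losing that channel means no further policy installs until the local policy is unloaded.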
Re: [FW-1] Strange problem with a new R75.10 installation
Is the Checkpoint object type called Checkpoint gateway or Checkpoint host in Dashboard?

On Wed, May 25, 2011 at 11:30 PM, carlopmart carlopm...@gmail.com wrote:
> Hi all,
>
> I have installed a secureplatform host (R75.10) to use as a test lab and I have a strange problem: all interfaces are marked as external, and I can't change this topology definition via SmartDashboard, all checkboxes are greyed out... How can I resolve this??
>
> Thanks.
>
> --
> CL Martinez
> carlopmart {at} gmail {d0t} com

--
Sincerely,
Alexey Baltacov
drongt...@gmail.com | Tel: +972-504989954
Re: [FW-1] Strange problem with a new R75.10 installation
Because you have defined just one interface during the first time configuration wizard.

On Wed, May 25, 2011 at 11:51 PM, carlopmart carlopm...@gmail.com wrote:
> On 05/25/2011 10:49 PM, carlopmart wrote:
>> On 05/25/2011 10:40 PM, Alexey Baltacov wrote:
>>> Is the Checkpoint object type called Checkpoint gateway or Checkpoint host in Dashboard?
>>
>> Oops .. It is defined as a CheckPoint Host ... Why?? I don't understand ... How can I change to checkpoint gateway??
>
> Oops sorry .. I have found the option to change to checkpoint gateway .. But why has the installation defined this secureplatform as a checkpoint host???
>
> --
> CL Martinez
> carlopmart {at} gmail {d0t} com

--
Sincerely,
Alexey Baltacov
drongt...@gmail.com | Tel: +972-504989954
Re: [FW-1] Strange problem with a new R75.10 installation
Sergio:

You may have .1q on this NIC. So Checkpoint assumes that it is a Checkpoint host only during the first time initialization wizard and not during installation. Once you are configuring 2 or more interfaces (physical or VLANs) - it will automatically enable the object as Gateway.

On Thu, May 26, 2011 at 4:49 AM, Sergio Alvarez seral...@gmail.com wrote:
> I have seen this before. If during the Secure Platform installation there is only one network interface available, the installation wizard assumes it is a host because a gateway needs a minimum of 2 available NICs. I would suggest checking out if Secure Platform has in fact recognized all NICs on the box.
>
> Regards
>
> On Wed, May 25, 2011 at 3:04 PM, Alexey Baltacov drongt...@gmail.com wrote:
>> Because you have defined just one interface during the first time configuration wizard.
>>
>> On Wed, May 25, 2011 at 11:51 PM, carlopmart carlopm...@gmail.com wrote:
>>> On 05/25/2011 10:49 PM, carlopmart wrote:
>>>> On 05/25/2011 10:40 PM, Alexey Baltacov wrote:
>>>>> Is the Checkpoint object type called Checkpoint gateway or Checkpoint host in Dashboard?
>>>>
>>>> Oops .. It is defined as a CheckPoint Host ... Why?? I don't understand ... How can I change to checkpoint gateway??
>>>
>>> Oops sorry .. I have found the option to change to checkpoint gateway .. But why has the installation defined this secureplatform as a checkpoint host???
>>>
>>> --
>>> CL Martinez
>>> carlopmart {at} gmail {d0t} com
>>
>> --
>> Sincerely,
>> Alexey Baltacov
>> drongt...@gmail.com | Tel: +972-504989954
>
> --
> Sergio Alvarez
> CISSP | CCSE+

--
Sincerely,
Alexey Baltacov
drongt...@gmail.com | Tel: +972-504989954
Re: [FW-1] endpoint connect - failed todownload topology
Hello,

You can see the release notes for this Endpoint Connect client in order to see it is not supported under R70.20. Please see the SK below:

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=solutionid=sk61286

Alexey

On Mon, May 30, 2011 at 9:37 AM, pkc mls pkc_...@yahoo.fr wrote:
> Hi,
>
> I configured an endpoint connect client (r75.10 on windows 7), but I can't connect to my checkpoint r70.20 cluster. The issue is the same on two windows 7 laptops (one 32 bits, one 64 bits). I systematically get the message "failed to download topology". The same account can connect to the cluster with secureclient ngx r60. I configured the cluster according to the endpoint documentation. License is still NGX.
>
> Did anyone already have the same issue ?

--
Sincerely,
Alexey Baltacov
drongt...@gmail.com | Tel: +972-504989954
Re: [FW-1] endpoint connect - failed todownload topology
Please try to configure the user's password under "Checkpoint password" and not under "IKE properties".

On Mon, May 30, 2011 at 10:00 AM, pkc mls pkc_...@yahoo.fr wrote:
> On 30/05/2011 08:50, Alexey Baltacov wrote:
>> Hello,
>>
>> You can see the release notes for this Endpoint Connect client in order to see it is not supported under R70.20. Please see the SK below:
>>
>> https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=solutionid=sk61286
>
> my mistake. version is r70.40 and the hotfix mentioned in the sk has been installed.
>
>> Alexey

--
Sincerely,
Alexey Baltacov
drongt...@gmail.com | Tel: +972-504989954
Re: [FW-1] endpoint connect - failed todownload topology
Sorry, I don't know a way to increase the Check Point password length for users, except by using RADIUS or OS password. Just check whether it works with an 8-character password; then we will think about an alternative to the Check Point password solution.

On Mon, May 30, 2011 at 12:03 PM, pkc mls pkc_...@yahoo.fr wrote:

On 30/05/2011 09:25, Alexey Baltacov wrote:
Please try to configure the user's password under "Check Point Password" and not under IKE properties.

SmartDashboard complains that the password is too long. Is there a way to increase the maximum password length?
Re: [FW-1] Please help!!! Reason: Smart Center Server aborted connection with peer, due to timeout = 300000( mili-sec )( port = 18191 )
Re: [FW-1] getting information about rule creations from audit logs
Hi,

Rule modification is shown the following way (in R65):

Number: 11264
Date: 29Jun2011
Time: 9:02:38
Application: SmartDashboard
Subject: Object Manipulation
Operation: Modify Object
Type: Log
Object Type: firewall_policy
Performed On: Standard
Changes:
    UID = {8E7D9D25-757B-4CA4-956B-623D0A559264}
    Section Title 18 UID = {B893952E-ED77-4BA0-B9A7-98179F744D09} state: changed from 'collapsed' to 'expanded'
    Rule 159: added 'security_rule' - UID = {2950150B-9A7E-438A-9929-BFC280D3488C}
        Source: Lync_DMZ
        Destination: Any
        VPN: Any
        Service: domain-tcp
        Action: accept
        Install On: Cluster_IL
Administrator: alexey
Client: MANGIL1-VM
Client IP: MGMT-IL (172.30.10.25)
Object Table: fw_policies
Operation Number: 1
Origin: FW1-IL
Uid: {8E7D9D25-757B-4CA4-956B-623D0A559264}

So you should search for the relevant UID in the Changes field of the audit logs. Please be sure you are searching in the correct logs (by date).

On Wed, Jun 29, 2011 at 9:21 AM, pkc mls pkc_...@yahoo.fr wrote:

On 27/06/2011 10:49, a bv wrote:
Hi list,
I have some rules on the firewall and I have to find out who created the specific rules (numbers given) and when. Audit logs in SmartView Tracker are not so easily understandable, so I wanted to ask the list for the best way.

Hi a,
I'm afraid it's the only way for you to trace back what has been done. Which version are you running? It looks like 'create rule' doesn't exist in the operation list; you can search for when the objects that are used by this rule were created. You can also ask the firewall admins to comment on what they do (there is a comment column in the firewall rulebase).
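The search Alexey describes, as an added example that is not part of the thread: rule numbers shift whenever a rule is inserted above them, but the rule UID in the Changes field is stable, so the reliable way to answer "who created rule N" is to take the UID of rule N from the current rulebase and look for the audit record whose Changes field says that UID was added. The script assumes the audit records were saved as text in the same "Field: value" layout shown above, one record per blank-line-separated block (a real export such as `fwm logexport` is delimited differently and would need a different splitter); the three records are constructed for the example.

```python
import re

# Constructed sample in the "Field: value" layout SmartView Tracker shows for
# audit records; blank line between records. Not log data from the thread.
SAMPLE_AUDIT_EXPORT = """\
Number: 11263
Date: 28Jun2011
Time: 17:40:02
Application: SmartDashboard
Subject: Object Manipulation
Operation: Create Object
Object Type: host_plain
Performed On: Lync_DMZ
Changes: UID = {0F0F0F0F-0000-4000-8000-000000000001} ipaddr: set to '10.1.1.10'
Administrator: bob
Client IP: MGMT-IL (172.30.10.25)

Number: 11264
Date: 29Jun2011
Time: 9:02:38
Application: SmartDashboard
Subject: Object Manipulation
Operation: Modify Object
Object Type: firewall_policy
Performed On: Standard
Changes: UID = {8E7D9D25-757B-4CA4-956B-623D0A559264} Rule 159: added 'security_rule' - UID = {2950150B-9A7E-438A-9929-BFC280D3488C} Source: Lync_DMZ Destination: Any VPN: Any Service: domain-tcp Action: accept Install On: Cluster_IL
Administrator: alexey
Client IP: MGMT-IL (172.30.10.25)

Number: 11301
Date: 30Jun2011
Time: 11:15:20
Application: SmartDashboard
Subject: Object Manipulation
Operation: Modify Object
Object Type: firewall_policy
Performed On: Standard
Changes: UID = {8E7D9D25-757B-4CA4-956B-623D0A559264} Rule 159: modified 'security_rule' - UID = {2950150B-9A7E-438A-9929-BFC280D3488C} Action: changed from 'accept' to 'drop'
Administrator: carol
Client IP: MGMT-IL (172.30.10.30)
"""


def parse_audit_export(text):
    """Split a 'Field: value' export into one dict per record (assumed layout)."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in block.splitlines():
            field, sep, value = line.partition(":")   # first colon only; values may contain colons
            if sep:
                rec[field.strip()] = value.strip()
        if rec:
            records.append(rec)
    return records


# "Rule <n>: added 'security_rule' - UID = {...}" as it appears in the Changes field.
RULE_CHANGE_RE = re.compile(
    r"Rule (?P<num>\d+): (?P<what>added|modified|deleted) 'security_rule'"
    r" - UID = (?P<uid>\{[0-9A-Fa-f-]+\})"
)


def rule_history(records, rule_uid):
    """Every audit record whose Changes field touched this rule UID, oldest first."""
    hits = []
    for rec in records:
        for m in RULE_CHANGE_RE.finditer(rec.get("Changes", "")):
            if m.group("uid").upper() == rule_uid.upper():
                hits.append({
                    "number": int(rec["Number"]),
                    "when": f"{rec['Date']} {rec['Time']}",
                    "what": m.group("what"),
                    "rule_no": int(m.group("num")),   # number at the time of the change
                    "admin": rec.get("Administrator", "?"),
                    "client": rec.get("Client IP", "?"),
                })
    return sorted(hits, key=lambda h: h["number"])


def who_created_rule(records, rule_uid):
    """The 'added' record for the rule, or None if creation predates these logs."""
    for h in rule_history(records, rule_uid):
        if h["what"] == "added":
            return h
    return None


if __name__ == "__main__":
    recs = parse_audit_export(SAMPLE_AUDIT_EXPORT)
    uid = "{2950150B-9A7E-438A-9929-BFC280D3488C}"
    print(who_created_rule(recs, uid))
    for h in rule_history(recs, uid):
        print(h["when"], h["admin"], h["what"], "rule", h["rule_no"])
```

If `who_created_rule` returns None, the creation is older than the log files you loaded; Alexey's point about picking the right logs by date applies, so load older audit logs rather than concluding the rule was never audited.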
Re: [FW-1] VoIP over SNX connections failing after R70 to R75 migration
Hello Sergio,

I have never seen such a problem, but... As far as I know, in the latest CP versions the worst thing that can be done to stop voice traffic is changing the advanced protocol settings to none. What usually helps is configuring voice by the book; in my experience with SIP it works in 85% of cases. I mean configuring the voice domain, etc.

One more thing you can try for a test: install Endpoint Connect R75.10 and test with it. Generally it uses the same port 443 to connect, just a different client with more configuration options.

Alexey

On Wed, Jul 20, 2011 at 2:04 AM, Sergio Alvarez seral...@gmail.com wrote:

Hello.
This customer of ours has an active/standby SPLAT cluster with SNX enabled (bear in mind there is no Connectra involved here). Everything worked perfectly until a migration from R70.20 to R75 was done, and since then SNX users connected to the cluster can access all the services they used to, with the exception of a VoIP service (H.323); they can even ping the related server, but the application just won't work. No config changes had been made since it was working ok.

Logs show a few drops of H.323 traffic from an Office Mode IP assigned to a test user; the drops show no related rule, and the info says:

dst scheme: NA; dst methods: SSL; route status: Failed to enforce VPN policy (8)

I looked for that message and found something similar related to an encryption problem, not related to this scenario. I did a zdebug to find out what was dropped and found a few extra messages like the ones below:

;[cpu_11];[fw_0];fw_log_drop: Packet proto=6 X.X.X.X:34524 - Y.Y.Y.Y:1720 dropped by vpn_drop_and_log Reason: Failed to enforce VPN policy (8);
;[cpu_11];[fw_0];fw_log_drop: Packet proto=6 Y.Y.Y.Y:1720 - X.X.X.X:22944 dropped by vpnktcp_tunnel_out Reason: vpnk_tcpt have to be tunneled;

Where X.X.X.X is the Office Mode IP assigned to the user and Y.Y.Y.Y is the IP of the VoIP server. We could not find anything about those either.

A case is already open with CP support, but no answers have been received, and the situation is becoming more critical as time goes by. It was already checked that the rule allowing the traffic is specific on H.323 in the service section, and also changing the advanced properties of the H323 service object to none, but with no luck.

Has anybody seen something like this before? Any help will be very appreciated.

--
Sergio Alvarez CISSP | CCSE+
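Sergio's zdebug lines are the useful evidence in this thread: each one names the kernel function that dropped the packet and the reason, which is what separates a rulebase drop from a VPN-enforcement drop. As an added example, not code from the thread, the script below parses `fw ctl zdebug drop` lines in that layout and groups them by (function, reason) so that the pattern (every H.323 setup packet to port 1720 dying in `vpn_drop_and_log`) is visible at a glance. The sample lines are constructed: documentation addresses replace X.X.X.X/Y.Y.Y.Y, and the third line (a plain rulebase drop with an invented rule number) is included only to show a non-VPN reason for contrast. The console prints `->` between the endpoints; the archived post shows a bare `-`, so both are accepted.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of `fw ctl zdebug drop` output, laid out like the two
# lines quoted in the thread. 10.99.0.0/24 stands in for Office Mode IPs and
# 192.0.2.0/24 for the VoIP servers; the third line is made up for contrast.
SAMPLE_ZDEBUG = """\
;[cpu_11];[fw_0];fw_log_drop: Packet proto=6 10.99.0.7:34524 -> 192.0.2.20:1720 dropped by vpn_drop_and_log Reason: Failed to enforce VPN policy (8);
;[cpu_11];[fw_0];fw_log_drop: Packet proto=6 192.0.2.20:1720 -> 10.99.0.7:22944 dropped by vpnktcp_tunnel_out Reason: vpnk_tcpt have to be tunneled;
;[cpu_3];[fw_0];fw_log_drop: Packet proto=17 10.99.0.9:5060 -> 192.0.2.21:5060 dropped by fw_handle_first_packet Reason: Rulebase drop - rule 42;
;[cpu_3];[fw_0];fw_log_drop: Packet proto=6 10.99.0.7:34530 - 192.0.2.20:1720 dropped by vpn_drop_and_log Reason: Failed to enforce VPN policy (8);
"""

# One drop line: CPU, fw instance, protocol number, endpoints, dropping
# function and free-text reason. "->" or "-" between the endpoints.
DROP_RE = re.compile(
    r"\[(?P<cpu>cpu_\d+)\];\[(?P<inst>fw_\d+)\];fw_log_drop: "
    r"Packet proto=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?:->|-) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"dropped by (?P<func>\S+) Reason: (?P<reason>.*?);?\s*$"
)

PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}


def parse_zdebug_drops(text):
    """One dict per drop line; lines that are not fw_log_drop records are skipped."""
    drops = []
    for line in text.splitlines():
        m = DROP_RE.search(line)
        if not m:
            continue
        d = m.groupdict()
        d["proto"] = PROTO_NAMES.get(int(d["proto"]), d["proto"])
        d["sport"] = int(d["sport"])
        d["dport"] = int(d["dport"])
        drops.append(d)
    return drops


def summarize_drops(drops):
    """Count drops per (function, reason), most frequent first, with the flows under each."""
    counts = Counter((d["func"], d["reason"]) for d in drops)
    flows = defaultdict(set)
    for d in drops:
        flows[(d["func"], d["reason"])].add((d["proto"], d["src"], d["dst"], d["dport"]))
    return {key: {"count": n, "flows": sorted(flows[key])} for key, n in counts.most_common()}


def vpn_policy_drops(drops):
    """Drops taken in the VPN enforcement path (vpn* functions), the kind seen in the thread."""
    return [d for d in drops if d["func"].startswith("vpn")]


if __name__ == "__main__":
    drops = parse_zdebug_drops(SAMPLE_ZDEBUG)
    for (func, reason), info in summarize_drops(drops).items():
        print(f"{info['count']:4d}  {func:24s} {reason}")
        for flow in info["flows"]:
            print(f"      {flow[0]} {flow[1]} -> {flow[2]}:{flow[3]}")
```

Run it as `fw ctl zdebug drop > drops.txt` on the gateway (keep the capture short; zdebug is verbose) and feed the file to `parse_zdebug_drops`. A summary dominated by `vpn_*` functions with no rulebase reason is what Sergio saw and is worth attaching to the support case as-is.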
Re: [FW-1] VoIP over SNX connections failing after R70 to R75 migration
Hello Sergio,

Actually, a lot of things were changed in R75 and R75.10; that's why things that previously worked can stop working now. The idea of using Endpoint Connect is only to understand whether the problem is with the client alone or with the whole FW+VPN daemon. If the problem is with the client only, the debugging should be done on the client; possibly some new SNX release can solve it. I hope you have a ticket open with CP support and there is progress in it.

Alexey

On Thu, Jul 21, 2011 at 5:12 PM, Sergio Alvarez seral...@gmail.com wrote:

Hello Alexey. Thanks for your reply.
Actually it was all working perfectly before changing version, and the idea of changing the advanced settings in H323 to none was something we tried because it has helped in the past to solve VoIP issues, although it did not this time.
About trying with Endpoint Connect: the deal here is that the customer specifically acquired SNX licenses because they have hundreds of users in the field requiring remote access to services, and installing a VPN software client on each laptop had become a nightmare. Suggesting going back to such a scenario won't be acceptable for them.
Any further suggestions will be very appreciated.
Regards
Re: [FW-1] Slow policy installation on R70
Hi,

You can see that after a restart the policy installation works better for several days. I don't know the real reason, but it seems that after several days of work the memory usage is much higher than after a restart. I think it points to some memory leak(s) in this version. After upgrading to R71.10/R75.10 it works much better.

Alexey

On Wed, Aug 3, 2011 at 2:27 PM, a bv vbavbal...@gmail.com wrote:

Hi,
On a standalone R70 SPLAT the policy installation process sometimes gets so slow that if you have something urgent to do you get angry. Are there any ideas on what can cause this situation, how to find out, and how to fix it?
Regards
Re: [FW-1] Finding out the correct CPU usage
Hi Hugo,

The problem happens in multicore environments. This bug is known to Check Point and there is a fix for it (in R65-R71 versions). As I remember, it is solved in R75.

On Fri, Aug 5, 2011 at 9:58 AM, curious curious curiouscpcuri...@gmail.com wrote:

Hi,
On my R70 SPLAT I want to get the correct CPU usage for both real-time and long-term statistics. SmartView Monitor's main view, in the "Average CPU usage" column, says 100%, which I guess is a buggy situation. Also, when I click "System Information" on the gateway's name I get the statistics below. I also logged in to the shell remotely and used the top command, but there I see other, low numbers (I'm not sure I can fully understand top's CPU statistics). I also used "cpstat -f cpu os" and got the results at the bottom. So how can I find out the real, healthy real-time and long-term CPU usage?
Regards

Total
1   96%   1%   3%   4%
2   98%   1%   1%   2%
3   98%   1%   1%   2%
4   78%   0%  22%  22%

CPU User Time (%): 9
CPU System Time (%): 91
CPU Idle Time (%): 0
CPU Usage (%): 100
CPU Queue Length: -
CPU Interrupts/Sec: 0
CPUs Number: 4
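When a monitoring product and top disagree, the ground truth on a Linux-based gateway (SecurePlatform is Linux, as is Gaia) is the kernel's own counters in /proc/stat. As an added example that is not from the thread, the script below computes per-core and aggregate utilisation from two /proc/stat snapshots the way top does (busy time divided by elapsed time, counting idle plus iowait as idle), so a single "100% average" figure can be checked against what each core is really doing. The two snapshots are constructed for the example; `sample_live()` takes real readings on a Linux host.

```python
import time

# Two constructed /proc/stat snapshots, 200 ticks apart per core (not data from
# the thread). Columns after the cpu name:
#   user nice system idle iowait irq softirq steal guest guest_nice
SNAPSHOT_T0 = """\
cpu  5000 0 1500 40000 300 0 100 0 0 0
cpu0 1300 0 400 10000 80 0 30 0 0 0
cpu1 1200 0 350 10000 70 0 20 0 0 0
cpu2 1200 0 350 10000 70 0 20 0 0 0
cpu3 1300 0 400 10000 80 0 30 0 0 0
"""
SNAPSHOT_T1 = """\
cpu  5018 0 1562 40712 308 0 100 0 0 0
cpu0 1310 0 410 10176 84 0 30 0 0 0
cpu1 1204 0 354 10190 72 0 20 0 0 0
cpu2 1204 0 354 10190 72 0 20 0 0 0
cpu3 1300 0 444 10156 80 0 30 0 0 0
"""


def parse_proc_stat(text):
    """{cpu name: [counters]} for every 'cpu' / 'cpuN' line in a /proc/stat snapshot."""
    stats = {}
    for line in text.splitlines():
        parts = line.split()
        if parts and parts[0].startswith("cpu"):
            stats[parts[0]] = [int(x) for x in parts[1:]]
    return stats


def busy_percent(before, after):
    """Utilisation of one cpu line over the interval between two readings.
    Only the first eight columns are summed: guest time is already counted
    inside user/nice on Linux, so adding it again would double count."""
    total = sum(after[:8]) - sum(before[:8])
    idle = (after[3] + after[4]) - (before[3] + before[4])   # idle + iowait
    if total <= 0:
        return 0.0
    return round(100.0 * (total - idle) / total, 1)


def cpu_usage(snapshot_t0, snapshot_t1):
    """Per-core and aggregate utilisation between two snapshots, plus the busiest core."""
    s0, s1 = parse_proc_stat(snapshot_t0), parse_proc_stat(snapshot_t1)
    per_core = {name: busy_percent(s0[name], s1[name])
                for name in s1 if name != "cpu" and name in s0}
    return {
        "per_core": per_core,
        "aggregate": busy_percent(s0["cpu"], s1["cpu"]),
        "hottest": max(per_core, key=per_core.get),
    }


def sample_live(interval=1.0):
    """Two real readings of /proc/stat on a Linux host, `interval` seconds apart."""
    with open("/proc/stat") as f:
        t0 = f.read()
    time.sleep(interval)
    with open("/proc/stat") as f:
        t1 = f.read()
    return cpu_usage(t0, t1)


if __name__ == "__main__":
    result = cpu_usage(SNAPSHOT_T0, SNAPSHOT_T1)
    for core, pct in sorted(result["per_core"].items()):
        print(f"{core}: {pct:5.1f}%")
    print(f"aggregate: {result['aggregate']}%  hottest: {result['hottest']}")
```

For a long-term view, run `sample_live()` from cron at a fixed interval and keep the per-core figures rather than only the aggregate: on a firewall one saturated core handling interrupts for a busy interface looks healthy in a four-core average and unhealthy in the per-core list.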
Re: [FW-1] Smartreporter consolidation creation error on Smart-1
Hi,

What is the version of your SmartCenter? Eventia must be exactly the same version.

Alexey

On Fri, Sep 16, 2011 at 2:42 PM, a bv vbavbal...@gmail.com wrote:

Hi,
Why didn't I upgrade yet? Because the device is so new, and I wanted to see what it brings in problems and goodness out of the box. And the connected firewalls are still R70; with an upper R75.x Smart-1 I'm not sure whether there may be any compatibility issue (little or big).
Regards

2011/9/16 a bv vbavbal...@gmail.com:
Hi,
On a newly installed Smart-1 device which came with R70.30, when logged in to it with the R70 Eventia Reporter GUI and clicking the Consolidation tab, there is no consolidation seen there. When I click and try to create a new consolidation session, the new consolidation session window opens and I can see both my gateway's and the Smart-1's IP. Then I choose my Smart-1 IP and click Next; the window brings "Select log files and database for consolidation session" and I choose the option "Select default log files and database". After I click the Finish button in this window I get an error, "Failed to get default parameters from server/database". I looked at this error on the Check Point knowledge base site, saw some entries and checked them, but I still couldn't fix the problem, so I'm having the same issue. Is there anyone with a recommendation to fix this?
Regards
Re: [FW-1] Odd http requests after upgrade to R75.20
Hi,

I got a pretty similar problem with several web servers. The server was configured as a Web Server with "Protected by" = Any. Since the server wasn't protected by the same gateway I had upgraded (several gateways are managed by the same SmartCenter), I changed "Protected by" to the gateway that really protects it, and now all is working. In case it does not solve your problem, try configuring the type of web server you are using, or uncheck the Web Server checkbox until Check Point solves it.

Alexey

On Fri, Sep 30, 2011 at 2:03 AM, Eamonn Twohig etwo...@qcdata.com wrote:

Hi all,
We've a bit of an oddity here after upgrading our firewalls to R75.20 from R65 HFA70. The Management Server was done about 10 days ago, whilst the gateways were done in the last two days. Since the upgrade of one of the gateways yesterday, everything seemed to be working as before until we discovered that no one could access our website anymore. A quick investigation, using tcpdump and fw monitor, revealed that the firewall was dropping all https requests hitting the external IP of the web server. Which is the weird thing, because no one is sending https requests, only http. It seems that the firewall is somehow converting http requests to https and then obviously dropping them, as our rulebase will only allow http. There are no problems accepting and forwarding smtp traffic; there are no problems for anyone doing udp lookups against our dns server; no problems for anyone hitting our ftp server. Only the web server is causing us grief. We've opened a support case with Check Point but so far they are stumped. This mailing list has some experienced people as members though, so I thought I'd ask ye too. Has anyone seen something like this before? If all resources on the DMZ were inaccessible then that would make more sense, or at least make it easier to troubleshoot, but this specific issue with inbound http requests getting dropped as https is a little odd.
Thanks,
Eamonn
--
Sent from my BlackBerry Device

Confidentiality Notice: This electronic message contains information that is privileged or confidential, is the property of QC Data, and is intended only for the use of the intended recipient. If you are not the intended recipient, you are hereby notified that disclosure, copying, distribution or use of this information is prohibited. If you have received this message in error, please delete the original message and any copy of it in your possession and notify us by telephone or email immediately. QC Data (Ireland) Limited, Registered in Ireland, Number: 158091, VAT Registration No.: IE 6556091K, Registered office: 70 Sir John Rogerson's Quay, Dublin 2, Republic of Ireland.
Re: [FW-1] Odd http requests after upgrade to R75.20
Maybe you have SSL VPN enabled? It uses the same port 443...

On Tue, Oct 4, 2011 at 9:43 AM, fsackew...@hasco.com wrote:

Hi,
there is some service which is reaping port 443 from httpd:

Oct 1 00:45:00 fwxx daemon.[LOG_NOTICE] pm[250]: Reaped: httpd[2213]
Oct 1 00:45:00 fwxx daemon.[LOG_NOTICE] pm[250]: Scheduled httpd for +1 secs
Oct 1 00:45:01 fwxx daemon.[LOG_NOTICE] pm[250]: Restarted /bin/httpd[3866], count=2

After moving the SSL port of Voyager to e.g. 4433, I'm able to connect to Voyager again.

Best regards
Frank Sackewitz

From: Alexey Baltacov drongt...@gmail.com
To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
Date: 02.10.2011 09:22
Subject: Re: [FW-1] Odd http requests after upgrade to R75.20
Sent by: Mailing list for discussion of Firewall-1 FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
[FW-1] *.gddb files
Hello People!

Does anyone know what the *.gddb files under /var/opt/CPrt-R75/distrib/SOME_LONG_DIR_NAME.db/ are? There are millions of small (300 byte) files with the extension above. It was impossible to create a new file under /var until I started to delete the files, even with more than 75 GB of free disk space. So the question is: WTF??? What CP product is creating the files, and why?

--
Sincerely,
Alexey Baltacov
drongt...@gmail.com | Tel: +972-504989954
Re: [FW-1] *.gddb files
I think that is incorrect. The reporting database is a PostgreSQL file (one file). The files I found should be something temporary. The question is what product it is related to. I am pretty sure they are not Reporter files, possibly SmartEvent's. By the way, Check Point support tells me to delete the files because in this situation it is impossible to work with the server at all. All previous tickets about it finished after deleting the files, but that's not a solution, just a workaround. On Mon, Dec 12, 2011 at 2:41 PM, Hugo van der Kooij hvdko...@vanderkooij.org wrote: On 12.12.2011 13:20, Alexey Baltacov wrote: Does anyone know what the *.gddb files under /var/opt/CPrt-R75/distrib/SOME_LONG_DIR_NAME.db/ are? There are millions of small (300-byte) files with the extension above. It was impossible to create a new file under /var until I started deleting the files, even with more than 75 GB of free disk space. So the question is: WTF??? What CP product is creating the files, and why? So you found the Reporting Database and have chosen to break the database files. If you have no need for the Reporting software I would recommend that you remove it from the box. -- hvdko...@vanderkooij.org http://hugo.vanderkooij.org/ PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc
-- Sincerely, Alexey Baltacov drongt...@gmail.com | Tel: +972-504989954
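An added diagnostic for the symptom in this thread (my own example, not code from the list or from Check Point): "no space left" under /var while df still shows 75 GB of free blocks is what inode exhaustion looks like, and millions of 300-byte files will do exactly that on ext3. The directory is the one named in the post; the helper names and the retention window are assumptions of this script. Whatever writes the files should still be identified with support before purging, as the thread says; this only makes the purge safe and measurable.

```shell
#!/bin/sh
# Added example: diagnose and trim a directory that holds millions of tiny files.
# The path is the one from the thread; helper names and the 7-day window are mine.
set -u

# Inode usage of the filesystem holding $1. Free blocks are irrelevant when
# IFree hits 0; that is the "cannot create file with 75 GB free" symptom.
# Column layout is GNU df (Linux/SPLAT): Inodes IUsed IFree IUse%.
inode_usage() {
    df -i "$1" | awk 'NR == 2 { print "inodes used:", $3, "free:", $4, "use:", $5 }'
}

# Count regular files under $1 whose name ends in .$2.
# find | wc scales to millions of entries; `ls *.gddb | wc -l` does not,
# because the shell has to expand the glob into one argument list first.
count_ext() {
    find "$1" -type f -name "*.$2" | wc -l | tr -d ' '
}

# Remove files under $1 ending in .$2 that are older than $3 days and return
# how many such files remain. -exec ... + batches the rm calls, so it works
# where `rm *.gddb` fails with "Argument list too long".
purge_older_than() {
    find "$1" -type f -name "*.$2" -mtime "+$3" -exec rm -f {} +
    count_ext "$1" "$2"
}

# On the box from the thread, once support has said what produces the files:
#   inode_usage /var
#   count_ext /var/opt/CPrt-R75/distrib gddb
#   purge_older_than /var/opt/CPrt-R75/distrib gddb 7
```

Run count_ext before and after; if the count keeps climbing between runs, deleting is the workaround Alexey describes, not a fix, and the writer still has to be found.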
Re: [FW-1] Safe@Office and SmartCenter
Hi, You should buy a license for Safe@Office in order to convert it to a UTM-1 Edge. Then there is no problem centrally managing it and getting logs from it. Alexey On Mon, Dec 12, 2011 at 6:50 PM, Dan Lynch dly...@placer.ca.gov wrote: Greetings list, Can anyone confirm whether the Safe@Office 500 appliance is manageable from an R75 SmartCenter? Specifically, I want to store and push policy to the Safe@ and collect logs from it centrally. Thanks, Dan Lynch, CISSP Information Technology Analyst County of Placer Auburn, CA -- Sincerely, Alexey Baltacov drongt...@gmail.com | Tel: +972-504989954
Re: [FW-1] Upgrade with a flush install from R70 to R75.20
Hi, An upgrade_export from R70 isn't importable into R71/R75. In order to make it importable you should use the upgrade_tools from the version you are importing into. Alexey On Mon, Dec 12, 2011 at 6:46 PM, pkc mls pkc_...@yahoo.fr wrote: On 12/12/2011 10:40, a bv wrote: Hi, I have standalone R70 SPLAT boxes and I would like to upgrade them. I want to do this with a clean installation, taking the configuration file exported from R70 with upgrade_export. I want to do a clean installation because: 1- A clean installation will, I hope, bring a more stable/reliable gateway. 2- A new disk is being added, which will be primary. I used the pre_upgrade_verifier tool from the R75.20 DVD and it gave an error only for the Software Blade licences needed. What are your recommendations for this upgrade/installation? Do you think that installing R75.20 and importing the R70 export file will work (reliably)? Or are there midpaths I have to take (first install fresh R75, import the file and then use the R75.20 upgrade package, etc.)? An upgrade from R70 to R75.20 is not supported (see the upgrade paths in the R75.20 release notes). Check the R75 release notes to see whether the upgrade from R70 to R75 is supported. And while taking the export file of the R70, is it OK to use its own upgrade_export utility, or do I have to use the ones that come with the R75.20 DVD, and if so, how? Regards
-- Sincerely, Alexey Baltacov drongt...@gmail.com | Tel: +972-504989954
Re: [FW-1] A question about dynamic objects
You should use a domain object instead. Dynamic objects are used for Edge's dynamic policy. On Dec 13, 2011 9:33 PM, carlopmart carlopm...@gmail.com wrote: Hi all, I am very confused about the purpose of dynamic objects. According to this SK: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=solutionid=skI1915js_peid=P-114a7ba5fd7-10001partition=Generalproduct=Security, I need to configure every dynamic object with an IP range. But how can I do a rule like this: Source: mymailserver Destination: smtp.gmail.com Service: smtp-tls ??? As you know, smtp.gmail.com uses a different IP every day or after some hours. Is it not possible to define an object like smtp.google.com without an IP or IP range?? Using dynamic objects for several security gateways that can be resolved is a real advantage, but if it is mandatory to configure an IP range for every dynamic object, I have serious doubts ... This type of rule is really simple to install under Linux iptables-based firewalls, OpenBSD firewalls and StoneGate firewalls ... Why not under CP?? Thanks. --- CL Martinez carlopmart {at} gmail {d0t} com
Re: [FW-1] A question about dynamic objects
Hi. Domain objects are used to resolve hostnames in rules. It's also not recommended to use such objects at the beginning of the rulebase because they can heavily affect performance. In order to use them you should configure DNS servers at the OS level. Please use the nearest DNS servers possible (located in the LAN). Alexey On Dec 13, 2011 9:52 PM, carlopmart carlopm...@gmail.com wrote: On Tue, 13 Dec 2011, Alexey Baltacov wrote: You should use a domain object instead. Dynamic objects are used for Edge's dynamic policy. Thanks Alexei, but can I use domain objects to resolve hostnames under rules?? Thanks. --- CL Martinez carlopmart {at} gmail {d0t} com
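The other way round the problem, as an added example rather than code from the thread or from Check Point: keep the rule on a dynamic object and have a cron job on the gateway hold that object's address list equal to the hostname's current A records. The state file is this script's own convention, resolve_v4 assumes getent is present on the gateway OS, and the dynamic_objects syntax it emits (-n NAME to create an object, -o NAME -r FROM TO -a or -d to add or delete a range) is written from memory: run dynamic_objects with no arguments on your box to confirm it before wiring this into cron. It carries the same caveat as a domain object: the gateway tracks what its own resolver returns, which need not be the address the client got.

```shell
#!/bin/sh
# Added example: refresh a Check Point dynamic object from a hostname's current
# A records. State file, helper names and the dynamic_objects flags are my
# assumptions (verify the flags with `dynamic_objects` run with no arguments).
set -u
export LC_ALL=C   # comm and sort must agree on collation

# IPv4 addresses the hostname resolves to right now, one per line, sorted.
# getent ahostsv4 prints one line per socket type; STREAM lines are enough.
resolve_v4() {
    getent ahostsv4 "$1" 2>/dev/null | awk '$2 == "STREAM" { print $1 }' | sort -u
}

# Diff the previously applied address list in file $2 (created empty if
# missing) against the addresses passed as the remaining arguments, and print
# the dynamic_objects commands that move object $1 from the old set to the new
# one, deletions first. Nothing is executed here, so the plan can be reviewed.
plan_update() {
    obj=$1; state=$2; shift 2
    [ -f "$state" ] || : > "$state"
    if [ "$#" -gt 0 ]; then
        printf '%s\n' "$@" | sort -u > "$state.new"
    else
        : > "$state.new"
    fi
    comm -23 "$state" "$state.new" | while read -r ip; do
        printf 'dynamic_objects -o %s -r %s %s -d\n' "$obj" "$ip" "$ip"
    done
    comm -13 "$state" "$state.new" | while read -r ip; do
        printf 'dynamic_objects -o %s -r %s %s -a\n' "$obj" "$ip" "$ip"
    done
}

# Resolve, apply the plan, then record the new set. Refuses to act when the
# name did not resolve at all, so a DNS outage does not empty the object and
# silently blackhole the mail rule.
refresh() {
    obj=$1; state=$2; host=$3
    addrs=$(resolve_v4 "$host")
    if [ -z "$addrs" ]; then
        echo "refresh: $host did not resolve, leaving $obj unchanged" >&2
        return 1
    fi
    # shellcheck disable=SC2086  (word splitting on $addrs is intended)
    plan_update "$obj" "$state" $addrs | sh -e && mv "$state.new" "$state"
}

# From cron every few minutes, after creating the object once with
#   dynamic_objects -n smtp_gmail
# run:
#   refresh smtp_gmail /var/tmp/smtp_gmail.addrs smtp.gmail.com
```

Keep the cron interval shorter than the record's TTL, and remember that the rule only matches the addresses the gateway has already learned; the first connection after a DNS change still goes to the old address or is dropped.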
Re: [FW-1] web traffic through IPSEC tunnel.
Hi, There is a big chance you have a problem with the encryption domain configuration. Just check the addresses again and you will find it. On Oct 11, 2013 10:51 AM, tasneemjan tasneem...@aim.com wrote: I am using R77 and have an IPsec tunnel to a cloud service for anti-X filtering. I have a rule at the top to send all HTTP/S traffic through the community. After the 1st rule I have a rule for internal networks to be NATed behind the gateway's public interface. When I initiate the HTTP traffic it doesn't match the 1st rule and matches the 2nd rule to go to the internet, which doesn't bring the tunnel up. Can someone assist please. regards
Re: [FW-1] web traffic through IPSEC tunnel.
Is your encryption domain configured correctly? On Oct 11, 2013 2:38 PM, tasneemjan tasneem...@aim.com wrote: I have checked the encryption domain, which is correctly set up as the subnet I want to send through the IPsec tunnel. Regards -Original Message- From: Alexey Baltacov drongt...@gmail.com To: FW-1-MAILINGLIST FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM Sent: Fri, Oct 11, 2013 9:42 am Subject: Re: [FW-1] web traffic through IPSEC tunnel. Hi, There is a big chance you have a problem with the encryption domain configuration. Just check the addresses again and you will find it. On Oct 11, 2013 10:51 AM, tasneemjan tasneem...@aim.com wrote: I am using R77 and have an IPsec tunnel to a cloud service for anti-X filtering. I have a rule at the top to send all HTTP/S traffic through the community. After the 1st rule I have a rule for internal networks to be NATed behind the gateway's public interface. When I initiate the HTTP traffic it doesn't match the 1st rule and matches the 2nd rule to go to the internet, which doesn't bring the tunnel up. Can someone assist please. regards
Re: [FW-1] connection issues
Hi Frank, Disable SecureXL and you will see the whole conversation in tcpdump. On Nov 7, 2013 10:27 AM, fsackew...@hasco.com wrote: Hi, I have a strange connection issue. Apache in the DMZ. Website on port 8081. When I try to connect from outside from a Linux client I can open the website. When I try the same from a Windows client or a mobile (iPhone) the connection times out. I have tried to debug the communication. The Windows client sends a SYN packet and gets an ACK. The Windows client sends a SYN-ACK. I can see it in Wireshark on the Windows system, but not in a tcpdump on the external interface of the firewall. Any help appreciated! Best regards Frank