If you don't have access to the SK, you won't be able to follow it. SPLAT
and GAiA up to R75.40 or so didn't include the right version of the igb
driver, so you need to download it. Newer versions (R76 / R77) have the
updated driver built-in.
On Wed, Oct 2, 2013 at 9:59 AM, a bv
Different wireless frequencies. FCCA is US-standards, while the world is
nearly the rest of the world.
On Thu, Jun 27, 2013 at 10:05 AM, fsackew...@hasco.com wrote:
Hello @all,
I just got two SG-80A, or now called CP SG1100.
One is a CPAP-SG1140-NGTP-W-ADSL-A-FCCA, the other is called
@AMADEUS.US.CHECKPOINT.COM] On Behalf Of
Independent
IT Consultant
Sent: Monday, May 27, 2013 20:47
To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
Subject: Re: [FW-1] Upgrade problem
Because you probably used the R75.45 version of the utilities. Mount the
R76 DVD and use the utilities off that. Always use
This is related to an IPS table being filled. The resolution is
well-documented; see sk52101 for details.
On Mon, Apr 15, 2013 at 8:14 AM, a bv vbavbal...@gmail.com wrote:
Hi,
I saw new entries at R70 SPLAT /var/log/messages like below but
knowledgebase didn't help to find out yet to
Indirectly, you can accomplish this. Create a group with the relevant
wireless nets, then define a single rule as follows:
Source: {wireless nets}
Destination: NOT {Internal nets}
Service: HTTP, HTTPS
Action: Allow
Bear in mind that you're talking about fundamental differences in
architecture
There's insufficient information provided here to properly diagnose. If
the issue is in the policy compilation / verification stage, more often
than not, this is due to insufficient memory and/or excessive CPU load on
the SmartCenter. If the delay occurs during the installation stage, the
issue
The last I heard, there is an Android client currently under development.
I think it's in the final beta phase (based on my last conversation). The
client, from what I've been told, will work with Ice Cream Sandwich and
Jelly bean -- nothing earlier.
Contact your local checkpoint rep for more
APP Control / URL Filtering is designed for this. IPS isn't.
On Mon, Aug 6, 2012 at 8:30 AM, a bv vbavbal...@gmail.com wrote:
Hi,
How can we block facebook youtube twitter etc access from our SPLAT
with IPS to some users which some also have direct http https access
generally? Is there a
http://www.checkpoint.com/services/techsupport/hcl/virtual/index.html
To clarify further, management (SmartCenter, Eventia) are fully supported
on ESXi, as is legacy Connectra. For GATEWAY functionality, a VE license
is required.
On Fri, Jul 13, 2012 at 7:54 AM, Mark Elsen mark.el...@gmail.com
timers.
Please can you explain more? You mean by timesync all the gateways
have the same time (or how many differences accepted)? The gateways
other than mine are remote firms.
What are the tunnel timers and how to check?
Regards
2012/6/4 Independent IT Consultant itsec.itcons...@gmail.com
Prior to R70, CoreXL wasn't part of maintrain code, and was only introduced
as a special release after R65. This is the component that makes use of
multiple CPUs.
On Nokia, you also needed IPSO version 607 or later to use this feature.
On Thu, Feb 23, 2012 at 8:22 PM, Ray sixsigm...@hotmail.com
VRRP VRID must be unique per cluster per network. In other words, you
can't have 2 disparate clusters on the same network using the same VRID.
On Wed, Feb 8, 2012 at 3:15 AM, Peter Addy wavema...@yahoo.com wrote:
Just a quick question
In simplified mode, does it really matter which VRID
VRIDs.
On Wed, Feb 8, 2012 at 6:48 AM, Independent IT Consultant
itsec.itcons...@gmail.com wrote:
VRRP VRID must be unique per cluster per network. In other words, you
can't have 2 disparate clusters on the same network using the same VRID.
On Wed, Feb 8, 2012 at 3:15 AM, Peter Addy wavema
You can use du -h / to find which directories are eating up the space.
In all likelihood, it's one of 2 possible places: /home/admin or
$CPDIR/tmp. If the former, remove anything unnecessary. If it's the
latter, remove anything called file{something} -- rm file*. These are
temp files used for
Policy installation is required.
On Thu, Jan 12, 2012 at 3:09 AM, a bv vbavbal...@gmail.com wrote:
Hi,
Think of an object defined with an IP address and has been used in an
access rule. If I edit the object's properties and change its IP
address, when the new IP will have the rights of the
modzap doesn't work on SPLAT.
Is this a VSX system? TSID refers to the FWD daemon.
Determine why your log buffer is filling before changing anything.
Possible reasons may include high CPU, congestion on the wire, excessive
errors on the wire, and so on. Could also be load on the management
It sounds like you've got either a bad license or an issue with the
configuration.
Start with an evaluation license. Does that work? If so, move on to
examining the real license.
Is it central or local? You say the license is associated with the
external IP. Be sure that IP is actually there
The multiportal gateway is still there -- the WebUI also uses it.
On Fri, Dec 30, 2011 at 3:44 AM, Liu, Huiqi huiqi@cggveritas.com wrote:
Hi Ted,
Just want to clarify: IA isn't even enabled on the gateway, does it still
try to use the webportal?
Thanks,
Huiqi Liu
-Original
You can't find it because VSX on SPLAT has no WebUI.
No need for it.
On Thu, Dec 29, 2011 at 8:30 AM, tasneemjan tasneem...@netscape.net wrote:
hi
I am running vsx with following ver:
SecurePlatform Pro VSX NGX R67 Build 158
I can't connect via web interface. I do have console and ssh
Are other NICs defined but disconnected?
If you're getting dropped from Dashboard only, that would suggest that FWM
is dying. Are you simultaneously losing your SSH session?
Have you looked to see if there's any information in /var/log/messages?
If you look at your NIC counters, do you see the
to do URL filtering ... I am trying to
allow to four servers to access only to smtp.gmail.com to send some emails
a day ... Nothing more. And yes, this rules is at the end of the ruleset.
On Tue, Dec 13, 2011 at 10:53 PM, Independent IT Consultant
itsec.itcons...@gmail.com wrote:
What
What exactly are you trying to do?
Domain objects work (even with cnames), but are *VERY* resource intensive.
There is *NO* caching done, so *EVERY* new session will require a new
lookup. For services like GMAIL, this may become problematic.
This is why CP strongly advocates that any rules
If you suspect an ARP issue, run with it... When the issue presents
itself, look at the ARP table on the firewall. If the affected hosts are
on a network local to the firewall, you should see them listed in the ARP
table. If you see something listed, compare the MAC address to what it
should
DBEdit is -- in NO way -- a troubleshooting tool. It's a brute force
(read: blunt instrument) tool for directly manipulating the database.
On Fri, Dec 2, 2011 at 3:40 AM, a bv vbavbal...@gmail.com wrote:
Hi,
How and how often do you use DBedit tool? Does it help you do any
troubleshoot?
You can use the upgrade package or reimage the appliance. Should you
choose to reimage, you need either a USB DVD drive or something like a
zalman drive (or the tool noted in sk65205, though I haven't had luck with
it yet).
On Thu, Dec 1, 2011 at 9:46 AM, Kaas, David D david_d_k...@rl.gov wrote:
Have you determined the source of the CPU spike? Also, have you determined
what's eating up the disk space? If you're doing nightly backups, those
backups may be what's eating up your disk space. The log rotate and
cleanup controls only $FWDIR/log and even then only the actual log files -
not
There should be no need for putkeys. Haven't needed them in many, many
years. If moving to P1, just follow the instructions in the admin guides
to do the cma_migrate.
On Fri, Nov 18, 2011 at 8:14 PM, turenne azevedo turenn...@hotmail.com wrote:
Hi...Try this...
fw putkey IP gateway IP
I have L2TP running just fine in many places - iPhone, iPad, Android,
etc.. Follow the rules, be sure you have a supported version of gateway,
and it works like a champ. See
https://forums.checkpoint.com/forums/thread.jspa?threadID=11188&tstart=-1 or
If policy compilation is slow (the bar seems to hang at Verifying policy)
then the issue is a problem on the SMC -- likely not enough memory or too
many policies. Be sure that the only policies you have are ones that are
active on gateways, and that you don't have a bunch of unused policies.
It is not possible to restore a smartcenter from the files on a gateway
(without MASSIVE manual intervention). The objects.C compiled for a gateway
is incompatible with objects_5_0.C on the manager, and policy is darn well
nearly impossible.
Your best bet is to try to recover as much as possible
You can change it from the command line and from /etc/modprobe.conf
On Wed, Sep 21, 2011 at 9:47 AM, pkc mls pkc_...@yahoo.fr wrote:
Hi all,
Is it possible to force speed and duplex on an interface that belongs to a
bridge ?
webgui indicates that interface belonging to a bridge cannot be
If your problem is asymmetric routing, then fix that problem; don't reduce
the security posture. If I'm reading this right, your inside network points
to the firewall as the default gateway, but you've since added a router on
the inside network. The issue is that the firewall will see only
By using an already antiquated (and known buggy) version, you're causing
more work for yourself than is necessary. R75 will backwards manage R70
gateways. Reimage the appliance with 75.20 and move on.
On Fri, Sep 16, 2011 at 7:42 AM, a bv vbavbal...@gmail.com wrote:
Hi,
why didn't upgraded
Why are you using such an old version of code? Since this is a new
installation, reimage it with a newer version of the code - R75.20 would be
my recommendation. I dealt with a load of issues with 70.30 that were
cleared up with newer versions, and Eventia is far improved in the later
release.
First thing is to check your IPSO version - 6.2 prior to MR3 was very
unstable.
Next is that you may have had some modzaps on these old legacy boxes that
weren't documented.
Third would be to consider creating new cluster objects instead of recycling
and reconfiguring the old ones. Esp with
It's on a hidden partition of the hard drive -- same as the factory default
images.
On Wed, Sep 14, 2011 at 7:48 AM, a bv vbavbal...@gmail.com wrote:
Hi,
I'm taking snapshots of smart-1 appliance from its webui, and there is
a list of image names there. But I searched for this file on the
You can upgrade the bootmanager without clean install. Refer to the IPSO
Admin Guide.
On Tue, Sep 6, 2011 at 12:37 PM, Peter Addy wavema...@yahoo.com wrote:
Hi,
Anyone know how to check if a version of bootmanager is compatible with
ipso 6.2?
Also if the boot manager has to be upgraded
due to the
gateways'
inability to load the CRL.
Pre-shared secret VPN's will continue to operate, presumably
indefinitely.
Independent IT Consultant itsec.itcons...@gmail.com wrote:
It greatly depends on the *type* of VPN. If using certificates
Technically, it depends on what you're doing. If it's a general purpose
gateway and you're not using any of checkpoint's virtual stuff, then at this
point VE licensing isn't enforced, though it will yell about needing it at
the console at boot.
Legally may be a different story.
On Thu, May 26,
It greatly depends on the *type* of VPN. If using certificates (such as
with Edges or other gateways that are centrally managed), then the limiting
factor is the CRL expiration on the ICA, which is, by default, 24 hours. In
this case, tunnels that can't validate their certificates will fail
.
Are you concerned by some of the open ports? If so, tweak the implied
rules. There are well-documented secureknowledge articles on locking down
the footprint.
On Mon, May 9, 2011 at 5:53 AM, carlopmart carlopm...@gmail.com wrote:
On 05/08/2011 01:05 AM, Independent IT Consultant wrote:
I don't
I don't understand the need for the 3rd firewall. All communications
between the gateway and management are already encrypted (that's the point
of SIC --SECURE Internal Communications).
On Sat, May 7, 2011 at 5:53 PM, carlopmart carlopm...@gmail.com wrote:
Hi all,
I need to manage a remote
The install will likely ask if this is a UTM or POWER install.
In your case, this is a UTM install. The license string you provided --
cpxp-ci-vpx-250-ngx -- is an Express gateway license (vpx) for 250 users
with content inspection (ci). The cpmp-sct-3-ngx is the management
license, supporting
There is no right answer to this question, especially given the lack of
information provided. How large is the implementation? What's the
competency of the administration staff? What requirements do you have?
Does the organization already have established standards?
SPLAT is, arguably, the
Short answer: you don't.
Longer answer: If built right, there's little need for them. When defining
your smartcenter guest, be sure to use the pro-1000 card not the vmnet.
On Sun, Jan 23, 2011 at 3:15 PM, Eugeniu Patrascu eu...@imacandi.net wrote:
On Sun, Jan 23, 2011 at 14:51, Reinhard
by
political, not technical reasons), then install on RedHat, not SPLAT.
On Sun, Jan 23, 2011 at 4:54 PM, Ralph J.Mayer rma...@vinotech.de wrote:
On 23.01.2011 22:30, Independent IT Consultant wrote:
Short answer: you don't.
From performance point of view you really want the drivers.
--
Viele
Windows as an enforcement point platform greatly limits your capabilities --
most of the advanced features aren't compatible with windows. It also is
something of an oxymoron -- an inherently insecure OS used as the platform
for a security solution. At this time, 2008R2 is not supported -- only
HFAs include SPLAT updates when applicable.
On Thu, Oct 21, 2010 at 3:27 PM, a bv vbavbal...@gmail.com wrote:
Hi,
I would like to ask, when do you apply any fixes, HFAs to your
Secureplatform? Do you find any vulnerability on the OS or
application side of Secureplatform, if it remains
If it's important to use this model and not one that's certified, contact
your Checkpoint account team and ask them to submit the model for
certification; TAC can only support what's certified and has no influence
over getting new products certified. So long as it's a fairly common
platform,
If you're using legacy NGX licensing, it won't work. You need to convert
your licenses to the blade model.
On Thu, Oct 14, 2010 at 9:39 AM, Toomas Vahtra toomas.vah...@gmail.com wrote:
Hi,
Does anyone have Identity logging working with R70.3 with SmartCenter
running on SPLAT.
In the
Try a clean installation onto the gateway.
On Tue, Sep 7, 2010 at 3:22 AM, Konstantin Y Tselikhin co...@etk.ru wrote:
On Tue, 7 Sep 2010 08:43:23 +0800, Konstantin Y Tselikhin co...@etk.ru
wrote:
After upgrade management portal from R70.30 to R71.10, when
attempting to push policy
You need to update your topology to reflect the current interface names.
They will have changed when migrating from Windows to SPLAT.
Don't modify the /etc/modprobe.conf file -- that's associating the
interfaces (eth0, eth1, etc) with the NIC driver (tg3, e1000, etc).
Easiest thing would simply
Unless you have a significant performance issue with your current
configuration, I'd say, NO.
Part of the reason is that you'll need another container blade license if
you split it up. Keeping things as-is (and so long as your licenses have
support), you can use the tool from usercenter to
Assuming this is a distributed installation (Eventia on a different box than
the SMC), perform a database installation.
From SMARTDashboard, Policy -- Install Database. This syncs the SMC
database with the Eventia server.
On Mon, Feb 1, 2010 at 4:07 PM, Joe synec...@yahoo.ca wrote:
Gents,
Is your license for a sufficient # of nodes? Check Tools - License
Registration
On Mon, Feb 1, 2010 at 7:28 PM, Joe synec...@yahoo.ca wrote:
Thanks, but the database installation didn't fix the problem.
Jo
- Original Message
From: Independent IT Consultant itsec.itcons
I've tried it and, overall, like the idea -- it's certainly less expensive
than deploying SecurID and less cumbersome than digital certificates.
Checkpoint is now offering the ability to test drive the product -- they'll
grant a UserCenter account up to 50 SMS messages through their test SMS
They're great for small offices on relatively slow pipes. I don't use them
for anything more than about 15 people or a decent dsl line (up to around 10
mb), though. they're rated for 45 mb and up to unlimited users, but i've
never gotten anywhere close to that before they start falling down.
On
Redhat isn't a supported enforcement point platform in r70, and RHEL3 is
rapidly approaching end of life. It won't support the latest platforms
(such as Nehalem). Move on.
If you really don't like splat, put an IP appliance out there. Run IPSO.
If you don't like cpshell, don't use it...
.
C:\Documents and Settings\Administrator
so what am I still doing wrong?
Thanks
C:\Documents and Settings\Administratorcp_merge delimited_policy -s
127.0.0.1 -
l TesPolicy20100115 -f CentralOffice-20100810.pol -a import_append
--- On Sat, 16/1/10, Independent IT Consultant itsec.itcons
I've just gone through this with a number of my customers. It's actually
quite simple... Checkpoint is allowing customers to trade in their existing
licenses for *EQUIVALENT* software blade licenses at no cost, though a $0
purchase order has to be processed. If you're looking for something for
Yes. You need the . (without the quotes) after the -d in order to
denote the current directory as containing the policy file. Also, your -n
and -f are backwards. -n should be the name of the policy you're
merging into, while -f includes the .pol file you're merging... If
you're running this
file name] [-a
export | import_new | import_override | import_append ] [-k security | nat |
all ]
Note: -l is a lowercase L as in LIMA, not I as in Indigo or the number
1
On Sat, Jan 16, 2010 at 7:48 AM, Independent IT Consultant
itsec.itcons...@gmail.com wrote:
Yes. You need the . (without
10.1.69.39 -n CentralOffice-20100810.pol -f
TesPolicy20100115 -d
the new policy I want to create is the test one as above
all I get is Run cp_merge -help for detailed usage
what am I missing,
thanks
--- On Wed, 13/1/10, Independent IT Consultant itsec.itcons...@gmail.com
wrote:
From
I've never used the import_append command (that would have been handy for a
recent consolidation I did), but the syntax should be as follows:
cp_merge import_append -s (smartcenter IP) -n (name of policy being added /
appended) -f (policy file being added / appended) -d (. (without the
quotes) or
Not supported, never was supported. AFAIK, RHEL 3 for R65, RHEL 5 for R70.
checkpoint never seriously considered RHEL 4.
On Mon, Jan 11, 2010 at 1:12 AM, securitystig securitys...@gmail.com wrote:
Hi,
Has anyone upgraded their R65 SmartCenter to R70 on RHES \ RHAS 4.8 or
nearest build?
The
2 thoughts come to mind:
1) implied rules got corrupted -- try adding an explicit management rule
2) Try updating smartdefense -- SD could have been corrupted
Either way, a quick debug should show you what's happening.
On Wed, Dec 30, 2009 at 2:11 PM, Warden, Kim kwar...@mpr.com wrote:
...@amadeus.us.checkpoint.com] On Behalf Of
Independent IT Consultant
Sent: Wednesday, December 30, 2009 3:17 PM
To: FW-1-MAILINGLIST@amadeus.us.checkpoint.com
Subject: Re: [FW-1] Must do fwm unload locahost to get to
Smartdashboard
2 thoughts come to mind:
1) implied rules got corrupted
You can do this -- use domain as the object type (you may need to look in
the other network object category to find it), with the name being the
FQDN. NOTE: Be very, very careful about doing this, as it can cause a
significant performance degradation, as the firewall is forced to do lookups
for
Your problem is that it sounds as though there's NAT occurring on both
sides of the VoIP connection -- this is a huge issue.
Far-end NAT is a royal pain in the rear for VoIP, and can make it absolutely
useless.
My suggestion is to look into some sort of session border controller --
either
Does this happen to be a site that's natted behind the same firewall you're
behind? If so, use a split DNS to hit it directly. If not, are you seeing
the HTTP connection traversing the firewall? I've seen where customers have
some odd routes on their network in the past. If both of those look
You did an in-place upgrade, right? Do an upgrade_export, reinstall the SMC
(clean), then upgrade_import.
If your SMC is on SecurePlatform, did you delete the recursive softlink as
referenced in sk43427?
On Wed, Dec 23, 2009 at 6:31 AM, Reinhard Stich
r.st...@internet-security.at wrote:
Do
It might work -- if you use the latest build. But not recommended.
On Tue, Dec 15, 2009 at 5:10 AM, pkc_mls pkc_...@yahoo.fr wrote:
M. N. wrote:
Hi,
I know it is not on the HCL but has anyone been able to install SPLAT 2.6
R70 on a HP Proliant DL160 G6 server?
Hi,
installing a
Port translation is not the answer -- HTTP over port 443 is not the same as
HTTPS. Tell them to rewrite their application and remove hard links using
full URLs with the "http://" prefix. No external load balancer nor SSL
termination device will address bad website programming.
On Mon, Dec 14,
Enable SNMP reads, and you can use any off-the-shelf SNMP monitoring
software to grab much of this (I like the open-source stuff like ZenOSS,
Cacti, NMIS, etc). NOTE: checkpoint has its own SNMP tree you can walk.
Look up the MIBs on their support site.
I would suggest you poll the interface
Your issue sounds as though it may be solved by adjusting the freeze state
mechanism. Read sk32488: State sync while pushing the policy can cause the
cluster to failover.
I used to see this issue a lot, but can't say I've seen it with R70 yet.
2009/11/17 Luiz H. Guimarães Filho
Check to see if fwm crashed -- look in the Windows Event log for messages
regarding cpwatchdog and check task manager -- 12:1 you'll find it dead.
I've seen plenty of issues in the past (especially HFA02 and HFA25) where
FWM crashed for some unknown reason. If this is the case, Checkpoint will
Generally speaking, you need to define proxy ARP or local ARP for any NAT
that is a manually-defined NAT; if you directly edited the entries in NAT
tab, you're using manual NAT.
On Wed, Oct 28, 2009 at 7:08 AM, Peter Addy wavema...@yahoo.com wrote:
Hi
Can anyone please help urgently!!
This is 1 situation where hating on Checkpoint is not the answer -- you've
made the bed, now you've got to sleep in it. The moral of the story here is
to use hardware that's on the HCL -- at least reasonably close to hardware
on the HCL (found here:
Have you tried changing the SATA mode to legacy?
On Wed, Oct 21, 2009 at 7:56 PM, Eugeniu Patrascu eu...@imacandi.net wrote:
pkc_mls wrote:
carlopmart wrote:
I need to install R70.1 and I have only two options (because SATA
controller isn't supported by secureplatform. System is a Dell
I've successfully implemented SecurID without major incident any number of
times, most particularly in almost every Provider1 implementation I've ever
done. Just follow the instructions in the documentation, and you'll be
fine.
On Wed, Oct 21, 2009 at 6:01 PM, Hugo van der Kooij
Can we presume you're trying to install R70 and not a prior version? If
it's R65, my account team told me that checkpoint's releasing an updated
version of the 2.6 kernel version of R65, providing better support for newer
hardware as well as support HFAs -- HFA50 finally handles the old version.
If you're doing an upgrade_import, then theoretically it *SHOULD* behave --
so long as the server can find itself. The ID in SIC will be wrong, but
I've seen plenty of cases where it doesn't care -- especially if you use a
hosts file and list both the new and the old name. The BIG issue is when
checkpoint's integrated IPS (used to be SmartDefense) and IPS-1 (formerly
Sensivist from NFR) are not the same product. I've heard rumors that NCode
would eventually be integrated into the firewall-based IPS, but I don't have
a lot of faith.
cp's marketing crew claim that the new IPS engine is
R70 *Management* is supported on SPARC. R70 enforcement is no longer
supported on SPARC. That said, avoid the T processors, as I've
heard of *significant* performance issues associated with them.
R70 *Enforcement* (using SPLAT) is supported on select Sun-Intel platforms
(consult the HCL for
The hotfix should have been distributed as a zip / tarball -- bear in mind
that the hotfix will have been compiled separately for each OS, so your IPSO
version will not work on Windows. Extract it on the new smart center and
run the setup associated with the hotfix -- in the UNIX world, there's
DISCLAIMER: I've had a slew of problems with Build 96. On a dozen
gateways, I ended up reverting to an earlier build after pulling my hair out
with quirks on b96. Check Point recently (FINALLY) released 4.2 MR7 (build
105, I think) which resolved many of the issues I had.
As others have
Unless the tunnel is configured for wire mode or has some sort of
persistence, it won't be formed until traffic attempts to traverse it. Try
pinging a host at the far end of the tunnel. You should then see a few
messages in tracker regarding the tunnel being established (so long as ping
is
You can comfortably upgrade from at least NGAI to R65 directly. I recommend
that you not perform an in-place upgrade; instead, plan to do an
upgrade_export / upgrade_import onto new hardware (or virtual machine).
This will save you a load of trouble down the road. You will need to
regenerate
An IP60 is an Edge appliance. You do not need to define it as an
externally-managed device. In Dashboard, create a new VPN-1 UTM Edge
Gateway then select IP60 as type. Note, however, that you'll need to
ensure that the Sofaware Management Service is running -- from the command
line of your
I can personally confirm that legacy (that is, anything pre-Blade) does,
in fact, work with R70. I've upgraded customers with both Express and pro
licenses -- without any licensing issues whatsoever (database conversion
issues is a different story).
The caveat emptor to all of this is the
This is fairly common if running gateway anti-virus and a large amount of
the traffic is being inspected by the AV engine. Try turning off gateway
AV, and I suspect you'll see utilization drop from 95% to ~30%. If that's
the case, consider tuning your AV settings.
HTH.
On Wed, Jul 22, 2009 at
Damon:
I don't mean to start a flamewar here, but Connectra *IS* the Check Point
answer to secure reverse proxy, and, yes, it *DOES* do what ISA does (and
then some). AFAIK, it won't reverse proxy without prior authentication --
true, but, then again, if you want secure reverse proxy, why not
be sure the machines these 2 additional admins are attempting to access SDB
from are defined as GUI clients. Alternatively, consider implementing Smart
Portal (so long as you're licensed for it). SmartPortal provides web-based
read access into the Smart Center.
On Fri, Jun 26, 2009 at 8:26 PM,
If you have a Smart Defense subscription, do an update, then activate the
Conficker protection. If you're not retaining your logs (which you should
be!!!), set the action to mail or user defined and have it mail you each
time it finds a hit (though that may be tantamount to SPAM early on).
Microsoft DNS doesn't support this capability. The ills of Microsoft DNS
aside, there's only one salient point that must be considered:
* Do you require exposure of your internal DNS environment to the
outside world? If your internal DNS server is *NOT* publicly authoritative
for one or
95 matches