Re: [FW-1] connection issues

2013-11-11 Thread Sergio Alvarez
You have not mentioned anything about the firewall logs... Anything
particular there?

On Monday, 11 November 2013, pkc_mls wrote:

 On 07/11/2013 09:21, fsackew...@hasco.com wrote:

 Hi,

 hi

 I have a strange connection issue. Apache in DMZ. Website on port 8081.

 When I try to connect from outside from a Linux client I can open the
 website.
 When I try the same from a Windows client or a mobile (iPhone), the connection
 times out.

 I have tried to debug the communication.
 The Windows client sends a SYN packet and gets an ACK. The Windows client sends a
 SYN-ACK. I can see it in Wireshark on the Windows system, but not in a
 tcpdump on the external interface of the firewall.

 Any help appreciated!

 Could you try from the Windows client connected to the same network your
 firewall uses as external?
 (if you have a public IP available).

 =
 To set vacation, Out-Of-Office, or away messages,
 send an email to lists...@amadeus.us.checkpoint.com
 in the BODY of the email add:
 set fw-1-mailinglist nomail
 =
 To unsubscribe from this mailing list,
 please see the instructions at
 http://www.checkpoint.com/services/mailing.html
 =
 If you have any questions on how to change your
 subscription options, email
 fw-1-ow...@ts.checkpoint.com
 =



-- 
Sergio Alvarez
CISSP | CCSE+



Re: [FW-1] Policy/routebased routing

2013-11-07 Thread Sergio Alvarez
Hello

The easiest way to go is to upgrade at least to R75.40 and change to Gaia
instead of SPLAT.
Gaia allows you to configure PBR via the web GUI and it is very simple.

Regards

On Thursday, 7 November 2013, a bv wrote:

 Hi,

 On my R70 SPLAT, we added a new interface with a new (and second for the
 box) real IP which is connected to another ISP. I would like to configure
 a network block's/clients' traffic to pass by/to the new ISP, not the old default
 gateway. Other old networks flow as is, through the old ISP. How can I
 write this kind of source/policy based route on R70 SPLAT?

 Regards




-- 
Sergio Alvarez
CISSP | CCSE+



Re: [FW-1] web traffic through IPSEC tunnel.

2013-10-11 Thread Sergio Alvarez
I agree with David here: the problem is with the definition of the VPN
domain for the other peer; you just cannot know what the destination would
be.

Regards

On Friday, 11 October 2013, David DeSimone wrote:

 tasneemjan tasneem...@aim.com wrote:
 
  I am using R77 and have an IPsec tunnel to a cloud service for anti-x
  filtering.

 Do you mean that you want all HTTP/HTTPS traffic originating from your
 network, no matter what destination IP it might have, to go through this
 IPSEC tunnel?

  I have a rule at the top to send all http/s traffic through the
  community.

 Rules do not set the community which will be used.  They instead
 match which community was chosen, based on topology.  If your traffic
 does not route through the VPN community, then it will not match rule 1.

  After the 1st rule I have a rule for internal networks to be NATted behind
  the gateway's public interface. When I initiate the HTTP traffic it
  doesn't match the 1st rule and matches the 2nd rule to go to the internet,
  which doesn't bring the tunnel up. Can someone assist please.

 You said that you checked the encryption domain for your local network,
 and it is correct.  What did you use as the encryption domain for the
 peer at the other end of the IPSEC tunnel?

 If my guess is correct, you want to use route-based VPN rather than
 topology-based VPN.

 --
 David DeSimone == Network Admin == f...@verio.net
   "I don't like spinach, and I'm glad I don't, because if I
   liked it I'd eat it, and I just hate it." -- Clarence Darrow


 This email message is intended for the use of the person to whom it has
 been sent, and may contain information that is confidential or legally
 protected. If you are not the intended recipient or have received this
 message in error, you are not authorized to copy, distribute, or otherwise
 use this message or its attachments. Please notify the sender immediately
 by return e-mail and permanently delete this message and any attachments.
 Verio Inc. makes no warranty that this email is error or virus free.  Thank
 you.

 Email secured by Check Point




-- 
Sergio Alvarez
CISSP | CCSE+



Re: [FW-1] R75.40 Dashboard giving Operation Error message

2013-09-24 Thread Sergio Alvarez
Finally got the chance to check on this; in fact cpca has over 1000 files
open, far more than any other process in the firewall.

I still don't have a solution for the problem yet; so far I have not found any
documentation about the problem.

Thanks again for the help David... anything else to suggest... anybody?


On Fri, Sep 20, 2013 at 10:54 PM, David DeSimone f...@verio.net wrote:

 You can debug this using Linux debug techniques, since Splat and Gaia
 are just Linux under the hood.

 The message "Too many open files" either means that the process cpca
 has opened too many files and overflowed its local file table, or it
 means that some other process on the system has opened too many files
 and overflowed the global file table.

 You can see which processes have a large number of files open with an
 expert command like this:

 ls /proc/*/fd

 It should show a series of numbers for each process running, for
 example:

 /proc/522/fd:
 0  1  2  3  4  5  6  7  8  9

 That shows a process with only 10 files open.


 /proc/5196/fd:
 0    109  12   130  141  152  163  174  185  196  206  26  37  48  59  7   80  91
 1    11   120  131  142  153  164  175  186  197  207  27  38  49  6   70  81  92
 10   110  121  132  143  154  165  176  187  198  208  28  39  5   60  71  82  93
 100  111  122  133  144  155  166  177  188  199  209  29  4   50  61  72  83  94
 101  112  123  134  145  156  167  178  189  2    21   3   40  51  62  73  84  95
 102  113  124  135  146  157  168  179  19   20   210  30  41  52  63  74  85  96
 103  114  125  136  147  158  169  18   190  200  211  31  42  53  64  75  86  97
 104  115  126  137  148  159  17   180  191  201  213  32  43  54  65  76  87  98
 105  116  127  138  149  16   170  181  192  202  22   33  44  55  66  77  88  99
 106  117  128  139  15   160  171  182  193  203  23   34  45  56  67  78  89
 107  118  129  14   150  161  172  183  194  204  24   35  46  57  68  79  9
 108  119  13   140  151  162  173  184  195  205  25   36  47  58  69  8   90

 That shows a process that has 214 files open.

 If you see a process which has hundreds or thousands of files open, then
 you can find the name of the process with ps:

 [Expert@f020102]# ps 5196

   PID TTY      STAT   TIME COMMAND
  5196 ?        Ssl  234:21 cpd

 So my cpd process in this example has 214 files open.

 If your system was really out of files in its global file table, it
 would probably be crashing pretty badly.  So it seems more likely that
 your cpca process has forgotten to close some of its files and it
 eventually used up all of its file table entries.

 If so, then you probably could fix the situation by killing the cpca
 process to force it to restart, but that's getting into guesswork.  :)


 Sergio Alvarez seral...@gmail.com wrote:
 
  Hello.
 
  This customer is running a stand alone appliance running SPLAT R75.40. A
  few weeks ago, I noticed opening any object's properties in the Dashboard was
  taking far longer than usual and from time to time an error message popped
  up: "Operation Error. If the problem persists contact customer support."
  The issue went away with no changes done, and then returned a few days
  later.
 
  I checked the box for resource issues and even when CPU won't go higher
  than 40%, I noticed top shows cpca as consuming 100% of that 40%. I
  don't think I have seen something like this before, so I looked in the
  $FWDIR/log directory and found a bunch of cpca.elg files (around 10), all
  of them filled with hundreds of lines like this:
 
  SvcSk_new_connection: accept(12) failed: Too many open files
  SvcSk_new_connection: accept(11) failed: Too many open files
  SvcSk_new_connection: accept(12) failed: Too many open files
  SvcSk_new_connection: accept(11) failed: Too many open files
 
  An SK search did not help but I did find an SK on how to troubleshoot cpca
  which basically says to run debugs like this:
 
  fw debug cpca on TDERROR_ALL_ALL=5
 
  Which I did, but I don't get anything new in the elg files, just the
  same lines above.
 
  A search in SK and even Google did not help. The only SK doc mentioning the
  exact error message seen in Dashboard regards a problem trying to remove
  an ICA cert from the gateway, which of course we are not doing here.
 
  Any ideas?
 
  All suggestions would be appreciated.

 --
 David DeSimone == Network Admin == f...@verio.net
   I don't like spinach, and I'm glad I don't, because if I
liked it I'd eat it, and I just hate it. -- Clarence Darrow


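The `ls /proc/*/fd` check David describes, turned into a small report that counts descriptors per process instead of reading the columns by eye, and that compares a process against its own soft limit (the condition behind "Too many open files"). This is an added example, not code from the thread or from Check Point. It assumes a Linux /proc layout, which SPLAT and Gaia provide as David notes, and a POSIX sh in expert mode; the process name is taken from the `Name:` line of /proc/<pid>/status (present on every Linux kernel, unlike the newer /proc/<pid>/comm), and the soft limit from /proc/<pid>/limits, which is assumed to exist on the appliance kernel. PROC_ROOT is a parameter so the functions can also be run against a constructed tree.

```shell
#!/bin/sh
# Rank processes by open file descriptors, the check the reply above does by
# eye with `ls /proc/*/fd`. Added example, not from the thread or Check Point.
# Assumes a Linux /proc; PROC_ROOT is a parameter so the functions can also be
# run against a constructed tree for testing.

fd_count() {
    # Number of entries in <proc dir>/fd; 0 if the process is gone or unreadable.
    ls "$1/fd" 2>/dev/null | wc -l | tr -d ' '
}

proc_name() {
    # Process name from the "Name:" line of <proc dir>/status ("?" if unreadable).
    # status exists on every Linux kernel, unlike the newer /proc/<pid>/comm.
    name=$(awk '/^Name:/ {print $2; exit}' "$1/status" 2>/dev/null)
    printf '%s\n' "${name:-?}"
}

fd_limit() {
    # Soft "Max open files" limit from <proc dir>/limits (assumed present,
    # kernels 2.6.24 and later); prints nothing if the file is missing.
    awk '/^Max open files/ {print $4}' "$1/limits" 2>/dev/null
}

fd_near_limit() {
    # Succeeds when the process in <proc dir> holds at least <pct>% (default 90)
    # of its soft fd limit: the state that produces "Too many open files".
    count=$(fd_count "$1")
    limit=$(fd_limit "$1")
    [ -n "$limit" ] && [ "$limit" -gt 0 ] || return 1
    [ $((count * 100 / limit)) -ge "${2:-90}" ]
}

fd_report() {
    # Usage: fd_report [PROC_ROOT] [TOP_N]
    # Prints "<fd count> <pid> <name>" for the TOP_N processes with most fds.
    root=${1:-/proc}
    top=${2:-10}
    for d in "$root"/[0-9]*; do
        [ -d "$d/fd" ] || continue
        printf '%s %s %s\n' "$(fd_count "$d")" "${d##*/}" "$(proc_name "$d")"
    done | sort -rn | head -n "$top"
}

# Run against the live system only when asked, so the file can also be sourced.
if [ "${1:-}" = "run" ]; then
    fd_report /proc 10
fi
```

On a gateway, `sh fdreport.sh run` lists the ten busiest processes; `fd_near_limit /proc/<pid> 90` is the line to put in a watchdog or cron check, since a daemon that is leaking descriptors climbs towards its limit for hours before accept() starts failing.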

Re: [FW-1] R75.40 Dashboard giving Operation Error message

2013-09-23 Thread Sergio Alvarez
Thank you David.




On Fri, Sep 20, 2013 at 10:54 PM, David DeSimone f...@verio.net wrote:

 You can debug this using Linux debug techniques, since Splat and Gaia
 are just Linux under the hood.

 The message "Too many open files" either means that the process cpca
 has opened too many files and overflowed its local file table, or it
 means that some other process on the system has opened too many files
 and overflowed the global file table.

 You can see which processes have a large number of files open with an
 expert command like this:

 ls /proc/*/fd

 It should show a series of numbers for each process running, for
 example:

 /proc/522/fd:
 0  1  2  3  4  5  6  7  8  9

 That shows a process with only 10 files open.


 /proc/5196/fd:
 0    109  12   130  141  152  163  174  185  196  206  26  37  48  59  7   80  91
 1    11   120  131  142  153  164  175  186  197  207  27  38  49  6   70  81  92
 10   110  121  132  143  154  165  176  187  198  208  28  39  5   60  71  82  93
 100  111  122  133  144  155  166  177  188  199  209  29  4   50  61  72  83  94
 101  112  123  134  145  156  167  178  189  2    21   3   40  51  62  73  84  95
 102  113  124  135  146  157  168  179  19   20   210  30  41  52  63  74  85  96
 103  114  125  136  147  158  169  18   190  200  211  31  42  53  64  75  86  97
 104  115  126  137  148  159  17   180  191  201  213  32  43  54  65  76  87  98
 105  116  127  138  149  16   170  181  192  202  22   33  44  55  66  77  88  99
 106  117  128  139  15   160  171  182  193  203  23   34  45  56  67  78  89
 107  118  129  14   150  161  172  183  194  204  24   35  46  57  68  79  9
 108  119  13   140  151  162  173  184  195  205  25   36  47  58  69  8   90

 That shows a process that has 214 files open.

 If you see a process which has hundreds or thousands of files open, then
 you can find the name of the process with ps:

 [Expert@f020102]# ps 5196

   PID TTY      STAT   TIME COMMAND
  5196 ?        Ssl  234:21 cpd

 So my cpd process in this example has 214 files open.

 If your system was really out of files in its global file table, it
 would probably be crashing pretty badly.  So it seems more likely that
 your cpca process has forgotten to close some of its files and it
 eventually used up all of its file table entries.

 If so, then you probably could fix the situation by killing the cpca
 process to force it to restart, but that's getting into guesswork.  :)


 Sergio Alvarez seral...@gmail.com wrote:
 
  Hello.
 
  This customer is running a stand alone appliance running SPLAT R75.40. A
  few weeks ago, I noticed opening any object's properties in the Dashboard was
  taking far longer than usual and from time to time an error message popped
  up: "Operation Error. If the problem persists contact customer support."
  The issue went away with no changes done, and then returned a few days
  later.
 
  I checked the box for resource issues and even when CPU won't go higher
  than 40%, I noticed top shows cpca as consuming 100% of that 40%. I
  don't think I have seen something like this before, so I looked in the
  $FWDIR/log directory and found a bunch of cpca.elg files (around 10), all
  of them filled with hundreds of lines like this:
 
  SvcSk_new_connection: accept(12) failed: Too many open files
  SvcSk_new_connection: accept(11) failed: Too many open files
  SvcSk_new_connection: accept(12) failed: Too many open files
  SvcSk_new_connection: accept(11) failed: Too many open files
 
  An SK search did not help but I did find an SK on how to troubleshoot cpca
  which basically says to run debugs like this:
 
  fw debug cpca on TDERROR_ALL_ALL=5
 
  Which I did, but I don't get anything new in the elg files, just the
  same lines above.
 
  A search in SK and even Google did not help. The only SK doc mentioning the
  exact error message seen in Dashboard regards a problem trying to remove
  an ICA cert from the gateway, which of course we are not doing here.
 
  Any ideas?
 
  All suggestions would be appreciated.

 --
 David DeSimone == Network Admin == f...@verio.net
   I don't like spinach, and I'm glad I don't, because if I
liked it I'd eat it, and I just hate it. -- Clarence Darrow



[FW-1] R75.40 Dashboard giving Operation Error message

2013-09-20 Thread Sergio Alvarez
Hello.

This customer is running a stand alone appliance running SPLAT R75.40. A
few weeks ago, I noticed opening any object's properties in the Dashboard was
taking far longer than usual and from time to time an error message popped
up: "Operation Error. If the problem persists contact customer support."
The issue went away with no changes done, and then returned a few days
later.

I checked the box for resource issues and even when CPU won't go higher
than 40%, I noticed top shows cpca as consuming 100% of that 40%. I
don't think I have seen something like this before, so I looked in the
$FWDIR/log directory and found a bunch of cpca.elg files (around 10), all
of them filled with hundreds of lines like this:

SvcSk_new_connection: accept(12) failed: Too many open files
SvcSk_new_connection: accept(11) failed: Too many open files
SvcSk_new_connection: accept(12) failed: Too many open files
SvcSk_new_connection: accept(11) failed: Too many open files

An SK search did not help but I did find an SK on how to troubleshoot cpca
which basically says to run debugs like this:

fw debug cpca on TDERROR_ALL_ALL=5

Which I did, but I don't get anything new in the elg files, just the
same lines above.

A search in SK and even Google did not help. The only SK doc mentioning the
exact error message seen in Dashboard regards a problem trying to remove
an ICA cert from the gateway, which of course we are not doing here.

Any ideas?

All suggestions would be appreciated.

Regards


-- 
Sergio Alvarez
CISSP | CCSE+



Re: [FW-1] Logs show traffic on TCP/1124 sourced from the firewall to internal servers

2013-09-19 Thread Sergio Alvarez
Thanks for answering.

SV Tracker shows the firewall's internal IP as the source; xlate src shows
blank, as does the NAT rule.

I haven't been able to gather fw monitor captures of this traffic, but at
least from the logs' perspective, no NAT seems involved.

Regards

On Wednesday, 18 September 2013, David DeSimone wrote:

 Are you certain that this isn't traffic which is simply NAT'd behind the
 firewall's IP?


 Sergio Alvarez seral...@gmail.com wrote:
 
  Thanks for answering.
 
  Everything (Management and two-gateway cluster) runs on CheckPoint
  appliances (Gaia), R76.
 
  Regards
 
  On Wednesday, 18 September 2013, Diotte, Shannon S wrote:
 
   Is this an HP platform?
  
   
   From: Mailing list for discussion of Firewall-1 [
   FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM] on behalf of
   Sergio Alvarez [seral...@gmail.com]
   Sent: Wednesday, September 18, 2013 7:28 PM
   To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
   Subject: [FW-1] Logs show traffic on TCP/1124 sourced from the
   firewall to internal servers
  
   Hello.
  
   A customer is concerned with the fact that logs are showing allowed TCP/1124
   traffic originating from the firewall gateway's internal interface and
   destined to various internal servers.
   The service is named hpvmmcontrol and apparently there are multiple
   vulnerabilities associated with it.
   The firewall is not working as a proxy, Mobile Access is not in use and I
   could not come up with any further ideas on why this particular
   traffic would originate from the firewall itself.
   TCP/1124 is not something regularly used by Check Point and searches on the
   KB won't come back with anything.

   Does anybody know what this traffic could be related to?

 --
 David DeSimone == Network Admin == f...@verio.net
   "I don't like spinach, and I'm glad I don't, because if I
   liked it I'd eat it, and I just hate it." -- Clarence Darrow





-- 
Sergio Alvarez
CISSP | CCSE+



Re: [FW-1] Logs show traffic on TCP/1124 sourced from the firewall to internal servers

2013-09-18 Thread Sergio Alvarez
Thanks for answering.

Everything (Management and two-gateway cluster) runs on CheckPoint
appliances (Gaia), R76.

Regards

On Wednesday, 18 September 2013, Diotte, Shannon S wrote:

 Is this an HP platform?

 
 From: Mailing list for discussion of Firewall-1 [
 FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM] on behalf of
 Sergio Alvarez [seral...@gmail.com]
 Sent: Wednesday, September 18, 2013 7:28 PM
 To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
 Subject: [FW-1] Logs show traffic on TCP/1124 sourced from the firewall to
 internal servers

 Hello.

 A customer is concerned with the fact that logs are showing allowed TCP/1124
 traffic originating from the firewall gateway's internal interface and
 destined to various internal servers.
 The service is named hpvmmcontrol and apparently there are multiple
 vulnerabilities associated with it.
 The firewall is not working as a proxy, Mobile Access is not in use and I
 could not come up with any further ideas on why this particular
 traffic would originate from the firewall itself.
 TCP/1124 is not something regularly used by Check Point and searches on the
 KB won't come back with anything.

 Does anybody know what this traffic could be related to?

 Regards

 --
 Sergio Alvarez
 CISSP | CCSE+




-- 
Sergio Alvarez
CISSP | CCSE+



Re: [FW-1] checkpoint r76 - is anyone using this release for production firewalls ?

2013-05-15 Thread Sergio Alvarez
I have one customer installation with R76 (against my will).

So far...

Pro: URL Filtering is finally able to categorize HTTPS websites without
having to do full HTTPS inspection.

Con: SmartConsole tools seem a bit slow and regularly generate errors that
force closure of the application and require reopening it to continue
working (be careful to continuously save your progress or it might get lost).




On Wed, May 15, 2013 at 8:05 AM, pkc_mls pkc_...@yahoo.fr wrote:

 Hi all,

 I'm wondering if anyone has already upgraded production systems to R76 or
 uses this release for recently installed devices?

 Any pros or cons ?

 thanks.





-- 
Sergio Alvarez
CISSP | CCSE+



Re: [FW-1] GAIA cluster policy installation problem

2013-03-02 Thread Sergio Alvarez
Seems to me like you in fact missed adding a Sync interface (as someone
else has mentioned already). Given you have a virtual environment, just
create a new virtual switch, add interfaces on both members to be connected
to it, add IPs in the same network range (different from any IP range
behind the cluster) and define those interfaces as the Sync link between
the members.

Regards

On Thu, Feb 28, 2013 at 7:45 AM, pkc_mls pkc_...@yahoo.fr wrote:

 On 27/02/2013 23:29, a bv wrote:

  Hi,

 I have downloaded and set up an R76 cluster with 1 management and 2
 gateways on VMware. All machines have 2 virtual adapters which are on
 2 virtual host-only networks. I have created the cluster and
 established the trust. At the cluster properties I tried to set the eth0
 and eth1 interfaces with IPs for cluster and sync as separate networks.
 But I still got the below error when I try to install the policy. I
 want to ask how I can fix this.

 You should add one or two interfaces to the gateways for dedicated sync.
 You can create a bond with two interfaces and use this as a single sync link.
 How is the topology defined on your networks?







-- 
Sergio Alvarez
CISSP | CCSE+



Re: [FW-1] Choosing open server or appliance for firewall

2013-03-01 Thread Sergio Alvarez
Things have recently become a lot easier if you choose to go for
appliances: Check Point released a Sizing Tool that, even though it is not yet
generally available, allows sales contacts to enter variables such as
throughput, number of network interfaces, number of internal users, servers
to publish and protect, Blades to be enabled, number of ISP links and
available bandwidth on each one of them, etc. The tool then comes up with a
nice report suggesting 2 or 3 appliance models and specifying the room for
growth for each one of them, depending on the given scenario.

Going the open server route, I believe there is nothing like that tool yet
and it is still a matter of experience in the field and comparison between
existing deployments. There is something called the Platform Selection Guide on
the Check Point web site, but it seems they don't update the lists very
often; the only parameter mentioned is throughput and it is not very exact
about it.

Regards


On Fri, Mar 1, 2013 at 3:08 AM, a bv vbavbal...@gmail.com wrote:

 Hi,

 Nowadays I find some Check Point performance reporting scripts on the
 Check Point support site but they run mostly on the versions below R71
 etc., which doesn't fit for me.

 I want to ask the list how you select your next appliance or server
 which will run your Check Point firewalls?


 Regards





-- 
Sergio Alvarez
CISSP | CCSE+



[FW-1] How to find concurrent SNX connections

2012-11-23 Thread Sergio Alvarez
Hello.

We need to figure out the amount of concurrent SNX sessions in a gateway,
if possible getting historic data, for the purposes of working in new
hardware sizing.

sk42255 talks about the command fw tab -t cvpn_snx_session -s, but it is
giving unrealistic results. It always says #VALS is 8061 and both #PEAK and
#SLINKS show as zero. The same output is obtained on a different gateway
without SNX enabled; the number of SNX users must be changing and it makes
no sense that the peak value is zero.

Now, this gateway is running SPLAT R75.40 and the SK says the command
applies specifically to R62, so the question is whether there is a similar table
to be checked in R75 that could provide the information we need.

Any help will be appreciated.

Regards

-- 
Sergio Alvarez
CISSP | CCSE+

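Added example for the question above, not code from the list thread or from Check Point: it parses the one-line summary that `fw tab -s` prints, keeps a time series of #VALS/#PEAK for sizing, and flags the counter pattern the post calls unrealistic (#PEAK of zero while #VALS is non-zero, or #PEAK below the live count) so such samples are excluded. The column layout (HOST NAME ID #VALS #PEAK #SLINKS) and the values are a constructed sample assumed to match the gateway.

```python
"""Sanity-check and sample `fw tab -t cvpn_snx_session -s` output for SNX sizing."""
import csv
import io
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample of the summary layout (HOST NAME ID #VALS #PEAK #SLINKS),
# reproducing the values quoted in the post: 8061 entries, peak 0.
SUSPECT_OUTPUT = """\
HOST                  NAME                                 ID    #VALS  #PEAK  #SLINKS
localhost             cvpn_snx_session                     8175  8061   0      0
"""

# Constructed sample of what a healthy counter set would look like.
PLAUSIBLE_OUTPUT = """\
HOST                  NAME                                 ID    #VALS  #PEAK  #SLINKS
localhost             cvpn_snx_session                     8175  37     52     0
"""


@dataclass
class TableStats:
    host: str
    name: str
    table_id: int
    vals: int      # current number of entries
    peak: int      # high-water mark of vals since the table was created
    slinks: int


def parse_fw_tab_summary(output: str, table: str) -> Optional[TableStats]:
    """Return the summary row for `table`, or None if it is not in the output."""
    for line in output.splitlines():
        parts = line.split()
        # The header also has 6 tokens, but its second token is "NAME", not the table.
        if len(parts) == 6 and parts[1] == table:
            return TableStats(parts[0], parts[1], int(parts[2]),
                              int(parts[3]), int(parts[4]), int(parts[5]))
    return None


def counters_look_plausible(stats: TableStats) -> bool:
    """#PEAK is a high-water mark, so it can never sit below the live count."""
    if stats.vals > 0 and stats.peak == 0:
        return False
    return stats.peak >= stats.vals


def record_sample(samples: List[Dict], timestamp: str, output: str,
                  table: str = "cvpn_snx_session") -> Dict:
    """Parse one `fw tab -s` capture and append it to the series."""
    stats = parse_fw_tab_summary(output, table)
    if stats is None:
        raise ValueError(f"table {table!r} not found in fw tab output")
    row = {"ts": timestamp, "vals": stats.vals, "peak": stats.peak,
           "plausible": counters_look_plausible(stats)}
    samples.append(row)
    return row


def sizing_summary(samples: List[Dict]) -> Dict[str, int]:
    """Aggregate only the samples whose counters passed the sanity check."""
    usable = [s for s in samples if s["plausible"]]
    return {
        "samples": len(samples),
        "usable": len(usable),
        "observed_max_vals": max((s["vals"] for s in usable), default=0),
        "observed_max_peak": max((s["peak"] for s in usable), default=0),
    }


def to_csv(samples: List[Dict]) -> str:
    """Serialise the series so it can be kept as historic sizing data."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["ts", "vals", "peak", "plausible"])
    writer.writeheader()
    writer.writerows(samples)
    return buf.getvalue()


if __name__ == "__main__":
    series: List[Dict] = []
    record_sample(series, "2012-11-23T10:00:00", SUSPECT_OUTPUT)
    record_sample(series, "2012-11-23T10:05:00", PLAUSIBLE_OUTPUT)
    print(to_csv(series))
    print(sizing_summary(series))
```

Run it from cron against a fresh `fw tab -t cvpn_snx_session -s` capture each interval; a series where every sample is flagged means the table is not the one to size from on this release.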


Re: [FW-1] Setup of Remote VPN on R75+

2012-09-28 Thread Sergio Alvarez
 Alvarez
 Sent: Wednesday, September 26, 2012 12:14 PM
 To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
 Subject: Re: [FW-1] Setup of Remote VPN on R75+

 Global Properties > Remote Access > VPN Auth and Encryption > IKE over TCP
 - here you enable support for TCP encapsulation on the gateway

 Gateway Properties > IPSec VPN > Remote Access > Support NAT Traversal
 - here you enable support for a proprietary UDP encapsulation on the
 gateway.

 Now, on the client side you must enable these also, otherwise the client
 won't try to use them when trying to establish VPN. Now, I unfortunately
 don't have handy an installation of the new versions of the VPN clients,
 but on the old ones, I remember you go to Settings > Properties of the Site >
 Advanced, and you configured there the use of TCP and/or UDP Encap (also
 enable/disable Visitor mode).

 If you are still seeing HTTPS from the client IP and destined to the
 firewall on your logs, then your client is still trying to use Visitor
 Mode.

 Finally, you will find more help from people, forums and documentation if
 you turn to simplified VPN mode, traditional mode is pretty old.

 On Wed, Sep 26, 2012 at 10:12 AM, Nathan Hawkins na...@thfcom.com wrote:

  Actually I see the FW external IP used frequently, but that's not
  relevant here.
 
  Please explain where I would involve TCP encapsulation - I've looked
  around for anything that would re-designate a way for Secure Client to
  make a connection and nothing has worked so far.
 
  I have mentioned (at least once, in my initial post) that in Logviewer
  all I see are accepts for HTTP/HTTPS.
 
  I have also explained in a recent post that I don't see any drops at
  the console (CLI) for the SIP of where the remote client is coming from.
 
  Yes - I have read the Admin Guide for R75.20 - several times actually...
  It's not that helpful...
 
  -Original Message-
  From: Mailing list for discussion of Firewall-1 [mailto:
  FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM] On Behalf Of Sergio
  Alvarez
  Sent: Wednesday, September 26, 2012 10:12 AM
  To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
  Subject: Re: [FW-1] Setup of Remote VPN on R75+
 
  Well, usually the Firewall public IP is not used to statically NAT web
  servers, so regularly this is not an issue... anyway.
 
  I have mentioned already that you could try using something else like
  TCP encapsulation, have you tried that??
 
  So far you have not mentioned anything about the logs... have you
  checked them? What does it say for connection attempts from a test VPN
 client user?
 
  I see that before someone else explained to you how to use debugging
  with a filter to check for drops on the firewall, have you tried that?
 
  Have you read the VPN Admin Guide pdf document?
 
 
 
  On Wed, Sep 26, 2012 at 8:34 AM, Nathan Hawkins na...@thfcom.com
 wrote:
 
   Because HTTP/HTTPS is used for web servers - almost exclusively. I
   can't believe that I'm supporting the only company on Earth who uses
   Checkpoint at the edge with web servers that need port 80 and 443
   opened and NATed to them without the FW intercepting that traffic
   for
  Remote VPN connectivity.
  
   In R60-65 Remote Access VPN was initiated on ports other than 80/443
   and it worked great...even for visitor mode...
  
   Okay. I'll disable visitor mode because it's not necessary, but it's
   still not connecting - so what now?
  
   -Original Message-
   From: Mailing list for discussion of Firewall-1 [mailto:
   FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM] On Behalf Of Sergio
   Alvarez
   Sent: Wednesday, September 26, 2012 9:11 AM
   To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
   Subject: Re: [FW-1] Setup of Remote VPN on R75+
  
   As said... it uses TCP/443 when you enable the feature called
   Visitor Mode. You can choose to use UDP or TCP encapsulation and
   that would make it work on other ports.
  
   In any case, I don't see how using a well used port would be
   stupid/irresponsible.
  
   On Wed, Sep 26, 2012 at 7:50 AM, Nathan Hawkins na...@thfcom.com
  wrote:
  
There has to be a way to set Secure Client to connect at a port
(or
ports) other than port 80 and 443... That it requires those ports
is pretty stupid/irresponsible...
   
-Original Message-
From: Mailing list for discussion of Firewall-1 [mailto:
FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM] On Behalf Of Sergio
Alvarez
Sent: Monday, September 24, 2012 11:23 AM
To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
Subject: Re: [FW-1] Setup of Remote VPN on R75+
   
AFAIK, you need TCP/443 when you enable visitor mode, which
basically makes the clients establish an SSL connection first and
encapsulates an IPSec inside that.
It is meant to avoid connectivity issues for users located on
public sites, where only http/https is allowed to restrict
Internet use to browsing only.
I would say, try other advanced connectivity features

Re: [FW-1] Setup of Remote VPN on R75+

2012-09-26 Thread Sergio Alvarez
As said... it uses TCP/443 when you enable the feature called Visitor
Mode. You can choose to use UDP or TCP encapsulation and that would make
it work on other ports.

In any case, I don't see how using a well used port would be
stupid/irresponsible.

On Wed, Sep 26, 2012 at 7:50 AM, Nathan Hawkins na...@thfcom.com wrote:

 There has to be a way to set Secure Client to connect at a port (or ports)
 other than port 80 and 443... That it requires those ports is pretty
 stupid/irresponsible...

 -Original Message-
 From: Mailing list for discussion of Firewall-1 [mailto:
 FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM] On Behalf Of Sergio Alvarez
 Sent: Monday, September 24, 2012 11:23 AM
 To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
 Subject: Re: [FW-1] Setup of Remote VPN on R75+

 AFAIK, you need TCP/443 when you enable visitor mode, which basically
 makes the clients establish an SSL connection first and encapsulates an
 IPSec inside that.
 It is meant to avoid connectivity issues for users located on public
 sites, where only http/https is allowed to restrict Internet use to
 browsing only.
 I would say, try other advanced connectivity features, such as TCP
 encapsulation.

 On Mon, Sep 24, 2012 at 10:08 AM, Nathan Hawkins na...@thfcom.com wrote:

   fw ctl zdebug drop displays ALL drops...I need a way to further
   filter
  out the drops because there's too many drops to see the one(s) I want.
  fw ctl zdebug drop  | grep myipaddress
   In the global properties there is no specific IKE property. All
  control connections are allowed First.
  
   Well,  you use client encrypt in the action column in order to
   make
  remote access work...what do you suggest?
  set the user@at in the source, then restrict rule to apply only on
  remoteaccess community.
  (but it requires the policy to be moved to simplified mode).
 
  I think I read somewhere that Secure Client/Remote requires port 443
  to be open on the firewall...which I don't understand why that would
  be a requirement when HTTPS is necessary for web server
  applications...anyway...is there a way to make Secure Client/Remote
  connect at a different port (I suspect so - how do you do so)?
 
  I don't like simplified mode...so how do you configure the rule policy
  for secure remote connections for traditional mode?





-- 
Sergio Alvarez
CISSP | CCSE+



Re: [FW-1] Setup of Remote VPN on R75+

2012-09-26 Thread Sergio Alvarez
Well, usually the Firewall public IP is not used to statically NAT web
servers, so regularly this is not an issue... anyway.

I have mentioned already that you could try using something else like TCP
encapsulation, have you tried that??

So far you have not mentioned anything about the logs... have you checked
them? What does it say for connection attempts from a test VPN client user?

I see that before someone else explained to you how to use debugging with a
filter to check for drops on the firewall, have you tried that?

Have you read the VPN Admin Guide pdf document?



On Wed, Sep 26, 2012 at 8:34 AM, Nathan Hawkins na...@thfcom.com wrote:

 Because HTTP/HTTPS is used for web servers - almost exclusively. I can't
 believe that I'm supporting the only company on Earth who uses Checkpoint
 at the edge with web servers that need port 80 and 443 opened and NATed to
 them without the FW intercepting that traffic for Remote VPN connectivity.

 In R60-65 Remote Access VPN was initiated on ports other than 80/443 and
 it worked great...even for visitor mode...

 Okay. I'll disable visitor mode because it's not necessary, but it's still
 not connecting - so what now?

 -Original Message-
 From: Mailing list for discussion of Firewall-1 [mailto:
 FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM] On Behalf Of Sergio Alvarez
 Sent: Wednesday, September 26, 2012 9:11 AM
 To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
 Subject: Re: [FW-1] Setup of Remote VPN on R75+

 As said... it uses TCP/443 when you enable the feature called Visitor
 Mode. You can choose to use UDP or TCP encapsulation and that would make
 it work on other ports.

 In any case, I don't see how using a well used port would be
 stupid/irresponsible.

 On Wed, Sep 26, 2012 at 7:50 AM, Nathan Hawkins na...@thfcom.com wrote:

  There has to be a way to set Secure Client to connect at a port (or
  ports) other than port 80 and 443... That it requires those ports is
  pretty stupid/irresponsible...
 
  -Original Message-
  From: Mailing list for discussion of Firewall-1 [mailto:
  FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM] On Behalf Of Sergio
  Alvarez
  Sent: Monday, September 24, 2012 11:23 AM
  To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
  Subject: Re: [FW-1] Setup of Remote VPN on R75+
 
  AFAIK, you need TCP/443 when you enable visitor mode, which
  basically makes the clients establish an SSL connection first and
  encapsulates an IPSec inside that.
  It is meant to avoid connectivity issues for users located on public
  sites, where only http/https is allowed to restrict Internet use to
  browsing only.
  I would say, try other advanced connectivity features, such as TCP
  encapsulation.
 
  On Mon, Sep 24, 2012 at 10:08 AM, Nathan Hawkins na...@thfcom.com
 wrote:
 
fw ctl zdebug drop displays ALL drops...I need a way to further
filter
   out the drops because there's too many drops to see the one(s) I want.
   fw ctl zdebug drop  | grep myipaddress
In the global properties there is no specific IKE property. All
   control connections are allowed First.
   
Well,  you use client encrypt in the action column in order to
make
   remote access work...what do you suggest?
   set the user@at in the source, then restrict rule to apply only on
   remoteaccess community.
   (but it requires the policy to be moved to simplified mode).
  
   I think I read somewhere that Secure Client/Remote requires port 443
   to be open on the firewall...which I don't understand why that would
   be a requirement when HTTPS is necessary for web server
   applications...anyway...is there a way to make Secure Client/Remote
   connect at a different port (I suspect so - how do you do so)?
  
   I don't like simplified mode...so how do you configure the rule
   policy for secure remote connections for traditional mode?
 
 



 --
 Sergio Alvarez
 CISSP | CCSE+


Re: [FW-1] Setup of Remote VPN on R75+

2012-09-26 Thread Sergio Alvarez
Global Properties > Remote Access > VPN Auth and Encryption > IKE over TCP
- here you enable support for TCP encapsulation on the gateway

Gateway Properties > IPSec VPN > Remote Access > Support NAT Traversal
- here you enable support for a proprietary UDP encapsulation on the
gateway.

Now, on the client side you must enable these also, otherwise the client
won't try to use them when trying to establish VPN. Now, I unfortunately
don't have handy an installation of the new versions of the VPN clients,
but on the old ones, I remember you go to Settings > Properties of the Site >
Advanced, and you configured there the use of TCP and/or UDP Encap (also
enable/disable Visitor mode).

If you are still seeing HTTPS from the client IP and destined to the
firewall on your logs, then your client is still trying to use Visitor
Mode.

Finally, you will find more help from people, forums and documentation if
you turn to simplified VPN mode, traditional mode is pretty old.

On Wed, Sep 26, 2012 at 10:12 AM, Nathan Hawkins na...@thfcom.com wrote:

 Actually I see the FW external IP used frequently, but that's not relevant
 here.

 Please explain where I would involve TCP encapsulation - I've looked
 around for anything that would re-designate a way for Secure Client to make
 a connection and nothing has worked so far.

 I have mentioned (at least once, in my initial post) that in Logviewer all
 I see are accepts for HTTP/HTTPS.

 I have also explained in a recent post that I don't see any drops at the
 console (CLI) for the SIP of where the remote client is coming from.

 Yes - I have read the Admin Guide for R75.20 - several times actually...
 It's not that helpful...

 -Original Message-
 From: Mailing list for discussion of Firewall-1 [mailto:
 FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM] On Behalf Of Sergio Alvarez
 Sent: Wednesday, September 26, 2012 10:12 AM
 To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
 Subject: Re: [FW-1] Setup of Remote VPN on R75+

 Well, usually the Firewall public IP is not used to statically NAT web
 servers, so regularly this is not an issue... anyway.

 I have mentioned already that you could try using something else like TCP
 encapsulation, have you tried that??

 So far you have not mentioned anything about the logs... have you checked
 them? What does it say for connection attempts from a test VPN client user?

 I see that before someone else explained to you how to use debugging with
 a filter to check for drops on the firewall, have you tried that?

 Have you read the VPN Admin Guide pdf document?



 On Wed, Sep 26, 2012 at 8:34 AM, Nathan Hawkins na...@thfcom.com wrote:

  Because HTTP/HTTPS is used for web servers - almost exclusively. I
  can't believe that I'm supporting the only company on Earth who uses
  Checkpoint at the edge with web servers that need port 80 and 443
  opened and NATed to them without the FW intercepting that traffic for
 Remote VPN connectivity.
 
  In R60-65 Remote Access VPN was initiated on ports other than 80/443
  and it worked great...even for visitor mode...
 
  Okay. I'll disable visitor mode because it's not necessary, but it's
  still not connecting - so what now?
 
  -Original Message-
  From: Mailing list for discussion of Firewall-1 [mailto:
  FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM] On Behalf Of Sergio
  Alvarez
  Sent: Wednesday, September 26, 2012 9:11 AM
  To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
  Subject: Re: [FW-1] Setup of Remote VPN on R75+
 
  As said... it uses TCP/443 when you enable the feature called Visitor
  Mode. You can choose to use UDP or TCP encapsulation and that would
  make it work on other ports.
 
  In any case, I don't see how using a well used port would be
  stupid/irresponsible.
 
  On Wed, Sep 26, 2012 at 7:50 AM, Nathan Hawkins na...@thfcom.com
 wrote:
 
   There has to be a way to set Secure Client to connect at a port (or
   ports) other than port 80 and 443... That it requires those ports is
   pretty stupid/irresponsible...
  
   -Original Message-
   From: Mailing list for discussion of Firewall-1 [mailto:
   FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM] On Behalf Of Sergio
   Alvarez
   Sent: Monday, September 24, 2012 11:23 AM
   To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
   Subject: Re: [FW-1] Setup of Remote VPN on R75+
  
   AFAIK, you need TCP/443 when you enable visitor mode, which
   basically makes the clients establish an SSL connection first and
   encapsulates an IPSec inside that.
   It is meant to avoid connectivity issues for users located on public
   sites, where only http/https is allowed to restrict Internet use to
   browsing only.
   I would say, try other advanced connectivity features, such as
   TCP encapsulation.
  
   On Mon, Sep 24, 2012 at 10:08 AM, Nathan Hawkins na...@thfcom.com
  wrote:
  
 fw ctl zdebug drop displays ALL drops...I need a way to
 further filter
out the drops because there's too many drops to see the one(s) I
 want
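The log check described in the thread (HTTPS from the client IP to the firewall means the client is still in Visitor Mode, while IKE over TCP and UDP encapsulation show up on their own ports) as an added triage example, not code from the thread or from Check Point. It assumes log records exported as `fw log`-style "key: value;" text (constructed here) and the usual Check Point service ports (IKE_tcp TCP/500, IKE_NAT_TRAVERSAL UDP/4500, VPN1_IPSEC_encapsulation UDP/2746, Visitor Mode TCP/443), which you should confirm against your own service objects.

```python
"""Triage remote-access VPN connection attempts from exported gateway log lines."""
import re
from collections import Counter
from typing import Dict, Optional

# Assumed port assignments of the Check Point remote-access services.
IKE_UDP = 500                 # plain IKE
IKE_OVER_TCP = 500            # IKE_tcp (TCP encapsulation)
UDP_ENCAP_PORTS = {4500, 2746}  # IKE_NAT_TRAVERSAL, VPN1_IPSEC_encapsulation
VISITOR_MODE_TCP = 443        # Visitor Mode shares the HTTPS port

# Constructed sample records. 203.0.113.10 is the gateway's external IP;
# 203.0.113.25 is a web server statically NATed behind the same gateway.
SAMPLE_LOG = """\
26Sep2012 09:15:03 accept eth0 rule: 5; src: 198.51.100.23; dst: 203.0.113.10; proto: tcp; service: 443;
26Sep2012 09:15:04 accept eth0 rule: 5; src: 198.51.100.23; dst: 203.0.113.10; proto: tcp; service: 443;
26Sep2012 09:15:09 accept eth0 rule: 2; src: 198.51.100.23; dst: 203.0.113.10; proto: udp; service: 500;
26Sep2012 09:15:10 accept eth0 rule: 2; src: 198.51.100.23; dst: 203.0.113.10; proto: udp; service: 4500;
26Sep2012 09:15:12 accept eth0 rule: 2; src: 198.51.100.23; dst: 203.0.113.10; proto: esp;
26Sep2012 09:16:30 accept eth0 rule: 8; src: 198.51.100.77; dst: 203.0.113.10; proto: tcp; service: 443;
26Sep2012 09:16:31 drop   eth0 rule: 20; src: 198.51.100.23; dst: 203.0.113.10; proto: tcp; service: 500;
26Sep2012 09:17:00 accept eth0 rule: 5; src: 198.51.100.23; dst: 203.0.113.25; proto: tcp; service: 443;
"""

FIELD_RE = re.compile(r"(\w+): ([^;]+);")


def parse_record(line: str) -> Dict[str, str]:
    """Split one log line into its action plus the "key: value;" fields."""
    tokens = line.split()
    rec = {"action": tokens[2]}
    rec.update((k, v.strip()) for k, v in FIELD_RE.findall(line))
    return rec


def classify(rec: Dict[str, str], gateway_ip: str) -> str:
    """Name the remote-access method a record corresponds to."""
    if rec.get("dst") != gateway_ip:
        # TCP/443 to a NATed web server is ordinary HTTPS, not Visitor Mode.
        return "not to gateway"
    proto = rec.get("proto", "")
    port: Optional[int] = int(rec["service"]) if rec.get("service", "").isdigit() else None
    if proto in ("esp", "50"):
        return "IPsec ESP (no encapsulation)"
    if proto == "udp" and port == IKE_UDP:
        return "IKE (UDP/500)"
    if proto == "udp" and port in UDP_ENCAP_PORTS:
        return "UDP encapsulation (NAT-T)"
    if proto == "tcp" and port == IKE_OVER_TCP:
        return "IKE over TCP (TCP/500)"
    if proto == "tcp" and port == VISITOR_MODE_TCP:
        return "Visitor Mode (TCP/443)"
    return "other"


def triage(log_text: str, client_ip: str, gateway_ip: str) -> Dict[str, int]:
    """Count one client's records by action and method: the same filtering as
    grepping the client IP out of the log, with the port meaning attached."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        if rec.get("src") != client_ip:
            continue
        counts[f"{rec['action']} {classify(rec, gateway_ip)}"] += 1
    return dict(counts)


def uses_visitor_mode(counts: Dict[str, int]) -> bool:
    """True when the client still sends TCP/443 to the gateway itself."""
    return any("Visitor Mode" in key for key in counts)


if __name__ == "__main__":
    result = triage(SAMPLE_LOG, "198.51.100.23", "203.0.113.10")
    for key, n in sorted(result.items()):
        print(f"{n:3d}  {key}")
    print("still using Visitor Mode:", uses_visitor_mode(result))
```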

Re: [FW-1] Setup of Remote VPN on R75+

2012-09-24 Thread Sergio Alvarez
AFAIK, you need TCP/443 when you enable visitor mode, which basically
makes the clients establish an SSL connection first and encapsulates an
IPSec inside that.
It is meant to avoid connectivity issues for users located on public sites,
where only http/https is allowed to restrict Internet use to browsing only.
I would say, try other advanced connectivity features, such as TCP
encapsulation.

On Mon, Sep 24, 2012 at 10:08 AM, Nathan Hawkins na...@thfcom.com wrote:

  fw ctl zdebug drop displays ALL drops...I need a way to further filter
 out the drops because there's too many drops to see the one(s) I want.
 fw ctl zdebug drop  | grep myipaddress
  In the global properties there is no specific IKE property. All
 control connections are allowed First.
 
  Well,  you use client encrypt in the action column in order to make
 remote access work...what do you suggest?
 set the user@at in the source, then restrict rule to apply only on
 remoteaccess community.
 (but it requires the policy to be moved to simplified mode).

 I think I read somewhere that Secure Client/Remote requires port 443 to be
 open on the firewall...which I don't understand why that would be a
 requirement when HTTPS is necessary for web server
 applications...anyway...is there a way to make Secure Client/Remote connect
 at a different port (I suspect so - how do you do so)?

 I don't like simplified mode...so how do you configure the rule policy for
 secure remote connections for traditional mode?





-- 
Sergio Alvarez
CISSP | CCSE+



Re: [FW-1] Policy installation takes too long

2012-09-13 Thread Sergio Alvarez
You may want to check the resource consumption while installing policy,
but I have seen lots of slow policy installation issues with R70; upgrading
to R75 has improved that a lot.

Regards

On Thursday, 13 September 2012, pkc_mls wrote:

 On 13/09/2012 10:44, a bv wrote:

 Hi,

 On SPLAT R70 generally it takes too much time to install policy. What
 can be the reasons, how to find out the reason and fix it? How to
 improve it? Also sometimes I get a load on memory fail error.

 Disable smartmap in the global properties.

 Regarding memory the only workaround proposed by checkpoint was to upgrade
 to Gaia.






-- 
Sergio Alvarez
CISSP | CCSE+



Re: [FW-1] standalone to distributed deployment

2012-09-10 Thread Sergio Alvarez
Remember, when you do a migrate export (upgrade_export), you are in fact
getting it from the Management, no matter that there is a gateway on the same
box; from the application standpoint they are separate entities, even though
they reside on the same box.

Now, I had to do that stand-alone to distributed change a couple of times
in the past (quite a while ago), but I remember it was not so complicated:

- Export the config to the new Management and when the config comes up in
the Dashboard, just remove all gateway features from the old standalone
object, leave the Management part and use the convert to host option
available when doing a right-click on the object. It is possible you might
have to remove the old object from some spots in the config, before it
allows you to convert it to the new separate Management object.

- Once the gateway servers are installed and configured properly, create
the new cluster object establishing SIC and put this object in the required
spots (e.g. the install-on column of the rules, VPN communities, etc.) and
finally install policy.


This is a very simplified explanation and you might bump into a few rough
edges, but as I remember it, it was not so hard to figure out how to get
around them and finish the change.

Regards


On Mon, Sep 10, 2012 at 7:42 AM, r locus rlocus2...@gmail.com wrote:

 I have a dell PowerEdge running Gaia R75.04 that is a security
 gateway and security management server.   I need to turn this into a
 distributed deployment with security gateway cluster and security
 management server on different computer.  What is the best method to
 do this?  How do I get all my rules and objects setup on the new
 management server without creating all the objects manually?   If I
 use upgrade_import then the gateway is still really setup as gateway
 and management on one server.  Should I use cluster XL?


 Thank you,

 rlocus





-- 
Sergio Alvarez
CISSP | CCSE+



Re: [FW-1] Android VPN Support with Office Mode

2012-08-23 Thread Sergio Alvarez
A couple of days ago a support rep told me, after consulting with
Development, that next month there will be an early availability version of
the Check Point Mobile VPN client for Android.
It is currently available for iOS and I have seen it working very well on a
couple of customers' deployments.

Regards

On Thursday, 23 August 2012, Independent IT Consultant wrote:

 The last I heard, there is an Android client currently under development.
 I think it's in the final beta phase (based on my last conversation).  The
 client, from what I've been told, will work with Ice Cream Sandwich and
 Jelly bean -- nothing earlier.

 Contact your local checkpoint rep for more information.

 On Tue, Aug 7, 2012 at 5:24 AM, Kivanc Harputlu kivanc.harpu...@tav.aero wrote:

  Hi All,
 
  I want to use the VPN with iPad. But I have to upgrade to R71.50 or R75.40
  to use it. What would you recommend? R75.40 SPLAT or R71.50? By the way, I
  want to use VPN with Android. When I look at the Android Market, I can see
  the VPN Client but it is very old (8.12.2011) and I cannot use it with
  Office Mode on Android. Do you know how I can use it with Office Mode for
  Android, or when I can use it if it is not supported now?
 
  Thanks
  Kıvanç
 
 



-- 
Sergio Alvarez
CISSP | CCSE+


Re: [FW-1] R: [FW-1] R: [FW-1] CLI GAIA

2012-07-26 Thread Sergio Alvarez
Hello Giacomo.

Is this bug you mentioned something Check Point support admitted? Do you
know if the bug appears only when upgrading from R75.30?

I'm planning a couple of upgrades, one from R75.30 and one from R75.20.
Would rather be advised and prepared before proceeding.

Regards

On Thu, Jul 26, 2012 at 5:48 AM, Giacomo Fazio giacomo.fa...@ifc.inaf.it wrote:

 Check Point bug

 After upgrading from R75.30 SP to R75.40 Gaia, admin password is
 unrecoverable
 No possibility to manage gateway


 -Original Message-
 From: Mailing list for discussion of Firewall-1
 [mailto:FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM] On Behalf Of Giacomo
 Fazio
 Sent: Thursday, 26 July 2012 11:19
 To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
 Subject: [FW-1] R: [FW-1] CLI GAIA

 I have no possibility to change anything...
 Also the date and time are bad...
 Is it possible to add a new admin user?

 -Original Message-
 From: Mailing list for discussion of Firewall-1
 [mailto:FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM] On Behalf Of Matthew
 Odendaal
 Sent: Wednesday, 25 July 2012 14:46
 To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
 Subject: Re: [FW-1] CLI GAIA

  Where is the set command in GAIA CLI?


 It's there as soon as you log in.

 But don't make the mistake of going into expert mode. The default shell
 when you log in is clish, and the set command is a normal built-in command of
 any clish environment. It will not work in expert mode. If you have changed
 your login shell to something other than clish, then run clish manually
 from the bash prompt.

 Don't forget to issue save config after you add the route, otherwise it
 will be lost after reboot.

 Good luck

 Matthew Odendaal
 matt...@isa.co.za




 -Original Message-
 From: Mailing list for discussion of Firewall-1
 [mailto:FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM] On Behalf Of Giacomo
 Fazio
 Sent: 25 July 2012 01:47 PM
 To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
 Subject: [FW-1] CLI GAIA

 Where is the set command in GAIA CLI?





 set ipv6 static-route <Destination>
         nexthop gateway <GW IP> [priority <P Value>] on|off
                 interface <GW IF> [priority <P Value>] on|off
         nexthop blackhole
         nexthop reject
         off







-- 
Sergio Alvarez
CISSP | CCSE+


Re: [FW-1] WebUI problem on R75.20

2012-05-18 Thread Sergio Alvarez
I had a similar issue once, quite a while ago, I believe with R65. Never
found an answer and had a case opened with Check Point support for months
with no resolution.

At the end, the customer needed to change hardware and I did a clean
install, so the issue went away with the old box.

Regards

On Fri, May 18, 2012 at 8:38 AM, Liu, Huiqi huiqi@cggveritas.com wrote:

 Hello All,

 I have a problem with connecting to our enforcement with WebUI.  It seems
 to have started since I did some internal network changes, and re-IPed one
 of the interfaces, though it could have been there earlier.

 IE just says "Internet Explorer cannot display the webpage"; ssh access to
 the box is fine.
 
 Rule base looks OK as I can see the traffic being accepted, and httpd is
 running.
 
 Has anyone seen similar problems?

 Many thanks!

 Huiqi Liu





-- 
Sergio Alvarez
CISSP | CCSE+



[FW-1] cluster consuming only one public IP

2012-05-09 Thread Sergio Alvarez
Hello.

This customer has a cluster made up of two 4000 appliances. As usual, it
was configured consuming 3 public IPs (one for each cluster member and one
as the virtual IP for the cluster). Now he has run out of public IPs and asks
if something can be done to use a single public IP (the virtual one) and use
private IPs on the external interfaces of the cluster members.

I found documentation stating it CAN be done, but it does not provide any
details, so I would like to know if anyone here has done it before and can
give me the whole picture.

Besides changing the IPs on each cluster member from public to private, is
there something else that needs to be configured differently? Is there some
sort of downtime when this change is done? Besides the obvious fact that,
from the Internet, it will only be possible to access the active cluster
member via SSH or WebGUI, is there any other implication of doing this change?

Any extra piece of info regarding this scenario that anyone can provide will
be very much appreciated.

Regards

-- 
Sergio Alvarez
CISSP | CCSE+



Re: [FW-1] cluster consuming only one public IP

2012-05-09 Thread Sergio Alvarez
Thanks a lot Matthew and Crist for your quick replies, both have given me
very useful information.

Regards

On Wed, May 9, 2012 at 8:49 AM, Matthew Odendaal matt...@isa.co.za wrote:

 It's actually pretty easy, but there are a few gotchas.

 Firstly, I don't think you can get away with doing this without downtime.
 You need to change the IPs of the interface, and the clustering subsystem
 won't react too well to the change of IPs until both are done.

 In previous environments, this is how I set it up:

 1. Change the IPs of the external interfaces to the private IP range.
 2. Using sysconfig, add a new network route for the real external subnet
 and when asked for the gateway, leave it empty and hit enter. It should
 then ask you for the outgoing interface name. Type the device name of the
 external interface (e.g. Ext, eth0, etc). This allows the host to see that
 external range (including the all-important default gateway) via the correct
 interface.
 3. Add your default gateway or static routes again to point to your
 external router(s).
 4. On the cluster topology of your cluster object, edit the relevant
 external interfaces (get the topology to populate the interface names with
 the private IPs), and on the Cluster IP interface, set the Cluster IP and
 subnet mask to the real public IP address that you want to use on the
 Internet. In the member network tab, enter the network id of the private
 subnet and the relevant mask that you're using for the physical interfaces.
 The subnet masks for your private range and the public range should be the
 same.

 That should instruct ClusterXL to use the physical IPs only for the
 clustering CCP packets, but to consider the public IP as the virtual IP
 used for outgoing / incoming traffic.

 I'm not sure exactly how well this works with proxy arp though. I haven't
 done this recently, but in older versions, I had to use a local.arp file to
 get the cluster to proxy-arp for any NATs that need to exist on the public
 range (or you could just add static routes for them from the Internet
 router if you control the router).

 Good luck

 Matt


 -Original Message-
 From: Mailing list for discussion of Firewall-1 [mailto:
 FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM] On Behalf Of Sergio Alvarez
 Sent: 09 May 2012 03:55 PM
 To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
 Subject: [FW-1] cluster consuming only one public IP

 Hello.

 This customer has a cluster made up of two 4000 appliances. As usual, it
 was configured consuming 3 public IPs (one for each cluster member and one
 as the virtual IP for the cluster). Now he has run out of public IPs and asks
 if something can be done to use a single public IP (the virtual one) and use
 private IPs on the external interfaces of the cluster members.
 
 I found documentation stating it CAN be done, but it does not provide any
 details, so I would like to know if anyone here has done it before and can
 give me the whole picture.
 
 Besides changing the IPs on each cluster member from public to private, is
 there something else that needs to be configured differently? Is there some
 sort of downtime when this change is done? Besides the obvious fact that,
 from the Internet, it will only be possible to access the active cluster
 member via SSH or WebGUI, is there any other implication of doing this change?
 
 Any extra piece of info regarding this scenario that anyone can provide will
 be very much appreciated.

 Regards

 --
 Sergio Alvarez
 CISSP | CCSE+





-- 
Sergio Alvarez
CISSP | CCSE+
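As an added illustration of the constraints Matthew lists above (this is my own example, not code from the thread or from Check Point): a small checker for the single-public-VIP ClusterXL layout. The dataclass fields, function names and all addresses are constructed for illustration.

```python
"""Sanity checks for a ClusterXL external topology in which the cluster VIP
keeps the public address while the members' physical interfaces move to a
private range.  Added example, not Check Point code; the checks encode the
steps given in the thread (private member IPs, interface route for the
public subnet, equal masks, VIP/member-network split, proxy ARP for NATs).
All addresses below are constructed documentation ranges."""
import ipaddress
from dataclasses import dataclass, field
from typing import List


@dataclass
class ExternalTopology:
    member_ips: List[str]          # physical external IPs, with prefix length
    member_network: str            # "Member network" tab: private subnet/mask
    cluster_vip: str               # public virtual IP, with the public mask
    interface_routes: List[str]    # routes bound to the external NIC, no gateway
    default_gateway: str           # upstream router, lives in the public subnet
    nat_ips: List[str] = field(default_factory=list)  # static NATs on the public range


def check_topology(t: ExternalTopology) -> List[str]:
    """Return a list of human-readable problems; an empty list means the
    layout matches the procedure described in the thread."""
    problems = []
    vip = ipaddress.ip_interface(t.cluster_vip)
    member_net = ipaddress.ip_network(t.member_network, strict=False)

    # Step 1: member interfaces carry private addresses inside the member
    # network, all with the same mask.
    for raw in t.member_ips:
        m = ipaddress.ip_interface(raw)
        if not m.ip.is_private:
            problems.append(f"member {m.ip} is not a private address")
        if m.ip not in member_net:
            problems.append(f"member {m.ip} is outside member network {member_net}")
        if m.network.prefixlen != member_net.prefixlen:
            problems.append(f"member {m} mask differs from member network {member_net}")

    # Step 4: public range and private range must use the same mask, and the
    # VIP must not fall inside the private member network.
    if vip.network.prefixlen != member_net.prefixlen:
        problems.append(f"mask mismatch: VIP {vip} vs member network {member_net}")
    if vip.ip in member_net:
        problems.append(f"VIP {vip.ip} lies inside the private member network")

    # Step 2: without an interface route for the public subnet the host cannot
    # reach its default gateway after the re-IP.
    routes = [ipaddress.ip_network(r, strict=False) for r in t.interface_routes]
    if vip.network not in routes:
        problems.append(f"missing interface route for public subnet {vip.network}")

    # Step 3: the default gateway must sit in the public subnet.
    gw = ipaddress.ip_address(t.default_gateway)
    if gw not in vip.network:
        problems.append(f"default gateway {gw} is not in public subnet {vip.network}")

    # Proxy-ARP caveat: NATs on the public range need local.arp entries or an
    # upstream static route; flag any that are not even in the public subnet.
    for raw in t.nat_ips:
        nat = ipaddress.ip_address(raw)
        if nat not in vip.network:
            problems.append(f"NAT address {nat} is outside public subnet {vip.network}")
    return problems


def nat_ips_needing_proxy_arp(t: ExternalTopology) -> List[str]:
    """Public addresses other than the VIP itself: each one needs proxy ARP
    (local.arp) or a static route on the upstream router to be reachable."""
    vip_ip = ipaddress.ip_interface(t.cluster_vip).ip
    return [n for n in t.nat_ips if ipaddress.ip_address(n) != vip_ip]


# Constructed layouts: one following the procedure, one with two slips.
GOOD = ExternalTopology(
    member_ips=["172.16.255.2/29", "172.16.255.3/29"],
    member_network="172.16.255.0/29",
    cluster_vip="203.0.113.10/29",
    interface_routes=["203.0.113.8/29"],
    default_gateway="203.0.113.9",
    nat_ips=["203.0.113.11", "203.0.113.12"],
)
BAD = ExternalTopology(
    member_ips=["172.16.255.2/29", "172.16.255.3/29"],
    member_network="172.16.255.0/29",
    cluster_vip="203.0.113.10/28",   # mask differs from the member network
    interface_routes=[],             # forgot the interface route in sysconfig
    default_gateway="203.0.113.9",
)

if __name__ == "__main__":
    for name, topo in (("good", GOOD), ("bad", BAD)):
        print(name, check_topology(topo) or "OK")
```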

Re: [FW-1] Smartdashboard error

2012-05-09 Thread Sergio Alvarez
Does it work fine with the SmartConsole installed on a different computer?

Not so long ago I had a similar issue with a customer (SmartView Tracker
started loading and, after saying it was done loading, the whole window
disappeared with no error messages). In that case it was a problem with the
Management server; it happened to all administrators. Check Point Support
provided multiple possible solutions (removing files here and there,
rebooting to get them recreated), at some point decided to reinstall from
scratch and tried loading multiple backups with no success (problem
remained). Ended up doing a clean install and recreating the entire config by
hand... it was a nightmare. Gladly it was a small config and I was able to
recreate it in a few hours.

Regards

On Wed, May 9, 2012 at 6:35 AM, a bv vbavbal...@gmail.com wrote:

 Hi,

 I have a couple of versions of SmartConsole installed on my PC. I have had
 some problems with that PC these days: blue screens, non-booting
 (Windows system files related "not found" errors etc.). We have tried to
 fix this XP box but still have problems.
 My problem now is that my R75.20 SmartDashboard doesn't work: the login
 screen comes up, I try to log in and it seems to load the screen, but it
 disappears then. I can log in with SmartView Monitor to the same FW.
 I have used the fwpolicy -d command at the command prompt, then opened
 Dashboard as usual. The rule-editor_debug_output.txt file says the
 below.



  [rule-editor 3348 1628]@BSB65[9 May 11:59:33] SearchTokens: Entering.
 [rule-editor 3348 1628]@BSB65[9 May 11:59:33] CTokenHolder::LoadTokens
 - No tokens found in CAPI
 [rule-editor 3348 1628]@BSB65[9 May 11:59:33] _cp_get_cpdir: Failed to
 initilaze cp_dir.


 How can I fix the situation?


 Regards





-- 
Sergio Alvarez
CISSP | CCSE+



[FW-1] Conflict with Gaia webUI port

2012-05-09 Thread Sergio Alvarez
Hello.

I'm currently working with the new Gaia platform on a small UTM-1 270
appliance, just for testing purposes.

On older SPLAT appliances they had changed the default port for the WebUI
from the original 443 to 4434, in order to avoid conflicts with SNX or the
Mobile Access Portal, but the new Gaia works by default again on plain
HTTPS 443 port. I wondered what if I want to enable SNX or the Mobile
Access Portal then. I could not find details about this in the
documentation I downloaded for Gaia and R75.40 in general.

Obviously first I looked for the option to change the current WebUI port in
the WebUI console itself (it's there on the SPLAT WebUI), but after browsing
the options tree (advanced option enabled), I could not find it. Moved
then to the CLI and tried the old SPLAT command "webui enable", that
allowed changing that port, but the command is no longer valid.

So I was a little naive and thought maybe if you enable something that
requires port 443, the webUI will automatically change to something else.
But I enabled SNX on the gateway, installed policy and the webUI was no
longer available... pointing to the gateway on port 443 obviously gives the
SNX portal but the Gaia webUI was not available on 4434 or any other port I
could think of.

Finally I decided to disable SNX and install policy to regain access to the
Gaia WebUI... surprise!... it did not work again; I rebooted and tried
several things but the page was not available... so basically be very
careful, I ended up going back to factory defaults and starting from scratch.

I wonder then how to get SNX or the Mobile Access Portal working on a Gaia
box without losing the WebUI.

Anyone care to share his/her experience?

Regards



-- 
Sergio Alvarez
CISSP | CCSE+



Re: [FW-1] Remote Access VPN Configuration

2012-05-07 Thread Sergio Alvarez
Hello.

As mentioned on my previous message: ... newer E7x client versions work
also on 64-bit OS, but unless you have a very recent software version on
your gateway side, you will need to apply patches or upgrades on it...

So unfortunately the answer to your question is negative. Depending on how old
your gateway version is, you might or might not have the possibility
of adding a patch to support the new E7x client; that's why I suggested
checking on that in the release notes.

Regards

On Mon, May 7, 2012 at 5:45 AM, a bv vbavbal...@gmail.com wrote:

 Many thanks,
 I wonder if backward compatibility is living, like having and
 installing the latest remote access client: will I be able to connect
 to my older gateway version? As you know, when managing firewalls you
 have to use the same version of the SmartConsole applications as the gateway
 in the Check Point world.

 Regards


 2012/5/4 Sergio Alvarez seral...@gmail.com:
  It is confusing.
 
  Older client versions (R5x/R6x) will only work on 32-bit windows
 versions,
  newer E7x client versions work also on 64-bit OS, but unless you have a
  very recent software version on your gateway side, you will need to apply
  patches or upgrades on it.
 
  I suggest to verify in detail each client's Release Notes before making a
  decision.
 
  Good luck with your tests.
 
  Regards
 
  On Thu, May 3, 2012 at 2:46 AM, a bv vbavbal...@gmail.com wrote:
 
  Many thanks, I'll try as soon as possible, and the VPN client choosing
  can be a little confusing, especially finding the compatible client
  with the gateway version seems confusing.
 
  Regards
 
  2012/4/22 Sergio Alvarez seral...@gmail.com:
   You need:
  
   - User Group with at least one user for remote access
   - Remote Access Community including participating gateway(s) and the above
   mentioned user group
   - Security Rule with the user group as source and the specific destinations
   you want to give access to via remote access
   - Make sure the VPN Domain includes the destinations of the above mentioned
   rule (Gateway properties > Topology > VPN Domain)
  
   Note: By default the VPN Domain defined in the Topology section applies to
   both Remote Access and site-to-site VPNs, although it's possible they
   might have been configured differently. Verify this by clicking on the
   button "Set domain for Remote Access Community".
  
   Hope this helps.
  
   Regards
  
  
   On Fri, Apr 20, 2012 at 6:22 AM, a bv vbavbal...@gmail.com wrote:
  
   Hi,
  
   For successfully giving Remote Access VPN service to the users,
   what are the required and methodical steps? Following the documentation
   doesn't always work.
  
  
   1- Configuring the remote access community, creating a user, installing
   the client on the PC and trying to create the site and connection didn't
   work.
   2- Will it work if I add a security rule which lets the user access
   anything through the remote access VPN community?
  
   3- What about the IP setting and network access of the VPN user? Will any
   additional routing / TCP/IP configuration be required at the client
   side?
  
   4- Any additional settings, configuration and management tasks?
  
  
   Regards
  
  
  
  
  
   --
   Sergio Alvarez
   CISSP | CCSE+
  

Re: [FW-1] Remote Access VPN Configuration

2012-05-04 Thread Sergio Alvarez
It is confusing.

Older client versions (R5x/R6x) will only work on 32-bit windows versions,
newer E7x client versions work also on 64-bit OS, but unless you have a
very recent software version on your gateway side, you will need to apply
patches or upgrades on it.

I suggest to verify in detail each client's Release Notes before making a
decision.

Good luck with your tests.

Regards

On Thu, May 3, 2012 at 2:46 AM, a bv vbavbal...@gmail.com wrote:

 Many thanks, I'll try as soon as possible, and the VPN client choosing
 can be a little confusing, especially finding the compatible client
 with the gateway version seems confusing.

 Regards

 2012/4/22 Sergio Alvarez seral...@gmail.com:
  You need:
 
  - User Group with at least one user for remote access
  - Remote Access Community including participating gateway(s) and the above
  mentioned user group
  - Security Rule with the user group as source and the specific destinations
  you want to give access to via remote access
  - Make sure the VPN Domain includes the destinations of the above mentioned
  rule (Gateway properties > Topology > VPN Domain)
 
  Note: By default the VPN Domain defined in the Topology section applies to
  both Remote Access and site-to-site VPNs, although it's possible they
  might have been configured differently. Verify this by clicking on the
  button "Set domain for Remote Access Community".
 
  Hope this helps.
 
  Regards
 
 
  On Fri, Apr 20, 2012 at 6:22 AM, a bv vbavbal...@gmail.com wrote:
 
  Hi,
 
  For successfully giving Remote Access VPN service to the users,
  what are the required and methodical steps? Following the documentation
  doesn't always work.
 
 
  1- Configuring the remote access community, creating a user, installing
  the client on the PC and trying to create the site and connection didn't
  work.
  2- Will it work if I add a security rule which lets the user access
  anything through the remote access VPN community?
 
  3- What about the IP setting and network access of the VPN user? Will any
  additional routing / TCP/IP configuration be required at the client
  side?
 
  4- Any additional settings, configuration and management tasks?
 
 
  Regards
 
 
 
 
 
  --
  Sergio Alvarez
  CISSP | CCSE+
 




-- 
Sergio Alvarez
CISSP | CCSE+



Re: [FW-1] Root partition full, unable to update IPS

2012-02-13 Thread Sergio Alvarez
Thanks for your reply Matthew.

BTW, I got the issue resolved by cleaning the /var partition, removing a
decompressed R75.10 installer, several export backups and a couple of cap
files generated with fw monitor, that were placed there while doing some
troubleshooting for another issue.

I guess everybody is used to place in /var whatever files require disk
space...

Regards

On Sun, Feb 12, 2012 at 1:10 PM, Matthew Odendaal matt...@isa.co.za wrote:

 Hi Sergio

 Unfortunately it applies to the 2012 appliances as well.

 Kind Regards

 Matthew Odendaal
 Technical Manager

 Information Security Architects
 matt...@isa.co.za


 -Original Message-
 From: Mailing list for discussion of Firewall-1 [mailto:
 FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM] On Behalf Of Sergio Alvarez
 Sent: 09 February 2012 05:15 PM
 To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
 Subject: Re: [FW-1] Root partition full, unable to update IPS

 Thanks to you too Matthew.

 Now that you explained that about the /var and /var/log partitions, I
 finally understand a lot of things... I was not aware of the difference
 between the appliances and the regular SPLAT versions (which is what I mostly
 work with).
 
 Then, I have a question: does this change with the /var partition apply only
 to the UTM-1 appliances, or also to the new 2012 appliances? I
 installed a couple of those already and have several more on the way.

 Regards

 On Thu, Feb 9, 2012 at 9:08 AM, Matthew Odendaal matt...@isa.co.za
 wrote:

  Hi Sergio
 
  Remember that on appliances, the /var partition is not a separate
  partition. Only /var/log is defined as a separate partition. Which
  means that if there are any Check Point products on the box that
  normally use /var for their files, those files are actually residing
  on the root partition on an appliance. A good example is SmartEvent and
 SmartReporter.
  If you have either of those, make sure that you make symbolic links
  for the events_db directory to point to somewhere under /var/log. Also
  make sure that any temp directory you have created under /var (for
  patches etc) are moved to /var/log.
 
  I also agree that in all likelihood, you have a number of files under
  $CPDIR/tmp which can be removed if they begin with file{something}.
 
  I don't know why Check Point decided to move away from using /var as
  the major partition on appliances. It causes many problems, especially
  when you enable kernel crash dumps and they write to /var/crash and fill
 up the disk.
 
 
  Matthew Odendaal
  Technical Manager
 
  Information Security Architects
  matt...@isa.co.za
 
 
 
 
 
  -Original Message-
  From: Mailing list for discussion of Firewall-1 [mailto:
  FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM] On Behalf Of Sergio
  Alvarez
  Sent: 09 February 2012 04:13 AM
  To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
  Subject: [FW-1] Root partition full, unable to update IPS
 
  Hello.
 
  This customer of ours has a UTM-1 appliance running R75.10. We recently
  found out IPS updates are failing; the error says "unable to put files on
  server", and another error message says URLF updates are also failing, for
  that it says "insufficient disk space". The df -h command showed the
  root partition is the one with 100% usage.
  On the /var partition you can remove logs or backups, but what can be
  safely removed from the root partition to make up some space and get
  the issue resolved?
 
  Regards
 
  --
  Sergio Alvarez
  CISSP | CCSE+
 
 



 --
 Sergio Alvarez
 CISSP | CCSE+


Re: [FW-1] Root partition full, unable to update IPS

2012-02-09 Thread Sergio Alvarez
Thanks a lot for your suggestions. I'll check on that.

Regards

On Wed, Feb 8, 2012 at 8:35 PM, Independent IT Consultant 
itsec.itcons...@gmail.com wrote:

 You can use du -h / to find which directories are eating up the space.
 In all likelihood, it's one of 2 possible places: /home/admin or
 $CPDIR/tmp.  If the former, remove anything unnecessary.  If it's the
 latter, remove anything called file{something} -- rm file*.  These are
 temp files used for on-line contract validation that don't always get
 cleaned up properly.

 On Wed, Feb 8, 2012 at 9:13 PM, Sergio Alvarez seral...@gmail.com wrote:

  Hello.
 
  This customer of ours has a UTM-1 appliance running R75.10. We recently
  found out IPS updates are failing; the error says "unable to put files on
  server", and another error message says URLF updates are also failing, for
  that it says "insufficient disk space". The df -h command showed the
  root partition is the one with 100% usage.
  On the /var partition you can remove logs or backups, but what can be
  safely removed from the root partition to make up some space and get
  the issue resolved?
 
  Regards
 
  --
  Sergio Alvarez
  CISSP | CCSE+
 




-- 
Sergio Alvarez
CISSP | CCSE+



Re: [FW-1] Root partition full, unable to update IPS

2012-02-09 Thread Sergio Alvarez
Thanks to you too Matthew.

Now that you explained that about the /var and /var/log partitions, I
finally understand a lot of things... I was not aware of the difference
between the appliances and the regular SPLAT versions (which is what I mostly
work with).

Then, I have a question: does this change with the /var partition apply only
to the UTM-1 appliances, or also to the new 2012 appliances? I
installed a couple of those already and have several more on the way.

Regards

On Thu, Feb 9, 2012 at 9:08 AM, Matthew Odendaal matt...@isa.co.za wrote:

 Hi Sergio

 Remember that on appliances, the /var partition is not a separate
 partition. Only /var/log is defined as a separate partition. Which means
 that if there are any Check Point products on the box that normally use
 /var for their files, those files are actually residing on the root
 partition on an appliance. A good example is SmartEvent and SmartReporter.
 If you have either of those, make sure that you make symbolic links for the
 events_db directory to point to somewhere under /var/log. Also make sure
 that any temp directory you have created under /var (for patches etc) are
 moved to /var/log.

 I also agree that in all likelihood, you have a number of files under
 $CPDIR/tmp which can be removed if they begin with file{something}.

 I don't know why Check Point decided to move away from using /var as the
 major partition on appliances. It causes many problems, especially when you
 enable kernel crash dumps and they write to /var/crash and fill up the disk.


 Matthew Odendaal
 Technical Manager

 Information Security Architects
 matt...@isa.co.za






-- 
Sergio Alvarez
CISSP | CCSE+


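The advice in this thread (only /var/log is a separate partition on the appliances, so events_db and any temp directories should live under /var/log, and $CPDIR/tmp may hold leftover file* files) can be turned into a small triage script. The following is an added example, not code from the thread or from Check Point: it runs against a constructed fixture directory, the events_db location and the CPshared directory name are placeholders for whatever the real paths are on a given box, and it only lists $CPDIR/tmp candidates rather than deleting anything.

```shell
#!/bin/sh
# Added example (not from the list thread or from Check Point): disk-space
# triage for an appliance where /var sits on the root partition and only
# /var/log is separate, as explained in the thread above. Every path except
# $CPDIR/tmp and /var/log is an assumption; exercise it on the fixture first.

# Percentage used on the filesystem that holds $1 (what "df -h" showed at 100%).
usage_pct() {
    df -P "$1" | awk 'NR == 2 { sub("%", "", $5); print $5 }'
}

# True (exit 0) when the filesystem holding $1 is at or above $2 percent.
is_full() {
    [ "$(usage_pct "$1")" -ge "$2" ]
}

# Candidate leftovers under $CPDIR/tmp: regular files whose name starts with
# "file", as described in the thread. Prints base names only; nothing is
# deleted here, so the list can be reviewed before any rm.
list_cpdir_tmp_leftovers() {
    find "$1" -maxdepth 1 -type f -name 'file*' | sed 's#.*/##' | sort
}

# Move a directory that lives on the root partition (for example an events_db
# directory) under /var/log and leave a symlink behind, so the product still
# finds it at the old path. Idempotent: an existing symlink is left alone and
# an existing target is never overwritten.
relocate_to_varlog() {
    src=$1
    logroot=$2
    dest="$logroot/$(basename "$src")"
    if [ -L "$src" ]; then
        echo "already relocated: $src -> $(readlink "$src")" >&2
        return 0
    fi
    if [ ! -d "$src" ]; then
        echo "not a directory: $src" >&2
        return 1
    fi
    if [ -e "$dest" ]; then
        echo "refusing to overwrite existing $dest" >&2
        return 1
    fi
    mv "$src" "$dest" && ln -s "$dest" "$src"
}

# Constructed fixture standing in for an appliance filesystem, so the functions
# above can be run without touching a real gateway. The directory names are
# placeholders, not Check Point's real layout.
make_fixture() {
    fx=$(mktemp -d)
    mkdir -p "$fx/CPshared/tmp" "$fx/var/log" "$fx/SmartEvent/events_db"
    : > "$fx/CPshared/tmp/fileAbc123"
    : > "$fx/CPshared/tmp/fileXyz789"
    : > "$fx/CPshared/tmp/keep.conf"
    echo "events" > "$fx/SmartEvent/events_db/db.dat"
    echo "$fx"
}

# Walk-through on the fixture: report usage, list candidates, relocate.
demo() {
    fx=$(make_fixture)
    echo "root usage: $(usage_pct "$fx")%"
    if is_full "$fx" 90; then echo "root partition above 90%"; fi
    echo "candidate leftovers under CPDIR/tmp:"
    list_cpdir_tmp_leftovers "$fx/CPshared/tmp"
    relocate_to_varlog "$fx/SmartEvent/events_db" "$fx/var/log"
    ls -l "$fx/SmartEvent/events_db"
    rm -rf "$fx"
}

case "${1:-}" in --demo) demo ;; esac
```

Run it with `--demo` to see the walk-through on the fixture; on a real box you would point `list_cpdir_tmp_leftovers` at `$CPDIR/tmp` and `relocate_to_varlog` at the actual events_db directory, after stopping the product that owns it.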
[FW-1] Root partition full, unable to update IPS

2012-02-08 Thread Sergio Alvarez
Hello.

This customer of ours has a UTM-1 appliance running R75.10 and recently found
out IPS updates are failing; the error says "unable to put files on server".
Another error message says URLF updates are also failing, and for that it says
"insufficient disk space". The df -h command showed the root partition is
the one with 100% usage.
On the /var partition you can remove logs or backups, but what can be safely
removed from the root partition to make up some space and get the issue
resolved?

Regards

-- 
Sergio Alvarez
CISSP | CCSE+



Re: [FW-1] Android VPN Connection to R71.10 Gateway

2011-11-08 Thread Sergio Alvarez
Check Point had a Beta Mobile client for Android. I signed up for it
because a customer wanted to try it, but was never able to download it; for
some strange reason the User Center showed me as registered, but when I
tried to download the installer it would give me an error message about
not having enough permissions to download. I wrote a couple of times
reporting the problem but never received an answer about it.

Finally, several weeks later, I received a message from the Development
team letting me know they had canceled the Beta and the development
process, precisely because they had found security issues within Android
that they could not address, and so they would have to wait for a future
Android release with those issues resolved before they could continue
working on a Mobile client for that OS.

On the other hand, I have struggled for months trying to make iPhones
connect to a customer's gateway via L2TP (the Mobile Access client for iOS
has limitations and does not give full access to local services as a
regular VPN client does), but it has been a complete headache; I have had a
case open with the support team for quite a while with no answer. So,
even if you decide to ignore the warning about using L2TP on Android,
expect some difficulties on the way.

Regards

On Tue, Nov 8, 2011 at 11:01 AM, jlindb...@mico.com wrote:

 I'm looking at getting a Samsung Android device connecting through a VPN
 with an R71.10 Gateway to access Lotus Domino with the Lotus Notes Traveler
 web based email. It does appear the Mobile Access Blade supports
 Android and has a client available. Is anyone currently using the blade with
 Android?

 I also found a document on the Checkpoint KB talking about using the Android
 L2TP VPN client to connect using IPSec, but the last sentence of the
 document says "Important: We don't recommend using the L2TP option in
 Android due to security vulnerabilities issues." Anyone using this method
 for Android? Has this vulnerability been resolved?

 Any input would be appreciated.

 Thanks,
 John





-- 
Sergio Alvarez
CISSP | CCSE+



Re: [FW-1] Android VPN Connection to R71.10 Gateway

2011-11-08 Thread Sergio Alvarez
Hello Gary.

I was told by a Check Point SE that using L2TP would solve the limitations of
the Mobile client and give me full access to resources behind the
firewall, as with any regular VPN client or even SSL Network Extender; the
problem is, we have never made it work.

My customer first had a gateway cluster working in LS Unicast mode; in that
mode the tunnel just never got established, the L2TP client on the
iPhone would just give an error message with something like "gateway not
responding". Support said they found out it appeared the negotiation was
starting on one cluster member and then trying to finish with the other
member, which caused the problem. After several weeks they got a hotfix to
solve that issue, but by then the customer had changed the cluster
operation mode to High Availability because of some other problem they had,
and so not only did the hotfix make no sense, but the L2TP connectivity was
still not working and the symptoms were different.
Now the L2TP connectivity is established but there is no traffic getting
routed through the tunnel (which sounds like the same problem you have).
I've been working with Support on the new scenario for weeks again,
gathered new cpinfos and debugging, but still they have not come back even
with a possible solution.

Regards

On Tue, Nov 8, 2011 at 9:25 PM, Gary Scott accesslimi...@yahoo.com wrote:

 I have done limited testing of the Android client and was successful running
 against R75.20 with the Android HF. I too saw where the beta client was
 canceled but then ran into the Android app here,
 https://market.android.com/details?id=com.CheckPointVpn&feature=search_result
 ; here too you are limited to web app access only, as with the iOS app
 client.

 Sergio, what are your headaches with iOS and L2TP? One of mine is not
 being able to route all traffic and running into overlap problems with the
 client's local IP on iOS and Android L2TP. Thanks, GS



Re: [FW-1] Distributed vs Standalone Deployment

2011-10-20 Thread Sergio Alvarez
...as soon as you need cluster or one smartcenter to manage several
gateways,
the distributed config is mandatory...

Well, about clustering, this is not entirely true: Check Point appliances
allow you to have both Management and Gateway clustered with just two
appliances.

In any case, IMHO it is better to have a distributed environment even if you
are managing just one gateway; it gives you a lot of freedom for maintenance
tasks and a better tolerance to failures.

On Fri, Sep 30, 2011 at 7:29 AM, pkc mls pkc_...@yahoo.fr wrote:

 On 30/09/2011 14:48, a bv wrote:

  Hi,

 What are the features/gains/problems (communication? log loss?)
 between Distributed vs Standalone Deployment for SPLAT? Which
 deployment method do you prefer and why?

 if you can afford one smartcenter per gateway, keep standalone deployment;
 as soon as you need cluster or one smartcenter to manage several gateways,
 the distributed config is mandatory.

  Regards


-- 
Sergio Alvarez
CISSP | CCSE+



Re: [FW-1] Your opinions about R75/R75.20

2011-10-03 Thread Sergio Alvarez
In some of our customers' deployments with UTM-1 appliances, I noticed a
performance improvement going from R70 to R75 (and even R71). In deployments
with open servers instead of Check Point appliances, the difference was not
so noticeable.
What did improve, no matter the hardware platform, was the time it takes to
open the SmartDashboard and install the policy.

Regards

2011/10/3 Charles-Etienne Prévost cprev...@gosecure.ca

 Hi,

 Based on about 8-10 upgrades we have done so far I have not seen any
 significant performance improvement for similar feature sets.  I would
 definitely recommend going directly to R75.20 if possible.. we encountered a
 few issues with R75, which appear to be fixed ( mostly ) with R75.20.
  However, most of the environments were on open servers, so my opinion might
 be a little biased.

 Cheers,
 Charles

 Charles-Etienne Prévost
 Analyste en sécurité de l'information
 Information Security Analyst
 GoSecure Inc.

 Experts en sécurité de l'information
 The Trusted Experts in Information Security
 http://www.gosecure.ca

 -Original Message-
 From: Mailing list for discussion of Firewall-1 [mailto:
 FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM] On Behalf Of a bv
 Sent: Monday, October 03, 2011 7:11 AM
 To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
 Subject: Re: [FW-1] Your opinions about R75/R75.20

 Many thanks for the answer. What about the performance issue compared
 with R70 on the same hardware? They rewrote some code, I guess, to
 gain more performance while the blades are getting added and the
 firewall becomes more complex.

 2011/10/3 Reinhard Stich r.st...@internet-security.at:
  At 09:05 03.10.2011, you wrote:
 
  Hi,
 
  I would like to have your opinions about R75.20 or R75. Was it worth
  upgrading? Were there performance gains? Do you have problems with them?
 
  I use R75.20, it's stable and I like the new app-control features ...
  performance is the same as it was with R75.
 
  br
  reinhard
 
  --
  Reinhard Stich  r.st...@arrowecs.at
  Arrow ECS Internet Security AG, 1100 Wien, Wienerbergstrasse 11
  Tel: +43 1 3709440   RS784-RIPE  Fax: +43 1 3709440-333
 

-- 
Sergio Alvarez
CISSP | CCSE+



Re: [FW-1] Smart-1 appliance deployment

2011-08-26 Thread Sergio Alvarez
Hello.

It is not clear if you are planning to use the new Smart-1 appliance just as a
central log server for reporting and correlation, or if you also plan to use
it to manage the two gateways you already have working as stand-alone.

If you do, then you need to merge the configuration of both gateways on the
new appliance and that might require a lot of work, depending on how big
those configs are. AFAIK, there is no tool that would allow you to automate
such procedure.

Regards

On Fri, Aug 26, 2011 at 1:04 AM, a bv vbavbal...@gmail.com wrote:

 Hi,

 Having 2 standalone SPLAT R70x boxes (which are planned to be
 upgraded to R75x) and some other edges, some of which are
 connected to the SPLAT in the environment, I have a Smart-1 box now.
 What is the best installation and deployment way to use this Smart-1
 box as a stable/reliable (no log loss) log reporting,
 correlation and storage etc. (everything log related)?


 Regards


-- 
Sergio Alvarez
CISSP | CCSE+



[FW-1] Delay with traffic going through non-pivot member of an LS Unicast cluster.

2011-08-23 Thread Sergio Alvarez
Hello. I have in my hands a very weird issue that I have never seen before,
and was hoping some of you guys might have suggestions about it.

Scenario: Two-member Load Sharing Unicast cluster running R75.10 over open
servers running SPLAT.

The cluster has worked like this for months without any problems, but today I
received a report about problems with a new application that requires traffic
to go through the cluster. This new application is running on a
DMZ interface; the following info was provided about it:

Web Servers in DMZ: IBM HTTP Server version 7.0.0.11 (build cf111021.10)
over AIX 6.1-02
Portal Servers on the intranet: IBM WebSphere Application Server – ND
version 7.0.0.11 (build cf111021.10) over AIX 6.1-02

Traffic comes from web services located in other network segments, through
the firewall and to the DMZ in question. After the deployment of this
application, I noticed important delays with traffic through the cluster, but
those appeared sometimes and sometimes not. I decided to do some tests,
among those enabling fw monitor captures on both cluster members, and found
out that when traffic goes through the Pivot member of the Unicast cluster,
everything works perfectly, but when it is handled by the other cluster
member, the delays occur.

Here are multiple pieces of info that might be of help:

- Traffic goes over TCP ports 10039, 10040, 10050.
- Only affecting this new app.
- No drops are shown in the logs.
- Cluster advanced configuration is set to handle load sharing by IPs
only, and "use sticky decision function" is selected.
- If the cluster is changed to HA instead of LS Unicast operation mode,
everything works perfectly.
- Checked the cluster status with multiple commands, but one in particular
caused interest: cphaprob syncstat.

The SK34475 document says the following:

Lost sync connection (num of events)... SHOULD be 0 - positive value
indicates connectivity problems
Not held due to no members. SHOULD be 0 - positive value
indicates connectivity problem between the members

Running the command on both cluster members in fact showed positive values
for both variables (for example: 2144 on the primary member for lost sync). I
noticed that changing from LS unicast to HA increases these values, so I am
currently unsure whether the positive value is normal given the multiple
changes in the cluster operation mode.

Given the fact the issue is affecting only one application, it appears to me
it might not be related to a general cluster problem, but I thought it might
be useful info.

Any ideas on how to get this one resolved will be very appreciated.

Regards

-- 
Sergio Alvarez
CISSP | CCSE+


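The two syncstat counters quoted from SK34475 above ("SHOULD be 0") lend themselves to an automated check rather than eyeballing the output after each change. The script below is an added example, not code from the thread or from Check Point: it parses output of the shape `label.......  number` and flags the two watched counters, and the sample is constructed in that shape with the 2144 value mentioned in the thread, not a real capture from the gateway.

```shell
#!/bin/sh
# Added example (not from the thread, not Check Point code): check the two
# "cphaprob syncstat" counters that the thread cites from SK34475 as
# "SHOULD be 0". The parser expects lines of the form
#   <label>......  <number>
# and the sample below is constructed in that shape, not real gateway output.

# Constructed sample mirroring the values described in the thread (2144 lost
# sync events on the primary member); the other rows are placeholders.
SYNCSTAT_SAMPLE='Sync Statistics (IDs of F&A Peers - 1 ):

Other Member Updates:
Sent retransmission requests...................  0
Lost sync connection (num of events)...........  2144
Timed out sync connection .....................  0

Not held due to no members.....................  3
Max held duration (sync ticks).................  0'

# Reads syncstat output on stdin. Prints one "STATUS<TAB>label<TAB>value" line
# per watched counter and exits 1 if any watched counter is non-zero, so the
# function can drive a cron job or a monitoring check. A watched counter that
# is missing from the output is reported as MISSING (also a failure), because
# a parser that silently matches nothing is worse than a noisy one.
check_syncstat() {
    awk -v watch='Lost sync connection (num of events);Not held due to no members' '
        BEGIN { n = split(watch, w, ";"); bad = 0 }
        /\.\.+[[:space:]]*[0-9]+[[:space:]]*$/ {
            label = $0; sub(/[[:space:]]*\.\.+.*$/, "", label)
            value = $0; sub(/^.*\.\.+[[:space:]]*/, "", value); sub(/[[:space:]]+$/, "", value)
            for (i = 1; i <= n; i++) {
                if (label == w[i]) {
                    seen[i] = 1
                    if (value + 0 == 0) { printf "OK\t%s\t%s\n", label, value }
                    else { bad = 1; printf "WARN\t%s\t%s\n", label, value }
                }
            }
        }
        END {
            for (i = 1; i <= n; i++) {
                if (!(i in seen)) { bad = 1; printf "MISSING\t%s\t-\n", w[i] }
            }
            exit bad
        }'
}

# Stand-alone run on the constructed sample; on a gateway you would pipe the
# real command instead:  cphaprob syncstat | check_syncstat
printf '%s\n' "$SYNCSTAT_SAMPLE" | check_syncstat
```

Because the counters are cumulative since the last reset, the useful signal is whether they keep growing between two runs on a stable cluster, so record the output with a timestamp and compare, rather than reacting to a single non-zero reading after a mode change like the one described above.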

Re: [FW-1] Slow policy installation on R70

2011-08-03 Thread Sergio Alvarez
I saw this issue with all customers running R70. As Alexey points out,
upgrading to R71 improved the installation times, the difference might be
small, but I believe R75, improved it even a little more.

Regards


On Wed, Aug 3, 2011 at 5:37 AM, Alexey Baltacov drongt...@gmail.com wrote:

 Hi,
 You can see that after the restart the policy installation works
 better for several days.
 I don't know the real reason, but it seems like after several days of work
 the memory usage is much higher than after a restart.
 I think it should point to some memory leak(s) in this version.
 After upgrading to R71.10/R75.10 it is working much better.
 Alexey

 On Wed, Aug 3, 2011 at 2:27 PM, a bv vbavbal...@gmail.com wrote:
  Hi,
 
  On a standalone R70 SPLAT the policy installation process sometimes
  gets so slow that if you have something urgent to do you get angry.
  Are there any ideas what can cause this situation and how to find out
  and fix it?
 
 
  Regards
 

 --
 Sincerely,

 Alexey Baltacov
 drongt...@gmail.com | Tel: +972-504989954


-- 
Sergio Alvarez
CISSP | CCSE+



Re: [FW-1] VoIP over SNX connections failing after R70 to R75 migration

2011-07-22 Thread Sergio Alvarez
Thanks Hugo.

First of all, I have to let you know the issue got resolved, although
unfortunately I was not able to visit the customer today and it was achieved
by a CP engineer in a remote session with the customer this morning.
Therefore I'm still waiting to get details on how it was done.

Answering your questions, the site-to-site vpn domain is in fact the same
for the Remote Access users, although I know they created a group of
networks and objects to be used as VPN domain, don't really know if it
includes range objects.

So, what information do you have about this issue? Have you experienced it
before? Do you know why it happens?

Thanks again for your reply.

Regards


On Fri, Jul 22, 2011 at 5:49 AM, Hugo van der Kooij 
hvdko...@vanderkooij.org wrote:

 On Thu, 21 Jul 2011 11:54:25 -0600, Sergio Alvarez seral...@gmail.com
 wrote:

  I agree with you, it must have something to do with changes in R75.
 Regarding the client, they are already using the latest SNX version
 available.


 The issue also occurs on R71.30 with traditional SecureClient users. So the
 change was post R70. And it is particular to OfficeMode network from what I
 can gather.

 Is your site-to-site encryption domain identical to your Remote Access
 encryption domain?

 Are you using range objects somewhere in one of these definitions? (Either
 direct or somewhere as part of a group.)

 Hugo.

 --
 hvdko...@vanderkooij.org   http://hugo.vanderkooij.org/
 PGP/GPG? Use: 
 http://hugo.vanderkooij.org/**0x58F19981.aschttp://hugo.vanderkooij.org/0x58F19981.asc



-- 
Sergio Alvarez
CISSP | CCSE+



Re: [FW-1] VoIP over SNX connections failing after R70 to R75 migration

2011-07-21 Thread Sergio Alvarez
Hello Alexey.

Thanks for your reply. Actually it was all working perfectly before changing
version, and the idea of changing the advanced settings in H323 to none was
something we tried because it has helped in the past to solve VoIP issues,
although it did not this time.
About trying with Endpoint Connect, the deal here is the customer
specifically acquired SNX licenses because they have hundreds of users in
the field requiring remote access to services, and installing a VPN software
client on each laptop had become a nightmare. Suggesting going back to such a
scenario won't be acceptable for them.

Any further suggestions will be very appreciated.

Regards

On Wed, Jul 20, 2011 at 2:38 AM, Alexey Baltacov drongt...@gmail.comwrote:

 Hello Sergio,
 I have never seen such a problem but...
 As far as I know, in the latest CP versions the worst thing that can be done
 in order to stop voice traffic is changing the advanced proto settings to none.
 Usually what helps is configuring voice by the book; in my
 experience with SIP it works in 85% of cases.
 I mean configuring the voice domain etc...
 One more thing you can try for a test: install Endpoint Connect R75.10
 and test with it. Generally it uses the same port 443 in order to
 connect, just a different client and more options for configuration.
 Alexey

 On Wed, Jul 20, 2011 at 2:04 AM, Sergio Alvarez seral...@gmail.com
 wrote:
  Hello.
 
  This customer of ours has an active/standby SPLAT cluster with SNX enabled
  (bear in mind there is no Connectra involved here). Everything worked
  perfectly until a migration from R70.20 to R75 was done, and since then SNX
  users getting connected to the cluster can access all services they used to,
  with the exception of a VoIP service (H323); they can even ping the
  related server but the application just won't work. No config changes had
  been done since it was working ok.
 
  Logs show a few drops of H323 traffic from an Office Mode IP assigned to a
  test user; the drops show no related rule and the info says: dst scheme:
  NA; dst methods: SSL; route status: Failed to enforce VPN policy (8). I
  looked for that message and found something similar related to an
  encryption problem, not related to this scenario.
 
  Did a zdebug to find out what was dropped and found a few extra messages
  like the ones below:
 
  ;[cpu_11];[fw_0];fw_log_drop: Packet proto=6 X.X.X.X:34524 -
  Y.Y.Y.Y:1720 dropped by vpn_drop_and_log Reason: Failed to enforce
  VPN policy (8);
 
  ;[cpu_11];[fw_0];fw_log_drop: Packet proto=6 Y.Y.Y.Y:1720 -
  X.X.X.X:22944 dropped by vpnktcp_tunnel_out Reason: vpnk_tcpt have
  to be tunneled;
 
  Where X.X.X.X is the Office Mode IP assigned to the user and Y.Y.Y.Y is the
  IP of the VoIP server.
 
  We could not find anything about those either. A case is already open with
  CP support but no answers have been received, and the situation is becoming
  more critical as time goes by.
 
  It was already checked that the rule allowing the traffic is specific to H323
  in the service section, and we also tried changing the advanced properties
  of the H323 service object to none, but with no luck.
 
  Has anybody seen something like this before?
 
  Any help will be very appreciated.
 
  --
  Sergio Alvarez
  CISSP | CCSE+
 



 --
 Sincerely,

 Alexey Baltacov
 drongt...@gmail.com | Tel: +972-504989954





-- 
Sergio Alvarez
CISSP | CCSE+



Re: [FW-1] VoIP over SNX connections failing after R70 to R75 migration

2011-07-21 Thread Sergio Alvarez
Hello Alexey.

I agree with you, it must have something to do with changes in R75.
Regarding the client, they are already using the latest SNX version
available.

There is in fact a case open with CP Support since last week, but the
apparently high number of cases they are handling right now, plus the
complexity of the issue, have ended up in a very poor response from their
side and a very aggravated customer.

Today we finally got the engineer in charge to call back for a remote
session (calling them has turned into an hours-on-hold nightmare these
days), but apparently they have been working all morning with no success yet.

Once again, thanks for your comments.

Regards

On Thu, Jul 21, 2011 at 9:46 AM, Alexey Baltacov drongt...@gmail.comwrote:

 Hello Sergio,
 Actually, a lot of things were changed in the R75 and R75.10
 versions; that is why things that previously worked can stop working now.
 The idea of using Endpoint Connect is just to
 understand whether the problem is with the client only or with the whole FW+VPN
 daemon.
 If the problem is with the client only, debugging should be done on the client;
 possibly some new SNX release can solve it.
 I hope you have a ticket open with CP support and that there is progress on it.
 Alexey

 On Thu, Jul 21, 2011 at 5:12 PM, Sergio Alvarez seral...@gmail.com
 wrote:
  Hello Alexey.
 
  Thanks for your reply. Actually it was all working perfectly before
  changing version, and the idea of changing the advanced settings in H323
  to none was something we tried because it has helped in the past to solve
  VoIP issues, although it did not this time.
  About trying with Endpoint Connect, the deal here is the customer
  specifically acquired SNX licenses because they have hundreds of users in
  the field requiring remote access to services, and installing a VPN
  software client on each laptop had become a nightmare. Suggesting going
  back to such a scenario won't be acceptable for them.
 
  Any further suggestions will be very appreciated.
 
  Regards
 
  On Wed, Jul 20, 2011 at 2:38 AM, Alexey Baltacov drongt...@gmail.com
 wrote:
 
  Hello Sergio,
  I have never seen such a problem but...
  As far as I know, in the latest CP versions the worst thing that can be done
  (it stops voice traffic) is changing the advanced protocol settings to none.
  Usually what helps is configuring voice by the book; in my
  experience with SIP it works in 85% of cases.
  I mean configuring the voice domain, etc...
  One more thing you can try for a test: install Endpoint Connect R75.10
  and test with it. Generally it uses the same port 443 to
  connect, just a different client with more configuration options.
  Alexey
 
  On Wed, Jul 20, 2011 at 2:04 AM, Sergio Alvarez seral...@gmail.com
  wrote:
   Hello.
  
   This customer of ours has an active/standby SPLAT cluster with SNX enabled
   (bear in mind there is no Connectra involved here). Everything worked
   perfectly until a migration from R70.20 to R75 was done, and since then
   SNX users connected to the cluster can access all the services they used
   to, with the exception of a VoIP service (H323); they can even ping the
   related server, but the application just won't work. No config changes had
   been done since it was working ok.
  
   Logs show a few drops of H323 traffic from an Office Mode IP, assigned to
   a test user; the drops show no rule related and the info says: dst scheme:
   NA; dst methods: SSL; route status: Failed to enforce VPN policy (8). I
   looked for that message and found something similar related to an
   encryption problem, not related to this scenario.
  
   Did a zdebug to find out what was dropped and found a few extra messages
   like the ones below:
  
   ;[cpu_11];[fw_0];fw_log_drop: Packet proto=6 X.X.X.X:34524 ->
   Y.Y.Y.Y:1720 dropped by vpn_drop_and_log Reason: Failed to enforce
   VPN policy (8);
  
   ;[cpu_11];[fw_0];fw_log_drop: Packet proto=6 Y.Y.Y.Y:1720 ->
   X.X.X.X:22944 dropped by vpnktcp_tunnel_out Reason: vpnk_tcpt have
   to be tunneled;
  
   Where X.X.X.X is the Office Mode IP assigned to the user and Y.Y.Y.Y is
   the IP of the VoIP server.
  
   We could not find anything about those either. A case is already open
   with CP support but no answers have been received, and the situation is
   becoming more critical as time goes by.
  
   It was already checked that the rule allowing the traffic is specific on
   H323 in the service section, and also to change to none the advanced
   properties of the H323 service object, but with no luck.
  
   Has anybody seen something like this before?
  
   Any help will be very appreciated.
  
   --
   Sergio Alvarez
   CISSP | CCSE+
  

[FW-1] VoIP over SNX connections failing after R70 to R75 migration

2011-07-19 Thread Sergio Alvarez
Hello.

This customer of ours has an active/standby SPLAT cluster with SNX enabled
(bear in mind there is no Connectra involved here). Everything worked
perfectly until a migration from R70.20 to R75 was done, and since then SNX
users connected to the cluster can access all the services they used to,
with the exception of a VoIP service (H323); they can even ping the related
server, but the application just won't work. No config changes had been done
since it was working ok.

Logs show a few drops of H323 traffic from an Office Mode IP, assigned to a
test user; the drops show no rule related and the info says: dst scheme:
NA; dst methods: SSL; route status: Failed to enforce VPN policy (8). I
looked for that message and found something similar related to an
encryption problem, not related to this scenario.

Did a zdebug to find out what was dropped and found a few extra messages
like the ones below:

;[cpu_11];[fw_0];fw_log_drop: Packet proto=6 X.X.X.X:34524 ->
Y.Y.Y.Y:1720 dropped by vpn_drop_and_log Reason: Failed to enforce
VPN policy (8);

;[cpu_11];[fw_0];fw_log_drop: Packet proto=6 Y.Y.Y.Y:1720 ->
X.X.X.X:22944 dropped by vpnktcp_tunnel_out Reason: vpnk_tcpt have
to be tunneled;

Where X.X.X.X is the Office Mode IP assigned to the user and Y.Y.Y.Y is the
IP of the VoIP server.

We could not find anything about those either. A case is already open with
CP support but no answers have been received, and the situation is becoming
more critical as time goes by.

It was already checked that the rule allowing the traffic is specific on H323 in
the service section, and also to change to none the advanced properties
of the H323 service object, but with no luck.

Has anybody seen something like this before?

Any help will be very appreciated.

-- 
Sergio Alvarez
CISSP | CCSE+
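
The two zdebug drop lines in the post are the sort of output one usually ends up grepping through by hand. The script below is an added example, not part of the original thread and not a Check Point tool: it parses `fw_log_drop` records of the shape quoted above into fields, counts them by kernel module and reason, filters them to the Office Mode pool, and separates drops attributed to a vpn* module (which, like the two quoted, carry no rule number) from ordinary rulebase drops. The sample lines, the addresses and the 10.99.0.0/24 pool are constructed placeholders; the third sample line is a made-up rulebase drop added for contrast. The parser accepts both the `->` arrow zdebug prints and a bare `-` left behind when the arrow is flattened in a pasted copy.

```python
"""Parse and summarize `fw ctl zdebug drop` style fw_log_drop lines."""
import ipaddress
import re
from collections import Counter

# Constructed sample, modelled on the two drops quoted in the thread.  The
# addresses are placeholders (not the customer's); the third line is a
# made-up rulebase drop so the vpn*-vs-rulebase split has something to show.
SAMPLE_ZDEBUG = """\
;[cpu_11];[fw_0];fw_log_drop: Packet proto=6 10.99.0.5:34524 -> 192.0.2.10:1720 dropped by vpn_drop_and_log Reason: Failed to enforce VPN policy (8);
;[cpu_11];[fw_0];fw_log_drop: Packet proto=6 192.0.2.10:1720 -> 10.99.0.5:22944 dropped by vpnktcp_tunnel_out Reason: vpnk_tcpt have to be tunneled;
;[cpu_3];[fw_1];fw_log_drop: Packet proto=17 10.99.0.5:5060 -> 192.0.2.20:5060 dropped by fw_handle_first_packet Reason: Rulebase drop - rule 12;
"""

PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}

# One drop record per line.  " -+>? " accepts both the "->" arrow zdebug
# prints and a bare "-" left behind when the arrow is flattened in a copy.
DROP_RE = re.compile(
    r";\[cpu_(?P<cpu>\d+)\];\[fw_(?P<inst>\d+)\];fw_log_drop: "
    r"Packet proto=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) -+>? "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) dropped by (?P<module>\w+) "
    r"Reason: (?P<reason>[^;]+);"
)


def parse_line(line):
    """Return a dict of fields for one fw_log_drop line, or None if it is not one."""
    m = DROP_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("cpu", "inst", "proto", "sport", "dport"):
        rec[key] = int(rec[key])
    rec["proto_name"] = PROTO_NAMES.get(rec["proto"], str(rec["proto"]))
    rec["reason"] = rec["reason"].strip()
    return rec


def parse_drops(text):
    """Parse every drop line in a zdebug capture, skipping unrelated output."""
    return [rec for rec in map(parse_line, text.splitlines()) if rec]


def summarize(drops):
    """Count drops by (kernel module, reason) so the dominant cause stands out."""
    return Counter((d["module"], d["reason"]) for d in drops)


def drops_touching(drops, cidr):
    """Drops whose source or destination lies in a network, e.g. the Office Mode pool."""
    net = ipaddress.ip_network(cidr)
    return [d for d in drops
            if ipaddress.ip_address(d["src"]) in net
            or ipaddress.ip_address(d["dst"]) in net]


def vpn_kernel_drops(drops):
    """Drops attributed to a vpn* module rather than the rulebase (no rule number)."""
    return [d for d in drops if d["module"].startswith("vpn")]


if __name__ == "__main__":
    drops = parse_drops(SAMPLE_ZDEBUG)
    # Assumed Office Mode pool for the sample; substitute the real one.
    for d in drops_touching(drops, "10.99.0.0/24"):
        print(f'{d["proto_name"]} {d["src"]}:{d["sport"]} -> {d["dst"]}:{d["dport"]} '
              f'[{d["module"]}] {d["reason"]}')
    for (module, reason), n in summarize(drops).most_common():
        print(f"{n:4d}  {module:24s} {reason}")
```

Feed it the saved output of the zdebug run (`parse_drops(open(path).read())`) rather than the three constructed lines, and restrict `drops_touching` to the real Office Mode pool; a summary in which every record for the pool comes from `vpn_kernel_drops` and none from a rulebase module is what distinguishes the situation in the post from a plain rulebase misconfiguration.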



Re: [FW-1] Strange problem with a new R75.10 installation

2011-05-25 Thread Sergio Alvarez
I have seen this before.

If during the Secure Platform installation there is only one network
interface available, the installation wizard assumes it is a host because a
gateway needs a minimum of 2 available NICs.

I would suggest checking out if Secure Platform has in fact recognized all
NICs on the box.

Regards


On Wed, May 25, 2011 at 3:04 PM, Alexey Baltacov drongt...@gmail.comwrote:

 because you have defined just one interface during the first-time
 configuration wizard


 On Wed, May 25, 2011 at 11:51 PM, carlopmart carlopm...@gmail.com wrote:
  On 05/25/2011 10:49 PM, carlopmart wrote:
 
  On 05/25/2011 10:40 PM, Alexey Baltacov wrote:
 
  Is the Check Point object type called Check Point gateway or
  Check Point host in Dashboard?
 
 
  Oops... It is defined as a Check Point Host... Why? I don't understand
  ...
 
  How can I change it to Check Point gateway?
 
 
  Oops, sorry... I have found the option to change to Check Point gateway...
  But why has the installation defined this SecurePlatform as a Check Point host?
 
 
  --
  CL Martinez
  carlopmart {at} gmail {d0t} com
 
 



 --
 Sincerely,

 Alexey Baltacov
 drongt...@gmail.com | Tel: +972-504989954





-- 
Sergio Alvarez
CISSP | CCSE+



Re: [FW-1] Solaris Checkpoint manager version R65 HFA50 and R65 HFA 70 Nokia modules

2011-05-15 Thread Sergio Alvarez
I guess what you have is a question for the Check Point development team.

It has always been recommended to keep your SmartCenter on the same or a
higher version than the gateways it is managing. Which also means, if you
are going to upgrade (no matter if it's a hotfix or a higher major version),
start by working on your SmartCenter.

I think maybe it all has to do with the specific patches included in the
hotfix you are applying: if none of those has anything to do with the
SCS vs. gateway interaction, it might not matter to have the patch applied to
the gateways before the SMS, but it would require very deep knowledge of
such a patch to know that.

Regards


On Sun, May 15, 2011 at 2:41 PM, Peter Addy wavema...@yahoo.com wrote:

 Thanks. Is this not a minor revision upgrade? What will be the actual impact
 of doing this?





 
 From: pkc mls pkc_...@yahoo.fr
 To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
 Sent: Sun, 15 May, 2011 10:12:13
 Subject: Re: [FW-1] Solaris Checkpoint manager version R65 HFA50 and R65
 HFA 70
 Nokia modules

 On 15/05/2011 09:58, Peter Addy wrote:
  Hi,
  Just a quick question.
 
  A Check Point manager running R65 HFA50, and firewalls running R65 HFA70:
  is this supported?
 
  Just the HFA is higher on the modules compared to the manager, so
  not a major revision, just a hotfix? Or is it advisable to get the manager
  upgraded to HFA70 before pulling in the firewalls?
 
 it's definitely not recommended to run a lower HFA on the SmartCenter;
 you have to run at least the same release on the SmartCenter as the
 one that runs on the gateways.
  thoughts please, and any issues that we could encounter
 






-- 
Sergio Alvarez
CISSP | CCSE+





Re: [FW-1] Encrypt all communitcations between remote Security Gateway and local SmartCenter Server

2011-05-09 Thread Sergio Alvarez
As Carlo said, it should not be necessary to do further encryption; SCS and
the remote gateway will be communicating securely once SIC is established. But
if you want to make things more complicated, remember a Check Point firewall
is able to do VPN against any device working with standard IPsec, so I guess
you can configure your local firewall (not Check Point) to establish a VPN
against the remote gateway and make sure all traffic between that and the
local SCS is encrypted.

Regards

On Mon, May 9, 2011 at 3:53 AM, carlopmart carlopm...@gmail.com wrote:

 On 05/08/2011 01:05 AM, Independent IT Consultant wrote:

 I don't understand the need for the 3rd firewall. All communications
 between the gateway and management are already encrypted (that's the point
 of SIC: SECURE Internal Communications).


 I think I have not explained very well. This is my schema:

 SCS Server --- Firewall (not CP) - Internet - Remote
 SecurePlatform FW R70.4

 I would like to encrypt all communications between SCS and the remote Splat
 gw with a strong algorithm that CP uses, like an IPsec tunnel. If I am not
 wrong, CP uses SSL-based tunnels to communicate between gws and SCS servers. Is that
 correct?

 Can I use an IPsec tunnel (or another strong communication algorithm than
 SSL) to encrypt these communications?


 Thanks.


 --
 CL Martinez
 carlopmart {at} gmail {d0t} com





-- 
Sergio Alvarez
CISSP | CCSE+



Re: [FW-1] Dettach license - off-line server

2011-04-28 Thread Sergio Alvarez
First of all, you don't really need to remove the license from the old box
to use it on a new one, unless you will eventually put that old box back
in production and managed by the same SmartCenter.

Going to licensing stuff, basically you should not have 2 firewalls in
production using the same licence.

Finally, if you really want to remove that license from the old box, use the
cpconfig command and it will give you a menu in which there are options
for licensing and, if I'm not mistaken, there is an option to remove the
licenses.

Regards

On Thu, Apr 28, 2011 at 12:21 PM, Leandro Vilela dflean...@gmail.comwrote:

 How do I remove the license of a firewall that is no longer connected /
 synchronized to SmartCenter R70?
 We have a Nokia IP390 firewall cluster (R65) which was replaced by another
 solution, but the license was not detached from SmartCenter.
 Now I need to use this Nokia cluster (2 boxes) in another solution, but I
 need the licenses.
 The IPs of the old Nokia cluster are in use by the other firewall that replaced
 the old cluster, so I cannot reconnect it to the network to synchronize it
 with the SmartCenter and remove the license.
 I appreciate it if someone can help.


 Regards,
 Leandro Vilela






-- 
Sergio Alvarez
CISSP | CCSE+




Re: [FW-1] adding gui client doesnt work

2011-04-25 Thread Sergio Alvarez
Normally, when adding a new IP on the GUI Clients list, it is not necessary
to reboot or do cpstop/cpstart.

If you are seeing a drop log, it means either you have a standalone
firewall/management box or the client has to go through a firewall module in
order to reach the Management server. In both cases, no matter whether you added
the IP on the GUI Clients list, you should create a rule that allows that client
to reach your standalone or Management server.

In the standalone scenario, implied rules should allow the CPMI connection
because it is a Check Point Control connection, but I have seen cases in
which it doesn't work as expected.

Regards



On Thu, Apr 21, 2011 at 1:38 PM, Gary Scott accesslimi...@yahoo.com wrote:

 If it is standalone then install the policy after adding the gui client, if
 distributed then add a rule.




 
 From: Glover Jr., Douglas V (Duke) duke.glo...@verizon.com
 To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
 Sent: Thu, April 21, 2011 3:29:58 PM
 Subject: Re: [FW-1] adding gui client doesnt work

 Are you allowing Firewall-1 Control connections ?


 Duke Glover
 INS VzT Firewall
 813-978-2727

 -Original Message-
 From: Mailing list for discussion of Firewall-1
 [mailto:FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM] On Behalf Of Eugeniu
 Patrascu
 Sent: Thursday, April 21, 2011 3:11 PM
 To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
 Subject: Re: [FW-1] adding gui client doesnt work

 On Thu, Apr 21, 2011 at 14:46, a bv vbavbal...@gmail.com wrote:
  Hi
  I have added a new IP as a GUI client and done nothing else. When I
  look at the firewall logs, that new GUI IP's CPMI requests are dropped.
  What else do I have to do to make it work? Do I have to cpstop/cpstart?

 Sometimes yes.





-- 
Sergio Alvarez
CISSP | CCSE+




Re: [FW-1] RES: [FW-1] Cluster SPLAT - Hardware problems - Replace servers

2011-04-14 Thread Sergio Alvarez
As an extra suggestion, after resetting SIC and before installing policy, go to
the cluster topology and use the Get Topology buttons at the top to force
the Management (SmartCenter) to pull the interface names and configuration from
your new cluster members, make sure everything looks ok with the virtual
(cluster) IPs, and then install policy.

I'm not quite sure why, but even when the interfaces might be called the
same (example: eth0, eth1, etc.), I have seen issues in which traffic won't
flow after a change of hardware.

Finally, don't forget to add licenses to your new cluster members: use
SmartUpdate, right click on each cluster member, select Get Licenses for
it to realize there are no licenses on those boxes, and finally attach the
licenses accordingly.

Hope this is useful.

Regards

On Wed, Apr 13, 2011 at 2:20 PM, Gustavo Rocha de Andrade 
gusta...@trueaccess.com.br wrote:

 Hi list,

 If there is a level 3 hardware between the SmartCenter and the clusters,
 do not forget to clear the ARP table of the level 3 hardware, or you might not be
 able to install the policy.

 regards

 Gustavo Andrade
 Information Security Analyst (Pl)
 True Access Consulting S/A
 Phone: (61) 3217-1911
 
 From: Mailing list for discussion of Firewall-1 [
 FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM] on behalf of Leandro Vilela [
 dflean...@gmail.com]
 Sent: Wednesday, 13 April 2011 12:31
 To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
 Subject: [FW-1] Cluster SPLAT - Hardware problems - Replace servers

 Hi list,
 I have a SPLAT cluster with hardware problems.
 I purchased two new servers and need to replace the equipment. I made the
 settings of the new servers identical to the former ones, but not the policies
 yet. The idea is to simply unplug the old cluster, reconnect the new servers
 with the same IP and name as the previous ones, re-create the SIC with the
 SmartCenter and install policies.
 I wonder if I need to make any further configuration to replace the
 machines.
 Thanks in advance...

 Regards
 Leandro Vilela






-- 
Sergio Alvarez
CISSP | CCSE+



Re: [FW-1] Reinstalling an old R65

2011-03-18 Thread Sergio Alvarez
The installation wizard asks whether you are installing UTM or Power before reaching the
list of products you point out... if you look closely, the first option says
VPN-1 Power; if you had selected UTM in the previous section, here it would
say VPN-1 UTM.

The cpxp-ci-vpx- corresponds to a VPN-1 UTM firewall gateway.

In any case, given the fact you seem a little lost, I would suggest starting
over with the SPLAT installation: select UTM instead of Power, then select
the VPN-1 and SmartCenter options from the list and go from there.

BTW, when someone told you to go to (SmartDashboard > Gateway >
General Properties > CheckPoint Product List), he meant go to the gateway
object and, double clicking on it, you will see the general properties for
that gateway.

Now, since you started by installing only SmartCenter, most likely you will NOT
have a gateway object, which then requires some changes, so just better go
with the SPLAT reinstall and be sure to start on the right foot.


Regards


On Fri, Mar 18, 2011 at 7:25 AM, Jørn Dahl-Stamnes 
fw.ad...@dahl-stamnes.net wrote:

 On Friday 18 March 2011 14:12, Independent IT Consultant wrote:
  The install will likely ask if this is a UTM or POWER install.

 It's a SPLAT distribution.

  In your case, this is a UTM install. The license string you provided,
  cpxp-ci-vpx-250-ngx, is an Express gateway license (vpx) for 250 users
  with content inspection (ci). The cpmp-sct-3-ngx is the management
  license, supporting up to 3 sites.

 Hmm... Is the cpxp-ci-vpx-250-ngx license associated with any of the
 products in the list below?

 * VPN-1 Power
 * Advanced Routing Suite
 * SmartCenter
 * Eventia Suite
 * Integrity
 * SmartPortal

  All you need are the management and gateway components, not pro pack, not
  eventia, not integrity, not smartportal.
 
  Given that NGX is EOL in 2 weeks, you may want to encourage your customer
  to take this opportunity to upgrade to the R7x train.

 Upgrade is not an issue in this case. I just have to make this work.

 --
 Jørn Dahl-Stamnes





-- 
Sergio Alvarez
CISSP | CCSE+



Re: [FW-1] recommended operating system for smartcenter server

2011-03-07 Thread Sergio Alvarez
IMHO... SPLAT

On Mon, Mar 7, 2011 at 4:31 AM, carlopmart carlopm...@gmail.com wrote:

 On 03/07/2011 11:03 AM, Shiroma Dassanayake wrote:

 Dear Checkpoint admin

 I would like opinions/feedback on the best operating system to use for a
 smartcenter server. It will be used to manage version R65 and above
 gateways.


 RHEL5.

 --
 CL Martinez
 carlopmart {at} gmail {d0t} com





-- 
Sergio Alvarez
CISSP | CCSE+



Re: [FW-1] Urgent R70 not accessable both from ssh and Dashboard

2011-01-22 Thread Sergio Alvarez
Well, I believe it would be difficult to check if fwd is down, run a
cprestart or install the latest HFA if he is unable to access the box via
ssh or even console...   :)

On Sat, Jan 22, 2011 at 7:11 AM, Reinhard Stich 
r.st...@internet-security.at wrote:

 At 09:48 22.01.2011, you wrote:

 If the firewall was passing the traffic and the firewall was not logging,
 what would you think about the situation, the reason, the event?


 this sounds like the fwd is down ... you can check ps aux | grep fwd to
 see if it's running.

 cprestart should fix it - but this causes a short downtime.

 furthermore: installing the latest hfa makes sense ...


 br
 reinhard

 --
 Reinhard Stich  r.st...@arrowecs.at
 Arrow ECS Internet Security AG, 1100 Wien, Wienerbergstrasse 11
 Tel: +43 1 3709440   RS784-RIPE  Fax: +43 1 3709440-333





-- 
Sergio Alvarez
CISSP | CCSE+




Re: [FW-1] Urgent R70 not accessible both from ssh and Dashboard

2011-01-21 Thread Sergio Alvarez
Hello, I just wanted to ask... is everybody reporting similar issues running
R70, or did any of these situations happen on R71 or higher versions?

I have been told to go straight from R65 to R71, due to instability and
slowness issues on R70... but this would be another big reason not to even
try R70.

Regards


On Fri, Jan 21, 2011 at 4:54 PM, Inci Gedik ige...@gmail.com wrote:

 My case was also the same. The appliance was passing the traffic and sending
 logs, but it was not possible to reach the box via ssh or web gui.

 On Fri, Jan 21, 2011 at 10:32 PM, Dan Lynch dly...@placer.ca.gov wrote:

   Those who are having this problem: did you check if the firewall has
   connection logs for the time the problem lasted?
 
  In my case, the box still properly passed traffic and sent logs. It was
  simply inaccessible from console, SSH, and web gui.
 
  Dan Lynch, CISSP
  Information Technology Analyst
  County of Placer
  Auburn, CA




-- 
Sergio Alvarez
CISSP | CCSE+




Re: [FW-1] Question about a software blades license

2011-01-21 Thread Sergio Alvarez
Hello, the following 3 blades are Security Management (SmartCenter) related:

CPSB-NPM CPSB-EPM CPSB-LOGS

In regard to separating that onto a Management and a gateway, if I'm not
mistaken, you need two containers (a management and a gateway container) to
hold the corresponding blades.

This whole thing about Software Blades is a real pain and, even though I have
tried to fully understand it, I still could not tell if you already have
such containers. In your situation I would rather call Check Point and
get an Account Services guy checking your usercenter account and explaining
what you are entitled to. I have had doubts in the past and those guys are
pretty good and take their time to explain in detail.

Regards

On Fri, Jan 21, 2011 at 5:34 AM, carlopmart carlopm...@gmail.com wrote:

 On 01/21/2011 12:23 PM, pkc_mls wrote:

 On 1/21/2011 11:53 AM, carlopmart wrote:

 ok, thanks. At usercenter I can't see if this license can be attached to
 a smartcenter server.

 Under cp.macro, I see this:

 CPSG-C-1-50 Security Gateway Container for Security Gateways with 1 core
 and up to 50 users

 CPSB-FW Firewall blade

 CPSG-U fw1:6.0:unlimit (means unlimited security gateways??)

 CPSM-C-2 Security Management container to manage up to 2 gateways (maybe
 this is the feature for smartcenter server using software blades licenses??)

 CPEP-SA-5 Endpoint SecureAccess for 5 users

 CPMP-PPK-1-NGX Performance Pack; version: NGX

 CPSB-VPN IPSEC VPN blade

 CPSB-NPM Network Policy Management blade

 CPSB-EPM EndPoint Policy Management Blade

 CPSB-LOGS Logging & Status blade

 CPSB-IPS IPS blade

 CPSB-AV Anti-Virus & Anti-Malware blade

 CPSB-URLF URL Filtering blade

 CPSB-ASPM Anti-Spam & Email Security blade

 It seems that this may be correct, but if I install this license on the
 smartcenter server, how can I attach the license to both security
 gateways?? Or do I need to generate under usercenter.checkpoint.com one
 license for every security gateway??

 The license above contains only one firewall blade, so I don't think you can
 install two security gateways with this one only.
 Is it for a new installation or an NGX licence migration ?



 for a new R70.40 installation (or R75 if license is valid) ...

 But If it is only for one firewall blade, I can't install smartcenter
 server, correct??

 Thanks.


 --
 CL Martinez
 carlopmart {at} gmail {d0t} com






-- 
Sergio Alvarez
CISSP | CCSE+



Re: [FW-1] R75

2011-01-17 Thread Sergio Alvarez
What did Account Services say? I believe this is a job for them.

It is clearly not an issue related with lack of Software Blade licensing


On Mon, Jan 17, 2011 at 6:59 PM, Jubei Trippataka
vpn.1.fana...@gmail.com wrote:

 On Tue, Jan 11, 2011 at 10:18 PM, Eugeniu Patrascu eu...@imacandi.net
 wrote:

  On Tue, Jan 11, 2011 at 12:05, Giacomo Fazio giacomo.fa...@ifc.inaf.it
  wrote:
   Yes i did the upgrade to blade-license.
   But R75 is already a blade version?
  
 
   Considering the fact that Software Blades were launched when R70 was
   released and R75 is a newer version than R70, the answer to your
   question is yes.
 
 
 He should already be on blade licensing considering the version he's coming
 from...

 I'm trying to upgrade from R74 to R75.

 Curiouser and curiouser...

 --
 ciao

 JT






-- 
Sergio Alvarez
CISSP | CCSE+



Re: [FW-1] Strange behavior while installing database and policy-Emergency

2010-12-30 Thread Sergio Alvarez
Have you tried a simple reboot of your SmartCenter/Security Management?

I have seen many policy/db installation issues go away with a reboot.

Regards

2010/12/30 Folnagy, Tamas tamas.foln...@citi.com

 You probably have debugs on, or had debug on in the past and it didn't properly
 get turned off. Double-check that these are off. If it doesn't help then you
 have to recycle the CMA/SmartCenter (mdsstop_customer or cpstop depending on
 what you have)

 I usually run into this symptom when I leave debugs enabled. Also I noticed
 sometimes turning debug off again won't help; I usually recycle the
 application.

 -Original Message-
 From: Mailing list for discussion of Firewall-1 [mailto:
 fw-1-mailingl...@amadeus.us.checkpoint.com] On Behalf Of a bv
 Sent: Thursday, December 30, 2010 4:17 PM
 To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
 Subject: Re: [FW-1] Strange behavior while installing database and
 policy-Emergency

 Hi,

 I started another install database and it doesn't finish; it's still showing
 scrolling some output. Some other keywords I catch from the screen are

 querybuild add class
 StaticDefensePatterns
 CDdynamic
 etc
 I didn't want to abort the install database again, but it took many
 minutes. I'll try to abort and install the policy again. Regards

 2010/12/30, a bv vbavbal...@gmail.com:
  Hi,
  Many thanks
  1- I seem to have 10 d. revisions on Smartdashboard (I had previous
  ones but weeks ago I either moved their folders or even deleted some
  of them.)
  2- A single output I caught in the install database window is
  like

  [FWM 32145 19830744...@myfirewall[30 Dec 15:43:50] .--
  CDBReader::SetDBPath

  I will try to look at the .elg files in the
  folders you have given; hope that the logs are understandable.
  Regards
 
 
  2010/12/30, Hugo van der Kooij hvdko...@vanderkooij.org:
   On Thu, 30 Dec 2010 16:06:56 +0200, a bv vbavbal...@gmail.com wrote:
 
  I have edited a qos rule on R70 SPLAT smartdashboard and made
  install database

  and the window that opened about that first gave some output (like
  verbose output of what the operation is doing) and doesn't seem
  to be finished. And also the policy installation seems to be not ending.
  I didn't have this kind of problem before. But I see a policy
  install made in the audit logs
 
   Round up the usual suspects.
   Check the $FWDIR/log/*.elg files and the $CPDIR/log/*.elg files

   If you use revision control then make sure you have fewer than 25
  revisions.

   Given that there is little actual information in your problem
  description there is very little to go on.
 
   Hugo.
 
  --
   hvdko...@vanderkooij.org   http://hugo.vanderkooij.org/
   PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc
 




-- 
Sergio Alvarez
CISSP | CCSE+




Re: [FW-1] AW: [FW-1] general question about clustering

2010-11-06 Thread Sergio Alvarez
I also prefer HA (active/standby) over Load Sharing (active/active), first
because LS introduces many variables in the environment, complicating things
when having to troubleshoot.

Second, because when traffic through the cluster grows over time, people
with LS scenarios tend to forget both members are sharing the load, and at
some point there might be a failure in one of the boxes and the remaining
one is unable to handle all the load, which in the end defeats the whole
purpose of having redundancy, at the worst possible moment (been there with
a few customers).

Someone will come up with the point that good practices say regular drills
should be done to ensure redundancy works, but since in this case it must
be done with full production traffic to be a valid test of load handling,
most managers won't be willing to go for them ever.

Moving to Tom's comment my friend, the whole Software Blades idea is a
license strategy to get more money.

Regards



On Sat, Nov 6, 2010 at 3:43 PM, Tom Robers tom.rob...@heidelberg.de wrote:

 Hi,
 we use the HA clustering for a long time with no problems and the benefits.
 Now we have the blades(R71) with Antivirus and URL Filtering... no update of
 the second cluster member is possible. I get no answer for this task; maybe
 a checkpoint license strategy ??

 -Tom
 
 From: Mailing list for discussion of Firewall-1 [
 fw-1-mailingl...@amadeus.us.checkpoint.com] on behalf of
 Reinhard Stich [r.st...@internet-security.at]
 Sent: Saturday, 6 November 2010 12:52
 To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
 Subject: Re: [FW-1] general question about clustering

 hi,

 At 08:24 06.11.2010, you wrote:
 Hi ,
 
 I wanna ask for the benefits which we'll gain, and the problems we may
 have when making up a clustered firewall (especially Checkpoint fw-1
 of course)

 benefit:
  - no problem if one node fails (transparent failover)
  - updates / maintenance without outages
  - updates / maintenance during working hours (because there is no outage)

 problems:
  - with active-active clustering you have to care about the traffic
 that should go through both firewalls - so maybe you have to play
 with your switch-config
  - I prefer HA clustering (one node active, one standby)

 br
 reinhard

 --
 Reinhard Stich  r.st...@arrowecs.at
 Arrow ECS Internet Security AG, 1100 Wien, Wienerbergstrasse 11
 Tel: +43 1 3709440   RS784-RIPE  Fax: +43 1 3709440-333






-- 
Sergio Alvarez
CISSP | CCSE+



Re: [FW-1] SPLAT and multi-processor hardware

2010-10-28 Thread Sergio Alvarez
To add a little to what Eugeniu said... you will actually need the new Software
Blade type of licenses in order to take advantage of multicore hardware.
Actually, in Software Blade licensing, gateway licenses already come for
particular amounts of cores, so it will be just a matter of choosing the
corresponding one for your new hardware.

If you currently have NGX licenses, moving to R70 software won't make any
difference in regard to multicore leverage: although regular features will
work, the CoreXL feature won't, so it would be necessary to contact your
sales partner and ask for help with the license migration.

Regards

On Thu, Oct 28, 2010 at 9:43 AM, Eugeniu Patrascu eu...@imacandi.net wrote:

 On Thu, Oct 28, 2010 at 16:16, Ebersole, Jason
 jason.ebers...@sti-ultrasound.com wrote:
  Does SPLAT (R70 and above) take advantage of multi-processor hardware? If
 so, is this in basic configuration or only with addons such as IPS and URL
 Filtering? My box is long overdue for upgrade, and I'm trying to figure out
 if I should spring for multi-processor. I'm looking at the Dell R610. I'll
 probably be running with just basic configuration; so I'm primarily looking
 to maximize throughput.
 

 On R70 and above you get CoreXL that uses multicpu/multicore
 acceleration to improve firewall performance. But you'll have to
 license it on the number of cores you're willing to use.





-- 
Sergio Alvarez
CISSP | CCSE+




Re: [FW-1] Dell PowerEdge R310 HCL?

2010-10-20 Thread Sergio Alvarez
If it is not in the HCL, they will just say we don't support it.

They don't really care if the models in the list are no longer sold by the
hardware vendors, so calling to ask about support for models out of the list
is a waste of time... I've been there.




On Wed, Oct 20, 2010 at 12:57 AM, pkc_mls pkc_...@yahoo.fr wrote:

  On 10/19/2010 10:02 PM, M. N. wrote:

  Hi,
 I'd like to know if anyone is running a R70/R71 SCS/GW SPLAT on a Dell
 PowerEdge R310 open server?

 Only the R300 is on the HCL but it's pretty old and it can't be ordered
 anymore and it doesn't look like Check Point is in a hurry to update the
 list.

 Thanks!

  you should definitely ask checkpoint customer care before installing the
 product on this hardware.
 otherwise you won't be able to get any support.

  Minh






-- 
Sergio Alvarez
CISSP | CCSE+





Re: [FW-1] Staying with SecurePlatform?

2010-10-20 Thread Sergio Alvarez
I consider all previous comments valid, but it is important to note that Check
Point customers in general have complained about poor hardware and
performance on the UTM-1 appliances, which by the way are SPLAT based.

IP appliances, on the other hand, are a completely different story: they are
great, very robust, and the IPSO OS they are based on is also very good,
feature-rich and very easy to manage. I work for a reseller, so I don't
really manage firewalls on a day-to-day basis, but customers of ours who
have acquired IP appliances love them and would never change them for
something different.

Regards


On Wed, Oct 20, 2010 at 2:39 PM, Kropiewnicki, Alex 
alexkropiewni...@ozinga.com wrote:

 Main reason for me is that I don't like to replace my appliance every 3
 years.  The firewall is a very light user of resources (less heat) on the
 SPLAT which I believe leads to a much longer life on the hardware.  Having
 spare hardware on site makes all the difference in the world.

 -Original Message-
 From: Mailing list for discussion of Firewall-1 [mailto:
 fw-1-mailingl...@amadeus.us.checkpoint.com] On Behalf Of Ebersole, Jason
 Sent: Wednesday, October 20, 2010 2:34 PM
 To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
 Subject: [FW-1] Staying with SecurePlatform?

 I'm at a crossroads. My maintenance renewal is coming due and my Checkpoint
 representative was reviewing the account (we have one VPN-1 standalone
 Enterprise license protecting 250 IPs) and suggested I go with an appliance.
 I think the IP565. There would be a pretty significant discount to get the
 appliance, but the big thing that's got me thinking about this is that my
 yearly renewal fees would be reduced by over half.

 However, I like the convenience of running Checkpoint on my own hardware. I
 can reduce downtime by having a spare box preconfigured in case of hardware,
 configuration change or upgrade issues. I think this is pretty huge, but
 I've been doing this for so long, and never really had any major
 configuration or upgrade issues, that I wonder if my reasoning is flawed.

 For those running SecurePlatform, what are your reasons for not going with
 an appliance?

 Thanks, Jason









-- 
Sergio Alvarez
CISSP | CCSE+



Re: [FW-1] IP Change of both SmartCenter and Gateway

2010-10-18 Thread Sergio Alvarez
I have seen issues like this after changing IPs on gateways; usually it
gets resolved by going to the gateway object in the Dashboard > Topology >
Get Interfaces.

You might have already done it as part of the change, but if not, it might
help.

Regards

On Sun, Oct 17, 2010 at 7:03 AM, Gary Scott accesslimi...@yahoo.com wrote:

 You should verify with a tcpdump to make sure the traffic is not getting to
 your FW. You did a get topo after the IP change, defined new networks, set up
 NAT etc...? Does your manager use the FW as its default gateway? Can it access
 the internet? If no traffic is seen at the FW then there is not much you can
 do on the FW for traffic that doesn't reach it.


 -GS




 
 From: c...@ans.com.au c...@ans.com.au
 To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
 Sent: Sat, October 16, 2010 3:45:56 PM
 Subject: [FW-1] IP Change of both SmartCenter and Gateway

 Hi,

 I have a centrally licensed SmartCenter and one splat enforcement gateway
 module.

 To suit our internal policy, we have to change the internal ip address of
 the gateway, and obviously the ip address of the SmartCenter. I have
 obtained the license for the new ip address from CP. Following the change
 over procedure, I have managed to change the ip of both, installed the new
 license, reset the sic, and successfully installed the policy.

 However, now I cannot access the net from the internal network. The odd
 thing though is that our ftp server, which is on a dmz in splat, can be
 accessed from the net and internally. We are using ISA 2006 (proxy mode) as
 our proxy server (and no we are chaining splat with the isa).

 I've changed the routing, the vlan assignments, etc but still cannot surf
 the net. Our proxy server cannot surf either.

 Originally, before the ip change, the splat, smartcenter and proxy server
 are on the same vlan (192.168.x.y/24). But with the new ip, splat and smart
 center are on a different vlan (172.x.y.z/24). Both vlans are on the same
 cisco switch.

 In the new ip addresses, I look at the tracker log, I don't even see the
 http connection hitting the firewall.

 I suspect routing is the issue.

 Please advise any suggestions/ideas.

 ta
 czar














-- 
Sergio Alvarez
CISSP | CCSE+





Re: [FW-1] checkpoint

2010-08-31 Thread Sergio Alvarez
AFAIK it does not.

Basically newer versions sometimes recognize licenses of older versions (for
example, R70 works with R60 and R65 licenses; on the other hand, R71 only
works with Software Blades licenses), but older ones don't have the required
info to do the same in the opposite direction.

On Tue, Aug 31, 2010 at 9:40 PM, Sam Ghannadi ho...@yahoo.com wrote:

 Now does an R65 license work with R60?
 Thanks,
 Sam



 - Original Message 
 From: Reinhard Stich r.st...@internet-security.at
 To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
 Sent: Tue, August 31, 2010 10:21:00 AM
 Subject: Re: [FW-1] checkpoint

 hi,

 yes - R60 licenses also work with R65.

 the oldest version that is supported is R65.

 see: http://www.checkpoint.com/services/lifecycle/support_periods.html

 br
 reinhard

 At 16:06 31.08.2010, you wrote:
 Does anyone know if R60 license would work with R65?
 What is the oldest version supported by Checkpoint?
 Thanks,
 
 
 
 
 

 --
 Reinhard Stich  r.st...@arrowecs.at
 Arrow ECS Internet Security AG, 1100 Wien, Wienerbergstrasse 7
 Tel: +43 1 3709440  RS784-RIPE  Fax: +43 1 3709440-333











-- 
Sergio Alvarez
CISSP | CCSE+




Re: [FW-1] static arp entry at 2 different SPLAT boxes

2010-08-12 Thread Sergio Alvarez
OK, then the only way I can think of to minimize downtime due to a required MAC
address change in the ARP table of the Internet router is to keep a console
session open on that router before switching boxes and run a clear arp
command on it right after the change; that way you force the router to find
all required MAC addresses to fill the ARP table at that very moment and use
the new firewall MAC.
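The failover behaviour discussed in this thread (a replacement box announcing the firewall's IP with a different MAC, and the Internet router either learning it from the gratuitous ARP or keeping the stale entry), as an added example that is not part of the original post: a Python decoder for captured ARP frames that flags gratuitous ARPs and replays them against a toy model of the router's ARP table. The frames, MAC and IP addresses are constructed placeholders, and the cache model is an assumption for illustration, not any vendor's actual behaviour.

```python
"""Decode ARP frames and model how a router's ARP cache reacts when a
firewall with a new MAC announces the same IP via gratuitous ARP.

Added example; not code from the mailing-list thread. All addresses and
frames below are constructed placeholders.
"""
import struct
from dataclasses import dataclass

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class ArpFrame:
    src_mac: str
    dst_mac: str
    opcode: int
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str

    @property
    def gratuitous(self) -> bool:
        # A gratuitous ARP announces the sender's own address: sender IP == target IP.
        return self.sender_ip == self.target_ip


def _mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def _ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def _mac_bytes(s: str) -> bytes:
    return bytes(int(x, 16) for x in s.split(":"))


def _ip_bytes(s: str) -> bytes:
    return bytes(int(x) for x in s.split("."))


def parse_arp(frame: bytes) -> ArpFrame:
    """Parse an Ethernet II frame carrying an IPv4-over-Ethernet ARP packet."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet + ARP (need 42 bytes)")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        raise ValueError(f"not an ARP frame (ethertype 0x{ethertype:04x})")
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("only Ethernet/IPv4 ARP is supported")
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    return ArpFrame(_mac_str(src), _mac_str(dst), opcode,
                    _mac_str(sha), _ip_str(spa), _mac_str(tha), _ip_str(tpa))


def build_arp(src_mac, dst_mac, opcode, sender_mac, sender_ip,
              target_mac, target_ip) -> bytes:
    """Build a raw frame; used only to construct the sample capture below."""
    return (struct.pack("!6s6sH", _mac_bytes(dst_mac), _mac_bytes(src_mac), ETHERTYPE_ARP)
            + struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)
            + _mac_bytes(sender_mac) + _ip_bytes(sender_ip)
            + _mac_bytes(target_mac) + _ip_bytes(target_ip))


class RouterArpCache:
    """Toy model of the Internet router's ARP table (an assumption, not a
    real implementation). honor_garp=False models a router that ignores
    gratuitous ARPs: the stale MAC stays until the entry is re-resolved."""

    def __init__(self, honor_garp: bool = True):
        self.honor_garp = honor_garp
        self.table = {}    # ip -> mac
        self.changes = []  # (ip, old_mac or None, new_mac)

    def observe(self, arp: ArpFrame) -> None:
        if arp.gratuitous and not self.honor_garp:
            return  # announcement ignored, entry unchanged
        old = self.table.get(arp.sender_ip)
        if old != arp.sender_mac:
            self.changes.append((arp.sender_ip, old, arp.sender_mac))
            self.table[arp.sender_ip] = arp.sender_mac


def replay(frames, honor_garp: bool = True) -> RouterArpCache:
    """Feed raw frames through the cache model and return the resulting cache."""
    cache = RouterArpCache(honor_garp)
    for raw in frames:
        cache.observe(parse_arp(raw))
    return cache


# Constructed sample capture: the old box answers the router's ARP request for
# the firewall IP, then the replacement box announces the same IP with its own
# MAC using a gratuitous ARP request (sender IP == target IP, broadcast).
ROUTER_MAC, ROUTER_IP = "aa:bb:cc:dd:ee:01", "203.0.113.1"
FW_IP = "203.0.113.10"
OLD_MAC, NEW_MAC = "00:11:22:33:44:55", "00:11:22:33:44:66"
SAMPLE_FRAMES = [
    build_arp(OLD_MAC, ROUTER_MAC, ARP_REPLY, OLD_MAC, FW_IP, ROUTER_MAC, ROUTER_IP),
    build_arp(NEW_MAC, BROADCAST, ARP_REQUEST, NEW_MAC, FW_IP, "00:00:00:00:00:00", FW_IP),
]

if __name__ == "__main__":
    for honor in (True, False):
        cache = replay(SAMPLE_FRAMES, honor_garp=honor)
        print(f"honor_garp={honor}: {FW_IP} -> {cache.table[FW_IP]}  changes={cache.changes}")
```

Running it shows the MAC for the firewall IP moving to the new box only when the router honours the announcement; with it ignored, the entry keeps the old MAC, which is the stale-ARP outage the thread describes.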


On Thu, Aug 12, 2010 at 12:55 AM, a bv vbavbal...@gmail.com wrote:

 Hi,

 The boxes are independent, not clustered. While switching, only the
 network cables of the online one are then plugged into the other one for
 switching, and the internet gateway device is reported to be a Cisco
 3750-G.

 Regards

 2010/8/11, Oscar Esquivel oscar.esqui...@digicelgroup.com:
  Hello, I have clusters running with multiple ISPs and after a failover in
  our cluster we don't have any packet loss.
  Gratuitous ARP works fine!!

  It sounds to me that the issue is in your ISP router... here are some
  recommendations:


  1) You didn't mention it, but if your ISP is using a Cisco router, check if
  they have no ip gratuitous-arps; for security reasons, sometimes they
  disable gratuitous ARP.

  no ip gratuitous-arps
  To disable the transmission of gratuitous Address Resolution Protocol
  (ARP) messages for an address in a local pool, use the no ip
  gratuitous-arps
  http://www.cisco.com/en/US/docs/ios/12_3/ipaddr/command/reference/ip1_l1g.html


  2) If you have multiple ISPs (more than one router for the internet connection)
  you can ask them to use HSRP (Hot Standby Router Protocol); it uses
  gratuitous ARPs.
 
 
  I hope this can give you a clue...
 
 
 
 

Re: [FW-1] static arp entry at 2 diffent SPLAT boxes

2010-08-11 Thread Sergio Alvarez
Hello,

As far as I understand, what you have is an active/standby cluster; please let
us know if it is something else you are talking about.

The way such a scenario is supposed to work is: when a failover occurs, the
newly active cluster member should send a gratuitous ARP update to all
perimeter devices, letting them know they should change their ARP tables and
associate the corresponding IPs with the new MAC addresses.
I have multiple customers with similar scenarios and a failover never
disrupts communications; at least anything session-related remains up and
running while the first member goes down and the secondary takes charge of
the traffic. Only with a continuous ping going through the cluster will you
see 2 or 4 packets lost, but it does not generate any downtime at all.

That said, I believe there is something not working properly in your
environment. I have never faced anything like what you described, but I hope
this info helps you understand that what you see is not expected behavior and
change the way you are approaching the issue to find a solution... I'm
thinking maybe something on the Internet gateway is not able to handle
the ARP updates.

Regards

On Wed, Aug 11, 2010 at 1:32 AM, a bv vbavbal...@gmail.com wrote:

 Hi,

 Having 2 FW-1 SPLAT R70 boxes, sometimes switching from one to the other
 causes extra offline time because of ARP, since the internet
 gateway device (router, modem etc.) has the first FW's ARP entry, not
 the other one's, and also the newly online box doesn't know its
 gateway device's MAC address. So during the firewall switches, what
 ARP/MAC-related things can or must be done to minimize the wait time and
 problems?

 Regards





-- 
Sergio Alvarez
CISSP | CCSE+
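The two replies above describe the mechanism in words: after a failover the new member broadcasts a gratuitous ARP, the upstream router either updates its table or keeps the stale MAC until a timeout or a manual clear arp, and some operators turn gratuitous ARP off because the very same frame is the ARP-spoofing primitive. The Python below is an added example written for this archive, not code from the thread or from Check Point: it builds and parses the frame, then replays the failover against a toy ARP-table model with and without acceptance of unsolicited announcements. The addresses (203.0.113.x, 00:11:22:33:44:xx) are constructed, and the cache behaviour is an assumption for illustration; the quoted Cisco command governs what a router transmits, and how any given router treats received announcements has to be checked against its own documentation.

```python
import socket
import struct
from dataclasses import dataclass
from typing import Dict, Optional

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


@dataclass(frozen=True)
class Arp:
    dst_mac: str
    src_mac: str
    op: int
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str

    @property
    def is_gratuitous(self) -> bool:
        # An announcement rather than a lookup: sender IP == target IP, sent to the
        # broadcast MAC so every neighbour on the segment refreshes its cache entry.
        return self.sender_ip == self.target_ip and self.dst_mac == BROADCAST_MAC


def build_frame(dst_mac: str, src_mac: str, op: int, sender_mac: str,
                sender_ip: str, target_mac: str, target_ip: str) -> bytes:
    """Ethernet II header + the 28-byte RFC 826 ARP payload (IPv4 over Ethernet)."""
    eth = mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)  # htype, ptype, hlen, plen, oper
    arp += mac_bytes(sender_mac) + socket.inet_aton(sender_ip)
    arp += mac_bytes(target_mac) + socket.inet_aton(target_ip)
    return eth + arp


def gratuitous_arp(mac: str, ip: str) -> bytes:
    """What a newly active peer broadcasts for an IP it has just taken over."""
    return build_frame(BROADCAST_MAC, mac, ARP_REQUEST, mac, ip, ZERO_MAC, ip)


def parse_frame(frame: bytes) -> Optional[Arp]:
    """Decode an IPv4-over-Ethernet ARP frame; None for anything else."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    b = frame[22:42]
    return Arp(frame[0:6].hex(":"), frame[6:12].hex(":"), op,
               b[0:6].hex(":"), socket.inet_ntoa(b[6:10]),
               b[10:16].hex(":"), socket.inet_ntoa(b[16:20]))


class ArpCache:
    """Toy model of a neighbour's ARP table (an assumption; real routers differ).
    accept_unsolicited=False stands for an edge router that ignores announcements
    it never asked for: the frame that moves a cluster VIP is byte-for-byte the
    frame an ARP spoofer sends, which is why some operators drop it."""

    def __init__(self, accept_unsolicited: bool) -> None:
        self.accept_unsolicited = accept_unsolicited
        self.table: Dict[str, str] = {}

    def resolve(self, ip: str) -> Optional[str]:
        return self.table.get(ip)  # None: the router has to ARP for it again

    def clear(self) -> None:
        self.table.clear()  # the effect of 'clear arp' on the router console

    def observe(self, pkt: Arp) -> bool:
        """Apply one ARP packet; True if the table changed."""
        if pkt.is_gratuitous and not self.accept_unsolicited:
            return False
        changed = self.table.get(pkt.sender_ip) != pkt.sender_mac
        self.table[pkt.sender_ip] = pkt.sender_mac
        return changed

    def is_mac_change(self, pkt: Arp) -> bool:
        """A cached IP claiming a new MAC: a failover or a spoof; the frame alone cannot tell."""
        known = self.table.get(pkt.sender_ip)
        return known is not None and known != pkt.sender_mac


def failover_scenario(accept_unsolicited: bool) -> Dict[str, Optional[str]]:
    """Replay the thread's situation with constructed TEST-NET-3 addresses."""
    vip, rtr = "203.0.113.10", "00:11:22:33:44:ff"
    old_fw, new_fw = "00:11:22:33:44:01", "00:11:22:33:44:02"

    def reply(fw):  # unicast reply to the router's own ARP request for the VIP
        return parse_frame(build_frame(rtr, fw, ARP_REPLY, fw, vip, rtr, "203.0.113.1"))

    router = ArpCache(accept_unsolicited)
    router.observe(reply(old_fw))                              # steady state: VIP -> first box
    router.observe(parse_frame(gratuitous_arp(new_fw, vip)))  # failover announcement
    after_garp = router.resolve(vip)
    router.clear()                                             # the workaround discussed above
    after_clear = router.resolve(vip)
    router.observe(reply(new_fw))                              # router re-resolved the VIP
    return {"after_garp": after_garp, "after_clear": after_clear,
            "after_reresolve": router.resolve(vip)}
```

failover_scenario(True) resolves the VIP to the new MAC as soon as the announcement arrives; failover_scenario(False) still returns the old MAC afterwards, and only clear() followed by a fresh reply moves it, which is exactly the gap the clear arp workaround above is meant to close. is_mac_change() is the check a monitoring point would run on the same segment: it fires on a legitimate failover and on a spoof alike, so whether to honour gratuitous ARP from the firewall pair is a policy decision for the router's owner, not something the frame can prove.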



Re: [FW-1] 1] HFA Upgrade

2010-08-02 Thread Sergio Alvarez
-- 
Sergio Alvarez
CISSP | CCSE+



Re: [FW-1] UTM-1 R70 Software Blades

2010-03-08 Thread Sergio Alvarez
If you already have software-version Check Point licenses, I think it makes
no sense to change those for UTM-1 appliances. Plus, I agree with Rob on all
his points.

Check Point is trying to get more money out of their firewall sales; so far
they had missed out on the share related to the hardware that other firewall
vendors were getting, so their appliances (including licenses) have very
good prices when you are going to make a new purchase and compare
buying those versus getting software-version licenses plus open servers
to run the software. Seems to me like a simple marketing strategy.

Regards


On Mon, Mar 8, 2010 at 3:39 PM, John Lindblom jlindb...@mico.com wrote:

 I think you're making a good point here.  I can't find any detailed specs on
 the appliances but these do appear to be small boxes with no disk, cooling
 or power redundancy.

 I'm trying to determine what the benefit is in going the appliance route but
 there is not much information to be found.  I would think as far as support is
 concerned, a hardware failure with the appliance would be a next-day
 replacement requiring a rebuild.  A hardware failure with an HP server
 wouldn't be as drastic with hardware redundancy; a rebuild would probably
 never need to be done.

 One drawback to the HP server is not having the ability to run the HP
 management agents for hardware failure notification.  Right now the only
 way I know of at this point is to look at the server to see that hardware has
 failed, unless I'm missing something.

 John



 From:
 Rob Vuurman r...@vuurman.net
 To:
 FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
 Date:
 03/08/2010 11:38 AM
 Subject:
 Re: [FW-1] UTM-1 R70 Software Blades
 Sent by:
 Mailing list for discussion of Firewall-1
 FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM



 John,

 My honest opinion: why not an HP DL360 or HP DL380 for the upgrade? A
 UTM 572 isn't really the best hardware; check the specs. For the same
 money, or less, you can have redundant disks and a redundant power
 supply.
 It can handle much more traffic than a UTM. And correct me if I am
 wrong, you can upgrade your license and don't have to buy a new one, which
 you must for the UTM.

 just my simple thinking.

 regards and good luck.

 Rob

 -Original Message-
 From: Mailing list for discussion of Firewall-1
 [mailto:fw-1-mailingl...@amadeus.us.checkpoint.com] On behalf of John Lindblom
 Sent: Monday, 8 March 2010 15:57
 To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
 Subject: Re: [FW-1] UTM-1 R70 Software Blades

 Thanks for the reply Sergio.

 After giving it some thought I did come to the same conclusion that the
 web filtering shouldn't be done on the UTM-1 for the reasons you pointed
 out.  I was looking at the option to use the UTM-1 for web filtering
 because I needed to upgrade my Barracuda Web Firewall; I think I will
 continue down the path of upgrading it to continue handling the web
 filtering.  The cost is probably close to the same or probably less than
 using the UTM-1 for web filtering anyway.

 I will probably end up upgrading from my HP DL140 running SPLAT NGX R65
 gateway to the UTM-1 572 or 1073 appliance with R70 to just handle
 Firewall and VPN as it is now.






Re: [FW-1] UTM-1 R70 Software Blades

2010-03-07 Thread Sergio Alvarez
Hello,

First of all, I wouldn't replace a dedicated web filtering device with ANY
UTM URL filtering feature. It is almost impossible to achieve the same level
of granularity and robustness. Remember the main function of a UTM appliance
is being a firewall; anything else is just an extra feature.

If you need all the features but don't have enough money or space to get
them in separate devices, get a UTM; otherwise let each device do what it
was mainly designed for. If you are happy with your Barracuda, my very
personal opinion is: keep it.

Now, in regard to Fortinet, they do offer UTM appliances at a very good
price (quite a bit lower than Check Point); the bad thing is, they offer things
their appliances just can't do, so you might bump into very bad surprises if you
invest in one of those boxes. We all know all vendors provide numbers in
their datasheets that were taken from lab environments and very controlled
situations, so those numbers are not achievable in real production networks,
but Fortinet goes way beyond that and, with no shame at all, lies awfully in
their datasheets; you wouldn't believe the stories I've heard.

Bear in mind this is just my humble opinion. Hopefully my comments will
still be of use to you at this point.

Regards


On Fri, Feb 19, 2010 at 8:44 AM, John Lindblom jlindb...@mico.com wrote:

 I'm preparing for an upgrade from NGX R65 running SPLAT on an HP server to
 possibly one of the UTM-1 appliances, specifically the 1073/1076, for a 300
 user network.  I'm currently using a Barracuda Web Filter for URL and
 antivirus/anti-malware filtering that also needs to be upgraded soon, so
 I'm considering the UTM options for this.

 I'm trying to determine if the web filter could be replaced with the URL
 Software Blade and the Antivirus & Anti-Malware Software Blade.  Anyone
 have any experience yet with these blades?  We are happy with the
 Barracuda Web Filter but it is another piece of hardware; I'm being told
 this can now be replaced and handled on the UTM appliance.  It also
 appears Fortinet is giving Check Point a strong run for the money with the
 FortiGate UTM appliances; my vendor is recommending I take a serious look.

 Any feedback or real-world experience with these Check Point UTM Software
 Blades would be appreciated.

 John

 
 






-- 
Sergio Alvarez
+(506)88301342




Re: [FW-1] AW: [FW-1] Upgrade to R70 / Change to Distributed Deployment?

2010-02-24 Thread Sergio Alvarez
By as-is, he meant keep it a stand-alone deployment.

On Fri, Feb 12, 2010 at 6:26 AM, Verweyen, Dirk verwe...@kemper.de wrote:

 Ok... thank you for your reply.

 By keep it as-is you don't mean that I should not do
 the upgrade to R70?

 -Original Message-
 From: Mailing list for discussion of Firewall-1 [mailto:
 fw-1-mailingl...@amadeus.us.checkpoint.com] On behalf of Independent IT
 Consultant
 Sent: Friday, 12 February 2010 13:18
 To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
 Subject: Re: [FW-1] Upgrade to R70 / Change to Distributed Deployment?

 Unless you have a significant performance issue with your current
 configuration, I'd say NO.

 Part of the reason is that you'll need another container blade license if
 you split it up.  Keeping things as-is (and so long as your licenses have
 support), you can use the tool from UserCenter to upgrade your existing
 licenses to the new blade licenses (required for the latest features in
 R70).  There's no fee unless you upgrade the functionality from what you've
 got today.

 I've got a few customers who did this and had no issues.


 On Fri, Feb 12, 2010 at 4:36 AM, Verweyen, Dirk verwe...@kemper.de
 wrote:

  Hello,

  we have an R60 Standalone Deployment on a PC-based server
  with 2 connected Edges around the Internet.

  We now plan to upgrade the R60 to R70 and from Windows to Smart
  Platform...
  One question: would you change in this step the topology from
  Standalone to Distributed?
 
  Thanks for your advice.
 
  Dirk
 




-- 
Sergio Alvarez
+(506)88301342



Re: [FW-1] SVM

2010-02-23 Thread Sergio Alvarez
Hey Gary.

CP support found there was another case filed for this same issue, and the
guy who opened it found out the issue was related to permissions on the
machines where he had installed the Console. Using an Administrator user to
install the SmartConsole solved the issue for him.

I'm still waiting for my customer to tell me if that helps in his case, but
I thought it might be a good hint for you. Let us know if it helps.

Regards

On Fri, Feb 19, 2010 at 2:10 PM, Gary Scott accesslimi...@yahoo.com wrote:

 Thanks Sergio, I too see this in demo mode. If I stumble into a fix I'll be
 sure to post.




 
 From: Sergio Alvarez seral...@gmail.com
 To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
 Sent: Fri, February 19, 2010 2:50:06 PM
 Subject: Re: [FW-1] SVM

 Hello Gary,

 I currently have a case opened with Check Point for this exact same issue.

 In my case, the organization has around 4 or 5 firewall managers that have
 the R70.20 GUI installed on their laptops. They have a mix of Windows
 versions, but particularly the only one using Windows 7 is the one
 experiencing this problem; all others running Vista and XP work with no
 problem.

 So far my customer tried removing and reinstalling the publicly available
 GUI and also another one, provided by Check Point support, that is not
 publicly available and supposedly has several issues resolved, but with no
 success.

 To make sure it was an issue exclusively with the GUI, the customer tried
 opening the GUI in demo mode, and the issue also happens that way.

 I'm currently waiting for Support to give me some extra troubleshooting
 steps or a solution, but have received nothing so far. I will let you know
 if they do manage to solve it.

 Regards

 On Fri, Feb 19, 2010 at 12:25 PM, Gary Scott accesslimi...@yahoo.com
 wrote:

  I have some R70.20 GUI clients that are unable to display anything in the
  details window within SVM. I know this is specific to these GUI clients and
  not a problem with the SCS or other GUI clients. The clients with the
  problem are domain members and I suspect a domain policy or the like is
  causing this problem. Has anyone run into this or know what is being used to
  help display the details window within SVM? Thanks,
 
  -GS
 
 
 
 
 


 --
 Sergio Alvarez
 +(506)88301342









-- 
Sergio Alvarez
+(506)88301342




Re: [FW-1] SVM

2010-02-23 Thread Sergio Alvarez
Yet another possible solution for my case.

Thanks Gary.

On Tue, Feb 23, 2010 at 1:39 PM, Gary Scott accesslimi...@yahoo.com wrote:

 Thanks Sergio, for me it was uninstalling the AV software (Sophos), then
 reinstalling the dashboard that did the trick.

 -GS




 

Re: [FW-1] SVM

2010-02-23 Thread Sergio Alvarez
The issue got resolved not only by installing the SmartConsole as an
Administrator; it was also necessary to run the application as
Administrator.

My customer says he can live like that, so we closed the case with CP.

Thanks.

On Tue, Feb 23, 2010 at 2:51 PM, Sergio Alvarez seral...@gmail.com wrote:

 Yet another possible solution for my case.

 Thanks Gary.


 On Tue, Feb 23, 2010 at 1:39 PM, Gary Scott accesslimi...@yahoo.comwrote:

 Thanks Sergio, for me it was un-installing the AV software (sophos), then
 re-installing the dashboard that did the trick.

 -GS




 
 From: Sergio Alvarez seral...@gmail.com
 To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
 Sent: Tue, February 23, 2010 9:32:31 AM
 Subject: Re: [FW-1] SVM

 Hey Gary.

 CP support found there was another case filed for this same issue and the
 guy who opened found out the issue was related with permissions in the
 machines were he had install the Console. Using and Administrator user to
 install the SmartConsole solved the issue for him.

 I'm still waiting for my customer to tell me if that helps in his case,
 but
 I thought it might be a good hint for you. Let us know if it helps.

 Regards

 On Fri, Feb 19, 2010 at 2:10 PM, Gary Scott accesslimi...@yahoo.com
 wrote:

  Thanks Sergio, I too see this in demo mode. If I stumble into a fix I'll
 be
  sure to post.
 
 
 
 
  
  From: Sergio Alvarez seral...@gmail.com
  To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
  Sent: Fri, February 19, 2010 2:50:06 PM
  Subject: Re: [FW-1] SVM
 
  Hello Gary,
 
  I currently have a case opened with Check Point for this exact same
 issue.
 
  In my case, the organization has around 4 or 5 firewall managers that
 have
  the R70.20 GUI installed in their laptops, they have a mix of Windows
  versions but particularly the only opne using Windows 7 is the one
  experiencing this problem, all other running Vista and XP work with no
  problem.
 
  So far my customer tried removing and reinstalling the publicly
 available
  GUI and also another one, provided by Check Point support, that is not
  publicly available and supposedly has several issues resolved, but with
 no
  success.
 
  To make sure it was an issue exclusively with the GUI, the customer
 tried
  opening the GUI in demo mode and the issue also happens that way.
 
  I'm currently waiting for Support to give me some extra troubelshooting
  steps or a solution, but have received nothing so far. I will let you
 know
  if they do manage to solve it.
 
  Regards
 
  On Fri, Feb 19, 2010 at 12:25 PM, Gary Scott accesslimi...@yahoo.com
  wrote:
 
   I have some R70.20 gui clients that are unable to display anything in
 the
   details window within SVM. I know this is specific to these gui
 clients
  and
   not a problem with the SCS or other gui clients. The clients with the
   problem are domain members and I suspect a domain policy or the like
  causing
   this problem. Has anyone ran into this or knows what is being used to
  help
   display the details window within SVM? Thanks,
  
   -GS
  
  
  
   =
   To set vacation, Out-Of-Office, or away messages,
   send an email to lists...@amadeus.us.checkpoint.com
   in the BODY of the email add:
   set fw-1-mailinglist nomail
   =
   To unsubscribe from this mailing list,
   please see the instructions at
   http://www.checkpoint.com/services/mailing.html
   =
   If you have any questions on how to change your
   subscription options, email
   fw-1-ow...@ts.checkpoint.com
   =
  
  
 
 
  --
  Sergio Alvarez
  +(506)88301342
 
 
 
 
 

Re: [FW-1] Deploying IPSEC between DMZ network and a (some) LAN hosts

2009-12-02 Thread Sergio Alvarez
Bear in mind that to establish a VPN tunnel, you must have capable devices on
both ends of the tunnel. If you need to encrypt traffic between two hosts
located in segments to which your firewall has interfaces, there is nothing
you can do with your firewall because it is just a hop in the way traversed
by that VPN.

Your firewall can be an end point of a VPN but cannot do anything, in
regard to encryption, for traffic just passing through.

Regards

On Wed, Dec 2, 2009 at 2:37 AM, a bv vbavbal...@gmail.com wrote:

 What is wanted is to encrypt the traffic between the DMZ segment and a
 machine at the LAN. The traffic will be about database processes, I guess.
 I control the fw but don't know much about what the people are trying to
 do.

 Regards

 2009/12/1 pkc_mls pkc_...@yahoo.fr:
  a bv wrote:
  Hi,
 
  What do I need to know about deploying IPSEC between the DMZ network and a
  host (or a little more) which resides on the LAN? Will putting the security
  rule with some related ports be enough to work it out, or do I need to
  know and monitor more?
  Hi,
 
  why would you tunnel communication between two LANs connected to the
  same device? (did I misunderstand something?).
 
  which kind of traffic would you like to encrypt/secure?
 
  did you check if an SSL tunnel could suit your needs?
 
  Regards
 
 
  Scanned by Check Point Total Security Gateway.
 
 





-- 
Sergio Alvarez
+(506)88301342





Re: [FW-1] vpn edge (managed by R65) lost password

2009-11-09 Thread Sergio Alvarez
Hello,

Some time ago somebody passed me this procedure precisely to resolve the
situation you have right now. I have never used it because I have not faced
that issue yet, but hopefully it will work fine and help you get out of your
problem:

Solution
The UTM-1 Edge GUI password can be reset only if the device is managed by
SmartCenter server.
Procedure:
Make sure you have administrator permissions to connect to the SmartCenter
server.
Open the browser and connect to URL
http://<SmartCenter server IP address>:9283
Enter the SofaWare management server console and go to the View all
gateways tab.
Select the correct UTM-1 Edge device and click Reset local password.
Next time you connect to the UTM-1 Edge device, it will ask for the new
password.
Regards



On Mon, Nov 9, 2009 at 2:21 AM, a bv vbavbal...@gmail.com wrote:

 Hi,

 I have a vpn edge which is connected (managed) to an R65 smartcenter,
 I have lost the vpn edge's web interface username and password. So how can
 I recover it while not doing harm to its production and
 configuration?


 Regards





-- 
Sergio Alvarez
+(506)88301342



Re: [FW-1] vpn edge (managed by R65) lost password

2009-11-09 Thread Sergio Alvarez
I don't understand your question.

In case it is of any help to clarify, according to those instructions,
you are supposed to open a browser and point to your SmartCenter IP on port
9283.

Regards

On Mon, Nov 9, 2009 at 9:37 AM, a bv vbavbal...@gmail.com wrote:

 Thanks, can I get the URL again as open?

 2009/11/9 Sergio Alvarez seral...@gmail.com:
  Hello,
 
  Some time ago somebody passed me this procedure precisely to resolve the
  situation you have right now. I have never used it because I have not faced
  that issue yet, but hopefully it will work fine and help you get out of
  your
  problem:
 
  Solution
  The UTM-1 Edge GUI password can be reset only if the device is managed by
  SmartCenter server.
  Procedure:
  Make sure you have administrator permissions to connect to the
 SmartCenter
  server.
  Open the browser and connect to URL
  http://<SmartCenter server IP address>:9283
  Enter the SofaWare management server console and go to the View all
  gateways tab.
  Select the correct UTM-1 Edge device and click Reset local password.
  Next time you connect to the UTM-1 Edge device, it will ask for the new
  password.
  Regards
 
 
 
  On Mon, Nov 9, 2009 at 2:21 AM, a bv vbavbal...@gmail.com wrote:
 
  Hi,
 
  I have a vpn edge which is connected (managed) to an R65 smartcenter,
  I have lost the vpn edge's web interface username and password. So how can
  I recover it while not doing harm to its production and
  configuration?
 
 
  Regards
 
 
 
 
 
  --
  Sergio Alvarez
  +(506)88301342
 
 





-- 
Sergio Alvarez
+(506)88301342




Re: [FW-1] Future relese of NGX R70.x for Rhel5 security gateway

2009-10-20 Thread Sergio Alvarez
Just a suggestion...

I have had lots of customers who got new servers and later decided to use
some of them to renew their Check Point architecture, in most cases they
could not find the exact models in the SPLAT Hardware Compatibility List,
but it does not mean they wouldn't work with it.

You can do a quick test with the Compatibility Tool available here:

http://www.checkpoint.com/services/techsupport/hcl/testing_tool.html

And it's possible you won't have any issues moving to SPLAT.

Regards

On Tue, Oct 20, 2009 at 1:36 AM, carlopmart carlopm...@gmail.com wrote:

 Hugo van der Kooij wrote:

 On 10/19/09 16:21, carlopmart wrote:

 Hi all,

 Does anybody know if Check Point will release security gateway packages for
 the RHEL 5.x distro instead of using only SecurePlatform?


 Well. It is not official but I guess that SPLAT will be the only option left.
 Gateways on Solaris are out as well.

 Hugo.



 Thanks Hugo. Then I have a problem because my hardware isn't supported by
 secureplatform.

 Is Windows 2008 SP2 (32 bits) a supported platform? Or only Windows 2008
 SP1? Any suggestion about installing a hardened security gateway with
 Windows 2008, like the NSA guides?

 Thanks.


 --
 CL Martinez
 carlopmart {at} gmail {d0t} com





-- 
Sergio Alvarez
+(506)88301342



Re: [FW-1] Traffic dropped unexpectedly by cluster

2009-10-17 Thread Sergio Alvarez
Thanks a lot for your reply Gary,

Answering your questions:

- There are lots of other devices in the MPLS network, but nothing besides
this Edge box in that particular subnet.
- The network behind the Edge is not being hide NATed by the Edge, although
that subnet is a range right next to the subnet from which the Edge's
external IP was allocated.

I already checked the routes in the firewall modules; those have a route for
the entire network where both the external and internal ranges of the Edge
reside, pointing to the next hop in the MPLS cloud. I also checked the
topology groups (I always do when antispoofing comes up in the logs), but
could not find anything wrong, although I have to tell you those groups are
pretty big and full of hosts, networks and other groups, so I might have
missed something.

Anyway I would really appreciate any further ideas in case double checking
the topology config does not help.

Regards

On Fri, Oct 16, 2009 at 9:50 PM, Gary Scott accesslimi...@yahoo.com wrote:

 I have seen the connection contains real IP of natted address and the
 accepts immediately followed by an anti-spoofing drop from routing and
 topology misconfiguration, same networks/hosts in topology groups for
 different interfaces. Do you have other devices on the Edge's external
 network that have no problems accessing? Is the network behind the Edge
 being hide natted by the Edge?

 -GS




 
 From: Sergio Alvarez seral...@gmail.com
 To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
 Sent: Fri, October 16, 2009 10:33:41 PM
 Subject: [FW-1] Traffic dropped unexpectedly by cluster

 Hello,

 I have this customer that currently has a couple of Nokia boxes working as
 VRRP pair and facing the Internet, behind it there is an MPLS network and
 somewhere in that cloud is a VPN-1 Edge box. Traffic coming from the
 network
 behind that Edge is able to get to the Internet with no problem, but the
 customer purchased the filtering services for the Edge and so needs to
 register it with the SofaWare Service Center, but the Nokia cluster is not
 allowing it to establish the connection.
 When we attempt to contact the Service Center, SmartView Tracker first
 shows
 an accept log, where the source, destination, service (UDP/9282) and
 xlate
 src, look ok, then right after that, a drop log, this time the xlate src
 is blank, and the Information says: message_info Connection contains
 real
 IP of NATed address. Both logs show the inbound interface as the one where
 the action was taken, so it is not even getting past that first interface
 kernel.
 I did some research in the Check Point SK, but the documents I found make
 reference to issues in older versions that were solved by HFAs, and the
 most
 recent article makes reference to R61 and doesn't seem to be related to
 our scenario. Currently we have R65 running over IPSO 4.2 on those Nokias.
 But the weird stuff doesn't end there, I did some ping tests from the Edge
 itself just to be sure if it had something to do with the particular
 UDP/9282 traffic and what I see is that SV Tracker shows first an accept
 log and right after that a drop log, but on the second, xlate src is
 blank, and the correct destination IP was changed by the source IP (the one
 of the Edge box) and since source and destination are the same, now the
 Information says it was dropped by Anti spoofing. Again both logs show the
 inbound interface as the one where the action was taken and I have no idea
 why the firewall is replacing the destination IP with the source IP.

 Has anybody seen anything like this before? I'm completely lost here.

 Regards

 --
 Sergio Alvarez
 +(506)88301342








[FW-1] Traffic dropped unexpectedly by cluster

2009-10-16 Thread Sergio Alvarez
Hello,

I have this customer that currently has a couple of Nokia boxes working as
VRRP pair and facing the Internet, behind it there is an MPLS network and
somewhere in that cloud is a VPN-1 Edge box. Traffic coming from the network
behind that Edge is able to get to the Internet with no problem, but the
customer purchased the filtering services for the Edge and so needs to
register it with the SofaWare Service Center, but the Nokia cluster is not
allowing it to establish the connection.
When we attempt to contact the Service Center, SmartView Tracker first shows
an accept log, where the source, destination, service (UDP/9282) and xlate
src, look ok, then right after that, a drop log, this time the xlate src
is blank, and the Information says: message_info Connection contains real
IP of NATed address. Both logs show the inbound interface as the one where
the action was taken, so it is not even getting past that first interface
kernel.
I did some research in the Check Point SK, but the documents I found make
reference to issues in older versions that were solved by HFAs, and the most
recent article makes reference to R61 and doesn't seem to be related to
our scenario. Currently we have R65 running over IPSO 4.2 on those Nokias.
But the weird stuff doesn't end there, I did some ping tests from the Edge
itself just to be sure if it had something to do with the particular
UDP/9282 traffic and what I see is that SV Tracker shows first an accept
log and right after that a drop log, but on the second, xlate src is
blank, and the correct destination IP was changed by the source IP (the one
of the Edge box) and since source and destination are the same, now the
Information says it was dropped by Anti spoofing. Again both logs show the
inbound interface as the one where the action was taken and I have no idea
why the firewall is replacing the destination IP with the source IP.

Has anybody seen anything like this before? I'm completely lost here.

Regards

-- 
Sergio Alvarez
+(506)88301342
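Sergio mentions in his reply above that the topology groups on those modules are big and nested, so an overlap between interfaces is easy to miss, and Gary's suggestion was exactly that: the same networks/hosts in topology groups for different interfaces. As an added example, not code from the list or from Check Point, the Python below flattens a constructed, nested object database, reports every network claimed by two internal interfaces, and emulates the anti-spoofing verdict for a given source and inbound interface; all object names, interface names and addresses are made up.

```python
"""Topology / anti-spoofing sanity check for a Check Point style object database.

Anti-spoofing accepts a packet on an interface only when its source address is
covered by that interface's topology; the external interface is defined as
"everything not claimed by an internal interface". A network listed under two
interfaces, or missing from the interface it really arrives on, is what turns
an accepted connection into the "Anti spoofing" drops discussed above.
"""
import ipaddress
from typing import Dict, List, Set, Tuple

Network = ipaddress.IPv4Network

# Constructed object database modelled on Check Point topology groups: groups
# can nest other groups, hosts are single addresses, networks are CIDRs.
# Every name and address here is made up for the example.
OBJECTS: Dict[str, dict] = {
    "Net_LAN":      {"type": "network", "cidr": "192.168.10.0/24"},
    "Host_DB1":     {"type": "host",    "ip":   "192.168.10.20"},
    "Net_DMZ":      {"type": "network", "cidr": "172.16.0.0/24"},
    "Net_Edge_Ext": {"type": "network", "cidr": "10.50.0.0/24"},  # Edge external range
    "Net_Edge_Int": {"type": "network", "cidr": "10.50.1.0/24"},  # network behind the Edge
    "Grp_MPLS":     {"type": "group",   "members": ["Net_Edge_Ext", "Net_Edge_Int"]},
    "Grp_Internal": {"type": "group",   "members": ["Net_LAN", "Host_DB1", "Grp_MPLS"]},
    # Deliberate misconfiguration: the Edge's internal range is also in the DMZ group.
    "Grp_DMZ":      {"type": "group",   "members": ["Net_DMZ", "Net_Edge_Int"]},
}

# Internal interface -> its topology group (IPSO-style names, constructed).
TOPOLOGY: Dict[str, str] = {"eth1c0": "Grp_Internal", "eth2c0": "Grp_DMZ"}
EXTERNAL_IF = "eth0c0"


def flatten(name: str, objects: Dict[str, dict] = OBJECTS,
            _path: frozenset = frozenset()) -> Set[Network]:
    """Resolve an object name to the networks it covers, following nested groups.

    `_path` holds the groups on the current recursion path, so a group that
    directly or indirectly contains itself is reported instead of looping.
    """
    obj = objects[name]
    kind = obj["type"]
    if kind == "network":
        return {ipaddress.ip_network(obj["cidr"], strict=True)}
    if kind == "host":
        return {ipaddress.ip_network(obj["ip"])}  # a bare address becomes a /32
    if kind == "group":
        if name in _path:
            raise ValueError(f"group {name} contains itself")
        nets: Set[Network] = set()
        for member in obj["members"]:
            nets |= flatten(member, objects, _path | {name})
        return nets
    raise ValueError(f"unknown object type {kind!r} for {name}")


def interface_networks(topology: Dict[str, str] = TOPOLOGY,
                       objects: Dict[str, dict] = OBJECTS) -> Dict[str, Set[Network]]:
    """Flattened topology of every internal interface."""
    return {ifname: flatten(group, objects) for ifname, group in topology.items()}


def find_overlaps(topology: Dict[str, str] = TOPOLOGY,
                  objects: Dict[str, dict] = OBJECTS) -> List[Tuple[str, str, str, str]]:
    """Every (iface_a, net_a, iface_b, net_b) where two different interfaces
    claim overlapping address space; identical and nested networks both count."""
    per_if = interface_networks(topology, objects)
    names = sorted(per_if)
    hits = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            for na in sorted(per_if[a]):
                for nb in sorted(per_if[b]):
                    if na.overlaps(nb):
                        hits.append((a, str(na), b, str(nb)))
    return hits


def classify(src: str, inbound_if: str, topology: Dict[str, str] = TOPOLOGY,
             external_if: str = EXTERNAL_IF,
             objects: Dict[str, dict] = OBJECTS) -> str:
    """Emulate the anti-spoofing verdict for a packet from `src` arriving on
    `inbound_if`: "accept" if the source fits that interface's topology,
    "spoof" otherwise. On the external interface any source that belongs to
    an internal interface's topology is treated as spoofed."""
    ip = ipaddress.ip_address(src)
    per_if = interface_networks(topology, objects)
    if inbound_if == external_if:
        claimed = any(ip in n for nets in per_if.values() for n in nets)
        return "spoof" if claimed else "accept"
    own = per_if.get(inbound_if, set())
    return "accept" if any(ip in n for n in own) else "spoof"


if __name__ == "__main__":
    for a, na, b, nb in find_overlaps():
        print(f"overlap: {a} claims {na} and {b} claims {nb}")
    for src, ifn in [("10.50.1.5", "eth1c0"), ("10.50.1.5", "eth2c0"),
                     ("10.50.1.5", EXTERNAL_IF)]:
        print(f"{src} arriving on {ifn}: {classify(src, ifn)}")
```

Run against a real export you would replace OBJECTS and TOPOLOGY with the flattened contents of the management database; the overlap report is the list to walk through when a drop cites Anti spoofing.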




Re: [FW-1] Cisco IP Phone via SSL Extender

2009-10-16 Thread Sergio Alvarez
AFAIK, there should be no specific version associated with Cisco IP Phone
support.



On Fri, Oct 16, 2009 at 12:42 AM, antarees chrisna 
achri...@jakarta.oilfield.slb.com wrote:

 Hi All,



 Does anyone know which CP version, either Gateway or SSL Extender,
 supports Cisco IP Phone?



 Rgds,

 -AC









-- 
Sergio Alvarez
+(506)88301342




Re: [FW-1] New Windows SmartCentre to run NGX R65

2009-10-15 Thread Sergio Alvarez
You must be looking at an IPSO or Linux/SPLAT hotfix installer, if you are
going to install it on a Windows machine, then you need to look for and
download the specific Windows version of the installer.

All hotfix installers are usually tgz files, but once decompressed, the
Windows specific installer will include a Setup.bat file you can execute to
run the installation.

Hope this helps.

Regards

On Thu, Oct 15, 2009 at 5:20 AM, Independent IT Consultant 
itsec.itcons...@gmail.com wrote:

 The hotfix should have been distributed as a zip / tarball -- bear in mind
 that the hotfix will have been compiled separately for each OS, so your
 IPSO
 version will not work on Windows. Extract it on the new smart center and
 run the setup associated with the hotfix -- in the UNIX world, there's
 almost always a UnixInstallScript shell script; in Windows, this is
 usually handled by a batch file.  I suggest that you run it from the
 command
 line and not by double-clicking.  That's all there is to it.

 Regarding SIC, a SIC change is not needed if the IP address changes, though
 the masters file on the enforcement point may need to be updated if it
 lists
 the IP and not the hostname.  SIC is based on hostname, not IP.

 On Thu, Oct 15, 2009 at 6:50 AM, Peter Addy wavema...@yahoo.com wrote:

  Thanks, any idea on the hotfix installation on Windows?
 
  Cheers
 
  --- On Thu, 10/15/09, pkc_mls pkc_...@yahoo.fr wrote:
 
  From: pkc_mls pkc_...@yahoo.fr
  Subject: Re: [FW-1] New Windows SmartCentre to run NGX R65
  To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
  Date: Thursday, October 15, 2009, 10:29 AM
 
  Peter Addy wrote:
   Hi
  
   Before I commence, does anyone else know of any other gotchas when
  installing a new management server from R61 to R65, using the
  import/export tool
  
   The only thing the new server will have is a new IP address, I assume
  routing and all other aspects will be ok and are in the saved config,
 lastly
  I have never run a hotfix on Windows but it says to run setup.bat??? I
 cannot
  see where that file is, how do I run a hotfix on Windows, I thought there
  would be a setup.exe?
  
   ran the hotfix many times on an IPSO using the ./install but never on
  Windows
  
   Thanks
  
  Hi,
 
  As others already mentioned, make sure you don't change the name of the
  SmartCenter; otherwise, the process is quite long.
 
 
  Changing the IP only requires changing the SIC with all gateways this
  SmartCenter manages.
 
 
 
 
 
 
 
 
 







-- 
Sergio Alvarez
+(506)88301342




Re: [FW-1] New Windows SmartCentre to run NGX R65

2009-10-13 Thread Sergio Alvarez
Hello,

I do not recommend changing the SmartCenter hostname, the ICA gets corrupted
and it's a royal pain to reset it, plus you have to re-establish SIC with
all your firewall modules and all certs issued by the ICA (for example used
by VPN Client users), become invalid. Now, changing the IP associated with
the licenses is not a big deal.

Once the IP is changed the licenses become invalid, so it's just a matter of
being careful.

1. Change IP assignment of the licenses in the UserCenter
2. Change the SmartCenter IP on the SmartDashboard object
3. Change the IP at the OS level (in your case Windows)
4. Add the licenses with the new IP downloaded from UserCenter

Regards

On Mon, Oct 12, 2009 at 3:08 PM, Peter Addy wavema...@yahoo.com wrote:

 Thanks again to all

 --- On Mon, 10/12/09, Kim Longenbaugh k...@colonialsavings.com wrote:

 From: Kim Longenbaugh k...@colonialsavings.com
 Subject: Re: [FW-1] New Windows SmartCentre to run NGX R65
 To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
 Date: Monday, October 12, 2009, 4:36 PM

 -Original Message-
 From: Mailing list for discussion of Firewall-1 [mailto:
 fw-1-mailingl...@amadeus.us.checkpoint.com] On Behalf Of Peter Addy
 Sent: Monday, October 12, 2009 9:43 AM
 To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
 Subject: [FW-1] New Windows SmartCentre to run NGX R65

 Hi All

 just a quick question, how easy is it to install a new Windows
 SmartCentre server? Our original server is running NGX R61 and we are
 building a new Windows 2003 server to run NGX R65. Is it simply a matter of
 exporting the config off the current server and importing this into the new
 server? If so, how? Also the IP of the new server will be different,

 thanks to all

 =
 Peter,
 I forgot to mention a small detail.  If you change the name of the
 Windows server you're hosting your Smart Center server on, you will also
 break the SIC, and all your VPNs (if any) will also break.
 Changing the server name and/or the IP address are both doable, but there's
 a lot of detailed steps to follow, so again, I'd advise contacting tech
 support for help.

 Kim










-- 
Sergio Alvarez
+(506)88301342



Re: [FW-1] Exporting policy from NGX R65 to VPNedge

2009-09-28 Thread Sergio Alvarez
When you have a VPN-1 Edge box you have 2 options, manage it from a
SmartCenter or locally using its own Web GUI.

When it is managed by a SmartCenter, you can create rules for it as you
would do for any regular VPN-1 gateway, but AFAIK, there is NO way to export
an existing config in a SmartCenter for an Edge box, to a file that would
then be imported into that or another Edge box, if that is what you are
thinking about.

Now, have I answered your question or are you actually thinking about
something else?

Regards

On Mon, Sep 28, 2009 at 7:36 AM, a bv vbavbal...@gmail.com wrote:

 Then how?

 2009/9/25 Reinhard Stich r.st...@internet-security.at:
   At 14:25 25.09.2009, you wrote:
 
  Hi,
 
  Is there a way to export policy from NGX R65  to use in VPNEdge?
 
  if the edge is managed from the same smartcenter as the R65 is: yes
 
  br
  reinhard
 
  --
  Reinhard Stich  r.st...@internet-security.at
  Internet Security AG, 1100 Wien, Wienerbergstrasse 9
  Tel: +43 1 3709440 RS784-RIPE Fax: +43 1 3709440-333
 
 





-- 
Sergio Alvarez
+(506)88301342



Re: [FW-1] VPN client for windows 7??

2009-09-24 Thread Sergio Alvarez
I don't think there is an officially supported Secure Client version
for Windows 7 yet, which is what I guess you are looking for.

Given the fact Microsoft claimed there is very good backwards compatibility
with Vista, most likely the versions supporting Vista will work with Win 7,
although I haven't tried it myself nor have I heard about experiences from
anybody else. I guess you have nothing to lose trying.

In any case, it might be useful for you to know a customer of mine has SSL
Network Extender deployed on his VPN-1 cluster and his Windows 7 users were
able to get connected that way with no problem.

Regards

On Thu, Sep 24, 2009 at 6:20 AM, Ken Cameron
kcame...@staffleasing-peo.comwrote:

 Does anybody know the right client install for Win7?? The website isn't
 organized very well for looking from the client end of things, they have
 it oriented from the server end of the configs.

 -ken cameron, CCP.
 Staff Leasing of CNY Inc 315-641-3600
 SkyDiver: Zoo-602, A-8596, D-11839.
 Skier: down & cross. English Hunter Rider. Scuba: wet & dry
 mailto: kcame...@staffleasing-peo.com  Home DZ: FingerLakes Skydivers,
 Ovid NY

 Scanned by Check Point Total Security Gateway.





-- 
Sergio Alvarez
+(506)88301342





Re: [FW-1] L2TP connection from iPhone

2009-09-21 Thread Sergio Alvarez
Hello,

Actually my customer has had a few other things with higher priority in his
hands, so we haven't really had the chance to work on it. Anyway, when the
time comes, any extra help would be really appreciated, so yes, please
send me the fix and the release notes.

Thanks a lot for your offer.

Regards

On Mon, Sep 21, 2009 at 3:35 AM, pkc_mls pkc_...@yahoo.fr wrote:

 Sergio Alvarez wrote:

 Hello guys,



 Hi,

 I have a customer who would like to try to enable support for iPhone users to
 VPN to their VPN-1 R65 HFA50 HA cluster.

 I already downloaded the L2TP Supplement, read the Release Notes and also a
 couple of threads I found on this list about the deployment, so I am clear
 on the AES-128 setting.

 I have a few doubts though and maybe some of you can help me.



 Don't know if you fixed the issue, but we had a fix from Check Point for
 this.

 I can send you the fix and release notes if you're interested.

 regards.







-- 
Sergio Alvarez
+(506)88301342







Re: [FW-1] License (adding) problem Upgrade from R65Windows 2003 to R70 SPLAT and edge

2009-09-09 Thread Sergio Alvarez
I usually prefer to get the license files from the Check Point UserCenter.

If you got an error fetching the license from the file you got from
exporting, maybe there IS a problem with the file; try logging in to the
UserCenter and downloading the license files from there.

Regards
On Wed, Sep 9, 2009 at 5:37 AM, a bv vbavbal...@gmail.com wrote:

 Hi,

 I have exported a CP NGX R65 on Windows 2003 configuration with upgrade_export
 and formatted the backup fw with SecurePlatform R70.
 I also saw somewhere that the firewall says the trial period has gone
 (though I installed it before 15 days). I opened SmartUpdate on the
 current R65 Windows and tried to export the licenses (I see 2, one for
 firewall, one for VPN) to a file (named them fw.lic and fwvpn.lic) and copied
 them to /home/admin with a USB flash disk. I ran cpconfig and tried to add the
 license with "fetch from file" but it gave an error. I opened the web
 management portal from the laptop and went to the licenses part but it doesn't
 give the option to add by file. I have to find an easier way or remember the
 parts of the license file (by opening the file with notepad). I saw the cplic
 command but don't know the details of how to use it in this situation. So how
 can I bypass the license adding problem?

 Regards






-- 
Sergio Alvarez
+(506)88301342



[FW-1] L2TP connection from iPhone

2009-09-08 Thread Sergio Alvarez
Hello guys,

I have a customer who would like to try to enable support for iPhone users to
VPN to their VPN-1 R65 HFA50 HA cluster.

I already downloaded the L2TP Supplement, read the Release Notes and also a
couple of threads I found on this list about the deployment, so I am clear
on the AES-128 setting.

I have a few doubts though and maybe some of you can help me.

First is the fact that the Release Notes include Office Mode configuration as
part of the setup. My customer has been using Office Mode for quite a while
for his Secure Client users, but never really acquired a Secure Client
license because they are not using any other of the Secure Client specific
features and OM just worked fine that way. But since we applied HFA50, he
started getting issues: at some point, after some of the Secure Client
users have logged in with no problem, new users are able to get connected
but do not get an OM license; SV Tracker reports something like "there are
not enough licenses" and the product shown is Office Mode, so apparently
HFA50 introduced a Secure Client license enforcement for the OM feature.

So my specific question is if OM is a must for L2TP connections to work, or
if we can get around it, maybe deploying IP Pool NAT.

Any ideas would be really appreciated.

Regards



-- 
Sergio Alvarez
+(506)88301342



Re: [FW-1] Migration from NGX65 to R70

2009-07-27 Thread Sergio Alvarez
Well Andre, we were told by Check Point sales staff that pre UTM/Pro
licenses were NOT supported by R70, and since then I haven't tried to upgrade any
of our older customers, assuming that premise was true.

Now, those sales guys have proved not to be 100% right on R70 stuff, and if
you tried Pro/Express licenses with R70 and that worked fine, it seems like they
were wrong. I'll have to do a few tests myself.

Those are great news, by the way.



On Mon, Jul 27, 2009 at 10:18 AM, No Name Available ychap...@parc.com wrote:

 Eugeniu,

 Yes we have the Enterprise Software Subscription.

 Thank you.
 Yuriko

  -Original Message-
  From: Mailing list for discussion of Firewall-1
  [mailto:fw-1-mailingl...@amadeus.us.checkpoint.com] On Behalf
  Of Eugeniu Patrascu
  Sent: Saturday, July 25, 2009 1:39 AM
  To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
  Subject: Re: [FW-1] Migration from NGX65 to R70
 
  No Name Available wrote:
   Hello.
   I'd like to ask some of you who upgraded your NGX to R70 + software
   blades if you had to pay a lot of money.
   We recently got a quote from CheckPoint for the migration.
   According to that, before discount, they charge us over 70%
  of the new
   version Product since their trade-in limit is 22%. Even after
   discount, we can trade-in only about 50% of product price
  of what we have now.
   It doesn't make sense to me.
  
  Are you covered by an Enterprise Software Subscription ?
  Because if you would, when you do functionality upgrade it
  should cost you a little bit less than what you're saying.
 
 





-- 
Sergio Alvarez
+(506)88301342



Re: [FW-1] Migration from NGX65 to R70

2009-07-27 Thread Sergio Alvarez
Yuriko.

I wouldn't know about that. After all, the info I had seems to be wrong
according to Andre's experience.

Regards

On Mon, Jul 27, 2009 at 9:57 PM, Sergio Alvarez seral...@gmail.com wrote:

 Well Andre, we were told by Check Point sales staff that pre UTM/Pro
 licenses were NOT supported by R70, and since then I haven't tried to upgrade any
 of our older customers, assuming that premise was true.

 Now, those sales guys have proved not to be 100% right on R70 stuff, and if
 you tried Pro/Express licenses with R70 and that worked fine, it seems like they
 were wrong. I'll have to do a few tests myself.

 Those are great news, by the way.




 On Mon, Jul 27, 2009 at 10:18 AM, No Name Available ychap...@parc.com wrote:

 Eugeniu,

 Yes we have the Enterprise Software Subscription.

 Thank you.
 Yuriko

  -Original Message-
  From: Mailing list for discussion of Firewall-1
  [mailto:fw-1-mailingl...@amadeus.us.checkpoint.com] On Behalf
  Of Eugeniu Patrascu
  Sent: Saturday, July 25, 2009 1:39 AM
  To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
  Subject: Re: [FW-1] Migration from NGX65 to R70
 
  No Name Available wrote:
   Hello.
   I'd like to ask some of you who upgraded your NGX to R70 + software
   blades if you had to pay a lot of money.
   We recently got a quote from CheckPoint for the migration.
   According to that, before discount, they charge us over 70%
  of the new
   version Product since their trade-in limit is 22%. Even after
   discount, we can trade-in only about 50% of product price
  of what we have now.
   It doesn't make sense to me.
  
  Are you covered by an Enterprise Software Subscription ?
  Because if you would, when you do functionality upgrade it
  should cost you a little bit less than what you're saying.
 
 





 --
 Sergio Alvarez
 +(506)88301342




-- 
Sergio Alvarez
+(506)88301342



Re: [FW-1] Migration from NGX65 to R70

2009-07-24 Thread Sergio Alvarez
Hello Yuriko,

I have no idea who had the bright idea of making so many changes in the
licensing scheme from R65 to R70, obviously some guy who has never dealt
directly with installations or customers, just thinking about making extra
money and nothing else, but I do agree it is a complete rip-off. I work for a
Check Point reseller and every single one of our customers is upset due to
the amount of money they will have to pay to level up with the new version.

Now, the deal here is R70 does support all licenses in the UTM/Power line,
so if you bought all your licenses after NGX was released or made
Functionality Upgrades to licenses in that line, you can safely upgrade to
R70; although of course some of the new features in that software version
will not be available, you will still have a fully functional firewall
platform with at least the same features as before.

BUT, if you still hold some of the licenses in the Pro/Express line, you
will be forced to do a Functionality Upgrade, otherwise your licenses
will not be recognized by an R70 installation.

Regards


On Fri, Jul 24, 2009 at 6:45 PM, No Name Available ychap...@parc.com wrote:

 Hello.
 I'd like to ask some of you who upgraded your NGX to R70 + software blades
 if you had to pay a lot of money.
 We recently got a quote from CheckPoint for the migration.
 According to that, before discount, they charge us over 70% of the new
 version
 Product since their trade-in limit is 22%. Even after discount, we can
 trade-in only about 50% of product price of what we have now.
 It doesn't make sense to me.

 Please tell me your experience.

 Thank you.
 Yuriko





-- 
Sergio Alvarez
+(506)88301342



Re: [FW-1] Strange VPN problem

2009-06-30 Thread Sergio Alvarez
I have seen that sometimes you have to force the VPN Client to refresh the
VPN Topology by recreating the site, especially when doing multiple changes,
so I guess you could try that.

Also bear in mind that even though by default the VPN Domain for site-to-site
and Remote Access VPNs is the same, there is a button in the same section you
mentioned where you can define a specific VPN Domain for Remote Access
clients; maybe it was set to something specific at some point and it is not
reflecting recent changes in the regular VPN Domain.

Regards

On Tue, Jun 30, 2009 at 9:56 AM, c0re dumped ez.c...@gmail.com wrote:

 Some of the networks listed in an object group that is applied in Manage >
 Network Objects > New > Check Point > Gateway > Topology > VPN Domain
 - Manually Defined are not being passed to my VPN clients.

 These clients are connecting using office mode.

 Even when I remove some networks of the group, the same set of routes
 are transmitted to the client

 What could this be ?

 # fw ver
 This is Check Point VPN-1(TM) & FireWall-1(R) NGX (R65) HFA_02, Hotfix
 602 - Build 006
 SPLAT

 Thanks

 --

 To err is human, to blame it on somebody else shows management potential.






-- 
Sergio Alvarez
+(506)88301342





Re: [FW-1] site to site VPN failing with Cisco Pix 515 and 505

2009-06-30 Thread Sergio Alvarez



-- 
Sergio Alvarez
+(506)88301342





Re: [FW-1] VPN Client 64 bits

2009-06-30 Thread Sergio Alvarez
Actually they released SNX R71, which now adds support for Windows Vista 64
bit. Windows XP 64 bit is still not supported.

Regards

On Mon, Jun 29, 2009 at 6:21 AM, Alexey Baltacov 
alex...@office.artnet.co.il wrote:

 In order to use Endpoint Connect with an R65 GW you need to upgrade to
 HFA40 first.
 Second, you should use the correct license.
 But
 in case you already have SNX you only need to upgrade SNX on your GW and
 you'll be able to connect via SNX.

 Alexey

 -Original Message-
 From: Mailing list for discussion of Firewall-1
 [mailto:fw-1-mailingl...@amadeus.us.checkpoint.com] On Behalf Of Roberto
 Lauriola
 Sent: 29 June, 2009 2:36 PM
 To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
 Subject: [FW-1] VPN Client 64 bits

 Hi All,

 As mentioned in the SecureClient NGX R60_HFA_02 Release Notes,
 SecureClient for 64-bit Windows is not supported.
 We are running VPN-1 NGX R65; how can we connect using VPN from a remote
 Windows Vista 64-bit system?
 I read about Endpoint Connect; is that a good idea?

 Thank-you all for your help.
 Bye, Roberto.








-- 
Sergio Alvarez
+(506)88301342





Re: [FW-1] Problem logging with Dashboard using read only admin

2009-06-29 Thread Sergio Alvarez
Thanks for your answers, but the tests of the new read-only admins were
done from the machine of one of the regular read/write admins, so there
is no way this is an issue with the GUI Clients list.

In any case, if I'm not mistaken, the error you get when attempting to
connect from a machine not included in the GUI Clients is the one saying
something about making sure the service is up and running and that you are
included in the GUI clients list.

Any other ideas?

Regards

On Fri, Jun 26, 2009 at 7:58 PM, Independent IT Consultant 
itsec.itcons...@gmail.com wrote:

 Be sure the machines these 2 additional admins are attempting to access SDB
 from are defined as GUI clients.  Alternatively, consider implementing
 SmartPortal (so long as you're licensed for it).  SmartPortal provides web-based
 read access into the SmartCenter.

 On Fri, Jun 26, 2009 at 8:26 PM, Sergio Alvarez seral...@gmail.com
 wrote:

  Hello,
 
  This customer of mine has an R65 SmartCenter and has several administrators
  with read/write permissions that regularly log in via Smart Dashboard with
  no problems. Now they need to add two extra administrators but with read
  only permissions, so they created the users under the Administrators
  section, added a read only profile to them and defined a password for
  each, but when those 2 users try to login they get an error that says
  Connection cannot be established.
 
  Since it is not an authentication error nor a regular ...make sure the
  service is up and running.. message, seems like something strange is going
  on. I checked the SK, but could not find anything that seemed related with
  this scenario.
 
  Has anybody seen anything like this before?
 
  Any help will be very appreciated.
 
  Regards
 
  --
  Sergio Alvarez
  +(506)88301342
 
 







-- 
Sergio Alvarez
+(506)88301342





[FW-1] Problem logging with Dashboard using read only admin

2009-06-26 Thread Sergio Alvarez
Hello,

This customer of mine has an R65 SmartCenter and has several administrators
with read/write permissions that regularly log in via Smart Dashboard with
no problems. Now they need to add two extra administrators but with read
only permissions, so they created the users under the Administrators
section, added a read only profile to them and defined a password for
each, but when those 2 users try to login they get an error that says
Connection cannot be established.

Since it is not an authentication error nor a regular ...make sure the
service is up and running.. message, seems like something strange is going
on. I checked the SK, but could not find anything that seemed related with
this scenario.

Has anybody seen anything like this before?

Any help will be very appreciated.

Regards

-- 
Sergio Alvarez
+(506)88301342



Re: [FW-1] SNMP monitor for spooled email files??

2009-06-19 Thread Sergio Alvarez
I wish I had an answer for you regarding what you want to do with SNMP, but
what I would suggest is going to the root of the problem and trying to solve
the issue of your firewall getting stuck with the email messages.

I have found both the HTTP proxy and SMTP relay of those UTM-1 boxes are
pretty buggy and have had to apply several patches provided by Check Point
Support to the ones we have sold so far to multiple customers. I haven't
seen the exact problem you have, but maybe there is a patch for it and you
can avoid having to find a way to monitor it.

On Thu, Jun 18, 2009 at 3:00 PM, Eugeniu Patrascu eu...@imacandi.net wrote:

 Ken Cameron wrote:

 SNMP is a great way to watch out for things and to track them
 (MRTG/BigBrother).

 We have a 270 appliance running R65 (so basically a splat box) but from
 time to time email will get stuck there and build up in the spool
 directory. Simply pushing a rule or database on the firewall will wake
 it up and it quickly catches up and the mails flow through just fine.

 But if I had an easy way to track how many files are in that directory
 via SNMP, life would be easy as I could see it happen instead of a gang
 of users come hunting!! Does anybody have suggestions of how to best
 deal with this?? I use SNMP and monitor the disk and CPU just fine, but
 am looking for something a bit farther off the norm.


 SNMP supports writing a script and then running it when you query
 an OID. Just look into a snmpd.conf file in RHEL 3 (for R65) to see how you
 can get something up and running pretty quick.


 Eugeniu







-- 
Sergio Alvarez
+(506)88301342
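The snmpd script hook Eugeniu describes, as an added example that is not code from the thread or from Check Point: a small POSIX shell script that snmpd runs through its exec (older ucd-snmp) or extend (net-snmp 5.2 and later) directive, reporting the number of files in the SMTP spool directory and flagging the spool as stuck when files sit there longer than a threshold. The spool path, script path, thresholds and the snmpd.conf lines are assumptions.

```shell
#!/bin/sh
# spoolcount.sh -- added example, not code from the list thread or from Check Point.
# Reports how many messages are waiting in the gateway's SMTP spool directory so
# that snmpd can hand the number to a poller (MRTG, Big Brother, ...). A count that
# keeps growing, or files that sit in the directory for a long time, is the "stuck
# spool" symptom described in the thread.
#
# Hooking it into snmpd (assumed lines; the spool path and script path are
# placeholders, substitute the real ones for the appliance):
#   exec   smtpspool /usr/local/bin/spoolcount.sh count  /path/to/smtp/spool
#     (ucd-snmp style, output under UCD-SNMP-MIB::extTable)
#   extend smtpspool /usr/local/bin/spoolcount.sh status /path/to/smtp/spool
#     (net-snmp 5.2 and later, output under NET-SNMP-EXTEND-MIB)
# Most pollers read only the first line of output, so every function prints
# exactly one line.

# spool_count DIR
# Print the number of regular files directly inside DIR. Returns 2 if DIR does
# not exist, so the caller can tell "empty" from "wrong path".
spool_count() {
    dir="$1"
    [ -d "$dir" ] || { echo 0; return 2; }
    find "$dir" -maxdepth 1 -type f 2>/dev/null | wc -l | tr -d ' '
}

# spool_stale_count DIR MINUTES
# Print how many files in DIR are older than MINUTES. Messages normally leave the
# spool within seconds, so anything older than a few minutes has stopped moving.
spool_stale_count() {
    dir="$1"
    minutes="$2"
    [ -d "$dir" ] || { echo 0; return 2; }
    find "$dir" -maxdepth 1 -type f -mmin +"$minutes" 2>/dev/null | wc -l | tr -d ' '
}

# spool_status DIR MAXFILES MAXMINUTES
# Print "STATE total stale" on one line. STATE is STUCK (exit 1) when any file
# is older than MAXMINUTES or more than MAXFILES are queued, OK (exit 0)
# otherwise, and UNKNOWN (exit 2) when DIR is missing. snmpd exposes the exit
# status as well (extResult / nsExtendResult), so a poller can alert on it.
spool_status() {
    dir="$1"
    maxfiles="${2:-50}"
    maxminutes="${3:-30}"
    total=$(spool_count "$dir") || { echo "UNKNOWN 0 0"; return 2; }
    stale=$(spool_stale_count "$dir" "$maxminutes")
    if [ "$stale" -gt 0 ] || [ "$total" -gt "$maxfiles" ]; then
        echo "STUCK $total $stale"
        return 1
    fi
    echo "OK $total $stale"
    return 0
}

# Command-line entry point used by snmpd; skipped when the file is sourced
# without arguments.
case "${1:-}" in
    count)  spool_count "$2" ;;
    status) spool_status "$2" "${3:-50}" "${4:-30}" ;;
esac
```

The count mode returns a bare integer that MRTG can graph directly; the status mode is for an alerting poller, which should treat the non-zero exit status as the alarm rather than parsing the text.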



Re: [FW-1] Unstable VPN traffic

2009-06-19 Thread Sergio Alvarez
Hello,

I forgot to let you guys know that Matthew nailed it. After changing to One
VPN Tunnel per Gateway pair in the community settings, the problem with the
VPNs disappeared.

Thanks a lot Matt.

Regards

On Fri, Jun 12, 2009 at 6:47 AM, Sergio Alvarez seral...@gmail.com wrote:

 Hello Matthew,

 Thanks for your reply.

 Actually what you are explaining here makes a lot of sense, I'll try it and
 will let the list know if the issue gets resolved.

 Regards


 On Fri, Jun 12, 2009 at 1:07 AM, Matthew Odendaal matt...@isa.co.za wrote:

 It sounds like the sofaware box can't handle the amount of tunnels,
 because the default configuration on VPN communities is to create a pair
 of VPN keys for each subnet. If there are many subnets, that results in
 many keys being created which puts extra load on the Sofaware box.

 We previously had similar issues with one of our larger s...@office
 deployments. To overcome this, we changed the VPN Tunnel Sharing options
 under Tunnel Management to use One VPN Tunnel per Gateway pair.

 That should reduce the overhead on the s...@office devices somewhat, as
 it will only use a single pair of keys to communicate with all subnets
 behind the gateway.

 Good luck.

 Matt




 -Original Message-
 From: Mailing list for discussion of Firewall-1
 [mailto:fw-1-mailingl...@amadeus.us.checkpoint.com] On Behalf Of Sergio
 Alvarez
 Sent: 11 June 2009 05:24 PM
 To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
 Subject: [FW-1] Unstable VPN traffic

 Hello,

 I have this very strange issue with a deployment of a VPN-1 (SPLAT R65) HA
 cluster on a main site and ADSL s...@office boxes on several remote
 locations. Site to site VPNs were configured and the phase 1 negotiation
 goes with no issues, but then something wrong is happening with phase 2.
 On the remote locations there are only flat networks behind each Sofa box,
 but behind the HA pair of the main location there are lots of different IP
 ranges, which forced the administrator to configure very wide ranges when
 creating the VPN on the Sofa GUI (using the specify configuration option).
 What happens is some of the IP ranges behind the VPN-1 HA pair are reachable
 while some are not. You might think it was a config issue or an overlapping
 IP range causing trouble, but suddenly the situation changes and networks
 that were not reachable become reachable and ones that were working fine
 stop working. In the same way, moving to the other side, main site IP ranges
 that were able to get to the networks behind the Sofa boxes are no longer
 able to do so and some that were failing suddenly are able to get there.

 The situation occurs not only for one VPN with a Sofa box, but it has
 occurred with every box they have deployed (5 at this point). They purchased
 10 of those boxes but stopped the deployment due to these issues and have
 made rollbacks on most of them as the issue makes it almost impossible for
 the people on the remote offices to work properly.

 The Tracker on the main site shows all attempts to reach remote networks as
 encrypted (no drops) and on the Sofa logs there are no errors or drops
 either. Captures on both sides were taken while doing tests from a remote
 office trying to reach several IP ranges on the main site and apparently
 packets to failing networks reach the Sofa but never make it through the
 tunnel as they are not shown on the main site.

 Has anybody seen something like this? Any help will be very appreciated.

 Regards


 --
 Sergio Alvarez
 +(506)88301342


 Scanned by Check Point Total Security Gateway.

 =
 To set vacation, Out-Of-Office, or away messages,
 send an email to lists...@amadeus.us.checkpoint.com
 in the BODY of the email add:
 set fw-1-mailinglist nomail
 =
 To unsubscribe from this mailing list,
 please see the instructions at
 http://www.checkpoint.com/services/mailing.html
 =
 If you have any questions on how to change your
 subscription options, email
 fw-1-ow...@ts.checkpoint.com
 =

 Scanned by Check Point Total Security Gateway.

 =
 To set vacation, Out-Of-Office, or away messages,
 send an email to lists...@amadeus.us.checkpoint.com
 in the BODY of the email add:
 set fw-1-mailinglist nomail
 =
 To unsubscribe from this mailing list,
 please see the instructions at
 http://www.checkpoint.com/services/mailing.html
 =
 If you have any questions on how to change your
 subscription options, email
 fw-1-ow...@ts.checkpoint.com
 =




 --
 Sergio Alvarez
 +(506)88301342




-- 
Sergio Alvarez
+(506)88301342

=
To set vacation, Out-Of-Office

Re: [FW-1] Unstable VPN traffic

2009-06-12 Thread Sergio Alvarez
Hello Matthew,

Thanks for your reply.

Actually what you are explaining here makes a lot of sense, I'll try it and
will let the list know if the issue gets resolved.

Regards

On Fri, Jun 12, 2009 at 1:07 AM, Matthew Odendaal matt...@isa.co.za wrote:

 It sounds like the sofaware box can't handle the amount of tunnels,
 because the default configuration on VPN communities is to create a pair
 of VPN keys for each subnet. If there are many subnets, that results in
 many keys being created which puts extra load on the Sofaware box.

 We previously had similar issues with one of our larger s...@office
 deployments. To overcome this, we changed the VPN Tunnel Sharing options
 under Tunnel Management to use One VPN Tunnel per Gateway pair.

 That should reduce the overhead on the s...@office devices somewhat, as
 it will only use a single pair of keys to communicate with all subnets
 behind the gateway.

 Good luck.

 Matt




-- 
Sergio Alvarez
+(506)88301342



[FW-1] Unstable VPN traffic

2009-06-11 Thread Sergio Alvarez
Hello,

I have this very strange issue with a deployment of a VPN-1 (SPLAT R65) HA
cluster on a main site and ADSL s...@office boxes on several remote
locations, site to site VPNs were configured and the phase 1 negotiation
goes with no issues, but then something wrong is happening with phase 2.
On the remote locations there are only flat networks behind each Sofa box,
but behind the HA pair of the main location there are lots of different IP
ranges, which forced the administrator to configure very wide ranges when
creating the VPN on the Sofa GUI (using the specify configuration option).
What happens is some of the IP ranges behind the VPN-1 HA pair are reachable
while some are not, you might think it was a config issue or an overlapping
ip range causing trouble, but suddenly the situation changes and networks
that were not reachable become reachable and ones that were working fine
stop working. In the same way, moving to the other side, main site ip ranges
that were able to get to the networks behind the Sofa boxes are no longer
able to do so and some that were failing, suddenly are able to get there.

The situation occurs not only for one VPN with a Sofa box, but it has
occurred with every box they have deployed (5 at this point). They purchased
10 of those boxes but stopped the deployment due to these issues and have
made rollbacks on most of them as the issue makes it almost impossible for
the people on the remote offices to work properly.

The Tracker on the main site shows all attempts to reach remote networks as
encrypted (no drops) and on the Sofa logs there are no errors or drops
either. Captures on both sides were taken while doing tests from a remote
office trying to reach several ip ranges on the main site and apparently
packets to failing networks reach the Sofa but never make it through the
tunnel as are not shown on the main site.

Has anybody seen something like this? Any help will be very appreciated.

Regards


-- 
Sergio Alvarez
+(506)88301342


=
To set vacation, Out-Of-Office, or away messages,
send an email to lists...@amadeus.us.checkpoint.com
in the BODY of the email add:
set fw-1-mailinglist nomail
=
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=
If you have any questions on how to change your
subscription options, email
fw-1-ow...@ts.checkpoint.com
=


Re: [FW-1] Observing the rules

2009-06-08 Thread Sergio Alvarez
Another suggestion would be to use time objects for those temp rules. When
someone asks for temp access to something in particular, you assign that
person a particular amount of time, add the proper time object to the rule
and the rule stops working when that period goes by.

That way you don't have to worry about remembering to disable or delete the
rule when it is no longer needed. It is even easier if you define a section on
your rulebase for those temp rules, so from time to time you check it out
and decide which rules are no longer needed and clean them up or you can
keep those disabled so you can take advantage of them when someone else
needs one.

Regards

On Mon, Jun 8, 2009 at 3:58 AM, pkc_mls pkc_...@yahoo.fr wrote:

 a bv a écrit :

 Hi list,


 Hi a,

 There are many rules on our R65 and when someone needs we add
 temporary rules but mostly
 the user who needs the temp rule doesn't warn us when he/she no longer
 needs it, and also we can't follow. So how can these rules
 effectively be observed, how often used or not used since x time? Are
 there any tricks on Smartview Tracker? What is the best practice?


 I recommend to use the comment section of the rule to add the date at which
 the rule was added
 and the name of the person who added the rule.

 You can use also the comment for the network objects.

 I also recommend to use personal admin logins instead of generic ones, so
 if you search in the audit log you know exactly who did the rule
 modification.

 To know if some rules are not used, you can check your logs, but the best
 is to ask the person who may use the service
 if this is in use or not. Smartview tracker will only give you information
 on the current log (you can also open older ones), but if you have quite a
 huge traffic, it can be really painful to find the info from the logs.

 hope this helps.

  regards







-- 
Sergio Alvarez
+(506)88301342
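A reviewer's audit of a temp-rule section along the lines suggested in this thread, as an added example that is not part of the original posts or of Check Point's tooling. It assumes a comment convention of 'YYYY-MM-DD owner reason', an expiry date read from the rule's time object and a last-hit date taken from a log review; the rule data is constructed.

```python
"""Added example (not code from this thread or from Check Point): audit a
'temporary rules' section. Assumes every temp rule carries a comment of the
form 'YYYY-MM-DD owner reason' and an expiry taken from its time object;
all rule data below is constructed for illustration."""
import re
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional
COMMENT_RE = re.compile(r"^(\d{4}-\d{2}-\d{2})\s+(\S+)\s*(.*)$")

@dataclass
class Rule:
    number: int
    comment: str
    expires: Optional[date]   # date from the attached time object, None if absent
    last_hit: Optional[date]  # newest log entry matched by the rule, None if never hit
    disabled: bool = False    # parked for reuse, as suggested in the thread

def parse_comment(comment):
    """Return (added_on, owner, reason), or None if the comment ignores the convention."""
    m = COMMENT_RE.match(comment.strip())
    if not m:
        return None
    try:
        return date.fromisoformat(m.group(1)), m.group(2), m.group(3)
    except ValueError:        # right shape but impossible date, e.g. 2009-13-40
        return None

def audit(rules, today, unused_after=timedelta(days=30)):
    """Map rule number -> findings; rules with nothing to report are omitted."""
    findings = {}
    for r in rules:
        issues = []
        if parse_comment(r.comment) is None:
            issues.append("no dated/owned comment")
        if not r.disabled:    # a disabled rule is parked on purpose; only its comment matters
            if r.expires is None:
                issues.append("no time object")
            elif r.expires < today:
                issues.append("expired; disable or delete")
            if r.last_hit is None or today - r.last_hit > unused_after:
                issues.append("no hits in review window")
        if issues:
            findings[r.number] = issues
    return findings

REVIEW_DATE = date(2009, 6, 8)   # constructed review date
SAMPLE_RULES = [                 # constructed temp-rule section
    Rule(41, "2009-05-04 jdoe vendor sftp access", date(2009, 5, 18), date(2009, 5, 15)),
    Rule(42, "2009-06-01 asmith temp db access", date(2009, 6, 30), date(2009, 6, 7)),
    Rule(43, "allow test", None, None),
    Rule(44, "2009-03-02 bkim patch download", date(2009, 3, 16), date(2009, 3, 10), True),
]

if __name__ == "__main__": print(audit(SAMPLE_RULES, REVIEW_DATE))
```

Rule 44 is expired but already disabled, so it is left alone; the two rules reported are the expired one and the undocumented one with no time object and no hits.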





[FW-1] ISP Redundancy / DNS Proxy not working

2009-05-27 Thread Sergio Alvarez
Hello,

Yesterday I visited a customer who wanted to deploy ISP Redundancy with his
VPN-1 HA pair. He has two firewall modules running R65 SPLAT 2.6, which are
managed by a SmartCenter running R65 SPLAT 2.4 HFA30.

He wanted to make sure of all the changes that would be required and also do
some testing, so I first installed a stand alone firewall on a lab machine,
made the entire configuration and everything worked perfect.

Later, out of business hours, we started working on the production machines.
I made the entire configuration for the cluster and everything worked fine
with the outbound traffic, as the cluster started balancing the connections
properly between the 2 ISPs, but the inbound traffic did not work. The manual
NAT rules work fine, it is in fact possible to send traffic to servers on
the DMZ via public IPs of both ISPs, but the DNS Proxy doesn't work at all.
I checked the configuration again and again and everything looks fine, but
the cluster just won't answer to any DNS queries sent to it.

I checked the SmartView Tracker and saw all the DNS requests arriving to the
cluster public IPs from the outside and everything appears accepted.

I'm sure many of you are wondering if I got fw monitor captures to see what
exactly happens after the cluster accepts the incoming requests... well, I
did get fw monitor and tcpdump captures but it is a real pain to find a way
to get those out of the firewall module locally on my customer's network and
by the time I got them it was already 4am, so I uploaded those directly to
Check Point Support's FTP, who asked for them, and I'm waiting for the
customer to upload them to an FTP I just brought up, so I can check them
out, but in the meantime I wanted to know if any of you guys have seen
anything like this before.

Thanks in advance for any help you could provide.

Regards

-- 
Sergio Alvarez
+(506)88301342



Re: [FW-1] SPLAT log

2009-04-15 Thread Sergio Alvarez
If you use the df command to check how much disk space is available, look
for the /var partition; that is where the logs are stored and it is the only
partition that should experience real changes in space usage.

On Wed, Apr 8, 2009 at 9:05 AM, pkc_mls pkc_...@yahoo.fr wrote:

 Sam Ghannadi a écrit :

 Hi guys,
 Could someone please tell me how to Check the Disk space, get to log and
 delete old log from R60 SPLAT Standalone firewall.
 Thanks,
 Sam


 There are some options to automatically rotate logs periodically.
 Regarding the disk space check, there are various options : smartview
 monitor, snmp, etc.

 Rather than deleting them, I suggest moving the old logs periodically to a server
 or backup media.
 I don't know if you have a policy regarding the firewall logs retention,
 but if it's not the case, it's time to define one.







-- 
Sergio Alvarez
+(506)88301342


