Re: [FW-1] Trouble in communication on port 18182

2005-12-19 Thread Ramki Security
Try using no authentication (if not already done).  That is old version 
compatibility.

RK


Serwatko Pawel wrote:


Hi everybody
I have big trouble with my firewall. I have a web filter working as a UFP
security server. It worked for about a year without any trouble.
Suddenly I noticed that communication between the management station and
the webfilter station was gone. I tried to repair this. I even reinstalled
the webfilter machine from the beginning. Then I tried to configure another
webfilter which uses the same method to communicate with Checkpoint FW
(UFP server). Communication on the AMON port is working in the case of both
web filters. But when I try to get the dictionary (download web categories to
smartdashboard on the management station) on port fw_ufp (TCP 18182) I have
trouble. The Get dictionaries window turns up and that's all. I
checked the rules on the firewall; communication on this port was set. I had
the webfilter server in the DMZ zone and it didn't work, so I moved this server
to the LAN network and it's still not working. I installed a sniffer on
the webfilter server and tried to track the packets. It was a surprise for me
that no packet from the fw management station got to the webfilter. I
don't know what to do with it. Can anybody help with how to restore
communication on TCP port 18182?
Of course I tried to change the port to another and it is also not
working.

Thanks for any help.

Pawel
[EMAIL PROTECTED]

=
To set vacation, Out-Of-Office, or away messages,
send an email to [EMAIL PROTECTED]
in the BODY of the email add:
set fw-1-mailinglist nomail
=
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=
If you have any questions on how to change your
subscription options, email
[EMAIL PROTECTED]
=

 





Re: [FW-1] Unable to connect - SecureClient on XP SP2

2005-12-20 Thread Ramki Security
We are using NGX Client on XP SP2 with firewall on without any issues.  
Have you tried in another machine?



Tom Brown wrote:



I have installed NGX SecureClient (598000191_1) on my laptop (XP SP2) - so
far so good. When I try and create a new site, I give it the IP address,
click Next and I go straight to the Select Connectivity Settings screen,
bypassing the Authentication screen altogether (so I can't select my
certificate). If I click Next again, I get the Connecting screen with the
blue bars marching across - but it never seems to time out. I've had the
problem once or twice in the past, and uninstalling then reinstalling
SecureClient usually fixes it, but this time it simply won't behave. I
haven't found anything sensible on the Checkpoint KB on this either.
===
 

firewall on SP2 blocking it? I had a similar thing using Symantec as 
the personal firewall was messing with things




Re: [FW-1] Backup rules - Fix for enter issue on 'upgrade export'

2006-01-01 Thread Ramki Security
I have a related question.  When doing upgrade_export in a script 
through cron, I get an error FWDIR env variable not set.  But I have 
given FWDIR=/opt/cpfw1-r55.  Is there any mistake done here?  echo 
$FWDIR on the command prompt returns the same.  Upgrade export works from 
the command line and this is a Solaris 9 machine.  Thanks for the help 
in advance.

RK


Tahir Khan wrote:


upgrade_export requires an enter key to be pressed. The following
command will work:

echo | upgrade_export FILENAME

Tahir



Re: [FW-1] Cannot see the ipsec peer to set preshared key

2006-01-06 Thread Ramki Security
Choosing the topology depends on what kind of requirement you have.  If 
you just have to communicate with your network and the colleague's 
network, star topology is the right choice.  If you have more than two 
gateways and all the gateways have to communicate with each other, then 
you should go for mesh topology.


Thanks
Ramki

Tauseef Khan wrote:

Can I choose mesh topology or do I have to use star topology in this
scenario?
Kind regards
Tauseef

-Original Message-
From: Mailing list for discussion of Firewall-1
[mailto:[EMAIL PROTECTED] On Behalf Of
Priyakant Taneja
Sent: 06 January 2006 10:34
To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
Subject: Re: [FW-1] Cannot see the ipsec peer to set preshared key


Hi Tauseef,

He will have to add your checkpoint as externally managed gateway and
have to define vpn domain in topology of that. Then he will have to add
both the gateways ( his own and yours) in vpn community. After that he
will be able to define preshared keys and other vpn parameters.

Try and let us know..

Regards

Priyakant

-Original Message-
From: Mailing list for discussion of Firewall-1
[mailto:[EMAIL PROTECTED] On Behalf Of Tauseef
Khan
Sent: Friday, January 06, 2006 3:48 PM
To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
Subject: [FW-1] Cannot see the ipsec peer to set preshared key

Good morning/evening Gurus

I am setting up a vpn in traditional mode.  Both the peers are running
checkpoint.  I set up the community on my side having both the peers and
went to VPN properties to set the preshared keys.  I can see my peer in
the list of preshared keys but my colleague in the US cannot see his peer
in the list to set the preshared key.
Help would be appreciated.

Kind regards



*
For addressee only. No legally binding commitments will be created by
this e-mail message. Where we intend to create legally binding
commitments these will be made through hard copy correspondence or
documents.

3i Investments plc
Registered office: 91 Waterloo Road
 London SE1 8XP
Registered no:3975789
Authorised and Regulated by the Financial Services Authority

If you are not the intended recipient it may be unlawful for you to
read, copy, distribute, disclose or otherwise use the information in
this e-mail. If you are not the intended recipient please contact us
immediately. E-mail may be susceptible to data corruption, interception
and unauthorised amendment, and we do not accept liability for any such
corruption, interception or amendment or the consequences thereof.

3i is committed to following policies which protect your privacy and
comply with current international data protection laws and regulations
in respect of personal data. Further details of these policies can be
found at www.3i.com.
*



DISCLAIMER:

--

This e-mail contains confidential and/or privileged information. If you
are not the intended recipient (or have received this e-mail in
error)please notify the sender immediately and destroy this e-mail. Any
unauthorized copying, disclosure, use or distribution of the material in
this e-mail is strictly forbidden.

---



Re: [FW-1] NGX ClusterXl office mode

2006-01-06 Thread Ramki Security
Since the return packet from the host is sent back to the office mode 
ip, I have a few questions.


1. Are you seeing the packets reach the firewall?
2. Are you able to ping the officemode ip from inside the firewall machine?
4. When you try connecting from the internal network to the om ip, is 
the traffic getting encrypted by the firewall?


Thanks
Ramki

Thorsten Heyming wrote:

Hi,

I have some trouble setting up office mode in NGX Cluster Xl.

The connection succeeds and the client gets the office mode ip from the
defined pool. (different pool on each cluster member)

A connection to a host inside doesn't succeed (ping or telnet).
The log shows the packet being decrypted. A network monitor shows the
packet arriving at the host and the reply packet being sent back to the
office mode ip.

The office mode pool is different from my inside address space and
routed towards the firewall.
The office mode pool is not part of the encryption domain.

Secure Client connections without office mode enabled work fine.


Any help would be appreciated.


Regards
Thorsten



Re: [FW-1] PLEASE READ: CHECKPOINT TECHNICAL SUPPORT SUCKS

2006-01-06 Thread Ramki Security
It's true.  Although I had many good experiences with CP Support, I had 
that many bad experiences too.

RK


Dahate, Pramod wrote:
 
I am in total agreement. I had an issue while applying HFA 16 on
Checkpoint R55 NG AI on Nokia and they wanted me to rebuild the
firewalls. Till date no solution but insist on closing the case and
then reopening at later date. And the people r downright RUDE. That way
the support at Juniper is excellent

Pramod Dahate(MCSE,CCNA,CCSA,CISSP)
Security Analyst
Network Management Centre

Getronics Australia Pty Limited

-Original Message-
From: Mailing list for discussion of Firewall-1
[mailto:[EMAIL PROTECTED] On Behalf Of Matthew
Austin
Sent: Saturday, 7 January 2006 12:06
To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
Subject: Re: [FW-1] PLEASE READ: CHECKPOINT TECHNICAL SUPPORT SUCKS

If I can suggest anything for you, use the Nokia  support, they are
excellent, and have never posed a problem support  wise for my
organization. Checkpoint support is notorious for being BAD!

cisco4ng [EMAIL PROTECTED] wrote:

I sincerely hope someone from checkpoint management read this forum.

I opened a TAC case with checkpoint regarding a Provider-1 issue and
RSA issue. Nobody from Checkpoint contacted me after two days of opening
the TAC case. When I called checkpoint TAC regarding the case, they put
me on hold for over 2 hours and I finally hung up out of frustration.

This is not the first time this has happened to me regarding checkpoint
TAC support.  About 99% of the time, the solution they gave me has been
absolutely useless.  Furthermore, because we run provider-1 on sun
solaris platform, these checkpoint bastards blames it on Sun solaris and
refused to help us.

We are also a cisco shop and we never have problems with Cisco TAC
support since we are an MSP.  Cisco TAC engineers are on-site once a
week to help us troubleshoot problem and when we have a problem, we can
get them in less than 5 minutes.

Checkpoint has been pushing us to upgrade our current support to diamond
level.  I am going to tell my management to tell checkpoint to go to
hell.  I am going to do my best to convince my management to gradually
migrate all our existing customers from Nokia/Checkpoint to Pix
firewalls.

cisco4ng


  


Re: [FW-1] AW: [FW-1] NGX ClusterXl office mode

2006-01-06 Thread Ramki Security
Since the traffic is getting encrypted it looks like the configuration at 
the firewall is fine.  I am thinking the problem might be at the client 
side.  Are you using desktop policy for the secureclient or any other 
firewall at the client side?  You may want to check the logs at the 
client side if the traffic is getting blocked.  You can also try 
traceroute to see where the traffic is getting blocked.


Regds...Ramki

Thorsten Heyming wrote:

Hi,

thanks for your answer.

Regarding your questions:

I am quite sure the packets reach the firewall although I did not use fw
monitor to ensure this.
But when I try to connect from the internal network I see the packets
being encrypted and the vpn peer gateway is correct.


From the firewall itself I can't ping the office mode IP.



Thorsten



From: Mailing list for discussion of Firewall-1 [mailto:FW-1-
[EMAIL PROTECTED] On Behalf Of Ramki Security
Sent: Friday, 6 January 2006 13:25
To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
Subject: Re: [FW-1] NGX ClusterXl office mode

Since the return packet from the host is sent back to the office mode
ip, I have a few questions.

1. Are you seeing the packets reach the firewall?
2. Are you able to ping the officemode ip from inside the firewall
machine?
4. When you try connecting from the internal network to the om ip, is
the traffic getting encrypted by the firewall?

Thanks
Ramki

Thorsten Heyming wrote:


Hi,

I have some trouble setting up office mode in NGX Cluster Xl.

The connection succeeds and the client gets the office mode ip from the
defined pool. (different pool on each cluster member)

A connection to a host inside doesn't succeed (ping or telnet).
The log shows the packet being decrypted. A network monitor shows the
packet arriving at the host and the reply packet being sent back to the
office mode ip.

The office mode pool is different from my inside address space and
routed towards the firewall.
The office mode pool is not part of the encryption domain.

Secure Client connections without office mode enabled work fine.


Any help would be appreciated.


Regards
Thorsten



Re: [FW-1] SMTP Forwarding

2006-01-08 Thread Ramki Security
I would like to point out that keeping firewall-1 out of smtp routing 
will avoid a lot of trouble and performance issues...

Ramki


Reinhard Stich wrote:

hi,

if you have private IPs in your DMZ-network you can change the NAT for 
the IP of MX.yourdomain.com to the mail-router (and back if your 
anti-spam gw is up again).


cheers
reinhard

At 14:03 08.01.2006, you wrote:

My current setup for email is a Lotus Domino server sitting on the DMZ
and a Lotus Domino server on the network.  The server in the DMZ is
setup with a static NAT with a public IP address and the MX record
points to it and it routes mail into the network.  I'm adding a spam
firewall to the mix so I'm trying to determine the best route to take to
add this with redundancy in mind.

One way is to setup the spam firewall in the DMZ the same as the email
server and change the MX record to point to it and have it route to the
email server.  The problem here is if the spam firewall goes down I can't
reroute the SMTP traffic to the email server to bypass the spam firewall
until it is back online unless I change the MX record.

I'm no expert with Firewall-1 but I'm thinking I should point the MX
record to the firewall external interface and have it forward SMTP
traffic to the spam firewall and then have it route to the email server.
If the spam firewall goes down I can change the forwarding to the email
server instead of the spam firewall until it is back online.  The little
research I have done so far looks like I would just setup a SMTP
resource to do what I would like to do and let the firewall do the
routing.

John



Re: [FW-1] Prevent current policies being loaded on next boot

2006-01-10 Thread Ramki Security

Hi Alex,

If you have made the changes in the object and pushed the policy to the 
enforcement module, the next time it will load the new policy only even 
though you don't have the management server around.  Only thing you need 
to take care is the os config for network and routing tables.  That 
depends on the kind of OS you are using.


Ramki

Alexander Simbun wrote:

Dear Techie,

How to prevent the current policies being loaded during the next boot? I 
reconfigured the enforcement server with a new network settings and I 
had moved it to another new network. I would like the old local policies 
are not loaded when the server reboot as usual. Please advise. Thanks.


Regards,
Alex



Re: [FW-1] Retain check point firewall software after network settings are changed.

2006-01-11 Thread Ramki Security
As long as you configure your OS settings and reconfigure the 
smartdashboard objects and push the policy, you should be good to go. 
Maybe you will need to re-establish the SIC if required.


Regards
Ramki

Alexander Simbun wrote:

Hi all,

What should I do if I re-configured my existing firewall using different 
network settings and replaced the existing QuadCard with a new GigaSwift 
QuadCard? Do I need to uninstall the check point firewall and re-install 
it from scratch? I want to retain the firewall even after the network 
settings are different including using a new QuadCard.


Regards,
Alex




Re: [FW-1] FW-1-MAILINGLIST Digest - 6 Jan 2006 to 7 Jan 2006 (#2006-7)

2006-01-11 Thread Ramki Security
And you need to move all the licenses to the new smartcenter IP 
address...Ramki


no-need to-list wrote:

Thanks for letting the Mailing list know...
 that you have Blackberry Wireless Handheld device

Cooper, Colin [EMAIL PROTECTED] wrote: --
Sent from my BlackBerry Wireless Handheld


-Original Message-
From: FW-1-MAILINGLIST automatic digest system 

To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM 
Sent: Sun Jan 08 08:00:01 2006

Subject: FW-1-MAILINGLIST Digest - 6 Jan 2006 to 7 Jan 2006 (#2006-7)

There are 7 messages totalling 860 lines in this issue.

Topics of the day:

  1. Cannot connect with SecuRemote (SR)
  2. Backup rules (2)
  3. Please help :TCP packet out of state for FTP ACCESS
  4. PLEASE READ: CHECKPOINT TECHNICAL SUPPORT SUCKS (2)
  5. Vendors -- a good one for me.


--

Date:Sat, 7 Jan 2006 19:12:34 +0530
From:Vadiraj_Joshi 
Subject: Re: Cannot connect with SecuRemote (SR)


SR doesn't do the Automatic MTU discovery, I have seen users getting 
authenticated but unable to update nor access the resources using the SR when 
on Broadband or PPPoE. Setting the MTU on the local machine to 1320 has solved 
the problems most of the time for me. One can use a utility available in SR 
installation  .../bin Folder  MTUAdjust.exe to change the MTU.

Thanks
 
Vadiraj 


-Original Message-
From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED] On 
Behalf Of Lino Eduardo Avila Rodríguez
Sent: Tuesday, January 03, 2006 4:52 AM
To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
Subject: Re: [FW-1] Cannot connect with SecuRemote (SR)

You can try using srfw monitor 


It is located in the bin directory of your securemote installation. Maybe
you can debug your problem with the client.


Best Regards,



Lino E. Avila

-Original Message-
From: Mailing list for discussion of Firewall-1
[mailto:[EMAIL PROTECTED] On Behalf Of Ray
Sent: Friday, 30 December 2005 09:16 p.m.
To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
Subject: Re: [FW-1] Cannot connect with SecuRemote (SR)



Nevertheless, I still have a select few users that cannot connect to the
server.  The errors are Update failed or if creating a new site, they get
timeouts.  Strangely in the logs, I don't see any activity of the attempt
to connect which leads me to believe something is blocking it on their
site or somewhere in the middle.



If you're using Implied Rules to accept the remote access connections, make 
sure you're logging the Implied Rules. I think it's off by default.




One particular user has both cable and DSL
connections and could not connect while on DSL.  Switching to cable did the
trick.  Now that the site has been created, he can successfully reconnect
over DSL.  Unfortunately most of my users have only a single broadband
connection.



This is almost always a MTU problem. ADSL using PPPoE adds eight bytes to 
the packet, pushing it over the 1,500 byte limit and causing fragmentation. 
I don't know if SR does automatic MTU adjustment, but SC does.


I've also seen this exact problem caused by junk home routers. Junk as 
spelled DLink. They could hook their computer directly to the Internet 
modem, create the site and then go back behind the router and all would be 
well.


Is your firewall object specified with the internal interface or the 
external interface IP address? It really needs to be the external IP 
address.


You don't happen to have SC, do you? Visitor Mode, which tunnels all of the 
IPSec protocols over TCP 443, is a real life-saver in situations like this. 
We've had many a hotel where they block all outbound traffic except 80 & 443
where Visitor Mode saved the day.

Another fix, if they are semi-technically inclined and have admin access, is
to email them a copy of the userc.C file from a computer that works. They 
will need to stop both CheckPoint services, save the file in the correct 
folder to overwrite the existing one and re-start the services. If you do 
this while the services are running, it won't work. I've used this procedure
on a few computers that were behind junk routers but we could not risk 
exposing them to the Internet.


Ray
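
The MTU arithmetic behind the two posts above (PPPoE's eight bytes and the 1320 workaround), as an added example that is not part of the original thread. The ESP tunnel-mode framing, the cipher parameters and the optional UDP encapsulation are generic IPsec assumptions, not SecuRemote's confirmed wire format.

```python
"""Size of an IPsec ESP tunnel-mode packet versus a PPPoE path MTU.

Constructed example: the framing below is generic ESP tunnel mode with
assumed ciphers, not a description of what SecuRemote actually sends.
"""

ETHERNET_MTU = 1500
PPPOE_OVERHEAD = 8                          # the eight bytes mentioned in the thread
PPPOE_MTU = ETHERNET_MTU - PPPOE_OVERHEAD   # 1492 bytes left for IP

OUTER_IP = 20       # new IPv4 header added by tunnel mode
UDP_ENCAP = 8       # UDP header when ESP is UDP-encapsulated (NAT traversal)
ESP_HEADER = 8      # SPI (4) + sequence number (4)
ESP_TRAILER = 2     # pad-length byte + next-header byte, encrypted with payload
ICV = 12            # truncated HMAC (e.g. HMAC-SHA1-96), assumed

# cipher name -> (block size, IV size) in bytes; assumed choices
CIPHERS = {"3des-cbc": (8, 8), "aes-cbc": (16, 16)}


def fixed_overhead(cipher, udp_encap):
    """Bytes added regardless of payload length."""
    _, iv = CIPHERS[cipher]
    return OUTER_IP + (UDP_ENCAP if udp_encap else 0) + ESP_HEADER + iv + ICV


def esp_tunnel_size(inner_len, cipher="aes-cbc", udp_encap=False):
    """On-the-wire IP packet size after encapsulating an inner IP packet."""
    block, _ = CIPHERS[cipher]
    # Payload plus trailer is padded up to a whole number of cipher blocks.
    padded = -(-(inner_len + ESP_TRAILER) // block) * block
    return fixed_overhead(cipher, udp_encap) + padded


def max_inner_mtu(path_mtu, cipher="aes-cbc", udp_encap=False):
    """Largest inner packet that still fits path_mtu without fragmentation."""
    block, _ = CIPHERS[cipher]
    room = (path_mtu - fixed_overhead(cipher, udp_encap)) // block * block
    if room < block:
        raise ValueError("path MTU too small for this encapsulation")
    return room - ESP_TRAILER


def report(client_mtus=(1500, 1320), path_mtu=PPPOE_MTU):
    """Return one row per (client MTU, cipher, encapsulation) combination."""
    rows = []
    for mtu in client_mtus:
        for cipher in sorted(CIPHERS):
            for udp in (False, True):
                size = esp_tunnel_size(mtu, cipher, udp)
                rows.append((mtu, cipher, udp, size, size > path_mtu))
    return rows


if __name__ == "__main__":
    print(f"path MTU over PPPoE: {PPPOE_MTU}")
    for mtu, cipher, udp, size, frag in report():
        verdict = "FRAGMENTS" if frag else "fits"
        print(f"client MTU {mtu:4d}  {cipher:8s}  udp={udp!s:5s}  "
              f"wire size {size:4d}  {verdict}")
    for cipher in sorted(CIPHERS):
        for udp in (False, True):
            print(f"largest safe client MTU ({cipher}, udp={udp}): "
                  f"{max_inner_mtu(PPPOE_MTU, cipher, udp)}")
```

Under these assumptions a full 1500-byte client packet always exceeds the 1492-byte PPPoE path once encapsulated, while 1320 leaves more than 100 bytes of headroom in every combination.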


Re: [FW-1] Change of IP for remote VPN

2006-01-13 Thread Ramki Security
You can use vpn tu to reset any particular SPI or remote peer.  I 
think the option is 6 for this.

Ramki


Tom Brown wrote:

Hi

The firewall we connect to at the other end of a VPN has changed IP - It 
appears from our logs that our firewall still thinks the other firewall 
is on the original IP - Is there any way to flush the state or something 
without upsetting other tunnels?


This is on SPLAT AI R55

thanks



Re: [FW-1] Gurus in this list. Please help

2006-01-15 Thread Ramki Security
Did you try putting the internal IP addresses in those machines' local 
host table?  This should bypass the DNS server and resolve the FQDN 
locally to the private IP address.

Ramki


cisco4ng wrote:

Hi Gurus,
   
Please advise with the following scenario:

Checkpoint Secureplatform NG with AI R55w and the latest HFA_04.
This firewall has 3 interfaces, Internet, Internal and Dmz.

I have a host in my Internal network with an IP address of 192.168.1.10.
This host is static NAT to the Internet with an IP address
of 129.174.1.8.

I have a host on the Dmz network work with an IP address
of 192.168.2.50.  This host is static NAT to the Internet with an
IP address of 129.174.1.13.

The DNS server is being hosted by my ISP.  The host 129.174.1.8 has
a Fully Qualified Domain Name (FQDN) of db1.newco.com and the host
129.174.1.13 has an FQDN of crm.newco.com.

Back to my network, the host 192.168.1.10 and the host 192.168.2.50
communicates with each other with the real address and everything is
working fine via IP address.

Here is my problem:

The customer just recently migrated from a Cisco Pix to Checkpoint
Firewall.  The customer has a proprietary application installed on
both host 192.168.1.10 and host 192.168.2.50.  This application
communicates between host 192.168.1.10 and host 192.168.2.50 via
Fully Qualified Domain Name (FQDN).  It means that the application is
embedded with the FQDN of db.newco.com and crm.newco.com in the
application itself.  To make the matter worse, it looks up the name
via DNS.  As you can see, it causes the problem because two hosts
behind the firewall trying communicate with each other via public
addresses.

With Cisco pix firewall, there is a feature called DNS doctoring.
For example, when host 192.168.1.10 communicates with crm.newco.com,
it goes to the DNS server, which sits outside the firewall, and get
a resolution of 129.174.1.13.  Before, the reply comes back to host
192.168.1.10, the Pix firewall modifies the dns query and replaces
129.174.1.13 with 192.168.2.50.

Is there something similar that can be done with Checkpoint as well?

Right now, the workaround for me is to put up an Internal DNS server
and have host 192.168.1.10 and host 192.168.2.50 use that Internal
DNS Server.  But the customer wants to use the Internal DNS server
for some other functions.

Please help.  TIA
   
  cisco4ng
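The address rewrite described in the post above, modelled at the DNS wire-format level. This is an added example, not part of the original thread and not PIX or Check Point code; the NAT pairs are the ones given in the post, while the function names and the sample response are constructed for illustration.

```python
import socket
import struct

# Static NAT pairs from the post: public address -> real (private) address.
STATIC_NAT = {
    "129.174.1.8": "192.168.1.10",    # db1.newco.com
    "129.174.1.13": "192.168.2.50",   # crm.newco.com
}

TYPE_A, CLASS_IN = 1, 1


def encode_name(name):
    """Encode a host name as uncompressed DNS labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_a_response(name, ip, txid=0x1234):
    """Constructed sample: a DNS response with one question and one A record."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", TYPE_A, CLASS_IN)
    # The answer's owner name is a compression pointer to offset 12,
    # where the question name starts.
    answer = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, CLASS_IN, 300, 4)
    return header + question + answer + socket.inet_aton(ip)


def skip_name(msg, off):
    """Return the offset just past the name that starts at off."""
    while True:
        if off >= len(msg):
            raise ValueError("truncated name")
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:   # compression pointer: 2 bytes, ends the name
            return off + 2
        if length & 0xC0:
            raise ValueError("unsupported label type")
        off += 1 + length


def doctor_response(msg, nat_table):
    """Rewrite answer-section A records whose address is a key of nat_table.

    Returns (rewritten_message, [(public, private), ...]).
    """
    if len(msg) < 12:
        raise ValueError("truncated header")
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    out = bytearray(msg)
    off = 12
    for _ in range(qdcount):
        off = skip_name(msg, off) + 4            # skip QTYPE and QCLASS
    rewrites = []
    for _ in range(ancount):
        off = skip_name(msg, off)
        if off + 10 > len(msg):
            raise ValueError("truncated record header")
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if off + rdlen > len(msg):
            raise ValueError("truncated record data")
        if rtype == TYPE_A and rclass == CLASS_IN and rdlen == 4:
            public = socket.inet_ntoa(msg[off:off + 4])
            private = nat_table.get(public)
            if private is not None:
                # Same length in and out, so no other field needs adjusting.
                out[off:off + 4] = socket.inet_aton(private)
                rewrites.append((public, private))
        off += rdlen
    return bytes(out), rewrites


if __name__ == "__main__":
    reply = build_a_response("crm.newco.com", "129.174.1.13")
    doctored, changed = doctor_response(reply, STATIC_NAT)
    for public, private in changed:
        print(f"A record {public} rewritten to {private}")
```

Because an IPv4 address is replaced by another IPv4 address, the message length and all offsets stay the same; only the four RDATA bytes change.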





Re: [FW-1] Two IP Ranges

2006-01-17 Thread Ramki Security

Hi Saludos,

You don't have to assign a secondary IP address.  As long as your ISP 
router is forwarding the traffic for that IP range to your firewall, you 
can go ahead and implement static NAT (or Hide NAT) with the new IP 
range and it does work.


Regards...Ramki

Alvaro Gastambide wrote:

Hi,
I have a Check Point R55, and I have used all IPs provided by my ISP. So 
my ISP gave me another IP range.


To be able to use static NAT with the second range, I have to put the public IP 
that I use in static NAT as a secondary IP of the internet interface of 
the Check Point.


Is it the correct way to use a secondary range ? Thanks.



Saludos,

Alvaro Gastambide - CCSA - MCSA
Security Advisor
www.sadvisor.com



Re: [FW-1] Secondary firewall shows unknown status in SmartViewStatus

2006-01-17 Thread Ramki Security
Sometimes you may be unable to contact the cluster member if you 
configure the external IP in the member object.  Try using the internal 
IP if the SmartCenter server is inside your network.

Ramki


David DeSimone wrote:

Alexander Simbun [EMAIL PROTECTED] wrote:

I have not yet re-established the SIC.  To do so, I have to detach the
cluster member and re-initialize it again.  Meanwhile, I'm also unable
to ping the physical IP of the cluster's member.


It is often the case that when you create a cluster, only the current
cluster master can receive traffic.  This is due to some settings on the
cluster gateway object.  Under 3rd Party Config you will find some
options:  Hide Cluster Member's outgoing traffic behind Cluster IP, and
Forward Cluster incoming traffic to Cluster Member IP.

I turn both of these options off.  When they are on, the secondary
member will try to send out NTP or DNS requests, and they get NAT'd
behind the cluster IP, then when the replies come in, they are directed
to the primary member, which doesn't understand why it is receiving such
traffic.  The traffic never reaches the secondary member that initiated
the traffic.

By turning these off, the traffic can reach the particular cluster
member that originated the traffic.





Re: [FW-1] Urgent please help. VPN issue

2006-01-19 Thread Ramki Security
My experience is that simplified mode relates more to checkpoint at the 
other end.  Traditional mode config is used with other vendors.  It is 
ideal that we set both similarly and also matching the other end 
configuration.

Ramki


cisco4ng wrote:

Hi everyone,
   
  I guess I should have elaborated a little more in the previous thread.

  I know how to do that in traditional mode.  However, according to both
  Nokia and checkpoint documentation, whatever changes are being made
  in traditional has NO effects in Simplified mode, especially simplified
  VPN configuration (vpn community).  Furthermore, according to Nokia,
  changes made in the traditional mode tab is NOT supported if the vpn
  is configured in simplified mode.
   
  I guess bottom line is that it is not supported in simplified mode.  Thanks again 
  everyone.
   
  cisco4ng


Christopher Hoff [EMAIL PROTECTED] wrote:
  You can change the settings on a per node gateway by editing the
traditional mode settings and going to the advanced settings.

Thank you,


Christopher Hoff
-Original Message-
From: Mailing list for discussion of Firewall-1
[mailto:[EMAIL PROTECTED] On Behalf Of Crist
Clark
Sent: Wednesday, January 18, 2006 4:45 PM
To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
Subject: Re: [FW-1] Urgent please help. VPN issue

cisco4ng wrote:

Hi gurus,

Please help me with this problem.

I am setting a site-to-site vpn between a Checkpoint NG firewall and
a Cisco IOS device.

The dude on the Cisco side keeps insisting that the IPSec phase II
key re-negotiation be data-limit instead of timeout limit. I know how
to do that on Cisco device.

For example:

set security-association lifetime kilobytes 57193933

How can I achieve this in Checkpoint? In Checkpoint Simplified mode,
I can only specify the timeout setting for IPSec phase II.


FWIW, specifying the lifetime in time or byte count or both at once all
MUST be supported according to the standard.

Going straight to the Checkpoint database, I see the following,

:isakmp.phase2_rekeying_kbytes (5)
:isakmp.phase2_rekeying_time (3600)
:isakmp.phase2_use_rekeying_kbytes (false)

As attributes of IPsec endpoints. Names seem self explanatory. Can't
say if they actually work. Dunno how to access them through the
Dashboard or whatever they're calling it for now. You may need to
edit the database with DBedit or the ol' 'vi objects_5_0.C'.




Re: [FW-1] Performance Pack and SPLAT

2006-01-21 Thread Ramki Security
Performance Pack (Secure XL) is a software pack which provides multi cpu 
support and performance improvements to encryption, NAT and many other 
operations.  This is an additional license above your normal gateway 
license.


It is not mandatory to install, unless you need the additional CPU 
support and other performance improvements which it provides.  I know 
you cannot use Floodgate with Performance Pack, and there are other 
dependencies for which you may have to refer to the Performance Pack guide.


The license is included with NGX unless you already have a ppk license 
which you upgraded to NGX.  But the software is available as part of NGX 
when you install.


Smartdefense software is included in NGX (and some older versions too).  
What you need to buy is the subscription which provides regular 
updates for current threats.  When you install, there will be the basic 
configuration which comes with the product.


Smartview monitor is a licensed product which you need to purchase 
separately.  As usual the software is part of the NGX CD.


Regards,
Ramki

Sam Ghannadi wrote:

What is Performance Pack (SPLAT NGX)?
Does Performance pack need to be installed on SPLAT
(NGX)?
what is included in NGX?
is Smart Defense or Smart View Monitor included in
NGX?
thanks
Sam





Re: [FW-1] cp express license upgrade question

2006-01-21 Thread Ramki Security
If you asked for an upgrade quote from checkpoint, it is kind of a 
trade-in.  You have to remove the 100 ip license after putting in the 
500 ip license.


Regards,
Ramki

Tim Pearson wrote:

Sorry for the simple question.  I have a CP express that came with the 100
licensed ip's our environment grew past that and I bought the upgrade to
500.  Once I add the 500 ip license, do I remove the original 100?

 


Thanks

Tim




Re: [FW-1] Secure Client question

2006-01-29 Thread Ramki Security
Just a related question: what kind of hardware is required for an 
E-Token?  Is this some special hardware?

Ramki


fwguru wrote:

Marius,

Import the .p12 file and don't select the enable strong option.  You will
not be asked for a pass.  SecureClient will have the password field
blanked-out.  You should not need the cert pass.  I don't recommend doing
that, as probably many on this list would too.  I would always get the cert
and private off of the machine and onto an E-Token.

After importing the cert, you can have the private stored onto an E-Token
instead of the CAPI store.  I use E-Token every day with certs.  Works great
with SecureClient and SSL Network Extender.  You could even log onto a
Windows network with it using a cert or an extremely long, randomly
generated password that you don't need to know what it is.

The cert can be stolen even if not marked as exportable if the .p12 file is
still on the disk.  ;)


Neil Delacruz



On 1/18/06, Ray [EMAIL PROTECTED] wrote:

And as secure as the Windows logon password is.

Ray



From: Janis Myers [EMAIL PROTECTED]
Reply-To: Mailing list for discussion of Firewall-1
FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
Subject: Re: [FW-1] Secure Client question
Date: Wed, 18 Jan 2006 07:54:55 -0800

Sure you can! Under Windows double-click the
certificate file (*.p12 file) and import it to your
Certificate Store (MyStore) of Windows XP for example.
During this procedure you have to specify your
certificate password/pin.

Then you can use the SecureClient with this
certificate for authentication. You are able to find
your Certificate in the pull down list of the
SecureClient. You can use it without putting in the
password again. The MyStore from Windows XP is secure
(as secure as MS$ is).

HTH

Regards,
Janis



Re: [FW-1] Secure Client question

2006-01-29 Thread Ramki Security

Thanks...Ramki

fwguru wrote:

Ramki,

Etoken is a hardware authenticator that connects to your USB port.  Used for
authenticating to just about anything.

http://www.aladdin.com/etoken/default.asp


Neil Delacruz



On 1/29/06, Ramki Security [EMAIL PROTECTED] wrote:

Just a related question: what kind of hardware is required for an
E-Token?  Is this some special hardware?

Ramki

fwguru wrote:

Marius,

Import the .p12 file and don't select the enable strong option.  You will
not be asked for a pass.  SecureClient will have the password field
blanked-out.  You should not need the cert pass.  I don't recommend doing
that, as probably many on this list would too.  I would always get the cert
and private off of the machine and onto an E-Token.

After importing the cert, you can have the private stored onto an E-Token
instead of the CAPI store.  I use E-Token every day with certs.  Works great
with SecureClient and SSL Network Extender.  You could even log onto a
Windows network with it using a cert or an extremely long, randomly
generated password that you don't need to know what it is.

The cert can be stolen even if not marked as exportable if the .p12 file is
still on the disk.  ;)


Neil Delacruz



On 1/18/06, Ray [EMAIL PROTECTED] wrote:

And as secure as the Windows logon password is.

Ray



From: Janis Myers [EMAIL PROTECTED]
Reply-To: Mailing list for discussion of Firewall-1
FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
Subject: Re: [FW-1] Secure Client question
Date: Wed, 18 Jan 2006 07:54:55 -0800

Sure you can! Under Windows double-click the
certificate file (*.p12 file) and import it to your
Certificate Store (MyStore) of Windows XP for example.
During this procedure you have to specify your
certificate password/pin.

Then you can use the SecureClient with this
certificate for authentication. You are able to find
your Certificate in the pull down list of the
SecureClient. You can use it without putting in the
password again. The MyStore from Windows XP is secure
(as secure as MS$ is).

HTH

Regards,
Janis


Re: [FW-1] firewall performance

2006-02-01 Thread Ramki Security
cpstat.  There are different options for that.  Just run cpstat and 
find the options.

Ramki


Lino Eduardo Avila Rodríguez wrote:
 


Hello Guys!

What commands should I issue in the firewall to check if the firewall is
performing ok?

Best regards,

Lino Avila

 





Re: [FW-1] Weird thing - Xtra space FW IP350

2006-02-02 Thread Ramki Security
Use fwm logswitch to switch the log to a new file and move/delete the 
old log file.

Ramki


Harold Rugama C wrote:

Hello Mr. Smaff,

Thank you for replying to my message; your comments give an idea how to
solve the inconvenience. I was surfing the file structure of my Nokia box to
try to free up some space in the hard drive with no luck. In Linux, if I want to
blank a log file, I simply use the following:
$ > logfile.log
And this creates a file with 0 bytes file size, ready to be used by the
daemon to continue logging events. But on the Nokia box, an error shows up,
expressing that the syntax isn't right, and it doesn't perform anything.

Any ideas or comments on how to do this?

Regards,

 -Original Message-
From:   Mailing list for discussion of Firewall-1
[mailto:[EMAIL PROTECTED]  On Behalf Of Andrew
Smaff Matthews
Sent:   Thursday, February 02, 2006 4:38 AM
To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
Subject:Re: [FW-1] Weird thing - Xtra space FW IP350

On Wed, Feb 01, 2006 at 06:03:46PM -0600, Harold Rugama C wrote:

Hi to All,

It's a pleasure to write to all of you for assistance. I've been checking
something strange with Nokia box, when I check the disk usage of the FW1,
something really strange happens. Below you will see the actual disk
utilization of my Nokia 350.
/dev/wd0d   14732935 14719891 -1165590   109%   567 3562951   0%   /var

As you may see, there is something not normal with the /var partition. Can
someone help me to find out what could be the problem???


It's just full... It's a UNIX thing rather than a Nokia thing. UNIX allocates
a certain amount of spare space on any partition purely for root (or admin
on the Nokia - uid 0 either way) processes. It's basically to prevent
non-administrative processes breaking the system by filling the disk to the
point that admin processes start failing because they can't write to various
files.

It'll almost certainly be your firewall logs. If you're using NG, you can
set the log cycling periods, and maximum amount of logs it'll keep in the
gui. If it's an older version you'll need to set up a cron entry to do this.
There's various examples out there of such scripts.

Smaff

--
You happen to be here, now.
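The root-reserve arithmetic behind the negative Avail and the 109% Capacity in the thread above, as an added example that is not part of the original messages. It assumes the row is BSD `df -ik` output with the column order named in the comment (the post shows no header line), and the function names are made up for illustration.

```python
# Row from the post with its run-together columns separated, read as BSD
# "df -ik" output (assumed column order, the post shows no header line):
# Filesystem 1K-blocks Used Avail Capacity iused ifree %iused Mounted-on
DF_ROW = "/dev/wd0d 14732935 14719891 -1165590 109% 567 3562951 0% /var"


def parse_df_row(row):
    """Split one df row into the numeric fields the analysis needs."""
    fields = row.split()
    if len(fields) != 9:
        raise ValueError("expected 9 columns, got %d" % len(fields))
    return {
        "filesystem": fields[0],
        "total_kb": int(fields[1]),
        "used_kb": int(fields[2]),
        "avail_kb": int(fields[3]),
        "capacity_pct": int(fields[4].rstrip("%")),
        "mount": fields[8],
    }


def analyse_df_row(row):
    """Recover the root-only reserve from a df row and re-derive Capacity."""
    d = parse_df_row(row)
    # df reports Avail as (space non-root may use) - Used, so the space
    # non-root may use is Used + Avail.
    usable_kb = d["used_kb"] + d["avail_kb"]
    reserved_kb = d["total_kb"] - usable_kb
    return {
        "mount": d["mount"],
        "usable_kb": usable_kb,
        "reserved_kb": reserved_kb,
        "reserve_pct": round(100 * reserved_kb / d["total_kb"]),
        # Capacity is Used relative to the non-root space, so it passes
        # 100% as soon as root starts writing into the reserve.
        "capacity_pct": round(100 * d["used_kb"] / usable_kb),
        "into_reserve_kb": max(0, -d["avail_kb"]),
        "physically_free_kb": d["total_kb"] - d["used_kb"],
        "root_only": d["avail_kb"] <= 0,
    }


def kb_to_free(row, target_pct):
    """KB that must be removed for Capacity to drop to target_pct or below."""
    d = parse_df_row(row)
    usable_kb = d["used_kb"] + d["avail_kb"]
    target_used_kb = usable_kb * target_pct // 100
    return max(0, d["used_kb"] - target_used_kb)


if __name__ == "__main__":
    for key, value in analyse_df_row(DF_ROW).items():
        print("%-20s %s" % (key, value))
    print("free to reach 90%%:   %d KB" % kb_to_free(DF_ROW, 90))
```

The numbers are self-consistent: about 8% of the partition is held back for uid 0, root processes have already written roughly 1.1 GB into that reserve, and only about 13 MB is physically free.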



Re: [FW-1] R: [FW-1] License Question

2006-02-15 Thread Ramki Security
I believe the VFF license includes the VPN/Firewall license.  Please 
note that checkpoint doesn't have any separate license for VPN.  VPN and 
Firewall are the same product.


Thanks,
Ramki

Lorenzo wrote:

Shane
If you launch SmartUpdate and choose the Licenses tab, you should see the
details of installed license(s) and their use, else you can connect to the
User Center on CP's internet site

L.

-Original Message-
From: Mailing list for discussion of Firewall-1
[mailto:[EMAIL PROTECTED] On Behalf Of Shane
Presley
Sent: Tuesday, February 14, 2006 1:18
To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
Subject: [FW-1] License Question

Hello,

I have a firewall with this license...(key changed obviously)

10.1.1.1never   CPMP-VFF-25-NG CPVP-VSR-25-NG CPVP-VPS-1-NG
CK-123456789C12


Can someone help me dissect this license?

As best I can tell it's
CPMP-VFF-25-NG - SVN Foundation 25 node
CPVP-VSR-25-NG - Secure Remote 25 clients
CPVP-VPS-1-NG - Secure Client policy server?

Is one of those the firewall license?  Would this license allow for VPNs?

Thanks
Shane



[FW-1] upgrade_export fails

2006-02-15 Thread Ramki Security

Hi all,

When I do upgrade_export on R55 HFA16, it gives "failed to export".  No 
other specific messages.  Tried restarting the firewall and the machine.  
No luck.  Any ideas?


Thanks in advance.
Ramki



Re: [FW-1] CLearing VPN tunnel in ASF

2006-02-16 Thread Ramki Security
Try vpn tunnelutil.  You can clear all or specific tunnels using 
this.

Ramki


john maverick wrote:

HI all,

We have an ASF 6000 series cluster and a lot of site-to-site VPNs
used. Periodically we need to clear some of these tunnel SAs.
Could anyone point out how the same can be achieved in an ASF cluster for a
particular peer?


Any pointers would be appreciated

Thanks and regards



Re: [FW-1] CLearing VPN tunnel in ASF

2006-02-16 Thread Ramki Security

I have tried it on Unix. Not on ASF...Ramki

john maverick wrote:

Hi,

We have tried that. Have you ever tried the same in ASF? Did you see it
work?


On 2/17/06, Ramki Security [EMAIL PROTECTED] wrote:

Try vpn tunnelutil.  You can clear all or specific tunnels using
this.

Ramki

john maverick wrote:

Hi all,

We have an ASF 6000 series cluster and a lot of site-to-site VPNs
used. Periodically we need to clear some of these tunnel SAs.
Could anyone point out how the same can be achieved in an ASF cluster for a
particular peer?


Any pointers would be appreciated

Thanks and regards



Re: [FW-1] Route issue ... newbie alert

2006-02-20 Thread Ramki Security
Routing is totally handled by the underlying OS.  Can you provide more 
information on the kind of OS?  Looks like obviously a route 
configuration issue.  Check all the other interfaces/routes on the box 
to see if there are any issues there.


Ramki

MARTIN, SAM wrote:

All:
... maybe a mispost to the checkpoint list,  Idunno  ...
Checkpoint FW1 v4 (192.168.1.1) won't forward packets to an internal network, 
172.16.21.0
route add 172.16.21.0 mask 255.255.255.0 192.168.1.100
the gw of choice (192.168.1.100) is an hp9308m switch, altho' I don't see an 
issue here, since Ethereal shows 'ping 172.16.21.63' going out the public 
interface of the checkpoint box. Other routes on checkpoint to internal 
networks work fine.
route add 172.16.21.0 mask 255.255.255.0 192.168.1.100 works fine on my PC, 
192.168.1.222
Maybe this has nothing to do with checkpoint at all, any suggestions welcome
atb
S





Re: [FW-1] upgrade_checker_Solaris

2006-02-23 Thread Ramki Security

Look at the checkpoint upgrade guide document.

Ramki

libone mhlanga wrote:

Anyone know how to run this ? I have searched CP knowledge base to exhaustion ? 
...possibly the worst documenters in the ENTIRE world bar none ?





Re: [FW-1] New management console/server

2006-03-01 Thread Ramki Security

Hi,

Do you mean management console or management server?  Which version of 
checkpoint do you have?  If on NG, you can use the upgrade utility 
(upgrade_export) to export the configuration and import it on the new box.  
You can download the latest pack for your version of software from the 
checkpoint website.


I would not recommend XP Pro for smartcenter server.  Better get 
hardware that works with secureplatform and use it.  That would do a lot 
of good.


Regds,
Ramki

Stig Bull wrote:

I'm about to retire our old management console since it's an aging W2K
box, and I don't trust its single disk drive to last for too long. It's
also low on CPU, mem and disk space.

I'm setting up a new XP Pro in its place, same IP and same Windows name;
with NG AI console.

I haven't found too much 'solid' documentation about doing this, so how
exactly would I go on about it?
Use cp_merge for export and import, turn off the old server and put up
the new one and everything is okay, or do I have to delete the FW object
first and do several steps in addition?

--
 
Stig Bull

Networking and Systems Administrator
Hugin ASA
http://www.hugincorporate.com
Phone: +47 22 80 79 89 Mobile: +47 91 60 88 74 Fax: +47 22 80 79 79
- Your reputation connects through Hugin



Re: [FW-1] Cluster HFA17 node in Ready State

2006-03-02 Thread Ramki Security
Ready state seems to be a known state with checkpoint.  This happens 
when you do an upgrade on the cluster.  The behaviour will make the 
lowest version member be active and the highest version be in Ready 
state, thereby reducing inadvertent fail over to a gateway under upgrade.  
The checkpoint upgrade guide gives some details about this operation.  
Read the cluster upgrade portion of it.

Manual switching may work to a Ready member, but I am not sure about 
session fail over.  Refer to the guide for more details.


Thanks,
Ramki

Dave Row wrote:

I recently upgraded one node of an NG R55 (SPlat) cluster from HFA06 to
HFA17 (the active node is still HFA06).

The hotfix went well, but the node came up not in active or standby
mode, but Ready.  What does this mean?  Is the difference in HFAs
causing this?

I would like to force failover to this Ready node, but am not sure how
to proceed (I'd like to see the HFA17 node pass traffic properly, before
upgrading the known-good active HFA06 node).

Any pointers/insight out there?  Much appreciated.


- Dave



Re: [FW-1] Floodgate Installation

2006-03-02 Thread Ramki Security
You have to enable floodgate using cpconfig on the modules.  Remember 
that floodgate and PPK do not work together.

Ramki


Lino Eduardo Avila Rodríguez wrote:

Remember to set up the interfaces with the required bandwidth in your
modules


cheers



Lino E. Avila
[EMAIL PROTECTED]

 
 



-Original Message-
From: Mailing list for discussion of Firewall-1
[mailto:[EMAIL PROTECTED] On Behalf Of sin
Sent: Jueves, 02 de Marzo de 2006 10:59 a.m.
To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
Subject: Re: [FW-1] Floodgate Installation

Neil Kemp wrote:

Dear All

Just want to confirm the procedure for installing Floodgate. I am 
looking to install this in a distributed environment, with a single 
management server.
So, the floodgate module needs to be installed on the management 
server (W2003) and the modules enabled on the two Nokias, the firewall 
objects need to be ticked to say they have floodgate, and the licences 
installed.

you don't install floodgate on the management server.
just edit the properties of the firewall, check the floodgate option, add
the licenses and install the policy.



Re: [FW-1] Floodgate Installation

2006-03-02 Thread Ramki Security
PPK is Performance Pack or SecureXL, which provides software-based 
acceleration.


Ramki

Neil Kemp wrote:

PPK ?

On 02/03/06, Ramki Security [EMAIL PROTECTED] wrote:

You have to enable floodgate using cpconfig on the modules.  Remember
that floodgate and PPK do not work together.

Ramki

Lino Eduardo Avila Rodríguez wrote:

Remember to set up the interfaces with the required bandwidth in your
modules


cheers



Lino E. Avila
[EMAIL PROTECTED]





-Original Message-
From: Mailing list for discussion of Firewall-1
[mailto:[EMAIL PROTECTED] On Behalf Of sin
Sent: Jueves, 02 de Marzo de 2006 10:59 a.m.
To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
Subject: Re: [FW-1] Floodgate Installation

Neil Kemp wrote:

Dear All

Just want to confirm the procedure for installing Floodgate. I am
looking to install this in a distributed environment, with a single
management server.

So, the floodgate module needs to be installed on the management
server (W2003) and the modules enabled on the two Nokias, the firewall
objects need to be ticked to say they have floodgate, and the licences
installed.

you don't install floodgate on the management server.
just edit the properties of the firewall, check the floodgate option,
add the licenses and install the policy.



[FW-1] Copying Files to secureplatform

2006-03-07 Thread Ramki Security

Hi all,

I am trying to copy hotfix files to secureplatform using winscp.  Have 
added the default user in scpusers file and restarted the sshd process.  
Still winscp is not working.  Any help will be appreciated.


Thanks,
Ramki



Re: [FW-1] Copying Files to secureplatform

2006-03-08 Thread Ramki Security

Thanks all for your replies.

I had made the changes to scpuser file already but didn't help.  And I 
did receive a message in winscp that the shell is not compatible and 
recommending BASH.  I am not sure if it is ok to change the admin id's 
shell from cpshell to bash without affecting checkpoint functions.


I followed cisco4ng's option of using another linux server and did my 
work, but I would really like to be able to use winscp.  I will also try 
pscp and check if that works.


Thanks,
Ramki

Marius Banica wrote:

The default shell called cpshell works great with scp. All you need to do
is define /etc/scpuser; in this file add the admin entry and save the file,
then you can use admin for scp access.


 Original message 
Subject:Re: [FW-1] Copying Files to secureplatform
Author: [EMAIL PROTECTED]
Date:		08th March 2006 11:30:48 


hi,

you have to change the shell of the user you want to use for scp - 
because the checkpoint-shell does not work with scp.


cheers
reinhard

At 04:26 08.03.2006, you wrote:

I don't think Secureplatform will work with WinSCP.  The only way for
me to get it to work is to use scp from my linux server.  But I also use
key authentication.  You may want to look at using key authentication
instead of password.  That way, you can automate a lot of cron process
without having to put password inside your script(s)

my 2c



Ramki Security [EMAIL PROTECTED] wrote:
  Hi all,

I am trying to copy hotfix files to secureplatform using winscp. Have
added the default user in scpusers file and restarted the sshd process.
Still winscp not working. Any help will be appreciated.

Thanks,
Ramki



Re: [FW-1] Splitting Management and Enforcement modules.

2006-03-14 Thread Ramki Security

Here is what you can do.

1.  Make the new management module with the same name as your current 
machine.
2.  Do an upgrade_export on the current machine.
3.  Install management (select only smartcenter) on the new machine and 
use the exported configuration (advanced install).
4.  Create a new checkpoint gateway (new name) for your firewall and 
provide all required parameters.
5.  Modify your rule base (if required) to push policy to this object.
6.  Install vpn-1 pro only on the current machine. (Before that you can 
uninstall the complete product).
7.  Establish sic with the new management.
8.  Push policy.
9.  You are set to go.

Things to note:  If you have central licensing, you have to create all new 
licenses with your new management IP.  This can be done via your 
usercenter login.  If you have local license you have to split the 
management and firewall license, but it is better to have central 
license.  If you want to give a new name to your management, you will 
have some issues, including that the internal CA has to be reconfigured, 
invalidating all the certificates.


Regards,
Ramki



Simon Ashford wrote:

I currently have a single firewall running both Management
and Enforcement modules.  I am intending to split this
into a two-server configuration with the Management Module
on a new machine and the Enforcement Module staying where
it is.

How difficult is this to do?  Is there any documentation
or guidance anywhere I should read?


Thanks.


Simon Ashford.




Re: [FW-1] SmartView Monitor on enforcement.

2006-03-20 Thread Ramki Security
You need to enable Smartview monitor on the enforcement point which you 
want to monitor.  It is a separate package which you can select during 
the install, and you also need to check mark the box in the checkpoint 
object for the enforcement module.

Ramki


Alexander Simbun wrote:

Hi all,

Sorry for a lame question.

I would like to activate my SmartView Monitor on my firewall cluster. I 
received a license for it recently. According to the guide, I only 
need to install it on the management server, but what about enforcement? 
Do I need to activate it also?


Thanks.

Regards,

Al



Re: [FW-1] SmartView Monitor on enforcement.

2006-03-20 Thread Ramki Security
Yes.  I believe you have to start it through cpconfig too, but not 
sure.

Ramki


Alexander Simbun wrote:

Hi,

This means I just install the SmartView Monitor on top of the existing 
FW-1/VPN-1 software on the enforcement module, am I right?


Regards,

Al


Ramki Security wrote:
You need to enable Smartview monitor on the enforcement point which 
you want to monitor.  It is a separate package which you can select 
during the install, and you also need to check mark the box in the 
checkpoint object for the enforcement module.

Ramki


Alexander Simbun wrote:

Hi all,

Sorry for a lame question.

I would like to activate my SmartView Monitor on my firewall cluster. 
I received a license for it recently. According to the guide, I only 
need to install it on the management server, but what about enforcement? 
Do I need to activate it also?


Thanks.

Regards,

Al



Re: [FW-1] SmartView Monitor on enforcement.

2006-03-20 Thread Ramki Security
You don't have to re-install.  Run the checkpoint setup and select the 
smartview monitor package.  This will install only that package on top 
of the existing installation.  Then start it through cpconfig.  You may 
have to install it on both the cluster members, although I have not used 
it in a cluster.  But on the smartcenter you don't have to install any 
software (if my memory is correct; I don't have any current installation 
to verify).  Just use the smartview monitor GUI.

Ramki


Alexander Simbun wrote:
Another question, I have one management server which manages a firewall 
cluster. Currently both enforcement servers in the cluster are installed 
using standard installation (i.e., VPN-1 & FW-1) while SmartCenter is 
installed at management server. I'm still not sure on how to proceed 
with SmartView Monitor set up, do I need to install SmartView Monitor on 
each enforcement server on top of the existing VPN-1 & FW-1 firewall module, 
including at the SmartCenter server?


My concern is I'm reluctant to do re-installation on enforcement servers 
to include just the SmartView Monitor functionality. This is my first 
time to set up SmartView Monitor so I need some good guide about this.


Thanks very much.

Regards,

Al



Ramki Security wrote:
You need to enable Smartview monitor on the enforcement point which 
you want to monitor.  It is a separate package which you can select 
during the install, and you also need to check mark the box in the 
checkpoint object for the enforcement module.

Ramki


Alexander Simbun wrote:

Hi all,

Sorry for a lame question.

I would like to activate my SmartView Monitor on my firewall cluster. 
I received a license for it recently. According to the guide, I only 
need to install it on the management server, but what about enforcement? 
Do I need to activate it also?


Thanks.

Regards,

Al



[FW-1] NGX Upgrade issue

2006-03-20 Thread Ramki Security

Hi all,

We were trying to upgrade from NG R55 to NGX.  The upgrade is failing
with segment fault (core dumped) on solaris 9 box.  This happens when
the license upgrade status is checked.  When I run the license upgrade
utility manually (separately) this problem also comes.  Have any of you
faced a similar situation?  Any ideas will be helpful.

Thanks,
Ramki



Re: [FW-1] VPN acceleration card is disabled and wants to turn it on during boot up.

2006-03-20 Thread Ramki Security

Did you check cpconfig?

Ramki

Alexander Simbun wrote:

Hi,

I just noticed that our firewall's VPN accelerator card is turned off. I 
can enable it by using a command line but I wonder how to set it to be 
automatically activated during boot up or during firewall restarts? Thanks.


Regards,

Al



Re: [FW-1] NGX Upgrade issue

2006-03-22 Thread Ramki Security

Hi,

I am trying a smartcenter upgrade with no firewall.  Running HFA17. 
Failing process is license_upgrade.  I tried running the license_upgrade 
separately with same results (core dump).


Thanks,
Ramakrishnan

Adam BE wrote:

Hi Ramki,

Is it an upgrade of SmartCenter or firewall?
Which HFA does your R55 have (latest version is recommended)?
Which process fails with a core dump?  
I suggest you also get the stack from the core dump and post it here.


Thanks,
Adam.

Ramki Security [EMAIL PROTECTED] wrote: Hi all,

We were trying to upgrade from NG R55 to NGX.  The upgrade is failing
with segment fault (core dumped) on solaris 9 box.  This happens when
the license upgrade status is checked.  When I run the license upgrade
utility manually (separately) this problem also comes.  Have any of you
faced a similar situation?  Any ideas will be helpful.

Thanks,
Ramki



Re: [FW-1] management server not seeing logs from cluster

2006-03-22 Thread Ramki Security
Check the cluster object parameters and ensure that it is configured to 
log to the management server.

Ramki


Adam BE wrote:

Here are a few suggestions:

1. See sk30530 - SmartCenter Server not receiving logs from Security Gateway, 
after migrating to distributed configuration.
* Make sure to convert your SmartCenter to a *host* and *delete all interfaces* 
in Topology Tab and re-install policy.
2. See sk26214 - Firewall not sending logs to SmartCenter Server, is storing 
logs locally.
3. Try to install database on your SmartCenter and re-open SmartView Tracker.

Keep us posted if any of these suggestions solved your problem.

Thanks,
Adam.

Mark Senior [EMAIL PROTECTED] wrote: Hello list

I've got a peculiar situation here:  I've built a SPLAT R55 cluster (two
modules, HA new mode), and a Windows 2003 R55 management server.  For
some reason, the firewall logs aren't being received by the management
server.


From a network perspective, everything seems to be able to communicate
fine.  I can ping both directions between cluster members and management
server, install policies on the cluster, SSH to the cluster from the
management server, and so on.

As you can see from the output below, the modules are able to make
connections on TCP port 257 (FW1_log) to the management cluster, and
they're sending _something_ over the wire on those connections (not
much, as the ACK numbers don't seem to go above about 70)

Also, I'm unable to fetch the logs off the remote machines within
smartview tracker (tools > remote files management > pick a module, get
file list > pick a log file, fetch files).  The result is that the fetch
failed, with 0% progress.  However, I can fetch the logs successfully by
commandline with fw lslogs / fw fetchlogs.

Thanks in advance for your help
Mark



Some diagnostic output, which shows that:
(1) the module is generating, and at least attempting to send, logging
data:

[EMAIL PROTECTED] fw log -ft

Date: Mar 20, 2006
11:31:35 accept module-2 
cluster; s_port: 32900; dst: management; service: FW1_log; proto: tcp;

rule: 0; message_info: Implied rule;

11:31:50 accept module-2 
cluster; s_port: 32901; dst: management; service: FW1_log; proto: tcp;

rule: 0; message_info: Implied rule;


(2) the module is sending actual data on those logging connections, and
the management server is acknowledging its receipt, at layer three if
not higher:

[EMAIL PROTECTED] tcpdump -i eth2 -s 0 port 257
tcpdump: listening on eth2
11:28:32.715848 module-2.32888  management.257: S
2425846703:2425846703(0) win 5840 
(DF)

11:28:32.716150 management.257  module-2.32888: S
2256300641:2256300641(0) ack 2425846704 win 16384 
0,nop,nop,sackOK

11:28:32.716190 module-2.32888  management.257: . ack 1 win 5840 (DF)
11:28:32.716251 module-2.32888  management.257: P 1:5(4) ack 1 win 5840
(DF)
11:28:32.716806 management.257  module-2.32888: P 1:5(4) ack 5 win
65531 (DF)
11:28:32.716837 module-2.32888  management.257: P 5:9(4) ack 5 win 5840
(DF)
11:28:32.868495 management.257  module-2.32888: . ack 9 win 65527 (DF)
11:28:32.868515 module-2.32888  management.257: P 9:69(60) ack 5 win
5840 (DF)
11:28:32.869060 management.257  module-2.32888: P 5:59(54) ack 69 win
65467 (DF)
11:28:32.905408 module-2.32888  management.257: . ack 59 win 5840 (DF)
11:28:32.905634 management.257  module-2.32888: P 59:72(13) ack 69 win
65467 (DF)
11:28:32.905652 module-2.32888  management.257: . ack 72 win 5840 (DF)
11:28:32.906653 module-2.32888  management.257: F 69:69(0) ack 72 win
5840 (DF)
11:28:32.906854 management.257  module-2.32888: . ack 70 win 65467 (DF)
11:28:32.906970 management.257  module-2.32888: F 72:72(0) ack 70 win
65467 (DF)
11:28:32.906989 module-2.32888  management.257: . ack 73 win 5840 (DF)
11:28:47.915845 module-2.32889  management.257: S
2443795765:2443795765(0) win 5840 
(DF)

11:28:47.916162 management.257  module-2.32889: S
647665702:647665702(0) ack 2443795766 win 16384 
0,nop,nop,sackOK

11:28:47.916204 module-2.32889  management.257: . ack 1 win 5840 (DF)
11:28:47.916267 module-2.32889  management.257: P 1:5(4) ack 1 win 5840
(DF)
11:28:47.917000 management.257  module-2.32889: P 1:5(4) ack 5 win
65531 (DF)
11:28:47.917014 module-2.32889  management.257: P 5:9(4) ack 5 win 5840
(DF)
11:28:48.071400 management.257  module-2.32889: . ack 9 win 65527 (DF)
11:28:48.071420 module-2.32889  management.257: P 9:69(60) ack 5 win
5840 (DF)
11:28:48.071966 management.257  module-2.32889: P 5:59(54) ack 69 win
65467 (DF)
11:28:48.105407 module-2.32889  management.257: . ack 59 win 5840 (DF)
11:28:48.105668 management.257  module-2.32889: P 59:72(13) ack 69 win
65467 (DF)
11:28:48.105685 module-2.32889  management.257: . ack 72 win 5840 (DF)
11:28:48.106663 module-2.32889  management.257: F 69:69(0) ack 72 win
5840 (DF)
11:28:48.106878 management.257  module-2.32889: . ack 70 win 65467 (DF)
11:28:48.107070 management.257  module-2.32889: F 72:72(0) ack 70 win
65467 (DF)
11:28:48.107087 module-2.32889  management.257: . ack 

Re: [FW-1] NGX Upgrade issue

2006-03-23 Thread Ramki Security
Thanks for your comments.  I forgot to mention that I had already done 
the upgrade of all the NG licenses to NGX as recommended by the upgrade 
guide.  When I did the license upgrade first time it went on fine and 
did the upgrade.  When I run the NGX install and selected upgrade after 
the license upgrade is done, it core dumped at the point where license 
upgrade status is being checked.


Thanks,
Ramki

Bhavin Gandhi wrote:

You can try the upgrade separately. Download the license from Usercenter and attach 
the same using Checkpoint configuration.

Regds,
bG

-Original Message-
From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED] On 
Behalf Of Ramki Security
Sent: Wednesday, March 22, 2006 8:45 PM
To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
Subject: Re: [FW-1] NGX Upgrade issue

Hi,

I am trying a smartcenter upgrade with no firewall.  Running HFA17.
Failing process is license_upgrade.  I tried running the license_upgrade
separately with same results (core dump).

Thanks,
Ramakrishnan

Adam BE wrote:

Hi Ramki,

Is it an upgrade of SmartCenter or firewall?
Which HFA does your R55 have (latest version is recommended)?
Which process fails with a core dump? 
I suggest you also get the stack from the core dump and post it here.


Thanks,
Adam.

Ramki Security [EMAIL PROTECTED] wrote:

Hi all,

We were trying to upgrade from NG R55 to NGX.  The upgrade is failing
with segment fault (core dumped) on solaris 9 box.  This happens when
the license upgrade status is checked.  When I run the license upgrade
utility manually (separately) also this problem comes.  Have any of you
faced a similar situation?  Any ideas will be helpful.

Thanks,
Ramki


Re: [FW-1] NGX Upgrade issue

2006-03-23 Thread Ramki Security

Hi Adam,

Thanks for the syntax.  In fact I have been looking for the way to get 
the stack.  Thanks again.  I will get it and post it here.


And about the steps I followed:
1.  Ran ngx install and checked the upgrade verifier.  It exited after 
the completion.
2.  Ran ngx install again, selected upgrade and did a license upgrade 
simulation.  It successfully simulated and exited.
3.  Ran ngx install again, selected upgrade and did an online license 
upgrade.  It accessed usercenter and upgraded the license and gave a 
report.  Then the program exited.
4.  Ran ngx install again, selected upgrade and the license checking 
screen comes and it core dumps.  Initially it was giving segmentation 
fault and now it gives bus error.


Hi Lino:  I have valid software subscription and was able to 
successfully upgrade the licenses before bumping into this issue.


Thanks,
Ramki

Adam BE wrote:

Hi Ramki,

1. I suggest you get the stack from the core file and post it here.
It might help in pinpointing what has caused the problem.
 The general syntax for getting the stack from a core file is:
 debugger  path_to_executable  corefile
Examples:
gdb `which license_upgrade` core.license_upgrade.1721   (linux)
dbx `which license_upgrade` core.license_upgrade.1721   (solaris)

Once the debugger has finished loading type:  where
This should output the stack.

2. Could you be more specific as to the exact steps which caused the problem?
If I recall correctly there are several ways you could perform license upgrade 
(online before software update, offline before software update, etc.)... which 
commands did you type and in which exact order that causes this problem to 
reproduce?

Thanks,
Adam.


[FW-1] site-to-site with ezVPN

2006-03-23 Thread Ramki Security

Hi all,

We have a requirement to make site-to-site VPN between checkpoint and 
Cisco ezVPN.  Is this possible?  Has anyone tried this?


Thanks in advance,
Ramki



Re: [FW-1] VPN acceleration card is disabled and wants to turn it on during boot up.

2006-03-23 Thread Ramki Security

Al,

Did you try giving vpn accel on at the command line?  Did it start the 
accelerator?  If starting, you can put this command in startup as Adam 
has suggested.


Regards,
Ramki

Adam BE wrote:

Hi,

A simple solution would be to add the command to a startup script such as 
/etc/rc.local.  I think there should be a command which automatically enables / 
disables it during boot but I can't recall (need to review all the available 
documentation)...

Adam.

Alexander Simbun [EMAIL PROTECTED] wrote:

Yes, I did. Even though the automatic firewall module start-up during 
boot is set, it still doesn't start up the VPN accelerator. If still 
not working, I guess I have to reinstall the driver.


Thanks,

Al


Ramki Security wrote:

Did you check cpconfig?

Ramki

Alexander Simbun wrote:

Hi,

I just noticed that our firewall's VPN accelerator card is turned 
off. I can enable it by using a command line but I wonder how to set 
it to be automatically activated during boot up or during firewall 
restarts? Thanks.


Regards,

Al



Re: [FW-1] Technical specification of Firewall-1 GX

2006-03-24 Thread Ramki Security
It all depends on which hardware platform you want to choose.  Fw1-gx is 
a software.  Hardware requirement will be based on your requirement of 
performance and features.


Regards,
Ramki

Sanisca, Dewa wrote:

Hi All
I make a document for my office project, and I need information about
technical specification about Firewall-1 GX (power consumption, width,
height, etc)?
Maybe someone has the soft document or information? Thank you all!

BR
Sanisca 




Re: [FW-1] NGX Upgrade issue

2006-03-24 Thread Ramki Security

Hi Adam,

I am copying the output of the debugger below.  I am not sure if the 
debugger ran properly as I see some error-like messages, no debugging 
symbols found.  I have copied the whole capture here.  Let me know if 
you could decipher any information from this.  Thanks for your help.


# gdb /cdrom/solaris2/license_upgrade 
/var/core/core_license_upgrade_0_0_44554

GNU gdb 6.0
Copyright 2003 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain 
conditions.

Type show copying to see the conditions.
There is absolutely no warranty for GDB.  Type show warranty for details.
This GDB was configured as sparc-sun-solaris2.9...
(no debugging symbols found)...
Core was generated by `./license_upgrade'.
Program terminated with signal 10, Bus error.
Reading symbols from /usr/lib/libthread.so.1...(no debugging symbols 
found)...

done.
Loaded symbols for /usr/lib/libthread.so.1
Reading symbols from /usr/lib/librt.so.1...(no debugging symbols 
found)...done.

Loaded symbols for /usr/lib/librt.so.1
Reading symbols from /usr/lib/libresolv.so.2...(no debugging symbols 
found)...

done.
Loaded symbols for /usr/lib/libresolv.so.2
Reading symbols from /usr/lib/libsocket.so.1...(no debugging symbols 
found)...

done.
Loaded symbols for /usr/lib/libsocket.so.1
Reading symbols from /usr/lib/libnsl.so.1...(no debugging symbols found)...
done.
Loaded symbols for /usr/lib/libnsl.so.1
Reading symbols from /usr/lib/libdl.so.1...(no debugging symbols 
found)...done.

Loaded symbols for /usr/lib/libdl.so.1
Reading symbols from /usr/lib/libintl.so.1...
warning: Lowest section in /usr/lib/libintl.so.1 is .hash at 0074
(no debugging symbols found)...
done.
Loaded symbols for /usr/lib/libintl.so.1
Reading symbols from /usr/lib/libm.so.1...(no debugging symbols 
found)...done.

Loaded symbols for /usr/lib/libm.so.1
---Type return to continue, or q return to quit---
Reading symbols from /usr/lib/libc.so.1...(no debugging symbols 
found)...done.

Loaded symbols for /usr/lib/libc.so.1
Reading symbols from /usr/lib/libw.so.1...
warning: Lowest section in /usr/lib/libw.so.1 is .hash at 0074
(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libw.so.1
Reading symbols from /usr/lib/libkstat.so.1...(no debugging symbols 
found)...

done.
Loaded symbols for /usr/lib/libkstat.so.1
Reading symbols from /usr/lib/libkvm.so.1...(no debugging symbols found)...
done.
Loaded symbols for /usr/lib/libkvm.so.1
Reading symbols from /usr/lib/libelf.so.1...(no debugging symbols found)...
done.
Loaded symbols for /usr/lib/libelf.so.1
Reading symbols from /usr/lib/libCrun.so.1...(no debugging symbols found)...
done.
Loaded symbols for /usr/lib/libCrun.so.1
Reading symbols from /usr/lib/libaio.so.1...(no debugging symbols found)...
done.
Loaded symbols for /usr/lib/libaio.so.1
Reading symbols from /usr/lib/libmd5.so.1...(no debugging symbols found)...
done.
Loaded symbols for /usr/lib/libmd5.so.1
Reading symbols from /usr/lib/libmp.so.2...(no debugging symbols 
found)...done.

Loaded symbols for /usr/lib/libmp.so.2
Reading symbols from /usr/platform/SUNW,Sun-Fire-480R/lib/libc_psr.so.1...
(no debugging symbols found)...done.
Loaded symbols for /usr/platform/SUNW,Sun-Fire-480R/lib/libc_psr.so.1
#0  0x000cfd5c in do_test ()
(gdb) where
#0  0x000cfd5c in do_test ()
#1  0x63656e7b in ?? ()
Cannot access memory at address 0x74204ca5
(gdb)

Thanks,
Ramakrishnan


Re: [FW-1] Backup of Solaris

2006-03-28 Thread Ramki Security
By far the best way I have seen and also the check point recommended way 
is to use upgrade_export to export the firewall configuration if you are 
using NGAI R55 or later.


Ramki

Hal Dorsman wrote:

Yes, this is good advice.  By far ufsdump is the best way to clone your
entire disk from one machine to another.  However, I suppose it is just
another strategy, but I feel that if you are going to have a backup
hardware system, you might as well go ahead and build it exactly like
your primary, and you don't need an external disk or mess with ufsdump
and altering your vfstab.  I simply installed my secondary OS exactly
like my primary, and when my firewall and interface stuff was set up
(including OS hardening), I tarred up /etc and firewall conf directory,
ftp'ed it over to my secondary, and reboot secondary.  Voila! Identical
secondary backup since Solaris gets everything out of /etc, including
your hardening in RC start files.  I keep my secondary running, and
periodically retar my /etc and fwconf, and copy over to secondary.


Then Downtime=time to move your network cables.

hope this helps.

best regards,

Hal

-Original Message-
From: Mailing list for discussion of Firewall-1
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Monday, March 27, 2006 10:39 PM
To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
Subject: Re: [FW-1] Backup of Solaris


Hi,
the easiest way is to connect an external disk to the system and make a
ufsdump (with cron) of all partitions. With a little script (sed) you have
to modify the vfstab and set a bootblock on the disk.

If your system crashes you can boot the external disk from another
machine (same hardware). Downtime = Boottime. If you need a script, mail
me.

Regards
Reiner

-Original Message-
From: Mailing list for discussion of Firewall-1
[mailto:[EMAIL PROTECTED] On Behalf Of Bhavin
Gandhi
Sent: Tuesday, March 28, 2006 5:50 AM
To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
Subject: Re: [FW-1] Backup of Solaris

Hi Hal,

Thanks for pointing that how can the same be restored in case if
server crashes.

Thanks,
bG

-Original Message-
From: Mailing list for discussion of Firewall-1
[mailto:[EMAIL PROTECTED] Behalf Of Hal
Dorsman
Sent: Monday, March 27, 2006 9:40 PM
To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
Subject: Re: [FW-1] Backup of Solaris


As others have mentioned upgrade_export will back up FW config, but it
will not get your Solaris OS settings which are numerous.  All exist in
/etc so what I do is cd to /etc, 'tar -cvf fwbackupdate.tar *', then
move tar file to $FWDIR/conf, then tar contents of FWDIR, then ftp tar
file off to cold standby backup server. This way you will have a tar
file that contains everything you need that you can easily move to
backup server or to tape.

You can put these steps in a script and run it with cron periodically.

hope this helps

Hal

-Original Message-
From: Mailing list for discussion of Firewall-1
[mailto:[EMAIL PROTECTED] On Behalf Of Bhavin
Gandhi
Sent: Monday, March 27, 2006 2:13 AM
To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
Subject: [FW-1] Backup of Solaris


Gurus,

We have R55 Mgmt server and fw module installed on Solaris. Need help in
taking backup of the configuration.

Thanks,
bG
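
The steps from Hal's earlier post in this thread (tar /etc, place that archive in $FWDIR/conf, then tar the firewall directory), as an added example that is not part of the original messages. It is written in Python rather than shell, creates the archives with mode 0600, and adds a SHA-256 digest check for the standby side; the function names, file names and directory tree are constructed for illustration, and the transfer step is left out.

```python
import hashlib
import os
import tarfile
import tempfile
import time


def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so large archives are not read into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def write_tar(dest, src_dir):
    """Archive the entries of src_dir under relative names; dest is created 0600."""
    fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as fh, tarfile.open(fileobj=fh, mode="w") as tar:
        for name in sorted(os.listdir(src_dir)):
            tar.add(os.path.join(src_dir, name), arcname=name)


def backup_firewall_host(etc_dir, fwdir, out_dir, stamp=None):
    """Tar etc_dir into fwdir/conf, then tar fwdir into out_dir.

    Returns (archive_path, sha256_hex) for the outer archive.
    """
    fw_real, out_real = os.path.realpath(fwdir), os.path.realpath(out_dir)
    if os.path.commonpath([fw_real, out_real]) == fw_real:
        raise ValueError("out_dir must be outside fwdir, or the archive would include itself")
    stamp = stamp or time.strftime("%Y%m%d")
    # Step 1: the /etc archive lands in the firewall conf directory.
    write_tar(os.path.join(fwdir, "conf", f"fwbackup{stamp}.tar"), etc_dir)
    # Step 2: one outer archive now carries both the firewall files and /etc.
    archive = os.path.join(out_dir, f"fwdir-{stamp}.tar")
    write_tar(archive, fwdir)
    return archive, sha256_file(archive)


def verify_backup(archive, expected_sha256):
    """Re-hash the archive, then list the /etc entries nested inside it."""
    if sha256_file(archive) != expected_sha256:
        raise ValueError("archive digest mismatch, do not restore from it")
    with tarfile.open(archive, mode="r:") as outer:
        nested = [m for m in outer.getmembers()
                  if m.name.startswith("conf/fwbackup") and m.name.endswith(".tar")]
        if not nested:
            raise ValueError("no nested /etc archive found under conf/")
        newest = max(nested, key=lambda m: m.name)  # YYYYMMDD stamps sort by name
        with tarfile.open(fileobj=outer.extractfile(newest), mode="r:") as inner:
            return sorted(inner.getnames())


def demo():
    """Run the backup against a constructed stand-in for /etc and $FWDIR."""
    with tempfile.TemporaryDirectory() as root:
        etc, fwdir, out = (os.path.join(root, d) for d in ("etc", "fw", "out"))
        os.makedirs(etc)
        os.makedirs(os.path.join(fwdir, "conf"))
        os.makedirs(out)
        samples = ((os.path.join(etc, "vfstab"), "constructed\n"),
                   (os.path.join(etc, "hosts"), "127.0.0.1 localhost\n"),
                   (os.path.join(fwdir, "conf", "sample.conf"), "constructed\n"))
        for path, body in samples:
            with open(path, "w") as fh:
                fh.write(body)
        archive, digest = backup_firewall_host(etc, fwdir, out, stamp="20060328")
        return os.path.basename(archive), len(digest), verify_backup(archive, digest)


if __name__ == "__main__":
    print(demo())
```

Record the digest separately from the archive and run `verify_backup` on the standby before restoring from the copy.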



Re: [FW-1] Can Cisco Content Switching works with firewall cluster (Check Point + RainWall) ?

2006-03-29 Thread Ramki Security

Hi,

Check Point has a license called Connect Control which will accomplish 
the same load balancing on HTTP as well as other protocols. Not sure 
about Rainwall.


Thanks,
Ramki

Alexander Simbun wrote:

Hi,

Well... we are going to use Content Switch to load balance the web, ftp and 
email servers. Can Rainwall do the same thing without using 
Content Switch?


Al

billford wrote:
Are you using the Content Switch to load balance web servers or are 
you replacing Rainwall with the Content switch? The latter is a bad 
idea, the former should work fine. I think a few more details about 
what you're trying to accomplish with these two solutions would help 
in answering your questions.


Bill

Alexander Simbun wrote:

Dear Honorable Experts,

I have a question about Cisco Content Switching and firewall cluster 
(Check Point + RainWall) which made me wonder if these can work with each 
other. We are currently in progress to set up Content Switching between 
two locations (which share the same private and public VLANs). At the 
same time, we are running a firewall cluster which covers three 
enforcement servers (two at location A and one at location B). For 
load-balancing/H.A solution we used RainWall in the firewall cluster. 
FYI, there is one public VLAN, two private VLANs (behind the 
firewalls) and one synchronization network for three enforcements to 
synchronize with each other.


So, my questions are

a) Does Cisco Content Switch work with firewall cluster (Check Point + 
RainWall)? As I understand Content Switch and RainWall are similar 
load-balance/H.A. solutions except both running on different platforms 
(hardware and software based).


b) If it works, any documents or resources out there which help us 
to set up this?


c) If it doesn't work due to similar natures of these products 
(Content Switching and RainWall), which is the best way to solve this?


Thanks for your reply and enlightenment about this matter.

Regards,

Al



Re: [FW-1] Solaris module with splat smartcentre ?

2006-04-03 Thread Ramki Security
It doesn't matter which OS you are running the management on.  You can 
always push policy on any VPN-1 module (sun, ipso, splat, windows, linux 
etc).

Ramki


Mark Pace Balzan wrote:

Hi All,


I currently have a splat smartcentre mgmt NGX Express, which is managing
a couple of standalone NGX vpn-1 modules, also on splat. All works ok.

The Question:  Is it possible to also manage - ie push the policy, user
database etc...  another standalone express vpn module running on sun
solaris (instead of splat) from the splat express smartcentre mgmt
server ?  



Thanks


Mark



Re: [FW-1] ipassignment.conf

2006-04-20 Thread Ramki Security
Also note that you cannot give an IP which is part of your encryption 
domain.  You should use a totally different subnet (different from your 
officemode pool) for the ipassignment.conf to work.


Regards,
Ramki

Lino Eduardo Avila Rodríguez wrote:

 I have configured office mode and it works ok, then I edited the
ipassignment.conf file with one user to test it but it doesn't assign me the
ipaddress I want. I have installed the policy but the same problem. What I
wrote in the file is:


GatewayType   IP Address  User Name
=  =  ==
=

*   addr10.36.1.9,dns=(10.90.1.174) INKEPR


 Am I correct?




-Original Message-
From: Mailing list for discussion of Firewall-1
[mailto:[EMAIL PROTECTED] On Behalf Of sin
Sent: Martes, 18 de Abril de 2006 01:41 p.m.
To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
Subject: Re: [FW-1] ipassignment.conf

Lino Eduardo Avila Rodríguez wrote:
 
 
I have tried installing the policy and nothing happens.
 
Then I read somewhere you have to restart the cp services, but I don't 
know if it's going to work.
 


why just not try and see if it works or not ?
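
The constraint in Ramki's reply at the top of this message (assigned addresses must lie outside the encryption domain and outside the Office Mode pool), as an added example that is not part of the thread: a Python check over ipassignment.conf-style lines. It assumes the four columns from the header quoted above (Gateway, Type, IP Address, User Name) with types addr, range and net; the networks, gateway names, user names and helper names are constructed for illustration.

```python
import ipaddress

KINDS = ("addr", "range", "net")

# Constructed sample networks; substitute the ones defined on your gateway object.
ENCRYPTION_DOMAIN = [ipaddress.ip_network("10.10.0.0/16"),
                     ipaddress.ip_network("10.20.1.0/24")]
OFFICE_MODE_POOL = ipaddress.ip_network("172.16.10.0/24")

# Constructed file body (not the poster's file).
SAMPLE_CONF = """\
# Gateway   Type   IP Address                   User Name
*           addr   10.10.1.9                    userA
*           addr   172.16.10.50                 userB
*           addr   192.168.77.9                 userC
gw-a        range  192.168.77.20-192.168.77.29  groupD
gw-a        net    10.20.1.128/28               groupE
gw-a        addr   not-an-ip                    userF
gw-a        192.168.77.40                       userG
"""


def spec_to_networks(kind, spec):
    """Turn the IP Address column into a list of ip_network objects."""
    if kind == "addr":
        return [ipaddress.ip_network(spec + "/32")]
    if kind == "net":
        return [ipaddress.ip_network(spec, strict=False)]
    # range: "first-last", with an optional "/mask" suffix that is ignored here
    first, _, last = spec.partition("-")
    last = last.split("/", 1)[0]
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))


def check_ipassignment(text, encryption_domain, office_pool):
    """Return (line_no, user, spec, problem) for every entry that needs attention."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        fields = [f.rstrip(",") for f in raw.split("#", 1)[0].split()]
        if not fields:
            continue  # blank line or comment
        if len(fields) < 4 or fields[1] not in KINDS:
            # Report instead of skipping, so nothing is silently left unchecked.
            findings.append((line_no, None, raw.strip(), "layout not handled"))
            continue
        _gateway, kind, spec, user = fields[:4]
        try:
            nets = spec_to_networks(kind, spec)
        except (ValueError, TypeError):
            findings.append((line_no, user, spec, "unparseable address"))
            continue
        for net in nets:
            if any(net.overlaps(domain) for domain in encryption_domain):
                findings.append((line_no, user, spec, "inside encryption domain"))
                break
            if net.overlaps(office_pool):
                findings.append((line_no, user, spec, "inside Office Mode pool"))
                break
    return findings


if __name__ == "__main__":
    for finding in check_ipassignment(SAMPLE_CONF, ENCRYPTION_DOMAIN, OFFICE_MODE_POOL):
        print(finding)
```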



Re: [FW-1] Cannot Get Topology on new SC setup

2006-04-26 Thread Ramki Security
Try enabling IKE over TCP and other enhanced settings in SC.  It may 
help in case you use a NAT device at the SC end.

Ramki


Sean Donaghey/HDGH wrote:
All of a sudden on a new clean install I cannot get the topology to 
download.  I am using Username and password authentication, and it just 
tries for a long time, and then errors out with a 'Timeout Error'.


In the logs, I see an inbound FW1_top, and ISAKMP request from the SC 
computer, and they are both accepted.  This problem is not affecting VPN 
users that already have a site defined, just the ones that need to add 
the site.


What can I check to find out what is going on?

Thanks,

Sean





Re: [FW-1] hotfix question

2006-05-03 Thread Ramki Security

Yes.  HFA-03 is the latest hotfix for R60.

Regards,
Ramki

Clive Luk wrote:

Hi all,

One more silly question.

http://www.checkpoint.com/downloads/latest/hfa/vpn1pro_express.html#r60

is this the latest hotfix for NGX60?

Thanks!

Cheers,
Clive



Re: [FW-1] export configuration

2006-05-03 Thread Ramki Security

Hi Clive,

Are you planning to use ClusterXL for clustering?

About the cluster: you cannot set up cluster and management on the same
box.  You need to have a separate management and two other boxes to set
up the cluster.  Once you have this infrastructure, you can follow these
steps.

1.  Use the upgrade_export from the NGX R60 CD to do an upgrade_export.
Run unixinstallscript from the NGX CD and select export configuration.
2.  Store the exported file in a directory and transfer this to the NGX 
R60 box.
3.  Do an upgrade_import onto the NGX R60 box.  You can also do a fresh 
install and select advanced upgrade using the exported configuration.
4.  Follow the cluster configuration guidelines to configure the smart 
dashboard objects for the cluster.  Install policy on the cluster.  You 
will need a common IP, sync network etc.


Regards,


Clive Luk wrote:

Dear FW-1 list members,

Hope someone can help me here. Let me explain my situation.

I am currently running single NGX55 on Solaris 8 and SmartCenter on a
different box (Solaris 9).

I have been assigned to a project to set up a cluster (load balance/fail-over)
firewall. I have just set up a test box on a Solaris 9 box running both NGX60
and Smartcenter (just to play around). I am wondering if I can export the
old configurations + policy from my old NGX55 to the new NGX60?

Thanks in advance!

Cheers,
Clive



Re: [FW-1] R61 for VPN1/Pro Express

2006-05-03 Thread Ramki Security

Hi Reinhard,

Can you explain what the change in edge management is in R61?

Thanks,
Ramki

Reinhard Stich wrote:

hi,

yes - edge-mgmt is enhanced in R61, I guess checkpoint is waiting for 
nokia to test and release the ipso-version. then R61 will be released.
should be within the next 1-2 weeks as I see it.

cheers
reinhard

At 18:09 03.05.2006, you wrote:

Has anyone heard a firm date on when R61 will be released? I know that
some people have been able to get it from their firewall vendors etc. I
had thought it was to be out a few weeks back. I'm interested in the new
Edge management functionality that is supposed to be included with this
release.

Jeremy Lieb CCSE-NG CCSE+NG
Firewall Administrator
Open Text Corporation
100 Tri-State Int'l Pkwy
Third Floor
Lincolnshire, IL 60069
18472679330  ext 4395






--
Ramki
CCNA, CCSE-NGAI



Re: [FW-1] CheckPoint on RHEL4

2006-05-04 Thread Ramki Security
I would suggest using SecurePlatform instead.  Checkpoint supports it 
and you have fewer integration issues.  SPLAT is a modified/hardened
Red Hat Linux.


Ramki
CCNA, CCSE-NGAI

Eric Janz wrote:

Hi all,

Does anybody know if Checkpoint will support RHEL4 in the near future?


Thanks in advance for your comments,
Regards,

Eric Janz 
Departamento de Sistemas

Grupo Barceló Viajes

C\ 16 de Julio, 75
07009 Polígono Son Castelló
Palma de Mallorca - Baleares
Tel.: +34 971 448030
Fax.: +34 971 436986



Re: [FW-1] Load Balancing for SPLAT

2006-05-23 Thread Ramki Security
You can try Checkpoint's native ClusterXL.  I am not sure what the 
feature-wise difference between the two products is.


Ramki
CCNA, CCSE-NGAI

Joe Pope wrote:

We just received notice that the RainWall/RainConnect we are using is
being discontinued by EMC.  We use this to cluster our two SPLAT
gateways.
Anyone have any recommendations for a replacement?

Thanks!

Joe



Re: [FW-1] Installing SPLAT on Dell PowerEdge 2850 (UNCLASSIFIED)

2006-05-23 Thread Ramki Security
I had done the same install on R60 HFA3 on the same hardware but without 
the additional hard disks you have.  It went through fine.  Maybe you 
want to put only one HDD in its default configuration and try installing 
again to see if that helps.


Ramki
CCNA, CCSE-NGAI

Dearing, Jimmy (EDS Contractor) wrote:
Classification:  UNCLASSIFIED 
Caveats: NONE


I've been attempting to install SPLAT on a Dell PowerEdge 2850 Server that
has dual 3.8ghz processors with 2mb L2 Cache, 12gb RAM, Dual Embedded Intel
Gigabit1 82541 Server Adapter, PERC 4e/Di controller. It has six 15,000rpm
146gb hard drives that are set up as follows:

On Channel 0 of the PERC controller there are two disks, set up in a RAID 1
(mirror)

On Channel 1 of the PERC controller there are 4 disks, set up in a RAID 5.

The SPLAT install says all hardware is compatible and it goes into the
install. Once it begins formatting the /opt partition, it seems to hang.
I've tried it three different times and it has currently been sitting at the
formatting /opt screen for 24 hours.

I've tried this on two different identical 2850s with both giving the same
results.

Am I missing something here? Can anyone see something wrong with my hardware
setup?

Classification:  UNCLASSIFIED 
Caveats: NONE





Re: [FW-1] mac address

2006-05-26 Thread Ramki Security
Checkpoint, being an IP firewall, doesn't work on MAC addresses.  Hence I 
don't think there is a way to do this.  By the way, why do you want to do this?


Ramki
CCNA, CCSE-NGAI

Roberto González Sagredo wrote:

Hi,

I would like to know if it is possible to create objects in Firewall-1 VPN
Pro based on its MAC address instead of its IP number.

Regards

___
Roberto González Sagredo
Director de Sistemas
mailto:[EMAIL PROTECTED]

ComuNET S.A.
Gral. Concha 39,6º
48012 Bilbao España
Tel: +34 944 700 101
Fax: +34 944 700 185
http://www.comunet.es
___ 








[FW-1] Sun bge interface issue

2006-06-05 Thread Ramki Security

Hi,

Have you had any issues with the sun bge interface on NGAI R55?  I know it 
doesn't work with performance pack (securexl).  But otherwise we are 
seeing a lot of interface up/downs in the log and it seems to be causing some 
sync issues.  But no visible impact.


Has anyone experienced any issues with this?  Thanks in advance.

--
Ramki
CCNA, CCSE-NGAI



Re: [FW-1] Migrate IPSO SmartCenter to a Windows Platform

2006-06-07 Thread Ramki Security
Study Checkpoint's upgrade guide.  It has a step-by-step method of 
migrating smartcenter.  In a nutshell, use upgrade_export and 
upgrade_import to migrate checkpoint configuration and policies. 
Migrate the network/routing configuration separately.


By the way, why would you migrate from IPSO to Windows?  Splat may be a 
better choice.


Ramki
CCNA, CCSE-NGAI

Neil Kemp wrote:

Hi there,

I have a customer who needs to migrate from an IPSO platform running both
SmartCenter and Enforcement, to running the SmartCenter on Windows and
having the enforcement purely on Windows - does anyone know how to
accomplish this? (R60)

Thanks.



Re: [FW-1] Sun bge interface issue

2006-06-07 Thread Ramki Security

Thanks Trevor,

This seems to be a logical reason in our case even though we don't use 
VLAN.  But the symptoms seem to be the same.  Maybe there are still some 
issues with ClusterXL and BGE.


We are upgrading to NGX shortly.  Will see if that makes any difference.

Ramki
CCNA, CCSE

Trevor Lee wrote:

Hi Ramki,

I don't know if you are running vlans on your BGE interfaces, but had a
lot of issues when running NGAI R55 on Solaris 9 with vlans and BGE
interfaces.

This is what we got told from our local Checkpoint techs:

Just to confirm that we do not support the Broadcom BGE interfaces with
VLAN's when running ClusterXL (R55).  Our official recommendation is to
use the CE GigaSwift card, however a bug has been found in the Sun
driver (reference page 71, section 29 of the R55 release notes) that can
cause a Solaris Panic under certain load scenarios.  We still support
this configuration, however if it is found the issue you are having is a
result of this bug our hands are tied.

Symptoms
Unable to activate a BGE interface with VLAN support in a ClusterXL
configuration. 
cphaprob -a if command displays down, when vlans on the BGE
interfaces are configured. 


Environment
The native BGE configuration with ClusterXL is working as should be. The
status displays up when using a cphaprob -a if command.

Solution
Check Point recommends using Sun Microsystems CE GigaSwift interface
card for ClusterXL configurations with VLANs. The BGE interface card is
supported, but not in a ClusterXL configuration with VLANs

We ended up switching to a GigaSwift card and the messages went away,
and the machines seemed more stable.

Regards,
Trevor Lee




-Original Message-
From: Mailing list for discussion of Firewall-1
[mailto:[EMAIL PROTECTED] On Behalf Of Ramki
Security
Sent: Tuesday, 6 June 2006 8:53 AM
To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
Subject: [FW-1] Sun bge interface issue

Hi,

Have you had any issues with the sun bge interface on NGAI R55?  I know it 
doesn't work with performance pack (securexl).  But otherwise we are 
seeing a lot of interface up/downs in the log and it seems to be causing some
sync issues.  But no visible impact.

Has anyone experienced any issues with this?  Thanks in advance.





Re: [FW-1] upgrading from R55 to NGX

2006-06-07 Thread Ramki Security
We performed the upgrade from R55-HFA16 to NGX R60 HFA3 a few weeks ago 
and it's doing fine.  Our enforcements are still on R55-HFA16.


Ramki
CCNA, CCSE-NGAI

Brummer, Steven wrote:
Shiroma, 


I just recently performed the same upgrade that you're speaking of with
no ill effects. 


I upgraded my R55 HFA17 smartcenter server to NGX and was able to push
policy to the gateways and lost no VPN connections. I saw where many of
the connections dropped, but they reconnected with no issues. 


I ran into some issues with my Nokia enforcement points however with
trying to perform the zero-downtime upgrade. It's been a little while
since I did the upgrade to remember the specifics, but the biggest thing
that I remember was that I lost the VRRP interfaces which basically gave
me two standalone gateways instead of a two-node clustered gateway. This
caused all the Internet traffic to stop.

I had to reconfigure everything, but I won't recommend to you that it was
a problem with the upgrade. It very well could have been an operator
problem since this was the first time I had performed an upgrade to a
Nokia platform on my own.

Hope this helps, 

Steve 


-Original Message-
From: Mailing list for discussion of Firewall-1
[mailto:[EMAIL PROTECTED] On Behalf Of Shiroma
Dassanayake
Sent: Wednesday, June 07, 2006 2:53 AM
To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
Subject: [FW-1] upgrading from R55 to NGX

Dear all
   
I currently have a distributed env. My smartcenter server is running
R55 HFA 14 and my gateway is running R55 HFA09.

I am going to upgrade to NGX R60.

However, this is what I got from the R61 release notes under
clarifications and limitations:

VPN

1. After upgrading a pre-NGX SmartCenter Server to NGX, existing VPN
connections will be dropped the first time policy is installed if the
enforcement modules are not also upgraded to NGX. New connections will
succeed as expected. For connections with static source-destination
ports (for example, GRE connections), reinitialize them by running
cpstop/cpstart on the module.

My upgrade path will be as follows:

Upgrade Smartcenter server first
Upgrade gateway/module

The timeframe between the smartcenter upgrade and the gateway upgrade
could be anywhere from between a week to a month. In this scenario: does
this mean that once the smartcenter server has been upgraded to NGX and
the gateway is still at R55, my existing VPN client connections and
site-site VPNs will cease to function?

Has anyone encountered such a problem during an R55 to NGX upgrade?
Any ideas would be greatly appreciated.

Thanks and regards

Shiroma



Re: [FW-1] How to find NAT logs in NG AI R55?

2006-06-16 Thread Ramki Security
Use SmartView Tracker.  All NAT traffic is logged normally.  You may 
have to enable certain fields to see the Xlated source/destination in the 
log.


Ramki
CCNA, CCSE-NGAI

saravanakumar wrote:

Hi,

Will CheckPoint log tracker help?

regards,
kumar

Eva Wang wrote:


Hi there,
do you know how to find NAT logs either via SmartDashboard or fw monitor
or other commands?

great thanks.

br, eva



Re: [FW-1] ISP Redundancy on Windows

2006-06-19 Thread Ramki Security
We are running NGX on Solaris 9.  I believe ISP Redundancy is not 
supported here either.  Is there any suggestion on how to implement it 
in such cases?


Ramki
CCNA, CCSE-NGAI

Roberto Lauriola wrote:

Hi list,

Reading NGX R60 documentation ISP Redundancy on Windows is not possible 
and not supported.

Do you know a method or work-around to have that working?

Thank-you.
Bye.



Re: [FW-1] NGX Hotfix Confusion !

2006-07-11 Thread Ramki Security

1.  The release note may have been modified in June 2006.
3.  Smartconsole HFA numbers are different from product HFAs and can be 
followed independently.  Hence going by what you have mentioned, the 
VOIP hotfix may be the latest.


Ramki
CCNA, CCSE

Mark Pace Balzan wrote:

Hello All,


I'm currently running splat NGX R60 with HFA 03 - but I've got some
problems, so I dug a bit deeper and found some stuff related to HFA and
Hotfixes which is very confusing, so I hope someone out there can help.


i. HFA 03 is listed as released in April, and the pdf of the release
notes when I downloaded it also carries a date of April, but the latest
release notes say 'Take 25' and carry a date of June 2006, so is there a
more recent HFA03 that should be used?


ii. There is also a VoIP Hotfix for NGX. It states it should be
installed on top of HFA 02, but it's not clear if it is included as part
of HFA03, or if it should be installed together with HFA 03?


iii. Smartconsole: Both HFA02 and the VoIP Hotfix come with a
Smartconsole Hotfix with different version and build numbers. No
Smartconsole with HFA03 however. So which is to be used? Looks
like the VoIP Hotfix one has a higher release number.



Thanks in advance to all for shedding some light on this. I'll be
pleased to summarise all answers.



Cheers


Mark



Re: [FW-1] Nokia IP350 License problem

2006-07-11 Thread Ramki Security
You have got an NGX license here which is in your license database.  The 
error is because you have R55 loaded.  Check this license and remove it 
if not intended to be there.


Ramki
CCNA, CCSE-NGAI

Jean-Christophe Valiere wrote:

Hello,

I'm trying to add the license for a new firewall (Nokia IP350) 
using SmartUpdate (R55 Build 62).
Nokia Firewall Software Version is: Software Release: 4.1-BUILD016 
and Software Version: releng 1515  05.19.2006-052320.

I got the following error when adding the new license:
* Warning: Can't find ::cpxp-sc1-50-mgmt-ngx in cp.macro. License 
version might be not compatible
* Failed to install license 


Do you know where the problem is ?
Thanks in advance.




Re: [FW-1] Solaris 9 BGE card and NGX60

2006-07-12 Thread Ramki Security

Hi Clive,

NG R55 is known to have some compatibility issues with the BGE interface, 
but NGX R60 is supposed to have resolved those issues.  I have installed 
NGX R60 with HFA3 on a V240 server and it works fine.


Try adding the line bge accept in the file /etc/fw.boot/ifdev if it is 
not already there.


Ramki
CCNA, CCSE-NGAI

Clive Luk wrote:

Dear List,

I am trying to do a new installation on my newly bought two SUN FIRE V240.
Actually I want to setup as a cluster. However, When I installed NGX60 to a
freshly built box, it seems that CP doesn't recognise the bge card.

Does anyone have the same problem? Is there any way I can solve it?

Thanks in advance!

Cheers,
Clive



Re: [FW-1] Firewall slowdown?

2006-07-12 Thread Ramki Security
Maybe there is some attack going on in your network.  I had seen such 
behavior earlier.


Ramki
CCNA, CCSE-NGAI

Mike Smith wrote:

The Checkpoint NGX R60 HFA02 system I support recently exhausted all of the 
Concurrent Connections (the checkpoint log was showing dropped connections). I 
increased the value of Maximum concurrent Connections on the Capacity 
Optimization property screen of the cluster object definition.  The Calculate 
connection hash table size and memory pool option is set to Automatic.

There has been a very hard to explain slowdown during the afternoon.  I have 
satisfied myself that the performance problem is within the Firewall.  
Memory/processor utilization is less than 25% of the machine.

Are there any options, related to the concurrent connections value, which 
should be adjusted or reviewed?




Re: [FW-1] Solaris 9 BGE card and NGX60

2006-07-12 Thread Ramki Security
Yes.  My setup is active/standby cluster (not loadsharing) in new mode. 
 There is no VLAN involved.  Both cluster members are V240 servers on 
Solaris 9.  Using broadcast mode instead of multicast.


Ramki
CCNA, CCSE-NGAI

Clive Luk wrote:

Hi Ramki,

Thanks for your reply. I have done some research on the net and
SecureKnowledge. It seems it will not work with Cluster and VLAN. Because I
have got two V240 wanted to setup a Cluster.

Just a question have you got your V240 working with Cluster?

Cheers,
Clive

-Original Message-
From: Mailing list for discussion of Firewall-1
[mailto:[EMAIL PROTECTED] On Behalf Of Ramki
Security
Sent: Thursday, 13 July 2006 12:15 PM
To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
Subject: Re: [FW-1] Solaris 9 BGE card and NGX60

Hi Clive,

NG R55 is known to have some compatibility issues with BGE interface, 
but NGX R60 is supposed to have resolved those issues.  I have installed 
NGX R60 with HFA3 on V240 server and it works fine.


Try adding the line bge accept in the file /etc/fw.boot/ifdev if it is 
not already there.


Ramki
CCNA, CCSE-NGAI

Clive Luk wrote:

Dear List,

I am trying to do a new installation on my newly bought two SUN FIRE V240.
Actually I want to setup as a cluster. However, When I installed NGX60 to a
freshly built box, it seems that CP doesn't recognise the bge card.

Does anyone have the same problem? Is there any way I can solve it?

Thanks in advance!

Cheers,
Clive



Re: [FW-1] Bad Anti-Spoof Recovery

2006-07-24 Thread Ramki Security
Try giving fwm unloadlocal on the module and then push policy from the 
smartdashboard after modifying the anti-spoofing parameters.


Ramki
CCNA, CCSE-NGAI

Crist Clark wrote:

I have an enforcement module that appears to have a bad
policy installed. That is, it feels that traffic coming in
from the management server is spoofed. So how does one
install a corrected policy on this system? Obviously, you
cannot push a policy, but sometimes traffic originating from
the firewall itself gets through the anti-spoofing, so I
thought a,

# fw fetch master

Might work, but no. So then I tried,

# fw ctl uninstall

To kill the anti-spoofing, but the fetches would still fail.

What is a procedure to reacquire a module that has incorrectly
decided the management server is spoofing?




Re: [FW-1] Solaris 9 BGE card and NGX60

2006-07-26 Thread Ramki Security

Hi Clive,

Broadcast/Multicast:  This differentiates how the cluster members
communicate with each other.  Multicast would require special
configuration in some switches connecting the cluster members and hence
may create issues.  Broadcast would eliminate this issue.

Ramki
CCNA, CCSE-NGAI

Clive Luk wrote:

Thanks for your quick reply Ramki,

I am new to checkpoint. Do you think you can give me some direction on
setting up my v240 as a HA cluster?

Actually I have a few questions want to ask.

What is the difference between broadcast mode and multicast mode?
Does that require an extra license to setup HA/LS cluster?
Do you use cross over cable to sync. the state?

Cheers,
Clive

-Original Message-
From: Mailing list for discussion of Firewall-1
[mailto:[EMAIL PROTECTED] On Behalf Of Ramki
Security
Sent: Thursday, 13 July 2006 1:26 PM
To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
Subject: Re: [FW-1] Solaris 9 BGE card and NGX60

Yes.  My setup is active/standby cluster (not loadsharing) in new mode. 
  There is no VLAN involved.  Both cluster members are V240 servers on 
Solaris 9.  Using broadcast mode instead of multicast.


Ramki
CCNA, CCSE-NGAI

Clive Luk wrote:

Hi Ramki,

Thanks for your reply. I have done some research on the net and
SecureKnowledge. It seems it will not work with Cluster and VLAN. Because I
have got two V240 wanted to setup a Cluster.

Just a question have you got your V240 working with Cluster?

Cheers,
Clive

-Original Message-
From: Mailing list for discussion of Firewall-1
[mailto:[EMAIL PROTECTED] On Behalf Of Ramki
Security
Sent: Thursday, 13 July 2006 12:15 PM
To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
Subject: Re: [FW-1] Solaris 9 BGE card and NGX60

Hi Clive,

NG R55 is known to have some compatibility issues with BGE interface, 
but NGX R60 is supposed to have resolved those issues.  I have installed 
NGX R60 with HFA3 on V240 server and it works fine.


Try adding the line bge accept in the file /etc/fw.boot/ifdev if it is 
not already there.


Ramki
CCNA, CCSE-NGAI

Clive Luk wrote:

Dear List,

I am trying to do a new installation on my newly bought two SUN FIRE V240.
Actually I want to setup as a cluster. However, When I installed NGX60 to a
freshly built box, it seems that CP doesn't recognise the bge card.

Does anyone have the same problem? Is there any way I can solve it?

Thanks in advance!

Cheers,
Clive


Re: [FW-1] Upgrade from NGX R60 to NGX R61

2006-07-26 Thread Ramki Security
First upgrade the management station.  Before that take an 
upgrade_export of your current configuration.  Once the management 
station is upgraded, then upgrade the modules.  Refer to the checkpoint 
upgrade guide for detailed instructions.


I have heard that NGX R61 is older than NGX R60 with HFA03.

The NGX license is the same for R60 and R61.  No license upgrade is required.

Ramki
CCNA, CCSE-NGAI

Thiago Formagi - TECLógica wrote:

Hello guys,

I have a SPLAT NGX R60 issue and I need to upgrade it to NGX R61.

Which are the procedures that I have to perform after installing NGX R61?

I would like to know, when I do this upgrade procedure, will my licenses 
be upgraded too?


Thank you,



Re: [FW-1] SmartView Monitor error in NGX R61

2006-08-01 Thread Ramki Security
SView Monitor is a thick client.  Does it use IE?  Then did you try it 
on another PC and confirm it is not client specific?


Ramki
CCNA, CCSE-NGAI

Mark Elsen wrote:

NGX - R61
--

S-View monitor can't display full node status  ; following error
is reported.

 Internet Explorer Script Error

   - An error has occurred on the script in this page.
  Line  : 47
  Char : 2
  Error : Object doesn't support this property or method
  Code : 0

Anyone else seen this and or, got it solved ?

M.
