Hi Douglas,
this is not possible to do on VSX. We are trying to have this feature for a long
time now but unsuccessfully...
Matthias
Sawyer, Douglas
Good Morning All
I have a customer with the following environment.
SmartCenter server running on an internal IP address, 2 * Nokia Firewalls in
an HA Pair (VRRP / IPSO Clustering (tried both)) which are working fine.
They need the management station to manage a third Nokia in another location
-- Forwarded message --
From: Neil Kemp [EMAIL PROTECTED]
Date: 25-Aug-2006 09:25
Subject: NG R61 Smartcenter communications
To: Mailing list for discussion of Firewall-1
FW-1-MAILINGLIST@amadeus.us.checkpoint.com
Good Morning All
I have a customer with the following
Neil Kemp wrote:
Good Morning All
I have a customer with the following environment.
SmartCenter server running on an internal IP address, 2 * Nokia
Firewalls in
an HA Pair (VRRP / IPSO Clustering (tried both)) which are working fine.
They need the management station to manage a third
According to Checkpoint, when upgrading from let's say HFA_17 to HFA_18 in NG
AI R55: ALL changes made to the INSPECT files (aka, *.def files) will be
overwritten
Well, that is NOT entirely true. I ran a few tests on my provider-1 systems
and I made a few changes in the user.def file
I can confirm, but I can't tell you which .def files are changed, I
think this may vary depending on whether or not the hfa contains changes
to that particular .def file. Yes CP does leave you hanging here, here
is a clip from a KB solution, note the word may.
Any .def file modification may not
Hi All
How can I tell from the cli which firewall is active. I am running
AI r55 on ipso3.8. I can run tcpdump on the interface to see the traffic
going through live firewall but is there any other way to tell which
machine is active and which is standby..
Kind regards
Tauseef
cphaprob stat
-GS
-Original Message-
From: Mailing list for discussion of Firewall-1
[mailto:[EMAIL PROTECTED] On Behalf Of Tauseef
Khan
Sent: Friday, August 25, 2006 10:07 AM
To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
Subject: [FW-1] Active firewall.
Hi All
How can I tell from the
If you are running VRRP, then the best thing to do would be to run
clish from the command line and then run show vrrp interfaces
There is probably another command for checking IP clustering status, but
I haven't tried to look for it.
Cheers
Matthew Odendaal
-Original Message-
From:
in addition to cphaprob state, on the nokia, you can also use 'show vrrp' |
iclid:
Nokia[admin]# echo 'show vrrp' | iclid
VRRP State
Flags: On,LocalReceive
10s coldstart delay (completed)
12 interface enabled
12 virtual routers configured
0
Rock and a hard place, gents. There are historic considerations here.
With HFAs, certain files change that may impact the way the policy behaves, and
thus these files are not overwritten by default since NG (FP3 first HFAs, I
think, but memory fails).
Rock: Overwrite the files no-matter-what.
clish
show vrrp
or on the csh: ifconfig -a ... you should see the real if ip and the vrrp
address.
Best rgds
jochen
[EMAIL PROTECTED] 25.08.2006 16:06 pm
Hi All
How can I tell from the cli which firewall is active. I am running
AI r55 on ipso3.8. I can run tcpdump on the interface to see
Many Thanks for everyone's input. Much appreciated and very useful
Kind regards
T
-Original Message-
From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED] On
Behalf Of cisco4ng
Sent: 25 August 2006 15:42
To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
Subject: Re:
Hi all,
what is the load average on your CheckPoint FW system?
My customer has a CheckPoint ClusterXL with two nodes on SPLAT and a
permanent load average from 1.0 on both nodes. I think a load average
from 1.0 all over the time is curious, isn't it? Sometimes the load is
over 1.0.
The
Many thanks for the detailed response. If I have to manually failover nokias,
Is there any way of doing that from cli.
Kind regards
Tauseef
-Original Message-
From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED] On
Behalf Of cisco4ng
Sent: 25 August 2006 15:42
To:
Looking at a much smaller SPLAT cluster - two single CPU Poweredge 850s
with 512 MB memory, 3 Broadcom NICs, running R55 HFA18 - shows:
10:45am up 17:13, 1 user, load average: 0.00, 0.00, 0.00
60 processes: 58 sleeping, 1 running, 1 zombie, 0 stopped
CPU states: 0.0% user, 4.3% system,
You can use the set command to de-activate/activate an interface participating
in vrrp.
-GS
-Original Message-
From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED] On
Behalf Of Tauseef Khan
Sent: Friday, August 25, 2006 12:25 PM
To:
Hi,
What is the best method for implementing 2 different internet connections
to 1 firewall. I would like to try to separate general web browsing off
to another DSL connection away from our main G.SHDSL connection.
Thanks,
Sean
The information contained in this e-mail message is
hi,
or you can just see at the origin part of the
logs to see what box logs the traffic.
cheers
reinhard
At 19:29 25.08.2006, you wrote:
You can use the set command to
de-activate/activate an interface participating in vrrp.
-GS
-Original Message-
From: Mailing list for
Hi all,
what is the load average on your CheckPoint FW system?
My customer has a CheckPoint ClusterXL with two nodes on SPLAT and a
permanent load average from 1.0 on both nodes. I think a load average
from 1.0 all over the time is curious, isn't it? Sometimes the load is
over 1.0.
Hi Peter
This is a known issue on the NGX platform. It seems that 1.0 is
equivalent to 0.00 on the newer builds of SPLAT.
I mentioned this to the SPLAT product manager at Check Point a few
months ago. He looked into it and mentioned that it is something that
they will be fixing in a later
Hello,
I have a customer who recently resigned to his old Secure Client licenses to
use the budget on improvements on other CP products. They require DNS
resolution for use of local resources for their VPN clients and since Office
Mode was no longer available, we configured a SecuRemote DNS
hi,
I have a TAC-case for that and up to now they did _not_ say that this
is a bug - the first reply (I could just laugh) was this is by design.
as I see it this happens on _all_ linux based fw1-systems with R60,
R61 and also with the R62EA.
or is anyone out there with a R6x on linux where
Greetings,
The quoted text really is great information so pay attention to it.
Quote
Hope that clears things up a bit. Best practice is:
- Document any and all manual changes to CheckPoint files, such as .def
files, .h files, .C files.
- When applying a new HFA to a management station or
All,
Our Nokia currently running at 3.7 is crapping out with a defective HDD.
Our thought is to switch on a backup SPLAT box with identical IP
config as the production Nokia. Currently licenses are being managed by
the management server thru central licensing.
Question: do we need a separate
Checkpoint licensing depends on Checkpoint, irrespective of platform
On 25/08/06, Liu, David [EMAIL PROTECTED] wrote:
All,
Our Nokia currently running at 3.7 is crapping out with a defective HDD.
Our thought is to switch on a backup SPLAT box with identical IP
config as the production Nokia.
Just make sure that once you put the SPLAT box on line and get SIC properly,
attach the license to it via SmartUpdate.
As Neil said, it doesn't matter at all it used to be on a Nokia box and now
will be a SPLAT one.
On 8/25/06, Neil Kemp [EMAIL PROTECTED] wrote:
Checkpoint licensing depends on
Hi,
I am new in checkpoint. So I really need help regarding migration issues.
I have one stand alone checkpoint secure platform. It is the firewall module and
primary smartcenter.(Machine A)
Then, I have 1 Nokia IP 390 platform (Machine B), and 1 Smart Center Server
(SCS) based on
There is no need to be in a rock or hard place
Why they cannot program their software to accept CUSTOMER defined files,
these files that will not be overwritten by HFA, upgrade, etc.
If syntax or definitions change over of the hot fixes, upgrade, etc, these
files will not be
Very well said indeed.
It is ok if someone is using smartcenter; however, I am using Provider-1 and
I have
over 500 CMAs so you can see how big of a task this can be. It consumes
un-necessary resources on my end. Why can't checkpoint just make my existing
*.def files backward
You said:
At best, I would say that the documentation for .def files are lacking as to
whether or not they will be overwritten. It turns out that keeping that
information up to date would be quite the undertaking. Read the release
notes for an HFA and follow the best practices and you'll be