If you can't ping the cluster member (assuming your rules allow it),
then you're not going to be able to re-establish SIC. You don't have
to detach the cluster member to do that. Just go onto the module, run
cpconfig and choose reset SIC from there. Then within SmartDashboard,
there is an
Get yourself a usercenter account. Now. Go to
usercenter.checkpoint.com and register.
You can then search for all sorts of stuff. This one: http://
secureknowledge.checkpoint.com/SecureKnowledge/
viewSolutionDocument.do?id=sk16564 will probably help. It goes
through the steps for setting
Just update the firewall object, reset SIC, and you're good to go.
Once you've got SIC working, you can push out licenses and policy. No
need to export anything from the module.
Only other things to consider are interfaces and routes, plus any
SecurID or client auth stuff you might have on
If you've downloaded an HFA, you'll need to unpack the *HFA*.tgz
file, and then separately import the cpshared* and fw1* packages
contained within. You can't just import the HFA as one chunk, it
needs to be separate.
I understand what cisco4ng means about issues with SmartUpdate. I
used
What troubleshooting have you done so far? What are your logs telling
you? tcpdump?
Is traffic from the clients coming in via the gateway? Is it passing
the gateway? Are responses coming back from the HP-UX boxes?
Are the HP systems in the same subnet? Is that subnet in the
encryption
Doesn't matter what your logs say they were generated by, Ray's
solution is the correct one. It is SmartDefense. It may not say that,
since that particular protection/setting has been around for a while,
possibly (can't quite remember) from before SmartDefense was called
that.
On 23 Dec
I've heard several people now say things along the lines of this -
i.e. installing any other package will void your support. However, I
haven't been able to find any documentation from Check Point that
confirms this. I have had conversations with Check Point engineers,
who have told me
Have you defined the VRRP multicast address as being behind one of
the other interfaces?
On 14 Dec 2005, at 22:52, Oliver wrote:
Hello everybody.
I have 2 Nokias with VRRP configuration, NG with AI
R55. When I check the antispoofing feature on External
interface (in Cluster Topology) the
Rather than use any, you are usually better off to define explicit
services. Some dynamic services don't match for any. Besides the
fact that it is inefficient and insecure.
As for part 1 though, what kind of traffic are you trying to do from
the terminal services manager to the remote
Ummm, have you tried looking at the Address Translation tab?
On 12 Dec 2005, at 20:48, Miguel Angel Gutierrez wrote:
Hello all...
I've lost track of all my static NAT objects (bad admin from the last
guy).
This FW has more than 200 objects defined but only 20 of them are
supposed to have a
Think carefully about the implications of having a session that never
times out. What would happen if the session was not properly closed
down by the client/server? Your connection tables would eventually
fill up with old connections.
The right solution for this problem (better than
If you've replaced the system with the same hardware, and it's now
running slowly, I would check for duplex mismatches between your
server and the switches it is connected to.
Check your netstat -in output for errors.
You can look at things like the numbers of connections with fw tab -t
I don't see why Nokia would be saying that they won't condone it.
There haven't been any changes to the actual operation of the
protocol between 3.7 and 3.9. Some changes to the way you configure
it, yes, but not to the way it actually works. You will still have a
master sending out
Try cat /proc/cpuinfo
uname -a (look for smp in the kernel version)
top
You'll see 4 processors if you've got hyperthreading on (the default).
All this assumes you're running SPLAT. Generally, it just detects
both processors at install time, and installs the SMP kernel. In your
grub config,
Quick points:
* Are you using NGX? That offers you the SmartDefense option of
blocking ssh over non-standard ports. You can also block sshv1 from
about R54 onwards.
* What do your logs say? Make sure you also check your SmartDefense logs
* Is DNS all OK?
* What does tcpdump/fw monitor
. (but we were looking for something more
redundant e.g. that could have supported a firewall node + a router
failure at the same time... Ok very unlikely to happen :)
Thanks,
Alain
-Original Message-
From: Lindsay Hill [mailto:[EMAIL PROTECTED]
Sent: Friday, November 25, 2005 9:00 PM
To: Delava
the internet to router A even if router A
cannot communicate with the firewall nodes anymore (switch 1 is down,
remember).
If you have any comments or ideas... You're welcome :)
Kind regards,
Alain
-Original Message-
From: Lindsay Hill [mailto:[EMAIL PROTECTED]
Sent: Monday, November 28, 2005 8
It's a limitation of express. If you want to support more
connections, you need to purchase enterprise licenses. I believe
someone on the list did the same a few months ago, and was able to
change to enterprise with no problems, no reinstall required.
- Lindsay
On 25 Nov 2005, at 11:09,
If your certification is for AI, then yes, it is still valid, and you
can put it on your CV, no problems.
I would say though that if you are regularly doing searches in
SecureKnowledge, then having the certs makes a big difference - you
get access to far more articles, which for me is the big
Put in a rule to silently drop the traffic. It's pretty much a
standard rule. Something like:
Any - broadcast address - any - drop - None
On 11 Nov 2005, at 19:02, Bernard Jen wrote:
I am using NGX R60. I see lots of dropping traffic for the broadcast
packet. How can I stop seeing
I would suggest reading the release notes for both the version of
IPSO and the version of Check Point that you are planning on
installing. Look for the Installation Instructions section. If you
are only doing a minor upgrade, it is quite straightforward. Install
the new IPSO image with
Random thoughts:
1/ Running fw monitor, what behaviour were you seeing with the auto
NAT not working? Do those NATs require proxy ARP entries in place?
When they were making external connections, was the traffic being
passed, without the source being NATted? Or was traffic not being
You need to look into dynamic objects. Someone was asking about them
the other day on this list. My two cents - don't use them, they're
more trouble than they're worth. See if you can find another way of
solving the problem.
- Lindsay
On 7 Oct 2005, at 00:29, Zubair Jalal wrote:
Hi.
I
know how I can solve this? I tried to put some external
hosts in the VPN
group used for Topology, but it doesn't work.
Thanks again for your BIG help !
From: Lindsay Hill [EMAIL PROTECTED]
Reply-To: Mailing list for discussion of Firewall-1
FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
To: FW-1
Every packet? Or just old sessions that the firewall doesn't know
about, since its connection table was cleared by you rebooting it?
Sounds like the firewall is acting ok.
After rebooting it, do new sessions work ok?
It's one of the problems with standalone firewalls, and why many
people use
I would suggest reading the Nokia docs on VRRP:
https://support.nokia.com/knowledge/resolutionView.jsp?ResolutionId=1214
Use simplified mode though, it makes your life much easier once you
get beyond a few interfaces.
Check Point has some documentation on VPNS - look here:
you verify the
link or append the file?
Thanks.
-Original Message-
From: Mailing list for discussion of Firewall-1
[mailto:[EMAIL PROTECTED] on behalf of Lindsay
Hill
Sent: Thursday, 6 / October / 2005 10:22
To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
Subject: Re: [FW-1
vpn tu
You'll get a menu with some options for resetting SAs for all, or
specific, peers. There's probably a way of doing it in one line from
the command line, but the menu makes life easier.
If it's a regular occurrence, you might want to do some digging into
why it's occurring - make
Create a group containing the topology you want, then on the topology
tab of the firewall object, set topology to manual, and use that
group. The default is to use all addresses behind the firewall based
on the topology information, which may not be what you want.
Install policy, then
this, but it doesn't work. In this
topology group, must I put the source IP address or the destination? I
think this can be the trouble.
Thanks a lot.
From: Lindsay Hill [EMAIL PROTECTED]
Reply-To: Mailing list for discussion of Firewall-1
FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
You could try logging onto the console of the firewalls, see if
anything interesting is going on there. You can also run tcpdump, etc
from there, see what's happening with your traffic. fw monitor can
also be helpful, but it gets killed on policy install. If I was you,
I'd also change your
that blocking icmp traffic sometimes cannot be very good
because of
udp traffic. Is this true?
I don't want people on the internet pinging my web servers.
Thanks again to all.
-Original Message-
From: Mailing list for discussion of Firewall-1
[mailto:[EMAIL PROTECTED] on behalf of Lindsay
Hill
Sent
Normally you would have the global option turned off. You can then
allow any specific ICMP that you do want (e.g. from your monitoring
server) with the use of a normal rule.
If you turn the option on in your global properties, it effectively
just adds another rule. Go View - Implied Rules to see
Is your encryption domain set correctly?
You shouldn't be setting any routes.
- Lindsay
On 27 Sep 2005, at 08:51, Meyers, Duncan wrote:
More on Secureclient...
I have SecureClient talking nicely with the firewall - but I can't get
traffic to go across the VPN unless I set hub mode on