Re: [FW-1] SSL VPN performance vs. SecureClient

2007-10-24 Thread Ray
to worry about endpoint protection. With SecureClient I use its built-in 2-way firewall and know what's going on security-wise. Ray

Re: [FW-1] SSL VPN performance vs. SecureClient

2007-10-25 Thread Ray
, well, that was all they would ever use. And I can't blame them. Ray Date: Thu, 25 Oct 2007 07:34:21 +0200 From: [EMAIL PROTECTED] Subject: Re: [FW-1] SSL VPN performance vs. SecureClient To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Ray wrote

Re: [FW-1] R65 HFA-02

2007-10-29 Thread Ray
No issues on SPLAT so far. Ray Date: Mon, 29 Oct 2007 13:57:59 -0400 From: [EMAIL PROTECTED] Subject: [FW-1] R65 HFA-02 To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM Hey guys, anyone been successful in getting HFA-02 for R65 installed? Had a win 2003 SCS that would not let me

[FW-1] R61 HFA03 released

2007-10-31 Thread Ray
Nine fixes, including the one for the recently reported local privilege escalation problem if you're an administrator. Ray

[FW-1] R60 HFA06 released

2007-11-03 Thread Ray
Eight fixes, including the local administrator privilege escalation issue. Ray

Re: [FW-1] R65 and other .iso images now available for download!

2007-12-08 Thread Ray
There's now two available, the old one and a new one using the Linux 2.6 kernel that was released in the last week or so. Unless you need that one for hardware compatibility, I'd stay away from it until the pioneers get the arrows removed from their backs. Ray Date: Sat, 8 Dec 2007 07:49:22

Re: [FW-1] AW: Re: [FW-1] R65 and other .iso images now available for download!

2007-12-09 Thread Ray
That one is so new I don't even know if there is a license price yet. Ray Date: Sat, 8 Dec 2007 19:57:31 +0100 From: [EMAIL PROTECTED] Subject: [FW-1] AW: Re: [FW-1] R65 and other .iso images now available for download! To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM there is a 3rd

Re: [FW-1] AW: Re: [FW-1] R65 and other .iso images now available for download!

2007-12-09 Thread Ray
Nah, the two grand is for understanding multi-core processors. The 2.6 kernel version is free. The Messaging security one is for anti-spam. Ray Date: Sun, 9 Dec 2007 23:12:53 +0200 From: [EMAIL PROTECTED] Subject: Re: [FW-1] AW: Re: [FW-1] R65 and other .iso images now available

Re: [FW-1] Nmap scan of NGX-Strange

2007-12-11 Thread Ray
What ports? Ones like 4500 and 18264? If so, do you have implied rules enabled? Banner obfuscation is useful only to befuddle attackers that don't know what they're doing and to keep checklist-using auditors happy. In my opinion, of course. :-) Ray Date: Wed, 12 Dec 2007 01:08:01 +0530 From

Re: [FW-1] boot security

2007-12-12 Thread Ray
access, as sad as that sounds. Ray Date: Tue, 11 Dec 2007 21:09:08 -0500 From: [EMAIL PROTECTED] Subject: Re: [FW-1] boot security To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM Bill, the firewall should not be loading the initial policy because it can't contact the management server

Re: [FW-1] AW: Re: [FW-1] Nmap scan of NGX-Strange

2007-12-13 Thread Ray
Have you tried it yourself? Personally I don't trust UDP scanning very much. Can you list the UDP ports here? Ray Date: Fri, 14 Dec 2007 07:21:47 +0530 From: [EMAIL PROTECTED] Subject: Re: [FW-1] AW: Re: [FW-1] Nmap scan of NGX-Strange To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM

Re: [FW-1] Office-Mode egress filtering

2007-12-20 Thread Ray
Since you can use any IP range at all for Office Mode, it would be tough. Why is this an issue? Ray Date: Thu, 20 Dec 2007 17:00:25 +0100 From: [EMAIL PROTECTED] Subject: [FW-1] Office-Mode egress filtering To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM Hello List, when defining

Re: [FW-1] AW: [FW-1] Office-Mode egress filtering

2007-12-21 Thread Ray
to the router. Ray Date: Fri, 21 Dec 2007 09:29:05 +0100 From: [EMAIL PROTECTED] Subject: [FW-1] AW: [FW-1] Office-Mode egress filtering To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM Ray, Reinhard, thanks for your replies! Ray, Since you can use any IP range at all for Office Mode, it would

[FW-1] CIS Benchmark for R65 on SPLAT released

2007-12-22 Thread Ray
http://www.cisecurity.org/bench_checkpoint.html - 30 pages Ray

Re: [FW-1] QoS Best Practices...

2007-12-23 Thread Ray
will define the upper limit for the interface. I just use QoS on the external interface myself. Ray Date: Sun, 23 Dec 2007 17:38:03 + From: [EMAIL PROTECTED] Subject: [FW-1] QoS Best Practices... To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM Hi Guys, I am working with a Standard

Re: [FW-1] CIS Benchmark for R65 on SPLAT released

2007-12-24 Thread Ray
The CIS software that's available for many different devices will scan a device and give you a score based on their template (benchmark). This is one of the more basic ones I've seen, however firewalls are kind of a niche device. Ray Date: Mon, 24 Dec 2007 14:12:56 +0100 From: [EMAIL

Re: [FW-1] Automatic Nat problem in Cluster XL R65 NGX

2008-01-20 Thread Ray
* tools problems. Ray Date: Sun, 20 Jan 2008 04:11:17 -0500 From: [EMAIL PROTECTED] Subject: Re: [FW-1] Automatic Nat problem in Cluster XL R65 NGX To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM Sir, Inside global properties is checked: 1.- Allow bi-directional nat 2.- Translate

Re: [FW-1] SecureClient authentication window pop up

2008-01-22 Thread Ray
I'm not sure if this works for RSA. Try checking the box to cache passwords on the desktop. Ray Date: Tue, 22 Jan 2008 05:29:41 -0800 From: [EMAIL PROTECTED] Subject: [FW-1] SecureClient authentication window pop up To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM Hi Just a quick question

[FW-1] New R65 post-HFA02 hotfix article

2008-01-26 Thread Ray
VPN-1 Power/UTM and Provider-1 NGX R65 HFA_02 issues Hotfix - sk33821 It looks like they put the Edge policy push, ICA crash, upgrade_export and plus a new anti-virus hotfix into one article. There's no mention of that Floodgate memory leak patch, though. Ray

Re: [FW-1] How to change a SmartCenter from Windows to SecurePlatform

2008-02-13 Thread Ray
Just do it! The files produced by upgrade_export and used by upgrade_import are platform-neutral. It's one of the real beauties of the system. If you have applied R65 HFA01 or HFA02, there is a hotfix you'll need to apply for the tool to work properly, though. Ray Date: Wed, 13 Feb 2008 16

Re: [FW-1] SPLAT RAID

2008-02-22 Thread Ray
Agreed, but for what a firewall costs you and for what a failure can cost your company you should use hardware RAID. Date: Fri, 22 Feb 2008 11:02:14 +0100 From: [EMAIL PROTECTED] Subject: Re: [FW-1] SPLAT RAID To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM Thanks Sin, but i will try.

Re: [FW-1] SPLAT RAID

2008-02-23 Thread Ray
. Ray Date: Sat, 23 Feb 2008 10:40:04 +0100 From: [EMAIL PROTECTED] Subject: Re: [FW-1] SPLAT RAID To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM I tried a lot of hardware solutions. But SPLAT was unable to boot from a hardware RAID configuration. I tried a lot of SATA RAID Controller

Re: [FW-1] SPLAT RAID

2008-02-25 Thread Ray
Sure. I bought the 2950 II's a week before CP certified the 2950 III. :-( Ray Date: Mon, 25 Feb 2008 14:48:29 +0100 From: [EMAIL PROTECTED] Subject: Re: [FW-1] SPLAT RAID To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM Hi Ray, You're speaking about SPLAT R65 with the 2.6 kernel

Re: [FW-1] Upgrade from AI R55 to NGx R65

2008-03-09 Thread Ray
HTH, Ray Date: Sat, 8 Mar 2008 17:24:22 -0800 From: [EMAIL PROTECTED] Subject: [FW-1] Upgrade from AI R55 to NGx R65 To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM I am asking for advice from gurus in this list: Current situation: I have about 23 SPLAT firewalls (8 pairs of Active

Re: [FW-1] SmartDefense blocking https://supportcenter.checkpoint.com/

2008-03-12 Thread Ray
I had to put that one in Monitor Only quite awhile ago because it caused issues with several websites. Ray Date: Wed, 12 Mar 2008 23:23:30 +0100 From: [EMAIL PROTECTED] Subject: Re: [FW-1] SmartDefense blocking https://supportcenter.checkpoint.com/ To: FW-1-MAILINGLIST

[FW-1] Advisory on possible DoS - R55 and up with remote access

2008-03-18 Thread Ray
TITLE: CheckPoint VPN-1 IP Address Collision Security Issue SECUNIA ADVISORY ID: SA29394 VERIFY ADVISORY: http://secunia.com/advisories/29394/ CRITICAL: Less critical IMPACT: Exposure of sensitive information, DoS WHERE: From local network SOFTWARE: Check Point VPN-1/FireWall-1 NG with

Re: [FW-1] upgrade from R65 no HFA to NGX (R65) HFA_02, Hotfix 602

2008-03-18 Thread Ray
There's a hotfix in SK for Edge management problems, but I don't think this one is specifically called out. sk33821 - VPN-1 Power/UTM and Provider-1 NGX R65 HFA_02 issues Hotfix Ray Date: Tue, 18 Mar 2008 20:01:32 -0500 From: [EMAIL PROTECTED] Subject: [FW-1] upgrade from R65 no HFA to NGX

Re: [FW-1] any feedback regarding secureplatform 2.6

2008-04-23 Thread Ray
I was told that the plan is for an HFA or other update to be released later this year that will upgrade all R65 installations of the 2.4 kernel to the R65 2.6 kernel. Ray But at present it is not clear if this version will receive the same HFA's as the other versions. That is a much more

Re: [FW-1] any feedback regarding secureplatform 2.6

2008-04-23 Thread Ray
2.6. It says HFA03 is not supported on the 2.6 kernel, so I guess we have to wait a bit longer. :-) Ray Date: Wed, 23 Apr 2008 21:30:36 -0400 From: [EMAIL PROTECTED] Subject: Re: [FW-1] any feedback regarding secureplatform 2.6 To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM I was told

Re: [FW-1] Remote Access with SecureClient

2008-05-05 Thread Ray
domain accounts, their regular restricted one and another that is a local admin that they can use with RunAs to install software. Make darn sure you encrypt the laptops, which may be mandatory depending on your industry. If it's only a few people consider TrueCrypt from www.truecrypt.org. Ray

Re: [FW-1] Question about implementing Connectra

2008-05-08 Thread Ray
much worry. :-) Ray Date: Thu, 8 May 2008 08:08:23 +0200 From: [EMAIL PROTECTED] Subject: [FW-1] Question about implementing Connectra To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM Hi all, After doing some tests with Connectra over 30 days I am very happy with the product, but I have

Re: [FW-1] NG AI R55 end of life?

2008-05-09 Thread Ray
capabilities to manage the R55 firewalls. This works well. Ray Date: Fri, 9 May 2008 15:53:42 +0100 From: [EMAIL PROTECTED] Subject: [FW-1] NG AI R55 end of life? To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM Dear All, Have just received notice that NG AI R55 will cease to be supported

Re: [FW-1] NG AI R55 end of life?

2008-05-10 Thread Ray
bought new quad NIC cards as well. Ray We also ran into problems with the hardware compatibility list, more specifically the supported network cards. In R55, we had quadport adaptec 10/100 cards that worked great, but in R65 they broke if you were using vlan subinterfaces (which we were

Re: [FW-1] VPN Wire Mode

2008-05-11 Thread Ray
subsidiaries even though they were our employees. Ray Date: Sun, 11 May 2008 09:42:59 -0500 From: [EMAIL PROTECTED] Subject: [FW-1] VPN Wire Mode To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM While preparing to add a second external interface and a T1 to have a dedicated T1 for a site-to-site VPN

Re: [FW-1] VPN error,topology data without authentication. :MORE

2008-05-29 Thread Ray
You shouldn't have to edit anything in that file. Topology downloads without authentication stopped being the norm around NG FP3. Was this an upgrade from a really old version? Ray I found where I should edit objects_5_0.C but I am not sure which copy I should edit.

Re: [FW-1] Upgrade advice

2008-06-04 Thread Ray
as I had enough disk space). Ray Date: Wed, 4 Jun 2008 03:09:35 -0400 From: [EMAIL PROTECTED] Subject: [FW-1] Upgrade advice To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM Hello all, I'm preparing to upgrade two Nokia 1260's from IPSO 3.8.1-Build028 and Checkpoint R55 to IPSO

Re: [FW-1] R60 and Linux (FreeSwan)/VPN Client Support

2008-06-14 Thread Ray
Correct. Those rules and features are downloaded by the laptop client and implemented by the desktop client. Ray Date: Sat, 14 Jun 2008 15:34:53 -0700 From: [EMAIL PROTECTED] Subject: [FW-1] R60 and Linux (FreeSwan)/VPN Client Support To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM So I

Re: [FW-1] R60 and Linux (FreeSwan)/VPN Client Support

2008-06-15 Thread Ray
Possibly. You could have policies to control how they are set up, but personally I don't believe in policies without technical controls to back them up. Ray Date: Sat, 14 Jun 2008 17:26:06 -0700 From: [EMAIL PROTECTED] Subject: Re: [FW-1] R60 and Linux (FreeSwan)/VPN Client Support To: FW

[FW-1] How are SSL VPNs safer than IPSec?

2008-06-16 Thread Ray
with Microsoft Server comes with a high price in terms of manageability. The only advantage I can see is that the client software is pushed instead of pulled IF the end user has admin rights. Any enlightenment would be appreciated. Ray they only have access to what you allow in your rulebase. if you

Re: [FW-1] How are SSL VPNs safer than IPSec?

2008-06-18 Thread Ray
Thanks to everyone who took the time to respond. There were a few new points I hadn't heard of before. Take care, Ray Date: Mon, 16 Jun 2008 12:55:49 -0400 From: [EMAIL PROTECTED] Subject: [FW-1] How are SSL VPNs safer than IPSec? To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM I have

[FW-1] R62 HFA01 released

2008-06-19 Thread Ray
http://www.checkpoint.com/downloads/latest/hfa/vpn1_power/index.html 56 fixes. Ray

Re: [FW-1] How to get a checkpoint rep ASAP

2008-06-20 Thread Ray
What's the problem? Ray Date: Fri, 20 Jun 2008 12:25:18 -0400 From: [EMAIL PROTECTED] Subject: [FW-1] How to get a checkpoint rep ASAP To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM Hi all, UTM-1 appliance; Secureplatform; R62 Have contacted Professional Services with Checkpoint

Re: [FW-1] Compile FW Rules (No changes) to get the FW to work correcly again

2008-07-20 Thread Ray
Sounds like you're losing the ARP entry if NAT is involved in getting to the proxy. Ray Date: Wed, 16 Jul 2008 21:45:00 -0500 From: [EMAIL PROTECTED] Subject: [FW-1] Compile FW Rules (No changes) to get the FW to work correcly again To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM

[FW-1] R65 HFA30 released

-- Thread Ray

Re: [FW-1] R65 HFA30 released

2008-09-15 Thread Ray
It's kind of odd that this is listed as an HFA yet the release notes do not document that the fixes in the 249 rollup are included. Ray Date: Mon, 15 Sep 2008 08:23:47 +0200 From: [EMAIL PROTECTED] Subject: Re: [FW-1] R65 HFA30 released To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM hi

[FW-1] And now the real reason for R65 HFA30

2008-09-23 Thread Ray
is the only HFA approved for the Common Criteria configuration. Ray

[FW-1] Connecta NGX R62 XSS vulnerability

2008-09-24 Thread Ray
is reported in Checkpoint Connectra NGX R62 HFA_01, Hotfix 601, Builds 006 and 014. Other versions may also be affected. Ray

[FW-1] R60 HFA07 released

2008-11-15 Thread Ray
http://www.checkpoint.com/downloads/latest/hfa/vpn1_power/index.html#NGX%20R60 http://dl3.checkpoint.com/paid/4c/VPN-1_NGX_R60_HFA_07_Release_Notes.pdf?HashKey=1226799517_0cd45cb9179080820b961ffa3a6e8ba5xtn=.pdf Ray

Re: [FW-1] IPSec/LAN-to-LAN - R62 -cisco VPN Concentrator 3000

2009-01-31 Thread Ray
What version of FW-1 are you using on your side and what HFA? You ought to consider changing MD5 to SHA-1 given all of the bad publicity about MD5 recently. Are you sure PFS is disabled on both sides? Ray Date: Fri, 30 Jan 2009 18:57:56 + From: miguel.ferre...@link.pt Subject: [FW-1

Re: [FW-1] Release date for R70

2009-03-03 Thread Ray
I'm more interested in how my current licenses are going to map to R70. I am not paying more for what I already have. Ray Date: Tue, 3 Mar 2009 12:16:08 +0100 From: carlopm...@gmail.com Subject: [FW-1] Release date for R70 To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM Hi all

Re: [FW-1] Release date for R70

2009-03-05 Thread Ray
vendors as well. Heck, the feature list for Microsoft's ISA replacement, their Threat Management Gateway, is very impressive. They have SSL termination and inspection built in now, have HTTP malware inspection built in and we already have ISA licensed and in use behind FW-1. Ray

Re: [FW-1] L2TP connection from iPhone

2009-09-21 Thread Ray
Check Point just announced iConn, a VPN client for the iPhone. That might be more useful. It's supposed to be free from the App Store. http://www.cpug.org/forums/secureclient-securemote/11697-iconn-vpn-client-iphone-now-app-store.html Ray Date: Mon, 21 Sep 2009 05:52:47 -0600 From: seral

Re: [FW-1] Generating a CSR with 2048 key possible on R65 firewall?

2009-10-22 Thread Ray
I thought the 2048 bit requirement was only for the 2-year EV certs. I just did one for a 1-year EV cert and it only needed 1024 from Verisign. Ray Date: Thu, 22 Oct 2009 11:18:20 -0400 From: mqnguy...@gmail.com Subject: [FW-1] Generating a CSR with 2048 key possible on R65 firewall? To: FW

Re: [FW-1] Best practices for bandwith statistics and bandwith management

2009-12-21 Thread Ray
) and I think the last one is a month. It will give you the top three talkers when you click on any graph, but that may not be enough. A SmartView Monitor license will fill in the gap. Ray Date: Mon, 21 Dec 2009 10:18:47 +0200 From: vbavbal...@gmail.com Subject: [FW-1] Best practices

Re: [FW-1] Jmicron problem

2009-12-23 Thread Ray
292 ms 260 ms h193.s91.ts.hinet.net [168.95.91.193] 24 *** Request timed out. 25 *** Request timed out. 26 ** ^C So it's timing out somewhere in Taiwan, which is where that IP address is registered. Ray Date: Wed, 23 Dec

Re: [FW-1] Jmicron problem

2009-12-26 Thread Ray
Correct, but if it stops somewhere else for Giacomo that says it's some kind of routing problem. If it goes to roughly the same endpoint, that means it's some kind of protocol problem. Ray Date: Thu, 24 Dec 2009 09:01:59 -0600 From: oscar.esqui...@digicelgroup.com Subject: Re: [FW-1

Re: [FW-1] Using bridge configuration with R70.2

2010-03-20 Thread Ray
port of the bridge firewall interface. SmartView Tracker will show two internal devices trying to talk to each other and you'll be scratching your head trying to figure out why that traffic is hitting the firewall at all. Or at least I did. :-) Ray Date: Thu, 18 Mar 2010 18:04:47 +0100

Re: [FW-1] Preventing SQL injection with Smartdefense

2010-03-20 Thread Ray
to yourself Great, we got hacked on Friday evening because my company was too cheap to buy it. Now I get to clean up the mess and then we'll buy it so this doesn't happen again. :-) FWIW, Ray Date: Sat, 20 Mar 2010 13:08:57 +0200 From: vbavbal...@gmail.com Subject: [FW-1] Preventing SQL

Re: [FW-1] ipsec between database (LAN) and aplication server (DMZ) through CP

2010-04-08 Thread Ray
, they are ex-Check Point employees. :-) Ray Date: Mon, 5 Apr 2010 14:37:13 +0300 From: vbavbal...@gmail.com Subject: [FW-1] ipsec between database (LAN) and aplication server (DMZ) through CP To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM Hi, There is an database server at LAN and an application

Re: [FW-1] Upgrade to R70.20 (or R70.30)

2010-04-29 Thread Ray
Yeah, that's how I do it. Sometimes a few weeks go by before the gateways get upgraded. BTW, R71 is out. http://supportcontent.checkpoint.com/solutions?id=sk44675 Ray Date: Mon, 26 Apr 2010 13:39:15 -0700 From: ychap...@parc.com Subject: [FW-1] Upgrade to R70.20 (or R70.30) To: FW-1

Re: [FW-1] R65 to R70.30 or R71

2010-06-09 Thread Ray
says a gateway is disconnected when it never is. Doesn't R71 require blade licenses? Have you done that yet? Ray Date: Mon, 7 Jun 2010 14:51:24 -0500 From: jlindb...@mico.com Subject: [FW-1] R65 to R70.30 or R71 To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM I'm in the process

Re: [FW-1] SNX Warning about vulnerabilities in a third party cert.

2010-08-09 Thread Ray
https://forums.checkpoint.com/forums/thread.jspa?threadID=10241 When you launch SNX and go look at the certificate details tab, does it say the signature hash algorithm is SHA1 or MD5? Ray Date: Mon, 9 Aug 2010 16:29:13 -0600 From: seral...@gmail.com Subject: [FW-1] SNX Warning about

Re: [FW-1] Staying with SecurePlatform?

2010-10-21 Thread Ray
on their own NIC. Ray Date: Wed, 20 Oct 2010 15:34:21 -0400 From: jason.ebers...@sti-ultrasound.com Subject: [FW-1] Staying with SecurePlatform? To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM I'm at a crossroads. My maintenance renewal is coming due and my Checkpoint representative

Re: [FW-1] SQL injection protection

2010-10-24 Thread Ray
in allows it to see web traffic to and from the web server AND allows it to see database traffic between the web server and the back-end database. If you buy the appropriate licenses, it can then act as a database activity monitor and as a database firewall. Ray Date: Sun, 24 Oct 2010 12:49:22

Re: [FW-1] Risks of Site -to Site VPN data line

2010-10-24 Thread Ray
What does web project mean? What ports, protocols and traffic is expected? Is SSL going to be used? Who is connecting to who? What access does the thing being connected to have on the internal network? For example, is it a web server that is installed on your internal network? Ray Date: Fri

Re: [FW-1] Setting /Reviewing/Monitoring IPS policy

2010-10-24 Thread Ray
attack or a false positive and then decide what to do based on your exposure. 3. Once a system has been patched, disable that IPS protection. Ray Date: Sun, 24 Oct 2010 09:52:05 +0300 From: vbavbal...@gmail.com Subject: [FW-1] Setting /Reviewing/Monitoring IPS policy To: FW-1-MAILINGLIST

Re: [FW-1] Local Interface Address Spoofing

2011-01-14 Thread Ray
-IP'ing. FWIW, Ray Date: Sat, 15 Jan 2011 11:50:13 +1100 From: c...@ans.com.au Subject: [FW-1] Local Interface Address Spoofing To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM Hi, We're getting now Local Interface Address Spoofing message_info. this normal occurs just before an IKE key

Re: [FW-1] Local Interface Address Spoofing

2011-01-18 Thread Ray
This issue started happening after we changed the address of the internal interface of our fw1. Is the other side using the same IP address as your internal interface anywhere? Maybe it's for real. Ray Date: Tue, 18 Jan 2011 07:28:36 +1100 From: c...@ans.com.au Subject: Re: [FW-1] Local

[FW-1] Hacker 'handshake' hole found in common firewalls - but not CP!

2011-04-13 Thread Ray
://www.networkworld.com/news/2011/041311-firewall-vendor-response.html?hpg1=bn Ray

Re: [FW-1] Question about restoring smartcenter

2011-09-30 Thread Ray
It's never been possible in the past versions. The SmartCenter compiles the policy and pushes the compiled code to the firewall. Have you opened a support case to ask about your version? Have you tried mounting the hard drive in another computer to see if you can retrieve its files? Ray

Re: [FW-1] Upgrade with a flush install from R70 to R75.20

2011-12-12 Thread Ray
SmartCenters. I'd also consider running 'gzip --test' on your export before you flatten the box. I had one that corrupted for some reason. Ray Date: Mon, 12 Dec 2011 11:40:31 +0200 From: vbavbal...@gmail.com Subject: [FW-1] Upgrade with a flush install from R70 to R75.20 To: FW-1

Re: [FW-1] Upgrade with a flush install from R70 to R75.20

2011-12-17 Thread Ray
From the upgrade_tools directory, I run mine as ./migrate export /var/cpexport.tgz Ray Date: Tue, 13 Dec 2011 12:41:49 +0200 From: vbavbal...@gmail.com Subject: Re: [FW-1] Upgrade with a flush install from R70 to R75.20 To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM Thanks Ray

Re: [FW-1] Floodgate component installed but seems not to be effective/work

2012-01-13 Thread Ray
1 bit per second? Is that what you mean by 1 Bps? Try something more usual like 56 K/bps and set just a limit and not a guarantee. It definitely works on R55 because I used to use it all the time. Do you have the QoS value set properly on the firewall's QoS tab? Ray Date: Fri, 13 Jan 2012

Re: [FW-1] KB2585542 vs SNX

2012-02-04 Thread Ray
Have you opened a case with Check Point yet? They have developed a hotfix for R75.20 and were working to backport it to earlier versions. I do not know what that progress is. It's not just Check Point products that are affected. It's breaking other vendor's SSL VPN systems as well. Ray Date

Re: [FW-1] KB2585542 vs SNX

2012-02-04 Thread Ray
cipher is the first one offered in the server preference (and the server does not offer up ciphers in a random order), then this should not affect your system. Ray Date: Sat, 4 Feb 2012 12:59:19 -0500 From: sixsigm...@hotmail.com Subject: Re: [FW-1] KB2585542 vs SNX To: FW-1-MAILINGLIST

Re: [FW-1] Change control

2012-02-04 Thread Ray
. In SmartView Monitor we have its alerts set to email also. All policy installations generate an email alert so everyone knows it happened. Ray Date: Fri, 3 Feb 2012 14:17:12 -0800 From: dly...@placer.ca.gov Subject: [FW-1] Change control To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM I'm

Re: [FW-1] KB2585542 vs SNX

2012-02-04 Thread Ray
it? I'm guessing the answer is Yes. This is also affecting SSL terminating proxies such as older versions of Websense. I think they have a hot fix for v7.5.5 and v7.6.x has the fix built in. Ray Date: Sat, 4 Feb 2012 10:23:49 -0800 From: cprev...@gosecure.ca Subject: Re: [FW-1] KB2585542 vs

Re: [FW-1] Change control

2012-02-07 Thread Ray
was in manufacturing. Everyone is just trying to do their job but non-firewall types rarely understand how the applications they manage actually work. So it's a big part of the job to help people just make it work while keeping things to least privilege. Ray Date: Tue, 7 Feb 2012 08:07:06 -0800 From: dly

Re: [FW-1] SNX failure, page cannot be displayed

2012-02-16 Thread Ray
Check this: https://www.cpug.org/forums/snx-ssl-network-extender/16989-problem-ssl-network-extender-page-cannot-displayed.html#post74614 Ray Date: Wed, 15 Feb 2012 11:26:02 -0800 From: accesslimi...@yahoo.com Subject: [FW-1] SNX failure, page cannot be displayed To: FW-1-MAILINGLIST

Re: [FW-1] SNX failure, page cannot be displayed

2012-02-17 Thread Ray
Thanks for mentioning that R75.30 one on open server. Do you have any more details? We're still on R75.20 on Dell 2950's and are thinking about R75.30. Ray Date: Thu, 16 Feb 2012 19:37:08 -0800 From: accesslimi...@yahoo.com Subject: Re: [FW-1] SNX failure, page cannot be displayed To: FW-1

Re: [FW-1] Connections dropping when pushing policy

2012-02-20 Thread Ray
It sounds more like under-powered hardware. What are you using and is the SmartCenter on the same box as the firewall? Ray Date: Mon, 20 Feb 2012 17:33:05 +0530 From: moham...@fss.co.in Subject: Re: [FW-1] Connections dropping when pushing policy To: FW-1-MAILINGLIST

Re: [FW-1] Connections dropping when pushing policy

2012-02-21 Thread Ray
pushing policy To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM Dear Ray, Ours is a Nokia box hardware and Smart center running in another separate PC with 4GB RAM Version: NGX (R65) OS: IPSO Version: 4.2 Average CPU - 14% Active virtual memory - 650MB Disk free % - 84 cpmodule

Re: [FW-1] Connections dropping when pushing policy

2012-02-23 Thread Ray
licensing. :-) Ray Date: Thu, 23 Feb 2012 12:18:33 +0530 From: moham...@fss.co.in Subject: Re: [FW-1] Connections dropping when pushing policy To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM I am not getting this NTP error message, anyway have enabled Keep all connections as per Tom's advice

Re: [FW-1] Connections dropping when pushing policy

2012-02-25 Thread Ray
I think I confused multi-core with multi-CPU. When we bought new hardware about four years ago we had to buy a 2-core CPU instead of the normal quad core because of our licensing. Until CoreXL supports QoS it's staying disabled. Ray Date: Fri, 24 Feb 2012 07:41:36 -0500 From: itsec.itcons

Re: [FW-1] Load on memory error again and again

2012-11-15 Thread Ray
I just hit the same issue on a SPLAT R75.20 box. SmartView Monitor showed 3+ GB of Virtual Memory Active which seemed way high. A cpstop;cpstart on the firewall dropped the SmartView Monitor number to just over 1 GB and policies installed fine again. The box had been up for about 320 days.

Re: [FW-1] Your uptimes

2013-02-13 Thread Ray
We don't have to patch Check Point any more except very rarely, ever since Check Point effectively stopped using HFAs in favor of new version numbers. They're just upgrades now and as long as the current version is still supported, we don't have to upgrade. Ray Date: Wed, 13 Feb 2013 15:02

Re: [FW-1] checkpoint r76 - is anyone using this release for production firewalls ?

2013-05-16 Thread Ray
Yes, pretty much zero issues. They were all clean installs on new Dell hardware using Gaia 64-bit. migrate was used to bring the R75.20 policies over to the Gaia 64-bit SmartCenter, again with zero issues. Geo protection is much more accurate. Ray There were a few critical Gaia hotfixes

Re: [FW-1] SmartUpdate Strange Behavior

2013-06-07 Thread Ray
What version are you using? We're seeing the same continual license delete and add nonsense on R76 Gaia and it was not there on R75.20. I'll have to look and see what the client IP is on Monday. We noticed it because of the syslog alerts. Ray Date: Fri, 7 Jun 2013 07:02:00 -0700 From

[FW-1] Newsgroups gone?

2003-11-14 Thread Ray P.
are no longer available. Anyone know why this happened? They weren't used much but I did glean some good information off of them. Thanks, Ray

Re: [FW-1] User Monitor, Policy server status = Unknown

2003-11-27 Thread Ray P.
Hi Christian, I don't have it in front of me, but there's a Nokia support bulletin on this. You need to use dbedit (or in my preference, GUIdbedit) and make a change for this to work. I don't have a clue why it's turned off by default. Try searching the Nokia support site for user monitor Ray

Re: [FW-1] Floodgate unavailabe after upgrade_import??

2003-11-27 Thread Ray P.
Copy the entire existing rulebase to the clipboard and then create a brand new policy and select for the Floodgate tab to be displayed. Then paste in the old rulebase. Ray From: Kunz, T [EMAIL PROTECTED] Reply-To: Mailing list for discussion of Firewall-1 [EMAIL PROTECTED] To: [EMAIL PROTECTED

Re: [FW-1] User Monitor, Policy server status = Unknown

2003-11-28 Thread Ray P.
Monitor doesn't show it until later. Ray From: Christian Koefoed [EMAIL PROTECTED] Reply-To: Mailing list for discussion of Firewall-1 [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject: Re: [FW-1] User Monitor, Policy server status = Unknown Date: Fri, 28 Nov 2003 14:16:24 +0100 Hi, and thanks

Re: [FW-1] Help configuring my VPN

2003-11-30 Thread Ray P.
their ability to unload the security policy, etc. You'll then set a desktop security policy rule that allows SecureClient to communicate with the encryption domain unencrypted when they are not logged in via SecureClient. Ray From: Eric Brouwer (Corporate DET) [EMAIL PROTECTED] Reply-To: Mailing

[FW-1] NG AI R55 posted

2003-12-01 Thread Ray P.
The new release of NG AI has been posted on Check Point's site. The What's new document can be found here: http://www.checkpoint.com/support/downloads/docs/firewall1/r55/WhatsNew.pdf Ray

Re: [FW-1] log entry: source localhost

2003-12-02 Thread Ray P.
. The source definitely was from the external interface and our router people did their magic to the Internet router to block everything with a source of 127.0.0.1 and it immediately stopped. Ray From: Crist Clark [EMAIL PROTECTED] Reply-To: Mailing list for discussion of Firewall-1 [EMAIL PROTECTED

Re: [FW-1] log entry: source localhost

2003-12-03 Thread Ray P.
Thanks for the clarification, Crist. Those packets are long gone now, so I can't look at them anymore. Ray From: Crist Clark [EMAIL PROTECTED] Reply-To: Mailing list for discussion of Firewall-1 [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject: Re: [FW-1] log entry: source localhost Date: Wed, 3

Re: [FW-1] SecureClient behind a NAT device

2003-12-04 Thread Ray P.
Do you have a rule in the main security policy allowing SecureClient users to connect to your internal network? I put each SC user in a group and then allow access if via remote access Ray From: Eric Brouwer (Corporate DET) [EMAIL PROTECTED] Reply-To: Mailing list for discussion of Firewall-1

Re: [FW-1] Keberos V5 though client VPN

2003-12-05 Thread Ray P.
http://support.microsoft.com/default.aspx?scid=kb;EN-US;244474 and its related link should do it. Ray From: Craig Baltzer [EMAIL PROTECTED] Reply-To: Mailing list for discussion of Firewall-1 [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject: [FW-1] Keberos V5 though client VPN Date: Fri, 5 Dec

Re: [FW-1] Keberos V5 though client VPN

2003-12-07 Thread Ray P.
, we had to add a specific rule to get Outlook to work right over remote access because service any didn't cut it. You might try putting a specific rule to accept TCP 88 and UDP 88 via Remote Access and log it to see what's going on. Ray From: Craig Baltzer [EMAIL PROTECTED] Reply-To: Mailing list

Re: [FW-1] Keberos V5 though client VPN

2003-12-08 Thread Ray P.
Are you running UDP encapsulation and IKE over TCP? We also dropped the default MTU to 1300 using MTUAdjust but that shouldn't be needed with AI. Ray From: Craig Baltzer [EMAIL PROTECTED] Reply-To: Mailing list for discussion of Firewall-1 [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject: Re: [FW
