Thursday, 29 August 2013

Sending Syslog flow to an External Log Server

Dear Checkpoint Fellows and Followers,

Syslog data can be forwarded as shown in sk33423; however, this works only from physical boxes.

If you have a VSX infrastructure, it is not possible to send the syslogs of each VSX customer to a separate syslog server. All in all..


Checkpoint R77

Very excited to test the new blades! :)

Friday, 2 August 2013

Check Point R75.47 Released!

Judging by the release notes and the list of resolved issues, it is mainly a maintenance or bug-fix version.

There are a lot of fixed bugs.

It would be good to install the version in the test environment first, and then get it into production a.s.a.p.

Wednesday, 31 July 2013

License Info Tool / Checkpoint

License Tool for Checkpoint. I found it pretty useful, as license issues are complicated more often than not. You find it under My Products > License Info Tool.

Sunday, 21 July 2013

Fortinet Upgrade Procedures

Upgrade processes have usually been an issue with Check Point. However, it is unbelievably easy with the security vendor Fortinet (even in a cluster environment):

- the .out file is downloaded from the support site,
- it is uploaded through the GUI.

Then the whole process runs automatically: first the active member is upgraded, losing 4 - 6 ping packets, and then 2-3 pings are lost while the second member is upgraded.

I suppose the reason is truly the architectural difference behind these boxes.

Friday, 22 February 2013

Network Troubleshooting - Cisco Packet Flow

To be or not to be.
Incoming or outgoing packets: sometimes understanding these two subjects is vital in the troubleshooting process.

ip access-list extended gre-debug-out
 permit gre any any log
 ! the gre line is optional; it separates tunnel traffic from the rest
 permit ip any any log

ip access-list extended gre-debug-in
 permit gre any any log
 ! optional, as above
 permit ip any any log

interface GigabitEthernet0/1
ip access-group gre-debug-in in
ip access-group gre-debug-out out

Here it is:

show ip access-list gre-debug-in

show ip access-list gre-debug-out

Believe me, you will like the result.
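As an added example (not code from the original post): a small Python script that aggregates the syslog lines the `log` keyword produces and lists the flows that entered the interface without a reply leaving through it. The sample lines are constructed in the shape IOS uses for `%SEC-6-IPACCESSLOGP` (tcp/udp) and `%SEC-6-IPACCESSLOGNP` (other protocols, e.g. 47 = GRE); the ACL names follow the post, the addresses are assumed.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not captured from a real device).
SAMPLE_LOG = """\
%SEC-6-IPACCESSLOGNP: list gre-debug-in permitted 47 10.2.2.2 -> 10.1.1.1, 5 packets
%SEC-6-IPACCESSLOGNP: list gre-debug-out permitted 47 10.1.1.1 -> 10.2.2.2, 5 packets
%SEC-6-IPACCESSLOGP: list gre-debug-in permitted udp 192.0.2.11(5060) -> 198.51.100.7(5060), 2 packets
%SEC-6-IPACCESSLOGP: list gre-debug-out permitted udp 198.51.100.7(5060) -> 192.0.2.11(5060), 2 packets
%SEC-6-IPACCESSLOGP: list gre-debug-in permitted tcp 192.0.2.10(51234) -> 198.51.100.5(443), 3 packets
%SEC-6-IPACCESSLOGP: list gre-debug-in permitted tcp 192.0.2.10(51235) -> 198.51.100.5(443), 1 packet
Jan  1 00:00:01 router: %SYS-5-CONFIG_I: Configured from console
"""

# Ports are optional so the same pattern covers IPACCESSLOGP and IPACCESSLOGNP.
LINE_RE = re.compile(
    r"%SEC-6-IPACCESSLOGN?P: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\S+) (?P<src>[\d.]+)(?:\(\d+\))? -> "
    r"(?P<dst>[\d.]+)(?:\(\d+\))?, (?P<count>\d+) packets?"
)


def parse_acl_log(text):
    """Return {acl_name: {(proto, src, dst): packets}} from IOS ACL log lines.

    Ports are deliberately dropped so that many client connections to the
    same service collapse into one flow, which is what you want when you are
    asking 'does this traffic pass through the interface at all?'.
    """
    hits = defaultdict(lambda: defaultdict(int))
    for line in text.splitlines():
        m = LINE_RE.search(line)  # search(): real lines carry timestamps
        if not m:
            continue  # not an ACL log message; ignore it
        hits[m["acl"]][(m["proto"], m["src"], m["dst"])] += int(m["count"])
    return {acl: dict(flows) for acl, flows in hits.items()}


def one_way_flows(hits, in_acl, out_acl):
    """Inbound flows with no reverse flow (src/dst swapped) on the outbound ACL.

    For the in/out ACL pair on one interface, a healthy exchange such as both
    legs of a GRE tunnel shows up once per direction. Flows listed here came
    in but nothing went back out: a pointer to a broken route, NAT rule or
    far-end peer. Assumes return traffic uses the same interface.
    """
    outbound = hits.get(out_acl, {})
    return {(p, s, d): n for (p, s, d), n in hits.get(in_acl, {}).items()
            if (p, d, s) not in outbound}
```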

Identity Awareness - User & Machine Identification

Even though you see users and/or machines as acquired in SmartDashboard, pdp monitor is the place where the AD query actually comes in. If you do not see the users/machines in pdp monitor, it means that Check Point did not actually acquire them.

pdp monitor all | more

pdp monitor all | grep <machine or username>

Friday, 15 February 2013

IPS Update: ips scheduled update ended with errors

Check the internet connection on the SMC, and check the DNS configuration to verify that the update server's name resolves to an IP.

To manually update the IPS database;

1- Close all GUI applications,
2- Open GuiDBedit to the SMC (application: GuiDBedit.exe),
3- Search (Search -> Find) for: autoupdate_and_install_status_obj

Once found, you will see a field named status under that object.
4- Change the value of status to 0,
5- Save the changes and close GuiDBedit,
6- Open Dashboard and verify that the issue is resolved.

Note: there is a fix for this issue; request it from Support.

Wednesday, 13 February 2013

ClusterXL - Do not Consume Public IPs for ClusterXL

Configuring Cluster Addresses on Different Subnets
Only one routable IP address is required in a ClusterXL cluster, for the virtual cluster interface that faces the Internet. All cluster member physical IP addresses can be non-routable. Configuring different subnets for the cluster IP addresses and the member addresses is useful in order to:

- Enable a multi-machine cluster to replace a single-machine gateway in a pre-configured network, without the need to allocate new addresses to the cluster members.
- Allow organizations to use only one routable address for the ClusterXL Gateway Cluster. This saves routable addresses.
ClusterXL virtual IPs and your members' physical (or VLAN) interfaces do not need to be on the same subnet, so you can simply use whichever addresses you like for each of the cluster interfaces (apart from the internal/management and external/VPN-routable interfaces, obviously). And of course this applies to physical untagged interfaces too, unlike our VLAN case.
I settled for using tiny Class B private space /30 subnets for each VLAN, enough for just our 2 cluster members. The topology would then look like this.