Dear UTM-1 gurus,
I am currently running a 2-member UTM-1 3070 cluster (R70.5). We are
planning to change the management IP address. The current IPs are as
follows.
The current objects in SmartDashBoard are:
utm-1-cluster (172.16.0.1) on Internal interface
utm-1-fw1 (172.16.0.11) on In
"drop" rules you find in the policy other than the cleanup rule are proof that you have
rules that are allowing more than they should, and you're trying to prune that access with a few
specific drop rules.)
Does that make sense, or did I explain the concept badly?
-----Origin
king about fundamental differences in
architecture between Juniper (and Cisco, for that matter) and Check Point.
Juniper and Cisco use interface-centric ACLs, whereas Check Point is an
object-oriented firewall.
On Tue, Jan 29, 2013 at 1:09 AM, Clive Luk wrote:
Hi all,
I am just wondering if I ca
Hi all,
I am just wondering if I can define a policy restricted by zone. As I
can see on the CP tracker there is inzone, outzone.
I have UTM-1 with multiple interfaces.
1 x Internet
1 x DMZ
1 x Staff internal
1 x Wireless
1 x Public internal
I am wondering if I can have a policy define to al
5. Get off R70. And don't do another in-place upgrade.
On Wed, Nov 30, 2011 at 6:07 PM, Clive Luk wrote:
Thanks for your reply, Hugo!
The weird issues actually include high CPU usage,
and I am running 2 UTM-1 in active/standby mode. Sometimes when I install
a new rule, the current active fw wil
ob of the UTM-1 configuration. due to the space issue.
Thanks in advance!
Cheers!
On 30/11/11 22:44, Hugo van der Kooij wrote:
On 30.11.2011 00:52, Clive Luk wrote:
Dear list,
I just want some advice on UTM-1 upgrade. I am currently running 2 UTM-1
R70.40. I am thinking of upgrading. Should I
Dear list,
I just want some advice on UTM-1 upgrade. I am currently running 2 UTM-1
R70.40. I am thinking of upgrading. Should I stick with R70? or should I
go to R75?
The reason I am upgrading is that I found the appliances have been acting
weird when I am installing the policy.
Check Point R70.50
Hi,
I have recently set up a cluster with 2 utm1 devices using a crossover
cable. I assume it is similar to your environment. I had a similar problem
to yours, but it was not really complaining about the IP address. Just the 2 utm1
wouldn't sync.
I had to set a rule to allow communication between the 2 utm1 devic
-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
Subject: Re: [FW-1] Bandwidth throttle
Clive Luk wrote:
> Dear List,
>
> I am wondering if checkpoint can handle bandwidth throttling. I am currently
> running R60.
>
Yes, it's called Flood Gate in checkpoint and as of NGX is free of charge.
Sc
Dear List,
I am wondering if checkpoint can handle bandwidth throttling. I am currently
running R60.
Thanks in advance!
Cheers!
Scanned by Check Point VPN-1 UTM NGX R65 with Messaging Security
=
To set vacation, Out-Of-Office, or away messages,
Hi all,
I just got one question.
Is it a best practice to leave/allow the implied rule for DNS traffic
going from any to any? Is that vulnerable?
Should I just set up my own policy to allow DNS traffic accordingly? If I am
going to set up my own policy would that affect the performance on the FW
Dear list,
I have one issue with my VPN.
When I am at home, connected back to my work via secureRemote, I can access
all resources on 172.16.* (as this is the physical interface on FW). However,
I can't access any other resources which are not on the physical interface.
For example, we have a separ
all this helps.
Regards
On 12/26/06, Clive Luk <[EMAIL PROTECTED]> wrote:
>
> Hi all,
>
> I hope someone can help me out here.
>
> I have tried everything I could.
>
> I have newly set up a cluster NGX R60 firewall with RSA authentication
> manager with SecurID wo
Hi all,
I hope someone can help me out here.
I have tried everything I could.
I have newly set up a cluster NGX R60 firewall with RSA authentication
manager with SecurID working. They are all running on Solaris 9.
I have also tested the connection from my home to the cluster FW. I have
connected succe
Thanks Guys!
I will give it a go.
Cheers,
Clive
-Original Message-
From: Mailing list for discussion of Firewall-1
[mailto:[EMAIL PROTECTED] On Behalf Of Sergio
Alvarez
Sent: Wednesday, 27 September 2006 12:05 AM
To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
Subject: Re: [FW-1] Need hel
Hi Guru,
I want to ask if there is an easy method to do a management server upgrade?
Actually I want to move all configuration and license from a piece of old
hardware to new hardware.
Anything I need to pay attention to?
Thanks in advance!
Cheers,
Clive
necessary for cluster-status health checks,
when a Check Point ClusterXL clustering solution is implemented.
-GS
-Original Message-
From: Mailing list for discussion of Firewall-1
[mailto:[EMAIL PROTECTED] On Behalf Of Clive
Luk
Sent: Tuesday, August 15, 2006 8:11 PM
To: FW-1-MAILINGLIST
Hi list,
I have set up a CP R60 high availability new mode using clusterxl. I am just
wondering if it is normal that there is lots of broadcast traffic being generated on
all interfaces?
Cheers,
Clive
ducts/choice/platforms.html
Regards
Sergio
On 8/2/06, Clive Luk <[EMAIL PROTECTED]> wrote:
>
> Dear list,
>
> I want to get some suggestions from you guys on what hardware firewall to
> get.
>
> My requirement is to be able to handle gigabit traffic. As 2 of my
> inte
Dear list,
I want to get some suggestions from you guys on what hardware firewall to
get.
My requirement is to be able to handle gigabit traffic. As 2 of my internal
interfaces will need to pass through a lot of traffic. To the internet it's
ok to have 10/100. I have not much experience on H/W fi
Dear list,
I have just set up a cluster HA gateway in my test area. I have one
question (I am not sure if this is normal). In my cluster gateway, I have 2
cluster members. For example cluster1 is active and cluster2 is standby.
Cluster2 can ping the Virtual IP. But cluster1 can't. Is that normal?
E
: Re: [FW-1] Solaris 9 BGE card and NGX60
Yes. My setup is active/standby cluster (not loadsharing) in new mode.
There is no VLAN involved. Both cluster members are V240 servers on
Solaris 9. Using broadcast mode instead of multicast.
Ramki
CCNA, CCSE-NGAI
Clive Luk wrote:
> Hi Ra
with BGE interface,
but NGX R60 is supposed to have resolved those issues. I have installed
NGX R60 with HFA3 on V240 server and it works fine.
Try adding the line "bge accept" in the file /etc/fw.boot/ifdev if it is
not already there.
Ramki
CCNA, CCSE-NGAI
Clive Luk wrote:
> Dear
Dear List,
I am trying to do a new installation on my newly bought two SUN FIRE V240.
Actually I want to set up as a cluster. However, when I installed NGX60 to a
freshly built box, it seems that CP doesn't recognise the bge card.
Does anyone have the same problem? Is there any way I can solve it?
Hi Szurok,
I am not sure if that is the right solution. Correct me if I am wrong. I
think you can reset the Activation Key by using cpconfig and choose
Secure Internal Communication
To reset the activation key.
Cheers,
Clive
-Original Message-
From: Mailing list for discussion of Fire
will need to use the Virtual Tunnel
Interface, a new option in R60.
Regards,
Reinoud.
-Mailing list for discussion of Firewall-1
wrote: -
To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
From: Clive Luk <[EMAIL PROTECTED]>
machine
fails, control is passed to the next highest priority machine. If that
machine fails, control is passed to the next machine, and so on.
regards
Zubair
-Original Message-
From: Mailing list for discussion of Firewall-1
[mailto:[EMAIL PROTECTED] Behalf Of Clive
Luk
Sent: Friday, May
Dear CP gurus,
I have just one question regarding the clustering on NGX60.
High Availability
Will have 2 or more members. When the primary cluster is down the secondary
will pick up. Without load sharing in between,
Load Sharing
Will have 2 or more members. Load will be shared among members. For example
Dear CP gurus,
I am trying to do a fresh installation on Solaris 9.
Here are my question and steps.
I want to install a FW gateway and smartcenter on 2 different boxes.
I am wondering what to choose on FW gateway and what to choose on a
smartcenter. Here are the options.
1.[ ] VPN-1 Pro.
2.[ ] U
-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
Subject: Re: [FW-1] export configuration
If you want to migrate to R60, use the upgrade_export for R60.
The error message indicates "/conf/rulebases_5_0.fws does not exists".
Did you check if the file exists under $FWDIR/conf?
Ramki
CCNA, CCSE-NGAI
Clive
the exported configuration.
4. Follow the cluster configuration guidelines to configure the smart
dashboard objects for the cluster. Install policy on the cluster. You
will need a common IP, sync network etc.
Regards,
Clive Luk wrote:
> Dear FW-1 list members,
>
> Hope someone can help me he
common IP, sync network etc.
Regards,
Clive Luk wrote:
> Dear FW-1 list members,
>
> Hope someone can help me here. Let me explain my situation.
>
> I am currently running single NGX55 on Solaris 8 and SmartCenter on a
> different box (Solaris 9).
>
> I have been assigned
Subject: Re: [FW-1] hotfix question
Yes. HFA-03 is the latest hotfix for R60.
Regards,
Ramki
Clive Luk wrote:
> Hi all,
>
> One more silly question.
>
> http://www.checkpoint.com/downloads/latest/hfa/vpn1pro_express.html#r60
>
> is this the latest hotfix for NGX60?
>
Dear FW-1 list members,
Hope someone can help me here. Let me explain my situation.
I am currently running single NGX55 on Solaris 8 and SmartCenter on a
different box (Solaris 9).
I have been assigned to a project to set up a cluster (load balance/fail-over)
firewall. I have just set up a test box
Hi all,
One more silly question.
http://www.checkpoint.com/downloads/latest/hfa/vpn1pro_express.html#r60
is this the latest hotfix for NGX60?
Thanks!
Cheers,
Clive
Hi all,
Has fw-1-mailinglist got an archive anywhere? Thanks in advance!
Cheers,
Clive
That is what it does after an install.
Did you try the export after? It may work now (depending on if you're
licensed, I think).
Christian Chiaverini
-Original Message-
From: Mailing list for discussion of Firewall-1
[mailto:[EMAIL PROTECTED] On Behalf Of Clive Luk
Sent: Wednesday, Febr
ewall-1
[mailto:[EMAIL PROTECTED] On Behalf Of Clive Luk
Sent: Wednesday, February 01, 2006 5:46 PM
To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
Subject: Re: [FW-1] export log question
Thanks cisco4ng & Christian!
I have tried to export the log in the default log directory. But still no
luc
it that way. I believe the file 2006-01-30_235900.log has to
stay in the $FWDIR/log directory. If you move it outside the $FWDIR/log
directory, it will not work. Remember the 2006-01-30_235900.log also has
pointer files associated with it. The output file can be anywhere but the
input file (-i) h
using NGx R60 so the "source" is different AI R55. If you don't put
in the source, the cron will not work because it will not source all the
environment variables properly and you will be scratching your head wondering
why it works manually but fails in cron.
Good Luck!!!!!
cisc
Hi all,
I hope someone can help me here.
I want to export a raw log to an ASCII file.
I have used this command:
fw logexport -n -m raw -i fw.log -o out.txt
However, I got the following error message.
ld.so.1: fw: fatal: relocation error: file fw: symbol __user_mode_inet6__:
referenced symbol
NGX (R55)
-Original Message-
From: Mailing list for discussion of Firewall-1
[mailto:[EMAIL PROTECTED] On Behalf Of Clive
Luk
Sent: Thursday, 15 December 2005 11:51 AM
To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
Subject: [FW-1] VPN quesiton
Hi all,
I am new to CP. I would like a help of setting
Thanks RK!
I can see it now!
Cheers,
Clive
-Original Message-
From: Mailing list for discussion of Firewall-1
[mailto:[EMAIL PROTECTED] On Behalf Of
Ramakrishnan Pillai
Sent: Thursday, 15 December 2005 1:34 PM
To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
Subject: Re: [FW-1] VPN quesito
Hi,
One more thing is I don't even have the VPN Manager Tab. Is that something
simple?
Cheers,
Clive
-Original Message-
From: Mailing list for discussion of Firewall-1
[mailto:[EMAIL PROTECTED] On Behalf Of Lars Troen
Sent: Thursday, 15 December 2005 12:02 PM
To: FW-1-MAILINGLIST@AMADEUS
Hi Lars,
Thanks for your quick reply. I have checked. I have got the VPN checked. I
am sure we have got the license. Is there any quick way to check to confirm
that we have the VPN license?
Thank you!
Kind Regards,
Clive
-Original Message-
From: Mailing list for discussion of Firewall-1
Hi all,
I am new to CP. I would like help setting up a VPN tunnel from our LAN
to another external company's LAN.
I have found some doco on the net. However, on my SmartDashboard I couldn't
find a 'VPN' column. I am using SmartDashboard NG with Application
Intelligence (R55) Build 127.
It w
Hi all,
Is it possible in Checkpoint to set up a rule to allow an email sent to a few
email addresses?
E.g.
Source from Any
Destination to smpt.mailserver.com
Email sent to [EMAIL PROTECTED] or [EMAIL PROTECTED] is accepted
but not others?
Cheers,
Clive
===
services are up and running.
For more information use the SmartView Status application.
Can someone please help. I can install and verify the policy. But just
can save it.
Thanks,
Clive Luk
48 matches