Re: [FW-1] SmartUpdate Strange Behavior

2013-06-07 Thread Ray
What version are you using? We're seeing the same continual license delete and add nonsense on R76 Gaia and it was not there on R75.20. I'll have to look and see what the client IP is on Monday. We noticed it because of the syslog alerts. Ray > Date: Fri, 7 Jun 2013 07:02:00

Re: [FW-1] checkpoint r76 - is anyone using this release for production firewalls ?

2013-05-16 Thread Ray
Yes, pretty much zero issues. They were all clean installs on new Dell hardware using Gaia 64-bit. "migrate" was used to bring the R75.20 policies over to the Gaia 64-bit SmartCenter, again with zero issues. Geo protection is much more accurate. Ray There were a few critical Gai

Re: [FW-1] Your uptimes

2013-02-13 Thread Ray
We don't have to patch Check Point any more except very rarely, ever since Check Point effectively stopped using HFAs in favor of new version numbers. They're just upgrades now and as long as the current version is still supported, we don't have to upgrade. Ray > Date: Wed,

Re: [FW-1] Load on memory error again and again

2012-11-15 Thread Ray
I just hit the same issue on a SPLAT R75.20 box. SmartView Monitor showed 3+ GB of Virtual Memory Active which seemed way high. A cpstop;cpstart on the firewall dropped the SmartView Monitor number to just over 1 GB and policies installed fine again. The box had been up for about 320 days. > Da

Re: [FW-1] Connections dropping when pushing policy

2012-02-25 Thread Ray
I think I confused multi-core with multi-CPU. When we bought new hardware about four years ago we had to buy a 2-core CPU instead of the normal quad core because of our licensing. Until CoreXL supports QoS it's staying disabled. Ray > Date: Fri, 24 Feb 2012 07:41:36 -0500 > From: i

Re: [FW-1] Connections dropping when pushing policy

2012-02-23 Thread Ray
heck Point licensing. :-) Ray > Date: Thu, 23 Feb 2012 12:18:33 +0530 > From: moham...@fss.co.in > Subject: Re: [FW-1] Connections dropping when pushing policy > To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM > > I am not getting this NTP error message, anyway have enabled "Kee

Re: [FW-1] Connections dropping when pushing policy

2012-02-21 Thread Ray
: [FW-1] Connections dropping when pushing policy > To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM > > Dear Ray, > > Ours is a Nokia box hardware and Smart center running in another > separate PC with 4GB RAM > Version: NGX (R65) > OS: IPSO Version: 4.2 > > Average C

Re: [FW-1] Connections dropping when pushing policy

2012-02-20 Thread Ray
It sounds more like under-powered hardware. What are you using and is the SmartCenter on the same box as the firewall? Ray > Date: Mon, 20 Feb 2012 17:33:05 +0530 > From: moham...@fss.co.in > Subject: Re: [FW-1] Connections dropping when pushing policy > To: FW-1

Re: [FW-1] SNX failure, page cannot be displayed

2012-02-17 Thread Ray
Thanks for mentioning that R75.30 one on open server. Do you have any more details? We're still on R75.20 on Dell 2950's and are thinking about R75.30. Ray > Date: Thu, 16 Feb 2012 19:37:08 -0800 > From: accesslimi...@yahoo.com > Subject: Re: [FW-1] SNX failure, page canno

Re: [FW-1] SNX failure, page cannot be displayed

2012-02-16 Thread Ray
Check this: https://www.cpug.org/forums/snx-ssl-network-extender/16989-problem-ssl-network-extender-page-cannot-displayed.html#post74614 Ray > Date: Wed, 15 Feb 2012 11:26:02 -0800 > From: accesslimi...@yahoo.com > Subject: [FW-1] SNX failure, page cannot be displayed > To: FW-1

Re: [FW-1] Change control

2012-02-07 Thread Ray
lot of that when I was in manufacturing. Everyone is just trying to do their job but non-firewall types rarely understand how the applications they manage actually work. So it's a big part of the job to help people "just make it work" while keeping things to least privilege. Ray

Re: [FW-1] KB2585542 vs SNX

2012-02-04 Thread Ray
er, does that fix it? I'm guessing the answer is Yes. This is also affecting SSL terminating proxies such as older versions of Websense. I think they have a hot fix for v7.5.5 and v7.6.x has the fix built in. Ray > Date: Sat, 4 Feb 2012 10:23:49 -0800 > From: cprev...@gosecure.ca

Re: [FW-1] Change control

2012-02-04 Thread Ray
s. In SmartView Monitor we have its alerts set to email also. All policy installations generate an email alert so everyone knows it happened. Ray > Date: Fri, 3 Feb 2012 14:17:12 -0800 > From: dly...@placer.ca.gov > Subject: [FW-1] Change control > To: FW-1-MAILINGLIST@AMADEUS.US.CHECKP

Re: [FW-1] KB2585542 vs SNX

2012-02-04 Thread Ray
If an RC4 cipher is the first one offered in the server preference (and the server does not offer up ciphers in a random order), then this should not affect your system. Ray > Date: Sat, 4 Feb 2012 12:59:19 -0500 > From: sixsigm...@hotmail.com > Subject: Re: [FW-1] KB2585542 vs SNX >

Re: [FW-1] KB2585542 vs SNX

2012-02-04 Thread Ray
Have you opened a case with Check Point yet? They have developed a hotfix for R75.20 and were working to backport it to earlier versions. I do not know what that progress is. It's not just Check Point products that are affected. It's breaking other vendor's SSL VPN system

Re: [FW-1] Reboot frequency of firewalls

2012-01-13 Thread Ray
The same as others have reported. Running SPLAT and a year uptime is not uncommon. I generally do a version update once a year unless there is a security patch. When I started one job, their IP530's running IPSO 3.7 had almost 600 days of uptime. Ray > Date: Fri, 13 Jan 2012 17:22:

Re: [FW-1] Floodgate component installed but seems not to be effective/work

2012-01-13 Thread Ray
1 bit per second? Is that what you mean by 1 Bps? Try something more usual like 56 K/bps and set just a limit and not a guarantee. It definitely works on R55 because I used to use it all the time. Do you have the QoS value set properly on the firewall's QoS tab? Ray > Date: Fri

Re: [FW-1] Upgrade with a flush install from R70 to R75.20

2011-12-17 Thread Ray
From the upgrade_tools directory, I run mine as ./migrate export /var/cpexport.tgz Ray > Date: Tue, 13 Dec 2011 12:41:49 +0200 > From: vbavbal...@gmail.com > Subject: Re: [FW-1] Upgrade with a flush install from R70 to R75.20 > To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM

Re: [FW-1] Upgrade with a flush install from R70 to R75.20

2011-12-12 Thread Ray
worked just fine on two R75.20 SmartCenters. I'd also consider running "gzip --test" on your export before you flatten the box. I had one that corrupted for some reason. Ray > Date: Mon, 12 Dec 2011 11:40:31 +0200 > From: vbavbal...@gmail.com > Subject

Re: [FW-1] Question about restoring smartcenter

2011-09-30 Thread Ray
It's never been possible in the past versions. The SmartCenter compiles the policy and pushes the compiled code to the firewall. Have you opened a support case to ask about your version? Have you tried mounting the hard drive in another computer to see if you can retrieve its files?

[FW-1] Hacker 'handshake' hole found in common firewalls - but not CP!

2011-04-13 Thread Ray
k.a. "Insecure by default" :-) http://www.networkworld.com/news/2011/041311-firewall-vendor-response.html?hpg1=bn Ray

Re: [FW-1] Local Interface Address Spoofing

2011-01-18 Thread Ray
> This issue started happening after we change the address of the > internal interface of our fw1. Is the other side using the same IP address as your internal interface anywhere? Maybe it's for real. Ray > Date: Tue, 18 Jan 2011 07:28:36 +1100 > From: c...@ans.com.au

Re: [FW-1] Local Interface Address Spoofing

2011-01-14 Thread Ray
l after re-IP'ing. FWIW, Ray > Date: Sat, 15 Jan 2011 11:50:13 +1100 > From: c...@ans.com.au > Subject: [FW-1] Local Interface Address Spoofing > To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM > > Hi, > > We're getting now "Local Interface Address Spoofing"

Re: [FW-1] Setting /Reviewing/Monitoring IPS policy

2010-10-24 Thread Ray
's a real attack or a false positive and then decide what to do based on your exposure. 3. Once a system has been patched, disable that IPS protection. Ray > Date: Sun, 24 Oct 2010 09:52:05 +0300 > From: vbavbal...@gmail.com > Subject: [FW-1] Setting /Reviewing/Monitoring IPS policy >

Re: [FW-1] Risks of Site -to Site VPN data line

2010-10-24 Thread Ray
What does "web project" mean? What ports, protocols and traffic is expected? Is SSL going to be used? Who is connecting to who? What access does the thing being connected to have on the internal network? For example, is it a web server that is installed on your internal network? R

Re: [FW-1] SQL injection protection

2010-10-24 Thread Ray
ld be, putting the Imperva SecureSphere appliance in allows it to see web traffic to and from the web server AND allows it to see database traffic between the web server and the back-end database. If you buy the appropriate licenses, it can then act as a database activity monitor and as a databa

Re: [FW-1] Staying with SecurePlatform?

2010-10-21 Thread Ray
d terminate each one on their own NIC. Ray > Date: Wed, 20 Oct 2010 15:34:21 -0400 > From: jason.ebers...@sti-ultrasound.com > Subject: [FW-1] Staying with SecurePlatform? > To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM > > I'm at a crossroads. My maintenance renewal is com

Re: [FW-1] SNX Warning about vulnerabilities in a third party cert.

2010-08-09 Thread Ray
https://forums.checkpoint.com/forums/thread.jspa?threadID=10241 When you launch SNX and go look at the certificate details tab, does it say the signature hash algorithm is SHA1 or MD5? Ray > Date: Mon, 9 Aug 2010 16:29:13 -0600 > From: seral...@gmail.com > Subject: [FW-1] SNX Warn

Re: [FW-1] R65 to R70.30 or R71

2010-06-09 Thread Ray
ly SmartView Monitor says a gateway is disconnected when it never is. Doesn't R71 require blade licenses? Have you done that yet? Ray > Date: Mon, 7 Jun 2010 14:51:24 -0500 > From: jlindb...@mico.com > Subject: [FW-1] R65 to R70.30 or R71 > To: FW-1-MAILINGLIST@AMADEUS.US.C

Re: [FW-1] Upgrade to R70.20 (or R70.30)

2010-04-29 Thread Ray
Yeah, that's how I do it. Sometimes a few weeks go by before the gateways get upgraded. BTW, R71 is out. http://supportcontent.checkpoint.com/solutions?id=sk44675 Ray > Date: Mon, 26 Apr 2010 13:39:15 -0700 > From: ychap...@parc.com > Subject: [FW-1] Upgrade to R70.20 (or R70.

Re: [FW-1] ipsec between database (LAN) and aplication server (DMZ) through CP

2010-04-08 Thread Ray
of course, they are ex-Check Point employees. :-) Ray > Date: Mon, 5 Apr 2010 14:37:13 +0300 > From: vbavbal...@gmail.com > Subject: [FW-1] ipsec between database (LAN) and aplication server (DMZ) > through CP > To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM > > Hi,

Re: [FW-1] Preventing SQL injection with Smartdefense

2010-03-20 Thread Ray
could come into work on Monday, look at its log and say to yourself "Great, we got hacked on Friday evening because my company was too cheap to buy it. Now I get to clean up the mess and then we'll buy it so this doesn't happen again." :-) FWIW, Ray > Date: Sat, 20 Ma

Re: [FW-1] Using bridge configuration with R70.2

2010-03-20 Thread Ray
dcast to every port, including the SQL_NET port of the bridge firewall interface. SmartView Tracker will show two "internal" devices trying to talk to each other and you'll be scratching your head trying to figure out why that traffic is hitting the firewall at all. Or at least I di

Re: [FW-1] Jmicron problem

2009-12-26 Thread Ray
Correct, but if it stops somewhere else for Giacomo that says it's some kind of routing problem. If it goes to roughly the same endpoint, that means it's some kind of protocol problem. Ray > Date: Thu, 24 Dec 2009 09:01:59 -0600 > From: oscar.esqui...@digicelgroup.com >

Re: [FW-1] Jmicron problem

2009-12-23 Thread Ray
23 314 ms 292 ms 260 ms h193.s91.ts.hinet.net [168.95.91.193] 24 *** Request timed out. 25 *** Request timed out. 26 ** ^C So it's timing out somewhere in Taiwan, which is where that IP address is registered. Ray

Re: [FW-1] Best practices for bandwith statistics and bandwith management

2009-12-21 Thread Ray
) and I think the last one is a month. It will give you the top three talkers when you click on any graph, but that may not be enough. A SmartView Monitor license will fill in the gap. Ray > Date: Mon, 21 Dec 2009 10:18:47 +0200 > From: vbavbal...@gmail.com > Subject: [FW-1] Best prac

Re: [FW-1] Checkpoint DOS/DDOS

2009-12-08 Thread Ray
you would do for those situations would work for a DoS except if the attacker is using DNS the outage would follow you. Ray > Date: Tue, 8 Dec 2009 21:49:45 +0200 > From: vboz...@e-kolay.net > Subject: [FW-1] Checkpoint DOS/DDOS > To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.

Re: [FW-1] Generating a CSR with 2048 key possible on R65 firewall?

2009-10-22 Thread Ray
I thought the 2048 bit requirement was only for the 2-year EV certs. I just did one for a 1-year EV cert and it only needed 1024 from Verisign. Ray > Date: Thu, 22 Oct 2009 11:18:20 -0400 > From: mqnguy...@gmail.com > Subject: [FW-1] Generating a CSR with 2048 key possible on R65 firew

Re: [FW-1] L2TP connection from iPhone

2009-09-21 Thread Ray
Check Point just announced iConn, a VPN client for the iPhone. That might be more useful. It's supposed to be free from the App Store. http://www.cpug.org/forums/secureclient-securemote/11697-iconn-vpn-client-iphone-now-app-store.html Ray > Date: Mon, 21 Sep 2009 05:52:47 -060

Re: [FW-1] Release date for R70

2009-03-05 Thread Ray
sus features we'll be looking at other vendors as well. Heck, the feature list for Microsoft's ISA replacement, their Threat Management Gateway, is very impressive. They have SSL termination and inspection built in now, have HTTP malware inspection built in and we already have

Re: [FW-1] Release date for R70

2009-03-03 Thread Ray
I'm more interested in how my current licenses are going to map to R70. I am not paying more for what I already have. Ray > Date: Tue, 3 Mar 2009 12:16:08 +0100 > From: carlopm...@gmail.com > Subject: [FW-1] Release date for R70 > To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOIN

Re: [FW-1] IPSec/LAN-to-LAN -> R62 -cisco VPN Concentrator 3000

2009-01-31 Thread Ray
What version of FW-1 are you using on your side and what HFA? You ought to consider changing MD5 to SHA-1 given all of the bad publicity about MD5 recently. Are you sure PFS is disabled on both sides? Ray > Date: Fri, 30 Jan 2009 18:57:56 + > From: miguel.ferre...@link.pt > Subje

Re: [FW-1] SmartDefense and DNSSEC/EDNS

2009-01-14 Thread Ray Van Dolson
On Wed, Jan 14, 2009 at 10:23:30AM -0800, Ray Van Dolson wrote: > Hi folks; I'm looking for a little information on how the SmartDefense > DNS stuff works in CheckPoint. > > We run BIND 9.3.5 behind our firewalls which have SmartDefense on, but > occasionally have problems

[FW-1] SmartDefense and DNSSEC/EDNS

2009-01-14 Thread Ray Van Dolson
ld work fine however). Our current solution is either to disable EDNS queries or to turn off SmartDefense for DNS -- neither is an ideal solution. Any thoughts or insight? Thanks, Ray [1] https://lists.isc.org/pipermail/bind-users/2009-January/074558.html

[FW-1] R60 HFA07 released

2008-11-15 Thread Ray
http://www.checkpoint.com/downloads/latest/hfa/vpn1_power/index.html#NGX%20R60 http://dl3.checkpoint.com/paid/4c/VPN-1_NGX_R60_HFA_07_Release_Notes.pdf?HashKey=1226799517_0cd45cb9179080820b961ffa3a6e8ba5&xtn=.pdf Ray

[FW-1] Connecta NGX R62 XSS vulnerability

2008-09-24 Thread Ray
The vulnerability is reported in Checkpoint Connectra NGX R62 HFA_01, Hotfix 601, Builds 006 and 014. Other versions may also be affected." Ray

[FW-1] And now the real reason for R65 HFA30

2008-09-23 Thread Ray
in that article. HFA30 is the only HFA approved for the Common Criteria configuration. Ray

Re: [FW-1] R65 HFA30 released

2008-09-15 Thread Ray
It's kind of odd that this is listed as an HFA yet the release notes do not document that the fixes in the 249 rollup are included. Ray > Date: Mon, 15 Sep 2008 08:23:47 +0200 > From: [EMAIL PROTECTED] > Subject: Re: [FW-1] R65 HFA30 released > To: FW-1-MAILINGLIST@AMADEUS.

Re: [FW-1] Compile FW Rules (No changes) to get the FW to work correcly again

2008-07-20 Thread Ray
Sounds like you're losing the ARP entry if NAT is involved in getting to the proxy. Ray > Date: Wed, 16 Jul 2008 21:45:00 -0500 > From: [EMAIL PROTECTED] > Subject: [FW-1] Compile FW Rules (No changes) to get the FW to work correcly > again > To: FW-1-MAILINGLIST@AMADE

Re: [FW-1] How to get a checkpoint rep ASAP

2008-06-20 Thread Ray
What's the problem? Ray > Date: Fri, 20 Jun 2008 12:25:18 -0400 > From: [EMAIL PROTECTED] > Subject: [FW-1] How to get a checkpoint rep ASAP > To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM > > Hi all, > > UTM-1 appliance; Secureplatform; R62 > > Have c

[FW-1] R62 HFA01 released

2008-06-19 Thread Ray
http://www.checkpoint.com/downloads/latest/hfa/vpn1_power/index.html 56 fixes. Ray

Re: [FW-1] How are SSL VPNs safer than IPSec?

2008-06-18 Thread Ray
Thanks to everyone who took the time to respond. There were a few new points I hadn't heard of before. Take care, Ray > Date: Mon, 16 Jun 2008 12:55:49 -0400 > From: [EMAIL PROTECTED] > Subject: [FW-1] How are SSL VPNs safer than IPSec? > To: FW-1-MAILINGLIST@AMADEUS.US.CHEC

[FW-1] How are SSL VPNs safer than IPSec?

2008-06-16 Thread Ray
ree" as in "It's included with Microsoft Server" comes with a high price in terms of manageability. The only advantage I can see is that the client software is pushed instead of pulled IF the end user has admin rights. Any enlightenment would be appreciated. Ray > the

Re: [FW-1] R60 and Linux (FreeSwan)/VPN Client Support

2008-06-15 Thread Ray
Possibly. You could have policies to control how they are set up, but personally I don't believe in policies without technical controls to back them up. Ray > Date: Sat, 14 Jun 2008 17:26:06 -0700 > From: [EMAIL PROTECTED] > Subject: Re: [FW-1] R60 and Linux (FreeSwan)/VPN Clien

Re: [FW-1] R60 and Linux (FreeSwan)/VPN Client Support

2008-06-14 Thread Ray
Correct. Those rules and features are downloaded by the laptop client and implemented by the desktop client. Ray > Date: Sat, 14 Jun 2008 15:34:53 -0700 > From: [EMAIL PROTECTED] > Subject: [FW-1] R60 and Linux (FreeSwan)/VPN Client Support > To: FW-1-MAILINGLIST@AMADEUS.US.CH

Re: [FW-1] Upgrade advice

2008-06-04 Thread Ray
PSO upgrade in-place, which I've never had an issue with (as long as I had enough disk space). Ray > Date: Wed, 4 Jun 2008 03:09:35 -0400 > From: [EMAIL PROTECTED] > Subject: [FW-1] Upgrade advice > To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM > > Hello all, > >

Re: [FW-1] VPN error,topology data without authentication. :MORE

2008-05-29 Thread Ray
You shouldn't have to edit anything in that file. Topology downloads without authentication stopped being the norm around NG FP3. Was this an upgrade from a really old version? Ray > I found where I should edit objects_5_0.C but I am not sure which copy I > should edit. > >

Re: [FW-1] VPN Wire Mode

2008-05-11 Thread Ray
Asian subsidiaries even though they were our employees. Ray > Date: Sun, 11 May 2008 09:42:59 -0500 > From: [EMAIL PROTECTED] > Subject: [FW-1] VPN Wire Mode > To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM > > While preparing to add a second external interface and a T1 to have a >

Re: [FW-1] NG AI R55 end of life?

2008-05-10 Thread Ray
ce. I bought new quad NIC cards as well. Ray > We also ran into problems with the hardware compatibility list, more > specifically the supported network cards. In R55, we had quadport > adaptec 10/100 cards that worked great, but in R65 they broke if you > were using vlan subinterfac

Re: [FW-1] NG AI R55 end of life?

2008-05-09 Thread Ray
capabilities to manage the R55 firewalls. This works well. Ray > Date: Fri, 9 May 2008 15:53:42 +0100 > From: [EMAIL PROTECTED] > Subject: [FW-1] NG AI R55 end of life? > To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM > > Dear All, > > Have just received notice that NG

Re: [FW-1] Question about implementing Connectra

2008-05-08 Thread Ray
re doing RSA, not so much worry. :-) Ray > Date: Thu, 8 May 2008 08:08:23 +0200 > From: [EMAIL PROTECTED] > Subject: [FW-1] Question about implementing Connectra > To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM > > Hi all, > > After doing some tests with Connectra over 30 d

Re: [FW-1] Remote Access with SecureClient

2008-05-05 Thread Ray
domain accounts, their regular restricted one and another that is a local admin that they can use with RunAs to install software. Make darn sure you encrypt the laptops, which may be mandatory depending on your industry. If it's only a few people consider TrueCrypt from www.truecrypt.org.

Re: [FW-1] any feedback regarding secureplatform 2.6

2008-04-23 Thread Ray
tform 2.6. It says HFA03 is not supported on the 2.6 kernel, so I guess we have to wait a bit longer. :-) Ray > Date: Wed, 23 Apr 2008 21:30:36 -0400 > From: [EMAIL PROTECTED] > Subject: Re: [FW-1] any feedback regarding secureplatform 2.6 > To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOI

Re: [FW-1] any feedback regarding secureplatform 2.6

2008-04-23 Thread Ray
I was told that the plan is for an HFA or other update to be released later this year that will upgrade all R65 installations of the 2.4 kernel to the R65 2.6 kernel. Ray > But at present it is not clear if this version will receive the same > HFA's as the other versions. That is

Re: [FW-1] upgrade from R65 no HFA to NGX (R65) HFA_02, Hotfix 602

2008-03-18 Thread Ray
There's a hotfix in SK for Edge management problems, but I don't think this one is specifically called out. sk33821 - VPN-1 Power/UTM and Provider-1 NGX R65 HFA_02 issues Hotfix Ray > Date: Tue, 18 Mar 2008 20:01:32 -0500 > From: [EMAIL PROTECTED] > Subject: [FW-1] upgrade

[FW-1] Advisory on possible DoS - R55 and up with remote access

2008-03-18 Thread Ray
TITLE: CheckPoint VPN-1 IP Address Collision Security Issue SECUNIA ADVISORY ID: SA29394 VERIFY ADVISORY: http://secunia.com/advisories/29394/ CRITICAL: Less critical IMPACT: Exposure of sensitive information, DoS WHERE: From local network SOFTWARE: Check Point VPN-1/FireWall-1 NG with

Re: [FW-1] SmartDefense blocking https://supportcenter.checkpoint.com/

2008-03-12 Thread Ray
I had to put that one in Monitor Only quite awhile ago because it caused issues with several websites. Ray > Date: Wed, 12 Mar 2008 23:23:30 +0100 > From: [EMAIL PROTECTED] > Subject: Re: [FW-1] SmartDefense blocking > https://supportcenter.checkpoint.com/ > To: F

Re: [FW-1] Upgrade from AI R55 to NGx R65

2008-03-09 Thread Ray
lex. You'll need to hard-code those with ethtool in rc.local HTH, Ray > Date: Sat, 8 Mar 2008 17:24:22 -0800 > From: [EMAIL PROTECTED] > Subject: [FW-1] Upgrade from AI R55 to NGx R65 > To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM > > I am asking for advice from gurus in

Re: [FW-1] SPLAT RAID

2008-02-25 Thread Ray
Sure. I bought the 2950 II's a week before CP certified the 2950 III. :-( Ray > Date: Mon, 25 Feb 2008 14:48:29 +0100 > From: [EMAIL PROTECTED] > Subject: Re: [FW-1] SPLAT RAID > To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM > > > Hi Ray, > > You're

Re: [FW-1] SPLAT RAID

2008-02-23 Thread Ray
controller. Ray > Date: Sat, 23 Feb 2008 10:40:04 +0100 > From: [EMAIL PROTECTED] > Subject: Re: [FW-1] SPLAT RAID > To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM > > I tried a lot of hardware solution. But SPLAT was unable to boot from > Hardware RAID Configuration.

Re: [FW-1] SPLAT RAID

2008-02-22 Thread Ray
Agreed, but for what a firewall costs you and for what a failure can cost your company you should use hardware RAID. > Date: Fri, 22 Feb 2008 11:02:14 +0100 > From: [EMAIL PROTECTED] > Subject: Re: [FW-1] SPLAT RAID > To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM > > Thanks Sin, > but i will t

Re: [FW-1] How to change a SmartCenter from Windows to SecurePlatform

2008-02-13 Thread Ray
Just do it! The files produced by upgrade_export and used by upgrade_import are platform-neutral. It's one of the real beauties of the system. If you have applied R65 HFA01 or HFA02, there is a hotfix you'll need to apply for the tool to work properly, though. Ray > Date: Wed, 1

[FW-1] New R65 post-HFA02 hotfix article

2008-01-26 Thread Ray
VPN-1 Power/UTM and Provider-1 NGX R65 HFA_02 issues Hotfix - sk33821 It looks like they put the Edge policy push, ICA crash, upgrade_export and plus a new anti-virus hotfix into one article. There's no mention of that Floodgate memory leak patch, though.

Re: [FW-1] SecureClient authentication window pop up

2008-01-22 Thread Ray
I'm not sure if this works for RSA. Try checking the box to cache passwords on the desktop. Ray > Date: Tue, 22 Jan 2008 05:29:41 -0800 > From: [EMAIL PROTECTED] > Subject: [FW-1] SecureClient authentication window pop up > To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM >

Re: [FW-1] Automatic Nat problem in Cluster XL R65 NGX

2008-01-20 Thread Ray
CA and Upgrade_* tools problems. Ray > Date: Sun, 20 Jan 2008 04:11:17 -0500 > From: [EMAIL PROTECTED] > Subject: Re: [FW-1] Automatic Nat problem in Cluster XL R65 NGX > To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM > > Sir, > > Inside global properties is checked

Re: [FW-1] CIS Benchmark for R65 on SPLAT released

2007-12-24 Thread Ray
The CIS software that's available for many different devices will scan a device and give you a score based on their template (benchmark). This is one of the more basic ones I've seen, however firewalls are kind of a niche device. Ray > Date: Mon, 24 Dec 2007 14:12:56 +0100

Re: [FW-1] QoS Best Practices...

2007-12-23 Thread Ray
will define the upper limit for the interface. I just use QoS on the external interface myself. Ray > Date: Sun, 23 Dec 2007 17:38:03 + > From: [EMAIL PROTECTED] > Subject: [FW-1] QoS Best Practices... > To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM > > Hi Guys, > >

[FW-1] CIS Benchmark for R65 on SPLAT released

2007-12-22 Thread Ray
http://www.cisecurity.org/bench_checkpoint.html - 30 pages Ray

Re: [FW-1] AW: [FW-1] Office-Mode egress filtering

2007-12-21 Thread Ray
ble to the router. Ray > Date: Fri, 21 Dec 2007 09:29:05 +0100 > From: [EMAIL PROTECTED] > Subject: [FW-1] AW: [FW-1] Office-Mode egress filtering > To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM > > Ray, Reinhard, > > thanks for your replies! > Ray, > > Since you

Re: [FW-1] Office-Mode egress filtering

2007-12-20 Thread Ray
Since you can use any IP range at all for Office Mode, it would be tough. Why is this an issue? Ray > Date: Thu, 20 Dec 2007 17:00:25 +0100 > From: [EMAIL PROTECTED] > Subject: [FW-1] Office-Mode egress filtering > To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM > > Hel

Re: [FW-1] AW: Re: [FW-1] Nmap scan of NGX-Strange

2007-12-13 Thread Ray
Have you tried it yourself? Personally I don't trust UDP scanning very much. Can you list the UDP ports here? Ray > Date: Fri, 14 Dec 2007 07:21:47 +0530 > From: [EMAIL PROTECTED] > Subject: Re: [FW-1] AW: Re: [FW-1] Nmap scan of NGX-Strange > To: FW-1-MAILINGLIST@AMADEUS.

Re: [FW-1] boot security

2007-12-12 Thread Ray
onsole cable to restore access, as sad as that sounds. Ray > Date: Tue, 11 Dec 2007 21:09:08 -0500 > From: [EMAIL PROTECTED] > Subject: Re: [FW-1] boot security > To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM > > Bill, the firewall should not be loading the initial policy because

Re: [FW-1] Nmap scan of NGX-Strange

2007-12-12 Thread Ray
You probably can do it by modifying the .def INSPECT files, but that will cause you issues when you apply HFAs or upgrades by making you do a bunch of stuff manually. It would be best to just block the ports on the next-hop router if it really bothers you. Ray > Date: Wed, 12 Dec 2007 10

Re: [FW-1] Nmap scan of NGX-Strange

2007-12-11 Thread Ray
What ports? Ones like 4500 and 18264? If so, do you have implied rules enabled? Banner obfuscation is useful only to befuddle attackers that don't know what they're doing and to keep checklist-using auditors happy. In my opinion, of course. :-) Ray > Date: Wed, 12 Dec 2007 0

Re: [FW-1] AW: Re: [FW-1] R65 and other .iso images now available for download!

2007-12-09 Thread Ray
Nah, the two grand is for understanding multi-core processors. The 2.6 kernel version is "free." The "Messaging security" one is for anti-spam. Ray > Date: Sun, 9 Dec 2007 23:12:53 +0200 > From: [EMAIL PROTECTED] > Subject: Re: [FW-1] AW: Re: [FW-1] R65 and ot

Re: [FW-1] AW: Re: [FW-1] R65 and other .iso images now available for download!

2007-12-09 Thread Ray
That one is so new I don't even know if there is a license price yet. Ray > Date: Sat, 8 Dec 2007 19:57:31 +0100 > From: [EMAIL PROTECTED] > Subject: [FW-1] AW: Re: [FW-1] R65 and other .iso images now available for > download! > To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT

Re: [FW-1] R65 and other .iso images now available for download!

2007-12-08 Thread Ray
There's now two available, the old one and a new one using the Linux 2.6 kernel that was released in the last week or so. Unless you need that one for hardware compatibility, I'd stay away from it until the pioneers get the arrows removed from their backs. Ray > Date: Sat, 8 Dec

[FW-1] R60 HFA06 released

2007-11-03 Thread Ray
Eight fixes, including the local administrator privilege escalation issue. Ray

[FW-1] R61 HFA03 released

2007-10-31 Thread Ray
Nine fixes, including the one for the recently reported local privilege escalation problem if you're an administrator. Ray

Re: [FW-1] R65 HFA-02

2007-10-29 Thread Ray
No issues on SPLAT so far. Ray > Date: Mon, 29 Oct 2007 13:57:59 -0400 > From: [EMAIL PROTECTED] > Subject: [FW-1] R65 HFA-02 > To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM > > Hey guys, anyone been successful in getting HFA-02 for R65 installed? > Had a win 2003 SCS tha

Re: [FW-1] SSL VPN performance vs. SecureClient

2007-10-25 Thread Ray
, well, that was all they would ever use. And I can't blame them. Ray > Date: Thu, 25 Oct 2007 07:34:21 +0200 > From: [EMAIL PROTECTED] > Subject: Re: [FW-1] SSL VPN performance vs. SecureClient > To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM > > -BEGIN PGP SIGNED ME

Re: [FW-1] SSL VPN performance vs. SecureClient

2007-10-24 Thread Ray
SSL VPN you still have to worry about endpoint protection. With SecureClient I use its built-in 2-way firewall and know what's going on security-wise. Ray

[FW-1] R65 HFA02 released

2007-10-22 Thread Ray
Yep, you read it right. Six fixes, including that local privilege one. Ray

Re: [FW-1] Checkpoint VPN over SSL vs Juniper

2007-10-20 Thread Ray
censes for SecureClient for the Mac. This kind of nickel-and-dime behavior really sours management on their products. Ray

Re: [FW-1] R65 HFA01 problems?

2007-10-20 Thread Ray
I believe the last two posts, from Melipa and DannTro, were regarding issues with the public release. Ray > All I saw in the post was a remark that HFA-01 as earlier provided to > CSP's was not alright. No one reported issues with the normal HFA-01 as > far as I can read i

[FW-1] R65 HFA01 problems?

2007-10-20 Thread Ray
A. Thanks, Ray

Re: [FW-1] Checkpoint VPN over SSL vs Juniper

2007-10-19 Thread Ray
We use RSA SecurID with a Juniper SA-2000 for remote access. I did use Check Point ICA certificates with a Connectra R62 box in my previous job. As long as you stay away from plain old user name and password, you'll be in a lot better shape almost regardless of what you use. Ray > D

Re: [FW-1] Performance effect of track Account

2007-10-19 Thread Ray
used SmartView Reporter to generate the reports. I'm not sure how you would do it manually. Ray > Date: Fri, 19 Oct 2007 13:22:59 +0300 > From: [EMAIL PROTECTED] > Subject: [FW-1] Performance effect of track Account > To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM > > What

[FW-1] R65 HFA01 is released

2007-10-16 Thread Ray
56 fixes. Ray

Re: [FW-1] smart defence service and ddos attacks

2007-10-09 Thread Ray
ing worked well. Ray > Date: Tue, 9 Oct 2007 05:14:01 -0700 > From: [EMAIL PROTECTED] > Subject: Re: [FW-1] smart defence service and ddos attacks > To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM > > at my previous job, we did a stress test on Nokia IP2260 (2GB ram box) > on
