Friday, February 17, 2012

Manual NAT not working!

2 Things to know about Manual NAT and ARP

On the upstream router you have to route the external NAT address (or address range) to the external interface address of the firewall; if it is a cluster, route it to the cluster VIP instead.

If you can't manage the router, then you have to add the NAT IP addresses together with the MAC address of the related external interface, as described in sk30197.

Saturday, January 7, 2012

Saturday, December 10, 2011

Checkpoint and Multicast Traffic

In order to allow multicast traffic through the gateway, you need to follow sk35996. In addition, you also need to create an allow rule with the service "pim".

Regarding sk31190: SecurePlatform Pro needs to be enabled if you would like the gateway to participate in the multicast routing.

If you just want to let that traffic pass through the gateway, and the gateway does not need to make any dynamic routing decisions, then there is no need to enable SPLAT Pro.

Some tips:
# tcpdump ip multicast
will show you the multicast packets.

To enable the SecurePlatform router config mode, type "pro enable". This needs an "Advanced Routing Blade" license.
Let's enable multicast routing with sparse mode:

[Expert@NGx-gw1]# router config
localhost.localdomain>enable
localhost.localdomain#config t
localhost.localdomain(config)#interface eth0
localhost.localdomain(config-if)#ip pim sparse-mode
localhost.localdomain(config-if)#exit
localhost.localdomain(config)#interface eth1
localhost.localdomain(config-if)#ip pim sparse-mode
localhost.localdomain(config-if)#exit
localhost.localdomain(config)#ip pim enable
localhost.localdomain(config)#exit
localhost.localdomain#wr mem



Tuesday, October 18, 2011

Cluster Status Active - Ready

Last night I faced a problem after replacing the cluster nodes with new hardware.
Although the software versions were the same, at # cphaprob stat one node was Active and the other was Ready.
The solution is in CoreXL: I noticed that the number of enabled cores differed between the nodes; # fw ctl multik stat shows this to you.
The number of cores should be the same on both members.

Monday, October 10, 2011

R75.20 Console Error

If you are getting the below error at SmartConsole,
Failed to save object firewall_properties.
Server error is:Validation error in field 'SynDefender active mode' at
object 'firewall_properties' @ 'properties' --> The value '0' is not in the list of valid values '1~2'. (Code: 0x800415A6, Object Validation Failed)


Create an upgrade_export, then close all SmartConsoles and open GuiDBedit.exe, located in the SmartConsole directory X:\Program Files\CheckPoint\SmartConsole\R7X\PROGRAM.
Find the related object via CTRL+F (in this example it is firewall_properties), change the value of the property (to 1) and click Save All. If it gives a similar error, continue fixing it with the needed parameter.

Mobile Access VPN Policy tab is Empty

An exception occured while constructing the view:
CDIeException Exception:
Error Code: 0(Unspecified error)
User Message: Genera Error: Invalid or No UID
Debug Message:
CDleDereferenceReqHandler::_dereferenceSingleFieldObject not found in CPMI
File Name:
f:\ckp\src\cpdle_flow_983000029\cpdle\comm_itf\CommandCpmiAsync.h
Line number: 207
Inner: NONE


Solution:
Back up and delete the files
applications.C
CPMILinksMGR.db
in $FWDIR/conf.
This is a general solution for SmartConsole problems.

Updated note: check the connectra_policy.C file and correct the corrupted lines.

Sunday, October 2, 2011

Changing Mac Magic numbers at Checkpoint Cluster

The operation below should be done in the scenario where two Check Point clusters work on the same network.
To view the values:
# fw ctl get int fwha_mac_magic
# fw ctl get int fwha_mac_forward_magic
The default values are 254 and 253. Let's change them to 251 and 250:
# fw ctl set int fwha_mac_magic 251
# fw ctl set int fwha_mac_forward_magic 250
We should also write these to $FWDIR/boot/modules/fwkern.conf as hex values, like the example below, so they survive a reboot:
fwha_mac_magic=0xfb
fwha_mac_forward_magic=0xfa
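The fwkern.conf step, as an added example that is not from the original post: it converts the decimal values used with fw ctl to the hex form the file needs and replaces an existing line rather than appending a duplicate, checking that each value is a single byte and that the two magics differ. It assumes the file path is passed in (the post uses $FWDIR/boot/modules/fwkern.conf) and runs its demo on a temporary file; the live kernel change still needs the fw ctl set int commands above.

```shell
#!/bin/sh
# Added example, not from the original post: persist the cluster MAC magic values
# in fwkern.conf as hex, replacing an existing line instead of appending a duplicate.
# Assumptions: the file path is passed in (the post uses $FWDIR/boot/modules/fwkern.conf),
# values are single bytes (0-255) and the two magics must differ, as in the post.
# The live kernel change still needs the "fw ctl set int" commands shown above.

# to_hex 251 -> 0xfb
to_hex() { printf '0x%02x' "$1"; }

# set_kern_param FILE NAME VALUE: ensure exactly one "NAME=0xNN" line in FILE
set_kern_param() {
    file=$1; name=$2; val=$3
    [ "$val" -ge 0 ] && [ "$val" -le 255 ] || { echo "$name: $val not in 0-255" >&2; return 1; }
    line="$name=$(to_hex "$val")"
    touch "$file"
    if grep -q "^$name=" "$file"; then
        sed -i "s/^$name=.*/$line/" "$file"   # GNU sed -i, as on SecurePlatform (Linux)
    else
        echo "$line" >> "$file"
    fi
}

# set_mac_magic FILE MAGIC FORWARD_MAGIC: write both values, refusing an equal pair
set_mac_magic() {
    [ "$2" -ne "$3" ] || { echo "magic and forward magic must differ" >&2; return 1; }
    set_kern_param "$1" fwha_mac_magic "$2" && set_kern_param "$1" fwha_mac_forward_magic "$3"
}

# read_kern_param FILE NAME: print the configured value, or nothing if unset
read_kern_param() { sed -n "s/^$2=//p" "$1"; }

# Constructed demo on a temporary file: start from the default 0xfe already present,
# move to the post's 251/250 pair and show the result.
demo=$(mktemp)
echo "fwha_mac_magic=0xfe" > "$demo"
set_mac_magic "$demo" 251 250
cat "$demo"   # fwha_mac_magic=0xfb then fwha_mac_forward_magic=0xfa
rm -f "$demo"
```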

Tuesday, August 23, 2011

R65.X to R7x Upgrade - How to Uninstall Connectra Plugin

Don't forget to uninstall the plugins.

Uninstall Connectra plugin

# /opt/CPPIconnectra*R65/bin/plugin_preuninstall_verifier
# /opt/CPPIconnectra*R65/bin/plugin_uninstall

Uninstalling VOIP Plugin

# /opt/CPPIvoip-R65/bin/plugin_preuninstall_verifier
# rpm -e CPVOIPCMP
# /opt/CPPIvoip-R65/bin/plugin_uninstall

R75 Console Crash Problem

We have faced some dashboard problems after upgrading to R75: SmartDashboard or Tracker crashes randomly. There is an improved version named Check_Point_SmartConsole_r75_Improved.exe; I would suggest requesting this file from Check Point Support.

R75.20 Upgrade failed via Check_Point_Upgrade_for_R75.20.Splat.tgz

Interestingly, I have encountered this problem at two different customers and
followed a solution with the # patch add cd command via Check_Point_R75.20.Splat.iso.
As you already know, you can use SmartSplat to upload an ISO file to the firewall and mount it like a CD-ROM with a single click.