Monday, May 28, 2012

Site to Site VPN between Checkpoint and pfSense

I would like to share my experience on making a Site to Site VPN between Checkpoint and pfSense.
This is a working procedure.
Good luck :)

Note: if the pfSense side has more than one subnet defined, then you have to adjust the user.def file on the Checkpoint side; otherwise the tunnel will only come up for one subnet.
[Configuration screenshots: encryption 3DES / MD5, Phase 1]

Saturday, May 19, 2012

Thursday, May 10, 2012

IPS Update: ips scheduled update ended with errors



First check the Internet connection on the SMC, and check the DNS configuration to confirm that updates.checkpoint.com resolves correctly.

Then:
1. Manually update the IPS database.
2. Close all GUI applications.
3. Open GuiDBedit (application name: GuiDBedit.exe) and connect to the SMC.
4. Search (Search -> Find) for: autoupdate_and_install_status_obj
5. Once found, you will see a field named status under that object. Change the value of status to 0.
6. Save the changes and close GuiDBedit.
7. Open the Dashboard and verify that the issue is resolved.

Updated note: there is a fix for this issue; request it from Support.

Sunday, May 6, 2012

How to use the SCP upload/download option on the new Gaia OS


To use SCP with Gaia, you have to change the user's shell to bash:

# chsh -s /bin/bash admin

To go back to cli.sh:

# chsh -s /etc/cli.sh admin

Or you may do these actions via the Web UI.
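Switching admin to /bin/bash takes that account out of the restricted clish environment, so it is worth checking afterwards which accounts are still on bash. The script below is an added example (not part of the original post): it reads a passwd-format file and lists every account whose login shell is neither Gaia's /etc/cli.sh nor a no-login shell. The sample passwd content is constructed; on a live box you would point it at /etc/passwd.

```shell
#!/bin/sh
# Added example (not part of the original post): audit a passwd-format file
# and list accounts whose login shell is not the Gaia restricted shell
# /etc/cli.sh, so a temporary "chsh -s /bin/bash" for SCP is not forgotten.
# Assumes the Gaia convention that admin users normally run /etc/cli.sh.

# list_bash_users <passwd_file>
# Prints "user shell" for each account with an unrestricted interactive shell.
# Returns 0 when the file is clean, 1 when at least one such account exists.
list_bash_users() {
    passwd_file="$1"
    found=0
    while IFS=: read -r user _pw _uid _gid _gecos _home shell; do
        # skip blank lines and comments
        case "$user" in ''|'#'*) continue ;; esac
        case "$shell" in
            # the restricted shell and the usual "no login" shells are fine
            /etc/cli.sh|/sbin/nologin|/usr/sbin/nologin|/bin/false|'') continue ;;
        esac
        printf '%s %s\n' "$user" "$shell"
        found=1
    done < "$passwd_file"
    return $found
}

# Constructed sample standing in for /etc/passwd on a Gaia box
SAMPLE_PASSWD="$(mktemp)"
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
admin:x:0:0:Admin:/home/admin:/bin/bash
monitor:x:101:100:Monitor:/home/monitor:/etc/cli.sh
nobody:x:99:99:Nobody:/:/sbin/nologin
EOF

# Live use: list_bash_users /etc/passwd || echo "review the accounts above"
list_bash_users "$SAMPLE_PASSWD" \
    || echo "-> these accounts bypass clish; revert with: chsh -s /etc/cli.sh <user>"
```

The sample reports root and admin and leaves monitor and nobody alone; the non-zero return code lets you chain the check into a cron job or a post-change checklist.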
Thursday, May 3, 2012

R75 UFP causes high CPU usage

Be careful when upgrading R65 to R75.
There is a hotfix for the UFP OPSEC connection; request it from Support before going into production.
Symptoms are:
CPU peaks at 100%, ping latency, dropped packets.
How to replicate:
Try large downloads.

Sunday, April 15, 2012

SmartSPLAT v5 redesigned based on your feedback.



    New Telnet Option,
    New Right Click Menu,
    New SSH Port definition,
    New Duplicate SSH Option,
    New Health Check Option,
    New Cluster Terminal,

    and more...

    http://www.smartsplat.com/

Friday, February 17, 2012

How to reset the SmartEvent database (cause: errors in Reports)

1. Run evstop to stop the reporter module.
2. Delete all files in the /var/$RTDIR/Database/log directory.
3. Delete all files in the /var/$RTDIR/Database/data directory.
4. Extract the contents of $RTDIR/conf/db_files.tgz into the /var/$RTDIR/Database/data directory.
5. Run evstart to start the reporter module.

This process completely overwrites the existing database files with clean new ones.
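Because step 2 and step 3 are destructive, the one thing a practitioner wants on top of the list above is a copy of the old log/ and data/ directories before they are wiped. The function below is an added example, not the original post's own commands: it carries out the five steps with an archive taken first. The Database directory and the db_files.tgz path are passed in rather than assumed, and evstop/evstart are only invoked when EV_RUN=1, so the function can be rehearsed on a copy of the tree.

```shell
#!/bin/sh
# Added example, not the original post's own commands: the SmartEvent
# database reset, with the old log/ and data/ contents archived before
# they are deleted. Paths are arguments (the post writes them relative to
# $RTDIR); evstop/evstart run only when EV_RUN=1 so the function can be
# exercised safely on a throwaway copy of the Database tree.

# reset_smartevent_db <Database_dir> <db_files.tgz> <backup_dir>
# Prints the path of the backup archive it created; returns 2 on bad input.
reset_smartevent_db() {
    db_dir="$1"; seed_tgz="$2"; backup_dir="$3"
    if [ ! -d "$db_dir/log" ] || [ ! -d "$db_dir/data" ]; then
        echo "reset_smartevent_db: $db_dir has no log/ and data/ subdirectories" >&2
        return 2
    fi
    if [ ! -f "$seed_tgz" ]; then
        echo "reset_smartevent_db: seed archive $seed_tgz not found" >&2
        return 2
    fi
    mkdir -p "$backup_dir"
    backup="$backup_dir/smartevent-db-$(date +%Y%m%d-%H%M%S).tgz"

    # 1. stop the reporter module (real system only)
    if [ "${EV_RUN:-0}" = 1 ]; then evstop; fi

    # keep what is about to be wiped, so the reset can be undone
    tar -czf "$backup" -C "$db_dir" log data

    # 2. and 3. delete everything inside log/ and data/, keeping the directories
    find "$db_dir/log" "$db_dir/data" -mindepth 1 -delete

    # 4. extract the clean database files into data/
    tar -xzf "$seed_tgz" -C "$db_dir/data"

    # 5. start the reporter module again
    if [ "${EV_RUN:-0}" = 1 ]; then evstart; fi

    echo "$backup"
}

# Live use, matching the post's paths:
#   EV_RUN=1 reset_smartevent_db "/var/$RTDIR/Database" "$RTDIR/conf/db_files.tgz" /var/tmp/se-backup
```

If the reset does not fix the reports, the archive can be extracted back into the Database directory with `tar -xzf <backup> -C <Database_dir>` after another evstop.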

Manual NAT not working!

Two things to know about manual NAT and ARP:

On the upstream router you have to route the external NAT address or address range to the external interface address of the firewall; if it is a cluster, then add the routes to the VIP.

If you can't manage the router, then you have to add the NAT IP and the MAC address of the related external interface, as described in sk30197.
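When the router cannot be changed and the gateway has to answer ARP for the NAT addresses itself, the manual proxy-ARP entries end up in a text file, and a typo there is easy to miss until traffic quietly stops. The script below is an added example, not from the original post or from sk30197: it sanity-checks a local.arp style file, assuming the one-entry-per-line "<IPv4 address> <MAC address>" layout, and flags malformed addresses, stray extra fields and duplicate IPs. Both sample files are constructed.

```shell
#!/bin/sh
# Added example, not from the original post or sk30197: sanity-check a
# manual proxy-ARP file before installing policy. Assumes one entry per
# line in the form "<IPv4 address> <MAC address>"; flags bad addresses,
# extra fields and duplicate IPs, the errors that leave a NAT address
# unanswered on the wire.

# ipv4_ok <addr>: four dotted decimal octets, each 0..255
ipv4_ok() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for octet in $(echo "$1" | tr '.' ' '); do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# check_local_arp <file>: prints one diagnostic per bad line,
# returns 0 when every entry is well formed and 1 otherwise.
check_local_arp() {
    arp_file="$1"; lineno=0; bad=0; seen_ips=" "
    while read -r ip mac rest || [ -n "$ip" ]; do
        lineno=$((lineno + 1))
        case "$ip" in ''|'#'*) continue ;; esac   # blank line or comment
        if [ -n "$rest" ]; then
            echo "line $lineno: unexpected extra field(s) after MAC: $rest"; bad=1; continue
        fi
        if ! ipv4_ok "$ip"; then
            echo "line $lineno: bad IPv4 address '$ip'"; bad=1
        fi
        if ! echo "$mac" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'; then
            echo "line $lineno: bad MAC address '$mac' (expected aa:bb:cc:dd:ee:ff)"; bad=1
        fi
        case "$seen_ips" in
            *" $ip "*) echo "line $lineno: duplicate entry for $ip"; bad=1 ;;
        esac
        seen_ips="$seen_ips$ip "
    done < "$arp_file"
    return $bad
}

# Constructed sample: two NAT addresses answered by the external interface's MAC
SAMPLE_GOOD="$(mktemp)"
cat > "$SAMPLE_GOOD" <<'EOF'
# constructed example, documentation prefix 203.0.113.0/24
203.0.113.10 00:1c:7f:12:34:56
203.0.113.11 00:1c:7f:12:34:56
EOF

# Constructed sample with one mistake of each kind
SAMPLE_BAD="$(mktemp)"
cat > "$SAMPLE_BAD" <<'EOF'
203.0.113.10 00:1c:7f:12:34:56
203.0.113.256 00:1c:7f:12:34:56
203.0.113.12 001c7f123456
203.0.113.10 00:1c:7f:12:34:56
203.0.113.13 00:1c:7f:12:34:56 eth0
EOF

check_local_arp "$SAMPLE_GOOD" && echo "$SAMPLE_GOOD: OK"
check_local_arp "$SAMPLE_BAD" || echo "fix the entries above before installing policy"
```

On a SecurePlatform gateway the file to check is $FWDIR/conf/local.arp; after it validates, the entries only take effect once "Merge manual proxy ARP configuration" is enabled under Global Properties > NAT and policy is installed, and `fw ctl arp` shows what the gateway is actually answering for.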

Saturday, January 7, 2012

Saturday, December 10, 2011

Checkpoint and Multicast Traffic

In order to allow multicast traffic through the gateway, you need to follow sk35996; in addition, you also need to create an allow rule with the service "pim".

Regarding sk31190: SecurePlatform Pro needs to be enabled if you would like the gateway to participate in the multicast traffic.

If you just want to let that traffic pass through the gateway, and the gateway does not need to make any dynamic routing decisions, then there is no need to enable SPLAT Pro.

Some tips:
# tcpdump ip multicast  will show you the multicast packets.

To enable SecurePlatform router config mode, type "pro enable".
This needs a license for the "Advanced Routing Blade".
Let's enable multicast routing with sparse mode:

[Expert@NGx-gw1]# router config
localhost.localdomain>enable
localhost.localdomain#config t
localhost.localdomain(config)#interface eth0
localhost.localdomain(config-if)#ip pim sparse-mode
localhost.localdomain(config-if)#exit
localhost.localdomain(config)#interface eth1
localhost.localdomain(config-if)#ip pim sparse-mode
localhost.localdomain(config-if)#exit
localhost.localdomain(config)#ip pim enable
localhost.localdomain(config)#exit
localhost.localdomain#wr mem