<?xml version="1.0" encoding="ISO-8859-1"?>

<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/">
	<channel>
		<title>CPShared Forums</title>
		<link>https://www.cpshared.com/forums/</link>
		<description>CPShared is an online forum for discussion of Check Point Security products</description>
		<language>en</language>
		<lastBuildDate>Sat, 19 May 2012 12:59:38 GMT</lastBuildDate>
		<generator>vBulletin</generator>
		<ttl>60</ttl>
		<image>
			<url>http://www.cpshared.com/forums/images/misc/rss.jpg</url>
			<title>CPShared Forums</title>
			<link>https://www.cpshared.com/forums/</link>
		</image>
		<item>
			<title>Domain based VPN to route based VPN and working with interops</title>
			<link>https://www.cpshared.com/forums/showthread.php?t=1304&amp;goto=newpost</link>
			<pubDate>Fri, 18 May 2012 20:44:56 GMT</pubDate>
			<description>My current Check Point deployment currently consists of 9 sites, all managed by the same management server.  In addition to the Check Point sites, I...</description>
			<content:encoded><![CDATA[<div>My current Check Point deployment currently consists of 9 sites, all managed by the same management server.  In addition to the Check Point sites, I have 10 Cisco ASA and 2 Watchguard sites from recent acquisitions.<br />
<br />
Goals that must be met:<br />
1)  Be able to use MPLS unencrypted (the ISP encrypts the circuit so no need to have the firewall also encrypt it).<br />
2)  Must work with Cisco AND Check Point gateways<br />
3)  On MPLS failure, move traffic through an encrypted path over the Public circuit.<br />
4)  Resume traffic on MPLS once it becomes available again<br />
5)  This must be automated<br />
<br />
<br />
Where I am at now:  Goals met: 3, 4 and 5<br />
6 of my 9 CP sites are using an MPLS network.  This network is configured using the proprietary solution provided by CP.  This deployment is set up as I've <a href="http://www.cpshared.com/forums/showthread.php?t=102" target="_blank">explained in this linked post</a>.  So what this means is that I have encryption domains, all traffic on MPLS is encrypted/decrypted by the firewalls and because of CP's probing method using what they call an RDP packet, if the MPLS fails, the tunnel will automatically switch over to the public circuit.  Likewise, it will fail back to the primary circuit (MPLS) once it detects it's back up and usable.  Because this method is proprietary, interops may not participate.<br />
<br />
Option 1:  Goals met: 1, 3, 4 and 5 <br />
Another option now exists if running R71 or higher by using the 'vpn_trusted' parameter and using GuiDBedit to mark your MPLS interfaces on all participating gateways as trusted.  This is detailed in the section entitled 'Configuring Trusted Links' in the R75/40 VPN Admin Guide.  The issue with this method is that (once again) it is CP proprietary and uses the RDP probe.  Although it will provide me with temporary relief, this doesn't work for my interop sites, where we also wish to use MPLS.<br />
<br />
<br />
Option 2:  Goals Met: 1, 3, 4 and 5<br />
There is the  option to use advanced routing (SPLAT Pro/ADN Blade) and use OSPF and  VTIs to accomplish this task.  The details of how to proceed are listed  out in <a href="http://www.snakeoilresearch.com/white_paper_running_ospf_on.html" target="_blank">Mr.  Snakey's White Paper</a>.  <br />
Since this method uses a standard routing protocol (OSPF) and therefore should be supported by a Cisco on the other side of a CP &lt;--&gt; Cisco tunnel, you would think this is a good start. However, the issue with this solution is that since it's all route based, the VPN encryption domains are blanked out.  The results of this blank encrypt domain when working with interops can be seen <a href="https://forums.checkpoint.com/forums/thread.jspa?threadID=9682" target="_blank">here</a> and <a href="https://forums.checkpoint.com/forums/message.jspa?messageID=24275" target="_blank">here</a> as unanswered questions on the CP forums.  At least I know I'm not the only one trying to do this.  So despite the fact it would be an excellent solution with all CP sites, even my current IPSec tunnels that already exist with these sites would fail upon deployment.<br />
<br />
<br />
<br />
Does anyone out there have any ideas at all on how to do this or do I get crickets?</div>

]]></content:encoded>
			<category domain="https://www.cpshared.com/forums/forumdisplay.php?f=16">Security Gateway Blades</category>
			<dc:creator>lammbo</dc:creator>
			<guid isPermaLink="true">https://www.cpshared.com/forums/showthread.php?t=1304</guid>
		</item>
		<item>
			<title>Multi-Domain Management (Provider-1) R75.40 with GAiA is now available!</title>
			<link>https://www.cpshared.com/forums/showthread.php?t=1302&amp;goto=newpost</link>
			<pubDate>Thu, 17 May 2012 15:09:13 GMT</pubDate>
			<description><![CDATA[https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk69682]]></description>
			<content:encoded><![CDATA[<div><a href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk69682" target="_blank">https://supportcenter.checkpoint.com...tionid=sk69682</a></div>

]]></content:encoded>
			<category domain="https://www.cpshared.com/forums/forumdisplay.php?f=18">News and Events</category>
			<dc:creator>phoneboy</dc:creator>
			<guid isPermaLink="true">https://www.cpshared.com/forums/showthread.php?t=1302</guid>
		</item>
		<item>
			<title>Management upgrade R71.10 to R75.30</title>
			<link>https://www.cpshared.com/forums/showthread.php?t=1301&amp;goto=newpost</link>
			<pubDate>Wed, 16 May 2012 15:03:07 GMT</pubDate>
			<description><![CDATA[Hi folks,  
 
It's my 1st time CP upgrade, starting with the management server, taking it from r71.10 to r75.30 (SPLAT).  I've been reading the CP...]]></description>
			<content:encoded><![CDATA[<div>Hi folks, <br />
<br />
It's my 1st time CP upgrade, starting with the management server, taking it from r71.10 to r75.30 (SPLAT).  I've been reading the CP documentation and labbing things up, but am still unclear on what my best method is going to be.  <br />
<br />
From what I have read, I need to get to r71.30 first, so it will go like this: <br />
<br />
1.  upgrade current SMS to r71.30<br />
2.  upgrade_export using r75.30 upgrade_export (migrate) tool<br />
3.  clean install r75.20, upgrade to r75.30<br />
4.  import from upgrade_export taken in step 2<br />
<br />
Can anyone confirm if this would be a good way to go?<br />
Do I have to go to r71.30 first or can I just run the r75.30 migrate tool on my r71.10 SMS?<br />
<br />
Many thanks<br />
<br />
Rich</div>

]]></content:encoded>
			<category domain="https://www.cpshared.com/forums/forumdisplay.php?f=49">Security Management Blades</category>
			<dc:creator>bibster</dc:creator>
			<guid isPermaLink="true">https://www.cpshared.com/forums/showthread.php?t=1301</guid>
		</item>
		<item>
			<title>E75.10 Endpoint Connect MSI customisations not being installed</title>
			<link>https://www.cpshared.com/forums/showthread.php?t=1300&amp;goto=newpost</link>
			<pubDate>Tue, 15 May 2012 13:13:15 GMT</pubDate>
			<description><![CDATA[I'm using cpmsi_tool.exe to add and modify files in my MSI file, but nothing I do appears on the client PC after I install the MSI. I've used the...]]></description>
			<content:encoded><![CDATA[<div>I'm using cpmsi_tool.exe to add and modify files in my MSI file, but nothing I do appears on the client PC after I install the MSI. I've used the copyout option to extract the files again, to confirm that they are definitely added to the MSI.<br />
<br />
<u>The full story</u><br />
<br />
I'm using the AdminMode.bat file to create a new MSI package to include my site definition. I specify Endpoint Connect VPN as the install type. This works OK, and the site is there when I install the resulting MSI on a clean client PC. However, it seems that the default firewall policy is not included. So when the client is first installed, a pop-up in the system tray complains that it is &quot;not compliant&quot; and that the policy is &quot;missing or corrupted.&quot; If I open the client, it shows that the firewall is <b>off</b>, but I want it to be <b>on</b> from the time of installation. It's like this until the first connection to the gateway (R71.30), after which the errors go away, and the firewall is always on thereafter.<br />
<br />
I checked the Trac.defaults file, and it has the firewall disabled by default, and gives the user the ability to switch it off and on, and says that the firewall policy is desktop_policy.ini. I've found that desktop_policy.ini is not created until I connect for the first time.<br />
<br />
To try and cure this, I have taken my custom MSI and tried to customise it further using cpmsi_tool.exe. We had to do a similar thing with SecureClient R60 to include our custom userc.C and local.dt, so I thought I should be able to do it again, to include my own customised Trac.defaults and desktop_policy.ini. The tool does allow me to add those two files, plus a post-connect script. But when I install my final MSI on a clean client PC, none of the additional files are there, and the Trac.defaults is just as it was initially. E75.10 still complains about not being compliant, and the firewall is still off until the first connection. <br />
<br />
I've even tried using the cpmsi_tool.exe from E75.20 to create my E75.10 MSI, in case this was a bug in 75.10, but it made no difference. (BTW, I can't move to E75.20 yet because that is giving us too many connectivity problems).<br />
<br />
CP's website has very little on cpmsi_tool. Can anyone here help?<br />
<br />
Thanks</div>

]]></content:encoded>
			<category domain="https://www.cpshared.com/forums/forumdisplay.php?f=54">Endpoint Blades</category>
			<dc:creator>jrdld</dc:creator>
			<guid isPermaLink="true">https://www.cpshared.com/forums/showthread.php?t=1300</guid>
		</item>
		<item>
			<title>Still Annoying</title>
			<link>https://www.cpshared.com/forums/showthread.php?t=1298&amp;goto=newpost</link>
			<pubDate>Mon, 14 May 2012 20:48:16 GMT</pubDate>
			<description>---Quote--- 
************************************************** ********* 
Welcome to Check Point R75.30 installation...</description>
			<content:encoded><![CDATA[<div><div style="margin:20px; margin-top:5px; ">
	<div class="smallfont" style="margin-bottom:2px">Quote:</div>
	<table cellpadding="6" cellspacing="0" border="0" width="100%">
	<tr>
		<td class="alt2">
			<hr />
			
				************************************************** *********<br />
Welcome to Check Point R75.30 installation<br />
************************************************** *********<br />
Software installation aborted.<br />
This Check Point software version requires usage of Software Blade licenses.<br />
For more details go to <a href="http://www.checkpoint.com/products/products/promo/software-blades/upgrade/index.html" target="_blank">http://www.checkpoint.com/products/p...ade/index.html</a> or contact Account Services
			
			<hr />
		</td>
	</tr>
	</table>
</div>Evals, what are they good for?</div>

]]></content:encoded>
			<category domain="https://www.cpshared.com/forums/forumdisplay.php?f=58">Licensing</category>
			<dc:creator>Sevendoh</dc:creator>
			<guid isPermaLink="true">https://www.cpshared.com/forums/showthread.php?t=1298</guid>
		</item>
		<item>
			<title>Embedded Software Developer</title>
			<link>https://www.cpshared.com/forums/showthread.php?t=1297&amp;goto=newpost</link>
			<pubDate>Mon, 14 May 2012 15:11:11 GMT</pubDate>
			<description>I help develop system software for small routers. Most of my work revolves around the IP stack and services like VPN. I am currently trying to do...</description>
			<content:encoded><![CDATA[<div>I help develop system software for small routers. Most of my work revolves around the IP stack and services like VPN. I am currently trying to do interoperability testing, and this forum seems like the first stop to find info on Check Point.</div>

]]></content:encoded>
			<category domain="https://www.cpshared.com/forums/forumdisplay.php?f=61">Introductions</category>
			<dc:creator>m3rck</dc:creator>
			<guid isPermaLink="true">https://www.cpshared.com/forums/showthread.php?t=1297</guid>
		</item>
		<item>
			<title>Splat WebUI port interception/redirection</title>
			<link>https://www.cpshared.com/forums/showthread.php?t=1296&amp;goto=newpost</link>
			<pubDate>Sun, 13 May 2012 20:51:53 GMT</pubDate>
			<description>Hi All, 
 
I have an R75.20 Splat FW which after several re-installations and research I cannot get the FW to STOP intercepting port 80 traffic...</description>
			<content:encoded><![CDATA[<div>Hi All,<br />
<br />
I have an R75.20 Splat FW which after several re-installations and research I cannot get the FW to STOP intercepting port 80 traffic (which it redirects to 443) and port 443 traffic. I've done the &quot;webui enable &lt;port&gt;&quot; command. I've modified the FW object &gt; Secure Platform tab &gt; Main URL to the specified port, but no matter what...it still intercepts all port 80 and 443 traffic rather than what the security policy and NAT specify... So please...what do I need to do?<br />
<br />
Thanks!</div>

]]></content:encoded>
			<category domain="https://www.cpshared.com/forums/forumdisplay.php?f=57">SecurePlatform OS and OpenServer Appliances</category>
			<dc:creator>Whoa!</dc:creator>
			<guid isPermaLink="true">https://www.cpshared.com/forums/showthread.php?t=1296</guid>
		</item>
		<item>
			<title>Showing Value</title>
			<link>https://www.cpshared.com/forums/showthread.php?t=1295&amp;goto=newpost</link>
			<pubDate>Fri, 11 May 2012 17:13:31 GMT</pubDate>
			<description><![CDATA[I'm trying to find ways of showing value, workload and scope to our CEO, who will be visiting us in about a week. 
 
Our thought was to show the...]]></description>
			<content:encoded><![CDATA[<div>I'm trying to find ways of showing value, workload and scope to our CEO, who will be visiting us in about a week.<br />
<br />
Our thought was to show the number of drops at our external firewall, number of IPS hits, etc. correlating to number of people (e.g. 150 alerts/drops per person per day) or something along those lines.<br />
<br />
The problem is trying to count the number of dropped sessions in Tracker. I've tried exporting to .txt and then into Excel, but the number is way too high and the file gets truncated.<br />
<br />
Any ideas? Can we use Crystal Reports to parse the log files?</div>

]]></content:encoded>
			<category domain="https://www.cpshared.com/forums/forumdisplay.php?f=46">Security Operations Management</category>
			<dc:creator>boldin</dc:creator>
			<guid isPermaLink="true">https://www.cpshared.com/forums/showthread.php?t=1295</guid>
		</item>
		<item>
			<title><![CDATA[Installing GAIA onto Dell R310 with > 2 TB HDD]]></title>
			<link>https://www.cpshared.com/forums/showthread.php?t=1293&amp;goto=newpost</link>
			<pubDate>Fri, 11 May 2012 09:08:37 GMT</pubDate>
			<description>I tried to upgrade GAIA on a Dell R310 which was deployed as a CLM log server with 4 hard drives of 500 Gigs each in a RAID 0 (Stripe) configuration,...</description>
			<content:encoded><![CDATA[<div>I tried to upgrade GAIA on a Dell R310 which was deployed as a CLM log server with 4 hard drives of 500 Gigs each in a RAID 0 (Stripe) configuration, and ran into some issues.<br />
<br />
I was unable to upgrade cleanly, as the basic WebUI upgrade path tries to write the temp files et al to the root directory instead of &quot;/var/&quot;, and a default Splat install has very little available disk space in this partition.<br />
<br />
I fudged this with some symbolic link hacking, and managed to get the installation to work, but on first reboot the system tanked.<br />
<br />
I then resorted to installing GAIA through a clean installation, but after much trial and error, found that the RAID config was not supported by GAIA.<br />
<br />
I ended up getting around this by rebuilding the RAID config into two separate volumes, each with 2 x 500 GB hard drives. I was then able to install GAIA successfully, and create the partitions I want.<br />
<br />
It appears that overly large &quot;physical&quot; drives are not supported by GAIA, however at installation time, GAIA creates VLM partitions, so one is able to overcome the limitation and have a single very large Log partition in any case.<br />
<br />
Hope this helps someone out there! :)</div>

]]></content:encoded>
			<category domain="https://www.cpshared.com/forums/forumdisplay.php?f=57">SecurePlatform OS and OpenServer Appliances</category>
			<dc:creator>pneuma</dc:creator>
			<guid isPermaLink="true">https://www.cpshared.com/forums/showthread.php?t=1293</guid>
		</item>
		<item>
			<title>Hello All</title>
			<link>https://www.cpshared.com/forums/showthread.php?t=1291&amp;goto=newpost</link>
			<pubDate>Thu, 10 May 2012 20:34:07 GMT</pubDate>
			<description><![CDATA[I've been supporting Checkpoint FW1 since it was 4.1. Most recently I was involved in a migration from R60 to R75.20, which is why I'm here. I have...]]></description>
			<content:encoded><![CDATA[<div>I've been supporting Checkpoint FW1 since it was 4.1. Most recently I was involved in a migration from R60 to R75.20, which is why I'm here. I have some questions regarding SPlat and the admin GUI port.</div>

]]></content:encoded>
			<category domain="https://www.cpshared.com/forums/forumdisplay.php?f=61">Introductions</category>
			<dc:creator>Whoa!</dc:creator>
			<guid isPermaLink="true">https://www.cpshared.com/forums/showthread.php?t=1291</guid>
		</item>
		<item>
			<title>Remote Access Clients E75.30 EA1 now available!</title>
			<link>https://www.cpshared.com/forums/showthread.php?t=1290&amp;goto=newpost</link>
			<pubDate>Thu, 10 May 2012 17:18:05 GMT</pubDate>
			<description><![CDATA[Two new features in this EA release: Support for Windows 8 and Intel Smart Connect Technology. 
 
Get thee to User Center, select My Products > Early...]]></description>
			<content:encoded><![CDATA[<div>Two new features in this EA release: Support for Windows 8 and Intel Smart Connect Technology.<br />
<br />
Get thee to User Center, select My Products &gt; Early Availability to sign up and download!</div>

]]></content:encoded>
			<category domain="https://www.cpshared.com/forums/forumdisplay.php?f=18">News and Events</category>
			<dc:creator>phoneboy</dc:creator>
			<guid isPermaLink="true">https://www.cpshared.com/forums/showthread.php?t=1290</guid>
		</item>
		<item>
			<title>R71.40 CLM to act as a log archive</title>
			<link>https://www.cpshared.com/forums/showthread.php?t=1289&amp;goto=newpost</link>
			<pubDate>Thu, 10 May 2012 15:50:58 GMT</pubDate>
			<description>We have a pair of Provider-1 boxes in HA with 3 CMAs.  We have one CLM license with container.  We were told this would work for log archiving and...</description>
			<content:encoded><![CDATA[<div>We have a pair of Provider-1 boxes in HA with 3 CMAs.  We have one CLM license with container.  We were told this would work for log archiving and not necessarily be good for viewing active logs (which is not necessary).  I do not want to send yet another stream of logs from the gateways to yet another box (we have all of them assigned either a SmartReporter or are redirecting logs to another box managed by another CMA to combine like-use logs).<br />
<br />
We just need a place that can easily accept firewall logs that we want moved off the Provider boxes to conserve space.  There is no requirement to resolve object names, or policies, or much of anything.  We just need a larger record without keeping it on the Provider box and having 30 files to wade through when looking for a log to troubleshoot.<br />
<br />
We are managing approximately 32 gateways and that number will be doubling in the next year or so (small policies for the most part).</div>

]]></content:encoded>
			<category domain="https://www.cpshared.com/forums/forumdisplay.php?f=49">Security Management Blades</category>
			<dc:creator>dougg01</dc:creator>
			<guid isPermaLink="true">https://www.cpshared.com/forums/showthread.php?t=1289</guid>
		</item>
		<item>
			<title>GAiA: ClusterXL magic mac settings - no changes</title>
			<link>https://www.cpshared.com/forums/showthread.php?t=1288&amp;goto=newpost</link>
			<pubDate>Thu, 10 May 2012 08:46:10 GMT</pubDate>
			<description>http://checkpoint-master-architect.blogspot.com/2012/05/gaia-clusterxl-magic-mac-settings-same.html</description>
			<content:encoded><![CDATA[<div><a href="http://checkpoint-master-architect.blogspot.com/2012/05/gaia-clusterxl-magic-mac-settings-same.html" target="_blank">http://checkpoint-master-architect.b...ings-same.html</a></div>

]]></content:encoded>
			<category domain="https://www.cpshared.com/forums/forumdisplay.php?f=57">SecurePlatform OS and OpenServer Appliances</category>
			<dc:creator>varera</dc:creator>
			<guid isPermaLink="true">https://www.cpshared.com/forums/showthread.php?t=1288</guid>
		</item>
		<item>
			<title>What Open Servers does GAIA work with?</title>
			<link>https://www.cpshared.com/forums/showthread.php?t=1287&amp;goto=newpost</link>
			<pubDate>Wed, 09 May 2012 15:45:55 GMT</pubDate>
			<description>I will be honest this install is terrible and does not work on anything I have tried. Someone please let me know what servers you have successfully...</description>
			<content:encoded><![CDATA[<div>I will be honest this install is terrible and does not work on anything I have tried. Someone please let me know what servers you have successfully installed GAIA on.<br />
<br />
I have struck out on the following:<br />
<br />
Dell R610<br />
HP DL360 G5<br />
Dell Precision 490<br />
Dell Optiplex GX620<br />
<br />
Here is the HCL:  <a href="http://www.checkpoint.com/services/techsupport/hcl/all.html" target="_blank">http://www.checkpoint.com/services/t...t/hcl/all.html</a></div>

]]></content:encoded>
			<category domain="https://www.cpshared.com/forums/forumdisplay.php?f=57">SecurePlatform OS and OpenServer Appliances</category>
			<dc:creator>FireBob</dc:creator>
			<guid isPermaLink="true">https://www.cpshared.com/forums/showthread.php?t=1287</guid>
		</item>
		<item>
			<title>SFTP Blocked by Check Point</title>
			<link>https://www.cpshared.com/forums/showthread.php?t=1286&amp;goto=newpost</link>
			<pubDate>Tue, 08 May 2012 20:29:11 GMT</pubDate>
			<description>I have a user who needs to connect to an external FTP site that is using SSL or TLS. My Check Point security gateway (R75.30) blocks this connection,...</description>
			<content:encoded><![CDATA[<div>I have a user who needs to connect to an external FTP site that is using SSL or TLS. My Check Point security gateway (R75.30) blocks this connection, I think this article is talking about what I am experiencing.<br />
<br />
<a href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk39793" target="_blank">sk39793</a><br />
<br />
FTP message:<br />
“220 Check Point FireWall-1 Secure FTP server running on fwname”<br />
<br />
A quick explanation of what/why this is going on would be greatly appreciated, as well as any ideas on how to get the connection to work. I'd rather not disable FTP Bounce Protection (as stated in the article) unless it's the only option.<br />
<br />
Thanks,<br />
Mike</div>

]]></content:encoded>
			<category domain="https://www.cpshared.com/forums/forumdisplay.php?f=50">IPS Blades</category>
			<dc:creator>mr_mike</dc:creator>
			<guid isPermaLink="true">https://www.cpshared.com/forums/showthread.php?t=1286</guid>
		</item>
	</channel>
</rss>

