yurisk.info

Yuri Slobodyanyuk's blog on IT Security and Networking sharing experience and expertise


Check Point Certified Master Architect Certification is more accessible than ever

Hello, fellow checkpoint-heads.
I know you have been waiting for this for a long, long time, and now it happens – Checkpoint announced that the Check Point Certified Master Architect Certification lab can be taken at the “convenience of your desktop”, that is, online. You don’t need to ride your horses over dusty Texas any more; for a mere 1500 US$ you can take it online and be happy ever after (methinks you will be happy anyway, because if you can easily throw away 1500 bucks you are all set already).
In addition, their CCSA/CCSE training classes are also available online; details are on their website.

Class A 2.0.0.0 is inaccessible from behind Edge devices bug

There is a not critical but rather annoying bug in the Checkpoint Edge devices firmware 8.1.x that prevents any host behind it from reaching the class A network 2.0.0.0/8. If you notice this problem, it is most probably because the pool 2.16.0.0/13 was recently assigned to Akamai Technologies. Checkpoint have a bug-fix firmware for that, so open a ticket with them and you will get it.

The D-day for CheckPoint UTM-1 Edge Appliances happened today – reboots are reported all over the world

D-day of UTM-1 Edge devices (photo courtesy of The Voice of Russia http://english.ruvr.ru/)

Today we got reports from clients that all their UTM-1 Edge devices rebooted early in the night, at about 03:00 AM Israel time on the 31st of October. While no official press release from Checkpoint has been seen so far, looking at the cpug.org posts where people from around the globe report the same thing, I can assume with a high degree of certainty that this was indeed the case.
While I do hold the opinion that a reboot is always good for the Edge, I didn’t think they meant to act upon it.
I can hope the same doesn’t happen one day to the UTM-1….

Update 2 Nov: Checkpoint released a SecureKnowledge note (sk56641) about it, where they say yes, it happened, it was caused by a bug, and the next time it will happen is 13 years from now, when no Edge of this series is supposed to be in use.

Funny things people do – how to turn Checkpoint UTM 450 into Windows Media player

Someone has finally found the best use for the Checkpoint UTM 450: turned it into a Windows Media player and recorded the instructions so others may follow. In case you still wonder: yes, it certainly voids the warranty. Enjoy: youtube.com. And to those very few who will try to do it, a word of caution: the UTM 450 makes such noise that you will not be able to put it in your living room.

Turn the Checkpoint firewall into a network-neutral router and do it in 2 minutes. Time starts now!!

It was a rather unusual request: the client, for whatever reasons, asked me to “shut down the Checkpoint firewall”. What? “Shutdown, you know, so that it just passes the traffic from interface to interface by its routing table, no checking; also I need to add a few routes on the way, okay?”. The allocated downtime was up to a few minutes, so I understood that no testing/rollback/etc. could be done beforehand, but I did what I knew and it actually worked. Here are the things I changed.
Shut down Checkpoint with #cpstop. I looked for ways to shut down the firewall kernel module completely but hadn’t found any, so I warned the client that if someone restarts the machine all is screwed.
The following settings I set in the file /etc/sysctl.conf, and after saving the changes I activated them with #sysctl -p (note that sysctl.conf comments start with #, not //):
net.ipv4.conf.default.rp_filter = 0   # Disable RPF checks; for some reason it blocked routed networks and the 2-minute time limit didn’t allow debugging.
net.ipv4.ip_forward = 1   # Enable routing
net.ipv4.conf.default.arp_filter = 0   # Disable ARP filtering; meaningful with networks reachable through multiple interfaces, which wasn’t the case here, just to make sure.
net.ipv4.conf.all.arp_filter = 0
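The same kernel settings, as an added example that is not the blog author's procedure: a function that emits them in valid sysctl.conf syntax, and a check that reads the live values back from /proc/sys so you can confirm the box really is in pass-through mode and notice when a restart (and the cpstart that comes with it) or someone else has undone it. It adds the `.all` variants to the keys from the post: the kernel takes the larger of conf/all and conf/<iface> for rp_filter, and `default` only seeds interfaces created later, so `all` is what changes an interface that is already up. The file path in the comment and the exit-code convention are this example's own choices.

```shell
# Emit the pass-through router settings in sysctl.conf syntax ("#" comments only).
# Append to /etc/sysctl.conf and activate with "sysctl -p", as in the post.
router_mode_sysctl() {
    cat <<'EOF'
# pass-through router mode: forward, no reverse-path or ARP filtering
net.ipv4.ip_forward = 1
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.all.arp_filter = 0
net.ipv4.conf.default.arp_filter = 0
EOF
}

# Map a sysctl key to the /proc/sys file that holds its live value.
sysctl_key_to_path() {
    printf '/proc/sys/%s\n' "$(printf '%s' "$1" | tr . /)"
}

# Compare every key in the fragment with the running kernel.
# Prints one "key wanted=.. actual=.." line per mismatch.
# Exit status: 0 all match, 1 at least one differs, 2 /proc/sys unavailable.
check_router_mode() {
    [ -d /proc/sys/net/ipv4 ] || return 2
    rc=0
    for entry in $(router_mode_sysctl | grep -v '^#' | tr -d ' '); do
        key=${entry%%=*}
        wanted=${entry#*=}
        actual=$(cat "$(sysctl_key_to_path "$key")" 2>/dev/null) || actual='(missing)'
        if [ "$actual" != "$wanted" ]; then
            printf '%s wanted=%s actual=%s\n' "$key" "$wanted" "$actual"
            rc=1
        fi
    done
    return $rc
}

# Usage on the box:  router_mode_sysctl >> /etc/sysctl.conf && sysctl -p && check_router_mode
```

Running `check_router_mode` from cron after the change gives you a cheap tripwire: the moment the gateway comes back up with the firewall module loaded and the settings reverted, the mismatch lines tell you which knobs changed.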

Number of connected SecureClient or SecuRemote users

Here is how to see the number of users connected to the gateway. Nothing special/interesting, and I am sure it is to be found somewhere in the SecureKnowledge base, but with the recent licensing changes people ask about it a lot.

# fw tab -t userc_users -s
HOST NAME ID #VALS #PEAK #SLINKS
localhost userc_users 73 1 3 0
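Since the question usually comes up because of licensing, here is an added example (not from the post) that turns the one-off command into a check you can run from cron or a monitoring agent: it pulls #VALS and #PEAK out of the `fw tab -t userc_users -s` summary and compares the current count with the number of users you are licensed for. The sample output is constructed from the lines shown above; the column order (HOST NAME ID #VALS #PEAK #SLINKS) is the one the post shows, and the licensed-user limit is a parameter you supply.

```shell
# Constructed sample of "fw tab -t userc_users -s" output, copied from the post.
SAMPLE_FW_TAB='HOST NAME ID #VALS #PEAK #SLINKS
localhost userc_users 73 1 3 0'

# Print "<current> <peak>" for the userc_users table read on stdin.
userc_counts() {
    awk '$2 == "userc_users" { print $4, $5 }'
}

# userc_license_check <licensed_users>: reads fw tab output on stdin,
# prints a one-line status; exit 1 when current count is at or over the
# limit, 2 when the table is not in the input at all.
userc_license_check() {
    limit=$1
    set -- $(userc_counts)          # $1 = current, $2 = peak
    [ -n "$1" ] || { echo "userc_users table not found in input"; return 2; }
    if [ "$1" -ge "$limit" ]; then
        printf 'ALERT: %s connected (peak %s), licensed %s\n' "$1" "$2" "$limit"
        return 1
    fi
    printf 'OK: %s connected (peak %s), licensed %s\n' "$1" "$2" "$limit"
}

# On the gateway:  fw tab -t userc_users -s | userc_license_check 25
# Offline, with the sample:  printf '%s\n' "$SAMPLE_FW_TAB" | userc_license_check 25
```

Alerting on "at or over" rather than "over" is deliberate: the peak column tells you how close you have been getting, and hitting the limit exactly means the next user is the one who gets refused.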

Turn netconf.C routes into the Linux route command

I must confess that I prefer good solutions today over perfect solutions tomorrow.
So when the need arose to do a script that takes netconf.C and transforms all the
route statements in it into the general Linux form of “route add xxx”, I did the one-liner you can see below. The script looks ugly and sketchy, but it works. For those preferring perfect solutions, check the website "Monkey with a gun", which has a script to manage many networking settings of SPLAT. I haven’t tried it myself, but it looks like a serious investment of time and effort.

awk ' (/dest/ || /via/) && ! /127.0.0.0/ ' /etc/sysconfig/netconf.C | sed 's/[():]/ /g' | sed ' s/^.* via/ gw/' | sed ' s/^.*dest / route add -net /' | awk ' {if($0~/\/32/) { gsub(/-net/,"-host "); print} else print} '| awk ' {if(NR % 2 == 1) {gsub(/$/," "); printf($0)} else print} '

After you run it you will get something like this on stdout:

route add -net "192.168.9.0/22" gw 10.20.20.6
route add -net "172.16.11.0/24" gw 10.20.20.6
route add -net "172.16.12.0/24" gw 10.20.20.6
route add -net "172.16.13.0/24" gw 10.20.20.6
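The one-liner above pairs lines by position (odd line = dest, even line = via), so if a filter ever drops one half of a pair the remaining commands shift onto the wrong gateway. As an added example that is not the blog's script, here is the same transformation written as an awk state machine that keeps each `:dest` with the `:via` that follows it, drops the loopback entry as a whole pair, strips the quotes so the value is clean, and turns a /32 into `route add -host` without the prefix. The netconf.C snippet is constructed to match the layout the one-liner assumes (a `:dest (...)` line followed by a `:via (...)` line); the real file on a given SPLAT box may differ, so compare against yours first.

```shell
# Read netconf.C on stdin, print one "route add" command per dest/via pair.
netconf_to_routes() {
    awk '
        /:dest[[:space:]]*\(/ {
            # keep only the value between the parentheses, without quotes
            v = $0; sub(/^.*:dest[[:space:]]*\(/, "", v); sub(/\).*$/, "", v); gsub(/"/, "", v)
            dest = v; next
        }
        /:via[[:space:]]*\(/ && dest != "" {
            v = $0; sub(/^.*:via[[:space:]]*\(/, "", v); sub(/\).*$/, "", v); gsub(/"/, "", v)
            # skip the loopback route as a whole pair so the pairing never drifts
            if (dest !~ /^127\./) {
                kind = (dest ~ /\/32$/) ? "-host" : "-net"
                if (kind == "-host") sub(/\/32$/, "", dest)
                printf "route add %s %s gw %s\n", kind, dest, v
            }
            dest = ""
        }
    '
}

# Constructed sample input (not a real netconf.C dump; layout is an assumption).
SAMPLE_NETCONF='(
    :netconf (
        :static_routes (
            : (
                :dest ("127.0.0.0/8")
                :via (127.0.0.1)
            )
            : (
                :dest ("192.168.9.0/22")
                :via (10.20.20.6)
            )
            : (
                :dest ("10.99.99.1/32")
                :via (10.20.20.6)
            )
        )
    )
)'

# Usage:  netconf_to_routes < /etc/sysconfig/netconf.C
# Offline: printf '%s\n' "$SAMPLE_NETCONF" | netconf_to_routes
```

Review the generated commands before pasting them into a shell on the replacement router: the script reproduces whatever is in netconf.C, including routes that may only have made sense on the firewall.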

© 2016 yurisk.info
