25, 2010
VPN client stops working in visitor mode after major update
Yesterday I got asked to check the VPN client issue. After the upgrade from NGX R65 to R70 the VPN client doesn’t connect when Visitor mode is enabled. The moment you disable Visitor mode the same client to the same firewall works just fine. This happens often, so I bring it here. Actually I see [...]
13, 2010
fw monitor add-on
There is something I didn’t include in the previous post, fw monitor command reference, about fw monitor, as I think it is rather optional and you can do well without it. I talk about tables in defining filter expressions. INSPECT – proprietary scripting language by Checkpoint in which filtering expressions are [...]
3, 2010
Fortigate firewall demo free access. Also FortiManager and FortiAnalyzer
As someone said, the best things in life are free.
Here are links to the demo Fortigate firewall, FortiAnalyzer and FortiManager, open to access from anywhere, so that you can familiarize yourself with the Management GUI look and feel.
NOTE: Access is read-only.
NOTE 2: No, it is not me being so generous, it’s Fortinet caring for us.
Fortigate [...]
26, 2010
Enabling antispam or antivirus on the Checkpoint gateway blocks smtp or http traffic
Recently I was unpleasantly presented with an “it is not a bug, it is a feature” case with Checkpoint.
There was a UTM with a valid TS (Total Security) license that includes the antivirus and antispam services the client paid for and even asked to enable. So far so good. As part of the routine I checked on [...]
18, 2010
Cisco ASA privilege separation for a local user or read only user on ASA
Today I had the need to create a user in ASA that would have read-only permissions and also could issue only 2 commands: show run and show conn. Here is how to do it.
We talk here about a user with local authentication (with TACACS it is much easier).
Just as in Cisco routers, you assign a specific command to [...]
31, 2009
Print rulebase in Checkpoint
The best place to hide something is to place it before your eyes. Thanks to theacademypro.com I discovered a cool feature of the SmartDashboard – the ability to print rules directly from the Dashboard: you just go to File -> Print -> Rule Base.. and that’s it. Just amazing, I have been using Dashboards throughout [...]
30, 2009
Checkpoint – back up centrally for recovery.
Backing up firewall configs for disaster recovery is a tedious and mundane task, and if you have enough firewalls, doing it manually becomes impractical. To address this I set up a highly secured server that periodically runs a script backing up the clients’ firewalls.
I use a poll model here – this central server connects by SSH [...]
19, 2009
Checkpoint winscp troubles
Checkpoint firewalls have 3 means of transferring files in/out – ftp (client), SCP and SFTP (haven’t tried it yet).
At some stage of the debug/upgrade process you will have to move files in either direction. The most secure is the SCP protocol. On Windows platforms picking the GUI SCP client is not hard – [...]
15, 2009
ARP table overflow in Checkpoint and Linux in general
This is not specific to Checkpoint but rather an issue of any Linux-based system; still, people often forget about that and look for Checkpoint-specific solutions to it, so to help with this search I wrote the note below on how to fix it:
The problem usually shows itself as a randomly distributed inability of stations to pass the firewall, slowness and other network problems [...]
14, 2009
Increase and rotate SSH log files in Checkpoint
Log is knowledge (of who did what) and knowledge is power. All modern Operating Systems today provide extensive logging facilities, and Linux, on which Checkpoint products are based, is no exception.
Checkpoint has its own logging capabilities where logs are enabled in the Security rulebase. And that’s fine, but the SSHD daemon also has a logging and rotating feature which [...]