Checkpoint Firewall

Do you know about any problem with Checkpoint firewall and SGD 4.2?
I have a customer with that firewall and he is disconnected quite often. Without the firewall there is no problem. We checked the firewall log and see that sometimes it blocks traffic to our site...
Any help?
Thank you

Define "sometimes". A snip of the log with successful connections compared to unsuccessful connections would be helpful.

Similar Messages

  • Oracle server and Checkpoint firewall

    When setting block Findricset SQL Injection
    on Checkpoint firewall and try to login by sqlplus
    to the db server (8.1.7) behind that firewall
    the following error messages occur:
    ORA-24323: value not allowed
    ERROR:
    ORA-03114: not connected to ORACLE
    Error accessing PRODUCT_USER_PROFILE
    Warning: Product user profile information not loaded!
    You may need to run PUPBLD.SQL as SYSTEM
    ORA-24323: value not allowed
    ORA-24323: value not allowed
    Error accessing package DBMS_APPLICATION_INFO
    ERROR:
    ORA-03114: not connected to ORACLE
    SP2-0575: Use of Oracle SQL feature not in SQL92 Entry Level
    ORA-24323: value not allowed
    Can anyone tell me where's the problem?

    It appears that the firewall is blocking the connection to the database. Since this appears to be something more than a basic firewall product (i.e. it is doing more than allowing and denying requests on particular ports for particular IP addresses), you would need to talk to your firewall vendor to determine why it thinks a SQL*Plus connection is a SQL injection risk and how to get around the problem.
    Of course, you could set up something like Oracle Connection Manager to proxy the connection through the firewall, but that may well defeat the point of an active firewall product.
    Justin

  • No Ping-Answer in Site-To-Site-Connection between Cisco 876 and CheckPoint-Firewall

    Hello!
    We are trying to establish a site-to-site IPsec connection between a Cisco 876 (local site) and a CheckPoint firewall (remote site). The Cisco 876 is not directly connected to the internet, but is behind a DSL router with port forwarding, forwarding ports 500 and 4500. The running config of the Cisco 876 is appended to this discussion thread. Unfortunately I get no output when debugging the connection with the commands "debug crypto isakmp" and "debug crypto ipsec".
    From the Checkpoint firewall's point of view the connection seems to establish, but there is no ping answer.
    The server on the local site that should be reached from the network behind the Checkpoint firewall has a routing entry "route -P add [inside ip-net remote] 255.255.255.0 [inside ip local]" (see also the appended running config for the naming of IP addresses).
    Establishing a Cisco VPN-Client connection to the same Cisco 876 router works fine.
    Any help would be very much appreciated!
    Jakob J. Blaette

    Hi Jakob,
    Adding my two cents here.
    You always need to confirm that the following ports and protocol are opened:
    1- UDP port 500 --> ISAKMP
    2- UDP port 4500 --> NAT-T
    3- Protocol 50 ---> ESP
    A LAN-to-LAN tunnel will never establish a session over TCP, but it could use NAT-T (if behind NAT). Remember that a one-to-one translation is not port forwarding; a LAN-to-LAN tunnel does not work well unless you have a one-to-one translation for the NATted device, which I think, in your case, is the router.
    HTH.
    Portu.
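The three prerequisites listed in the reply (UDP/500 ISAKMP, UDP/4500 NAT-T, IP protocol 50 ESP) are easiest to confirm from the firewall's own log, comparing accepted and dropped flows to the VPN peer. The following is an added example, not code from the thread; the key=value log format and the addresses in the constructed sample are assumptions, so adapt the parser to your firewall's export. The verdict also handles the NAT-T case, where ESP is carried inside UDP/4500 and protocol 50 legitimately never appears in the log.

```python
"""Classify firewall log flows to a VPN peer by IPsec component and report drops.

Added example, not from the thread. Log format (one flow per line,
space-separated key=value fields) and all addresses are constructed.
"""
import re
from collections import Counter

# Constructed sample: ISAKMP and NAT-T are accepted, but ESP is dropped in both
# directions, so phase 1/2 negotiate yet no encrypted traffic ever flows.
SAMPLE_LOG = """\
action=accept proto=udp src=203.0.113.10 dst=198.51.100.5 dport=500
action=accept proto=udp src=198.51.100.5 dst=203.0.113.10 dport=500
action=accept proto=udp src=203.0.113.10 dst=198.51.100.5 dport=4500
action=drop proto=esp src=203.0.113.10 dst=198.51.100.5
action=drop proto=esp src=198.51.100.5 dst=203.0.113.10
action=accept proto=tcp src=192.0.2.7 dst=198.51.100.5 dport=443
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Turn 'k=v k=v ...' into a dict; unknown fields are kept, missing ones absent."""
    return dict(FIELD_RE.findall(line))


def classify(rec):
    """Map one flow record to the IPsec component it carries, or None if unrelated."""
    proto = rec.get("proto", "").lower()
    if proto == "udp" and rec.get("dport") == "500":
        return "isakmp"
    if proto == "udp" and rec.get("dport") == "4500":
        return "nat_t"
    if proto in ("esp", "50"):  # some exports log the protocol number instead of the name
        return "esp"
    return None


def ipsec_report(log_text, peer):
    """Per component, count firewall actions on flows to or from `peer`."""
    seen = {"isakmp": Counter(), "nat_t": Counter(), "esp": Counter()}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if peer not in (rec.get("src"), rec.get("dst")):
            continue
        comp = classify(rec)
        if comp:
            seen[comp][rec.get("action", "?")] += 1
    return seen


def verdict(report):
    """List of findings; an empty-problem run returns the single 'pass' line."""
    problems = []
    if report["isakmp"]["accept"] == 0:
        problems.append("no accepted ISAKMP (UDP/500): phase 1 cannot start")
    if report["isakmp"]["drop"]:
        problems.append("ISAKMP (UDP/500) drops seen")
    if report["nat_t"]["drop"]:
        problems.append("NAT-T (UDP/4500) drops seen")
    nat_t_used = report["nat_t"]["accept"] > 0
    if report["esp"]["drop"]:
        problems.append("ESP (IP proto 50) drops seen: tunnel negotiates but carries no traffic")
    elif report["esp"]["accept"] == 0 and not nat_t_used:
        # Without NAT-T, ESP must show up as protocol 50; with NAT-T it is inside UDP/4500.
        problems.append("no ESP and no NAT-T traffic seen: nothing encrypts after phase 2")
    return problems or ["all three prerequisites pass"]


if __name__ == "__main__":
    for finding in verdict(ipsec_report(SAMPLE_LOG, "203.0.113.10")):
        print(finding)
```

Run it against a real export by replacing `SAMPLE_LOG` with the log text and `peer` with the public address of the remote gateway; when the router itself sits behind a NAT device, as in the question, the peer address seen by the Checkpoint is the NAT device's public address, not the router's.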

  • Checkpoint Firewall Management Server Lost Identity in MARS

    About a month ago, we added our Checkpoint firewall to MARS as well as the 2 Firewall agents who reported to the device. The devices were recognized and running properly.
    At some point in the last week, the Checkpoint management server lost its identity within MARS. Instead of being recognized as a Checkpoint device, the server is now considered a "Generic Router Version Unknown" via the Device Type.
    The agent firewalls beneath this device still exist as desired, but MARS is no longer recording logs for the primary device.
    I'm ready to remove and recreate the device, but I'm interested to figure out how this could have happened. Nothing in the Audit Trail points to any weird configuration changes.
    I've posted a picture here: http://pixpin.com/viewer.php?file=mars-checkpoint-j1zc.jpg

    It might have to do with bug CSCse03097, "CheckPoint LEA record comes to MARS later and later". Have a look at it for a better understanding.

  • NAC and Checkpoint firewall

    Hi to all,
    Does anyone know if it is possible to configure SSO using NAC and a Checkpoint firewall VPN client software on a user machine?
    Thanks in advance for your help

    Mark,
    If the Checkpoint device can do standard RADIUS accounting, it can work with CCA. When doing VPN SSO with CCA, it only cares about the accounting packets from the VPN head-end.
    HTH,
    Faisal

  • NMAS based token for radius authentication towards checkpoint firewall

    hi,
    I'm looking for token-based access towards a Checkpoint firewall. I found
    out about RADIUS, and think that's the way to go.
    Our user administration is NW65SP2 & eDir 8.7.3 based.
    Does anyone have a success story about a token-based RADIUS server on this
    configuration?
    Which token?
    Additional software?
    Anyone?

    Hi Peter,
    Have a look at the RADIUS implementation CookBook (www.vasco.com/novell)
    chris
    > We use Vasco tokens for two things: Checkpoint Firewall-1 VPN
    > authentication, and iChain 2.2 RADIUS authentication. The current
    > RADIUS.NLM that we use is from the iChain authentication CD.
    >
    > The only problem I can think of to mention is the "Unknown RADIUS client"
    > error that we got after NW6 SP5. That was solved by the latest NMAS
    > patches and an upgrade from eDir 8.6.2 to 8.7.3.
    >
    > "Peter van de Meerendonk" wrote:
    > > > Well, just let me cover my hiney a little. We did have extremely bad
    > > > results with Activcard ACO000 tokens, but that is an old product from
    > > > about 3-4 years ago. I have no knowledge of the current Activcard tokens.
    > > >
    > > OK, but the licensing policy makes Activcard a costly alternative. We've
    > > got a good deal on RSA, and are negotiating a deal on Vasco. Eventually we
    > > might need 250+ tokens.
    > >
    > > I am very interested in configuration details of your setup. Do you use
    > > the tokens only for Checkpoint authentication, or for Novell
    > > authentication as well?

  • ACE - Probe suggestion for CheckPoint Firewall ?

    Hi to all,
    Assume that the cable on the inbound interface of FW1 is unplugged. In this scenario the probes are still up. The probes cannot detect this situation and failover doesn't take place. As you can see, it is impossible to detect a cable tear-down unless we have an IP address from a different VLAN.

    I have an idea to solve this issue: I need to create a new VLAN (for instance VLAN 200) on the ACE_INSIDE. We will insert a static route on ACE_OUTSIDE. That static route will try to reach VLAN 200 via the FW1 outside interface. Then we will be sure when FW1 fails. Of course, vice versa will be valid. We can use a similar configuration for FW0 too.

    According to the configuration that I have attached and my solution, can you give me a configuration example, or do you have a better way to accomplish this task? I will be waiting for your suggestion or solution as soon as possible. I have little time to solve this. Thanks in advance.
    Best Regards.
    Note: Topology and all necessary configs are attached.

    First of all, this is the FIRST time I've heard of someone running SecurePlatform NGx R65 in Active/Active WITHOUT ClusterXL. I could be wrong, though unlikely, but that is not possible. Take a look at this pair of Checkpoint firewall NGx R65 SecurePlatform boxes in Active/Active Unicast mode:

    [Expert@NGx-lab2]# cphaprob state
    Cluster Mode: Load Sharing (Unicast/SDF)
    Number     Unique Address  Assigned Load  State
    1          10.0.0.1        30%            Active (pivot)
    2 (local)  10.0.0.2        70%            Active
    [Expert@NGx-lab2]# cphaprob -a if
    Required interfaces: 4
    Required secured interfaces: 1
    eth0 UP non sync(non secured), broadcast
    eth1 UP non sync(non secured), broadcast
    eth7 UP non sync(non secured), broadcast
    eth13 UP sync(secured), broadcast
    Virtual cluster interfaces: 3
    eth0 65.129.75.1
    eth1 129.174.1.1
    eth7 192.168.128.1
    [Expert@NGx-lab2]#

    Again, I think it is NOT possible to run Checkpoint in Active/Active mode without ClusterXL. You may want to check the configuration again. You can NOT have active/active without VIP IPs.
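The `cphaprob` output quoted in that reply carries everything needed to confirm the reply's point mechanically: the cluster mode, each member's state and load share, a secured sync interface, and one VIP per cluster interface. The following is an added example, not from the thread or from Check Point; it parses exactly the two command outputs shown above (embedded as sample text) and reports deviations. The field layout is assumed from that single sample, so verify it against your own release before trusting it in monitoring.

```python
"""Parse `cphaprob state` and `cphaprob -a if` output and flag cluster problems.

Added example, not from the thread. The sample text is the output quoted in the
reply; the column layout is assumed from that one sample.
"""
import re

CPHAPROB_STATE = """\
Cluster Mode: Load Sharing (Unicast/SDF)
Number Unique Address Assigned Load State
1 10.0.0.1 30% Active (pivot)
2 (local) 10.0.0.2 70% Active
"""

CPHAPROB_IF = """\
Required interfaces: 4
Required secured interfaces: 1
eth0 UP non sync(non secured), broadcast
eth1 UP non sync(non secured), broadcast
eth7 UP non sync(non secured), broadcast
eth13 UP sync(secured), broadcast
Virtual cluster interfaces: 3
eth0 65.129.75.1
eth1 129.174.1.1
eth7 192.168.128.1
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
MEMBER_RE = re.compile(rf"^(\d+)\s+(\(local\)\s+)?({IPV4})\s+(\d+)%\s+(\w+)")
IFACE_RE = re.compile(r"^(\S+)\s+(UP|DOWN)\s+(non sync|sync)\(")
VIP_RE = re.compile(rf"^(\S+)\s+({IPV4})\s*$")
COUNT_RE = re.compile(r"^(Required interfaces|Required secured interfaces|Virtual cluster interfaces):\s+(\d+)")


def parse_state(text):
    """Return {'mode': str, 'members': [{id, local, ip, load, state}, ...]}."""
    state = {"mode": None, "members": []}
    for line in text.splitlines():
        if line.startswith("Cluster Mode:"):
            state["mode"] = line.split(":", 1)[1].strip()
            continue
        m = MEMBER_RE.match(line)
        if m:
            state["members"].append({
                "id": int(m.group(1)),
                "local": m.group(2) is not None,
                "ip": m.group(3),
                "load": int(m.group(4)),
                "state": m.group(5),
            })
    return state


def parse_interfaces(text):
    """Return declared counts, per-interface up/sync flags, and the VIP per interface."""
    info = {"counts": {}, "interfaces": [], "vips": {}}
    for line in text.splitlines():
        c = COUNT_RE.match(line)
        if c:
            info["counts"][c.group(1)] = int(c.group(2))
            continue
        i = IFACE_RE.match(line)
        if i:
            info["interfaces"].append({"name": i.group(1), "up": i.group(2) == "UP", "sync": i.group(3) == "sync"})
            continue
        v = VIP_RE.match(line)
        if v:
            info["vips"][v.group(1)] = v.group(2)
    return info


def health_problems(state, ifinfo):
    """Findings list; empty means a Load Sharing cluster with all members Active and VIPs in place."""
    problems = []
    if not state["mode"] or "Load Sharing" not in state["mode"]:
        problems.append(f"not in Load Sharing mode: {state['mode']!r}")
    for m in state["members"]:
        if m["state"] != "Active":
            problems.append(f"member {m['id']} ({m['ip']}) is {m['state']}")
    total = sum(m["load"] for m in state["members"])
    if state["members"] and total != 100:
        problems.append(f"assigned load sums to {total}%, not 100%")
    for i in ifinfo["interfaces"]:
        if not i["up"]:
            problems.append(f"interface {i['name']} is DOWN")
    secured = [i for i in ifinfo["interfaces"] if i["sync"]]
    if len(secured) < ifinfo["counts"].get("Required secured interfaces", 1):
        problems.append("too few secured sync interfaces")
    declared = ifinfo["counts"].get("Virtual cluster interfaces", 0)
    if declared != len(ifinfo["vips"]):
        problems.append(f"{declared} virtual interfaces declared, {len(ifinfo['vips'])} VIPs listed")
    non_sync = {i["name"] for i in ifinfo["interfaces"] if not i["sync"]}
    for name in ifinfo["vips"]:
        if name not in non_sync:
            problems.append(f"VIP on {name}, which is not a non-sync cluster interface")
    return problems


if __name__ == "__main__":
    findings = health_problems(parse_state(CPHAPROB_STATE), parse_interfaces(CPHAPROB_IF))
    print(findings or "cluster looks healthy")
```

On a real gateway feed the functions the output of `cphaprob state` and `cphaprob -a if` collected over SSH; a member shown as anything other than Active, or a VIP declared on an interface that is not a cluster interface, is exactly the mismatch the reply is pointing at.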

  • Keepalives over Checkpoint Firewall

    Hello!
    I'm having some problems with CSS keepalives over a Checkpoint firewall.
    It is not a CSS problem, but maybe someone has experienced the same and can help me solve it.
    We do some TCP or HTTP HEAD keepalives over the firewall to some application servers.
    The firewall seems to terminate the TCP connection and also the HTTP requests, and the service is always alive, because the firewall answers the requests.
    The guys who administer the firewall do not know why the firewall does this and do not know how to disable that feature.
    Has anyone an idea how the firewall must be modified to not answer the keepalives?
    This problem only appears on TCP port 80. All other TCP ports work.
    Best regards
    Sven

    Hello Gilles,
    thanks for that fast response.
    Not sure if this is the feature.
    But my HEAD keepalives do not work, because the firewall is generating an error web page with a response code of 200 OK.
    Let's have a look at this:
    REQUEST: **************\nGET /monitor/alive?op=css HTTP/1.1\r\n
    Host: 172.21.86.135\r\n
    Accept: */*\r\n
    Authorization: Basic U3ZlbkJ1dHplazo=\r\n
    \r\n
    RESPONSE: **************\nHTTP/1.0 200\r\n
    Pragma: no-cache\r\n
    Cache-Control: no-cache\r\n
    Content-Type: text/html\r\n
    Content-Length: 108\r\n
    \r\n
    Error\n\n
    Error\nFW-1 at fw1gsb2bln: Failed to connect to the WWW server.\r\nWWWConnect::Close("172.21.86.135","80")\nclosed source port: 2314\r\n
    finished.
    The IP 172.21.86.135 is not configured on any device.
    Doing HTTP GET keepalives would solve this on the CSS, but not on the CSM, and I also want to include more than 256 keepalives per CSS.
    Sven
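The response captured above is the general failure mode of status-code-only health checks behind an HTTP-proxying firewall: the firewall's HTTP Security Server accepts the TCP connection, cannot reach the backend, and still answers 200 with its own error page, so the keepalive never sees a failure. Whatever the firewall team does about the proxying, the check itself should demand the backend's own content. The following is an added example, not code from the thread or from Cisco; the intercepted response is rebuilt from the bytes quoted above, while the "genuine" response, the `alive` marker expected from `/monitor/alive` and the signature list are assumptions for the demonstration.

```python
"""Judge an HTTP keepalive response, refusing a 200 that the firewall generated.

Added example, not from the thread. The intercepted body is reconstructed from the
reply's capture; the genuine response, marker and signatures are assumptions.
"""

# Strings that appear in the FW-1 HTTP Security Server error page quoted above.
FW1_SIGNATURES = (
    b"FW-1 at ",
    b"Failed to connect to the WWW server",
    b"WWWConnect::Close",
)


def build_response(status_line, headers, body):
    """Assemble raw HTTP bytes with a Content-Length that matches the body (constructed data)."""
    hdrs = dict(headers)
    hdrs["Content-Length"] = str(len(body))
    head = status_line + "\r\n" + "".join(f"{k}: {v}\r\n" for k, v in hdrs.items())
    return head.encode() + b"\r\n" + body


# Modelled on the capture in the reply: HTTP/1.0 200 carrying the firewall's error page.
FW1_INTERCEPTED = build_response(
    "HTTP/1.0 200",
    {"Pragma": "no-cache", "Cache-Control": "no-cache", "Content-Type": "text/html"},
    b"<html><head><title>Error</title></head><body>Error\n"
    b"FW-1 at fw1gsb2bln: Failed to connect to the WWW server.\r\n"
    b'WWWConnect::Close("172.21.86.135","80")\n</body></html>',
)

# Assumed answer from /monitor/alive?op=css on the real application server.
GENUINE = build_response(
    "HTTP/1.1 200 OK",
    {"Content-Type": "text/plain", "Server": "app-monitor"},
    b"alive op=css\n",
)


def parse_response(raw):
    """Split raw bytes into (version, status, headers, body). Minimal: no chunked decoding."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ", 2)
    version = parts[0].decode("ascii", "replace")
    status = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else 0
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("ascii", "replace")] = value.strip().decode("latin-1")
    return version, status, headers, body


def judge_keepalive(raw, expected_marker):
    """Return (up, reason). Up only for a complete 200 without a firewall
    signature that contains the marker the real backend emits."""
    version, status, headers, body = parse_response(raw)
    if status != 200:
        return False, f"status {status}"
    for sig in FW1_SIGNATURES:
        if sig in body:
            return False, f"200 but body carries firewall signature {sig!r}"
    if expected_marker not in body:
        return False, "200 without the expected marker; answered by something else"
    try:
        declared = int(headers.get("content-length", len(body)))
    except ValueError:
        declared = len(body)
    if declared != len(body):
        return False, f"truncated body ({len(body)} of {declared} bytes)"
    return True, f"{version} 200 with marker"


if __name__ == "__main__":
    for label, raw in (("intercepted", FW1_INTERCEPTED), ("genuine", GENUINE)):
        print(label, judge_keepalive(raw, b"alive"))
```

This is also why the thread's suggestion of switching to GET keepalives helps: a HEAD check has no body to validate, so only a GET with content matching can tell the backend apart from whatever answers on its behalf.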

  • Any tool to migrate from a Nokia/CheckPoint firewall to CISCO ASA

    Would like to know if there is any tool that could help to migrate CheckPoint firewall objects and rules database to CISCO ASA equivalent ;
    Could the last CISCO Security Manager product help in this process ?
    thanks in advance

    Joel, you may need to use a firewall analyser or firewall auditing tool to retrieve the firewall rules from the Nokia/FW-1 in a legible format, like using LFA, but you still need to manually enter the configuration into the ASA.
    Check this link and look for the Lumeta Firewall Analyzer (LFA); they work along with Checkpoint.
    http://www.lumeta.com/
    Also reference this thread, it may help.
    http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Security&topic=General&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.1dd7e5c4
    HTH
    Jorge

  • With CheckPoint Firewall

    I am using CheckPoint firewall and running a cluster with 2 nodes on the same machine,
    an E10K machine. The application is running fine without the firewall. However,
    when I run a stress test within the firewall, the system is down for around an hour,
    and even the whole network goes down. Any advice?

    Could you please elaborate more on "the system is down around an hour, even the whole
    network will go down"?
    Rajesh Mirchandani
    Developer Relations Engineer
    BEA Support

  • WAAS Cached content access through Checkpoint firewall

    Hello,
    I would like to open access to the cached content on the WAAS from a server through a Checkpoint firewall. The server has to have L3 access to the actual WAE device, from what I understand. Is this feasible? What ports would I need to open in the Checkpoint?
    Thanks
    Doug Bradfield      

    Hello Douglas,
    You're correct. If you see an optimized connection, it is probably being cached (probably not the whole file). There is a big difference between "cache data" and "preposition data".
    Cache data is not for you to control or manually retrieve from the WAE box. WAAS controls what is being cached or deleted when more new data comes through.
    Preposition data is something you can manually store on the remote WAE so remote users benefit from faster access to files already prepositioned. But this is upon remote users' requests to the server (users don't know that WAAS exists; they just see the server share they've always used), so WAAS notices that a user is requesting a file that a remote WAE already has in its prepositioned files, and provides faster access to the file.
    Neither of these two options above will let you access WAAS content as you describe in the initial question. You said you want to open access to WAE files from a server, right? You can still get the files on your server, and these files can be optimized if your server is behind the WAAS optimization path, but you'd need to go to the server and copy the files one by one, just as if you were retrieving them from a client PC.
    hope this helps!

  • Cisco 8851 phones registering through Checkpoint firewall

    We have a customer with a secured network, using Checkpoint firewalls and have a VPN site-to-site tunnel between our Cisco ASA and their Checkpoint firewall, with Cisco phones on the far side of the tunnel and CallManager 8.6 behind the ASAs.  We have all the proper network ports referenced, but cannot get either a new Cisco 8851 (SIP) or a Cisco 7942 phone to register.  The 8851 phone, when it tries to register, uses the 6970 port for distributed TFTP via HTTP first (by design), followed by TFTP/69.  The 7900 phone never generates TFTP on port 69 at all.  What is also strange is that the source port 5060 on the 8851 phone seems to be masked with an upper ephemeral network port (51566) when the request traverses the network, regardless of it passing through the firewall or a router.  I know that TFTP uses UDP, but there is nothing in the docs that state it uses these upper port ranges?
    Is this behavior normal for a Cisco SIP-based phone, and with the Skinny phone, is there something with Checkpoint firewalls that causes issues with Cisco VoIP phones? I have done keyword searches on the forum for this issue, but have not found anything significant. I have also looked at the Nokia support forum and saw some briefs, but they didn't directly describe our issue. Any help would be greatly appreciated.
    Thanks,

    Hi Andrew
    The attached document may assist:
    http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/port/7_0/CCM_7.0PortList.pdf
    A lot depends on topology etc, and the handset registration protocol you are using (SIP vs SCCP).
    Hope this helps.
    Barry Hesk
    Intrinsic Network Solutions

  • SCOM Management pack for Checkpoint Firewall & Fortigate UTM

    HI ,
    Does anybody know whether there is a Management Pack for Checkpoint (www.checkpoint.com) and
    Fortigate appliances (http://www.fortinet.com/products/fortigate/index.html)?
    Please advise me.
    Regards, COMDINI

    Hi,
    If you cannot find them in system center marketplace:
    http://systemcenter.pinpoint.microsoft.com/en-US/home
    you can contact the vendors for management pack.
    Alex Zhao
    TechNet Community Support

  • HSRP with single checkpoint firewall...

    Hi,
    I need some advice from the experts here. Is it all right if we implement the firewall in such a design?

    You might be able to get it to fly if you can make sure the multicast HSRP packets can flow both ways.
    I would suggest a common link between the two routers in front of the cloud for HSRP.

  • Nexus 5548UP with Checkpoint firewall

    I know this is a little out of scope, but was hoping someone would have some insight.
    I have two Checkpoint firewalls connected to Cisco Nexus 5548UPs 10G. I am noticing a lot of dropped RC on the Checkpoint interfaces. I'm wondering if the firewalls cannot support the fast cut-through speed of the Cisco switches. Is there anything I can do on the Cisco side to help the Checkpoints handle the traffic? Flow control maybe? Thanks.

    Hi Adnan,
    Kindly check the PPT attached  for more detailed design tips for same.
    Best Regards
    Sachin Garg
