NAC and Checkpoint firewall

Hi to all,
Does anyone know if it is possible to configure SSO using NAC and the Checkpoint firewall VPN client software on a user machine?
Thanks in advance for your help

Mark,
If the checkpoint device can do standard radius accounting, it can work with CCA. When doing VPN SSO with CCA, it only cares about the accounting packets from the VPN head-end.
HTH,
Faisal

Similar Messages

  • Oracle server and Checkpoint firewall

    When setting block Findricset SQL Injection
    on Checkpoint firewall and try to login by sqlplus
    to the db server (8.1.7) behind that firewall
    the following error messages occur:
    ORA-24323: value not allowed
    ERROR:
    ORA-03114: not connected to ORACLE
    Error accessing PRODUCT_USER_PROFILE
    Warning: Product user profile information not loaded!
    You may need to run PUPBLD.SQL as SYSTEM
    ORA-24323: value not allowed
    ORA-24323: value not allowed
    Error accessing package DBMS_APPLICATION_INFO
    ERROR:
    ORA-03114: not connected to ORACLE
    SP2-0575: Use of Oracle SQL feature not in SQL92 Entry Level
    ORA-24323: value not allowed
    Can anyone tell me where's the problem?

    It appears that the firewall is blocking the connection to the database. Since this appears to be something more than a basic firewall product (i.e. it is doing more than allowing and denying requests on particular ports for particular IP addresses), you would need to talk to your firewall vendor to determine why it thinks a SQL*Plus connection is a SQL injection risk and how to get around the problem.
    Of course, you could set up something like Oracle Connection Manager to proxy the connection through the firewall, but that may well defeat the point of an active firewall product.
    Justin

  • No Ping-Answer in Site-To-Site-Connection between Cisco 876 and CheckPoint-Firewall

    Hello!
    We try to establish a Site-To-Site-IPSec-connection between a Cisco 876 (local site) and a CheckPoint-firewall (remote site). The Cisco 876 is not directly connected to the internet, but is behind a DSL-Router with port-forwarding, forwarding ports 500 and 4500. The running config of the Cisco 876 is appended to this discussion thread. Unfortunately I get no output when debugging the connection with commands "debug crypto isakmp" and "debug crypto ipsec".
    From the Checkpoint-firewall point of view the connection seems to establish, but there is no ping answer.
    The server on the local site that should be reached from the network behind the Checkpoint-firewall has a routing entry "route -P add [inside ip-net remote] 255.255.255.0 [inside ip local]" (see also appended running config for naming of ip-addresses).
    Establishing a Cisco VPN-Client connection to the same Cisco 876 router works fine.
    Any help would be very much appreciated!
    Jakob J. Blaette

    Hi Jakob,
    Adding my two cents here.
    You always need to confirm that the following ports and protocol are opened:
    1- UDP port 500 --> ISAKMP
    2- UDP port 4500 --> NAT-T
    3- Protocol 50 ---> ESP
    A LAN-to-LAN tunnel will never establish a session over TCP, but it could use NAT-T (if behind NAT). Remember that a one-to-one translation is not port-forwarding; a LAN-to-LAN tunnel does not work well unless you have a one-to-one translation for the NATted device, which I think, in your case, is the router.
    HTH.
    Portu.
    Please rate any helpful posts and mark this post as answered.

  • Cisco NAC and Checkpoint VPN

    Hi,
    Wondering if anyone has ever come across a scenario where they've integrated Cisco NAC with a Checkpoint VPN solution (using Power1 5075)?
    Any ideas or collateral would be appreciated.
    Thanks
    mark

    Mark,
    If the checkpoint device can do standard radius accounting, it can work with CCA. When doing VPN SSO with CCA, it only cares about the accounting packets from the VPN head-end.
    HTH,
    Faisal
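Faisal's point in both threads above is that CCA's VPN SSO keys off the RADIUS accounting packets the VPN head-end sends. The following added example (not Cisco CCA or Check Point code) shows the check a NAC-side receiver should make before trusting such a packet: verify the RFC 2866 Request Authenticator against the shared secret, then decode User-Name, Framed-IP-Address and Acct-Status-Type. The shared secret, the attribute set and the sample packet are constructed here.

```python
"""Verify and decode a RADIUS Accounting-Request (RFC 2866) before using it
for VPN SSO user-to-IP mapping.  Added example, not Cisco CCA or Check Point
code; the shared secret and the sample packet below are constructed."""
import hashlib
import struct
from ipaddress import IPv4Address

ACCOUNTING_REQUEST = 4
ATTR_NAMES = {1: "User-Name", 4: "NAS-IP-Address", 8: "Framed-IP-Address",
              40: "Acct-Status-Type", 44: "Acct-Session-Id"}
ACCT_STATUS = {1: "Start", 2: "Stop", 3: "Interim-Update"}


def avp(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as Type, Length (including the 2-byte header), Value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def build_accounting_request(secret: bytes, ident: int, attrs: bytes) -> bytes:
    """Build an Accounting-Request whose Request Authenticator is
    MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret)."""
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(attrs))
    authenticator = hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest()
    return header + authenticator + attrs


def parse_accounting_request(packet: bytes, secret: bytes) -> dict:
    """Return decoded attributes; raise ValueError if the packet is malformed
    or its authenticator does not match the shared secret (forged, or sent by
    a client we do not know).  Such a packet must not update any SSO mapping."""
    if len(packet) < 20:
        raise ValueError("short packet")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Accounting-Request")
    attrs = packet[20:]
    expected = hashlib.md5(packet[:4] + b"\x00" * 16 + attrs + secret).digest()
    if expected != packet[4:20]:
        raise ValueError("bad Request Authenticator")
    decoded, pos = {}, 0
    while pos < len(attrs):
        if pos + 2 > len(attrs):
            raise ValueError("truncated attribute header")
        attr_type, attr_len = attrs[pos], attrs[pos + 1]
        if attr_len < 2 or pos + attr_len > len(attrs):
            raise ValueError("malformed attribute length")
        value = attrs[pos + 2:pos + attr_len]
        if attr_type in (4, 8, 40) and len(value) != 4:
            raise ValueError("bad fixed-length attribute")
        name = ATTR_NAMES.get(attr_type, f"Attr-{attr_type}")
        if attr_type in (4, 8):                    # IPv4 address attributes
            decoded[name] = str(IPv4Address(value))
        elif attr_type == 40:                      # Acct-Status-Type integer
            decoded[name] = ACCT_STATUS.get(struct.unpack("!I", value)[0], "Unknown")
        else:                                      # text attributes
            decoded[name] = value.decode("utf-8", "replace")
        pos += attr_len
    return decoded


def is_authentic(packet: bytes, secret: bytes) -> bool:
    """True only if the packet parses and its authenticator verifies."""
    try:
        parse_accounting_request(packet, secret)
        return True
    except ValueError:
        return False


# Constructed sample: the Start record a VPN head-end would send for user "mark".
SECRET = b"example-shared-secret"
SAMPLE = build_accounting_request(
    SECRET, 7,
    avp(1, b"mark") + avp(4, IPv4Address("10.0.0.1").packed)
    + avp(8, IPv4Address("10.10.5.23").packed) + avp(40, struct.pack("!I", 1))
    + avp(44, b"sess-0001"))
```

Only a packet that passes is_authentic should be allowed to create or tear down a user-to-IP session; a Stop record with a bad authenticator is how a forged packet could otherwise log a user out.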

  • Checkpoint Firewall Management Server Lost Identity in MARS

    About a month ago, we added our Checkpoint firewall to MARS as well as the 2 Firewall agents who reported to the device. The devices were recognized and running properly.
    At some point in the last week, the Checkpoint management server lost its identity within MARS. Instead of being recognized as a Checkpoint device, the server is now considered a "Generic Router Version Unknown" via the Device Type.
    The agent firewalls beneath this device still exist as desired, but MARS is no longer recording logs for the primary device.
    I'm ready to remove and recreate the device, but I'm interested to figure out how this could have happened. Nothing in the Audit Trail points to any weird configuration changes.
    I've posted a picture here: http://pixpin.com/viewer.php?file=mars-checkpoint-j1zc.jpg

    It might have to do with bug CSCse03097 - CheckPoint LEA record comes to MARS later and later for better understanding

  • RADIUS and CHECKPOINT and NORTEL

    I have installed the NMAS modules from Border Manager 3.8 onto a Netware 6 SP3 box. I installed per TID 10078616 and can authenticate from my W2K workstation fine.
    I am now trying to authenticate from a Nortel switch and a VPN from a checkpoint firewall. So far I have installed all of the login methods and I still get an unknown RADIUS client on the RADIUS server when logging in from the Nortel switch. I have not tried to authenticate from the checkpoint firewall yet.
    Does anyone have pointers as to the configuration to use the RADIUS server with Nortel or Checkpoint or a pointer to a technical description of the various login methods?
    John

    John,
    I have a very similar problem with our 3com switches, can you give me more details of what you did to get it working?
    Thanks a lot,
    Matt Hudson
    (CNE6.5)
    "John Curran" <[email protected]> wrote in message
    news:[email protected]...
    > Thank you very much, Jordack. The instructions were clear and concise.
    >
    > We got the Checkpoint firewall to authenticate VPNs with the RADIUS server.
    >
    > Also, I got the information from Nortel to allow authentication. I had to
    > set up the Radius server to allow Service-Type Administrative and
    > Service-Type NAS-Prompt. Then I had to go into each user and set up
    > one of the service types.
    >
    > Thanks for your help.
    >
    > John
    >
    >
    > >>> Jordack<[email protected]> 01/26 9:36 AM >>>
    > I uploaded a quick draft guide. It should help.
    >
    > http://www.thiscorner.com/guides/cp-radius.pdf
    >
    > Jordack
    >
    > "John Curran" <[email protected]> wrote in message
    > news:[email protected]...
    > > Thanks for the input. I will get that book.
    > >
    > > With the Nortel switch it is curious. I had forgotten to add the switch
    > > to the client list. When I did, the radius server accepts the
    > > authentication and sends an accept message, but the Nortel switch says
    > > access denied. I put a Sniffer on the link and the accept message looks
    > > just like any other accept message (follows RFC 2865). I have a feeling
    > > Nortel does not follow RFC 2865 or does not like the authentication ID for
    > > some reason. I guess I will have to work more with Nortel to resolve that
    > > one.
    > >
    > > John
    > >
    > >
    > >>>> Jordack<[email protected]> 01/26 7:53 AM >>>
    > > Sorry about not responding, I saw your post and meant to dig up my notes
    > > and respond.
    > >
    > > I don't know much about the Nortel stuff.
    > >
    > > Make sure you have added the IP address of your Nortel and Checkpoint box
    > > to the 'Clients' page of the 'Radius:Dial access System'. The DAS will only
    > > accept connections from known clients. From the sounds of it that might
    > > be the issue.
    > >
    > > For the CheckPoint Setup stuff there are a few things you will need to do
    > > on the Checkpoint Box.
    > >
    > > I used this book http://www.syngress.com/catalog/chapter.cfm?pid=25903 and
    > > everything worked.
    > >
    > > I was working on a small guide for CheckPoint radius but got pulled to
    > > other things. If I get it finished I'll post it.
    > >
    > >
    > > "John Curran" <[email protected]> wrote in message
    > > news:[email protected]...
    > >> I have installed the NMAS modules from Border Manager 3.8 onto a Netware 6
    > >> SP3 box. I installed per TID 10078616 and can authenticate from my W2K
    > >> workstation fine.
    > >>
    > >> I am now trying to authenticate from a Nortel switch and a VPN from a
    > >> checkpoint firewall. So far I have installed all of the login methods and
    > >> I still get an unknown RADIUS client on the RADIUS server, when logging in
    > >> from the Nortel switch. I have not tried to authenticate from the
    > >> checkpoint firewall yet.
    > >>
    > >> Does anyone have pointers as to the configuration to use the RADIUS server
    > >> with Nortel or Checkpoint or a pointer to a technical description of the
    > >> various login methods?
    > >>
    > >> John

  • NMAS based token for radius authentication towards checkpoint firewall

    Hi,
    I'm looking for token based access towards a checkpoint firewall. I found
    out about radius, and think that's the way to go.
    Our user administration is NW65SP2 & Edir 8.7.3 based.
    Has anyone a success story about a token based radius server based on this
    configuration?
    Which token?
    Additional software?
    Anyone?

    Hi Peter,
    have a look at the RADIUS implementation CookBook (www.vasco.com/novell)
    chris
    > We use Vasco tokens for two things: Checkpoint Firewall-1 VPN
    > authentication, and iChain 2.2 RADIUS authentication. The current
    > RADIUS.NLM that we use is from the iChain authentication CD.
    >
    > The only problem I can think of to mention is the "Unknown RADIUS client"
    > error that we got after NW6 SP5. That was solved by the latest NMAS patches
    > and an upgrade from eDir 8.6.2 to 8.7.3.
    >
    > "Peter van de Meerendonk" <[email protected]> wrote in
    > message news:JNiQd.595$[email protected]..
    > > > Well, just let me cover my hiney a little. We did have extremely bad
    > > > results with Activcard ACO000 tokens, but that is an old product from
    > > > about 3-4 years ago. I have no knowledge of the current Activcard tokens.
    > > >
    > > OK, but the licensing policy makes Activcard a costly alternative. We've
    > > got a good deal on RSA, and are negotiating a deal on Vasco. Eventually we
    > > might need 250+ tokens.
    > >
    > > I am very interested in configuration details of your setup. Do you use
    > > the tokens only for Checkpoint authentication, or for Novell
    > > authentication as well?

  • ACE - Probe suggestion for CheckPoint Firewall ?

    Hi to all,
    Assume that inbound interface of FW1 side cable unplugged. In this scenario the probes are still up. Probes cannot detect this situation and fail over doesn't take place. As you can see it is impossible to detect cable tear down unless we have an IP address from different vlan. I have an idea about to solve this issue, I need to create a new vlan (for instance vlan 200) on the ACE_INSIDE. We will insert a static route on ACE_OUTSIDE. That static route will try to access vlan 200 via FW1 outside interface. Then we will be sure when the FW1 fails. Of course vice versa will be valid. We can use similar configuration for the FW0 too. According to the configuration that I have attached and my solution, can you give me a configuration example or do you have a better way to accomplish this task. I will be waiting for your suggestion or solution as soon as possible. I have little time to solve this. Thanks in advance.
    Best Regards.
    Note: Topology and all necessary configs are attached.

    First of all, this is the FIRST time I've heard someone is running Secureplatform NGx R65 in Active/Active WITHOUT ClusterXL. I could be wrong, though unlikely, but that is not possible. Take a look at the pair of Checkpoint firewall NGx R65 Secureplatform in Active/Active Unicast mode:
    [Expert@NGx-lab2]# cphaprob state
    Cluster Mode: Load Sharing (Unicast/SDF)
    Number Unique Address Assigned Load State
    1 10.0.0.1 30% Active (pivot)
    2 (local) 10.0.0.2 70% Active
    [Expert@NGx-lab2]# cphaprob -a if
    Required interfaces: 4
    Required secured interfaces: 1
    eth0 UP non sync(non secured), broadcast
    eth1 UP non sync(non secured), broadcast
    eth7 UP non sync(non secured), broadcast
    eth13 UP sync(secured), broadcast
    Virtual cluster interfaces: 3
    eth0 65.129.75.1
    eth1 129.174.1.1
    eth7 192.168.128.1
    [Expert@NGx-lab2]#
    Again, I think it is NOT possible to run Checkpoint in Active/Active mode without ClusterXL. You may want to check the configuration again. You can NOT have active/active without VIP IPs.

  • WAAS and Checkpoint compatibility.

    Hello
    Is there such a thing? Can I hope to install a WAE behind a Checkpoint firewall? Should I use tunnel mode udp 4050?
    I've run into a paper that suggests using "Wire Mode" on Checkpoint.
    Are there alternatives? Did someone out there have to do anything like this?
    Thanks a lot.
    GG

    Thanks for your replies. The following rules were modified and WAAS worked just fine.
    Sequence Verifier
    http://www.checkpoint.com/defense/advisories/public/2004/cpai-2004-17.html
    Packet Sanity
    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1071
    Thanks again
    Guido

  • Keepalives over Checkpoint Firewall

    Hello!
    I'm having some problems with CSS Keepalives over a Checkpoint Firewall.
    It is not a CSS problem, but maybe someone has experienced the same and can help me with how I can solve it.
    We do some TCP or HTTP Head Keepalives over the Firewall to some Application servers.
    The Firewall seems to terminate the TCP Connection and also the HTTP Requests, and the Service is always alive, because the Firewall answers the requests.
    The guys who administrate the firewall do not know why the firewall does this and do not know how to disable that feature.
    Has anyone an idea how the firewall must be modified to not answer the keepalives?
    This problem only appears on TCP Port 80. All other TCP Ports work.
    Best regards
    Sven

    Hello Gilles,
    thanks for that fast response.
    Not sure if this is the feature.
    But my Head Keepalives do not work, because the Firewall is generating an error web page with a response code of 200 OK.
    Let's have a look into this:
    REQUEST: **************\nGET /monitor/alive?op=css HTTP/1.1\r\n
    Host: 172.21.86.135\r\n
    Accept: */*\r\n
    Authorization: Basic U3ZlbkJ1dHplazo=\r\n
    \r\n
    RESPONSE: **************\nHTTP/1.0 200\r\n
    Pragma: no-cache\r\n
    Cache-Control: no-cache\r\n
    Content-Type: text/html\r\n
    Content-Length: 108\r\n
    \r\n
    Error\n\n
    Error\nFW-1 at fw1gsb2bln: Failed to connect to the WWW server.\r\nWWWConnect::Close("172.21.86.135","80")\nclosed source port: 2314\r\n
    finished.
    The IP 172.21.86.135 is not configured on any device.
    Doing HTTP Get Keepalives would solve this on CSS, but not on CSM, and I also want to include more than 256 keepalives per CSS.
    Sven
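Sven's capture shows why a keepalive that looks only at the status code is fooled: the FW-1 security server answers the probe itself with 200 and its own error page. The following added example (not CSS or CSM code) parses a raw HTTP response and classifies it by body content rather than status alone; the "ALIVE" marker assumed for /monitor/alive and both sample responses are constructed here, the FW-1 error strings are taken from the capture above.

```python
"""Content-aware HTTP keepalive: tell a real application response apart from
an error page an intermediary generated in-line with 200 OK.  Added example,
not CSS/CSM code; the body marker and the sample responses are constructed."""
import socket

# Marker the real /monitor/alive handler is assumed to return (hypothetical).
EXPECTED_BODY_MARKER = b"ALIVE"
# Strings from the FW-1 generated error page captured in the thread above.
INTERCEPT_MARKERS = (b"FW-1 at ", b"Failed to connect to the WWW server")


def parse_http_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status_code, headers, body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete response: no end of headers")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ", 2)          # "HTTP/1.0 200" has no reason phrase
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/") or not parts[1].isdigit():
        raise ValueError("malformed status line")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return int(parts[1]), headers, body


def classify(raw: bytes) -> str:
    """Return 'alive', 'intercepted' or 'down'.  A 200 alone is not proof of
    life: the body must carry the application's marker and none of the
    intermediary error signatures."""
    try:
        status, _headers, body = parse_http_response(raw)
    except ValueError:
        return "down"
    if any(marker in body for marker in INTERCEPT_MARKERS):
        return "intercepted"
    if status == 200 and EXPECTED_BODY_MARKER in body:
        return "alive"
    return "down"


def probe(host: str, port: int = 80, path: str = "/monitor/alive?op=css",
          timeout: float = 3.0) -> str:
    """Send the keepalive request over TCP and classify what comes back."""
    request = f"GET {path} HTTP/1.0\r\nHost: {host}\r\nAccept: */*\r\n\r\n".encode()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(request)
            raw = b""
            while chunk := sock.recv(4096):
                raw += chunk
    except OSError:
        return "down"
    return classify(raw)


# Constructed samples modelled on the exchange above.
FW1_ERROR_PAGE = (b"HTTP/1.0 200\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n"
                  b"Content-Type: text/html\r\nContent-Length: 108\r\n\r\n"
                  b"Error\n\nError\nFW-1 at fw1gsb2bln: Failed to connect to the "
                  b"WWW server.\r\nWWWConnect::Close(\"172.21.86.135\",\"80\")\n")
REAL_RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n"
                 b"Content-Length: 5\r\n\r\nALIVE")
SERVER_ERROR = b"HTTP/1.1 503 Service Unavailable\r\nContent-Length: 0\r\n\r\n"
```

An "intercepted" result is itself worth alerting on: it means the probe never reached the application and the firewall's HTTP security server is answering port 80 in its place.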

  • Any tool to migrate from a Nokia/CheckPoint firewall to CISCO ASA

    Would like to know if there is any tool that could help to migrate CheckPoint firewall objects and rules database to CISCO ASA equivalent ;
    Could the last CISCO Security Manager product help in this process ?
    thanks in advance

    Joel, you may need to use a firewall analyser or fw auditing tools to retrieve fw rules from Nokia/Fw-1 in a legible format, like using LFA, but you still need to manually enter the configuration into ASA.
    Check this link and look for (LFA) Lumeta firewall analyser, they work along with checkpoint..
    http://www.lumeta.com/
    Also reference this thread, it may help.
    http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Security&topic=General&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.1dd7e5c4
    HTH
    Jorge

  • With CheckPoint Firewall

    I am using CheckPoint firewall and running a cluster with 2 nodes on the same machines with an E10K machine. The application is running fine without the firewall. However, when I run a stress test within the firewall, the system is down for around an hour, even the whole network will go down. Any advice?

    Could you please elaborate more on "the system is down around an hour, even the whole network will go down"?
    Friend wrote:
    > I am using CheckPoint firewall and running a cluster with 2 nodes on the same machines
    > with a E10K machine. The application is running fine without the firewall. However,
    > when I run a stress test within the firewall. The system is down around an hour,
    > even the whole network will go down. Any Advise ?
    Rajesh Mirchandani
    Developer Relations Engineer
    BEA Support

  • Checkpoint Firewall

    Do you know about any problem with checkpoint firewall and SGD4.2?
    I've a customer with that firewall and he is disconnected quite often. Without the firewall, no problem. We checked the firewall log and saw that some times it blocks traffic to our site...
    Any help?
    Thank You

    Define "some times". A snip of the log with successful connections compared to unsuccessful connections would be helpful.

  • WAAS Cached content access through Checkpoint firewall

    Hello,
    I would like to open access to the cached content on the WAAS from a server through a Checkpoint firewall. The server has to have L3 access to the actual WAE device, from what I understand. Is this feasible? What ports would I need to open in the Checkpoint?
    Thanks
    Doug Bradfield

    Hello Douglas,
    You're correct, if you see an optimized connection it is probably being cached (probably not the whole file). There is a big difference between "cache data" and "preposition data".
    Cache data is not for you to control or manually retrieve from the WAE box. WAAS controls what is being cached or deleted when more new data comes through.
    Preposition data is something you can manually store on the remote WAE so remote users benefit from faster access to files already prepositioned. But this is upon remote users' request to the server (users don't know that WAAS exists, they just see the server share they've always used), so WAAS notices that a user is requesting a file that a remote WAE already has in its prepositioned files, and it provides faster access to the file.
    Neither of these two options above will let you access WAAS content like you describe in the initial question. You said you want open access to WAE files from a server, right? You can still get the files on your server, and these files can be optimized if your server is behind the WAAS optimization path, but you'd need to go to the server and copy the files one by one, just as if you were retrieving them from a client PC.
    Hope this helps!

  • Issue bringing up VPN between ASA and Checkpoint - HELP

    Hi all
    We are having major issues bringing up a VPN between our ASA and a third party checkpoint. It seems if the checkpoint initiates the connection it works, but if we initiate it from the ASA it doesn't come up.
    on the ASA I see the following
    any ideas what this is ?
    7  Jan 30 2014  11:52:03  715065  IP = 159.50.93.1, IKE MM Initiator FSM error history (struct &0x79c4bb68) , : MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_SND_MSG1, EV_RESEND_MSG-->MM_WAIT_MSG2, EV_RETRY

    Phase 2 failures mean several things:
    Encryption domain (interesting traffic) fails to match. Checkpoint tends to supernet networks together, by design.
    Phase 2 parameters such as ESP, PFS and seconds timeouts do not match.
    Why don't you put in the relevant configuration on the ASA and, if possible, ask the checkpoint firewall guy to do the following on the firewall:
    - output of "uname -a" and "fw ver"
    - is this Nokia, Windows or Secureplatform Checkpoint?
    - run the following commands on the firewall: "debug ike off", "debug ike trunc" and send you the ike.elg file. That file can be decoded with IKEView.exe and it will tell you exactly where things are wrong.
    Disabling/turning OFF kilobyte timeouts is not the solution.
