With CheckPoint Firewall

          I am using CheckPoint firewall and running a cluster with 2 nodes on the same machines
          with an E10K machine. The application is running fine without the firewall. However,
          when I run a stress test within the firewall, the system is down for around an hour;
          even the whole network will go down. Any advice?
          

Could you please elaborate more on "the system is down around an hour, even the whole
          network will go down" ?
          Friend wrote:
          > I am using CheckPoint firewall and running a cluster with 2 nodes on the same machines
          > with an E10K machine. The application is running fine without the firewall. However,
          > when I run a stress test within the firewall, the system is down for around an hour;
          > even the whole network will go down. Any advice?
          Rajesh Mirchandani
          Developer Relations Engineer
          BEA Support
          

Similar Messages

  • Nexus 5548UP with Checkpoint firewall

    I know this is a little out of scope, but was hoping someone would have some insight.
    I have two Checkpoint firewalls connected to Cisco Nexus 5548UPs 10G. I am noticing a lot of dropped RC on the Checkpoint interfaces. I'm wondering if the firewalls cannot support the fast cut-through speed of the Cisco switches. Is there anything I can do on the Cisco side to help the Checkpoints handle the traffic? Flow control maybe? Thanks.

    Hi Adnan,
    Kindly check the PPT attached for more detailed design tips for the same.
    Best Regards
    Sachin Garg

  • Checkpoint Firewall

    Do you know about any problem with checkpoint firewall and SGD4.2?
    I have a customer with that firewall, and he is disconnected quite often. Without the firewall there is no problem. We checked the firewall log and see that sometimes it blocks traffic to our site...
    Any help?
    Thank You

    Define "sometimes". A snip of the log with successful connections compared to unsuccessful connections would be helpful.

  • No Ping-Answer in Site-To-Site-Connection between Cisco 876 and CheckPoint-Firewall

    Hello!
    We are trying to establish a site-to-site IPsec connection between a Cisco 876 (local site) and a CheckPoint firewall (remote site). The Cisco 876 is not directly connected to the internet but is behind a DSL router with port forwarding, forwarding ports 500 and 4500. The running config of the Cisco 876 is appended to this discussion thread. Unfortunately I get no output when debugging the connection with the commands "debug crypto isakmp" and "debug crypto ipsec".
    From the CheckPoint firewall's point of view the connection seems to establish, but there is no ping answer.
    The server on the local site that should be reached from the network behind the Checkpoint-firewall has a routing entry "route -P add [inside ip-net remote] 255.255.255.0 [inside ip local]" (see also appended running config for naming of ip-addresses).
    Establishing a Cisco VPN-Client connection to the same Cisco 876 router works fine.
    Any help would be very much appreciated!
    Jakob J. Blaette

    Hi Jakob,
    Adding my two cents here.
    You always need to confirm that the following ports and protocol are open:
    1- UDP port 500 --> ISAKMP
    2- UDP port 4500 --> NAT-T
    3- Protocol 50 ---> ESP
    A LAN-to-LAN tunnel will never establish a session over TCP, but it could use NAT-T (if behind NAT). Remember that a one-to-one translation is not port forwarding; a LAN-to-LAN tunnel does not work well unless you have a one-to-one translation for the NATted device, which in your case, I think, is the router.
    HTH.
    Portu.
    Please rate any helpful posts and mark this post as answered.
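    The two checks Portu lists (is IKE arriving on UDP/500 or, behind NAT, as NAT-T on UDP/4500, and is ESP even possible through a port-forwarding router?) can be made mechanical. The following is an added example, not code from the thread or from Cisco or Check Point: it decodes the fixed ISAKMP header (RFC 2408, same layout in IKEv2) from a UDP payload, recognises the RFC 3948 NAT-T framing (four-byte non-ESP marker, single 0xFF keepalive, otherwise ESP-in-UDP), and lists what is still missing for a LAN-to-LAN tunnel given what the path passes. The packets in the `__main__` block are constructed with `build_ike_header`, not captures; the `missing_requirements` input format (a set of `(proto, port)` tuples) is this example's own convention.

```python
import struct

# Exchange-type codes from the ISAKMP header (RFC 2408 s.3.1) and IKEv2 (RFC 7296 s.3.1).
EXCHANGE_TYPES = {
    2: "Identity Protection (IKEv1 Main Mode)",
    4: "Aggressive (IKEv1)",
    5: "Informational (IKEv1)",
    32: "Quick Mode (IKEv1 Phase 2)",
    34: "IKE_SA_INIT (IKEv2)",
    35: "IKE_AUTH (IKEv2)",
    36: "CREATE_CHILD_SA (IKEv2)",
    37: "INFORMATIONAL (IKEv2)",
}

NON_ESP_MARKER = b"\x00\x00\x00\x00"          # RFC 3948 s.2.2: IKE carried inside UDP 4500
NAT_KEEPALIVE = b"\xff"                       # RFC 3948 s.2.3: one-byte NAT-T keepalive
ISAKMP_HEADER = struct.Struct("!8s8sBBBBII")  # 28 bytes, common to IKEv1 and IKEv2


def parse_isakmp_header(data):
    """Decode the fixed 28-byte ISAKMP header shared by IKEv1 and IKEv2."""
    if len(data) < ISAKMP_HEADER.size:
        raise ValueError("short ISAKMP header (%d bytes)" % len(data))
    i_spi, r_spi, next_payload, version, exch, flags, msg_id, length = ISAKMP_HEADER.unpack_from(data)
    return {
        "initiator_spi": i_spi.hex(),
        "responder_spi": r_spi.hex(),        # all zeros in the very first message of a negotiation
        "version": (version >> 4, version & 0x0F),
        "exchange": EXCHANGE_TYPES.get(exch, "unknown (%d)" % exch),
        "next_payload": next_payload,
        # IKEv1: bit 0 = encrypted.  IKEv2: bit 3 = initiator, bit 5 = response.
        "flags": flags,
        "message_id": msg_id,
        "length": length,
    }


def classify_udp_payload(dst_port, data):
    """Classify a UDP payload seen on port 500 or 4500. Returns (kind, decoded-or-None)."""
    if dst_port == 500:
        return "IKE", parse_isakmp_header(data)
    if dst_port == 4500:
        if data == NAT_KEEPALIVE:
            return "NAT-T keepalive", None
        if data.startswith(NON_ESP_MARKER):
            return "IKE over NAT-T", parse_isakmp_header(data[len(NON_ESP_MARKER):])
        # Anything else on 4500 is ESP-in-UDP; the first four bytes are the ESP SPI (never zero).
        return "ESP-in-UDP", {"spi": data[:4].hex()}
    return "not IKE/NAT-T", None


def missing_requirements(observed, behind_nat):
    """observed: set of (proto, port) the path lets through, e.g. {("udp", 500)}.
    Returns what is still missing for a LAN-to-LAN tunnel. ESP (IP protocol 50) has no
    ports, so a port-forwarding router cannot pass it: a peer behind one needs NAT-T."""
    needed = [("udp", 500, "UDP/500 ISAKMP")]
    if behind_nat:
        needed.append(("udp", 4500, "UDP/4500 NAT-T"))
    else:
        needed.append(("esp", None, "IP protocol 50 ESP"))
    return [name for proto, port, name in needed if (proto, port) not in observed]


def build_ike_header(i_spi, r_spi, exchange, version=0x10, next_payload=1,
                     flags=0, msg_id=0, body_len=0):
    """Constructed sample builder (not a captured packet): pack one ISAKMP header."""
    return ISAKMP_HEADER.pack(i_spi, r_spi, next_payload, version, exchange, flags,
                              msg_id, ISAKMP_HEADER.size + body_len)


if __name__ == "__main__":
    # Constructed samples: Main Mode message 1, the same inside NAT-T, a keepalive, ESP-in-UDP.
    mm1 = build_ike_header(b"\x01" * 8, b"\x00" * 8, 2)
    for port, payload in [(500, mm1), (4500, NON_ESP_MARKER + mm1), (4500, NAT_KEEPALIVE),
                          (4500, b"\x12\x34\x56\x78" + b"\x00" * 12)]:
        print(port, classify_udp_payload(port, payload))
    print("missing:", missing_requirements({("udp", 500)}, behind_nat=True))
```

    Fed with the UDP payloads from a capture on the DSL router's LAN side, a responder SPI of all zeros that never changes means the remote peer's reply is not reaching the 876, which matches "debug crypto isakmp" printing nothing; traffic on 4500 that does not start with the zero marker is the ESP-in-UDP data path, and its absence after phase 2 is the usual cause of "tunnel up, no ping".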

  • ACS with Checkpoint

    Hi,
    We have a Checkpoint Firewall using ACS for authentication with RADIUS protocol.
    We have two ACS servers configured as primary and secondary on the Checkpoint. Both the ACS servers are configured to use AD as the external database.
    Checkpoint is forwarding the authentication request to the primary ACS server. The primary ACS server receives the request and keeps trying to authenticate with the AD. For some reason, the authentication is failing. Please check the attached failed login attempt log. ACS tries the authentication many times and hence the account of the user is being locked out on the AD.
    Meanwhile, Checkpoint does not receive any response from the primary ACS server. So, it goes to the secondary ACS server. Checkpoint is able to authenticate with the Secondary ACS server.
    To add more information to the case, the primary ACS server is successfully authenticating requests from wireless Access Points for the same user accounts.
    The External Database configuration on both the ACS servers look the same.
    Please let me know, what could be the problem and why the Primary ACS server is not authenticating requests from Checkpoint, while it can authenticate requests from Wireless Access Points.
    Regards,
    Suresh

    Hi Suresh,
    In the package.cab this is what I find,
    5/2/2007  23:48:13  Authen failed  jiwilson  Global_Admins  External DB account locked out  jiwilson  10.64.45.1
    5/2/2007  23:48:18  Authen failed  jiwilson  Global_Admins  External DB account locked out  jiwilson  10.64.45.1
    AUTH 05/02/2007 23:47:14 E 0365 0728 External DB [NTAuthenDLL.dll]: Windows authentication FAILED (error 1326L)
    AUTH 05/02/2007 23:47:14 I 0365 0728 External DB [NTAuthenDLL.dll]: Reattempting authentication at domain PLT
    AUTH 05/02/2007 23:47:14 I 0365 0728 External DB [NTAuthenDLL.dll]: Attempting Windows authentication for user jiwilson
    Windows is returning error code "error 1326L"
    1326L ERROR_LOGON_FAILURE : The attempted logon is invalid. This is due to either a bad user name or authentication information.
    I would like you to check for a permission issue, since the same user is able to log in from the secondary ACS.
    In the domain controller serving the ACS server:
    - Create a user.
    - To make it hard to hack, give it a very long complicated password.
    - Make the user a member of Domain Admins group.
    - Make the user a member of Administrators group.
    On the Windows 2000 server running ACS:
    - Add new user to proper local group.
    -- Open "Administrative Tools" from the control panel.
    -- Open "Computer Management."
    -- Open "Local Users and Groups" and then "Groups."
    -- Double-click the "Administrators" group.
    -- Click "Add."
    -- Choose the domain from the "Look in" box.
    -- Double-click the user created earlier to add it.
    -- Click OK.
    - Give new user special rights on ACS server.
    -- Open "Administrative Tools" from the control panel.
    -- Open "Local Security Policy."
    -- Open "Local Policies."
    -- Open "User Rights Assignment."
    -- Double-click on "Act as part of the operating system."
    -- Click "Add."
    -- Choose the domain from the "Look in" box.
    -- Double-click the user created earlier to add it.
    -- Click OK.
    -- Double-click on "Log on as a service."
    -- Click "Add."
    -- Choose the domain from the "Look in" box.
    -- Double-click the user created earlier to add it.
    -- Click OK.
    - Set the ACS services to run as the created user.
    -- Open "Administrative Tools" from the control panel.
    -- Open "Services."
    -- Double-click the CSADMIN entry.
    -- Click the "Log On" tab.
    -- Click "This Account" and then the "Browse" button.
    -- Choose the domain, double-click the user created earlier.
    -- Click "OK."
    -- Repeat for the rest of the CS services.
    - Wait for Windows to apply the security policy changes, or reboot the server.
    - If you rebooted the server, skip the rest of these instructions.
    - Stop and then start the CSADMIN service.
    - Open the ACS GUI.
    - Click on System Config.
    - Click on Service Control.
    - Click "Restart."
    Note that if the Domain Security Policy is set to override settings for "Act as part of the operating system" and "Log on as a service" rights,
    the user rights changes listed above will also need to be made there.
    Regards,
    Jagdeep

  • Checkpoint Firewall Management Server Lost Identity in MARS

    About a month ago, we added our Checkpoint firewall to MARS as well as the 2 Firewall agents who reported to the device. The devices were recognized and running properly.
    At some point in the last week, the Checkpoint management server lost its identity within MARS. Instead of being recognized as a Checkpoint device, the server is now considered a "Generic Router Version Unknown" via the Device Type.
    The agent firewalls beneath this device still exist as desired, but MARS is no longer recording logs for the primary device.
    I'm ready to remove and recreate the device, but I'm interested to figure out how this could have happened. Nothing in the Audit Trail points to any weird configuration changes.
    I've posted a picture here: http://pixpin.com/viewer.php?file=mars-checkpoint-j1zc.jpg

    It might have to do with bug CSCse03097 - CheckPoint LEA record comes to MARS later and later for better understanding

  • NAC and Checkpoint firewall

    Hi to all,
    Does anyone know if it is possible to configure SSO using NAC and a Checkpoint firewall VPN client software on a user machine?
    Thanks in advance for your help

    Mark,
    If the checkpoint device can do standard radius accounting, it can work with CCA. When doing VPN SSO with CCA, it only cares about the accounting packets from the VPN head-end.
    HTH,
    Faisal

  • NMAS based token for radius authentication towards checkpoint firewall

    hi,
    I'm looking for token-based access towards a Checkpoint firewall. I found
    out about RADIUS, and think that's the way to go.
    Our user administration is NW65SP2 & eDir 8.7.3 based.
    Does anyone have a success story about a token-based RADIUS server based on this
    configuration?
    Which token?
    Additional software?
    Anyone?

    Hi Peter,
    have a look at the RADIUS implementation CookBook (www.vasco.com/novell)
    chris
    > We use Vasco tokens for two things: Checkpoint Firewall-1 VPN
    > authentication, and iChain 2.2 RADIUS authentication. The current
    > RADIUS.NLM that we use is from the iChain authentication CD.
    >
    > The only problem I can think of to mention is the "Unknown RADIUS client"
    > error that we got after NW6 SP5. That was solved by the latest NMAS patches
    > and an upgrade from eDir 8.6.2 to 8.7.3.
    >
    > "Peter van de Meerendonk" <[email protected]> wrote in
    > message news:JNiQd.595$[email protected]..
    > > > Well, just let me cover my hiney a little. We did have extremely bad
    > > > results with Activcard ACO000 tokens, but that is an old product from
    > > > about 3-4 years ago. I have no knowledge of the current Activcard tokens.
    > > >
    > > OK, but the licensing policy makes Activcard a costly alternative. We've
    > > got a good deal on RSA, and are negotiating a deal on Vasco. Eventually we
    > > might need 250+ tokens.
    > >
    > > I am very interested in configuration details of your setup. Do you use
    > > the tokens only for Checkpoint authentication, or for Novell
    > > authentication as well?

  • Keepalives over Checkpoint Firewall

    Hello!
    I'm having some problems with CSS keepalives over a Checkpoint firewall.
    It is not a CSS problem, but maybe someone has experienced the same and can help me with how I can solve it.
    We do some TCP or HTTP HEAD keepalives over the firewall to some application servers.
    The firewall seems to terminate the TCP connection and also the HTTP requests, and the service is always alive because the firewall answers the requests.
    The guys who administer the firewall do not know why the firewall does this and do not know how to disable that feature.
    Has anyone an idea how the firewall must be modified to not answer the keepalives?
    This problem only appears on TCP port 80. All other TCP ports work.
    Best regards
    Sven

    Hello Gilles,
    thanks for that fast response.
    Not sure if this is the feature.
    But my HEAD keepalives do not work, because the firewall is generating an error web page with a response code of 200 OK.
    Let's have a look into this:
    REQUEST: **************\nGET /monitor/alive?op=css HTTP/1.1\r\n
    Host: 172.21.86.135\r\n
    Accept: */*\r\n
    Authorization: Basic U3ZlbkJ1dHplazo=\r\n
    \r\n
    RESPONSE: **************\nHTTP/1.0 200\r\n
    Pragma: no-cache\r\n
    Cache-Control: no-cache\r\n
    Content-Type: text/html\r\n
    Content-Length: 108\r\n
    \r\n
    Error\n\n
    Error\nFW-1 at fw1gsb2bln: Failed to connect to the WWW server.\r\nWWWConnect::Close("172.21.86.135","80")\nclosed source port: 2314\r\n
    finished.
    The IP 172.21.86.135 is not configured on any device.
    Doing HTTP GET keepalives would solve this on CSS, but not on CSM, and I also want to include more than 256 keepalives per CSS.
    Sven
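    The exchange Sven pasted shows the general failure mode: a health check that trusts the status code alone is satisfied by any intermediary that speaks HTTP, and FireWall-1's HTTP Security Server does exactly that, returning its own "Failed to connect to the WWW server" page with a 200. A HEAD probe has no body to inspect, so it cannot tell the two apart at all. The following is an added example, not part of the thread and not CSS, CSM or Check Point code: it parses a raw HTTP response and declares the backend alive only when the status is 200, the FW-1 error signature is absent, and an application-specific token (here the assumed string `ALIVE`, which the monitor URL would have to return) is present in the body. The firewall response is copied from the thread; the other three responses are constructed.

```python
import re

# Body signature of the FireWall-1 HTTP Security Server error page quoted in the thread.
FW1_ERROR = re.compile(r"FW-1 at \S+: Failed to connect to the WWW server")

# Response quoted in the thread (firewall answering on behalf of an unreachable 172.21.86.135).
FW1_RESPONSE = (
    b"HTTP/1.0 200\r\n"
    b"Pragma: no-cache\r\n"
    b"Cache-Control: no-cache\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: 108\r\n"
    b"\r\n"
    b"Error\n\nError\nFW-1 at fw1gsb2bln: Failed to connect to the WWW server.\r\n"
    b'WWWConnect::Close("172.21.86.135","80")\nclosed source port: 2314\r\n'
)
# Constructed responses: what a healthy backend, a HEAD probe, and a down backend would return.
GOOD_RESPONSE = b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\nContent-Length: 6\r\n\r\nALIVE\n"
HEAD_RESPONSE = b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\nContent-Length: 6\r\n\r\n"
DOWN_RESPONSE = b"HTTP/1.1 503 Service Unavailable\r\nContent-Length: 0\r\n\r\n"


def parse_http_response(raw):
    """Split a raw HTTP/1.x response into (status, headers, body). Header names are lower-cased."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end of headers")
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(None, 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError("not an HTTP status line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(parts[1]), headers, body


def backend_is_alive(raw, expected_token):
    """Decide whether a GET probe really reached the application. Returns (alive, reason).

    Accepting any 200 is what kept the service marked alive while the firewall answered
    for it. Require the application's own token in the body, and name the FW-1 signature
    explicitly so the real cause shows up in the monitoring reason string."""
    status, headers, body = parse_http_response(raw)
    if status != 200:
        return False, "status %d" % status
    if FW1_ERROR.search(body.decode("iso-8859-1", "replace")):
        return False, "answered by FW-1 HTTP security server, backend unreachable"
    if expected_token not in body:
        return False, "200 but expected token missing (HEAD probe or wrong handler?)"
    if "content-length" in headers and int(headers["content-length"]) != len(body):
        return False, "truncated body"
    return True, "ok"


if __name__ == "__main__":
    for name, raw in [("firewall", FW1_RESPONSE), ("good", GOOD_RESPONSE),
                      ("head", HEAD_RESPONSE), ("down", DOWN_RESPONSE)]:
        print(name, backend_is_alive(raw, b"ALIVE"))
```

    On the firewall side, the page in Sven's capture is the signature of FireWall-1's HTTP Security Server (in.ahttpd), which takes over port 80 connections when the matching rule uses an HTTP resource (URI filtering, content security); that is the rule the firewall administrators would need to look at, since the CSS cannot distinguish the proxy's 200 from the server's on the wire.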

  • Any tool to migrate from a Nokia/CheckPoint firewall to CISCO ASA

    Would like to know if there is any tool that could help to migrate CheckPoint firewall objects and rules database to CISCO ASA equivalent ;
    Could the last CISCO Security Manager product help in this process ?
    thanks in advance

    Joel, you may need to use a firewall analyser or firewall auditing tool to retrieve the firewall rules from the Nokia/FW-1 in a legible format, for example using LFA, but you still need to manually enter the configuration into the ASA.
    Check this link and look for (LFA) Lumeta Firewall Analyzer; they work along with Checkpoint.
    http://www.lumeta.com/
    Also reference this thread, it may help.
    http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Security&topic=General&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.1dd7e5c4
    HTH
    Jorge

  • ARP table clash with checkpoint and ASA firewal issue

    We are migrating DMZ segments from a Checkpoint to an ASA 5585 firewall that we had connected to the same segments as the Checkpoint, except on different IP addresses than the Checkpoint interfaces. The Checkpoint interfaces are the default gateway for the servers. When I implemented the NAT entries below we experienced an ARP table clash between the Checkpoint and ASA firewall on the local segments that caused an application outage. What was determined was that the Checkpoint firewall was showing that all the IP addresses, in particular on the VLAN130 segment, were associated with the MAC address of the ASA interface instead of the real server MAC address. I need assistance understanding the reason why the Checkpoint was pointing the ARP entries for many different addresses on VLAN130 to the ASA firewall MAC.
    nat (any,internet-outside) source static any any destination static isxh2007_Xlate_167.9.6.21 isxh2007_10.121.201.86 unidirectional description To match chkpt NAT rule #5
    nat (VLAN130,internet-outside) source static ISX_EDI_Hosts isxh2008_Xlat_167.9.6.22 unidirectional
    nat (any,internet-outside) source static Private-Addresses ISX_OUTBOUND_NAT_167.9.6.1 destination static external_167.9.x external_167.9.x unidirectional
    nat (any,any) source static Mars-Internal-All Mars-Internal-All destination static Private-Addresses Private-Addresses
    nat (internet-dmz,internet-outside) source static acs-vmww2419.mars-ad.net acs-vmww2419_xlate_167.9.6.23
    nat (internet-dmz,internet-outside) source static acs_vmww2420 acs_vmww2420_xlate_167.9.6.24
    nat (internet-dmz,internet-outside) source static pass_reset_internal_10.121.201.50 pass_reset_external_167.9.6.25
    nat (internet-dmz,internet-outside) source static HE-Portal-poland_10.121.120.10 ext_HE-Portal-poland_167.9.6.26
    nat (any,internet-outside) source dynamic any ISX_OUTBOUND_NAT_167.9.6.1
    isxasa04/wwy-legacy# sho interface
    Interface TenGigabitEthernet0/8.129 "core-inside", is down, line protocol is down
    MAC address 442b.0330.aba2, MTU 1500
    IP address 10.121.129.X, subnet mask 255.255.255.0
    Traffic Statistics for "core-inside":
    241633 packets input, 12094352 bytes
    44788 packets output, 3032584 bytes
    109732 packets dropped
    Interface TenGigabitEthernet0/9.130 "VLAN130", is down, line protocol is down
    MAC address 442b.0330.aba3, MTU 1500
    IP address 10.121.130.X, subnet mask 255.255.255.0
    Traffic Statistics for "VLAN130":
    1264203 packets input, 136452168 bytes
    326080 packets output, 69216516 bytes
    794035 packets dropped
    Interface TenGigabitEthernet0/9.136 "VLAN136", is down, line protocol is down
    MAC address 442b.0330.aba3, MTU 1500
    IP address 10.121.136.X, subnet mask 255.255.255.0
    Traffic Statistics for "VLAN136":
    374547 packets input, 23696109 bytes
    51186 packets output, 3324895 bytes
    173500 packets dropped
    Interface GigabitEthernet0/1 "internet-outside", is down, line protocol is down
    MAC address 442b.0330.ab9b, MTU 1500
    IP address 167.9.6.X, subnet mask 255.255.255.0
    Traffic Statistics for "internet-outside":
    352158 packets input, 17245425 bytes
    76888 packets output, 3872904 bytes
    12255 packets dropped
    Interface GigabitEthernet0/2 "internet-dmz", is down, line protocol is down
    MAC address 442b.0330.ab9c, MTU 1500
    IP address 10.121.201.X, subnet mask 255.255.255.0
    Traffic Statistics for "internet-dmz":
    237795 packets input, 12460108 bytes
    40787 packets output, 2775684 bytes
    27378 packets dropped
    Interface GigabitEthernet0/4 "VLAN140", is down, line protocol is down
    MAC address 442b.0330.ab9e, MTU 1500
    IP address 10.121.140.X, subnet mask 255.255.255.0
    Traffic Statistics for "VLAN140":
    386931 packets input, 18807725 bytes
    48936 packets output, 3319712 bytes
    114417 packets dropped
    We crosschecked MAC addresses and this is what we found:
    Checkpoint ARP table:
    10.121.130.101 44:2b:3:30:ab:a3 3285
    ASA ARP table:
    isxasa04/wwy-legacy# sh arp | i 10.121.130.101
    VLAN130 10.121.130.101 001a.4b06.dd45 10525
    Server real address provided by processing:
    0x001A4B06DD45
    When we saw that the Checkpoints had a different/wrong entry we shut down all the physical ports on the new ASAs (except for failover and management);
    Kevin cleared the ARP table on the Checkpoints and problem was solved;
    Later I saw this:
    isxasa04# sh int | i MAC
    MAC address 442b.0330.ab9a, MTU not set
    MAC address 442b.0330.ab9b, MTU not set
    MAC address 442b.0330.ab9c, MTU not set
    MAC address 442b.0330.ab9d, MTU 1500
    MAC address 442b.0330.ab9e, MTU not set
    MAC address 442b.0330.ab9f, MTU not set
    MAC address 442b.0330.aba0, MTU not set
    MAC address 442b.0330.aba1, MTU not set
    MAC address 442b.0330.ab98, MTU not set
    MAC address 442b.0330.ab99, MTU not set
    MAC address 442b.0330.aba2, MTU not set
    MAC address 442b.0330.aba3, MTU not set

    The ASA is proxy ARPing those MACs. Turn off proxy ARP and put in static ARP entries until you completely shut down the Checkpoint.
    Sent from Cisco Technical Support iPad App
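    The evidence in this thread was found by eye: a Check Point ARP entry of 44:2b:3:30:ab:a3 against an ASA interface MAC printed as 442b.0330.aba3. A naive string comparison misses that match (unpadded octet, different grouping), which is worth automating when two firewalls share a segment during a migration. The following is an added example, not from the thread and not Cisco or Check Point tooling: it normalises the vendor MAC spellings seen on this page, parses the Check Point ARP lines and the ASA "show interface | i MAC" output quoted above, and reports every host address that resolves to a firewall MAC without being one of the firewall's own addresses. The ASA's VLAN130 address is redacted in the thread, so 10.121.130.2 and the third ARP line are constructed for the sample.

```python
import re

MAC_RE = re.compile(r"^[0-9a-f]{12}$")

# Check Point ARP table as quoted in the thread, plus two constructed lines:
# the ASA's own (assumed) VLAN130 address and a healthy server entry.
CHECKPOINT_ARP = """
10.121.130.101 44:2b:3:30:ab:a3 3285
10.121.130.2 44:2b:3:30:ab:a3 120
10.121.130.55 00:1a:4b:06:dd:46 900
"""
ASA_OWN_IPS = {"10.121.130.2"}  # constructed; fill from 'show interface' in practice

# 'sh int | i MAC' output as quoted in the thread.
ASA_SHOW_INT_MAC = """
MAC address 442b.0330.ab9a, MTU not set
MAC address 442b.0330.ab9b, MTU not set
MAC address 442b.0330.ab9c, MTU not set
MAC address 442b.0330.ab9d, MTU 1500
MAC address 442b.0330.ab9e, MTU not set
MAC address 442b.0330.ab9f, MTU not set
MAC address 442b.0330.aba0, MTU not set
MAC address 442b.0330.aba1, MTU not set
MAC address 442b.0330.ab98, MTU not set
MAC address 442b.0330.ab99, MTU not set
MAC address 442b.0330.aba2, MTU not set
MAC address 442b.0330.aba3, MTU not set
"""


def normalize_mac(mac):
    """Canonicalise vendor MAC spellings to 'aa:bb:cc:dd:ee:ff'.

    Handles Cisco dotted groups (442b.0330.aba3), colon or dash separated groups with
    or without zero padding (Check Point prints 44:2b:3:30:ab:a3), and bare hex with
    an optional 0x prefix (0x001A4B06DD45, as the server team supplied it)."""
    s = mac.strip().lower()
    if s.startswith("0x"):
        s = s[2:]
    if "." in s:
        raw = "".join(group.zfill(4) for group in s.split("."))
    elif ":" in s or "-" in s:
        raw = "".join(group.zfill(2) for group in re.split(r"[:\-]", s))
    else:
        raw = s
    if not MAC_RE.match(raw):
        raise ValueError("unparseable MAC: %r" % mac)
    return ":".join(raw[i:i + 2] for i in range(0, 12, 2))


def parse_checkpoint_arp(text):
    """Parse '<ip> <mac> <age>' lines into {ip: canonical mac}."""
    table = {}
    for line in text.strip().splitlines():
        fields = line.split()
        if len(fields) >= 2:
            table[fields[0]] = normalize_mac(fields[1])
    return table


def parse_asa_interface_macs(text):
    """Collect the set of canonical interface MACs from 'show interface | i MAC' output."""
    return {normalize_mac(m) for m in re.findall(r"MAC address ([0-9a-fA-F.]+)", text)}


def find_hijacked_entries(arp_table, firewall_macs, firewall_ips):
    """IPs that resolve to a firewall interface MAC but are not the firewall's own addresses.
    On a shared segment this is the footprint of proxy ARP answering for hosts it does not own."""
    return sorted(ip for ip, mac in arp_table.items()
                  if mac in firewall_macs and ip not in firewall_ips)


if __name__ == "__main__":
    asa_macs = parse_asa_interface_macs(ASA_SHOW_INT_MAC)
    table = parse_checkpoint_arp(CHECKPOINT_ARP)
    print("hijacked:", find_hijacked_entries(table, asa_macs, ASA_OWN_IPS))
```

    Run against the full tables rather than one entry, the script gives the list of hosts whose gateway traffic the Check Point was handing to the ASA, which is the blast radius of the outage. On the ASA side, proxy ARP is disabled per interface with `sysopt noproxyarp <interface>`, individual NAT statements accept the `no-proxy-arp` keyword, and `arp <interface> <ip> <mac>` pins a static entry, which matches the "turn off proxy ARP, add static entries" advice in the reply above.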

  • Cisco 8851 phones registering through Checkpoint firewall

    We have a customer with a secured network, using Checkpoint firewalls, and have a VPN site-to-site tunnel between our Cisco ASA and their Checkpoint firewall, with Cisco phones on the far side of the tunnel and CallManager 8.6 behind the ASAs.  We have all the proper network ports referenced, but cannot get either a new Cisco 8851 (SIP) or a Cisco 7942 phone to register.  The 8851 phone, when it tries to register, uses the 6970 port for distributed TFTP via HTTP first (by design), followed by TFTP/69.  The 7900 phone never generates TFTP on port 69 at all.  What is also strange is that the source port 5060 on the 8851 phone seems to be masked with an upper ephemeral network port (51566) when the request traverses the network, regardless of it passing through the firewall or a router.  I know that TFTP uses UDP, but there is nothing in the docs that states it uses these upper port ranges?
    Is this behavior normal for a Cisco SIP-based phone, and with the Skinny phone, is there something with Checkpoint firewalls that causes issues with Cisco VoIP phones?  I have done keyword searches on the Forum for this issue, but have not found anything significant.  I have also looked at the Nokia support forum, and saw some briefs, but they didn't directly describe our issue.  Any help would be greatly appreciated.
    Thanks,

    Hi Andrew
    The attached document may assist:
    http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/port/7_0/CCM_7.0PortList.pdf
    A lot depends on topology etc, and the handset registration protocol you are using (SIP vs SCCP).
    Hope this helps.
    Barry Hesk
    Intrinsic Network Solutions

  • I can no longer load Google since I upgraded to the new version of Firefox & it's definitely not anything to do with my firewall. How do I figure out what the problem is?

    I upgraded to Firefox 4 and every time I try to open the home page with the Google search bar the connection times out and it's unable to connect. If I type any other address in the address bar it will open up the site; it's only Google it won't open. I've worked through every step on the Firefox support page and checked all my settings, run scans for malware, checked the firewall settings etc., and even with my firewall, antivirus & spam filters all turned off I still can't open Google. I even uninstalled Firefox 4 and went back to version 3.6.16 but still have the same problem. Will I ever be able to Google again? Is there anything else I can try? Any help would be greatly appreciated!

    https://discussions.apple.com/message/25085868#25085868
    I started a thread in Safari Mavericks; I meant to put it in iOS Safari.  The new thread lists all the steps I've taken.  No, I haven't tried another browser.  I've only ever used Safari on my iDevices.

  • I have an old external drive with a firewall connection-How do I use this on my Mac with its USB3 ports?

    I have an old external drive with a firewall connection-How do I use this on my Mac with its USB3 ports?

    Does your Mac have ThunderBolt ports?
    There are ThunderBolt to FireWire adapters.
    As far as I know there are no FireWire to USB 3 adapters.
    Allan

  • Oracle server and Checkpoint firewall

    When setting "block Findricset SQL Injection"
    on the Checkpoint firewall and trying to log in via sqlplus
    to the DB server (8.1.7) behind that firewall,
    the following error messages occur:
    ORA-24323: value not allowed
    ERROR:
    ORA-03114: not connected to ORACLE
    Error accessing PRODUCT_USER_PROFILE
    Warning: Product user profile information not loaded!
    You may need to run PUPBLD.SQL as SYSTEM
    ORA-24323: value not allowed
    ORA-24323: value not allowed
    Error accessing package DBMS_APPLICATION_INFO
    ERROR:
    ORA-03114: not connected to ORACLE
    SP2-0575: Use of Oracle SQL feature not in SQL92 Entry Level
    ORA-24323: value not allowed
    Can anyone tell me where's the problem?

    It appears that the firewall is blocking the connection to the database. Since this appears to be something more than a basic firewall product (i.e. it is doing more than allowing and denying requests on particular ports for particular IP addresses), you would need to talk to your firewall vendor to determine why it thinks a SQL*Plus connection is a SQL injection risk and how to get around the problem.
    Of course, you could set up something like Oracle Connection Manager to proxy the connection through the firewall, but that may well defeat the point of an active firewall product.
    Justin
