
Problem when two Checkpoint Clusters Connected on same Cisco Switch


Got MAC address flapping messages in the Cisco switch log:

Dec 22 17:27:16: %SW_MATM-4-MACFLAP_NOTIF: Host 0000.0000.fe01 in vlan 20 is flapping between port Gi0/12 and port Gi0/11
Dec 22 17:27:16: %SW_MATM-4-MACFLAP_NOTIF: Host 0000.0000.fe00 in vlan 20 is flapping between port Gi0/15 and port Gi0/16
Dec 22 17:27:31: %SW_MATM-4-MACFLAP_NOTIF: Host 0000.0000.fe01 in vlan 20 is flapping between port Gi0/12 and port Gi0/11
Dec 22 17:27:31: %SW_MATM-4-MACFLAP_NOTIF: Host 0000.0000.fe00 in vlan 20 is flapping between port Gi0/16 and port Gi0/15
Dec 22 17:27:46:…

Cisco Pre-defined Access-list Port Number


Working on a PIX/ASA migration to Juniper SRX. Some of the port naming conventions Cisco uses differ from JunOS. I found the following list, mapping port numbers to Cisco's naming convention, on a Cisco 2901 router running "Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), Version 15.0(1)M4":

Router(config)#access-list 101 permit tcp any any eq ?
  <0-65535>    Port number
  bgp          Border Gateway Protocol (179)
  chargen      Character generator (19)
  cmd          …

Checkpoint R75 new feature violated PCI rules


My company recently upgraded our firewall UTM from R71 to R75. It was a neat, no-worries upgrade until today, when our external security company sent us a report: the scan of our public Internet IP addresses failed PCI compliance. The report shows a self-signed Check Point certificate on our Internet-facing firewall. Yes, that is right: every Check Point firewall has a certificate on it, which is self-signed by default. Our policy doesn't allow any http/https access to our firewalls. There is a…

Tcpdump or Fw Monitor, which is better ?


FW MONITOR: It is said that it captures at 4 important points in the firewall, namely i, I, o and O. You would see them in the capture in the same sequence.

i – Pre-inbound, just where the packet is received on the interface. If you see only this, then the packet is dropped by address spoofing or the access rule.

I – Post-inbound, where the packet has gone across the incoming interface. If you don't see the capture after this, you could infer…

IEEE STANDARD 802.3AD – JunOS Configuration


The 802.3ad standard supports aggregation on full-duplex, point-to-point links to form a Link Aggregation Group (LAG), so that a Media Access Control (MAC) Client can treat the LAG as if it were a single link. The sublayer defines multiple functions, such as Link Aggregation Control (LAC) and the Link Aggregation Control Protocol (LACP). LAC manages the Link Aggregation sublayer using static information local to the LAG groups and dynamic information that is exchanged as part of LACP. Each…

SecureXL Process Details


SecureXL is a patented technology consisting of a software package with an API for the acceleration of multiple, intensive security operations. In addition to the IPS, SecureXL also accelerates operations carried out by a Check Point Stateful Inspection firewall. Through the SecureXL API, the firewall can offload the handling of those operations to a special module, the "SecureXL device," which is a performance-optimized software module. In a SecureXL-enabled gateway, the firewall first uses the SecureXL API to query the…

WebUI port change doesn’t survive a firewall policy push or reboot


Change the WebUI port from 443 to 4434 from the command line:

webui disable
webui enable 4434

Unfortunately, after a cpstop/cpstart or a reboot the 4434 port does not survive; it rolls back to 443 again.

Solution: Firewall -> Properties -> SecurePlatform -> change the main URL to http://x.x.x.x:4434, then go to the command line, make the webui changes, and push policy.

Route-based VPN between Juniper and Cisco


Another useful post for route-based VPN, from http://x443.wordpress.com/page/5/

Cisco router configuration:

crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 5
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10
crypto isakmp key 0 keyforlab123 address 2.2.2.2
crypto ipsec transform-set ESP_AES_256 esp-aes 256 esp-sha-hmac
crypto ipsec profile CIPHER-AES-256
 set transform-set ESP_AES_256

Tunnel interface configuration:

interface Tunnel18
 description tunnel_to_srx
 ip address 192.168.100.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 2.2.2.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile CIPHER-AES-256
end

Juniper SRX configuration:

interfaces {
    st0 {
        unit 0…

Policy NAT-ing with overlap message – Order is important


Existing rule:

static (dmz,outside) 200.147.90.89 172.17.1.3 netmask 255.255.255.255

A special situation came up today: when 172.17.1.3 accesses another site, 200.200.200.200, it has to be NAT-ed to a different IP address, 200.147.90.83. So what I did:

1. Add a new access-list PNAT-T:

access-list PNAT-T extended permit ip host 172.17.1.3 host 200.200.200.200

2. Add a new static (policy NAT) that references that access-list:

FW1/act/pri(config)# static (dmz,outside) 200.147.90.83 access-list PNAT-T
INFO: overlap with existing static
  Alphadmz:172.17.1.3 to outside:200.147.90.89 netmask 255.255.255.255

During testing, it is not…

Checkpoint Domain Object


I was thinking of using a Domain Object as a source in our firewall rule. After consulting Check Point support, it seems impossible if your domain object represents multiple IP addresses. From SK42128:

Symptoms: Rules containing a Domain object will only resolve to one of the associated IP addresses, causing a request for a site not to return a web page.

Cause: A Domain object resolves a domain name to the first IP address that appears when running the nslookup command.

Solution…