Press "Enter" to skip to content

ASA 8.02 in Vmware Workstation


Here are all related posts in this blog: ASA 8.02 in Vmware Workstation ASA 8.42 in VMware Workstation ASA 9.21 in Vmware Workstation 10 Cisco ASAv 9.4.1 and ASDM 7.4.1 in Workstation / ESXi (1) Cisco ASAv 9.4.1 and ASDM 7.4.1 in Workstation / ESXi (2) Cisco ASAv 9.5.1 200 and ASDM 7.5.1 in Workstation / ESXi  1. Found a…

Problem when two Checkpoint Clusters Connected on same Cisco Switch


Got mac address flapping messages on Cisco Switch log.  Dec 22 17:27:16: %SW_MATM-4-MACFLAP_NOTIF: Host 0000.0000.fe01 in vlan 20 is flapping between port Gi0/12 and port Gi0/11 Dec 22 17:27:16: %SW_MATM-4-MACFLAP_NOTIF: Host 0000.0000.fe00 in vlan 20 is flapping between port Gi0/15 and port Gi0/16 Dec 22 17:27:31: %SW_MATM-4-MACFLAP_NOTIF: Host 0000.0000.fe01 in vlan 20 is flapping between port Gi0/12 and port Gi0/11…

Cisco Pre-defined Access-list Port Number


Working on move PIX/ASA migration to Juniper SRX. Some of ports name convention Cisco is using which is different from JunOS. I found following list to map port number to cisco name convention from a Cisco 2901Router runing “Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), Version 15.0(1)M4,” Router(config)#access-list 101 permit tcp any any  eq ?   <0-65535>    Port number   bgp  …

Checkpoint R75 new feature violated PCI rules


My company recently upgraded our firewall UTM from R71 to R75. It was neat and no worries upgrade until today our External Security company sent us a report our public Internet ip scanning report failed on PCI compliance. Report shows there is self-sign checkpoint certification on our Internet facing firewall. Yes, it is right. All checkpoint firewall has a Certification…

Tcpdump or Fw Monitor, which is better ?


FW MONITOR————It is said that it captures at 4 important points in the firewall namely i,I,o & O. You would see them in the capture in the same sequence.i – Preinbound, just where the packet is received on the interface. If you see only this then the packet is dropped by address spoofing or the access rule.I – Postinbound, where…

IEEE STANDARD 802.3AD – JunOS Configuration


The  802.3ad standard supports aggregation on full duplex, point to point  links,  to form a Link Aggregation Group (LAG), so that a Media Access Control (MAC) Client can treat the LAG as if it was a single link.  The sublayer defines multiple functions like Link Aggregation Control (LAC), Link Aggregation Control Protocol (LACP). LAC manages the Link Aggregation sub layer…

SecureXL Process Details


SecureXL is a patented technology consisting of a software package with an API for the acceleration for multiple, intensive security operations. In addition to the IPS, SecureXL also accelerates operations carried out by a Stateful Inspection firewall from Check Point. Through the SecureXL API, this firewall can offload the handling of those operations to a special module, the “SecureXL device,”…

WebUI port change doesn’t survive a firewall policy push or reboot


Change WebUI port to 4434 from Command line: webui disable webui enable 4434 Unfortunately after a cpstop/cpstart or reboot, the 4434 port will not survive. It rolled back to 443 again.  Solution: Firewall ->Properties -> SecurePlatform -> change main url to :http://x.x.x.x:4434 goto command line do webui changes push policy. 

Route-based VPN between Juniper and Cisco


Another useful post for route-based vpn from  Cisco router configuration: crypto isakmp policy 1 encr aes 256 authentication pre-share group 5crypto isakmp invalid-spi-recoverycrypto isakmp keepalive 10crypto isakmp key 0 keyforlab123 address ipsec transform-set ESP_AES_256 esp-aes 256 esp-sha-hmaccrypto ipsec profile CIPHER-AES-256 set transform-set ESP_AES_256 Tunnel interface configuration: interface Tunnel18 description tunnel_to_srx ip address tunnel source GigabitEthernet0/0 tunnel…