Friday, August 29, 2014

CPUG will be back, as we all hope

Hello, world.

I do not want to be too optimistic, but according to some sources, CPUG will be back very soon. No more details are available for now.

Monday, August 25, 2014

Setting proxy ARP for bonded interface

One of the more interesting challenges is setting proxy ARP on a firewall bond interface to support manual NAT rules.

There is a very good SK article on proxy ARP configuration that covers both physical firewalls and VSX. It has one problem: it does not apply to bond interfaces, whether the bond is of the HA or the LS type. The core issue is that you cannot use the MAC address of either NIC in the bond, because frames may at any moment leave through the other physical link.

So is it absolutely impossible to combine proxy ARP, manual NAT rules and bond interfaces?

Not exactly. Here are the steps you need to take.

1. Set up VSX rather than a physical FW. Even if you do not have VSX licenses, a physical FW license allows you to run a single Virtual System. That is all you need.
2. Instead of connecting your bond interface to the Virtual System (VS), define a Virtual Switch (the license allows that as well) and connect it to the bond.
3. Create a virtual link (warp) between the VS and the Virtual Switch.
4. Go to the CLI, check the MAC address of the warp link and use it in the local.arp file. Do not forget that each cluster member has its own warp MAC, so you have to set the ARP entries separately on each member. After installing policy, fw ctl arp on the member shows which proxy ARP entries were actually loaded, which is the quickest way to confirm the edit took effect.

Problem solved.
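As an added example that is not part of the original post, the script below automates step 4: it reads the MAC of the warp link, writes one local.arp line per NAT address, and checks the resulting file for the classic mistakes (an IP listed twice after copying entries between members, or a malformed MAC). It is meant to be run on each cluster member, since each member's warp link has its own MAC. Assumptions not stated on the page: the VS-side warp interface is named wrp<N>, its MAC is readable from /sys/class/net/<if>/address as on any Linux host, local.arp holds one "<IP> <MAC>" pair per line, and the path in the usage comment is $FWDIR/conf/local.arp (on VSX each VS has its own conf directory, so adjust the path to the VS in question).

```shell
#!/bin/sh
# Added example, not code from the original post.
# Builds local.arp entries for manually NATed addresses from the MAC of the
# warp link and sanity checks the file. Run on every cluster member.
# Assumptions: warp interface named wrp<N>; MAC readable from
# /sys/class/net/<if>/address; local.arp format "<IP> <MAC>" per line.

# Print the MAC of an interface; non-zero status if the interface is absent.
warp_mac() {
    cat "/sys/class/net/$1/address"
}

# True if the argument is a colon-separated 48-bit MAC address.
valid_mac() {
    echo "$1" | grep -Eq '^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$'
}

# Emit one "<NAT IP> <MAC>" line per address given after the MAC.
local_arp_entries() {
    mac="$1"; shift
    valid_mac "$mac" || { echo "not a MAC address: $mac" >&2; return 1; }
    for ip in "$@"; do
        printf '%s %s\n' "$ip" "$mac"
    done
}

# Check a local.arp file: no IP listed twice, every MAC well formed.
# Blank lines and lines starting with # are ignored.
check_local_arp() {
    f="$1"
    dups=$(awk 'NF && $1 !~ /^#/ { print $1 }' "$f" | sort | uniq -d)
    [ -z "$dups" ] || { echo "IP listed more than once: $dups" >&2; return 1; }
    while read -r ip mac _; do
        case "$ip" in ''|'#'*) continue ;; esac
        valid_mac "$mac" || { echo "bad MAC for $ip: $mac" >&2; return 1; }
    done < "$f"
}

# Typical use on one member (interface name and path are assumptions):
#   mac=$(warp_mac wrp1) || exit 1
#   local_arp_entries "$mac" 192.0.2.10 192.0.2.11 > "$FWDIR/conf/local.arp"
#   check_local_arp "$FWDIR/conf/local.arp"
```

Install policy afterwards and compare the output of fw ctl arp against the file; an entry that is in the file but not in the kernel list usually means the file was edited on the wrong member or in the wrong VS context.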

Friday, August 22, 2014


Uri Lewitus has commented on my previous post about CCMA/CCSM certification, and his comment is valuable enough to be quoted as a separate post. This is what he says about CCMA and CCSM:

Q: What happened to CCMA?
A: The CCMA lab is no longer available. It is being replaced by the online, multiple-choice written exam for the CCSM. The new exam, when available, will be the 156-120.77. The new CCSM should be available late September, early October.

Q: Which is the prerequisite for CCSM?
A: CCSM will have a CCSE pre-requisite.

Q: What is the cost of the CCSM exam and where do I take it?
A: CCSM exam cost has not yet been set.

Q: How do I pay for the CCSM lab?
A: Payment will be managed through Pearson VUE voucher system.

Q: Does the CCMA and/or CCSM certification supersede the CCSE certification?
A: Yes.

Q: What is required to recertify/renew CCSM?
A: CCSM renewal consists of maintaining current CCSA and CCSE certifications. Certification expiration of two years or more automatically results in expiration of the CCMA older than four years.

Friday, August 15, 2014

CCMA is no more or Should I rename this blog?

Have you seen the certification page on CP site lately? If you have not, go take a look.

The funny part is that CCMA is no longer on the list. Although the CCMA page still exists on the site, there is no link to it from the training portal anymore. Apparently the Master Architect certification is being retired. A new CCSM (Security Master?) will come instead. There is not much information about this new certification, but according to Don Paterson's post on LinkedIn, the new exam will not have a lab part.

Now I have a bunch of questions:

  1. What happens to a CCMA that is still valid for some years? Will it be converted to CCSM eventually?
  2. When will CCSM be out?
  3. Why does Check Point keep overhauling its certification process every 5 years? Are they even interested in having something as serious and respected in the field as the Cisco certification track?
  4. Should I rename my blog any time soon?

Friday, August 8, 2014

Gaia: how to cron binaries depending on shared libraries

I have recently come across an issue: scheduling custom scripts with cron may not work properly on Gaia for binaries that require shared libraries to run.

For example, the Check Point sendmail binary depends on a shared library that it can only locate through the environment (library search path and Check Point variables) that your interactive bash shell sets up. Cron does not set that environment. So if you make a simple script like this one:

/opt/CPsuite-R77/fw1/bin/sendmail -t -m /var/tmp/testmail.txt

to send an email on a particular event, it works perfectly from the bash CLI but fails when run from a cron job.

To fix it, the script has to load the shell environment explicitly. Add source /etc/bashrc (or its POSIX spelling . /etc/bashrc, which also works if cron hands the job to /bin/sh) before executing any other command:

#!/bin/bash
# cron starts jobs with an almost empty environment; load what an interactive
# shell gets (library search path and the Check Point variables) first.
source /etc/bashrc
/opt/CPsuite-R77/fw1/bin/sendmail -t -m /var/tmp/testmail.txt
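Going one step further than the post, here is an added example (not code from the original post) of a generic cron wrapper: it loads the environment file, then runs ldd against the target binary and refuses to start it if any shared library is unresolved, so the failure lands in the log with the library name instead of a silent non-delivery. Assumptions: /etc/bashrc is the file that sets up the Check Point environment, as the post states; the CP_ENV_FILE variable that overrides it, the script path and the log path in the crontab comment are hypothetical; ldd is present as on any Linux host.

```shell
#!/bin/bash
# Added example, not code from the original post.
# Cron wrapper: load the interactive shell's environment, verify that the
# binary's shared libraries resolve, then run it.
# Assumptions: /etc/bashrc sets up the Check Point environment (per the post);
# CP_ENV_FILE is a hypothetical override used for testing; ldd is available.

# Filter ldd output (on stdin) down to the libraries it could not resolve.
unresolved_from_ldd() {
    awk '/not found/ { print $1 }'
}

# Report the unresolved shared libraries of a binary, one per line.
missing_libs() {
    ldd "$1" 2>/dev/null | unresolved_from_ldd
}

# Usage: run_with_env <command> [args...]
# Loads the environment, checks library resolution, then runs the command.
run_with_env() {
    envfile="${CP_ENV_FILE:-/etc/bashrc}"
    # "." rather than "source": cron may hand the job to /bin/sh, which has
    # no "source" builtin.
    if [ -r "$envfile" ]; then
        . "$envfile"
    fi
    bin=$(command -v "$1") || { echo "$(date '+%F %T') $1: not found" >&2; return 127; }
    missing=$(missing_libs "$bin")
    if [ -n "$missing" ]; then
        echo "$(date '+%F %T') $bin: unresolved libraries: $missing" >&2
        return 127
    fi
    "$@"
}

# crontab line (script and log paths are assumptions):
#   */5 * * * * /home/admin/cpcron.sh /opt/CPsuite-R77/fw1/bin/sendmail -t -m /var/tmp/testmail.txt >> /var/log/cpcron.log 2>&1
if [ "$#" -gt 0 ]; then
    run_with_env "$@"
fi
```

The ldd check is also a quick way to diagnose the original problem by hand: run ldd on the binary once from an interactive shell and once with env -i to mimic cron, and the library that shows up as "not found" in the second run is the one the environment was providing.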

By the way, Check Point's own sendmail is painful to use: it only works with a message file and not as a plain CLI command, even with 100% correct syntax. But that is a subject for another post.

Wednesday, August 6, 2014

CPUG - message from Barry

Barry J. Stiefel reached out to me last night. He asked me to share his side of the story with you all. Here is what he has to say to us:

"I am unable to re-open the discussion board while I am still the owner. Negotiations over a possible sale continue... it is a forced decision.

Some background: I was recruited into a full-time career position with a major Check Point competitor and they are requiring that I divest myself from CPUG. I have already started the job and they want it all done now. That’s what’s forcing all this."

I have nothing to add.

Reminder: sign petition to save CPUG here, please

Monday, August 4, 2014

Petition to save CPUG

Hello all.

If you care about CPUG future and existence, please sign this petition:

Thank you.

Update. If you cannot open the document for editing, just leave a comment here below, I will add your details to the petition as soon as I can. Sorry for this inconvenience. 

Can we save CPUG?

Wow, I never thought I would write something like that. But it is happening, now.

As you probably know already, CPUG is down. Barry Stiefel shut down the site last week. I do not want to discuss why he did that, it's pointless. It is done.

The forum that was arguably the best independent technical board around Check Point is offline. A resource with (quoting Barry's sales pitch message) "80,526 immediately useful technical posts.., 18,664 unique discussion threads, 26,208 currently active members..." has vanished out of existence.

We have all known Barry for years, and I believe most of us appreciate his efforts in running that board and promoting it. We are also grateful to Dameon Welch-Abernathy, whose phoneboy knowledge base was the foundation for CPUG.

Barry has a right to get paid for his effort. But what about these 26,208 active members? What about the people contributing to this site? What about Dameon? He never asked for a dime from Barry when handing over the data.

There is a twist here. Someone who owns a public free resource wants to shut it down. He does it without warning, without any attempt to reach out to the community of his users and discuss his case. He just shuts it down and waits to collect offers.

Offers for what? Public knowledge base he "owns"? Engine? Trademarks?

After years of using, nurturing and developing this site, what can we do as a community? Wait until a new sugar daddy comes around and buys it off Barry?

Is all this even real? I am trying to shake the feeling that this is just a practical joke of some kind.

Can we do something? Can we start collecting donations to buy off the site or at least its content? Or should we look for a sponsor? Seriously, what can we do?

UPDATE. If you care about CPUG future and existence, please sign this petition.