Wednesday, September 10, 2014

R77.20 gateway forward compatibility, SIC!

Something revolutionary is happening with Check Point releases lately. For example, it was never supported to have a Firewall software version higher than the Management server's.

Now it is no longer an issue. Quoting from R77.20 release notes:



Thursday, September 4, 2014

CPUG is back to life

Great news for the community: CPUG is back to life. Follow the link if you are interested in the details.

Thanks to Netanium and Eric Anderson for their efforts.


Friday, August 29, 2014

CPUG will be back, as we all hope

Hello, world.

I do not want to be too optimistic, but according to some sources, CPUG will be back very soon. No more details are available for now.

Monday, August 25, 2014

Setting proxy ARP for bonded interface

One of the interesting challenges is setting proxy ARP on a FW bond interface to facilitate manual NAT rules.

There is a very good SK article about proxy ARP configuration that covers both physical firewalls and VSX. There is only one problem with it: it is not applicable to bond interfaces, whether the bond type is HA or LS. The main issue is that one cannot use the MAC address of either NIC in the bond, as frames may sometimes go through the other physical link.

So is it absolutely impossible to use a combination of proxy ARP, manual NAT rules and bond interfaces?

Not exactly. Here are several steps that you need to do.

1. Set up VSX and not a physical FW. Even if you do not have VSX licenses, a physical FW license will allow you to run a single Virtual System. That is all you need.
2. Instead of connecting your bond interface to the Virtual System (VS), define a Virtual Switch (the license will also allow that) and connect it to the bond.
3. Create a virtual link (warp) between the VS and the Virtual Switch.
4. Go to the CLI, check the MAC address of the warp link and use it in the local.arp file. Do not forget, you have to set unique ARP entries for each cluster member.

Problem solved.
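As an added example (not part of the original post), here is a small script that performs step 4 on one cluster member: it reads the MAC of the warp interface from sysfs, refuses to proceed if the interface is actually a bond slave (the trap the post warns about), and appends a validated "<IP> <MAC>" line to local.arp. The warp interface name, the NATed IP, the local.arp location under $FWDIR/conf and the "<IP> <MAC>" line format are assumptions; run it once per cluster member so each member gets its own entry.

```shell
#!/bin/bash
# Added example, not Check Point's own tooling. Assumed: the warp interface
# name is passed as $1, the NATed IP as $2, and proxy ARP entries live in
# $FWDIR/conf/local.arp as "<IP> <MAC>" lines.

# Read the MAC of an interface from sysfs (Gaia is Linux-based).
iface_mac() {
    cat "/sys/class/net/$1/address" 2>/dev/null
}

# A bond slave's MAC must not be used for proxy ARP on a bond, because
# frames may leave through the other physical link.
is_bond_slave() {
    [ -e "/sys/class/net/$1/master" ] || [ -e "/sys/class/net/$1/bonding_slave" ]
}

# Validate and format one local.arp entry: "<IPv4> <MAC>".
make_arp_entry() {
    ip="$1"; mac="$2"
    echo "$ip"  | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    echo "$mac" | grep -Eq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$' || return 1
    printf '%s %s\n' "$ip" "$mac"
}

main() {
    warp_if="${1:?warp interface name}"   # assumed: name shown by the CLI
    nat_ip="${2:?NATed IP address}"
    arp_file="${FWDIR:-/opt/CPsuite-R77/fw1}/conf/local.arp"   # assumed path

    if is_bond_slave "$warp_if"; then
        echo "refusing: $warp_if is a bond slave, its MAC is not stable for proxy ARP" >&2
        return 1
    fi
    mac="$(iface_mac "$warp_if")" || { echo "no MAC for $warp_if" >&2; return 1; }
    entry="$(make_arp_entry "$nat_ip" "$mac")" || { echo "bad IP or MAC" >&2; return 1; }
    # Append only if the IP is not already present, so reruns are harmless.
    grep -q "^$nat_ip " "$arp_file" 2>/dev/null || echo "$entry" >> "$arp_file"
    echo "$entry"
}

# Run only when invoked with arguments, so the functions can also be sourced.
if [ $# -ge 2 ]; then
    main "$@"
fi
```

Usage on a member: `./warp_arp.sh <warp-interface> <nat-ip>`; then check the result with `fw ctl arp` after the policy is installed.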


Friday, August 22, 2014

CCSM Q&A

Uri Lewitus has commented on my previous post about CCMA/CCSM certification, and his comment is valuable enough to be quoted as a separate post. This is what he says about CCMA and CCSM:

Q: What happened to CCMA?
A: The CCMA lab is no longer available. It is being replaced by the online, multiple-choice written exam for the CCSM. The new exam, when available will be the 156-120.77. The new CCSM should be available Late September, Early October.

Q: Which is the prerequisite for CCSM?
A: CCSM will have a CCSE pre-requisite.

Q: What is the cost of the CCSM exam and where do I take it?
A: CCSM exam cost has not yet been set.

Q: How do I pay for the CCSM lab?
A: Payment will be managed through Pearson VUE voucher system.

Q: Does the CCMA and/or CCSM certification supersede the CCSE certification?
A: Yes.

Q: What is required to recertify/renew CCSM?
A: CCSM renewal consists of maintaining current CCSA and CCSE certifications. Certification expiration of two years or more automatically results in expiration of the CCMA older than four years.



Friday, August 15, 2014

CCMA is no more or Should I rename this blog?

Have you seen the certification page on CP site lately? If you have not, go take a look.

The funniest part is that CCMA is no longer on the list. Although the CCMA page still exists on the site, there is no link to it from the training portal anymore. Apparently the Master Architect certification is to retire, and a new CCSM (Security Master?) will come instead. There is not much information about this new certification, but according to Don Paterson's post on LinkedIn, this new exam will not have a lab part.

Now I have a bunch of questions:

  1. What happens to a CCMA that is still valid for some years? Will it be converted to CCSM eventually?
  2. When will CCSM be out?
  3. Why does Check Point keep overhauling the certification process every 5 years? Are they even interested in having something as serious and respected in the field as the Cisco certification route?
  4. Should I rename my blog any time soon?




Friday, August 8, 2014

Gaia: how to cron binaries depending on shared libraries

I have recently come across an issue: scheduling custom scripts with cron may not work properly on Gaia for binaries that require shared libraries to run.

For example, sendmail uses libProdUtils.so and requires access to this library when scripted. The path is defined for your bash shell, but not for cron. So if you make a simple script like this one:


#!/bin/bash
/opt/CPsuite-R77/fw1/bin/sendmail -t 1.1.1.1 -m /var/tmp/testmail.txt

to send an email on a particular event, it works perfectly from the bash CLI but fails when running through a cron job.

To fix it, you need the script to load the shell environment explicitly. To do it, add source /etc/bashrc before executing any other command:

#!/bin/bash
# cron starts with a minimal environment; pull in the variables the interactive shell gets
source /etc/bashrc
/opt/CPsuite-R77/fw1/bin/sendmail -t 1.1.1.1 -m /var/tmp/testmail.txt
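As an added example that is not from the original post, the wrapper below does the same thing but makes the failure mode visible: after sourcing /etc/bashrc it runs ldd on the binary, parses out any library reported as "not found", and logs that instead of letting cron swallow the error. The binary path and log file are assumed, as is the post's premise that /etc/bashrc sets the needed variables; the ldd sample used for the self-check is constructed.

```shell
#!/bin/bash
# Added example, not Check Point's own code. Assumed: BIN is the binary to
# schedule, LOG is where output goes, and /etc/bashrc exports the variables
# (PATH, LD_LIBRARY_PATH, ...) that the interactive shell relies on.

BIN="${BIN:-/opt/CPsuite-R77/fw1/bin/sendmail}"
LOG="${LOG:-/var/log/cron-sendmail.log}"

# Read ldd-style output on stdin and print the names of libraries that did
# not resolve, i.e. lines of the form "libfoo.so => not found".
missing_libs() {
    awk '/=> *not found/ { print $1 }'
}

# Return 0 if every shared library of $1 resolves under the current
# environment, 1 otherwise; the missing names are written to stderr.
check_libs() {
    missing="$(ldd "$1" 2>/dev/null | missing_libs)"
    [ -z "$missing" ] && return 0
    printf 'unresolved shared libraries for %s:\n%s\n' "$1" "$missing" >&2
    return 1
}

run_from_cron() {
    # cron gives a minimal environment; load what the interactive shell has.
    [ -r /etc/bashrc ] && . /etc/bashrc
    if ! check_libs "$BIN" 2>>"$LOG"; then
        echo "$(date) aborting, LD_LIBRARY_PATH=${LD_LIBRARY_PATH:-unset}" >>"$LOG"
        return 1
    fi
    "$BIN" "$@" >>"$LOG" 2>&1
}

# Constructed ldd output, used only to show what missing_libs extracts.
SAMPLE_LDD='        linux-vdso.so.1 =>  (0x00007fff0000)
        libProdUtils.so => not found
        libc.so.6 => /lib64/libc.so.6 (0x00007f000000)'

demo_missing_libs() {
    printf '%s\n' "$SAMPLE_LDD" | missing_libs
}

# Run the wrapper only when arguments are given, so it can also be sourced.
if [ $# -gt 0 ]; then
    run_from_cron "$@"
fi
```

Schedule the wrapper itself from cron (for sendmail: `wrapper.sh -t 1.1.1.1 -m /var/tmp/testmail.txt`); when a job fails, the log names the exact library that did not resolve, which is a much faster diagnosis than an empty mailbox.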

By the way, Check Point's own sendmail sucks big time and can only run with a message file, not as just a CLI command, even with 100% correct syntax. But this is something for another post.