Starting CCSE Training on Monday. TOPICS Management Upgrade and Migration Management High Availability Security Gateway Upgrades Advanced Check Point Maintenance Security Gateway Operations Policy Installation Gaia and Management APIs Acceleration Site-to-Site VPN Remote Access VPN Mobile Access VPN Clustering Advanced Logs and Monitoring Links https://www.checkpoint.com/downloads/training/CCSE_Overview_Flyer.pdf
BGP – Asymmetric Routing Fortigate or when it is the policy
Change the Setup to have two dedicated links from the fortigate to the Edgerouter. Internal6 and 7 on the Fortigate and eth4 on the edgerouters. Note to myself Policy blocked the traffic. Needed to change the source interfaces to include i6 and i7. config firewall policy edit 1 set srcintf internal1.997 next end Links https://community.fortinet.com/t5/FortiGate/Technical-Note-Reverse-Path-Forwarding-RPF-implementation-and/ta-p/194382
BGP – Do not advertise a network
Remove routes from Advertisement on a Forigate firewall Not to myself: 10.255.32.0/20 was wired on C1, local pref was missing. so it might make sens to add this to all incoming routes 'set local-preference 100', incoming there is no issue. show router route-map show router route-map config router route-map edit "EBGP-OUT-R2" config rule edit 1 …
BGP – MultiHoming
Cisco cisco01config show ip bgp summaryshow ip routeshow ip bgpcisco02config show ip bgp summaryshow ip routeEdgeRouter-Xedge01configshow ip routeedge02configshow ip routeFortiGateconfigget router info routing-table detailsTestsChanging the AS Numbersshow ip routeshow ip bgpOptimizing route mapscisco1show ip bgp neighbors 10.255.80.29 received-routesshow ip bgpshow ip routecisco2show ip bgp neighbors 10.255.80.28 received-routesshow ip routeBGP Prevent becoming an Transit ASNo-Export CommunityLinks …
Check Point – CCSA
So this one is done. https://www.credly.com/badges/5f6ac312-1694-404e-a46d-841b8191fe20/public_url
Fortinet – Named Static Routes
Fortinet Firewalls support the use of address objects in static routes. This includes individual address objects, address groups and FQDN address objects. This feature is particularly useful if you have numerous VPN connections or if you reach the maximum number of configurable static routes on the gateway. For example, lower-end models like the 60E support …
Check Point – VSX Upgrade
Note to my self. Since i am not dealing with VSX Systems that often, please be reminded. When dealing with VSX Gateways/Clusters to finalize the upgrade the SMS needs to Upgrade the VSX Objects in the SMS Database. [Expert@CheckPointSMS:0]# vsx_util upgrade ****************************************************************************************** * Note: the operation you are about to perform changes the information in …
Check Point – Security Gateway internal statistics
fw ctl pstat Links fw ctl pstat (checkpoint.com)
Check Point – Policy Layers
Fortinet Lookup Policies
Some times you need to know which firewall policy will allow traffic and does it have be used. I had allready posted Fortigate – Policy lookup a while ago. diagnose firewall iprope lookup <src ip> <src port> <dst ip> <dst port> <protocol> <device> <src_ip> Source IP address. <src_port> Source port. <dst_ip> Destination IP address. <dst_port> Destination …
Fortinet – Fragmentation – DF – IPSec
System SettingsFragmentation Check Interface MTULinks System Settings config global config system global set honor-df enable end end Fragmentation The default ip-fragmentation setting is post-encapsulation as that is RFC compliant. config vpn ipsec phase1-interface edit <name> set ip-fragmentation post-encapsulation next end Check Interface MTU To check the MTU size of an interface, use 'diag netlink interface …
Patrick Marc's Networks 