Always Networks Blog - Check Point

Check Point Deployment Tool (CDT)

Sun 24 March 2019

Update

We have been working with one of our clients doing Check Point upgrades - applying jumbo hotfix accumulators (JHA) and also upgrading from R7x to R80.

Check Point Deployment Tool (CDT) is a fantastic tool for making this process quick, easy and painless.

What is it?

Central Deployment Tool (CDT) is a utility that runs on Security Management Servers and Multi-Domain Security Management Servers running Gaia …

Read whole post...

Check Point Certified System Administrator (CCSA) Study Notes - R77

Fri 22 January 2016

I'm now a Check Point Certified System Administrator (CCSA)! I took the R77 exam and passed. I have to say I was a little disappointed with the exam - there were 100 questions in 90 minutes, but I found a lot of the questions were repeated - albeit with a slightly different phrasing.

Below are the notes I made while I was studying. Definitely lab it (download …

Read whole post...

Checkpoint GAiA BGP Network Origination

Fri 30 January 2015

I was recently involved in a project upgrading the core firewall pair from Checkpoint R71.40 SPLAT to R77.20 GAiA. While very different, a lot of the configuration is pretty straight forward, and well documented in various articles on the Checkpoint website.

This setup runs BGP on the firewalls, to learn routes from our internal VRF's and also the WAN VRF where our MPLS …

Read whole post...

Upgrading Checkpoint Management Server from R71.40 to R77.20

Sun 11 January 2015

We have just undertaken a project to upgrade the Checkpoint Management server from R71.40 to R77.20. It went very smoothly, and was probably a lot easier than I first expected.

The first thing to note is that this upgrade cannot be done direct. In accordance with the upgrade path, you must first upgrade to R75.40.

Luckily for us, we had shiny new …

Read whole post...

Checkpoint VPN Error: According to the policy the packet should not have been decrypted

Magnifying Glass

I encountered an issue recently while trying to allow access to a new subnet over an existing VPN. The far end device was a Cisco router, and had an access list matching an entire class A subnet which was applied to the crypto map. The traffic destined for the new subnet was arriving at our firewall, and showing in the logs as dropped, with the …

Read whole post...