Author Archives: the worlds gone mad
The directories that need to be emptied to delete all the logs on the Checkpoint managers.
A recent project I was working on involved the need to join a new office to our existing Data Centres and OSPF core using a Gig circuit over the Internet. To flesh out this idea and test its viability I thought I would try and solve an ESX capacity problem I have at home by moving vCentre into the cloud.
The VM hardware version designates the virtual hardware functions supported by a virtual machine, which relates to the hardware on the host server. A VMware product will not be able to power on a VM with a hardware version higher than what it supports.
All Checkpoint portals are configured under the Gateway properties.
The IP address of the portal must be that of an IP of an interface on the checkpoint (loopback or physical).
You can either use a different IP for each portal or the same IP for all portals. All portals sharing the same IP address use the same certificate.
Due to a close scare in my lab I decided to switch the datastore from a single onboard HDD to iSCSI. I use a WD MyCloud EX2 Ultra, but there are a lot of more advanced NAS units out there with a whole host of extra features. The WD is rather basic but is sufficient for my needs of partitioning it into a backup drive and an iSCSI drive. Since moving onto this I haven’t noticed any real performance degradation in my lab; it runs over a 1 Gig port.
Useful commands for managing VMs and vSwitches from the ESX console. If a command has been executed successfully there will be no output returned to the screen (no output = success!!!).
Intel NUCs only come with one built-in NIC, so when using them as ESX hosts it is useful to add additional USB Ethernet adaptors. Before these will be recognised by the ESX OS the drivers need to be installed using a VIB file.
The Checkpoint database holds the network objects whereas the policy is how those objects are used.
A Cisco vSwitch that can be used instead of the default VMware DvS to have an environment similar to that of Cisco physical NX-OS switches. The control and packet communication can be carried either over VLANs in Layer 2 mode or over IP addresses in Layer 3 mode. The default and Cisco-recommended solution is L3 mode.
Local and Distributed vSwitches serve the same purpose as physical switches, allowing VM vNICs to be assigned to specific VLANs. In a production environment it is usual to define a local vSwitch on each ESX host for management and backdoor access, and to have distributed vSwitches shared between hosts for VMs.
Checkpoint Firewalls are not zone-based firewalls, so they have a different type of policy compared to ASA and Juniper. A typical build consists of Security Gateways managed by a centralised Management Server using the Checkpoint Smart Dashboard software. Firewall policies are created and managed on the management server and pushed to the security gateways.
Ever thought about how ACS gets an end user's IP, or how, when showing an interface's authentication sessions, it has the IP of the attached host? This all stems from IP Device Tracking. I only recently came across it when troubleshooting an issue we had with Windows machines not getting a DHCP address due to collision detection involving the 0.0.0.0 address. Although there are lots of posts about people having a similar issue and the workarounds, I couldn’t find much information on the exact reason why this happened. This post is designed to give more reasoning on why this happens.