Category Archives: Security

Unable to remove Check Point evaluation license

I had an issue with a firewall that showed three blades, TP-blades, licensed as “evaluation” and, furthermore, the license was expired. The firewall itself showed the licenses to be alright, as shown in the picture below: Various things were tried in order to solve the issue, but none of them made any difference. cplic eval_disable […]

How to search and look up in the FortiGate Internet Service Database (ISDB)

Just a quick note, for later reference, on how to look up and search in the FortiGate Internet Service Database (ISDB). Search for a service:
FortiGate80D # get system status | grep Version
Version: FortiGate-80D v6.2.2,build1010,191008 (GA)
FortiGate80D # diagnose internet-service id | grep -i microsoft
ID: 327681 name: "Microsoft-Web"
ID: 327682 name: "Microsoft-ICMP"
ID: 327683 name: […]

How to check external CA store on FortiGate

Didn’t find a lot of information on how to view the Fortinet-approved CA store, so I thought I’d make a post about it. This is the command to check the store (details can be omitted). Note there is a difference between a unit running VDOM
– With VDOM: get certificate ca details
– Without VDOM: get vpn […]

Windows Update fails when Check Point HTTPS inspection is enabled

In a freshly installed Windows Server 2016 environment, there was feedback that Windows Update failed when HTTPS inspection was enabled, even though “Bypass HTTPS inspection of traffic to well known software update services” was ticked off. The servers were stuck with this error message: Some update files aren’t signed correctly. Error code: (0x800b0109) In the tracker I could […]

Passive Virtual System on Check Point VSX ARPs using physical interface IP address instead of Cluster IP

I came across some important information, although I did not find any useful information (at first), so hopefully this post will help speed up someone else’s troubleshooting. Problem statement: Passive VS on VSX ARPs for default GW using physical interface IP instead of cluster IP, and no traffic flows from the passive Virtual System. If ARP […]

Check Point VSX DHCP relaying

In order to enable DHCP relaying for interfaces belonging to Virtual Systems on a VSX cluster, you have to set the context to the specific virtual system the interface belongs to. List all Virtual Systems on the VSX cluster:
show virtual-system all

Nested group object not present on FortiGate when configured through FortiManager

I encountered a problem with a firewall blocking traffic even though it was supposed to let the traffic through. This particular policy used nested object grouping (Main group > Sub-group > NetworkAdr-member). The odd thing was that it seemed to affect only one VDOM. What was happening: The traffic did not match the configured policy and was […]

Upgrading a quad-sup 6807 VSS cluster with minimal network interruptions

Scope and disclaimer
This blog post is primarily to explain and show the process of upgrading a quad-sup 6807 VSS cluster using the In-Service Software Upgrade (ISSU) feature, also known as Enhanced Fast Software Upgrade (eFSU) in VSS terminology. The entire process is very painless as long as the cabling is done right.
Requirements
Dual homed […]