
Command to check the hotfix version installed in Gaia

Hi, can someone please explain to me the difference between "cpinfo -y all" and "show installer packages installed"? Thanks in advance 🙂 Srinu K

Machine stuck on boot due to incorrect time and date in BIOS

Machine stuck on boot due to incorrect time and date in BIOS. Can anyone help me?

Massive users update passwords fwm dbimport

Hello, in CP R77.30 I have to massively update VPN users (without LDAP). I saw "fwm dbimport", but the manual (https://sc1.checkpoint.com/documents/R77/CP_R77_CLI_ReferenceGuide_WebAdmin/html_frameset.htm?topic=documents/R77/CP_R77_CLI_ReferenceGuide_WebAdmin/12590) says that the password should be encrypted with the C language encrypt function! But I can't find what this "C language encrypt function" is. Does anyone have an idea? Thanks
HeikoAnkenbrand inside Enterprise Appliances and Gaia OS Thursday

R80.x Ports Used for Communication by Various Check Point Modules

Introduction
This drawing should give you an overview of the ports and communication flows used by R80 and R77. It should give you an overview of how different Check Point modules communicate with each other. Furthermore, services that are used for firewall operation are also considered. These firewall services are also partially mapped as implied rules in the rule set on the firewall.

Overview
Chapter

More interesting articles:
- R80.x Architecture and Performance Tuning - Link Collection
- Article list (Heiko Ankenbrand)

References
Support Center: Ports used by Check Point software

Versions
+ v1.5a typos corrected 18.09.2019
old version 1.4:
+ v1.4a bug fix, update port 1701 udp L2TP 09.04.2018
+ v1.4b bug fix 15.04.2018
+ v1.4c CPUSE update 17.04.2018
+ v1.4d legend fixed 17.04.2018
+ v1.4e add SmartLog and SmartView on port 443 20.04.2018
+ v1.4f bug fix 21.05.2018
+ v1.4g bug fix 25.05.2018
+ v1.4h add Backup ports 21, 22, 69 UDP and ClusterXL full sync port 256 30.05.2018
+ v1.4i add port 259 udp VPN link probing 12.06.2018
+ v1.4j bug fix 17.06.2018
+ v1.4k add OSPF/BGP route Sync 25.06.2018
+ v1.4l bug fix routed 29.06.2018
+ v1.4m bug fix tcp/udp ports 03.07.2018
+ v1.4n add port 256 13.07.2018
+ v1.4o bug fix / add TE ports 27.11.2018
+ v1.4p bug fix routed port 2010 23.01.2019
+ v1.4q change to new forum format 16.03.2019
old version 1.3:
+ v1.3a new design (blue, gray), bug fix, add netflow, new names 27.03.2018
+ v1.3b add routing ports, bug fix design 28.03.2018
+ v1.3c bug fix, rename ports (old) 29.03.2018
+ v1.3d bug fix 30.03.2018
+ v1.3e fix issue L2TP UDP port 1701
old version 1.1:
+ v1.1a - added r80.xx ports 16.03.2018
+ v1.1b - bug in drawing fixed 17.03.2018
+ v1.1c - add RSA, TACACS, Radius 19.03.2018
+ v1.1d - add 900, 259 Client-auth - deleted old 4.0 ports 20.03.2018
+ v1.1e - add OPSEC - delete R55 ports 21.03.2018
+ v1.1f - bug fix 22.03.2018
+ v1.1g - bug fix - add mail smtp - add dhcp - add snmp 25.03.2018

Copyright by Heiko Ankenbrand 1994-2019
Kul inside Enterprise Appliances and Gaia OS Wednesday

Unable to boot from USB

Hello everyone, I am unable to install R77.30 on a 4200 device. I even changed the USB drive and it still failed. It leads to the same page and I see no option for USB. I tried on another 4200 device and it works fine.

Message seen on /var/log/messages - "simi_reorder_enqueue_packet"

Hi there guys, I'm seeing this message "simi_reorder_enqueue_packet" in /var/log/messages. Is this an indication of traffic congestion? My network is momentarily encountering intermittent application connectivity issues, especially on VoIP. As usual, no drops are seen in Tracker or zdebug. Hope someone has encountered this.

How to Create Multiple Admin Accounts

Hi, how can I create multiple admin accounts with Gaia clish? To create one account, I can write these commands in clish:

add user [User] uid [number] homedir /home/user
set user [User] password
save config

and so on... For our installation I don't want to set up all admin users manually on our Check Point appliances. We use Gaia R80.10. What can I do? API? User file? Thanks for help.
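One way to do this without typing each account by hand, as an added example that is not part of the post above and not Check Point's own tooling: generate a clish batch file from a simple "name:uid:password-hash" list and run it with "clish -f FILE" in expert mode. The script assumes the Gaia clish commands "set user NAME password-hash HASH" (so that only hashes, never clear-text passwords, end up in the file) and "add rba user NAME roles adminRole" to grant the admin role; the uid range check and the sample users and hashes are constructed placeholders, not values taken from the page.

```shell
#!/bin/bash
# Added example: build a Gaia clish batch that creates several admin accounts
# from "name:uid:password-hash" lines read on stdin. Run the output with
# "clish -f admins.clish" (assumed batch invocation) in expert mode.
# Assumed clish syntax, check against your Gaia version:
#   set user NAME password-hash HASH
#   add rba user NAME roles adminRole

gen_admin_batch() {
  local name uid hash
  while IFS=: read -r name uid hash; do
    [ -z "$name" ] && continue                 # skip blank lines
    case $name in \#*) continue ;; esac        # skip comment lines
    case $uid in ''|*[!0-9]*)
      echo "gen_admin_batch: bad uid '$uid' for $name" >&2; return 1 ;;
    esac
    # Assumed local policy: stay above the range used by built-in accounts.
    [ "$uid" -ge 1000 ] || { echo "gen_admin_batch: uid $uid too low for $name" >&2; return 1; }
    [ -n "$hash" ] || { echo "gen_admin_batch: no password hash for $name" >&2; return 1; }
    printf 'add user %s uid %s homedir /home/%s\n' "$name" "$uid" "$name"
    printf 'set user %s password-hash %s\n' "$name" "$hash"
    printf 'add rba user %s roles adminRole\n' "$name"
  done
  printf 'save config\n'
}

# Constructed sample input; the hashes are placeholders, not real credentials.
# Real hashes can be produced off-box, e.g. with "openssl passwd -6".
sample_users() {
  cat <<'EOF'
# name:uid:password-hash
alice:1001:$6$saltsalt$placeholderhash1
bob:1002:$6$saltsalt$placeholderhash2
EOF
}

# Stand-alone run: print the batch; redirect it to a file and feed that to clish -f.
sample_users | gen_admin_batch
```

The validation step matters more than it looks: a clish batch stops at the first syntax error, so rejecting a malformed uid or an empty hash before generating the file avoids half-created accounts on the appliance.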

GRE Tunnel

Hi Experts, I believe a GRE tunnel cannot be terminated on Check Point firewalls (please confirm if it is supported in any way, in any hardware or software version or model). Also, this GRE is proprietary to another vendor; is that the reason CP does not support it, or are there other technical reasons? Please let me know, any information is highly appreciated. Thanks in advance. Vijay

Why are CCP packets in VSX sent to the network address of the internal network subnet?

I'm trying to figure out a strange case where we are able to catch traffic towards the VSX internal subnet in a different part of the network. I have a VSX VSLS cluster. Multiple virtual systems are connected to the same virtual switch, which is connected to a normal network terminated by a router. The router has a default route out, and here we can see the bottleneck. I can see the following traffic, 0.0.0.0 -> 192.168.196.96 (UDP) 8116, going out of my network via that router. I started to search why. According to the ClusterXL Advanced Technical Reference Guide, the source IP 0.0.0.0 is fine for CCP traffic because it does not care about it. However, I am confused by the destination. I use the internal VSX cluster network 192.168.196.0/22, which is the default setup. If I check the interface configurations in clish, I can see that it was divided into /28 networks for the interfaces and some internal IPs were assigned there (multiple times for the same interfaces, but it is correct according to sk110345 - Identical IP addresses from VSX "Internal Communication Network" are assigned to interfaces that belong to different Virtual Systems). So I expected to see CCP communication on broadcast or particular addresses, but I see it towards 192.168.196.96, which is a /28 subnet IP and not assigned to a particular interface. FWHA_MY_STATE messages are sent there, for example. Funny thing is that there is a stealth rule in the policy blocking this traffic. I found the same results on all my VSX clusters on R77.30 and on one running R77.10. Therefore, it seems to be a regular thing. All clusters are fully synchronized and fine. Do you know why it communicates this way? I was not able to find it anywhere. You can see the fw monitor result from one of the clusters in the attachment. P.S. - I'll ask support as well, of course.

OSPF route TAG

Hi, I'm trying to filter some OSPF tagged routes using route-maps. It seems like it filters all the OSPF external routes rather than the specific tagged ones. Has anyone encountered the same, or can advise?

Version: R77.30

Commands:
set routemap ospf-import id 10 on
set routemap ospf-import id 10 restrict
set routemap ospf-import id 10 match tag 778 on
set routemap ospf-import id 20 on
set routemap ospf-import id 20 allow
set ospf import-routemap ospf-import preference 1 on

Before:
FW1> show route ospf
Codes: C - Connected, S - Static, R - RIP, B - BGP (D - Default),
       O - OSPF IntraArea (IA - InterArea, E - External, N - NSSA)
       A - Aggregate, K - Kernel Remnant, H - Hidden, P - Suppressed,
       U - Unreachable, i - Inactive

O 10.2.2.4/30 via 10.11.7.10, bond1.1107, cost 5, age 4863523
              via 172.23.101.80, bond1.1106
              via 172.23.101.81, bond1.1106
O 10.14.98.11/32 via 10.14.99.11, bond2.1499, cost 2, age 5024684
O 10.14.98.12/32 via 10.14.99.12, bond2.1499, cost 2, age 5024684
O 10.14.98.13/32 via 10.14.99.13, bond2.1499, cost 2, age 5024684
O 10.14.98.14/32 via 10.14.99.14, bond2.1499, cost 2, age 5024684
O E 10.165.249.0/24 via 10.14.99.11, bond2.1499, cost 1:20, age 4863523, tag 0x00000000
                    via 10.14.99.12, bond2.1499
                    via 10.14.99.13, bond2.1499
                    via 10.14.99.14, bond2.1499
O E 10.165.0.0/24 via 10.14.99.11, bond2.1499, cost 1:20, age 4863523, tag 0x00000000
                  via 10.14.99.12, bond2.1499
                  via 10.14.99.13, bond2.1499
                  via 10.14.99.14, bond2.1499
O E 10.0.0.0/8 via 172.23.101.69, bond1.1106, cost 2401:0, age 6929627, tag 0x0000030a
O E 172.16.0.0/12 via 172.23.101.69, bond1.1106, cost 2401:0, age 6929627, tag 0x0000030a
O E 192.168.0.0/16 via 172.23.101.69, bond1.1106, cost 2401:0, age 6929627, tag 0x0000030a
AKmdrL9LabDCFW1>

After:
FW1> show route ospf
Codes: C - Connected, S - Static, R - RIP, B - BGP (D - Default),
       O - OSPF IntraArea (IA - InterArea, E - External, N - NSSA)
       A - Aggregate, K - Kernel Remnant, H - Hidden, P - Suppressed,
       U - Unreachable, i - Inactive

O 10.2.2.4/30 via 10.11.7.10, bond1.1107, cost 5, age 4863590
              via 172.23.101.80, bond1.1106
              via 172.23.101.81, bond1.1106
O 10.14.98.11/32 via 10.14.99.11, bond2.1499, cost 2, age 5024751
O 10.14.98.12/32 via 10.14.99.12, bond2.1499, cost 2, age 5024751
O 10.14.98.13/32 via 10.14.99.13, bond2.1499, cost 2, age 5024751
O 10.14.98.14/32 via 10.14.99.14, bond2.1499, cost 2, age 5024751
AKmdrL9LabDCFW1>
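An added example, not part of the post above and not Check Point code: a small bash/awk helper that reads Gaia "show route ospf" output and lists the external (O E) routes with their tag in hex and decimal, so the set of routes a "match tag" route-map should affect can be compared before and after the route-map is applied. It assumes the column layout shown in the post (the tag appears only on the first line of a multi-path route; the indented "via" continuation lines carry no tag). The sample table embedded in the block is the poster's "Before" output, trimmed to a few routes. Note that 0x0000030a is decimal 778, the tag the route-map matches, while the 10.165.x.x externals carry tag 0.

```shell
#!/bin/bash
# Added example: summarise OSPF external routes by tag from Gaia
# "show route ospf" output, to check what a tag-matching route-map touches.

# Sample data: the "Before" table from the post above, trimmed. External routes
# only need their first line, which is where the tag appears.
sample_before() {
  cat <<'EOF'
O 10.2.2.4/30 via 10.11.7.10, bond1.1107, cost 5, age 4863523
              via 172.23.101.80, bond1.1106
              via 172.23.101.81, bond1.1106
O 10.14.98.11/32 via 10.14.99.11, bond2.1499, cost 2, age 5024684
O E 10.165.249.0/24 via 10.14.99.11, bond2.1499, cost 1:20, age 4863523, tag 0x00000000
                    via 10.14.99.12, bond2.1499
O E 10.165.0.0/24 via 10.14.99.11, bond2.1499, cost 1:20, age 4863523, tag 0x00000000
                  via 10.14.99.12, bond2.1499
O E 10.0.0.0/8 via 172.23.101.69, bond1.1106, cost 2401:0, age 6929627, tag 0x0000030a
O E 172.16.0.0/12 via 172.23.101.69, bond1.1106, cost 2401:0, age 6929627, tag 0x0000030a
O E 192.168.0.0/16 via 172.23.101.69, bond1.1106, cost 2401:0, age 6929627, tag 0x0000030a
EOF
}

# Read a routing table on stdin; print "<prefix> <tag-hex> <tag-decimal>"
# for every external route. Intra-area routes and continuation lines are ignored.
ospf_external_by_tag() {
  awk '/^O E / {
         tag = ""
         for (i = 4; i <= NF; i++) if ($i == "tag") tag = $(i + 1)
         if (tag != "") print $3, tag
       }' |
  while read -r prefix tag; do
    # shell arithmetic accepts the 0x prefix, so 0x0000030a becomes 778
    printf '%s %s %d\n' "$prefix" "$tag" "$(( tag ))"
  done
}

# Number of external routes whose decimal tag equals $1.
count_tag() {
  ospf_external_by_tag | awk -v want="$1" '$3 == want' | wc -l | tr -d ' '
}

# Stand-alone run: the routes a "match tag 778" route-map should select.
sample_before | ospf_external_by_tag
```

Running the same function over the "After" table and diffing the two lists shows exactly which externals disappeared; on a live box, pipe "clish -c 'show route ospf'" into ospf_external_by_tag instead of the sample.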

SSH Banners in R80.30

Hi, some characters like dashes "-" or "_" do not work anymore in R80.30 banners. SSH to the box should show these banners. In R80.30, the '---' are not visible anymore.

R8030> set message banner on
set message banner on line msgvalue "-----------"
set message banner on line msgvalue "R80.30 TEST"
set message banner on line msgvalue "-----------"
R8030> show configuration
set message banner on
set message banner on line msgvalue "R80.30 TEST"

R8020> show configuration
set message banner on
set message banner on line msgvalue "-----------"
set message banner on line msgvalue "R80.20 TEST"
set message banner on line msgvalue "-----------"

Is this a bug, a feature or a misconfiguration? Best Regards,

Gaia HealthCheck Script v7.04 released

Check Point released v7.04 of its Gaia HealthCheck Script. Attention: this is wrongly listed as version v7.05 in sk121447. Script author: @Nathan_Davieau (LinkedIn profile)
What's new: Updated CPUSE and JHF build numbers
What's missing: Automatically retrieve latest CPUSE, JHF, CPINFO build numbers rather than manually updating the script code
Download: healthcheck.sh script v7.04 (04Oct2019)

Can an SMS on R77.30 SPLAT manage R77.30 Gaia gateways?

Hello community. A question: can an SMS on R77.30 SPLAT manage R77.30 Gaia gateways? Please help me. Thank you very much.

Appliance BIOS Updates?

Has anyone ever been required to update the BIOS of their Check Point appliances for any reason? If so, could you share the circumstances that made it necessary? I've never needed to perform a BIOS update that I can remember. More info:
- sk120915: Check Point Appliances BIOS Firmware versions map
- sk128712: Upgrading the BIOS using BIOS Upgrade Tool
Danny inside Enterprise Appliances and Gaia OS 2 weeks ago

One-liner for Address Spoofing Troubleshooting

🏆 Code Hub Contribution of the Year 2019! 👍 Endorsed by Check Point Support!

One-liner (Bash) to show a summary of each gateway interface's calculated topology and address spoofing setting. In expert mode run:

echo; tput bold
if [[ `$CPDIR/bin/cpprod_util FwIsFirewallModule 2>/dev/null` != *'1'* ]]; then
  echo ' Not a firewall gateway!'; tput sgr0; echo
elif [[ `grep $(grep $(hostname) /etc/hosts | cut -f1 -d' ') $FWDIR/state/local/FW1/local.set | wc -l` == "0" ]]; then
  echo ' Main IP of '$(hostname)' doesn`t match it`s management interface IP!'; tput sgr0; echo
else
  # header: VS name and ID inside VSX, otherwise the hostname
  echo -n ' Interface Topology '; tput sgr0; echo -n '> '; tput bold; tput setaf 1
  if [[ -n "$vsname" ]] && [[ $vsname != *'unavail'* ]]; then echo $vsname' (ID: '$INSTANCE_VSID')'; else hostname; fi
  tput sgr0; echo -n ' '; printf '%.s-' {1..80}; echo
  # pull the interface objects of this gateway/VS out of local.set
  egrep -B1 $'ifindex|:ipaddr|\(\x22<[0-9]|objtype|has_addr_info|:monitor_only|:external' $FWDIR/state/local/FW1/local.set |
  sed -n "/$(if [[ -n "$vsname" ]] && [[ $vsname != *'unavail'* ]] && [[ $INSTANCE_VSID != '0' ]]; then echo $vsname; else grep `hostname` /etc/hosts | cut -f1 -d' '; fi)*$/,\$ p" |
  tail -n +3 |
  # strip set-file syntax and fold the IPv6 address onto the interface line
  sed 's/[\x22\t()<>]//g' | sed 's/--//g' |
  sed '$!N;s/\n:ipaddr6/ IPv6/;P;D' | sed '/IPv6/!s/://g' |
  sed 's/interface_topology/\tCalculated Interface Topology/g' |
  sed '0,/ifindex 0/{/ifindex 0/d;}' | sed '/ifindex 0/q' | sed '/spoof\|scan/d' |
  # translate the raw attributes into readable spoofing / mode / topology labels
  sed 's/has_addr_info true/\tAddress Spoofing Protection: Enabled/g' |
  sed 's/has_addr_info false/\tAddress Spoofing Protection: Disabled/g' |
  sed -e '/Prot/{n;d}' |
  sed '$!N;s/\nmonitor_only true/ (Detect Mode)/;P;D' | sed '$!N;s/\nmonitor_only false/ (Prevent Mode)/;P;D' |
  sed '$!N;s/\nexternal false/ - Internal Interface/;P;D' | sed '$!N;s/\nexternal true/ - External Interface/;P;D' |
  sed '/objtype/q' | tac | sed '/ifindex 0/I,+2 d' | sed '/Address/,$!d' | tac |
  sed '/ifindex/d' | sed 's/,/ -/g' | sed '$!N;s/\nipaddr/ >/;P;D' | sed '/ - /s/^ /\t/' |
  # highlight the settings worth a second look
  egrep -C 9999 --color=auto $'>|IPv6|External|Disabled|Detect'
  echo
fi

The one-liner is IPv4 and IPv6 compatible, works in clustered and single gateway environments, also within VSX, shows all interface types configured in your firewall object within SmartDashboard, colors specific words of the output for easier identification of important settings, adds additional information regarding the Address Spoofing setting and mode as well as the topology type of each interface, and is of course completely integrated within our ccc script. Thanks to Tim Hall's preliminary work in this thread. Thanks to Norbert Bohusch for IPv6 support and testing. Thanks to Kaspars Zibarts & Bob Zimmerman for VSX support and testing. Thanks to Anthony Joubaire for support and testing multiple installation targets.

More one-liners:
- One-liner to show VPN topology on gateways
- One-liner to show Geo Policy on gateways
- FW Monitor SuperTool