Enterprise Appliances and Gaia OS

Have questions about Security Gateway Appliances, Gaia OS, CoreXL, SecureXL, or ClusterXL? This is where to ask them! This also includes legacy operating systems like SecurePlatform, IPSO, or XOS.

For Small Business Security appliances (600/700/1200R/1400/1500), see the SMB Appliances and SMP space.

JozkoMrkvicka inside Enterprise Appliances and Gaia OS 9 hours ago

Detected Hardware Unit Hang

Hello everyone,

Environment: Cluster of SG4800 with R77.30 and jumbo Take 216.

I just noticed that from time to time the following messages are visible in /var/log/messages:

Dec 28 07:23:22 2018 GWB kernel: e1000e 0000:0f:00.0: eth4: Detected Hardware Unit Hang:
Dec 28 07:23:22 2018 GWB kernel:   TDH                  <218>
Dec 28 07:23:22 2018 GWB kernel:   TDT                  <21b>
Dec 28 07:23:22 2018 GWB kernel:   next_to_use          <21b>
Dec 28 07:23:22 2018 GWB kernel:   next_to_clean        <218>
Dec 28 07:23:22 2018 GWB kernel: buffer_info[next_to_clean]:
Dec 28 07:23:22 2018 GWB kernel:   time_stamp           <62cafbcd>
Dec 28 07:23:22 2018 GWB kernel:   next_to_watch        <218>
Dec 28 07:23:22 2018 GWB kernel:   jiffies              <62cb0098>
Dec 28 07:23:22 2018 GWB kernel:   next_to_watch.status <0>
Dec 28 07:23:22 2018 GWB kernel: MAC Status             <80783>
Dec 28 07:23:22 2018 GWB kernel: PHY Status             <796d>
Dec 28 07:23:22 2018 GWB kernel: PHY 1000BASE-T Status  <3800>
Dec 28 07:23:22 2018 GWB kernel: PHY Extended Status    <3000>
Dec 28 07:23:22 2018 GWB kernel: PCI Status             <10>

Dec 28 01:32:53 2018 GWB kernel: e1000e 0000:0f:00.0: eth4: Detected Hardware Unit Hang:
Dec 28 01:32:53 2018 GWB kernel:   TDH                  <1fc>
Dec 28 01:32:53 2018 GWB kernel:   TDT                  <1ff>
Dec 28 01:32:53 2018 GWB kernel:   next_to_use          <1ff>
Dec 28 01:32:53 2018 GWB kernel:   next_to_clean        <1fc>
Dec 28 01:32:53 2018 GWB kernel: buffer_info[next_to_clean]:
Dec 28 01:32:53 2018 GWB kernel:   time_stamp           <618a1136>
Dec 28 01:32:53 2018 GWB kernel:   next_to_watch        <1fc>
Dec 28 01:32:53 2018 GWB kernel:   jiffies              <618a15f2>
Dec 28 01:32:53 2018 GWB kernel:   next_to_watch.status <0>
Dec 28 01:32:53 2018 GWB kernel: MAC Status             <80783>
Dec 28 01:32:53 2018 GWB kernel: PHY Status             <796d>
Dec 28 01:32:53 2018 GWB kernel: PHY 1000BASE-T Status  <3800>
Dec 28 01:32:53 2018 GWB kernel: PHY Extended Status    <3000>
Dec 28 01:32:53 2018 GWB kernel: PCI Status             <10>

Looks like something is wrong with eth4. This interface is part of a bond interface, together with eth3. The purpose of the bond interface is the Sync link between both members. All interfaces are 1G TP. The distance between both cluster members is 40 km.

[Expert@GWB:0]# cphaconf show_bond bond1
Bond name:      bond1
Bond mode:      Load Sharing
Bond status:    UP
Balancing mode: 802.3ad Layer3+4 Load Balancing
Configured slave interfaces: 2
In use slave interfaces:     2
Required slave interfaces:   1
Slave name      | Status          | Link
----------------+-----------------+-------
eth3            | Active          | Yes
eth4            | Active          | Yes

[Expert@GWB:0]# cat /proc/net/bonding/bond1
Ethernet Channel Bonding Driver: v3.2.4 (January 28, 2008)

Bonding Mode: IEEE 802.3ad Dynamic link aggregation
Transmit Hash Policy: layer3+4 (1)
MII Status: up
MII Polling Interval (ms): 100
Up Delay (ms): 200
Down Delay (ms): 200

802.3ad info
LACP rate: slow
Active Aggregator Info:
        Aggregator ID: 1
        Number of ports: 2
        Actor Key: 17
        Partner Key: 33071
        Partner Mac Address: 00:23:04:ea:cd:05

Slave Interface: eth3
MII Status: up
Link Failure Count: 1
Permanent HW addr: 00:1c:7f:35:1e:67
Aggregator ID: 1

Slave Interface: eth4
MII Status: up
Link Failure Count: 3
Permanent HW addr: 00:1c:7f:35:1e:69
Aggregator ID: 1

Interface statistics:

[Expert@GWB:0]# ethtool -i eth3
driver: e1000e
version: 2.1.4-NAPI
firmware-version: 2.1-0
bus-info: 0000:0b:00.0

[Expert@GWB:0]# ethtool -i eth4
driver: e1000e
version: 2.1.4-NAPI
firmware-version: 2.1-0
bus-info: 0000:0f:00.0

[Expert@GWB:0]# ifconfig eth3
eth3        Link encap:Ethernet  HWaddr 00:1C:7F:35:1E:67
            UP BROADCAST RUNNING SLAVE MULTICAST  MTU:1500  Metric:1
            RX packets:1755761152 errors:0 dropped:0 overruns:0 frame:0
            TX packets:1722666300 errors:0 dropped:0 overruns:0 carrier:0
            collisions:0 txqueuelen:1000
            RX bytes:2574922192 (2.3 GiB)  TX bytes:4123666606 (3.8 GiB)
            Interrupt:185 Memory:fe9e0000-fea00000

[Expert@GWB:0]# ifconfig eth4
eth4        Link encap:Ethernet  HWaddr 00:1C:7F:35:1E:67
            UP BROADCAST RUNNING SLAVE MULTICAST  MTU:1500  Metric:1
            RX packets:74346835 errors:0 dropped:0 overruns:0 frame:0
            TX packets:129992397 errors:0 dropped:0 overruns:0 carrier:0
            collisions:0 txqueuelen:1000
            RX bytes:2213595757 (2.0 GiB)  TX bytes:2373454427 (2.2 GiB)
            Interrupt:185 Memory:febe0000-fec00000

[Expert@GWB:0]# netstat -ani
Kernel Interface table
Iface       MTU Met    RX-OK RX-ERR RX-DRP RX-OVR    TX-OK TX-ERR TX-DRP TX-OVR Flg
bond1      1500   0 1830071571      0      0      0 1852622059      0      0      0 BMmRU
eth3       1500   0 1755725351      0      0      0 1722632073      0      0      0 BMsRU
eth4       1500   0 74346220      0      0      0 129989986      0      0      0 BMsRU

[Expert@GWB:0]# ethtool -S eth4
NIC statistics:
     rx_packets: 74346141
     tx_packets: 129989592
     rx_bytes: 36870531721
     tx_bytes: 75906486583
     rx_broadcast: 72425523
     tx_broadcast: 128068474
     rx_multicast: 1917491
     tx_multicast: 1917919
     rx_errors: 0
     tx_errors: 0
     tx_dropped: 0
     multicast: 1917491
     collisions: 0
     rx_length_errors: 0
     rx_over_errors: 0
     rx_crc_errors: 0
     rx_frame_errors: 0
     rx_no_buffer_count: 0
     rx_missed_errors: 0
     tx_aborted_errors: 0
     tx_carrier_errors: 0
     tx_fifo_errors: 0
     tx_heartbeat_errors: 0
     tx_window_errors: 0
     tx_abort_late_coll: 0
     tx_deferred_ok: 0
     tx_single_coll_ok: 0
     tx_multi_coll_ok: 0
     tx_timeout_count: 0
     tx_restart_queue: 201
     rx_long_length_errors: 0
     rx_short_length_errors: 0
     rx_align_errors: 0
     tx_tcp_seg_good: 0
     tx_tcp_seg_failed: 0
     rx_flow_control_xon: 0
     rx_flow_control_xoff: 0
     tx_flow_control_xon: 0
     tx_flow_control_xoff: 0
     rx_long_byte_count: 36870531721
     rx_csum_offload_good: 72427507
     rx_csum_offload_errors: 0
     rx_header_split: 0
     alloc_rx_buff_failed: 0
     tx_smbus: 0
     rx_smbus: 0
     dropped_smbus: 0
     rx_dma_failed: 0
     tx_dma_failed: 0

[Expert@GWB:0]# ethtool -S eth3
NIC statistics:
     rx_packets: 1755721963
     tx_packets: 1722628786
     rx_bytes: 181392964784
     tx_bytes: 212883823014
     rx_broadcast: 1753601078
     tx_broadcast: 1720420399
     rx_multicast: 1917328
     tx_multicast: 1917924
     rx_errors: 0
     tx_errors: 0
     tx_dropped: 0
     multicast: 1917328
     collisions: 0
     rx_length_errors: 0
     rx_over_errors: 0
     rx_crc_errors: 0
     rx_frame_errors: 0
     rx_no_buffer_count: 0
     rx_missed_errors: 0
     tx_aborted_errors: 0
     tx_carrier_errors: 0
     tx_fifo_errors: 0
     tx_heartbeat_errors: 0
     tx_window_errors: 0
     tx_abort_late_coll: 0
     tx_deferred_ok: 0
     tx_single_coll_ok: 0
     tx_multi_coll_ok: 0
     tx_timeout_count: 0
     tx_restart_queue: 0
     rx_long_length_errors: 0
     rx_short_length_errors: 0
     rx_align_errors: 0
     tx_tcp_seg_good: 0
     tx_tcp_seg_failed: 0
     rx_flow_control_xon: 0
     rx_flow_control_xoff: 0
     tx_flow_control_xon: 0
     tx_flow_control_xoff: 0
     rx_long_byte_count: 181392964784
     rx_csum_offload_good: 1753575650
     rx_csum_offload_errors: 0
     rx_header_split: 0
     alloc_rx_buff_failed: 0
     tx_smbus: 0
     rx_smbus: 0
     dropped_smbus: 0
     rx_dma_failed: 0
     tx_dma_failed: 0

Sync stats:

[Expert@GWB:0]# fw ctl pstat

System Capacity Summary:
  Memory used: 24% (317 MB out of 1318 MB) - below watermark
  Concurrent Connections: 95 (Unlimited)
  Aggressive Aging is not active

Hash kernel memory (hmem) statistics:
  Total memory allocated: 134217728 bytes in 32768 (4096 bytes) blocks using 32 pools
  Total memory bytes  used: 18721768   unused: 115495960 (86.05%)   peak: 37117084
  Total memory blocks used:     6293   unused:    26475 (80%)   peak:     9638
  Allocations: 3370097210 alloc, 0 failed alloc, 3369886583 free

System kernel memory (smem) statistics:
  Total memory  bytes  used: 306889492   peak: 310893628
  Total memory bytes wasted: 24536339
    Blocking  memory  bytes   used:  6230064   peak:  6722532
    Non-Blocking memory bytes used: 300659428   peak: 304171096
  Allocations: 21376530 alloc, 0 failed alloc, 21372364 free, 0 failed free
  vmalloc bytes  used:  6291456 expensive: yes

Kernel memory (kmem) statistics:
  Total memory  bytes  used: 191218320   peak: 207504120
  Allocations: 3391446510 alloc, 0 failed alloc
               3391233868 free, 0 failed free
  External Allocations: 0 for packets, 93818736 for SXL

Cookies:
        3761509268 total, 42662 alloc, 42662 free,
        3777276 dup, 4288962429 get, 247007545 put,
        3969813062 len, 119751361 cached len, 0 chain alloc,
        0 chain free

Connections:
        110810622 total, 58628503 TCP, 46986057 UDP, 5196047 ICMP,
        15 other, 0 anticipated, 1473 recovered, 95 concurrent,
        4935 peak concurrent

Fragments:
        309498393 fragments, 112535931 packets, 19491 expired, 0 short,
        0 large, 0 duplicates, 0 failures

NAT:
        9569835/0 forw, 7439782/0 bckw, 7345619 tcpudp,
        234246 icmp, 2178810-2955934 alloc

Sync:
        Version: new
        Status: Able to Send/Receive sync packets
        Sync packets sent:
         total : 256132610,  retransmitted : 945, retrans reqs : 254,  acks : 1120386
        Sync packets received:
         total : 143020690,  were queued : 1949226, dropped by net : 928271
         retrans reqs : 443, received 2619713 acks
         retrans reqs for illegal seq : 0
         dropped updates as a result of sync overload: 0
        Callback statistics: handled 69537 cb, average delay : 1,  max delay : 56

[Expert@GWB:0]# cphaprob syncstat

Sync Statistics (IDs of F&A Peers - 1 ):

Other Member Updates:
Sent retransmission requests...................  254
Avg missing updates per request................  1
Old or too-new arriving updates................  126
Unsynced missing updates.......................  0
Lost sync connection (num of events)...........  133
Timed out sync connection .....................  0

Local Updates:
Total generated updates .......................  21792644
Recv Retransmission requests...................  443
Recv Duplicate Retrans request.................  0

Blocking Events................................  0
Blocked packets................................  0
Max length of sending queue....................  0
Avg length of sending queue....................  0
Hold Pkts events...............................  69537
Unhold Pkt events..............................  69537
Not held due to no members.....................  1
Max held duration (sync ticks).................  0
Avg held duration (sync ticks).................  0

Timers:
Sync tick (ms).................................  100
CPHA tick (ms).................................  500

Queues:
Sending queue size.............................  512
Receiving queue size...........................  512

Not sure if this might be a Check Point issue, or a Linux related bug... Any ideas?
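An added triage script (not from the post, and not Check Point code) that parses e1000e "Detected Hardware Unit Hang" dumps like the ones above and turns the raw register values into what a cluster admin would alert on: how many Tx descriptors are stuck and how long the oldest one has waited. The 1024-entry ring size and HZ=1000 are assumptions, and the sample log is constructed from the first dump in the post.

```python
"""Triage e1000e 'Detected Hardware Unit Hang' dumps from /var/log/messages."""
import re

# Constructed sample modelled on the first dump in the post (not the poster's file).
SAMPLE_LOG = """\
Dec 28 07:23:22 2018 GWB kernel: e1000e 0000:0f:00.0: eth4: Detected Hardware Unit Hang:
Dec 28 07:23:22 2018 GWB kernel:   TDH                  <218>
Dec 28 07:23:22 2018 GWB kernel:   TDT                  <21b>
Dec 28 07:23:22 2018 GWB kernel:   next_to_use          <21b>
Dec 28 07:23:22 2018 GWB kernel:   next_to_clean        <218>
Dec 28 07:23:22 2018 GWB kernel: buffer_info[next_to_clean]:
Dec 28 07:23:22 2018 GWB kernel:   time_stamp           <62cafbcd>
Dec 28 07:23:22 2018 GWB kernel:   next_to_watch        <218>
Dec 28 07:23:22 2018 GWB kernel:   jiffies              <62cb0098>
Dec 28 07:23:22 2018 GWB kernel:   next_to_watch.status <0>
Dec 28 07:23:22 2018 GWB kernel: MAC Status             <80783>
Dec 28 07:23:22 2018 GWB kernel: PHY Status             <796d>
Dec 28 07:23:22 2018 GWB kernel: PHY 1000BASE-T Status  <3800>
Dec 28 07:23:22 2018 GWB kernel: PHY Extended Status    <3000>
Dec 28 07:23:22 2018 GWB kernel: PCI Status             <10>
Dec 28 07:23:30 2018 GWB kernel: unrelated message (ignored by the parser)
"""

# Assumed: a 1024-entry Tx ring (indices like 0x218 in the post exceed the e1000e
# default of 256, so confirm with `ethtool -g eth4`) and HZ=1000 for the Gaia kernel.
RING_SIZE, HZ = 1024, 1000

HEADER = re.compile(r"^(?P<ts>\w{3} +\d+ [\d:]{8} \d{4}) \S+ kernel: e1000e (?P<pci>\S+): "
                    r"(?P<iface>\S+): Detected Hardware Unit Hang:")
FIELD = re.compile(r"kernel:\s+(?P<key>[\w.\[\] -]+?)\s+<(?P<val>[0-9a-f]+)>$")


def parse_hangs(text):
    """Return one dict per hang dump: header fields plus each <hex> register as an int."""
    events, cur = [], None
    for line in text.splitlines():
        m = HEADER.search(line)
        if m:
            cur = dict(m.groupdict())
            events.append(cur)
        elif cur is not None and (f := FIELD.search(line)):
            cur[f.group("key").strip()] = int(f.group("val"), 16)
    return events


def summarize(ev, ring_size=RING_SIZE, hz=HZ):
    """Turn one dump into the numbers worth alerting on."""
    # TDT - TDH: descriptors handed to the NIC that it has not transmitted yet.
    pending = (ev["TDT"] - ev["TDH"]) % ring_size
    # Hardware head == driver clean pointer and tail == use pointer: nothing
    # completed since the last watchdog pass, so the NIC has stopped sending.
    stalled = ev["TDH"] == ev["next_to_clean"] and ev["TDT"] == ev["next_to_use"]
    age = (ev["jiffies"] - ev["time_stamp"]) & 0xFFFFFFFF  # wrap-safe 32-bit delta
    return {
        "iface": ev["iface"], "ts": ev["ts"],
        "pending_descriptors": pending, "head_unchanged": stalled,
        "stall_jiffies": age, "stall_seconds": age / hz,
        "descriptor_done": bool(ev["next_to_watch.status"] & 0x1),  # E1000_TXD_STAT_DD
        "link_up": bool(ev["MAC Status"] & 0x2),                    # E1000_STATUS_LU
    }


if __name__ == "__main__":
    for ev in parse_hangs(SAMPLE_LOG):
        print(summarize(ev))
```

Run it over the real /var/log/messages and count dumps per interface: in the post both dumps name eth4, the slave whose Link Failure Count and tx_restart_queue are also the only non-zero ones.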
Chauhanrht8 inside Enterprise Appliances and Gaia OS 12 hours ago

Firewall rule for any tcp and udp port

How can we create a service for Any TCP and UDP ports? Port should be: Any, and protocol should be: TCP and UDP??
David_Spencer inside Enterprise Appliances and Gaia OS 16 hours ago

Changing clusterXL from HA to Active-active

We're looking at changing from our HA passive-active setup to active-active. Unsure if we will go multicast or unicast yet. I've been looking for any documentation on changing modes, and what considerations we should have, but have not found any. Lots of information is available for setting them up from scratch.

Anyone have any experience with doing this kind of change, or have any resources I can look at?

*Edit* - Meant to put this in the management board, not general topics. Whoops. Can we move the post?
HeikoAnkenbrand inside Enterprise Appliances and Gaia OS yesterday

R80.x Ports Used for Communication by Various Check Point Modules

Introduction

This drawing should give you an overview of the R80 and R77 ports and communication flows used. It should give you an overview of how different Check Point modules communicate with each other. Furthermore, services that are used for firewall operation are also considered. These firewall services are also partially mapped as implied rules in the set on the firewall.

Overview

Download

Download: R80.x Ports Used for Communication PDF (new R80.30 version)

Chapter

More interesting articles:
- R80.x Architecture and Performance Tuning - Link Collection
- Article list (Heiko Ankenbrand)

References

Support Center: Ports used by Check Point software

Versions

+ v1.5a typos corrected 18.09.2019
+ v1.5b port update 26.01.2020

old version 1.4:
+ v1.4a bug fix, update port 1701 udp L2TP 09.04.2018
+ v1.4b bug fix 15.04.2018
+ v1.4c CPUSE update 17.04.2018
+ v1.4d legend fixed 17.04.2018
+ v1.4e add SmartLog and SmartView on port 443 20.04.2018
+ v1.4f bug fix 21.05.2018
+ v1.4g bug fix 25.05.2018
+ v1.4h add Backup ports 21, 22, 69 UDP and ClusterXL full sync port 256 30.05.2018
+ v1.4i add port 259 udp VPN link probing 12.06.2018
+ v1.4j bug fix 17.06.2018
+ v1.4k add OSPF/BGP route Sync 25.06.2018
+ v1.4l bug fix routed 29.06.2018
+ v1.4m bug fix tcp/udp ports 03.07.2018
+ v1.4n add port 256 13.07.2018
+ v1.4o bug fix / add TE ports 27.11.2018
+ v1.4p bug fix routed port 2010 23.01.2019
+ v1.4q change to new forum format 16.03.2019

old version 1.3:
+ v1.3a new design (blue, gray), bug fix, add netflow, new names 27.03.2018
+ v1.3b add routing ports, bug fix design 28.03.2018
+ v1.3c bug fix, rename ports (old) 29.03.2018
+ v1.3d bug fix 30.03.2018
+ v1.3e fix issue L2TP UDP port 1701

old version 1.1:
+ v1.1a - added r80.xx ports 16.03.2018
+ v1.1b - bug in drawing fixed 17.03.2018
+ v1.1c - add RSA, TACACS, Radius 19.03.2018
+ v1.1d - add 900, 259 Client-auth - deleted old 4.0 ports 20.03.2018
+ v1.1e - add OPSEC - delete R55 ports 21.03.2018
+ v1.1f - bug fix 22.03.2018
+ v1.1g - bug fix - add mail smtp - add dhcp - add snmp 25.03.2018

Copyright by Heiko Ankenbrand 1994-2019

Script to get arp table and routing table

Hi there,

May I ask if there is any previous sample script for accessing our GW to grab the arp table and routing table from the CLI via ssh?

Regards,
Wanda

VoIP Issue and SMB Appliance (600/1000/1200/1400)

Issue description:
Many of our customers have reported the following issue in recent weeks. Telephone VoIP connections are terminated and can no longer be established.

Issue debug:
On the firewall you see a typical issue with the following message if you start:
# fw ctl zdebug drop

Issue message:
fwconn_key_init_links (INBOUND) failed

Solution:
There are two different servers on the SIP/RTP provider's side that take part in the process of establishing the SIP/RTP call:
- Server for SIP (management and control)
- Server for RTP (media and voice data)

Make sure that the UDP high ports from the internal RTP VoIP telephone system to the provider RTP server on the RTP provider's side are dropped by the rule base on the 600 / 1100 / 1200 / 1400 appliance:

RTP rules:
- Create a service for the UDP high ports and use it in an incoming Accept rule, which also has to allow the RTP ports.
- Create a drop rule to block outgoing connections from the internal RTP server (VoIP telephone system) to the provider's RTP server on high UDP ports.

SIP rule:
- Create an allow rule for incoming and outgoing SIP traffic on UDP port 5060.

Example:

A similar description can be found in SK104082.

Regards, Heiko

Cron job help

I literally need a cron job to run the command

ioc_feeds push

I just can't get it to work in any format: bash, clish, Gaia GUI. I guess the GUI would be simplest. I am running this:

/etc/profile.d/CP.sh ; source /opt/CPsuite-R80.30/fw1/bin/ioc_feeds push

But the email alert is telling me it's wrong:

/opt/CPsuite-R80.30/fw1/bin/ioc_feeds: line 3: /Python/bin/python: No such file or directory

Trying to follow sk90441 and the Gaia Admin guide, which says:

Note - If you wish to run a Check Point command, then use this syntax (see sk90441 http://supportcontent.checkpoint.com/solutions?id=sk90441): source /etc/profile.d/CP.sh ;

But having zero luck. Please help.

R80.30 set message banner fails

Hello everyone,

I just tried to set a multiline message banner as I used to do in R77.30 (which did not change in R80.30) but could not:

~~~~~~~~~~~~~~~~~~~~~~~~
openserver> show message banner
Banner message: This system is for authorized use only.
openserver> delete message banner
openserver> set message banner on line msgvalue "Only authorized personnel is allowed to connect to the server"
openserver> set message banner on line msgvalue "Access is monitored"
openserver> set message banner on line msgvalue "Additional laws and regulations may apply"
openserver> show message banner
Banner message: This system is for authorized use only.
~~~~~~~~~~~~~~~~~~~~~~~~

The same happens in the GAiA WebUI.

Does anyone have a clue what might be causing this?

Best regards
Carsten

Save Backupfile to Unix Server through VPN Connection

Hi Checkmates,

I want to configure an automatic backup job on the Security Gateway (Check Point Appliance 3100). The destination is a central Unix server in the headquarters, reached by an SCP connection through a VPN connection configured on this Security Gateway. The Security Gateway has several interfaces, including one interface to the Internet with a static public IP address. This public IP address is also the MGMT IP of the Security Gateway. The destination backup server has a private IP address and is only reachable over the VPN connection.

If I start the backup job, the backup is not successful. If I check the connections on the backup server at the same time, I see that the gateway comes with the public IP, and maybe this is the problem.

My question is: how do I configure the backup job so that the Security Gateway uses another source IP (its private IP, not the public MGMT IP address)?

R80.10 GW - VSX HA/VSLS - Loopback Interfaces on VS ?

Hi folks,

I'm currently staging 2 Open Server gateways with ClusterXL HA and VSLS on R80.10, with the main goal of setting up dynamic routing between Virtual Systems and some external routers using eBGP sessions. So far, the setup is running fine, but I want to go further.

Is there any way to configure one or several loopback interfaces on a Virtual System? If not, is there any chance this feature is already on the development roadmap of a future version? I will open a case with Check Point support asap for this feature request.
Timothy_Hall inside Enterprise Appliances and Gaia OS Wednesday

Announcement - Max Power 2020: Check Point Firewall Performance Optimization (Third Edition)

The third edition of the book Max Power 2020: Check Point Firewall Performance Optimization is now available. For more information, including the FAQ and a CPX-related discount code, please visit the site http://www.maxpowerfirewalls.com. Feel free to PM or email me with questions, but please be sure to read the FAQ in its entirety first. Thanks!

2 new Common Criteria certificates R80.30: Protection Profile and EAL4+ and certification update

I’m pleased to announce that Check Point have been awarded two new Common Criteria certificates for R80.30:

EAL4+ certificate of R80.30
The Target of Evaluation (TOE) included claims for:
- Firewall
- IPS Blade
- Pattern Matcher
- REST API
- Enterprise appliances, TE appliances, Smart-1, CloudGuard

Protection Profile compliance of R80.30
The Target of Evaluation (TOE) included claims for:
- Network Device
- Stateful Traffic Filter Firewall Extended
- VPN Package
- SmartConsole
- Enterprise appliances, TE appliances, Smart-1, CloudGuard

The Protection Profile and EAL4+ listings include the Certificates, Security Target and Validation Report.

In addition, R80.30 is now listed by the NSA CSFC component list for protecting classified NSS data, and qualifies for listing by NIAPC (NATO Information Assurance Product Catalogue) and the UK National Cyber Security Center (NCSB) Commercial Product Assurance (CPA) certification.

A full press release can be seen here: https://www.globenewswire.com/news-release/2020/01/16/1971274/0/en/Check-Point-Software-Technologies-Receives-2-New-Common-Criteria-Certifications-to-Meet-the-Security-Needs-of-31-Nations.html

What does VRRP State Flag "InterfaceDown" mean

On my cluster, the VRRP summary shows:

VRRP State
VRRP Router State: Up
Flags: On,MonitorFirewall,InterfaceDown
Interface enabled: 17
Virtual routers configured: 17
In Init state 0
In Backup state 17
In Master state 0

What does the flag "InterfaceDown" mean, and how is it set?

How to use scripts from IPSO in Gaia as well

Hi all,

The scripts used by IPSO can't be used, as they have been moved to Gaia. Is there a problem with scripts?

open 10.1.25.243
user admin passwd
asprompt
cd /var/log
lcd c:\usffw_accesslog\krsefw05
mget *messages*
mget *wtmp*
disconnect
asprompt
quit

It aims to import logs using ftp every night.

PBR Rules/R80.30 and Hide NAT

Hi all,

I have been given an answer by Check Point support, however I wondered if anyone could explain to me what the changes are and the consequences of turning SecureXL off in the future.

So - we migrated a customer to R80.30 from an R77.30 firewall. They have a list of PBR rules. An issue came up where certain traffic was being received on the correct interface, but was leaving on the incorrect one. There is a PBR rule to point the traffic back to the correct interface. (The traffic wasn't being picked up by another PBR rule, it was just following OS routes.) Turning SecureXL off fixes the issue.

Check Point support pointed me to sk163320. The customer does indeed translate his source IP, but his PBR rules were always set on the existing, original IP and not the NAT'd IP. It appears now that PBR is calculated after NAT, therefore on the NAT address - firstly, is my understanding correct?

The customer is a bit dismayed at the fact that he now needs to adjust all his PBR rules to work with the translated NAT source address. He also queries why this is the case in R80.20 and above: what changed? And also, if he turns SecureXL off, will PBRs still be calculated on the NAT'd source address, or will he need to keep PBR rules for both original and NAT'd addresses?