Showing results for 
Search instead for 
Did you mean: 
Create a Post

R80.30 3.10 Interface issues?

Has anyone had issues with interfaces flapping on R80.30 3.10?  I have two Intel x710 nic cards installed on an HPE G10, where the ports from one card are in bond1 and ports from the other are in bond2. I was running R80.20 3.10, where everything was functioning. I upgraded to .30 and my ports on bond2 started flapping.  I took the ports out of the bond and destroyed the PO on the switch, but the ports continue to flap. I’m hoping I’m missing something, but I’ve noticed weird things like the lacp-rate not honoring the clish setting (I set fast, but the bond shows slow), auto negotiate not honoring the clish setting (I set auto, ethtool says autoneg not supported), rx/tx ringsize not honoring the clish setting (I increased it, but ethtool still shows default) and the default multiqueue setting does not match for all ports (the working 10G ports have more CPU allocated than should be). I have a ticket open, but was curious if others have this issue.  I also installed JHF50 (ongoing take), but no dice.  I tried this on two boxes, same result. I noticed the i40e driver was upgraded when I went to .30 3.10, so I tried to use the older version from .20 3.10, but no luck. The driver seems OK based on internet searches, but Check Point documentation says the i40e driver is for 40G nics and not 10G. Maybe the driver should be the ixgbe driver, but 80.20 3.10 also used the i40e driver. Thoughts?
Danny inside Enterprise Appliances and Gaia OS 9 hours ago
views 11379 7 16

HowTo - Creating an scpuser account on Gaia Clish

While reviewing Check Point installations I often encounter setups where the shell of the admin user account was changed to /bin/bash in order to allow copying documents via scp to and from Check Point Gaia systems. This is because the scponly shell isn't known. Follow these steps to create an scpuser for copying documents securely without compromising your admin account. [ R77.30 ] add user scpuser uid 2600 homedir /home/scpuser set user scpuser shell /usr/bin/scponly set user scpuser password save config‍‍‍‍‍‍‍‍ [ R80.x ] add user scpuser uid 2600 homedir /home/scpuser set user scpuser realname Scpuser add rba role scpRole domain-type System readwrite-features expert add rba user scpuser roles scpRole set user scpuser gid 100 shell /usr/bin/scponly set user scpuser password save config‍‍‍‍‍‍‍‍‍‍‍‍‍‍
Danny inside Enterprise Appliances and Gaia OS 11 hours ago
views 48

Gaia HealthCheck Script v7.01 released

Check Point released v7.01 of it's Gaia HealthCheck Script. Script author: @Nathan_Davieau (LinkedIn profile) What's new: Added self-update routine Added logger calls to write script statuses to /var/log/messages Added check for Active SMS/DMS Minor code improvements Download Package Link Date script v7.01 12Sep2019
FWNinja inside Enterprise Appliances and Gaia OS 13 hours ago
views 82 5

VPN Link Selection - Question

Hi all,I have other question for you.I have configured VPN link selection with "Outgoing Route Selection -> When initiating a tunnel -> Operating system routing table"."Operating system routing table" conteins PBR route? Or PBR route are in a separeted table? Thanks and Best regardsFrancesco

'Invalid segment retransmission. Packet dropped.'

Hi All, we have a client not able to connect to an FTP server. The connection goes through the internal firewall and then gets dropped by our external CP (80.10). The sync packet is okay, but then it is actually dropped by the same rule that should be allowing it with the 'Invalid segment retransmission. Packet dropped.' comment. Please see the below screen.We initially thought it was down to the application (FileZilla), but it seems it's the same, for example, from win command line. Thank you for any comments. 

Proxy ARP after upgrade to R80.30

This week we had some clusters upgraded from R80.10 to R80.30, the customer wants the new and improved HTTPS functionality. When we were done, on 2 VRRP clusters we had some automatic NAT and a special Hide NAT (for WiFi guests) After upgrading you install the policy twice, first the acces and then again for the Threat Prevention policy. After some time we were told the Guest WiFi did not work, investigation pointed in the end to the proxy ARP that was not active, so we added the Proxy ARP command for the Hide address, pushed the access policy (the third time). After looking with fw ctl arp we then saw 2 Proxy ARP addresses, the one we added and the other was a automatic NAT. After removing the manual Proxy ARP again, the fw ctl arp kept showing both ARP entries. When we upgraded the other cluster we checked again after 1, 2 and 3 pushes of the access policy and only after the third push the Proxy ARP addresses showed up. It has been reported and R&D will be informed.

Smart-1 625 and R80.10

Hoping someone can clarify for me whether I should be able to re-image a Smart-1 625 with R80.10?   It picks up the USB but the 625 is not listed in the boot options.  I would have expected to see it in option 4 with the other Smart-1 models (Smart-1 5/25/50/200/400/525/3000/5050/5150).  I selected option 4 anyway, the installation starts then it tells me it's unable to find the driver.  My contact at Check Point tells me R80.10 is listed as a supported version in the Smart-1 625 release notes tho personally I can't find any RN for this appliance.  The R80.10 supported platforms list doesn't include the 625 but then again it doesn't include the 525 so I'm unsure how accurate it is.   Can anyone help?

Security Checkup with Sandblast Now

Is anyone already using Sandblast Now for doing Security Checkups? There is a Blink image available for R80.30. Use that to quickly start your Sandblast Now Checkup. Setting this up saves you time compared to our original way of doing Checkups. One you setup the device and online details the device will automatically start logging online where data is being processed. You don't have to download data or wait for cloud scripts. Within minutes you already see what's happening. Tried this for the first time this week and if you do Checkups you should definitely give it a try!

Reboot no explanation

Hi,  I recently have the issue that a customer from us has an appliance that reboots without explanation.  We have noticed following behaviour: [Expert@clusterFW2:0]# last -x |head |tacreboot   system boot  2.6.18-92cpx86_6 Fri Apr 12 02:44          (00:03)runlevel (to lvl 3)   2.6.18-92cpx86_6 Fri Apr 12 02:44 - 02:48  (00:03)runlevel (to lvl 6)   2.6.18-92cpx86_6 Fri Apr 12 02:48 - 02:48  (00:00)shutdown system down  2.6.18-92cpx86_6 Fri Apr 12 02:48 - 15:59  (13:10)reboot   system boot  2.6.18-92cpx86_6 Fri Apr 12 02:51          (13:07)runlevel (to lvl 3)   2.6.18-92cpx86_6 Fri Apr 12 02:51 - 15:59  (13:07)sseidewi pts/2 Fri Apr 12 06:05 - 06:25  (00:20)admin    pts/2 Fri Apr 12 09:29 - 09:41  (00:12)admin    pts/2 Fri Apr 12 14:23 - 14:57  (00:33)admin    pts/2 Fri Apr 12 15:46   still logged in This looks like a normal reboot, however runlevel 6 is making me wonder, a normal reboot should not show runlevel6, On messages file I can see the message Restart, but no errors previous to this, system reboots normally. There are no crash dumps available or errors. Can I somehow confirm that the system was not rebooted by simply pressing the power or imputing a command?

PBR Question

Hi all,I configured a pbr with two gateways.Related to it, I would like to know the behaviuor of a pakcet matching this pbr.For example, a PC tries to go to the internet. This traffic matches PBR mentioned above with 2 gateways configured. What is the behaviuor?Will this PC use always the first configured gateway? Or it can use, in other/next communication, the second configured gateway? Thanks and Best RegardsFrancesco

Gaia R80.10 DHCP Reservation not working

I followed sk92473 to add DHCP reservation for some hosts on my 3100 running R80.10. But it's not working at all, the reservation isn't working for the specified host and worst then that the DHCP isn't working anymore for any other host. I can't figure out the problem here's the content of my dhcpd.conf file : ddns-update-style none;subnet netmask {default-lease-time 43200;max-lease-time 86400;option host-name= pick(option host-name,concat("dhcp-", binary-to-ascii(10, 8, "-", leased-address)));range;option routers;option domain-name-servers,;}#dhcpd.private:host LAP-MTL-007.telesystem.intra {60:45:BD:FA:C9:E1;;}Thanks,  

PBR Question

Hi all, I have a question about PBR configuration.I configured a pbr action table with two gateways.Related to it, I would like to know the behaviuor of a pakcet matching this pbr.For example, a PC tries to go to the internet. This traffic matches PBR rule related to the PBR action table mentioned above with 2 gateways configured. Now, what is the behaviuor?Will this PC use always the first configured gateway? Or it can use, in other/next communication, the second configured gateway? Thanks and Best RegardsFrancesco

Connectivity issues from standby gateway after R80.10 -> R80.30 upgrade

Good day,I have recently completed an upgrade from R80.10 to R80.30 (Management + 2 gateways in HA cluster).  The upgrade itself was successful but I have noticed one issue on the standby gateway.  We cannot ping or do NSlookups etc from the standby node.  License checks also fails on this node.What I have attempted thus far:Set the "fw ctl set int fwha_forw_packet_to_not_active 1" on both gatewaysFollowed the guidance in sk147093 (fw ctl zdebug output matched that in the SK, as per below, IP sanitised)121670435;[cpu_1];[SIM-207375815];update_tcp_state: invalid state detected (current state: 0x10000, th_flags=0x10, cdir=0) -> dropping packet, conn: [<,2022,,88,6>][PPK0];@;121670435;[cpu_1];[SIM-207375815];sim_pkt_send_drop_notification: (0,0) received drop, reason: general reason, conn: It is important to note that all connectivity is restored when I do a fw unloadlocal.  There has also been no changes to either NAT or firewall policies.I've found a couple of posts on Checkmates describing similiar issue, but unfortunately no resolution apart from the steps above.I will also log a TAC case, but hoping to hear if anyone has experienced similiar issues after an upgrade?Thanks,Ruan 
Kul inside Enterprise Appliances and Gaia OS Wednesday
views 60 1

Unable to boot from USB

Hello everyone, I am unable to install r77.30 on 4200 device. I even changed USB drive and still failed. It leads to the same page and I see no option for USB.I tried in other 4200 device and it works fine. 

Mirror and Decrypt for SMTP with TLS

Starting on R80.20 Checkpoint offer the option to "Mirror and Decrypt" traffic that pass the ssl inspection can be mirror as clear text. Can we inspect in the ssl inspection poet 25 for smtp mails with TLS encryption? (this is needed to be decrypt of course in the mirror).