cancel
Showing results for 
Search instead for 
Did you mean: 
Create a Post
Enterprise Appliances and Gaia OS

Have questions about Security Gateway Appliances, Gaia OS, CoreXL, SecureXL, or ClusterXL? This is where to ask them! This also includes legacy operating systems like SecurePlatform, IPSO, or XOS.

For Small Business Security appliances (600/700/1200R/1400/1500), see the SMB Appliances and SMP space.

R80.30 3.10 Interface issues?

Has anyone had issues with interfaces flapping on R80.30 3.10?  I have two Intel x710 nic cards installed on an HPE G10, where the ports from one card are in bond1 and ports from the other are in bond2. I was running R80.20 3.10, where everything was functioning. I upgraded to .30 and my ports on bond2 started flapping.  I took the ports out of the bond and destroyed the PO on the switch, but the ports continue to flap. I’m hoping I’m missing something, but I’ve noticed weird things like the lacp-rate not honoring the clish setting (I set fast, but the bond shows slow), auto negotiate not honoring the clish setting (I set auto, ethtool says autoneg not supported), rx/tx ringsize not honoring the clish setting (I increased it, but ethtool still shows default) and the default multiqueue setting does not match for all ports (the working 10G ports have more CPU allocated than should be). I have a ticket open, but was curious if others have this issue.  I also installed JHF50 (ongoing take), but no dice.  I tried this on two boxes, same result. I noticed the i40e driver was upgraded when I went to .30 3.10, so I tried to use the older version from .20 3.10, but no luck. The driver seems OK based on internet searches, but Check Point documentation says the i40e driver is for 40G nics and not 10G. Maybe the driver should be the ixgbe driver, but 80.20 3.10 also used the i40e driver. Thoughts?
Kevin_Orrison
Kevin_Orrison inside Enterprise Appliances and Gaia OS 3 hours ago
views 214 16 1

Replace/Upgrade Cluster

I currently have two 4800s in a cluster on R80.10. I am looking to utilize the same cluster name/configuration and replace these gateways with two 6500s on R80.30. I just wanted to brain storm on the easiest way to accomplish this. Also, seems like this should be a common ask. Are there any Check Point guides for something like this?

Traffic not accelerated by Secure XL

Hi,I have been dealing with the secure XL for a while and cannot have the traffic accelerated as you can see the output below.The problem is the cpus are going over %95 during day time and i think the reason is the secure XL not handling traffic as expected as everything is going through the slow path.I have been through many topics here and I will put the outputs you may ask.Just a brief information of the firewall, working with ClusterXL, 8 cpu (2 SND, 6 workers) , OPEN SERVER ( I'm not sure if this could be any issue) , This is an external firewall, having DMZ, vpn and internet traffic of users and servers and more as you can think.#fwaccel stats -sAccelerated conns/Total conns : 14/79668 (0%)Accelerated pkts/Total pkts   : 370720/214400236 (0%)F2Fed pkts/Total pkts   : 211158051/214400236 (98%)PXL pkts/Total pkts   : 2871465/214400236 (1%)QXL pkts/Total pkts   : 0/214400236 (0%) # fwaccel conns -sThere are 211889 connections in SecureXL connections table The template number is so low.# fwaccel templates -sThere are 48 templates in SecureXL templates table # fwaccel statAccelerator Status : onAccept Templates   : disabled by Firewall                     Layer CL-EXT Security disables template offloads from rule #xxx ( just above the last rule)                     Throughput acceleration still enabled.Drop Templates     : enabledNAT Templates      : disabled by Firewall                     Layer CL-EXT Security disables template offloads from rule xxx ( just above the last rule)                     Throughput acceleration still enabled.NMR Templates      : enabledNMT Templates      : enabled I downloaded the fwaccel conns table and when investigated we see that most of traffic is about these 4 sources with 1 destination address (exchange related F5 traffic) as nearly 1/3 of the whole table is this connection. SourceDestinationDPortPRFlags     C2Si/f S2Ci/f InstAX4436F..A...S......40/3232/40BX4436F..A...S......40/3232/40BX4436F..A...S......40/3232/40CX4436F..A...S......40/3232/40AX4436F..A...S......40/3232/40DX4436F..A...S......40/3232/40CX4436F..A...S......40/3232/40DX4436F..A...S......40/3232/40CX4436F..A...S......40/3232/40BX4436F..A...S......40/3232/40BX4436F..A...S......40/3232/40DX4436F..A...S......40/3232/40AX4436F..A...S......40/3232/40CX4436F..A...S......40/3232/40DX4436F..A...S......40/3232/40CX4436F..A...S......40/3232/40BX4436F..A...S......40/3232/40CX4436F..A...S......40/3232/40AX4436F..A...S......40/3232/40BX4436F..A...S......40/3232/40AX4436F..A...S......40/3232/40BX4436F..A...S......40/3232/40BX4436F..A...S......40/3232/40AX4436F..A...S......40/3232/40DX4436F..A...S......40/3232/40DX4436F..A...S......40/3232/40AX4436F..A...S......40/3232/40BX4436F..A...S......40/3232/40DX4436F..A...S......40/3232/40 My question is, how come this traffic isn't accelerated?  Thank you 

Hardware for home-lab

Hi,I want to run R80.30 in my home lab and get all R80 features. Management will run on another remote server.What are you using? I am thinking on running Gaia on a NUC or other small PC and run vmware, or should I get an 1430 firewall?Any recommentations?

reset user admin r80.10

good morning group, I have a problem I found the following sk163461 to be able to reset the admin psw since my client forgot it and it was not documented, only that at the time of mounting live centers I do not appear options, someone who can help me ??
HeikoAnkenbrand
HeikoAnkenbrand inside Enterprise Appliances and Gaia OS yesterday
views 301635 219 331

R80.x Ports Used for Communication by Various Check Point Modules

Introduction This drawing should give you an overview of the used R80 and R77 ports respectively communication flows. It should give you an overview of how different Check Point modules communicate with each other. Furthermore, services that are used for firewall operation are also considered. These firewall services are also partially mapped as implied rules in the set on the firewall. Overview Chapter More interesting articles: - R80.x Architecture and Performance Tuning - Link Collection- Article list (Heiko Ankenbrand) References Support Center: Ports used by Check Point software  Versions   +v1.5a typos corrected 18.09.2019 old version 1.4:+ v1.4a bug fix, update port 1701 udp L2TP 09.04.2018+ v1.4b bug fix 15.04.2018+ v1.4c CPUSE update 17.04.2018+ v1.4d legend fixed 17.04.2018+ v1.4e add SmartLog and SmartView on port 443 20.04.2018+ v1.4f bug fix 21.05.2018+ v1.4g bug fix 25.05.2018+ v1.4h add Backup ports 21, 22, 69 UDP and ClusterXL full sync port 256  30.05.2018+ v1.4i add port 259 udp VPN link probeing 12.06.2018+ v1.4j bug fix 17.06.2018+ v1.4k add  OSPF/BGP route Sync 25.06.2018+ v1.4l bug fix routed 29.06.2018+ v1.4m bug fix tcp/udp ports 03.07.2018+ v1.4n add port 256 13.07.2018+ v1.4o bug fix / add TE ports 27.11.2018+ v1.4p bug fix routed port 2010 23.01.2019+ v1.4q change to new forum format 16.03.2019 old version 1.3:+ v1.3a new designe (blue, gray), bug fix, add netflow, new names 27.03.2018+ v1.3b add routing ports, bug fix designe 28.03.2018+ v1.3c bug fix, rename ports (old) 29.03.2018+ v1.3d bug fix 30.03.2018+ v1.3e fix issue L2TP UDP port 1701 old version 1.1:+ v1.1a - added r80.xx ports 16.03.2018+ v1.1b - bug in drawing fixed 17.03.2018+ v1.1c - add RSA, TACACS, Radius 19.03.2018+ v1.1d - add 900, 259 Client-auth - deleted od 4.0 ports 20.03.2018+ v1.1e - add OPSEC -delete R55 ports 21.03.2018+ v1.1f - bug fix 22.03.2018+ v1.1g - bug fix - add mail smtp -add dhcp - add snmp 25.03.2018 Copyright by Heiko Ankenbrand  1994-2019    

http security server port

Hi How do you enable the http security server to listen on another port (default is 80)? I am trying to build a rule with service with resource and I dont think its matching because the target web port is 8080. Using R80.20 gateway.more $FWDIR/conf/fwauthd.conf......80 fwssd in.ahttpd wait -8

2 Factor authentication on GAIA?

Can we Implement 2 Factor authentication on GAIA ?
S_E_
S_E_ inside Enterprise Appliances and Gaia OS yesterday
views 1688 6

How to identify transceiver / SFP+ adapter?

Hi,I'm looking for a command to identify if a SFP+ adapter has been inserted and if, which one.E.g. 5xxx / 15xxx series appliance.The "show asset all" does not really helpNumber of line cards: 1Line card 1 type: 2 ports 10GbE SFP+ Rev 2.0Something like this (guess the vendor) would be great"show interface ethernet 1/1 transceiver"dmesg command does not really help either.any ideas?Regards,

Restore snapshot from USB drive via CLI

Trying to restore a R80.30 snapshot image (stored on USB) via CLII have completed the following to mount the USB drive:mkdir /mnt/usbmodprobe usb-storagedmesgmount /dev/sdb1 /mnt/usbcd /mnt/usblsSnapshot image is named 80_30.tar.Then ran the following to import the image and revert:set snapshot import 80_30.tar path /mnt/usb/ name 80_30set snapshot revert 80_30After issuing the revert command, nothing seems to happen.  There is no on-screen messages or progress bars.Tried viewing snapshots using show snapshots but that returns nothing.Any help here would be appreciated.

DNS error affecting CP updates

Hello all.My second question here.  Hopefully I will supply all the necessary information.My organisation has a ClusterXL HA pair of 5900 appliances running R80.20 Jumbo HF take 118.  I have noticed on SmartConsole Gateways & Servers that the standby node is showing an error.  Looking at the Device Status of the node, the IPS, Anti-Bot & Anti-Virus blades are displaying 'Error: Update failed. Contract entitlement check failed. Could not reach"updates.checkpoint.com". Check DNS and Proxy configuration on the gateway'. I have connected via SSH to both nodes in the cluster and verified that I can ping external and internal endpoints from both nodes.  I entered Expert mode on both nodes and ran dig against a known internal and external domain name.  This was successful on the active node but failed on the problematic standby node with 'connection timed out; no servers could be reached'.I power cycled the standby node this morning.  I am now seeing Connection Alerts in the SmartConsole log for DNS queries originating from the problematic gateway.  The reason is 'Firewall - Domain resolving error. Check DNS configuration on the gateway (0)'.  We are not using domain objects.Both HA nodes have identical NAT and policy.I have reviewed DNS Error Message  but it does not appear relevant.It may be unrelated, but there is a noticeable delay between entering the username and the password prompt appearing when accessing the problematic node via ssh.I'm wondering what else I can test before pushing the issue out to TAC.Thanks,Andy

Enabled SecureXL means no traffic

Hi there,have anyone got problem with SecureXL after upgrade from R80.10 to R80.20?At beginning I thought that it might be a problem with NAT Templates, as they are disabled on 80.10 and enabled on 80.20 but it's not. I've turned them off and issue persist.Frankly speaking I don't understand what is going on. FW.log  shows everything is fine, rules are applied and working, but physically there is no internet communication.And here comes the miracle:When I turn off SecureXL everything goes as it should. I have already opened a Technical Assistance Case, but it looks like they suck more than I do (except one wonderful woman with which we found that SecureXL is an issue). So I decided to ask here, have you guys faced such a crazy issue?RegardsArek 

Upgarde to R80.30 keeps failig

I am upgrading management server in HA running R80.10 to R80.30. I have managed to upgrade the standby server successfully without any issues using CPUSE. the primary upgrade keeps failing with error " CPUSE encountered a problem while importing the package to the Gaia machine. try to import the package again. if the problem persist, contact check point Technical Service"I have tried to upgrade the DA to the latest version , but the upgrade keeps failing with error message "File is not DA package". can anyone help please ? 

Upgrade to R80.30 fails

Standalone full HA deployment running R80.10 in a test lab environment.Trying to upgrade to R80.30 using the following guide:https://sc1.checkpoint.com/documents/R80.30/WebAdminGuides/EN/CP_R80.30_Installation_and_Upgrade_Guide/html_frameset.htmI've exported the R80.30_T200_Fresh_Install_and_Upgrade_Security_Gateway.tgz file from a separate (LIVE) firewall and imported this onto the 2nd cluster member as the cluster doesn't have internet connectivity.When attempting to upgrade (right click and selecting 'Upgrade') the installation fails shortly after.  Here is a copy of the install log:[11/08/19 - 15:44:59][18264 4126043024]:------ Installing: ------[11/08/19 - 15:45:00][18264 4126043024]:------ Validating Install: ------[11/08/19 - 15:45:00][18264 4126043024]:/var/log/CPda/metadata/CheckPoint#Major#All#6.0#5#0#R80.30_GW_T200/tmp//major.conf file is in wrong format, unknown key: NEW_UPGRADE_VERSION[11/08/19 - 15:45:00][18264 4126043024]:Error: Could not read config file /var/log/CPda/metadata/CheckPoint#Major#All#6.0#5#0#R80.30_GW_T200/tmp//major.confAny assistance with this would be greatly appreciated.  

Many logs "kfunc_cmik_loader_execute_dyn_ctx: cmi_match_env is NULL"

Hi team,We have a dedicated management in R80.30 and many gateway in R80.10 or R80.30From one gateway in R80.30 with JUMBO_HF_Bundle_T50, we have many the following error message:Oct 23 08:57:16 2019 Gateway kernel: [fw4_0];[A.B.50.1:316 -> A.B.6.3:0] [ERROR]: kfunc_cmik_loader_execute_dyn_ctx: cmi_match_env is NULLOct 23 08:58:57 2019 Gateway kernel: [fw4_1];[A.C.51.225:61106 -> A.E.3.201:49155] [ERROR]: kfunc_cmik_loader_execute_dyn_ctx: cmi_match_env is NULLOct 23 08:59:15 2019 Gateway kernel: [fw4_0];[A.C.51.225:61154 -> A.E.3.201:49155] [ERROR]: kfunc_cmik_loader_execute_dyn_ctx: cmi_match_env is NULLOct 23 09:06:28 2019 Gateway kernel: [fw4_1];[X.187.172.9:63237 -> 81.18.Z.123:443] [ERROR]: kfunc_cmik_loader_execute_dyn_ctx: cmi_match_env is NULLOct 23 09:08:16 2019 Gateway kernel: [fw4_2];[A.E.16.53:49458 -> A.F.2.200:60001] [ERROR]: kfunc_cmik_loader_execute_dyn_ctx: cmi_match_env is NULLOct 23 09:09:34 2019 Gateway kernel: [fw4_0];[A.E.102.224:49180 -> 18.X.169.249:80] [ERROR]: kfunc_cmik_loader_execute_dyn_ctx: cmi_match_env is NULLOct 23 09:10:05 2019 Gateway kernel: [fw4_0];[A.E.3.201:56124 -> 185.84.112.151:443] [ERROR]: kfunc_cmik_loader_execute_dyn_ctx: cmi_match_env is NULL These errors appear generally every 3/4/5 min, without SecureXL or not, we still have these logs. I have installed the Take_76, we still have these logs.My question is: Before to open a case to the TAC, does anyone has faced with these errors ? If so, what was the resolution?  Regards