Showing results for 
Search instead for 
Did you mean: 
Post a Question

R80.30 stability status

Dear all, I have 15600 Security Gateway appliance and smart-1 225 Management appliance that is currently running on R80.10 Take 189 is install . I am facing VPN unsuitability issue with current version maximum site to site VPN is with AWS.Is R80.30 is stable version?? Is this version resole VPN issue??
HeikoAnkenbrand inside Enterprise Appliances and Gaia OS yesterday
views 265096 207 318

R80.x Ports Used for Communication by Various Check Point Modules

Introduction This drawing should give you an overview of the used R80 and R77 ports respectively communication flows. It should give you an overview of how different Check Point modules communicate with each other. Furthermore, services that are used for firewall operation are also considered. These firewall services are also partially mapped as implied rules in the set on the firewall. Overview Chapter Architecture:R80.x Security Gateway Architecture (Logical Packet Flow)R80.x Security Gateway Architecture (Content Inspection) R80.x Security Gateway Architecture (Acceleration Card Offloading) R80.x Ports Used for Communication by Various Check Point Modules Performance Tuning:R80.x Performance Tuning Tip - AES-NI R80.x Performance Tuning Tip - SMT (Hyper Threading) R80.x Performance Tuning Tip - Multi Queue R80.x Performance Tuning Tip - Connection Table R80.x Performance Tuning Tip - fw monitorR80.x Performance Tuning Tip - TCPDUMP vs. CPPCAP R80.x Performance Tuning Tip – DDoS „fw sam“ vs. „fwaccel dos“ Cheat Sheet:R80.x cheat sheet - fw monitor R80.x cheat sheet - ClusterXL More interesting articles:Article list (Heiko Ankenbrand) References Support Center: Ports used by Check Point software Versions + v1.4a bug fix, update port 1701 udp L2TP 09.04.2018+ v1.4b bug fix 15.04.2018+ v1.4c CPUSE update 17.04.2018+ v1.4d legend fixed 17.04.2018+ v1.4e add SmartLog and SmartView on port 443 20.04.2018+ v1.4f bug fix 21.05.2018+ v1.4g bug fix 25.05.2018+ v1.4h add Backup ports 21, 22, 69 UDP and ClusterXL full sync port 256 30.05.2018+ v1.4i add port 259 udp VPN link probeing 12.06.2018+ v1.4j bug fix 17.06.2018+ v1.4k add OSPF/BGP route Sync 25.06.2018+ v1.4l bug fix routed 29.06.2018+ v1.4m bug fix tcp/udp ports 03.07.2018+ v1.4n add port 256 13.07.2018+ v1.4o bug fix / add TE ports 27.11.2018+ v1.4p bug fix routed port 2010 23.01.2019+ v1.4q change to new forum format 16.03.2019 old version 1.3:+ v1.3a new designe (blue, gray), bug fix, add netflow, new names 27.03.2018+ v1.3b add routing ports, bug fix designe 28.03.2018+ v1.3c bug fix, rename ports (old) 29.03.2018+ v1.3d bug fix 30.03.2018+ v1.3e fix issue L2TP UDP port 1701 old version 1.1:+ v1.1a - added r80.xx ports 16.03.2018+ v1.1b - bug in drawing fixed 17.03.2018+ v1.1c - add RSA, TACACS, Radius 19.03.2018+ v1.1d - add 900, 259 Client-auth - deleted od 4.0 ports 20.03.2018+ v1.1e - add OPSEC -delete R55 ports 21.03.2018+ v1.1f - bug fix 22.03.2018+ v1.1g - bug fix - add mail smtp -add dhcp - add snmp 25.03.2018 Copyright by Heiko Ankenbrand 1994-2019

BGP ISP advertise /24

Hello, I am considering replacing my cisco routers with a checkpoint to advertise my /24 to each of my ISP providers. Has anyone every done this? If so are there any caveats or issues that you have found? Thanks, Aaron

GAIA - Easy execute CLI commands on all gateways simultaneously

Now you can use the new command "gw_mbash" and "g_mclish" to execute bash or clish commands on all gateway simultaneously from the management server. All you have to do is copy and paste the above lines to the management server. After that you have two new commands on the management server. Here you can now centrally execute simple commands on all gateways which are connected via SIC with the management. Attention! You can quickly destroy your gateways if you enter the wrong commands! Command syntax: Command Description # gw_detect # gw_detect80 Detect all your gateways that support from this tool. This command only needs to be executed once or when gateways changed in topology.All founded gateways are stored as IP address in this file /var/log/g_gateway.txt. All added IP addresses will be used later to execute commands on these gateways. The file can also be edit manually to add gateway IP adressess. The execution of this command may take a few minutes. Use this command on R80.x gateways "gw_detect80" is a little bit faster. Use this command on R77.x gateways "gw_detect". # gw_mbash <command> Execute expert mode command on all gateway simultaneously # gw_mclish <command> Execute clish command on all gateway simultaneously An example! You want see the version of all gateway they are defined in the topology. Management# gw_detect -> start this command fist to detect all your supported gateways or "gw_detect80" on R80.x gatewaysManagement# gw_mclish show version os edition -> execute this command on all gateways Now the command "show version os edition" is executed on all gateways and the output is displayed on the management server sorted according to the ip addresses of the gateways in the firewall topologie. The same also works for the expert mode. For example: Management# gw_detect -> start this command fist to detect all your supported gateways or "gw_detect80" on R80.x gatewaysManagement# gw_mbash fw ver -> execute this command on all gateways Tip 1 Use this command to backup your clish configs from all gateways. Management# gw_mclish show configuration > backup_clish_all_gateways.txt This can also be start as simply cronjob😀. Tip 2 Check central performance settings for all gateways: Management# gw_mbash fw tab -t connections -s -> show state table for all gateways Management# gw_mbash fwaccel stat -> show fwaccel state's for all gatewaysManagement# gw_mbash ips stat -> check on witch gateway ips is enabled ... Cppy and paste this lines to the management server or download the script "" and execute the script. echo '#!/bin/bash' > /usr/local/bin/gw_mbash echo 'if [ ! -f /var/log/g_gateway.txt ]; then' >> /usr/local/bin/gw_mbash echo 'echo "First start \"gw_detect\" and\or edit the file \var\log\gw_gateway.txt manually. Add here all your gateway IP addresses."' >> /usr/local/bin/gw_mbash echo 'else' >> /usr/local/bin/gw_mbash echo 'HAtest="$@"' >> /usr/local/bin/gw_mbash echo 'echo $HAtest > /var/log/g_command.txt;' >> /usr/local/bin/gw_mbash echo 'while read line' >> /usr/local/bin/gw_mbash echo 'do' >> /usr/local/bin/gw_mbash echo 'if $CPDIR/bin/cprid_util getarch -server $line |grep "gaia" > /dev/null;' >> /usr/local/bin/gw_mbash echo 'then' >> /usr/local/bin/gw_mbash echo 'echo "--------- GAIA $line execute command: $HAtest"' >> /usr/local/bin/gw_mbash echo '$CPDIR/bin/cprid_util -server $line putfile -local_file /var/log/g_command.txt -remote_file /var/log/g_command.txt;' >> /usr/local/bin/gw_mbash echo '$CPDIR/bin/cprid_util -server $line -verbose rexec -rcmd /bin/bash -f /var/log/g_command.txt' >> /usr/local/bin/gw_mbash echo 'else' >> /usr/local/bin/gw_mbash echo 'echo "--------- STOP $line Error: no SIC to gateway or no compatible gateway"' >> /usr/local/bin/gw_mbash echo 'fi' >> /usr/local/bin/gw_mbash echo 'done < /var/log/g_gateway.txt' >> /usr/local/bin/gw_mbash echo 'fi' >> /usr/local/bin/gw_mbash chmod +x /usr/local/bin/gw_mbash echo '#!/bin/bash' > /usr/local/bin/gw_mclish echo 'if [ ! -f /var/log/g_gateway.txt ]; then' >> /usr/local/bin/gw_mclish echo 'echo "First start \"gw_detect\" and\or edit the file \var\log\gw_gateway.txt manually. Add here all your gateway IP addresses."' >> /usr/local/bin/gw_mclish echo 'else' >> /usr/local/bin/gw_mclish echo 'HAtest="$@"' >> /usr/local/bin/gw_mclish echo 'echo $HAtest > /var/log/g_command.txt;' >> /usr/local/bin/gw_mclish echo 'while read line' >> /usr/local/bin/gw_mclish echo 'do' >> /usr/local/bin/gw_mclish echo 'if $CPDIR/bin/cprid_util getarch -server $line |grep "gaia" > /dev/null;' >> /usr/local/bin/gw_mclish echo 'then' >> /usr/local/bin/gw_mclish echo 'echo "--------- GAIA $line execute command: $HAtest"' >> /usr/local/bin/gw_mclish echo '$CPDIR/bin/cprid_util -server $line putfile -local_file /var/log/g_command.txt -remote_file /var/log/g_command.txt;' >> /usr/local/bin/gw_mclish echo '$CPDIR/bin/cprid_util -server $line -verbose rexec -rcmd /bin/clish -f /var/log/g_command.txt' >> /usr/local/bin/gw_mclish echo 'else' >> /usr/local/bin/gw_mclish echo 'echo "--------- STOP $line Error: no SIC to gateway or no compatible gateway"' >> /usr/local/bin/gw_mclish echo 'fi' >> /usr/local/bin/gw_mclish echo 'done < /var/log/g_gateway.txt' >> /usr/local/bin/gw_mclish echo 'fi' >> /usr/local/bin/gw_mclish chmod +x /usr/local/bin/gw_mclish echo '#!/bin/bash' > /usr/local/bin/gw_detect echo 'echo -n > /var/log/g_gateway.txt' >> /usr/local/bin/gw_detect echo "more $FWDIR/conf/objects.C |grep -A 500 -B 1 ':type (gateway)'| sed -n '/gateway/,/:ipaddr (/p' | grep 'ipaddr (' | sed 's/^[ \t]*//' | sed 's/\:ipaddr (//' |sed 's/)//' > /var/log/g_gwl.txt" >> /usr/local/bin/gw_detect echo 'while read line' >> /usr/local/bin/gw_detect echo 'do' >> /usr/local/bin/gw_detect echo 'if $CPDIR/bin/cprid_util getarch -server $line |grep "gaia" > /dev/null;' >> /usr/local/bin/gw_detect echo 'then' >> /usr/local/bin/gw_detect echo 'echo "--------- GAIA $line "' >> /usr/local/bin/gw_detect echo 'echo "$line" >> /var/log/g_gateway.txt' >> /usr/local/bin/gw_detect echo 'else' >> /usr/local/bin/gw_detect echo 'echo "--------- STOP no SIC to gateway or no compatible gateway"' >> /usr/local/bin/gw_detect echo 'fi' >> /usr/local/bin/gw_detect echo 'done < /var/log/g_gwl.txt' >> /usr/local/bin/gw_detect chmod +x /usr/local/bin/gw_detect echo '#!/bin/bash' > /usr/local/bin/gw_detect80 echo 'echo -n > /var/log/g_gateway.txt' >> /usr/local/bin/gw_detect80 echo "mgmt_cli -r true show gateways-and-servers details-level full --format json | $CPDIR/jq/jq -r '.objects[] | select(.type | contains(\"Member\",\"simple-gateway\")) | .\"ipv4-address\"' |grep -v null|grep -v 0.0. > /var/log/g_gwl.txt" >> /usr/local/bin/gw_detect80 echo 'while read line' >> /usr/local/bin/gw_detect80 echo 'do' >> /usr/local/bin/gw_detect80 echo 'if $CPDIR/bin/cprid_util getarch -server $line |grep "gaia" > /dev/null;' >> /usr/local/bin/gw_detect80 echo 'then' >> /usr/local/bin/gw_detect80 echo 'echo "--------- GAIA $line "' >> /usr/local/bin/gw_detect80 echo 'echo "$line" >> /var/log/g_gateway.txt' >> /usr/local/bin/gw_detect80 echo 'else' >> /usr/local/bin/gw_detect80 echo 'echo "--------- STOP no SIC to gateway or no compatible gateway"' >> /usr/local/bin/gw_detect80 echo 'fi' >> /usr/local/bin/gw_detect80 echo 'done < /var/log/g_gwl.txt' >> /usr/local/bin/gw_detect80 chmod +x /usr/local/bin/gw_detect80 Versions:v0.1 - 04-14-2019 - -> betav0.2 - 04-16-2019 - -> remove bugsv0.3 - 04-17-2019 - -> split to two commands (gw_detect and the old commands)v0.4 - 05-05-2019 - -> add command "gw_detect80" Video tutorial: LITHIUM.OoyalaPlayer.addVideo('https:\/\/\/static\/v4\/production\/', 'lia-vid-9wdnRtaDE62K43G6H0BgrmwVXzp0YJzvw822h520r170', '9wdnRtaDE62K43G6H0BgrmwVXzp0YJzv', {"pcode":"kxN24yOtRYkiJthl3FdL1eXcRmh_","playerBrandingId":"ODI0MmQ3NjNhYWVjODliZTgzY2ZkMDdi","width":"822px","height":"520px"});(view in My Videos) Copyright by Heiko Ankenbrand 1996-2019

Unable to Trace from Inside Network to External Network after upgrading from R77.30 to R80.20

Hi Team,We have upgraded our Firewall from R77.30 (CP 4800 Appliance) to R80.20 (CP 5800 Appliance). And we have the same set of rules and policy from existing Management to New Management. But after upgrading to R80.20, we are unable to Tracert the IP/URL from Inside Network to External Network but we are not getting any drops on logs and zdebug. However, we are able to ping/telnet the IP/URL from Inside to External.While tracing any IP/URL, packet it entering in Firewall Inside Interface but it's not going out through External Network and in Logs, it's not showing any drops. However, when we are tracing the same IP/URL from Firewall Gateway itself, it's working fine and able to Trace successfully.Can anyone please help us with this concern and do let us know if any information is required. Thanks,Chandan

12600 with VSX low on memory

Ran into a problem with the upgrade of a 12600 for a customer that was asked to assist. The setup of this customer was pretty simple, 2 management servers on R80.20 in HA. 2 x 12600 with R80.10 running VSX. One piece of giveaway, one of the 12600's has 12GB memory the other (the backup) has 6GB memory Now the challenge was to upgrade to R80.20 to be able to use the dynamic objects for Office 365. So we start with the backup unit, there are 5 VS's and 55 virtual switches. When done with the upgrade which went well (cpuse upgrade) we reboot the box and let it do it's things to see where we are I check with vsx stat -v and get a list of 39 problems like this: Unable to open '/vs2/dev/fw0': Connection refused Unable to open '/vs4/dev/fw0': Connection refused Unable to open '/vs6/dev/fw0': Connection refused Unable to open '/vs7/dev/fw0': Connection refused Unable to open '/vs9/dev/fw0': Connection refused Unable to open '/vs12/dev/fw0': Connection refused Unable to open '/vs14/dev/fw0': Connection refused On the console there were messages about SIC problems, we ended up doing a reinstall of the box with a USB stick and a clean R80.20, then ran a vsx_util reconfigure (after the base interface config) however the number of errors remains the same. Opened a TAC case, but nobody could find the cause of the messages and errors. We decided to add more memory, so we sent 3 x 4GB onsite, but as the box has 2 physical CPU's it needs a even number of memory banks, so we put in 2 x 4GB to see if it would improve, it sure did, The number of problems went back to 20 with the added 2GB. One other thing that was bothering me was the 55 Virtual Switches. The engineer that helped this customer during the first setup told the customer to create a vSwitch for each VLAN they use... 🤔 All these switches ended up in 1 trunk port and terminated a VLAN, out of the 55 there were 19 vSwitches that had no connection to any VS, so I tried to delete 1 that was all ok in SmartConsole, this went ok and got removed from both boxes. I continued to remove all the ones that had no issues. After a reboot the box came back without any of the previous errors. Then I could remove the last couple of unused vSwitches. Then the local contact came back with 6 x 4GB DIMM's and put them all in, now the box is happily running with 24GB, why CP says it only supports 12 GB, I don't know. We will see tomorrow that we upgrade the other box from R80.10 to R80.20 and also put more memory in them.

Internal CA VPN certificate

After performing an external vulnerability scan, the following vulnerability shows up. It appears to be getting flagged because the IP address of the firewall was changed at some point and there is a mismatch. The firewall that was scanned (ie: is showing the following in the certificate (ie: for Subject Alternate Name. This is not causing any issues with VPN tunnels. What is being presented is the Internal CA VPN certificate and wondering if there is an easy fix other possibly a re-SIC?X.509 Certificate Subject CN Does Not Match the Entity NameThe subject common name found in the X.509 certificate does not seem to match the scan target:Subject CN fw-xxxxxxxxxx VPN Certificate does not match target name specified in the site.Subject CN fw-xxxxxxxxxx VPN Certificate could not be resolved to an IP address via DNS lookup.Subject Alternative Name x.x.x.x does not match target name specified in the site.The subject's common name (CN) field in the X.509 certificate should be fixed to reflect the name of the entity presenting the certificate (e.g., the hostname). This is done by generating a new certificate usually signed by a Certification Authority (CA) trusted by both the client and server. If wildcard certificates are in use please submit the FQDN for the host for validation of the wildcard.

VPN Tunnels Capacity

Hi Masters,I`m working in important opportunity where I`m offering appliances 730 and 5200 and the customer is requiring the following IPSEC VPN Tunnels capacity:For 730 appliance, more than 20 IPSec Site-to-Site tunnels and more than 20 IPSec Client to Site Tunnels.For 5200 appliance, more than 2,500 IPSec Site-to-Site tunnels and more than 2,500 IPSec Client to Site Tunnels.Please, could some one help me answering if the above appliances support the customer`s requirement ?Sincerely.Tiago Marques.

Promoting Secondary MDS to be Primary MDS

Hello guys,I would like to know if there is any way how to promote Secondary Multi-Domain Security Management (Provider-1) to be Primary Multi-Domain Security Management (Provider-1). I am familiar with sk114933 (promote_util tool) but this is valid only for SMS (Security management server).Both MDS are running on R77.30, latest Jumbo hotfix.Thank you.

HA ClusterXL Connectivity Upgrade

Hi mates,I am facing an issue with a cluster upgrade and no idea why the problem appeared, i hope someone could provide any guidance or help. I describe the scenario here below:*Two 4400 R80.10 appliances in HA cluster --> Upgrade to R80.30*Performing Connectivity Upgrade procedure due to customer needs zero downtime if possible (followed steps described in CP_R80.30_Installation_and_Upgrade_Guide)*After the upgrade in standby member, we did the connectivity upgrade with cphacu start command. Members status were ok, Ready for upgraded member and Active(!) for old one.*Doing the failover with cpstop command in old member, traffic some vlan's started to lose connectivity and connection to SMS was lost. As the traffic this cluster handles is very very critical we had to do cpstart in old member which is handling the traffic righ now.*During the review after the failed upgrade we see that pnote RouteD is with state "Problem" in upgraded appliance. Active member RouteD Pnote state is "ok". Taking into consideration that it is a cluster and that it is using OSPF, should the state of Routed Ponte be that?*In this moment active member is running R80.10 and the other R80.30, version in smartconsole object is R80.10 in order to let the customer install policy.*We opened a case with TAC who is asking for a maintenance window in order to troubleshoot during the failover, it implies a downtime and the customer wants to do this as the last option, until all possible attempts were made before.Any ideas to try solve this? Thanks in advance

How to manually delete an entry from the Connections Table

Not that you really need to use this often but it has saved my day once or twice a year. Great SK103876 is available but in a stressful situation calculating HEX numbers is the last thing you want to do and then compiling a complex command out of it is even more challenging This one-liner actually gives you an opportunity to generate all fw tab kill commands in one file for a pair of given IP addresses. Tested on R80.10 GW but I'm fairly confident it would work in R77. IPA="x.x.x.x"; IPB="y.y.y.y"; IPAHEX=`printf '%02x' ${IPA//./ }`; IPBHEX=`printf '%02x' ${IPB//./ }`; grep "$IPAHEX" table | grep "$IPBHEX" | grep "^<0000000" | awk '{print $1" "$2" "$3" "$4" "$5" "$6}'|sed 's/ //g'|sed 's/</fw tab -t connections -x -e /g'|sed 's/>//g'|sed 's/;//g' > listofallYou will need to dump all your current connections into a file called table first of course. You may add this to front of the above to make it true one-liner.. But I found it easier to do this in two steps as you have more controlfw tab -t connections -u > tableAnd result is in file called listofall. Then you just execute those commands by copy-paste for example or chmod the file itself and run it.Here's an example And of course, you can add port numbers if needed

Dynamic Routing Anti Spoofing

hey1) how can you enforce AntiSpoofing on interfaces that learn routes from dynamic protocol (OSPF / RIP )?2) i also have one network which is directlry connected to the FW and in a DR scenario someone will shut the interface and this network will failover to the DR so i need the FW to be updated acordingly with the anti-spoofing configurationFW Version is R77.30

Comparing 15000 series appliances against 6000 series

Hello!Check Point released a new appliance line of 6000 series and here comes the new challenge. For a customer who wants NGTP functionality and in the scenario where based on sizing 15600 is a perfect match for them, should we go for it or it is even better to go with 6800 model? You see NGTP performance of 6800 is far better by datasheet and price is much lower too.Enterprise Testing Conditions:6800 Security Gateway- 8.9 Gbps of Threat Prevention15600 Security Gateway- 7.4 Gbps of Threat Prevention2Both numbers are provided with R80.20 Your opinions?BRVato

Message seen on /var/log/messages - "simi_reorder_enqueue_packet"

Hi there guys, I'm seeing this message "simi_reorder_enqueue_packet" on /var/log/messages. Is this an indication traffic congestion? My network is momentarily encountering intermittent application connectivity especially on VOIP. As usual, no drops are seen on tracker and zebug. Hope someone had encountered this.

checkpoint r80.20 gaia os dhcp server option 150

Hi,i want to configure DHCP server on my GAIA os with dhcp server option 150 - tftp for ip phones.i saw sk92473 but it says we can only use the options showed in option 150 isn't there.someone knows if this is supported and how to configure it? thanks