
Firewall rule for any tcp and udp port

How can we create a service for any TCP and UDP port? Port should be: Any, and protocol should be: TCP and UDP.

Optimal steps for ClusterXL cluster upgrade

I have an upcoming change that will involve replacing a pair of ClusterXL firewalls with new hardware. My organization has only been using ClusterXL for a year and this will be the first time we are replacing a cluster that is extremely high-impact to applications/end users. The new cluster will have different physical IP addresses but will take over the existing Virtual IPs. I am wondering what the recommended steps are for transitioning from one cluster to another with the least amount of impact.

For the clusters I have replaced since moving from VRRP to ClusterXL, I have stood up the new cluster side-by-side with the existing one with different physical IPs in the same subnets, added them to SmartConsole with those IPs and left the VIPs blank on the new cluster until the time to cut over to them. The new pair would already have the same policy before the change is done, but would not have any VIP information in them.

For the actual cutover my steps have been:
1) Update the new cluster object to add both VIPs and save.
2) Begin the policy push to the new cluster.
3) While the policy is pushing, stop services on the backup member of the old cluster, then stop services on the primary member.
4) As soon as the policy shows it is pushed, verify that the VIPs show up in the new cluster.
5) Refresh ARP manually if necessary on the connecting L3 switches to avoid issues with the ARP cache.

Can I do anything to improve upon this plan? Have any suggestions for minimizing the impact?

How can i create a SNAT Pool (Specific public IPs) with ISP redundancy

Hi all,

I've been looking for an SK that talks about how to configure a Hide NAT with specific public IPs in ISP Redundancy. I mean, how can I create outbound traffic with a Hide NAT pool (a specific IP for each ISP) and not the gateway IP address? I've been searching the history of Gaia OS from R76 to R80.30 and I cannot see that this feature has been added.

For example, email servers: when we have this scenario to load-balance SMTP traffic, we always need to respond from the same source for inbound and outbound. When we have ISP Redundancy, the concepts for configuring ISP Redundancy are:
- To have redundancy of services, in most cases SMTP traffic inbound and outbound for each public ISP.

I know that Check Point is not a load balancer, but it at least needs to have this feature, because the only outbound load balancing is the gateway IP address.

Any information, SK or future feature in R80.40 and above, please let me know; I will appreciate it.

Regards,

Hotfix installation 345 R77.30

I have one Management Server with Gaia R77.30 on which I want to install hotfix 345. Can you help me with what precautions I should take before installing this on the Management Server and on a cluster-configured firewall?

R80.20-R80.30 ClusterXL vlan monitoring

Hello,

I cannot find any discussion about the fact that in the R80.20 and R80.30 admin guide, in the section "VLAN support in ClusterXL", monitoring all VLAN IDs is no longer supported. I would like to understand why 🙂 Is there any other way to monitor all VLANs then? Can someone help?

Thank you. Best regards,
Furil

R80.20 MTU and SecureXL Problem

Hello,

We have an Ethernet link (no Check Point VPN) to a network where the MTU is 1422. If we set the MTU on the interface and disable SecureXL, the clients (with the default MTU of 1500) get the ICMP Fragmentation Needed packet and start to send packets with a smaller MTU. When we reactivate SecureXL, the clients start to send 1500-byte packets again and do not get an ICMP Fragmentation Needed packet from the firewall. We are using a Check Point 5600 cluster with R80.20 with the latest HFA. Did anybody have the same problem?

Jan
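The client behaviour Jan sees with SecureXL disabled is standard IPv4 Path MTU Discovery (RFC 1191): the client sends 1500-byte packets with the DF bit set, the router in front of the 1422-byte link answers with ICMP type 3 code 4 carrying the next-hop MTU, and the client re-sends at the smaller size. The following Python model is an added example, not code from the post or from Check Point: it walks a DF packet, a non-DF packet and an adapting client through a 1422-byte egress link. The `Router.icmp_enabled` flag is an assumption used only to reproduce the two outcomes the post describes (ICMP returned, or no ICMP and the client keeps sending 1500-byte packets); it is not an implementation of SecureXL.

```python
"""Path MTU discovery model (constructed example, not code from the post).

A router with a 1422-byte egress link and a client that honours ICMP
Fragmentation Needed.  `icmp_enabled=False` is an assumption that models
the symptom in the post: no ICMP comes back and the client never learns
the smaller MTU.
"""
from dataclasses import dataclass, field

IPV4_HEADER = 20  # bytes; no IP options


@dataclass
class Packet:
    total_len: int          # bytes including the IPv4 header
    df: bool = True         # Don't Fragment; TCP sets it for PMTUD
    fragment_offset: int = 0  # in 8-byte units, as on the wire


@dataclass
class Router:
    egress_mtu: int
    icmp_enabled: bool = True  # False models the "no ICMP" symptom

    def forward(self, pkt: Packet):
        """Return one of:
        ('forward', [pkt])            fits the link
        ('fragment', [frags])         DF clear, split per RFC 791
        ('icmp_frag_needed', mtu)     DF set, router reports next-hop MTU
        ('drop', None)                DF set, no ICMP (PMTUD black hole)
        """
        if pkt.total_len <= self.egress_mtu:
            return "forward", [pkt]
        if pkt.df:
            if self.icmp_enabled:
                return "icmp_frag_needed", self.egress_mtu
            return "drop", None
        # DF clear: fragment. Every fragment but the last carries a payload
        # that is a multiple of 8 bytes so offsets stay expressible.
        payload = pkt.total_len - IPV4_HEADER
        per_frag = (self.egress_mtu - IPV4_HEADER) // 8 * 8
        frags, offset = [], 0
        while offset < payload:
            chunk = min(per_frag, payload - offset)
            frags.append(Packet(IPV4_HEADER + chunk, df=False,
                                fragment_offset=offset // 8))
            offset += chunk
        return "fragment", frags


@dataclass
class Client:
    path_mtu: int = 1500            # starts at the local interface MTU
    sent_sizes: list = field(default_factory=list)

    def send(self, router: Router, data_len: int, max_tries: int = 3) -> str:
        """Send data_len bytes with DF set, shrinking path_mtu on ICMP.

        Returns 'delivered' or 'blackholed'.  A real TCP stack would
        re-segment the remaining data; here only the first segment matters.
        """
        for _ in range(max_tries):
            size = min(IPV4_HEADER + data_len, self.path_mtu)
            self.sent_sizes.append(size)
            verdict, info = router.forward(Packet(size, df=True))
            if verdict == "forward":
                return "delivered"
            if verdict == "icmp_frag_needed":
                self.path_mtu = info  # learn the smaller MTU and retry
            # 'drop': no feedback, so the retransmit uses the same size
        return "blackholed"


if __name__ == "__main__":
    link = Router(egress_mtu=1422)
    print(link.forward(Packet(1500)))            # ICMP with next-hop MTU 1422
    print(link.forward(Packet(1500, df=False)))  # two fragments: 1420 + 100
    ok = Client()
    print(ok.send(link, 1480), ok.sent_sizes)    # delivered [1500, 1422]
    bad = Client()
    print(bad.send(Router(1422, icmp_enabled=False), 1480), bad.sent_sizes)
```

Running it shows why the SecureXL-on case hurts: with no ICMP the client has no signal, keeps retransmitting 1500-byte DF packets, and the connection stalls rather than failing loudly.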

VPN routing

Hi,

ENVIRONMENT
VPN COMMUNITY TYPE: Star
CENTER GW: Check Point R80.10 (5900 appliances) (managed by our customer)
SATELLITE GW: Cisco (managed by external 1)
SATELLITE GW: Fortinet (managed by external 2)
SATELLITE GW: Cisco ASA (managed by external 3)
SATELLITE GW: Check Point (managed by external 4)

TRAFFIC FLOW
The SATELLITE GWs of externals 2, 3 and 4 need to contact the SATELLITE GW of external 1; the traffic must always pass through the CENTER GW.

CONFIGURATION
Each SATELLITE (2, 3, 4) arrives at the CENTER GW with the following IP address:
customer 2 --> customer 3 --> customer 4 --> they try to connect to (a host behind SATELLITE GW: Cisco (managed by external 1))
When a host behind GW: Fortinet (managed by external 2) AND host 10.10.10.20 behind SATELLITE GW: Check Point (managed by external 4) did the telnet connection to GW: Cisco (managed by external 1), EVERYTHING WORKS FINE.
When a host behind GW: Cisco (managed by external 3) did the telnet connection to GW: Cisco (managed by external 1), it DOES NOT OPEN.

LOGS
1. When the traffic works fine between satellites, the traffic log shows the action VPN Routing.
2. When the traffic does not work, the traffic log shows the action Decrypt (it never shows VPN Routing).

QUESTIONS
1. How can we check by CLI the routes created by VPN Routing from the Star Community?
2. Could you explain to us the order in VPN routing: first decrypt, second NAT, third encrypt?
3. What other troubleshooting could we run?


Danny inside Enterprise Appliances and Gaia OS Wednesday

One-liner for Address Spoofing Troubleshooting

One-liner (Bash) to show a summary of each gateway interface's calculated topology and Address Spoofing setting. In expert mode run:

# Only meaningful on a Security Gateway: cpprod_util answers 1 when the firewall module is installed
if [[ `$CPDIR/bin/cpprod_util FwIsFirewallModule 2>/dev/null` != *'1'* ]]; then
  echo; tput bold; echo ' Not a firewall gateway!'; tput sgr0; echo
else
  # Header: "Interface Topology > <hostname or VS name>" and a rule line
  echo; tput bold; echo -n ' Interface Topology '; tput sgr0; echo -n '> '; tput bold; tput setaf 1
  if [[ -n "$vsname" ]] && [[ $vsname != *'unavail'* ]]; then echo $vsname' (ID: '$INSTANCE_VSID')'; else hostname; fi
  tput sgr0; echo -n ' '; printf '%.s-' {1..80}; echo
  # Pull the interface, topology and anti-spoofing attributes out of the installed policy state file
  egrep -B1 $'ifindex|:ipaddr|\(\x22<[0-9]|objtype|has_addr_info|:monitor_only|:external' $FWDIR/state/local/FW1/local.set |
  # Start at this gateway's own object: the VS name on a non-VS0 virtual system, otherwise the hostname's IP from /etc/hosts
  sed -n "/$(if [[ -n "$vsname" ]] && [[ $vsname != *'unavail'* ]] && [[ $INSTANCE_VSID != '0' ]]; then echo $vsname; else grep `hostname` /etc/hosts | cut -f1 -d' '; fi)*$/,\$ p" |
  tail -n +3 |
  # Strip quotes, brackets and grep separators; merge IPv6 addresses onto the interface line
  sed 's/[\x22\t()<>]//g' | sed 's/--//g' | sed '$!N;s/\n:ipaddr6/ IPv6/;P;D' | sed '/IPv6/!s/://g' |
  sed 's/interface_topology/\tCalculated Interface Topology/g' |
  # Keep only the interface block (bounded by the "ifindex 0" markers) and drop spoof/scan entries
  sed '0,/ifindex 0/{/ifindex 0/d;}' | sed '/ifindex 0/q' | sed '/spoof\|scan/d' |
  # Translate the raw attributes into readable labels
  sed 's/has_addr_info true/\tAddress Spoofing Protection: Enabled/g' | sed 's/has_addr_info false/\tAddress Spoofing Protection: Disabled/g' |
  sed -e '/Prot/{n;d}' |
  sed '$!N;s/\nmonitor_only true/ (Detect Mode)/;P;D' | sed '$!N;s/\nmonitor_only false/ (Prevent Mode)/;P;D' |
  sed '$!N;s/\nexternal false/ - Internal Interface/;P;D' | sed '$!N;s/\nexternal true/ - External Interface/;P;D' |
  sed '/objtype/q' |
  # Trim leading lines by working from the end of the block backwards, then restore the order
  tac | sed '/ifindex 0/I,+2 d' | sed '/Address/,$!d' | tac |
  sed '/ifindex/d' | sed 's/,/ -/g' | sed '$!N;s/\nipaddr/ >/;P;D' | sed '/ - /s/^ /\t/' |
  # Highlight the settings worth a second look: external interfaces, disabled protection, detect mode
  egrep -C 9999 --color=auto $'>|IPv6|External|Disabled|Detect'
  echo
fi

The one-liner is IPv4 and IPv6 compatible, works on clustered and single gateway environments and also within VSX, shows all interface types configured in your firewall object within SmartDashboard, colors specific words of the output for easier identification of important settings, adds additional information regarding the Address Spoofing setting and mode as well as the topology type of each interface, and is of course completely integrated within our ccc script.

Thanks to Tim Hall's preliminary work in this thread.
Thanks to Norbert Bohusch for IPv6 support and testing.
Thanks to Kaspars Zibarts & Bob Zimmerman for VSX support and testing.
Thanks to Anthony Joubaire for support and testing multiple installation targets.

-- More one-liners --
One-liner to show VPN topology on gateways
One-liner to show Geo Policy on gateways
FW Monitor SuperTool

Downloading CPUSE updates outside of Check Point Cloud

Hello all,

Not all companies are allowed to have internet access for their management servers and gateways. With internet access, installing the latest Jumbo or even upgrading to a major release is just one command. What comes to my mind is the idea that CPUSE could be used even when there is no internet access: you would choose whether to use the internet or some internal IP address where all needed packages are stored. Something like two new CPUSE commands:

1. set installer source internet
2. set installer source local <IP_ADDRESS>

In case the admin would like to use a local repository, CPUSE would connect to that server over HTTPS and download packages from there. I am fully aware that a similar idea is already covered by the Central Deployment Tool (CDT) or by using SmartUpdate. What would be even better is to use a dedicated API and later a UI, as was mentioned by @Dorit_Dor.

What is the equivalent of cphaprob show_bond for a Standalone Gateway (ClusterXL not running)?

The cphaprob show_bond command in expert mode for gateways running ClusterXL is very handy, but it doesn't work for bond interfaces on a standalone gateway. Is there some other command that would show me similar information for troubleshooting bonded interfaces on a standalone gateway?

Please tell me how to disable the "activate_sw_raid" command

In the past, I entered the "activate_sw_raid" command to test HDD mirroring. After that, I removed the secondary HDD because I had finished testing HDD mirroring. There is no plan to do HDD mirroring in the future. So, the problem is that /var/log/messages is filled with the following messages:

-----------------------------
Aug 15 11:28:45 2019 12200App cpd: Raid: Failed at getting the rev number for Disk 1
Aug 15 11:28:45 2019 12200App cpd: Problems with getting output from pipe
Aug 15 11:28:45 2019 12200App cpd: Raid: Failed at getting the LBA for Disk 1
Aug 15 11:28:51 2019 12200App kernel: [fw4_1];fw_send_kmsg: No buffer for tsid 15
Aug 15 11:28:58 2019 12200App ntpd[8125]: kernel time sync enabled 0001
Aug 15 11:29:06 2019 12200App kernel: [fw4_1];fw_send_kmsg: No buffer for tsid 15
Aug 15 11:29:36 2019 12200App last message repeated 2 times
Aug 15 11:29:45 2019 12200App cpd: Problems with getting output from pipe
Aug 15 11:29:45 2019 12200App cpd: Raid: Failed at getting the vendor name for Disk 1
Aug 15 11:29:45 2019 12200App cpd: Problems with getting output from pipe
Aug 15 11:29:45 2019 12200App cpd: Raid: Failed at getting the product ID for Disk 1
Aug 15 11:29:45 2019 12200App cpd: Problems with getting output from pipe
Aug 15 11:29:45 2019 12200App cpd: Raid: Failed at getting the rev number for Disk 1
Aug 15 11:29:45 2019 12200App cpd: Problems with getting output from pipe
Aug 15 11:29:45 2019 12200App cpd: Raid: Failed at getting the LBA for Disk 1
-----------------------------

I do not want these messages to be output. Please tell me the solution.
Maarten_Sjouw inside Enterprise Appliances and Gaia OS a week ago

Proxy ARP after upgrade to R80.30

This week we had some clusters upgraded from R80.10 to R80.30; the customer wants the new and improved HTTPS functionality. When we were done, on 2 VRRP clusters we had some automatic NAT and a special Hide NAT (for WiFi guests). After upgrading you install the policy twice, first the access policy and then again for the Threat Prevention policy. After some time we were told the guest WiFi did not work; investigation pointed in the end to the proxy ARP that was not active, so we added the proxy ARP command for the Hide address and pushed the access policy (the third time). After looking with fw ctl arp we then saw 2 proxy ARP addresses, the one we added and the other was an automatic NAT. After removing the manual proxy ARP again, fw ctl arp kept showing both ARP entries. When we upgraded the other cluster we checked again after 1, 2 and 3 pushes of the access policy, and only after the third push did the proxy ARP addresses show up. It has been reported and R&D will be informed.
Ryan_Ryan inside Enterprise Appliances and Gaia OS a week ago

Lost access to gaia portal

Hi guys, running R77.30. Not long ago we lost the ability to browse to our gateway and manager; it used to work (self-signed cert) but now the browser throws an error such as "Can't connect securely to this page" with no option to continue anyway. I have tried 3 different browsers and enabled all TLS versions and even SSLv3, but nothing helps. A Wireshark capture shows a Client Hello requesting TLSv1.2, then TLSv1.0, then SSLv3.0, and then it stops. Anyone got a solution for this? I would be happy just running plain HTTP but it seems that is not an option.

config:
set web table-refresh-rate 15
set web session-timeout 10
set web ssl-port 443
set web ssl3-enabled on
set web daemon-enable on

thanks!
HeikoAnkenbrand inside Enterprise Appliances and Gaia OS a week ago

R80.x Ports Used for Communication by Various Check Point Modules

Introduction

This drawing should give you an overview of the ports and communication flows used by R80 and R77. It should give you an overview of how the different Check Point modules communicate with each other. Furthermore, services that are used for firewall operation are also considered. These firewall services are also partially mapped as implied rules in the rule set on the firewall.

Overview

Chapter Architecture:
R80.x Security Gateway Architecture (Logical Packet Flow)
R80.x Security Gateway Architecture (Content Inspection)
R80.x Security Gateway Architecture (Acceleration Card Offloading)
R80.x Ports Used for Communication by Various Check Point Modules

Performance Tuning:
R80.x Performance Tuning Tip - AES-NI
R80.x Performance Tuning Tip - SMT (Hyper Threading)
R80.x Performance Tuning Tip - Multi Queue
R80.x Performance Tuning Tip - Connection Table
R80.x Performance Tuning Tip - fw monitor
R80.x Performance Tuning Tip - TCPDUMP vs. CPPCAP
R80.x Performance Tuning Tip – DDoS „fw sam“ vs. „fwaccel dos“

Cheat Sheet:
R80.x cheat sheet - fw monitor
R80.x cheat sheet - ClusterXL

More interesting articles:
Article list (Heiko Ankenbrand)

References
Support Center: Ports used by Check Point software

Versions
+ v1.4a bug fix, update port 1701 UDP L2TP 09.04.2018
+ v1.4b bug fix 15.04.2018
+ v1.4c CPUSE update 17.04.2018
+ v1.4d legend fixed 17.04.2018
+ v1.4e add SmartLog and SmartView on port 443 20.04.2018
+ v1.4f bug fix 21.05.2018
+ v1.4g bug fix 25.05.2018
+ v1.4h add backup ports 21, 22, 69 UDP and ClusterXL full sync port 256 30.05.2018
+ v1.4i add port 259 UDP VPN link probing 12.06.2018
+ v1.4j bug fix 17.06.2018
+ v1.4k add OSPF/BGP route sync 25.06.2018
+ v1.4l bug fix routed 29.06.2018
+ v1.4m bug fix TCP/UDP ports 03.07.2018
+ v1.4n add port 256 13.07.2018
+ v1.4o bug fix / add TE ports 27.11.2018
+ v1.4p bug fix routed port 2010 23.01.2019
+ v1.4q change to new forum format 16.03.2019

old version 1.3:
+ v1.3a new design (blue, gray), bug fix, add NetFlow, new names 27.03.2018
+ v1.3b add routing ports, bug fix design 28.03.2018
+ v1.3c bug fix, rename ports (old) 29.03.2018
+ v1.3d bug fix 30.03.2018
+ v1.3e fix issue L2TP UDP port 1701

old version 1.1:
+ v1.1a - added R80.xx ports 16.03.2018
+ v1.1b - bug in drawing fixed 17.03.2018
+ v1.1c - add RSA, TACACS, RADIUS 19.03.2018
+ v1.1d - add 900, 259 Client-auth - deleted old 4.0 ports 20.03.2018
+ v1.1e - add OPSEC - delete R55 ports 21.03.2018
+ v1.1f - bug fix 22.03.2018
+ v1.1g - bug fix - add mail SMTP - add DHCP - add SNMP 25.03.2018

Copyright by Heiko Ankenbrand 1994-2019