Showing results for 
Search instead for 
Did you mean: 
Create a Post
Enterprise Appliances and Gaia OS

Have questions about Security Gateway Appliances, Gaia OS, CoreXL, SecureXL, or ClusterXL? This is where to ask them! This also includes legacy operating systems like SecurePlatform, IPSO, or XOS.

For Small Business Security appliances (600/700/1200R/1400/1500), see the SMB Appliances and SMP space.

PBR limitations

Hi Mates,reading the sk100500 I was very surprised when it describedThe following features/blades are not supported with PBR:IPv6Locally-generated trafficSecurity ServersData Loss Prevention (DLP) bladeAnti-Spam bladeMail Transfer Agent (MTA) (relevant for Threat Emulation/Threat Extraction/Data Loss Prevention/Anti-Spam blades)ISP RedundancyThe following applications (which use Check Point Active Streaming [CPAS]):VoIP (H323, SIP, Skinny, etc.)HTTPS InspectionHTTP Header SpoofingHTTP ProxyIMAP in IPSDespite my idea where, routing feature on the gateway musn't influence the security features, at the moment I need to have a PBR on a gateway where MTA is active for the TEX blade.In the enviroment where I'd like to implement PBR and I have MTA enabled on a R80.10 gateway, the PBR doesn't work.Does someone face the same scenario ?Does someone know a workaround/solution?

Traffic not accelerated by Secure XL

Hi,I have been dealing with the secure XL for a while and cannot have the traffic accelerated as you can see the output below.The problem is the cpus are going over %95 during day time and i think the reason is the secure XL not handling traffic as expected as everything is going through the slow path.I have been through many topics here and I will put the outputs you may ask.Just a brief information of the firewall, working with ClusterXL, 8 cpu (2 SND, 6 workers) , OPEN SERVER ( I'm not sure if this could be any issue) , This is an external firewall, having DMZ, vpn and internet traffic of users and servers and more as you can think.#fwaccel stats -sAccelerated conns/Total conns : 14/79668 (0%)Accelerated pkts/Total pkts   : 370720/214400236 (0%)F2Fed pkts/Total pkts   : 211158051/214400236 (98%)PXL pkts/Total pkts   : 2871465/214400236 (1%)QXL pkts/Total pkts   : 0/214400236 (0%) # fwaccel conns -sThere are 211889 connections in SecureXL connections table The template number is so low.# fwaccel templates -sThere are 48 templates in SecureXL templates table # fwaccel statAccelerator Status : onAccept Templates   : disabled by Firewall                     Layer CL-EXT Security disables template offloads from rule #xxx ( just above the last rule)                     Throughput acceleration still enabled.Drop Templates     : enabledNAT Templates      : disabled by Firewall                     Layer CL-EXT Security disables template offloads from rule xxx ( just above the last rule)                     Throughput acceleration still enabled.NMR Templates      : enabledNMT Templates      : enabled I downloaded the fwaccel conns table and when investigated we see that most of traffic is about these 4 sources with 1 destination address (exchange related F5 traffic) as nearly 1/3 of the whole table is this connection. SourceDestinationDPortPRFlags     C2Si/f S2Ci/f InstAX4436F..A...S......40/3232/40BX4436F..A...S......40/3232/40BX4436F..A...S......40/3232/40CX4436F..A...S......40/3232/40AX4436F..A...S......40/3232/40DX4436F..A...S......40/3232/40CX4436F..A...S......40/3232/40DX4436F..A...S......40/3232/40CX4436F..A...S......40/3232/40BX4436F..A...S......40/3232/40BX4436F..A...S......40/3232/40DX4436F..A...S......40/3232/40AX4436F..A...S......40/3232/40CX4436F..A...S......40/3232/40DX4436F..A...S......40/3232/40CX4436F..A...S......40/3232/40BX4436F..A...S......40/3232/40CX4436F..A...S......40/3232/40AX4436F..A...S......40/3232/40BX4436F..A...S......40/3232/40AX4436F..A...S......40/3232/40BX4436F..A...S......40/3232/40BX4436F..A...S......40/3232/40AX4436F..A...S......40/3232/40DX4436F..A...S......40/3232/40DX4436F..A...S......40/3232/40AX4436F..A...S......40/3232/40BX4436F..A...S......40/3232/40DX4436F..A...S......40/3232/40 My question is, how come this traffic isn't accelerated?  Thank you 

CheckPoint bridge mode is not working between the Fortigate and H3C switch

-------17/2/2020------- Add screen capture on the below reply for further troubleshooting. -------16/2/2020------- HI all, I just have a Checkpoint as bridge mode and have a scanning over the Trunk link.Both Fortigate and H3C has a Trunk link up already before. Vlan 10 is tagged with untagged VLAN 1.All my users are in Vlan 10.They need to have both CP and FG scanning while visiting the internet.Then we set up port 3 and 4 as br1 on the Check point.FortiGate connects to p3 while h3c switch uplink to p4.Both p3 and p4 are in the Internal zone with anti-spoofing disabled.CP Firewall policy just has the clean up one with any to any accepted. From the debug flow on FortiGate, I can not find the traffic to the internet, let says the dst. is ""Nevertheless, both and can ping mutually and have the debug log result from Fortigate.I think this proves the CP policy working well? Interestingly, both Firewall traffic Logging reveal the traffic is accepted if to the internet.Only no outcome from the debug log result from Fortigate if the dst. is to internet or "" I swear to god that FortiGate original settings are good.As we use it before and everything just normal. Please someone helps. Below is the lab topology after the deployment.  

Dynamic Routing - Real World Experience

Hello all,I consider to configure dynamic routing (main goal is OSPF, potentially BGP for some specific needs) on some of our Checkpoint appliances. In the past we avoided to apply any dynamic routing on our checkpoint firewalls. However, for some needs it would be really beneficial.The SMS is running in R80.30The SGWs are running in R80.30 (some are still in R77.30, but the question specifically targets for R80.30) Can i still sleep well at night doing this? 🙂To everybody who has deployed it in critical networks. What are your real world experiences with this? Is it stable? No drawbacks/strange behaviors when used in ClusterXL deployments? Discovered unexpected limitations etc. etc.I´m really targeting for the field experience here. Please specify if you are talking about OSPF or BGP. Regards

suspicious interrupts values

Hello CheckMates, since two days we see this very low interrupts, normally all cores around 100.000           Looks like everything is running fine but I'm wondering. Has anyone an idea ? Wolfgang

Cannot Access Active Cluster Member via HTTPS/SSH Over VPN

I can access the MGMT interface of active and standby cluster members via ICMP over the VPN but not SSH or HTTPS. Their is an SMS that sits behind these GWs and I can reach the SMS via ICMP, SSH and HTTPS. As the SMS is on the same MGMT network as the GWs, I can also access the GWs ia ICMP, SSH and HTTPS (using telnet) from the SMS. I'm aware of sk42695, sk42733 and sk93204 which could explain the behavior of the standby cluster member but it's odd that I'm able to ping both units. So I don't think any of those sk's apply plus I would expect to be able to access the active cluster member without issue. I also have a another 5100 cluster that works with the same configuration. The firewalls logs show traffic being allowed, encrypted/decrypted and I don't see any drops via "fw ctl zdebug drop" on either cluster member. A packet capture also shows the SSH/HTTPS traffic ingressing eth1 where the VPN is terminated but I only see a SYN with no ACK or further traffic. There are no host restrictions per the statement "add allowed-client host any-host". Any ideas on where I can look to troubleshoot further? I'm not seeing any noticeable in /var/log/messages. GWs are running R80.20 JHF Take 87.

Odd cphaprob output

Having an unusual issue with a cluster firewall interface. Firewall was rebooted and post reboot one side of the sync interface is showing an issue where the inbound is up but the outbound is down. The other side is UP & UP.fw1-cxl1:0]# cphaprob -a ifRequired interfaces: 7Required secured interfaces: 1eth7 Inbound: UP Outbound: DOWN (6062.3 secs) sync(secured), multicasteth5 UP non sync(non secured), multicast (eth5.71 )bond2 UP non sync(non secured), multicast, bond Load Sharing (bond2.32 )bond0 UP non sync(non secured), multicast, bond Load Sharing (bond0.17 )bond1 UP non sync(non secured), multicast, bond Load Sharing (bond1.80 )bond0 UP non sync(non secured), multicast, bond Load Sharing (bond0.245 )eth5 UP non sync(non secured), multicast (eth5.246 )Any obvious (to you!) ideas what might cause this before I roll up my sleeves?TIA

Does R80.40 support HP DL380 G10 ?

Hardware Compatibility List do not show anything about R80.40 , do I need to open case for the answer ?  

Gaia HealthCheck Script v7.09 released

Check Point released v7.09 of it's Gaia HealthCheck Script Script author: @Nathan_Davieau (LinkedIn profile)QA Director: @Barak_Ran (LinkedIn profile) What's new: Added R80.40 support Added VLAN/IP overlap and Any GUI Client checks courtesy of our ccc script Updated JHF version information Added Dynamic Split Check for Check Point Appliances running on R80.40 or higher Added Mgmt API and CPM status checks What's MISSING: Recognition of expired 1-year licenses to avoid warnings on such systems  (example: CPSB-COMP-5-1Y) Download Package Link Date script v7.09 11Feb2020

Migrate to 10Gb interface

Hi, I'm about to move a Checkpoint 15k cluster from the current 1Gb interfaces to new 10Gb interfaces.There are clans created on the 1Gb interfaces and I have to remove those and create the same vlan interfaces on the new 10Gb interfaces.Have anyone done this before? What steps are included in this change?
Derek inside Enterprise Appliances and Gaia OS a week ago
views 162 1

Move traffic flow from checkpoint A to B.

Hello Guys, wondering if someone could help. I am currently trying to move all internet traffic from checkpoint A to checkpoint B. I am currently testing on myself. The reason for this is because CPU usage is high on checkpoint A which is 4000 appliance version R80.10 and checkpoint B is 5000 appliance version R80.10. I would like to test myself ONLY for now where my http and https traffic flows out of checkpoint B. I have attached some diagrams hopefully this will helps, the red arrow is where I want my traffic to go, the riverbed talks to both checkpoint A and B. My question is how do I make myself flow out of checkpoint B. I am almost certain there is something I need to do in the checkpoint  
Enrique inside Enterprise Appliances and Gaia OS a week ago
views 161 1

Mobile Access with NAT in the firewall

Hello everyone, After reading so many post here, I decided to join the community and this is my first post.  I'm configuring a Mobile Access  from scratch. The MAP (Mobile Access Portal) is accessible through all interfaces. In the external interface we have private IP address configured, and so the ISP router (let's say And .1 is the cluster floating IP, .1 and .2 are the gateway's IPs and .5 is the router). The router just forward all the traffic from a certain public IP address range (let's say I would like the MAP be accessible through one of the public IPs ( for example). I tried several NAT rules to translate the to the floaing IP address of the cluster ( Also I tried to use the dynamic Object "LocalMachine". From the traffic captures that I performed, I see that:When I access to the floating IP address (, the portal is reachable.When I access to the public IP address (, I see that the firewall is performing the NAT in the incoming traffic, but it is answering with RST packet to every SYN packet that it receive from this connection. Any help?

HDD failures on 5900 appliances

Has anyone else "suffered" from HDD failures on 5900 appliances? Lost 3 HDDs within one year in 16 devices. Two on the same appliance! Seems like a proper bad batch of HDDs. Never RMAed  disks before in many many years. Just curious if it's just us

Cluster dropping packets in R80.30 unicast Load sharing Mode

Cluster is dropping packets in unicast Load sharing Mode after upgrading from R80.10 to R80.30, while in HA mode it is working fine.below are the output of "fw ctl zdebug + drop"@;825535;[cpu_8];[SIM-207416775];pkt_handle_stateless_checks: Packet dropped (cluster decision). conn: <,46667,,443,6>;@;825535;[cpu_8];[SIM-207416775];do_packet_finish: SIMPKT_IN_DROP vsid=0, conn:<,46667,,443,6>;@;825535;[cpu_0];[SIM-207416775];sim_pkt_send_drop_notification: (0,0) received drop, reason: cluster error, conn: <,46667,,443,6>;@;825535;[cpu_0];[SIM-207416775];sim_pkt_send_drop_notification: no track is needed for this drop - not sending a notificaion, conn: <,46667,,443,6>;


Hello Dear All,I need your help to configure a Cluster in Bridge Mode(Active/Standby).I was able to read and view the tutorials on the cluster in Route mode.But in Bridge mode, I do not know which physical IP address I must configure on the Appliance for the choice between Appliances because of we are in Bridge Mode, I configured 2 IP addresses (MGMT IP and Synchronistaion ).You will find an architecture with numbers in attachment to understand and help me.Thanks to you for helping me. Regards, Yanick DJINZOU