Kul inside Enterprise Appliances and Gaia OS an hour ago

Unable to boot from USB

Hello everyone, I am unable to install R77.30 on a 4200 device. I even changed the USB drive and it still failed. It leads to the same page and I see no option for USB. I tried it on another 4200 device and it works fine.
support_suppor1 inside Enterprise Appliances and Gaia OS 11 hours ago

Message seen on /var/log/messages - "simi_reorder_enqueue_packet"

Hi there guys, I'm seeing this message "simi_reorder_enqueue_packet" in /var/log/messages. Is this an indication of traffic congestion? My network is momentarily encountering intermittent application connectivity issues, especially on VoIP. As usual, no drops are seen in Tracker and zdebug. Hope someone has encountered this.
Dioklo inside Enterprise Appliances and Gaia OS 16 hours ago

Massive users update passwords fwm dbimport

Hello, in CP R77.30 I have to massively update VPN users (without LDAP). I saw "fwm dbimport", but the manual (https://sc1.checkpoint.com/documents/R77/CP_R77_CLI_ReferenceGuide_WebAdmin/html_frameset.htm?topic=documents/R77/CP_R77_CLI_ReferenceGuide_WebAdmin/12590) says that the password should be encrypted with the C language encrypt function! But I can't find what this "C language encrypt function" is. Anyone has an idea? Thanks

How to Create Multiple Admin Accounts

Hi, how can I create multiple admin accounts with Gaia Clish? To create one account, I can write these commands in clish:

    add user [User] uid [number] homedir /home/user
    set user [User] password
    save config

and so on... For our installation I don't want to set up all admin users manually on our Check Point appliances. We use Gaia R80.10. What can I do? API? User file? Thanks for help.

GRE Tunnel

Hi Experts, I believe the GRE tunnel cannot be terminated on Check Point firewalls (please confirm if it is supported in any way, in any version, hardware, software or model). Also, this GRE is proprietary to another vendor; is that the reason CP does not support it, or are there other technical reasons? Please let me know, any information is highly appreciated. Thanks in advance. Vijay

Why are CCP packets in VSX sent to the network address of the internal network subnet?

I'm trying to figure out a strange case where we are able to catch traffic towards the VSX internal subnet in a different part of the network. I have a VSX VSLS cluster. Multiple virtual systems are connected to the same virtual switch, which is connected to a normal network terminated by a router. The router has a default route out, and here we can see the bottleneck. I can see traffic 0.0.0.0 -> 192.168.196.96 (UDP) 8116 going out of my network via that router. I started to search why. According to the ClusterXL Advanced Technical Reference Guide, the source IP 0.0.0.0 is fine for CCP traffic because it does not care about it. However, I am confused by the destination. I use the internal VSX cluster network 192.168.196.0/22, which is the default setup. If I check the interface configurations in CLISH, I can see that it was divided into /28 networks for the interfaces and some internal IPs were assigned there (multiple times for the same interfaces, but it is correct according to sk110345 - Identical IP addresses from VSX "Internal Communication Network" are assigned to interfaces that belong to different Virtual Systems). So I expected to see CCP communication on broadcast or particular addresses, but I see it towards 192.168.196.96, which is a /28 subnet IP and not assigned to a particular interface. There are FWHA_MY_STATE messages sent there, for example. Funny thing is that this traffic is hitting the blocking stealth rule in the policy. I found the same results on all my VSX clusters on R77.30 and on one running R77.10. Therefore, it seems to be a regular thing. All clusters are fully synchronized and fine. Do you know why it communicates this way? I was not able to find it anywhere. You can see the FW monitor result from one of the clusters in the attachment. P.S. – I'll ask support of course as well.

OSPF route TAG

Hi, I'm trying to filter some OSPF tagged routes using route-maps. It seems like it filters all the OSPF external routes rather than the specific tagged ones. Has anyone encountered the same or can advise?

Version: R77.30

Commands:

    set routemap ospf-import id 10 on
    set routemap ospf-import id 10 restrict
    set routemap ospf-import id 10 match tag 778 on
    set routemap ospf-import id 20 on
    set routemap ospf-import id 20 allow
    set ospf import-routemap ospf-import preference 1 on

Before:

    FW1> show route ospf
    Codes: C - Connected, S - Static, R - RIP, B - BGP (D - Default),
    O - OSPF IntraArea (IA - InterArea, E - External, N - NSSA)
    A - Aggregate, K - Kernel Remnant, H - Hidden, P - Suppressed,
    U - Unreachable, i - Inactive
    O 10.2.2.4/30 via 10.11.7.10, bond1.1107, cost 5, age 4863523
        via 172.23.101.80, bond1.1106
        via 172.23.101.81, bond1.1106
    O 10.14.98.11/32 via 10.14.99.11, bond2.1499, cost 2, age 5024684
    O 10.14.98.12/32 via 10.14.99.12, bond2.1499, cost 2, age 5024684
    O 10.14.98.13/32 via 10.14.99.13, bond2.1499, cost 2, age 5024684
    O 10.14.98.14/32 via 10.14.99.14, bond2.1499, cost 2, age 5024684
    O E 10.165.249.0/24 via 10.14.99.11, bond2.1499, cost 1:20, age 4863523, tag 0x00000000
        via 10.14.99.12, bond2.1499
        via 10.14.99.13, bond2.1499
        via 10.14.99.14, bond2.1499
    O E 10.165.0.0/24 via 10.14.99.11, bond2.1499, cost 1:20, age 4863523, tag 0x00000000
        via 10.14.99.12, bond2.1499
        via 10.14.99.13, bond2.1499
        via 10.14.99.14, bond2.1499
    O E 10.0.0.0/8 via 172.23.101.69, bond1.1106, cost 2401:0, age 6929627, tag 0x0000030a
    O E 172.16.0.0/12 via 172.23.101.69, bond1.1106, cost 2401:0, age 6929627, tag 0x0000030a
    O E 192.168.0.0/16 via 172.23.101.69, bond1.1106, cost 2401:0, age 6929627, tag 0x0000030a
    AKmdrL9LabDCFW1>

After:

    FW1> show route ospf
    Codes: C - Connected, S - Static, R - RIP, B - BGP (D - Default),
    O - OSPF IntraArea (IA - InterArea, E - External, N - NSSA)
    A - Aggregate, K - Kernel Remnant, H - Hidden, P - Suppressed,
    U - Unreachable, i - Inactive
    O 10.2.2.4/30 via 10.11.7.10, bond1.1107, cost 5, age 4863590
        via 172.23.101.80, bond1.1106
        via 172.23.101.81, bond1.1106
    O 10.14.98.11/32 via 10.14.99.11, bond2.1499, cost 2, age 5024751
    O 10.14.98.12/32 via 10.14.99.12, bond2.1499, cost 2, age 5024751
    O 10.14.98.13/32 via 10.14.99.13, bond2.1499, cost 2, age 5024751
    O 10.14.98.14/32 via 10.14.99.14, bond2.1499, cost 2, age 5024751
    AKmdrL9LabDCFW1>

SSH Banners in R80.30

Hi, some characters like dashes "-" or "_" do not work anymore in R80.30 banners. SSH to the box should show these banners. In R80.30, the '---' are not visible anymore.

    R8030> set message banner on
    set message banner on line msgvalue "-----------"
    set message banner on line msgvalue "R80.30 TEST"
    set message banner on line msgvalue "-----------"
    R8030> show configuration
    set message banner on
    set message banner on line msgvalue "R80.30 TEST"

    R8020> show configuration
    set message banner on
    set message banner on line msgvalue "-----------"
    set message banner on line msgvalue "R80.20 TEST"
    set message banner on line msgvalue "-----------"

Is this a bug, a feature or a misconfiguration? Best Regards,

Gaia HealthCheck Script v7.04 released

Check Point released v7.04 of its Gaia HealthCheck Script. Attention: this is wrongly listed as version v7.05 on sk121447.

Script author: @Nathan_Davieau (LinkedIn profile)

What's new: updated CPUSE and JHF build numbers.

What's missing: automatically retrieve the latest CPUSE, JHF and CPINFO build numbers rather than manually updating the script code.

Download: healthcheck.sh script v7.04 (04Oct2019)

Can SMS in R77.30 Splat manage R77.30 gaia gateways?

Hello community. A question: can an SMS on R77.30 SPLAT manage R77.30 Gaia gateways? Please help me. Thank you very much.

Appliance BIOS Updates?

Has anyone ever been required to update the BIOS of their Check Point appliances for any reason? If so, could you share the circumstances that made it necessary? I've never needed to perform a BIOS update that I can remember.

More info:
sk120915: Check Point Appliances BIOS Firmware versions map
sk128712: Upgrading the BIOS using BIOS Upgrade Tool
Danny inside Enterprise Appliances and Gaia OS Thursday

One-liner for Address Spoofing Troubleshooting

🏆 Code Hub Contribution of the Year 2019! 👍 Endorsed by Check Point Support!

One-liner (Bash) to show a summary of each gateway interface's calculated topology and address spoofing setting. In expert mode run:

    echo; tput bold; if [[ `$CPDIR/bin/cpprod_util FwIsFirewallModule 2>/dev/null` != *'1'* ]]; then echo ' Not a firewall gateway!'; tput sgr0; echo; elif [[ `grep $(grep $(hostname) /etc/hosts | cut -f1 -d' ') $FWDIR/state/local/FW1/local.set | wc -l` == "0" ]]; then echo ' Main IP of '$(hostname)' doesn`t match it`s management interface IP!'; tput sgr0; echo; else echo -n ' Interface Topology '; tput sgr0; echo -n '> '; tput bold; tput setaf 1; if [[ -n "$vsname" ]] && [[ $vsname != *'unavail'* ]]; then echo $vsname' (ID: '$INSTANCE_VSID')'; else hostname; fi; tput sgr0; echo -n ' '; printf '%.s-' {1..80}; echo; egrep -B1 $'ifindex|:ipaddr|\(\x22<[0-9]|objtype|has_addr_info|:monitor_only|:external' $FWDIR/state/local/FW1/local.set | sed -n "/$(if [[ -n "$vsname" ]] && [[ $vsname != *'unavail'* ]] && [[ $INSTANCE_VSID != '0' ]]; then echo $vsname; else grep `hostname` /etc/hosts | cut -f1 -d' '; fi)*$/,\$ p" | tail -n +3 | sed 's/[\x22\t()<>]//g' | sed 's/--//g' | sed '$!N;s/\n:ipaddr6/ IPv6/;P;D' | sed '/IPv6/!s/://g' | sed 's/interface_topology/\tCalculated Interface Topology/g' | sed '0,/ifindex 0/{/ifindex 0/d;}' | sed '/ifindex 0/q' | sed '/spoof\|scan/d' | sed 's/has_addr_info true/\tAddress Spoofing Protection: Enabled/g' | sed 's/has_addr_info false/\tAddress Spoofing Protection: Disabled/g' | sed -e '/Prot/{n;d}' | sed '$!N;s/\nmonitor_only true/ (Detect Mode)/;P;D' | sed '$!N;s/\nmonitor_only false/ (Prevent Mode)/;P;D' | sed '$!N;s/\nexternal false/ - Internal Interface/;P;D' | sed '$!N;s/\nexternal true/ - External Interface/;P;D' | sed '/objtype/q' | tac | sed '/ifindex 0/I,+2 d' | sed '/Address/,$!d' | tac | sed '/ifindex/d' | sed 's/,/ -/g' | sed '$!N;s/\nipaddr/ >/;P;D' | sed '/ - /s/^ /\t/' | egrep -C 9999 --color=auto $'>|IPv6|External|Disabled|Detect'; echo; fi

The one-liner is IPv4 and IPv6 compatible, works on clustered and single gateway environments as well as within VSX, shows all interface types configured in your firewall object within SmartDashboard, colors specific words of the output for easier identification of important settings, adds additional information regarding the Address Spoofing setting and mode as well as the topology type of each interface, and is of course completely integrated within our ccc script.

Thanks to Tim Hall's preliminary work in this thread.
Thanks to Norbert Bohusch for IPv6 support and testing.
Thanks to Kaspars Zibarts & Bob Zimmerman for VSX support and testing.
Thanks to Anthony Joubaire for support and testing multiple installation targets.

-- More one-liners --
One-liner to show VPN topology on gateways
One-liner to show Geo Policy on gateways
FW Monitor SuperTool

R80.30 3.10 Interface issues?

Has anyone had issues with interfaces flapping on R80.30 3.10?  I have two Intel x710 nic cards installed on an HPE G10, where the ports from one card are in bond1 and ports from the other are in bond2. I was running R80.20 3.10, where everything was functioning. I upgraded to .30 and my ports on bond2 started flapping.  I took the ports out of the bond and destroyed the PO on the switch, but the ports continue to flap. I’m hoping I’m missing something, but I’ve noticed weird things like the lacp-rate not honoring the clish setting (I set fast, but the bond shows slow), auto negotiate not honoring the clish setting (I set auto, ethtool says autoneg not supported), rx/tx ringsize not honoring the clish setting (I increased it, but ethtool still shows default) and the default multiqueue setting does not match for all ports (the working 10G ports have more CPU allocated than should be). I have a ticket open, but was curious if others have this issue.  I also installed JHF50 (ongoing take), but no dice.  I tried this on two boxes, same result. I noticed the i40e driver was upgraded when I went to .30 3.10, so I tried to use the older version from .20 3.10, but no luck. The driver seems OK based on internet searches, but Check Point documentation says the i40e driver is for 40G nics and not 10G. Maybe the driver should be the ixgbe driver, but 80.20 3.10 also used the i40e driver. Thoughts?

PBR limitations

Hi Mates, reading sk100500 I was very surprised when it described:

The following features/blades are not supported with PBR:
- IPv6
- Locally-generated traffic
- Security Servers
- Data Loss Prevention (DLP) blade
- Anti-Spam blade
- Mail Transfer Agent (MTA) (relevant for Threat Emulation/Threat Extraction/Data Loss Prevention/Anti-Spam blades)
- ISP Redundancy
- The following applications (which use Check Point Active Streaming [CPAS]):
  - VoIP (H323, SIP, Skinny, etc.)
  - HTTPS Inspection
  - HTTP Header Spoofing
  - HTTP Proxy
  - IMAP in IPS

Despite my idea that a routing feature on the gateway mustn't influence the security features, at the moment I need to have PBR on a gateway where MTA is active for the TEX blade. In the environment where I'd like to implement PBR and I have MTA enabled on an R80.10 gateway, the PBR doesn't work. Does someone face the same scenario? Does someone know a workaround/solution?
Longson_Ho1 inside Enterprise Appliances and Gaia OS a week ago

Check Point Appliance Hardware Spec.

Hi, I would like to know the spec of Check Point appliance hardware, as one of my customers would use the virtual edition of Check Point and is sizing their own server spec. I cannot find the CPU details used in the different appliance models in the official KB, while "Check Point Appliance Hardware (Lachmann List, Update February 28th 2017) – Lying Weasel Factor" seems to provide me the answer. Is it good to go to have the CP virtual GW installed on an open server with a similar spec? E.g. by using the CP sizing tools, it is projected to use a CP5100 / CP5200. So could I suggest the customer have their own open server with a spec similar to the CP5100/5200? Thanks.