Showing results for 
Search instead for 
Did you mean: 
Create a Post
HitManExp inside Enterprise Appliances and Gaia OS a minute ago
views 48 1

R77.30 - rpm command is not working.

Hello guys, i need help with "rpm" command. If i started command 'rpm -qa ntp' causes session to hang indefinitely. How can i check, what wrong with this command?

Load balance ISP and VPN

Hi,An upcoming activity is for a customer office move but their leased line will not be available until a few months after they move in.To mitigate this the client has ordered 2 ADSL lines and has asked to do active/active across these for their connectivity. The office does not host any external services. They have a VPN mesh community for their DC and other offices. Apart from one office where the VPN terminates on a cisco router.Has anyone any guidance on issues they think this setup might encounter. I'm not confident on how the site to DC VPN would function in an active/active manner. Many thanks Andy

PBR and SecureXL issues in R80.20

Hi Guys,Has anyone had any issues with PBR on R80.20 ?I have tried an upgrade from a working R80.10 to R80.20 twice now and found that the PBR is an issue once upgraded to R80.20.This is on JHF 33 and now JHF 73 .One of the troubleshooting steps after seeing sk109741 was to switch off SecureXL - once we did that all worked as it did on R80.10 .<also tried the PBR route lookup option - it made no difference)We have opened a TAC case and have had the environment running succesfully without SecureXL for the entire day - but obviously we want to enable SecureXL ultimately . Just thought I would post in case anyone else is having PBR issues on R80.20 ?(also if you have any ideas on how to fix this - before TAC gets back to me - let me know)

R80.20 MTU and SecureXL Problem

Hello,we have a Ethernet-Link (no VPN from Checkpoint) to a network where the MTU is 1422. If we set the mtu on the interface and disable SecureXL the Clients (with default MTU of 1500) get the ICMP Fragmentation Packet and start to send packets with smaller MTU.When we reactivate SecureXL the Clients starts to send 1500 byte packets again and do not get an ICMP Fragmentation paket from the Firewall.We are using an Checkpoint 5600 Cluster with R80.20 with latest HFA.Did anybody had the same problem? Jan
Richard_Scott1 inside Enterprise Appliances and Gaia OS 14 hours ago
views 3089 17 1

ClusterXL - standby cannot reach gateway

I've got a R77.30 cluster of two nodes (running on vmware). The active node can ping the default gateway and onward to the rest of the network without any issue. However, the standby node can't even ping the gateway, let alone anything beyond it. If I unload the policy from the node, then it is able ping it.Logs suggest the traffic is being nat'd to the cluster's address. The gateway can ping active, standby and cluster addresses. I've tried fw ctl set int fwha_forw_packet_to_not_active 1 on both nodes, but that didn't help. The management interface is reachable via a different gateway (and static route).Any suggestions greatly appreciated!
inside Enterprise Appliances and Gaia OS 16 hours ago
views 1793 14 4

R80.30 3.10 EA Program is now available!

Hi all, We are happy to announce that R80.30 3.10 EA program for Security Gateway and VSX is now available. For production EA path please contact For public EA path login to and go to Try Our Products -> Early Availability Programs. Then register to CPEA-EVAL-R80.30-3.10 public EA program. Release notes for this EA program are available here

CPUSE will fail to install new Jumbo on restored gateway

Just run into a interesting scenario with CPUSE failing to install take 203 on very last gateway (nearly 40 updated without any issues). Won't be creating TAC case out of pure laziness and too much to do as is DA agent version is 1677, so all good there and gateway had take 154 installed before attempt to upgrade to 203. What turned out was that this particular box was recently fully re-built from factory image due to SSD failure (second SSD dying on 5900 appliances! not good trend there). So we went R77.30 > R80.10 > take 154 > backup restore. All went great and box was running like a charm. But now when I attempted to install take 203 it failed at very early stage with following error: Digging into more detailed logs I found that CPUSE was looking for an older file that was not there (/opt/CPInstLog/install_cpfc_wrapper_HOTFIX_R80_10_JUMBO_HF.log) So I compared the deployment agent backup directory contents on both cluster members. /opt/CPda/backup/ This was restored node and this was the secondary that was in it's "original" state Ok - bunch of archives missing.. Then it clicked - when we restored the box from backup, we did not install all jumbo HFs that were installed over time originally but went straight to the latest take 154 that was running on the node when backup was taken. So quick action was simply to copy all missing archives from "original" node /opt/CPda/backup to restored one and then take 203 installation succeeded. It might be a known issue, but there's a definitely room for improvement for CPUSE in case you use backup for restore instead of snapshot

Service Temporarily Unavailable

I get the errorService Temporarily Unavailable when trying to access GAIA GUIWhat could be problem

12600 with VSX low on memory

Ran into a problem with the upgrade of a 12600 for a customer that was asked to assist. The setup of this customer was pretty simple, 2 management servers on R80.20 in HA. 2 x 12600 with R80.10 running VSX. One piece of giveaway, one of the 12600's has 12GB memory the other (the backup) has 6GB memory Now the challenge was to upgrade to R80.20 to be able to use the dynamic objects for Office 365. So we start with the backup unit, there are 5 VS's and 55 virtual switches. When done with the upgrade which went well (cpuse upgrade) we reboot the box and let it do it's things to see where we are I check with vsx stat -v and get a list of 39 problems like this: Unable to open '/vs2/dev/fw0': Connection refused Unable to open '/vs4/dev/fw0': Connection refused Unable to open '/vs6/dev/fw0': Connection refused Unable to open '/vs7/dev/fw0': Connection refused Unable to open '/vs9/dev/fw0': Connection refused Unable to open '/vs12/dev/fw0': Connection refused Unable to open '/vs14/dev/fw0': Connection refused On the console there were messages about SIC problems, we ended up doing a reinstall of the box with a USB stick and a clean R80.20, then ran a vsx_util reconfigure (after the base interface config) however the number of errors remains the same. Opened a TAC case, but nobody could find the cause of the messages and errors. We decided to add more memory, so we sent 3 x 4GB onsite, but as the box has 2 physical CPU's it needs a even number of memory banks, so we put in 2 x 4GB to see if it would improve, it sure did, The number of problems went back to 20 with the added 2GB. One other thing that was bothering me was the 55 Virtual Switches. The engineer that helped this customer during the first setup told the customer to create a vSwitch for each VLAN they use... 🤔 All these switches ended up in 1 trunk port and terminated a VLAN, out of the 55 there were 19 vSwitches that had no connection to any VS, so I tried to delete 1 that was all ok in SmartConsole, this went ok and got removed from both boxes. I continued to remove all the ones that had no issues. After a reboot the box came back without any of the previous errors. Then I could remove the last couple of unused vSwitches. Then the local contact came back with 6 x 4GB DIMM's and put them all in, now the box is happily running with 24GB, why CP says it only supports 12 GB, I don't know. We will see tomorrow that we upgrade the other box from R80.10 to R80.20 and also put more memory in them.

Network Card Issue

Hi all,I've got a network issue which isn't Check Point per se, but it's leaving one of my VSX cluster members down so figured I'd put it out there and see if anyone has any ideas...Everything was working perfectly, but after nearly 500 days uptime I did a routine reboot. The server never came back.Connecting via the local console and doing some testing with tcpdump I have concluded that the NIC is receiving traffic, but not sending traffic. I've proved this beyond doubt. So this is the problem.If I boot the server from a Knoppix live CD I can configure the interfaces and they all work perfectly. So the hardware is fine. Something has gone screwy with the GAiA TCP stack on the server, receiving but not sending.Does anyone know what I can do? Or is the best option to reinstall from the ISO? (I hope not - it's a little drastic!)Thanks,Matt

Black screen during Gaia install

Hello, I am trying to install Gaia R80.30 on Dell OptiPlex 780 (4GB Ram, 500GB HDD, two Intel 100/1000 Nic)Boot from the DVD iso works and I get the following screen: “Welcome to Check Point Gaia R80.30”.I choose “Install Gaia on this system” and I get a black screen with the cursor on the top left, a min or two later the hard drive and the DVD stops working and the system hangs in this state. No errors or any messages.That computer works well with other operating systems, so I do not think it’s a hardware issue. Any idea what can be done in order to complete the Gaia install?

GAIA - Easy execute CLI commands on all gateways simultaneously

Now you can use the new command "gw_mbash" and "g_mclish" to execute bash or clish commands on all gateway simultaneously from the management server. All you have to do is copy and paste the above lines to the management server. After that you have two new commands on the management server. Here you can now centrally execute simple commands on all gateways which are connected via SIC with the management. Attention! You can quickly destroy your gateways if you enter the wrong commands! Command syntax: Command Description # gw_detect # gw_detect80 Detect all your gateways that support from this tool. This command only needs to be executed once or when gateways changed in topology.All founded gateways are stored as IP address in this file /var/log/g_gateway.txt. All added IP addresses will be used later to execute commands on these gateways. The file can also be edit manually to add gateway IP adressess. The execution of this command may take a few minutes. Use this command on R80.x gateways "gw_detect80" is a little bit faster. Use this command on R77.x gateways "gw_detect". # gw_mbash <command> Execute expert mode command on all gateway simultaneously # gw_mclish <command> Execute clish command on all gateway simultaneously An example! You want see the version of all gateway they are defined in the topology. Management# gw_detect -> start this command fist to detect all your supported gateways or "gw_detect80" on R80.x gatewaysManagement# gw_mclish show version os edition -> execute this command on all gateways Now the command "show version os edition" is executed on all gateways and the output is displayed on the management server sorted according to the ip addresses of the gateways in the firewall topologie. The same also works for the expert mode. For example: Management# gw_detect -> start this command fist to detect all your supported gateways or "gw_detect80" on R80.x gatewaysManagement# gw_mbash fw ver -> execute this command on all gateways Tip 1 Use this command to backup your clish configs from all gateways. Management# gw_mclish show configuration > backup_clish_all_gateways.txt This can also be start as simply cronjob😀. Tip 2 Check central performance settings for all gateways: Management# gw_mbash fw tab -t connections -s -> show state table for all gateways Management# gw_mbash fwaccel stat -> show fwaccel state's for all gatewaysManagement# gw_mbash ips stat -> check on witch gateway ips is enabled ... Cppy and paste this lines to the management server or download the script "" and execute the script. echo '#!/bin/bash' > /usr/local/bin/gw_mbash echo 'if [ ! -f /var/log/g_gateway.txt ]; then' >> /usr/local/bin/gw_mbash echo 'echo "First start \"gw_detect\" and\or edit the file \var\log\gw_gateway.txt manually. Add here all your gateway IP addresses."' >> /usr/local/bin/gw_mbash echo 'else' >> /usr/local/bin/gw_mbash echo 'HAtest="$@"' >> /usr/local/bin/gw_mbash echo 'echo $HAtest > /var/log/g_command.txt;' >> /usr/local/bin/gw_mbash echo 'while read line' >> /usr/local/bin/gw_mbash echo 'do' >> /usr/local/bin/gw_mbash echo 'if $CPDIR/bin/cprid_util getarch -server $line |grep "gaia" > /dev/null;' >> /usr/local/bin/gw_mbash echo 'then' >> /usr/local/bin/gw_mbash echo 'echo "--------- GAIA $line execute command: $HAtest"' >> /usr/local/bin/gw_mbash echo '$CPDIR/bin/cprid_util -server $line putfile -local_file /var/log/g_command.txt -remote_file /var/log/g_command.txt;' >> /usr/local/bin/gw_mbash echo '$CPDIR/bin/cprid_util -server $line -verbose rexec -rcmd /bin/bash -f /var/log/g_command.txt' >> /usr/local/bin/gw_mbash echo 'else' >> /usr/local/bin/gw_mbash echo 'echo "--------- STOP $line Error: no SIC to gateway or no compatible gateway"' >> /usr/local/bin/gw_mbash echo 'fi' >> /usr/local/bin/gw_mbash echo 'done < /var/log/g_gateway.txt' >> /usr/local/bin/gw_mbash echo 'fi' >> /usr/local/bin/gw_mbash chmod +x /usr/local/bin/gw_mbash echo '#!/bin/bash' > /usr/local/bin/gw_mclish echo 'if [ ! -f /var/log/g_gateway.txt ]; then' >> /usr/local/bin/gw_mclish echo 'echo "First start \"gw_detect\" and\or edit the file \var\log\gw_gateway.txt manually. Add here all your gateway IP addresses."' >> /usr/local/bin/gw_mclish echo 'else' >> /usr/local/bin/gw_mclish echo 'HAtest="$@"' >> /usr/local/bin/gw_mclish echo 'echo $HAtest > /var/log/g_command.txt;' >> /usr/local/bin/gw_mclish echo 'while read line' >> /usr/local/bin/gw_mclish echo 'do' >> /usr/local/bin/gw_mclish echo 'if $CPDIR/bin/cprid_util getarch -server $line |grep "gaia" > /dev/null;' >> /usr/local/bin/gw_mclish echo 'then' >> /usr/local/bin/gw_mclish echo 'echo "--------- GAIA $line execute command: $HAtest"' >> /usr/local/bin/gw_mclish echo '$CPDIR/bin/cprid_util -server $line putfile -local_file /var/log/g_command.txt -remote_file /var/log/g_command.txt;' >> /usr/local/bin/gw_mclish echo '$CPDIR/bin/cprid_util -server $line -verbose rexec -rcmd /bin/clish -f /var/log/g_command.txt' >> /usr/local/bin/gw_mclish echo 'else' >> /usr/local/bin/gw_mclish echo 'echo "--------- STOP $line Error: no SIC to gateway or no compatible gateway"' >> /usr/local/bin/gw_mclish echo 'fi' >> /usr/local/bin/gw_mclish echo 'done < /var/log/g_gateway.txt' >> /usr/local/bin/gw_mclish echo 'fi' >> /usr/local/bin/gw_mclish chmod +x /usr/local/bin/gw_mclish echo '#!/bin/bash' > /usr/local/bin/gw_detect echo 'echo -n > /var/log/g_gateway.txt' >> /usr/local/bin/gw_detect echo "more $FWDIR/conf/objects.C |grep -A 500 -B 1 ':type (gateway)'| sed -n '/gateway/,/:ipaddr (/p' | grep 'ipaddr (' | sed 's/^[ \t]*//' | sed 's/\:ipaddr (//' |sed 's/)//' > /var/log/g_gwl.txt" >> /usr/local/bin/gw_detect echo 'while read line' >> /usr/local/bin/gw_detect echo 'do' >> /usr/local/bin/gw_detect echo 'if $CPDIR/bin/cprid_util getarch -server $line |grep "gaia" > /dev/null;' >> /usr/local/bin/gw_detect echo 'then' >> /usr/local/bin/gw_detect echo 'echo "--------- GAIA $line "' >> /usr/local/bin/gw_detect echo 'echo "$line" >> /var/log/g_gateway.txt' >> /usr/local/bin/gw_detect echo 'else' >> /usr/local/bin/gw_detect echo 'echo "--------- STOP no SIC to gateway or no compatible gateway"' >> /usr/local/bin/gw_detect echo 'fi' >> /usr/local/bin/gw_detect echo 'done < /var/log/g_gwl.txt' >> /usr/local/bin/gw_detect chmod +x /usr/local/bin/gw_detect echo '#!/bin/bash' > /usr/local/bin/gw_detect80 echo 'echo -n > /var/log/g_gateway.txt' >> /usr/local/bin/gw_detect80 echo "mgmt_cli -r true show gateways-and-servers details-level full --format json | $CPDIR/jq/jq -r '.objects[] | select(.type | contains(\"Member\",\"simple-gateway\")) | .\"ipv4-address\"' |grep -v null|grep -v 0.0. > /var/log/g_gwl.txt" >> /usr/local/bin/gw_detect80 echo 'while read line' >> /usr/local/bin/gw_detect80 echo 'do' >> /usr/local/bin/gw_detect80 echo 'if $CPDIR/bin/cprid_util getarch -server $line |grep "gaia" > /dev/null;' >> /usr/local/bin/gw_detect80 echo 'then' >> /usr/local/bin/gw_detect80 echo 'echo "--------- GAIA $line "' >> /usr/local/bin/gw_detect80 echo 'echo "$line" >> /var/log/g_gateway.txt' >> /usr/local/bin/gw_detect80 echo 'else' >> /usr/local/bin/gw_detect80 echo 'echo "--------- STOP no SIC to gateway or no compatible gateway"' >> /usr/local/bin/gw_detect80 echo 'fi' >> /usr/local/bin/gw_detect80 echo 'done < /var/log/g_gwl.txt' >> /usr/local/bin/gw_detect80 chmod +x /usr/local/bin/gw_detect80 Versions:v0.1 - 04-14-2019 - -> betav0.2 - 04-16-2019 - -> remove bugsv0.3 - 04-17-2019 - -> split to two commands (gw_detect and the old commands)v0.4 - 05-05-2019 - -> add command "gw_detect80" Video tutorial: LITHIUM.OoyalaPlayer.addVideo('https:\/\/\/static\/v4\/production\/', 'lia-vid-9wdnRtaDE62K43G6H0BgrmwVXzp0YJzvw822h520r487', '9wdnRtaDE62K43G6H0BgrmwVXzp0YJzv', {"pcode":"kxN24yOtRYkiJthl3FdL1eXcRmh_","playerBrandingId":"ODI0MmQ3NjNhYWVjODliZTgzY2ZkMDdi","width":"822px","height":"520px"});(view in My Videos) Copyright by Heiko Ankenbrand 1996-2019

export the 4400 checkpoint configuration

Good morning.Is there a way to export the 4400 checkpoint configuration?I want to make a backup of security.thanks to everyone

No of Core mismatched with number of CPU

Hi,We have cluster R77.30 hosted in open server with 4 cores assigned for the compute. However, in one gateway we are seeing one CPU is functional in top. fw ctl get int fwlic_num_of_allowed_cores out shows four core is allowed.Then what could be the issue?GW#fw ctl get int fwlic_num_of_allowed_coresfwlic_num_of_allowed_cores = 4 GW# fw ctl affinity -l -rCPU 0:All: eth2 eth3 eth4 eth10 eth11 fw_0 fw_1 fw_2 in.geod mpdaemon fwd cprid cpd RegardsDipayan Nayak

Message seen on /var/log/messages - "simi_reorder_enqueue_packet"

Hi there guys, I'm seeing this message "simi_reorder_enqueue_packet" on /var/log/messages. Is this an indication traffic congestion? My network is momentarily encountering intermittent application connectivity especially on VOIP. As usual, no drops are seen on tracker and zebug. Hope someone had encountered this.