
dhcp responses over vlans from Gaia dhcpd

I would like to know if anyone has successfully configured dhcp in Gaia to serve addresses over vlans. In our case, a 3100 running R80.30. The eth2 interface leads to some wireless access points, and dhcp is configured in Gaia to lease addresses. All is well. However, we wish to make the distinction between SSIDs by trunking vlans from the WAPs to the 3100. So we remove the address from eth2 and instead make 4 vlans, with various vlan IDs, and dhcp scopes for each subinterface. Trunking is configured at the WAPs, the switch and the 3100. We now see requests come from the WAPs over the correct vlan, reach the 3100, get processed by dhcpd (confirmed in /var/log/messages), but the reply packet never leaves the firewall. We cannot see it with fw monitor, with fw ctl zdebug, or in the logs. Case opened with Support 6-0001773135 but no magic yet. Has anyone else been able to make dhcp in Gaia work over vlans? Thanks.

Connectivity issues from standby gateway after R80.10 -> R80.30 upgrade

Good day, I have recently completed an upgrade from R80.10 to R80.30 (Management + 2 gateways in HA cluster). The upgrade itself was successful but I have noticed one issue on the standby gateway. We cannot ping or do nslookups etc. from the standby node. License checks also fail on this node.

What I have attempted thus far:
Set "fw ctl set int fwha_forw_packet_to_not_active 1" on both gateways.
Followed the guidance in sk147093 (fw ctl zdebug output matched that in the SK, as per below, IP sanitised):

121670435;[cpu_1];[SIM-207375815];update_tcp_state: invalid state detected (current state: 0x10000, th_flags=0x10, cdir=0) -> dropping packet, conn: [<1.1.1.1,2022,2.2.2.2,88,6>][PPK0];
@;121670435;[cpu_1];[SIM-207375815];sim_pkt_send_drop_notification: (0,0) received drop, reason: general reason, conn:

It is important to note that all connectivity is restored when I do a fw unloadlocal. There have also been no changes to either NAT or firewall policies. I've found a couple of posts on CheckMates describing a similar issue, but unfortunately no resolution apart from the steps above. I will also log a TAC case, but I am hoping to hear if anyone has experienced similar issues after an upgrade?

Thanks,
Ruan

Smart-1 625 and R80.10

Hoping someone can clarify for me whether I should be able to re-image a Smart-1 625 with R80.10? It picks up the USB but the 625 is not listed in the boot options. I would have expected to see it in option 4 with the other Smart-1 models (Smart-1 5/25/50/200/400/525/3000/5050/5150). I selected option 4 anyway; the installation starts, then it tells me it's unable to find the driver. My contact at Check Point tells me R80.10 is listed as a supported version in the Smart-1 625 release notes, though personally I can't find any RN for this appliance. The R80.10 supported platforms list doesn't include the 625, but then again it doesn't include the 525, so I'm unsure how accurate it is. Can anyone help?

Low throughput from 4200 appliance

We have a Check Point 4200 appliance running as our gateway/firewall. Our WAN speed is 1Gbps, but we can only seem to get 100Mbps throughput from the appliance. I have connected a computer directly to our WAN connection to confirm WAN speed, and without going through the firewall I get the correct speed (1Gbps). The WAN interface (eth1) says "Link Speed: 1000Mbps / Full Duplex". I have been monitoring with CPview on the firewall, and I have not seen "Total Mbits/sec" go above 102 Mbps. To me it seems like speed is capped at 100Mbps. I am wondering what the cause of this can be, and what steps should I take to troubleshoot this issue? Appreciate any help.

When is the System Alert sent out?

What is the trigger of the "System Alert" displayed in the following settings? I want to test this setting, but I don't know how to do it. Please tell me as much as you know. Regards

NAT different ISPs to a single Host IP

Hi, I have 2 ISPs (ISP1 and ISP2) and I would like to do a static NAT from both ISPs (1 and 2) to a specific internal machine (WEB-1). I would like to know if this works? Because Check Point accepted the configuration but I can only get to WEB-1 using one of the public IPs (ISP1). I'm new to Check Point. Regards, Mauro

Multiple ISP traffic Segregation

Question 1: I have 2 ISPs (ISP-1 and ISP-2) that are doing load sharing. My DNS and WEB proxy are NATed to ISP-1 public IPs (ex. DNS = ISP-1 public IP: x.x.x.1; WEB = ISP-1 public IP: x.x.x.2). Recently we got another ISP (ISP-3), and we need to make sure that this ISP is only used by a specific service (ex. access to portal www.bbb.com) and no other traffic passes through this link.

Question 2: I have a total bandwidth of 60Mbps; I would like to reserve 10 Mbps for VPN, 10 Mbps for mail, etc. How do I guarantee that I will always have this bandwidth for these services? Regards, Mauro de Sousa

Partition /var/log has: 1487 of free space and its lower required :2000mb.

Hello mate: Kindly assist with the right steps to have this resolved. Thanks

How do I add SecureGateway to Cisco ISE 2.4 using RADIUS?

I'm having trouble adding a Check Point firewall to ISE 2.4. I've been following a blog where the author claims to have successfully added it to ISE 2.1 (here: http://mdtnets.blogspot.com/2016/07/checkpoint-gaia-radius-authentication.html). In the part where he gets to "Authentication Policy", I assume it's been replaced by Policy Sets. I am running into trouble setting up the condition "If DEVICE:Device Type Equals Device Type#All Device Types#Checkpoint". I can do the "if DEVICE:Device Type Equals: All Device Types" but am not given an option for any other parameters. Am I missing something here?

VPN Link Selection - Question

Hi all, I have another question for you. I have configured VPN link selection with "Outgoing Route Selection -> When initiating a tunnel -> Operating system routing table". Does the "Operating system routing table" contain PBR routes? Or are PBR routes in a separate table? Thanks and best regards, Francesco

Message seen on /var/log/messages - "simi_reorder_enqueue_packet"

Hi there guys, I'm seeing this message "simi_reorder_enqueue_packet" in /var/log/messages. Is this an indication of traffic congestion? My network is momentarily encountering intermittent application connectivity issues, especially on VOIP. As usual, no drops are seen in tracker and zdebug. Hope someone has encountered this.

R80.30 3.10 Interface issues?

Has anyone had issues with interfaces flapping on R80.30 3.10? I have two Intel x710 NIC cards installed on an HPE G10, where the ports from one card are in bond1 and ports from the other are in bond2. I was running R80.20 3.10, where everything was functioning. I upgraded to .30 and my ports on bond2 started flapping. I took the ports out of the bond and destroyed the PO on the switch, but the ports continue to flap. I'm hoping I'm missing something, but I've noticed weird things like the lacp-rate not honoring the clish setting (I set fast, but the bond shows slow), auto negotiate not honoring the clish setting (I set auto, ethtool says autoneg not supported), rx/tx ring size not honoring the clish setting (I increased it, but ethtool still shows default) and the default multiqueue setting does not match for all ports (the working 10G ports have more CPU allocated than they should). I have a ticket open, but was curious if others have this issue. I also installed JHF50 (ongoing take), but no dice. I tried this on two boxes, same result. I noticed the i40e driver was upgraded when I went to .30 3.10, so I tried to use the older version from .20 3.10, but no luck. The driver seems OK based on internet searches, but Check Point documentation says the i40e driver is for 40G NICs and not 10G. Maybe the driver should be the ixgbe driver, but 80.20 3.10 also used the i40e driver. Thoughts?
Danny inside Enterprise Appliances and Gaia OS a week ago

HowTo - Creating an scpuser account on Gaia Clish

While reviewing Check Point installations I often encounter setups where the shell of the admin user account was changed to /bin/bash in order to allow copying documents via scp to and from Check Point Gaia systems. This is because the scponly shell isn't known. Follow these steps to create an scpuser for copying documents securely without compromising your admin account.

[ R77.30 ]
add user scpuser uid 2600 homedir /home/scpuser
set user scpuser shell /usr/bin/scponly
set user scpuser password
save config

[ R80.x ]
add user scpuser uid 2600 homedir /home/scpuser
set user scpuser realname Scpuser
add rba role scpRole domain-type System readwrite-features expert
add rba user scpuser roles scpRole
set user scpuser gid 100 shell /usr/bin/scponly
set user scpuser password
save config

Gaia HealthCheck Script v7.01 released

Check Point released v7.01 of its Gaia HealthCheck Script. Script author: @Nathan_Davieau (LinkedIn profile)

What's new:
Added self-update routine
Added logger calls to write script statuses to /var/log/messages
Added check for Active SMS/DMS
Minor code improvements

Download: healthcheck.sh script v7.01 (12Sep2019)

'Invalid segment retransmission. Packet dropped.'

Hi All, we have a client not able to connect to an FTP server. The connection goes through the internal firewall and then gets dropped by our external CP (80.10). The sync packet is okay, but then it is actually dropped by the same rule that should be allowing it, with the 'Invalid segment retransmission. Packet dropped.' comment. Please see the screen below. We initially thought it was down to the application (FileZilla), but it seems it's the same, for example, from the Windows command line. Thank you for any comments.