cancel
Showing results for 
Search instead for 
Did you mean: 
Create a Post
Enterprise Appliances and Gaia OS

Have questions about Security Gateway Appliances, Gaia OS, CoreXL, SecureXL, or ClusterXL? This is where to ask them! This also includes legacy operating systems like SecurePlatform, IPSO, or XOS.

For Small Business Security appliances (600/700/1200R/1400/1500), see the SMB Appliances and SMP space.

Changing clusterXL from HA to Active-active

We're looking of changing from our HA passive-active setup to active active. Unsure if we will go multicast or unicast yet.  I've been looking for any documentation on changing modes, and what considerations we should have, but have not found any. lots of information is available for setting them up from scratch.Anyone have any experience with doing this kind of change, or have any resources I can look at?  *Edit* - Meant to put this in the management board, not general topics. woops. Can we move the post?

VoIP Issue and SMB Appliance (600/1000/1200/1400)

  Issue description: Many of our customers have reported the following issue in recent weeks. Telephone VoIP connections are terminated and can no longer be established. Issue debug: On the firewall you see a typical issue with the following message if you start: # fw ctl zdebug drop Issue message: fwconn_key_init_links (INBOUND) failed Solution: There are two different Servers on the SIP/RTP provider's side that take part in the process of establishing the SIP/RTP call: Server for SIP (Management and control) Server for RTP (Media and Voice Data) Make sure that the UDP high ports from the internal RTP VoIP telephone system to the provider RTP server on the RTP provider's side are dropped by the rule base on 600 / 1100 / 1200 / 1400 appliance: RTP rules: Create a service for the UDP high ports and use it in an incoming Accept rule, which also has to allow the RTP ports. Create a drop rule to block outgoing connections from the Internal RTP server (VoIP telephone system) to the provider's RTP server on high UDP ports SIP rule: Create an allow rule for incoming and outgoing SIP traffic on UDP port 5060   Example:   A similar description can be found in SK104082.   Regards, Heiko
HeikoAnkenbrand
HeikoAnkenbrand inside Enterprise Appliances and Gaia OS Thursday
views 306161 223 336

R80.x Ports Used for Communication by Various Check Point Modules

Introduction This drawing should give you an overview of the used R80 and R77 ports respectively communication flows. It should give you an overview of how different Check Point modules communicate with each other. Furthermore, services that are used for firewall operation are also considered. These firewall services are also partially mapped as implied rules in the set on the firewall. Overview Download Download: R80.x Ports Used for Communication PDF (new R80.30 version) Chapter More interesting articles: - R80.x Architecture and Performance Tuning - Link Collection- Article list (Heiko Ankenbrand) References Support Center: Ports used by Check Point software  Versions   +v1.5a typos corrected 18.09.2019 old version 1.4:+ v1.4a bug fix, update port 1701 udp L2TP 09.04.2018+ v1.4b bug fix 15.04.2018+ v1.4c CPUSE update 17.04.2018+ v1.4d legend fixed 17.04.2018+ v1.4e add SmartLog and SmartView on port 443 20.04.2018+ v1.4f bug fix 21.05.2018+ v1.4g bug fix 25.05.2018+ v1.4h add Backup ports 21, 22, 69 UDP and ClusterXL full sync port 256  30.05.2018+ v1.4i add port 259 udp VPN link probeing 12.06.2018+ v1.4j bug fix 17.06.2018+ v1.4k add  OSPF/BGP route Sync 25.06.2018+ v1.4l bug fix routed 29.06.2018+ v1.4m bug fix tcp/udp ports 03.07.2018+ v1.4n add port 256 13.07.2018+ v1.4o bug fix / add TE ports 27.11.2018+ v1.4p bug fix routed port 2010 23.01.2019+ v1.4q change to new forum format 16.03.2019 old version 1.3:+ v1.3a new designe (blue, gray), bug fix, add netflow, new names 27.03.2018+ v1.3b add routing ports, bug fix designe 28.03.2018+ v1.3c bug fix, rename ports (old) 29.03.2018+ v1.3d bug fix 30.03.2018+ v1.3e fix issue L2TP UDP port 1701 old version 1.1:+ v1.1a - added r80.xx ports 16.03.2018+ v1.1b - bug in drawing fixed 17.03.2018+ v1.1c - add RSA, TACACS, Radius 19.03.2018+ v1.1d - add 900, 259 Client-auth - deleted od 4.0 ports 20.03.2018+ v1.1e - add OPSEC -delete R55 ports 21.03.2018+ v1.1f - bug fix 22.03.2018+ v1.1g - bug fix - add mail smtp -add dhcp - add snmp 25.03.2018 Copyright by Heiko Ankenbrand  1994-2019    

Cron job help

I literally need a cron job to run the commandioc_feeds pushI just can't get it to work in any format, bash, clish, Gaia GUI. I guess GUI would be simplest, I am running this:/etc/profile.d/CP.sh ; source /opt/CPsuite-R80.30/fw1/bin/ioc_feeds pushBut the email alert is telling me it's wrong: /opt/CPsuite-R80.30/fw1/bin/ioc_feeds: line 3: /Python/bin/python: No such file or directoryTrying to follow:sk90441And Gaia Admin guide which says: Note - If you wish to run a Check Point command, then use this syntax (see sk90441 http://supportcontent.checkpoint.com/solutions?id=sk90441😞 source /etc/profile.d/CP.sh ;But having zero luck. Please help.  

R80.30 set message banner fails

Hello everyone,I just tried to set a multiline message banner as I used to do in R77.30 (which did not change in R80.30) but could not:~~~~~~~~~~~~~~~~~~~~~~~~openserver> show message bannerBanner message: This system is for authorized use only.openserver> delete message banneropenserver> set message banner on line msgvalue "Only authorized personnel is allowed to connect to the server"openserver> set message banner on line msgvalue "Access is monitored"openserver> set message banner on line msgvalue "Additional laws and regulations may apply" openserver> show message bannerBanner message: This system is for authorized use only.~~~~~~~~~~~~~~~~~~~~~~~~The same in the WebUI:GAiA WebUI         Does anyone have a clue what might be causing this?  Best regardsCarsten

Save Backupfile to Unix Server through VPN Connection

Hi Checkmates,i want to configure on the SecurityGateway (Checkpoint Appliance 3100)  automatic Backup Job.The Destination is a central Unixserver in the Headquater by SCP connection through VPN Connection configured on this SecurityGateway. The SecurityGateway have more Interfaces and also one Interfaces to the Internet with static public IP-Address. This public IP-Address is also the MGMT IP of the Security Gateway. The Destination BackupServer have a private IP-Adress and is only reachable over the VPN-Connection.If I start the Backupjob the Backup is not successfully. If I check in the same time on the Backupserver the connections, then I see, the Gateway comes with the public IP and maybe this is the problem. My Question is, how to configure the Backupjob that the Securitygateway use another source IP (his private IP not the public MGMT IP-Address. 

R80.10 GW - VSX HA/VSLS - Loopback Interfaces on VS ?

Hi folks I'm currently staging 2 Open Server gateway  with ClusterXL HA and VSLS on R80.10, with the main goal to setup dynamic routing between Virtual Systems and some external routers using eBGP sessions.So far, the setup is running fine, but I want to go further.Is there any way to configure one or several loopback interfaces on a Virtual System ? If no, is there any chance this feature is already on development roadmap of future version ?I will open a case to Check Point support asap for this feature request.
Timothy_Hall
Timothy_Hall inside Enterprise Appliances and Gaia OS Wednesday
views 1010 6 26

Announcement - Max Power 2020: Check Point Firewall Performance Optimization (Third Edition)

The third edition of the book Max Power 2020: Check Point Firewall Performance Optimization is now available. For more information including the FAQ and a CPX-related discount code, please visit the site http://www.maxpowerfirewalls.com. Feel free to PM or email me with questions, but please be sure to read the FAQ in its entirety first.  Thanks!  
Employee

2 new Common Criteria certificates R80.30: Protection Profile and EAL4+ and certification update

I’m pleased to announce that Check Point have been awarded two new Common Criteria certificates for R80.30: EAL4+ certificate of R80.30  The Target of Evaluation (TOE) included claims for Firewall IPS Blade Pattern Matcher REST API Enterprise appliances, TE appliances, Smart-1, CloudGuard Protection Profile compliance of R80.30 The Target of Evaluation (TOE) included claims for Network Device Stateful Traffic Filter Firewall Extended VPN Package SmartConsole Enterprise appliances, TE appliances, Smart-1, CloudGuard The Protection Profile and EAL4+ listings include the Certificates, Security Target and Validation Report.  In addition R80.30 is now listed by the NSA CSFC component list for protecting classified NSS data, and qualifies for listing by NIAPC (NATO Information Assurance Product Catalogue), and the UK National Cyber Security Center (NCSB) Commercial Product Assurance (CPA) certification.   A full press release can be seen here:  https://www.globenewswire.com/news-release/2020/01/16/1971274/0/en/Check-Point-Software-Technologies-Receives-2-New-Common-Criteria-Certifications-to-Meet-the-Security-Needs-of-31-Nations.html   

What does VRRP State Flag "InterfaceDown" mean

On my cluster, the VRRP summary shows:VRRP StateVRRP Router State: UpFlags: On,MonitorFirewall,InterfaceDownInterface enabled: 17Virtual routers configured: 17In Init state 0In Backup state 17In Master state 0What does the flag "InterfaceDown" mean, and how is ist set?

How to use scripts from IPSO in Gaia as well

Hi allThe scripts used by IPSO can't be used as they have been moved to Gaia. Is there a problem with scripts?open 10.1.25.243user adminpasswdaspromptcd /var/loglcd c:\usffw_accesslog\krsefw05mget *messages*mget *wtmp*disconnectaspromptquitIt aims to import logs using ftp every night.   

PBR Rules/R80.30 and Hide NAT

Hi all, I have been given an answer by Check Point support, however wondered if anyone could explain to me what the changes are and the consequences of turning SecureXL off in the future. So - we migrated a customer to R80.30 from a R77.30 firewall.They have a list of PBR rules.An issue came up where certain traffic was being received on the correct interface, but was leaving on the incorrect one. There is a PBR rule to point the traffic back to the correct interface. (The traffic wasn't being picked up by another PBR rule, it was just following OS routes)Turning SecureXL off fixes the issue.Check Point support pointed me to sk163320.The customer does indeed translate his source IP, but his PBR rules was always set on the existing, original IP and not the NAT'd IP.It appears now that PBR is calculated after NAT, therefore on the NAT address - firstly, is my understanding correct?The customer is abit dismayed at the fact he now needs to adjust all his PBR rules to work with translated NAT source address. He also queries why this is the case in R80.20 and above, what changed? and also if he turns SecureXL off, will PBR's still be calculated on the NAT'd source address? or will he need to keep PBR rules for original and NAT'd addresses?
Employee

Script to get arp table and routing table

Hi there,        May I ask is there any previous sample script for accessing our GW to grab arp table and routing table from CLI via ssh?   thanks a lot David

New CheckPoint Appliances

Seeing as there's once again new CheckPoint appliances I wanted to get a thread going so we can collect some knowledge on the new units here. There was a Press Release on Tuesday January 14th, 2020 about the new units. It looks like a 3600 Quantum Security Gateway, 6200 Quantum Security Gateway, 6600 and 6900 Quantum Security Gateways, and a 16000 Quantum Turbo Hyerscale Gateway. Firstly I have to laugh a bit at the new naming as I type out the new Quantum naming, especially for the 16000 Quantum Turbo Hyperscale Gateway (what a mouthful); but I also wonder if the new Quantum naming is so that if people search for Quantum (thinking of Quantum computing) and CheckPoint at the same time they'll finally get a result. I've also been interested in the 6000 series as we were considering a 6500 cluster but noticed the 6500 and 6800 that came out last year still do not support the new 3.10 kernel, but the 6200, 6600 and 6900 units do. I do remember researching the CPU in the 5800 (Intel Xeon E3-1285L v4) which released in May 2016 compared to the CPU in the 6500 (Intel Core i7 4790S) which released in January 2019 and noticed that the older 5800 unit actually has a newer CPU. This has left me hoping that the new "Quantum" gateways actually have a proper hardware refresh with newer generation CPU's and DDR4 RAM. Another interesting thing I noticed is the new 6200 unit seems to have a different CPU (or is handicapped) based on which SKU you buy. The datasheet shows: 1x CPUs, 2 physical cores, 4 virtual cores (Base, Plus)1x CPUs, 4 physical cores (Turbo)This is the first time I can remember CheckPoint changing the CPU so much on the same model. Has anyone else gotten their hands on the new units or any interesting information you'd like to share? 😃🤔

Finding Bandwidth consuming for particular Host

Dear All, Just wanted to check if any workaround to check the Bandwidth consumed/consuming for particular host machine.Customer's Internet Bandwidth was choked due to "few hosts to some destination IP" consuming high.From SmartMonitor we can see only Source or Destination which is consuming.But we need to check for the "Which Source against Which Destination" more bandwidth consumed/consuming. Just like in Cisco command: --ip flow top-talkersCISCO-ASA#sh ip flow top-talkersSrcIf     SrcIPaddress         DstIf        DstIPaddress         Pr       SrcP      DstP         BytesGi0/1    172.215.114.126    Gi0/0      202.100.109.236     06       0050      BBEB         19MGi0/1    123.175.213.143    Gi0/0      202.100.109.236     06       0050      3891           16MIn above we could see 2 Sources against 2 Destinations with "Bytes" consumed.By any chance can we see something like this in CheckPoint?? Regards, Prabulingam.N