Di_Junior inside Enterprise Appliances and Gaia OS 6 hours ago

OSPF Instances R80.20

Good day Mates, I have recently read about the possibility of creating different OSPF instances in R80.20. This feature is really important for us as we have had issues with OSPF before, and we decided to use static routes instead. I would like to know if anyone has already implemented OSPF instances and if it is working as expected. Thanks in advance.

SSH Cipher, SSH Hmac Version

Can anyone provide me the steps to change the SSH server cipher and HMAC version? Thanks, Win
HeikoAnkenbrand inside Enterprise Appliances and Gaia OS 7 hours ago

GAIA - Easy execute CLI commands on all gateways simultaneously

Now you can use the new commands "gw_mbash" and "gw_mclish" to execute bash or clish commands on all gateways simultaneously from the management server. All you have to do is copy and paste the above lines to the management server. After that you have two new commands on the management server. Here you can now centrally execute simple commands on all gateways which are connected via SIC with the management.

Attention! You can quickly destroy your gateways if you enter the wrong commands!

Command syntax:

# gw_detect
# gw_detect80
Detect all your gateways that are supported by this tool. This command only needs to be executed once or when gateways changed in the topology. All found gateways are stored as IP addresses in the file /var/log/g_gateway.txt. All added IP addresses will be used later to execute commands on these gateways. The file can also be edited manually to add gateway IP addresses. The execution of this command may take a few minutes. Use the command "gw_detect80" on R80.x gateways; it is a little bit faster. Use the command "gw_detect" on R77.x gateways.

# gw_mbash <command>
Execute an expert mode command on all gateways simultaneously.

# gw_mclish <command>
Execute a clish command on all gateways simultaneously.

An example! You want to see the version of all gateways that are defined in the topology.

Management# gw_detect -> start this command first to detect all your supported gateways, or "gw_detect80" on R80.x gateways
Management# gw_mclish show version os edition -> execute this command on all gateways

Now the command "show version os edition" is executed on all gateways and the output is displayed on the management server, sorted according to the IP addresses of the gateways in the firewall topology. The same also works for the expert mode.

For example:

Management# gw_detect -> start this command first to detect all your supported gateways, or "gw_detect80" on R80.x gateways
Management# gw_mbash fw ver -> execute this command on all gateways

Tip 1
Use this command to backup your clish configs from all gateways.

Management# gw_mclish show configuration > backup_clish_all_gateways.txt

This can also be started as a simple cronjob 😀.

Tip 2
Check central performance settings for all gateways:

Management# gw_mbash fw tab -t connections -s -> show state table for all gateways
Management# gw_mbash fwaccel stat -> show fwaccel state for all gateways
Management# gw_mbash ips stat -> check on which gateway IPS is enabled
...

Copy and paste these lines to the management server or download the script "new_multi_commands.sh" and execute the script.

# gw_mbash: run an expert mode (bash) command on every gateway listed in /var/log/g_gateway.txt
echo '#!/bin/bash' > /usr/local/bin/gw_mbash
echo 'if [ ! -f /var/log/g_gateway.txt ]; then' >> /usr/local/bin/gw_mbash
echo 'echo "First start \"gw_detect\" and/or edit the file /var/log/g_gateway.txt manually. Add here all your gateway IP addresses."' >> /usr/local/bin/gw_mbash
echo 'else' >> /usr/local/bin/gw_mbash
echo 'HAtest="$@"' >> /usr/local/bin/gw_mbash
echo 'echo "$HAtest" > /var/log/g_command.txt;' >> /usr/local/bin/gw_mbash
echo 'while read line' >> /usr/local/bin/gw_mbash
echo 'do' >> /usr/local/bin/gw_mbash
echo 'if $CPDIR/bin/cprid_util getarch -server $line |grep "gaia" > /dev/null;' >> /usr/local/bin/gw_mbash
echo 'then' >> /usr/local/bin/gw_mbash
echo 'echo "--------- GAIA $line execute command: $HAtest"' >> /usr/local/bin/gw_mbash
echo '$CPDIR/bin/cprid_util -server $line putfile -local_file /var/log/g_command.txt -remote_file /var/log/g_command.txt;' >> /usr/local/bin/gw_mbash
echo '$CPDIR/bin/cprid_util -server $line -verbose rexec -rcmd /bin/bash -f /var/log/g_command.txt' >> /usr/local/bin/gw_mbash
echo 'else' >> /usr/local/bin/gw_mbash
echo 'echo "--------- STOP $line Error: no SIC to gateway or no compatible gateway"' >> /usr/local/bin/gw_mbash
echo 'fi' >> /usr/local/bin/gw_mbash
echo 'done < /var/log/g_gateway.txt' >> /usr/local/bin/gw_mbash
echo 'fi' >> /usr/local/bin/gw_mbash
chmod +x /usr/local/bin/gw_mbash

# gw_mclish: same as gw_mbash, but the command file is executed by /bin/clish on each gateway
echo '#!/bin/bash' > /usr/local/bin/gw_mclish
echo 'if [ ! -f /var/log/g_gateway.txt ]; then' >> /usr/local/bin/gw_mclish
echo 'echo "First start \"gw_detect\" and/or edit the file /var/log/g_gateway.txt manually. Add here all your gateway IP addresses."' >> /usr/local/bin/gw_mclish
echo 'else' >> /usr/local/bin/gw_mclish
echo 'HAtest="$@"' >> /usr/local/bin/gw_mclish
echo 'echo "$HAtest" > /var/log/g_command.txt;' >> /usr/local/bin/gw_mclish
echo 'while read line' >> /usr/local/bin/gw_mclish
echo 'do' >> /usr/local/bin/gw_mclish
echo 'if $CPDIR/bin/cprid_util getarch -server $line |grep "gaia" > /dev/null;' >> /usr/local/bin/gw_mclish
echo 'then' >> /usr/local/bin/gw_mclish
echo 'echo "--------- GAIA $line execute command: $HAtest"' >> /usr/local/bin/gw_mclish
echo '$CPDIR/bin/cprid_util -server $line putfile -local_file /var/log/g_command.txt -remote_file /var/log/g_command.txt;' >> /usr/local/bin/gw_mclish
echo '$CPDIR/bin/cprid_util -server $line -verbose rexec -rcmd /bin/clish -f /var/log/g_command.txt' >> /usr/local/bin/gw_mclish
echo 'else' >> /usr/local/bin/gw_mclish
echo 'echo "--------- STOP $line Error: no SIC to gateway or no compatible gateway"' >> /usr/local/bin/gw_mclish
echo 'fi' >> /usr/local/bin/gw_mclish
echo 'done < /var/log/g_gateway.txt' >> /usr/local/bin/gw_mclish
echo 'fi' >> /usr/local/bin/gw_mclish
chmod +x /usr/local/bin/gw_mclish

# gw_detect (R77.x): extract gateway IPs from objects.C, keep those that answer over SIC as Gaia
echo '#!/bin/bash' > /usr/local/bin/gw_detect
echo 'echo -n > /var/log/g_gateway.txt' >> /usr/local/bin/gw_detect
echo "more $FWDIR/conf/objects.C |grep -A 500 -B 1 ':type (gateway)'| sed -n '/gateway/,/:ipaddr (/p' | grep 'ipaddr (' | sed 's/^[ \t]*//' | sed 's/\:ipaddr (//' |sed 's/)//' > /var/log/g_gwl.txt" >> /usr/local/bin/gw_detect
echo 'while read line' >> /usr/local/bin/gw_detect
echo 'do' >> /usr/local/bin/gw_detect
echo 'if $CPDIR/bin/cprid_util getarch -server $line |grep "gaia" > /dev/null;' >> /usr/local/bin/gw_detect
echo 'then' >> /usr/local/bin/gw_detect
echo 'echo "--------- GAIA $line "' >> /usr/local/bin/gw_detect
echo 'echo "$line" >> /var/log/g_gateway.txt' >> /usr/local/bin/gw_detect
echo 'else' >> /usr/local/bin/gw_detect
echo 'echo "--------- STOP no SIC to gateway or no compatible gateway"' >> /usr/local/bin/gw_detect
echo 'fi' >> /usr/local/bin/gw_detect
echo 'done < /var/log/g_gwl.txt' >> /usr/local/bin/gw_detect
chmod +x /usr/local/bin/gw_detect

# gw_detect80 (R80.x): query gateway IPs via the management API instead of parsing objects.C
echo '#!/bin/bash' > /usr/local/bin/gw_detect80
echo 'echo -n > /var/log/g_gateway.txt' >> /usr/local/bin/gw_detect80
echo "mgmt_cli -r true show gateways-and-servers details-level full --format json | $CPDIR/jq/jq -r '.objects[] | select(.type | contains(\"Member\",\"simple-gateway\")) | .\"ipv4-address\"' |grep -v null|grep -v 0.0. > /var/log/g_gwl.txt" >> /usr/local/bin/gw_detect80
echo 'while read line' >> /usr/local/bin/gw_detect80
echo 'do' >> /usr/local/bin/gw_detect80
echo 'if $CPDIR/bin/cprid_util getarch -server $line |grep "gaia" > /dev/null;' >> /usr/local/bin/gw_detect80
echo 'then' >> /usr/local/bin/gw_detect80
echo 'echo "--------- GAIA $line "' >> /usr/local/bin/gw_detect80
echo 'echo "$line" >> /var/log/g_gateway.txt' >> /usr/local/bin/gw_detect80
echo 'else' >> /usr/local/bin/gw_detect80
echo 'echo "--------- STOP no SIC to gateway or no compatible gateway"' >> /usr/local/bin/gw_detect80
echo 'fi' >> /usr/local/bin/gw_detect80
echo 'done < /var/log/g_gwl.txt' >> /usr/local/bin/gw_detect80
chmod +x /usr/local/bin/gw_detect80

Versions:
v0.1 - 04-14-2019 - gw_multi_commands_v0.1.sh -> beta
v0.2 - 04-16-2019 - gw_multi_commands_v0.2.sh -> remove bugs
v0.3 - 04-17-2019 - gw_multi_commands_v0.3.sh -> split to two commands (gw_detect and the old commands)
v0.4 - 05-05-2019 - gw_multi_commands_v0.4.sh -> add command "gw_detect80"

Copyright by Heiko Ankenbrand 1996-2019
Jan_Kleinhans inside Enterprise Appliances and Gaia OS 8 hours ago

R80.20 MTU and SecureXL Problem

Hello, we have an Ethernet link (no VPN from Check Point) to a network where the MTU is 1422. If we set the MTU on the interface and disable SecureXL, the clients (with the default MTU of 1500) get the ICMP fragmentation packet and start to send packets with a smaller MTU. When we reactivate SecureXL, the clients start to send 1500 byte packets again and do not get an ICMP fragmentation packet from the firewall. We are using a Check Point 5600 cluster with R80.20 with the latest HFA. Did anybody have the same problem? Jan

What is the expected traffic in a packet capture for Check Point High Availability?

While working on an issue I noticed this on a Wireshark packet capture on my Nexus 9000 switch, which is connected to a 15400 XL running Gaia 80.33 (whatever the current version is). There are two 15400 XL in DC1 and 2 in DC2. The 4 are all clustered together for the VSS. The 192.168.xxx.xx is Check Point's "internal switch" address. My question is: should I be seeing these messages sent to the switchport that is connected to the firewall? The port that is connected to the firewall from the Nexus is for multicast traffic. I did a packet capture in our QA environment, which is a mirror of our production with the exception that there are only 2 15400 XL, and I don't see the messages below. Is this a misconfiguration of the Firewall High Availability being sent to the Nexus connecting port?

2019-07-10 15:34:26.154998 0.0.0.0 -> 192.168.xxx.xx CPHA CPHAv3223: FWHA_MY_STATE
2019-07-10 15:34:26.155007 0.0.0.0 -> 0.0.0.0 CPHA CPHAv3223: FWHA_IFCONF_REQ
2019-07-10 15:34:26.155010 0.0.0.0 -> 0.0.0.0 CPHA CPHAv3223: FWHA_IFCONF_REQ
2019-07-10 15:34:26.155013 0.0.0.0 -> 0.0.0.0 CPHA CPHAv3223: FWHA_IFCONF_REQ

'Invalid segment retransmission. Packet dropped.'

Hi All, we have a client not able to connect to an FTP server. The connection goes through the internal firewall and then gets dropped by our external CP (80.10). The SYN packet is okay, but then it is actually dropped by the same rule that should be allowing it, with the 'Invalid segment retransmission. Packet dropped.' comment. Please see the below screen. We initially thought it was down to the application (FileZilla), but it seems it's the same, for example, from the Windows command line. Thank you for any comments.

CPAP-23800 and CPAC-2-40F-B

Hi, are there guidelines on how to install two CPAC-2-40F-B modules into a CPAP-23800 appliance in order to achieve optimal performance (CPU/PCIe topology)? I had a look into the various guides, sk116742 and sk107516, but wasn't able to find any information about which CPU connects to which expansion slot. Bye, Michael

Not able to find the serial no.

Hi everyone. I have a UTM-1 570 and I want to get the serial number of the device, but I am not able to do that. Please suggest the CLI command to get the serial number of the unit. Thanks in advance.

Dropped Radius Packets with 80.20 Gateway

Hello, I just upgraded a CPAP-13500 cluster to R80.20. Everything worked fine except that RADIUS packets (1812/udp) larger than about 1000 bytes are getting dropped without a log, not even with a drop debug message. It seems like they get dropped at the interface level, somewhere between the interface and the In-Chain. If I tcpdump on the incoming and outgoing interfaces, I can see packets incoming to the gateway but none leaving on the outgoing interface. If I'm using fw monitor, I can't even see any packets. Reverting to R77.30 solved the problem. Does anybody have a clue? Is this a known issue? Bye, Michael

Proxy ARP after upgrade to R80.30

This week we had some clusters upgraded from R80.10 to R80.30; the customer wants the new and improved HTTPS functionality. When we were done, on 2 VRRP clusters we had some automatic NAT and a special Hide NAT (for WiFi guests). After upgrading you install the policy twice, first the access policy and then again for the Threat Prevention policy. After some time we were told the Guest WiFi did not work; investigation pointed in the end to the proxy ARP that was not active, so we added the Proxy ARP command for the Hide address and pushed the access policy (the third time). After looking with fw ctl arp we then saw 2 Proxy ARP addresses, the one we added and the other was an automatic NAT. After removing the manual Proxy ARP again, fw ctl arp kept showing both ARP entries. When we upgraded the other cluster we checked again after 1, 2 and 3 pushes of the access policy, and only after the third push did the Proxy ARP addresses show up. It has been reported and R&D will be informed.

Netflow for R80.10

Has anyone ever sent NetFlow data to Stealthwatch? I can't find any data sheet that lists the collectors that are compatible with Check Point Firewall.

R77.10 maintenance mode

Hi, after rebooting the primary in an XL cluster, I got the below message:

*** please reboot in the maintenance mode to repair filesystem

When I rebooted the firewall, I can't see "press any key to see boot menu". I read it could be defaulted to 0 seconds. Is there anything I can do? Any advice is highly appreciated.

High dispatcher cpu

I've had ongoing issues since moving to R80.x with high dispatcher core usage. We have 21800 gateways. We've had multiple TAC cases; they had us add a 3rd dispatcher core and set the affinity for the cores manually, but I still consistently see the 10Gb interfaces spike the dispatcher CPUs in what should be low utilization situations for this model GW. We are on R80.20 jumbo 87; gateways were freshly reinstalled direct on R80.20 after continuous crashes across both cluster members in the last few days (will not be upgrading the cluster in place again). Priority queues are off per TAC. Any ideas would be appreciated... put some info below for context.

CPU 0: eth1-02 eth1-04
CPU 1: eth3-02 eth1-01 eth1-03
CPU 2: eth3-01 eth3-03 eth3-04 Mgmt
CPU 3: fw_16 in.acapd fgd50 lpd cp_file_convertd rtmd usrchkd rad in.geod mpdaemon in.msd wsdnsd pdpd pepd in.asessiond vpnd fwd cpd cprid
CPU 4: fw_15 in.acapd fgd50 lpd cp_file_convertd rtmd usrchkd rad in.geod mpdaemon in.msd wsdnsd pdpd pepd in.asessiond vpnd fwd cpd cprid
CPU 5: fw_14 in.acapd fgd50 lpd cp_file_convertd rtmd usrchkd rad in.geod mpdaemon in.msd wsdnsd pdpd pepd in.asessiond vpnd fwd cpd cprid
CPU 6: fw_13 in.acapd fgd50 lpd cp_file_convertd rtmd usrchkd rad in.geod mpdaemon in.msd wsdnsd pdpd pepd in.asessiond vpnd fwd cpd cprid
CPU 7: fw_12 in.acapd fgd50 lpd cp_file_convertd rtmd usrchkd rad in.geod mpdaemon in.msd wsdnsd pdpd pepd in.asessiond vpnd fwd cpd cprid
CPU 8: fw_11 in.acapd fgd50 lpd cp_file_convertd rtmd usrchkd rad in.geod mpdaemon in.msd wsdnsd pdpd pepd in.asessiond vpnd fwd cpd cprid
CPU 9: fw_10 in.acapd fgd50 lpd cp_file_convertd rtmd usrchkd rad in.geod mpdaemon in.msd wsdnsd pdpd pepd in.asessiond vpnd fwd cpd cprid
CPU 10: fw_9 in.acapd fgd50 lpd cp_file_convertd rtmd usrchkd rad in.geod mpdaemon in.msd wsdnsd pdpd pepd in.asessiond vpnd fwd cpd cprid
CPU 11: fw_8 in.acapd fgd50 lpd cp_file_convertd rtmd usrchkd rad in.geod mpdaemon in.msd wsdnsd pdpd pepd in.asessiond vpnd fwd cpd cprid
CPU 12: fw_7 in.acapd fgd50 lpd cp_file_convertd rtmd usrchkd rad in.geod mpdaemon in.msd wsdnsd pdpd pepd in.asessiond vpnd fwd cpd cprid
CPU 13: fw_6 in.acapd fgd50 lpd cp_file_convertd rtmd usrchkd rad in.geod mpdaemon in.msd wsdnsd pdpd pepd in.asessiond vpnd fwd cpd cprid
CPU 14: fw_5 in.acapd fgd50 lpd cp_file_convertd rtmd usrchkd rad in.geod mpdaemon in.msd wsdnsd pdpd pepd in.asessiond vpnd fwd cpd cprid
CPU 15: fw_4 in.acapd fgd50 lpd cp_file_convertd rtmd usrchkd rad in.geod mpdaemon in.msd wsdnsd pdpd pepd in.asessiond vpnd fwd cpd cprid
CPU 16: fw_3 in.acapd fgd50 lpd cp_file_convertd rtmd usrchkd rad in.geod mpdaemon in.msd wsdnsd pdpd pepd in.asessiond vpnd fwd cpd cprid
CPU 17: fw_2 in.acapd fgd50 lpd cp_file_convertd rtmd usrchkd rad in.geod mpdaemon in.msd wsdnsd pdpd pepd in.asessiond vpnd fwd cpd cprid
CPU 18: fw_1 in.acapd fgd50 lpd cp_file_convertd rtmd usrchkd rad in.geod mpdaemon in.msd wsdnsd pdpd pepd in.asessiond vpnd fwd cpd cprid
CPU 19: fw_0 in.acapd fgd50 lpd cp_file_convertd rtmd usrchkd rad in.geod mpdaemon in.msd wsdnsd pdpd pepd in.asessiond vpnd fwd cpd cprid
All: scanengine_b

sim affinity -l
Mgmt : 2
eth1-01 : 1
eth1-02 : 0
eth1-03 : 1
eth1-04 : 0
eth3-01 : 2
eth3-02 : 1
eth3-03 : 2
eth3-04 : 2

fwaccel stats -s
Accelerated conns/Total conns : 5632/11726 (48%)
Accelerated pkts/Total pkts : 87217254/91349341 (95%)
F2Fed pkts/Total pkts : 4132087/91349341 (4%)
F2V pkts/Total pkts : 349157/91349341 (0%)
CPASXL pkts/Total pkts : 78606120/91349341 (86%)
PSLXL pkts/Total pkts : 5653296/91349341 (6%)
CPAS inline pkts/Total pkts : 0/91349341 (0%)
PSL inline pkts/Total pkts : 0/91349341 (0%)
QOS inbound pkts/Total pkts : 89478397/91349341 (97%)
QOS outbound pkts/Total pkts : 90834289/91349341 (99%)
Corrected pkts/Total pkts : 0/91349341 (0%)

fw ctl multik stat
ID | Active | CPU | Connections | Peak
----------------------------------------------
0  | Yes | 19 | 927  | 1104
1  | Yes | 18 | 805  | 943
2  | Yes | 17 | 781  | 1606
3  | Yes | 16 | 814  | 1217
4  | Yes | 15 | 944  | 1722
5  | Yes | 14 | 895  | 1152
6  | Yes | 13 | 1102 | 1680
7  | Yes | 12 | 781  | 1674
8  | Yes | 11 | 1063 | 1063
9  | Yes | 10 | 741  | 1024
10 | Yes | 9  | 1002 | 1053
11 | Yes | 8  | 810  | 1016
12 | Yes | 7  | 799  | 964
13 | Yes | 6  | 831  | 1837
14 | Yes | 5  | 833  | 1017
15 | Yes | 4  | 841  | 1087
16 | Yes | 3  | 862  | 1329

free -m
                  total       used       free     shared    buffers     cached
Mem:              64282      12574      51708          0        105       3124
-/+ buffers/cache:           9344      54938
Swap:             32765          0      32765

Check and config SSHv1 or SSHv2 on GAIA

Check and config the supported SSH protocol version.

Method One

If you want to check what SSH protocol versions are supported by a local OpenSSH server, you can refer to the /etc/ssh/sshd_config file. Open /etc/ssh/sshd_config with a vi editor and look for the "Protocol" field. You can also config the version over this parameter. If you change the parameter, you should restart sshd. If it shows the following, it means that the OpenSSH server supports SSH2 only.

Protocol 2

If it displays the following instead, the OpenSSH server supports both SSH1 and SSH2.

Protocol 1,2

Method Two

If you cannot access /etc/ssh/sshd_config because the OpenSSH server is running on a remote server, you can test its SSH protocol support by using the SSH client program called ssh. More specifically, we force ssh to use a specific SSH protocol and see how the remote SSH server responds. The following command will force the ssh command to use SSH1:

# ssh -1 user@remote_server

If the remote SSH server supports SSH2 only, the first command with the "-1" option will fail with an error message like this:

# ssh -2 user@remote_server
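As an added example (not part of the post above), a POSIX shell function that applies Method One programmatically: it reads the Protocol keyword the way sshd does (first occurrence wins, comment lines ignored) and classifies the config as SSH2-only, SSH1-enabled, or unset. The sample sshd_config files it checks are constructed inline so it runs stand-alone.

```shell
#!/bin/sh
# Classify an sshd_config by its Protocol keyword (Method One above).
# Prints one of: ssh2-only, ssh1-enabled, unset, unknown:<value>.
# "unset" means the server's compiled-in default applies, which this
# script does not guess; treat it as something to verify with Method Two.
ssh_protocol_policy() {
    # $1 = path to an sshd_config file
    proto=$(awk '
        /^[[:space:]]*#/ { next }                      # comment line, ignore
        tolower($1) == "protocol" { print $2; exit }   # sshd keeps the first match
    ' "$1")
    case "$proto" in
        "")  echo "unset" ;;
        2)   echo "ssh2-only" ;;
        *1*) echo "ssh1-enabled" ;;    # "1", "1,2" or "2,1" all allow SSH1
        *)   echo "unknown:$proto" ;;
    esac
}

# Constructed sample configs (not from any real gateway), written to a temp dir.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
# A commented-out "Protocol 1,2" must not count; the live line says 2.
printf '# Protocol 1,2\nProtocol 2\nPort 22\n' > "$tmp/ssh2_only"
# Lower-case keyword with leading blanks, and a later line sshd ignores.
printf 'Port 22\n   protocol 1,2\nProtocol 2\n' > "$tmp/ssh1_enabled"
# No Protocol line at all.
printf 'Port 22\n' > "$tmp/unset"

for f in ssh2_only ssh1_enabled unset; do
    echo "$f: $(ssh_protocol_policy "$tmp/$f")"
done
```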

VPN Routing through Center?

We need the following traffic flow: satellite GWs from branches B and C need to contact Remote GW X, and the traffic must always pass through Center A.

Example: host (behind branch B or C) =====VPN====> Center A =====VPN=====> Server (behind Remote GW X)

So now the question is: how to configure the "Remote GW X"? Please share configuration methods and suggestions. Thanks!