Enterprise Appliances and Gaia OS

Have questions about Security Gateway Appliances, Gaia OS, CoreXL, SecureXL, or ClusterXL? This is where to ask them! This also includes legacy operating systems like SecurePlatform, IPSO, or XOS.

For Small Business Security appliances (600/700/1200R/1400/1500), see the SMB Appliances and SMP space.

HeikoAnkenbrand inside Enterprise Appliances and Gaia OS 7 hours ago

R80.x Ports Used for Communication by Various Check Point Modules

Introduction

This drawing gives an overview of the ports used by R80 and R77 and the corresponding communication flows, i.e. how the different Check Point modules communicate with each other. Services needed for firewall operation are also included; some of these firewall services are mapped as implied rules in the rulebase on the firewall.

Overview

More interesting articles:
- R80.x Architecture and Performance Tuning - Link Collection
- Article list (Heiko Ankenbrand)

References

Support Center: Ports used by Check Point software

Versions

+ v1.5a typos corrected 18.09.2019

old version 1.4:
+ v1.4a bug fix, update port 1701 udp L2TP 09.04.2018
+ v1.4b bug fix 15.04.2018
+ v1.4c CPUSE update 17.04.2018
+ v1.4d legend fixed 17.04.2018
+ v1.4e add SmartLog and SmartView on port 443 20.04.2018
+ v1.4f bug fix 21.05.2018
+ v1.4g bug fix 25.05.2018
+ v1.4h add Backup ports 21, 22, 69 UDP and ClusterXL full sync port 256 30.05.2018
+ v1.4i add port 259 udp VPN link probing 12.06.2018
+ v1.4j bug fix 17.06.2018
+ v1.4k add OSPF/BGP route Sync 25.06.2018
+ v1.4l bug fix routed 29.06.2018
+ v1.4m bug fix tcp/udp ports 03.07.2018
+ v1.4n add port 256 13.07.2018
+ v1.4o bug fix / add TE ports 27.11.2018
+ v1.4p bug fix routed port 2010 23.01.2019
+ v1.4q change to new forum format 16.03.2019

old version 1.3:
+ v1.3a new design (blue, gray), bug fix, add netflow, new names 27.03.2018
+ v1.3b add routing ports, bug fix design 28.03.2018
+ v1.3c bug fix, rename ports (old) 29.03.2018
+ v1.3d bug fix 30.03.2018
+ v1.3e fix issue L2TP UDP port 1701

old version 1.1:
+ v1.1a - added r80.xx ports 16.03.2018
+ v1.1b - bug in drawing fixed 17.03.2018
+ v1.1c - add RSA, TACACS, Radius 19.03.2018
+ v1.1d - add 900, 259 Client-auth - deleted old 4.0 ports 20.03.2018
+ v1.1e - add OPSEC - delete R55 ports 21.03.2018
+ v1.1f - bug fix 22.03.2018
+ v1.1g - bug fix - add mail smtp - add dhcp - add snmp 25.03.2018

Copyright by Heiko Ankenbrand 1994-2019

Filtering learned BGP routes

Good Afternoon,

I'm setting up a new datacenter cluster and I'm going to be learning routes from three peers via BGP. I understand I need an inbound filter to add them to my routing table, but I don't want to blindly learn any route that I'm sent based on AS number. How can I set up a prefix list and apply it to a neighbor (in Cisco terms) so I can trust but verify?

I understand it's probably in CLI as opposed to WebUI, but I'm having trouble finding documentation for specifically what I'm trying to do. Any guidance would be appreciated.

Thanks,
Paul

Demonstrating pause frames

Hello!

I am trying to find a mysterious source of packet loss using my R80.10 JHF 225 gateways. The administrator of the access layer is saying their switch is receiving "pause frames" from the firewall and so it's dropping packets it cannot deliver in a timely manner. I am not sure how to evaluate this - from reading, it does not appear that they would necessarily show up in a packet capture. I've also read that those perhaps exclusively originate from an endpoint or a switch. I tried a tcpdump from the gateway and the wireshark filter "macc.opcode == pause" - no results.

In the specific scenario I am troubleshooting, which I hope is indicative of the larger problem, an attempt to connect to an https server reliably gets SYN - SYN/ACK - ACK - Client Hello ... Client Hello ... RST (from server). We've seen it before with a QoS/CoS issue on our switch hardware.

In searching for similar issues, I found https://community.checkpoint.com/t5/General-Topics/Ifconfig-dropped-explanation/m-p/24447#M4885 but ifconfig does not report any Rx or Tx errors, so our situation does not map well to that scenario.

I'm not getting indications that the gateway is under any meaningful load, though cpview does show 195,627 "Instance High CPU" drops, albeit on an "Inbound Packets/sec" rate of around 70k.

How can I determine whether the gateway is telling the switch to suspend passing packets?

Help with SNMP

Hi all,

Is anyone able to help with an SNMP query please? My customer has SNMP traps enabled within GAIA, and they are getting tons and tons of Cold Start Notifications. Pasted below is just a very small sample of what they are seeing on their SNMP system. I kind of get why it's alerting on so many things because the values are higher than the expected "0.000000". I have two questions.

Firstly - for my own understanding, what are "Cold Start Notifications" anyway? (I've looked in the WebUI and the "coldStart" trap is currently disabled.)

Secondly, is there a way to change the values/thresholds? E.g. if the fan speed is 11.76, but Gaia thinks it should be 0.00000, how can I alter this setting? Clearly a fan speed should be more than 0.00, otherwise it's broken and the machine will overheat. So a speed of 11.76 is probably normal and therefore I don't want to get continual alerts about it. So how do I alter it from 0.00 to, say, 12? So that it only alerts me if the fans are running too quickly - or too slowly? Or the CPU temperature is too low, or too high (but doesn't alert when it's a normal temperature)?

Thanks! 😁

Cold Start Notification at 13:25 - Info.

ECMP with OSPF - how the gateway determines the next-hop

Hello,

We have a setup where a ClusterXL is connected to two ASR routers and OSPF is running. The ASRs advertise the default route to the cluster and the cluster installs these default routes in its routing table, so it has two equal-cost default routes to two different next hops. The ASRs are used as our internet routers and they perform hide NAT when accessing the internet.

We are now facing an issue where one TCP session is routed towards router 1, gets NATed using that router's hide NAT pool, and at a certain time the CP gateway might choose the 2nd router for the same flow; it then gets a different hide NAT IP and hence the session is being terminated.

Is it possible to set the CheckPoint to maintain the same session to be routed to the same router? How does the CheckPoint determine which default route to use? I am reading this article and it says:

(4) Limitations
- "Round robin" next hop algorithm is not supported.
- "Source hash" next hop algorithm is not supported.
- "Destination hash" next hop algorithm is not supported.
- ECMP over OSPF supports up to 8 simultaneous routes.

So, what is then the algorithm that the CheckPoint uses in order to determine the next hop?

Blink for fresh install?

We've been doing fresh installs on gateways whenever we upgrade to a major rev, so as not to leave previous files behind. As more of our work becomes remote/international, fresh install on appliances becomes more difficult to arrange.  We came across the Blink utility in Checkmates. Is the Blink utility as good as doing a fresh install? If so, can it be used to upgrade R75 and R77 to R80.10 as a fresh install? @phoneboy

Upgrade to R80.30 fails

Standalone full HA deployment running R80.10 in a test lab environment. Trying to upgrade to R80.30 using the following guide:
https://sc1.checkpoint.com/documents/R80.30/WebAdminGuides/EN/CP_R80.30_Installation_and_Upgrade_Guide/html_frameset.htm

I've exported the R80.30_T200_Fresh_Install_and_Upgrade_Security_Gateway.tgz file from a separate (LIVE) firewall and imported this onto the 2nd cluster member, as the cluster doesn't have internet connectivity.

When attempting to upgrade (right click and selecting 'Upgrade') the installation fails shortly after. Here is a copy of the install log:

[11/08/19 - 15:44:59][18264 4126043024]:------ Installing: ------
[11/08/19 - 15:45:00][18264 4126043024]:------ Validating Install: ------
[11/08/19 - 15:45:00][18264 4126043024]:/var/log/CPda/metadata/CheckPoint#Major#All#6.0#5#0#R80.30_GW_T200/tmp//major.conf file is in wrong format, unknown key: NEW_UPGRADE_VERSION
[11/08/19 - 15:45:00][18264 4126043024]:Error: Could not read config file /var/log/CPda/metadata/CheckPoint#Major#All#6.0#5#0#R80.30_GW_T200/tmp//major.conf

Any assistance with this would be greatly appreciated.

OSPF instance

We are running R80.20 on VSX and have a question about the OSPF instance. The firewall has the OSPF default instance going to another firewall on vlan-97, as follows.

> show configuration ospf
set ospf instance default graceful-restart-helper on
set ospf instance default area backbone on
set ospf instance default interface bond0.97 area backbone on
set ospf instance default import-routemap ospf-bast-import preference 10 on
set ospf instance default export-routemap ospf-bast-export preference 10 on

Now we want to add 3 new vlans: 35, 36, 37. Each vlan has a /30 subnet, one IP on the firewall and the 2nd IP on the Cisco vpn-rtr. The Cisco vpn-rtr is running a vrf for each vlan. We want to run OSPF. Can we add the following instances to the OSPF config? Are the following commands good? And will "delete ospf instance 35" work to delete an instance?

set ospf instance 35 graceful-restart-helper on
set ospf instance 35 area backbone on
set ospf instance 35 interface bond0.35 area backbone on
set ospf instance 35 import-routemap ospf-prtr-import preference 10 on
set ospf instance 35 export-routemap ospf-prtr-export preference 10 on

set ospf instance 36 graceful-restart-helper on
set ospf instance 36 area backbone on
set ospf instance 36 interface bond0.36 area backbone on
set ospf instance 36 import-routemap ospf-prtr-import preference 10 on
set ospf instance 36 export-routemap ospf-prtr-export preference 10 on

set ospf instance 37 graceful-restart-helper on
set ospf instance 37 area backbone on
set ospf instance 37 interface bond0.37 area backbone on
set ospf instance 37 import-routemap ospf-prtr-import preference 10 on
set ospf instance 37 export-routemap ospf-prtr-export preference 10 on

====================

VPN-RT ospf config for one vlan, as follows.

interface Port-channel1.35
 encapsulation dot1Q 35
 vrf forwarding Partner-Example
 ip address 10.118.126.2 255.255.255.252
 ip ospf 35 area 0
router ospf 35 vrf Partner-Example
 passive-interface default
 no passive-interface Port-channel1.35

Thanks in advance.

Gaia API - Loss of functionality with upgrade?

I've been running on Gaia API version 1.0 successfully since its release. As we continue to build more integrations, some features of v1.2 intrigued me, so I upgraded. After I upgraded, we lost the 'run-script' functionality. It now results in a generic_error. Has anyone else noticed this? Why would an "upgrade" result in a downgrade? When will the run-script API be back? I'm downgrading my API version to v1.0 since v1.2 doesn't support the same things v1.0 did. Here is what I'm seeing:

curl -w '%{http_code}' -k -X POST "https://gw.site.net/gaia_api/run-script " -H "Content-Type: application/json" -H "X-chkp-sid: $MYSECRET" -d "{\"script-name\":\"do-it\",\"script\":\"/var/log/myscript.sh\"}" -s
{"code": "generic_error","message": "Internal error."}500

Thanks!

'Invalid segment retransmission. Packet dropped.'

Hi All,

We have a client not able to connect to an FTP server. The connection goes through the internal firewall and then gets dropped by our external CP (80.10). The SYN packet is okay, but then it is actually dropped by the same rule that should be allowing it, with the 'Invalid segment retransmission. Packet dropped.' comment. Please see the below screen.

We initially thought it was down to the application (FileZilla), but it seems it's the same, for example, from the Windows command line. Thank you for any comments.

r80.10 VSX change sync interface

Hi,

Does anyone know how to change a single sync interface, on an R80.10 VSX cluster, to a bond interface?
Nbto inside Enterprise Appliances and Gaia OS Wednesday

Host access to Internet by using separate link than all traffic

Hello,

I have a small question. I'm not sure how I can configure one specific host to access the Internet by using a different link than all other traffic - it's a separate link (all traffic goes via ISP1 and this host will go through ISP2). I would like to try configuring PBR: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk100500

Maybe I should use some static routes? I'm using R80.10.

Thx!

how to mount windows file share on gaia r80.10 ?

Hello, I'd like to mount a Windows file share using the mount.cifs command. The command systematically fails with the output:

Status code returned 0xc000006a NT_STATUS_WRONG_PASSWORD
CIFS VFS: Send error in SessSetup = -13
CIFS VFS: cifs_mount failed w/return code = -13

The mount syntax is:

mount -vvv -t cifs -o username=myuser,domain=DOM,ver=3,sec=ntlm //10.10.10.107/share /mnt/share1

The mount command produces the following:

mount.cifs kernel mount options unc=//10.10.10.107\share,ip=10.10.10.107,pass=*****,ver=1,rw,username=myuser,domain=DOM,ver=3,sec=ntlm
mount error 13 = Permission denied
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)

Did anyone already manage to mount a Windows file share on Gaia R80.10?
-TJ- inside Enterprise Appliances and Gaia OS a week ago

VM SDA drive cache, modprobe FAILED, reboot FAILED

When booting a new Management Server VM on R80.20 (built from ISO R80.20 T117, thick provision lazy), the maintenance mode prompt and that white bar that moves from left to right doesn't display. Instead, I see:

sd 0.0.0.0: [sda] Assuming drive cache: write through
--30 second pause--
modprobe startup FAILED

When I issue a reboot from GAIA, the standard "the system is going down for reboot NOW!" message, then
--short pause--
FAILED
please stand by while rebooting the system...

I recently lost my primary management server: the file system was corrupted, I was unable to retrieve a local snapshot, and the VM restore failed. [rough day] I had to promote the secondary. I built a new primary which has no issues. Now I'm building a new standby. That info isn't relative to the issue above; I'm only sharing it to convey how wary I am to discount any error messages.

sk126473 says to reinstall GAIA. Which I have now, twice. But the message continues. ISO image MD5 is matchy matchy too.

Anybody have advice? Phoneboy

Changing IP of cluster and members

Hello,

I am trying to change the IP address of the cluster and members. I have the following setup with 2 checkpoints in a cluster:

Cluster-IP x.x.x.x - Member-01 x.x.x.x - Member-02 x.x.x.x
CP-Management x.x.x.x

Is anyone able to advise on the correct way to change these IPs, and whether this will break the cluster by doing so? I want to use the management port IPs as the new IPs for the members.

Thanks