Enterprise Appliances and Gaia OS

Have questions about Security Gateway Appliances, Gaia OS, CoreXL, SecureXL, or ClusterXL? This is where to ask them! This also includes legacy operating systems like SecurePlatform, IPSO, or XOS.

For Small Business Security appliances (600/700/1200R/1400/1500), see the SMB Appliances and SMP space.

Demonstrating pause frames

Hello!

I am trying to find a mysterious source of packet loss using my R80.10 JHF 225 gateways. The administrator of the access layer is saying their switch is receiving "pause frames" from the firewall and so it's dropping packets it cannot deliver in a timely manner. I am not sure how to evaluate this - from reading, it does not appear that they would necessarily show up in a packet capture. I've also read that those perhaps exclusively originate from an endpoint or a switch. I tried a tcpdump from the gateway and the Wireshark filter "macc.opcode == pause" - no results.

In the specific scenario I am troubleshooting, which I hope is indicative of the larger problem, an attempt to connect to an HTTPS server reliably gets SYN - SYN/ACK - ACK - Client Hello ... Client Hello ... RST (from server). We've seen it before with a QoS/CoS issue on our switch hardware.

In searching for similar issues, I found but ifconfig does not report any Rx or Tx errors, so our situation does not map well to that scenario.

I'm not getting indications that the gateway is under any meaningful load, though cpview does show 195,627 "Instance High CPU" drops, on an "Inbound Packets/sec" rate of around 70k.

How can I determine whether the gateway is telling the switch to suspend passing packets?

How to fully accelerate SIP RTP media streams using SecureXL

Hi,

We deployed a relatively simple Check Point vSec security gateway as the perimeter firewall for a VoIP provider utilising SIP. Public IPs are routed directly to the servers so the only NAT rules apply to VPN clients. We have an ongoing case with TAC regarding SecureXL not forwarding traffic on kernel 3.10, hence the gateway being R80.30 kernel 2.16.18. We have Jumbo Hotfix Accumulator take 50 installed, as the most recent GA release.

Architecture:
- VoIP server in VLAN with gateway pointing at Check Point security gateway
- Check Point security gateway has eth0 as internet upstream and eth1 in VoIP server VLAN
- vSec gateway managed by external MDS environment is non-publicly routed subnet (management via eth0)

What we've done thus far:
- Changed protocol objects to not reference SIP, disabling protocol inspection.
- Firewall blade policy set to use custom udp service object, rule 8.3
- Application and URL filtering blade policy set to allow all inbound (rule 1) and all outbound traffic originating from VoIP servers using custom udp service object, rule 8.1
- Threat Prevention policy exceptions have been defined
- Disabled Hyper Threading on the VM host and pinned guest VM cores to reserved physical cores, on CPU1 (attached to network interfaces)

SIP RTP media udp service object details:

Network (Firewall) blade policy layer:

Application (Applications & URL Filtering) blade policy layer:

Threat Prevention - Exceptions blade policy layer:

SecureXL stats:

[Expert@fwcp1:0]# fwaccel stat
+-----------------------------------------------------------------------------+
|Id|Name     |Status     |Interfaces               |Features                  |
+-----------------------------------------------------------------------------+
|0 |SND      |enabled    |eth0,eth1                |Acceleration,Cryptography |
|  |         |           |                         |Crypto: Tunnel,UDPEncap,MD5,|
|  |         |           |                         |SHA1,NULL,3DES,DES,CAST,  |
|  |         |           |                         |CAST-40,AES-128,AES-256,ESP,|
|  |         |           |                         |LinkSelection,DynamicVPN, |
|  |         |           |                         |NatTraversal,AES-XCBC,SHA256|
+-----------------------------------------------------------------------------+

Accept Templates : enabled
Drop Templates   : enabled
NAT Templates    : enabled

[Expert@fwcp1:0]# fwaccel stats -s
Accelerated conns/Total conns : 10/1882 (0%)
Accelerated pkts/Total pkts   : 2199407627/4400568146 (49%)
F2Fed pkts/Total pkts         : 6510799/4400568146 (0%)
F2V pkts/Total pkts           : 3514127/4400568146 (0%)
CPASXL pkts/Total pkts        : 0/4400568146 (0%)
PSLXL pkts/Total pkts         : 2194649720/4400568146 (49%)
QOS inbound pkts/Total pkts   : 0/4400568146 (0%)
QOS outbound pkts/Total pkts  : 0/4400568146 (0%)
Corrected pkts/Total pkts     : 0/4400568146 (0%)

[Expert@fwcp1:0]# fwaccel stats
Name                        Value        Name                        Value
--------------------------- ------------ --------------------------- ------------

Accelerated Path
--------------------------------------------------------------------------------------
accel packets                 2199474632 accel bytes                 255604723479
outbound packets              2199468895 outbound bytes              255661260470
conns created                    3331162 conns deleted                    3329257
C total conns                       1905 C TCP conns                           29
C non TCP conns                     1876 nat conns                              0
dropped packets                    26624 dropped bytes                    2028392
fragments received                  1280 fragments transmit                     4
fragments dropped                      0 fragments expired                      0
IP options stripped                   63 IP options restored                   63
IP options dropped                     0 corrs created                          0
corrs deleted                          0 C corrections                          0
corrected packets                      0 corrected bytes                        0

Accelerated VPN Path
--------------------------------------------------------------------------------------
C crypt conns                          0 enc bytes                              0
dec bytes                              0 ESP enc pkts                           0
ESP enc err                            0 ESP dec pkts                           0
ESP dec err                            0 ESP other err                          0
espudp enc pkts                        0 espudp enc err                         0
espudp dec pkts                        0 espudp dec err                         0
espudp other err                       0

Medium Streaming Path
--------------------------------------------------------------------------------------
CPASXL packets                         0 PSLXL packets                 2194716725
CPASXL async packets                   0 PSLXL async packets           2194691770
CPASXL bytes                           0 PSLXL bytes                 253353244667
C CPASXL conns                         0 C PSLXL conns                       1895
CPASXL conns created                   0 PSLXL conns created              3330706
PXL FF conns                           0 PXL FF packets                         0
PXL FF bytes                           0 PXL FF acks                            0
PXL no conn drops                      0

Inline Streaming Path
--------------------------------------------------------------------------------------
PSL Inline packets                     0 PSL Inline bytes                       0
CPAS Inline packets                    0 CPAS Inline bytes                      0

QoS Paths
--------------------------------------------------------------------------------------
QoS General Information:
------------------------
Total QoS Conns                        0 QoS Classify Conns                     0
QoS Classify flow                      0 Reclassify QoS policy                  0

FireWall QoS Path:
------------------
Enqueued IN packets                    0 Enqueued OUT packets                   0
Dequeued IN packets                    0 Dequeued OUT packets                   0
Enqueued IN bytes                      0 Enqueued OUT bytes                     0
Dequeued IN bytes                      0 Dequeued OUT bytes                     0

Accelerated QoS Path:
---------------------
Enqueued IN packets                    0 Enqueued OUT packets                   0
Dequeued IN packets                    0 Dequeued OUT packets                   0
Enqueued IN bytes                      0 Enqueued OUT bytes                     0
Dequeued IN bytes                      0 Dequeued OUT bytes                     0

Firewall Path
--------------------------------------------------------------------------------------
F2F packets                      6510843 F2F bytes                     4112863976
TCP violations                         9 F2V conn match pkts                13981
F2V packets                      3514178 F2V bytes                     1410988147

GTP
--------------------------------------------------------------------------------------
gtp tunnels created                    0 gtp tunnels                            0
gtp accel pkts                         0 gtp f2f pkts                           0
gtp spoofed pkts                       0 gtp in gtp pkts                        0
gtp signaling pkts                     0 gtp tcpopt pkts                        0
gtp apn err pkts                       0

General
--------------------------------------------------------------------------------------
memory used                          792 C tcp handshake conns                  0
C tcp established conns               25 C tcp closed conns                     4
C tcp pxl handshake conns              0 C tcp pxl established conns           25
C tcp pxl closed conns                 4 outbound cpasxl packets                0
outbound pslxl packets                 0 outbound cpasxl bytes                  0
outbound pslxl bytes                   0 DNS DoR stats                          0

(*) Statistics marked with C refer to current value, others refer to total value

Resource utilisation is very high, with two CoreXL instances and only 6 Mbps traffic:

|------------------------------------------------------------------------------|
| CPVIEW.Overview                                           15Nov2019  9:42:49 |
|------------------------------------------------------------------------------|
| Overview SysInfo Network CPU I/O Software-blades Hardware-Health Advanced    |
|------------------------------------------------------------------------------|
| CPU:                                                                         |
|                                                                              |
| Num of CPUs: 2                                                               |
|                                                                              |
| CPU    Used                                                                  |
| 0      93%                                                                   |
| 1      58%                                                                   |
| ---------------------------------------------------------------------------- |
| Memory:                                                                      |
|                                                                              |
|             Total MB    Used MB    Free MB                                   |
| Physical    3,815       1,842      1,973                                     |
| FW Kernel   3,052       785        2,267                                     |
| Swap        4,095       0          4,095                                     |
| ---------------------------------------------------------------------------- |
| Network:                                                                     |
|                                                                              |
| Bits/sec                 8,950K                                              |
| Packets/sec              15,889                                              |
| Connections/sec          17                                                  |
| Concurrent connections   1,931                                               |
| ---------------------------------------------------------------------------- |
| Disk space (top 3 used partitions):                                          |
|                                                                              |
| Partition   Total MB    Used MB    Free MB                                   |
| /           15,558      6,323      8,521                                     |
| /boot       288         23         250                                       |
| /var/log    19,806      876        17,908                                    |
| ---------------------------------------------------------------------------- |
| Events:                                                                      |
|                                                                              |
| # of monitored daemons crashes since last cpstart   0                        |
|                                                                              |
|------------------------------------------------------------------------------|

Load average:

CPU utilisation:

Network throughput:
Muazzam inside Enterprise Appliances and Gaia OS 4 hours ago

High CPU on Multi Queue Cores

Hardware: 13800 with 20 cores, 8/12 Split, no SMT.
OS: R80.20 Take 47
Blades enabled: None (just FW/VPN).

MQ is enabled on two 10g interfaces. The 4 CPU cores tied to these interfaces are running 75-85%, with spikes up to 95%. One core is tied with fwd. The other 3 SNDs are running 1-2%. Workers are running around 50%.

From cpview:
Bandwidth 4-5 Gbps
800k-900K packets/sec, 10K conn/sec.

netstat -ni is NOT showing any drops.

[Expert@13800:0]# fwaccel stats -s
Accelerated conns/Total conns : (-3%)
Accelerated pkts/Total pkts   : (51%)
F2Fed pkts/Total pkts         : (4%)
F2V pkts/Total pkts           : (1%)
CPASXL pkts/Total pkts        : (0%)
PSLXL pkts/Total pkts         : (44%)

Question: what could be a reason for 44% PSLXL pkts/Total pkts?
What can be done to reduce load on the first 4 cores?
HeikoAnkenbrand inside Enterprise Appliances and Gaia OS 4 hours ago

R80.x Ports Used for Communication by Various Check Point Modules

Introduction

This drawing should give you an overview of the R80 and R77 ports used and the respective communication flows. It should give you an overview of how different Check Point modules communicate with each other. Furthermore, services that are used for firewall operation are also considered. These firewall services are also partially mapped as implied rules in the set on the firewall.

Overview

Chapter

More interesting articles:
- R80.x Architecture and Performance Tuning - Link Collection
- Article list (Heiko Ankenbrand)

References

Support Center: Ports used by Check Point software

Versions

+ v1.5a typos corrected 18.09.2019

old version 1.4:
+ v1.4a bug fix, update port 1701 udp L2TP 09.04.2018
+ v1.4b bug fix 15.04.2018
+ v1.4c CPUSE update 17.04.2018
+ v1.4d legend fixed 17.04.2018
+ v1.4e add SmartLog and SmartView on port 443 20.04.2018
+ v1.4f bug fix 21.05.2018
+ v1.4g bug fix 25.05.2018
+ v1.4h add Backup ports 21, 22, 69 UDP and ClusterXL full sync port 256 30.05.2018
+ v1.4i add port 259 udp VPN link probing 12.06.2018
+ v1.4j bug fix 17.06.2018
+ v1.4k add OSPF/BGP route Sync 25.06.2018
+ v1.4l bug fix routed 29.06.2018
+ v1.4m bug fix tcp/udp ports 03.07.2018
+ v1.4n add port 256 13.07.2018
+ v1.4o bug fix / add TE ports 27.11.2018
+ v1.4p bug fix routed port 2010 23.01.2019
+ v1.4q change to new forum format 16.03.2019

old version 1.3:
+ v1.3a new design (blue, gray), bug fix, add netflow, new names 27.03.2018
+ v1.3b add routing ports, bug fix design 28.03.2018
+ v1.3c bug fix, rename ports (old) 29.03.2018
+ v1.3d bug fix 30.03.2018
+ v1.3e fix issue L2TP UDP port 1701

old version 1.1:
+ v1.1a - added r80.xx ports 16.03.2018
+ v1.1b - bug in drawing fixed 17.03.2018
+ v1.1c - add RSA, TACACS, Radius 19.03.2018
+ v1.1d - add 900, 259 Client-auth - deleted old 4.0 ports 20.03.2018
+ v1.1e - add OPSEC - delete R55 ports 21.03.2018
+ v1.1f - bug fix 22.03.2018
+ v1.1g - bug fix - add mail smtp - add dhcp - add snmp 25.03.2018

Copyright by Heiko Ankenbrand 1994-2019

Sync interface migration

Hello everyone,

I have to migrate a sync link from its current interface "eth3" to the interface "eth2".
Is there a best practice to avoid some side-effects like an Active/Active situation?

Thanks for your expertise!
Trif
Nbto inside Enterprise Appliances and Gaia OS yesterday

Question about license - Two MGMTs

Hello,

I'm starting to migrate from Gaia R77.30 to R80 and I'm wondering how the situation looks with licenses. I would like to add a new MGMT server with R80 (new IP) and keep the R77.30 as a backup in case R80 is problematic. The question is, can I have the same licenses on both machines but with different IPs?

Best Wishes

How to delete admin user

Hello all,

I am trying to delete the admin user. I didn't find any SK about this issue; the SKs I found relate to disabling the admin user.

Thanks.

Modifying bond

Hello,

R77.30 cluster (active/standby) running on Open Servers with a bunch of bonds.
I need to modify one of the bonds on the standby unit (and replace one of the interfaces in the bond). Do I need to get the topology at the end and push the policy? I don't see any references to individual interfaces in SmartDashboard.

Thank you.

BGP default route hidden and inactive

Standalone full HA deployment running R80.10 in a test lab environment.
iBGP peering with two upstream Cisco routers. Upstream routers advertising default route to Checkpoints.
Default route is not being installed in routing table but appearing as 'hidden' and 'inactive'.
I have read that you must use an explicit inbound route filter with BGP to have a route accepted. I've created a BGP policy filter (based on AS) but the default route remains hidden/inactive.
I've tried clearing the BGP sessions but to no avail.

EDGE-FW-01> show route bgp all
Codes: C - Connected, S - Static, R - RIP, B - BGP (D - Default),
       O - OSPF IntraArea (IA - InterArea, E - External, N - NSSA),
       A - Aggregate, K - Kernel Remnant, H - Hidden, P - Suppressed,
       U - Unreachable, i - Inactive

B H i via, eth2, cost 0, age 3165
B   i via, eth2, cost 0, age 3140

How to effectively migrate configuration from CP4400 R77.30 to 3100 Next Generation Threat Preventio

Right now we have a CP4400 R77.30 running in production and have yet to deliver a 3100 to the client. We will have to migrate the configuration from the existing appliance to this new one. My question is: is it possible to migrate the running config from this CP 4400 R77.30 to the new 3100 appliance? If yes, then how can I do this?
CPRQ inside Enterprise Appliances and Gaia OS Wednesday

OSPF instance

We are running R80.20 on VSX and have a question about OSPF instances. The firewall has the OSPF default instance going to another firewall on vlan-97 as follows.

> show configuration ospf
set ospf instance default graceful-restart-helper on
set ospf instance default area backbone on
set ospf instance default interface bond0.97 area backbone on
set ospf instance default import-routemap ospf-bast-import preference 10 on
set ospf instance default export-routemap ospf-bast-export preference 10 on

Now we want to add 3 new vlans: 35, 36, 37. Each vlan has a /30 subnet, one IP on the firewall and the 2nd IP on the Cisco vpn-rtr. The Cisco vpn-rtr is running a vrf for each vlan. We want to run OSPF. Can we add the following instances to the OSPF config? Are the following commands good? And will "delete ospf instance 35" work to delete an instance?

set ospf instance 35 graceful-restart-helper on
set ospf instance 35 area backbone on
set ospf instance 35 interface bond0.35 area backbone on
set ospf instance 35 import-routemap ospf-prtr-import preference 10 on
set ospf instance 35 export-routemap ospf-prtr-export preference 10 on

set ospf instance 36 graceful-restart-helper on
set ospf instance 36 area backbone on
set ospf instance 36 interface bond0.36 area backbone on
set ospf instance 36 import-routemap ospf-prtr-import preference 10 on
set ospf instance 36 export-routemap ospf-prtr-export preference 10 on

set ospf instance 37 graceful-restart-helper on
set ospf instance 37 area backbone on
set ospf instance 37 interface bond0.37 area backbone on
set ospf instance 37 import-routemap ospf-prtr-import preference 10 on
set ospf instance 37 export-routemap ospf-prtr-export preference 10 on

====================

VPN-RT ospf config for one vlan as follows.

interface Port-channel1.35
 encapsulation dot1Q 35
 vrf forwarding Partner-Example
 ip address ospf 35 area 0

router ospf 35 vrf Partner-Example
 passive-interface default
 no passive-interface Port-channel1.35

Thanks in advance.

Static route does not work

Hi,

I am curious why my added static route does not become effective. The route shows up via "netstat -nr" and there is no other route I can see for this network:

UGD 0 0 0 eth10

tracert shows:

[Expert@FW:0]# tracert to (, 30 hops max, 40 byte packets
1 ( 4.602 ms 4.870 ms 5.202 ms
********

Anybody any idea how to troubleshoot? I can not even find info via it routes the traffic to ...

Thanks and regards
Tom

Power Supply consumption power

Hi all,

I read the datasheet for the Check Point 16000. I want to send information to the data center team about power, but I am confused about the power supply.

1. What is the meaning of "single power supply rating: 1300 W"?
2. Why is the single power supply rating different from the power consumption?

Thanks.

Ref:

Accelerated drop feature

Hello,

Can I confirm that the accelerated drop feature as described in sk67861 is supported on R80.20 and R80.30 as well?

Many thanks.

Filtering learned BGP routes

Good Afternoon,

I'm setting up a new datacenter cluster and I'm going to be learning routes from three peers via BGP. I understand I need an inbound filter to add them to my routing table, but I don't want to blindly learn any route that I'm sent based on AS number. How can I set up a prefix list and apply it to a neighbor (in Cisco terms) so I can trust but verify?

I understand it's probably in CLI as opposed to WebUI, but I'm having trouble finding documentation for specifically what I'm trying to do. Any guidance would be appreciated.

Thanks,
Paul