Enterprise Appliances and Gaia OS

Have questions about Security Gateway Appliances, Gaia OS, CoreXL, SecureXL, or ClusterXL? This is where to ask them! This also includes legacy operating systems like SecurePlatform, IPSO, or XOS.

For Small Business Security appliances (600/700/1200R/1400/1500), see the SMB Appliances and SMP space.

Finding Bandwidth consuming for particular Host

Dear All,

Just wanted to check if there is any workaround to check the bandwidth consumed/consuming by a particular host machine. The customer's Internet bandwidth was choked due to "a few hosts to some destination IP" consuming a lot. From SmartMonitor we can see only which Source or Destination is consuming, but we need to check "which Source against which Destination" consumed/is consuming more bandwidth. Just like the Cisco command "ip flow top-talkers":

CISCO-ASA#sh ip flow top-talkers
SrcIf   SrcIPaddress     DstIf   DstIPaddress     Pr  SrcP  DstP  Bytes
Gi0/1   172.215.114.126  Gi0/0   202.100.109.236  06  0050  BBEB  19M
Gi0/1   123.175.213.143  Gi0/0   202.100.109.236  06  0050  3891  16M

In the above we can see 2 Sources against 2 Destinations with the "Bytes" consumed. By any chance can we see something like this in Check Point?

Regards,
Prabulingam.N

blink install and xfs

Upgrading an R77.30 gateway to R80.20 using the blink command options "--reimage" and "--delete-old-partitions" leads to the following results:
- the old partition lv_current is deleted while all other partitions are kept, including lv_log
- the file system type is still ext3 for all partitions

Two questions arise here:
1. Are our observations correct?
2. Is the xfs-type filesystem used for Management Servers only, meaning that even if we install the gateway from scratch, it would still be ext3?

Thanks for clarification.

Unable to boot from USB on 12400

I have been trying to perform a clean install on two 12400 chassis with no success. I am upgrading to R80.30 and have used the latest Polymorphic tool to build a bootable USB. I am not specifying any particular MAC; it should install on any machine. I have rebuilt the USB several times and am confident it is correct. I am following the directions for a clean install for this unit. I interrupt the boot process and perform a default reload. Once the system is reloaded, I begin the first time configuration wizard where I select the option to do a clean install from USB. I insert the USB and the system reloads but does not boot from the USB.

Common Criteria EAL4+ compliance for R80.10?

Does anyone have any information on Common Criteria EAL4+ compliance for R80.10? There is no info here: Certified Check Point Solutions | Check Point Software regarding anything beyond R77.30.

Anyone with info regarding implied compliance or an ETA on a statement would be most welcome. I appreciate that sometimes these statements come some way behind release.

Thanks
Jon

2 new Common Criteria certificates R80.30: Protection Profile and EAL4+ and certification update

I’m pleased to announce that Check Point have been awarded two new Common Criteria certificates for R80.30:

EAL4+ certificate of R80.30. The Target of Evaluation (TOE) included claims for Firewall, IPS Blade, Pattern Matcher, REST API; platforms: Enterprise appliances, TE appliances, Smart-1, CloudGuard.

Protection Profile compliance of R80.30. The Target of Evaluation (TOE) included claims for Network Device Stateful Traffic Filter Firewall Extended VPN Package, SmartConsole; platforms: Enterprise appliances, TE appliances, Smart-1, CloudGuard.

The Protection Profile and EAL4+ listings include the Certificates, Security Target and Validation Report.

In addition, R80.30 is now listed by the NSA CSFC component list for protecting classified NSS data, and qualifies for listing by NIAPC (NATO Information Assurance Product Catalogue), and the UK National Cyber Security Center (NCSB) Commercial Product Assurance (CPA) certification.

A full press release can be seen here: https://www.globenewswire.com/news-release/2020/01/16/1971274/0/en/Check-Point-Software-Technologies-Receives-2-New-Common-Criteria-Certifications-to-Meet-the-Security-Needs-of-31-Nations.html

HeikoAnkenbrand inside Enterprise Appliances and Gaia OS Wednesday

GAIA - Easy execute CLI commands from management on gateways!

Now you can use the new commands "g_bash" and "g_cli" to execute bash or clish commands on a gateway from the management server. All you have to do is copy and paste the above lines to the management server. After that you have two new commands on the management server. Here you can now centrally execute simple commands on all gateways which are connected via SIC with the management. You only need to enter the IP address of the gateway and the command will be executed there.

Copy and paste these lines to the management server or download the script "new_commands.sh" and execute the script.

# g_show: list the gateway IP addresses found in objects.C
echo "echo Gateways configured in policy:" > /usr/local/bin/g_show
echo "more $FWDIR/conf/objects.C |grep -A 20 -B 1 ':type (gateway)' | grep ipaddr | sed 's/^[ \t]*//' | sed 's/\:ipaddr (//' |sed 's/)//'" >> /usr/local/bin/g_show
# 755 rather than 777: a world-writable script in /usr/local/bin could be edited by any local user
chmod 755 /usr/local/bin/g_show

# g_bash: run an expert-mode command on one gateway via cprid_util
echo '#!/bin/bash' > /usr/local/bin/g_bash
echo "more $FWDIR/conf/objects.C |grep -A 20 -B 1 ':type (gateway)' | grep ipaddr | sed 's/^[ \t]*//' | sed 's/\:ipaddr (//' |sed 's/)//' > /var/log/g_gateway.txt" >> /usr/local/bin/g_bash
echo 'HAtest="$2 $3 $4 $5 $6 $7 $8 $9"' >> /usr/local/bin/g_bash
# the target IP must match one full line of the gateway list (grep -x) before anything is sent
echo 'if grep -xq "$1" /var/log/g_gateway.txt; then' >> /usr/local/bin/g_bash
echo "echo \"\$HAtest\" > /var/log/g_command.txt;" >> /usr/local/bin/g_bash
echo "\$CPDIR/bin/cprid_util -server \$1 putfile -local_file /var/log/g_command.txt -remote_file /var/log/g_command.txt;" >> /usr/local/bin/g_bash
echo "\$CPDIR/bin/cprid_util -server \$1 -verbose rexec -rcmd /bin/bash -f /var/log/g_command.txt;" >> /usr/local/bin/g_bash
echo "else" >> /usr/local/bin/g_bash
echo "echo This is not a gateway IP. Use an IP of following list:;" >> /usr/local/bin/g_bash
echo "more /var/log/g_gateway.txt" >> /usr/local/bin/g_bash
echo "fi" >> /usr/local/bin/g_bash
chmod 755 /usr/local/bin/g_bash

# g_cli: same as g_bash, but the command file is fed to clish on the gateway
echo '#!/bin/bash' > /usr/local/bin/g_cli
echo "more $FWDIR/conf/objects.C |grep -A 20 -B 1 ':type (gateway)' | grep ipaddr | sed 's/^[ \t]*//' | sed 's/\:ipaddr (//' |sed 's/)//' > /var/log/g_gateway.txt" >> /usr/local/bin/g_cli
echo 'HAtest="$2 $3 $4 $5 $6 $7 $8 $9"' >> /usr/local/bin/g_cli
echo 'if grep -xq "$1" /var/log/g_gateway.txt; then' >> /usr/local/bin/g_cli
echo "echo \"\$HAtest\" > /var/log/g_command.txt;" >> /usr/local/bin/g_cli
echo "\$CPDIR/bin/cprid_util -server \$1 putfile -local_file /var/log/g_command.txt -remote_file /var/log/g_command.txt;" >> /usr/local/bin/g_cli
echo "\$CPDIR/bin/cprid_util -server \$1 -verbose rexec -rcmd /bin/clish -f /var/log/g_command.txt;" >> /usr/local/bin/g_cli
echo "else" >> /usr/local/bin/g_cli
echo "echo This is not a gateway IP. Use an IP of following list:;" >> /usr/local/bin/g_cli
echo "more /var/log/g_gateway.txt" >> /usr/local/bin/g_cli
echo "fi" >> /usr/local/bin/g_cli
chmod 755 /usr/local/bin/g_cli

Command syntax:

Command                          Description
# g_show                         show all gateway IP addresses
# g_bash <gateway IP> <command>  execute expert mode command on gateway
# g_cli <gateway IP> <command>   execute clish command on gateway

An example! You want to see the configuration of the gateway with IP 1.2.3.4 from the management. So you only have to enter the following command:

Management# g_cli 1.2.3.4 show configuration

Now the command "show configuration" is executed on the gateway and the output is displayed on the management server. The same also works for the expert mode. For example:

Management# g_bash 1.2.3.4 cphaprob stat

Show all gateway IP addresses. For example:

Management# g_show
Show all gateways configured in policy:
1.2.3.4
1.2.3.5
1.1.1.1

Copyright by Heiko Ankenbrand 1996-2019

Announcement - Max Power 2020: Check Point Firewall Performance Optimization (Third Edition)

The third edition of the book Max Power 2020: Check Point Firewall Performance Optimization is now available. For more information including the FAQ and a CPX-related discount code, please visit the site http://www.maxpowerfirewalls.com. Feel free to PM or email me with questions, but please be sure to read the FAQ in its entirety first.  Thanks!  

VoIP Issue and SMB Appliance (600/1000/1200/1400)

Issue description: Many of our customers have reported the following issue in recent weeks. Telephone VoIP connections are terminated and can no longer be established.

Issue debug: On the firewall you see a typical issue with the following message if you start:

# fw ctl zdebug drop

Issue message:

fwconn_key_init_links (INBOUND) failed

Solution: There are two different servers on the SIP/RTP provider's side that take part in the process of establishing the SIP/RTP call:
- Server for SIP (management and control)
- Server for RTP (media and voice data)

Make sure that the UDP high ports from the internal RTP VoIP telephone system to the provider RTP server on the RTP provider's side are dropped by the rule base on the 600 / 1100 / 1200 / 1400 appliance:

RTP rules:
- Create a service for the UDP high ports and use it in an incoming Accept rule, which also has to allow the RTP ports.
- Create a drop rule to block outgoing connections from the internal RTP server (VoIP telephone system) to the provider's RTP server on high UDP ports.

SIP rule:
- Create an allow rule for incoming and outgoing SIP traffic on UDP port 5060.

A similar description can be found in SK104082.

Regards,
Heiko

Migrating cluster from old to new hardware

Hi,

We are finally replacing our FW cluster of old UTM appliances with 5600 appliances. I would like to keep the same names in the policy, but since the interface names change I would like to know what the best way is to migrate to the new appliances with minimal outage.

I was about to:
- failover to HA
- move cables from the Primary appliance to the new 5600 Primary appliance
- migrate export of the policy, then remove all references of the existing cluster from the policy and delete the whole cluster from the management server
- create a new cluster with initially 1 member (the new primary 5600), establish SIC and configure the cluster with all new interfaces
- add the cluster to the rules where the old cluster was removed
- remove cables from the old HA firewall while installing the policy to the new Primary
- connect the new 5600 HA and add it to the cluster (and install policy)

Any other (or better) recommendations for a smooth migration to the new hardware? Or can I just delete 1 cluster member and add the new hardware with different interface names to the cluster object?

Many thanks.

Replace/Upgrade Cluster

I currently have two 4800s in a cluster on R80.10. I am looking to utilize the same cluster name/configuration and replace these gateways with two 6500s on R80.30. I just wanted to brain storm on the easiest way to accomplish this. Also, seems like this should be a common ask. Are there any Check Point guides for something like this?

R80.20 Installation Error "doAutoPartition" Exception Occured on 4800 appliance

Hi,

I have an issue very similar to the one described in an older post (https://community.checkpoint.com/t5/General-Management-Topics/R80-10-Installation-Error-quot-doAutoPartition-quot-Exception/td-p/3536), i.e. I am getting exactly the same error message. The differences are that this is a CP 4800 appliance and the version I am going to install is R80.20.

I made the USB a few times using different versions of ISOmorphic, as well as using a USB-attached DVD; all the same. I ran the HW Diagnostics Tool; all tests OK. I was using the ISO image “R80.20 Gaia Fresh Install for Security Gateway and Standalone T101”; the same image was used for installation of over 10 other gateways on 4000 appliances. The SHA1 checksum for the image is OK.

Any ideas? I have none at this moment ... 😕

SecureXL DoS Rate Limiting (samp rules)

I have been working a lot with the rate limiting rules via the "fw samp" CLI interface, but unfortunately I cannot get the gateway to actually enforce them. It appears SecureXL is very unhappy when I try to enable rate limiting:

[Expert@PROD-FW02a:0]# fwaccel dos config set --enable-rate-limit
ERROR: No rate limiting policy is installed, can't enable.

What exactly is the "rate limiting policy" it is referring to? I have dug fairly deep in documentation, sks, etc. and cannot figure out what triggers the rate limiting capabilities of SecureXL to turn on, based on policy settings. I also thought maybe enabling the QoS blade and the QoS policy component would trigger things, but it had no effect.

Of course, this same status is reflected when you query the configuration (fwaccel dos config get):

rate limit: disabled (without policy)
pbox: disabled
blacklists: disabled
drop frags: disabled
drop opts: disabled
fwaccinternal: disabled
monitor: disabled
log drops: enabled
log pbox: enabled
notif rate: 100 notifications/second
pbox rate: 500 packets/second
pbox tmo: 180 seconds

The gateways are R80.30 5800 appliances.

Cluster dropping packets in R80.30 unicast Load sharing Mode

The cluster is dropping packets in unicast Load Sharing mode after upgrading from R80.10 to R80.30, while in HA mode it is working fine. Below is the output of "fw ctl zdebug + drop":

@;825535;[cpu_8];[SIM-207416775];pkt_handle_stateless_checks: Packet dropped (cluster decision). conn: <xxx.xxx.xxx.xxx,46667,xxx.xxx.xxx.xxx,443,6>;
@;825535;[cpu_8];[SIM-207416775];do_packet_finish: SIMPKT_IN_DROP vsid=0, conn:<xxx.xxx.xxx.xxx,46667,xxx.xxx.xxx.xxx,443,6>;
@;825535;[cpu_0];[SIM-207416775];sim_pkt_send_drop_notification: (0,0) received drop, reason: cluster error, conn: <1xxx.xxx.xxx.xxx,46667,xxx.xxx.xxx.xxx,443,6>;
@;825535;[cpu_0];[SIM-207416775];sim_pkt_send_drop_notification: no track is needed for this drop - not sending a notificaion, conn: <xxx.xxx.xxx.xxx,46667,xxx.xxx.xxx.xxx,443,6>;

HeikoAnkenbrand inside Enterprise Appliances and Gaia OS 2 weeks ago

GAIA - Easy execute CLI commands on all gateways simultaneously

Now you can use the new commands "gw_mbash" and "gw_mclish" to execute bash or clish commands on all gateways simultaneously from the management server. All you have to do is copy and paste the above lines to the management server. After that you have two new commands on the management server. Here you can now centrally execute simple commands on all gateways which are connected via SIC with the management.

Attention! You can quickly destroy your gateways if you enter the wrong commands!

Command syntax:

Command               Description
# gw_detect           Detect all your gateways that are supported by this tool. This command only needs to be executed once or when gateways changed in the topology. All found gateways are stored as IP addresses in the file /var/log/g_gateway.txt. All added IP addresses will be used later to execute commands on these gateways. The file can also be edited manually to add gateway IP addresses. The execution of this command may take a few minutes. Use this command on R77.x gateways.
# gw_detect80         Same as gw_detect, but uses the R80.x management API; use this command on R80.x gateways, it is a little bit faster.
# gw_mbash <command>  Execute expert mode command on all gateways simultaneously
# gw_mclish <command> Execute clish command on all gateways simultaneously

An example! You want to see the version of all gateways that are defined in the topology.

Management# gw_detect                           -> start this command first to detect all your supported gateways, or "gw_detect80" on R80.x gateways
Management# gw_mclish show version os edition  -> execute this command on all gateways

Now the command "show version os edition" is executed on all gateways and the output is displayed on the management server, sorted according to the IP addresses of the gateways in the firewall topology. The same also works for the expert mode. For example:

Management# gw_detect          -> start this command first to detect all your supported gateways, or "gw_detect80" on R80.x gateways
Management# gw_mbash fw ver    -> execute this command on all gateways

Tip 1: Use this command to back up your clish configs from all gateways.

Management# gw_mclish show configuration > backup_clish_all_gateways.txt

This can also be started as a simple cronjob 😀.

Tip 2: Check central performance settings for all gateways:

Management# gw_mbash fw tab -t connections -s  -> show state table for all gateways
Management# gw_mbash fwaccel stat              -> show fwaccel state for all gateways
Management# gw_mbash ips stat                  -> check on which gateway IPS is enabled
...

Copy and paste these lines to the management server or download the script "new_multi_commands.sh" and execute the script.

# gw_mbash: run one expert-mode command on every gateway listed in /var/log/g_gateway.txt
echo '#!/bin/bash' > /usr/local/bin/gw_mbash
echo 'if [ ! -f /var/log/g_gateway.txt ]; then' >> /usr/local/bin/gw_mbash
echo 'echo "First start \"gw_detect\" and/or edit the file /var/log/g_gateway.txt manually. Add here all your gateway IP addresses."' >> /usr/local/bin/gw_mbash
echo 'else' >> /usr/local/bin/gw_mbash
echo 'HAtest="$@"' >> /usr/local/bin/gw_mbash
echo 'echo "$HAtest" > /var/log/g_command.txt;' >> /usr/local/bin/gw_mbash
echo 'while read line' >> /usr/local/bin/gw_mbash
echo 'do' >> /usr/local/bin/gw_mbash
# only gateways that answer getarch over SIC with "gaia" are used
echo 'if $CPDIR/bin/cprid_util getarch -server $line |grep "gaia" > /dev/null;' >> /usr/local/bin/gw_mbash
echo 'then' >> /usr/local/bin/gw_mbash
echo 'echo "--------- GAIA $line execute command: $HAtest"' >> /usr/local/bin/gw_mbash
echo '$CPDIR/bin/cprid_util -server $line putfile -local_file /var/log/g_command.txt -remote_file /var/log/g_command.txt;' >> /usr/local/bin/gw_mbash
echo '$CPDIR/bin/cprid_util -server $line -verbose rexec -rcmd /bin/bash -f /var/log/g_command.txt' >> /usr/local/bin/gw_mbash
echo 'else' >> /usr/local/bin/gw_mbash
echo 'echo "--------- STOP $line Error: no SIC to gateway or no compatible gateway"' >> /usr/local/bin/gw_mbash
echo 'fi' >> /usr/local/bin/gw_mbash
echo 'done < /var/log/g_gateway.txt' >> /usr/local/bin/gw_mbash
echo 'fi' >> /usr/local/bin/gw_mbash
chmod +x /usr/local/bin/gw_mbash

# gw_mclish: same loop, but the command file is fed to clish on each gateway
echo '#!/bin/bash' > /usr/local/bin/gw_mclish
echo 'if [ ! -f /var/log/g_gateway.txt ]; then' >> /usr/local/bin/gw_mclish
echo 'echo "First start \"gw_detect\" and/or edit the file /var/log/g_gateway.txt manually. Add here all your gateway IP addresses."' >> /usr/local/bin/gw_mclish
echo 'else' >> /usr/local/bin/gw_mclish
echo 'HAtest="$@"' >> /usr/local/bin/gw_mclish
echo 'echo "$HAtest" > /var/log/g_command.txt;' >> /usr/local/bin/gw_mclish
echo 'while read line' >> /usr/local/bin/gw_mclish
echo 'do' >> /usr/local/bin/gw_mclish
echo 'if $CPDIR/bin/cprid_util getarch -server $line |grep "gaia" > /dev/null;' >> /usr/local/bin/gw_mclish
echo 'then' >> /usr/local/bin/gw_mclish
echo 'echo "--------- GAIA $line execute command: $HAtest"' >> /usr/local/bin/gw_mclish
echo '$CPDIR/bin/cprid_util -server $line putfile -local_file /var/log/g_command.txt -remote_file /var/log/g_command.txt;' >> /usr/local/bin/gw_mclish
echo '$CPDIR/bin/cprid_util -server $line -verbose rexec -rcmd /bin/clish -f /var/log/g_command.txt' >> /usr/local/bin/gw_mclish
echo 'else' >> /usr/local/bin/gw_mclish
echo 'echo "--------- STOP $line Error: no SIC to gateway or no compatible gateway"' >> /usr/local/bin/gw_mclish
echo 'fi' >> /usr/local/bin/gw_mclish
echo 'done < /var/log/g_gateway.txt' >> /usr/local/bin/gw_mclish
echo 'fi' >> /usr/local/bin/gw_mclish
chmod +x /usr/local/bin/gw_mclish

# gw_detect (R77.x): collect gateway IPs from objects.C, keep the ones reachable over SIC
echo '#!/bin/bash' > /usr/local/bin/gw_detect
echo 'echo -n > /var/log/g_gateway.txt' >> /usr/local/bin/gw_detect
echo "more $FWDIR/conf/objects.C |grep -A 500 -B 1 ':type (gateway)'| sed -n '/gateway/,/:ipaddr (/p' | grep 'ipaddr (' | sed 's/^[ \t]*//' | sed 's/\:ipaddr (//' |sed 's/)//' > /var/log/g_gwl.txt" >> /usr/local/bin/gw_detect
echo 'while read line' >> /usr/local/bin/gw_detect
echo 'do' >> /usr/local/bin/gw_detect
echo 'if $CPDIR/bin/cprid_util getarch -server $line |grep "gaia" > /dev/null;' >> /usr/local/bin/gw_detect
echo 'then' >> /usr/local/bin/gw_detect
echo 'echo "--------- GAIA $line "' >> /usr/local/bin/gw_detect
echo 'echo "$line" >> /var/log/g_gateway.txt' >> /usr/local/bin/gw_detect
echo 'else' >> /usr/local/bin/gw_detect
echo 'echo "--------- STOP no SIC to gateway or no compatible gateway"' >> /usr/local/bin/gw_detect
echo 'fi' >> /usr/local/bin/gw_detect
echo 'done < /var/log/g_gwl.txt' >> /usr/local/bin/gw_detect
chmod +x /usr/local/bin/gw_detect

# gw_detect80 (R80.x): collect gateway IPs via the management API and jq, then the same SIC check
# jq's contains() takes a single argument, so the two object types are tested with "or"
echo '#!/bin/bash' > /usr/local/bin/gw_detect80
echo 'echo -n > /var/log/g_gateway.txt' >> /usr/local/bin/gw_detect80
echo "mgmt_cli -r true show gateways-and-servers details-level full --format json | $CPDIR/jq/jq -r '.objects[] | select((.type | contains(\"Member\")) or (.type | contains(\"simple-gateway\"))) | .\"ipv4-address\"' |grep -v null|grep -v 0.0. > /var/log/g_gwl.txt" >> /usr/local/bin/gw_detect80
echo 'while read line' >> /usr/local/bin/gw_detect80
echo 'do' >> /usr/local/bin/gw_detect80
echo 'if $CPDIR/bin/cprid_util getarch -server $line |grep "gaia" > /dev/null;' >> /usr/local/bin/gw_detect80
echo 'then' >> /usr/local/bin/gw_detect80
echo 'echo "--------- GAIA $line "' >> /usr/local/bin/gw_detect80
echo 'echo "$line" >> /var/log/g_gateway.txt' >> /usr/local/bin/gw_detect80
echo 'else' >> /usr/local/bin/gw_detect80
echo 'echo "--------- STOP no SIC to gateway or no compatible gateway"' >> /usr/local/bin/gw_detect80
echo 'fi' >> /usr/local/bin/gw_detect80
echo 'done < /var/log/g_gwl.txt' >> /usr/local/bin/gw_detect80
chmod +x /usr/local/bin/gw_detect80

Versions:
v0.1 - 04-14-2019 - gw_multi_commands_v0.1.sh -> beta
v0.2 - 04-16-2019 - gw_multi_commands_v0.2.sh -> remove bugs
v0.3 - 04-17-2019 - gw_multi_commands_v0.3.sh -> split to two commands (gw_detect and the old commands)
v0.4 - 05-05-2019 - gw_multi_commands_v0.4.sh -> add command "gw_detect80"

Copyright by Heiko Ankenbrand 1996-2019
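As an added example (not Heiko Ankenbrand's script and not part of either post), the gateway discovery that gw_detect80 does with mgmt_cli and jq, and the allow-list check that g_bash/g_cli do with grep -xq, written in Python so the selection logic can be tested offline. The JSON is a constructed sample shaped like the "objects" array of `mgmt_cli show gateways-and-servers --format json`; the object type names other than "simple-gateway" are assumptions for the sample.

```python
"""Gateway discovery and target allow-list check, modelled on gw_detect80
and g_bash/g_cli. Nothing here talks to a management server."""
import ipaddress
import json
import os
import shlex

# Constructed sample, not real API output; type names other than
# "simple-gateway" are assumed for illustration.
SAMPLE_JSON = json.dumps({"objects": [
    {"name": "fw-a", "type": "simple-gateway", "ipv4-address": "1.2.3.4"},
    {"name": "cl1", "type": "CpmiGatewayCluster", "ipv4-address": "1.2.3.10"},
    {"name": "cl1_m1", "type": "CpmiClusterMember", "ipv4-address": "1.2.3.5"},
    {"name": "mgmt", "type": "checkpoint-host", "ipv4-address": "1.1.1.1"},
    {"name": "unset", "type": "simple-gateway", "ipv4-address": "0.0.0.0"},
    {"name": "v6only", "type": "simple-gateway", "ipv4-address": None},
]})

COMMAND_FILE = "/var/log/g_command.txt"   # same file the posted scripts use


def detect_gateways(api_json):
    """Same selection as gw_detect80's jq filter: keep objects whose type
    contains "Member" or "simple-gateway", drop null and 0.0.x.x addresses."""
    ips = []
    for obj in json.loads(api_json).get("objects", []):
        typ = obj.get("type", "")
        if "Member" not in typ and "simple-gateway" not in typ:
            continue          # cluster objects, hosts, servers: skip
        ip = obj.get("ipv4-address")
        if not ip or ip.startswith("0.0."):
            continue          # jq pipeline: grep -v null | grep -v 0.0.
        ips.append(ip)
    return ips


def plan_remote_command(gateway_ip, command_words, allowed_ips, shell="/bin/bash"):
    """Build what g_bash (shell=/bin/bash) or g_cli (shell=/bin/clish) would
    run for one gateway, after the checks. Returns the text that goes into
    COMMAND_FILE and the two cprid_util argv lists (putfile, then rexec).
    Nothing is executed; a bad target raises ValueError."""
    try:
        ipaddress.IPv4Address(gateway_ip)   # stricter than grep -xq alone
    except ValueError:
        raise ValueError("not an IPv4 address: %r" % (gateway_ip,))
    if gateway_ip not in allowed_ips:       # g_bash: grep -xq "$1" g_gateway.txt
        raise ValueError("%s is not a gateway IP; use one of %s"
                         % (gateway_ip, ", ".join(allowed_ips)))
    if not command_words:
        raise ValueError("no command given")
    # g_bash joins $2..$9 with spaces; shlex.join quotes words that need it.
    script_text = shlex.join(command_words)
    util = os.environ.get("CPDIR", "$CPDIR") + "/bin/cprid_util"
    argv = [
        [util, "-server", gateway_ip, "putfile",
         "-local_file", COMMAND_FILE, "-remote_file", COMMAND_FILE],
        [util, "-server", gateway_ip, "-verbose", "rexec",
         "-rcmd", shell, "-f", COMMAND_FILE],
    ]
    return {"script": script_text, "argv": argv}


if __name__ == "__main__":
    gws = detect_gateways(SAMPLE_JSON)
    print("detected gateways:", gws)
    plan = plan_remote_command("1.2.3.4", ["show", "configuration"], gws, "/bin/clish")
    print(plan["script"])
    print(*plan["argv"], sep="\n")
```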
AndyDixon inside Enterprise Appliances and Gaia OS 2 weeks ago

Migration of IP details on VLAN interface

Hello all.

Firstly, Happy New Year! This question is more of a sense check to the hive mind as I am still finding my way with CP security gateways.

My organisation is migrating its primary Internet access link to a new supplier. I have arranged a suitable out-of-hours maintenance window and want to verify that what I'm planning will work.

Our perimeter 4900s running R80.20 are configured with 4 x 1Gb interfaces bonded together. There are a number of VLAN interfaces that are members of this bond. One of the VLAN interfaces is for the Internet access. This is VLAN 4 (10.145.91.144/28). The 4900s are in HA and each VLAN interface has a ClusterXL VIP. VLAN 4 node 1: 10.145.91.155, node 2: 10.145.91.156, VIP: 10.145.91.147.

The 4900s are configured with a default static route to push all non-specific traffic to the next hop IP address of 10.145.91.150. This is the HSRP IP address of our current provider's CPE. I have requested that the new supplier configure their CPE IP details to mirror those of our current provider and to tag the sub-interfaces with VLAN 4.

The new supplier is presenting their circuits via 10Gb capable copper cables. Our 4900s have the expansion card installed allowing 4 x 10Gb interfaces. During the maintenance window, my plan is to amend the IP addressing of the existing VLAN 4 VLAN interface and VIP to something unused by my organisation, create a new VLAN interface on one of the 10Gb physical interfaces tagged with VLAN 4, re-apply the IP addressing, import topology and create the VIP. The 4900s should then send all default routed traffic out of a different interface.

I have a pair of spare 4600s that I'm using to duplicate the bond and VLANs and my plan appears to work, but I want to ensure that I'm not missing any 'gotchas'.

Many thanks in advance.
Andy