Enterprise Appliances and Gaia OS

Gaia API - Loss of functionality with upgrade?

I've been running on Gaia API version 1.0 successfully since its release. As we continue to build more integrations, some features of v1.2 intrigued me, so I upgraded. After I upgraded, we lost the 'run-script' functionality. It now results in a generic_error. Has anyone else noticed this? Why would an "upgrade" result in a downgrade? When will the run-script API be back? I'm downgrading my API version to v1.0 since v1.2 doesn't support the same things v1.0 did. Here is what I'm seeing:

curl -w '%{http_code}' -k -X POST "https://gw.site.net/gaia_api/run-script " -H "Content-Type: application/json" -H "X-chkp-sid: $MYSECRET" -d "{\"script-name\":\"do-it\",\"script\":\"/var/log/myscript.sh\"}" -s
{"code": "generic_error","message": "Internal error."}500

Thanks!
Danny inside Enterprise Appliances and Gaia OS 12 hours ago

Stateful Inspection Explained

One-liner (Bash) to check if a firewall gateway drops out-of-state TCP packets. In expert mode run:

echo; echo -n " Out of state TCP packets are "; if [[ `fw ctl get int fw_allow_out_of_state_tcp` -eq 0 ]]; then echo dropped.; else echo allowed.; fi; echo

command to check the hotfix version installed in Gaia

Hi, can someone please explain to me the difference between "cpinfo -y all" and "show installer packages installed"? Thanks in advance 🙂
Srinu K
Darius inside Enterprise Appliances and Gaia OS yesterday

USB to RJ45 Console Cable

Hi guys, I'm planning to send a console cable to each of our remote sites for troubleshooting purposes. The original RS232 console cables are no longer available, so I checked for possible replacements on the internet. Instead of using a USB-Serial adapter, I'm looking at a USB to RJ45 Console Cable. I checked here in CheckMates and could not find any existing posts/topics. Can someone please help to check if the pin definition from the image below can be used for Check Point firewalls like the 2200 and 1100 series? Here's the item I want to buy online: USB to RJ45 Console Cable. I want to confirm before placing the order. Thanks.
HeikoAnkenbrand inside Enterprise Appliances and Gaia OS yesterday

GAIA - Easy execute CLI commands from management on gateways!

Now you can use the new commands "g_bash" and "g_cli" to execute bash or clish commands on a gateway from the management server. All you have to do is copy and paste the lines below to the management server. After that you have two new commands on the management server. Here you can now centrally execute simple commands on all gateways which are connected via SIC with the management. You only need to enter the IP address of the gateway and the command will be executed there. Copy and paste these lines to the management server or download the script "new_commands.sh" and execute the script.

echo "echo Gateways configured in policy:" > /usr/local/bin/g_show
echo "more $FWDIR/conf/objects.C |grep -A 20 -B 1 ':type (gateway)' | grep ipaddr | sed 's/^[ \t]*//' | sed 's/\:ipaddr (//' |sed 's/)//'" >> /usr/local/bin/g_show
chmod 777 /usr/local/bin/g_show

echo '#!/bin/bash' > /usr/local/bin/g_bash
echo "more $FWDIR/conf/objects.C |grep -A 20 -B 1 ':type (gateway)' | grep ipaddr | sed 's/^[ \t]*//' | sed 's/\:ipaddr (//' |sed 's/)//' > /var/log/g_gateway.txt" >> /usr/local/bin/g_bash
echo 'HAtest="$2 $3 $4 $5 $6 $7 $8 $9"' >> /usr/local/bin/g_bash
echo 'if grep -xq $1 /var/log/g_gateway.txt; then' >> /usr/local/bin/g_bash
echo "echo \$HAtest > /var/log/g_command.txt;" >> /usr/local/bin/g_bash
echo "\$CPDIR/bin/cprid_util -server \$1 putfile -local_file /var/log/g_command.txt -remote_file /var/log/g_command.txt;" >> /usr/local/bin/g_bash
echo "\$CPDIR/bin/cprid_util -server \$1 -verbose rexec -rcmd /bin/bash -f /var/log/g_command.txt;" >> /usr/local/bin/g_bash
echo "else" >> /usr/local/bin/g_bash
echo "echo This is not a gateway IP. Use an IP of following list:;" >> /usr/local/bin/g_bash
echo "more /var/log/g_gateway.txt" >> /usr/local/bin/g_bash
echo "fi" >> /usr/local/bin/g_bash
chmod 777 /usr/local/bin/g_bash

echo '#!/bin/bash' > /usr/local/bin/g_cli
echo "more $FWDIR/conf/objects.C |grep -A 20 -B 1 ':type (gateway)' | grep ipaddr | sed 's/^[ \t]*//' | sed 's/\:ipaddr (//' |sed 's/)//' > /var/log/g_gateway.txt" >> /usr/local/bin/g_cli
echo 'HAtest="$2 $3 $4 $5 $6 $7 $8 $9"' >> /usr/local/bin/g_cli
echo 'if grep -xq $1 /var/log/g_gateway.txt; then' >> /usr/local/bin/g_cli
echo "echo \$HAtest > /var/log/g_command.txt;" >> /usr/local/bin/g_cli
echo "\$CPDIR/bin/cprid_util -server \$1 putfile -local_file /var/log/g_command.txt -remote_file /var/log/g_command.txt;" >> /usr/local/bin/g_cli
echo "\$CPDIR/bin/cprid_util -server \$1 -verbose rexec -rcmd /bin/clish -f /var/log/g_command.txt;" >> /usr/local/bin/g_cli
echo "else" >> /usr/local/bin/g_cli
echo "echo This is not a gateway IP. Use an IP of following list:;" >> /usr/local/bin/g_cli
echo "more /var/log/g_gateway.txt" >> /usr/local/bin/g_cli
echo "fi" >> /usr/local/bin/g_cli
chmod 777 /usr/local/bin/g_cli

Command syntax:

Command                           Description
# g_show                          show all gateway IP addresses
# g_bash <gateway IP> <command>   execute expert mode command on gateway
# g_cli <gateway IP> <command>    execute clish command on gateway

An example! You want to see the configuration of the gateway with IP 1.2.3.4 from the management. So you only have to enter the following command:

Management# g_cli 1.2.3.4 show configuration

Now the command "show configuration" is executed on the gateway and the output is displayed on the management server. The same also works for the expert mode. For example:

Management# g_bash 1.2.3.4 cphaprob stat

Show all gateway IP addresses. For example:

Management# g_show
Show all gateways configured in policy:
1.2.3.4
1.2.3.5
1.1.1.1

Copyright by Heiko Ankenbrand 1996-2019

Machine stuck on boot due to incorrect time and date in BIOS

Machine stuck on boot due to incorrect time and date in BIOS. Can anyone help me?

Massive users update passwords fwm dbimport

Hello, in CP R77.30 I have to massively update VPN users (without LDAP). I saw "fwm dbimport", but the manual (https://sc1.checkpoint.com/documents/R77/CP_R77_CLI_ReferenceGuide_WebAdmin/html_frameset.htm?topic=documents/R77/CP_R77_CLI_ReferenceGuide_WebAdmin/12590) says that the password should be encrypted with the C language encrypt function! But I can't find what this "C language encrypt function" is. Does anyone have an idea? Thanks
HeikoAnkenbrand inside Enterprise Appliances and Gaia OS Thursday

R80.x Ports Used for Communication by Various Check Point Modules

Introduction

This drawing should give you an overview of the R80 and R77 ports and communication flows respectively. It should give you an overview of how different Check Point modules communicate with each other. Furthermore, services that are used for firewall operation are also considered. These firewall services are also partially mapped as implied rules in the set on the firewall.

Overview

Chapter

More interesting articles:
- R80.x Architecture and Performance Tuning - Link Collection
- Article list (Heiko Ankenbrand)

References

Support Center: Ports used by Check Point software

Versions

+ v1.5a typos corrected 18.09.2019

old version 1.4:
+ v1.4a bug fix, update port 1701 udp L2TP 09.04.2018
+ v1.4b bug fix 15.04.2018
+ v1.4c CPUSE update 17.04.2018
+ v1.4d legend fixed 17.04.2018
+ v1.4e add SmartLog and SmartView on port 443 20.04.2018
+ v1.4f bug fix 21.05.2018
+ v1.4g bug fix 25.05.2018
+ v1.4h add Backup ports 21, 22, 69 UDP and ClusterXL full sync port 256 30.05.2018
+ v1.4i add port 259 udp VPN link probing 12.06.2018
+ v1.4j bug fix 17.06.2018
+ v1.4k add OSPF/BGP route Sync 25.06.2018
+ v1.4l bug fix routed 29.06.2018
+ v1.4m bug fix tcp/udp ports 03.07.2018
+ v1.4n add port 256 13.07.2018
+ v1.4o bug fix / add TE ports 27.11.2018
+ v1.4p bug fix routed port 2010 23.01.2019
+ v1.4q change to new forum format 16.03.2019

old version 1.3:
+ v1.3a new design (blue, gray), bug fix, add netflow, new names 27.03.2018
+ v1.3b add routing ports, bug fix design 28.03.2018
+ v1.3c bug fix, rename ports (old) 29.03.2018
+ v1.3d bug fix 30.03.2018
+ v1.3e fix issue L2TP UDP port 1701

old version 1.1:
+ v1.1a - added r80.xx ports 16.03.2018
+ v1.1b - bug in drawing fixed 17.03.2018
+ v1.1c - add RSA, TACACS, Radius 19.03.2018
+ v1.1d - add 900, 259 Client-auth - deleted old 4.0 ports 20.03.2018
+ v1.1e - add OPSEC - delete R55 ports 21.03.2018
+ v1.1f - bug fix 22.03.2018
+ v1.1g - bug fix - add mail smtp - add dhcp - add snmp 25.03.2018

Copyright by Heiko Ankenbrand 1994-2019
Kul inside Enterprise Appliances and Gaia OS Wednesday

Unable to boot from USB

Hello everyone, I am unable to install R77.30 on a 4200 device. I even changed the USB drive and it still failed. It leads to the same page and I see no option for USB. I tried it on another 4200 device and it works fine.

Message seen on /var/log/messages - "simi_reorder_enqueue_packet"

Hi there guys, I'm seeing this message "simi_reorder_enqueue_packet" in /var/log/messages. Is this an indication of traffic congestion? My network is momentarily encountering intermittent application connectivity issues, especially on VOIP. As usual, no drops are seen in tracker and zdebug. Hope someone has encountered this.

How to Create Multiple Admin Accounts

Hi, how can I create multiple admin accounts with GAIA clish? To create one account, I can write these commands in clish:

add user [User] uid [number] homedir /home/user
set user [User] password
save config

and so on... For our installation I don't want to set up all admin users manually on our Check Point appliances. We use GAIA R80.10. What can I do? API? User file? Thanks for help.

GRE Tunnel

Hi Experts, I believe that a GRE tunnel cannot be terminated on Check Point firewalls (please confirm if it is supported in any way, in any version of hardware or software, or on any model). Also, since this GRE is proprietary to another vendor, is that the reason CP does not support it, or are there other technical reasons? Please let me know; any information is highly appreciated. Thanks in advance.
Vijay
Petr_Hantak inside Enterprise Appliances and Gaia OS a week ago

Why are CCP packets in VSX sent to the network address of the internal network subnet?

I'm trying to figure out a strange case where we are able to catch traffic towards the VSX internal subnet in a different part of the network. I have a VSX VSLS cluster. Multiple virtual systems are connected to the same virtual switch, which is connected to a normal network terminated by a router. The router has a default route out, and here we can see the bottleneck. I can see the following traffic, 0.0.0.0 -> 192.168.196.96 (UDP) 8116, going out of my network via that router. I started to search why. According to the ClusterXL Advanced Technical Reference Guide, the source IP 0.0.0.0 is fine for CCP traffic because it does not care about it. However, I am confused by the destination. I use the internal VSX cluster network 192.168.196.0/22, which is the default setup. If I check the interface configurations in CLISH, I can see that it was divided into /28 networks for the interfaces and some internal IPs were assigned there (multiple times for the same interfaces, but it is correct according to sk110345 - Identical IP addresses from VSX "Internal Communication Network" are assigned to interfaces that belong to different Virtual Systems). So I expected to see CCP communication on broadcast or particular addresses, but I see it towards 192.168.196.96, which is the /28 subnet IP and not assigned to a particular interface. FWHA_MY_STATE messages are sent there, for example. The funny thing is that this traffic is blocking the stealth rule in the policy. I found the same results on all my VSX clusters on R77.30 and on one running R77.10. Therefore, it seems to be a regular thing. All clusters are fully synchronized and fine. Do you know why it communicates this way? I was not able to find it anywhere. You can see the FW monitor result from one of the clusters in the attachment. P.S. I'll ask support as well, of course.

OSPF route TAG

Hi, I'm trying to filter some OSPF tagged routes using route-maps. It seems like it filters all the OSPF external routes rather than the specific tagged ones. Has anyone encountered the same or can advise?

Version: R77.30

Commands:
set routemap ospf-import id 10 on
set routemap ospf-import id 10 restrict
set routemap ospf-import id 10 match tag 778 on
set routemap ospf-import id 20 on
set routemap ospf-import id 20 allow
set ospf import-routemap ospf-import preference 1 on

Before:
FW1> show route ospf
Codes: C - Connected, S - Static, R - RIP, B - BGP (D - Default),
O - OSPF IntraArea (IA - InterArea, E - External, N - NSSA)
A - Aggregate, K - Kernel Remnant, H - Hidden, P - Suppressed,
U - Unreachable, i - Inactive
O 10.2.2.4/30 via 10.11.7.10, bond1.1107, cost 5, age 4863523
    via 172.23.101.80, bond1.1106
    via 172.23.101.81, bond1.1106
O 10.14.98.11/32 via 10.14.99.11, bond2.1499, cost 2, age 5024684
O 10.14.98.12/32 via 10.14.99.12, bond2.1499, cost 2, age 5024684
O 10.14.98.13/32 via 10.14.99.13, bond2.1499, cost 2, age 5024684
O 10.14.98.14/32 via 10.14.99.14, bond2.1499, cost 2, age 5024684
O E 10.165.249.0/24 via 10.14.99.11, bond2.1499, cost 1:20, age 4863523, tag 0x00000000
    via 10.14.99.12, bond2.1499
    via 10.14.99.13, bond2.1499
    via 10.14.99.14, bond2.1499
O E 10.165.0.0/24 via 10.14.99.11, bond2.1499, cost 1:20, age 4863523, tag 0x00000000
    via 10.14.99.12, bond2.1499
    via 10.14.99.13, bond2.1499
    via 10.14.99.14, bond2.1499
O E 10.0.0.0/8 via 172.23.101.69, bond1.1106, cost 2401:0, age 6929627, tag 0x0000030a
O E 172.16.0.0/12 via 172.23.101.69, bond1.1106, cost 2401:0, age 6929627, tag 0x0000030a
O E 192.168.0.0/16 via 172.23.101.69, bond1.1106, cost 2401:0, age 6929627, tag 0x0000030a
AKmdrL9LabDCFW1>

After:
FW1> show route ospf
Codes: C - Connected, S - Static, R - RIP, B - BGP (D - Default),
O - OSPF IntraArea (IA - InterArea, E - External, N - NSSA)
A - Aggregate, K - Kernel Remnant, H - Hidden, P - Suppressed,
U - Unreachable, i - Inactive
O 10.2.2.4/30 via 10.11.7.10, bond1.1107, cost 5, age 4863590
    via 172.23.101.80, bond1.1106
    via 172.23.101.81, bond1.1106
O 10.14.98.11/32 via 10.14.99.11, bond2.1499, cost 2, age 5024751
O 10.14.98.12/32 via 10.14.99.12, bond2.1499, cost 2, age 5024751
O 10.14.98.13/32 via 10.14.99.13, bond2.1499, cost 2, age 5024751
O 10.14.98.14/32 via 10.14.99.14, bond2.1499, cost 2, age 5024751
AKmdrL9LabDCFW1>
S_E_ inside Enterprise Appliances and Gaia OS a week ago

SSH Banners in R80.30

Hi, some characters like dashes "-" or "_" do not work anymore in R80.30 banners. SSH to the box should show these banners. In R80.30, the '---' are not visible anymore.

R8030> set message banner on
set message banner on line msgvalue "-----------"
set message banner on line msgvalue "R80.30 TEST"
set message banner on line msgvalue "-----------"
R8030> show configuration
set message banner on
set message banner on line msgvalue "R80.30 TEST"

R8020> show configuration
set message banner on
set message banner on line msgvalue "-----------"
set message banner on line msgvalue "R80.20 TEST"
set message banner on line msgvalue "-----------"

Is this a bug, a feature or a misconfiguration?
Best Regards,