Enterprise Appliances and Gaia OS

Have questions about Security Gateway Appliances, Gaia OS, CoreXL, SecureXL, or ClusterXL? This is where to ask them! This also includes legacy operating systems like SecurePlatform, IPSO, or XOS.

For Small Business Security appliances (600/700/1200R/1400/1500), see the SMB Appliances and SMP space.

R80.30 set message banner fails

Hello everyone,

I just tried to set a multiline message banner as I used to do in R77.30 (which did not change in R80.30) but could not:

~~~~~~~~~~~~~~~~~~~~~~~~
openserver> show message banner
Banner message: This system is for authorized use only.
openserver> delete message banner
openserver> set message banner on line msgvalue "Only authorized personnel is allowed to connect to the server"
openserver> set message banner on line msgvalue "Access is monitored"
openserver> set message banner on line msgvalue "Additional laws and regulations may apply"
openserver> show message banner
Banner message: This system is for authorized use only.
~~~~~~~~~~~~~~~~~~~~~~~~

The same in the WebUI:

Does anyone have a clue what might be causing this?

Best regards
Carsten

R80.10 GW - VSX HA/VSLS - Loopback Interfaces on VS ?

Hi folks,

I'm currently staging 2 Open Server gateways with ClusterXL HA and VSLS on R80.10, with the main goal of setting up dynamic routing between Virtual Systems and some external routers using eBGP sessions. So far, the setup is running fine, but I want to go further.

Is there any way to configure one or several loopback interfaces on a Virtual System? If not, is there any chance this feature is already on the development roadmap of a future version?

I will open a case with Check Point support asap for this feature request.
Announcement - Max Power 2020: Check Point Firewall Performance Optimization (Third Edition)

Posted by Timothy_Hall in Enterprise Appliances and Gaia OS, 6 hours ago (944 views)

The third edition of the book Max Power 2020: Check Point Firewall Performance Optimization is now available. For more information, including the FAQ and a CPX-related discount code, please visit the site. Feel free to PM or email me with questions, but please be sure to read the FAQ in its entirety first. Thanks!
2 new Common Criteria certificates R80.30: Protection Profile and EAL4+ and certification update

Posted in Enterprise Appliances and Gaia OS, 10 hours ago (636 views)

I'm pleased to announce that Check Point have been awarded two new Common Criteria certificates for R80.30:

EAL4+ certificate of R80.30. The Target of Evaluation (TOE) included claims for: Firewall, IPS Blade, Pattern Matcher, REST API; Enterprise appliances, TE appliances, Smart-1, CloudGuard.

Protection Profile compliance of R80.30. The Target of Evaluation (TOE) included claims for: Network Device, Stateful Traffic Filter Firewall, Extended VPN Package, SmartConsole; Enterprise appliances, TE appliances, Smart-1, CloudGuard.

The Protection Profile and EAL4+ listings include the Certificates, Security Target and Validation Report.

In addition, R80.30 is now listed by the NSA CSFC component list for protecting classified NSS data, and qualifies for listing by NIAPC (NATO Information Assurance Product Catalogue), and the UK National Cyber Security Center (NCSB) Commercial Product Assurance (CPA) certification.

A full press release can be seen here:

What does VRRP State Flag "InterfaceDown" mean

On my cluster, the VRRP summary shows:

VRRP State
VRRP Router State: Up
Flags: On,MonitorFirewall,InterfaceDown
Interface enabled: 17
Virtual routers configured: 17
In Init state 0
In Backup state 17
In Master state 0

What does the flag "InterfaceDown" mean, and how is it set?

How to use scripts from IPSO in Gaia as well

Hi all,

The scripts used by IPSO can't be used as they have been moved to Gaia. Is there a problem with scripts?

open admin
passwd
asprompt
cd /var/log
lcd c:\usffw_accesslog\krsefw05
mget *messages*
mget *wtmp*
disconnect
asprompt
quit

It aims to import logs using ftp every night.
PBR Rules/R80.30 and Hide NAT

Posted by SCSupport in Enterprise Appliances and Gaia OS, yesterday (123 views)

Hi all,

I have been given an answer by Check Point support, however I wondered if anyone could explain to me what the changes are and the consequences of turning SecureXL off in the future.

So - we migrated a customer to R80.30 from a R77.30 firewall. They have a list of PBR rules. An issue came up where certain traffic was being received on the correct interface, but was leaving on the incorrect one. There is a PBR rule to point the traffic back to the correct interface. (The traffic wasn't being picked up by another PBR rule, it was just following OS routes.) Turning SecureXL off fixes the issue.

Check Point support pointed me to sk163320. The customer does indeed translate his source IP, but his PBR rules were always set on the existing, original IP and not the NAT'd IP. It appears now that PBR is calculated after NAT, therefore on the NAT address - firstly, is my understanding correct?

The customer is a bit dismayed at the fact he now needs to adjust all his PBR rules to work with the translated NAT source address. He also queries why this is the case in R80.20 and above, what changed? And also, if he turns SecureXL off, will PBRs still be calculated on the NAT'd source address? Or will he need to keep PBR rules for original and NAT'd addresses?

Script to get arp table and routing table

Hi there,

May I ask if there is any sample script for accessing our GW to grab the ARP table and routing table from the CLI via SSH?

Thanks a lot,
David

New CheckPoint Appliances

Seeing as there's once again new CheckPoint appliances, I wanted to get a thread going so we can collect some knowledge on the new units here. There was a Press Release on Tuesday January 14th, 2020 about the new units. It looks like a 3600 Quantum Security Gateway, 6200 Quantum Security Gateway, 6600 and 6900 Quantum Security Gateways, and a 16000 Quantum Turbo Hyperscale Gateway.

Firstly, I have to laugh a bit at the new naming as I type out the new Quantum naming, especially for the 16000 Quantum Turbo Hyperscale Gateway (what a mouthful); but I also wonder if the new Quantum naming is so that if people search for Quantum (thinking of Quantum computing) and CheckPoint at the same time they'll finally get a result.

I've also been interested in the 6000 series as we were considering a 6500 cluster, but noticed the 6500 and 6800 that came out last year still do not support the new 3.10 kernel, but the 6200, 6600 and 6900 units do. I do remember researching the CPU in the 5800 (Intel Xeon E3-1285L v4) which released in May 2016 compared to the CPU in the 6500 (Intel Core i7 4790S) which released in January 2019 and noticed that the older 5800 unit actually has a newer CPU. This has left me hoping that the new "Quantum" gateways actually have a proper hardware refresh with newer generation CPUs and DDR4 RAM.

Another interesting thing I noticed is the new 6200 unit seems to have a different CPU (or is handicapped) based on which SKU you buy. The datasheet shows:

1x CPUs, 2 physical cores, 4 virtual cores (Base, Plus)
1x CPUs, 4 physical cores (Turbo)

This is the first time I can remember CheckPoint changing the CPU so much on the same model. Has anyone else gotten their hands on the new units or any interesting information you'd like to share? 😃🤔
R80.x Ports Used for Communication by Various Check Point Modules

Posted by HeikoAnkenbrand in Enterprise Appliances and Gaia OS, yesterday (305821 views)

Introduction

This drawing should give you an overview of the ports and communication flows used by R80 and R77 respectively. It should give you an overview of how different Check Point modules communicate with each other. Furthermore, services that are used for firewall operation are also considered. These firewall services are also partially mapped as implied rules in the rule set on the firewall.

Overview

Download

Download: R80.x Ports Used for Communication PDF (new R80.30 version)

Chapter

More interesting articles:
- R80.x Architecture and Performance Tuning - Link Collection
- Article list (Heiko Ankenbrand)

References

Support Center: Ports used by Check Point software

Versions

+ v1.5a typos corrected 18.09.2019

old version 1.4:
+ v1.4a bug fix, update port 1701 udp L2TP 09.04.2018
+ v1.4b bug fix 15.04.2018
+ v1.4c CPUSE update 17.04.2018
+ v1.4d legend fixed 17.04.2018
+ v1.4e add SmartLog and SmartView on port 443 20.04.2018
+ v1.4f bug fix 21.05.2018
+ v1.4g bug fix 25.05.2018
+ v1.4h add Backup ports 21, 22, 69 UDP and ClusterXL full sync port 256 30.05.2018
+ v1.4i add port 259 udp VPN link probing 12.06.2018
+ v1.4j bug fix 17.06.2018
+ v1.4k add OSPF/BGP route Sync 25.06.2018
+ v1.4l bug fix routed 29.06.2018
+ v1.4m bug fix tcp/udp ports 03.07.2018
+ v1.4n add port 256 13.07.2018
+ v1.4o bug fix / add TE ports 27.11.2018
+ v1.4p bug fix routed port 2010 23.01.2019
+ v1.4q change to new forum format 16.03.2019

old version 1.3:
+ v1.3a new design (blue, gray), bug fix, add netflow, new names 27.03.2018
+ v1.3b add routing ports, bug fix design 28.03.2018
+ v1.3c bug fix, rename ports (old) 29.03.2018
+ v1.3d bug fix 30.03.2018
+ v1.3e fix issue L2TP UDP port 1701

old version 1.1:
+ v1.1a - added r80.xx ports 16.03.2018
+ v1.1b - bug in drawing fixed 17.03.2018
+ v1.1c - add RSA, TACACS, Radius 19.03.2018
+ v1.1d - add 900, 259 Client-auth - deleted old 4.0 ports 20.03.2018
+ v1.1e - add OPSEC - delete R55 ports 21.03.2018
+ v1.1f - bug fix 22.03.2018
+ v1.1g - bug fix - add mail smtp - add dhcp - add snmp 25.03.2018

Copyright by Heiko Ankenbrand 1994-2019

Finding Bandwidth consuming for particular Host

Dear All,

Just wanted to check if there is any workaround to check the bandwidth consumed/consuming for a particular host machine. The customer's Internet bandwidth was choked due to "few hosts to some destination IP" consuming high bandwidth. From SmartMonitor we can see only the Source or Destination which is consuming. But we need to check "Which Source against Which Destination" consumed/is consuming more bandwidth.

Just like the Cisco command ip flow top-talkers:

CISCO-ASA#sh ip flow top-talkers
SrcIf     SrcIPaddress         DstIf        DstIPaddress         Pr       SrcP      DstP         Bytes
Gi0/1                          Gi0/0                             06       0050      BBEB         19M
Gi0/1                          Gi0/0                             06       0050      3891         16M

In the above we could see 2 Sources against 2 Destinations with "Bytes" consumed. By any chance can we see something like this in CheckPoint??

Regards,
Prabulingam.N

Policy Based Routing (PBR) and Domain vpn

Policy Based Routing sk100500 just shortly states that PBR cannot be used with Domain VPN. If I use PBR just for a certain network, am I able to use Domain VPN with other networks, or how does it affect Domain VPN?

My other problem is that we have 2 ISPs and some networks need to be routed via ISP1 and some via ISP2. I currently have many s2s Domain VPNs via ISP1 and at some point would like to start moving them one-by-one to ISP2, but if PBR doesn't work with Domain VPN, I don't see a way to do this with one Gateway cluster? If I remove PBR, either the ISP1 or ISP2 owned network will route wrong with static routes.

Multithread ZIP

Hi Community,

During the last days I had to work a lot with backups. I recognized that the bottleneck is always gzip, because it only utilizes one single core. Additionally I recognized that while gzip is utilizing one thread at 100% it is impacting other processes.

Question: There are already different zip tools in the unix universe supporting multiple threads. Are there plans to implement a multithread zip tool into GAIA and add its functionality to gaiabackup and scripts like this?

Thanks in advance.

Cheers
Sven

Enabling SMTP port for mail security appliance in the DMZ

Is there a reason why a mail security appliance that's located in the DMZ cannot send mail outside of my organization? Port 25 is enabled on the firewall. SmartView Tracker does not show dropped SMTP traffic from the host. Even a simple telnet from the appliance on port 25 is dropped.

Any suggestion would be greatly appreciated.

Thanks

Replace Cluster Member 2200 (77.30)

Hi Community,

I was looking for steps to replace a failed member in ClusterXL (1 SMS and 2 GW). We already have an RMA. I do not have a backup (config or snapshot) of the failed member. I cannot find those steps in the R77 Guide and sk160533 is very generic.

Can someone who has done this or has an idea kindly help list the steps, starting with connecting the new RMA to the console and then what needs to be done, right until adding it to the ClusterXL and testing failover.

Help is much appreciated, thanks in advance.