Showing results for 
Search instead for 
Did you mean: 
Create a Post
Enterprise Appliances and Gaia OS

Have questions about Security Gateway Appliances, Gaia OS, CoreXL, SecureXL, or ClusterXL? This is where to ask them! This also includes legacy operating systems like SecurePlatform, IPSO, or XOS.

For Small Business Security appliances (600/700/1200R/1400/1500), see the SMB Appliances and SMP space.

Jeff_Gao inside Enterprise Appliances and Gaia OS 4 hours ago
views 111 4

How to send G-ARP manually?

Dear team      I encounter a problem. I replace a juniper firewall with checkpoint application,all dnat is not accessible when i online checkpoint application.I believe this is a arp cache problem,because the dnat is accessible when i modify checkpoint wan interface mac and replace it with juniper wan interface mac.    I think if i can send a g-arp manually,all problem will be solved.So,how to i can send a g-arp  manually,thanks!

Traffic not accelerated by Secure XL

Hi,I have been dealing with the secure XL for a while and cannot have the traffic accelerated as you can see the output below.The problem is the cpus are going over %95 during day time and i think the reason is the secure XL not handling traffic as expected as everything is going through the slow path.I have been through many topics here and I will put the outputs you may ask.Just a brief information of the firewall, working with ClusterXL, 8 cpu (2 SND, 6 workers) , OPEN SERVER ( I'm not sure if this could be any issue) , This is an external firewall, having DMZ, vpn and internet traffic of users and servers and more as you can think.#fwaccel stats -sAccelerated conns/Total conns : 14/79668 (0%)Accelerated pkts/Total pkts   : 370720/214400236 (0%)F2Fed pkts/Total pkts   : 211158051/214400236 (98%)PXL pkts/Total pkts   : 2871465/214400236 (1%)QXL pkts/Total pkts   : 0/214400236 (0%) # fwaccel conns -sThere are 211889 connections in SecureXL connections table The template number is so low.# fwaccel templates -sThere are 48 templates in SecureXL templates table # fwaccel statAccelerator Status : onAccept Templates   : disabled by Firewall                     Layer CL-EXT Security disables template offloads from rule #xxx ( just above the last rule)                     Throughput acceleration still enabled.Drop Templates     : enabledNAT Templates      : disabled by Firewall                     Layer CL-EXT Security disables template offloads from rule xxx ( just above the last rule)                     Throughput acceleration still enabled.NMR Templates      : enabledNMT Templates      : enabled I downloaded the fwaccel conns table and when investigated we see that most of traffic is about these 4 sources with 1 destination address (exchange related F5 traffic) as nearly 1/3 of the whole table is this connection. SourceDestinationDPortPRFlags     C2Si/f S2Ci/f InstAX4436F..A...S......40/3232/40BX4436F..A...S......40/3232/40BX4436F..A...S......40/3232/40CX4436F..A...S......40/3232/40AX4436F..A...S......40/3232/40DX4436F..A...S......40/3232/40CX4436F..A...S......40/3232/40DX4436F..A...S......40/3232/40CX4436F..A...S......40/3232/40BX4436F..A...S......40/3232/40BX4436F..A...S......40/3232/40DX4436F..A...S......40/3232/40AX4436F..A...S......40/3232/40CX4436F..A...S......40/3232/40DX4436F..A...S......40/3232/40CX4436F..A...S......40/3232/40BX4436F..A...S......40/3232/40CX4436F..A...S......40/3232/40AX4436F..A...S......40/3232/40BX4436F..A...S......40/3232/40AX4436F..A...S......40/3232/40BX4436F..A...S......40/3232/40BX4436F..A...S......40/3232/40AX4436F..A...S......40/3232/40DX4436F..A...S......40/3232/40DX4436F..A...S......40/3232/40AX4436F..A...S......40/3232/40BX4436F..A...S......40/3232/40DX4436F..A...S......40/3232/40 My question is, how come this traffic isn't accelerated?  Thank you 
inside Enterprise Appliances and Gaia OS 5 hours ago
views 41 3

SAN card configuration procedure on Gaia OS

Hi, Following sk134476, I’m trying to allocate a certified procedure for properly configuring the SAN card on Gaia OS… After installing the supported SAN card on the Open Server – what procedure needs to be executed on Gaia so it will recognize the external storage as the GW’s partition?   Background story: One of my customers wants to connect his Log Server (R80.30) to an external storage (Infinidat) using a dedicated SAN card installed (LPe 11002) on his Open Server. So I’m looking for the relevant procedure that he should follow… Does anyone has any practical experience with that?

Upgrading 3 members cluster

Hi, I need to upgrade a 3 member cluster from R77.30 to R80.10Until now i have been using the CP_Conectivity_Upgrade.Where you upgrade first the two passive members to R80.10 and later the last one. This time i need to upgrade one by one the members like this:member1 - R77.30 activemember2 -R77.30 standbymember3 - R77.30 standbytomember1 - R77.30 downmember2 - R77.30 downmember3 - R80.10 activeto member1 - R77.30 downmember2 - R80.10 activemember3 - R80.10 standbytomember1 - R80.10 activemember2 - R80.10 standbymember3 - R80.10 standby  Do i need to do a cpstop in member2 then follow the CP_Conectivity_Upgrade with member1 and 3. And then upgrade member1 and 2 one by one Is this correct? Thank you!

problem with routed daemon on R80.30 kernel 3.10

Dear CheckMates, recently we updated two clusters from R77.30 to R80.30 kernel 3.10. Since then we had some problems regarding OSPF (routes are sometimes not propagated or learned). After research we found some unusual cluster failovers. All these failovers are done automatically as a result of problems with the "routed" daemon. After these failovers all OSPF-features starts working fine. I saw these problem only on kernel 3.10 environment. Has anyone running kernel 3.10 with dynamic routing feature like BGP, OSPF etc. enabled? We had a TAC case open, but I want to know something from the field. Thanks, Wolfgang

Sync Interface Sizing

HiI am about to build a VSX cluster and am going round in circles on the sync interface.I've decided that it will be a port channel of 2 but I can't decide on whether it needs to be 10Gb or not.Currently we have a VSX pair with a mix of 1Gb / 10Gb interface north and south, about 5 VS's and 2 x 1Gb for the sync and it works fine.The new pair will have a mix of 1Gb, 10Gb, and 7 VS's and the same mix of 1Gb / 10Gb interfaces.I am trying to decide whether I should be using 10Gb for the sync... I'm not really sure the full detail of what is on it and if it needs to be sized cautiously.Any advice please?Many thanks
Pantsu inside Enterprise Appliances and Gaia OS yesterday
views 221 5

ssh protocol with proxy

helloI have installed  checkpoint as a proxy server, and all users go internet with this proxy i want  to pass ssh trafic via  proxy for some users, how i can do it ?i did it  as it is in a screenshot but still not  working .   

Too many pending data connections for one control connection

Hi,I am getting this Alert email and Log message after upgrading from R77.30 to R80.10.HeaderDateHour: 28May2018 16:18:44; ContentVersion: 5; HighLevelLogKey: N/A; LogUid: N/A; SequenceNum: N/A; Action: drop; Origin: TPLCPFW1; IfDir: <; InterfaceName: bond28; Alert: alert; OriginSicName: CN=TPLCPFW1,O=TPLCPMGMT..er27t2; OriginSicName: CN=TPLCPFW1,O=TPLCPMGMT..er27t2; HighLevelLogKey: 18446744073709551615; src: CZO_Exchange; dst: TPIVRCTR; proto: udp; message_info: Too many pending data connections for one control connection; ProductName: VPN-1 & FireWall-1; svc: sip; sport_svc: sip; ProductFamily: Network;I have raised a case with Checkpoint TAC and they have asked me to follow the sk33760 every time I get this alert. I have gradually increased the value from 50 to 400 but still I am getting this error. Can anyone help? Is there any other solution to this?Regards,Yash

You should use active/active mode only if your single gateway is not able to handle traffic/ CPU/ Me

You should use active/active mode only if your single gateway is not able to handle traffic/ CPU/ Memory-Why

LAN Ethernets set to State Off - when power cut.

Hi everyone,I was hoping someone could shine some light on a problem I'm facing. I have a Checkpoint 3200 running on R80.10. Over the weekend we experienced a power outage, and upon bringing the equipment back up, the bridged connection that I had created was unavailable. No lights on the ethernet port for both eth3 or 4. Upon inspection via the management port and the shell, I found;show interface eth4state offmac-addr 00:1c:7f:8b:5a:f8type ethernetlink-state link downmtu 1500auto-negotiation Not configuredspeed N/Aipv6-autoconfig Not configuredduplex N/Amonitor-mode Not configuredlink-speed Not configuredcommentsipv4-address Not Configuredipv6-address Not Configuredipv6-local-link-address Not Configured I had to manually type ''set interface eth4 state on'' for both interfaces, and my environment came back up, no other settings were changed... Short of getting this CP on a UPS, is there a way to configure it not to change the eth state when it loses power, is this a feature or a hotfix bug type deal? Cheers!


Hi Guys,Is it normal in VSX CLI that even if I go into a VS then I do "show configuration", it always shows me the VS0?How can I do a "show configuration" per each VS? I am running R80.20.Thanks

http security server port

Hi How do you enable the http security server to listen on another port (default is 80)? I am trying to build a rule with service with resource and I dont think its matching because the target web port is 8080. Using R80.20 gateway.more $FWDIR/conf/fwauthd.conf......80 fwssd in.ahttpd wait -8

R80.20 MTU and SecureXL Problem

Hello,we have a Ethernet-Link (no VPN from Checkpoint) to a network where the MTU is 1422. If we set the mtu on the interface and disable SecureXL the Clients (with default MTU of 1500) get  the ICMP Fragmentation Packet and start to send packets with smaller MTU.When we reactivate SecureXL the Clients starts to send 1500 byte packets again and do not get an ICMP Fragmentation paket from the Firewall.We are using an Checkpoint 5600 Cluster with R80.20 with latest HFA.Did anybody had the same problem? Jan

R80.30 3.10 Interface issues?

Has anyone had issues with interfaces flapping on R80.30 3.10?  I have two Intel x710 nic cards installed on an HPE G10, where the ports from one card are in bond1 and ports from the other are in bond2. I was running R80.20 3.10, where everything was functioning. I upgraded to .30 and my ports on bond2 started flapping.  I took the ports out of the bond and destroyed the PO on the switch, but the ports continue to flap. I’m hoping I’m missing something, but I’ve noticed weird things like the lacp-rate not honoring the clish setting (I set fast, but the bond shows slow), auto negotiate not honoring the clish setting (I set auto, ethtool says autoneg not supported), rx/tx ringsize not honoring the clish setting (I increased it, but ethtool still shows default) and the default multiqueue setting does not match for all ports (the working 10G ports have more CPU allocated than should be). I have a ticket open, but was curious if others have this issue.  I also installed JHF50 (ongoing take), but no dice.  I tried this on two boxes, same result. I noticed the i40e driver was upgraded when I went to .30 3.10, so I tried to use the older version from .20 3.10, but no luck. The driver seems OK based on internet searches, but Check Point documentation says the i40e driver is for 40G nics and not 10G. Maybe the driver should be the ixgbe driver, but 80.20 3.10 also used the i40e driver. Thoughts?

Replace/Upgrade Cluster

I currently have two 4800s in a cluster on R80.10. I am looking to utilize the same cluster name/configuration and replace these gateways with two 6500s on R80.30. I just wanted to brain storm on the easiest way to accomplish this. Also, seems like this should be a common ask. Are there any Check Point guides for something like this?