Showing results for 
Search instead for 
Did you mean: 
Create a Post
Enterprise Appliances and Gaia OS

Have questions about Security Gateway Appliances, Gaia OS, CoreXL, SecureXL, or ClusterXL? This is where to ask them! This also includes legacy operating systems like SecurePlatform, IPSO, or XOS.

For Small Business Security appliances (600/700/1200R/1400/1500), see the SMB Appliances and SMP space.

PP26 inside Enterprise Appliances and Gaia OS 2 hours ago
views 22 1

Replace Cluster Member 2200 (77.30)

Hi Community I was looking for steps to replace a failed member in ClusterXL (1 SMS and 2 GW). We already have an RMAI do not have a backup (config or snapshot) of the failed member. I cannot find those steps in the R77 Guide and the sk160533 is like very generic . Can someone who has done this or has an idea kindly help list the steps , starting with connecting the new RMA to the console and then what needs to be done , right until adding it to the clusterxl and testing failover. Help is much appreciated , thanks in advance.  

Finding Bandwidth consuming for particular Host

Dear All, Just wanted to check if any workaround to check the Bandwidth consumed/consuming for particular host machine.Customer's Internet Bandwidth was choked due to "few hosts to some destination IP" consuming high.From SmartMonitor we can see only Source or Destination which is consuming.But we need to check for the "Which Source against Which Destination" more bandwidth consumed/consuming. Just like in Cisco command: --ip flow top-talkersCISCO-ASA#sh ip flow top-talkersSrcIf     SrcIPaddress         DstIf        DstIPaddress         Pr       SrcP      DstP         BytesGi0/1    Gi0/0     06       0050      BBEB         19MGi0/1    Gi0/0     06       0050      3891           16MIn above we could see 2 Sources against 2 Destinations with "Bytes" consumed.By any chance can we see something like this in CheckPoint?? Regards, Prabulingam.N

Is there any step by step procedure on how to replace a defective member of a ClusterXL?

Is there a good document that shows on how to replace a defective member of a Cluster-XL?  We are running Gaia R77.30. Thank you in advance. 

R80.20 Cluster Load sharing issue

Dear CheckMates,I ran into below issue for customer using Loadsharing mode.1) Mgmt Server in R80.20 Smart appliance with latest JHF_Take_118 (followed sk162637) - (No IPSec blade enabled)2) FW Clusters in R80.20 with JHF_Take_118 as well (5800 appliances)a)When we use Cluster Load sharing - Multicast - All working fineb)When we use Cluster Load sharing - Unicast (without VMAC) - All working finec)When we use Cluster Load sharing - Unicast (with VMAC) - Complete halt of traffic.Even Pivot member unable to reach default gateway IP and their production halted. (So reverted to HA mode) The above scenario I had tested in my lab environment and faced exactly same issue.Loadsharing Unicast (without VMAC) & Multicast works fine post JHF_Take_118 on both Mgmt server & FWs.But when LS-with VMAC option = stops working. Any one had faced such scenario? (I haven't tried the above LS in R80.30 for now - will check that as well) Regards, Prabulingam.N 

Have a 3150 and 10G interfaces? DO NOT upgrade to 80.30 with the interfaces enabled!

In December we attempted an in-place upgrade on our 3150's from 80.10 to 80.30.While we were not actually using our 10G interface, it was installed and enabled.  And we were planning on migrating to it during that upgrade.Unfortunately, after 80.30 rebooted the machine after the upgrade, the machine locked up solid.  Not knowing what was going on, and running out of change window time, we reverted.  Thank God for snapshots.  In the meantime, we decide that a fresh install is our only upgrade path for the MDS boxes.Fast forward to this weekend.Spend 3 hours backing everything up and kick off a fresh install on our primary MDS.  It comes up, we upgrade to Jumbo Hotfix 111 and then enable the 10Gig card.  Good time to switch over, right?Machine looks up HARD.  No ethernet, no serial connection responses.We revert to factory settings and try again.  As soon as I click on OK to enable the interface, BAM!  Machine locks up hard again.We're (my SE hung out with me for the upgrade) hungry so we go get lunch and talk to TAC.Turns out, there's a known issue with the 10G NIC drivers in 3150's.  There's a hotfix for Jumbo HF 50.  Or, it is resolved in ongoing take 135.Really not wanting to be on an older hotfix, we elected to wait for 135 to go GA.  We took 111 and will stay on copper for now.It sure would be nice that if CheckPoint gets wind of issues like this, they write out a new ISO file to either disable the drivers so we're not lost with an unbootable box, or install proper drivers so, again, we're not left with an unbootable box.Our 5150 SmartEvent and SmartLog boxes sailed through in-place upgrades to 80.30. 

Gaia R80.20 Administration Guide contains deprecated options that aren't available in Gaia portal

One customer reports that our Gaia R80.20 Admin Guide is not up to date, some options/features described in this document cannot be found in our Gaia R80.20 system. They need us to update our Admin Guide and give them a correct one. Here is my findings based on the customer’s report on the section [List of Available Features in Roles], the [High Availability] and some other role features [Maintenance, System Management, User Management] seems had been deprecated starting from R80. We cannot find these several options in the Gaia Portal >User Management>Roles>>Features and these options are not available in Clish too. As mentioned in the guide, I have sent email to '', but no response received yet. Any one could possibly have a look on this query?  Many thanks. 1. The R80.20 Admin Guide: Online version and PDF version. 2. The Gaia Portal These role features are existed in R77.30.

blink install and xfs

Upgrading an R77.30 gateway to R80.20 using the blink command options "--reimage" and "--delete-old-partitions" leads to the following results:the old partition lv_current is deleted while all other partitions are being kept, including lv_logthe file system type is still ext3 for all partitions2 Questions arise here:Are our observatins correct?Is the xfs-type filesystem used for Management Servers ONLY, meaning that even if we istall the gateway from scratch, it would still by ext3?thx for clarification

Unable to boot from USB on 12400

I have been trying to perform a clean install on two 12400 chassis with no success. I am upgrading to R80.30 and have used the latest Polymorphic tool to build a bootable USB. I am not specifying any particular MAC, it should install on any machine. I have rebuild the USB several times an am confident it is correct. I am following the direction for clean install for this unit. I interrupt the boot process and perform a default reload. Once the system is reloaded, I begin the first time configuration wizard where I select the option to do a clean install from USB. I insert the USB and the system reloads but does not boot from the USB.

Common Criteria EAL4+ compliance for R80.10?

Does anyone have any information on Common Criteria EAL4+ compliance for R80.10?There is no info here: Certified Check Point Solutions | Check Point Software regards anything beyond R77.30.Anyone with info regards implied compliance or an ETA on a statement would be most welcomed. I appreciate that sometimes these statements come someway behind release.ThanksJon

2 new Common Criteria certificates R80.30: Protection Profile and EAL4+ and certification update

I’m pleased to announce that Check Point have been awarded two new Common Criteria certificates for R80.30: EAL4+ certificate of R80.30  The Target of Evaluation (TOE) included claims for Firewall IPS Blade Pattern Matcher REST API Enterprise appliances, TE appliances, Smart-1, CloudGuard Protection Profile compliance of R80.30 The Target of Evaluation (TOE) included claims for Network Device Stateful Traffic Filter Firewall Extended VPN Package SmartConsole Enterprise appliances, TE appliances, Smart-1, CloudGuard The Protection Profile and EAL4+ listings include the Certificates, Security Target and Validation Report.  In addition R80.30 is now listed by the NSA CSFC component list for protecting classified NSS data, and qualifies for listing by NIAPC (NATO Information Assurance Product Catalogue), and the UK National Cyber Security Center (NCSB) Commercial Product Assurance (CPA) certification.   A full press release can be seen here:   
HeikoAnkenbrand inside Enterprise Appliances and Gaia OS Wednesday
views 31793 27 23

GAIA - Easy execute CLI commands from management on gateways!

Now you can use the new command "g_bash" and "g_cli" to execute bash or clish commands on gateway from the management server. All you have to do is copy and paste the above lines to the management server. After that you have two new commands on the management server. Here you can now centrally execute simple commands on all gateways which are connected via SIC with the management. You only need to enter the IP address of the gateways and the command will be executed there. Cppy and paste this lines to the management server or download the script "" and execute the script.   echo "echo Gateways configured in policy:" > /usr/local/bin/g_show echo "more $FWDIR/conf/objects.C |grep -A 20 -B 1 ':type (gateway)' | grep ipaddr | sed 's/^[ \t]*//' | sed 's/\:ipaddr (//' |sed 's/)//'" >> /usr/local/bin/g_show chmod 777 /usr/local/bin/g_show echo '#!/bin/bash' > /usr/local/bin/g_bash echo "more $FWDIR/conf/objects.C |grep -A 20 -B 1 ':type (gateway)' | grep ipaddr | sed 's/^[ \t]*//' | sed 's/\:ipaddr (//' |sed 's/)//' > /var/log/g_gateway.txt" >> /usr/local/bin/g_bash echo 'HAtest="$2 $3 $4 $5 $6 $7 $8 $9"' >> /usr/local/bin/g_bash echo 'if grep -xq $1 /var/log/g_gateway.txt; then' >> /usr/local/bin/g_bash echo "echo \$HAtest > /var/log/g_command.txt;" >> /usr/local/bin/g_bash echo "\$CPDIR/bin/cprid_util -server \$1 putfile -local_file /var/log/g_command.txt -remote_file /var/log/g_command.txt;" >> /usr/local/bin/g_bash echo "\$CPDIR/bin/cprid_util -server \$1 -verbose rexec -rcmd /bin/bash -f /var/log/g_command.txt;" >> /usr/local/bin/g_bash echo "else" >> /usr/local/bin/g_bash echo "echo This is not a gateway IP. Use an IP of following list:;" >> /usr/local/bin/g_bash echo "more /var/log/g_gateway.txt" >> /usr/local/bin/g_bash echo "fi" >> /usr/local/bin/g_bash chmod 777 /usr/local/bin/g_bash echo '#!/bin/bash' > /usr/local/bin/g_cli echo "more $FWDIR/conf/objects.C |grep -A 20 -B 1 ':type (gateway)' | grep ipaddr | sed 's/^[ \t]*//' | sed 's/\:ipaddr (//' |sed 's/)//' > /var/log/g_gateway.txt" >> /usr/local/bin/g_cli echo 'HAtest="$2 $3 $4 $5 $6 $7 $8 $9"' >> /usr/local/bin/g_cli echo 'if grep -xq $1 /var/log/g_gateway.txt; then' >> /usr/local/bin/g_cli echo "echo \$HAtest > /var/log/g_command.txt;" >> /usr/local/bin/g_cli echo "\$CPDIR/bin/cprid_util -server \$1 putfile -local_file /var/log/g_command.txt -remote_file /var/log/g_command.txt;" >> /usr/local/bin/g_cli echo "\$CPDIR/bin/cprid_util -server \$1 -verbose rexec -rcmd /bin/clish -f /var/log/g_command.txt;" >> /usr/local/bin/g_cli echo "else" >> /usr/local/bin/g_cli echo "echo This is not a gateway IP. Use an IP of following list:;" >> /usr/local/bin/g_cli echo "more /var/log/g_gateway.txt" >> /usr/local/bin/g_cli echo "fi" >> /usr/local/bin/g_cli chmod 777 /usr/local/bin/g_cli   Command syntax: Command Description # g_show show all gateway IP addresses # g_bash <gateway IP> <command>  execute expert mode command on gateway # g_cli <gateway IP> <command> execute clish command on gateway An example! You want to see the configuration of the gateway with IP from the management. So you only have to enter the following command: Management# g_cli show configuration Now the command "show configuration" is executed on the gateway and the output is displayed on the management server. The same also works for the expert mode. For example: Management# g_bash cphaprob stat Show all gateway IP addresses. For example: Management# g_show Show all gateways configured in policy: Video tutorial: (view in My Videos)       Copyright by Heiko Ankenbrand 1996-2019

Announcement - Max Power 2020: Check Point Firewall Performance Optimization (Third Edition)

The third edition of the book Max Power 2020: Check Point Firewall Performance Optimization is now available. For more information including the FAQ and a CPX-related discount code, please visit the site Feel free to PM or email me with questions, but please be sure to read the FAQ in its entirety first.  Thanks!  

VoIP Issue and SMB Appliance (600/1000/1200/1400)

  Issue description: Many of our customers have reported the following issue in recent weeks. Telephone VoIP connections are terminated and can no longer be established. Issue debug: On the firewall you see a typical issue with the following message if you start: # fw ctl zdebug drop Issue message: fwconn_key_init_links (INBOUND) failed Solution: There are two different Servers on the SIP/RTP provider's side that take part in the process of establishing the SIP/RTP call: Server for SIP (Management and control) Server for RTP (Media and Voice Data) Make sure that the UDP high ports from the internal RTP VoIP telephone system to the provider RTP server on the RTP provider's side are dropped by the rule base on 600 / 1100 / 1200 / 1400 appliance: RTP rules: Create a service for the UDP high ports and use it in an incoming Accept rule, which also has to allow the RTP ports. Create a drop rule to block outgoing connections from the Internal RTP server (VoIP telephone system) to the provider's RTP server on high UDP ports SIP rule: Create an allow rule for incoming and outgoing SIP traffic on UDP port 5060   Example:   A similar description can be found in SK104082.   Regards, Heiko

Migrating cluster from old to new hardware

Hi,We are finally replacing our FW cluster with old UTM appliances for 5600 appliances. I would like to keep the same names in the policy, but since the interface names change I would like to know what the best way is to migrate to the new appliances with minimal outage.I was about to failover to HA -- move cables from the Primary appliance to the new 5600 Primary appliance,- migrate export of the policy. Then remove all references of the existing cluster from the policy and delete the whole cluster from the management server.- create a new cluster with initially 1 member (the new primary 5600) establish SIC and configure cluster with all new interfaces - Add cluster to the rules where the old cluster was removed- Remove cables from Old HA Firewall,while installing the policy to the new Primary- connect new 5600 HA and add to the cluster (and install policy)Any other (or better) recommendations for a smooth migration to the new hardware?Or can I just delete 1 cluster member and add the new hardware with different interface names to the cluster object?Many thanks.
Kevin_Orrison inside Enterprise Appliances and Gaia OS 2 weeks ago
views 578 17 1

Replace/Upgrade Cluster

I currently have two 4800s in a cluster on R80.10. I am looking to utilize the same cluster name/configuration and replace these gateways with two 6500s on R80.30. I just wanted to brain storm on the easiest way to accomplish this. Also, seems like this should be a common ask. Are there any Check Point guides for something like this?