Enterprise Appliances and Gaia OS

Have questions about Security Gateway Appliances, Gaia OS, CoreXL, SecureXL, or ClusterXL? This is where to ask them! This also includes legacy operating systems like SecurePlatform, IPSO, or XOS.

For Small Business Security appliances (600/700/1200R/1400/1500), see the SMB Appliances and SMP space.

Jan_Kleinhans inside Enterprise Appliances and Gaia OS 9 hours ago
views 9140 35 2

R80.20 MTU and SecureXL Problem

Hello, we have an Ethernet link (no VPN from Checkpoint) to a network where the MTU is 1422. If we set the MTU on the interface and disable SecureXL, the clients (with default MTU of 1500) get the ICMP Fragmentation packet and start to send packets with smaller MTU. When we reactivate SecureXL, the clients start to send 1500 byte packets again and do not get an ICMP Fragmentation packet from the firewall. We are using a Checkpoint 5600 cluster with R80.20 with latest HFA. Has anybody had the same problem?
Jan

ssh protocol with proxy

Hello, I have installed Check Point as a proxy server, and all users go to the internet through this proxy. I want to pass SSH traffic via the proxy for some users. How can I do it? I did it as shown in a screenshot, but it is still not working.

http security server port

Hi. How do you enable the http security server to listen on another port (default is 80)? I am trying to build a rule with service with resource and I don't think it's matching because the target web port is 8080. Using R80.20 gateway.
more $FWDIR/conf/fwauthd.conf
......
80 fwssd in.ahttpd wait -8

R80.30 3.10 Interface issues?

Has anyone had issues with interfaces flapping on R80.30 3.10?  I have two Intel x710 nic cards installed on an HPE G10, where the ports from one card are in bond1 and ports from the other are in bond2. I was running R80.20 3.10, where everything was functioning. I upgraded to .30 and my ports on bond2 started flapping.  I took the ports out of the bond and destroyed the PO on the switch, but the ports continue to flap. I’m hoping I’m missing something, but I’ve noticed weird things like the lacp-rate not honoring the clish setting (I set fast, but the bond shows slow), auto negotiate not honoring the clish setting (I set auto, ethtool says autoneg not supported), rx/tx ringsize not honoring the clish setting (I increased it, but ethtool still shows default) and the default multiqueue setting does not match for all ports (the working 10G ports have more CPU allocated than should be). I have a ticket open, but was curious if others have this issue.  I also installed JHF50 (ongoing take), but no dice.  I tried this on two boxes, same result. I noticed the i40e driver was upgraded when I went to .30 3.10, so I tried to use the older version from .20 3.10, but no luck. The driver seems OK based on internet searches, but Check Point documentation says the i40e driver is for 40G nics and not 10G. Maybe the driver should be the ixgbe driver, but 80.20 3.10 also used the i40e driver. Thoughts?

Replace/Upgrade Cluster

I currently have two 4800s in a cluster on R80.10. I am looking to utilize the same cluster name/configuration and replace these gateways with two 6500s on R80.30. I just wanted to brainstorm on the easiest way to accomplish this. Also, it seems like this should be a common ask. Are there any Check Point guides for something like this?

Traffic not accelerated by Secure XL

Hi, I have been dealing with the secure XL for a while and cannot have the traffic accelerated as you can see the output below. The problem is the CPUs are going over %95 during day time and I think the reason is the secure XL not handling traffic as expected as everything is going through the slow path. I have been through many topics here and I will put the outputs you may ask. Just a brief information of the firewall, working with ClusterXL, 8 cpu (2 SND, 6 workers), OPEN SERVER (I'm not sure if this could be any issue). This is an external firewall, having DMZ, vpn and internet traffic of users and servers and more as you can think.
# fwaccel stats -s
Accelerated conns/Total conns : 14/79668 (0%)
Accelerated pkts/Total pkts   : 370720/214400236 (0%)
F2Fed pkts/Total pkts   : 211158051/214400236 (98%)
PXL pkts/Total pkts   : 2871465/214400236 (1%)
QXL pkts/Total pkts   : 0/214400236 (0%)
# fwaccel conns -s
There are 211889 connections in SecureXL connections table
The template number is so low.
# fwaccel templates -s
There are 48 templates in SecureXL templates table
# fwaccel stat
Accelerator Status : on
Accept Templates   : disabled by Firewall
                     Layer CL-EXT Security disables template offloads from rule #xxx ( just above the last rule)
                     Throughput acceleration still enabled.
Drop Templates     : enabled
NAT Templates      : disabled by Firewall
                     Layer CL-EXT Security disables template offloads from rule xxx ( just above the last rule)
                     Throughput acceleration still enabled.
NMR Templates      : enabled
NMT Templates      : enabled
I downloaded the fwaccel conns table and when investigated we see that most of traffic is about these 4 sources with 1 destination address (exchange related F5 traffic) as nearly 1/3 of the whole table is this connection.
Source  Destination  DPort  PR  Flags           C2S i/f  S2C i/f  Inst
A       X            443    6   F..A...S......  40/32    32/40
B       X            443    6   F..A...S......  40/32    32/40
B       X            443    6   F..A...S......  40/32    32/40
C       X            443    6   F..A...S......  40/32    32/40
A       X            443    6   F..A...S......  40/32    32/40
D       X            443    6   F..A...S......  40/32    32/40
C       X            443    6   F..A...S......  40/32    32/40
D       X            443    6   F..A...S......  40/32    32/40
C       X            443    6   F..A...S......  40/32    32/40
B       X            443    6   F..A...S......  40/32    32/40
B       X            443    6   F..A...S......  40/32    32/40
D       X            443    6   F..A...S......  40/32    32/40
A       X            443    6   F..A...S......  40/32    32/40
C       X            443    6   F..A...S......  40/32    32/40
D       X            443    6   F..A...S......  40/32    32/40
C       X            443    6   F..A...S......  40/32    32/40
B       X            443    6   F..A...S......  40/32    32/40
C       X            443    6   F..A...S......  40/32    32/40
A       X            443    6   F..A...S......  40/32    32/40
B       X            443    6   F..A...S......  40/32    32/40
A       X            443    6   F..A...S......  40/32    32/40
B       X            443    6   F..A...S......  40/32    32/40
B       X            443    6   F..A...S......  40/32    32/40
A       X            443    6   F..A...S......  40/32    32/40
D       X            443    6   F..A...S......  40/32    32/40
D       X            443    6   F..A...S......  40/32    32/40
A       X            443    6   F..A...S......  40/32    32/40
B       X            443    6   F..A...S......  40/32    32/40
D       X            443    6   F..A...S......  40/32    32/40
My question is, how come this traffic isn't accelerated?
Thank you

TACACS+ Authentication-Failure:Only TACACS+ Users can do enable (r80.10/r80.20)

Already preparing to open an SR for this but wanted to post my issue to see if anyone else has run into this when using TACACS for Authentication on the Gateways. No issues authenticating the first time, get my MFA prompt and all is well. Then comes my attempt to elevate privilege:
:TACP-0> tacacs_enable TACP-15
Failure: Only TACACS+ users can do enable
Figured it was worth a shot to see if anyone else has seen this issue while I get all of the necessary information to Checkpoint for further investigation.

Hardware for home-lab

Hi, I want to run R80.30 in my home lab and get all R80 features. Management will run on another remote server. What are you using? I am thinking of running Gaia on a NUC or other small PC and run VMware, or should I get a 1430 firewall? Any recommendations?

reset user admin r80.10

Good morning group, I have a problem. I found the following sk163461 to be able to reset the admin psw since my client forgot it and it was not documented, only that at the time of mounting live centers I do not appear options. Can someone help me?
HeikoAnkenbrand inside Enterprise Appliances and Gaia OS Thursday
views 301799 219 331

R80.x Ports Used for Communication by Various Check Point Modules

Introduction
This drawing should give you an overview of the used R80 and R77 ports respectively communication flows. It should give you an overview of how different Check Point modules communicate with each other. Furthermore, services that are used for firewall operation are also considered. These firewall services are also partially mapped as implied rules in the set on the firewall.
Overview
Chapter
More interesting articles:
- R80.x Architecture and Performance Tuning - Link Collection
- Article list (Heiko Ankenbrand)
References
Support Center: Ports used by Check Point software
Versions
+ v1.5a typos corrected 18.09.2019
old version 1.4:
+ v1.4a bug fix, update port 1701 udp L2TP 09.04.2018
+ v1.4b bug fix 15.04.2018
+ v1.4c CPUSE update 17.04.2018
+ v1.4d legend fixed 17.04.2018
+ v1.4e add SmartLog and SmartView on port 443 20.04.2018
+ v1.4f bug fix 21.05.2018
+ v1.4g bug fix 25.05.2018
+ v1.4h add Backup ports 21, 22, 69 UDP and ClusterXL full sync port 256 30.05.2018
+ v1.4i add port 259 udp VPN link probing 12.06.2018
+ v1.4j bug fix 17.06.2018
+ v1.4k add OSPF/BGP route Sync 25.06.2018
+ v1.4l bug fix routed 29.06.2018
+ v1.4m bug fix tcp/udp ports 03.07.2018
+ v1.4n add port 256 13.07.2018
+ v1.4o bug fix / add TE ports 27.11.2018
+ v1.4p bug fix routed port 2010 23.01.2019
+ v1.4q change to new forum format 16.03.2019
old version 1.3:
+ v1.3a new design (blue, gray), bug fix, add netflow, new names 27.03.2018
+ v1.3b add routing ports, bug fix design 28.03.2018
+ v1.3c bug fix, rename ports (old) 29.03.2018
+ v1.3d bug fix 30.03.2018
+ v1.3e fix issue L2TP UDP port 1701
old version 1.1:
+ v1.1a - added r80.xx ports 16.03.2018
+ v1.1b - bug in drawing fixed 17.03.2018
+ v1.1c - add RSA, TACACS, Radius 19.03.2018
+ v1.1d - add 900, 259 Client-auth - deleted od 4.0 ports 20.03.2018
+ v1.1e - add OPSEC - delete R55 ports 21.03.2018
+ v1.1f - bug fix 22.03.2018
+ v1.1g - bug fix - add mail smtp - add dhcp - add snmp 25.03.2018
Copyright by Heiko Ankenbrand 1994-2019

2 Factor authentication on GAIA?

Can we implement 2 Factor authentication on GAIA?
S_E_ inside Enterprise Appliances and Gaia OS Thursday
views 1698 6

How to identify transceiver / SFP+ adapter?

Hi, I'm looking for a command to identify if a SFP+ adapter has been inserted and if, which one. E.g. 5xxx / 15xxx series appliance.
The "show asset all" does not really help:
Number of line cards: 1
Line card 1 type: 2 ports 10GbE SFP+ Rev 2.0
Something like this (guess the vendor) would be great:
"show interface ethernet 1/1 transceiver"
dmesg command does not really help either.
Any ideas?
Regards,

Restore snapshot from USB drive via CLI

Trying to restore a R80.30 snapshot image (stored on USB) via CLI.
I have completed the following to mount the USB drive:
mkdir /mnt/usb
modprobe usb-storage
dmesg
mount /dev/sdb1 /mnt/usb
cd /mnt/usb
ls
Snapshot image is named 80_30.tar.
Then ran the following to import the image and revert:
set snapshot import 80_30.tar path /mnt/usb/ name 80_30
set snapshot revert 80_30
After issuing the revert command, nothing seems to happen. There are no on-screen messages or progress bars.
Tried viewing snapshots using show snapshots but that returns nothing.
Any help here would be appreciated.

DNS error affecting CP updates

Hello all. My second question here. Hopefully I will supply all the necessary information.
My organisation has a ClusterXL HA pair of 5900 appliances running R80.20 Jumbo HF take 118. I have noticed on SmartConsole Gateways & Servers that the standby node is showing an error. Looking at the Device Status of the node, the IPS, Anti-Bot & Anti-Virus blades are displaying 'Error: Update failed. Contract entitlement check failed. Could not reach"". Check DNS and Proxy configuration on the gateway'.
I have connected via SSH to both nodes in the cluster and verified that I can ping external and internal endpoints from both nodes. I entered Expert mode on both nodes and ran dig against a known internal and external domain name. This was successful on the active node but failed on the problematic standby node with 'connection timed out; no servers could be reached'.
I power cycled the standby node this morning. I am now seeing Connection Alerts in the SmartConsole log for DNS queries originating from the problematic gateway. The reason is 'Firewall - Domain resolving error. Check DNS configuration on the gateway (0)'. We are not using domain objects.
Both HA nodes have identical NAT and policy.
I have reviewed DNS Error Message but it does not appear relevant.
It may be unrelated, but there is a noticeable delay between entering the username and the password prompt appearing when accessing the problematic node via ssh.
I'm wondering what else I can test before pushing the issue out to TAC.
Thanks,
Andy

Enabled SecureXL means no traffic

Hi there, has anyone had a problem with SecureXL after upgrading from R80.10 to R80.20?
At the beginning I thought that it might be a problem with NAT Templates, as they are disabled on 80.10 and enabled on 80.20, but it's not. I've turned them off and the issue persists.
Frankly speaking I don't understand what is going on. FW.log shows everything is fine, rules are applied and working, but physically there is no internet communication.
And here comes the miracle: when I turn off SecureXL everything goes as it should.
I have already opened a Technical Assistance Case, but it looks like they suck more than I do (except one wonderful woman with whom we found that SecureXL is an issue). So I decided to ask here, have you guys faced such a crazy issue?
Regards
Arek