Introduction This drawing should give you an overview of the used R80 and R77 ports respectively communication flows. It should give you an overview of how different Check Point modules communicate with each other. Furthermore, services that are used for firewall operation are also considered. These firewall services are also partially mapped as implied rules in the set on the firewall. Overview Chapter More interesting articles: - R80.x Architecture and Performance Tuning - Link Collection- Article list (Heiko Ankenbrand) References Support Center: Ports used by Check Point software  Versions   +v1.5a typos corrected 18.09.2019 old version 1.4:+ v1.4a bug fix, update port 1701 udp L2TP 09.04.2018+ v1.4b bug fix 15.04.2018+ v1.4c CPUSE update 17.04.2018+ v1.4d legend fixed 17.04.2018+ v1.4e add SmartLog and SmartView on port 443 20.04.2018+ v1.4f bug fix 21.05.2018+ v1.4g bug fix 25.05.2018+ v1.4h add Backup ports 21, 22, 69 UDP and ClusterXL full sync port 256  30.05.2018+ v1.4i add port 259 udp VPN link probeing 12.06.2018+ v1.4j bug fix 17.06.2018+ v1.4k add  OSPF/BGP route Sync 25.06.2018+ v1.4l bug fix routed 29.06.2018+ v1.4m bug fix tcp/udp ports 03.07.2018+ v1.4n add port 256 13.07.2018+ v1.4o bug fix / add TE ports 27.11.2018+ v1.4p bug fix routed port 2010 23.01.2019+ v1.4q change to new forum format 16.03.2019 old version 1.3:+ v1.3a new designe (blue, gray), bug fix, add netflow, new names 27.03.2018+ v1.3b add routing ports, bug fix designe 28.03.2018+ v1.3c bug fix, rename ports (old) 29.03.2018+ v1.3d bug fix 30.03.2018+ v1.3e fix issue L2TP UDP port 1701 old version 1.1:+ v1.1a - added r80.xx ports 16.03.2018+ v1.1b - bug in drawing fixed 17.03.2018+ v1.1c - add RSA, TACACS, Radius 19.03.2018+ v1.1d - add 900, 259 Client-auth - deleted od 4.0 ports 20.03.2018+ v1.1e - add OPSEC -delete R55 ports 21.03.2018+ v1.1f - bug fix 22.03.2018+ v1.1g - bug fix - add mail smtp -add dhcp - add snmp 25.03.2018 Copyright by Heiko Ankenbrand  1994-2019    

🏆 Code Hub Contribution of the Year 2019!👍 Endorsed by Check Point Support! One-liner (Bash) to show a summary about each gateway interfaces' calculated topology and address spoofing setting.In expert mode run: echo; tput bold; if [[ `$CPDIR/bin/cpprod_util FwIsFirewallModule 2>/dev/null` != *'1'* ]]; then echo ' Not a firewall gateway!'; tput sgr0; echo; elif [[ `grep $(grep $(hostname) /etc/hosts | cut -f1 -d' ') $FWDIR/state/local/FW1/local.set | wc -l` == "0" ]]; then echo ' Main IP of '$(hostname)' doesn`t match it`s management interface IP!'; tput sgr0; echo; else echo -n ' Interface Topology '; tput sgr0; echo -n '> '; tput bold; tput setaf 1; if [[ -n "$vsname" ]] && [[ $vsname != *'unavail'* ]]; then echo $vsname' (ID: '$INSTANCE_VSID')'; else hostname; fi; tput sgr0; echo -n ' '; printf '%.s-' {1..80}; echo; egrep -B1 $'ifindex|:ipaddr|\(\x22<[0-9]|objtype|has_addr_info|:monitor_only|:external' $FWDIR/state/local/FW1/local.set | sed -n "/$(if [[ -n "$vsname" ]] && [[ $vsname != *'unavail'* ]] && [[ $INSTANCE_VSID != '0' ]]; then echo $vsname; else grep `hostname` /etc/hosts | cut -f1 -d' '; fi)*$/,\$ p" | tail -n +3 | sed 's/[\x22\t()<>]//g' | sed 's/--//g' | sed '$!N;s/\n:ipaddr6/ IPv6/;P;D' | sed '/IPv6/!s/://g' | sed 's/interface_topology/\tCalculated Interface Topology/g' | sed '0,/ifindex 0/{/ifindex 0/d;}' | sed '/ifindex 0/q' | sed '/spoof\|scan/d' | sed 's/has_addr_info true/\tAddress Spoofing Protection: Enabled/g' | sed 's/has_addr_info false/\tAddress Spoofing Protection: Disabled/g' | sed -e '/Prot/{n;d}' | sed '$!N;s/\nmonitor_only true/ (Detect Mode)/;P;D' | sed '$!N;s/\nmonitor_only false/ (Prevent Mode)/;P;D' | sed '$!N;s/\nexternal false/ - Internal Interface/;P;D' | sed '$!N;s/\nexternal true/ - External Interface/;P;D' | sed '/objtype/q' | tac | sed '/ifindex 0/I,+2 d' | sed '/Address/,$!d' | tac | sed '/ifindex/d' | sed 's/,/ -/g' | sed '$!N;s/\nipaddr/ >/;P;D' | sed '/ - /s/^ /\t/' | egrep -C 9999 --color=auto $'>|IPv6|External|Disabled|Detect'; echo; fi The One-liner is IPv4 and IPv6 compatible, works on clustered and single gateway environments also within VSX, shows all interface types configured in your firewall object within SmartDashboad, colors specific words of the output for easier identification of important settings, adds additional information regarding Address Spoofing setting and mode as well as the topology type of each interface and is of course completely integrated within our ccc script. Thanks to Tim Hall's preliminary work in this thread.Thanks to Norbert Bohusch for IPv6 support and testing.Thanks to Kaspars Zibarts & Bob Zimmerman for VSX support and testing.Thanks to Anthony Joubaire for support and testing multiple installation targets. -- More one-liners -- One-liner to show VPN topology on gatewaysOne-liner to show Geo Policy on gatewaysFW Monitor SuperTool

"fw ctl zdebug" is a powertool that is not exhausted from being used with "fw ctl zdebug drop". There is not much to be found in Check Point KB or in the documentation. "fw ctl zdebug" is an R&D tool for testing software in development. Therefore, the insert should be used with care. It starts a debugging in the background until it is aborted with CTRL+C. On productive systems it can have a high performance impact. Furthermore, the debug buffer is not the largest.     What happens when you execute! It is a macro that executes the following commands:   fw ctl debug -buf 1024fw ctl debug [The option behind "fw ctl zdebug"]fw ctl kdebug -f       [Wait until CTRL+C is pressed]fw ctl debug 0   Node: A current list with kernel debug flags can be found here. Kernel Debug Flags R80.10 Kernel Debug Flags R77  Here are some good examples for debugging:   fw ctl zdebug + packetfw ctl zdebug + packet | grep -B 1 TCP |grep -B 1 "(SYN)"      <<< change SYN-ACK,ACK,FIN,... and/or UDP,TCP...fw ctl zdebug + all |grep -A 1 "Monitor" | grep "1.1.1.1"            <<< change IP addressfw ctl zdebug + all |grep -A 2 "Monitor"fw ctl zdebug + sync                     fw ctl zdebug + conn |grep "After  VM:" |grep "(SYN)"fw ctl zdebug + xlatefw ctl zdebug + monitorall                                                     <<< use with host IP "| grep 1.1.1.1" or network range "| grep 1.1."fw ctl zdebug + monitor                                                            <<< use with host IP "| grep 1.1.1.1" or network range "| grep 1.1."fw ctl zdebug + filter conn | grep -A 8 "rule 1"                          <<< change rule number - show connetions to rule xyzfw ctl zdebug + filter monitor  | grep -A 8 "rule 2"                     <<< change rule number - show connetions to rule xyz     Attention, if you turn on debugging, this will affect the performance of the firewall.   Regards, Heiko

Introduction This overview gives you an view of the changes in R80.20 fw monitor. All R80.10 and R80.20 changes are contained in this command overview (cheat sheet). You could download the cheat sheet at the end of this article as a PDF file. Unfortunately not all information for R80.20 is included in SK30583 "What is FW Monitor?". Therefore this small overview with the changes. I hope it helps you. Cheat Sheet Chapter Architecture:R80.x Security Gateway Architecture (Logical Packet Flow)R80.x Security Gateway Architecture (Content Inspection) R80.x Security Gateway Architecture (Acceleration Card Offloading) R80.x Ports Used for Communication by Various Check Point Modules  Performance Tuning:R80.x Performance Tuning Tip - AES-NI R80.x Performance Tuning Tip - SMT (Hyper Threading) R80.x Performance Tuning Tip - Multi Queue R80.x Performance Tuning Tip - Connection Table R80.x Performance Tuning Tip - fw monitorR80.x Performance Tuning Tip - TCPDUMP vs. CPPCAP R80.x Performance Tuning Tip – DDoS „fw sam“ vs. „fwaccel dos“  Cheat Sheet:R80.x cheat sheet - fw monitor R80.x cheat sheet - ClusterXL  More interesting articles:Article list (Heiko Ankenbrand)

This CLI command shows you the address spoofing networks as list and the IP settings per interface. Type this command on security gateway.   Last version  - command:   ifconfig -a |grep -B 1 inet |grep encap| awk '{print $1}' | grep -v lo | grep -v ":" | grep -v ^lo | xargs -I % sh -c 'echo %;echo -n " VIP "; cphaprob -a if |grep %|grep -v U|grep -v D | cut -c16-| tr -d "\r\n" ;echo;echo -n " IP ";ifconfig % | grep "inet addr" | cut -d ":" -f 2 | cut -d " " -f 1;echo -n " Mask " ;ifconfig % | sed -rn "2s/ .*:(.*)$/\1/p";echo -en " ANTISPOOFING ENABLED:\t";more $FWDIR/state/local/FW1/local.set |grep -A 30 % | grep has_addr_info | cut -c17- | tr \) " " |sort -ng| uniq ; echo -en " ANTISPOOFING MODE:\t"; if [ `more $FWDIR/state/local/FW1/local.set |grep -A 30 % | grep monitor_only | cut -c16- | tr \) " " |sort -ng| uniq| grep -o false` ]; then echo "PREVENT"; else echo "DETECT"; fi; echo -en " ANTISPOOFING TOPO:\t"; if [ `more $FWDIR/state/local/FW1/local.set |grep -A 30 % | grep external | cut -c12- | tr \) " " |sort -ng| uniq| grep -o true` ]; then echo "External"; else echo "Internal"; fi;echo " ADDRESS SPOOFING NETWORKS:";more $FWDIR/state/local/FW1/local.set | grep -A 30 %|grep ": (\""|sort -ng| uniq |tr \(\)\<\>\:\" \ ;echo " "'   Now you can see the states of: - ANTISPOOFING ENABLED - ANTISPOOFING MODE - ANTISPOOFING TOPO       Old versions:   27.06.2018 change "|grep -o false" issue and add TOPO ifconfig -a |grep -B 1 inet |grep encap| awk '{print $1}' | grep -v lo | grep -v ":" | grep -v ^lo | xargs -I % sh -c 'echo %;echo -n " VIP "; cphaprob -a if |grep %|grep -v U|grep -v D | cut -c16-| tr -d "\r\n" ;echo;echo -n " IP ";ifconfig % | grep "inet addr" | cut -d ":" -f 2 | cut -d " " -f 1;echo -n " Mask " ;ifconfig % | sed -rn "2s/ .*:(.*)$/\1/p";echo -en " ANTISPOOFING ENABLED:\t";more $FWDIR/state/local/FW1/local.set |grep -A 30 % | grep has_addr_info | cut -c17- | tr \) " " |sort -ng| uniq ; echo -en " ANTISPOOFING MODE:\t"; if [ `more $FWDIR/state/local/FW1/local.set |grep -A 30 % | grep monitor_only | cut -c16- | tr \) " " |sort -ng| uniq` ]; then echo "PREVENT"; else echo "DETECT"; fi;echo " ADDRESS SPOOFING NETWORKS:";more $FWDIR/state/local/FW1/local.set | grep -A 30 %|grep ": (\""|sort -ng| uniq |tr \(\)\<\>\:\" \ ;echo " "'

R80.20 - fw monitor Tip 1 SecureXL has been significantly revised in R80.20. It now works in user space. This has also led to some changes in "fw monitor". Since R80.20  "fw monitor" is able to show the traffic accelerated with SecureXL. Thus it is possible to see SecureXL (provide more performance) modules in fw monitor chain. For more informations revert to "SecureXL offloading chain modules" in this article. Now you can see that SecureXL is used, which increases the performance of the firewall.SecureXL "fwaccel off" does not have to be disabled on R80.20 to run "fw monitor". This is good for performance, so "fw monitor" does not affect performance any more. # fwaccel off                                      > no longer necessary in R80.20 and above # fw monitor -e "accept(...);" R77.30 and R80.10 - fw monitor On R77.30 and R80.10 only disabling SecureXL allows to see the complete connection in fw monitor, which may be required for troubleshooting purposes or revert to "How to disable SecureXL for specific IP addresses". # fwaccel off                             # fw monitor -e "accept(...);" Chapter More interesting articles: - R80.x Architecture and Performance Tuning - Link Collection- Article list (Heiko Ankenbrand) New fw monitor inspection points in R80.20 Tip 2 Furthermore there are new fw monitor inspection points available: Inspection point Name of fw monitor inspection point Relation to firewall VM Available since version i Pre-Inbound Before the inbound FireWall VM                            (for example, eth1:i) always I Post-Inbound After the inbound FireWall VM                               (for example, eth1:I) always id Pre-Inbound VPN Inbound before decrypt                                          (for example, eth1:id) R80.20 iD Post-Inbound VPN Inbound after decrypt                                             (for example, eth1:ID) R80.20 iq Pre-Inbound QoS Inbound before QoS                                               (for example, eth1:iq) R80.20 iQ Post-Inbound QoS Inbound after QoS                                                  (for example, eth1:IQ) R80.20 o Pre-Outbound Before the outbound FireWall VM                           (for example, eth1:o) always O Post-Outbound After the outbound FireWall VM                              (for example, eth1:O) always e oe Pre-Outbound VPN* Outbound before encrypt                                        (for example, eth1:e)    in R80.10                                                                                 (for example, eth1:oe)  in R80.20 R80.10 R80.20 E OE Post-Outbound VPN* Outbound after encrypt                                           (for example, eth1:E)    in R80.10                                                                                 (for example, eth1:OE)  in R80.20 R80.10 R80.20 oq Pre-Outbound QoS Outbound before QoS                                             (for example, eth1:oq) R80.20 oQ Post-Outbound QoS Outbound after QoS                                                (for example, eth1:OQ) R80.20 * The fw monitor inspection point is different in R80.10 ("e" or "E") and R80.20 ("oe" and "OE") For more information, see sk30583, fw monitor or How to use FW Monitor. SecureXL offloading chain modules Tip 3 Like I said SecureXL has been significantly revised in R80.20. It now works in user space. This has also led to some changes in "fw monitor" There are new fw monitor chain (SecureXL) objects that do not run in the virtual machine. # fw ctl chain  The new fw monitor chain modules (SecureXL) do not run in the virtual machine (vm).SecureXL inbound (sxl_in)                 > Packet received in SecureXL from networkSecureXL inbound CT (sxl_ct)           > Accelerated packets moved from inbound to outbound processing (post routing)SecureXL outbound (sxl_out)            > Accelerated packet starts outbound processingSecureXL deliver (sxl_deliver)          > SecureXL transmits accelerated packet New VM chain modules in R80.20 Tip 4 There are more new chain modules in R80.20 vpn before offload (vpn_in)                  > FW inbound preparing the tunnel for offloading the packet (along with the connection)fw offload inbound (offload_in)            > FW inbound that perform the offloadfw post VM inbound  (post_vm)            > Packet was not offloaded (slow path) - continue processing in FW inbound # fw ctl chain  New fw monitor chain key (00000000) Tip 5 In Firewall kernel (now also SecureXL), each kernel is associated with a key (red) witch specifies the type of traffic applicable to the chain modul.  # fw ctl chain  Key Function ffffffff IP Option Stip/Restore 00000001 new processed flows 00000002 wire mode 00000003 will applied to all ciphered traffic (VPN) 00000000 SecureXL offloading (new in R80.20+)   References R&D meeting Israel Copyright by Heiko Ankenbrand  1994-2019

You can find many models in the article sk37692.  I have added my list of the last 20 years, which might not be found in the SK. If you have other dmi codes, I would be happy if you could add them.   Here are the commands to display the models:SPLAT:# dmiparse System ProductIPSO:# ipsctl -a | grep modelname > show asset hardwareGAIA:> show asset system# dmiparse System Product> system_info System Information # /usr/sbin/dmidecode |grep "Product Name" DMI-List: Appliance UTM-1 U-40-00                        UTM-1 3070 Appliance U-30-00                        UTM-1 2070 Appliance U-20-00                        UTM-1 1070 Appliance U-15-00                        UTM-1 570 Appliance U-15-01                        UTM-1 570 Appliance U-10-00                        UTM-1 270 Appliance U-5-00                          UTM-1 130 Appliance T-180-00                       UTM-1 4800 T-160-00                       UTM-1 4600 T-140-00                       UTM-1 4400 T-120-00                       UTM-1 4200 2012 Appliance T-110-00                       UTM-1 2200 2012 Appliance C6P_UTM                      UTM-1 2050 Appliance C6_UTM                        UTM-1 1050 Appliance C2_UTM                        UTM-1 450 Appliance Appliance 2012 G-50                             Appliance 21400 G-70                             Appliance 21600 G-72                             Appliance 21700 G-75                             Appliance 21800 P-380-00                      Appliance 13800         P-370-00                      Appliance 13500 P-231-00                      Appliance 12600 P-230-00                      Appliance 12600 P-220-00                      Appliance 12400 P-210-00                      Appliance 12200 Appliance PB-05-00                     Appliance 3100 PB-10-00                     Appliance 3200 PB-15-00                     Appliance 5100 PB-20-00                     Appliance 5200 PL-10-00                     Appliance 5400 PL-20-00                     Appliance 5600 PL-30-00                     Appliance 5800 PL-40-00                     Appliance 5900 PH-20-00                    Appliance 15400 PH-30-00                    Appliance 15600 PD-10-00                    Appliance 23500 PD-20-00                    Appliance 23800 Power-1 P-30-00                       Power-1 11000 P-20-00                       Power-1 9070 Appliance P-10-00                       Power-1 5075 Appliance P-10-00                       Power-1 5070 Appliance Smart-1 S-10-00                        Smart-1 5 S-20-00                        Smart-1 25 S-21-00                        Smart-1 25B S-30-00                        Smart-1 50 S-40-00                        Smart-1 150 ST-5-00                        Smart-1 205 ST-10-00                      Smart-1 210 ST-25-00                      Smart-1 225 ST-50-00                      Smart-1 3050 ST-150-00                    Smart-1 3150 U-40-00                        Smart-1 3070 ST-105-00                    Smart-1 405 ST-110-00                     Smart-1 410 ST-425-00                     Smart-1 525 ST-4050-00                   Smart-1 5050 ST-4150-00                   Smart-1 5150 TE T-181-00                       TE250 P-231-00                       TE1000 P-371-00                       TE2000 TT-10-00                       TE100X TT-20-00                       TE250X TT-30-00                       TE1000X TT-40-00                       TE2000X IPS U-31-00                         IPS-1 2076 P-11-00                          IPS-1 5076 P-21-00                          IPS-1 9076 DLP P-22-00                          DLP-1 9571 U-42-00                          DLP-1 2571 41K/ 44K/ 61K /64K A-20                              SGM-220 - 41K/ 61K A-40                              SGM-240 - 41K/ 61K A-60                              SGM-260 - 41K/ 61K IP (Nokia) Elephant                          IP150 Kenai                               IP280 Kenai                               IP290 Trooper                           IP380 Hoplite                             IP390 Caesar                            IP530 Gladiator                          IP560 Janus                               IP690 Phalanx                            IP1280 Phalanx                            IP2450 Connectra             P-20-00                            Connectra 9070 U-40-00                            Connectra 3070 U-10-00                            Connectra 270 SMB L-50                                 Security Gateway 80 L-50                                 Check Point 600 S2 (SMB)                         Check Point 700 L-50                                 Check Point 1100 L-61i                                Check Point 1200R S1 (Enterprise)                 Check Point 1430 / 1450 S2 (Enterprise)                 Check Point 1470 / 1490 L-71                                 Check Point 1430/1450 L-71W                              Check Point 1430/1450 WiFiL-72                                 Check Point 1470/1490 L-72W                              Check Point 1470/1490 WiFi L-72P                               Check Point 1470/1490 PoE Univerge SA-UW1 (OS)                   UNIVERGE UnifiedWall 1000     Regards, Heiko

What is Multi Queue?   It is an acceleration feature that lets you assign more than one packet queue and CPU to an interface. When most of the traffic is accelerated by the SecureXL, the CPU load from the CoreXL SND instances can be very high, while the CPU load from the CoreXL FW instances can be very low. This is an inefficient utilization of CPU capacity. By default, the number of CPU cores allocated to CoreXL SND instances is limited by the number of network interfaces that handle the traffic. Because each interface has one traffic queue, only one CPU core can handle each traffic queue at a time. This means that each CoreXL SND instance can use only one CPU core at a time for each network interface. Check Point Multi-Queue lets you configure more than one traffic queue for each network interface. For each interface, you can use more than one CPU core (that runs CoreXL SND) for traffic acceleration. This balances the load efficiently between the CPU cores that run the CoreXL SND instances and the CPU cores that run CoreXL FW instances. Important - Multi-Queue applies only if SecureXL is enabled. Chapter More interesting articles: - R80.x Architecture and Performance Tuning - Link Collection- Article list (Heiko Ankenbrand) Multi-Queue Requirements and Limitations Tip 1 Multi-Queue is not supported on computers with one CPU core. Network interfaces must use the driver that supports Multi-Queue. Only network cards that use the igb (1Gb), ixgbe (10Gb), i40e (40Gb), or mlx5_core (40Gb) drivers support the Multi-Queue. You can configure a maximum of five interfaces with Multi-Queue. You must reboot the Security Gateway after all changes in the Multi-Queue configuration.       For best performance, it is not recommended to assign both SND and a CoreXL FW instance to the same CPU core. Do not change the IRQ affinity of queues manually. Changing the IRQ affinity of the queues manually can adversely affect performance. Multi-Queue is relevant only if SecureXL and CoreXL is enabled. Do not change the IRQ affinity of queues manually. Changing the IRQ affinity of the queues manually can adversely affect performance. You cannot use the “sim affinity” or the  “fw ctl affinity” commands to change and query the IRQ affinity of the Multi-Queue interfaces. The number of queues is limited by the number of CPU cores and the type of interface driver: Network card driver Speed Maximal number of RX queues igb 1 Gb 4 ixgbe 10 Gb 16 i40e 40 Gb 14 mlx5_core 40 Gb 10      The maximum RX queues limit dictates the largest number of SND/IRQ instances that can empty packet buffers for an individual interface using that driver that has Multi-Queue enabled.  Multi-Queue does not work on 3200 / 5000 / 15000 / 23000 appliances in the following scenario (sk114625) MQ is enabled for on-board interfaces (e.g., Mgmt, Sync) the number of active RX queues was set to either 3 or 4 (with cpmq set rx_num igb <number> command) This problem was fixed in: Check Point R80.10 Jumbo Hotfix Accumulator for R77.30 - since Take_198 The number of traffic queues is limited by the number of CPU cores and the type of network interface card driver.The on-board interfaces on these appliances use the igb driver, which supports up to 4 RX queues.However, the I211 controller on these on-board interfaces supports only up to 2 RX queues. When Multi-Queue will not help Tip 2 When most of the processing is done in CoreXL - either in the Medium path, or in the Firewall path (Slow path). All current CoreXL FW instances are highly loaded, so there are no CPU cores that can be reassigned to SecureXL. When IPS, or other deep inspection Software Blades are heavily used. When all network interface cards are processing the same amount of traffic. When all CPU cores that are currently used by SecureXL are congested. When trying to increase traffic session rate. When there is not enough diversity of traffic flows. In the extreme case of a single flow, for example, traffic will be handled only by a single CPU core. (Clarification: The more traffic is passing to/from different ports/IP addresses, the more you benefit from Multi-Queue. If there is a single traffic flow from a single Client to a single Server, then Multi-Queue will not help.) Multi-Queue is recommended Load on CPU cores that run as SND is high (idle < 20%). Load on CPU cores that run CoreXL FW instances is low (idle > 50%). There are no CPU cores left to be assigned to the SND by changing interface affinity. Multi-Queue support on Appliance vs. Open Server Gateway type Network interfaces that support the Multi-Queue Check Point Appliance MQ is supported on all applications that use the following drivers igb, ixgbe, i40e, mlx5_core. These expansion line cards for 4000, 12000, and 21000 appliances support the Multi-Queue: CPAC-ACC-4-1C CPAC-ACC-4-1F CPAC-ACC-8-1C CPAC-ACC-2-10F CPAC-ACC-4-10F This expansion line card for 5000, 13000, and 23000 appliances supports the Multi-Queue: ·         CPAC-2-40F-B Open Server Network cards that use igb (1Gb), ixgbe (10Gb), i40e (40Gb), or mlx5_core (40Gb) drivers support the Multi-Queue.     Multi-Queue support on Open Server (Intel Network Cards) Tip 3   The following list shows an overview with all Intel cards from Check Point HCL for open server from 11/21/2018.   The list is cross-referenced to the Intel drivers. I do not assume any liability for the correctness of the information. These lists should only be used to help you find the right drivers. It is not an official document of Check Point!   So please always read the official documents of Check Point.  Intel network card Ports Chipset PCI ID Driver PCI Speed MQ 10 Gigabit AT 1 82598EB 8086:25e7 ixgbe PCI-E 10G  Copper yes 10 Gigabit CX4 2 82598EB 8086:10ec ixgbe PCI-E 10G Copper yes 10 Gigabit XF family (Dual and Single Port models, SR and LR) 2 82598 8086:10c6 Ixgbe PCI-E 10G Fiber yes Ethernet Converged Network Adapter X540-T2 2 X540 8086:1528 ixgbe PCI-E 100/1G/10GCopper yes Ethernet Server Adapter I340-T2 2 82580 - Igb PCI-E 10/100/1GCopper yes Ethernet Server Adapter I340-T4 2 82580 - Igb PCI-E 10/100/1G Copper yes Ethernet Server Adapter X520 X520-SR2, X520-SR1, X520-LR1, X520-DA2 2 X520 - ixgbe PCI-E 10G Fiber yes Gigabit VT Quad Port Server Adapter 4 82575GB 8086:10d6 igb PCI-E 10/100/1G Copper yes Intel Gigabit ET2 Quad Port Server Adapter 4   - igb PCI-E 1G Copper yes PRO/10GbE CX4 1 82597EX 8086:109e Ixgb PCI-X 10G Copper no PRO/10GbE LR 1 82597EX 8086:1b48 Ixgb PCI-X 10G Fiber no PRO/10GbE SR 1 82597EX 8086:1a48 Ixgb PCI-X 10G Fiber no PRO/1000 Dual 82546GB 2 82546GB 8086:108a E1000 PCI-E 10/100/1G Copper no Pro/1000 EF Dual 2 82576 8086:10e6 Igb ? PCI-E 1G Fiber yes ? Pro/1000 ET Dual port Server Adapter 2 82576   igb PCI-E 1G Copper yes PRO/1000 ET Quad Port Server Adapter 4 82576 8086:10e8 Igb PCI-E 10/100/1G Copper yes PRO/1000 GT Quad 4 82546 8086:10b5 E1000 PCI-X 10/100/1G Copper no PRO/1000 MF 1 82546 ? 82545 ? - E1000 PCI-X 1G Fiber no PRO/1000 MF (LX) 1 82546 ? 82545 ? - E1000 PCI-X 1G Fiber no PRO/1000 MF Dual 2 82546 ? 82545 ? - E1000 PCI-X 1G Fiber no PRO/1000 MF Quad 4 82546 ? 82545 ? - E1000 PCI-X 1G Fiber no PRO/1000 PF 1 82571 ? 8086:107e E1000 PCI-E 1G Fiber no PRO/1000 PF Dual 2 82571 ? 8086:115f E1000 PCI-E 1G Fiber no PRO/1000 PF Quad Port Server Adapter 4 82571 ? 8086:10a5 E1000 PCI-E 1G Fiber no PRO/1000 PT 1 82571 8086:1082 E1000 PCI-E 10/100/1G Copper no PRO/1000 PT Dual 2 82571 8086:105e E1000 PCI-E 10/100/1G Copper no PRO/1000 PT Dual UTP 2 82571 8086:108a E1000 PCI-E 10/100/1G Copper no PRO/1000 PT Quad 4 82571 8086:10a4 E1000 PCI-E 10/100/1G Copper no PRO/1000 PT Quad Low Profile 4 82571 8086:10bc E1000 PCI-E 10/100/1G Copper no PRO/1000 XF 1 82544   E1000 PCI-X 1G Fiber no  For all "?" I could not clarify the points exactly.  Multi-Queue support on Open Server (HP and IBM Network Cards) Tip 4 The following list shows an overview with all HP cards from Check Point HCL for open server from 11/22/2018.   The list is cross-referenced to the Intel drivers. I do not assume any liability for the correctness of the information. These lists should only be used to help you find the right drivers. It is not an official document of Check Point!   So please always read the official documents of Check Point. HP network card Ports Chipset PCI ID Driver PCI Speed MQ Ethernet 1Gb 4-port 331T 4 BCM5719 14e4:1657 tg3 PCI-E 1G Copper no Ethernet 1Gb 4-port 366FLR 4 Intel  I350 8086:1521 igb PCI-E 1G Copper yes Ethernet 1Gb 4-port 366T 4 Intel  I350 8086:1521 igb PCI-E 1G Copper yes Ethernet 10Gb 2-port 560SFP+ 2 Intel 82599EB 0200: 8086:10fb ixgbe PCI-E 10G Fiber yes Ethernet 10Gb 2-port 561FLR-T 2 Intel X540-AT2 8086:1528 ixgbe PCI-E 10G Copper yes HPE Ethernet 10Gb 2-port 562FLR-SFP+ 2 Intel X710 8086:1572 i40e PCI-E 10G Copper yes Ethernet 10Gb 2-port 561T 2 Intel X540-AT2 8086:1528 ixgbe PCI-E 10G Copper yes NC110T 1 Intel 82572GI 8086:10b9 E1000 PCI-E 10/100/1G Copper no NC320T 1 BCM5721 KFB 14e4:1659 tg3 PCI-E 10/100/1G Copper no NC325m Quad Port 4 BCM5715S 14e4:1679 tg3 PCI-E 1G Copper no NC326m PCI Express Dual Port 1Gb Server Adapter for c-Class Blade System 2 BCM5715S   tg3 PCI-E 1G Copper no NC340T 4 Intel 82546GB 8086:10b5 E1000 PCI-X 10/100/1G Copper no NC360T 2 Intel 82571EB 8086:105e E1000 PCI-E 10/100/1G Copper no NC364T Official site 4 Intel 82571EB 8086:10bc E1000 PCI-E 10/100/1G Copper no NC365T PCI Express Quad Port 4 Intel82580 8086:150e igb PCI-E 10/100/1G Copper yes NC373F 1 Broadcom 5708 14e4:16ac bnx2 PCI-E 1G Copper no NC373m Dual Port 2 BCM5708S 14e4:16ac bnx2 PCI-E 10/100/1G Copper no NC373T 1 Broadcom 5708 14e4:16ac bnx2 PCI-E 10/100/1G Copper no NC380T PCI Express Dual Port Multifunction Gigabit server 2 BCM5706 - bnx2 PCI-E 10/100/1G Copper no NC522SFP Dual Port 10GbE Server Adapter 2 NX3031 4040:0100 ??? PCI-E 10G Fiber no NC550SFP Dual Port 10GbE Server Adapter Official site 2 Emulex OneConn 19a2:0700 be2net PCI-E 10G Fiber no NC552SFP 10GbE 2-port Ethernet Server 2 Emulex OneConn 19a2:0710 be2net PCI-E 10G Fiber no NC7170 2 Intel  82546EB 8086:1010 E1000 PCI-X 10/100/1G Copper no For all "?" I could not clarify the points exactly.   IBM network card Ports Chipset PCI ID Driver PCI Speed MQ Broadcom 10Gb 4-Port Ethernet Expansion Card (CFFh) for IBM BladeCenter 4 BCM57710   bnx2x PCI-E 10G Fiber no Broadcom NetXtreme Quad Port GbE network Adapter 4 I350   igb PCI-E 1G Copper yes NetXuleme 1000T 1 ??? (1)   ??? PCI-X 10/100/1G Copper ??? NetXuleme 1000T Dual 2 ??? (1)   ??? PCI-X 10/100/1G Copper ??? PRO/1000 PT Dual Port Server Adapter 2 82571GB   E1000 PCI-E 10/100/1G Copper no  (1) These network cards can't even be found at Goggle. Notes to Intel igb and ixgbe driver I used the LKDDb Database to identify the drivers. LKDDb is an attempt to build a comprensive database of hardware and protocols know by Linux kernels. The driver database includes numeric identifiers of hardware, the kernel configuration menu needed to build the driver and the driver filename. The database is build automagically from kernel sources, so it is very easy to have always the database updated. This was the basis of the cross-reverence between Check Point HCL and Intel drivers. Link to LKDDb web database:https://cateee.net/lkddb/web-lkddb/ Link to LKDDb database driver: igb, ixgbe, i40e, mlx5_core     Here you can find the following output for all drivers e.g. igb: Numeric ID (from LKDDb) and names (from pci.ids) of recognized devices: vendor: 8086 ("Intel Corporation"), device: 0438 ("DH8900CC Series Gigabit Network Connection") vendor: 8086 ("Intel Corporation"), device: 10a9 ("82575EB Gigabit Backplane Connection") vendor: 8086 ("Intel Corporation"), device: 10c9 ("82576 Gigabit Network Connection") vendor: 8086 ("Intel Corporation"), device: 10d6 ("82575GB Gigabit Network Connection") and many more... How to recognize the driver With the ethtool you can display the version and type of the driver. For example for the interface eth0. # ethtool -i eth0 driver: igbversion: 2.1.0-k2firmware-version: 3.2-9bus-info: 0000:02:00.0 Active RX multi queues - formula By default, Security Gateway calculates the number of active RX queues based on this formula: RX queues = [Total Number of CPU cores] - [Number of CoreXL FW instances] Configure Here I would refer to the following links: Performance Tuning R80.10 Administratio GuidePerformance Tuning R80.20 Administration Guide References Best Practices - Security Gateway Performance Multi-Queue does not work on 3200 / 5000 / 15000 / 23000 appliances when it is enabled for on-board interfacesPerformance Tuning R80.10 Administratio GuidePerformance Tuning R80.20 Administration Guide Intel:Download Intel® Network Adapter Virtual Function Driver for Intel® 10 Gigabit Ethernet Network Connections Download Network Adapter Driver for Gigabit PCI Based Network Connections for Linux* Download Intel® Network Adapter Driver for 82575/6, 82580, I350, and I210/211-Based Gigabit Network Connections for Linu…  LKDDb (Linux Kernel Driver Database):https://cateee.net/lkddb/web-lkddb/ Copyright by Heiko Ankenbrand  1994-2019

The following command shows detailed policy based routing on the CLI. You found the policy based VPN routes  to the corresponding external gateway. The basic Check Point table is "fw tab -f -t vpn_routing -u".   Command: echo -e "\033[0m####################\n# VPN Routing      #\n####################";fw tab -f -t vpn_routing -u 2>&1 |grep -v "+"| awk '{split($0,a,";"); print a[8]}' |sort -ng |uniq | awk '{split($0,a," "); print a[2]}' | xargs -I % sh -c  'echo -n "External Gateway: ";echo -e "\033[0;31m % \\033[37m";echo -e "  Routing: \033[32m";fw tab -f -t vpn_routing -u 2>&1 |grep % |awk '\''{split($0,b,";"); print b[6] b[7]}'\''| sed 's/From\://'| sed 's/To\:/-/'|sort -u ;echo -e "\033[0m" '   Regards, Heiko Ankenbrand

Soon we will get R80.20 and the Falcon modules!   The new acceleration Falcon architecture with R80.20:- Low Latency- High Connections Rate- SSL Boost- Deep Inspection Acceleration- Modular Connectivity- Multible Acceleration modules - Falcon 1G (8x1 GbE), 10G (4x10 GbE) and 40G (2x40 GbE)- Compatible with 5900, 15000 & 23000 Appliance Series   Regards, Heiko

  Issue description: Many of our customers have reported the following issue in recent weeks. Telephone VoIP connections are terminated and can no longer be established. Issue debug: On the firewall you see a typical issue with the following message if you start: # fw ctl zdebug drop Issue message: fwconn_key_init_links (INBOUND) failed Solution: There are two different Servers on the SIP/RTP provider's side that take part in the process of establishing the SIP/RTP call: Server for SIP (Management and control) Server for RTP (Media and Voice Data) Make sure that the UDP high ports from the internal RTP VoIP telephone system to the provider RTP server on the RTP provider's side are dropped by the rule base on 600 / 1100 / 1200 / 1400 appliance: RTP rules: Create a service for the UDP high ports and use it in an incoming Accept rule, which also has to allow the RTP ports. Create a drop rule to block outgoing connections from the Internal RTP server (VoIP telephone system) to the provider's RTP server on high UDP ports SIP rule: Create an allow rule for incoming and outgoing SIP traffic on UDP port 5060   Example:   A similar description can be found in SK104082.   Regards, Heiko

This command shows the interface speed and duplex as list for R77.xx and R80.10.   # ifconfig -a | grep encap | awk '{print $1}' | grep -v lo | grep -v bond | grep -v ":" | grep -v ^lo | xargs -I % sh -c 'ethtool %; ethtool -i %' | grep '^driver\|Speed\|Duplex\|Setting' | sed "s/^/ /g" | tr -d "\t" | tr -d "\n" | sed "s/Settings for/\nSettings for/g" | awk '{print $5 " "$7 "\t " $9 "\t" $3}' | grep -v "Unknown" | grep -v "\."     Version 1.1     A older version of the document can be found under the following link:   https://community.checkpoint.com/docs/DOC-2840   Regards, Heiko  

Now you can use the new command "gw_mbash" and "g_mclish" to execute bash or clish commands on all gateway simultaneously from the management server. All you have to do is copy and paste the above lines to the management server. After that you have two new commands on the management server. Here you can now centrally execute simple commands on all gateways which are connected via SIC with the management.   Attention! You can quickly destroy your gateways if you enter the wrong commands! Command syntax: Command Description # gw_detect # gw_detect80 Detect all your gateways that support from this tool. This command only needs to be executed once or when gateways changed in topology.All founded gateways are stored as IP address in this file /var/log/g_gateway.txt. All added IP addresses will be used later to execute commands on these gateways. The file can also be edit manually to add gateway IP adressess. The execution of this command may take a few minutes. Use this command on R80.x gateways "gw_detect80" is a little bit faster. Use this command on R77.x gateways "gw_detect". # gw_mbash <command>  Execute expert mode command on all gateway  simultaneously # gw_mclish <command> Execute clish command on all gateway  simultaneously An example! You want see the version of all gateway they are defined in the topology. Management# gw_detect                                                   -> start this command fist to detect all your supported gateways or "gw_detect80" on R80.x gatewaysManagement# gw_mclish show version os edition        -> execute this command on all gateways   Now the command "show version os edition" is executed on all gateways and the output is displayed on the management server sorted according to the ip addresses of the gateways in the firewall topologie. The same also works for the expert mode. For example: Management# gw_detect                                                   -> start this command fist to detect all your supported gateways or "gw_detect80" on R80.x gatewaysManagement# gw_mbash fw ver                                      -> execute this command on all gateways   Tip 1 Use this command to backup your clish configs from all gateways. Management# gw_mclish show configuration > backup_clish_all_gateways.txt This can also be start as simply cronjob😀.   Tip 2 Check central performance settings for all gateways: Management# gw_mbash fw tab -t connections -s                         -> show state table for all gateways Management# gw_mbash fwaccel stat                                              -> show  fwaccel state's for all gatewaysManagement# gw_mbash ips stat                                                       -> check on witch gateway ips is enabled ... Cppy and paste this lines to the management server or download the script "new_multi_commands.sh" and execute the script.     echo '#!/bin/bash' > /usr/local/bin/gw_mbash echo 'if [ ! -f /var/log/g_gateway.txt ]; then' >> /usr/local/bin/gw_mbash echo 'echo "First start \"gw_detect\" and\or edit the file \var\log\gw_gateway.txt manually. Add here all your gateway IP addresses."' >> /usr/local/bin/gw_mbash echo 'else' >> /usr/local/bin/gw_mbash echo 'HAtest="$@"' >> /usr/local/bin/gw_mbash echo 'echo $HAtest > /var/log/g_command.txt;' >> /usr/local/bin/gw_mbash echo 'while read line' >> /usr/local/bin/gw_mbash echo 'do' >> /usr/local/bin/gw_mbash echo 'if $CPDIR/bin/cprid_util getarch -server $line |grep "gaia" > /dev/null;' >> /usr/local/bin/gw_mbash echo 'then' >> /usr/local/bin/gw_mbash echo 'echo "--------- GAIA $line execute command: $HAtest"' >> /usr/local/bin/gw_mbash echo '$CPDIR/bin/cprid_util -server $line putfile -local_file /var/log/g_command.txt -remote_file /var/log/g_command.txt;' >> /usr/local/bin/gw_mbash echo '$CPDIR/bin/cprid_util -server $line -verbose rexec -rcmd /bin/bash -f /var/log/g_command.txt' >> /usr/local/bin/gw_mbash echo 'else' >> /usr/local/bin/gw_mbash echo 'echo "--------- STOP $line Error: no SIC to gateway or no compatible gateway"' >> /usr/local/bin/gw_mbash echo 'fi' >> /usr/local/bin/gw_mbash echo 'done < /var/log/g_gateway.txt' >> /usr/local/bin/gw_mbash echo 'fi' >> /usr/local/bin/gw_mbash chmod +x /usr/local/bin/gw_mbash echo '#!/bin/bash' > /usr/local/bin/gw_mclish echo 'if [ ! -f /var/log/g_gateway.txt ]; then' >> /usr/local/bin/gw_mclish echo 'echo "First start \"gw_detect\" and\or edit the file \var\log\gw_gateway.txt manually. Add here all your gateway IP addresses."' >> /usr/local/bin/gw_mclish echo 'else' >> /usr/local/bin/gw_mclish echo 'HAtest="$@"' >> /usr/local/bin/gw_mclish echo 'echo $HAtest > /var/log/g_command.txt;' >> /usr/local/bin/gw_mclish echo 'while read line' >> /usr/local/bin/gw_mclish echo 'do' >> /usr/local/bin/gw_mclish echo 'if $CPDIR/bin/cprid_util getarch -server $line |grep "gaia" > /dev/null;' >> /usr/local/bin/gw_mclish echo 'then' >> /usr/local/bin/gw_mclish echo 'echo "--------- GAIA $line execute command: $HAtest"' >> /usr/local/bin/gw_mclish echo '$CPDIR/bin/cprid_util -server $line putfile -local_file /var/log/g_command.txt -remote_file /var/log/g_command.txt;' >> /usr/local/bin/gw_mclish echo '$CPDIR/bin/cprid_util -server $line -verbose rexec -rcmd /bin/clish -f /var/log/g_command.txt' >> /usr/local/bin/gw_mclish echo 'else' >> /usr/local/bin/gw_mclish echo 'echo "--------- STOP $line Error: no SIC to gateway or no compatible gateway"' >> /usr/local/bin/gw_mclish echo 'fi' >> /usr/local/bin/gw_mclish echo 'done < /var/log/g_gateway.txt' >> /usr/local/bin/gw_mclish echo 'fi' >> /usr/local/bin/gw_mclish chmod +x /usr/local/bin/gw_mclish echo '#!/bin/bash' > /usr/local/bin/gw_detect echo 'echo -n > /var/log/g_gateway.txt' >> /usr/local/bin/gw_detect echo "more $FWDIR/conf/objects.C |grep -A 500 -B 1 ':type (gateway)'| sed -n '/gateway/,/:ipaddr (/p' | grep 'ipaddr (' | sed 's/^[ \t]*//' | sed 's/\:ipaddr (//' |sed 's/)//' > /var/log/g_gwl.txt" >> /usr/local/bin/gw_detect echo 'while read line' >> /usr/local/bin/gw_detect echo 'do' >> /usr/local/bin/gw_detect echo 'if $CPDIR/bin/cprid_util getarch -server $line |grep "gaia" > /dev/null;' >> /usr/local/bin/gw_detect echo 'then' >> /usr/local/bin/gw_detect echo 'echo "--------- GAIA $line "' >> /usr/local/bin/gw_detect echo 'echo "$line" >> /var/log/g_gateway.txt' >> /usr/local/bin/gw_detect echo 'else' >> /usr/local/bin/gw_detect echo 'echo "--------- STOP no SIC to gateway or no compatible gateway"' >> /usr/local/bin/gw_detect echo 'fi' >> /usr/local/bin/gw_detect echo 'done < /var/log/g_gwl.txt' >> /usr/local/bin/gw_detect chmod +x /usr/local/bin/gw_detect echo '#!/bin/bash' > /usr/local/bin/gw_detect80 echo 'echo -n > /var/log/g_gateway.txt' >> /usr/local/bin/gw_detect80 echo "mgmt_cli -r true show gateways-and-servers details-level full --format json | $CPDIR/jq/jq -r '.objects[] | select(.type | contains(\"Member\",\"simple-gateway\")) | .\"ipv4-address\"' |grep -v null|grep -v 0.0. > /var/log/g_gwl.txt" >> /usr/local/bin/gw_detect80 echo 'while read line' >> /usr/local/bin/gw_detect80 echo 'do' >> /usr/local/bin/gw_detect80 echo 'if $CPDIR/bin/cprid_util getarch -server $line |grep "gaia" > /dev/null;' >> /usr/local/bin/gw_detect80 echo 'then' >> /usr/local/bin/gw_detect80 echo 'echo "--------- GAIA $line "' >> /usr/local/bin/gw_detect80 echo 'echo "$line" >> /var/log/g_gateway.txt' >> /usr/local/bin/gw_detect80 echo 'else' >> /usr/local/bin/gw_detect80 echo 'echo "--------- STOP no SIC to gateway or no compatible gateway"' >> /usr/local/bin/gw_detect80 echo 'fi' >> /usr/local/bin/gw_detect80 echo 'done < /var/log/g_gwl.txt' >> /usr/local/bin/gw_detect80 chmod +x /usr/local/bin/gw_detect80   Versions:v0.1 - 04-14-2019 - gw_multi_commands_v0.1.sh -> betav0.2 - 04-16-2019 - gw_multi_commands_v0.2.sh -> remove bugsv0.3 - 04-17-2019 - gw_multi_commands_v0.3.sh -> split to two commands (gw_detect and the old commands)v0.4 - 05-05-2019 - gw_multi_commands_v0.4.sh -> add command "gw_detect80" Video tutorial: (view in My Videos)   Copyright by Heiko Ankenbrand 1996-2019

Hi,Resetting checkpoint 1200R to Factory default (Physically by pressing the small button), make the device enter to maintenance mode. (connected by console cable)How can i reset to factory defaults ???currently stack at this maintenance mode.cat logs/boot_log  :[Expert@MAINTENANCE_MODE]# cat check /logs/boot_logcat: can't open 'check': No such file or directoryKernel boot messages:--------------------- memory: 000000002e000000 @ 0000000020000000 (usable) memory: 000000000084e000 @ 0000000000100000 (usable) memory: 0000000000452000 @ 000000000094e000 (usable after init)Wasting 14336 bytes for tracking 256 unused pagesInitrd not found or empty - disabling initrdUsing passed Device Tree <8000000000080000>.software IO TLB [mem 0x01e0c000-0x01e4c000] (0MB) mapped at [8000000001e0c000-8000000001e4bfff]Zone ranges:  DMA32    [mem 0x00100000-0xefffffff]  Normal   emptyMovable zone start for each nodeEarly memory node ranges  node   0: [mem 0x00100000-0x00d9ffff]  node   0: [mem 0x00f00000-0x0eefffff]  node   0: [mem 0x0f200000-0x0fdfffff]  node   0: [mem 0x20000000-0x4dffffff]On node 0 totalpages: 252064  DMA32 zone: 3447 pages used for memmap  DMA32 zone: 0 pages reserved  DMA32 zone: 252064 pages, LIFO batch:31Primary instruction cache 78kB, virtually tagged, 39 way, 16 sets, linesize 128 bytes.Primary data cache 32kB, 32-way, 8 sets, linesize 128 bytes.Secondary unified cache 512kB, 4-way, 1024 sets, linesize 128 bytes.pcpu-alloc: s0 r0 d32768 u32768 alloc=1*32768pcpu-alloc: [0] 0Built 1 zonelists in Zone order, mobility grouping on.  Total pages: 248617Kernel command line:  bootoctlinux 0x20000200 coremask=1 cp_net_config=2,(00:1C:7F:72:A4:59)(00:1C:7F:72:A4:5A),mtu=1500 console=ttyS0,115200 quiet blkdevparts=mmcblk0:10M(boot)ro,512K(bootldr-env),32M@11M(kernel-1),480M(rootfs-1),32M(kernel-2),480M(rootfs-2),200M(default_sw),650M(logs),1M(preset_cfg),1M(adsl),1000M(storage) noExtPorts=PID hash table entries: 4096 (order: 3, 32768 bytes)Dentry cache hash table entries: 131072 (order: 8, 1048576 bytes)Inode-cache hash table entries: 65536 (order: 7, 524288 bytes)Memory: 979004k/1008256k available (5781k kernel code, 29252k reserved, 2722k data, 4424k init, 0k highmem)NR_IRQS:512CIB interrupt controller probed: 800107000000e000 23 bitsCIB interrupt controller probed: 800107000000e200 12 bitsCIB interrupt controller probed: 800107000000e400 6 bitsCIB interrupt controller probed: 800107000000ec00 15 bitsCIB interrupt controller probed: 800107000000e600 4 bitsCIB interrupt controller probed: 800107000000e800 11 bitsCIB interrupt controller probed: 800107000000e900 11 bitsConsole: colour dummy device 80x25Calibrating delay loop (skipped) preset value.. 2400.00 BogoMIPS (lpj=12000000)pid_max: default: 32768 minimum: 501Security Framework initializedMount-cache hash table entries: 256Checking for the daddi bug... no.Performance counters: octeon PMU enabled, 4 64-bit counters available to each CPU, irq 7NET: Registered protocol family 16Installing handlers for error tree at: ffffffff808baf30PCIe: Initializing port 0PCIe: Port 0 not in PCIe mode, skippingPCIe: Initializing port 1PCIe: Port 1 not in PCIe mode, skippingPCIe: Initializing port 2PCIe: Port 2 not in PCIe mode, skippingbio: create slab <bio-0> at 0vgaarb: loadedSCSI subsystem initializedusbcore: registered new interface driver usbfsusbcore: registered new interface driver hubusbcore: registered new device driver usbpps_core: LinuxPPS API ver. 1 registeredpps_core: Software ver. 5.3.6 - Copyright 2005-2007 Rodolfo Giometti <giometti@linux.it>PTP clock support registeredEDAC MC: Ver: 3.0.0PCI host bridge to bus 0000:00pci_bus 0000:00: root bus resource [mem 0x1000000000000]pci_bus 0000:00: root bus resource [io  0x0000]pci_bus 0000:00: No busn resource found for root bus, will use [bus 00-ff]pci_bus 0000:00: busn_res: [bus 00-ff] end is updated to 00NET: Registered protocol family 8NET: Registered protocol family 20Switching to clocksource OCTEON_CVMCOUNTNET: Registered protocol family 2TCP established hash table entries: 8192 (order: 5, 131072 bytes)TCP bind hash table entries: 8192 (order: 4, 65536 bytes)TCP: Hash tables configured (established 8192 bind 8192)TCP: reno registeredUDP hash table entries: 512 (order: 2, 16384 bytes)UDP-Lite hash table entries: 512 (order: 2, 16384 bytes)NET: Registered protocol family 1RPC: Registered named UNIX socket transport module.RPC: Registered udp transport module.RPC: Registered tcp transport module.RPC: Registered tcp NFSv4.1 backchannel transport module.PCI: CLS 0 bytes, default 128octeon_pci_console: Initialized./proc/octeon_perf: Octeon performance counter interface loadedHugeTLB registered 2 MB page size, pre-allocated 0 pagessquashfs: version 4.0 (2009/01/31) Phillip LougherNFS: Registering the id_resolver key typeKey type id_resolver registeredKey type id_legacy registeredNTFS driver 2.1.30 [Flags: R/W].msgmni has been set to 1912io scheduler noop registeredio scheduler deadline registeredio scheduler cfq registered (default)octeon_gpio 1070000000800.gpio-controller: OCTEON GPIOHDLC line discipline maxframe=4096N_HDLC line discipline registered.Serial: 8250/16550 driver, 6 ports, IRQ sharing disabled1180000000800.serial: ttyS0 at MMIO 0x1180000000800 (irq = 34) is a OCTEONconsole [ttyS0] enabled, bootconsole disabled1180000000c00.serial: ttyS1 at MMIO 0x1180000000c00 (irq = 35) is a OCTEONSofaWare LED driver initializebrd: module loadedloop: module loadedlibphy: mdio-octeon: probedmdio-octeon 1180000001800.mdio: Version 1.0libphy: mdio-octeon: probedmdio-octeon 1180000001900.mdio: Version 1.0spi_ks8995: Micrel KS8995 Ethernet switch SPI driver version 0.1.1e100: Intel(R) PRO/100 Network Driver, 3.5.24-k2-NAPIe100: Copyright(c) 1999-2006 Intel Corporatione1000: Intel(R) PRO/1000 Network Driver - version 7.3.21-k8-NAPIe1000: Copyright (c) 1999-2006 Intel Corporation.e1000e: Intel(R) PRO/1000 Network Driver - 2.3.2-ke1000e: Copyright(c) 1999 - 2013 Intel Corporation.igb: Intel(R) Gigabit Ethernet Network Driver - version 5.0.3-kigb: Copyright (c) 2007-2013 Intel Corporation.octeon-ethernet 2.0Interface 0 has 1 ports (SGMII)Interface 1 has 1 ports (SGMII)Interface 4 has 1 ports (AGL)number of interfaces in command line is 2      o MTU set to 1500cvm_oct_common_set_rx_filtering: Could not get device 'LAN1'cvm_oct_common_set_rx_filtering: Could not get device 'LAN2'cvm_oct_common_set_rx_filtering: Could not get device 'LAN3'cvm_oct_common_set_rx_filtering: Could not get device 'LAN4'PPP generic driver version 2.4.2PPP BSD Compression module registeredPPP MPPE Compression module registeredNET: Registered protocol family 24usbcore: registered new interface driver cdc_etherGobiNet: 2013-10-08/NTGR_2.21usbcore: registered new interface driver GobiNetusbcore: registered new interface driver sierra_netMadge ATM Ambassador driver version 1.2.4amb: debug bitmap is 0Madge ATM Horizon [Ultra] driver version 1.2.1hrz: debug bitmap is 0platform 1180068000000.uctl: clocks initialized.platform 1180069000000.uctl: clocks initialized.ehci_hcd: USB 2.0 'Enhanced' Host Controller (EHCI) Driverehci-pci: EHCI PCI platform driverohci_hcd: USB 1.1 'Open' Host Controller (OHCI) Driveruhci_hcd: USB Universal Host Controller Interface driverxhci-hcd xhci-hcd.0.auto: xHCI Host Controllerxhci-hcd xhci-hcd.0.auto: new USB bus registered, assigned bus number 1xhci-hcd xhci-hcd.0.auto: irq 25, io mem 0x1680000000000xHCI xhci_add_endpoint called for root hubxHCI xhci_check_bandwidth called for root hubhub 1-0:1.0: USB hub foundhub 1-0:1.0: 1 port detectedxhci-hcd xhci-hcd.0.auto: xHCI Host Controllerxhci-hcd xhci-hcd.0.auto: new USB bus registered, assigned bus number 2xHCI xhci_add_endpoint called for root hubxHCI xhci_check_bandwidth called for root hubhub 2-0:1.0: USB hub foundhub 2-0:1.0: 1 port detectedxhci-hcd xhci-hcd.1.auto: xHCI Host Controllerxhci-hcd xhci-hcd.1.auto: new USB bus registered, assigned bus number 3xhci-hcd xhci-hcd.1.auto: irq 26, io mem 0x1690000000000xHCI xhci_add_endpoint called for root hubxHCI xhci_check_bandwidth called for root hubhub 3-0:1.0: USB hub foundhub 3-0:1.0: 1 port detectedxhci-hcd xhci-hcd.1.auto: xHCI Host Controllerxhci-hcd xhci-hcd.1.auto: new USB bus registered, assigned bus number 4xHCI xhci_add_endpoint called for root hubxHCI xhci_check_bandwidth called for root hubhub 4-0:1.0: USB hub foundhub 4-0:1.0: 1 port detectedusbcore: registered new interface driver cdc_acmcdc_acm: USB Abstract Control Model driver for USB modems and ISDN adaptersusbcore: registered new interface driver usblpusbcore: registered new interface driver usb-storageusbcore: registered new interface driver ums-datafabusbcore: registered new interface driver ums-freecomusbcore: registered new interface driver ums-jumpshotusbcore: registered new interface driver ums-sddr09usbcore: registered new interface driver ums-sddr55usbcore: registered new interface driver ums-usbatusbcore: registered new interface driver usbserialusbcore: registered new interface driver usbserial_genericusbserial: USB Serial support registered for genericusbcore: registered new interface driver ftdi_siousbserial: USB Serial support registered for FTDI USB Serial Deviceusbcore: registered new interface driver ipwusbserial: USB Serial support registered for IPWireless converterusbcore: registered new interface driver optionusbserial: USB Serial support registered for GSM modem (1-port)usbcore: registered new interface driver pl2303usbserial: USB Serial support registered for pl2303usbcore: registered new interface driver sierrausbserial: USB Serial support registered for Sierra USB modemusbcore: registered new interface driver GobiSerialusbserial: USB Serial support registered for GobiSerialGobiSerial: 2013-10-08/NTGR_2.12:GobiSerialmousedev: PS/2 mouse device common for all micei2c /dev entries driveri2c-octeon 1180000001000.i2c: version 2.5rtc-ds1307 1-0068: rtc core: registered ds1337 as rtc0i2c-octeon 1180000001200.i2c: version 2.5 phy_dice initialize error!nct7802: sensors_nct7802_initnct7802: snct7802_probenct7802: snct7802_probeocteon_wdt: Initial granularity 5 Secdevice-mapper: ioctl: 4.24.0-ioctl (2013-01-15) initialised: dm-devel@redhat.comEDAC DEVICE0: Giving out device to module 'octeon-cpu' controller 'cache': DEV 'octeon_pc_edac' (INTERRUPT)EDAC DEVICE1: Giving out device to module 'octeon-l2c' controller 'octeon_l2c_err': DEV 'octeon_l2c_edac' (POLLED)octeon_lmc_edac octeon_lmc_edac.0: Disabled (ECC not enabled)usbcore: registered new interface driver usbhidusbhid: USB HID core driverGeneric LED driver initializeipip: IPv4 over IPv4 tunneling driverTCP: cubic registeredNET: Registered protocol family 17lec:lane_module_init: lec.c: initializedmpoa:atm_mpoa_init: mpc.c: initialized8021q: 802.1Q VLAN Support v1.8Key type dns_resolver registeredL2 lock: TLB refill 256 bytesL2 lock: General exception 128 bytesL2 lock: low-level interrupt 128 bytesL2 lock: interrupt 640 bytesL2 lock: memcpy 1152 bytesrtc-ds1307 1-0068: setting system clock to 2018-02-28 22:01:00 UTC (1519855260)Freeing unused kernel memory: 4424K (ffffffff8094e000 - ffffffff80da0000)mmc0: BKOPS_EN bit is not setmmc0: new high speed DDR MMC card at address 0001mmcblk0: mmc0:0001 MMC04G 3.52 GiBmmcblk0boot0: mmc0:0001 MMC04G partition 1 16.0 MiBmmcblk0boot1: mmc0:0001 MMC04G partition 2 16.0 MiBmmcblk0rpmb: mmc0:0001 MMC04G partition 3 128 KiB mmcblk0: p1(boot) p2(bootldr-env) p3(kernel-1) p4(rootfs-1) p5(kernel-2) p6(rootfs-2) p7(default_sw) p8(logs) p9(preset_cfg) p10(adsl) p11(storage) mmcblk0boot1: unknown partition table mmcblk0boot0: unknown partition tableEXT4-fs: Warning: mounting with data=journal disables delayed allocation and O_DIRECT support!EXT4-fs (mmcblk0p8): mounted filesystem with journalled data mode. Opts: barrier=1,commit=1EXT4-fs (mmcblk0p11): mounted filesystem with journalled data mode. Opts: barrier=1,commit=1EXT4-fs (mmcblk0p4): mounted filesystem with journalled data mode. Opts: (null)cvm_oct_common_set_rx_filtering: Could not get device 'LAN1'cvm_oct_common_set_rx_filtering: Could not get device 'LAN2'cvm_oct_common_set_rx_filtering: Could not get device 'LAN3'cvm_oct_common_set_rx_filtering: Could not get device 'LAN4'cvm_oct_common_set_rx_filtering: Could not get device 'LAN1'cvm_oct_common_set_rx_filtering: Could not get device 'LAN2'cvm_oct_common_set_rx_filtering: Could not get device 'LAN3'cvm_oct_common_set_rx_filtering: Could not get device 'LAN4'cvm_oct_common_set_rx_filtering: Could not get device 'LAN1'cvm_oct_common_set_rx_filtering: Could not get device 'LAN2'cvm_oct_common_set_rx_filtering: Could not get device 'LAN3'cvm_oct_common_set_rx_filtering: Could not get device 'LAN4'marvellmod: module license 'unspecified' taints kernel.Disabling lock debugging due to kernel taintDSDT Driver InitPHY ID:4Trying to load DSDTqdLoadDriver SucessgstatsFlushAll SucessgpvtInitialize Sucess//Initialize the LAN ports and group them with their CPU port 0dsdt_set_port_vid Sucess=0gprtSetEgressMode Sucess=0gprtSetFrameMode Sucess=0gsysSetJumboMode Sucess=0gprtSetVlanTunnel Sucess=0gvlnSetPortVlanDot1qMode Sucess=0gprtSetPortAutoMode Sucess GT_LPORT_2_PHY(0)=0 ret=0gprtSetPortAutoMode Sucess=0gprtPortAutoNegEnable Sucess=0port_mask Sucess=0gprtSetPortAutoMode Sucess GT_LPORT_2_PORT(0)=0 ret=0//Initialize the LAN ports and group them with their CPU port 1dsdt_set_port_vid Sucess=1gprtSetEgressMode Sucess=1gprtSetFrameMode Sucess=1gsysSetJumboMode Sucess=1gprtSetVlanTunnel Sucess=1gvlnSetPortVlanDot1qMode Sucess=1gprtSetPortAutoMode Sucess GT_LPORT_2_PHY(1)=1 ret=0gprtSetPortAutoMode Sucess=1gprtPortAutoNegEnable Sucess=1port_mask Sucess=1gprtSetPortAutoMode Sucess GT_LPORT_2_PORT(1)=1 ret=0//Initialize the LAN ports and group them with their CPU port 2dsdt_set_port_vid Sucess=2gprtSetEgressMode Sucess=2gprtSetFrameMode Sucess=2gsysSetJumboMode Sucess=2gprtSetVlanTunnel Sucess=2gvlnSetPortVlanDot1qMode Sucess=2gprtSetPortAutoMode Sucess GT_LPORT_2_PHY(2)=2 ret=0gprtSetPortAutoMode Sucess=2gprtPortAutoNegEnable Sucess=2port_mask Sucess=2gprtSetPortAutoMode Sucess GT_LPORT_2_PORT(2)=2 ret=0//Initialize the LAN ports and group them with their CPU port 3dsdt_set_port_vid Sucess=3gprtSetEgressMode Sucess=3gprtSetFrameMode Sucess=3gsysSetJumboMode Sucess=3gprtSetVlanTunnel Sucess=3gvlnSetPortVlanDot1qMode Sucess=3gprtSetPortAutoMode Sucess GT_LPORT_2_PHY(3)=3 ret=0gprtSetPortAutoMode Sucess=3gprtPortAutoNegEnable Sucess=3port_mask Sucess=3gprtSetPortAutoMode Sucess GT_LPORT_2_PORT(3)=3 ret=0mrv_gtw_set_port_based_vlan numOfports=7 ports_mask=0 gvlnSetPortVlanPorts successmrv_gtw_set_port_based_vlan Sucess=4  dsdt_add_cpu_mac_internal(201) Successfully added 00:1c:7f:72:a4:59 on DBnum 1dsdt_set_port_vid Sucess=0ATU List:(00-1c-7f-72-a4-59) PortVec 0x20, DBNum: 1, EntryState: 0xf, MCEntryState: 0xfB4 gstpSetMode =0**********DSDT Driver was initialized succsefully*****************mrv_industrial_board_startmrv_industrial_board_start ksw_mad_load_drivermrv_industrial_board_start enable 4 phydsdtFdbPortLearnEnable(429) port 3f, enable 0, command 1CIP Switch+Phy driver installedNET: Registered protocol family 32kernel UMI module loadedSIM: Linux kernel version 3.10.20 ()Sim: driver installed[fw4_0];FW-1: Linux kernel version 3.10.20--1[fw4_0];FW-1: driver installedVPN-1: driver installedVPNT: IPv4 over VPN Tunnel driver installedFG-1: driver installed[fw4_0];FW-1: ld_commit: Attempting to commit unbound or invalid ld 8115Scripts boot messages:---------------------_Entering Full multiuser mode..... RTC Device: ds1337Brining up loopback interface... DoneSetting Hostname... DoneNumber of LAN ports is 4.Active Partition is 1dumpe2fs 1.42.6 (21-Sep-2012)Setting pfrm2.0 journal_data optiontune2fs 1.42.6 (21-Sep-2012)Active Configuration Flag is 1Creating /data/tmp if not there.ls: /data/tmp: No such file or directoryUSB Device Installationexpert mode Installation... DoneExecuting platform initialization scriptWaiting for event dispatcher (1)...x509Init : UDI-INFO : ProductID=, VendorID=, SerialNo=, DeviceId=, CN_WITH_UDI=Installing new self signed certificates with 10 years validity...cp: cannot remove '/data/tmp/https.crt': No such file or directorycp: cannot remove '/data/tmp/https.key': No such file or directoryDonestarting ntpd Daemon...DoneCreating devices for WPS push buton ... DoneCreating /dev/led3 device for Security LED... DoneCreating /dev/restore_default device... DoneCreating /dev/ppp device... DoneDisabling IP forwarding======================Starting Check Point Modules...ln: /fwtmp/opt/database/logo: No such file or directoryln: /flash/fw1/lib/cpsc.conf: File existscp: cannot stat '/pfrm2.0/opt/fw1/uf/sc/update/incoming/urlflib.inx': No such file or directorycp: cannot stat '/pfrm2.0/opt/fw1/uf/sc/update/incoming/urlflib.inx': No such file or directorycp: cannot stat '/pfrm2.0/opt/fw1/lib/libuf_service.so': No such file or directorycp: cannot stat '/pfrm2.0/opt/fw1/conf/uf_service.conf': No such file or directoryifconfig: eth0: error fetching interface information: Device not foundRunning Multi Portal Post Install scriptConfiguring Multiportal featureInserting SXL module...Done.Inserting fw1 module...doneInserting VPN module...doneInserting VPNT module...doneInserting FG-1 module...Done.Fetching default filter...Installing Security Policy... hostaddr(RD6281) failed: Connection refusedDone.killall: cpca: no process killedInitializing Internal Certificate Authority...rm: cannot remove '/opt/fw1/conf/InternalCA.db': No such file or directoryrm: cannot remove '/opt/fw1/conf/crls/*': No such file or directory Creating Internal CA with default DN 'O=00:1C:7F:72:A4:58..ht3hv5' Could not create Certificate Authority. General problem in Certificate AuthorityFailed to create ICA.killall: cpca: no process killedFailed to create ICA[Expert@MAINTENANCE_MODE]#

Now you can use the new command "g_bash" and "g_cli" to execute bash or clish commands on gateway from the management server. All you have to do is copy and paste the above lines to the management server. After that you have two new commands on the management server. Here you can now centrally execute simple commands on all gateways which are connected via SIC with the management. You only need to enter the IP address of the gateways and the command will be executed there. Cppy and paste this lines to the management server or download the script "new_commands.sh" and execute the script.   echo "echo Gateways configured in policy:" > /usr/local/bin/g_show echo "more $FWDIR/conf/objects.C |grep -A 20 -B 1 ':type (gateway)' | grep ipaddr | sed 's/^[ \t]*//' | sed 's/\:ipaddr (//' |sed 's/)//'" >> /usr/local/bin/g_show chmod 777 /usr/local/bin/g_show echo '#!/bin/bash' > /usr/local/bin/g_bash echo "more $FWDIR/conf/objects.C |grep -A 20 -B 1 ':type (gateway)' | grep ipaddr | sed 's/^[ \t]*//' | sed 's/\:ipaddr (//' |sed 's/)//' > /var/log/g_gateway.txt" >> /usr/local/bin/g_bash echo 'HAtest="$2 $3 $4 $5 $6 $7 $8 $9"' >> /usr/local/bin/g_bash echo 'if grep -xq $1 /var/log/g_gateway.txt; then' >> /usr/local/bin/g_bash echo "echo \$HAtest > /var/log/g_command.txt;" >> /usr/local/bin/g_bash echo "\$CPDIR/bin/cprid_util -server \$1 putfile -local_file /var/log/g_command.txt -remote_file /var/log/g_command.txt;" >> /usr/local/bin/g_bash echo "\$CPDIR/bin/cprid_util -server \$1 -verbose rexec -rcmd /bin/bash -f /var/log/g_command.txt;" >> /usr/local/bin/g_bash echo "else" >> /usr/local/bin/g_bash echo "echo This is not a gateway IP. Use an IP of following list:;" >> /usr/local/bin/g_bash echo "more /var/log/g_gateway.txt" >> /usr/local/bin/g_bash echo "fi" >> /usr/local/bin/g_bash chmod 777 /usr/local/bin/g_bash echo '#!/bin/bash' > /usr/local/bin/g_cli echo "more $FWDIR/conf/objects.C |grep -A 20 -B 1 ':type (gateway)' | grep ipaddr | sed 's/^[ \t]*//' | sed 's/\:ipaddr (//' |sed 's/)//' > /var/log/g_gateway.txt" >> /usr/local/bin/g_cli echo 'HAtest="$2 $3 $4 $5 $6 $7 $8 $9"' >> /usr/local/bin/g_cli echo 'if grep -xq $1 /var/log/g_gateway.txt; then' >> /usr/local/bin/g_cli echo "echo \$HAtest > /var/log/g_command.txt;" >> /usr/local/bin/g_cli echo "\$CPDIR/bin/cprid_util -server \$1 putfile -local_file /var/log/g_command.txt -remote_file /var/log/g_command.txt;" >> /usr/local/bin/g_cli echo "\$CPDIR/bin/cprid_util -server \$1 -verbose rexec -rcmd /bin/clish -f /var/log/g_command.txt;" >> /usr/local/bin/g_cli echo "else" >> /usr/local/bin/g_cli echo "echo This is not a gateway IP. Use an IP of following list:;" >> /usr/local/bin/g_cli echo "more /var/log/g_gateway.txt" >> /usr/local/bin/g_cli echo "fi" >> /usr/local/bin/g_cli chmod 777 /usr/local/bin/g_cli   Command syntax: Command Description # g_show show all gateway IP addresses # g_bash <gateway IP> <command>  execute expert mode command on gateway # g_cli <gateway IP> <command> execute clish command on gateway An example! You want to see the configuration of the gateway with IP 1.2.3.4 from the management. So you only have to enter the following command: Management# g_cli 1.2.3.4 show configuration Now the command "show configuration" is executed on the gateway and the output is displayed on the management server. The same also works for the expert mode. For example: Management# g_bash 1.2.3.4 cphaprob stat Show all gateway IP addresses. For example: Management# g_show Show all gateways configured in policy: 1.2.3.41.2.3.51.1.1.1 Video tutorial: (view in My Videos)       Copyright by Heiko Ankenbrand 1996-2019