cancel
Showing results for 
Search instead for 
Did you mean: 
Create a Post
Enterprise Appliances and Gaia OS

Have questions about Security Gateway Appliances, Gaia OS, CoreXL, SecureXL, or ClusterXL? This is where to ask them! This also includes legacy operating systems like SecurePlatform, IPSO, or XOS.

For Small Business Security appliances (600/700/1200R/1400/1500), see the SMB Appliances and SMP space.

James_Liao
James_Liao inside Enterprise Appliances and Gaia OS 2 hours ago
views 578 24

Does R80.40 support HP DL380 G10 ?

Hardware Compatibility List do not show anything about R80.40 , do I need to open case for the answer ?  
abihsot__
abihsot__ inside Enterprise Appliances and Gaia OS yesterday
views 1273 17

High memory usage

Hello,Wanted to share the issue we have with our gateway.  We have following blades enabled:fw urlf appi identityServer SSL_INSPECT content_awareness monAppliance is with 16gb, running latest R80.30.The problem we are having is that at some point memory usage increases sharply and it never comes down, unless we reboot appliance. This is causing issues to the traffic because some connections are getting disconnected during occurrence. I can't find in top (shift+m) any process which would contribute to this behaviour.I hope I am not alone with this issue, so please give a shout if you have something similar. Some of the occurrences from the past to show what happens: 

R80.40 GW on openservers and JHF page

  In reading about R80.40, I noticed the disclaimer on the download page:Note:R80.40 for Open Servers is supported only for Security Management.Security Gateways and Standalone are supported on VMware, Hyper-V and KVM.Security Gateways and Standalone configurations support for Open Servers is expected with R80.40 Jumbo Hotfix Accumulator.R80.40 is fully supported on all Check Point appliances.  However, in looking for an SK titled "Jumbo Hotfix Accumulator for R80.40", I cannot find one.   Is there a JHF page for R80.40 just not indexed by Google yet?  Just checking to see if OpenServer Gateway support is available yet.Best Regards,Dale

cloning group error after upgrade from R77.30 to R80.20 T101

Hello, After I upgrade firewall from R77.30 to R80.20 T101, I have this when I check on the status of the cloning group:show cloning-group status Synchronization Failedbut most of the time I have this:show cloning-group status Authentication Error Is it a problem with that version? Please help me to understand and solve the issue. 

Traffic not accelerated by Secure XL

Hi,I have been dealing with the secure XL for a while and cannot have the traffic accelerated as you can see the output below.The problem is the cpus are going over %95 during day time and i think the reason is the secure XL not handling traffic as expected as everything is going through the slow path.I have been through many topics here and I will put the outputs you may ask.Just a brief information of the firewall, working with ClusterXL, 8 cpu (2 SND, 6 workers) , OPEN SERVER ( I'm not sure if this could be any issue) , This is an external firewall, having DMZ, vpn and internet traffic of users and servers and more as you can think.#fwaccel stats -sAccelerated conns/Total conns : 14/79668 (0%)Accelerated pkts/Total pkts   : 370720/214400236 (0%)F2Fed pkts/Total pkts   : 211158051/214400236 (98%)PXL pkts/Total pkts   : 2871465/214400236 (1%)QXL pkts/Total pkts   : 0/214400236 (0%) # fwaccel conns -sThere are 211889 connections in SecureXL connections table The template number is so low.# fwaccel templates -sThere are 48 templates in SecureXL templates table # fwaccel statAccelerator Status : onAccept Templates   : disabled by Firewall                     Layer CL-EXT Security disables template offloads from rule #xxx ( just above the last rule)                     Throughput acceleration still enabled.Drop Templates     : enabledNAT Templates      : disabled by Firewall                     Layer CL-EXT Security disables template offloads from rule xxx ( just above the last rule)                     Throughput acceleration still enabled.NMR Templates      : enabledNMT Templates      : enabled I downloaded the fwaccel conns table and when investigated we see that most of traffic is about these 4 sources with 1 destination address (exchange related F5 traffic) as nearly 1/3 of the whole table is this connection. SourceDestinationDPortPRFlags     C2Si/f S2Ci/f InstAX4436F..A...S......40/3232/40BX4436F..A...S......40/3232/40BX4436F..A...S......40/3232/40CX4436F..A...S......40/3232/40AX4436F..A...S......40/3232/40DX4436F..A...S......40/3232/40CX4436F..A...S......40/3232/40DX4436F..A...S......40/3232/40CX4436F..A...S......40/3232/40BX4436F..A...S......40/3232/40BX4436F..A...S......40/3232/40DX4436F..A...S......40/3232/40AX4436F..A...S......40/3232/40CX4436F..A...S......40/3232/40DX4436F..A...S......40/3232/40CX4436F..A...S......40/3232/40BX4436F..A...S......40/3232/40CX4436F..A...S......40/3232/40AX4436F..A...S......40/3232/40BX4436F..A...S......40/3232/40AX4436F..A...S......40/3232/40BX4436F..A...S......40/3232/40BX4436F..A...S......40/3232/40AX4436F..A...S......40/3232/40DX4436F..A...S......40/3232/40DX4436F..A...S......40/3232/40AX4436F..A...S......40/3232/40BX4436F..A...S......40/3232/40DX4436F..A...S......40/3232/40 My question is, how come this traffic isn't accelerated?  Thank you 
li_hd
li_hd inside Enterprise Appliances and Gaia OS Thursday
views 2445 10 1

CPUSE Agent import package option not available

Dear all,We upgrade Gateway for R77.30 to R80.10,The upgrade went smoothly。But,in web GUI CPUSE Agent find  import package option not available.We tried changing browsersTry changing computersRestart  CPUSE Agent Servers ,issue still .Please help us ,thanks a lot 

PBR limitations

Hi Mates,reading the sk100500 I was very surprised when it describedThe following features/blades are not supported with PBR:IPv6Locally-generated trafficSecurity ServersData Loss Prevention (DLP) bladeAnti-Spam bladeMail Transfer Agent (MTA) (relevant for Threat Emulation/Threat Extraction/Data Loss Prevention/Anti-Spam blades)ISP RedundancyThe following applications (which use Check Point Active Streaming [CPAS]):VoIP (H323, SIP, Skinny, etc.)HTTPS InspectionHTTP Header SpoofingHTTP ProxyIMAP in IPSDespite my idea where, routing feature on the gateway musn't influence the security features, at the moment I need to have a PBR on a gateway where MTA is active for the TEX blade.In the enviroment where I'd like to implement PBR and I have MTA enabled on a R80.10 gateway, the PBR doesn't work.Does someone face the same scenario ?Does someone know a workaround/solution?

CheckPoint bridge mode is not working between the Fortigate and H3C switch

-------17/2/2020------- Add screen capture on the below reply for further troubleshooting. -------16/2/2020------- HI all, I just have a Checkpoint as bridge mode and have a scanning over the Trunk link.Both Fortigate and H3C has a Trunk link up already before. Vlan 10 is tagged with untagged VLAN 1.All my users are in Vlan 10.They need to have both CP and FG scanning while visiting the internet.Then we set up port 3 and 4 as br1 on the Check point.FortiGate connects to p3 while h3c switch uplink to p4.Both p3 and p4 are in the Internal zone with anti-spoofing disabled.CP Firewall policy just has the clean up one with any to any accepted. From the debug flow on FortiGate, I can not find the traffic to the internet, let says the dst. is "1.1.1.1"Nevertheless, both 192.168.100.1 and 172.16.10.101 can ping mutually and have the debug log result from Fortigate.I think this proves the CP policy working well? Interestingly, both Firewall traffic Logging reveal the traffic is accepted if to the internet.Only no outcome from the debug log result from Fortigate if the dst. is to internet or "1.1.1.1" I swear to god that FortiGate original settings are good.As we use it before and everything just normal. Please someone helps. Below is the lab topology after the deployment.  

Dynamic Routing - Real World Experience

Hello all,I consider to configure dynamic routing (main goal is OSPF, potentially BGP for some specific needs) on some of our Checkpoint appliances. In the past we avoided to apply any dynamic routing on our checkpoint firewalls. However, for some needs it would be really beneficial.The SMS is running in R80.30The SGWs are running in R80.30 (some are still in R77.30, but the question specifically targets for R80.30) Can i still sleep well at night doing this? 🙂To everybody who has deployed it in critical networks. What are your real world experiences with this? Is it stable? No drawbacks/strange behaviors when used in ClusterXL deployments? Discovered unexpected limitations etc. etc.I´m really targeting for the field experience here. Please specify if you are talking about OSPF or BGP. Regards

suspicious interrupts values

Hello CheckMates, since two days we see this very low interrupts, normally all cores around 100.000           Looks like everything is running fine but I'm wondering. Has anyone an idea ? Wolfgang

Cannot Access Active Cluster Member via HTTPS/SSH Over VPN

I can access the MGMT interface of active and standby cluster members via ICMP over the VPN but not SSH or HTTPS. Their is an SMS that sits behind these GWs and I can reach the SMS via ICMP, SSH and HTTPS. As the SMS is on the same MGMT network as the GWs, I can also access the GWs ia ICMP, SSH and HTTPS (using telnet) from the SMS. I'm aware of sk42695, sk42733 and sk93204 which could explain the behavior of the standby cluster member but it's odd that I'm able to ping both units. So I don't think any of those sk's apply plus I would expect to be able to access the active cluster member without issue. I also have a another 5100 cluster that works with the same configuration. The firewalls logs show traffic being allowed, encrypted/decrypted and I don't see any drops via "fw ctl zdebug drop" on either cluster member. A packet capture also shows the SSH/HTTPS traffic ingressing eth1 where the VPN is terminated but I only see a SYN with no ACK or further traffic. There are no host restrictions per the statement "add allowed-client host any-host". Any ideas on where I can look to troubleshoot further? I'm not seeing any noticeable in /var/log/messages. GWs are running R80.20 JHF Take 87.

Odd cphaprob output

Having an unusual issue with a cluster firewall interface. Firewall was rebooted and post reboot one side of the sync interface is showing an issue where the inbound is up but the outbound is down. The other side is UP & UP.fw1-cxl1:0]# cphaprob -a ifRequired interfaces: 7Required secured interfaces: 1eth7 Inbound: UP Outbound: DOWN (6062.3 secs) sync(secured), multicasteth5 UP non sync(non secured), multicast (eth5.71 )bond2 UP non sync(non secured), multicast, bond Load Sharing (bond2.32 )bond0 UP non sync(non secured), multicast, bond Load Sharing (bond0.17 )bond1 UP non sync(non secured), multicast, bond Load Sharing (bond1.80 )bond0 UP non sync(non secured), multicast, bond Load Sharing (bond0.245 )eth5 UP non sync(non secured), multicast (eth5.246 )Any obvious (to you!) ideas what might cause this before I roll up my sleeves?TIA

Gaia HealthCheck Script v7.09 released

Check Point released v7.09 of it's Gaia HealthCheck Script Script author: @Nathan_Davieau (LinkedIn profile)QA Director: @Barak_Ran (LinkedIn profile) What's new: Added R80.40 support Added VLAN/IP overlap and Any GUI Client checks courtesy of our ccc script Updated JHF version information Added Dynamic Split Check for Check Point Appliances running on R80.40 or higher Added Mgmt API and CPM status checks What's MISSING: Recognition of expired 1-year licenses to avoid warnings on such systems  (example: CPSB-COMP-5-1Y) Download Package Link Date  healthcheck.sh script v7.09 11Feb2020

Migrate to 10Gb interface

Hi, I'm about to move a Checkpoint 15k cluster from the current 1Gb interfaces to new 10Gb interfaces.There are clans created on the 1Gb interfaces and I have to remove those and create the same vlan interfaces on the new 10Gb interfaces.Have anyone done this before? What steps are included in this change?
Derek
Derek inside Enterprise Appliances and Gaia OS 2 weeks ago
views 166 1

Move traffic flow from checkpoint A to B.

Hello Guys, wondering if someone could help. I am currently trying to move all internet traffic from checkpoint A to checkpoint B. I am currently testing on myself. The reason for this is because CPU usage is high on checkpoint A which is 4000 appliance version R80.10 and checkpoint B is 5000 appliance version R80.10. I would like to test myself ONLY for now where my http and https traffic flows out of checkpoint B. I have attached some diagrams hopefully this will helps, the red arrow is where I want my traffic to go, the riverbed talks to both checkpoint A and B. My question is how do I make myself flow out of checkpoint B. I am almost certain there is something I need to do in the checkpoint