Enterprise Appliances and Gaia OS

Have questions about Security Gateway Appliances, Gaia OS, CoreXL, SecureXL, or ClusterXL? This is where to ask them! This also includes legacy operating systems like SecurePlatform, IPSO, or XOS.

For Small Business Security appliances (600/700/1200R/1400/1500), see the SMB Appliances and SMP space.

Finding Bandwidth consuming for particular Host

Dear All,

Just wanted to check if there is any workaround to check the bandwidth consumed/consuming for a particular host machine. Customer's Internet bandwidth was choked due to "few hosts to some destination IP" consuming high. From SmartMonitor we can see only the Source or the Destination which is consuming. But we need to check "which Source against which Destination" consumed/is consuming more bandwidth. Just like in the Cisco command ip flow top-talkers:

CISCO-ASA# sh ip flow top-talkers
SrcIf    SrcIPaddress    DstIf    DstIPaddress    Pr    SrcP    DstP    Bytes
Gi0/1                    Gi0/0                    06    0050    BBEB    19M
Gi0/1                    Gi0/0                    06    0050    3891    16M

In the above we could see 2 Sources against 2 Destinations with "Bytes" consumed. By any chance can we see something like this in Check Point?

Regards,
Prabulingam.N

Gaia R80.20 Administration Guide contains deprecated options that aren't available in Gaia portal

One customer reports that our Gaia R80.20 Admin Guide is not up to date: some options/features described in this document cannot be found in our Gaia R80.20 system. They need us to update our Admin Guide and give them a correct one.

Here are my findings based on the customer's report: in the section [List of Available Features in Roles], the [High Availability] feature and some other role features [Maintenance, System Management, User Management] seem to have been deprecated starting from R80. We cannot find these options in the Gaia Portal > User Management > Roles > Features, and these options are not available in clish either. As mentioned in the guide, I have sent an email to '', but no response has been received yet. Could anyone possibly have a look at this query? Many thanks.

1. The R80.20 Admin Guide: online version and PDF version.
2. The Gaia Portal. These role features exist in R77.30.

R80.20 Cluster Load sharing issue

Dear CheckMates,

I ran into the below issue for a customer using Load Sharing mode.

1) Mgmt Server in R80.20 Smart appliance with latest JHF_Take_118 (followed sk162637) - (No IPSec blade enabled)
2) FW Clusters in R80.20 with JHF_Take_118 as well (5800 appliances)

a) When we use Cluster Load Sharing - Multicast - all working fine
b) When we use Cluster Load Sharing - Unicast (without VMAC) - all working fine
c) When we use Cluster Load Sharing - Unicast (with VMAC) - complete halt of traffic. Even the Pivot member is unable to reach the default gateway IP and their production halted. (So reverted to HA mode)

The above scenario I had tested in my lab environment and faced exactly the same issue. Load Sharing Unicast (without VMAC) & Multicast work fine post JHF_Take_118 on both Mgmt server & FWs. But when LS with VMAC option = stops working.

Has anyone faced such a scenario? (I haven't tried the above LS in R80.30 for now - will check that as well)

Regards,
Prabulingam.N

blink install and xfs

Upgrading an R77.30 gateway to R80.20 using the blink command options "--reimage" and "--delete-old-partitions" leads to the following results:
- the old partition lv_current is deleted while all other partitions are kept, including lv_log
- the file system type is still ext3 for all partitions

2 questions arise here:
- Are our observations correct?
- Is the xfs-type filesystem used for Management Servers ONLY, meaning that even if we install the gateway from scratch, it would still be ext3?

Thanks for clarification.

Unable to boot from USB on 12400

I have been trying to perform a clean install on two 12400 chassis with no success. I am upgrading to R80.30 and have used the latest Polymorphic tool to build a bootable USB. I am not specifying any particular MAC; it should install on any machine. I have rebuilt the USB several times and am confident it is correct. I am following the directions for a clean install for this unit. I interrupt the boot process and perform a default reload. Once the system is reloaded, I begin the first time configuration wizard, where I select the option to do a clean install from USB. I insert the USB and the system reloads but does not boot from the USB.

Common Criteria EAL4+ compliance for R80.10?

Does anyone have any information on Common Criteria EAL4+ compliance for R80.10? There is no info here: Certified Check Point Solutions | Check Point Software regarding anything beyond R77.30. Anyone with info regarding implied compliance or an ETA on a statement would be most welcome. I appreciate that sometimes these statements come some way behind release.

Thanks,
Jon

2 new Common Criteria certificates R80.30: Protection Profile and EAL4+ and certification update

I'm pleased to announce that Check Point has been awarded two new Common Criteria certificates for R80.30:

EAL4+ certificate of R80.30. The Target of Evaluation (TOE) included claims for:
- Firewall
- IPS Blade
- Pattern Matcher
- REST API
- Enterprise appliances, TE appliances, Smart-1, CloudGuard

Protection Profile compliance of R80.30. The Target of Evaluation (TOE) included claims for:
- Network Device Stateful Traffic Filter Firewall Extended VPN Package
- SmartConsole
- Enterprise appliances, TE appliances, Smart-1, CloudGuard

The Protection Profile and EAL4+ listings include the Certificates, Security Target and Validation Report.

In addition, R80.30 is now listed by the NSA CSfC component list for protecting classified NSS data, and qualifies for listing by NIAPC (NATO Information Assurance Product Catalogue) and the UK National Cyber Security Centre (NCSC) Commercial Product Assurance (CPA) certification.

A full press release can be seen here:
HeikoAnkenbrand inside Enterprise Appliances and Gaia OS Wednesday
GAIA - Easy execute CLI commands from management on gateways!

Now you can use the new commands "g_bash" and "g_cli" to execute bash or clish commands on a gateway from the management server. All you have to do is copy and paste the lines below to the management server. After that you have two new commands on the management server. Here you can now centrally execute simple commands on all gateways which are connected via SIC with the management. You only need to enter the IP address of the gateway and the command will be executed there. Copy and paste these lines to the management server, or download the script "" and execute it.

# g_show: list the gateway IP addresses found in the policy database (objects.C)
echo '#!/bin/bash' > /usr/local/bin/g_show
echo "echo Gateways configured in policy:" >> /usr/local/bin/g_show
echo "more $FWDIR/conf/objects.C |grep -A 20 -B 1 ':type (gateway)' | grep ipaddr | sed 's/^[ \t]*//' | sed 's/\:ipaddr (//' |sed 's/)//'" >> /usr/local/bin/g_show
# 755: executable by everyone, writable only by root (the original post used 777)
chmod 755 /usr/local/bin/g_show

# g_bash: run an expert-mode command on <gateway IP> through cprid_util
echo '#!/bin/bash' > /usr/local/bin/g_bash
echo "more $FWDIR/conf/objects.C |grep -A 20 -B 1 ':type (gateway)' | grep ipaddr | sed 's/^[ \t]*//' | sed 's/\:ipaddr (//' |sed 's/)//' > /var/log/g_gateway.txt" >> /usr/local/bin/g_bash
echo 'HAtest="$2 $3 $4 $5 $6 $7 $8 $9"' >> /usr/local/bin/g_bash
# the first argument is accepted only if it is listed as a gateway IP in objects.C
echo 'if grep -xq $1 /var/log/g_gateway.txt; then' >> /usr/local/bin/g_bash
echo "echo \$HAtest > /var/log/g_command.txt;" >> /usr/local/bin/g_bash
echo "\$CPDIR/bin/cprid_util -server \$1 putfile -local_file /var/log/g_command.txt -remote_file /var/log/g_command.txt;" >> /usr/local/bin/g_bash
echo "\$CPDIR/bin/cprid_util -server \$1 -verbose rexec -rcmd /bin/bash -f /var/log/g_command.txt;" >> /usr/local/bin/g_bash
echo "else" >> /usr/local/bin/g_bash
echo "echo This is not a gateway IP. Use an IP of following list:;" >> /usr/local/bin/g_bash
echo "more /var/log/g_gateway.txt" >> /usr/local/bin/g_bash
echo "fi" >> /usr/local/bin/g_bash
chmod 755 /usr/local/bin/g_bash

# g_cli: same as g_bash, but the command file is executed by clish on the gateway
echo '#!/bin/bash' > /usr/local/bin/g_cli
echo "more $FWDIR/conf/objects.C |grep -A 20 -B 1 ':type (gateway)' | grep ipaddr | sed 's/^[ \t]*//' | sed 's/\:ipaddr (//' |sed 's/)//' > /var/log/g_gateway.txt" >> /usr/local/bin/g_cli
echo 'HAtest="$2 $3 $4 $5 $6 $7 $8 $9"' >> /usr/local/bin/g_cli
echo 'if grep -xq $1 /var/log/g_gateway.txt; then' >> /usr/local/bin/g_cli
echo "echo \$HAtest > /var/log/g_command.txt;" >> /usr/local/bin/g_cli
echo "\$CPDIR/bin/cprid_util -server \$1 putfile -local_file /var/log/g_command.txt -remote_file /var/log/g_command.txt;" >> /usr/local/bin/g_cli
echo "\$CPDIR/bin/cprid_util -server \$1 -verbose rexec -rcmd /bin/clish -f /var/log/g_command.txt;" >> /usr/local/bin/g_cli
echo "else" >> /usr/local/bin/g_cli
echo "echo This is not a gateway IP. Use an IP of following list:;" >> /usr/local/bin/g_cli
echo "more /var/log/g_gateway.txt" >> /usr/local/bin/g_cli
echo "fi" >> /usr/local/bin/g_cli
chmod 755 /usr/local/bin/g_cli

Command syntax:

Command                          Description
# g_show                         show all gateway IP addresses
# g_bash <gateway IP> <command>  execute expert mode command on gateway
# g_cli <gateway IP> <command>   execute clish command on gateway

An example: you want to see the configuration of a gateway (by its IP) from the management. So you only have to enter the following command:

Management# g_cli show configuration

Now the command "show configuration" is executed on the gateway and the output is displayed on the management server. The same also works for expert mode, for example:

Management# g_bash cphaprob stat

Show all gateway IP addresses, for example:

Management# g_show
Gateways configured in policy:

Video tutorial:

Copyright by Heiko Ankenbrand 1996-2019
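The scripts above pick gateway addresses out of objects.C by line proximity (grep -A 20 -B 1 around ':type (gateway)'), so an address from a neighbouring object can be mistaken for a gateway. As an added example that is not part of Heiko's post or any Check Point tool, here is a small Python parser for the nested-paren ":key (value)" layout of objects.C that returns the :ipaddr of each :type (gateway) object scoped per object; the sample fragment, its object names, addresses and uid are constructed, and a real objects.C is assumed to carry extra fields in the same syntax.

```python
import re

# Constructed objects.C fragment in the ":key (value)" nested-paren layout the
# g_show/g_bash scripts grep through; names, addresses and the uid are made up.
SAMPLE_OBJECTS_C = """(
 :network_objects (
  : (gw-branch-1
   :type (gateway)
   :ipaddr (192.0.2.10)
  )
  : (host-dns
   :type (host)
   :ipaddr (192.0.2.53)
  )
  : (gw-branch-2
   :AdminInfo (:chkpf_uid ("{constructed-uid}"))
   :type (gateway)
   :ipaddr (192.0.2.11)
  )
 )
)"""

TOKEN_RE = re.compile(r'\(|\)|"[^"]*"|[^\s()"]+')

def parse_node(tokens, i):
    """Parse node at tokens[i] == '(' -> ((name, attrs), next_i); attrs maps
    key -> [child nodes]; anonymous ': (name ...)' entries get key ''."""
    i += 1
    name, attrs = None, {}
    if tokens[i] not in ('(', ')') and not tokens[i].startswith(':'):
        name, i = tokens[i], i + 1          # leading value/name, e.g. (gateway)
    while tokens[i] != ')':
        key, i = tokens[i][1:], i + 1       # ':type' -> 'type', ':' -> ''
        if tokens[i] == '(':
            child, i = parse_node(tokens, i)
        else:                               # bare scalar value
            child, i = (tokens[i], {}), i + 1
        attrs.setdefault(key, []).append(child)
    return (name, attrs), i + 1             # skip the closing ')'

def gateway_ips(objects_c):
    """Map each :type (gateway) object to its :ipaddr, scoped per object
    rather than by line proximity as 'grep -A 20 -B 1' is."""
    root, _ = parse_node(TOKEN_RE.findall(objects_c), 0)
    found = {}
    for table in root[1].get('network_objects', []):
        for name, attrs in table[1].get('', []):
            obj_type = attrs['type'][0][0] if 'type' in attrs else None
            if obj_type == 'gateway' and 'ipaddr' in attrs:
                found[name] = attrs['ipaddr'][0][0]
    return found
```

The same check the scripts do with `grep -xq $1` becomes `ip in gateway_ips(text).values()`, and the host object's address is never listed.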

Announcement - Max Power 2020: Check Point Firewall Performance Optimization (Third Edition)

The third edition of the book Max Power 2020: Check Point Firewall Performance Optimization is now available. For more information, including the FAQ and a CPX-related discount code, please visit the site. Feel free to PM or email me with questions, but please be sure to read the FAQ in its entirety first. Thanks!

VoIP Issue and SMB Appliance (600/1000/1200/1400)

Issue description:
Many of our customers have reported the following issue in recent weeks. Telephone VoIP connections are terminated and can no longer be established.

Issue debug:
On the firewall you see a typical issue with the following message if you start:
# fw ctl zdebug drop
Issue message:
fwconn_key_init_links (INBOUND) failed

Solution:
There are two different servers on the SIP/RTP provider's side that take part in the process of establishing the SIP/RTP call:
- Server for SIP (management and control)
- Server for RTP (media and voice data)

Make sure that the UDP high ports from the internal RTP VoIP telephone system to the provider RTP server on the RTP provider's side are dropped by the rule base on the 600 / 1100 / 1200 / 1400 appliance:

RTP rules:
- Create a service for the UDP high ports and use it in an incoming Accept rule, which also has to allow the RTP ports.
- Create a drop rule to block outgoing connections from the internal RTP server (VoIP telephone system) to the provider's RTP server on high UDP ports.

SIP rule:
- Create an allow rule for incoming and outgoing SIP traffic on UDP port 5060.

A similar description can be found in SK104082.

Regards,
Heiko

Migrating cluster from old to new hardware

Hi,

We are finally replacing our FW cluster with old UTM appliances for 5600 appliances. I would like to keep the same names in the policy, but since the interface names change I would like to know what the best way is to migrate to the new appliances with minimal outage. I was about to:
- failover to HA
- move cables from the Primary appliance to the new 5600 Primary appliance
- migrate export of the policy, then remove all references to the existing cluster from the policy and delete the whole cluster from the management server
- create a new cluster with initially 1 member (the new primary 5600), establish SIC and configure the cluster with all new interfaces
- add the cluster to the rules where the old cluster was removed
- remove cables from the old HA firewall while installing the policy to the new Primary
- connect the new 5600 HA and add it to the cluster (and install policy)

Any other (or better) recommendations for a smooth migration to the new hardware? Or can I just delete 1 cluster member and add the new hardware with different interface names to the cluster object?

Many thanks.

Replace/Upgrade Cluster

I currently have two 4800s in a cluster on R80.10. I am looking to utilize the same cluster name/configuration and replace these gateways with two 6500s on R80.30. I just wanted to brainstorm on the easiest way to accomplish this. Also, this seems like it should be a common ask. Are there any Check Point guides for something like this?

R80.20 Installation Error "doAutoPartition" Exception Occured on 4800 appliance

Hi,

I have an issue very similar to the one described in an older post, i.e. I am getting exactly the same error message. The differences are that this is a CP 4800 appliance and the version I am going to install is R80.20. I made the USB a few times using different versions of ISOmorphic as well as using a USB-attached DVD - all the same. Ran the HW Diagnostics Tool – all tests OK. I was using the ISO image "R80.20 Gaia Fresh Install for Security Gateway and Standalone T101" – the same image was used for installation of over 10 other gateways on 4000 appliances. The SHA1 checksum for the image is OK.

Any ideas? I have none at this moment ... 😕

SecureXL DoS Rate Limiting (samp rules)

I have been working a lot with the rate limiting rules via the "fw samp" CLI interface, but unfortunately I cannot get the gateway to actually enforce them. It appears SecureXL is very unhappy when I try to enable rate limiting:

[Expert@PROD-FW02a:0]# fwaccel dos config set --enable-rate-limit
ERROR: No rate limiting policy is installed, can't enable.

What exactly is the "rate limiting policy" it is referring to? I have dug fairly deep in documentation, SKs, etc. and cannot figure out what triggers the rate limiting capabilities of SecureXL to turn on, based on policy settings. I also thought maybe enabling the QoS blade and the QoS policy component would trigger things, but it had no effect. Of course, this same status is reflected when you query the configuration (fwaccel dos config get):

rate limit: disabled (without policy)
pbox: disabled
blacklists: disabled
drop frags: disabled
drop opts: disabled
fwaccinternal: disabled
monitor: disabled
log drops: enabled
log pbox: enabled
notif rate: 100 notifications/second
pbox rate: 500 packets/second
pbox tmo: 180 seconds

The gateways are R80.30 5800 appliances.

Cluster dropping packets in R80.30 unicast Load sharing Mode

Cluster is dropping packets in unicast Load Sharing mode after upgrading from R80.10 to R80.30, while in HA mode it is working fine. Below is the output of "fw ctl zdebug + drop":

@;825535;[cpu_8];[SIM-207416775];pkt_handle_stateless_checks: Packet dropped (cluster decision). conn: <,46667,,443,6>;
@;825535;[cpu_8];[SIM-207416775];do_packet_finish: SIMPKT_IN_DROP vsid=0, conn:<,46667,,443,6>;
@;825535;[cpu_0];[SIM-207416775];sim_pkt_send_drop_notification: (0,0) received drop, reason: cluster error, conn: <,46667,,443,6>;
@;825535;[cpu_0];[SIM-207416775];sim_pkt_send_drop_notification: no track is needed for this drop - not sending a notificaion, conn: <,46667,,443,6>;
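When zdebug scrolls past at line rate it is hard to see whether every drop really carries the "cluster error" reason or whether other drops are mixed in. As an added example (not from the post or from Check Point), here is a parser for lines in this "fw ctl zdebug + drop" format that groups drops per connection 5-tuple and collects the reason strings and CPUs reported for each; the sample lines are constructed from the message formats quoted above, with documentation-range addresses in place of the poster's stripped ones.

```python
import re
from collections import defaultdict

# Constructed "fw ctl zdebug + drop" sample in the message formats quoted in
# the post; addresses are documentation ranges, not the poster's.
SAMPLE_ZDEBUG = """\
@;825535;[cpu_8];[SIM-207416775];pkt_handle_stateless_checks: Packet dropped (cluster decision). conn: <192.0.2.10,46667,198.51.100.5,443,6>;
@;825535;[cpu_8];[SIM-207416775];do_packet_finish: SIMPKT_IN_DROP vsid=0, conn:<192.0.2.10,46667,198.51.100.5,443,6>;
@;825535;[cpu_0];[SIM-207416775];sim_pkt_send_drop_notification: (0,0) received drop, reason: cluster error, conn: <192.0.2.10,46667,198.51.100.5,443,6>;
@;825535;[cpu_0];[SIM-207416775];sim_pkt_send_drop_notification: no track is needed for this drop - not sending a notificaion, conn: <192.0.2.10,46667,198.51.100.5,443,6>;
@;825536;[cpu_3];[SIM-207416775];pkt_handle_stateless_checks: Packet dropped (cluster decision). conn: <192.0.2.11,51200,198.51.100.5,443,6>;
@;825536;[cpu_3];[SIM-207416775];sim_pkt_send_drop_notification: (0,0) received drop, reason: cluster error, conn: <192.0.2.11,51200,198.51.100.5,443,6>;
"""

LINE_RE = re.compile(r'^@;(?P<seq>\d+);\[cpu_(?P<cpu>\d+)\];\[(?P<module>[^\]]+)\];'
                     r'(?P<func>\w+): (?P<msg>.*)$')
CONN_RE = re.compile(r'conn:\s*<([^,]+),(\d+),([^,]+),(\d+),(\d+)>')   # src,sport,dst,dport,proto
REASON_RE = re.compile(r'reason: ([^,]+)')

def parse_line(line):
    """Split one zdebug line into its fields; None if it is not a zdebug line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    c = CONN_RE.search(rec['msg'])
    rec['conn'] = (c[1], int(c[2]), c[3], int(c[4]), int(c[5])) if c else None
    r = REASON_RE.search(rec['msg'])
    rec['reason'] = r[1].strip() if r else None
    return rec

def summarize_drops(text):
    """Per 5-tuple: count of 'Packet dropped' events, dropping CPUs, reasons seen."""
    stats = defaultdict(lambda: {'drops': 0, 'cpus': set(), 'reasons': set()})
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or rec['conn'] is None:
            continue
        entry = stats[rec['conn']]
        if 'Packet dropped' in rec['msg']:
            entry['drops'] += 1
            entry['cpus'].add(int(rec['cpu']))
        if rec['reason']:
            entry['reasons'].add(rec['reason'])
    return dict(stats)

def cluster_error_conns(text):
    """Connections whose drops were all attributed to 'cluster error'."""
    return sorted(conn for conn, s in summarize_drops(text).items()
                  if s['drops'] and s['reasons'] == {'cluster error'})
```

If cluster_error_conns covers every dropped connection, the drops are cluster decisions rather than rule base or inspection drops, which narrows the investigation to the Load Sharing configuration.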