
When is the System Alert sent out?

What is the trigger of "System Alert" displayed in the following settings? I want to test this setting, but I don't know how to do it. Please tell me as much as you know.
Regards

NAT different ISPs to a single Host IP

Hi, I have 2 ISPs (ISP1 and ISP2) and I would like to do a static NAT from both ISPs (1 and 2) to a specific internal machine (WEB-1). I would like to know if this works, because Check Point accepted the configuration but I can only get to WEB-1 using one of the public IPs (ISP1). I'm new to Check Point.
Regards,
Mauro

Low throughput from 4200 appliance

We have a Check Point 4200 appliance running as our gateway/firewall. Our WAN speed is 1Gbps, but we can only seem to get 100Mbps throughput from the appliance. I have connected a computer directly to our WAN connection to confirm WAN speed, and without going through the firewall I get the correct speed (1Gbps). The WAN interface (eth1) says "Link Speed: 1000Mbps / Full Duplex". I have been monitoring with CPview on the firewall, and I have not seen "Total Mbits/sec" go above 102 Mbps. To me it seems like speed is capped at 100Mbps. I am wondering what the cause of this can be, and what steps should I take to troubleshoot this issue? Appreciate any help.
John_Ejaife inside Enterprise Appliances and Gaia OS 10 hours ago

How do I add SecureGateway to Cisco ISE 2.4 using RADIUS?

I'm having trouble adding a Check Point firewall to ISE 2.4. I've been following a blog where the author claims to have successfully added it to ISE 2.1 (here: http://mdtnets.blogspot.com/2016/07/checkpoint-gaia-radius-authentication.html). In the part where he gets to "Authentication Policy", I assume it's been replaced by Policy Sets. I'm running into trouble setting up the condition "If DEVICE:Device Type Equals Device Type#All Device Types#Checkpoint". I can do "If DEVICE:Device Type Equals: All Device Types" but am not given an option for any other parameters. Am I missing something here?
FWNinja inside Enterprise Appliances and Gaia OS 17 hours ago

VPN Link Selection - Question

Hi all, I have another question for you. I have configured VPN link selection with "Outgoing Route Selection -> When initiating a tunnel -> Operating system routing table". Does the "Operating system routing table" contain PBR routes? Or are PBR routes in a separate table?
Thanks and Best regards
Francesco

Message seen on /var/log/messages - "simi_reorder_enqueue_packet"

Hi there guys, I'm seeing this message "simi_reorder_enqueue_packet" in /var/log/messages. Is this an indication of traffic congestion? My network is momentarily encountering intermittent application connectivity issues, especially on VOIP. As usual, no drops are seen in Tracker and zdebug. Hope someone has encountered this.

R80.30 3.10 Interface issues?

Has anyone had issues with interfaces flapping on R80.30 3.10?  I have two Intel x710 nic cards installed on an HPE G10, where the ports from one card are in bond1 and ports from the other are in bond2. I was running R80.20 3.10, where everything was functioning. I upgraded to .30 and my ports on bond2 started flapping.  I took the ports out of the bond and destroyed the PO on the switch, but the ports continue to flap. I’m hoping I’m missing something, but I’ve noticed weird things like the lacp-rate not honoring the clish setting (I set fast, but the bond shows slow), auto negotiate not honoring the clish setting (I set auto, ethtool says autoneg not supported), rx/tx ringsize not honoring the clish setting (I increased it, but ethtool still shows default) and the default multiqueue setting does not match for all ports (the working 10G ports have more CPU allocated than should be). I have a ticket open, but was curious if others have this issue.  I also installed JHF50 (ongoing take), but no dice.  I tried this on two boxes, same result. I noticed the i40e driver was upgraded when I went to .30 3.10, so I tried to use the older version from .20 3.10, but no luck. The driver seems OK based on internet searches, but Check Point documentation says the i40e driver is for 40G nics and not 10G. Maybe the driver should be the ixgbe driver, but 80.20 3.10 also used the i40e driver. Thoughts?
Danny inside Enterprise Appliances and Gaia OS Monday

HowTo - Creating an scpuser account on Gaia Clish

While reviewing Check Point installations I often encounter setups where the shell of the admin user account was changed to /bin/bash in order to allow copying documents via scp to and from Check Point Gaia systems. This is because the scponly shell isn't known. Follow these steps to create an scpuser for copying documents securely without compromising your admin account.

[ R77.30 ]
add user scpuser uid 2600 homedir /home/scpuser
set user scpuser shell /usr/bin/scponly
set user scpuser password
save config

[ R80.x ]
add user scpuser uid 2600 homedir /home/scpuser
set user scpuser realname Scpuser
add rba role scpRole domain-type System readwrite-features expert
add rba user scpuser roles scpRole
set user scpuser gid 100 shell /usr/bin/scponly
set user scpuser password
save config

Gaia HealthCheck Script v7.01 released

Check Point released v7.01 of its Gaia HealthCheck Script. Script author: @Nathan_Davieau (LinkedIn profile)

What's new:
- Added self-update routine
- Added logger calls to write script statuses to /var/log/messages
- Added check for Active SMS/DMS
- Minor code improvements

Download: healthcheck.sh script v7.01 (12Sep2019)

'Invalid segment retransmission. Packet dropped.'

Hi All, we have a client that is not able to connect to an FTP server. The connection goes through the internal firewall and then gets dropped by our external CP (R80.10). The SYN packet is okay, but the next packet is actually dropped by the same rule that should be allowing it, with the comment 'Invalid segment retransmission. Packet dropped.' Please see the below screen. We initially thought it was down to the application (FileZilla), but it seems it's the same, for example, from the Windows command line. Thank you for any comments.

Proxy ARP after upgrade to R80.30

This week we had some clusters upgraded from R80.10 to R80.30; the customer wants the new and improved HTTPS functionality. When we were done, on 2 VRRP clusters we had some automatic NAT and a special Hide NAT (for WiFi guests). After upgrading you install the policy twice, first the access policy and then again for the Threat Prevention policy. After some time we were told the Guest WiFi did not work; investigation pointed in the end to the proxy ARP that was not active, so we added the Proxy ARP command for the Hide address and pushed the access policy (the third time). After looking with fw ctl arp we then saw 2 Proxy ARP addresses, the one we added and the other from an automatic NAT. After removing the manual Proxy ARP again, fw ctl arp kept showing both ARP entries. When we upgraded the other cluster we checked again after 1, 2 and 3 pushes of the access policy, and only after the third push did the Proxy ARP addresses show up. It has been reported and R&D will be informed.

Smart-1 625 and R80.10

Hoping someone can clarify for me whether I should be able to re-image a Smart-1 625 with R80.10? It picks up the USB but the 625 is not listed in the boot options. I would have expected to see it in option 4 with the other Smart-1 models (Smart-1 5/25/50/200/400/525/3000/5050/5150). I selected option 4 anyway; the installation starts, then it tells me it's unable to find the driver. My contact at Check Point tells me R80.10 is listed as a supported version in the Smart-1 625 release notes, though personally I can't find any RN for this appliance. The R80.10 supported platforms list doesn't include the 625, but then again it doesn't include the 525 either, so I'm unsure how accurate it is. Can anyone help?

Security Checkup with Sandblast Now

Is anyone already using Sandblast Now for doing Security Checkups? There is a Blink image available for R80.30. Use that to quickly start your Sandblast Now Checkup. Setting this up saves you time compared to our original way of doing Checkups. Once you set up the device and online details, the device will automatically start logging online where data is being processed. You don't have to download data or wait for cloud scripts. Within minutes you already see what's happening. I tried this for the first time this week, and if you do Checkups you should definitely give it a try!

Reboot no explanation

Hi, I recently have the issue that a customer of ours has an appliance that reboots without explanation. We have noticed the following behaviour:

[Expert@clusterFW2:0]# last -x |head |tac
reboot   system boot  2.6.18-92cpx86_6 Fri Apr 12 02:44          (00:03)
runlevel (to lvl 3)   2.6.18-92cpx86_6 Fri Apr 12 02:44 - 02:48  (00:03)
runlevel (to lvl 6)   2.6.18-92cpx86_6 Fri Apr 12 02:48 - 02:48  (00:00)
shutdown system down  2.6.18-92cpx86_6 Fri Apr 12 02:48 - 15:59  (13:10)
reboot   system boot  2.6.18-92cpx86_6 Fri Apr 12 02:51          (13:07)
runlevel (to lvl 3)   2.6.18-92cpx86_6 Fri Apr 12 02:51 - 15:59  (13:07)
sseidewi pts/2        dez7acomdv010.in Fri Apr 12 06:05 - 06:25  (00:20)
admin    pts/2        dez7acomdv002.in Fri Apr 12 09:29 - 09:41  (00:12)
admin    pts/2        dez7acomdv001.in Fri Apr 12 14:23 - 14:57  (00:33)
admin    pts/2        dez7acomdv001.in Fri Apr 12 15:46   still logged in

This looks like a normal reboot; however, runlevel 6 is making me wonder, as a normal reboot should not show runlevel 6. In the messages file I can see the message "Restart", but no errors previous to this; the system reboots normally. There are no crash dumps or errors available. Can I somehow confirm that the system was not rebooted by simply pressing the power button or inputting a command?

PBR Question

Hi all, I configured a PBR with two gateways. Related to it, I would like to know the behaviour of a packet matching this PBR. For example, a PC tries to go to the internet. This traffic matches the PBR mentioned above with 2 gateways configured. What is the behaviour? Will this PC always use the first configured gateway? Or can it use, in other/next communications, the second configured gateway?
Thanks and Best Regards
Francesco