Enterprise Appliances and Gaia OS

Have questions about Security Gateway Appliances, Gaia OS, CoreXL, SecureXL, or ClusterXL? This is where to ask them! This also includes legacy operating systems like SecurePlatform, IPSO, or XOS.

For Small Business Security appliances (600/700/1200R/1400/1500), see the SMB Appliances and SMP space.

Upgrading 3 members cluster

Hi,
I need to upgrade a 3 member cluster from R77.30 to R80.10. Until now I have been using the CP_Conectivity_Upgrade, where you upgrade first the two passive members to R80.10 and later the last one. This time I need to upgrade the members one by one like this:

member1 - R77.30 active
member2 - R77.30 standby
member3 - R77.30 standby

to

member1 - R77.30 down
member2 - R77.30 down
member3 - R80.10 active

to

member1 - R77.30 down
member2 - R80.10 active
member3 - R80.10 standby

to

member1 - R80.10 active
member2 - R80.10 standby
member3 - R80.10 standby

Do I need to do a cpstop in member2, then follow the CP_Conectivity_Upgrade with member1 and 3, and then upgrade member1 and 2 one by one? Is this correct?
Thank you!


Hi Guys,
Is it normal in VSX CLI that even if I go into a VS and then do "show configuration", it always shows me the VS0? How can I do a "show configuration" per each VS? I am running R80.20.
Thanks
HeikoAnkenbrand inside Enterprise Appliances and Gaia OS yesterday
"fw ctl zdebug" Helpful Command Combinations

"fw ctl zdebug" is a power tool whose potential is not exhausted by "fw ctl zdebug drop". There is not much to be found in the Check Point KB or in the documentation. "fw ctl zdebug" is an R&D tool for testing software in development. Therefore, it should be used with care. It starts a debug in the background until it is aborted with CTRL+C. On productive systems it can have a high performance impact. Furthermore, the debug buffer is not the largest.

What happens when you execute it? It is a macro that executes the following commands:

    fw ctl debug -buf 1024
    fw ctl debug [the option behind "fw ctl zdebug"]
    fw ctl kdebug -f
    [wait until CTRL+C is pressed]
    fw ctl debug 0

Note: A current list with kernel debug flags can be found here:
    Kernel Debug Flags R80.10
    Kernel Debug Flags R77

Here are some good examples for debugging:

    fw ctl zdebug + packet
    fw ctl zdebug + packet | grep -B 1 TCP | grep -B 1 "(SYN)"          <<< change SYN-ACK, ACK, FIN, ... and/or UDP, TCP, ...
    fw ctl zdebug + all | grep -A 1 "Monitor" | grep ""                 <<< change IP address
    fw ctl zdebug + all | grep -A 2 "Monitor"
    fw ctl zdebug + sync
    fw ctl zdebug + conn | grep "After  VM:" | grep "(SYN)"
    fw ctl zdebug + xlate
    fw ctl zdebug + monitorall                                          <<< use with host IP "| grep" or network range "| grep 1.1."
    fw ctl zdebug + monitor                                             <<< use with host IP "| grep" or network range "| grep 1.1."
    fw ctl zdebug + filter conn | grep -A 8 "rule 1"                    <<< change rule number - show connections to rule xyz
    fw ctl zdebug + filter monitor | grep -A 8 "rule 2"                 <<< change rule number - show connections to rule xyz

Attention: if you turn on debugging, this will affect the performance of the firewall.

Regards, Heiko
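The macro above can be replayed step by step in a small wrapper whose main value is that the reset step ("fw ctl debug 0") is guaranteed to run even if the session is interrupted, which matters on a productive gateway. This is an added example, not code from Heiko's post or from Check Point; FW_BIN is an assumption so the wrapper can be dry-run against a stub instead of the real "fw" binary.

```bash
#!/bin/bash
# Added example (not from the original post or Check Point): replay the
# "fw ctl zdebug" macro with a trap that always resets the kernel debug flags.
# FW_BIN is an assumption: defaults to the real "fw", can point at a stub.
FW_BIN="${FW_BIN:-fw}"

# Expand one debug option (e.g. "+ packet") into the macro's command list,
# one command per line, without executing anything.
zdebug_commands() {
    local opt="$1"
    printf '%s\n' \
        "$FW_BIN ctl debug -buf 1024" \
        "$FW_BIN ctl debug $opt" \
        "$FW_BIN ctl kdebug -f" \
        "$FW_BIN ctl debug 0"
}

# Execute the macro. The trap resets all kernel debug flags on every exit
# path (CTRL+C, a closed pipe to grep, an error), so a forgotten debug
# session cannot keep degrading the gateway.
zdebug_run() {
    local opt="$1"
    [ -n "$opt" ] || { echo "usage: zdebug_run '<debug option>'" >&2; return 2; }
    trap '"$FW_BIN" ctl debug 0 >/dev/null 2>&1' EXIT INT TERM
    "$FW_BIN" ctl debug -buf 1024 || return 1
    # $opt is intentionally unquoted so "+ packet" becomes two arguments.
    # shellcheck disable=SC2086
    "$FW_BIN" ctl debug $opt || return 1
    "$FW_BIN" ctl kdebug -f      # streams until CTRL+C, then the trap fires
}

# Dry run: show what "fw ctl zdebug + drop" would execute.
zdebug_commands "+ drop"
```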
HeikoAnkenbrand inside Enterprise Appliances and Gaia OS yesterday
Show VPN Routing on CLI

The following command shows detailed policy based routing on the CLI. It finds the policy based VPN routes to the corresponding external gateway. The basic Check Point table is "fw tab -f -t vpn_routing -u".

Command:

    echo -e "\033[0m####################\n# VPN Routing      #\n####################";fw tab -f -t vpn_routing -u 2>&1 |grep -v "+"| awk '{split($0,a,";"); print a[8]}' |sort -ng |uniq | awk '{split($0,a," "); print a[2]}' | xargs -I % sh -c  'echo -n "External Gateway: ";echo -e "\033[0;31m % \\033[37m";echo -e "  Routing: \033[32m";fw tab -f -t vpn_routing -u 2>&1 |grep % |awk '\''{split($0,b,";"); print b[6] b[7]}'\''| sed 's/From\://'| sed 's/To\:/-/'|sort -u ;echo -e "\033[0m" '

Regards, Heiko Ankenbrand

Traffic not accelerated by Secure XL

Hi,
I have been dealing with SecureXL for a while and cannot get the traffic accelerated, as you can see in the output below. The problem is the CPUs are going over 95% during day time and I think the reason is SecureXL not handling traffic as expected, as everything is going through the slow path. I have been through many topics here and I will put the outputs you may ask for.

Just a brief information of the firewall: working with ClusterXL, 8 CPUs (2 SND, 6 workers), OPEN SERVER (I'm not sure if this could be any issue). This is an external firewall, having DMZ, VPN and internet traffic of users and servers and more as you can think.

#fwaccel stats -s
Accelerated conns/Total conns : 14/79668 (0%)
Accelerated pkts/Total pkts   : 370720/214400236 (0%)
F2Fed pkts/Total pkts   : 211158051/214400236 (98%)
PXL pkts/Total pkts   : 2871465/214400236 (1%)
QXL pkts/Total pkts   : 0/214400236 (0%)

# fwaccel conns -s
There are 211889 connections in SecureXL connections table

The template number is so low.

# fwaccel templates -s
There are 48 templates in SecureXL templates table

# fwaccel stat
Accelerator Status : on
Accept Templates   : disabled by Firewall
                     Layer CL-EXT Security disables template offloads from rule #xxx (just above the last rule)
                     Throughput acceleration still enabled.
Drop Templates     : enabled
NAT Templates      : disabled by Firewall
                     Layer CL-EXT Security disables template offloads from rule xxx (just above the last rule)
                     Throughput acceleration still enabled.
NMR Templates      : enabled
NMT Templates      : enabled

I downloaded the fwaccel conns table and when investigating it we see that most of the traffic is about these 4 sources with 1 destination address (Exchange related F5 traffic), as nearly 1/3 of the whole table is this connection.

Source  Destination  DPort  PR  Flags           C2S i/f  S2C i/f  Inst
A       X            443    6   F..A...S......  40/32    32/40
B       X            443    6   F..A...S......  40/32    32/40
B       X            443    6   F..A...S......  40/32    32/40
C       X            443    6   F..A...S......  40/32    32/40
A       X            443    6   F..A...S......  40/32    32/40
D       X            443    6   F..A...S......  40/32    32/40
C       X            443    6   F..A...S......  40/32    32/40
D       X            443    6   F..A...S......  40/32    32/40
C       X            443    6   F..A...S......  40/32    32/40
B       X            443    6   F..A...S......  40/32    32/40
B       X            443    6   F..A...S......  40/32    32/40
D       X            443    6   F..A...S......  40/32    32/40
A       X            443    6   F..A...S......  40/32    32/40
C       X            443    6   F..A...S......  40/32    32/40
D       X            443    6   F..A...S......  40/32    32/40
C       X            443    6   F..A...S......  40/32    32/40
B       X            443    6   F..A...S......  40/32    32/40
C       X            443    6   F..A...S......  40/32    32/40
A       X            443    6   F..A...S......  40/32    32/40
B       X            443    6   F..A...S......  40/32    32/40
A       X            443    6   F..A...S......  40/32    32/40
B       X            443    6   F..A...S......  40/32    32/40
B       X            443    6   F..A...S......  40/32    32/40
A       X            443    6   F..A...S......  40/32    32/40
D       X            443    6   F..A...S......  40/32    32/40
D       X            443    6   F..A...S......  40/32    32/40
A       X            443    6   F..A...S......  40/32    32/40
B       X            443    6   F..A...S......  40/32    32/40
D       X            443    6   F..A...S......  40/32    32/40

My question is, how come this traffic isn't accelerated?

Thank you

How to send G-ARP manually?

Dear team,
I encounter a problem. I replaced a Juniper firewall with a Check Point appliance; all DNAT is not accessible when I bring the Check Point appliance online. I believe this is an ARP cache problem, because the DNAT is accessible when I modify the Check Point WAN interface MAC and replace it with the Juniper WAN interface MAC.
I think if I can send a G-ARP manually, all problems will be solved. So, how can I send a G-ARP manually? Thanks!

SAN card configuration procedure on Gaia OS

Hi,
Following sk134476, I'm trying to locate a certified procedure for properly configuring the SAN card on Gaia OS. After installing the supported SAN card on the Open Server, what procedure needs to be executed on Gaia so it will recognize the external storage as the GW's partition?

Background story: One of my customers wants to connect his Log Server (R80.30) to an external storage (Infinidat) using a dedicated SAN card (LPe 11002) installed on his Open Server. So I'm looking for the relevant procedure that he should follow. Does anyone have any practical experience with that?

problem with routed daemon on R80.30 kernel 3.10

Dear CheckMates,
recently we updated two clusters from R77.30 to R80.30 kernel 3.10. Since then we have had some problems regarding OSPF (routes are sometimes not propagated or learned). After research we found some unusual cluster failovers. All these failovers are done automatically as a result of problems with the "routed" daemon. After these failovers all OSPF features start working fine. I saw this problem only on the kernel 3.10 environment. Is anyone running kernel 3.10 with a dynamic routing feature like BGP, OSPF etc. enabled? We have a TAC case open, but I want to hear something from the field.
Thanks, Wolfgang

Sync Interface Sizing

Hi
I am about to build a VSX cluster and am going round in circles on the sync interface. I've decided that it will be a port channel of 2, but I can't decide on whether it needs to be 10Gb or not.
Currently we have a VSX pair with a mix of 1Gb / 10Gb interfaces north and south, about 5 VSs and 2 x 1Gb for the sync, and it works fine.
The new pair will have 7 VSs and the same mix of 1Gb / 10Gb interfaces. I am trying to decide whether I should be using 10Gb for the sync. I'm not really sure of the full detail of what is on it and if it needs to be sized cautiously.
Any advice please?
Many thanks

ssh protocol with proxy

hello
I have installed Check Point as a proxy server, and all users go to the internet with this proxy. I want to pass SSH traffic via the proxy for some users; how can I do it? I did it as it is in the screenshot but it is still not working.

Too many pending data connections for one control connection

Hi,
I am getting this alert email and log message after upgrading from R77.30 to R80.10.

HeaderDateHour: 28May2018 16:18:44; ContentVersion: 5; HighLevelLogKey: N/A; LogUid: N/A; SequenceNum: N/A; Action: drop; Origin: TPLCPFW1; IfDir: <; InterfaceName: bond28; Alert: alert; OriginSicName: CN=TPLCPFW1,O=TPLCPMGMT..er27t2; OriginSicName: CN=TPLCPFW1,O=TPLCPMGMT..er27t2; HighLevelLogKey: 18446744073709551615; src: CZO_Exchange; dst: TPIVRCTR; proto: udp; message_info: Too many pending data connections for one control connection; ProductName: VPN-1 & FireWall-1; svc: sip; sport_svc: sip; ProductFamily: Network;

I have raised a case with Check Point TAC and they have asked me to follow sk33760 every time I get this alert. I have gradually increased the value from 50 to 400 but I am still getting this error. Can anyone help? Is there any other solution to this?
Regards,
Yash

You should use active/active mode only if your single gateway is not able to handle traffic/ CPU/ Memory-Why

LAN Ethernets set to State Off - when power cut.

Hi everyone,
I was hoping someone could shine some light on a problem I'm facing. I have a Check Point 3200 running on R80.10. Over the weekend we experienced a power outage, and upon bringing the equipment back up, the bridged connection that I had created was unavailable. No lights on the ethernet port for both eth3 or 4. Upon inspection via the management port and the shell, I found:

show interface eth4
state off
mac-addr 00:1c:7f:8b:5a:f8
type ethernet
link-state link down
mtu 1500
auto-negotiation Not configured
speed N/A
ipv6-autoconfig Not configured
duplex N/A
monitor-mode Not configured
link-speed Not configured
comments
ipv4-address Not Configured
ipv6-address Not Configured
ipv6-local-link-address Not Configured

I had to manually type ''set interface eth4 state on'' for both interfaces, and my environment came back up; no other settings were changed... Short of getting this CP on a UPS, is there a way to configure it not to change the eth state when it loses power? Is this a feature or a hotfix/bug type deal?
Cheers!

http security server port

Hi
How do you enable the HTTP security server to listen on another port (default is 80)? I am trying to build a rule with a service with resource and I don't think it's matching because the target web port is 8080. Using an R80.20 gateway.

more $FWDIR/conf/fwauthd.conf
......
80 fwssd in.ahttpd wait -8

R80.20 MTU and SecureXL Problem

Hello,
we have an Ethernet link (no VPN from Check Point) to a network where the MTU is 1422. If we set the MTU on the interface and disable SecureXL, the clients (with a default MTU of 1500) get the ICMP Fragmentation packet and start to send packets with a smaller MTU.
When we reactivate SecureXL, the clients start to send 1500 byte packets again and do not get an ICMP Fragmentation packet from the firewall.
We are using a Check Point 5600 cluster with R80.20 with the latest HFA.
Did anybody have the same problem?
Jan