Furil inside Enterprise Appliances and Gaia OS yesterday

R80.20-R80.30 ClusterXL VLAN monitoring

Hello,

I cannot find any discussion about the fact that in the R80.20 and R80.30 admin guide, in the section "VLAN support in ClusterXL", "monitor all VLAN IDs" is no longer supported. I would like to understand why 🙂 Is there any other way to monitor all VLANs, then? Can someone help?

Thank you,
Best regards,
Furil


Danny inside Enterprise Appliances and Gaia OS yesterday

One-liner for Address Spoofing Troubleshooting

One-liner (Bash) to show a summary about each gateway interface's calculated topology and address spoofing setting.

In expert mode run:

if [[ `$CPDIR/bin/cpprod_util FwIsFirewallModule 2>/dev/null` != *'1'* ]]; then echo; tput bold; echo ' Not a firewall gateway!'; tput sgr0; echo; else echo; tput bold; echo -n ' Interface Topology '; tput sgr0; echo -n '> '; tput bold; tput setaf 1; if [[ -n "$vsname" ]] && [[ $vsname != *'unavail'* ]]; then echo $vsname' (ID: '$INSTANCE_VSID')'; else hostname; fi; tput sgr0; echo -n ' '; printf '%.s-' {1..80}; echo; egrep -B1 $'ifindex|:ipaddr|\(\x22<[0-9]|objtype|has_addr_info|:monitor_only|:external' $FWDIR/state/local/FW1/local.set | sed -n "/$(if [[ -n "$vsname" ]] && [[ $vsname != *'unavail'* ]] && [[ $INSTANCE_VSID != '0' ]]; then echo $vsname; else grep `hostname` /etc/hosts | cut -f1 -d' '; fi)*$/,\$ p" | tail -n +3 | sed 's/[\x22\t()<>]//g' | sed 's/--//g' | sed '$!N;s/\n:ipaddr6/ IPv6/;P;D' | sed '/IPv6/!s/://g' | sed 's/interface_topology/\tCalculated Interface Topology/g' | sed '0,/ifindex 0/{/ifindex 0/d;}' | sed '/ifindex 0/q' | sed '/spoof\|scan/d' | sed 's/has_addr_info true/\tAddress Spoofing Protection: Enabled/g' | sed 's/has_addr_info false/\tAddress Spoofing Protection: Disabled/g' | sed -e '/Prot/{n;d}' | sed '$!N;s/\nmonitor_only true/ (Detect Mode)/;P;D' | sed '$!N;s/\nmonitor_only false/ (Prevent Mode)/;P;D' | sed '$!N;s/\nexternal false/ - Internal Interface/;P;D' | sed '$!N;s/\nexternal true/ - External Interface/;P;D' | sed '/objtype/q' | tac | sed '/ifindex 0/I,+2 d' | sed '/Address/,$!d' | tac | sed '/ifindex/d' | sed 's/,/ -/g' | sed '$!N;s/\nipaddr/ >/;P;D' | sed '/ - /s/^ /\t/' | egrep -C 9999 --color=auto $'>|IPv6|External|Disabled|Detect'; echo; fi

The one-liner is IPv4 and IPv6 compatible, works on clustered and single gateway environments, also within VSX, shows all interface types configured in your firewall object within SmartDashboard, colors specific words of the output for easier identification of important settings, adds additional information regarding the Address Spoofing setting and mode as well as the topology type of each interface, and is of course completely integrated within our ccc script.

Thanks to Tim Hall's preliminary work in this thread.
Thanks to Norbert Bohusch for IPv6 support and testing.
Thanks to Kaspars Zibarts & Bob Zimmerman for VSX support and testing.
Thanks to Anthony Joubaire for support and testing multiple installation targets.

-- More one-liners --
One-liner to show VPN topology on gateways
One-liner to show Geo Policy on gateways
FW Monitor SuperTool
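As an added example (this is not Danny's one-liner and not Check Point code), the same summary written as a small Python parser so the logic is readable: it walks ":key (value)" records, applies the mapping the one-liner uses (has_addr_info to protection enabled/disabled, monitor_only to Detect/Prevent mode, external to topology) and lists the interfaces an auditor should look at first, i.e. those where anti-spoofing is disabled or only detecting. The input is a constructed, simplified excerpt; the exact layout of $FWDIR/state/local/FW1/local.set and its section delimiters are assumptions here, not taken from a real gateway.

```python
import re
from typing import Dict, List

# Constructed excerpt (not copied from a real gateway). It mimics the
# ":key (value)" records the one-liner greps out of local.set; the real file
# has many more fields and nested sections, so this layout is an assumption.
SAMPLE_LOCAL_SET = """\
: (eth0
    :ifindex (1)
    :ipaddr (203.0.113.2)
    :has_addr_info (true)
    :monitor_only (false)
    :external (true)
)
: (eth1
    :ifindex (2)
    :ipaddr (10.1.1.1)
    :has_addr_info (true)
    :monitor_only (true)
    :external (false)
)
: (eth2
    :ifindex (3)
    :ipaddr (192.168.50.1)
    :has_addr_info (false)
    :monitor_only (false)
    :external (false)
)
"""

# ": (eth0" opens an interface section (assumed delimiter); ":key (value)" lines sit inside it.
IFACE_RE = re.compile(r'^\s*:\s*\(\s*"?([\w.:-]+)"?\s*$')
KV_RE = re.compile(r'^\s*:(\w+)\s*\(([^)]*)\)\s*$')


def parse_interfaces(text: str) -> Dict[str, Dict[str, str]]:
    """Return {interface: {field: value}} for every ": (name ... )" section."""
    interfaces: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
            interfaces[current] = {}
            continue
        if line.strip() == ")":          # end of the current section
            current = None
            continue
        m = KV_RE.match(line)
        if m and current is not None:
            interfaces[current][m.group(1)] = m.group(2).strip()
    return interfaces


def summarize(interfaces: Dict[str, Dict[str, str]]) -> Dict[str, Dict[str, str]]:
    """Apply the one-liner's mapping: has_addr_info -> protection on/off,
    monitor_only -> Detect/Prevent mode, external -> topology type."""
    summary: Dict[str, Dict[str, str]] = {}
    for name, fields in interfaces.items():
        topology = "External" if fields.get("external") == "true" else "Internal"
        if fields.get("has_addr_info") == "true":
            mode = "Detect Mode" if fields.get("monitor_only") == "true" else "Prevent Mode"
            spoofing = f"Enabled ({mode})"
        else:
            spoofing = "Disabled"
        summary[name] = {
            "ip": fields.get("ipaddr", "-"),
            "topology": topology,
            "spoofing": spoofing,
        }
    return summary


def weak_interfaces(summary: Dict[str, Dict[str, str]]) -> List[str]:
    """Interfaces that do not actively block spoofed sources (disabled or detect-only)."""
    return sorted(n for n, s in summary.items() if s["spoofing"] != "Enabled (Prevent Mode)")


if __name__ == "__main__":
    report = summarize(parse_interfaces(SAMPLE_LOCAL_SET))
    for name, s in report.items():
        print(f"{name:<8} {s['ip']:<16} {s['topology']:<9} Address Spoofing Protection: {s['spoofing']}")
    print("Review first:", ", ".join(weak_interfaces(report)))
```

Run it as-is to print the table; to try it on a gateway, feed the real file's contents to parse_interfaces, expecting to adjust the section regex because the real file nests these records under the interface list. An interface in Detect mode only logs packets whose source does not belong to its topology, and one with protection disabled accepts any source address on that interface, so those two states are the ones worth chasing.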

Downloading CPUSE updates outside of Check Point Cloud

Hello all,

Not all companies are allowed to have internet access for their managements and gateways. With internet access, installing the latest Jumbo or even upgrading to a major release is just one command. What just came to my mind is the idea that CPUSE could be used in case there is no internet access, but you could choose whether to use the internet or some internal IP address where all needed packages would be stored. Something like 2 new CPUSE commands:

1. set installer source internet
2. set installer source local <IP_ADDRESS>

In case an admin would like to use a local repository, CPUSE would connect to the server over HTTPS and download packages from there. I am fully aware that a similar idea is already implemented by the Central Deployment Tool (CDT) or by using SmartUpdate. What would be even better is to use a dedicated API and later a UI, as was mentioned by @Dorit_Dor.

R80.20 MTU and SecureXL Problem

Hello,

We have an Ethernet link (no VPN from Check Point) to a network where the MTU is 1422. If we set the MTU on the interface and disable SecureXL, the clients (with the default MTU of 1500) get the ICMP fragmentation packet and start to send packets with a smaller MTU. When we reactivate SecureXL, the clients start to send 1500-byte packets again and do not get an ICMP fragmentation packet from the firewall. We are using a Check Point 5600 cluster with R80.20 with the latest HFA. Did anybody have the same problem?

Jan

What is the equivalent of cphaprob show_bond for a Standalone Gateway (ClusterXL not running)?

The cphaprob show_bond command in expert mode for gateways running ClusterXL is very handy, but it doesn't work for bond interfaces on a standalone gateway. Is there some other command that would show me similar information for troubleshooting bonded interfaces on a standalone gateway?

Please tell me how to disable the 'activate_sw_raid' command

In the past, I entered the "activate_sw_raid" command to test HDD mirroring. After that, I removed the secondary HDD because I had finished testing HDD mirroring. There is no plan to do HDD mirroring in the future. So, it is a problem that /var/log/messages is filled with the following messages:

-----------------------------
Aug 15 11:28:45 2019 12200App cpd: Raid: Failed at getting the rev number for Disk 1
Aug 15 11:28:45 2019 12200App cpd: Problems with getting output from pipe
Aug 15 11:28:45 2019 12200App cpd: Raid: Failed at getting the LBA for Disk 1
Aug 15 11:28:51 2019 12200App kernel: [fw4_1];fw_send_kmsg: No buffer for tsid 15
Aug 15 11:28:58 2019 12200App ntpd[8125]: kernel time sync enabled 0001
Aug 15 11:29:06 2019 12200App kernel: [fw4_1];fw_send_kmsg: No buffer for tsid 15
Aug 15 11:29:36 2019 12200App last message repeated 2 times
Aug 15 11:29:45 2019 12200App cpd: Problems with getting output from pipe
Aug 15 11:29:45 2019 12200App cpd: Raid: Failed at getting the vendor name for Disk 1
Aug 15 11:29:45 2019 12200App cpd: Problems with getting output from pipe
Aug 15 11:29:45 2019 12200App cpd: Raid: Failed at getting the product ID for Disk 1
Aug 15 11:29:45 2019 12200App cpd: Problems with getting output from pipe
Aug 15 11:29:45 2019 12200App cpd: Raid: Failed at getting the rev number for Disk 1
Aug 15 11:29:45 2019 12200App cpd: Problems with getting output from pipe
Aug 15 11:29:45 2019 12200App cpd: Raid: Failed at getting the LBA for Disk 1
-----------------------------

I do not want these messages to be output. Please tell me the solution.

Proxy ARP after upgrade to R80.30

This week we had some clusters upgraded from R80.10 to R80.30; the customer wants the new and improved HTTPS functionality. When we were done, on 2 VRRP clusters we had some automatic NAT and a special Hide NAT (for WiFi guests). After upgrading you install the policy twice, first the access policy and then again for the Threat Prevention policy. After some time we were told the Guest WiFi did not work; investigation pointed in the end to the proxy ARP that was not active, so we added the Proxy ARP command for the Hide address and pushed the access policy (the third time). After looking with fw ctl arp we then saw 2 Proxy ARP addresses, the one we added and the other an automatic NAT. After removing the manual Proxy ARP again, fw ctl arp kept showing both ARP entries. When we upgraded the other cluster we checked again after 1, 2 and 3 pushes of the access policy, and only after the third push did the Proxy ARP addresses show up. It has been reported and R&D will be informed.

Lost access to gaia portal

Hi guys, running R77.30. Not long ago we lost the ability to web to our gateway and manager; it used to work (self-signed cert) but now the browser throws an error such as "Can't connect securely to this page" with no option to continue anyway. I have tried 3 different browsers, and enabled all TLS versions and even SSLv3, but nothing helps. A Wireshark capture shows a client hello requesting TLSv1.2, then TLSv1.0, then SSLv3.0, and then it stops. Anyone got any solution for this? I would be happy just running plain HTTP, but it seems not to be an option.

config:
set web table-refresh-rate 15
set web session-timeout 10
set web ssl-port 443
set web ssl3-enabled on
set web daemon-enable on

thanks!
HeikoAnkenbrand inside Enterprise Appliances and Gaia OS Thursday

R80.x Ports Used for Communication by Various Check Point Modules

Introduction

This drawing should give you an overview of the ports used by R80 and R77 and of the corresponding communication flows. It should give you an overview of how the different Check Point modules communicate with each other. Furthermore, services that are used for firewall operation are also considered. These firewall services are also partially mapped as implied rules in the rule set on the firewall.

Overview Chapter

Architecture:
R80.x Security Gateway Architecture (Logical Packet Flow)
R80.x Security Gateway Architecture (Content Inspection)
R80.x Security Gateway Architecture (Acceleration Card Offloading)
R80.x Ports Used for Communication by Various Check Point Modules

Performance Tuning:
R80.x Performance Tuning Tip - AES-NI
R80.x Performance Tuning Tip - SMT (Hyper Threading)
R80.x Performance Tuning Tip - Multi Queue
R80.x Performance Tuning Tip - Connection Table
R80.x Performance Tuning Tip - fw monitor
R80.x Performance Tuning Tip - TCPDUMP vs. CPPCAP
R80.x Performance Tuning Tip - DDoS „fw sam“ vs. „fwaccel dos“

Cheat Sheet:
R80.x cheat sheet - fw monitor
R80.x cheat sheet - ClusterXL

More interesting articles:
Article list (Heiko Ankenbrand)

References
Support Center: Ports used by Check Point software

Versions
+ v1.4a bug fix, update port 1701 udp L2TP 09.04.2018
+ v1.4b bug fix 15.04.2018
+ v1.4c CPUSE update 17.04.2018
+ v1.4d legend fixed 17.04.2018
+ v1.4e add SmartLog and SmartView on port 443 20.04.2018
+ v1.4f bug fix 21.05.2018
+ v1.4g bug fix 25.05.2018
+ v1.4h add Backup ports 21, 22, 69 UDP and ClusterXL full sync port 256 30.05.2018
+ v1.4i add port 259 udp VPN link probing 12.06.2018
+ v1.4j bug fix 17.06.2018
+ v1.4k add OSPF/BGP route sync 25.06.2018
+ v1.4l bug fix routed 29.06.2018
+ v1.4m bug fix tcp/udp ports 03.07.2018
+ v1.4n add port 256 13.07.2018
+ v1.4o bug fix / add TE ports 27.11.2018
+ v1.4p bug fix routed port 2010 23.01.2019
+ v1.4q change to new forum format 16.03.2019

old version 1.3:
+ v1.3a new design (blue, gray), bug fix, add netflow, new names 27.03.2018
+ v1.3b add routing ports, bug fix design 28.03.2018
+ v1.3c bug fix, rename ports (old) 29.03.2018
+ v1.3d bug fix 30.03.2018
+ v1.3e fix issue L2TP UDP port 1701

old version 1.1:
+ v1.1a - added r80.xx ports 16.03.2018
+ v1.1b - bug in drawing fixed 17.03.2018
+ v1.1c - add RSA, TACACS, Radius 19.03.2018
+ v1.1d - add 900, 259 Client-auth - deleted old 4.0 ports 20.03.2018
+ v1.1e - add OPSEC - delete R55 ports 21.03.2018
+ v1.1f - bug fix 22.03.2018
+ v1.1g - bug fix - add mail smtp - add dhcp - add snmp 25.03.2018

Copyright by Heiko Ankenbrand 1994-2019
Amir_Arama inside Enterprise Appliances and Gaia OS a week ago

Check Point R80.20 Gaia OS DHCP server option 150

Hi,

I want to configure the DHCP server on my Gaia OS with DHCP server option 150 (TFTP for IP phones). I saw sk92473, but it says we can only use the options shown, and option 150 isn't there. Does someone know if this is supported and how to configure it?

Thanks
Danny inside Enterprise Appliances and Gaia OS a week ago

Gaia HealthCheck Script v6.16 released

Check Point released v6.16 of its Gaia HealthCheck Script.

Script author: @Nathan_Davieau (LinkedIn profile)

What's new: Added additional descriptions for known issues in /var/log/messages
What's missing: Script self-update

Download Package Link
Date script v6.16 13Aug2019
Mardoqueo inside Enterprise Appliances and Gaia OS a week ago

PBR and Hide NAT

Good day.

I have two links and I have PBRs configured:
Link 1 eth1
Link 2 eth2

My default gateway is: Table 1 X Gateway Provider:
Table 2 Y Gateway Provider:

And I add a policy source: action: Table 2: Y

In SmartDashboard I add the host and do a hide behind NAT to IP; this works perfectly. But when I do a tracert from Windows to the route, it tells me that I am leaving for and it is assumed that we have redundancy of interfaces to route the traffic; when the first link falls we lose internet connectivity throughout the organization.

Any help is really appreciated. Regards.
Emanuel_Miut inside Enterprise Appliances and Gaia OS a week ago

Moving from 4400 (77.30) to 6500 (80.20)

Hi,

We have a 4400 cluster (R77.30) and are planning to move to a 6500 cluster (R80.20). The management server was already moved to R80.20. The new 6500 appliances were installed using ISOmorphic with R80.20.

For the GW replacement I was thinking of the following steps:
1. Export the configuration from the 4400 appliances: show configuration, and then save configuration to a file;
2. Import the configuration to the 6500 appliance: paste the commands from the 4400 appliances, verification of interfaces;
3. On the management server, modify the gateway object with the 6500 appliance hardware and change the software version to R80.20;
4. Establish SIC with the 6500 appliances;
5. Install policy on the 6500 appliances.

Are there any more steps to take into consideration?

Regards,

Hardware for home-lab

Hi,

I want to run R80.30 in my home lab and get all R80 features. Management will run on another remote server. What are you using? I am thinking of running Gaia on a NUC or other small PC under VMware, or should I get a 1430 firewall? Any recommendations?