Showing results for 
Search instead for 
Did you mean: 
Post a Question

LOM password reset on 5600 and 12400 appliances

Hello Can you please suggest if there is an option for LOM password reset? I hound instructions for setting IP, how about resetting LOM Lights Out Management password? Regards,Serg References:sk97849 - Configuring IP Address for LOM card on 21400 appliance through the System Consolesk94670 - Setting Lights Out Management (LOM) IP address from SecurePlatform OS on Power-1 appliances At the system console port, load the IPMI drivers into Linux memory: [Expert@HostName]# /etc/init.d/ipmi start Should get:Starting ipmi drivers: [ OK ] Note: It takes around 20 seconds to load the drivers. Check if LOM LAN factory default settings are correct. The bold IP addresses indicated by "<----" are the ones that will be modified. [Expert@HostName]# ipmitool lan print 1Set in Progress : Set Complete Auth Type Support : NONE MD2 MD5 OEM Auth Type Enable : Callback : MD2 MD5 OEM : User : MD2 MD5 OEM : Operator : MD2 MD5 OEM : Admin : MD2 MD5 OEM : OEM : IP Address Source : Static Address IP Address : <---- Subnet Mask : <---- MAC Address : XXXXXXXXXXXXXXX SNMP Community String : AMI IP Header : TTL=0x00 Flags=0x00 Precedence=0x00 TOS=0x00 BMC ARP Control : ARP Responses Disabled, Gratuitous ARP Disabled Gratituous ARP Intrvl : 0.0 seconds Default Gateway IP : <----- Default Gateway MAC : 00:00:00:00:00:00 Backup Gateway IP : Backup Gateway MAC : 00:00:00:00:00:00 RMCP+ Cipher Suites : Cipher Suite Priv Max : XXXXXXXXXXXXXXX : X=Cipher Suite Unused : c=CALLBACK : u=USER : o=OPERATOR : a=ADMIN : O=OEMSet the timeout value for the LOM console switch to 59 minutes:
DW inside Enterprise Appliances and Gaia OS yesterday
views 61 5

Firewall Information

I need to know how to find the following information from my Firewalls:Serial NumberMac AddressFirewall NameIs there a CLI command I can use?

ClusterXL Not Automatically Failing Over

Appliances: (2) 5400 16GB RAM Gaia R80.10I have been experiencing this issue for over 18 months and haven't made progress with TAC. I am currently running R80.10 and was experiencing this issue in R77.30 as well (my upgrade to R80.10 was an attempt to resolve this issue).Description: When physical memory approaches 16GB of consumption, traffic begins to drop. Running 'fw ctl zdebug drop' reveals a lot of 'Reason: PSL Drop: TCP segment out of maximum allowed sequence.' errors. If I'm lucky enough to catch things at this point, I can manually fail over to the standby node and the issue is immediately resolved. If I don't catch things at this stage, the primary node will eventually stop passing traffic and does not automatically fail over to the standby node. I cannot get in or out of my network and I cannot remotely manage the gateway without using the lights-out port (I've added lights-out because of this issue). This cluster is in my HQ office and all 26 remote locations are in a VPN community with this cluster (remote locations are 1450 appliances running R77.20.86). When this issue occurs, everyone in the company is impacted.QoS definitely has an impact on this issue. Memory usage climbs by 1GB/day with QoS enabled. With QoS disabled, memory usage climbs by about 100MB/day. So with QoS disabled, the issue occurs much less frequently. With QoS enabled, I've got about a week before this issue occurs. In the past, when I manually fail over, I will reboot the non-active node. I tried something different last week. I failed over to the standby (cpstop && cpstart) and when the primary was showing 'standby' I failed back over. At some point 2 days later after business hours, the primary stopped passing traffic and didn't fail over.I find it hard to believe that I'm the only one experiencing this issue. If anyone has any ideas, I'd greatly appreciate the help.

unable to join another network and internet through the appliance

Hello community, I need your help. in fact I had to deploy a 3200 applicance under GAIA R80.20 to a client who already has an ASA cisco that I have to replace. So after configuring the interfaces, the default route, the DNS and importing the cisco ASA rules, I connected the appliance to the network. But no communication possible through the 3200. attached the existing architecture with the ASA

PBR with VPN

Hi MatesCurrently I am having a case like the following:- We have a 5600 Appliance which has 2 external interfaces, one for Inbound traffic with public IP, one for Outbound traffic with private IP.- We PBR for all DMZ server for Inbound interface, and users access to internet through Outbound interface with normal route.- We want to Remote Access by Inbound inteface, but cannot. If i change default route in "normal" routing table from Outbound to Inbound, we can Remote Access VPN normallyI'm sure the problem is due to PBR, but is there any solution for remote access by Inbound interface?Thank you and Best Regards.

Geo-policy in the following scenario

Hi,I actually wanted to know if I can achieve the following using GEO POLICY in R80.20- BLOCK INCOMING from all countries but one- ALLOW OUTGOING to all countries.Is this possible in a simple way, because the non simple way is too time consuming.I would have to set policy for other countries to Drop and then individually add rules for 250 countries as "allow to" Is there any simpler way of achieving this?

R80.30 3.10 EA Program is now available!

Hi all, We are happy to announce that R80.30 3.10 EA program for Security Gateway and VSX is now available. For production EA path please contact For public EA path login to and go to Try Our Products -> Early Availability Programs. Then register to CPEA-EVAL-R80.30-3.10 public EA program. Release notes for this EA program are available here

Comparing 15000 series appliances against 6000 series

Hello!Check Point released a new appliance line of 6000 series and here comes the new challenge. For a customer who wants NGTP functionality and in the scenario where based on sizing 15600 is a perfect match for them, should we go for it or it is even better to go with 6800 model? You see NGTP performance of 6800 is far better by datasheet and price is much lower too.Enterprise Testing Conditions:6800 Security Gateway- 8.9 Gbps of Threat Prevention15600 Security Gateway- 7.4 Gbps of Threat Prevention2Both numbers are provided with R80.20 Your opinions?BRVato

Can't boot, no inittab file found, enter runlevel

Hello everyone, I really need help urgently from you. in fact, I recently tried to install OS GAIA R80.20 on my checkpoint 3200 appliance but the installation did not really start. And since when I try to start my appliance I get the message:Found volume group "vg_splat" using metadata type lvm24 logical volume(s) in volume group "vg_splat" now activeINIT: No inittab file foundINIT: Entering runlevel: 3INIT: no more processes left in this runleveln 3 seconds] I have already tried a factory and reset several times still nothing.I really rely on you to help me fix this problem as soon as possible because I have to deploy the appliance this Saturday at a customer. I'm waiting thank you

Management IP address after factory reset

Hi,I'm trying to recall if you do a factory reset on a gateway, does the IP address assigned to the mgt port stay intact or does it get reset to Thanks.

PBR and SecureXL issues in R80.20

Hi Guys,Has anyone had any issues with PBR on R80.20 ?I have tried an upgrade from a working R80.10 to R80.20 twice now and found that the PBR is an issue once upgraded to R80.20.This is on JHF 33 and now JHF 73 .One of the troubleshooting steps after seeing sk109741 was to switch off SecureXL - once we did that all worked as it did on R80.10 .<also tried the PBR route lookup option - it made no difference)We have opened a TAC case and have had the environment running succesfully without SecureXL for the entire day - but obviously we want to enable SecureXL ultimately . Just thought I would post in case anyone else is having PBR issues on R80.20 ?(also if you have any ideas on how to fix this - before TAC gets back to me - let me know)
HeikoAnkenbrand inside Enterprise Appliances and Gaia OS a week ago
views 5425 47 32

GAIA - Easy execute CLI commands on all gateways simultaneously

Now you can use the new command "gw_mbash" and "g_mclish" to execute bash or clish commands on all gateway simultaneously from the management server. All you have to do is copy and paste the above lines to the management server. After that you have two new commands on the management server. Here you can now centrally execute simple commands on all gateways which are connected via SIC with the management. Attention! You can quickly destroy your gateways if you enter the wrong commands! Command syntax: Command Description # gw_detect # gw_detect80 Detect all your gateways that support from this tool. This command only needs to be executed once or when gateways changed in topology.All founded gateways are stored as IP address in this file /var/log/g_gateway.txt. All added IP addresses will be used later to execute commands on these gateways. The file can also be edit manually to add gateway IP adressess. The execution of this command may take a few minutes. Use this command on R80.x gateways "gw_detect80" is a little bit faster. Use this command on R77.x gateways "gw_detect". # gw_mbash <command> Execute expert mode command on all gateway simultaneously # gw_mclish <command> Execute clish command on all gateway simultaneously An example! You want see the version of all gateway they are defined in the topology. Management# gw_detect -> start this command fist to detect all your supported gateways or "gw_detect80" on R80.x gatewaysManagement# gw_mclish show version os edition -> execute this command on all gateways Now the command "show version os edition" is executed on all gateways and the output is displayed on the management server sorted according to the ip addresses of the gateways in the firewall topologie. The same also works for the expert mode. For example: Management# gw_detect -> start this command fist to detect all your supported gateways or "gw_detect80" on R80.x gatewaysManagement# gw_mbash fw ver -> execute this command on all gateways Tip 1 Use this command to backup your clish configs from all gateways. Management# gw_mclish show configuration > backup_clish_all_gateways.txt This can also be start as simply cronjob😀. Tip 2 Check central performance settings for all gateways: Management# gw_mbash fw tab -t connections -s -> show state table for all gateways Management# gw_mbash fwaccel stat -> show fwaccel state's for all gatewaysManagement# gw_mbash ips stat -> check on witch gateway ips is enabled ... Cppy and paste this lines to the management server or download the script "" and execute the script. echo '#!/bin/bash' > /usr/local/bin/gw_mbash echo 'if [ ! -f /var/log/g_gateway.txt ]; then' >> /usr/local/bin/gw_mbash echo 'echo "First start \"gw_detect\" and\or edit the file \var\log\gw_gateway.txt manually. Add here all your gateway IP addresses."' >> /usr/local/bin/gw_mbash echo 'else' >> /usr/local/bin/gw_mbash echo 'HAtest="$@"' >> /usr/local/bin/gw_mbash echo 'echo $HAtest > /var/log/g_command.txt;' >> /usr/local/bin/gw_mbash echo 'while read line' >> /usr/local/bin/gw_mbash echo 'do' >> /usr/local/bin/gw_mbash echo 'if $CPDIR/bin/cprid_util getarch -server $line |grep "gaia" > /dev/null;' >> /usr/local/bin/gw_mbash echo 'then' >> /usr/local/bin/gw_mbash echo 'echo "--------- GAIA $line execute command: $HAtest"' >> /usr/local/bin/gw_mbash echo '$CPDIR/bin/cprid_util -server $line putfile -local_file /var/log/g_command.txt -remote_file /var/log/g_command.txt;' >> /usr/local/bin/gw_mbash echo '$CPDIR/bin/cprid_util -server $line -verbose rexec -rcmd /bin/bash -f /var/log/g_command.txt' >> /usr/local/bin/gw_mbash echo 'else' >> /usr/local/bin/gw_mbash echo 'echo "--------- STOP $line Error: no SIC to gateway or no compatible gateway"' >> /usr/local/bin/gw_mbash echo 'fi' >> /usr/local/bin/gw_mbash echo 'done < /var/log/g_gateway.txt' >> /usr/local/bin/gw_mbash echo 'fi' >> /usr/local/bin/gw_mbash chmod +x /usr/local/bin/gw_mbash echo '#!/bin/bash' > /usr/local/bin/gw_mclish echo 'if [ ! -f /var/log/g_gateway.txt ]; then' >> /usr/local/bin/gw_mclish echo 'echo "First start \"gw_detect\" and\or edit the file \var\log\gw_gateway.txt manually. Add here all your gateway IP addresses."' >> /usr/local/bin/gw_mclish echo 'else' >> /usr/local/bin/gw_mclish echo 'HAtest="$@"' >> /usr/local/bin/gw_mclish echo 'echo $HAtest > /var/log/g_command.txt;' >> /usr/local/bin/gw_mclish echo 'while read line' >> /usr/local/bin/gw_mclish echo 'do' >> /usr/local/bin/gw_mclish echo 'if $CPDIR/bin/cprid_util getarch -server $line |grep "gaia" > /dev/null;' >> /usr/local/bin/gw_mclish echo 'then' >> /usr/local/bin/gw_mclish echo 'echo "--------- GAIA $line execute command: $HAtest"' >> /usr/local/bin/gw_mclish echo '$CPDIR/bin/cprid_util -server $line putfile -local_file /var/log/g_command.txt -remote_file /var/log/g_command.txt;' >> /usr/local/bin/gw_mclish echo '$CPDIR/bin/cprid_util -server $line -verbose rexec -rcmd /bin/clish -f /var/log/g_command.txt' >> /usr/local/bin/gw_mclish echo 'else' >> /usr/local/bin/gw_mclish echo 'echo "--------- STOP $line Error: no SIC to gateway or no compatible gateway"' >> /usr/local/bin/gw_mclish echo 'fi' >> /usr/local/bin/gw_mclish echo 'done < /var/log/g_gateway.txt' >> /usr/local/bin/gw_mclish echo 'fi' >> /usr/local/bin/gw_mclish chmod +x /usr/local/bin/gw_mclish echo '#!/bin/bash' > /usr/local/bin/gw_detect echo 'echo -n > /var/log/g_gateway.txt' >> /usr/local/bin/gw_detect echo "more $FWDIR/conf/objects.C |grep -A 500 -B 1 ':type (gateway)'| sed -n '/gateway/,/:ipaddr (/p' | grep 'ipaddr (' | sed 's/^[ \t]*//' | sed 's/\:ipaddr (//' |sed 's/)//' > /var/log/g_gwl.txt" >> /usr/local/bin/gw_detect echo 'while read line' >> /usr/local/bin/gw_detect echo 'do' >> /usr/local/bin/gw_detect echo 'if $CPDIR/bin/cprid_util getarch -server $line |grep "gaia" > /dev/null;' >> /usr/local/bin/gw_detect echo 'then' >> /usr/local/bin/gw_detect echo 'echo "--------- GAIA $line "' >> /usr/local/bin/gw_detect echo 'echo "$line" >> /var/log/g_gateway.txt' >> /usr/local/bin/gw_detect echo 'else' >> /usr/local/bin/gw_detect echo 'echo "--------- STOP no SIC to gateway or no compatible gateway"' >> /usr/local/bin/gw_detect echo 'fi' >> /usr/local/bin/gw_detect echo 'done < /var/log/g_gwl.txt' >> /usr/local/bin/gw_detect chmod +x /usr/local/bin/gw_detect echo '#!/bin/bash' > /usr/local/bin/gw_detect80 echo 'echo -n > /var/log/g_gateway.txt' >> /usr/local/bin/gw_detect80 echo "mgmt_cli -r true show gateways-and-servers details-level full --format json | $CPDIR/jq/jq -r '.objects[] | select(.type | contains(\"Member\",\"simple-gateway\")) | .\"ipv4-address\"' |grep -v null|grep -v 0.0. > /var/log/g_gwl.txt" >> /usr/local/bin/gw_detect80 echo 'while read line' >> /usr/local/bin/gw_detect80 echo 'do' >> /usr/local/bin/gw_detect80 echo 'if $CPDIR/bin/cprid_util getarch -server $line |grep "gaia" > /dev/null;' >> /usr/local/bin/gw_detect80 echo 'then' >> /usr/local/bin/gw_detect80 echo 'echo "--------- GAIA $line "' >> /usr/local/bin/gw_detect80 echo 'echo "$line" >> /var/log/g_gateway.txt' >> /usr/local/bin/gw_detect80 echo 'else' >> /usr/local/bin/gw_detect80 echo 'echo "--------- STOP no SIC to gateway or no compatible gateway"' >> /usr/local/bin/gw_detect80 echo 'fi' >> /usr/local/bin/gw_detect80 echo 'done < /var/log/g_gwl.txt' >> /usr/local/bin/gw_detect80 chmod +x /usr/local/bin/gw_detect80 Versions:v0.1 - 04-14-2019 - -> betav0.2 - 04-16-2019 - -> remove bugsv0.3 - 04-17-2019 - -> split to two commands (gw_detect and the old commands)v0.4 - 05-05-2019 - -> add command "gw_detect80" Video tutorial: LITHIUM.OoyalaPlayer.addVideo('https:\/\/\/static\/v4\/production\/', 'lia-vid-9wdnRtaDE62K43G6H0BgrmwVXzp0YJzvw822h520r959', '9wdnRtaDE62K43G6H0BgrmwVXzp0YJzv', {"pcode":"kxN24yOtRYkiJthl3FdL1eXcRmh_","playerBrandingId":"ODI0MmQ3NjNhYWVjODliZTgzY2ZkMDdi","width":"822px","height":"520px"});(view in My Videos) Copyright by Heiko Ankenbrand 1996-2019

OSPF Instances R80.20

Good day Mates I have recently read about the possibility of creating different OSPF instances in R80.20. This feature is really important for us as we have had issue with OSPF before, and we decided to use static routes instead.I would like to know if anyone has already implemented OSPF instances and if it is working as expected.Thanks in Advance

White Paper - Getting out of CPUSE Jumbo Jail

Author @Eric_Oakeson Abstract: This white paper is to address a situation where you are trying to update to a newer HFA, but CPUSE says it is trying to uninstall an older hotfix, and the older one doesn’t exist. CPUSE says it’s there and installed, but cannot uninstall it. This could happen when trying to restore from an older backup. The key is finding the Package Key which is hidden, restoring the repository for that package, then uploading the older package. There is an SK will direct you to TAC, but there is also another way to gather the information you need.

Installing Expansion Interface Cards to a Cluster Gateway

Does anyone have the experience of installing expansion interface cards to a cluster gateway.In a case that we have a cluster object with member GW01 and GW02.As installing expansion interface card requires power off the appliance,GW01: Active, GW02: Standby If we install an interface card for GW02 first (power off, install card and power on), would it be able for GW02 to take the active state from GW01 after GW02 has been installed with expansion card?So that we can do the same for GW01 ? (Power off, install card and power on)I am referencing sk57100 but it seems not the same situation as my case.