
ws_mux errors in /var/log/messages

Hello,
we have R80.20 version in production: two physical Security Gateways nodes in cluster (Open Server) and on virtual Management.
I noticed /var/log/messages contains these entries:
May 21 09:10:29 2019 kernel: [fw4_4];ws_mux_perform_fastpath: ERROR: Fastpath handler failed.
May 21 09:10:29 2019 kernel: [fw4_4];ws_mux_body_fastpath: ERROR: Failed to perform fastpath.
May 21 09:10:30 2019 kernel: [fw4_3];ws_mux_body_fastpath_av: ERROR: Failed to run AV filter. Destroying filter.
May 21 09:10:30 2019 kernel: [fw4_3];ws_mux_perform_fastpath: ERROR: Fastpath handler failed.
May 21 09:10:30 2019 kernel: [fw4_3];ws_mux_body_fastpath: ERROR: Failed to perform fastpath.
May 21 09:11:00 2019 kernel: [fw4_2];ws_mux_body_fastpath_av: ERROR: Failed to run AV filter. Destroying filter.
May 21 09:11:00 2019 kernel: [fw4_2];ws_mux_perform_fastpath: ERROR: Fastpath handler failed.
May 21 09:11:00 2019 kernel: [fw4_2];ws_mux_body_fastpath: ERROR: Failed to perform fastpath.
May 21 09:11:21 2019 kernel: [fw4_1];ws_mux_body_fastpath_av: ERROR: Failed to run AV filter. Destroying filter.
May 21 09:11:21 2019 kernel: [fw4_1];ws_mux_perform_fastpath: ERROR: Fastpath handler failed.
May 21 09:11:21 2019 kernel: [fw4_1];ws_mux_body_fastpath: ERROR: Failed to perform fastpath.
May 21 09:11:39 2019 kernel: [fw4_3];ws_mux_body_fastpath_av: ERROR: Failed to run AV filter. Destroying filter.
May 21 09:11:39 2019 kernel: [fw4_3];ws_mux_perform_fastpath: ERROR: Fastpath handler failed.
May 21 09:11:39 2019 kernel: [fw4_3];ws_mux_body_fastpath: ERROR: Failed to perform fastpath.
May 21 09:11:48 2019 kernel: [fw4_3];ws_mux_body_fastpath_av: ERROR: Failed to run AV filter. Destroying filter.
May 21 09:11:48 2019 kernel: [fw4_3];ws_mux_perform_fastpath: ERROR: Fastpath handler failed.
May 21 09:11:48 2019 kernel: [fw4_3];ws_mux_body_fastpath: ERROR: Failed to perform fastpath.
May 21 09:12:11 2019 kernel: [fw4_2];ws_mux_body_fastpath_av: ERROR: Failed to run AV filter. Destroying filter.
May 21 09:12:11 2019 kernel: [fw4_2];ws_mux_perform_fastpath: ERROR: Fastpath handler failed.
May 21 09:12:11 2019 kernel: [fw4_2];ws_mux_body_fastpath: ERROR: Failed to perform fastpath.
May 21 09:13:28 2019 kernel: [fw4_0];ws_mux_body_fastpath_av: ERROR: Failed to run AV filter. Destroying filter.
May 21 09:13:28 2019 kernel: [fw4_0];ws_mux_perform_fastpath: ERROR: Fastpath handler failed.
May 21 09:13:28 2019 kernel: [fw4_0];ws_mux_body_fastpath: ERROR: Failed to perform fastpath.
May 21 09:13:33 2019 kernel: [fw4_1];CLUS-120200-1: Starting CUL mode because CPU usage (82%) on the local member increased above the configured threshold (80%).
May 21 09:13:37 2019 kernel: [fw4_2];ws_mux_body_fastpath_av: ERROR: Failed to run AV filter. Destroying filter.
May 21 09:13:37 2019 kernel: [fw4_2];ws_mux_perform_fastpath: ERROR: Fastpath handler failed.
May 21 09:13:37 2019 kernel: [fw4_2];ws_mux_body_fastpath: ERROR: Failed to perform fastpath.
May 21 09:14:06 2019 kernel: [fw4_5];ws_mux_body_fastpath_av: ERROR: Failed to run AV filter. Destroying filter.
May 21 09:14:06 2019 kernel: [fw4_5];ws_mux_perform_fastpath: ERROR: Fastpath handler failed.
May 21 09:14:06 2019 kernel: [fw4_5];ws_mux_body_fastpath: ERROR: Failed to perform fastpath.
May 21 09:14:13 2019 kernel: [fw4_1];CLUS-120202-1: Stopping CUL mode after 10 sec (short CUL timeout), because no member reported CPU usage above the configured threshold (80%) during the last 10 sec.
May 21 09:15:03 2019 kernel: [fw4_1];ws_mux_body_fastpath_av: ERROR: Failed to run AV filter. Destroying filter.
May 21 09:15:03 2019 kernel: [fw4_1];ws_mux_perform_fastpath: ERROR: Fastpath handler failed.
May 21 09:15:03 2019 kernel: [fw4_1];ws_mux_body_fastpath: ERROR: Failed to perform fastpath.
Any suggestion?
Bye,
Luca
Rafael_Lima1 inside General Management Topics yesterday
views 372 8

Legitimate traffic being blocked - R80.20

After migration to R80.20 we are having legitimate traffic being blocked. Filtering via "fw ctl zdebug drop", we receive the following log:
@;2731325746;[cpu_9];[fw4_2];fw_log_drop_ex: Packet proto=6 x.x.x.x:45242 -> y.y.y.y:443 dropped by fwmultik_process_f2p_cookie_inner Reason: PSL Drop: internal - reject enabled
We opened an SR and they passed us SK33328, which was done but did not work; we still have connection problems sometimes.
The traffic is from an Apache server to an nginx, TCP/443.
Has anyone else gone through this and could help?
Kevin_Werner inside General Management Topics yesterday
views 1442 8 1

80.10 to 80.20 Pre-Upgrade Verifier

I'm attempting to run the 80.20 pre-upgrade verification script on my 80.10 management server, but nothing appears to be happening when I execute it. I've run the tool in the past with no issues so I am assuming there is a problem with my syntax. I'm running ./pre_upgrade_verifier -p $FWDIR -c R80 -t R80.20 and am not getting an output. The help doesn't list 80.10 as a possibility for the currently installed version so I'm partially wondering if it's not supported.
where the Currently installed version is one of the following:
NGX_R65 (aliases: 6.0.1.0)
R70 (aliases: R70_R70, 6.0.1.6)
R71 (aliases: R71_R71, 6.0.1.7)
R75 (aliases: R75_R75, 6.0.2.0)
R75.20 (aliases: R75.20_R75.20, 6.0.2.1)
R75.40 (aliases: R75.40_R75.40, 6.0.2.5)
R75.40VS (aliases: R75.40VS_R75.40VS, 6.0.3.0)
R76 (aliases: R76_R76, 6.0.3.5)
R77 (aliases: R77_R77, 6.0.4.0)
R80 (aliases: R80_R80, 6.0.4.8)
The file permissions for the entire upgrade pack are below:
-rw-r----- 1 admin root 19141755 Jan 22 10:00 Check_Point_R80.20_Gaia_SecurePlatform_Migration_Tools.tgz
-rwxr-xr-x 1 105 80 893915 Dec 6 03:52 gtar
-rwxr-xr-x 1 105 80 241318 Dec 6 03:52 gzip
-rwxr-xr-x 1 105 80 9210256 Dec 6 03:52 ips_upgrade_tool
-rwxr-xr-x 1 105 80 4636 Dec 6 03:52 mgmt_puv.sh
-rwxr-xr-x 1 105 80 14529536 Dec 6 03:52 migrate
-rw-r--r-- 1 105 80 70783 Dec 6 03:52 migrate.conf
-rw-r--r-- 1 105 80 107 Dec 6 03:52 plugin_pack.conf
-rwxr-xr-x 1 105 80 8388116 Dec 6 03:52 plugin_upgrade_matcher
-rwxr--r-- 1 105 80 19175 Dec 6 03:52 ppidb.conf
-rwxr-xr-x 1 105 80 20965372 Dec 6 03:52 pre_upgrade_verifier
-rwxr-xr-x 1 105 80 1468920 Dec 6 03:52 puv_report_generator

r80.10 FQDN allow rule not being picked up in DMZ zone.

TL;DR
Have rules for cylance.com being allowed on the application layer (All traffic regardless of zones.) However, the DMZ network is not seeing all their AWS instances as "cylance.com".
Okay fine I'll create a network rule (Seeing its traffic get blocked by last catch-all block/drop) for the DMZ to wildcard *.cylance.com <--- But you can't do that so I did .*\.cylance.com (FQDN domain object.)
Still nada. The odd thing is DMZ stuff isn't resolving their AWS addresses as standard traffic does.
Does anyone know where I've gone wrong? Thanks in advance.
Sergio_Afonso_C inside General Management Topics yesterday
views 3488 6 2

IPSec ikev2

Has someone configured a lan2lan tunnel with just ikev2? I have a problem with IDi that presents in the remote peer (it presents private IP) and I do not know if it can be changed / forced to be public IP, without changing the main IP of the cluster. I cannot disable the NAT-T because I have other IPSec tunnels working well with ikev1.
This issue is only with V2.
Thank you!
liamc95
inside General Management Topics yesterday
views 52 2
Employee

SmartProvisioning Management HA

Can anyone please advise if Management HA is supported if Smart Provisioning is being used? There is no official documentation I can find for this.

Change to Existing NAT Configuration

We have what I would consider to be a fairly standard firewall configuration. We have a firewall that connects to a vendor. The firewall is a 3200 running R80.10. The inside address of the firewall is 10.1.1.1/24 (for example) and the outside IP Address of the firewall is 10.34.1.1/28 (again, for example) and leads to the vendor's router interface (10.34.1.2). We NAT traffic from an internal host (10.1.1.8) to a host that's accessed via the firewall (192.168.1.1 for example). It's an automatic NAT configuration with the NAT being configured in the firewall object. The NAT for that object is 10.34.1.10.
The vendor is needing to replace their routers and in doing so, they want to change the IP Addresses of the interfaces that lead to us. They want to change the 10.34.1.X subnet to a 10.35.1.X/24 subnet but they want to keep the NAT configuration the same. They want us to continue to NAT the 10.1.1.8 host to the 10.34.1.10 address and send it through the firewall to the 10.35.1.X interface. Because of ARP issues, I'm not certain how we would NAT to a subnet that doesn't exist on the firewall. We do that with Cisco ASAs when configuring a VPN connection but that's completely and totally virtual so ARP doesn't necessarily come into play.
To hopefully make this a bit more clear, here's an ascii render of what we're being asked to do;
Current
Server (10.1.1.8) -> (FW inside - 10.1.1.1) - (NAT source address to 10.34.1.10) - (FW outside - 10.34.1.1) -> Vendor Router (10.34.1.2)
Requested
Server (10.1.1.8) -> (FW inside - 10.1.1.1) - (NAT source address to 10.34.1.10) - (FW outside - 10.35.1.1) -> Vendor Router (10.35.1.2)
With the source IP addresses being NATed from an IP Address that isn't on the interface talking to the vendor's router, how would we configure the NAT? Would we just leave it as automatic and change the IP Addresses of the outside interface of the firewall (changing the static route to the vendor's host at the same time)?
Thanks!

Alert via Email (Authentication - O365)

Hi, I'm trying to set up Alert via Email within an O365 environment.
If I'm not wrong, native commands don't support the authentication, so how are you handling that kind of alerts?
Do you use a custom script?
Thank you
Nicolas

R80.10 Management Database Merge

Hi Everyone,
Our Organization is in the process of shutting down unnecessary security gateways while merging Management database between our main Clusters of Management servers.
Right now we are focusing on moving some policies along with their functional gateways to the main management server which was recently upgraded to R80.10. Our older management server (which will be shut down in a few months, still at R77.30) contains 2 gateways that we wish to upgrade to R80.10 as well, so they need to be managed under the R80.10 SMS.
FYI, we completed several steps to reach our target:
1. Exported and Imported the Old SMS DB into a NSX Managed R77.30 SMS.
2. Removed any policies/rules that are not related to those two cluster SG.
3. Performed a PUV on the NSX SMS, fixed the errors shown and upgraded that SMS to R80.10 successfully along with its corresponding DB.
The next step was to add the DB (literally left all we wanted to transfer) from R80.10 NSX SMS to Our Main Environment SMS (not in place of).
That's where we are struggling: we tried to export the policy through the actions window as a CSV file and to import as a bulk adding to the other DB with the API command mgmt_cli --batch file.csv .
Should we try contact Checkpoint Support PS to run SmartOptimize or use a python script?
Is there any other known solution?
Best Regards,
MOD.
Marcel_Wildenbe inside General Management Topics Sunday
views 1457 28 3

upgrade to R80.20 failed

Hi CheckMates,
Last night, I tried to upgrade our MDS from R80.10 to R80.20.
I have run into a few issues, but the most aggravating was when the installer got stuck and I had to reboot in order to get any further; the snapshot that was made by the installer was not removed and a new attempt is telling me there is not enough free space.
CP support tells me to run MDS export, do a fresh install and import, but I would like to avoid the hassle and just remove the LV.
Can I remove this Logical Volume and if so, how do I do that?
It is GAIA running on VMware 5.5. So it is using LVM for Snapshots. "show snapshots" is showing no snapshots, but lvm_manager shows me lv_fcd_new of 300 GB, non configurable, containing: Factory defaults volume, which was not present prior to the upgrade.
Phil_Haddy inside General Management Topics Saturday
views 44 2

Rule Base Search Error

Hi
Any help appreciated, all rule base searches in SmartConsole (R80.10) report "An error occurred while searching".
asif inside General Management Topics Friday
views 64 2

MDS in smart-1 405

Is the 'Multi-Domain Server' option available in the Smart-1 405 checkpoint device? I'm unable to find the option to enable MDS in first time configuration or in smart-console. Please clarify. As of now, I configured and deployed single-domain (refer attached)
carl_t inside General Management Topics Friday
views 39 1

How do I allow access to Office 365 servers that constantly update the list of IPs

Hi All
We currently use a cloud based web proxy for all our users' web traffic. On the Firewalls we have rules only permitting users to access these proxies; all other web traffic is blocked.
We want to bypass the proxy for Office 365, however the IP and URL list is exhaustive and also constantly changes. Without doing dynamic object rules which do dns lookups and cause issues with the firewall, is there any other way we can achieve this?
For example using application control?
If we did do app control, would we still need the rule in the security policy? Does the Firewall look at the security policy first, then the app control second?
cheers
MP inside General Management Topics Friday
views 39 2

Smartconsole service with multiple port ranges

Hi, CheckMates, I'm currently migrating a TMG to Checkpoint with GAIA R80.20.
In TMG we have custom services/protocols for our applications that need specific ports, and in a few of them, we have more than one port or more than one port range.
Is it possible to do the same in custom services on the SmartConsole, or do I need to create one custom service for each port/range for the same application?
Example (dummy): for application Skype I have a custom service/protocol called "Skype_Service", with the port ranges "10-20", "30-40" and "50-60" specified.
When I try to do this in the SmartConsole, I can only specify one port, one range or any; it doesn't give me the option to have multiple ports or multiple port ranges.
Do I need to create a service for each port/range?
Thank you in advance.

"encounterred an improper argument" when search source or destination object

I can't search source or destination IP address or user name; when I try it, the console prompts "encounterred an improper argument."
Gaia version is R77.30 and hotfix is 345.