Are you a member of CheckMates?
×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Just had a fun geeky conversation with Dameon Welch Abernathy (AKA Phoneboy) Jony Fischbein , Jeff Schwartz and Michael Poublon (over 100 accumulated years of experience in Check Point products) , on what are our favorite & most useful commands in a Check Point environment.
Below are my 3 , plz add yours in the comments (we will do a poll for the top 5 after getting your feedback ... ).
1) fw ctl zdebug drop
used to quickly see all dropped connections and more importantly the reason (e.g. anti-spoofing, IPS , FW rule , ....)
2) cpstat fw
quickly see stats of number of connections (accepted,denied,logged) with a breakdown
if the FW was under a high load i would usually run " watch --interval=1 'cpstat fw' " (would see a real-time to see the interface that is causing this)
3) fw tab -s -t connections
allowed me to quickly see how much load is (and was i.e "peak" ) on the FW
that's it (i have more , but i want to hear yours ...)
plz add yours in the comments (we will do a poll for the top 5 after getting your feedback ... )
Yes and no 
. Your solutions are perfectly correct, true, but ... don't forget that I called it 'List of Administrator's errors...' not Checkpoint product errors . So technical solutions existed long before R80.10,
e.g. wrong Policy install ? ... can't be easier than that - just check relevant gateways in "Policy Targets" menu for this policy and this will never happen.
Removing object in use ? Well, just read the warning and click on the button "Where used" .
And while my list is compiled based on R55 - R77.30 versions, after speaking with thousands of IT guys/gals managing firewalls, I can assure you - they will 'outsmart' any technical safety measures put by bright R&D folks at Checkpoint, no one can beat the 8th layer of OSI, doesn't mean you should never try but ...
About admin errors (not common ones ) there's one story I have to share that took me 24 hours straight to figure out back in the days of February 2004 in one the largest airlines core FW
There was a worm called mydoom that attacked www.sco.com and other IP addresses (https://www.google.com/amp/www.networkworld.com/article/2330164/lan-wan/the-worm-attacks--sco-downed...)
1)The security admin at that company created a rule #2 :any--(group called) bad-ip--http --drop
2)The symptom was downtime of traffic (ping worked ok) , if you reboot the firewall all works great for like 8 minutes and then the same down time of traffic
3)No drops in the logs
4)After troubleshooting with Cisco R&D, check Point R&D no solution found
5)All of the sudden I was hungry and ate a doughnut
6)After the doughnut I drank Diet Coke (to balance the calories )
7)Then I had an epiphany they should invent a doughnut + croissant , this could work (again it was back in 2004 )
8)No sleep
9)I decided to see what's inside the group called bad-ip
10)I see a fuc$!ng domain object of www.sco.com (I.e. The fw tried to reverse DNS every packet )
11)Face palm
12)I deleted it
13)Everything works till today
Lesson of the story : I should have patented cronut
So what you're saying is domain objects caused traffic to fall into the proverbial cronut hole?
Thankfully, they work much better in R80.10
Hahaha , hilarious.
Going down the memory lane I can recall in 10+ years at Netvision how at least 4 times clients downed their network by using this Dynamic Object - all major enterprises (and the newest case with R77.30 some 2 years ago). The user-friendliness of the SmartConsole tricked them:
" Hmm, my users are abusing the whole line to the Internet with Youtube/Facebook traffic, CEO is not happy - all is slow, but no license for URL Filtering, let's see...."
"Wait a minute, what this standing so prominently alone in the Smart DashBoard Dynamic Object does ?? Cool, it allows to enter facebook.com and youtube.com in its name and use it in Security Rules !!! Eureka ! Next pay raise is a done deal, I am genius. Let's create it as a 1st rule, source is all LANs (or any) ,destination this Dynamic Object(s), install policy and nirvana is close... Should "You were disconnected from the Management server" happen after that? Oh, here is CEO calling, probably to thank me."
"All is lost! No internet for the whole company, Checkpoint firewall failed, let me call my CSP and yell at them to fix it ASAP"
Me: "What changes were done just before failure?"
Him:"Nothing unusual, was doing some rules"
Me:" Can you connect to the firewall from LAN by ssh?"
Him:"Not really" [then goes short explanation how to disconnect the whole LAN, or run fw unloadlocal]
Me: "Please let it be a Standalone firewall" [I am happy - it is indeed Standalone so w/o Security policy I can connect to it from the Internet"
Me (after deleting this 1st rule and installing policy with CPU load going from 100% to 3%): "Look, this is not a technical failure this is you doing stuff you have no idea about"
Him:"Really? Ok, sorry for that ..."
Me [wishfully]: "I wish Checkpoint hid this stupid Dynamic Object deep inside Guidbedit cave or not created at all, in all these years I needed this object just once but took care of at least 20 cases of its misuse."
PS. I know what book I can write about Checkpoint - "Diaries of the phone boy or stories from the trenches" [if https://community.checkpoint.com/people/dwelccfe6e688-522c-305c-adaa-194bd7a7becc doesn't mind franchising his handle ]
I'm assuming above you mean Domain Objects, which definitely has some performance implications and had some bugs.
R80.10 has hopefully solved those issues
Dynamic Objects are actually pretty useful in the sense they are basically placeholders in the rulebase.
On the local gateway, you can define what IP addresses those objects resolve to.
The DShield block list was implemented as a Dynamic Object.
You can use the dynamic_objects command to modify the contents of a given dynamic object without doing a policy installation.
A few pre-defined ones exist such as LocalMachine and LocalMachine_All_Interfaces.
The performance impact of Dynamic Objects is not nearly as bad as Domain Objects, though in pre-R80.10 releases, it did disable SecureXL templates on any rule that is used (as well as any rules that follow).
In R80.10, this limitation does not apply.
I did mean Dynamic Object and rest assured - every time you use it in the Rulebase (especially at the top of the Rulebase) in a busy network your firewall will max out CPU load at 100% (true for all gateways up to and included R77.30 as I've seen it close up personally, not stories from someone and never mind the hardware - 16 Gb 8 cores + CoreXL + SecureXL still went down, haven't tried with R80 so can't comment) :
While problem with Domain object is its reverse DNS resolving , with Dynamic Object it is forward IP resolving for each passing session thanks to https://community.checkpoint.com/people/dwelccfe6e688-522c-305c-adaa-194bd7a7becc for clarification : the real reason for Dynamic Object causing trouble is that when configured only via Dashboard and not via CLI it is left undefined..
Domain Object hasn't been so much of a problem (still happened but rarely) because it is hidden from the eye, so you would not stumble upon it as you do with Dynamic Object.
And of course I know what all these objects were meant to be used for, only that end users find more creative ways to utilize them.
General question is not, but my comment is for specific version. It will help to understand were it was deprecated and what to use instead of it.
This community will be in internet cache for a long time and maybe for someone running R100 it will be good to know that starting from version X they need to use different command to find installed jumbo take
