Showing results for 
Search instead for 
Did you mean: 
Create a Post
net-harry inside General Topics 4 hours ago
views 52 2

Multiple firewall licenses on the same security gateway

If we have a security gateway running a 2-core firewall-only license (CPSG-2C-FW) and we need additional capacity, could we purchase an additional CPSG-2C-FW and be licensed for 4 cores on the security gateway or do we need to purchase CPSG-4C-NGTP (4 cores with Next Generation Threat Prevention)?Thanks,Harry
C_M inside General Topics yesterday
views 50 1


I thought I read that Check Point was going to release more Ansible materials on their github site in October. I haven't seen anything new. Is there a set release date or any additional information?
Shurik inside General Topics yesterday
views 74 1

Stats/Monitor each VPN Tunnel

Hello guys,We have about 100 VPN tunnels (site-to-site). Would like to accomplish:1. Would to capture statistics (OID) of each VPN tunnel, and see throughput of each tunnel on our monitoring system (not the summary).2. Is there a way we can get alerts (status of VPN) tunnel in case it's down? Looking to get OID - status of each VPN tunnel. I've contacted the support team a few times, unfortunately, didn't get any meaningful answer. Thank you!
mbsm inside General Topics yesterday
views 98 2

Identity Collector Users unable to browse to internet

Hi,We successfully implement Identity Collector and working on R80.30. But we encounter an problem, the user is connected thru the WiFi and able to browse the internet but when the user disconnect to WiFi then connect thru LAN cable the user unable to browse the internet. By the way, the network of the WiFi is different to the LAN. Our workaround is login thru captive portal or restart the laptop.Is there a solution for this issue? Or is this a limitation of the Identity Collector? Appreciate your answers,
g0t0 inside General Topics yesterday
views 45 2

Security Gateway upgrade - From SecurePlatform r77.30 to Gaia r80.10

Hi, First of all, sorry if this topic has been answered before.I will have to do an upgrade on a security gateway cluster from Secureplatform (yeah, I know) to Gaia r80.10 and I will need to clarify some things.I'm planning to do a connectivity upgrade on a 4800 appliance two member cluster as explained below: So my questions are: - In case of a necessity to rollback after a r80.10 clean install on a member, can I revert to a SPLAT r77.30 snapshot on a r80.10 installation?- I didn't notice anything on the limitations regarding this upgrade. Has anyone aware of any?- Am I missing something? Thanks in advance. Sergio.
inside General Topics yesterday
views 2379 3 2

New Jumbo Hotfix (Take 203) Ongoing Release

A new Ongoing Jumbo Hotfix Accumulator take for R80.10 (take 203) is available. Please refer to sk116380.   R80.10 JHF Take #203 content: Issue # Resolved Issue Description MTR-31335 Added support for 6500 and 6800 appliances. Refer to sk139932. PMTR-33029,SMCPOL-195 OSE policy cannot be viewed without installing it on device. PMTR-29497,PRHF-1960 Manual changes in INSPECT files under $FWDIR/lib directory of compatibility packages are not synchronized from active to standby Management servers. Refer to sk143792.  PMTR-29584,PMTR-29856,PMTR-29855 Policy installation fails with "IPv6 addresses domain is not supported for Remote Access VPN community" message when using Domain object in Remote Access encryption domain.Refer to sk142832. PMTR-29921,PMTR-28958,PMTR-29923 "Error retrieving results" message is displayed in SmartConsole after searching for unused objects in Object Explorer.  PMTR-23744, MCFG-80 Unjustified validation error is displayed when installing Threat Prevention policy on Cluster object: "Threat Prevention requires topology to be defined.At least one internal, one external, and no undefined interfaces are required.Incorrectly defined topology impacts performance and security.Please install both Access Control and Threat Prevention policies after fixing the topology." PMTR-28643,PMTR-28557 In some scenarios, running the fwm sic_reset command from Domain fails with "reset_objects: updateMultiple failed" message. Refer to sk142512. PMTR-17991,PRHF-359,PRHF-714 In some scenarios, the Interpreter process stops working. Refer to sk132892. PMTR-21787 CPView is not supported on Multi-Domain Security Management environments. PMTR-8603,PMTR-30286 Multi-Domain Management GUI randomly does not reflect the Domain Management objects change. PMTR-31520,PMTR-31800 When using the "add/set simple-gateway" API command and specifying backup log servers, the input servers are not saved in the same order as listed in the request.  PMTR-34013,API-595 Number of sessions in "Changes" list does not match the value of 'total'.  PMTR-28058,PMTR-31248 When an administrator publishes session for a different administrator, the name of the administrator that invoked the action will be written in the audit logs as the publisher.  PMTR-12448,PMTR-12430 When searching in the SmartConsole main search bar for network groups we can see some number of network groups, but the search inside the Logical Server object shows the different number of Logical server objects groups.  PMTR-30570,IDA-1120 Group update request is sent specifically to the originator LDAP server even if it is down. Refer to sk127833.  PMTR-21207,PMTR-20424 In rare scenarios, Security Gateway runs out of kernel memory and may stop processing traffic, printing "double record of connection" message in /var/log/messages file. Refer to sk143432. PMTR-31314,PRHF-2244 In some scenarios, TCP state information is not displayed in the log despite being enabled in SmartConsole.  PMTR-21080,UP-251 A large number of Time objects used in the rule base may cause rulebase matching failures resulting in connectivity issues. PMTR-17490,PRHF-642 When working with NAT on DNS payload and having disabled NAT rules, NAT on DNS payload may not work. Refer to sk132032. PMTR-28414,PMTR-30657 When X-Forwarded-For (XFF) settings are enabled on one of the policy layers or/and on the Security gateway object, the/var/log/messages file shows errors related to asynchronous identity fetch. Refer to sk145673. PMTR-11999,PMTR-3286 In some scenarios, creation of a new gateway upgrade to R80.10 fails with "An internal error has occurred. (Code: 0x8003001D, Could not access file for write operation)" message.  PMTR-25755 In some scenarios, IPS purge makes a deadlock for some GUI clients, resulting in "Timeout error" error. PMTR-31100 In some scenarios, extracted Microsoft Azure files contain only blank pages. PMTR-24066,PRHF-134 Non-ASCII named files cause the undecoded non-ASCII characters to appear in the Threat Emulation log.  PMTR-27876,AVIR-370 Traffic from the client to the bogus IP address is handled according to the Access Control policy, but not logged as "prevented". Refer to sk141853. PMTR-30608,PMTR-29583 In rare scenarios, when the Log server miscalculates the available disk space, it may stop receiving logs from the connected gateways and cause the logs to accumulate locally on the Security gateway. Refer to sk146152. PMTR-30217,TPM-1378 "A general error has occurred" message appears when trying to edit the IPS Protection settings. PRHF-523,PMTR-16583 Some SMTP-related IPS Core Protections remain enabled despite the IPS is disabled. PMTR-31135,SA-99 Mobile Access Portal Agent installation page is vulnerable for XSS attack in Chrome and Firefox.  PMTR-15461,PMTR-21043,PMTR-28348 Added support for i40evf driver. PMTR-22503,MB-166,PMTR-28064 In some scenarios, virtio_net is not able to run multiqueue.  PMTR-35032 Important security update for IPSec Site-to-Site (S2S) VPN.  PMTR-27144,02657434 Improved connectivity with 3rd party VPN peers using IKEv2. Refer to sk120835. PMTR-30870,PMTR-21587 Connectivity improvements for certain Windows L2TP client versions. Refer to sk145895.  PMTR-19379,PMTR-23292,PMTR-23293,02031663 The CLISH command "show arp table dynamic all" and Bash command "arp -an" show different entries.Refer to sk112753. PMTR-15738,PRHF-270 In some scenarios, routed process stops working when a VPN tunnel interface is deleted without removing the dynamic routing protocols.  PMTR-18254,PMTR-18255EPS-17135 In some scenarios, SmartEndpoint shows different numbers of reported "Anti-Malware signature was not upgraded in the last 72 hours" between the warnings and the Active alerts section. PMTR-32542,PMTR-32187 After new Domain creation, logs from this Domain are not seen in SmartConsole.  PMTR-28470,PMTR-329 Before R80.10 Jumbo Hotfix Accumulator Take 189, the Probing feature is set, by default, to Fail Open. From Take 189, the default behavior is changed to Fail Close. Refer to sk104717.      Thanks  Release Managers Groups
C_M inside General Topics yesterday
views 36 1


Any set release dates for more commands/options via the GAIA API? last I checked it was quite limited.
Jeff_Gao inside General Topics yesterday
views 2700 21 1

Physical memory is high

Dear all      My CP23500 is 16G  memory and traffic is low.but memory is high,as follow:This is why?Thanks!
shavat_zalpuri inside General Topics yesterday
views 70 4

Need help in understanding multi core vpn in r 80.x

Hi All, It owuuld be great help if you can help me in providing a document which will give me in detail information of multi core vpn in r80.X. Different vpn types and on different cores. Regards,shavat Zalpuri
HeikoAnkenbrand inside General Topics yesterday
views 1958 1 12

R80.20 - SYN Defender on SecureXL Level

I think the new feature "Accelerated SYN Defender" is a good choice to effectively prevent "SYN Flood Attack" on Check Point Gateways with enabled SecureXL.   A TCP SYN Flood attack occurs when a host, typically with a forged IP address, sends a flood of TCP [SYN] packets. Each of these TCP [SYN] packets is handled as a connection request, which causes the server to create a half-open (unestablished) TCP connection. This occurs because the server sends a TCP [SYN+ACK] packet, and waits for a response TCP packet that does not arrive. These half-open TCP connections eventually exceed the maximum available TCP connections that causes a denial of service condition. The Check Point Accelerated SYN Defender protects the Security Gateway by preventing excessive TCP connections from being created. The Accelerated SYN Defender uses TCP [SYN] Cookies (particular choices of initial TCP sequence numbers) when under a suspected TCP SYN Flood attack. Using TCP [SYN] Cookies can reduce the load on Security Gateway and on computers behind the Security Gateway. The Accelerated SYN Defender acts as proxy for TCP connections and adjusts TCP {SEQ} and TCP {ACK} values in TCP packets.   You can find more in the manual under: fwaccel synatk fwaccel6 synatk   Regards, Heiko
KE inside General Topics yesterday
views 97 2

Client authentication user has to re-authenticate after every policy install

Checkpoint Gaia R77.30 ClusterXLClient authentication user has to re-authenticate after every policy install.The client_auth table is cleared after every install.Any idea?Thanks! 
HeikoAnkenbrand inside General Topics Wednesday
views 618639 34 140

R80.x Architecture and Performance Tuning - Link Collection

I wrote my first article on R80.x firewall architecture a year ago. After many hours in the lab with R80.10, R80.20, R80.30 and R80.40 many long evenings, another approximately 40 articles were added. Because I lost the overview of my articles, here is a list of links to the most interesting articles with the topics:- R80.x performance tuning- R80.x architecture- R80.x new CoreXL, SecureXL and ClusterXL functions I hope I can help you with interesting information about R80.x! Thanks to everyone who contributed to the Checkmates forum and to the Check Point R&D guys as well as the Chackmates team and thanks to all who voted this article as Post of the Year 2019.  Architecture - R80.x - Security Gateway Architecture (Logical Packet Flow)- R80.x - Security Gateway Architecture (Logical Packet Flow) - Update R80.20+- R80.x - Security Gateway Architecture (Content Inspection)- R80.x - Security Gateway Architecture (Acceleration Card Offloading)- R80.x - Ports Used for Communication by Various Check Point Modules- R80.x - How does the Medium Path (PXL) and Content Inspection work with R80- R80.x - ClusterXL CCP Encryption (R80.30+) Performance tuning - R80.x - Gateway Performance Metrics - R80.x - Performance Tuning Tip - Intel Hardware- R80.x - Performance Tuning Tip - AES-NI- R80.x - Performance Tuning Tip - SMT (Hyper Threading)- R80.x - Performance Tuning Tip - Multi Queue- R80.x - Performance Tuning Tip - Connection Table- R80.x - Performance Tuning and Debug Tips - fw monitor- R80.x - Performance Tuning and Debug Tips - TCPDUMP vs. CPPCAP- R80.x - Performance Tuning Tip - DDoS „fw sam“ vs. „fwaccel dos“- R80.x - High Performance Gateways and Tuning- R80.x - Falcon Modules and R80.20- R80.x - Performance Tuning - Link Collection Cheat sheets - R80.x - cheat sheet - fw monitor- R80.x - cheat sheet - ClusterXL ClusterXL - R80.20 - new ClusterXL commands- R80.20 - More ClusterXL State Information- R80.30 - ClusterXL CCP Encryption SecureXL - R80.20 - New FW Monitor inspection points- R80.20 - SYN Defender on SecureXL Level- R80.20 - IP blacklist in SecureXL- R80.20 - New Chain Modules?- R80.20 - SecureXL + new chain modules + fw monitor CoreXL - R80.x - Security Gateway Architecture (Logical Packet Flow)- R80.x - Security Gateway Architecture (Content Inspection)- R80.x - More then 40 Cores for CoreXL- R80.x - User-Mode Firewall and performance impact Management Server, MDS and SmartConsole - R80.20 - Portable SmartConsole + Tips and Tricks- R80.10 - Syslog Exporter- R80.20 - Multiple SmartConsole sessions- R80.x   - Debug policy installation on gateway- R80.x   - MDS Upgrade failing from R80.10 to R80.30 Sandblast and TEX - Fortigate Firewall ICAP and Sandblast (TEX)- Symantec (Bluecoat) SG ICAP and Sandblast (TEX)- ICAP and Sandblast Appliance R80.10+ - R80.10 - Syslog Exporter- R80.10 - Bash script to show IP ranges for countrys from GeoProtection (new version)- R80.10 - GEO Location Objects in Firewall Policy (with Dynamic Objects)- R80.10 - User-Mode Firewall and performance impact R80.20+ - R80.20 - new interesting commands- R80.20 - Performance Tuning Tip - DDoS „fw sam“ vs. „fwaccel dos“- R80.20 - New FW Monitor inspection points- R80.20 - SYN Defender on SecureXL Level- R80.20 - IP blacklist in SecureXL- R80.20 - New Chain Modules?- R80.20 - SecureXL + new chain modules + fw monitor- R80.20 - SecureXL - new names in "/proc/ppk/statistics"?- R80.20 - Portable SmartConsole + Tips and Tricks- R80.20 - New daemon or processes under R80.20!- R80.20 - New SecureXL path in R80.20 (CPASXL)- R80.20 - More then 40 Cores for CoreXL - R80.20 - Updatable Domain Objects and CLI Commands R80.30+ - R80.30 - new interesting commands- R80.30 - ClusterXL CCP Encryption- R80.30 - Swiss Army Knive IPMITOOL for GAIA R80.40+ - R80.40 automatically changes the number of CoreXL SNDs, Firewall instances and the Multi-Queue CLI - GAIA - Easy execute CLI commands from management on gateways- GAIA - Easy execute CLI commands on all gateways simultaneously- GAIA - Create snapshots or backups on all gateways with one CLI command.- GAIA - Backup all clish configs from all gateways with one CLI command- CLISH Commands in Expert Mode easier- Show VPN Routing on CLI- Show Address Spoofing Networks via CLI- Interface speed and duplex as list- "fw ctl zdebug" Helpful Command Combinations- Check Inbound and Outbound TCP Sequece Numbers on R80.20+- R80.20 - new interesting commands- R80.30 - new interesting commands- ccp_analyzer - what is it!- Check Point - HEX to IP Converter Tool?- R80.30 - Swiss Army Knive IPMITOOL for GAIA Script - Bash script to show IP ranges for countrys from GeoProtection (new version)- GEO Location Objects in Firewall Policy (with Dynamic Objects) More - Appliance model from CLI and dmidecode with full model list- VoIP Issue and SMB Appliance (600/1000/1200/1400)- Password reset - Collection- One-liner collection- Check and config SSHv1 or SSHv2 on GAIA Copyright by Heiko Ankenbrand  1994-2019
Vato_Chantladze inside General Topics Wednesday
views 2719 11 2

Is CP planning to support Load-Sharing in future releases?

Hi,As you know, MB-30 limitation is set for R80.20:ClusterXL R80.20 Administration Guide: The R80.20 ClusterXL does not support the Load Sharing mode (R80.20 Known Limitation MB-30).I have started thinking about this topic because the Check Point released R80.20 without Load Sharing option. In general, what is your opinion, is CP planning to continue support for Load-Sharing Active-Active state in future releases? BRVato
Kunal_Parikh inside General Topics Wednesday
views 16150 4 1

Dynamic Objects (URL)

What is best approach to allow connection to Microsoft Azure/AWS, when destination URL are hosted in cloud and does not have fixed IP. If I don't want traffic to go via proxy, does checkpoint support destination URL's ? I have read about dynamic objects and have also read it causes high CPU but not sure if it is best practice.
Vengatesh_SR inside General Topics Wednesday
views 912 8 1


Hi Team,We are getting the below vulnerability for the checkpoint.  Name : OpenSSH X11 Cookie Local Authentication Bypass Vulnerability (openssh-x11-cookie-auth-bypass)    Description :ssh in OpenSSH before 4.7 does not properly handle when an untrusted cookie cannot be created and uses a trusted X11 cookie instead, which allows attackers to violate intended policy and gain privileges by causing an X client to be treated as trusted.OpenBSD OpenSSH < 4.7Download and apply the upgrade from: you can always build OpenSSH from source, many platforms and distributions provide pre-built binary packages for OpenSSH.These pre-built packages are usually customized and optimized for a particular distribution, therefore we recommend that you use the packages if they are available for your operating system.-----------------------------------------------------------------We have the take installed is take_286.From the above description, I can find the CVE associated for the vulnerability is #CVE-2007-4752.From the #sk65269, I can see the comments given is Not vulnerable. So it means checkpoint devices are not vulnerable for this vulnerbaility ??Regards,Vengatesh SR