This website uses cookies. By browsing this website, you consent to the use of cookies. Learn more.
OK
ABOUT CHECKMATES & FAQ
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Create a Post
Help
General Topics

Have a question and you can't figure out where to post about it after reading All Products and Where to Post About Them? Post it here!

Brian_Deutmeyer
Brian_Deutmeyer inside General Topics yesterday
views 76 5 1

What happens to asynchronous fragments on a firewall in bridge mode?

I have a firewall that has two bridges, BR1 and BR2.  These bridges handle traffic for two equal cost links. Packets can route asynchronously without issue all day long (with SXL disabled), but I'm curious about fragments.  What happens when packet #1 is fragmented into 2 parts before it reaches the firewall where packet #1 frag #1 arrives at BR1 and packet #1 frag #2 arrives at BR2? This works: What happens here?  Does the firewall reassemble them or discard them?
Jose_Rivera
Jose_Rivera inside General Topics yesterday
views 51 2

CoreXL disabled by default on AWS Cloudguard (r80.20)

Just noticed CoreXL is disabled on all the CloudGuard instances we deployed (based on R80.20, soon to be R80.30).We do have a ton of route based tunnels configured and want to make sure we are leveraging multi-core VPN.Doesn't multi-core VPN require CoreXL? Is it supported to enable CoreXL on these AWS CloudGuard instances?We have 8 core instances and no blades other than VPN and Identity Awareness enabled at the moment. Thanks.
Dale_Lobb
Dale_Lobb inside General Topics Friday
views 540 3

CheckPoint TLS 1.3 support: When?

  I just finished reading the Gartner 2019 "Magic Quadrant for Network Firewalls", courtesy of CheckPoint Marketing.  One of the specific "Cautions" they called out for CheckPoint is the lack of TLS 1.3 support, something apparently both Fortinet and Palo Alto already have.  BTW: Fortinet and Palo Alto both scored higher and more to the right than CheckPoint in the Leaders quadrant, Palo Alto significantly so.  Does anyone have any knowledge of the timeline for support of TLS 1.3, especially in regards to Threat Prevention / HTTPS inspection?  The only info I can find from the Community is a post that's over a year old: https://community.checkpoint.com/t5/General-Management-Topics/Impact-of-upcoming-ESNI-with-TLS-1-3-on-App-Control-and-URLF/td-p/9521, where Phoneboy said it was to early to say.  Any updates on the topic?
Mazin_D
Mazin_D inside General Topics Friday
views 277 18

upgarde to R80.30 using CPUSE failing

i ma trying to upgrade the management server from R80.10 to R80.30 , the management server is in HA and installed on VM. i have upgarded the stnandby managmnet server without any issue. the primary though keeps failing with error "CPUSE encounter a problem while importing the package to Gaia machine. Try to import the package again. If the issue persist, contact checkpoint technical service"i have tried to upgrade the DA " currently running build 1786" but i got another error "File is not a DA package" any help is highly appreciate it. 
Christian_Koehl
Christian_Koehl inside General Topics Friday
views 246 7

Adding CPUSE agent to isomorphic fails

Dear CheckMate fellows,I need to prepare an USB stick to freshly install some R80.30 gateways.Regarding sk65205 and the linked nice, little video, I tried to add the CPUSE agent to Isomorphic, but this failed. The Isomorphic tool is build 180.When trying to import the CPUSE agent the following error message is shown. Any idea?Best regards and many thanks,Christian
Technical_Servi
Technical_Servi inside General Topics Friday
views 306 4

S2S VPN Problem after Hotfix R80.20 Take_103 on GW

Hi All After installing Take_103 on a GW we are running in strange behaviors with S2S VPNs with 3. party vendors (WatchGuard).The tunnels are up. Traffic goes through (HTTP,RDP .....). But AD authentication doesn't work.We can see packets from the clients through the tunnel to the AD controller:12:49:01.212147 IP xxx.xxx.xxx.41.62985 > 10.xxx.xxx.11.389: UDP, length 21412:49:01.212669 IP 10.xxx.xxx.11.389 > xxx.xxx.xxx.41.62985: UDP, length 195But the don't reach the other site?! No log entries on both sites!Any ideas?Thanx in advanceMarc
HeikoAnkenbrand
HeikoAnkenbrand inside General Topics Thursday
views 254 5 8

R80.x Performance Tuning Tip - Elephant Flows (Heavy Connections)

Elephant Flow (Heavy Connections) In computer networking, an elephant flow (heavy connection) is an extremely large in total bytes continuous flow set up by a TCP or other protocol flow measured over a network link. Elephant flows, though not numerous, can occupy a disproportionate share of the total bandwidth over a period of time.  When the observations were made that a small number of flows carry the majority of Internet traffic and the remainder consists of a large number of flows that carry very little Internet traffic (mice flows). All packets associated with that elephant flow must be handled by the same firewall worker core (CoreXL instance). Packets could be dropped by Firewall when CPU cores, on which Firewall runs, are fully utilized. Such packet loss might occur regardless of the connection's type. What typically produces heavy connections: System backups Database backups VMWare sync. Chapter More interesting articles: - R80.x Architecture and Performance Tuning - Link Collection- Article list (Heiko Ankenbrand) Evaluation of heavy connections The big question is, how do you found elephat flows on an R80 gateway? Tip 1Evaluation of heavy connections (epehant flows)A first indication is a high CPU load on a core if all other cores have a normal CPU load. This can be displayed very nicely with "top". Ok, now a core has 100% CPU usage. What can we do now? For this there is a SK105762 to activate "Firewall Priority Queues".  This feature allows the administrator to monitor the heavy connections that consume the most CPU resources without interrupting the normal operation of the Firewall. After enabling this feature, the relevant information is available in CPView Utility. The system saves heavy connection data for the last 24 hours and CPDiag has a matching collector which uploads this data for diagnosis purposes. Heavy connection flow system definition on Check Point gateways: Specific instance CPU is over 60% Suspected connection lasts more than 10s Suspected connection utilizes more than 50% of the total work the instance does. In other words, connection CPU utilization must be > 30%   CLI Commands Tip 2Enable the monitoring of heavy connections. To enable the monitoring of heavy connections that consume high CPU resources: # fw ctl multik prioq 1 # reboot Tip 3Found heavy connection on the gateway with „print_heavy connections“ On the system itself, heavy connection data is accessible using the command: # fw ctl multik print_heavy_conn Tip 4Found heavy connection on the gateway with cpview # cpview                CPU > Top-Connection > InstancesX   Links sk105762 - Firewall Priority Queues in R77.30 / R80.10 and above    
Chanatip_Adisak
Chanatip_Adisak inside General Topics Thursday
views 3831 15

When will checkpoint support the Load Sharing mode in either R80.20 and R80.30?

Dear Check Point Team, Regarding the known issue with ClusterXL R80.20 and above does not support Load Sharing mode. Therefore, SmartConsole blocks such a configuration with a warning message. I would like to know when it will be fixed and become to support like an R80.10. Regards,Sarm
fab
fab inside General Topics Thursday
views 160 3

Numbered VTIs with 3rd party

Hi guys.I'd like to create a route based VPN to a 3rd party site. As our Internet facing interface is configured as a bond I need to use numbered VTIs instead of unnumbered.At the moment it is unclear to me what the local and remote IPs are used for and if the 3rd party needs knowledge about those IPs, i.e. if the remote IP of the numbered VTI e.g. is 192.0.2.1/24 do they need to know and and / or do they need to configure the IP on their site somewhere?Hope this makes any sense,Frank.
Tsvika_Akerman
inside General Topics Wednesday
views 7151 61 15
Employee

R80.40 Early Availability Program @ Check Point Update

      R80.40 EA Program  R80.40 features centralized management control across all networks, on premise or in the cloud, lowering the complexity of managing your security and increasing operational efficiency. As part of the Check Point Infinity architecture, R80.40 provides customers with the best security management, utilizing the Industry’s largest integration of technologies from more than 160 technology partners. With Check Point R80.40 Cyber Security for Gateways and Management, businesses everywhere can easily step up to Gen V.  Enrollment // Production EA     • We are looking for R80.X / R77.X Production environment to evaluate the new version. • Start date: Started    Public EA (for Lab/Sandbox use) is now also available! Log into UserCenter and Select Try Our Products > Early Availability Programs In PartnerMap, it is Learn > Evaluate > Early Availability Programs NOTE: Upgrade from Public EA to GA is not supported   Additional questions? contact us@ EA_SUPPORT@checkpoint.com What's New  IoT Security A new IoT security controller to: Collect IoT devices and traffic attributes from certified IoT discovery engines (currently supports Medigate, CyberMDX, Cynerio, Claroty, Indegy, SAM and Armis).  Configure a new IoT dedicated Policy Layer in policy management. Configure and manage security rules that are based on the IoT devices' attributes.                       TLS Inspection HTTP/2 HTTP/2 is an update to the HTTP protocol. The update provides improvements to speed, efficiency and security and results with a better user experience.  Check Point's Security Gateway now support HTTP/2 and benefits better speed and efficiency while getting full security, with all Threat Prevention and Access Control blades, as well as new protections for the HTTP/2 protocol. Support is for both clear and SSL encrypted traffic and is fully integrated with HTTPS/TLS Inspection capabilities.                       TLS Inspection Layer This was formerly called HTTPS Inspection. Provides these new capabilities: A new Policy Layer in SmartConsole dedicated to TLS Inspection. Different TLS Inspection layers can be used in different policy packages. Sharing of a TLS Inspection layer across multiple policy packages. API for TLS operations. Threat Prevention Overall efficiency enhancement for Threat Prevention processes and updates. Automatic updates to Threat Extraction Engine. Dynamic, Domain and Updatable Objects can now be used in Threat Prevention and TLS Inspection policies. Updatable objects are network objects that represent an external service or a known dynamic list of IP addresses, for example - Office365 / Google / Azure / AWS IP addresses and Geo objects. Anti-Virus now uses SHA-1 and SHA-256 threat indications to block files based on their hashes. Import the new indicators from the SmartConsole Threat Indicators view or the Custom Intelligence Feed CLI. Anti-Virus and SandBlast Threat Emulation now support inspection of e-mail traffic over the POP3 protocol, as well as improved inspection of e-mail traffic over the IMAP protocol. Anti-Virus and SandBlast Threat Emulation now use the newly introduced SSH inspection feature to inspect files transferred over the SCP and SFTP protocols. Anti-Virus and SandBlast Threat Emulation now provide an improved support for SMBv3 inspection (3.0, 3.0.2, 3.1.1), which includes inspection of multi-channel connections. Check Point is now the only vendor to support inspection of a file transfer through multiple channels (a feature that is on-by-default in all Windows environments). This allows customers to stay secure while working with this performance enhancing feature. Access Control Identity Awareness Support for Captive Portal integration with SAML 2.0 and third party Identity Providers. Support for Identity Broker for scalable and granular sharing of identity information between PDPs, as well as cross-domain sharing.  Enhancements to Terminal Servers Agent for better scaling and compatibility. IPsec VPN Configure different VPN encryption domains on a Security Gateway that is a member of multiple VPN communities. This provides:  Improved privacy - Internal networks are not disclosed in IKE protocol negotiations. Improved security and granularity - Specify which networks are accessible in a specified VPN community. Improved interoperability - Simplified route-based VPN definitions (recommended when you work with an empty VPN encryption domain). Create and seamlessly work with a Large Scale VPN (LSV) environment with the help of LSV profiles. URL Filtering Improved scalability and resilience. Extended troubleshooting capabilities. NAT Enhanced NAT port allocation mechanism - on Security Gateways with 6 or more CoreXL Firewall instances, all instances use the same pool of NAT ports, which optimizes the port utilization and reuse. NAT port utilization monitoring in CPView and with SNMP. Voice over IP (VoIP) Multiple CoreXL Firewall instances handle the SIP protocol to enhance performance. Remote Access VPN Use machine certificate to distinguish between corporate and non-corporate assets and to set a policy  enforcing the use of corporate assets only. Enforcement can be pre-logon (device authentication only) or post-logon (device and user authentication). Mobile Access Portal Agent Enhanced Endpoint Security on Demand within the Mobile Access Portal Agent to support all major web browsers. For more information, see sk113410. Security Gateway and Gaia CoreX L and Multi-Queue Support for automatic allocation of CoreXL SNDs and Firewall instances that does not require a Security Gateway reboot. Improved out of the box experience - Security Gateway automatically changes the number of CoreXL SNDs and Firewall instances and the Multi-Queue configuration based on the current traffic load. Clustering Support for Cluster Control Protocol in Unicast mode that eliminates the need for CCP Broadcast or Multicast modes. Cluster Control Protocol encryption is now enabled by default. New ClusterXL mode -Active/Active, which supports Cluster Members in different geographic locations that are located on different subnets and have different IP addresses. Support for ClusterXL Cluster Members that run different software versions. Eliminated the need for MAC Magic configuration when several clusters are connected to the same subnet. VSX Support for VSX upgrade with CPUSE in Gaia Portal. Support for Active Up mode in VSLS. Support for CPView statistical reports for each Virtual System Zero Touch A simple Plug & Play setup process for installing an appliance - eliminating the need for technical expertise and having to connect to the appliance for initial configuration. Gaia REST API Gaia REST API provides a new way to read and send information to servers that run Gaia Operating System. See sk143612. Advanced Routing Enhancements to OSPF and BGP allow to reset and restart OSPF neighboring for each CoreXL Firewall instance without the need to restart the routed daemon. Enhancing route refresh for improved handling of BGP routing inconsistencies. New kernel capabilities Upgraded Linux kernel New partitioning system (gpt): Supports more than 2TB physical/logical drives Faster file system (xfs) Supporting larger system storage (up to 48TB tested) I/O related performance improvements Multi-Queue: Full Gaia Clish support for Multi-Queue commands Automatic "on by default" configuration SMB v2/3 mount support in Mobile Access blade Added NFSv4 (client) support (NFS v4.2 is the default NFS version used) Support of new system tools for debugging, monitoring and configuring the system   CloudGuard Controller Performance enhancements for connections to external Data Centers. Integration with VMware NSX-T. Support for additional API commands to create and edit Data Center Server objects. Security Management Multi-Domain Server Back up and restore an individual Domain Management Server on a Multi-Domain Server. Migrate a Domain Management Server on one Multi-Domain Server to a different Multi-Domain Security Management. Migrate a Security Management Server to become a Domain Management Server on a Multi-Domain Server. Migrate a Domain Management Server to become a Security Management Server. Revert a Domain on a Multi-Domain Server, or a Security Management Server to a previous revision for further editing. SmartTasks and API New Management API authentication method that uses an auto-generated API Key. New Management API commands to create cluster objects. Central Deployment of Jumbo Hotfix Accumulator and Hotfixes from SmartConsole or with an API allows to install or upgrade multiple Security Gateways and Clusters in parallel. SmartTasks - Configure automatic scripts or HTTPS requests triggered by administrator tasks, such as publishing a session or installing a policy. Deployment Central Deployment of Jumbo Hotfix Accumulator and Hotfixes from SmartConsole or with an API allows to install or upgrade multiple Security Gateways and Clusters in parallel. SmartEvent Share SmartView views and reports with other administrators. Log Exporter Export logs filtered according to field values. Endpoint Security Support for BitLocker encryption for Full Disk Encryption. Support for external Certificate Authority certificates for Endpoint Security client authentication and communication with the Endpoint Security Management Server. Support for dynamic size of Endpoint Security Client packages based on the selected features for deployment. Policy can now control level of notifications to end users. Support for Persistent VDI environment in Endpoint Policy Management.    
paviflo
paviflo inside General Topics Wednesday
views 85

Allocate secondary IP block on physical interface while using VRRP cluster

Hi there,I'm trying to establish a BGP peering session straight from the external Firewall interface into the Microsoft Edge Routers to establish both a Private and a Microsoft peering session. MS peering requires you to allocate public IP's for this peering to work whilst the Private peering would work with just Private IP addressing.Is it possible to allocate different IP blocks into the same physical interface for this purpose?Each MS peering session requires you to allocate a /30 subnet, so the idea would be to allocate two larger /27 IP blocks (one for Private and one for Public) and break these down into individual, smaller /30 subnets for each of the peering sessions that need to be established (I need 4 private peering sessions and 4 public ones). We will be using the FWs in VRRP cluster mode since I believe Cluster XL wouldn't allow you to have separe virtual IP subnets off the same physical interface. Thanks!
HeikoAnkenbrand
HeikoAnkenbrand inside General Topics Wednesday
views 1724 15 20

R80 - Top 20 Gateway Tuning Tips

Tip 1 - SecureXL SecureXL is a software acceleration product installed on Security Gateways. SecureXL network acceleration techniques deliver wire-speed performance for Security Gateways. Performance Pack uses SecureXL technology and other innovative network acceleration techniques to deliver wire-speed performance for Security Gateways. The SecureXL device minimizes the connections that are processed by the INSPECT driver. SecureXL accelerates connections on two ways. SecureXL is implemented either in software or in hardware:       SAM cards on Check Point 21000 appliances       Falcon cards (new in R80.20) on different appliances Tuning Tip: From R80.20 SecureXL is always enabled and can no longer be disabled completely. sk98722 - SecureXL for R80.10 and below sk98348 - Best Practices - Security Gateway Performancesk32578 - SecureXL Mechanism sk153832 - SecureXL for R80.20 and above  R80.x - Security Gateway Architecture (Logical Packet Flow)R80.x - Security Gateway Architecture (Acceleration Card Offloading) Tip 2 - SecureXL Connection Templates Feature that accelerates the speed, at which a connection is established by matching a new connection to a set of attributes. When a new connection matches the Connection Template (old name "Accept Template") , subsequent connections are established without performing a rule match and therefore are accelerated. Connection Templates are generated from active connections according to policy rules. Tuning Tip: Accept Templates are enabled by default. sk32578 - SecureXL MechanismPerformance Tuning R80.30 Administration Guide - Connection Templates R80.x - Security Gateway Architecture (Logical Packet Flow)   Tip 3 - SecureXL NAT Templates Using SecureXL Templates for NAT traffic is critical to achieve high session rate for NAT. SecureXL Templates are supported for Static NAT and Hide NAT using the existing SecureXL Templates mechanism. Tuning Tip: Enable NAT Templates depending on the situation. sk71200 - SecureXL NAT Templates  R80.x - Security Gateway Architecture (Logical Packet Flow)   Tip 4 - SecureXL Drop Templates Optimized Drops feature in R76 and above. Heavy load of traffic that should be dropped causes an increase in the Security Gateway's resource consumption. SecureXL Drop Templates are not created, although this option was checked in SmartDashboard. Tuning Tip: Enable Drop Templates depending on the situation sk90861 - Optimized Drops feature in R76 and above sk66402 - SecureXL Drop Templates  R80.x - Security Gateway Architecture (Logical Packet Flow)   Tip 5 - SecureXL Fast Acceleration The Fast Acceleration (picture 1 green) feature lets you define trusted connections to allow bypassing deep packet inspection on R80.20 JHF103 and above gateways. This feature significantly improves throughput for these trusted high volume connections and reduces CPU consumption. The CLI of the gateway can be used to create rules that allow you to bypass the SecureXL PSLXL path to route all connections through the fast path. Tuning Tip: Use this function to exclude IP's or networks from deep inspection. sk156672 - SecureXL Fast Accelerator (fw fast_accel) for R80.20 and above R80.x - Performance Tuning Tip - SecureXL Fast Accelerator (fw ctl fast_accel) Tip 6 - SecureXL Penalty Box The SecureXL penalty box is a mechanism that performs an early drop of packets arriving from suspected sources. This mechanism is supported starting in R75.40VS. The purpose of this feature is to allow the Security Gateway to cope better under high load, possibly caused by a DoS/DDoS attack. A client that sends packets that are dropped by the firewall rulebase or performs violations of the IPS policy is reported to this mechanism. If a client is reported frequently, it would be put in a penalty box. Any packet arriving from this IP address would be dropped by the performance pack at a very early stage. Tuning Tip: Use the SecureXL penalty box if you have DDoS attacks sk74520 - What is the SecureXL penalty box mechanism for offending IP addresses?  R80.x - Performance Tuning Tip - DDoS „fw sam“ vs. „fwaccel dos“   Tip 7 - SIM Affinity Association of a particular network interface with a CPU core (either 'Automatic' (default), or 'Static' / 'Manual'). Interfaces are bound to CPU cores via SMP IRQ affinity setting. SIM Affinity in Automatic mode may make poor decisions on multi-core platforms. In addition, some multi-core hardware platforms suffer from an inability to assign IRQs to use all the CPU cores efficiently. Tuning Tip: In special cases the SIM affinity should be set manually.sk61962 - SMP IRQ Affinity on Check Point Security Gateway sk33250 - Automatic SIM Affinity on Multi-Core CPU Systems Performance Tuning R80.30 Administration Guide – Affinity Settings  Tip 8 - CoreXL CoreXL is a performance-enhancing technology for Security Gateways on multi-CPU-core processing platforms. CoreXL enhances Security Gateway performance by enabling the processing CPU cores to concurrently perform multiple tasks. CoreXL provides almost linear scalability of performance, according to the number of processing CPU cores on a single machine. The increase in performance is achieved without requiring any changes to management or to network topology. On a Security Gateway with CoreXL enabled, the Firewall kernel is replicated multiple times. Each replicated copy, or FW instance, runs on one processing CPU core. These FW instances handle traffic concurrently, and each FW instance is a complete and independent FW inspection kernel. When CoreXL is enabled, all the FW kernel instances in the Security Gateway process traffic through the same interfaces and apply the same security policy. sk98737 – CoreXL sk98348 - Best Practices - Security Gateway Performance R80.x - Security Gateway Architecture (Logical Packet Flow)R80.x - Security Gateway Architecture (Content Inspection)   Tip 9 - CoreXL - Dynamic split of CoreXL FW and CoreXL SND Dynamic split of CoreXL changes the assignment of  CoreXL SND's and CoreXL firewall workers automatically without reboot in R80.40+.  Now, let's assume the CoreXL SNDs are overloaded, a mathematical formula is used to calculate that a further CoreXL SND is added. In this case a CoreXL firewall worker  will not get any new Connections and the connections are distributed to another CoreXL firewall worker. If there are no more connections running through this CoreXL firewall worker, the core will be used for a new CoreXL SND instance. It also works the other way round. Adding and removing a CoreXL firewall worker Adding and removing a CoreXL SND Balance between CoreXL SND and CoreXL firewall worker GAIA 3.10 kernel only Check Point appliances with 8 cores or more Tuning Tip: Use this function from R80.40 on appliances with 8 cores or more. No SK is available yet. R80.40 - Dynamic split of CoreXL    Tip 10 - MultiCore IPsec VPN R80.10 and above introduced MultiCore support for IPsec VPN. Starting in R80.10 Security Gateway, IPsec VPN MultiCore feature allows CoreXL to inspect VPN traffic on all CoreXL FW instances. This feature is enabled by default, and it is not supported to disable it. Tuning Tip: MultiCore IPsec VPN is enabled by default on R80.x gateways. sk104760 - VPN Core sk105119 - Best Practices - VPN Performance sk118097 - MultiCore Support for IPsec VPN in R80.10 and above  Tip 11 - MultiCore Support for SSL Introduced in R77.20, SSL MultiCore feature improves SSL performance of Security Gateway. SSL MultiCore feature is based on Check Point CoreXL technology, which enhances Security Gateway / VSX Gateway performance by enabling the CPU processing cores to concurrently perform multiple tasks. Tuning Tip: MultiCore SSL is enabled by default on R80.x gateways. sk101223 - MultiCore Support for SSL in R77.20 and above  Tip 12 - AES-NI Intel‘s AES New Instructions AES-NI is a encryption instruction set that improves on the Advanced Encryption Standard (AES) algorithm and accelerates the encryption of data in many processor familys. Better throughput can be achieved by selecting a faster encryption algorithm. For a comparison of encryption algorithm speeds. Relative speeds of algorithms for IPsec and SSL. AES-NI is Intel's dedicated instruction set, which significantly improves the speed of Encrypt-Decrypt actions and allows one to increase AES throughput for: Site-to-Site VPN, Remote Access VPN, Mobile Access, HTTPS Interception The general speed of the system depends on additional parameters. Check Point supports AES-NI on many appliances, only when running Gaia OS with 64-bit kernel. On these appliances AES-NI is enabled by default. AES-NI is also supported on Open Servers. Comprised of seven new instructions, AES-NI gives your environment faster, more affordable data protection and greater security. Tuning Tip: Enable AES-NI in the BIOS. sk73980 - Relative speeds of algorithms for IPsec and SSL R80.x - Performance Tuning Tip - AES-NI   Tip 13 - Firewall Priority Queues Packets could be dropped by Firewall when CPU cores, on which Firewall runs, are fully utilized. Such packet loss might occur regardless of the connection's type (for example, local SSH or connection to Security Management Server server). The Firewall Priority Queues are disabled by default. The Priority Queues (PrioQ) mechanism is intended to prioritize part of the traffic, when we need to drop packets because the Security Gateway is stressed (CPU is fully utilized). Tuning Tip: Use it depending on the situation.sk105762 - Firewall Priority Queues in R77.30 / R80.10 and above  Tip 14 - Multi-Queue By default, each network interface has one traffic queue handled by one CPU. You cannot use more CPU cores for acceleration than the number of interfaces handling traffic. Multi-Queue lets you configure more than one traffic queue for each network interface. For each interface, more than one CPU core is used for acceleration. Multi-Queue is relevant only if SecureXL is enabled. Tuning Tip: Enable multi-queueing on 10/40/100 Gbit/s interfaces. Performance Tuning R80.30 Administration Guide – Multi-Queue R80.x - Performance Tuning Tip - Multi Queue   Tip 15 - Dynamic Dispatcher CoreXL is a performance-enhancing technology for Security Gateways on platforms with multiple CPU cores. CoreXL enhances Security Gateway performance by enabling the processing CPU cores to concurrently perform multiple tasks. On a Security Gateway with CoreXL enabled, the Firewall kernel is replicated multiple times. Each replicated copy, or Firewall instance, runs on one processing CPU core. These Firewall instances handle traffic concurrently, and each Firewall instance is a complete and independent Firewall inspection kernel. When CoreXL is enabled, all the Firewall kernel instances in the Security Gateway process traffic through the same interfaces and apply the same security policy. The CoreXL software architecture includes the Secure Network Distributor (SND). The SND is responsible for: Processing incoming traffic from the network interfaces Securely accelerating authorized packets (if SecureXL is running) Distributing non-accelerated packets or Medium Path packets among CoreXL FW kernel instances - this functionality is also referred to as dispatcher Traffic received on network interface cards (NICs) is directed to a processing core running the SND. The dispatcher is executed when a packet should be forwarded to a CoreXL FW instance (in Slow path and Medium path - see sk98737 for details) and is in charge of selecting the CoreXL FW instance that will inspects the packet. In R77.20 and lower versions, traffic distribution between CoreXL FW instances is statically based on Source IP addresses, Destination IP addresses, and the IP 'Protocol' type. Therefore, there are possible scenarios where one or more CoreXL FW instances would handle more connections, or perform more processing on the packets forwarded to them, than the other CoreXL FW instances. This may lead to a situation, where the load is not balanced across the CPU cores, on which the CoreXL FW instances are running. Tuning Tip: Use Dynamic Dispatcher depending on the situation.sk105261 - CoreXL Dynamic Dispatcher in R77.30 / R80.10 and above  Tip 16 - SMT (Hyper Threading) Hyper Threading Technology is a form of Simultaneous Multithreading Technology (SMT) introduced by Intel. Architecturally, a processor with Hyper-Threading technology consists of two logical processors per core, each of which has its own processor architectural state. Each logical processor can be individually halted, interrupted or directed to execute a specified thread, independently from the other logical processor sharing the same physical core. SMT (also called HyperThreading or HT) is a feature that is supported on Check Point appliances running Gaia OS. When enabled, SMT doubles the number of logical CPUs on the Security Gateway, which enhances physical processor utilization. When SMT is disabled, the number of logical CPUs equals the number of physical cores. SMT improves performance up to 30% on NGFW software blades such as IPS, Application & URL Filtering and Threat Prevention by increasing the number of CoreXL FW instances based on the number of logical CPUs. Tuning Tip: Enable SMT on appliances and disable SMT on open server. sk93000 - SMT (HyperThreading) Feature Guide R80.x - Performance Tuning Tip - SMT (Hyper Threading)   Tip 17 - HTTPS Interception vs. SNI With enabled HTTPS interception: If the https interception is enabled, the parameter host from http header can be used for the url because the traffic is analyzed by active streaming. Check Point Active Streaming (CPAS) allow the changing of data, we play the role of “man in the middle”. CPAS breaks the connection into two parts using our own stack – this mean, we are responsible for all the stack work (dealing with options, retransmissions, timers etc.). An application is register to CPAS when a connection start and supply callbacks for event handler and read handler. CPAS breaks the HTTPS connection and others into two parts using our own stack – this mean, we are responsible for all the stack work (dealing with options, retransmissions, timers etc.)  Without enabled HTTPS interception (SNI is used): If the https interception is disabled, SNI is used to recognize the virtual URL for application control and url filtering. It is less resource intensive than HTTPS interception Tuning Tip: Prefer SNI to HTTPS interception, if you only use application control and url filtering. sk108202 - HTTPS Inspection URL Filtering using SNI for HTTPS websites.pdf R80.20 - SNI vs. enabled HTTPS Interception    Tip 18 - Network Interfaces and Server Hardware Only use certified hardware for open server and network cards. Prevent network and packet  errors on the network cards. Tuning Tip: Use supported hardware only and avoid network card issus. HCL R80.x - Performance Tuning Tip - Intel Hardware   Tip 19 - Interface Errors   RX-ERR: Should be zero.  Caused by cabling problem, electrical interference, or a bad port.  Examples: framing errors, short frames/runts, late collisions caused by duplex mismatch.Tuning Tip:  First and easy check duplex mismatch RX-OVR: Should be zero.  Overrun in NIC hardware buffering.  Solved by using a higher-speed NIC, bonding multiple interfaces, or enabling Ethernet Flow Control (controversial).  Tuning Tip:  Use higher speed NIC's or bond interfacesRX-DRP: Should be less than 0.1% of RX-OK.  Caused by a network ring buffer overflow in the Gaia kernel due to the inability of SoftIRQ to empty the ring buffer fast enough.  Solved by allocating more SND/IRQ cores in CoreXL (always the first step), enabling Multi-Queue, or as a last resort increasing the ring buffer size. Tuning Tip:  Use more SND/IRQ cores in CoreXL sk61962 - SMP IRQ Affinity on Check Point Security Gateway sk33250 - Automatic SIM Affinity on Multi-Core CPU Systems Performance Tuning R80.30 Administration Guide – Multi-Queue R80.x - Performance Tuning Tip - Multi Queue   Tip 20 - Elephant Flows (Heavy Connections) n computer networking, an elephant flow (heavy connection) is an extremely large in total bytes continuous flow set up by a TCP or other protocol flow measured over a network link. Elephant flows, though not numerous, can occupy a disproportionate share of the total bandwidth over a period of time.  When the observations were made that a small number of flows carry the majority of Internet traffic and the remainder consists of a large number of flows that carry very little Internet traffic (mice flows). All packets associated with that elephant flow must be handled by the same firewall worker core (CoreXL instance). Packets could be dropped by Firewall when CPU cores, on which Firewall runs, are fully utilized. Such packet loss might occur regardless of the connection's type. What typically produces heavy connections: System backups Database backups VMWare sync. Evaluation of heavy connections (epehant flows)A first indication is a high CPU load on a core if all other cores have a normal CPU load. This can be displayed very nicely with "top". Ok, now a core has 100% CPU usage. What can we do now? For this there is a SK105762 to activate "Firewall Priority Queues".  This feature allows the administrator to monitor the heavy connections that consume the most CPU resources without interrupting the normal operation of the Firewall. After enabling this feature, the relevant information is available in CPView Utility. The system saves heavy connection data for the last 24 hours and CPDiag has a matching collector which uploads this data for diagnosis purposes. Heavy connection flow system definition on Check Point gateways: Specific instance CPU is over 60% Suspected connection lasts more than 10s Suspected connection utilizes more than 50% of the total work the instance does. In other words, connection CPU utilization must be > 30%   Tuning Tip: Check for heavy connections on the situation sk105762 - Firewall Priority Queues in R77.30 / R80.10 and above R80.x - Performance Tuning Tip - Elephant Flows (Heavy Connections)   
Satdefender
Satdefender inside General Topics Wednesday
views 845 6

Slow SCCM Imaging with R80.20

Since we have upgraded Management and Gateways to R80.20 T101 we've had a lot of latency issues with SCCM imaging our laptops. A 13500 appliance sits between the imaging laptop and the SCCM server.In our packet captures we can see 3 Retransmission packets before a 4th allows traffic through. This behavior happens continuously. We believe this is the cause for the laptops that took 45 mins to image to now take 3.5 hours. The following Blades are active:FW,VPN,IPS,App,URL,AV,ABThe FW policy allows connection to the imaging server using standard TCP and UDP ports. But the rest of the policy in other sections is using Updateable Objects (to support O365) and domain objects. I state that other information because I'm not sure if that will affect performance.We have tried the follow actions to address the issue without success:Rebuilt SCCM Management Point and Distro Points.Failover to the standby cluster memberdisable fwaccelEnsured there were no drops in FW policycreated custom application risk level lowUnchecked "Block requests when web service is unavailable" in Blades - AppControl Advanced SettingsIn Blades - AppControl - Website categorization mode: BackgroundIn Blades - Threat Prevention- Website categorization mode: BackgroundValidated the networking is solid the whole way. The laptop images fine when the gateway isn't in the path.CPU runs less than 10% averageAll errors resolved in a zdebug + drop I would appreciate some suggestions on where to look next.  _Vic_
Carsten_Weber
Carsten_Weber inside General Topics Wednesday
views 318 6

"Give us feedback" ...NOT!

Hi Check Point Secure Knowledge (SK) Website Team,In case no one mentioned it already...The "Give us feedback" section below every SK-article does not work (anymore). I noticed this yesterday beside having to prove me being no robot. I was about to report something not quite right but received an error message (IE,FF,Chrome from different PCs and Networks...yes, I'm persistent): (PS: I encrypted the contents of my "Comment" in this picture, so no one can read it)As this is not customer related but feedback to Check Point, I do not want to open a ticket.Whom can I contact regarding this not working and things like this in general (Website support)?Does anyone else have this kind of problem?Best RegardsCarsten
ProxyOps
ProxyOps inside General Topics Wednesday
views 262 2

R80.40 - Identity Awareness Questions

Hello, we are looking forward to the upcoming changes for IA in r80.40 I have two questions about the new things for IA: 1. We are currently using the Identity Broker with a special R80.10 take. How can we migrate from this special R80.10 take to r80.40 ? Will the existing Identity Broker Configuration persist with an inplace upgrade ? 2. We faced many diffrent Issues with the MUH Agent in the past and we are looking forward for the upcoming improvments. Has somebody already some insights, about the mentionend "Enhancements" and "better scaling and compatibility" features ? GreetingsNiklas
Load More