Jessie_Rich
Jessie_Rich inside General Topics 9 hours ago
views 169 4

Internal firewall anti-spoofing

I have 2 networks separated by a firewall and then an internet-facing firewall. I am getting anti-spoofing alerts on traffic passing through my internal firewall from the internet.

Topology looks something like this:

Network-A >>> InternalFW >>>> Network-B >>>>> internetFW >>>>>> Internet

On the Network-B facing interfaces on both firewalls I have only my Network-B networks defined in the topology. I assume on the InternalFW I need to add the internet to the topology on the interface connected to Network-B? To not mess up anti-spoofing on the internetFW, I assume I would create separate network groups for my topology on the internal and internet firewalls?

Thank you for any advice you can give.
Muazzam
Muazzam inside General Topics 9 hours ago
views 110 2

NAT Exhaustion - Hide NAT failures

Environment: MDS R80.20, Gateway R77.30 T216, Hardware 13800. Cores are not overloaded, stays around 30-60%.

We see a lot of "hide NAT failure" messages in firewall logs. Users report latency and page not found at that time. Adding additional NAT addresses on top of existing hide NAT addresses resolves the issue, but my concern is the output of these commands that I am using to check the number of times each of my hide NAT addresses is used:

[Expert@R77.30GTW]# fw tab -u -t connections | grep -ci bbxxxx0a
165032
[Expert@R77.30GTW]# fw tab -u -t connections | grep -ci bbxxxx0b
184938
[Expert@R77.30GTW]# fw tab -u -t connections | grep -ci bbxxxx0c
105793

Note: No error messages or user complaints at this point. Also note that these numbers have not changed much in the last few days, since the time we had the issues.

Do these numbers look real? If we divide the output by 2, we are still talking about the 50K to 90K range, which is theoretically not possible. Is it possible that some connections got stuck, not getting released or something?
MattDunn
MattDunn inside General Topics 12 hours ago
views 65 3

Thoughts on a random cluster problem?

Hi all,

Every now and then a customer (same customer) emails me to say "the firewall has gone down again and killed our replication jobs". After several weeks with no problem, this happened again twice yesterday. I found logs in both SmartLog and /var/log/messages which match the times of the connectivity drop. Interestingly it only seems to moan about VLAN 52, so the physical eth3 interface and the other VLANs on that interface appear to be OK. One thing to note is that the cluster members are at different sites, so my initial thought is some kind of networking issue? Possibly latency if the leased line is being saturated? I've asked the people that support the network to look into this. Does anyone else have any different thoughts on what could be causing VLAN 52 to lose comms between the cluster members?

Thanks,
Matt

Sep 18 16:28:01 2019 xxxxxxxx-fwa kernel: [fw4_1];CLUS-110305-1: State change: ACTIVE -> ACTIVE(!) | Reason: Interface eth2 is down (Cluster Control Protocol packets are not received)
Sep 18 16:28:02 2019 xxxxxxxx-fwa kernel: [fw4_1];CLUS-110305-1: State remains: ACTIVE! | Reason: Interface eth3.52 is down (Cluster Control Protocol packets are not received)
Sep 18 16:28:02 2019 xxxxxxxx-fwa kernel: [fw4_1];CLUS-210300-1: Remote member 2 (state STANDBY -> DOWN) | Reason: Interface is down (Cluster Control Protocol packets are not received)
Sep 18 16:28:02 2019 xxxxxxxx-fwa kernel: [fw4_1];fwldbcast_handle_retrans_request: Updated bchosts_mask to 1
Sep 18 16:28:02 2019 xxxxxxxx-fwa kernel: [fw4_0];fwldbcast_handle_retrans_request: Updated bchosts_mask to 1
Sep 18 16:28:02 2019 xxxxxxxx-fwa kernel: [fw4_1];CLUS-214802-1: Remote member 2 (state DOWN -> STANDBY) | Reason: There is already an ACTIVE member in the cluster
Sep 18 16:28:02 2019 xxxxxxxx-fwa kernel: [fw4_1];CLUS-100102-1: Failover member 1 -> member 2 | Reason: Interface eth3.52 is down (Cluster Control Protocol packets are not received)
Sep 18 16:28:22 2019 xxxxxxxx-fwa kernel: [fw4_1];check_other_machine_activity: Update state of member id 1 to DEAD, didn't hear from it since 930450.9 and now 930453.9
Sep 18 16:28:22 2019 xxxxxxxx-fwa kernel: [fw4_1];CLUS-216400-1: Remote member 2 (state STANDBY -> LOST) | Reason: Timeout Control Protocol packet expired member declared as DEAD
Sep 18 16:28:48 2019 xxxxxxxx-fwa kernel: [fw4_1];CLUS-210300-1: Remote member 2 (state LOST -> DOWN) | Reason: Interface is down (Cluster Control Protocol packets are not received)
Sep 18 16:28:48 2019 xxxxxxxx-fwa kernel: [fw4_1];CLUS-114904-1: State change: ACTIVE(!) -> ACTIVE | Reason: Reason for ACTIVE! alert has been resolved
Sep 18 16:28:48 2019 xxxxxxxx-fwa kernel: [fw4_1];CLUS-214802-1: Remote member 2 (state DOWN -> STANDBY) | Reason: There is already an ACTIVE member in the cluster
Sep 18 16:43:30 2019 xxxxxxxx-fwa kernel: [fw4_1];CLUS-210300-1: Remote member 2 (state STANDBY -> DOWN) | Reason: Interface is down (Cluster Control Protocol packets are not received)
Sep 18 16:43:30 2019 xxxxxxxx-fwa kernel: [fw4_1];fwldbcast_handle_retrans_request: Updated bchosts_mask to 1
Sep 18 16:43:30 2019 xxxxxxxx-fwa kernel: [fw4_1];CLUS-110305-1: State change: ACTIVE -> ACTIVE(!) | Reason: Interface eth3.52 is down (Cluster Control Protocol packets are not received)
Sep 18 16:43:31 2019 xxxxxxxx-fwa kernel: [fw4_1];CLUS-214802-1: Remote member 2 (state DOWN -> STANDBY) | Reason: There is already an ACTIVE member in the cluster
Sep 18 16:43:31 2019 xxxxxxxx-fwa kernel: [fw4_1];CLUS-100102-1: Failover member 1 -> member 2 | Reason: Interface eth3.52 is down (Cluster Control Protocol packets are not received)
Sep 18 16:43:52 2019 xxxxxxxx-fwa kernel: [fw4_1];check_other_machine_activity: Update state of member id 1 to DEAD, didn't hear from it since 931378.3 and now 931381.3
Sep 18 16:43:52 2019 xxxxxxxx-fwa kernel: [fw4_1];CLUS-216400-1: Remote member 2 (state STANDBY -> LOST) | Reason: Timeout Control Protocol packet expired member declared as DEAD
Sep 18 16:45:25 2019 xxxxxxxx-fwa kernel: [fw4_1];CLUS-114904-1: State change: ACTIVE(!) -> ACTIVE | Reason: Reason for ACTIVE! alert has been resolved
Sep 18 16:45:25 2019 xxxxxxxx-fwa kernel: [fw4_1];CLUS-214802-1: Remote member 2 (state LOST -> STANDBY) | Reason: There is already an ACTIVE member in the cluster
guesstimation
guesstimation inside General Topics 16 hours ago
views 61 2

Cluster re-sync

Hello,

During network maintenance we have to break the Sync link between CP HA cluster nodes. After we reconnect our Sync, how do we ensure/verify that the cluster nodes are in sync? Will it recognize that it lost a number of Sync packets and try to resend them, or not? Do we need to somehow force a re-sync?
VictorPG
VictorPG inside General Topics 16 hours ago
views 84 8

Question about overlapping vpn domain same management

Hello Everybody,

I have a little question that has been bothering me for a while. Let's say that I have a management with a VSX with 2 Virtual Systems (VS_A and VS_B). VS_A has a site-to-site VPN with peerA that has the network 172.16.20.0/24 (remote domain), and now I want to create a site-to-site with VS_B with peerB (a totally different site from peerA) that has as remote domain 172.16.20.1, 172.16.20.2 (and maybe also the whole 172.16.20.0/24).

Would this cause overlapping even though they are different Firewalls? If that is the case, is there a way to solve this? (Maybe having a multidomain with different CMAs for each VS, for example.)

Thanks in advance
6dd15084-b97a-4
6dd15084-b97a-4 inside General Topics 19 hours ago
views 89 2

Log server r80.10

Hello gents.

We have 4 R77.30 cluster-configured gateways and we wanted to create 1 central log server with R80.10. We wanted to keep a backup of at least 3 months or more. Can you please guide me through the process to do that, and also the hardware capability for the server?
Valeri_Loukine
inside General Topics 20 hours ago
views 13120 75 2
Admin

Propose your Idea of the Year!

Yes, it is this time of year again. Same as one year ago, we turn to the community and ask you, good folks, to propose the idea of the year. Or, better: The Idea Of The Year!

The rules are the same as before: it is about ideas that you wish Check Point would develop into a product/service offering, or improvements to existing ones. Do you think we miss something important, or that we should consider expanding our product portfolio, feature set, functionalities, get to a completely new playground, change the rules of the game? Tell us NOW!

A few disclaimers/notes: There are no guarantees that any idea suggested will be developed, even the "Idea Of The Year". From the suggestions below, we will choose 3-5 ideas which will be put up for voting later on. Preference will be given to ideas that come from customers and partners, though employees are welcome to participate as well. "Likes" and "discussion" around specific ideas will influence (but not wholly determine) the final list, so if you like something someone has suggested, let it be known! @Dorit_Dor and R&D leaders will choose the best ideas, and if you win, you will get a prize! What prize? We will tell you later.

Get creative, use your imagination and PROPOSE!
Ravindra_Yadav
Ravindra_Yadav inside General Topics 21 hours ago
views 120 7

Issue with Checkpoint cluster

Dear Team,

I am facing a connectivity issue for one of my servers. When I point to the Cluster IP as gateway, I am not able to reach the device, but when I configure an individual cluster member as gateway, it is working perfectly fine. What could be the issue? My Checkpoint cluster is in HA mode.
TG_Mai
TG_Mai inside General Topics yesterday
views 55

Disable CBC mode cipher and enable GCM cipher mode for https inspection

Hello, we have R80.10 with HTTPS inspection on. Does anyone know how to disable the CBC mode cipher for TLS_ECDHE_RSA * in the HTTPS inspection?

There is an SK showing how to allow specific cipher suites only for VPN in R80.10:
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk126613&partition=Advanced&product=Security#10

Any help would be great, thank you.
TG
MattDunn
MattDunn inside General Topics yesterday
views 504 4

VPN Issue - Wrong IP

Hi,

I have a gateway with several VPNs on. Some via the Internet, and some routed internally via MPLS lines. These all work fine. Now I'm trying to set up a new site-to-site VPN and it isn't working. Here's what I'm trying to do:

So my peer IP is a DMZ interface - 12.12.12.178.
I'm VPNing to remote peer IP 192.168.145.10.
On the firewall I'm routing 192.168.145.0/24 via 12.12.12.224.

Firewall-A> show route destination 192.168.145.10
Codes: C - Connected, S - Static, R - RIP, B - BGP (D - Default), O - OSPF IntraArea (IA - InterArea, E - External, N - NSSA), A - Aggregate, K - Kernel Remnant, H - Hidden, P - Suppressed, U - Unreachable, i - Inactive
S 192.168.145.0/24 via 12.12.12.224, eth2.105, cost 0, age 279519

I have an existing VPN set up in the same way via a different DMZ interface and that works fine - although I'm reminded that we had exactly the same problem when setting that up, and I fixed it on my side. I just can't remember what I did to fix it, hence asking for help! The problem is that the remote side is seeing me coming from the gateway's public "main IP" - shown as A.A.A.A on the diagram. In IkeView I see IPs 192.168.145.10 and 12.12.12.178 in packets 1 to 5, then in packet 6 I'm sending my public A.A.A.A IP to the remote peer. I don't understand why?

On my gateway I've got VPN link selection set as follows, using the routing table, which is correct. I can't really alter this, otherwise existing VPNs will stop working.

Does anyone know what else I need to do to stop P1 Packet 6 sending my A.A.A.A IP instead of the correct 12.12.12.178 IP?

Thanks,
Matt
lsuastegui
lsuastegui inside General Topics yesterday
views 47

Checkpoint Site-to-Site VPN with Opnsense 19.7

Hi there,

I'm trying to establish a site-to-site VPN with an Opnsense 19.7. The VPN is established, but has a strange behavior (latency, disconnections); both firewalls are in the same network. I am looking for a VPN Compatibility Matrix where I can check whether this "opnsense" firewall is certified to function with a Checkpoint. If anyone knows anything, any help will be helpful.

Thanks for the help
shuangqing_li
shuangqing_li inside General Topics yesterday
views 52 2

ccsm r77 upgrade to ccsm r80

Which exam should I take? Can I directly take the exam 156-115.80 to upgrade?
Jesus_Vladimir_
Jesus_Vladimir_ inside General Topics yesterday
views 2641 18 1

PBR With Multiple Tracking

Hi, how do I configure PBR for automatic redundancy? I tried Priority but it is not functioning.

Regards
REconfigure
REconfigure inside General Topics yesterday
views 316 10 6

R80.20 strange behaviour - random TCP session timeout values - fw ctl conntab

Hi Community!

After upgrading to R80.20 I verified the session tables of our fw gateways with the "fw ctl conntab" command. I found out that all upgraded gateways have random TCP session timeouts for a session displayed, and not the actually configured value for the service. I checked it on more than 20 different GWs; it's always the same. For a global value of 7200 sec, there is sometimes 4642 or even as low as 1058 sec, or higher, 7205 etc., in the output next to the TTL - same rule/same service. In older versions like 77.20 it's always exactly the configured value, for example 7200 sec, in the output.

Can anyone verify this? Is this only cosmetic, or could this lead to sessions falling out of the table too soon?

Attached you can find screenshots with example output of an R77.20 and an R80.20 gateway.
Di_Junior
Di_Junior inside General Topics yesterday
views 98 2

ISP IP Blacklist

Dear Mates,

This is not a technical question but more of a general question on which I would really appreciate your feedback. We are an ISP, and we provide services to many enterprises. Our clients are usually finding the IP addresses we allocate to them in some blacklists, which sometimes prevents them from using certain services on the Internet until the IPs are removed from the blacklist. Taking into account that we do not have control over what our clients do to get them blacklisted, I would like to know whether there is something we as the ISP can do in order to minimize the risk of our clients getting blacklisted.

Thanks in Advance