Vladimir
Vladimir inside General Topics 6 hours ago
views 1224 11

Default and maximum memory per VS in VSX R80.10

Since R80.10 virtual systems are 64 bit, how does the memory allocation per VS instance work in it, and could the amount of RAM for VS's be configured either globally or per VS?
Emanuel_Miut
Emanuel_Miut inside General Topics 12 hours ago
views 9

IA terminal servers and identity agents

Hello,

We are currently using IA with identity agents on Gaia 77.30 and the need was to enable IA terminal servers. Will this impact in any way the identity agents we are already running? Can both solutions be enabled at the same time? Identity agents will probably be removed once the terminal server solution is fully functional.

Thank you!
Federico-M
Federico-M inside General Topics 17 hours ago
views 106 2 4

Outbound SSL Inspection: A war story

Hello everyone,

I'm looking to share my experience and concerns regarding the current state of SSL Inspection in general and with Check Point. I'm also looking to see what your approach is in this matter.

Important: This post is strictly about Outbound SSL Inspection; my experience with inbound is limited with Check Point.

I'll start by making a vendor-agnostic statement: One of the things that bothers me most about this subject is that there are many people who state that they have this technology implemented in their organizations and have no issues at all. After I met those organizations I found one of the following:

- They have 10 users at most.
- Their SSL Inspection technology is shady: SSL Inspection is enabled but there is a working and HUGE fail open at the bottom of the engine; if there's something that may cause issues, the connection is accepted, the log shows that the packet was "Inspected" and everyone is happy.
- They think they have SSL Inspection but they don't have it enabled; instead they have a feature similar to Categorize HTTPS sites.

My personal experience

We all know the importance of inspecting HTTPS traffic in our network due to visibility and security, but at times I feel like this way of thinking is my InfoSec persona speaking that only gives woo woo advice to the business regarding security and doesn't even know how to install an antivirus software. Why? Because properly implementing this solution is just painful. I also know that most customers don't even want to dive into this matter and prefer to lay this layer of security into their endpoint solutions; even if it's not the same, I respect that.

Within our customers we have one in particular that is very tech savvy, with 900+ users, and likes to turn on all the features in their NGFW, and one of the requirements was to enable full outgoing SSL inspection in the Check Point firewall. We started with this customer years ago with R77.30 in gateways, so you can imagine that I've been through all kinds of fun experiences with SSL Inspection.

We have fully tested SSL Inspection in the following versions: R77.30 / R80.10 / R80.30

During this journey we went through a lot of information; there are many awesome posts here in Check Mates, SKs, SRs with the TAC, you name it.

Issues that we faced

The following is a summarized list of issues that we had.

- Heavy performance issues in R77.30 (Fixed in R80.10+)
- There are many pages that fail to load or load sometimes.
- There are many pages that work but after you enter a specific section just a login page, they fail.
- Sophos Antivirus solution doesn't work, either install or updates: There are some posts about this issue
- AWS Connectors failing: (Solved in R80.30)

The issue with Check Point and Outbound SSL inspection

I really like Check Point firewalls, but sometimes I feel that they take control from the administrator. One of the first things that we did was to disable all the options regarding dropping connections that don't follow the RFC line by line, allowing connections to not trusted certificates, we have tried it all, and still we faced a lot of issues.

- Bypassing the connection? Good luck with that, Check Point firewalls always inspect the first packet and only by that there are many connections that fail.
- Probe bypass to mitigate the previous issue? Sure, be prepared to have other issues due to SNI verification.
- Fail open in probe bypass? This was a huge surprise after it was changed in Take 189, but we still had a lot of issues after enabling this flag.
- WSTLSD debug? Many times, good luck not taking down the firewall with it and be prepared to wait a long time for the TAC to inspect it, not their fault, it's just really hard to troubleshoot these issues.

The only way that we found to properly bypass connections was to exclude it COMPLETELY from the SSL policy.

Example: Let's say that you have two network segments and you only want to inspect traffic in one of them:

What most people do

In this example all traffic from 10.0.0.0 will be inspected; however, you probably will have some issues in the 192.168.0.0 network as well, since the bypass action enforces inspecting the first packet of the SSL Handshake.

Only way to do nothing with the connections

In our research we found that the only way to properly bypass a connection was excluding it completely from the policy. Obviously this approach is not scalable and somewhat utopic in a big network.

The most stable scenario that we reached

We reached a state of stability in R80.10 with the JHF prior to 189 and by enabling the following flags and features:

- appi_urlf_ssl_cn_allow_not_rfc_ssl_protocols=1 (Don't know where I got this, also there is no documentation about it)
- enhanced_ssl_inspection 1 (Probe bypass)
- bypass_on_enhanced_ssl_inspection 1 (Fail open probe bypass)
- Almost all features that drop packets turned off in SSL Inspection.
- HTTPS Categorization was turned on.

Sophos antivirus worked fine, issues with web pages went down to a minimum.

The journey to R80.30

We decided to migrate one of the cluster members to R80.30 to test the new SSL Inspection engine and to solve some issues that we had with UserCheck. After the deployment we had some issues regarding:

- Proxy ARP: https://community.checkpoint.com/t5/Enterprise-Appliances-and-Gaia/Proxy-ARP-after-upgrade-to-R80-30/m-p/58315/highlight/true
- Some Inspection Settings that started to cause issues in R80.30 and not previously.

We sorted them all and the first impression was just great:

- AWS Connectors worked flawlessly without enabling any of the previously stated kernel flags.
- Sophos Antivirus could get updated without enabling any of the previously stated kernel flags.
- All the services detailed in the preliminary testing document worked great.

The next day a waterfall of user complaints started to appear:

- Sophos Antivirus could not be installed: Updates worked fine but installation failed. After looking into the logs no traffic was dropped (Logs and output from fw ctl zdebug). The only log was a Detect regarding untrusted certificates which we configured to accept in the SSL settings. We tried the flags, setting up a FQDN object just for *.sophos.com and setting this up in the SSL Inspection policy and still failed.
- The main billing service of the company stopped working, again, no logs or possible leads why. We even looked at PCAPs and all seemed fine from the firewall perspective. As soon as we routed this traffic through the pfSense everything worked flawlessly.
- Another invoice service stopped working: Again, no leads whatsoever, after we routed this traffic through pfSense all started to work.
- Webpages that did not load properly or have some functions affected.

We tried everything, performing captures by turning off SecureXL; even the bypass flags could not solve these issues in R80.30. We had these issues in R80.10 and after turning on the different flags all worked, but not in this new version.

At this point there were many issues impacting production; we blocked one hole and another 10 appeared. It was just impossible to properly troubleshoot each issue, we had no other option but to go back to our most stable version.

Future plans

There is no way to deploy SSL Inspection without issues; problem is that these issues will probably affect your production environment heavily, there is no way that you can test all your organization's use cases, also there is no way to properly assure functionality in a lab environment.

Our main concern now is the remote possibility that we will have to live for life in R80.10. We know that we will have to update sooner or later; that's why now we are implementing a parallel CHKP Frontier such as we have our failback pfSense. This new gateway will have R80.30 with the same features; think of it as a hybrid testing/production environment.

The main idea is to route certain subnets to the R80.30 gateway and study their behaviour and troubleshoot without all the user complaining.

Concerns regarding the current state of SSL Inspection

- Check Point firewalls don't provide a proper solution to bypass desired SSL Traffic, therefore it is really hard to deploy this solution in a big environment.
- Lab tests are not representative, only way to test is in production.
- Really difficult to troubleshoot: Many times there are no leads and everything seems fine in the firewall, forcing you to perform PCAPs on different parts of the network and debugging.
- Check Point's current approach on SSL Inspection impacts image perception of the brand: I hear it all the time "I have a friend who inspects SSL traffic with YYY and has no issues". Most people don't know that it's more of a technology issue in general regarding SSL/TLS instead of a Check Point fault, but other vendors offer this functionality and have fail back mechanisms that work without the user knowing; it's less secure but at the end of the day the main metric is functionality and not security in most cases.

Hope this post helps you in implementing this feature in a harmless way.

Regards,
HeikoAnkenbrand
HeikoAnkenbrand inside General Topics yesterday
views 147222 37 144

R80.30 cheat sheet - ClusterXL

Introduction

This overview gives you a view of the changes in R80.30 ClusterXL. All R80.10 and R80.20 changes are contained in this command overview (cheat sheet). You can download the cheat sheet at the end of this article as a PDF file.

Cheat Sheet

Chapter

Architecture:
- R80.x Security Gateway Architecture (Logical Packet Flow)
- R80.x Security Gateway Architecture (Content Inspection)
- R80.x Security Gateway Architecture (Acceleration Card Offloading)
- R80.x Ports Used for Communication by Various Check Point Modules

Performance Tuning:
- R80.x Performance Tuning Tip - AES-NI
- R80.x Performance Tuning Tip - SMT (Hyper Threading)
- R80.x Performance Tuning Tip - Multi Queue
- R80.x Performance Tuning Tip - Connection Table
- R80.x Performance Tuning Tip - fw monitor
- R80.x Performance Tuning Tip - TCPDUMP vs. CPPCAP
- R80.x Performance Tuning Tip – DDoS „fw sam“ vs. „fwaccel dos“

Cheat Sheet:
- R80.x cheat sheet - fw monitor
- R80.x cheat sheet - ClusterXL

More interesting articles:
- Article list (Heiko Ankenbrand)

References

- sk56202 - How to troubleshoot failovers in ClusterXL
- sk62570 - How to troubleshoot failovers in ClusterXL - Advanced Guide
- sk92723 - Cluster flapping prevention
- sk43984 - Interface flapping when cluster interfaces are connected through several switches
- sk83220 - How to collect ClusterXL debug during boot
- sk31499 - How to find out the Multicast MAC Addresses that are associated with Cluster Virtual interfaces
- sk92909 - How to debug ClusterXL to understand why a connection is not synchronized
- sk55081 - Best practice for manual fail-over in ClusterXL
- sk92723 - Cluster flapping prevention
- sk32578 - SecureXL Mechanism
- sk33781 - Performance analysis for Security Gateway NGX R65 / R7x
jc332
jc332 inside General Topics Friday
views 113 6

Zoom Meeting Issues with SecureXL

Hi there,

We're having issues with Zoom meetings when SecureXL is turned on. The meeting connects and runs fine for ~15 mins before one end will appear to freeze (video and audio) and eventually disconnect (although users usually notice first and restart it themselves before it disconnects). This will repeat itself until we turn SecureXL off.

The thing is, SecureXL can be turned on for a number of days or even weeks with multiple Zoom meetings happening per day before we see any issues. We saw this issue in R77.30 and it remains even since we've migrated to R80.30. I suppose it could still be unrelated or there may of course be something else at play.

Hardware is a pair of 15400 appliances (ClusterXL).

I have a TAC case open but obviously they want logs etc. from the time the issue is occurring, which are hard to provide as the focus was on turning off SecureXL at the time to get the meeting running smoothly, and we can't really turn it back on and risk breaking more meetings due to the nature of them.

I have been trying to reproduce the issue through a pair of 3100s running R80.30 with SecureXL turned on, without success. But obviously there are many differences here (it could be specific to that hardware...).

Obviously we'd rather have it turned on, so I was just wondering if anyone had seen any similar issues and had any advice?

Many thanks in advance.

Josh
Rick_Rodrix
Rick_Rodrix inside General Topics Friday
views 43 1

To prevent VPN access from internal network

Hello there!

I've been asked to prevent users from connecting to the VPN from the internal network. Some coworkers, rather than solve an internal software bug, discovered that the software worked if they connect through VPN from the internal network. Yes, it happens.

Is there a way to prevent this from happening? I don't want to allow people to use Endpoint Security VPN from the internal network.

Thanks.
Maik
Maik inside General Topics Friday
views 3777 31 6

TCP SACK PANIC - Kernel vulnerabilities | Check Point affected?

Hello,

Just wanted to ask for a statement from Check Point regarding CVE-2019-11477, CVE-2019-11478 & CVE-2019-11479. As Red Hat posted a statement and mentioned several releases are affected, my guess is that Check Point with GAiA is affected too (as based on RH Linux...).

Details can be read below:
https://access.redhat.com/security/vulnerabilities/tcpsack

Regards,
Maik
Sushil_Kumar
Sushil_Kumar inside General Topics Friday
views 50 2

Traffic is not passing through correct rule in case of route based vpn with third party device

Hi All,

I have set up a route based VPN between checkpoint R8.10 and fortigate firewall. Both tunnels are up, but traffic is not passing through the rule that I have created for VPN.

Please help to resolve this issue.

With Regards,
Sushil Kumar
Moti
inside General Topics Friday
views 271661 192 108
Admin

My Top 3 Check Point CLI commands

Just had a fun geeky conversation with Dameon Welch Abernathy (AKA Phoneboy), Jony Fischbein, Jeff Schwartz and Michael Poublon (over 100 accumulated years of experience in Check Point products), on what are our favorite & most useful commands in a Check Point environment.

Below are my 3, plz add yours in the comments (we will do a poll for the top 5 after getting your feedback ...).

1) fw ctl zdebug drop
used to quickly see all dropped connections and more importantly the reason (e.g. anti-spoofing, IPS, FW rule, ....)

2) cpstat fw
quickly see stats of number of connections (accepted, denied, logged) with a breakdown
if the FW was under a high load i would usually run " watch --interval=1 'cpstat fw' " (would see a real-time to see the interface that is causing this)

3) fw tab -s -t connections
allowed me to quickly see how much load is (and was, i.e. "peak") on the FW

that's it (i have more, but i want to hear yours ...)

plz add yours in the comments (we will do a poll for the top 5 after getting your feedback ...)
Chanatip_Adisak
Chanatip_Adisak inside General Topics Friday
views 96 2

When will checkpoint support the Load Sharing mode in either R80.20 and R80.30?

Dear Check Point Team,

Regarding the known issue that ClusterXL R80.20 and above does not support Load Sharing mode: SmartConsole therefore blocks such a configuration with a warning message. I would like to know when it will be fixed and supported as in R80.10.

Regards,
Sarm
Philip_W
Philip_W inside General Topics Friday
views 281 9 1

high cpu allowed but unknown traffic

Hi Checkmates,

For the second week in a row, over the weekend we have been experiencing heavy (allowed) traffic through our VSX (R77.30) toward servers located behind our load balancers. This causes high CPU usage on 2 cores and now we are fearing some targeted DDOS or reconnaissance action is taking place.

We received no complaints from users or server admins. We know which VS is impacted but are having difficulties identifying exactly what is happening. To this end I used:

fw tab -u -t connections | awk '{ print $2 }' | sort -n | uniq -c | sort -nr | head -10

from 'My top 3 CLI commands' (where Timothy shared a way of showing the top ten source IPs hogging slots in the connection table). This gave us some IPs, but basically we could see that in Smartlog too.

How could we investigate this any deeper? Taking a .cap wouldn't help a lot, or would it?

Any ideas?
Timo_Laufer
Timo_Laufer inside General Topics Friday
views 69 3 1

multi queue compatible 10 Gbit/s network cards

Is there a list of multi queueing compatible 10 Gbit/s network cards?
Danny
Danny inside General Topics Friday
views 64327 176 171

Common Check Point Commands (ccc)

ccc is an interactive script to run common Check Point CLI tasks without having to crawl for cheat sheets, bookmarks, manuals or admin guides. GPL licensed.

Installation (expert mode) or download:

curl_cli http://dannyjung.de/ccc | zcat > /usr/bin/ccc && chmod +x /usr/bin/ccc

Changelog

0.1 - Initial Release - Inspired by Moti Sagey's Top 3 Check Point CLI commands thread
0.2 - Added more commands
0.3 - Interactive Mode added by Marko Keca
0.4 - Added more commands, removed a bug with the 'View all commands' option, Interface Cleanups
0.5 - Added advanced interface summary developed in this thread
0.6 - Implemented enhancements as suggested by Günther W. Albrecht and Martin Heim, added SIC status check for gateways, general code cleanup
0.7 - Added more Security Management commands and CPU + memory statistics
0.8 - Added IPS/Threat Prevention 'Panic Button' as described in this presentation by Timothy Hall and a command suggested by Maarten Sjouw plus more MDS/VSX commands
0.9 - Implemented enhancements as suggested by Mikael Johnsson and Sven Glock, added commands to enable/disable SecureXL
1.0 - Colors added for better user experience, dropping for out-of-state packets can now be turned on/off thanks to Dameon Welch Abernathy's thread, IPS Update Time is now shown on R80.x systems thanks to Jerom van den Hoek's thread and many other little adjustments to make this a real 1.x release
1.1 - Added system info to Main Menu (props to: Rosemarie Rodriguez & Nathan Davieau for their Healthcheck script), started a Threat Emulation & Extraction section, improved command coloring
1.2 - Enhanced system info as suggested by Martin Heim, improved system information for cluster status
1.3 - Code improvements, replaced several sed with faster tr and cut commands, added more cluster info to Main Menu, corrected checking routines as suggested by Günther W. Albrecht
1.4 - Added Identity Awareness commands, ability to check the postfix email queue (sk114034), MDS additions as suggested by Maarten Sjouw and output optimizations as suggested by Sven Glock
1.5 - Changed interactive mode to support arrow keys for navigation, added usage information, general performance improvements via Bash's builtin parameter substitution, various fixes
1.6 - Added self-update functionality as requested by Vladimir Yakovlev in this thread, implemented more tests to avoid calls to non-existing resources as mentioned by Günther W. Albrecht
1.7 - Fixed a nasty bug discovered by Aleksei Shelepov and Günther W. Albrecht
1.8 - Added commands to start/stop the ICA Management Tool, fixed a typo discovered by Ty King
1.9 - Added cpconfig and mdsconfig utilities, added ipassignment.conf integrity check, improved Multi-Core Performance Tuning commands
2.0 - Improved detection for supported OS as suggested by cciesec2006 at CPUG, added commands for CoreXL Dynamic Dispatcher and Firewall Priority Queue handling
2.1 - Added more details to system info (memory, CPU cores, CoreXL & SecureXL statistics), added migrate export command to Firewall Management section, improved several checks
2.2 - Fixed Firewall Management commands as suggested by Günther W. Albrecht
2.3 - Added more commands for mail handling tasks within Check Point Threat Emulation & code optimization as suggested by Maciej Maczka
2.4 - Added Threat Extraction Bypass commands as suggested by Niels van Sluis, added command to show calculated interface topology for easier address spoofing troubleshooting, general code and interface cleanup
2.5 - Added command to check the LOM of Check Point Appliances, improved Address Spoofing commands as suggested by Norbert Bohusch
2.6 - Improved system information as suggested by Michael Asher, added VPN routing information as developed in Heiko Ankenbrand's thread
2.7 - Added IA command as suggested by Hans Hartung. Introduced a QoS Troubleshooting section and several code improvements as suggested by Alexander Wilke
2.8 - Improved system info (new: SMT, CPU Load, Multi-Queue Interfaces and Dynamic Dispatcher), added more performance tuning commands, minor script code fixes
2.9 - Added more system info (new: Policy, Blades), improved check for number of Multi-Queue interfaces, added Postfix queue message distribution commands as suggested by Benoit Verove
3.0 - Improved script starting time, added status dots to script starting routine, added Jumbo Hotfix take number and free RAM to system info
3.1 - Added performance troubleshooting commands (sar, iotop etc.), added check for licensed cores and OS edition to system info, fixed a parameter gone in R80.20 as mentioned by Günther W. Albrecht
3.2 - Added more details to system info as suggested by Rolf Peeters and Jozko Mrkvicka, improved script code, added user confirmation before executing commands
3.3 - Added Endpoint Management support, improved check for number of permitted cores as discussed in this thread
3.4 - Added more warning markup to system info, added core & crash dump checks, added commands to view and edit the malware policy on Threat Prevention gateways
3.5 - Fixed a syntax error spotted by Kaloyan Metodiev, improved crash dump location check, added max power script command
3.6 - Replaced a Non-Standard ASCII character spotted by Martin Heim, added red warning label to SecureXL and CoreXL when disabled, minor code improvements
3.7 - Added Tim Hall's "Super Seven" performance assessment commands from this TechTalk session
3.8 - Added more commands to MDS Troubleshooting, fixed Multi-Domain Server OS string handling, improved error handling
3.9 - Revised the self-update mechanism to support user control, added more commands to Firewall Management and MDS Troubleshooting, minor code fixes
4.0 - Added support for t, f, g, h keys (when arrow keys don't work) as suggested by Vladimir Yakovlev
4.1 - Added blade update status, added Management server status as discussed in this thread, revised command to show VPN routes as suggested by Alibi in this post, added firewall inspection, address spoofing and IPS mode checks, added Geo Policy check as suggested in Tim Hall's presentation
4.2 - Added disk usage check, fixed CoreXL check, grouped VPN routes by peer, improved cpvinfo syntax as suggested by Günther W. Albrecht
4.3 - Added API status and version to menu info, added check for Any host access, added commands for CPUSE Deployment Agent handling, fixed syntax for disk usage check
4.4 - Added more VPN commands, added Geo Policy One-liner from this thread, added VSX-capabilities as requested by Kaspars Zibarts in this thread, added checks for NTP sync status, SNMP version and GUI clients, added info for dynamic objects, general code improvements

Planned

- Advanced checks for Sync interface
- MDS Support for easy +/- navigation between mdsenv's
- SMB appliance support
- Secure self-update routine
- GAiA cleanup tasks ($CPDIR/tmp/ cleanups, log compression etc.)
Ryan_St__Germai
Ryan_St__Germai inside General Topics Thursday
views 94 5

Intel X540-T2 on OpenServer running R80.20 3.10?

Is anyone aware of issues using the 10GB Intel X540-T2 network card with the 3.10 Kernel version of R80.20 or above? The HCL doesn't have a check mark for R80.20 3.10 kernel but wasn't sure if that is because the card hasn't officially been tested yet. Thanks, Ryan
carl_t
carl_t inside General Topics Thursday
views 62 1

Multiple VPN domains - when will it be supported?

Hi All

A few months back I posted a question around the support for Multiple VPN domains on the R80 Gateway; someone said this was on the roadmap for R80.30?

Is this still the case?

I have heard nothing for a while.

Many thanks