General Topics

Have a question and you can't figure out where to post about it after reading All Products and Where to Post About Them? Post it here!

stuart2020 inside General Topics 51m ago

Check Point R77.30 High CPU Slow Performance

We have been experiencing intermittent performance issues that cause connectivity through the firewall to run slow. This particularly impacts accessing systems over Site to Site VPNs and Remote Access VPN. We are running Check Point 15400 R77.30 in ClusterXL active/standby. The firewall has IPSec VPN, Mobile Access, IPS, Anti-Bot, Anti-Virus, URL Filtering and Application Control features enabled.

Looking at cpview, the CPU spiked on a particular core and stayed high for 6 hours before returning to normal. This time frame correlates with when the issue was reported and resolved. This issue occurred during a low usage period, so it doesn't seem to be caused by high traffic / connections on the firewall.

If anyone has any ideas or thoughts to resolve this issue, please let me know. Thank you.
PhoneBoy (Admin) inside General Topics 4 hours ago

New updatable object for HTTPS Inspection: HTTPS Services Bypass

We are glad to share a new usability enhancement for our HTTPS Inspection customers. Starting from R80.40, HTTPS Inspection customers will be able to consolidate their certificate-pinned apps rules using managed updatable objects. We've collected a list of HTTPS services which are known to be used in scenarios where HTTPS Inspection is unable to establish the trust between the client and the Security Gateway and is therefore unable to inspect the traffic. These HTTPS services are part of the "HTTPS services - bypass" updatable object. You can choose to add this object to the HTTPS Inspection policy as a bypass rule to avoid connectivity issues and/or to the Access policy as a drop rule to block these services explicitly. For further information please refer to sk163595. If you'd like to see some additional services added to this, let us know!
Gaurav_Pandya inside General Topics yesterday

Renew external (3rd party) certificate for IPSEC VPN

Hi, I want to renew the external certificate in the IPSec VPN tab as it will expire soon. I have gone through some docs and came to know that in a typical SSL configuration, you receive all the necessary certificates after you generate the CSR code and your CA validates your request. After the CA signs an SSL certificate, it sends a ZIP folder with the installation files to the applicant's email. Since Check Point VPN works the other way around, you have no choice but to contact your SSL vendor and ask for the x509/pem versions of your root and intermediate certificates, then generate the CSR and give it to the vendor for certificate generation. Is this the method I need to follow? Can someone please share a step-by-step procedure to renew the external certificate for VPN?
chimda inside General Topics yesterday

error 27559 no blades were selected

Sir, I downloaded Check Point version 82.10 as advised for Windows 10 version 10.0.18200, but it popped up error 27559 "no blades were selected". I need someone to tell me how to install the software. Attached is the error message.
Theo inside General Topics yesterday

Endpoint Security- Failed to create new site Reason: Site is not responding

Location: China
Security Gateway: Standalone / Check Point 2200 Appliance / R80.30
Problem: Unable to create site in Endpoint Security
Action: Verified and compared the settings of the gateway object with other working sites with VPN clients

Please refer to the settings of my VPN clients.
Theo inside General Topics Thursday

Access Server from Branch office using Remote Access

VPN Community type: Star
HQ1 - Center gateway / Check Point 2200 / R80.30
Branch1 - Satellite gateway / Check Point 1100 / R77.20
VPN Routing - To center and to other satellites through center
Branch1 Policy Rule - RA range added to access the server over port 8069

The VPN client was able to connect to the HQ1 gateway and can access services inside the HQ1 office, but is unable to reach the server in the Branch1 office.
PhoneBoy (Admin) inside General Topics Thursday

The R80.x Adoption Experience by the Numbers TechTalk: Q&A, Video, and Slides

How widely has Check Point R80.x been adopted? What was the path people took? What was the experience? With the help of @Jim_MacLeod and our friends from Indeni, we'll answer these questions in this TechTalk! Content available to CheckMates members: Slides, Full Video. Selected Q&A will be posted in the comments. Excerpt from the session below:
Patricio_Gavila inside General Topics Thursday

Messages of mux error on a cluster (active-standby) in r80.20

Hi all, I have a Lenovo System x3650 M5 (compatibility matrix) with GAIA r80.20 (Jumbo HF take 80) in a distributed deployment. The server firmware is updated to the latest level, and with the r77.30 version it works great. I have many problems with the Internet; for example, images and Office 365 emails take too long to load, even when the user is in an unrestricted rule. This did not happen with r77.30. The active gateway shows error messages in the file /var/log/messages:

Jun 12 14:19:57 2019 FW-NODO1 kernel: [fw4_4];mux_task_handler: ERROR: Failed to handle task. task=ffffc20085221670, app_id=1, mux_state=ffffc20092970c00.
Jun 12 14:19:57 2019 FW-NODO1 kernel: [fw4_4];mux_soc_result_handler: ERROR: Failed to handle task queue. mux_opaque=ffffc20092970c00.
Jun 12 14:19:57 2019 FW-NODO1 kernel: [fw4_4];tls_main_send_record_layer_message: mux_soc_result_handler failed
Jun 12 14:19:58 2019 FW-NODO1 kernel: [fw4_4];mux_task_handler: ERROR: Failed to handle task. task=ffffc2008275e530, app_id=1, mux_state=ffffc2005f6a5c00.
Jun 12 14:19:58 2019 FW-NODO1 kernel: [fw4_4];mux_soc_result_handler: ERROR: Failed to handle task queue. mux_opaque=ffffc2005f6a5c00.
Jun 12 14:19:58 2019 FW-NODO1 kernel: [fw4_4];tls_main_send_record_layer_message: mux_soc_result_handler failed
Jun 12 14:19:58 2019 FW-NODO1 kernel: [fw4_4];mux_task_handler: ERROR: Failed to handle task. task=ffffc2011e77b7b0, app_id=1, mux_state=ffffc200d97bfc00.
Jun 12 14:19:58 2019 FW-NODO1 kernel: [fw4_4];mux_soc_result_handler: ERROR: Failed to handle task queue. mux_opaque=ffffc200d97bfc00.
Jun 12 14:19:58 2019 FW-NODO1 kernel: [fw4_4];tls_main_send_record_layer_message: mux_soc_result_handler failed
Jun 12 14:19:59 2019 FW-NODO1 kernel: [fw4_3];mux_task_handler: ERROR: Failed to handle task. task=ffffc200a775bfb0, app_id=1, mux_state=ffffc2027cc1a420.
Jun 12 14:19:59 2019 FW-NODO1 kernel: [fw4_3];mux_soc_result_handler: ERROR: Failed to handle task queue. mux_opaque=ffffc2027cc1a420.
Jun 12 14:19:59 2019 FW-NODO1 kernel: [fw4_3];tls_main_send_record_layer_message: mux_soc_result_handler failed
Jun 12 14:19:59 2019 FW-NODO1 kernel: [fw4_3];mux_task_handler: ERROR: Failed to handle task. task=ffffc200aa947b30, app_id=1, mux_state=ffffc200dffa5810.
Jun 12 14:19:59 2019 FW-NODO1 kernel: [fw4_3];mux_soc_result_handler: ERROR: Failed to handle task queue. mux_opaque=ffffc200dffa5810.
Jun 12 14:19:59 2019 FW-NODO1 kernel: [fw4_3];tls_main_send_record_layer_message: mux_soc_result_handler failed
Jun 12 14:20:00 2019 FW-NODO1 kernel: [fw4_2];mux_task_handler: ERROR: Failed to handle task. task=ffffc2007f670b30, app_id=1, mux_state=ffffc200c6950420.
Jun 12 14:20:00 2019 FW-NODO1 kernel: [fw4_2];mux_soc_result_handler: ERROR: Failed to handle task queue. mux_opaque=ffffc200c6950420.
Jun 12 14:20:00 2019 FW-NODO1 kernel: [fw4_2];tls_main_send_record_layer_message: mux_soc_result_handler failed
Jun 12 14:20:01 2019 FW-NODO1 kernel: [fw4_5];mux_task_handler: ERROR: Failed to handle task. task=ffffc20122ccdb70, app_id=1, mux_state=ffffc20068218810.
Jun 12 14:20:01 2019 FW-NODO1 kernel: [fw4_5];mux_soc_result_handler: ERROR: Failed to handle task queue. mux_opaque=ffffc20068218810.
Jun 12 14:20:01 2019 FW-NODO1 kernel: [fw4_5];tls_main_send_record_layer_message: mux_soc_result_handler failed
Jun 12 14:20:02 2019 FW-NODO1 kernel: [fw4_5];cpas_newconn_ex : called upon something other than tcp SYN. Aborting

My question is whether anyone knows if it is possible to deactivate the mux. Otherwise I will roll back to r77.30.

My concern is this: Check Point sells a poorly tested product and, even more, wants to force customers to migrate from r77.30 to r80, knowing that the r77.30 version is the best they have had in many years. The r80 version has too many problems; even in a cluster, the failures of the product are truly impressive.

Thanks,
Patricio G.
kobilevi inside General Topics Thursday

SmartConsole 80.30 is crashing

Hello, I installed the latest version of SmartConsole on my computer; my Gaia server is installed on VMware Workstation. After the installation and completing the wizard in the web interface, the system rebooted and came up, but I lost the connection to the server: the web interface is still up, but I cannot ping the server from my computer, and SmartConsole does not work either. Ping to my computer from the server is fine. Does someone know what the problem is?
David_Herselman inside General Topics Thursday

Disable NAT on SIP payload - breaks ICE

How do we disable NAT on SIP and SDP payloads when using NAT? The ATRG: VoIP documentation states the following:

We're running Asterisk with ICE (Interactive Connectivity Establishment), which essentially provides multiple candidates in INVITE or SDP negotiation messages, where each is an IP and port combination. It discovers the public candidates by connecting to STUN servers on the public internet.

Why would we not want the security gateway to NAT the payload?

We intend to use Bria Stretto as a mobile SIP application. The app works perfectly in all environments when in the foreground and subsequently registered directly to our office SIP server. The problem we're having is when the app is in the background, becoming completely inactive. Public SIP servers operated by CounterPath essentially register in place of the mobile and send a wake-up push notification when they receive a call. The push appears to provide the app with a copy of the original invite, so it should receive both the higher priority ICE host candidates as well as the lower priority server reflexive (NATted IP and port) candidates.

The problem with the Check Point overwriting the SIP and SDP payload is that a mobile device connected to either a private cellular APN or corporate WiFi will exclusively be provided with the public IP, and this results in one-way audio. Everything works perfectly when the mobile is using LTE or NATted through a home WiFi network.

What we're after:

We would simply like the Check Point to continue applying a NAT policy to the headers but leave the SIP and SDP payloads alone. This is typically accomplished by simply turning off SIP ALG processing.

Sample packet leaving SIP server towards CounterPath's public push servers:

Sample packet after NAT processing by Check Point:

We have not had success in following the following recommendations. Both of these however appear to apply to cases where threat prevention policies were blocking packets, not the Check Point simply NATting packets like any other UDP packet and leaving the payload alone:

How to disable SIP ALG inspection in a specific rule in Checkpoint?

Also, could this be done globally, like on a Cisco ASA?

Tried disabling SIP inspection:

fw ctl set int voip_multik_enable_forwarding 0
echo voip_multik_enable_forwarding=0 >> $FWDIR/boot/modules/fwkern.conf

The following is an excellent summation of the ICE protocol: Interactive Connectivity Establishment – IETF Journal
Czar inside General Topics Thursday

Check Point for Beginners - Part 2 - Preparing the Lab

Thank you Val Loukine (and other admins) for his page CP4B. Really helpful. I am new to Check Point. I changed company and will have to use this technology. In the past I used Cisco, Palo Alto, pfSense. In Part 2 the lab is discussed. I think I might be short on resources to build the lab :-(. I have a mini desktop with an Intel(R) Core(TM) i5-8500T CPU @ 2.10GHz, 2112 MHz, 6 cores and 12GB RAM. I don't have access to a nice ESXi environment with lots of RAM and storage. Does someone else have experience with a setup like mine using VMware Workstation and only 12GB of RAM? Also, I am trying to figure out what the comment of Vladimir means at the end of the page. Should I use VirtualBox instead of VMware Workstation? Last question: I used GNS3 in the past for Cisco labs. Is this an even better option for a lab setup?
Prince_Sibanda inside General Topics Thursday

Check Point Security Gateway as HTTP/HTTPS Proxy

Can anybody please help me with this: how to configure Check Point Security Gateway as an HTTP/HTTPS proxy? I have enabled using the gateway as an HTTP/HTTPS proxy and created the policy, but the problem I am facing now is that when I try to browse I get an error "The proxy server is refusing connections". Thanks in advance.
Lillie_Miller (Admin) inside General Topics Thursday

Share your feedback for your chance to WIN new Apple AirPods Pro!

As a valued Check Point customer, your opinion matters to us greatly - and to your peers too! We invite you to review your Check Point Next Generation Firewall experience on Gartner Peer Insights. Watch this short video on how to submit a review. Reviews take approximately 10 minutes to submit and are anonymous. When your review is approved by Gartner, we'll send you a $25 Amazon gift card and enter you into a raffle to win new Apple AirPods Pro!

What do I need to do?

Click here to submit your review on Check Point Next Generation Firewall.
Following your submission, you will receive 2 emails from Gartner: "Thank you for your review" and "Thank you, your review has been approved!"
Send the second email to checkmates@checkpoint.com.
Redeem your $25 Amazon Gift Card & enter the raffle to win new Apple AirPods Pro!

What is Gartner Peer Insights?

Peer Insights is an online platform of ratings and reviews of IT software and services. The reviews are written and read by IT professionals and technology decision-makers like you. The goal is to help IT leaders make more insightful purchasing decisions and help technology providers improve their products by receiving objective, unbiased feedback from their customers. Reviews take approximately 10 minutes to complete and are completely anonymous.

If you have any questions about Gartner Peer Insights, please email us at checkmates@checkpoint.com; we are happy to answer any questions you have.

Thank you for your support!!
Niklas_Davidsso inside General Topics Wednesday

MAC Address 0000.0000.0101 and 0000.0000.0100

Hey! So I have a problem: I have 7-ish ClusterXL sites, and when I try to perform a migration on my ISP they get a loop from my firewalls. After I tracked it, I see this problem on every ClusterXL site. They all have the same MAC address:

Site X
0000.0000.0100 dynamic ip,ipx,assigned,other TenGigabitEthernet2/1/4
0000.0000.0101 dynamic ip,ipx,assigned,other TenGigabitEthernet1/1/4

Site Y
0000.0000.0100 DYNAMIC Gi0/20
0000.0000.0101 DYNAMIC Gi0/43

Does anyone know how to disable this fake address?
Sukru_isik inside General Topics Wednesday

HTTPS inspection validation error

Hello, I have Check Point with version R80.20. I have enabled HTTPS inspection and am using the Sophos endpoint agent. Agents are managed on the cloud side. When we want to install the agent, we get a log like below and we couldn't install it. I have written an exception URL like "*.sophos.com" on the inspection rules, but it is not working. (When I disable HTTPS inspection completely, the agents are installed successfully.) How can I solve this problem?