REconfigure inside General Topics 4 hours ago
views 127 2 5

R80.20 strange behaviour - random TCP session timeout values - fw ctl conntab

Hi Community!

After upgrading to R80.20 I verified the session tables of our firewall gateways with the "fw ctl conntab" command. I found out that all upgraded gateways show random TCP session timeouts for a displayed session, and not the actually configured value for the service. I checked it on more than 20 different gateways; it's always the same. For a global value of 7200 sec, there is sometimes 4642 or even as low as 1058 sec, or higher, 7205 etc., in the output next to the TTL, same rule/same service. In older versions like 77.20 it's always exactly the configured value, for example 7200 sec, in the output.

Can anyone verify this? Is this only cosmetic, or could this lead to sessions falling out of the table too soon?

Attached you can find screenshots with example output of an R77.20 and an R80.20 gateway.
dilirium inside General Topics 5 hours ago
views 12

Cannot ping remote VPN gateway external IP

This question has already been asked, and I carefully read the answers to it: https://community.checkpoint.com/t5/General-Topics/Cannot-ping-remote-VPN-gateway/td-p/20797.

Setting "Accept ICMP requests" -> "First" in the Global Properties causes ping to the external interface to work, but it is not possible to ping the hosts behind the gateway. If you put "Before Last", then we get the opposite picture.

In another answer it was written that I need to create rules for ping. Can you give an example of these rules? I tried several variants of the rules, but did not achieve a positive result.

Is it generally possible to ping the external interface of the gateway and the hosts behind it?
Nick_Doropoulos inside General Topics yesterday
views 135 4

CoreXL limitations on R80.30

Can I just confirm that the existence of a route-based VPN does not allow CoreXL to be used, even on R80.30? According to the CoreXL limitations as per sk61701 it would appear that that is the case, but I wanted to double-check anyway. Thanks.
minhhaivietnam inside General Topics yesterday
views 55 3

ICMP reply does not match a previous request

Hello friends,

I have a multicast topology like this:

Router1 (multicast receiver) ------> Checkpoint R80 -------> Router2 ----- Router3 (multicast sender)

All devices run PIM-SM mode.
On Router1: I join group 239.9.9.9
On Router2: ping to 239.9.9.9
Result: not successful

I check the log on the firewall and see this error. Please help me. Thanks a lot!!
minhhaivietnam inside General Topics yesterday
views 48 1

Static Nat seems not working with multicast

Hi all,

I have a topology running multicast:

router1 (multicast receiver) ---- checkpoint r80 ---- router2 (RP) --- router3 (multicast sender)

All devices run PIM-SM. The above network runs fine without NAT, but when I set static NAT on the firewall (IP of router1 ---> translated to a.b.c.d) and then on router1 send an "igmp join" toward the RP (router2), I see in the log that the IGMP packet is forwarded to the firewall, but the packet is not NATed to a.b.c.d (the above IP address) and is not forwarded through the firewall.

So my question is: does Checkpoint R80 support multicast source NAT? If yes, how can I configure it? Thank you!!
Dawei_Ye inside General Topics yesterday
views 15834 12

tcpdump and fw monitor missed packets

We are digging into an issue with our application department. In testing by our QA dept., the HTTP connection occasionally has a 5-6 s latency. So we did a packet capture.

The normal POST and response:

The POST that incurs latency is as follows:

You can see the red column should be the POST request, but tcpdump shows "not captured".

We also captured via fw monitor; we can only see the POST request but no response:

Have you guys met this issue before?
Di_Junior inside General Topics yesterday
views 50 1

ISP IP Blacklist

Dear Mates,

This is not a technical question but more of a general question on which I would really appreciate your feedback.

We are an ISP, and we provide services to many enterprises. Our clients are usually finding the IP addresses we allocate to them in some blacklists, which sometimes prevents them from using certain services on the Internet until the IPs are removed from the blacklist.

Taking into account that we do not have control over what our clients do to get them blacklisted, I would like to know whether there is something we as the ISP can do in order to minimize the risk of our clients getting blacklisted.

Thanks in advance
Jeff_Gao inside General Topics yesterday
views 1981 15 1

Physical memory is high

Dear all,

My CP23500 has 16G memory and traffic is low, but memory usage is high, as follows:

Why is this? Thanks!
Albert_Chang inside General Topics yesterday
views 185 7

Packets from IPSec tunnel were dropped. It seems there is an issue on the coreXL connections table

Our security gateway sometimes drops packets from an IPSec tunnel. The workaround is usually to reinstall the policy, and the issue will be fixed for a few days.

By using "fw ctl zdebug drop" to capture the drop message, it says "failed to resolve SA (VPN Error code 01)". But in the kernel debug, it looks like it cannot find the connection in the connections table.

Has anyone encountered a similar issue and has a solution? Thanks in advance!

;20Jun2019  3:30:27.466084;[cpu_1];[fw4_2];fwconn_lookup: not found in connections table;
;20Jun2019  3:30:27.466088;[cpu_1];[fw4_2];forward_if_not_mine: forwarded to another instance (rc=0);
....
;20Jun2019  3:30:27.466102;[cpu_1];[fw4_2];fwconn_key_lookup_ex: conn 10.13.1.29:0 IPP 10,0,0,0,0,UUID: 00000000-0000-0000-00-0-0-0-0-0-0-0, 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0>  not found in connections table;
.....
;20Jun2019  3:30:27.466268;[cpu_1];[fw4_2];fwconn_key_lookup_ex: conn 172.28.0.126:15 IPP 10,0,0,0,0,UUID: 00000000-0000-0000-00-0-0-0-0-0-0-0, 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0>  not found in connections table;
;20Jun2019  3:30:27.466282;[cpu_1];[fw4_2];   vpnk_conn_log: in the kernel  - calling fwchainlog_delayed_rulebase_log with alert -1 ;
;20Jun2019  3:30:27.466284;[cpu_1];[fw4_2]; action = 0  schemename = IKE  user =  methods = ESP: AES-256 + SHA384 + PFS (group 2)  fail_reason = Encryption/Decryption failure, failed to resolve SA (VPN Error code 01)  xpo_loghandle = 0 community_loghandle = 0
sdjohnson2019 inside General Topics Saturday
views 140 4

Upgrade path from R77.30 to R80.30

Hello All,

Can you advise me? I have read various docs on Check Point's website and various knowledge boards. My initial understanding is that if I wanted to upgrade from R77.30 to R80.30 I would have to build a new server and run through the upgrade verifier, export and import database steps. But as I have started to read more, there seems to be a straightforward upgrade path via CPUSE. Or am I reading the documentation wrong?

Thanks for any advice.

Extract from Installation and Upgrade Guide R80.30, From R7X to R80.30:
1. Upgrade the Primary Security Management Server.
2. Perform a clean install of the Secondary Security Management Server.
3. Connect the Secondary Security Management Server to the Primary Security Management Server.

Step 2. Why???? There is no explanation.
Chinmaya_Naik inside General Topics Saturday
views 133 2

Configure Gaia with TACACS+ Authentication for SmartConsole (Query)

Hi Team,

I refer to sk101573 (How to configure Gaia OS to work with a TACACS+ server). Below are the configuration details.

VMware: 12 Pro

NOTE: We successfully log in to the GAIA portal using a TACACS user (user defined in the TACACS+ server), but are unable to log in with SmartConsole.

Configuration steps taken:
File name: tac_plus.conf (Location: /etc/tacacs+/tac_plus.conf)
Step 1
Step 2
Step 3
Step 4
Step 5

Configuration for SmartConsole login:
Step 6
Step 7
Step 9
Unable to find any logs in the messages file.
Step 10
As I know, for "Authentication to server failed" no logs are generated in the messages file.

Please confirm whether this is the right configuration, because we are unable to log in with SmartConsole but able to log in with the GAIA portal.

Thank you
Regards
@Chinmaya_Naik
JosephAviles
inside General Topics Friday
views 138 4
Employee

1GB to 10GB interface upgrade

Hello everyone, I have a task to upgrade a firewall appliance from 1GB to 10GB on its interfaces. The issue I have is that this appliance is running R75.30 on SPLAT. I haven't used SPLAT in a very long time. Does anyone know what the commands even are to do this? Another question is: what is the SPLAT command to get the configuration of the appliance? In GAIA it's simply "show configuration". I don't know what the command is in SPLAT. Any help is appreciated. Thanks.

Regards!
Anderson_DaSilv inside General Topics Friday
views 28

CloudGuard ARM Template

Hi Community,

I am trying to deploy CloudGuard in Azure via ARM templates, but I am hitting an issue with the artifacts location parameters. As I can see in the template, the artifacts location is no longer hard-coded; instead it uses the deployment function to call the artifacts URI.

Long story short, when I run the template installation from local files on my computer, I get the error below saying that the templateLink doesn't exist:

Apparently this happens because the deployment function does not respond with the templateLink information if you run the deployment using local templates.

Has anyone run into this issue before? I am trying to install R80.30 using the ARM template version below:
"templateVersion": "20190805"

Thanks in advance.
jfabian inside General Topics Friday
views 95 1

Problem with VPN AMAZON(AWS) ​​CHECK POINT

I have several VPNs against AWS; it happens that at random there is no more traffic. When the fault occurs, there are the following symptoms:
- Tunnel up
- Phase 1 and Phase 2 established

The problem is resolved when we restart IKE at the Check Point (vpn tu - 7), but after a while it happens again. The configuration of my tunnel is as follows:

IKEv1 Phase I:
- Encryption Algorithm: AES-128
- Data Integrity: SHA1
- Diffie-Hellman group: Group 2 (1024 bit)

Phase II:
- AES-128
- Data Integrity: SHA1
- IKE Security Association (Phase 2): Use Perfect Forward Secrecy (group 2)

IKE Phase I: Renegotiate IKE security associations every (minutes): 480
IPsec (Phase 2): Renegotiate IPsec security associations every (seconds): 3600
NAT: Disable NAT inside the VPN community
DPD configured in the Cluster and AWS Community, VPI and ping interfaces on static routes

Tunnel Management:
- Permanent tunnels: establish permanent tunnels in all the tunnels of the community.
- VPN Tunnel Sharing: One VPN tunnel per Gateway pair.

VPN Routing: To center, or through the center to other satellites, to Internet and other VPN targets

When I look at the records, it's dropping by the clean up rule. Please, your support; TAC still does not find the cause.
Rajput_Arvind inside General Topics Friday
views 85 3

Splunk Support with R80.10

Hi All,

We are upgrading MDS from R77.30 to R80.10. Currently Splunk is integrated with the R77.30 MDS. Do we need to perform any step on the R80.10 MDS to make Splunk work with the R80.10 CMA? Some documents say the Splunk Add-On for Check Point needs to be installed on Splunk itself, but other documents say Log Exporter also needs to be installed on the R80.10 MDS. Please share your thoughts.

Thanks,
Arvind Singh