cancel
Showing results for 
Search instead for 
Did you mean: 
Create a Post
shavat_zalpuri
shavat_zalpuri inside General Topics 16m ago
views 4

Need help in understanding multi core vpn in r 80.x

Hi All, It owuuld be great help if you can help me in providing a document which will give me in detail information of multi core vpn in r80.X. Different vpn types and on different cores. Regards,shavat Zalpuri
Jeff_Gao
Jeff_Gao inside General Topics 54m ago
views 2650 19 1

Physical memory is high

Dear all      My CP23500 is 16G  memory and traffic is low.but memory is high,as follow:This is why?Thanks!
mbsm
mbsm inside General Topics yesterday
views 53 1

Identity Collector Users unable to browse to internet

Hi,We successfully implement Identity Collector and working on R80.30. But we encounter an problem, the user is connected thru the WiFi and able to browse the internet but when the user disconnect to WiFi then connect thru LAN cable the user unable to browse the internet. By the way, the network of the WiFi is different to the LAN. Our workaround is login thru captive portal or restart the laptop.Is there a solution for this issue? Or is this a limitation of the Identity Collector? Appreciate your answers,
HeikoAnkenbrand
HeikoAnkenbrand inside General Topics yesterday
views 618581 34 140

R80.x Architecture and Performance Tuning - Link Collection

I wrote my first article on R80.x firewall architecture a year ago. After many hours in the lab with R80.10, R80.20, R80.30 and R80.40 many long evenings, another approximately 40 articles were added. Because I lost the overview of my articles, here is a list of links to the most interesting articles with the topics:- R80.x performance tuning- R80.x architecture- R80.x new CoreXL, SecureXL and ClusterXL functions I hope I can help you with interesting information about R80.x! Thanks to everyone who contributed to the Checkmates forum and to the Check Point R&D guys as well as the Chackmates team and thanks to all who voted this article as Post of the Year 2019.  Architecture - R80.x - Security Gateway Architecture (Logical Packet Flow)- R80.x - Security Gateway Architecture (Logical Packet Flow) - Update R80.20+- R80.x - Security Gateway Architecture (Content Inspection)- R80.x - Security Gateway Architecture (Acceleration Card Offloading)- R80.x - Ports Used for Communication by Various Check Point Modules- R80.x - How does the Medium Path (PXL) and Content Inspection work with R80- R80.x - ClusterXL CCP Encryption (R80.30+) Performance tuning - R80.x - Gateway Performance Metrics - R80.x - Performance Tuning Tip - Intel Hardware- R80.x - Performance Tuning Tip - AES-NI- R80.x - Performance Tuning Tip - SMT (Hyper Threading)- R80.x - Performance Tuning Tip - Multi Queue- R80.x - Performance Tuning Tip - Connection Table- R80.x - Performance Tuning and Debug Tips - fw monitor- R80.x - Performance Tuning and Debug Tips - TCPDUMP vs. CPPCAP- R80.x - Performance Tuning Tip - DDoS „fw sam“ vs. „fwaccel dos“- R80.x - High Performance Gateways and Tuning- R80.x - Falcon Modules and R80.20- R80.x - Performance Tuning - Link Collection Cheat sheets - R80.x - cheat sheet - fw monitor- R80.x - cheat sheet - ClusterXL ClusterXL - R80.20 - new ClusterXL commands- R80.20 - More ClusterXL State Information- R80.30 - ClusterXL CCP Encryption SecureXL - R80.20 - New FW Monitor inspection points- R80.20 - SYN Defender on SecureXL Level- R80.20 - IP blacklist in SecureXL- R80.20 - New Chain Modules?- R80.20 - SecureXL + new chain modules + fw monitor CoreXL - R80.x - Security Gateway Architecture (Logical Packet Flow)- R80.x - Security Gateway Architecture (Content Inspection)- R80.x - More then 40 Cores for CoreXL- R80.x - User-Mode Firewall and performance impact Management Server, MDS and SmartConsole - R80.20 - Portable SmartConsole + Tips and Tricks- R80.10 - Syslog Exporter- R80.20 - Multiple SmartConsole sessions- R80.x   - Debug policy installation on gateway- R80.x   - MDS Upgrade failing from R80.10 to R80.30 Sandblast and TEX - Fortigate Firewall ICAP and Sandblast (TEX)- Symantec (Bluecoat) SG ICAP and Sandblast (TEX)- ICAP and Sandblast Appliance R80.10+ - R80.10 - Syslog Exporter- R80.10 - Bash script to show IP ranges for countrys from GeoProtection (new version)- R80.10 - GEO Location Objects in Firewall Policy (with Dynamic Objects)- R80.10 - User-Mode Firewall and performance impact R80.20+ - R80.20 - new interesting commands- R80.20 - Performance Tuning Tip - DDoS „fw sam“ vs. „fwaccel dos“- R80.20 - New FW Monitor inspection points- R80.20 - SYN Defender on SecureXL Level- R80.20 - IP blacklist in SecureXL- R80.20 - New Chain Modules?- R80.20 - SecureXL + new chain modules + fw monitor- R80.20 - SecureXL - new names in "/proc/ppk/statistics"?- R80.20 - Portable SmartConsole + Tips and Tricks- R80.20 - New daemon or processes under R80.20!- R80.20 - New SecureXL path in R80.20 (CPASXL)- R80.20 - More then 40 Cores for CoreXL - R80.20 - Updatable Domain Objects and CLI Commands R80.30+ - R80.30 - new interesting commands- R80.30 - ClusterXL CCP Encryption- R80.30 - Swiss Army Knive IPMITOOL for GAIA R80.40+ - R80.40 automatically changes the number of CoreXL SNDs, Firewall instances and the Multi-Queue CLI - GAIA - Easy execute CLI commands from management on gateways- GAIA - Easy execute CLI commands on all gateways simultaneously- GAIA - Create snapshots or backups on all gateways with one CLI command.- GAIA - Backup all clish configs from all gateways with one CLI command- CLISH Commands in Expert Mode easier- Show VPN Routing on CLI- Show Address Spoofing Networks via CLI- Interface speed and duplex as list- "fw ctl zdebug" Helpful Command Combinations- Check Inbound and Outbound TCP Sequece Numbers on R80.20+- R80.20 - new interesting commands- R80.30 - new interesting commands- ccp_analyzer - what is it!- Check Point - HEX to IP Converter Tool?- R80.30 - Swiss Army Knive IPMITOOL for GAIA Script - Bash script to show IP ranges for countrys from GeoProtection (new version)- GEO Location Objects in Firewall Policy (with Dynamic Objects) More - Appliance model from CLI and dmidecode with full model list- VoIP Issue and SMB Appliance (600/1000/1200/1400)- Password reset - Collection- One-liner collection- Check and config SSHv1 or SSHv2 on GAIA Copyright by Heiko Ankenbrand  1994-2019
minhhaivietnam
minhhaivietnam inside General Topics yesterday
views 27

Block file sharing over skype

Hi friends,I have a checkpoint R80.10 like this: User PC------>Firewall--------->internetMy requirement is Allow user to use skype but prevent them from sharing file over it.My question is what blade can I enable for this purpose, and what step to configure after enable blade Thanks a lot!! 
Ned_Stark
Ned_Stark inside General Topics yesterday
views 31

Identity Collector don't receive events from servers AD

Hello, I have installed and configured Identity Collector on server AD, but I don't have any events. That configuration I did it from Admin Guide CheckPoint. The server have active event logs, etc.  The status Identity Source are connected. 
Kunal_Parikh
Kunal_Parikh inside General Topics yesterday
views 16119 4 1

Dynamic Objects (URL)

What is best approach to allow connection to Microsoft Azure/AWS, when destination URL are hosted in cloud and does not have fixed IP. If I don't want traffic to go via proxy, does checkpoint support destination URL's ? I have read about dynamic objects and have also read it causes high CPU but not sure if it is best practice.
KE
KE inside General Topics yesterday
views 53 1

Client authentication user has to re-authenticate after every policy install

Checkpoint Gaia R77.30 ClusterXLClient authentication user has to re-authenticate after every policy install.The client_auth table is cleared after every install.Any idea?Thanks! 
Shurik
Shurik inside General Topics yesterday
views 25

Stats/Monitor each VPN Tunnel

Hello guys,We have about 100 VPN tunnels (site-to-site). Would like to accomplish:1. Would to capture statistics (OID) of each VPN tunnel, and see throughput of each tunnel on our monitoring system (not the summary).2. Is there a way we can get alerts (status of VPN) tunnel in case it's down? Looking to get OID - status of each VPN tunnel. I've contacted the support team a few times, unfortunately, didn't get any meaningful answer. Thank you!
Vengatesh_SR
Vengatesh_SR inside General Topics yesterday
views 906 8 1

Vulerability#CVE-2007-4752

Hi Team,We are getting the below vulnerability for the checkpoint.  Name : OpenSSH X11 Cookie Local Authentication Bypass Vulnerability (openssh-x11-cookie-auth-bypass)    Description :ssh in OpenSSH before 4.7 does not properly handle when an untrusted cookie cannot be created and uses a trusted X11 cookie instead, which allows attackers to violate intended policy and gain privileges by causing an X client to be treated as trusted.OpenBSD OpenSSH < 4.7Download and apply the upgrade from: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSHWhile you can always build OpenSSH from source, many platforms and distributions provide pre-built binary packages for OpenSSH.These pre-built packages are usually customized and optimized for a particular distribution, therefore we recommend that you use the packages if they are available for your operating system.-----------------------------------------------------------------We have the take installed is take_286.From the above description, I can find the CVE associated for the vulnerability is #CVE-2007-4752.From the #sk65269, I can see the comments given is Not vulnerable. So it means checkpoint devices are not vulnerable for this vulnerbaility ??Regards,Vengatesh SR
Wang
Wang inside General Topics yesterday
views 73 5

How to configure QOS based on user?

Hello, engineers, how to configure QOS based on user?Thank you very much for your support.
Gsharma61234
Gsharma61234 inside General Topics yesterday
views 98 3

checkpoint not booting

Hi All, I do have checkpoint 4600.recently it was upgraded successfully from R75.40 to R77.10 then R77.10.From yesterday i am unable to login to the device.its giving me below error.I believe its not booting.Please let me know,how to resolve this issue.Apart from this i am not getting any option on putty CLI.   Reboot and Select proper Boot deviceor Insert Boot Media in selected Boot device and press a keyIntel(R) Boot Agent GE v1.3.53Copyright (C) 1997-2010, Intel CorporationPXE-E61: Media test failure, check cablePXE-M0F: Exiting Intel Boot Agent. 
Niklas_Davidsso
Niklas_Davidsso inside General Topics Tuesday
views 443 19

New Core Switch - Failure

Hey There So we are runing a Old Cisco Nexus 5000K Switch stack, Checkpoint 15000 <> N5KSwitches <> N5KSwitches <> Checkpoint 15000the 15000 is runing VSXWorked pretty good. So this year we got new Cisco Nexus 9000K Switch, and today we tried to move them Moving Firewall, no big issue and we connected it up to the 9000 and it reconncted with the other FIrewall and they connect to eatcher, we move the active firewalls from the firewall connected to the N5K switch to the firewall connected N9K switch.  And everything is working But when we move the Firewall still conncted to N5K switch to the N9K, they start going active  standby down and as soon as Firewall 1 has done this Firewall 2 will go active standby down and so on.  so the network works for 3-4 minutes then highlatancy and then works 3-4 minutes rinse and repeat. Anyone seen this before? //Niklas   
bsb
bsb inside General Topics Tuesday
views 36

header to identify inbound original ip after nat hide nat

Hi, below is the scenarioInternet -- > Checkpoint Firewall (any internet Nat'd to firewall external interface ip hide nat) ---- > Load balancer -- > backend serverNeed to identify the inbound public ip post performing Nat in checkpoint firewall for analysis.Is there a way to see this original inbound public ip in packet captures with different header name like xff etc....thanks BSB  
Raphael_V
Raphael_V inside General Topics Tuesday
views 3603 2

Legacy Auth (User Auth, Client Auth) on R80.10 gateways

Hey everyone,does anybody know if Legacy Authentication (User Auth and Client Auth) is still supported on R80.10 gateways?We updated one of our clusters today from R77.30 to R80.10 and are facing some very strange behaviour.We have a rule with a "Legacy user at location" object (location are all our internal networks) as a source object and User Auth as action.After the upgrade to R80.10 the "Legacy user at location" object in the source is now ignored and seems to behave like "ANY".The release notes from R80.10 does only state that"Session Authentication and UserAuthority are replaced by Identity Awareness."but nothing regarding User Auth or Client Auth.(Yes, we will move away from these authentication methods...)Thanks and best regardsRaphael