General Topics

Have a question and you can't figure out where to post about it after reading All Products and Where to Post About Them? Post it here!

JG
JG inside General Topics 2 hours ago
views 34 3 1

Disable TLS 1.0

I'm asking this question to a vendor as well. However, I will ask here too. I'm trying to disable TLS 1.0 globally on a firewall cluster. This is in an effort to completely eliminate all HTTPS weak ciphers. I've been scanning our environment with various tools and found that TLS 1.0 is still a valid cipher when I scan my cluster IP addresses.

So far, I haven't been able to find any documentation on how to do this with Checkpoint. On an ASA it's 2 or 3 commands to stop supporting the cipher. The only thing I've seen in forums is that on Checkpoint it's not possible. Is this true?

I'm running R80.30 so I would think you would be able to do this but maybe not.

Thanks,
Jon
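The check a practitioner wants here is an external one: offer the listener each TLS protocol version on its own and see which handshakes it accepts. The probe below is an added example, not code from the post or from Check Point; the host and port are placeholders, the handshake deliberately skips certificate validation (it tests protocol support, not identity), and it only says anything about TLS 1.0/1.1 if the local OpenSSL can still be configured to offer them. It tests protocol versions separately from cipher suites, since TLS 1.0 is a protocol version rather than a cipher, and a scanner that "finds TLS 1.0" is reporting exactly this kind of accepted handshake.

```python
"""Probe which TLS protocol versions a listener accepts.

Added example, not part of the original CheckMates post. Host/port are
placeholders; the local OpenSSL build must still contain TLS 1.0/1.1 for
those probes to be meaningful, otherwise they report "unsupported locally".
"""
import socket
import ssl
import sys

WEAK_VERSIONS = {ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1}
PROBE_ORDER = (
    ssl.TLSVersion.TLSv1,
    ssl.TLSVersion.TLSv1_1,
    ssl.TLSVersion.TLSv1_2,
    ssl.TLSVersion.TLSv1_3,
)


def probe_version(host, port, version, timeout=5.0):
    """Return 'accepted', 'rejected', 'unsupported locally' or 'error: ...' for one version."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # protocol test only, not an identity check
    ctx.verify_mode = ssl.CERT_NONE
    try:
        # Pin the ClientHello to exactly one protocol version.
        ctx.minimum_version = version
        ctx.maximum_version = version
        # OpenSSL's default security level refuses to offer TLS 1.0/1.1 on the
        # client side; drop it to 0 so the old version is actually proposed.
        ctx.set_ciphers("ALL:@SECLEVEL=0")
    except (ValueError, ssl.SSLError):
        return "unsupported locally"
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return "accepted" if tls.version() else "rejected"
    except ssl.SSLError:
        # Alert such as protocol_version / handshake_failure: the server declined.
        return "rejected"
    except OSError as exc:
        return f"error: {exc}"


def scan(host, port=443):
    """Probe every version in PROBE_ORDER; keys are the TLSVersion member names."""
    return {v.name: probe_version(host, port, v) for v in PROBE_ORDER}


def weak_versions_accepted(results):
    """Pure helper: names of weak versions (TLS 1.0/1.1) the target accepted."""
    return sorted(
        name for name, status in results.items()
        if status == "accepted" and ssl.TLSVersion[name] in WEAK_VERSIONS
    )


if __name__ == "__main__":
    # Usage: python tlsprobe.py <cluster-ip> [port]   (placeholders, not a real target)
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.1"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    res = scan(target, port)
    for name, status in res.items():
        print(f"{name:8s} {status}")
    print("weak versions still accepted:", weak_versions_accepted(res) or "none")
```

Run it against each cluster VIP and each member's own addresses: a cluster that answers on the VIP can still expose the old version on the members' physical interfaces, and the Gaia portal, SSH and the gateway's own management ports are separate listeners from anything inspected by the firewall policy.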
HeikoAnkenbrand
HeikoAnkenbrand inside General Topics 4 hours ago
views 23 2

Top100 - Check Point Terms Overview for Debug

I've been trying to understand all the Check Point terms for the last 25 years. Here is my Top 100 list of terms that might help you. The following terms are used on the CLI for firewall debug, processes and daemons:

accel: SecureXL
acct: Application Control accounting
advp: advanced patterns (signatures over port ranges)
APPI: Application Control
aspii: Accelerated Stateful Protocol Inspection Infrastructure (INSPECT streaming)
async: IA checking known network
av: Anti-Virus inspection
avi_del_tmp_files: Shell script that periodically deletes various old temporary Anti-Virus files
balance: ConnectControl - logical servers in kernel, load balancing
btime: browse time
cache_tab: cache table infrastructure
ccp: Cluster Control Protocol (CCP)
cgnat: Carrier Grade NAT (CGN/CGNAT)
chain: chain modules
chainfwd: chain forwarding - cluster
chainq: QoS holding and releasing packets during critical actions (policy install / uninstall)
CI: Content Inspection
ci_http_server: HTTP Server for Content Inspection
clishd: Gaia Clish CLI interface process - general information for all Clish sessions
clish: Gaia Clish CLI interface
clob: data classification - Classification Object (CLOB)
cloningd: Cloning Groups daemon
cluster: ClusterXL
cmi: Context Management Infrastructure
cmi_inspect: cmi_loader - INSPECT code
cmi_loader: CMI loader
cmi_module: cmi_loader module operations - initialization, module loading, calls to module, contexts, etc.
confd: Database and configuration
conn: Connections Table issues
connstats: connections statistics for Evaluation of Heavy Connections in CPView (refer to sk105762)
context: operations on Memory context and CPU context
CPAS: CPAS (Check Point Active Streaming)
cpca: Check Point Internal Certificate Authority (ICA)
cpcode: Data Loss Prevention (DLP) CPcode
cpd: Check Point processes / daemon
cpdiag: CPDiag operations
cp_file_convert: Used to convert various file formats to simple textual format for scanning by the DLP engine
cphaconf: installs cluster configuration or CLI command 🙂
cphamcset: Clustering daemon
cphaprob: Process that lists the state of cluster members or CLI command 🙂
cphastart: Starts the cluster and state synchronization
cphastop: Stops the cluster and state synchronization
cp_http_server: HTTP Server for Management Portal (SmartPortal) and for OS WebUI
cplmd: gets the data that should be presented in SmartView Tracker
cpm: Check Point management daemon (PostgreSQL and SOLR databases)
cposd: SMB-specific daemon responsible for OS Networking operations
cprid: Check Point Remote Installation Daemon
cprid_wd: WatchDog for Check Point Remote Installation Daemon
cpsead: Responsible for Correlation Unit functionality
cpsemd: Responsible for logging into the SmartEvent GUI
cpsnmpd: SNMP queries for Check Point OIDs
cpstat_monitor: Process responsible for collecting and sending information to SmartView Monitor
cptls: CRYPTO-PRO Transport Layer Security (HTTPS inspection)
cpviewd: CPView Utility daemon (sk101878)
cpview_historyd: CPView Utility History daemon (sk101878)
cpwd: WatchDog - monitors critical processes such as Check Point daemons
cpwmd: Check Point Web Management daemon
crypto: basic information about encryption and decryption
cserver: Check Server that either stops or processes the e-mail
ctasd: Commtouch Anti-Spam daemon
ctipd: Commtouch IP Reputation daemon
cu: Connectivity Upgrade (sk107042)
cvpnd: Back-end daemon of the Mobile Access Software Blade; processing of connections handled by the Mobile Access daemon
cvpnproc: Offload blocking commands from cvpnd
CvpnUMD: Report SNMP connected users to AMON
DAService: Check Point Upgrade Service Engine (CPUSE) - (sk92449)
dbsync: DBsync enables SmartReporter to synchronize data stored in different parts of the network
dbwriter: Offload database commands from cvpnd and synchronize with other members
dfa: Pattern Matcher (Deterministic Finite Automaton) compilation and execution
df: Decision Function - decides which member will handle each packet in Load Sharing mode
dfilter: debug filter operations
dhcpd: DHCP server daemon
dlpda: Data Loss Prevention (DLP) Download Agent
dlp: Data Loss Prevention
dlp_fingerprint: Used to identify the data according to a unique signature
dlpk: Data Loss Prevention (DLP) Kernel Module
dlpu: DLP process - receives data from the Check Point kernel
dlpuk: Data Loss Prevention (DLP) User Module
dnstun: DNS tunnels
domain: DNS queries
dos: DDoS attack mitigation (part of IPS)
dropbear: Lightweight SSH server on SMB appliance
dynlog: dynamic log enhancement (INSPECT logs)
fg: FloodGate-1 (QoS)
FILEAPP: File Application
filecache: Content Awareness file caching
flofiler: Flow profiler
fwapp: information about policy installation for the FireWall application
fwd: Firewall processes / daemon
fwdlp: DLP core engine that performs the scanning / inspection
fw: Firewall
fwm: Communication between SmartConsole applications and the Security Management Server
fwpushd: Mobile Access Push Notifications daemon
fwstats: FW-1 statistics
fwucd: DLP UserCheck back-end daemon that sends approval / disapproval requests to the user
ghtab: multi-threaded safe global hash tables
glue: glue layer messages
gtp: GPRS Tunneling Protocol (GTP)
h323: VoIP H.323
htab: multi-threaded safe hash table
httpd2: Web server daemon (Gaia Portal)
httpd: Endpoint Policy Management Server
httpd: Front-end daemon of the Mobile Access Software Blade (multi-process)
IA_htab: IA checking for network IP address, working with kernel tables
ICAP_CLIENT: Internet Content Adaptation Protocol client
IDAPI: Identity Awareness
ifnotify: notification of changes in interface status - up or down (received from OS)
in.acapd: Packet capturing daemon for SmartView Tracker logs
in.emaild.mta: E-Mail Security Server
in.emaild.pop3: POP3 Security Server that receives e-mails sent by the user
in.emaild.smtp: SMTP Security Server that receives e-mails sent by the user and sends them to their destinations
in.geod: Updates the IPS Geo Protection Database
in.msd: Mail Security Daemon that queries the Commtouch engine for reputation
interpreter: Process responsible for the Compliance Blade database scan
ioctl / IOCTL: control messages - communication between kernel and daemon
ipopt: IP options enforcement
java_solr: Events are stored in the SOLR database (Jetty Server), part of cpm
kbuf: kernel buffer
kissd: KISS - used for kernel memory management
kissflow: Kernel Infrastructure Flow
kiss: Kernel Infrastructure
kisspm: Kernel Infrastructure Pattern Matcher
kqstats: Kernel Worker thread statistics mechanism
kw: Kernel Worker state and Pattern Matcher inspection
ld: kernel dynamic tables infrastructure - reads from / writes to the tables
lea_session: LEA OPSEC session
lea: LEA OPSEC - logs
llq: QoS low latency queuing
log_consolidator: Log Consolidator for the SmartReporter product
log_indexer: R80 Log indexer
lpd: Log Parser Daemon - searches predefined patterns in log files
mab: Mobile Access handler
machine: INSPECT Virtual Machine
MALWARE: Malware (Threat Prevention)
mem_pool: memory pool
mgcp: Media Gateway Control Protocol
mgr: policy installation manager
misc: miscellaneous helpful information
misp: ISP Redundancy
mmagic: MAC magic - operations (getting, setting, updating, initializing, dropping, etc.)
monitorall: debug -> fw monitor -p all
monitord: Hardware monitoring daemon
monitor: debug -> fw monitor
MoveFileDemuxer: Related to the MoveFileServer process (moving files between cluster members)
MoveFileServer: Moves files between cluster members in order to perform database synchronization
mpdaemon: Apache server (which can have multiple processes for starting these web servers)
mrtsync: synchronization (in kernel) between cluster members of Multicast Routes
msnms: MSN over MSMS (MSN Messenger protocol)
mspi: information related to creation and destruction of MSA / MSPI
mtctx: multi-threaded context - memory allocation, reference count
multik: CoreXL -> Multi-Kernel Inspection
mutex: Unified Policy internal mutex operations
nac: Network Access Control (NAC)
NRB: Next Rule Base
ntup: Non-TCP / Non-UDP traffic policy (traffic parser)
om_alloc: allocation of Office Mode IP addresses
osu: cluster Optimal Service Upgrade (sk107042)
packet_err: invalid packets, for which a dispatching decision can't be made
packval: stateless verifications - sequences, fragments, translations and other header verifications
parser: file parsing or CMI parser
parsers_is: cmi_loader parsers infrastructure
pcktdmp: dumps the encrypted packets before encryption / decrypted packets after decryption
pcre: Perl Compatible Regular Expressions
pdpd: IA Policy Decision Point daemon
pepd: IA Policy Enforcement Point daemon
per_conn: messages per connection (when a new connection is handled by RTM)
per_pckt: messages per packet (when a new packet arrives and is handled by RTM) or "con_conn"
Pinger: Reduces the number of httpd processes performing ActiveSync
pkt_dump: traffic packet dump
pkxld: Performs asymmetric key operations for HTTPS Inspection
PM_compile: Pattern Matcher - pattern compilation
pmdump: Pattern Matcher - DFA (dumping XMLs)
pm: Gaia OS Process Manager
pmint: Pattern Matcher compilation
pm: Pattern Matcher - compilation and execution
pnote: registering and monitoring of critical ClusterXL devices
portscan: port scanning prevention mechanics
postgres: PostgreSQL server
prof: Firewall Priority Queues - connection profiler (refer to sk105762)
q: driver queue
qosaccel: QoS acceleration
qos: QoS (FloodGate-1)
queue: Kernel Worker thread queues
quota: cross-instance quota table
RAD_KERNEL: Resource Advisor Kernel
rad: Resource Advisor
rconfd: Provisioning daemon
rem: Regular Expression Matcher - Pattern Matcher 2nd tier (slow path)
report_mgr: report manager
routed: Routing daemon
rtdbd: Real Time database daemon
rtmd: Real Time traffic statistics
RTM: Real-Time Monitoring
salloc: System Memory allocation
sam: Suspicious Activity Monitoring
scanengine_b: Third party engine
scanengine_k: Third party engine
scanengine_s: Third party engine
scrub_cp_file_convertd: Used to convert various file formats to simple textual format
scrubd: Main Threat Extraction daemon
scrub: Main CLI process for Threat Extraction
sctp: Stream Control Transmission Protocol (SCTP)
scv: SecureClient Verification
searchd: Search indexing daemon
sec_rb: secondary NRB rulebase operations
SFT: Stream File Type
sfwd: SMB fwd 🙂
SGEN: Struct Generator
shmem: shared memory allocation
sigload: signatures loader, patterns, ranges
skinny: Skinny Client Control Protocol - Cisco proprietary VoIP protocol
smartlog_server: SmartLog product service
SmartView: SmartEvent Web Application
sms: Manages communication with UTM-1 Edge Security Gateways
sm: String Matcher - Pattern Matcher 1st tier (fast path)
sna: SnA objects ("Services and Application")
snmpd: SNMP (Linux) daemon
SOLR: CPM databases communication
span: mirror port (duplicates the network traffic)
spii: Stateful Protocol Inspection Infrastructure and INSPECT Streaming Infrastructure
sshd: SSH daemon
ssl_insp: HTTPS SSL Inspection
sslt: SSL TLS library
status_proxy: Status collection of ROBO Gateways - SmartLSM / SmartProvisioning status proxy
subs: Subscriber module - set of APIs which enable user space processes (by using a DLL)
SVRServer: Controller for the SmartReporter product. Traffic is sent via SSL
swblade: registration of Software Blades
sxl_statd: Allows acquiring statistics information from Host ppak and Falcon cards
synatk: 'SYN Attack' (SYNDefender) IPS protection
sync: synchronization operations in ClusterXL
syslogd: Syslog (Linux) daemon
tcpinfo: TCP processing messages
tcpstr: TCP streaming mechanism
tcpt: TCP Tunnel (Visitor mode) related information (FW traversal on port 443)
ted: Threat Emulation daemon engine
temp_conns: temporary connections
te: Threat Emulation
tnlmon: tunnel monitoring
topo: information about topology and Anti-Spoofing of interfaces
ua: Universal Alcatel "UA" Protocol
ucd: UserCheck connections to other cluster members
UC: UserCheck
uepm: Endpoint Management Server
uf: URL filters and URL cache
uid: Cross-instance Unique IDs
upapp: information about policy installation for the Unified Policy application
upconv: Unified Policy conversion
UPIS: Unified Policy Infrastructure
UP: Unified Policy
urlf_ssl: Application Control / URL Filtering for SSL
usrchkd: Main UserCheck daemon, which deals with UserCheck requests
usrchk: The CLI client for the UserCheck daemon USRCHKD
usrmem: User Space platform memory usage
utf7: conversion of UTF-7 characters to Unicode characters
utf8: conversion of UTF-8 characters to Unicode characters
uuid: session UUID
vbuf: virtual buffer
vm: Virtual Machine chain decisions on traffic going through fw_filter_chain
VPN_cookie: virtual de-fragmentation cookie
vpnd: VPN processes / daemon
vpn_multik: MultiCore VPN (refer to sk118097)
vpn_tagging: sets the VPN policy of a connection according to VPN communities, VPN Policy related info
VPN: VPN
vs: Virtual System (VSX)
wap: Multimedia Messaging Service (Wireless Application Protocol)
wd: WebDefense
wire: wire-mode Virtual Machine chain module
worker: Kernel Worker - queuing and dequeuing
wsdnsd: DNS Resolver - activated when the Security Gateway is configured as HTTP/HTTPS Proxy
WSIS: Web Intelligence Infrastructure
WS_parser: Web Intelligence HTTP header parser layer
WS_pfinder: Web Intelligence pattern finder
WS_regexp: Web Intelligence regular expression library
WS_SIP: Web Intelligence SIP Parser
wstlsd: Handles the SSL handshake for HTTPS Inspected connections
WS: Web Intelligence
xl: Accelerator cards interaction
xlate: NAT - basic information
xltrc: NAT - additional information - going through the NAT rulebase
xpand: Configuration daemon that processes and validates all user configuration requests, ...
zeco: Zero-Copy kernel module memory allocations

I think the list can also be extended to Top 1000 :-)
HeikoAnkenbrand
HeikoAnkenbrand inside General Topics 5 hours ago
views 44 2

Kernel Debug flags PDF - R80.30 / R80.20?

For R80.10 there is a PDF with kernel debug flags available:
- Kernel Debug Flags (R80.10)
- SecureXL Debug Flags - FWAccel (R80.10)
- SecureXL Debug Flags - SIM (R80.10)

I need this for debugging R80.20 and R80.30. Where can I find the PDFs for R80.30?
kb1
kb1 inside General Topics 7 hours ago
views 141 5

Smartconsole force closes

So below is the lab topology where I have the mgmt Win 10 VM connected to the NY-sms, which is the mgmt server.

So the problem is, as soon as I open SmartConsole from the mgmt Win 10 VM it closes after a few minutes as I'm setting it up for the first time, with me not being able to proceed with my lab. A while back I was able to complete about 60 percent of the course and did not have any such problems, although it was maybe because I was using older GNS3 and VMware versions, but anyway right now with the updated and latest versions of GNS3 and VMware I'm stuck with this SmartConsole issue (don't know if it really is because of the updated versions of GNS3 and VMware or something else). So yeah, I need to proceed fast and need to get this SmartConsole to work!! So someone please help!! Have been stuck here for a few days searching for solutions but to no avail, with a lot of hours wasted as well!!

Below is the error message -

Laptop OS - Win 10
Checkpoint Gaia Version - R80.10
Laptop Specs - MSI GS65 with i7-8750H, 32 GB 2666 MHz RAM, GTX 1070 MQ
Jeff_Gao
Jeff_Gao inside General Topics 7 hours ago
views 43 2

updates of security and security management server

Dear all,

I know that IPS / App Control & URL Filtering can only update on the SMS. I have a few questions:
1. What does a security gateway need to update from the cloud?
2. What does an SMS need to update from the cloud?
3. What are the effects if we only allow the SMS to update and do not allow the security gateway to update from the cloud?

Thanks!
Danny
Danny inside General Topics 8 hours ago
views 71825 183 183

Common Check Point Commands (ccc)

🏆 Code Hub Contribution of the Year 2018!
👍 Endorsed by Check Point Support!

ccc is an interactive script to run common Check Point CLI tasks without having to crawl for cheat sheets, bookmarks, manuals or admin guides.

License: GPL

Installation (expert mode) or download:

curl_cli -k https://dannyjung.de/ccc | zcat > /usr/bin/ccc && chmod +x /usr/bin/ccc
Aitor_Carazo
Aitor_Carazo inside General Topics 9 hours ago
views 95 1

[CVE-2019-14899] Inferring and hijacking VPN-tunneled TCP connections.

Hi CheckMates,

I have read in a newsletter about this vulnerability. Since Gaia runs on a Red Hat based OS, I am wondering if Check Point products are affected by this vulnerability:
https://seclists.org/oss-sec/2019/q4/122

Thanks and regards
Nik_Bloemers
Nik_Bloemers inside General Topics 12 hours ago
views 187 9

VPN certificates

Hello CheckMates,

Does anyone know how to control which certificate gets sent in a certificate-based site-to-site VPN?

There's a nice repository of certificates available on the gateway, but it always seems to send the ICA-signed certificate. We only want to use the ICA certificate for CP<->CP VPNs that are managed by the same management. We also have some third-party DAIP gateways we want to use another PKI infrastructure for (that already has a CRL publicly available, unlike the CP ICA).

Any ideas how to accomplish this? Browsing the documentation and SKs for half a day didn't seem to reveal a solution.

Kind regards,
Nik
STF
STF inside General Topics 12 hours ago
views 135 5

How to login if mobile phone number has been changed?

Hello,

I have another Check Point account using another email address. My mobile phone number which was linked to that account has been changed so I have no way to receive any SMS. And I cannot find any backup codes. So I cannot get past the 2-step verification for that account.

I had written an email to user_center@checkpoint.com as stated on a web page a week ago but the email got rejected because the address is invalid. This is the error message in the returned email:

I'm sorry to have to inform you that your message could not be delivered to one or more recipients. It's attached below.
For further assistance, please send mail to postmaster.
If you do so, please include this problem report. You can delete your own text from the attached returned message.
The mail system
<user_center@michael.checkpoint.com>: host 194.29.34.68[194.29.34.68] said: 550 5.1.1 <user_center@michael.checkpoint.com>... User unknown (in reply to RCPT TO command)

I really want to use that account but I'm totally stuck. Please tell me how I can gain access again.
Stefano_Chiesa
Stefano_Chiesa inside General Topics yesterday
views 76 2

VPN with Cisco FTD-local subnet natted, key exchange with original IPs

Hello all.

On a 2200 R75.40 cluster an L2L VPN with a remote Cisco FTD is configured. In the VPN configuration the real local subnet (10.39.126.x/23) is not specified, but instead a NAT subnet is used (192.168.123.x/27). On the remote side 4 hosts (/32) are defined as remote networks (10.130.200.234/.235/.236/.241). The local subnet is manually Hide-NATed behind a single IP NAT-Subnet address (192.168.123.1).

The tunnel is up but sometimes, when the key exchange happens, the original 10.39.126.x IP is used in the packet instead of the 192.168.123.1 NAT IP (see the log records below). The key with the wrong IP is installed (why?) but then the traffic fails. Seems a matter of activity sequence (accept rule, NAT, negotiate, encrypt..).

Does anyone have a suggestion?

Thanks in advance.
Stefano

----------------------------- CORRECT KEY INSTALL
Number: 11768148
Date: 11Dec2019
Time: 9:12:30
Interface: daemon
Origin: FW
Type: Log
Action: Key Install
==> Source: VPN-NAT-IP (192.168.123.1) <<==== CORRECT
Destination: 10.130.200.235
Community: xxxxxxxxxxxxx
Information: IKE: Child SA exchange: Created a child SA successfully
IKE IDs: <192.168.123.0 - 192.168.123.31><10.130.200.235>
Source Key ID: 0x92dddf54
Destination Key ID: 0x9ab9283b
Encryption Scheme: IKEv2
Data Encryption Methods: AES_256 + HMAC_SHA256, No IPComp, No ESN, No PFS
IKE Initiator Cookie: dbd002e39d8ab5aa
IKE Responder Cookie: eb019a4c3f09bd88
IKE Phase2 Message ID: 0000000d
VPN Peer Gateway: REMOTE-Peer (X.X.X.X)
Subproduct: VPN
VPN Feature: IKE
Product: Security Gateway/Management
Product Family: Network

----------------------------- WRONG KEY INSTALL
Number: 11750404
Date: 11Dec2019
Time: 9:11:52
Interface: daemon
Origin: FW
Type: Log
Action: Key Install
==> Source: 10.39.126.44 <<======= WRONG!
Destination: 10.130.200.234
Community: xxxxxxxxxxxxx
Information: IKE: Child SA exchange: Created a child SA successfully
IKE IDs: <10.130.200.234>
Source Key ID: 0x1f571570
Destination Key ID: 0xcb0be6fa
Encryption Scheme: IKEv2
Data Encryption Methods: AES_256 + HMAC_SHA256, No IPComp, No ESN, No PFS
IKE Initiator Cookie: dbd002e39d8ab5aa
IKE Responder Cookie: eb019a4c3f09bd88
IKE Phase2 Message ID: 0000000c
VPN Peer Gateway: REMOTE-Peer (X.X.X.X)
Subproduct: VPN
VPN Feature: IKE
Product: Security Gateway/Management
Product Family: Network

----------------------------- FAILING HTTPS ACCESS
Number: 11781102
Date: 11Dec2019
Time: 9:12:52
Interface: Mgmt
Origin: FW
Type: Log
Action: Drop
Service: https (443)
Source Port: 58984
Source: 10.39.126.44
Destination: 10.130.200.234
Protocol: tcp
Rule: 43
Rule UID: {4904EE49-19C1-4074-8561-DF7437BF5FBF}
NAT rule number: 3
NAT additional rule number: 1
XlateSrc: VPN-NAT-IP (192.168.123.1)
XlateSPort: 14356
Community: XXXXXXXXXXXXXX
Information: service_id: https
encryption fail reason: Packet is dropped because there is no valid SA - please refer to solution sk19423 in SecureKnowledge Database for more information
Encryption Scheme: IKE
Data Encryption Methods: ESP: AES-256 + SHA256
VPN Peer Gateway: REMOTE-Peer (X.X.X.X)
Subproduct: VPN
VPN Feature: VPN
Product: Security Gateway/Management
Log ID: 404830
Product Family: Network

------------------------------ WORKING HTTPS ACCESS
Number: 11768149
Date: 11Dec2019
Time: 9:12:30
Interface: Mgmt
Origin: FW
Type: Log
Action: Encrypt
Source: 10.39.126.44
Destination: 10.130.200.235
Protocol: icmp
Rule: 43
Rule UID: {4904EE49-19C1-4074-8561-DF7437BF5FBF}
NAT rule number: 3
NAT additional rule number: 1
XlateSrc: VPN-NAT-IP (192.168.123.1)
Community: XXXXXXXXXXXXXX
Information: service_id: icmp-proto
ICMP: Echo Request
ICMP Type: 8
ICMP Code: 0
Encryption Scheme: IKE
Data Encryption Methods: ESP: AES-256 + SHA256
VPN Peer Gateway: REMOTE-Peer (X.X.X.X)
Subproduct: VPN
VPN Feature: VPN
Product: Security Gateway/Management
Product Family: Network
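The pattern in those records is mechanical enough to check automatically: a "Key Install" whose Source is a real 10.39.126.x address instead of the NAT subnet is a child SA negotiated with the wrong local identity, and the later "no valid SA" drop for the same source/destination pair is its consequence. The script below is an added example, not code from the post or from Check Point; it parses field-per-line log records like the ones above (the sample records are constructed from the post, with the "==>" markers removed and some fields trimmed) and flags child SAs whose Source is outside the expected NAT subnet, then correlates the drops.

```python
"""Flag IKE child SAs negotiated with an un-NATed local address.

Added example, not from the post or from Check Point. Record layout
(one "Field: value" per line, records separated by a blank line) and the
sample records below are constructed from the log excerpts in the post.
"""
import ipaddress
import re

SAMPLE_LOG = """\
Number: 11768148
Time: 9:12:30
Action: Key Install
Source: VPN-NAT-IP (192.168.123.1)
Destination: 10.130.200.235
Information: IKE: Child SA exchange: Created a child SA successfully
IKE IDs: <192.168.123.0 - 192.168.123.31><10.130.200.235>
Encryption Scheme: IKEv2

Number: 11750404
Time: 9:11:52
Action: Key Install
Source: 10.39.126.44
Destination: 10.130.200.234
Information: IKE: Child SA exchange: Created a child SA successfully
IKE IDs: <10.130.200.234>
Encryption Scheme: IKEv2

Number: 11781102
Time: 9:12:52
Action: Drop
Source: 10.39.126.44
Destination: 10.130.200.234
XlateSrc: VPN-NAT-IP (192.168.123.1)
Information: encryption fail reason: Packet is dropped because there is no valid SA
"""

IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_records(text):
    """Split the log into dicts; values keep everything after the first ':'."""
    records, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    if current:
        records.append(current)
    return records


def first_ip(value):
    """Pull the address out of 'VPN-NAT-IP (192.168.123.1)' or a bare '10.39.126.44'."""
    m = IP_RE.search(value)
    return ipaddress.ip_address(m.group(1)) if m else None


def mismatched_child_sas(text, nat_subnet):
    """Key Install records whose Source is not inside the NAT subnet that
    is supposed to be the local encryption domain."""
    net = ipaddress.ip_network(nat_subnet)
    bad = []
    for rec in parse_records(text):
        if rec.get("Action") != "Key Install":
            continue
        src = first_ip(rec.get("Source", ""))
        if src is None or src not in net:
            bad.append((rec.get("Number"), str(src), rec.get("Destination")))
    return bad


def correlate_drops(text, nat_subnet):
    """'no valid SA' drops whose pre-NAT source/destination pair matches a flagged SA."""
    bad_pairs = {(s, d) for _, s, d in mismatched_child_sas(text, nat_subnet)}
    return [
        rec["Number"] for rec in parse_records(text)
        if rec.get("Action") == "Drop"
        and "no valid SA" in rec.get("Information", "")
        and (str(first_ip(rec.get("Source", ""))), rec.get("Destination")) in bad_pairs
    ]


if __name__ == "__main__":
    for number, src, dst in mismatched_child_sas(SAMPLE_LOG, "192.168.123.0/27"):
        print(f"child SA {number}: local ID {src} -> {dst} is outside the NAT subnet")
    print("drops explained by those SAs:", correlate_drops(SAMPLE_LOG, "192.168.123.0/27"))
```

Feed it the output of a log export filtered on "Key Install" and "encryption fail reason" for the peer; the pair (Source, Destination) is what ties a drop back to the SA that was installed with the wrong identity.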
HeikoAnkenbrand
HeikoAnkenbrand inside General Topics Tuesday
views 365 6 10

R80.x Performance Tuning Tip - Elephant Flows (Heavy Connections)

Elephant Flow (Heavy Connections)

In computer networking, an elephant flow (heavy connection) is an extremely large (in total bytes) continuous flow set up by a TCP or other protocol flow, measured over a network link. Elephant flows, though not numerous, can occupy a disproportionate share of the total bandwidth over a period of time. The observation has been made that a small number of flows carry the majority of Internet traffic, while the remainder consists of a large number of flows that carry very little Internet traffic (mice flows).

All packets associated with an elephant flow must be handled by the same firewall worker core (CoreXL instance). Packets could be dropped by the Firewall when the CPU cores on which the Firewall runs are fully utilized. Such packet loss might occur regardless of the connection's type.

What typically produces heavy connections:
- System backups
- Database backups
- VMware sync

More interesting articles:
- R80.x Architecture and Performance Tuning - Link Collection
- Article list (Heiko Ankenbrand)

Evaluation of heavy connections

The big question is: how do you find elephant flows on an R80 gateway?

Tip 1: Evaluation of heavy connections (elephant flows)
A first indication is a high CPU load on one core while all other cores have a normal CPU load. This can be displayed very nicely with "top". OK, now a core has 100% CPU usage. What can we do now? For this there is SK105762 to activate "Firewall Priority Queues". This feature allows the administrator to monitor the heavy connections that consume the most CPU resources without interrupting the normal operation of the Firewall. After enabling this feature, the relevant information is available in the CPView utility. The system saves heavy connection data for the last 24 hours and CPDiag has a matching collector which uploads this data for diagnosis purposes.

Heavy connection flow system definition on Check Point gateways:
- Specific instance CPU is over 60%
- Suspected connection lasts more than 10s
- Suspected connection utilizes more than 50% of the total work the instance does. In other words, connection CPU utilization must be > 30%

CLI Commands

Tip 2: Enable the monitoring of heavy connections
To enable the monitoring of heavy connections that consume high CPU resources:
# fw ctl multik prioq 1
# reboot

Tip 3: Find heavy connections on the gateway with print_heavy_conn
On the system itself, heavy connection data is accessible using the command:
# fw ctl multik print_heavy_conn

Tip 4: Find heavy connections on the gateway with cpview
# cpview
CPU > Top-Connection > InstancesX

Links
sk105762 - Firewall Priority Queues in R77.30 / R80.10 and above
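The heavy-connection definition given in the post (instance CPU over 60%, connection older than 10 s, connection responsible for more than 50% of the instance's work) as an added worked example; it is not part of the post and not Check Point's code. It applies those three thresholds to a constructed set of per-instance CPU readings and per-connection CPU attributions. The ConnSample record, its field names and the sample values are this example's own assumptions, and it does not model the real output format of fw ctl multik print_heavy_conn.

```python
"""Heavy-connection (elephant flow) heuristic from the post, applied to
constructed CoreXL instance samples. Added example; not Check Point code.
The three conditions are the ones quoted in the post: instance CPU over 60 %,
connection older than 10 s, connection responsible for more than 50 % of the
instance's work (so the connection itself sits above 30 % CPU)."""
from dataclasses import dataclass

INSTANCE_CPU_THRESHOLD = 60.0  # % CPU of one firewall instance (fw4_N)
MIN_DURATION_S = 10.0          # seconds a suspect connection must have lasted
SHARE_THRESHOLD = 0.5          # fraction of the instance's work one connection uses


@dataclass(frozen=True)
class ConnSample:
    """One connection as attributed to a CoreXL instance
    (hypothetical record; the field names are this example's own)."""
    instance: int      # CoreXL firewall instance number
    src: str
    dst: str
    duration_s: float  # how long the connection has been open
    cpu_pct: float     # CPU share of that instance's core consumed by this connection


def hot_instances(instance_cpu):
    """Instances whose total CPU is above the 60 % bar (what 'top' shows first)."""
    return sorted(i for i, cpu in instance_cpu.items() if cpu > INSTANCE_CPU_THRESHOLD)


def is_heavy(conn, instance_cpu):
    """Apply the three conditions, cheapest check first."""
    inst_cpu = instance_cpu.get(conn.instance, 0.0)
    if inst_cpu <= INSTANCE_CPU_THRESHOLD:
        return False  # instance is not busy: nothing to chase
    if conn.duration_s <= MIN_DURATION_S:
        return False  # short burst, not an elephant flow
    return conn.cpu_pct / inst_cpu > SHARE_THRESHOLD


def find_heavy_connections(instance_cpu, conns):
    """Return the connections that satisfy the heavy-connection definition."""
    return [c for c in conns if is_heavy(c, instance_cpu)]


# Constructed sample: per-instance CPU (%) as 'top' would show it, and a
# per-connection attribution. Not real gateway output.
SAMPLE_INSTANCE_CPU = {0: 95.0, 1: 35.0, 2: 70.0}
SAMPLE_CONNS = [
    ConnSample(0, "10.0.0.5", "10.0.1.20", 420.0, 80.0),  # backup job: 84 % of instance 0
    ConnSample(0, "10.0.0.7", "10.0.1.21", 2.0, 5.0),     # short and tiny
    ConnSample(1, "10.0.0.8", "10.0.1.22", 600.0, 30.0),  # long, but instance 1 is idle
    ConnSample(2, "10.0.0.9", "10.0.1.23", 120.0, 25.0),  # 36 % share: below the 50 % bar
    ConnSample(2, "10.0.0.10", "10.0.1.24", 4.0, 45.0),   # 64 % share but only 4 s old
]

if __name__ == "__main__":
    print("busy instances:", hot_instances(SAMPLE_INSTANCE_CPU))
    for c in find_heavy_connections(SAMPLE_INSTANCE_CPU, SAMPLE_CONNS):
        print(f"heavy: fw4_{c.instance} {c.src} -> {c.dst} "
              f"{c.duration_s:.0f}s {c.cpu_pct:.0f}% CPU")
```

Run as is, only the backup-style connection on instance 0 is reported: the long-lived connection on instance 1 is ignored because that instance is not busy, and the short burst on instance 2 is ignored because it is younger than 10 s. The same three checks are what to keep in mind when reading the cpview Top-Connection view: one busy core plus one old connection holding most of it.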
Aaron_Wrasman
Aaron_Wrasman inside General Topics Tuesday

Confusion on what is supported in R80.20+ for FQDN.

So we recently moved a few of our firewalls to R80.20+ (i.e. we are still upgrading to R80.30 from R80.20).

We are trying to start using the FQDN feature of domain objects for normal firewall traffic. I'm trying to allow access to sftp and not a website.

If my destination is something like www.vanityname.net and I create a Domain object like .vanityname.net, make sure the FQDN feature is checked, and put that as the destination in a normal firewall rule, it works.

If I have a site like sftp.vanityname.net and I create .sftp.vanityname.net, make sure the FQDN feature is checked, and put that as the destination in a normal firewall rule, it works sometimes.

Are only second level domains supported with the FQDN feature? (i.e. name.com but not sub.name.com)

And to be very clear, I'm not talking about wildcard domain names.
Tsvika_Akerman
inside General Topics Tuesday

R80.40 Early Availability Program @ Check Point Update

R80.40 EA Program

R80.40 features centralized management control across all networks, on premise or in the cloud, lowering the complexity of managing your security and increasing operational efficiency. As part of the Check Point Infinity architecture, R80.40 provides customers with the best security management, utilizing the industry's largest integration of technologies from more than 160 technology partners. With Check Point R80.40 Cyber Security for Gateways and Management, businesses everywhere can easily step up to Gen V.

Enrollment // Production EA
• We are looking for R80.X / R77.X production environments to evaluate the new version.
• Start date: Started

Public EA (for Lab/Sandbox use) is now also available! Log into UserCenter and select Try Our Products > Early Availability Programs. In PartnerMap, it is Learn > Evaluate > Early Availability Programs.
NOTE: Upgrade from Public EA to GA is not supported.
Additional questions? Contact us at EA_SUPPORT@checkpoint.com

What's New

IoT Security
A new IoT security controller to:
- Collect IoT devices and traffic attributes from certified IoT discovery engines (currently supports Medigate, CyberMDX, Cynerio, Claroty, Indegy, SAM and Armis).
- Configure a new IoT dedicated Policy Layer in policy management.
- Configure and manage security rules that are based on the IoT devices' attributes.

TLS Inspection
HTTP/2
HTTP/2 is an update to the HTTP protocol. The update provides improvements to speed, efficiency and security and results in a better user experience. Check Point's Security Gateway now supports HTTP/2 and benefits from better speed and efficiency while getting full security, with all Threat Prevention and Access Control blades, as well as new protections for the HTTP/2 protocol. Support is for both clear and SSL encrypted traffic and is fully integrated with HTTPS/TLS Inspection capabilities.
TLS Inspection Layer
This was formerly called HTTPS Inspection. Provides these new capabilities:
- A new Policy Layer in SmartConsole dedicated to TLS Inspection.
- Different TLS Inspection layers can be used in different policy packages.
- Sharing of a TLS Inspection layer across multiple policy packages.
- API for TLS operations.

Threat Prevention
- Overall efficiency enhancement for Threat Prevention processes and updates.
- Automatic updates to the Threat Extraction Engine.
- Dynamic, Domain and Updatable Objects can now be used in Threat Prevention and TLS Inspection policies. Updatable objects are network objects that represent an external service or a known dynamic list of IP addresses, for example Office365 / Google / Azure / AWS IP addresses and Geo objects.
- Anti-Virus now uses SHA-1 and SHA-256 threat indications to block files based on their hashes. Import the new indicators from the SmartConsole Threat Indicators view or the Custom Intelligence Feed CLI.
- Anti-Virus and SandBlast Threat Emulation now support inspection of e-mail traffic over the POP3 protocol, as well as improved inspection of e-mail traffic over the IMAP protocol.
- Anti-Virus and SandBlast Threat Emulation now use the newly introduced SSH inspection feature to inspect files transferred over the SCP and SFTP protocols.
- Anti-Virus and SandBlast Threat Emulation now provide improved support for SMBv3 inspection (3.0, 3.0.2, 3.1.1), which includes inspection of multi-channel connections. Check Point is now the only vendor to support inspection of a file transfer through multiple channels (a feature that is on by default in all Windows environments). This allows customers to stay secure while working with this performance enhancing feature.

Access Control
Identity Awareness
- Support for Captive Portal integration with SAML 2.0 and third party Identity Providers.
- Support for Identity Broker for scalable and granular sharing of identity information between PDPs, as well as cross-domain sharing.
- Enhancements to Terminal Servers Agent for better scaling and compatibility.
IPsec VPN
- Configure different VPN encryption domains on a Security Gateway that is a member of multiple VPN communities. This provides:
  - Improved privacy - Internal networks are not disclosed in IKE protocol negotiations.
  - Improved security and granularity - Specify which networks are accessible in a specified VPN community.
  - Improved interoperability - Simplified route-based VPN definitions (recommended when you work with an empty VPN encryption domain).
- Create and seamlessly work with a Large Scale VPN (LSV) environment with the help of LSV profiles.
URL Filtering
- Improved scalability and resilience.
- Extended troubleshooting capabilities.
NAT
- Enhanced NAT port allocation mechanism - on Security Gateways with 6 or more CoreXL Firewall instances, all instances use the same pool of NAT ports, which optimizes the port utilization and reuse.
- NAT port utilization monitoring in CPView and with SNMP.
Voice over IP (VoIP)
- Multiple CoreXL Firewall instances handle the SIP protocol to enhance performance.
Remote Access VPN
- Use machine certificates to distinguish between corporate and non-corporate assets and to set a policy enforcing the use of corporate assets only. Enforcement can be pre-logon (device authentication only) or post-logon (device and user authentication).
Mobile Access Portal Agent
- Enhanced Endpoint Security on Demand within the Mobile Access Portal Agent to support all major web browsers. For more information, see sk113410.

Security Gateway and Gaia
CoreXL and Multi-Queue
- Support for automatic allocation of CoreXL SNDs and Firewall instances that does not require a Security Gateway reboot.
- Improved out of the box experience - the Security Gateway automatically changes the number of CoreXL SNDs and Firewall instances and the Multi-Queue configuration based on the current traffic load.
Clustering
- Support for Cluster Control Protocol in Unicast mode that eliminates the need for CCP Broadcast or Multicast modes.
- Cluster Control Protocol encryption is now enabled by default.
- New ClusterXL mode - Active/Active, which supports Cluster Members in different geographic locations that are located on different subnets and have different IP addresses.
- Support for ClusterXL Cluster Members that run different software versions.
- Eliminated the need for MAC Magic configuration when several clusters are connected to the same subnet.
VSX
- Support for VSX upgrade with CPUSE in Gaia Portal.
- Support for Active Up mode in VSLS.
- Support for CPView statistical reports for each Virtual System.
Zero Touch
- A simple Plug & Play setup process for installing an appliance - eliminating the need for technical expertise and having to connect to the appliance for initial configuration.
Gaia REST API
- Gaia REST API provides a new way to read and send information to servers that run Gaia Operating System. See sk143612.
Advanced Routing
- Enhancements to OSPF and BGP allow resetting and restarting OSPF neighboring for each CoreXL Firewall instance without the need to restart the routed daemon.
- Enhanced route refresh for improved handling of BGP routing inconsistencies.
New kernel capabilities
- Upgraded Linux kernel
- New partitioning system (gpt): supports more than 2TB physical/logical drives
- Faster file system (xfs)
- Supporting larger system storage (up to 48TB tested)
- I/O related performance improvements
- Multi-Queue: full Gaia Clish support for Multi-Queue commands; automatic "on by default" configuration
- SMB v2/3 mount support in Mobile Access blade
- Added NFSv4 (client) support (NFS v4.2 is the default NFS version used)
- Support of new system tools for debugging, monitoring and configuring the system

CloudGuard Controller
- Performance enhancements for connections to external Data Centers.
- Integration with VMware NSX-T.
- Support for additional API commands to create and edit Data Center Server objects.

Security Management
Multi-Domain Server
- Back up and restore an individual Domain Management Server on a Multi-Domain Server.
- Migrate a Domain Management Server on one Multi-Domain Server to a different Multi-Domain Security Management.
- Migrate a Security Management Server to become a Domain Management Server on a Multi-Domain Server.
- Migrate a Domain Management Server to become a Security Management Server.
- Revert a Domain on a Multi-Domain Server, or a Security Management Server, to a previous revision for further editing.
SmartTasks and API
- New Management API authentication method that uses an auto-generated API Key.
- New Management API commands to create cluster objects.
- Central Deployment of Jumbo Hotfix Accumulator and Hotfixes from SmartConsole or with an API allows installing or upgrading multiple Security Gateways and Clusters in parallel.
- SmartTasks - Configure automatic scripts or HTTPS requests triggered by administrator tasks, such as publishing a session or installing a policy.
Deployment
- Central Deployment of Jumbo Hotfix Accumulator and Hotfixes from SmartConsole or with an API allows installing or upgrading multiple Security Gateways and Clusters in parallel.
SmartEvent
- Share SmartView views and reports with other administrators.
Log Exporter
- Export logs filtered according to field values.
Endpoint Security
- Support for BitLocker encryption for Full Disk Encryption.
- Support for external Certificate Authority certificates for Endpoint Security client authentication and communication with the Endpoint Security Management Server.
- Support for dynamic size of Endpoint Security Client packages based on the selected features for deployment.
- Policy can now control the level of notifications to end users.
- Support for Persistent VDI environment in Endpoint Policy Management.
Andrey_Korobko
Andrey_Korobko inside General Topics Tuesday

Problem with 5400 device after firmware upgrade to 80.30

Last Sunday (22.09) we upgraded the firmware on our Checkpoint 5400 to v.80.30, and tonight (26.09) this device stopped responding. As we see on our monitoring software, the device stopped responding to ping at 23:23 (local time); at the same time it had less than 1% of physical memory free. At 1:00 the device came back online by itself with 7% of physical memory free, and then we manually rebooted it at 2:40, with 75% of memory free. So, everything points to a memory leak on this device after the upgrade, because there was no problem with any other part of the device (like CPU or other).

Product version: Check Point Gaia R80.30
OS build: 200
OS kernel version: 2.6.18-92cpx86_64
OS edition: 64-bit

Our device configuration:
1) Two Checkpoint 5400 in HA mode
2) One node has 80.10, the other 80.30
3) Node with 80.30 as Active Node
4) Services on 80.10 are stopped

In a clip:
1. Information from the monitoring system
Have you encountered a similar problem? How did you decide?
2. Logs - /var/log/messages

Sep 27 00:59:00 2019 CPGW-1 kernel: [fw4_0];[192.168.0.122:43493 -> 178.140.2.238:443] [ERROR]: network_classifier_get_zone_by_ifnum: Failed to get ifindex for ifnum=-1
Sep 27 00:59:00 2019 CPGW-1 kernel: [fw4_0];[192.168.0.122:43493 -> 178.140.2.238:443] [ERROR]: network_classifier_notify_clob_by_ifnum: network_classifier_get_zone_by_ifnum failed
Sep 27 00:59:00 2019 CPGW-1 kernel: [fw4_0];[192.168.0.122:43493 -> 178.140.2.238:443] [ERROR]: network_classifier_notify_clob_by_dst_route: network_classifier_notify_clob_by_ifnum failed
Sep 27 00:59:00 2019 CPGW-1 kernel: [fw4_0];[192.168.0.122:43493 -> 178.140.2.238:443] [ERROR]: network_classifier_notify_clob_for_not_incoming_conn: network_classifier_notify_clob_by_dst_route failed
Sep 27 00:59:00 2019 CPGW-1 kernel: [fw4_0];[192.168.0.122:43493 -> 178.140.2.238:443] [ERROR]: network_classifiers_destination_zone_handle_post_syn_context: network_classifier_notify_clob_for_not_incoming_conn failed
Sep 27 00:59:00 2019 CPGW-1 kernel: [fw4_0];[192.168.0.122:43493 -> 178.140.2.238:443] [ERROR]: network_classifier_cmi_handler_match_cb: network_classifiers_destination_zone_handle_post_syn_context failed
Sep 27 00:59:00 2019 CPGW-1 kernel: [fw4_0];[192.168.0.122:43493 -> 178.140.2.238:443] [ERROR]: cmik_loader_fw_context_match_cb: match_cb for CMI APP 20 failed on context 359, executing context 366 and adding the app to apps in exception
Sep 27 00:59:00 2019 CPGW-1 kernel: [fw4_0];[192.168.0.122:43493 -> 178.140.2.238:443] [ERROR]: up_manager_cmi_handler_match_cb: connection not found
Sep 27 00:59:00 2019 CPGW-1 kernel: [fw4_0];[192.168.0.122:43493 -> 178.140.2.238:443] [ERROR]: up_manager_cmi_handler_match_cb: rc FALSE - rejecting conn [192.168.0.122:43493 -> 178.140.2.238:443, IPP 6]
Sep 27 00:59:00 2019 CPGW-1 kernel: [fw4_0];[192.168.0.122:43493 -> 178.140.2.238:443] [ERROR]: up_rulebase_should_drop_possible_on_SYN: conn dir 0, 192.168.0.122:43493 -> 178.140.2.238:443, IPP 6 required_4_match = 0x802, not expected required_4_match = 0x800
Sep 27 00:59:00 2019 CPGW-1 kernel: [fw4_1];mux_buf_create: ERROR: Failed allocate Mux buf.
Sep 27 00:59:00 2019 CPGW-1 kernel: [fw4_1];mux_write_raw_data: ERROR: Failed to create Mux buf.
Sep 27 00:59:00 2019 CPGW-1 kernel: [fw4_1];tls_mux_write: mux_write_raw_data failed
Sep 27 00:59:00 2019 CPGW-1 kernel: [fw4_1];mux_task_handler: ERROR: Failed to handle task. task=ffffc2003cf70e40, app_id=1, mux_state=ffffc20043256a50.
Sep 27 00:59:00 2019 CPGW-1 kernel: [fw4_1];mux_read_handler: ERROR: Failed to handle task queue. mux_opaque=ffffc20043256a50.
Sep 27 00:59:00 2019 CPGW-1 kernel: [fw4_1];mux_active_read_handler_cb: ERROR: Failed to forward data to Mux.
Sep 27 00:59:00 2019 CPGW-1 kernel: [fw4_1];[192.168.218.39:65323 -> 192.168.0.6:53] [ERROR]: cmik_loader_fw_context_match_cb: failed to allocate s_cmik_loader_match_params
Sep 27 00:59:00 2019 CPGW-1 kernel: [fw4_1];cmi_context_exec_from_non_stream: cmik_loader_fw_context_match_cb(context=352, app_id = -1, context_apps=15c0004) failed
Sep 27 00:59:00 2019 CPGW-1 kernel: [fw4_1];[192.168.218.39:65323 -> 192.168.0.6:53] [ERROR]: up_manager_fw_handle_first_packet: cmi_exec_from_first_packet() failed
Sep 27 00:59:00 2019 CPGW-1 kernel: [fw4_1];[192.168.218.39:65323 -> 192.168.0.6:53] [ERROR]: up_manager_fw_handle_first_packet: failed to execute first packet context
Sep 27 00:59:00 2019 CPGW-1 kernel: [fw4_1];mux_buf_create: ERROR: Failed allocate Mux buf.
Sep 27 00:59:00 2019 CPGW-1 kernel: [fw4_1];mux_write_raw_data: ERROR: Failed to create Mux buf.
Sep 27 00:59:00 2019 CPGW-1 kernel: [fw4_1];tls_mux_write: mux_write_raw_data failed
Sep 27 00:59:00 2019 CPGW-1 kernel: [fw4_1];mux_task_handler: ERROR: Failed to handle task. task=ffffc2003cf70e40, app_id=1, mux_state=ffffc2019cbca6f0.
Sep 27 00:59:00 2019 CPGW-1 kernel: [fw4_1];mux_read_handler: ERROR: Failed to handle task queue. mux_opaque=ffffc2019cbca6f0.
Sep 27 00:59:00 2019 CPGW-1 kernel: [fw4_1];mux_active_read_handler_cb: ERROR: Failed to forward data to Mux.
Sep 27 00:59:00 2019 CPGW-1 kernel: [fw4_0];FW-1: h_getvals: fw_kmalloc (496) failed
Sep 27 00:59:00 2019 CPGW-1 kernel: [fw4_1];tcp_input: failed to alloc pkt buf at line :1259
Sep 27 00:59:01 2019 CPGW-1 kernel: [fw4_0];FW-1: h_getvals: fw_kmalloc (496) failed
Sep 27 00:59:01 2019 CPGW-1 kernel: [fw4_1];pslip_get_buf: failed to alloc packet_buf
Sep 27 00:59:01 2019 CPGW-1 kernel: [fw4_1];psl_handle_packet: psl_allocate_packet_buf failed, len=264
Sep 27 00:59:01 2019 CPGW-1 kernel: [fw4_0];cpaq_cbuf_alloc_rcv_buf_info: buf_id=88362620 unable to allocate buffer sz=1712
Sep 27 00:59:01 2019 CPGW-1 kernel: [fw4_0];cphwd_handle_send_cphwd_stats: NULL cphwd_stats_buf buffer
Sep 27 00:59:01 2019 CPGW-1 kernel: [fw4_0];mux_write_raw_data: ERROR: Failed to allocate buf data.
Sep 27 00:59:01 2019 CPGW-1 kernel: [fw4_0];tls_mux_write: mux_write_raw_data failed
Sep 27 00:59:01 2019 CPGW-1 kernel: [fw4_0];mux_task_handler: ERROR: Failed to handle task. task=ffffc2003b40a370, app_id=1, mux_state=ffffc200417ca8a0.
Sep 27 00:59:01 2019 CPGW-1 kernel: [fw4_0];mux_read_handler: ERROR: Failed to handle task queue. mux_opaque=ffffc200417ca8a0.
Sep 27 00:59:01 2019 CPGW-1 kernel: [fw4_0];mux_active_read_handler_cb: ERROR: Failed to forward data to Mux.
Sep 27 00:59:01 2019 CPGW-1 kernel: [fw4_0];mux_write_raw_data: ERROR: Failed to allocate buf data.
Sep 27 00:59:01 2019 CPGW-1 kernel: [fw4_0];tls_mux_write: mux_write_raw_data failed
Sep 27 00:59:01 2019 CPGW-1 kernel: [fw4_0];mux_task_handler: ERROR: Failed to handle task. task=ffffc2003b40a4b0, app_id=1, mux_state=ffffc2003822b1e0.
Sep 27 00:59:01 2019 CPGW-1 kernel: [fw4_0];mux_read_handler: ERROR: Failed to handle task queue. mux_opaque=ffffc2003822b1e0.
Sep 27 00:59:01 2019 CPGW-1 kernel: [fw4_0];mux_active_read_handler_cb: ERROR: Failed to forward data to Mux.
Sep 27 00:59:01 2019 CPGW-1 kernel: [fw4_1];mux_write_raw_data: ERROR: Failed to allocate buf data.
Sep 27 00:59:01 2019 CPGW-1 kernel: [fw4_1];tls_mux_write: mux_write_raw_data failed
Sep 27 00:59:01 2019 CPGW-1 kernel: [fw4_1];mux_task_handler: ERROR: Failed to handle task. task=ffffc20052afe1b0, app_id=1, mux_state=ffffc2001e526c00.
Sep 27 00:59:01 2019 CPGW-1 kernel: [fw4_1];mux_read_handler: ERROR: Failed to handle task queue. mux_opaque=ffffc2001e526c00.
Sep 27 00:59:01 2019 CPGW-1 kernel: [fw4_1];mux_active_read_handler_cb: ERROR: Failed to forward data to Mux.
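A small parser for the kernel message format quoted in the post above, as an added example that is neither part of the post nor a Check Point tool. It reads a subset of the post's own /var/log/messages lines (embedded inline), extracts the timestamp and firewall instance (fw4_N) from each, and counts the buffer and fw_kmalloc allocation failures per instance and per second, which is the symptom the post describes. The phrase list used to recognise an allocation failure is this example's own assumption drawn from the lines shown, and the alert threshold is arbitrary.

```python
"""Spot memory-allocation failures in Check Point kernel messages.
Added example (not Check Point's tooling) that parses the /var/log/messages
format shown in the post and counts allocation failures per firewall
instance and per second."""
import re
from collections import Counter

# A subset of the lines quoted in the post above; the format is the real one.
SAMPLE_LOG = """\
Sep 27 00:59:00 2019 CPGW-1 kernel: [fw4_0];[192.168.0.122:43493 -> 178.140.2.238:443] [ERROR]: network_classifier_get_zone_by_ifnum: Failed to get ifindex for ifnum=-1
Sep 27 00:59:00 2019 CPGW-1 kernel: [fw4_1];mux_buf_create: ERROR: Failed allocate Mux buf.
Sep 27 00:59:00 2019 CPGW-1 kernel: [fw4_1];tls_mux_write: mux_write_raw_data failed
Sep 27 00:59:00 2019 CPGW-1 kernel: [fw4_0];FW-1: h_getvals: fw_kmalloc (496) failed
Sep 27 00:59:00 2019 CPGW-1 kernel: [fw4_1];tcp_input: failed to alloc pkt buf at line :1259
Sep 27 00:59:01 2019 CPGW-1 kernel: [fw4_0];FW-1: h_getvals: fw_kmalloc (496) failed
Sep 27 00:59:01 2019 CPGW-1 kernel: [fw4_1];pslip_get_buf: failed to alloc packet_buf
Sep 27 00:59:01 2019 CPGW-1 kernel: [fw4_0];cpaq_cbuf_alloc_rcv_buf_info: buf_id=88362620 unable to allocate buffer sz=1712
Sep 27 00:59:01 2019 CPGW-1 kernel: [fw4_0];mux_write_raw_data: ERROR: Failed to allocate buf data.
"""

# "<Mon DD HH:MM:SS YYYY> <host> kernel: [fw4_N];<message>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d \d{4}) "
    r"(?P<host>\S+) kernel: \[(?P<inst>fw4_\d+)\];(?P<msg>.*)$"
)

# Phrases that appear in the post's excerpt whenever a buffer or kmalloc fails
# (assumption: this list covers the variants seen above, nothing more).
ALLOC_FAIL_RE = re.compile(
    r"fw_kmalloc \(\d+\) failed|failed to alloc|failed allocate|unable to allocate",
    re.IGNORECASE,
)


def parse_line(line):
    """Return the fields of one kernel message, or None for any other line."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def parse_log(text):
    """Parse a whole /var/log/messages excerpt, skipping non-matching lines."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def allocation_failures(events):
    """Keep only the events whose message reports a failed allocation."""
    return [e for e in events if ALLOC_FAIL_RE.search(e["msg"])]


def failures_per_instance(events):
    """How many allocation failures each CoreXL instance (fw4_N) logged."""
    return Counter(e["inst"] for e in allocation_failures(events))


def failures_per_second(events):
    """How many allocation failures were logged in each second."""
    return Counter(e["ts"] for e in allocation_failures(events))


def memory_pressure_alert(events, threshold=3):
    """Seconds with at least `threshold` allocation failures (threshold is arbitrary).
    A run of these across more than one instance points at host-wide memory
    exhaustion rather than at a single misbehaving connection."""
    per_sec = failures_per_second(events)
    return [(ts, n) for ts, n in sorted(per_sec.items()) if n >= threshold]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("per instance:", dict(failures_per_instance(evs)))
    print("per second:  ", dict(failures_per_second(evs)))
    print("alerts:      ", memory_pressure_alert(evs))
```

Over the excerpt, both instances report allocation failures within the same two seconds, which fits the post's reading that the host as a whole ran out of memory rather than one connection misbehaving. Fed the full log, the per-second counts show when the pressure started, and that can be lined up against the monitoring graph of free memory.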
HeikoAnkenbrand
HeikoAnkenbrand inside General Topics Monday

High Performance Gateways and Tuning

Timothy Hall gave a very interesting presentation, Security Gateway Performance Optimization with Tim Hall (video), in the last few days. Thank you for the presentation. Now let's discuss all the tuning possibilities in the forum. I would like to hear your experiences on this topic in the CheckMates forum.

More Tuning Tips
More interesting articles about R80.x performance tuning and architecture can be found here:
- R80.x Architecture and Performance Tuning - Link Collection
- Article list (Heiko Ankenbrand)