Ankur_Datta inside General Topics 31m ago
views 21 2

Installation failed. Reason: Load on Module failed - failed to load security policy

Hi All,
We have an environment where management is on R80 and the gateway is on R75.40 SPLAT. We sometimes face the following error when we install policy on the gateway: "Installation failed. Reason: Load on Module failed - failed to load security policy". Clearing the string_dictionary_table resolves the issue, but this time it didn't. We increased the limit of string_dictionary_table from 65536 to 131072 as the table had already reached its peak limit. After doing this we are still getting the same error when installing the policy. We ran cpd debug and debugged the process of fetching the local policy from the temporary directory. We get the following error:

fetching the local policy:
fw_atomic_download: sizeof struct fwatomload 872
fw_atomic_download: FWATOMICLOAD 40047a03
fw_atomic_download: FWATOMICLOAD done ret=-1
fw_atomic_download: FWATOMICLOAD failed: Invalid argument
fw_atomic_download: unlocking mutex: install_policy_mutex
Failed to Load Security Policy: Invalid argument
fw_rfetchx_local_ex: failed to load Security Policy
update_load_connection: no connection
In fwa_vrfy_db restore = -1
logo_directory_restore: dir=/opt/CPsuite-R75.40/fw1/state/__tmp/FW1/
Failed to Load Security Policy: Invalid argument
Fetching Security Policy Failed

CPD logs:
[22 Nov 13:21:26] Installing Security Policy XXXXXXX on all.all@XXXXXXX
[22 Nov 13:21:26] fwasync_mux_timeout: 281: timed out after 100000 miliseconds
[22 Nov 13:21:26] fwasync_mux_timeout: 281: inbuf: 0/12 outbuf: 0/0 state: 77f1f440 1
[22 Nov 13:21:26] fwasync_mux_timeout: 281: calling handler 77f1f640
[22 Nov 13:21:26] resched timeout to conn_id=281, conn=6d5ea280, comm=6d200738, due to 1 active sessions
[22 Nov 13:21:28] opsec_send_datagram_e: SESSION ID:4 is sending DG_ID=4 DG_TYPE=0x1701(???)
[22 Nov 13:21:28] pushing dgtype=1701 len=18828 to list=0x8f44adc
[22 Nov 13:21:28] pulling dgtype=1701 len=18828 to list=0x8f44adc
[22 Nov 13:21:28] demultiplex type=1701 session-id=4
[22 Nov 13:21:28] amon_client_handle_reply: return code - 0
[22 Nov 13:21:28] opsec_comm_notify: COM 0x8f4adb0 got signal 131074
[22 Nov 13:21:30] Failed to Load Security Policy: Invalid argument
[22 Nov 13:21:31] ckpSSL_do_read: read 12 bytes
[22 Nov 13:21:31] fwasync_conn_get: get max buffer size (1048576) .
[22 Nov 13:21:31] ckpSSL_InputPending 1 pending bytes
[22 Nov 13:21:31] ckpSSL_InputPending 1 pending bytes
[22 Nov 13:21:31] ckpSSL_do_read: read 8 bytes
[22 Nov 13:21:31] fwasync_conn_get: get max buffer size (1048576) .
[22 Nov 13:21:31] demultiplex type=d session-id=7
[22 Nov 13:21:31] opsec_got_ping_peer_request
[22 Nov 13:21:31] got_peer_req: sess: 7, peer_dg_id:2, query:0
[22 Nov 13:21:31] ckpSSL_do_write: write 20 bytes
[22 Nov 13:21:31] opsec_comm_notify: COM 0x6d2af208 got signal 131074
[22 Nov 13:21:31] cpd_server_signal_handler: session=0x6d259ba0, event=135683
[22 Nov 13:21:31] Failed to Load Security Policy: Invalid argument
[22 Nov 13:21:31] Fetching Security Policy Failed
[22 Nov 13:21:31]
[22 Nov 13:21:31] Commit_exec_cb : RTPM_SUCCESS - l_nRetCode = 11
[22 Nov 13:21:31] Commit_exec_cb : Executable Failed, returned Load on Module failed - failed to load Security Policy.
[22 Nov 13:21:31] sendDatagramOfCommitInstall: policy commit failed
[22 Nov 13:21:31] readMessagesFile: file with messages doesn't exist, there are no commit messages
[22 Nov 13:21:31] removeMessageFile: Removing file with warnings
[22 Nov 13:21:31] removeMessageFile: File doesn't exist, nothing to do
[22 Nov 13:21:31] opsec_send_datagram_e: SESSION ID:7 is sending DG_ID=7 DG_TYPE=0x1202(???)
[22 Nov 13:21:31] ckpSSL_do_write: write 18 bytes
[22 Nov 13:21:31] opsec_comm_notify: COM 0x6d2af208 got signal 131074
[22 Nov 13:21:31] cpd_server_signal_handler: session=0x6d259ba0, event=135683
[22 Nov 13:21:31] ckpSSL_do_read: read 12 bytes
[22 Nov 13:21:31] fwasync_conn_get: get max buffer size (1048576) .
[22 Nov 13:21:31] demultiplex type=3 session-id=7
[22 Nov 13:21:31] Destroying session (6d259ba0) id 7 (ent=8a82690) reason=PEER_ENDED
[22 Nov 13:21:31] SESSION ID:7 already resumed read
[22 Nov 13:21:31] All sessions removed from comm 0x6d2af208. Peer may close it.
[22 Nov 13:21:31] opsec_send_datagram_e: is sending DG_ID=0 DG_TYPE=0xa(DGTYPE_MAY_CLOSE_COMM)
[22 Nov 13:21:31] ckpSSL_do_write: write 12 bytes

I checked sk33893 but didn't find any solution that can be applied.
Device model - UTM 3070
Management - MDS - Smart-1 50
Any suggestions please on how to resolve this. Thanks
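The post's remedy revolves around how full string_dictionary_table is relative to its limit. The following is an added example, not code from the post or from Check Point: it reads the two pieces of fw tab output a practitioner would pull on the gateway and classifies the table. The formats are assumed from the usual fw tab output (the "limit N" field in the fw tab -t <name> header, and the HOST / NAME / ID / #VALS / #PEAK / #SLINKS columns of fw tab -t <name> -s); the sample text is constructed, not taken from the poster's gateway, so check it against your own output before relying on it.

```python
"""Read the fill level of a Check Point kernel table from fw tab output.

Added example, not from the post. Two formats are assumed from the usual fw tab
output: the `fw tab -t <name>` header line ("... limit 65536, ...") and the
`fw tab -t <name> -s` summary columns (HOST NAME ID #VALS #PEAK #SLINKS). The
sample texts below are constructed, not taken from the poster's gateway.
"""
import re
from dataclasses import dataclass

# Constructed sample of `fw tab -t string_dictionary_table -s`.
SAMPLE_SUMMARY = """\
HOST                  NAME                                ID #VALS     #PEAK  #SLINKS
localhost             string_dictionary_table           8183    65530     65536        0
"""

# Constructed sample of the header printed by `fw tab -t string_dictionary_table`.
SAMPLE_HEADER = (
    "localhost:\n-------- string_dictionary_table --------\n"
    "dynamic, id 8183, attributes: keep, sync, expires never, limit 65536, "
    "hashsize 32768, kbuf 1\n"
)


@dataclass
class TableStats:
    host: str
    name: str
    table_id: int
    vals: int    # entries currently in the table
    peak: int    # highest number of entries seen since the table was created
    slinks: int


def parse_summary(text: str) -> list:
    """Parse `fw tab -s` lines; the column header and blank lines are skipped."""
    stats = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6 or not parts[2].isdigit():
            continue
        host, name, tid, vals, peak, slinks = parts
        stats.append(TableStats(host, name, int(tid), int(vals), int(peak), int(slinks)))
    return stats


def parse_limit(header: str):
    """Extract `limit N` from the table header, or None if no limit is printed."""
    m = re.search(r"\blimit (\d+)", header)
    return int(m.group(1)) if m else None


def assess(stats: TableStats, limit, warn_at: float = 0.9) -> str:
    """Classify the table as 'full', 'near-limit' or 'ok'.

    A peak equal to the limit means the table has already hit its ceiling at
    least once, which is the condition the post describes before raising it.
    """
    if limit is None:
        return "ok"
    if stats.vals >= limit or stats.peak >= limit:
        return "full"
    if stats.vals / limit >= warn_at:
        return "near-limit"
    return "ok"


def report(summary_text: str, header_text: str) -> dict:
    """Combine both outputs into {table_name: (vals, limit, verdict)}."""
    limit = parse_limit(header_text)
    return {s.name: (s.vals, limit, assess(s, limit)) for s in parse_summary(summary_text)}


if __name__ == "__main__":
    for name, (vals, limit, verdict) in report(SAMPLE_SUMMARY, SAMPLE_HEADER).items():
        print(f"{name}: {vals}/{limit} -> {verdict}")
```

Run it with the real output of both commands pasted in place of the samples. Note that #PEAK is a high-water mark: a verdict of "full" from the peak alone tells you the table hit the ceiling at some point, not that it is full right now, which is why vals and peak are checked separately.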
kb1 inside General Topics 45m ago
views 34 1

I need help with routing

So I need to configure routing on my 1100 firewall, and below is the information I have for the configuration:
Site subnet: 10.40.3.X/24
Eth LAN2 (vlan20 - secured): ; dgw = (int Gi0/2)
Eth LAN5 (vlan 10 - unsecured): , dgw = (int Gi0/1)
Source network: 216.152.218.X/32
Destination networks: Checkpoint Portal/Blade - 149.122.13.X/32, 149.122.13.X/32, 149.122.13.X/32
So what would be the command on the CLI, since I only have console access to configure routing? For reference, below is the routing configuration for another 1100 appliance, and I was told that the routing should be similar to this one:
# Static routes
delete static-routes
add static-route service Any destination 10.0.0.X/8 nexthop gateway ipv4-address" metric 0
set static-route 2 service Any destination 10.0.0.X/8 nexthop gateway ipv4-address metric 0 disabled false
add static-route service Any destination "216.152.218.X/32" nexthop gateway ipv4-address "10.43.1.X" metric "0"
set static-route 3 service Any destination "216.152.218.X/32" nexthop gateway ipv4-address "10.43.1.X" metric "0" disabled "false"
add static-route service Any destination "149.122.0.X/16" nexthop gateway ipv4-address "10.43.1.X" metric "0"
set static-route 1 service Any destination "149.122.0.X/16" nexthop gateway ipv4-address "10.43.1.X" metric "0" disabled "false"
I cannot figure out what the destination network should be, as is shown for the above configuration; it just keeps showing an error whenever I try something.
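Two things commonly make a static-route line fail before it ever reaches the routing table: a destination whose host bits are set for its prefix length (10.0.0.5/8 is not a network), and a next hop that is not on any directly connected subnet. The block below is an added example, not the poster's configuration and not Check Point code: it builds commands in the syntax quoted above and checks both conditions first. The addresses in it (10.43.1.1 as next hop, 192.0.2.0/24 and 198.51.100.7/32 as destinations) are constructed placeholders.

```python
"""Generate and sanity-check static-route commands in the syntax the 1100 uses.

Added example, not from the post. The command form is copied from the
configuration quoted above; the addresses (10.43.1.1 as next hop, 192.0.2.0/24
and 198.51.100.7/32 as destinations) are constructed placeholders.
"""
import ipaddress


def normalise_destination(dest: str) -> str:
    """Return the destination as a network address, or explain why it is invalid.

    A static-route destination has to be the network address for its prefix
    length; something like 10.0.0.5/8 has host bits set and most routing CLIs
    refuse it. The error names the network the caller probably meant.
    """
    try:
        return str(ipaddress.ip_network(dest, strict=True))
    except ValueError:
        loose = ipaddress.ip_network(dest, strict=False)
        raise ValueError(f"{dest} has host bits set; did you mean {loose}?") from None


def nexthop_on_link(nexthop: str, connected_networks) -> bool:
    """A next hop must sit on a directly connected subnet of the appliance."""
    gw = ipaddress.ip_address(nexthop)
    return any(gw in ipaddress.ip_network(n) for n in connected_networks)


def static_route_cmd(dest: str, nexthop: str, metric: int = 0) -> str:
    """Build one `add static-route` line in the quoted syntax."""
    net = normalise_destination(dest)
    gw = ipaddress.ip_address(nexthop)
    if gw.version != 4:
        raise ValueError("nexthop must be an IPv4 address for ipv4-address")
    return (f'add static-route service Any destination "{net}" '
            f'nexthop gateway ipv4-address "{gw}" metric "{metric}"')


def route_script(destinations, nexthop: str, connected_networks) -> str:
    """Emit a block of commands; refuse to proceed if the next hop is not on-link."""
    if not nexthop_on_link(nexthop, connected_networks):
        raise ValueError(f"next hop {nexthop} is not on any connected network")
    lines = ["# Static routes"]
    lines += [static_route_cmd(d, nexthop) for d in destinations]
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed inputs: two destinations behind a next hop on the 10.43.1.0/24 LAN.
    print(route_script(["192.0.2.0/24", "198.51.100.7/32"], "10.43.1.1", ["10.43.1.0/24"]))
```

Feed it the interface subnets of the appliance as connected_networks and the real destinations; a ValueError from normalise_destination is the same kind of rejection the CLI gives for a non-network destination, with the corrected network spelled out.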
Tiago_Cerqueira inside General Topics yesterday
views 411 11

VPN issue with IKEv2 and Cisco ASA

Hi,
Last week we upgraded our security gateway from R77.30 to R80.20. After this upgrade, we lost connectivity with one of our VPNs. This VPN is with a third-party gateway, a Cisco ASA, and we are using IKEv2.
The issue is weird and I've isolated the following things:
1) If the negotiation is triggered on the ASA side, everything works as expected (so, as a workaround, they are bouncing the tunnel on their side, generating traffic to us (if we are the first to generate traffic it won't work), and that's allowing us to connect).
2) If we initiate the connection, we are unable to reach the other side of the VPN, but they are able to reach our network. So traffic generated on their side of the VPN always reaches us without issues.
3) Child SAs are only being negotiated on re-keys; I'm assuming the first time they are created is under the AUTH packet, as per the RFC.
I have a case opened with TAC, but so far no meaningful replies. I can also share the vpnd.elg files, as well as the ikev2.xmll files, if you are interested in taking a look at that.
Thanks
Nelson_Thoms inside General Topics yesterday
views 109 3

R80.30 upgrade of 5000 series appliance - network drop when using SFP interfaces

Hello,
We have a pair of 5200-HPP firewalls in a cluster, running R80.20. We use the SFP interfaces to connect to a layer 2 switch (Cisco). When we upgrade the firewalls to R80.30, the fiber/SFP interfaces drop and the switch says the ports are not operational. When we roll the firmware back to R80.20, the ports become operational and traffic passes. I think this issue is specific to the SFP ports on the Check Point firewall, since if I move the network configuration to the copper ports on the firewall, network operation resumes. Of course we have valid Check Point branded SFPs on the firewall side, and swapping out transceivers or using different OM4 cable does not make a difference.
Anyone else run into issues with the SFP ports on Check Point 5000-series firewalls following an upgrade to R80.30? I've tried raising the issue with the vendor and they are not providing troubleshooting assistance, even though we can consistently demonstrate that a rollback of the firewalls to R80.20 makes the issue go away, and as soon as we complete the upgrade to R80.30 the SFP ports go down.
Cheers, hope someone out there has ideas on how to troubleshoot this!
TheRealDiZ inside General Topics yesterday
views 194 8

Failover between different HW with cphacu

Hi wonderful CheckMates!
I got a quick question for you: I just want to do a zero-downtime upgrade. I'm upgrading R77.20 4400 to 5600 brand new appliances with R80.30. Do you think with different HW the cluster will be in Active/Down and cphacu start will work? I've never tried it before, but I think with the same CoreXL instances it will work.
D!Z
mselecky inside General Topics yesterday
views 135 9

site-to-site VPN - Encryption domain issue

Hello,
I am facing a strange issue. We have a site-to-site VPN with a 3rd party. We have Check Point, they have Sophos UTM. The tunnel is working in only one direction.
- Sophos >> Check Point - working fine
- Check Point >> Sophos - not working
The IkeView tool says Phase 1 is OK; Phase 2 is failing when Check Point initiates the tunnel. Only QM packet 1. After that I receive an error:
Notify Payload
Next Payload: NONE
Reserved: 0
Length: 00 0c (12)
DOI: 00 00 00 01 (1)
ProtID: 1
SPI Size: 0
Notify Type: 18 (INVALID-ID-INFORMATION)
I also noticed this in vpnd.elg:
[] vpn_ipsec_spi_notify: spi 0,, peer x.x.x.x, proto 50, my range, peer range,
However, in the dashboard I have:
My encryption domain:
Device encryption domain:
From the CLI I am getting the correct enc. domain:
5:04:09 x.x.x.x > :(+);From:;,To:;CPTFMT_sep:;;Peer:x.x.x.x;,allowed_peers_table_id:0;,gw_conf:0;,community_id:5;,subnet_support:1;,from:;,to:;product:VPN-1 & FireWall-1;product_family:Network
Any ideas/hints on what to check or change to get this working? Thanks indeed.
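INVALID-ID-INFORMATION (notify type 18) in response to QM packet 1 is the responder saying that the pair of Phase 2 IDs it was offered does not fit what it has configured. The block below is an added example, not code from the post and not Check Point or Sophos code: it models the responder's decision in the abstract so you can replay the two ID payloads (IDci, the initiator's own range, and IDcr, the range it expects on the responder) against a configured pair of domains. It also generalises to the case where a responder requires an exact match with one configured network rather than containment, since that is the difference that a subnet-level proposal (the subnet_support:1 seen above) versus a narrower or wider configured network turns on. All networks in it are constructed placeholders.

```python
"""Responder-side model of the IKEv1 Quick Mode ID check.

Added example, not from the post and not vendor code. QM packet 1 carries two ID
payloads: IDci (the initiator's own traffic range) and IDcr (the range it expects
behind the responder). The responder accepts only if IDcr lies inside its own
encryption domain and IDci inside the peer domain it has configured; otherwise it
answers with notify type 18. Networks below are constructed placeholders.
"""
import ipaddress
from typing import Optional

INVALID_ID_INFORMATION = 18  # ISAKMP notify message type (RFC 2408)


def _net(s: str):
    return ipaddress.ip_network(s, strict=False)


def covered(proposed: str, configured, exact: bool) -> bool:
    """Is `proposed` acceptable against the responder's configured networks?

    exact=False: any configured network that contains the proposal is enough.
    exact=True : the proposal must equal one configured network; a supernet or a
                 single host inside the network is refused even though the
                 traffic itself would be permitted.
    """
    p = _net(proposed)
    for c in configured:
        cn = _net(c)
        match = (p == cn) if exact else p.subnet_of(cn)
        if match:
            return True
    return False


def responder_check(idci: str, idcr: str, my_domain, peer_domain,
                    exact: bool = False) -> Optional[int]:
    """Return None when the proposal is accepted, else the notify type to send."""
    if not covered(idcr, my_domain, exact):     # what the peer thinks is behind me
        return INVALID_ID_INFORMATION
    if not covered(idci, peer_domain, exact):   # what the peer says is behind it
        return INVALID_ID_INFORMATION
    return None


def describe(idci: str, idcr: str, my_domain, peer_domain, exact: bool = False) -> str:
    code = responder_check(idci, idcr, my_domain, peer_domain, exact)
    return "accepted" if code is None else f"notify {code} (INVALID-ID-INFORMATION)"


if __name__ == "__main__":
    # Constructed responder configuration: its own domain and the peer's domain.
    my_domain, peer_domain = ["198.51.100.0/24"], ["192.0.2.0/24"]
    for idci in ("192.0.2.0/24", "192.0.2.0/23", "192.0.2.0/25"):
        for exact in (False, True):
            print(f"IDci={idci:<14} exact={exact!s:<5} ->",
                  describe(idci, "198.51.100.0/24", my_domain, peer_domain, exact))
```

To use it on a real failure, put the "my range" and "peer range" values from the initiator's vpnd.elg line in as idcr and idci, and the responder's configured local and remote networks as my_domain and peer_domain; try exact=True as well, since the result then tells you whether the mismatch is in the networks themselves or only in their granularity.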
Rodrigo_Silva inside General Topics yesterday
views 115 2

curl: (60) SSL certificate problem: unable to get local issuer certificate

Hi,
I have a problem with HTTPS Inspection to access a site. When I do a curl_cli I get the error "curl: (60) SSL certificate problem: unable to get local issuer certificate". In the dashboard the certificate exists, but when I look inside the bundle certificate via SSH I can't see the root certificate. I tried to insert the certificate by hand, and when I curl with the --cacert $CPDIR/conf/ca-bundle.crt parameter no error is displayed, but when I curl without specifying the path, which should take the default path, I get the same error.
Does anyone have any ideas how to resolve this error?
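"Works with --cacert, fails without it" means the two runs are consulting different trust stores, so the practical question is which bundle actually contains the root. Eyeballing a bundle for a certificate is unreliable because the same certificate can be wrapped differently or carry different comment headers. The block below is an added example, not the post's code and not Check Point code: it compares certificates by the SHA-256 of their DER bytes, which is what you want when checking whether a root you inserted by hand really is in a given bundle. The "certificates" in it are constructed placeholder blobs so it runs offline; they are not real X.509 data and nothing here validates a chain.

```python
"""Check whether a specific CA certificate is present in a PEM bundle.

Added example, not from the post. Certificates are compared by the SHA-256 of
their DER bytes, so two copies of one certificate match even when one is wrapped
at 64 columns and the other is on a single line. The "certificates" below are
constructed placeholder blobs, not real X.509 data; nothing here validates a chain.
"""
import base64
import hashlib
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def pem_to_der(text: str) -> list:
    """Return the DER bytes of every CERTIFICATE block in `text`, in order."""
    return [base64.b64decode("".join(body.split())) for body in PEM_BLOCK.findall(text)]


def fingerprint(der: bytes) -> str:
    return hashlib.sha256(der).hexdigest()


def bundle_index(bundle_text: str) -> dict:
    """Map fingerprint -> position in the bundle (first occurrence wins)."""
    index = {}
    for pos, der in enumerate(pem_to_der(bundle_text)):
        index.setdefault(fingerprint(der), pos)
    return index


def cert_in_bundle(cert_pem: str, bundle_text: str) -> bool:
    """True if the single certificate in cert_pem appears anywhere in the bundle."""
    ders = pem_to_der(cert_pem)
    if len(ders) != 1:
        raise ValueError("expected exactly one certificate in cert_pem")
    return fingerprint(ders[0]) in bundle_index(bundle_text)


def to_pem(der: bytes, wrap: bool) -> str:
    """Constructed helper: emit a PEM block either 64-column wrapped or single-line."""
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64)) if wrap else b64
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


# Constructed sample data: placeholder "DER" blobs standing in for real certificates.
ROOT_DER = b"placeholder root CA blob " * 8
INTERMEDIATE_DER = b"placeholder intermediate blob " * 8
ROOT_PEM = to_pem(ROOT_DER, wrap=True)
BUNDLE_WITHOUT_ROOT = to_pem(INTERMEDIATE_DER, wrap=True)
BUNDLE_WITH_ROOT = BUNDLE_WITHOUT_ROOT + to_pem(ROOT_DER, wrap=False)  # one-line copy

if __name__ == "__main__":
    print("root in bundle without root:", cert_in_bundle(ROOT_PEM, BUNDLE_WITHOUT_ROOT))
    print("root in bundle with root   :", cert_in_bundle(ROOT_PEM, BUNDLE_WITH_ROOT))
```

In practice you would read ROOT_PEM from the root you exported and run cert_in_bundle against each candidate bundle (the one you pass to --cacert and the one the default path resolves to); the one that returns False is the one the unqualified curl is reading.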
inside General Topics yesterday
views 46

R80.10 Jumbo Hotfix Accumulator - New Ongoing Take 249

A new Ongoing Jumbo Hotfix Accumulator take for R80.10 (take 249) is available. Please refer to sk163473.
Release Highlights:
- The Gaia restore of Multi-Domain Server fails when using Take 245 of R80.10 Jumbo Hotfix Accumulator. Refer to sk163473.
- In some scenarios, Gaia restore on Multi-Domain Server fails with error "failed to edit update registry". Refer to sk163312.
- PRJ-6781 - Using R80.10 management to manage R80.30 Cluster may lead to a split brain scenario and traffic loss on the Security gateway side.
Please note the following:
- The new release is mentioned in the JHF sk163312.
- The new release will be published via CPUSE as a recommended version when it becomes GA.
Availability:
- Will be provided by customer support.
- Available for download via CPUSE by using the package identifier.
Thanks,
Release Management Group
jijotms0511 inside General Topics yesterday
views 155 4

ISP Redundancy with PBR

Hi All,
Can anyone advise if Check Point R80.20 can support ISP redundancy with PBR (PBR is presently configured to connect 2 links for wifi users)? Currently ISP redundancy for the main traffic is not configured in the setup and we want to achieve it now. Can anyone advise?
Thanks,
Jijo
Tommy_Forrest inside General Topics Wednesday
views 120 4

Pushing policy destroys Skype calls

Does anyone else have issues where when they push policy to their internet edge gateway Skype calls are utterly destroyed for a solid 30-90 seconds?We have a 3 node cluster in HA mode running on 15600 gateways with 80.10 (our 80.30 migration starts in December).  CPUs average around 30% at peak during the day.Connection Persistence is configured for "Keep all connections".It does not matter the time of day (or load) when policy is pushed.  We can push it at 4am and it will disrupt Skype calls.What is the solution for this?  Aside from only pushing policy after hours (which will be an enormous burden to my team).
Di_Junior inside General Topics Wednesday
views 98 2

Publishing a service with multiple DNS records associated with a Single Public IP using Check Point

Dear Mates,
We wish to migrate one of our critical services from TMG to Check Point. Most of the services have already been migrated except this one last service. Currently, the service has 4 DNS records associated with a single public IP; the public IP is then NATed internally to a private IP of the TMG proxy. Take into account that this service runs on three machines which were put into a pool of a single DNS record internally. So the proxy has a rule like:
Source: Any
Destination: DNS record (a single DNS record where all the machines were added)
Service: http, https
Action: Accept
How can we translate this configuration in Check Point? We are using R80.20.
Thanks in advance
Amir_Arama inside General Topics Wednesday
views 132 4

Routing bug

So we have an R80.20 Gaia cluster, with FW, VPN and IA enabled. CoreXL and SecureXL are also enabled.
A couple of days ago I added a new VLAN on an empty interface for a point-to-point link to a remote site FW, which is connected through a layer 2 line. So far so good. The FWs have a site-to-site VPN with each other. No static routes on that line, only encrypted traffic.
This GW actually connects HQ with all branches through the main ISP line on another. We had downs at least 7 times between HQ and all branches; each downtime was for about 10-20 seconds, and it came back up by itself. After checking with fw monitor I discovered that instead of routing packets directed to the branches through the main ISP line, the FW routed those packets through the new VLAN interface that I mentioned above, and this is why the packets never arrived at the destination.
I thought first that maybe I had some duplicate routes, so I checked, and there is not a single route on this VLAN interface except, of course, the directly connected point-to-point network, which is in a completely different subnet.
The things that occurred today before it started: they went to this remote site to install PCs and printers etc., which I don't believe is relevant, and I did fwaccel off and back on. In messages I got a lot of:
kernel: [fw4_1];fwconn_recover_old_conn: connection is accelerated - cannot set handler.
kernel: [fw4_1];fwconn_recover_old_conn: handler (322) VERIFICATION_HANDLER. dropping packet
and also a lot of these:
kernel: dst_release: dst:ffff8808147852c0 refcnt:-2
I have no idea what these messages are. It was happening for around 2 hours randomly and stopped about when they left the remote site, which again I don't believe is relevant. To me it looks very much like a bug, but I'm not sure why it happens just now and why with this new VLAN specifically. fwaccel off didn't solve the issue right away, but I just read that in R80.20 it does not take effect on all connections as it did before.
Eric_Kiarie inside General Topics Tuesday
views 278 4

Web pages timing out after upgrade

Good afternoon team,
I would like to inquire: I recently upgraded my firewall from an R77.30 13500 appliance to an R80.20 23000 appliance. Some websites like Zimbra email and some internal sites are timing out or are slow to open. What could be the issue that is causing my websites to time out or not be accessible?
ProxyOps inside General Topics Tuesday
views 83

R80.40 - Identity Awareness Questions

Hello,
We are looking forward to the upcoming changes for IA in R80.40. I have two questions about the new things for IA:
1. We are currently using the Identity Broker with a special R80.10 take. How can we migrate from this special R80.10 take to R80.40? Will the existing Identity Broker configuration persist with an in-place upgrade?
2. We faced many different issues with the MUH Agent in the past and we are looking forward to the upcoming improvements. Has somebody already got some insights about the mentioned "Enhancements" and "better scaling and compatibility" features?
Greetings
Niklas
sajin inside General Topics Tuesday
views 186 8


Hi,
I found the Check Point HTTPS Inspection cert is SHA1, and as it is outdated we should move forward to SHA256. I followed sk115894, but when accessing, the browser is not trusting the certificate. Kindly help on resolving this issue.