Philipp_Philipp inside General Topics 23m ago
views 6113 9 3

Export logs to CSV

Hello, I need to export logs to CSV for one particular firewall rule, but the system exports only about 50 rows, which I can see on the screen, instead of several thousand in total. We asked support; they told us it is a bug. I also tried Smartview on Smartevent, but it has a limited number of columns. Is there a workaround for this issue?
kevin_t inside General Topics 35m ago
views 9

SmartConsole R80.20 Build Number

Afternoon All, I am trying to find an easy way to verify the build number of our Smart Console installation. CPUSE is saying the new build of 67 is from when I did it manually, but I am finding nowhere in the Smart Console itself to that effect. The About page is not showing anything I recognize as a build number. Basically, we are looking to validate the current version of our software, as we have the Smart Console installed on both a primary and backup server. Would like to verify they are being updated together. Thanks in advance!
REconfigure inside General Topics 2 hours ago
views 186 7 6

R80.20 strange behaviour - random TCP session timeout values - fw ctl conntab

Hi Community! After upgrading to R80.20 I verified the session tables of our fw gateways with the "fw ctl conntab" command. I found out that all upgraded gateways have random TCP session timeouts displayed for a session, and not the actually configured value for the service. I checked it on more than 20 different gw's; it's always the same. For a global value of 7200 sec, there is sometimes 4642 or even as low as 1058 sec, or higher, 7205 etc., in the output next to the TTL - same rule/same service. In older versions like 77.20 it's always exactly the configured value, for example 7200 sec, in the output. Can anyone verify this? Is this only cosmetic or could this lead to sessions falling out of the table too soon? Attached you can find screenshots with example output of an R77.20 and R80.20 gateway.
dilirium inside General Topics 2 hours ago
views 57 2

Cannot ping remote VPN gateway external IP

This question has already been asked, and I carefully read the answers to it: https://community.checkpoint.com/t5/General-Topics/Cannot-ping-remote-VPN-gateway/td-p/20797. Setting "Accept ICMP requests" -> "First" in the Global Properties causes ping to the external interface to work, but it is not possible to ping the hosts behind the gateway. If you put "Before Last", then we get the opposite picture. In another answer it was written that I need to prescribe rules for ping. Can you give an example of these rules? I tried several variants of the rules, but did not achieve a positive result. Is it generally possible to ping the external interface of the gateway and the hosts behind it?
marko inside General Topics 2 hours ago
views 50 4

CP FW Beginner

Hi, my company got a few CP firewalls, I have to test them and I never had a chance to work on them. Can anyone explain to me the differences between CP smart dashboard and CP smart console? Is that software free? I want to configure my device from the URL https://my_device:4433, but every guide I saw explains configuration from CP dashboard or console?
6dd15084-b97a-4 inside General Topics 6 hours ago
views 24

Log server r80.10

Hello gents. We have 4 R77.30 cluster config gateways and we wanted to create 1 central log server with R80.10; we wanted to take backup of at least 3 months or more. Can you please guide me through the process to do that, and also the hardware capability for the server?
Nick_Doropoulos inside General Topics 7 hours ago
views 168 5

CoreXL limitations on R80.30

Can I just confirm that the existence of route-based VPN does not allow CoreXL to be used even on R80.30? According to the CoreXL limitations as per sk61701 it would appear that that is the case, but I wanted to double-check anyway. Thanks.
SteveG inside General Topics 7 hours ago
views 25

Checkpoint 5600 - Alternative Virtual Appliance options for on premise deployment?

Hi All, we currently have vast numbers of physical CP HW across our estate. A new project has come along where a pair of new FWs are required; our standard pattern would be to deploy two 5600 physical devices. I'd like to understand what the virtual alternative would be in this case. If throughput and performance are equal and I also get some additional flexibility, potentially at a lower cost, it would seem to make sense. I should add this is all on premise, so no public cloud deployments. Any suggestions or thoughts from experience and what the alternative virtual products are would be appreciated. Kind regards
JosephAviles
inside General Topics 8 hours ago
views 176 5
Employee

1GB to 10GB interface upgrade

Hello everyone, I have a task to upgrade a firewall appliance from 1GB to 10GB on their interfaces. The issue I have is this appliance is running r75.30 on SPLAT. I haven't used SPLAT in a very long time. Does anyone know what the commands even are to do this? Another question is what is the SPLAT command to get the configuration of the appliance. In GAIA it's simply show configuration. Don't know what the command is in SPLAT. Any help is appreciated. Thanks. Regards!
minhhaivietnam inside General Topics yesterday
views 78 3

ICMP reply does not match a previous request

Hello friends, I have a multicast topology like this: Router1(receiver multicast)------>Checkpoint R80------->Router2-----Router3(Multicast sender). All devices run PIM-SM mode. On router1: I join group 239.9.9.9. On router2: ping to 239.9.9.9. Result: Not success. I check the log on the firewall and see this error. Please help me. Thanks a lot!!
minhhaivietnam inside General Topics yesterday
views 67 1

Static Nat seems not working with multicast

Hi all, I have a topology running multicast: router1(multicast receiver)----checkpoint r80----router2(RP)---router3(multicast sender). All devices run pim-sm. The above network runs fine without NAT, but when I set static NAT on the firewall: IP of router1 ---> translate to a.b.c.d, then on router1 I send "igmp join" toward the RP (router2). In the log, I see that the igmp packet is forwarded to the firewall, but the packet is not NATed to a.b.c.d (above IP address), and not forwarded through the firewall. So my question is whether checkpoint r80 supports multicast NAT source? If yes, how can I configure it? Thank you!!
Dawei_Ye inside General Topics yesterday
views 15853 12

tcpdump and fw monitor missed packets

We are digging into an issue with our application department. In testing by our QA dept., the http connection could have a 5-6s latency occasionally. So we did a packet capture. The normal post and response: The post with the latency occurring is as follows: You could see the red column should be the POST request but the tcpdump shows "not captured", and we also captured via fw monitor: we can only see the POST request but no response. Have you guys met this issue before?
Di_Junior inside General Topics yesterday
views 66 1

ISP IP Blacklist

Dear Mates, this is not a technical question but it is more like a general question on which I would really appreciate your feedback. We are an ISP, and we provide services to many enterprises. Our clients are usually finding the IP addresses we allocate to them in some blacklists, which sometimes prevents them from using certain services on the Internet until the IPs are removed from the blacklist. Taking into account that we do not have control over what our clients do to get them blacklisted, I would like to know whether there is something we as the ISP can do in order to minimize the risk of our clients getting blacklisted. Thanks in advance
Jeff_Gao inside General Topics yesterday
views 2013 15 1

Physical memory is high

Dear all, my CP23500 has 16G memory and traffic is low, but memory is high, as follows: Why is this? Thanks!
Albert_Chang inside General Topics yesterday
views 189 7

Packets from IPSec tunnel were dropped. It seems there is an issue on the coreXL connections table

Our security gateway sometimes drops packets from IPSec tunnel. The workaround is usually to reinstall policy and the issue will be fixed for a few days. By using the "fw ctl zdebug drop" to capture the drop message, it says "failed to resolve SA (VPN Error code 01)". But in the kernel debug, it looks like it cannot find the connection in the connections table. Has anyone encountered a similar issue and has a solution? Thanks in advance!

;20Jun2019  3:30:27.466084;[cpu_1];[fw4_2];fwconn_lookup: not found in connections table;
;20Jun2019  3:30:27.466088;[cpu_1];[fw4_2];forward_if_not_mine: forwarded to another instance (rc=0);
....
;20Jun2019  3:30:27.466102;[cpu_1];[fw4_2];fwconn_key_lookup_ex: conn 10.13.1.29:0 IPP 10,0,0,0,0,UUID: 00000000-0000-0000-00-0-0-0-0-0-0-0, 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0>  not found in connections table;
.....
;20Jun2019  3:30:27.466268;[cpu_1];[fw4_2];fwconn_key_lookup_ex: conn 172.28.0.126:15 IPP 10,0,0,0,0,UUID: 00000000-0000-0000-00-0-0-0-0-0-0-0, 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0>  not found in connections table;
;20Jun2019  3:30:27.466282;[cpu_1];[fw4_2];   vpnk_conn_log: in the kernel  - calling fwchainlog_delayed_rulebase_log with alert -1 ;
;20Jun2019  3:30:27.466284;[cpu_1];[fw4_2]; action = 0  schemename = IKE  user =  methods = ESP: AES-256 + SHA384 + PFS (group 2)  fail_reason = Encryption/Decryption failure, failed to resolve SA (VPN Error code 01)  xpo_loghandle = 0 community_loghandle = 0