Rob_Napholz inside General Topics 8m ago
2

Delete trial license

How can the first temp/30 day trial license be deleted?
cplic print -x
trial 14Jul2019 axxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
cplic del axxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Failed to delete license
I had a ticket open with support, with no luck. I prefer not to have a box in production with a trial license and don't want to wait the 30 days. The FW does have the actual/correct license. Thanks, Rob
Diego_Javier_Me inside General Topics 3 hours ago


Static Routes CheckPoint 1450 clish permanent

Hello: I'd like to know if anybody knows how to set a static default route over clish or bash on a 1450 Checkpoint R77.20.86 (990172855) permanently. I tried to follow suggestions and examples for 1470 and 1490, but they didn't work. Then I added it with: ip route add default via <aDefaultGW> metric 50. (I need a metric less than 100). But after reboot it goes away. Is there any rc file where I can add this? Thanks. Bests.
Alexandre_Cipri inside General Topics 5 hours ago
1

Checkpoint OSPF losing communication

I have a cluster of 5900 using bonds with VLANs and OSPF routing. I am migrating network to network and came across a problem where OSPF routing drops for a few instants and comes back. In the image one can see a ping from the Checkpoint, where you can see the fall. Does anyone know about this or has anyone been through it, or have any idea of what it might be?
GGiorgakis inside General Topics 9 hours ago
2

Scenario to R80.20

I have the below scenario and I am looking for the best way to implement it. The first point is that I have a standalone R77.30 which we would like to upgrade to R80.20. Secondly, we would like to add it to an existing R80.20 MGMT. What is the best way to add it to an existing Management?
Milk_Ng inside General Topics 16 hours ago
1 1

R80.10 cannot download Identity collector agent

I had enabled the Identity Collector and finished the settings. I published successfully, but clicking the download agent failed: it loops to log out my admin account for the GUI portal, and nothing installs the package to download when I try to click the download agent in the Identity Collector. Can anyone give me some suggestions?
Darren_Phang inside General Topics yesterday


Check Point Comparison Chart

Hi All, I would like to clarify if the Check Point Comparison Chart published performance figures were tested with HTTPS Inspection enabled? Regards, Darren
David_Won inside General Topics yesterday


Cool project for somebody smarter than myself

Now that I'm on R80.10 I've always thought it would be cool to use something like logstalgia along with Checkpoint. Just something nice and graphical to run on an extra monitor and visualize the traffic based on logs. We have used this in the past to find issues with http servers and whatnot here at work many times. Sometimes it takes a visual approach to see what is going on. Here is the link to the software. Anybody feel like taking a stab getting it to work with Checkpoint? If I remember correctly you can now export logs from the command line with R80. Am I right? "apt install logstalgia" for anybody that wants to play.
Josh_B inside General Topics yesterday
5

77.30 to 80.20 - Cluster connectivity upgrade question

I have two 77.30 gateways using ClusterXL in high availability mode. Looking at doing a connectivity upgrade from 77.30 to 80.20. After I upgrade the standby member I'm looking to fail over after hours and test connectivity, but then fail back and leave the 77.30 member running for a few more days. Is this supported? I guess my question is, can you fail back over to the 77.30 member once you fail over to the upgraded 80.20 cluster member? I've read over the R80.20 "Upgrading a Security Gateways and Cluster" section in the Installation and Upgrade Guide, but this part isn't clear.
Vladimir inside General Topics yesterday
6

0-Phishing functionality on the gateways

Does the URL filtering with IPS and TE enforce 0 Phishing capability on the gateways? I mean, if we have the HTTPS inspection and categorization enabled on R80.30, would the new phishing sites be identified dynamically?
HeikoAnkenbrand inside General Topics yesterday
35 124

R80.30 cheat sheet - ClusterXL

Introduction
This overview gives you a view of the changes in R80.30 ClusterXL. All R80.10 and R80.20 changes are contained in this command overview (cheat sheet). You could download the cheat sheet at the end of this article as a PDF file.
Cheat Sheet Chapter
Architecture:
R80.x Security Gateway Architecture (Logical Packet Flow)
R80.x Security Gateway Architecture (Content Inspection)
R80.x Security Gateway Architecture (Acceleration Card Offloading)
R80.x Ports Used for Communication by Various Check Point Modules
Performance Tuning:
R80.x Performance Tuning Tip - AES-NI
R80.x Performance Tuning Tip - SMT (Hyper Threading)
R80.x Performance Tuning Tip - Multi Queue
R80.x Performance Tuning Tip - Connection Table
R80.x Performance Tuning Tip - fw monitor
R80.x Performance Tuning Tip - TCPDUMP vs. CPPCAP
R80.x Performance Tuning Tip – DDoS „fw sam“ vs. „fwaccel dos“
Cheat Sheet:
R80.x cheat sheet - fw monitor
R80.x cheat sheet - ClusterXL
More interesting articles:
Article list (Heiko Ankenbrand)
References
sk56202 - How to troubleshoot failovers in ClusterXL
sk62570 - How to troubleshoot failovers in ClusterXL - Advanced Guide
sk92723 - Cluster flapping prevention
sk43984 - Interface flapping when cluster interfaces are connected through several switches
sk83220 - How to collect ClusterXL debug during boot
sk31499 - How to find out the Multicast MAC Addresses that are associated with Cluster Virtual interfaces
sk92909 - How to debug ClusterXL to understand why a connection is not synchronized
sk55081 - Best practice for manual fail-over in ClusterXL
sk92723 - Cluster flapping prevention
sk32578 - SecureXL Mechanism
sk33781 - Performance analysis for Security Gateway NGX R65 / R7x
Martin_Sykora inside General Topics yesterday
2

Down tunnels are not displayed

In R80.10. In SmartView Monitor in the Tunnels on Gateway view I only see tunnels that are up, and tunnels that I know are down are not displayed. In the Query Properties I have the State filter set to Any. Yet no down tunnels are shown. When I check in the down tunnel's respective Tunnels on Community view I only see "No data". At first I thought that this is just the way it is - tunnels that are down are not presented - but then I found this screenshot in a Tunnels on Gateway on the Internet where there are all kinds of states in the view. I am thinking that something is not right on my side. Did anybody run across such behavior?
Dave_Taylor1 inside General Topics yesterday


R80.20 Supernetting per community

Just an FYI per lessons learned today. We upgraded our gateways from R77.30 to R80.20 and one of our VPN Communities would not work. Error was Invalid ID for P2. Following SK108600, it says to make sure the Global settings in GUIDBedit are True for ike_enable_supernet, then per community change the ike_p2_enable_supernet_from_R80.20 parameter from "by_global" to "false". Well, my settings for this community didn't show anything for the enable supernet. I was told by my SE to just make a change to the comment section of the community object for this in DashBoard and publish. By doing this it added the ike_p2_enable_supernet_from_R80.20 and set it to False by global. So all I had to do was push policy.
Herzelc inside General Topics yesterday


Migrate from pfsense to checkpoint 770

Hi, is there any tool that can help me to migrate from pfsense FW to Checkpoint appliance? Thanks
MattDunn inside General Topics yesterday
1

Stateful Inspection Override

A customer has a video conference system which keeps disconnecting. At the time of the disconnections, the firewall logs show a couple of "out of state" drops, then it carries on normally again for a while, then a few more "out of state" drops. The drops are always only on port TCP 2776. There is also tons of working/allowed traffic between the SRC and DST on TCP 2776. I've created a custom service for TCP 2776 and extended the Virtual Session Timeout to the max of 86400. This hasn't fixed it. Next, in an attempt to prove the point that it is actually out of state, I've tried to turn off stateful inspection for the video conference IPs. I've inserted the following into $FWDIR/conf/user.def.FW:
/* Start of INSPECT modification - sk11088 */
deffunc user_accept_non_syn() { (src= or (src= and (dport = 2776) };
/* End of INSPECT modification */
This hasn't fixed it either. Same disconnections and drops in the log. Does anyone have any other ideas to try before I tell the customer there's nothing else I can do on the firewall (e.g. go fix your VC system!)? (I haven't disabled SecureXL yet - maybe I should try that?) Thanks, Matt
GGiorgakis inside General Topics yesterday
3

Top critical issues for R80.20

Address the top critical issue that you faced for R80.20?