HeikoAnkenbrand
HeikoAnkenbrand inside General Topics 7 hours ago
views 441 13 10

Update R80.20+ Security Gateway Architecture (Logical Packet Flow)

Flowchart news in R80.20 and above: SecureXL has been significantly revised in R80.20. This has also led to some changes in "fw monitor". There are new fw monitor chain (SecureXL) objects that do not run in the virtual machine. Now SecureXL works in part in user space. The SecureXL driver takes a certain amount of kernel memory per core and that was adding up to more kernel memory than Intel/Linux was allowing. The packet flow in R80.20+ is a little bit different from the flow lower than R80.20. Now it is possible to use async SecureXL and other new functions. This figure shows the new features with the reinjection of SecureXL packets. SecureXL now also supports Async SecureXL with Falcon cards.

That's new in the acceleration high level architecture (SecureXL on Acceleration Card): Streaming over SecureXL, Lite Parsers, Scalable SecureXL, Acceleration stickiness... More information here: R80.x Security Gateway Architecture (Logical Packet Flow)

What's new in R80.20+: Now there are several SecureXL instances possible. As a result, packets are reinjected with the new SecureXL ID into the correct SecureXL instance again after they have been allowed by access template or rule set. After the packet has been reinjected, the SecureXL ID is added to the SecureXL connection table and the packet is forwarded to the correct SecureXL instance. Therefore the flow is slightly different to older versions before R80.20. This new mechanism also offers the possibility to transfer packets into a new SecureXL instance on Falcon cards.

PXL vs. PSLXL - Technology name for the combination of SecureXL and PSL. PXL was renamed to PSLXL in R80.20. This is from my point of view the politically correct better term.

For the new acceleration Falcon card architecture with R80.20+ and SecureXL offloading read this article: R80.x Security Gateway Architecture (Acceleration Card Offloading):
PhoneBoy
inside General Topics yesterday
views 3876 17 10
Admin

R80.30 Technical Update TechTalk

Our 12 June 2019 TechTalk on R80.30 covered the following topics:
- New Check Point Appliances (16000 and 26000 Series)
- R80.30 OS Kernel 3.10
- User Mode Firewall
- New in SSL Inspection
- Web Threat Extraction

Presentation Materials are available for CheckMates members:
- Video (excerpt below)
- R80.30 Technical Overview Presentation

Q&A from the session that we did not get answers for will be added in the comments in the coming days.
Grave_Rose
Grave_Rose inside General Topics yesterday
views 23245 82 45

[tool] - https://tcpdump101.com

Hopefully self-promotion isn't frowned upon, but I was suggested to post here. Over the past few years, I've been working on a tool to help people capture packets by allowing users to have a web-based interface to create the commands for them. Today, I've launched the latest version into production, which supports "fw monitor" as well as "fw ctl debug" commands. It's located here: https://tcpdump101.com

I'm posting this in the hopes that people will find it useful (it supports tcpdump as well as other vendors) and maybe get some feedback from the community. If you use it, let me know if you find it handy, what you'd like to see improved and if you have any other suggestions.

Thanks,
Sean (Gr@ve_Rose)
Maik
Maik inside General Topics yesterday
views 56 2

Session table sync between different devices or clusters (not running ClusterXL...)

Hello guys,

I was wondering if there is a method which can be used to sync single security gateways or clusters that haven't been configured to operate in a cluster. To say it differently: I want to sync the session tables of different devices, which have absolutely nothing in common.

The case I am thinking about is the following: Let's say you have to migrate an old IPSO gateway running R77.30 to a newer R80.20 appliance. The downtime - obviously - should be as limited as possible. You are thinking about setting up the new firewall and also pre-pushing the configuration to it. The only thing which has to be done now in order to perform the firewall change is to turn down the switch ports which lead to the old fw and enable the respective ports for the new device [of course the switch config needs to get adjusted in addition]. But where does that lead us? Well, in a quite unstable state.

Once you open the "floodgates" and all the traffic is passing via the new device, it is also getting immediately blocked, as no state information is saved in the "new" state table. You see lots of errors and issues in the logging pane and can't be really sure whether the missing session information is the only issue. Some applications are maybe written in such a poor way that they need hours in order to function again and realize that a new session needs to be opened.

The current way to omit this behavior is by disabling the "drop out of state tcp packets" option in the global properties. But this is - at least in my opinion - not a clever solution, as you need to disable a security feature just in order to migrate in a "softer" way.

I know that it is possible to see, or kinda export, the session table. But is there a way to manually import it? Maybe if the possibility itself exists, it would be possible to script something like a manual failover for such a specific case? Let me hear your thoughts!

Regards,
Maik
TheRealDiZ
TheRealDiZ inside General Topics yesterday
views 2708 9 2

SecureXL R80.20 - Issue on ALL High TCP Ports

Hey guys,

After the upgrade from R77.30 to R80.20, I noticed that I got issues on all connections with high TCP ports passing through a VPN tunnel. That was huuuge... Fortunately, after the upgrade I immediately tried to disable SecureXL acceleration as per https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk104468 and solved the issue.

Has anyone experienced this issue before? I know that in R80.20 SecureXL was moved to Fw_Worker. Can anyone explain to me the difference from R77.30 in detail? I think that probably this mechanism change is causing the issue on all connections with high TCP ports.

BR, Luca
MP
MP inside General Topics yesterday
views 88 6

SmartView Logs Export

Hi CheckMates,

I'm new to Check Point (3 weeks of management now); we migrated from TMGs. We still have rules that we need to tune. I would like to export logs to Excel day by day to make it easier to filter and study, so I can see what new rules I need and what rules I don't need. But I'm struggling to get the logs to CSV. I am trying via https://MGMT_IP/SmartView to be able to export up to 1 million log entries.

This is what I am doing:
- Open SmartView
- Create the log range
- Export logs to CSV option
- And wait

And it stays like this forever:

The problem is I wait forever... I let the job of exporting one day run the whole weekend, and on Monday it still had not finished. What am I doing wrong? Can you help me?

Thanks all in advance for the help.
Kind Regards
_Daniel_
_Daniel_ inside General Topics Thursday
views 33

Standalone upgrade to R80.20

Hi There,

Just trying to get some thoughts about upgrading a standalone cluster in load sharing mode from R77.30 to R80.20 with minimal downtime. We're fully aware that load sharing is not supported on R80.20 and we need to go to HA mode; also standalone isn't recommended, though these firewalls are used purely for remote access and they're on the road map to be replaced in less than a year.

We're planning it as below:
1. Already checked the hardware compatibility and we're upgrading the firewalls' (pair of 4600's) memory to 8GB
2. Copy R80.20 upgrade tools, run a pre upgrade verifier and then do a migrate export - on primary gateway - scp'ing it out
3. Copy Gaia configuration
4. Take member 1 (M1) offline
5. Fresh install R80.20, followed by migrate import and latest HFA (based on a few experiences, fresh install is still better than using CPUSE), then copy the GAIA config, install the policy (after changing the clusterXL mode and the version, etc.)

Here we're not 100% sure how to proceed, as we're not sure the 2 members will sync, but we're thinking of:
6. Connect M1 back to the network
7. Hope that the 2 members will sync (keep an eye on HA status), though we're not sure as we changed the clusterXL mode
8. In case it's sync'd, cpstop on M2
9. Take M2 off the network, fresh install (making it the secondary) and then put it back online

Has anyone come across this scenario? Any input/thoughts are much appreciated.

Cheers,
B_P
B_P inside General Topics Thursday
views 110 6

Windows Updates Blocked Without Firewall Log

- HTTPS Inspection logs an inspect
- IPS logs a detect
- Firewall logs nothing
- Client gets a "couldn't connect" error
- tcpdump & fwmon show some communication
- HTTPS Inspection has "Bypass HTTPS ... for software update services" checked
- R80.30?????
Yoni-Indeni
Yoni-Indeni inside General Topics Thursday
views 355 16

Are you in an R77.30 Upgrade Rush?

A few months ago, the vast majority of Check Point firewalls out there were still running R77.30*. As time progressed, we slowly saw people upgrading their firewalls to R80.10 and later. However, in the month of August, we saw a massive acceleration in upgrades**, in anticipation of the End of Support for R77.30 in September.

This raised a few questions:
1. Why are so many people waiting until the last minute to upgrade? Some may even go beyond the Sep 30th date.
2. What can be done to avoid this from happening again in the future?

---------------------------------
* Our data comes from Indeni Insight, which receives non-confidential data about the devices in use by our customers. These are mostly large enterprises in North America, with deployments of at least 100 firewalls.
** Massive acceleration: 40% of all upgrades to R80.20, up to Aug 15 2019, occurred in the first two weeks of August. Again, this is based on just our data.
Dave
Dave inside General Topics Thursday
views 162 9

Whatsapp taking long time "Connecting" and not receiving new notifications

We are providing guest wifi access and do application and URL filtering. Most of the stuff we want to allow is working; only Whatsapp exhibits not fully functional behaviour.

Every time you open the app on your phone, it will be "Connecting" for quite some time; after being patient for a while you can start sending messages, but because of this behaviour users are not receiving any notifications when new messages arrive. This leads me to believe the connection gets cut when you push the app to the background or lock your phone, and it needs to be reestablished. Users now only see new messages when they are actively using Whatsapp.

Is there a way to go around this and solve it, so new messages will pop up on your screen when arriving?
Khalid_Aftas
Khalid_Aftas inside General Topics Thursday
views 110 4

R80.20 Ipsec VPN issues

Hi,

After the upgrade to R80.20 on multiple gateways, we started having issues with a lot of VPNs that were running without problem in R80.10.

Case 1: VPN with partner down; I had to make him disable the NAT-T option for it to work again.

Case 2 (most critical): Amazon Web Services. Once the phase 2 proposal from AWS comes, CP accepts it, then decides to propose another negotiation again; for a few minutes, complete cut-out of the traffic.

Other cases in other GWs with similar issues. Opened a case with the TAC; they made me install some special hotfix, with no success. What changed in R80.20 regarding VPN? I hope there is a solution for these issues.

[CPFC]
HOTFIX_R80_20_JUMBO_HF_MAIN Take: 87
[MGMT]
HOTFIX_R80_20_JUMBO_HF_MAIN Take: 87
[FW1]
HOTFIX_R80_20_JUMBO_HF_MAIN Take: 87
HOTFIX_R80_20_JHF_T87_190_MAIN
HOTFIX_R80_20_JHF_T87_174_MAIN
HOTFIX_R80_20_JHF_87_90_002_MAIN
FW1 build number:
This is Check Point's software version R80.20 - Build 100
kernel: R80.20 - Build 001
[SecurePlatform]
HOTFIX_R80_20_JUMBO_HF_MAIN Take: 87
[CPinfo]
No hotfixes..
[DIAG]
No hotfixes..
[PPACK]
HOTFIX_R80_20_JUMBO_HF_MAIN Take: 87
[CVPN]
HOTFIX_R80_20_JUMBO_HF_MAIN Take: 87
[CPUpdates]
BUNDLE_R80_20_JUMBO_HF_MAIN Take: 87
Nikolaos_Tsitso
Nikolaos_Tsitso inside General Topics Thursday
views 88 5

Cluster Upgrade 77.30 to 80.20 with traffic handling problems

Hi @all,

Yesterday we tried to upgrade a cluster from 77.30 to 80.20. The connectivity upgrade worked fine without any problems. After the upgrade, the web servers behind the cluster were not reachable from the Internet. On the tcpdump we can see that the traffic reaches the firewall, but on fw monitor we cannot see any traffic that is handled by the firewall. Also, we don't see any drops in the fw ctl zdebug + drop. We have also tried to change the NAT rules to automatic, but the problem still exists. We have reverted to the prior version 77.30 and everything works fine again.

Has anyone an idea?
Valeri_Loukine
inside General Topics Thursday
views 6631 20 9
Admin

White Paper - URL Filtering using SNI for HTTPS websites

Author @Kevin_Jones Abstract The document describes how to leverage Server Name Indication (SNI) when using URL Filtering Software Blade. For the full list of White Papers, go here.
Klapesh_3477
Klapesh_3477 inside General Topics Wednesday
views 71 2

CheckPoint VPN Ipse VPN

Hi All,

We have a Check Point NGX 5400 device with cluster. We are configuring IPsec VPN in Check Point with Dynamic ID settings (Email OTP). We are successfully getting the Email OTP when we try to connect from a Windows machine, but when we try to connect a client with macOS 10.14, the user is directly authenticated without being asked for the OTP. Is there any solution for that? Please guide me.

Waiting for your appreciated replies..
Marcelo_Fontana
Marcelo_Fontana inside General Topics Wednesday
views 77 2

CheckPoint VE connectivity issues with standby cluster member

After migrating from cluster 80.10 (VSX) to 80.10 (VE), we have identified the following issue with the standby member.
- Zabbix can't collect information.
- Standby member cannot go to internet
- Tacacs authentication does not work.
- Does not receive routes via OSPF

In contact with our SE, he reported that another customer who migrated from 77.30 (VE) to 80.10 (VE) started to have this same problem. We can solve almost all problems by creating no-NAT rules for interface IPs; the only problem that remains is OSPF. On the active member OSPF works normally; if we fail over, the standby member works normally and the standby member has the above problems. I have already called with TAC, and this other client has also called, but so far no answers. Has anyone faced this problem and managed to solve the problem with OSPF? The error you are experiencing on the routerD cluster is due to OSPF.

NOTE ::: Everything works normally on either member since it was active in the cluster.

fw ver
This is Check Point's software version R80.10 - Build 068
---------------------------------------------------------------------------------------------
cphaprob stat
Cluster Mode: High Availability (Active Up) with IGMP Membership
Number Unique Address Assigned Load State
1 172.29.47.2 100% Active
2 (local) 10.172.232.154 0% Down
Local member is in current state since Wed Aug 21 08:48:55 2019
---------------------------------------------------------------------------------------------
cphaprob -l list
Device Name: routed
Registration number: 2
Timeout: none
Current state: problem
Time since last report: 2670.7 sec
---------------------------------------------------------------------------------------------
fw ctl pstat
System Capacity Summary:
Memory used: 10% (1561 MB out of 14950 MB) - below watermark
Concurrent Connections: 30 (Unlimited)
Aggressive Aging is enabled, not active

Hash kernel memory (hmem) statistics:
Total memory allocated: 1564475392 bytes in 381952 (4096 bytes) blocks using 1 pool
Total memory bytes used: 0 unused: 1564475392 (100.00%) peak: 556701100
Total memory blocks used: 0 unused: 381952 (100%) peak: 140227
Allocations: 233296966 alloc, 0 failed alloc, 230282398 free

System kernel memory (smem) statistics:
Total memory bytes used: 2672499956 peak: 2974774852
Total memory bytes wasted: 5024683
Blocking memory bytes used: 5970872 peak: 7632000
Non-Blocking memory bytes used: 2666529084 peak: 2967142852
Allocations: 449971 alloc, 0 failed alloc, 445902 free, 0 failed free
vmalloc bytes used: 2660849364 expensive: no

Kernel memory (kmem) statistics:
Total memory bytes used: 1372718648 peak: 1911725536
Allocations: 233739921 alloc, 0 failed alloc
230722602 free, 0 failed free
External Allocations: 0 for packets, 78677423 for SXL

Cookies:
2052132 total, 0 alloc, 0 free,
1827 dup, 1793398 get, 6635 put,
3263543 len, 0 cached len, 0 chain alloc,
0 chain free

Connections:
25630 total, 7377 TCP, 17328 UDP, 3 ICMP,
922 other, 0 anticipated, 0 recovered, 30 concurrent,
6443 peak concurrent

Fragments:
0 fragments, 0 packets, 0 expired, 0 short,
0 large, 0 duplicates, 0 failures

NAT:
5/0 forw, 0/0 bckw, 2 tcpudp,
0 icmp, 2-167 alloc

Sync:
Version: new
Status: Able to Send/Receive sync packets
Sync packets sent:
total : 87662, retransmitted : 0, retrans reqs : 0, acks : 0
Sync packets received:
total : 0, were queued : 0, dropped by net : 0
retrans reqs : 0, received 0 acks
retrans reqs for illegal seq : 0
dropped updates as a result of sync overload: 0
Callback statistics: handled 6 cb, average delay : 2, max delay : 4
---------------------------------------------------------------------------------------------
show ospf summary
OSPF Router with ID 10.173.30.40 Instance default
SPF schedule delay: 2 secs
Hold time between two SPFs: 5 secs
Number of Areas in this router: 1
Normal: 1 Stub: 0 NSSA: 0
RFC1583 compability mode is on
Number of Virtual Links in this router: 0
Number of UpEvents: 1 Number of DownEvents: 0
Default ASE Cost: 1
Default ASE Type: 1
Area: backbone
Number of Interfaces in this area: 1
Number of ABRs: 0 Number of ASBRs: 0
Number of times SPF Algorithm executed: 2
No Area Ranges Configured
No Area Stubnets Configured
---------------------------------------------------------------------------------------------
show ospf interfaces
Name IP Address Area ID State NC DR Address BDR Address Errors
eth0.3346 10.173.17.30 0.0.0.0 DR 0 10.173.17.30 N/A 0
---------------------------------------------------------------------------------------------
show ospf errors
Hello Protocol Errors
Bad Size 0 Network Mask Mismatch 0
Dead Interval Mismatch 0 Hello Duplicate Router ID 0
External Option Mismatch 0 NSSA Option Mismatch 0
Runt 0 Hello Timer Mismatch 0
Link State Update Errors
Runt 0 LSU Duplicate Router ID 0
LSU TooLow 0 BadCSum 0
BadLSType 0 ASEinStub 0
Type7inNonNSSA 0 LSU TooNew 0
BadLSReq 0 SeqNumWrap 0
Invalid SeqNum 0 SummaryinTotalStub 0
BadRouterLSASize 0 BadNetworkLSASize 0
BadSummaryLSASize 0 BadASELSASize 0
BadType7LSASize 0
Link State ACK Errors
LSAck Duplicate Router ID 0 LSAck TooLow 0
BadSize 0 QuestionAck 0
BadLSType 0
Link State Request Errors
LSR Duplicate Router ID 0 BadSize 0
BadState 0 Empty Request 0
Database Description Errors
ASEinStub 0 Type7inNonNSSA 0
MTU 0 BadLSType 0
NotDuplicate 0 BadSize 0
OptionsMismatch 0 DuplicateLSA 0
DD Duplicate Router ID 0 InitSet 0
Runt 0 MasterMismatch 0
SlaveSeq 0 MasterSeq 0
DD TooLow 0
Protocol Errors
Bad Area ID 0 Area ID Mismatch 0
AuthCryptoSeq 0 AuthKey 0
AuthKeyId 0 AuthKeyTime 0
AuthKeyType 0 BadDestination 0
Checksum 0 NoNeighbor 0
NoOspf 0 Size 0
Version 0 NonLocal 0
VirtualLink 0 NoVirtualNeighbor 0
IfDown 0 PacketType 0
Passive Interface 0 TX 0
ZeroRID 0
IP Errors
Protocol 0 BadSource 0
BadDestination 0 Size 0
NoSuchIndex 0 OwnPacket 0