Dave_Taylor1 inside General Topics 3 hours ago
views 6

DHCP Relay. Cluster VIP

We currently have R80.20 on our gateways with JHF 87. We encountered an issue recently with DHCP and it was suggested that we change the Relay interface to use the VIP. The issue was resolved and was actually related to an SVI configuration on the Cisco device. Although the issue wasn't on the firewall it is requested that I change the gateways to use the VIP since they believe this is the correct configuration. I've not been able to find any documentation stating this. I'm looking for clarification please. Thanks
Prabulingam_N1 inside General Topics yesterday
views 1852 9

VPN with 3rdParty DAIP Gateway

Dear Team, I have run into below situation. Anyone had come across - need your suggestion. Site-to-Site VPN between CheckPoint and SonicWall. CheckPoint has static External IP. But SonicWall is DAIP - so they have DynDNS. When we configure Interoperable object in CheckPoint Dashboard - it is mandatory to tag the Certificate received from SonicWall or not. Because, without this Matching Criteria in Interoperable Object_IPSecVPN Tab - unable to configure their object. When discussed with SonicWall Team they said - they will not give any certificate - use only DynDNS with Aggressive mode with IKEv2. Anyone have successfully established 3rdParty DAIP VPN with CheckPoint? Regards, N.Prabulingam
KE inside General Topics yesterday
views 138 3

Client authentication user has to re-authenticate after every policy install

Checkpoint Gaia R77.30 ClusterXL. Client authentication user has to re-authenticate after every policy install. The client_auth table is cleared after every install. Any idea? Thanks!
Shurik inside General Topics Friday
views 118 2 1

Stats/Monitor each VPN Tunnel

Hello guys, We have about 100 VPN tunnels (site-to-site). Would like to accomplish:
1. Would like to capture statistics (OID) of each VPN tunnel, and see throughput of each tunnel on our monitoring system (not the summary).
2. Is there a way we can get alerts (status of VPN tunnel) in case it's down? Looking to get OID - status of each VPN tunnel.
I've contacted the support team a few times, unfortunately, didn't get any meaningful answer. Thank you!
Taekyoon-kim inside General Topics Friday
views 2298 10

What happens when a license expires?

Hi ..! What happens when a license expires? I just.. If the licenses for each device expire, can I use the features I used before? And what features are available and what are not? I wonder.
1. Smart-1
2. Collector
3. TE
Thank you for taking the time to ask.
Martin_Oles inside General Topics Friday
views 1337 5 1

Connection rematch after policy installation

Hi, recently a customer started to complain about random traffic disruption. During investigation I have found that the reported time coincides with policy installation on VSX R77.30 with HFA 338 gateway with few virtual systems. During debug I have found that the issue is related to connection rematch, which (from my point of view and understanding) does not match correctly existing connection.
;[vs_5];[tid_0];[fw4_0];fw_log_drop_ex: Packet proto=6 -> dropped by fw_handle_old_conn_recovery Reason: TCP packet that belongs to an old connection;
I would expect such a message in a case when policy is changed in a way that a connection permitted in the "old" policy is dropped in the "new" policy, like sk140112. Expected behavior should be that during policy installation, already established connections are marked as "old". Then the next packet will arrive at the gateway, will be checked against the new policy, and when permitted, the marking in the connection table should have its status changed back to regular connection. But such has not happened in my case and I would like to know the reason. Furthermore, I can see this drop only in direction server->client, connection is established as client->server.
One solution would be to change Connection Persistence to "Keep all connections", but such I do not like due to security concerns. Secondly I do have many VSX clusters R77.30 and only two of them with HFA 338 are subject to this drop. To make it even less clear, on one gateway I can see this behavior on all virtual systems, on second cluster only on few virtual systems. Then for me it looks more like software defect and not design issue.
Do you have any tips how to debug it? Did I miss something? Thank you.
Alexander_Wilke inside General Topics Friday
views 6591 14 2

VMAC Mode on R80.10

Hi, what do you think about the fact that R80.10 Gateways in VMAC Mode (ClusterXL, High Availability, Active/Standby) are only publishing the VMAC to clients for ingress traffic but then for egress traffic the Gateway will always use its physical MAC address and not the VMAC? So clients address the firewall using the VMAC of the firewall but all traffic outgoing from the firewall to clients/servers has the physical MAC address as source address. So it is a kind of "asynchronous MAC address routing" - clients send traffic to VMAC, firewall sends traffic with physical MAC. So is VMAC mode really what it should be or should it better be named "VMAC lite"? What do you think is the reason for not using real "VMAC" for all kinds of traffic like e.g. Cisco is doing it with HSRP? Performance issues? Bad internal design? Regards
net-harry inside General Topics Friday
views 83 2

Multiple firewall licenses on the same security gateway

If we have a security gateway running a 2-core firewall-only license (CPSG-2C-FW) and we need additional capacity, could we purchase an additional CPSG-2C-FW and be licensed for 4 cores on the security gateway or do we need to purchase CPSG-4C-NGTP (4 cores with Next Generation Threat Prevention)? Thanks, Harry
Dmitry_Barantse inside General Topics Thursday
views 5570 8

clusterxl vmac and proxy arp

Hi team. I have a question about clusterxl vmac option and nat with proxy arp. What mac should be in proxy arp configuration for manual and automatic static nat? I think that in both cases it should be a virtual mac. Am I right?
C_M inside General Topics Thursday
views 81 1


I thought I read that Check Point was going to release more Ansible materials on their github site in October. I haven't seen anything new. Is there a set release date or any additional information?
mbsm inside General Topics Thursday
views 125 2

Identity Collector Users unable to browse to internet

Hi, We successfully implemented Identity Collector and it is working on R80.30. But we encountered a problem: the user is connected through the WiFi and able to browse the internet, but when the user disconnects from WiFi then connects through LAN cable the user is unable to browse the internet. By the way, the network of the WiFi is different from the LAN. Our workaround is to log in through captive portal or restart the laptop. Is there a solution for this issue? Or is this a limitation of the Identity Collector? Appreciate your answers,
g0t0 inside General Topics Thursday
views 78 2

Security Gateway upgrade - From SecurePlatform r77.30 to Gaia r80.10

Hi, First of all, sorry if this topic has been answered before. I will have to do an upgrade on a security gateway cluster from SecurePlatform (yeah, I know) to Gaia r80.10 and I will need to clarify some things. I'm planning to do a connectivity upgrade on a 4800 appliance two member cluster as explained below:
So my questions are:
- In case of a necessity to rollback after a r80.10 clean install on a member, can I revert to a SPLAT r77.30 snapshot on a r80.10 installation?
- I didn't notice anything on the limitations regarding this upgrade. Is anyone aware of any?
- Am I missing something?
Thanks in advance. Sergio.
Anderson_DaSilv inside General Topics Thursday
views 112 2

CloudGuard ARM Template

Hi Community, I am trying to deploy cloudguard in Azure via ARM templates, but I am hitting an issue with the artifacts location parameters. As I can see in the template, the artifacts location is no longer hard coded, instead it is using the deployment function to call the artifacts uri. Long story short, when I run the template installation from local files on my computer, I get the error below saying that the templateLink doesn't exist:
Apparently it happens because the deployment function does not respond with the templateLink information if you run the deployment using local templates. Anyone ran into this issue before? Trying to install r80.30 using ARM template version below: "templateVersion": "20190805"
Thanks in advance.
inside General Topics Thursday
views 2385 3 2

New Jumbo Hotfix (Take 203) Ongoing Release

A new Ongoing Jumbo Hotfix Accumulator take for R80.10 (take 203) is available. Please refer to sk116380.

R80.10 JHF Take #203 content:

Issue # | Resolved Issue Description
MTR-31335 | Added support for 6500 and 6800 appliances. Refer to sk139932.
PMTR-33029, SMCPOL-195 | OSE policy cannot be viewed without installing it on device.
PMTR-29497, PRHF-1960 | Manual changes in INSPECT files under $FWDIR/lib directory of compatibility packages are not synchronized from active to standby Management servers. Refer to sk143792.
PMTR-29584, PMTR-29856, PMTR-29855 | Policy installation fails with "IPv6 addresses domain is not supported for Remote Access VPN community" message when using Domain object in Remote Access encryption domain. Refer to sk142832.
PMTR-29921, PMTR-28958, PMTR-29923 | "Error retrieving results" message is displayed in SmartConsole after searching for unused objects in Object Explorer.
PMTR-23744, MCFG-80 | Unjustified validation error is displayed when installing Threat Prevention policy on Cluster object: "Threat Prevention requires topology to be defined. At least one internal, one external, and no undefined interfaces are required. Incorrectly defined topology impacts performance and security. Please install both Access Control and Threat Prevention policies after fixing the topology."
PMTR-28643, PMTR-28557 | In some scenarios, running the fwm sic_reset command from Domain fails with "reset_objects: updateMultiple failed" message. Refer to sk142512.
PMTR-17991, PRHF-359, PRHF-714 | In some scenarios, the Interpreter process stops working. Refer to sk132892.
PMTR-21787 | CPView is not supported on Multi-Domain Security Management environments.
PMTR-8603, PMTR-30286 | Multi-Domain Management GUI randomly does not reflect the Domain Management objects change.
PMTR-31520, PMTR-31800 | When using the "add/set simple-gateway" API command and specifying backup log servers, the input servers are not saved in the same order as listed in the request.
PMTR-34013, API-595 | Number of sessions in "Changes" list does not match the value of 'total'.
PMTR-28058, PMTR-31248 | When an administrator publishes session for a different administrator, the name of the administrator that invoked the action will be written in the audit logs as the publisher.
PMTR-12448, PMTR-12430 | When searching in the SmartConsole main search bar for network groups we can see some number of network groups, but the search inside the Logical Server object shows the different number of Logical server objects groups.
PMTR-30570, IDA-1120 | Group update request is sent specifically to the originator LDAP server even if it is down. Refer to sk127833.
PMTR-21207, PMTR-20424 | In rare scenarios, Security Gateway runs out of kernel memory and may stop processing traffic, printing "double record of connection" message in /var/log/messages file. Refer to sk143432.
PMTR-31314, PRHF-2244 | In some scenarios, TCP state information is not displayed in the log despite being enabled in SmartConsole.
PMTR-21080, UP-251 | A large number of Time objects used in the rule base may cause rulebase matching failures resulting in connectivity issues.
PMTR-17490, PRHF-642 | When working with NAT on DNS payload and having disabled NAT rules, NAT on DNS payload may not work. Refer to sk132032.
PMTR-28414, PMTR-30657 | When X-Forwarded-For (XFF) settings are enabled on one of the policy layers or/and on the Security gateway object, the /var/log/messages file shows errors related to asynchronous identity fetch. Refer to sk145673.
PMTR-11999, PMTR-3286 | In some scenarios, creation of a new gateway upgrade to R80.10 fails with "An internal error has occurred. (Code: 0x8003001D, Could not access file for write operation)" message.
PMTR-25755 | In some scenarios, IPS purge makes a deadlock for some GUI clients, resulting in "Timeout error" error.
PMTR-31100 | In some scenarios, extracted Microsoft Azure files contain only blank pages.
PMTR-24066, PRHF-134 | Non-ASCII named files cause the undecoded non-ASCII characters to appear in the Threat Emulation log.
PMTR-27876, AVIR-370 | Traffic from the client to the bogus IP address is handled according to the Access Control policy, but not logged as "prevented". Refer to sk141853.
PMTR-30608, PMTR-29583 | In rare scenarios, when the Log server miscalculates the available disk space, it may stop receiving logs from the connected gateways and cause the logs to accumulate locally on the Security gateway. Refer to sk146152.
PMTR-30217, TPM-1378 | "A general error has occurred" message appears when trying to edit the IPS Protection settings.
PRHF-523, PMTR-16583 | Some SMTP-related IPS Core Protections remain enabled despite the IPS is disabled.
PMTR-31135, SA-99 | Mobile Access Portal Agent installation page is vulnerable for XSS attack in Chrome and Firefox.
PMTR-15461, PMTR-21043, PMTR-28348 | Added support for i40evf driver.
PMTR-22503, MB-166, PMTR-28064 | In some scenarios, virtio_net is not able to run multiqueue.
PMTR-35032 | Important security update for IPSec Site-to-Site (S2S) VPN.
PMTR-27144, 02657434 | Improved connectivity with 3rd party VPN peers using IKEv2. Refer to sk120835.
PMTR-30870, PMTR-21587 | Connectivity improvements for certain Windows L2TP client versions. Refer to sk145895.
PMTR-19379, PMTR-23292, PMTR-23293, 02031663 | The CLISH command "show arp table dynamic all" and Bash command "arp -an" show different entries. Refer to sk112753.
PMTR-15738, PRHF-270 | In some scenarios, routed process stops working when a VPN tunnel interface is deleted without removing the dynamic routing protocols.
PMTR-18254, PMTR-18255, EPS-17135 | In some scenarios, SmartEndpoint shows different numbers of reported "Anti-Malware signature was not upgraded in the last 72 hours" between the warnings and the Active alerts section.
PMTR-32542, PMTR-32187 | After new Domain creation, logs from this Domain are not seen in SmartConsole.
PMTR-28470, PMTR-329 | Before R80.10 Jumbo Hotfix Accumulator Take 189, the Probing feature is set, by default, to Fail Open. From Take 189, the default behavior is changed to Fail Close. Refer to sk104717.

Thanks
Release Managers Groups
C_M inside General Topics Thursday
views 64 1


Any set release dates for more commands/options via the GAIA API? Last I checked it was quite limited.