Josh_B inside General Topics 5 hours ago

77.30 to 80.20 - Cluster connectivity upgrade question

I have two 77.30 gateways using ClusterXL in high availability mode. I am looking to do a connectivity upgrade from 77.30 to 80.20. After I upgrade the standby member, I'm looking to fail over after hours and test connectivity, but then fail back and leave the 77.30 member running for a few more days. Is this supported? I guess my question is: can you fail back over to the 77.30 member once you have failed over to the upgraded 80.20 cluster member? I've read over the R80.20 "Upgrading a Security Gateways and Cluster" section in the Installation and Upgrade Guide, but this part isn't clear.
Dale_Lobb inside General Topics 8 hours ago

Loss of functional parity

Why does it seem that every new Check Point release is missing some major portion of the functionality that was present in previous versions?

We are running an R77.30 cluster for our Internet facing firewall. On that cluster we are running most of the Threat Prevention Suite including HTTPS inspection, Threat Extraction and Threat Emulation. We have been "in the process" of upgrading the cluster since September.

Every time we settle on a target version, we get just about up to implementing it, only to discover that the target version is missing some functionality that we really need.

We were quite close to taking the cluster live on R80.20 back in February, but ran into some networking problems the night of go-live and reverted back to R77.30. It turns out that was a good thing, as we were informed a few days later that the SNI hot fix, which I had already requested, was not available for R80.20 and there was no plan to provide it. We really need the SNI hotfix. We had to turn off Probe Bypass because it does not support SNI sites at all, even if the site does not actually use or need SNI. Without Probe Bypass, HTTPS Inspection is not as nicely implemented, and we suffer a slow roil of frustrated users and automated processes whose first connection to a site fails, since the HTTPS inspection engine must inspect the first connection in a 24 hour period to tell if it should inspect or bypass inspection. If the site is on the bypass list, the first connection fails as it had to be inspected in order to tell.

The word in February was that there was no plan to provide the SNI hot fix for R80.20, even though it had been out for some time for R80.10. We were told to either use R80.10 or wait for R80.30, which would be out really soon now. R80.30 would have the SNI hot fix baked in.

So, for various reasons, it turned out the next time we could attempt to implement a cluster upgrade would be the end of May. My boss told me to plan for R80.10 for that date, so we could get the SNI hot fix. In the meantime, R80.30 finally was released to GA.

The new features list for R80.30 is impressive, and it turns out we really need one of those features: R80.30 finally supports the full gamut of encryption protocols for TLS 1.2. We have been seeing a fair number of sites that are configured to only allow these new R80.30 supported encryption protocols. I don't know if the sites are misconfigured, or if they know something that I don't, but I do know that we have had to write a number of HTTPS Inspection Bypass rules because these protocols have not been supported for HTTPS Inspection until now.

So crazy me, I read through all the Release Notes and Limitations and a bunch of other R80.30 docs and then convinced my boss that we should move everything to R80.30. I mean, we still had two weeks left until the scheduled upgrade date: plenty of time to re-image the new servers and use the fail over management system to upgrade to R80.30 management as well.

So, I was pretty aghast when I found out yesterday that the Mobile Access Portal hot fix, sk113410, is not available for R80.30. The Mobile Access Portal is the front end to the SSL Network Extender, which we use for external vendor and employee access to our internal network. Over half of those users are using browsers other than Internet Explorer. That's a real problem, because without the sk113410 patch, the Mobile Access Portal only supports IE on Windows. There is no mention of this lack of an sk113410 patch in the R80.30 Limitations document. The SK article for sk113410 was updated yesterday, after my call on the subject to Check Point TAC, stating that there would be no hot fix for R80.30 until Q3 or Q4 2019.

Look, I understand the software development cycle and the need to fork the code somewhere in order to start on the new version. But when you have added functionality in widely used hot fixes already available for prior releases, it seems to me you should either plan to incorporate the hot fixes into the forked code base, as they did with the SNI hot fix for R80.30, or develop a version of the hot fix for the new version before general release.

I am so frustrated with Check Point right now.... I had to go back to my boss and explain that we would not be able to go to R80.30 after all. So, now we are back to R80.10 for our end of the month upgrade. I sure look stupid. My boss' comment was: "Why do they keep doing this? I don't remember ever having similar issues with Cisco or Palo Alto firewalls at previous jobs."

Why does Check Point keep releasing new versions without functional parity with prior releases?
Vladimir inside General Topics 10 hours ago

0-Phishing functionality on the gateways

Does URL filtering with IPS and TE enforce the Zero Phishing capability on the gateways? I mean, if we have HTTPS inspection and categorization enabled on R80.30, would new phishing sites be identified dynamically?
SPM inside General Topics 13 hours ago

R80.30 and HPE DL 360 Gen10

So in the R80.30 EA it was stated that the HPE DL 360 Gen10 is supported:
https://usercenter.checkpoint.com/uc/htmls/earlyavailability/R80.30_3.10/requirements.html
But now that R80.30 GA has been released, I don't see the HPE DL 360 Gen10 listed in the HCL as supported. So are Gen10 servers supported or not?
Valeri_Loukine (Admin) inside General Topics 16 hours ago

Propose your Idea of the Year!

Yes, it is this time of year, again. Same as one year ago, we turn to the community and ask you, good folks, to propose the idea of the year. Or, better: The Idea Of The Year! The rules are the same as before: it is about ideas that you wish Check Point would develop into a product/service offering, or improvements to existing ones. Do you think we miss something important, or that we should consider expanding our product portfolio, feature set or functionalities, get to a completely new playground, change the rules of the game? Tell us NOW!

A few disclaimers/notes:
- There are no guarantees that any idea suggested will be developed, even the "Idea Of The Year".
- From the suggestions below, we will choose 3-5 ideas which will be put up for voting later on.
- Preference will be given to ideas that come from customers and partners, though employees are welcome to participate as well.
- "Likes" and "discussion" around specific ideas will influence (but not wholly determine) the final list, so if you like something someone has suggested, let it be known!
- @Dorit_Dor and R&D leaders will choose the best ideas, and if you win, you will get a prize! What prize? We will tell you later.

Get creative, use your imagination and PROPOSE!
GGiorgakis inside General Topics 23 hours ago

Top critical issues for R80.20

What is the top critical issue that you faced with R80.20?
Albert_Chang inside General Topics yesterday

Packets from IPSec tunnel were dropped. It seems there is an issue with the CoreXL connections table

Our security gateway sometimes drops packets from an IPSec tunnel. The workaround is usually to reinstall the policy, and the issue will be fixed for a few days. Using "fw ctl zdebug drop" to capture the drop message, it says "failed to resolve SA (VPN Error code 01)". But in the kernel debug, it looks like it cannot find the connection in the connections table. Has anyone encountered a similar issue and has a solution? Thanks in advance!

;20Jun2019 3:30:27.466084;[cpu_1];[fw4_2];fwconn_lookup: not found in connections table;
;20Jun2019 3:30:27.466088;[cpu_1];[fw4_2];forward_if_not_mine: forwarded to another instance (rc=0);
....
;20Jun2019 3:30:27.466102;[cpu_1];[fw4_2];fwconn_key_lookup_ex: conn 10.13.1.29:0 IPP 10,0,0,0,0,UUID: 00000000-0000-0000-00-0-0-0-0-0-0-0, 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0> not found in connections table;
.....
;20Jun2019 3:30:27.466268;[cpu_1];[fw4_2];fwconn_key_lookup_ex: conn 172.28.0.126:15 IPP 10,0,0,0,0,UUID: 00000000-0000-0000-00-0-0-0-0-0-0-0, 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0> not found in connections table;
;20Jun2019 3:30:27.466282;[cpu_1];[fw4_2]; vpnk_conn_log: in the kernel - calling fwchainlog_delayed_rulebase_log with alert -1 ;
;20Jun2019 3:30:27.466284;[cpu_1];[fw4_2]; action = 0 schemename = IKE user = methods = ESP: AES-256 + SHA384 + PFS (group 2) fail_reason = Encryption/Decryption failure, failed to resolve SA (VPN Error code 01) xpo_loghandle = 0 community_loghandle = 0
sysad1929 inside General Topics yesterday

Management IP address after factory reset

Has anyone experienced factory resetting R80.20 to default, both by pressing the factory button and/or via the boot menu, where it did not revert the admin password to default? I tried the factory reset 5 times but still no luck. It keeps saying "Invalid login". I can try booting from USB, but it is weird that this happened. I performed a factory reset on the same model 3200 but a different device and it works fine.
Chris_Sanduliak inside General Topics Friday

CP5600 Memory Exhaustion

We have a couple of CP5600s operating in different locations with very similar configurations. The load is about the same. Each is running R80.10 - T189. Location B is stable and running without issues, but Location A we have to reboot about once every 45 days due to memory issues. Whatever is happening affects the dataplane, i.e. the FW stops forwarding packets.

This is the memory output for Location A:

System Capacity Summary:
Memory used: 77% (4455 MB out of 5731 MB) - below watermark
Concurrent Connections: 10410 (Unlimited)
Aggressive Aging is enabled, not active

Hash kernel memory (hmem) statistics:
Total memory allocated: 3737321472 bytes in 912432 (4096 bytes) blocks using 14 pools
Initial memory allocated: 599785472 bytes (Hash memory extended by 3137536000 bytes) - 3.1GB?
Memory allocation limit: 4806672384 bytes using 512 pools
Total memory bytes used: 0 unused: 3737321472 (100.00%) peak: 3426386556
Total memory blocks used: 0 unused: 912432 (100%) peak: 861288
Allocations: 4163792559 alloc, 0 failed alloc, 4140371486 free

System kernel memory (smem) statistics:
Total memory bytes used: 4598247500 peak: 4608745920
Total memory bytes wasted: 3721660
Blocking memory bytes used: 4784944 peak: 9567848
Non-Blocking memory bytes used: 4593462556 peak: 4599178072
Allocations: 13741524 alloc, 0 failed alloc, 13738637 free, 0 failed free
vmalloc bytes used: 4588389496 expensive: no

Kernel memory (kmem) statistics:
Total memory bytes used: 4143730832 peak: 4231943656
Allocations: 4177522403 alloc, 0 failed alloc
4154099588 free, 0 failed free
External Allocations: 16896 for packets, 88628453 for SXL

Cookies:
3778625491 total, 0 alloc, 0 free,
150073 dup, 300575262 get, 2794359219 put,
2072999334 len, 2707089222 cached len, 0 chain alloc,
0 chain free

Connections:
388319874 total, 136725382 TCP, 231455561 UDP, 19560665 ICMP,
578266 other, 30721 anticipated, 195046 recovered, 10410 concurrent,
159214 peak concurrent

Fragments:
1118953332 fragments, 2706956154 packets, 3456 expired, 0 short,
0 large, 0 duplicates, 848 failures

NAT:
67013/0 forw, 52962/0 bckw, 982 tcpudp,
0 icmp, 5906-17579 alloc

Sync: off

[Expert@LocationA:0]# free -m
             total       used       free     shared    buffers     cached
Mem:          7744       7580        164          0        333       1837
-/+ buffers/cache:       5409       2334
Swap:        18394          0      18394

This is Location B:

System Capacity Summary:
Memory used: 9% (539 MB out of 5731 MB) - below watermark
Concurrent Connections: 8560 (Unlimited)
Aggressive Aging is enabled, not active

Hash kernel memory (hmem) statistics:
Total memory allocated: 599785472 bytes in 146432 (4096 bytes) blocks using 1 pool
Total memory bytes used: 0 unused: 599785472 (100.00%) peak: 274277488
Total memory blocks used: 0 unused: 146432 (100%) peak: 69627
Allocations: 1607331344 alloc, 0 failed alloc, 1607117916 free

System kernel memory (smem) statistics:
Total memory bytes used: 967638752 peak: 986044552
Total memory bytes wasted: 4180014
Blocking memory bytes used: 5820820 peak: 14955252
Non-Blocking memory bytes used: 961817932 peak: 971089300
Allocations: 151132250 alloc, 0 failed alloc, 151129180 free, 0 failed free
vmalloc bytes used: 956763424 expensive: no

Kernel memory (kmem) statistics:
Total memory bytes used: 401812380 peak: 640749756
Allocations: 1758439658 alloc, 0 failed alloc
1758224295 free, 0 failed free
External Allocations: 76032 for packets, 89765022 for SXL

Cookies:
1450833429 total, 836424 alloc, 836424 free,
251 dup, 433718314 get, 2695578081 put,
2263227759 len, 2298121504 cached len, 0 chain alloc,
0 chain free

Connections:
1628040697 total, 660800638 TCP, 927853823 UDP, 39386225 ICMP,
11 other, 288832 anticipated, 441738 recovered, 8560 concurrent,
161987 peak concurrent

Fragments:
302418965 fragments, 2297426537 packets, 2476610 expired, 0 short,
0 large, 0 duplicates, 1969 failures

NAT:
0/0 forw, 0/0 bckw, 0 tcpudp,
0 icmp, 0-27257 alloc

Sync: off

[Expert@locationB:0]# free -m
             total       used       free     shared    buffers     cached
Mem:          7744       7555        189          0        419       4896
-/+ buffers/cache:       2239       5504
Swap:        18394          0      18394

The only difference I can find between the two is that Location A is using extended memory hash tables, but I don't know what would cause this behavior?
Maik inside General Topics Friday

TCP SACK PANIC - Kernel vulnerabilities | Check Point affected?

Hello,

Just wanted to ask for a statement from Check Point regarding CVE-2019-11477, CVE-2019-11478 & CVE-2019-11479. As Red Hat posted a statement and mentioned that several releases are affected, my guess is that Check Point with GAiA is affected too (as it is based on RH Linux...). Details can be read below:
https://access.redhat.com/security/vulnerabilities/tcpsack

Regards,
Maik
HeikoAnkenbrand inside General Topics Friday

R80.20 - IP blacklist in SecureXL

Controls the IP blacklist in SecureXL. The blacklist blocks all traffic to and from the specified IP addresses. The blacklist drops occur in SecureXL, which is more efficient than an Access Control Policy to drop the packets. This can be very helpful, e.g. with DoS attacks, to block an IP at the SecureXL level.

For example, the traffic from and to IP 1.2.3.4 should be blocked at the SecureXL level.

On the gateway, add the IP 1.2.3.4 to the SecureXL blacklist:
# fwaccel dos blacklist -a 1.2.3.4

On the gateway, display all IPs on the SecureXL blacklist:
# fwaccel dos blacklist -s

On the gateway, delete the IP 1.2.3.4 from the SecureXL blacklist:
# fwaccel dos blacklist -d 1.2.3.4

Very nice new function in R80.20!

Furthermore, there is also the Penalty Box whitelist in SecureXL. The SecureXL Penalty Box is a mechanism that performs an early drop of packets that arrive from suspected sources. The purpose of this feature is to allow the Security Gateway to cope better under high traffic load, possibly caused by a DoS/DDoS attack. The SecureXL Penalty Box detects clients that send packets which the Access Control Policy drops, and clients that violate the IPS protections. If the SecureXL Penalty Box detects a specific client frequently, it puts that client in a penalty box. From that point, SecureXL drops all packets that arrive from the blocked source IP address. The Penalty Box whitelist in SecureXL lets you configure the source IP addresses which the SecureXL Penalty Box never blocks.

More under this link: Command Line Interface R80.20 Reference Guide

Regards,
Heiko
Oscar_David_Gom inside General Topics Friday

VSX VPN with AWS

Hi, I have an R80.10 VSX cluster; one of my VSs is managing our VPNs. Today I received a request to create a VPN against AWS. They sent us a txt file generated from AWS which indicates the step by step for creating it. The problem started with the first step: creating a tunnel interface. As we are using VSX, that is not supported, so what we did was:

1. Create a Star community.
2. Add as the center my VS, and for the satellite the interoperable device configured as usual (Public IP, encryption domain, etc).
3. Set the encryption parameters, etc. as said by the txt configuration file from AWS:
   1. Under Security Policies choose "VPN Communities" and click "New", "Star Community".
   2. Choose "General" and provide a name: vpn-0a265dfe8bec93511.
   3. For "Center Gateways", add your gateway or cluster.
   4. For "Satellite Gateways", add the interoperable devices that you created before.
   5. For "Encryption", choose "IKEv1 only".
   6. In the "Encryption Suite" section, choose "Custom", "Custom Encryption".
   7. Configure the properties as follows:
      Phase 1 Properties - Internet Key Exchange (IKE)
      a. Perform key exchange encryption with: aes128
      b. Perform data integrity with: sha1
      Phase 2 Properties - IPSEC
      a. Perform IPsec data encryption with: aes128
      b. Perform data integrity with: sha1
   8. For "Tunnel Management", choose "Set Permanent Tunnels", "On all tunnels in the community".
   9. In the "VPN Tunnel Sharing" section, choose "One VPN tunnel per Gateway pair".
   10. Expand "Advanced Settings". For "Shared Secret": *************
   11. For "Advanced VPN Properties", configure the properties as follows:
      IKE (Phase 1)
      a. Use Diffie-Hellman group: 2
      b. IKE SA lifetime: 28800 seconds
      IPSEC (Phase 2)
      a. Use Perfect Forward Secrecy: Checked
      b. IPSEC SA Lifetime: 3600 sec
   12. Click OK to close the VPN Window.
4. Configure the tunnel_keep_alive method for DPD.
5. Create the rule.
6. Install policies.

Result: the VPN is always Down. So my question is, how do I configure a VPN against Amazon when I'm using VSX?
Thanks.
kobilevi inside General Topics Friday

Checking policy creator and history

Hello (: Does anyone know how to check in Gaia R80.10 who created a rule in the policy, and when? Thanks
Di_Junior inside General Topics Friday

Check Point Clustering between two Datacenters

Dear Mates,

We are currently experiencing routing asymmetry on our infrastructure, and we are trying to find possible solutions that could help us solve the problem. I would like to know whether there is a limitation in terms of creating a Check Point cluster over two geographically separated Datacenters (a few kilometers away from each other). Are there any distance constraints?

If there is no distance constraint, since the current version of GAIA we are using (R80.20) does not support Load Sharing, we do not intend to have 4 appliances in a cluster while only one is taking all the traffic. Can Maestro be used in order to take advantage of the 4 appliances?

The rationale for this question is that we are thinking of turning the 4 Check Point Appliances into a single cluster.

Thanks in Advance
Wolfgang inside General Topics Friday

2200 appliance R80.20 failure

Dear folks,

We have been running R80.20 on a 2200 appliance for 2 months without problems. This week some problems occurred. We got a lot of errors like these:

Jun 13 11:19:25 2019 XXXXX kernel: [fw4_0];fwmutlik_do_sequence_accounting_on_entry: bad dir -1 (gconn_segment=1 flags=1 opcode=15)
Jun 13 11:19:26 2019 XXXXX kernel: [fw4_0];fwmutlik_do_sequence_accounting_on_entry: bad dir -1 (gconn_segment=1 flags=1 opcode=15)
Jun 13 11:19:26 2019 XXXXX kernel: [fw4_0];fwmutlik_do_sequence_accounting_on_entry: bad dir -1 (gconn_segment=0 flags=1 opcode=15)

If we do a restart of the appliance, it can't install the policy (policy install failed) and the default policy is loaded. A manual fw fetch after the restart loads the actual policy, but the errors shown above occur again after some minutes. Any ideas, or has anyone seen this error anywhere?

Wolfgang