Nikolaos_Tsitso inside General Topics 2 hours ago
views 196 8

Cluster Upgrade 77.30 to 80.20 with traffic handling problems

Hi @all, yesterday we tried to upgrade a cluster from 77.30 to 80.20. The connectivity upgrade worked fine without any problems. After the upgrade, the web servers behind the cluster were not reachable from the Internet. On the tcpdump we can see that the traffic reaches the firewall, but in fw monitor we cannot see any traffic being handled by the firewall. We also don't see any drops in fw ctl zdebug + drop. We also tried changing the NAT rules to automatic, but the problem still exists. We reverted to the prior version 77.30 and everything works fine again. Does anyone have an idea?
Mark_Thomasson1 inside General Topics 2 hours ago
views 4269 15 1

6800 stability Issue - R80.10 w\/Take 203 or R80.20 w/ Take 74

Our company purchased a pair of the new 6800 gateways. We initially applied Take 203, before it became GA last week, as we weren't comfortable deploying new hardware without any notifies; supposedly the new 6800s can only run R80.10 and R80.20 ISOs, and general release Takes and hotfixes can't be installed. A week after putting them live into production, the NIC of the backup member of the 6800 HA pair hung twice within a period of 24 hours. The submitted cpinfo indicated issues with the NIC registers, and there was a recommendation to RMA the quad-port NIC card to "fix" the issue. The following sk described what we were seeing in our logs. More than 96 hours later the same behavior occurred with the primary member of the 6800 cluster, resulting in a failover to the backup. Again we RMAed the NIC card. On the recommendation of support, we changed the timeout for logging from 10 seconds to 2 seconds to better capture in the logs the behavior of the card before it failed. The card failed a second time on what was the primary member; this time the unit flapped over 30 times over a period of 45 minutes before it ended up failing. This time the issue was more severe, as the Cisco switch actually shut down the attached ports in a self-protection mode due to continued, prolonged flapping. We are still waiting for a solution from Check Point Support and R&D on this issue. We initially thought the problem was isolated to our environment, but later heard the issue occurred in Check Point's lab environment in Canada on a pair of 4800s after they applied Take 203. They initially thought the issue was flow control, but the issues persisted after they turned flow control off. It was later conveyed to me that another customer that purchased 6800s was having the same issues but was on R80.20 and Take 74. This customer had replaced the NIC and was also looking to RMA the entire chassis.
victor inside General Topics 2 hours ago
views 31 2

I cannot reach my Smart-1 205 SMS via webpage but can reach it on the same IP via SmartDashboard.

Hi, I cannot reach my Smart-1 205 SMS via a browser, but can reach it on the same IP via SmartConsole. I have tried various browsers, including Internet Explorer, to no avail.
Chinmaya_Naik inside General Topics 4 hours ago
views 31 1

Threat Prevention policy configuration when HTTP emulation on Private Cloud Appliance

Hi Team, please help me with the configuration. As per the diagram, we have a Gateway with a TE Appliance. So basically we are using the TE appliance only for emulation, not for extraction; Threat Extraction is happening on the Gateway. So for any file we download from the Internet, it first comes to the gateway, then the gateway sends that file to TE for emulation, then TE gives the verdict to the gateway, then the gateway sends the file to the end user based on the policy. Correct me if I am wrong. I need a clear idea about the configuration and how it works. Is it required to set the Threat Prevention policy to Detect mode in TE Policy Package 2? And what if I enable Threat Extraction in TE policy package 2? @Chinmaya_Naik
Isaac_Hamann inside General Topics 4 hours ago
views 3160 4

Having multiple External addresses for IPsec

I have a 4000 series appliance on R77.30 that is our externally facing gateway. Our ISP is forcing us to change all of our public IP addresses (yay me). We have quite a few IPsec tunnels for vendors, remote locations, etc... I'd like to find a way to simultaneously use both the old address and the new one for IPsec so that I can transition the tunnels one by one and not update every vendor simultaneously. In time, I could remove the old address entirely. I have an external interface configured with the new address and it is able to ping externally.

Here's a breakdown:
- [address missing in original] - current address for IPsec
- 2.2.2.2 - new address that will be for IPsec
- Tunnel 1 - vendor ABC
- Tunnel 2 - vendor XYZ
Current setup - Tunnels 1 and 2 are pointed at [address missing in original]
[...] setup - Tunnel 1 -> pointed at [address missing in original], [Tunnel] 2 -> pointed at [address missing in original], tunnels running simultaneously without interruption.

This is a live environment, so the lower the impact, the better. Any advice is appreciated... Thanks!
Andreas_Falk inside General Topics 5 hours ago
views 40 2

Replace out squid cluster with HTTP/HTTPS proxying on our Gateways?

Hi, we are currently running a couple of squids as forwarding proxies for our internal servers, so that they do not have direct access to the internetz. Now we are in the process of replacing them with newer ones, and then I read that you can enable an HTTP/HTTPS proxy on R80. Do you have any experience using it as a non-transparent proxy, like in our squid case? It's only for logging and stopping connections to bad actors on non-HTTP/HTTPS ports. I know it's a rather obsolete way because all C&C and such is using HTTPS anyhow 🙂 Thoughts? -- Regards, Falk
inside General Topics 5 hours ago
views 28 1

R80.20: New Jumbo Hotfix (Take 103) GA-Release

R80.20 Jumbo HF Take #103 was released as our GA take (replaced take 91) on Sep 22nd.  This take is available for download to all via CPUSE (as recommended) and via sk137592
Areef inside General Topics 5 hours ago
views 36 2

DHCP Relay configuration

Hi, I'm new to Check Point. I am just trying to configure my Check Point firewall as a DHCP relay agent. My plan is to separate my local network and guest WiFi network when providing WiFi connectivity to the users.

Here is the current setup:
- Local native LAN: the DHCP and DNS server is in this network.
- DHCP/DNS server: [address missing in original]
- I created another network (VLAN10) on Check Point firewall interface 4.
- VLAN10: on sub-interface 4.

After that I created a DHCP scope for VLAN10 on my DHCP server, and my APs need to get an IP address from the main DHCP server. How can I configure DHCP relay on Check Point to forward all the DHCP requests to the main DHCP server on the other network? When I try to configure DHCP relay it asks for an interface; I just select VLAN10 interface 4. I'm not sure which IP address I have to enter in the Primary IP address field and the add relay field. Can someone please help me configure DHCP relay based on the provided information? Appreciate your help.
s_milidrag inside General Topics 6 hours ago
views 882 6

Protocol Signatures

Kindly asking if someone can explain in more detail the "Protocol Signature" option in https/http/dns/telnet/smtp ... service objects. What is the difference in matching between https without protocol signature enabled (default option) and with protocol signature enabled? Thanks
Kamiar_Sh inside General Topics 7 hours ago
views 4113 22 2

Enable DPD on R80.20

Hi everyone, I have upgraded R77.30 to R80.20 recently and I am new to R80.20. I have 20 IPsec tunnels terminated on my cluster firewalls, and here is my question:

1. There is an issue on one IPsec tunnel with a 3rd party and I need to enable DPD mode (the tunnel is not permanent). So if I enable DPD mode, is there any impact on the other tunnels?

Here is the tunnel config:
IKEv1
Phase 1
AES-256
SHA-256
DH: Group 5
Renegotiation IKE security: 1440 minutes

I'd appreciate it if someone could assist me in resolving the issue.
Khalid_Aftas inside General Topics 9 hours ago
views 286 9

R80.20 Ipsec VPN issues

Hi, after upgrading to R80.20 on multiple gateways, we started having issues with a lot of VPNs that were running without problems on 80.10.

Case 1: VPN with a partner down; I had to make him disable the NAT-T option for it to work again.

Case 2 (most critical): Amazon Web Services. Once the phase 2 proposal from AWS comes, CP accepts it, then decides to propose another negotiation again, causing a complete cutout of the traffic for a few minutes. Other cases in other GWs with similar issues.

Opened a case with the TAC; they made me install some special hotfix, with no success. What changed in R80.20 regarding VPN? I hope there is a solution for these issues.

[CPFC]
HOTFIX_R80_20_JUMBO_HF_MAIN Take: 87
[MGMT]
HOTFIX_R80_20_JUMBO_HF_MAIN Take: 87
[FW1]
HOTFIX_R80_20_JUMBO_HF_MAIN Take: 87
HOTFIX_R80_20_JHF_T87_190_MAIN
HOTFIX_R80_20_JHF_T87_174_MAIN
HOTFIX_R80_20_JHF_87_90_002_MAIN
FW1 build number:
This is Check Point's software version R80.20 - Build 100
kernel: R80.20 - Build 001
[SecurePlatform]
HOTFIX_R80_20_JUMBO_HF_MAIN Take: 87
[CPinfo]
No hotfixes..
[DIAG]
No hotfixes..
[PPACK]
HOTFIX_R80_20_JUMBO_HF_MAIN Take: 87
[CVPN]
HOTFIX_R80_20_JUMBO_HF_MAIN Take: 87
[CPUpdates]
BUNDLE_R80_20_JUMBO_HF_MAIN Take: 87
Timothy_Fan inside General Topics 12 hours ago
views 56 2

Checkpoint 5400 with secondary internet

How can I configure the Check Point with a secondary internet connection? The interface part only lets me enter the IP address and subnet. What about the gateway and its new set of DNS servers? I want to set the secondary internet connection for IPsec VPN only. I searched for posts for whole days, but in vain. THX
Daniel_Taney inside General Topics 13 hours ago
views 2068 12

Hyperthreading Best Practice Recommendation For Management / SmartEvent Open Servers?

Is there a best practice recommendation for whether Hyperthreading should be enabled on an R80.10 Open Server if it is solely used as an SMS or SmartEvent server? I found lots of tips when it comes to HT on Gateways, but didn't see anything regarding Management. Thank You!
Johan_Rudberg inside General Topics yesterday
views 51 1

The VOIP problems still persists

Hello, I've tried to make VOIP function for some time now through our Check Point VSX R80.20 gateways, with no luck. Using Hide NAT works just a little for a while and then it stops working, that is, audio in one direction only. So we want to use Static 1-to-1 NAT. There are two reasons why Hide NAT is not an option:
1: It does not work properly.
2: Our ISP does not support the VOIP solution if we use Hide NAT.
I was told by our former contractor that the IP networks we are NATing to have to be on an interface in the firewall. So right now we have 2 interfaces towards the ISP: one with the small linknet that we use today and another one with our /14 Static NAT IP range. We have both interfaces set to external. But I can't get any client traffic through and back; however, from the GW cluster it's possible to ping from the /14 interface to the ISP. Is this setup even supported in the Check Point world?
Michael_Goessma inside General Topics yesterday
views 86 3

fw monitor and cppcap on VSX R80.20 (JHF 91)

I just want to share my findings on fw monitor and cppcap in a VSX R80.20 JHF 91 environment:
- fw monitor just segfaults if I use the -v <VSID> switch
- fw monitor just ignores the VS context if running without the -v switch and captures packets in all VSs
- cppcap does not work in VSX R80.20 JHF 91 with acceleration enabled; I had to do a fwaccel off in the specific VS to capture traffic
I may be wrong. But if not, some documents should be corrected, including Heiko's excellent cheat sheet...