General Topics

Have a question and you can't figure out where to post about it after reading All Products and Where to Post About Them? Post it here!

Nik_Bloemers
Nik_Bloemers inside General Topics 2 hours ago
views 70 5

VPN certificates

Hello CheckMates,

Does anyone know how to control which certificate gets sent in a certificate-based site-to-site VPN?

There's a nice repository of certificates available on the gateway, but it always seems to send the ICA-signed certificate. We only want to use the ICA certificate for CP<->CP VPNs that are managed by the same management. We also have some third-party DAIP gateways we want to use another PKI infrastructure for (one that already has a CRL publicly available, unlike the CP ICA).

Any ideas how to accomplish this? Browsing the documentation and SKs for half a day didn't seem to reveal a solution.

Kind regards,
Nik
Tbgaz
Tbgaz inside General Topics 2 hours ago
views 14

Updating ISP Redundancy Settings

Hi all. We're changing our backup ISP provider and I want to double-check the process for updating the settings on the firewall. I've had a look at the ISP redundancy document and it seems like a simple change from the old IP to the new one, and obviously the physical cable change between the new router and the external switch.

As this is my first time doing this, I just want to see if there will be any less obvious issues. Thanks in advance.
STF
STF inside General Topics 3 hours ago
views 61 1

How to login if mobile phone number has been changed?

Hello,

I have another Check Point account using another email address. My mobile phone number which was linked to that account has been changed, so I have no way to receive any SMS. And I cannot find any backup codes. So I cannot get past the 2-step verification for that account.

I had written an email to user_center@checkpoint.com as stated in a web page a week ago, but the email got rejected because the address is invalid. This is the error message in the returned email:

I'm sorry to have to inform you that your message could not be delivered to one or more recipients. It's attached below.
For further assistance, please send mail to postmaster.
If you do so, please include this problem report. You can delete your own text from the attached returned message.
The mail system
<user_center@michael.checkpoint.com>: host 194.29.34.68[194.29.34.68] said: 550 5.1.1 <user_center@michael.checkpoint.com>... User unknown (in reply to RCPT TO command)

I really want to use that account but I'm totally stuck. Please tell me how I can gain access again.
kb1
kb1 inside General Topics 4 hours ago
views 61 3

Smartconsole force closes

Below is the lab topology where I have the mgmt Win 10 VM connected to the NY-SMS, which is the management server.

So the problem is that as soon as I open SmartConsole from the mgmt Win 10 VM, it closes after a few minutes as I'm setting it up for the first time, so I'm not able to proceed with my lab. A while back I was able to complete about 60 percent of the course and did not have any such problems, although that was maybe because I was using older GNS3 and VMware versions. Anyway, right now with the updated and latest versions of GNS3 and VMware I'm stuck with this SmartConsole issue (don't know if it really is because of the updated versions of GNS3 and VMware or something else). So yeah, I need to proceed fast and need to get this SmartConsole to work!! So someone please help!! I have been stuck here for a few days searching for solutions but to no avail, with a lot of hours wasted as well!!

Below is the error message:
Stefano_Chiesa
Stefano_Chiesa inside General Topics 9 hours ago
views 37 2

VPN with Cisco FTD-local subnet natted, key exchange with original IPs

Hello all.

On a 2200 R75.40 cluster a L2L VPN is configured with a remote Cisco FTD. In the VPN configuration the real local subnet (10.39.126.x/23) is not specified, but instead a NAT subnet is used (192.168.123.x/27). On the remote side 4 hosts (/32) are defined as remote networks (10.130.200.234/.235/.236/.241). The local subnet is manually Hide-NATed behind a single NAT-subnet IP address (192.168.123.1).

The tunnel is up, but sometimes when the key exchange happens the original 10.39.126.x IP is used in the packet instead of the 192.168.123.1 NAT IP (see the log records below). The key with the wrong IP is installed (why?) but then the traffic fails. It seems a matter of activity sequence (accept rule, NAT, negotiate, encrypt...).

Does anyone have a suggestion? Thanks in advance.

Stefano

----------------------------- CORRECT KEY INSTALL
Number: 11768148
Date: 11Dec2019
Time: 9:12:30
Interface: daemon
Origin: FW
Type: Log
Action: Key Install
==>Source: VPN-NAT-IP (192.168.123.1) <<==== CORRECT
Destination: 10.130.200.235
Community: xxxxxxxxxxxxx
Information: IKE: Child SA exchange: Created a child SA successfully
IKE IDs: <192.168.123.0 - 192.168.123.31><10.130.200.235>
Source Key ID: 0x92dddf54
Destination Key ID: 0x9ab9283b
Encryption Scheme: IKEv2
Data Encryption Methods: AES_256 + HMAC_SHA256, No IPComp, No ESN, No PFS
IKE Initiator Cookie: dbd002e39d8ab5aa
IKE Responder Cookie: eb019a4c3f09bd88
IKE Phase2 Message ID: 0000000d
VPN Peer Gateway: REMOTE-Peer (X.X.X.X)
Subproduct: VPN
VPN Feature: IKE
Product: Security Gateway/Management
Product Family: Network

----------------------------- WRONG KEY INSTALL
Number: 11750404
Date: 11Dec2019
Time: 9:11:52
Interface: daemon
Origin: FW
Type: Log
Action: Key Install
==>Source: 10.39.126.44 <<======= WRONG!
Destination: 10.130.200.234
Community: xxxxxxxxxxxxx
Information: IKE: Child SA exchange: Created a child SA successfully
IKE IDs: <10.130.200.234>
Source Key ID: 0x1f571570
Destination Key ID: 0xcb0be6fa
Encryption Scheme: IKEv2
Data Encryption Methods: AES_256 + HMAC_SHA256, No IPComp, No ESN, No PFS
IKE Initiator Cookie: dbd002e39d8ab5aa
IKE Responder Cookie: eb019a4c3f09bd88
IKE Phase2 Message ID: 0000000c
VPN Peer Gateway: REMOTE-Peer (X.X.X.X)
Subproduct: VPN
VPN Feature: IKE
Product: Security Gateway/Management
Product Family: Network

----------------------------- FAILING HTTPS ACCESS
Number: 11781102
Date: 11Dec2019
Time: 9:12:52
Interface: Mgmt
Origin: FW
Type: Log
Action: Drop
Service: https (443)
Source Port: 58984
Source: 10.39.126.44
Destination: 10.130.200.234
Protocol: tcp
Rule: 43
Rule UID: {4904EE49-19C1-4074-8561-DF7437BF5FBF}
NAT rule number: 3
NAT additional rule number: 1
XlateSrc: VPN-NAT-IP (192.168.123.1)
XlateSPort: 14356
Community: XXXXXXXXXXXXXX
Information: service_id: https
encryption fail reason: Packet is dropped because there is no valid SA - please refer to solution sk19423 in SecureKnowledge Database for more information
Encryption Scheme: IKE
Data Encryption Methods: ESP: AES-256 + SHA256
VPN Peer Gateway: REMOTE-Peer (X.X.X.X)
Subproduct: VPN
VPN Feature: VPN
Product: Security Gateway/Management
Log ID: 404830
Product Family: Network

------------------------------ WORKING HTTPS ACCESS
Number: 11768149
Date: 11Dec2019
Time: 9:12:30
Interface: Mgmt
Origin: FW
Type: Log
Action: Encrypt
Source: 10.39.126.44
Destination: 10.130.200.235
Protocol: icmp
Rule: 43
Rule UID: {4904EE49-19C1-4074-8561-DF7437BF5FBF}
NAT rule number: 3
NAT additional rule number: 1
XlateSrc: VPN-NAT-IP (192.168.123.1)
Community: XXXXXXXXXXXXXX
Information: service_id: icmp-proto
ICMP: Echo Request
ICMP Type: 8
ICMP Code: 0
Encryption Scheme: IKE
Data Encryption Methods: ESP: AES-256 + SHA256
VPN Peer Gateway: REMOTE-Peer (X.X.X.X)
Subproduct: VPN
VPN Feature: VPN
Product: Security Gateway/Management
Product Family: Network
HeikoAnkenbrand
HeikoAnkenbrand inside General Topics yesterday
views 346 6 9

R80.x Performance Tuning Tip - Elephant Flows (Heavy Connections)

Elephant Flow (Heavy Connections)

In computer networking, an elephant flow (heavy connection) is an extremely large (in total bytes) continuous flow set up by a TCP or other protocol flow, measured over a network link. Elephant flows, though not numerous, can occupy a disproportionate share of the total bandwidth over a period of time. Observations have shown that a small number of flows carry the majority of Internet traffic and the remainder consists of a large number of flows that carry very little Internet traffic (mice flows).

All packets associated with an elephant flow must be handled by the same firewall worker core (CoreXL instance). Packets could be dropped by the Firewall when the CPU cores on which the Firewall runs are fully utilized. Such packet loss might occur regardless of the connection's type.

What typically produces heavy connections:
- System backups
- Database backups
- VMware sync

Chapter

More interesting articles:
- R80.x Architecture and Performance Tuning - Link Collection
- Article list (Heiko Ankenbrand)

Evaluation of heavy connections

The big question is, how do you find elephant flows on an R80 gateway?

Tip 1 - Evaluation of heavy connections (elephant flows)

A first indication is a high CPU load on one core while all other cores have a normal CPU load. This can be displayed very nicely with "top". OK, now a core has 100% CPU usage. What can we do now? For this there is sk105762 to activate "Firewall Priority Queues". This feature allows the administrator to monitor the heavy connections that consume the most CPU resources without interrupting the normal operation of the Firewall. After enabling this feature, the relevant information is available in the CPView utility. The system saves heavy connection data for the last 24 hours and CPDiag has a matching collector which uploads this data for diagnosis purposes.

Heavy connection flow system definition on Check Point gateways:
- Specific instance CPU is over 60%
- Suspected connection lasts more than 10s
- Suspected connection utilizes more than 50% of the total work the instance does. In other words, connection CPU utilization must be > 30%

CLI Commands

Tip 2 - Enable the monitoring of heavy connections

To enable the monitoring of heavy connections that consume high CPU resources:
# fw ctl multik prioq 1
# reboot

Tip 3 - Find heavy connections on the gateway with "print_heavy_conn"

On the system itself, heavy connection data is accessible using the command:
# fw ctl multik print_heavy_conn

Tip 4 - Find heavy connections on the gateway with cpview

# cpview
CPU > Top-Connection > InstancesX

Links
sk105762 - Firewall Priority Queues in R77.30 / R80.10 and above
Aaron_Wrasman
Aaron_Wrasman inside General Topics yesterday
views 193 10

Confusion on what is supported in R80.20+ for FQDN.

So we recently moved a few of our firewalls to R80.20+ (i.e. we are still upgrading to R80.30 from R80.20).

We are trying to start using the FQDN feature of domain objects for normal firewall traffic. I'm trying to allow access to SFTP and not a website.

If my destination is something like www.vanityname.net and I create a Domain object like:
.vanityname.net
and make sure the FQDN feature is checked, then put that as the destination in a normal firewall rule, it works.

If I have a site like sftp.vanityname.net and I create:
.sftp.vanityname.net
and make sure the FQDN feature is checked, then put that as the destination in a normal firewall rule, it works sometimes.

Are only second-level domains supported with the FQDN feature? (i.e. name.com but not sub.name.com)

And to be very clear, I'm not talking about wildcard domain names.
Tsvika_Akerman
inside General Topics yesterday
views 7416 62 15
Employee

R80.40 Early Availability Program @ Check Point Update

R80.40 EA Program

R80.40 features centralized management control across all networks, on premise or in the cloud, lowering the complexity of managing your security and increasing operational efficiency. As part of the Check Point Infinity architecture, R80.40 provides customers with the best security management, utilizing the industry's largest integration of technologies from more than 160 technology partners. With Check Point R80.40 Cyber Security for Gateways and Management, businesses everywhere can easily step up to Gen V.

Enrollment // Production EA
• We are looking for R80.X / R77.X Production environments to evaluate the new version.
• Start date: Started

Public EA (for Lab/Sandbox use) is now also available!
Log into UserCenter and select Try Our Products > Early Availability Programs
In PartnerMap, it is Learn > Evaluate > Early Availability Programs
NOTE: Upgrade from Public EA to GA is not supported

Additional questions? Contact us at EA_SUPPORT@checkpoint.com

What's New

IoT Security
A new IoT security controller to:
- Collect IoT devices and traffic attributes from certified IoT discovery engines (currently supports Medigate, CyberMDX, Cynerio, Claroty, Indegy, SAM and Armis).
- Configure a new IoT dedicated Policy Layer in policy management.
- Configure and manage security rules that are based on the IoT devices' attributes.

TLS Inspection

HTTP/2
HTTP/2 is an update to the HTTP protocol. The update provides improvements to speed, efficiency and security and results in a better user experience. Check Point's Security Gateway now supports HTTP/2 and benefits from better speed and efficiency while getting full security, with all Threat Prevention and Access Control blades, as well as new protections for the HTTP/2 protocol. Support is for both clear and SSL encrypted traffic and is fully integrated with HTTPS/TLS Inspection capabilities.

TLS Inspection Layer
This was formerly called HTTPS Inspection. Provides these new capabilities:
- A new Policy Layer in SmartConsole dedicated to TLS Inspection.
- Different TLS Inspection layers can be used in different policy packages.
- Sharing of a TLS Inspection layer across multiple policy packages.
- API for TLS operations.

Threat Prevention
- Overall efficiency enhancement for Threat Prevention processes and updates.
- Automatic updates to Threat Extraction Engine.
- Dynamic, Domain and Updatable Objects can now be used in Threat Prevention and TLS Inspection policies. Updatable objects are network objects that represent an external service or a known dynamic list of IP addresses, for example Office365 / Google / Azure / AWS IP addresses and Geo objects.
- Anti-Virus now uses SHA-1 and SHA-256 threat indications to block files based on their hashes. Import the new indicators from the SmartConsole Threat Indicators view or the Custom Intelligence Feed CLI.
- Anti-Virus and SandBlast Threat Emulation now support inspection of e-mail traffic over the POP3 protocol, as well as improved inspection of e-mail traffic over the IMAP protocol.
- Anti-Virus and SandBlast Threat Emulation now use the newly introduced SSH inspection feature to inspect files transferred over the SCP and SFTP protocols.
- Anti-Virus and SandBlast Threat Emulation now provide improved support for SMBv3 inspection (3.0, 3.0.2, 3.1.1), which includes inspection of multi-channel connections. Check Point is now the only vendor to support inspection of a file transfer through multiple channels (a feature that is on by default in all Windows environments). This allows customers to stay secure while working with this performance-enhancing feature.

Access Control

Identity Awareness
- Support for Captive Portal integration with SAML 2.0 and third-party Identity Providers.
- Support for Identity Broker for scalable and granular sharing of identity information between PDPs, as well as cross-domain sharing.
- Enhancements to Terminal Servers Agent for better scaling and compatibility.

IPsec VPN
- Configure different VPN encryption domains on a Security Gateway that is a member of multiple VPN communities. This provides:
  - Improved privacy - Internal networks are not disclosed in IKE protocol negotiations.
  - Improved security and granularity - Specify which networks are accessible in a specified VPN community.
  - Improved interoperability - Simplified route-based VPN definitions (recommended when you work with an empty VPN encryption domain).
- Create and seamlessly work with a Large Scale VPN (LSV) environment with the help of LSV profiles.

URL Filtering
- Improved scalability and resilience.
- Extended troubleshooting capabilities.

NAT
- Enhanced NAT port allocation mechanism - on Security Gateways with 6 or more CoreXL Firewall instances, all instances use the same pool of NAT ports, which optimizes the port utilization and reuse.
- NAT port utilization monitoring in CPView and with SNMP.

Voice over IP (VoIP)
- Multiple CoreXL Firewall instances handle the SIP protocol to enhance performance.

Remote Access VPN
- Use machine certificates to distinguish between corporate and non-corporate assets and to set a policy enforcing the use of corporate assets only. Enforcement can be pre-logon (device authentication only) or post-logon (device and user authentication).

Mobile Access Portal Agent
- Enhanced Endpoint Security on Demand within the Mobile Access Portal Agent to support all major web browsers. For more information, see sk113410.

Security Gateway and Gaia

CoreXL and Multi-Queue
- Support for automatic allocation of CoreXL SNDs and Firewall instances that does not require a Security Gateway reboot.
- Improved out-of-the-box experience - Security Gateway automatically changes the number of CoreXL SNDs and Firewall instances and the Multi-Queue configuration based on the current traffic load.

Clustering
- Support for Cluster Control Protocol in Unicast mode that eliminates the need for CCP Broadcast or Multicast modes.
- Cluster Control Protocol encryption is now enabled by default.
- New ClusterXL mode - Active/Active, which supports Cluster Members in different geographic locations that are located on different subnets and have different IP addresses.
- Support for ClusterXL Cluster Members that run different software versions.
- Eliminated the need for MAC Magic configuration when several clusters are connected to the same subnet.

VSX
- Support for VSX upgrade with CPUSE in Gaia Portal.
- Support for Active Up mode in VSLS.
- Support for CPView statistical reports for each Virtual System.

Zero Touch
- A simple Plug & Play setup process for installing an appliance - eliminating the need for technical expertise and having to connect to the appliance for initial configuration.

Gaia REST API
- Gaia REST API provides a new way to read and send information to servers that run Gaia Operating System. See sk143612.

Advanced Routing
- Enhancements to OSPF and BGP allow resetting and restarting OSPF neighboring for each CoreXL Firewall instance without the need to restart the routed daemon.
- Enhanced route refresh for improved handling of BGP routing inconsistencies.

New kernel capabilities
- Upgraded Linux kernel
- New partitioning system (gpt): supports more than 2TB physical/logical drives
- Faster file system (xfs)
- Support for larger system storage (up to 48TB tested)
- I/O related performance improvements
- Multi-Queue: full Gaia Clish support for Multi-Queue commands; automatic "on by default" configuration
- SMB v2/3 mount support in Mobile Access blade
- Added NFSv4 (client) support (NFS v4.2 is the default NFS version used)
- Support of new system tools for debugging, monitoring and configuring the system

CloudGuard Controller
- Performance enhancements for connections to external Data Centers.
- Integration with VMware NSX-T.
- Support for additional API commands to create and edit Data Center Server objects.

Security Management

Multi-Domain Server
- Back up and restore an individual Domain Management Server on a Multi-Domain Server.
- Migrate a Domain Management Server on one Multi-Domain Server to a different Multi-Domain Security Management.
- Migrate a Security Management Server to become a Domain Management Server on a Multi-Domain Server.
- Migrate a Domain Management Server to become a Security Management Server.
- Revert a Domain on a Multi-Domain Server, or a Security Management Server, to a previous revision for further editing.

SmartTasks and API
- New Management API authentication method that uses an auto-generated API Key.
- New Management API commands to create cluster objects.
- Central Deployment of Jumbo Hotfix Accumulator and Hotfixes from SmartConsole or with an API allows installing or upgrading multiple Security Gateways and Clusters in parallel.
- SmartTasks - Configure automatic scripts or HTTPS requests triggered by administrator tasks, such as publishing a session or installing a policy.

Deployment
- Central Deployment of Jumbo Hotfix Accumulator and Hotfixes from SmartConsole or with an API allows installing or upgrading multiple Security Gateways and Clusters in parallel.

SmartEvent
- Share SmartView views and reports with other administrators.

Log Exporter
- Export logs filtered according to field values.

Endpoint Security
- Support for BitLocker encryption for Full Disk Encryption.
- Support for external Certificate Authority certificates for Endpoint Security client authentication and communication with the Endpoint Security Management Server.
- Support for dynamic size of Endpoint Security Client packages based on the selected features for deployment.
- Policy can now control the level of notifications to end users.
- Support for Persistent VDI environment in Endpoint Policy Management.
Andrey_Korobko
Andrey_Korobko inside General Topics yesterday
views 5586 11

Problem with 5400 device after firmware upgrade to 80.30

Last Sunday (22.09) we upgraded the firmware on our Check Point 5400 to v.80.30, and this night (26.09) the device stopped responding. As we see on our monitoring software, the device stopped responding to ping at 23:23 (local time); at the same time it had less than 1% of free physical memory. At 1:00 the device came back online by itself with 7% of free physical memory, and then we manually rebooted it at 2:40, after which it had 75% of memory free. So everything points to a memory leak on this device after the upgrade, because there was no problem with any other part of the device (like CPU or other).

Product version: Check Point Gaia R80.30
OS build: 200
OS kernel version: 2.6.18-92cpx86_64
OS edition: 64-bit

Our devices configuration:
1) Two Check Point 5400 in HA mode
2) One node has 80.10, another 80.30
3) Node with 80.30 as Active Node
4) Services on 80.10 are stopped

In the attachment:
1. Information from the monitoring system

Have you encountered a similar problem? How did you decide?

2. Logs - /var/log/messages

Sep 27 00:59:00 2019 CPGW-1 kernel: [fw4_0];[192.168.0.122:43493 -> 178.140.2.238:443] [ERROR]: network_classifier_get_zone_by_ifnum: Failed to get ifindex for ifnum=-1
Sep 27 00:59:00 2019 CPGW-1 kernel: [fw4_0];[192.168.0.122:43493 -> 178.140.2.238:443] [ERROR]: network_classifier_notify_clob_by_ifnum: network_classifier_get_zone_by_ifnum failed
Sep 27 00:59:00 2019 CPGW-1 kernel: [fw4_0];[192.168.0.122:43493 -> 178.140.2.238:443] [ERROR]: network_classifier_notify_clob_by_dst_route: network_classifier_notify_clob_by_ifnum failed
Sep 27 00:59:00 2019 CPGW-1 kernel: [fw4_0];[192.168.0.122:43493 -> 178.140.2.238:443] [ERROR]: network_classifier_notify_clob_for_not_incoming_conn: network_classifier_notify_clob_by_dst_route failed
Sep 27 00:59:00 2019 CPGW-1 kernel: [fw4_0];[192.168.0.122:43493 -> 178.140.2.238:443] [ERROR]: network_classifiers_destination_zone_handle_post_syn_context: network_classifier_notify_clob_for_not_incoming_conn failed
Sep 27 00:59:00 2019 CPGW-1 kernel: [fw4_0];[192.168.0.122:43493 -> 178.140.2.238:443] [ERROR]: network_classifier_cmi_handler_match_cb: network_classifiers_destination_zone_handle_post_syn_context failed
Sep 27 00:59:00 2019 CPGW-1 kernel: [fw4_0];[192.168.0.122:43493 -> 178.140.2.238:443] [ERROR]: cmik_loader_fw_context_match_cb: match_cb for CMI APP 20 failed on context 359, executing context 366 and adding the app to apps in exception
Sep 27 00:59:00 2019 CPGW-1 kernel: [fw4_0];[192.168.0.122:43493 -> 178.140.2.238:443] [ERROR]: up_manager_cmi_handler_match_cb: connection not found
Sep 27 00:59:00 2019 CPGW-1 kernel: [fw4_0];[192.168.0.122:43493 -> 178.140.2.238:443] [ERROR]: up_manager_cmi_handler_match_cb: rc FALSE - rejecting conn [192.168.0.122:43493 -> 178.140.2.238:443, IPP 6]
Sep 27 00:59:00 2019 CPGW-1 kernel: [fw4_0];[192.168.0.122:43493 -> 178.140.2.238:443] [ERROR]: up_rulebase_should_drop_possible_on_SYN: conn dir 0, 192.168.0.122:43493 -> 178.140.2.238:443, IPP 6 required_4_match = 0x802, not expected required_4_match = 0x800
Sep 27 00:59:00 2019 CPGW-1 kernel: [fw4_1];mux_buf_create: ERROR: Failed allocate Mux buf.
Sep 27 00:59:00 2019 CPGW-1 kernel: [fw4_1];mux_write_raw_data: ERROR: Failed to create Mux buf.
Sep 27 00:59:00 2019 CPGW-1 kernel: [fw4_1];tls_mux_write: mux_write_raw_data failed
Sep 27 00:59:00 2019 CPGW-1 kernel: [fw4_1];mux_task_handler: ERROR: Failed to handle task. task=ffffc2003cf70e40, app_id=1, mux_state=ffffc20043256a50.
Sep 27 00:59:00 2019 CPGW-1 kernel: [fw4_1];mux_read_handler: ERROR: Failed to handle task queue. mux_opaque=ffffc20043256a50.
Sep 27 00:59:00 2019 CPGW-1 kernel: [fw4_1];mux_active_read_handler_cb: ERROR: Failed to forward data to Mux.
Sep 27 00:59:00 2019 CPGW-1 kernel: [fw4_1];[192.168.218.39:65323 -> 192.168.0.6:53] [ERROR]: cmik_loader_fw_context_match_cb: failed to allocate s_cmik_loader_match_params
Sep 27 00:59:00 2019 CPGW-1 kernel: [fw4_1];cmi_context_exec_from_non_stream: cmik_loader_fw_context_match_cb(context=352, app_id = -1, context_apps=15c0004) failed
Sep 27 00:59:00 2019 CPGW-1 kernel: [fw4_1];[192.168.218.39:65323 -> 192.168.0.6:53] [ERROR]: up_manager_fw_handle_first_packet: cmi_exec_from_first_packet() failed
Sep 27 00:59:00 2019 CPGW-1 kernel: [fw4_1];[192.168.218.39:65323 -> 192.168.0.6:53] [ERROR]: up_manager_fw_handle_first_packet: failed to execute first packet context
Sep 27 00:59:00 2019 CPGW-1 kernel: [fw4_1];mux_buf_create: ERROR: Failed allocate Mux buf.
Sep 27 00:59:00 2019 CPGW-1 kernel: [fw4_1];mux_write_raw_data: ERROR: Failed to create Mux buf.
Sep 27 00:59:00 2019 CPGW-1 kernel: [fw4_1];tls_mux_write: mux_write_raw_data failed
Sep 27 00:59:00 2019 CPGW-1 kernel: [fw4_1];mux_task_handler: ERROR: Failed to handle task. task=ffffc2003cf70e40, app_id=1, mux_state=ffffc2019cbca6f0.
Sep 27 00:59:00 2019 CPGW-1 kernel: [fw4_1];mux_read_handler: ERROR: Failed to handle task queue. mux_opaque=ffffc2019cbca6f0.
Sep 27 00:59:00 2019 CPGW-1 kernel: [fw4_1];mux_active_read_handler_cb: ERROR: Failed to forward data to Mux.
Sep 27 00:59:00 2019 CPGW-1 kernel: [fw4_0];FW-1: h_getvals: fw_kmalloc (496) failed
Sep 27 00:59:00 2019 CPGW-1 kernel: [fw4_1];tcp_input: failed to alloc pkt buf at line :1259
Sep 27 00:59:01 2019 CPGW-1 kernel: [fw4_0];FW-1: h_getvals: fw_kmalloc (496) failed
Sep 27 00:59:01 2019 CPGW-1 kernel: [fw4_1];pslip_get_buf: failed to alloc packet_buf
Sep 27 00:59:01 2019 CPGW-1 kernel: [fw4_1];psl_handle_packet: psl_allocate_packet_buf failed, len=264
Sep 27 00:59:01 2019 CPGW-1 kernel: [fw4_0];cpaq_cbuf_alloc_rcv_buf_info: buf_id=88362620 unable to allocate buffer sz=1712
Sep 27 00:59:01 2019 CPGW-1 kernel: [fw4_0];cphwd_handle_send_cphwd_stats: NULL cphwd_stats_buf buffer
Sep 27 00:59:01 2019 CPGW-1 kernel: [fw4_0];mux_write_raw_data: ERROR: Failed to allocate buf data.
Sep 27 00:59:01 2019 CPGW-1 kernel: [fw4_0];tls_mux_write: mux_write_raw_data failed
Sep 27 00:59:01 2019 CPGW-1 kernel: [fw4_0];mux_task_handler: ERROR: Failed to handle task. task=ffffc2003b40a370, app_id=1, mux_state=ffffc200417ca8a0.
Sep 27 00:59:01 2019 CPGW-1 kernel: [fw4_0];mux_read_handler: ERROR: Failed to handle task queue. mux_opaque=ffffc200417ca8a0.
Sep 27 00:59:01 2019 CPGW-1 kernel: [fw4_0];mux_active_read_handler_cb: ERROR: Failed to forward data to Mux.
Sep 27 00:59:01 2019 CPGW-1 kernel: [fw4_0];mux_write_raw_data: ERROR: Failed to allocate buf data.
Sep 27 00:59:01 2019 CPGW-1 kernel: [fw4_0];tls_mux_write: mux_write_raw_data failed
Sep 27 00:59:01 2019 CPGW-1 kernel: [fw4_0];mux_task_handler: ERROR: Failed to handle task. task=ffffc2003b40a4b0, app_id=1, mux_state=ffffc2003822b1e0.
Sep 27 00:59:01 2019 CPGW-1 kernel: [fw4_0];mux_read_handler: ERROR: Failed to handle task queue. mux_opaque=ffffc2003822b1e0.
Sep 27 00:59:01 2019 CPGW-1 kernel: [fw4_0];mux_active_read_handler_cb: ERROR: Failed to forward data to Mux.
Sep 27 00:59:01 2019 CPGW-1 kernel: [fw4_1];mux_write_raw_data: ERROR: Failed to allocate buf data.
Sep 27 00:59:01 2019 CPGW-1 kernel: [fw4_1];tls_mux_write: mux_write_raw_data failed
Sep 27 00:59:01 2019 CPGW-1 kernel: [fw4_1];mux_task_handler: ERROR: Failed to handle task. task=ffffc20052afe1b0, app_id=1, mux_state=ffffc2001e526c00.
Sep 27 00:59:01 2019 CPGW-1 kernel: [fw4_1];mux_read_handler: ERROR: Failed to handle task queue. mux_opaque=ffffc2001e526c00.
Sep 27 00:59:01 2019 CPGW-1 kernel: [fw4_1];mux_active_read_handler_cb: ERROR: Failed to forward data to Mux.
Aitor_Carazo
Aitor_Carazo inside General Topics yesterday
views 41

[CVE-2019-14899] Inferring and hijacking VPN-tunneled TCP connections.

Hi CheckMates,

I have read in a newsletter about this vulnerability. Since Gaia runs on a Red Hat based OS, I am wondering if Check Point products are affected by this vulnerability:
https://seclists.org/oss-sec/2019/q4/122

Thanks and regards
HeikoAnkenbrand
HeikoAnkenbrand inside General Topics Monday
views 179759 25 38

High Performance Gateways and Tuning

High Performance Gateways and Tuning

Timothy Hall gave a very interesting presentation, Security Gateway Performance Optimization with Tim Hall (video), in the last few days. Thank you for the presentation. Now we can discuss all the possibilities of the tuning in the forum. I would like to hear your experiences on this topic in the CheckMates forum.

More Tuning Tips

More interesting articles about R80.x performance tuning and architecture can be found here:
- R80.x Architecture and Performance Tuning - Link Collection
- Article list (Heiko Ankenbrand)
Jin_Zhou
Jin_Zhou inside General Topics Monday
views 99 4

Is there a way to pull a text from a gateway on the management station using established trust (with

I am trying to automate some process and need to get a text file from a gateway on the management station. Is there a way to do it using the established trust? Tried to use run-script to cat the file, but output is garbled text. Thanks. 
paviflo
paviflo inside General Topics Monday
views 174 1

Allocate secondary IP block on physical interface while using VRRP cluster

Hi there,

I'm trying to establish a BGP peering session straight from the external Firewall interface into the Microsoft Edge Routers to establish both a Private and a Microsoft peering session. MS peering requires you to allocate public IPs for this peering to work, whilst the Private peering would work with just private IP addressing.

Is it possible to allocate different IP blocks on the same physical interface for this purpose?

Each MS peering session requires you to allocate a /30 subnet, so the idea would be to allocate two larger /27 IP blocks (one for Private and one for Public) and break these down into individual, smaller /30 subnets for each of the peering sessions that need to be established (I need 4 private peering sessions and 4 public ones). We will be using the FWs in VRRP cluster mode since I believe ClusterXL wouldn't allow you to have separate virtual IP subnets off the same physical interface.

Thanks!
Jose_Rivera
Jose_Rivera inside General Topics Monday
views 168 4

CoreXL disabled by default on AWS Cloudguard (r80.20)

Just noticed CoreXL is disabled on all the CloudGuard instances we deployed (based on R80.20, soon to be R80.30). We do have a ton of route-based tunnels configured and want to make sure we are leveraging multi-core VPN.

Doesn't multi-core VPN require CoreXL? Is it supported to enable CoreXL on these AWS CloudGuard instances?

We have 8-core instances and no blades other than VPN and Identity Awareness enabled at the moment. Thanks.
Mazin_D
Mazin_D inside General Topics Monday
views 420 19

Upgrade to R80.30 using CPUSE failing

I am trying to upgrade the management server from R80.10 to R80.30. The management server is in HA and installed on a VM. I have upgraded the standby management server without any issue. The primary though keeps failing with the error "CPUSE encounter a problem while importing the package to Gaia machine. Try to import the package again. If the issue persist, contact checkpoint technical service".

I have tried to upgrade the DA (currently running build 1786) but I got another error: "File is not a DA package".

Any help is highly appreciated.