General Topics

Have a question and you can't figure out where to post about it after reading All Products and Where to Post About Them? Post it here!

JG inside General Topics 52m ago
views 96 8 1

Disable TLS 1.0

I'm asking this question to a vendor as well. However, I will ask here too. I'm trying to disable TLS1.0 globally on a firewall cluster. This is in an effort to completely eliminate all HTTPS weak ciphers. I've been scanning our environment with various tools and found that TLS 1.0 is still a valid cipher when I scan my cluster IP addresses. So far, I haven't been able to find any documentation on how to do this with Checkpoint. On an ASA it's 2 or 3 commands to stop supporting the cipher. The only thing I've seen in forums is that on Checkpoint it's not possible. Is this true? I'm running R80.30 so I would think you would be able to do this but maybe not. Thanks, Jon
Nik_Bloemers inside General Topics 2 hours ago
views 226 15

VPN certificates

Hello CheckMates, Does anyone know how to control which certificate gets sent in a certificate-based site-to-site VPN? There's a nice repository of certificates available on the gateway, but it always seems to send the ICA signed certificate. We only want to use the ICA certificate for CP<->CP VPN's that are managed by the same management. We also have some third-party DAIP gateways we want to use another PKI infrastructure for (that already has CRL publicly available, unlike the CP ICA). Any ideas how to accomplish this? Browsing the documentation and SK's for half a day didn't seem to reveal a solution. Kind regards, Nik
wnascimento inside General Topics 3 hours ago
views 39 2

DPDK on Checkpoint

Hello, does Checkpoint support DPDK? Regards, William
HeikoAnkenbrand inside General Topics 5 hours ago
views 91 4

Kernel Debug flags PDF - R80.30 / R80.20?

For R80.10 there is a PDF with kernel debug flags available:
- Kernel Debug Flags (R80.10)
- SecureXL Debug Flags - FWAccel (R80.10)
- SecureXL Debug Flags - SIM (R80.10)
I need this for debugging R80.20 and R80.30. Where can I find the PDFs for R80.30?
6dd15084-b97a-4 inside General Topics 6 hours ago
views 28 1

object group with multiple ip address

Hey All, I have 1 request from my team to block more than 250 IP addresses. Can you experts help me to create this, or is there any process by which I can create this object group by uploading an XLS/CSV file?
HeikoAnkenbrand inside General Topics 6 hours ago
views 78 1 3

Top100 - Check Point Terms Overview for Debug

I've been trying to understand all the Check Point terms for the last 25 years. Here is my Top 100 list of terms that might help you. The following terms are used on CLI for firewall debug, processes and daemon:

accel                   SecureXL
acct                    Application Control accounting
advp                    advanced patterns (signatures over port ranges)
APPI                    Application Control
aspii                   Accelerated Stateful Protocol Inspection Infrastructure (INSPECT streaming)
async                   IA checking known network
av                      Anti-Virus inspection
avi_del_tmp_files       Shell script that periodically deletes various old temporary Anti-Virus files
balance                 ConnectControl - logical servers in kernel, load balancing
btime                   browse time
cache_tab               cachetable infrastructure
ccp                     Cluster Control Protocol (CCP)
cgnat                   Carrier Grade NAT (CGN/CGNAT)
chain                   chain modules
chainfwd                chain forwarding - cluster
chainq                  QoS holding and releasing packets during critical actions (policy install / uninstall)
CI                      Content Inspection
ci_http_server          HTTP Server for Content Inspection
clishd                  Gaia Clish CLI interface process - general information for all Clish sessions
clish                   Gaia Clish CLI interface
clob                    data classification - Classification Object (CLOB)
cloningd                Cloning Groups daemon
cluster                 ClusterXL
cmi                     Context Management Infrastructure
cmi_inspect             cmi_loader - INSPECT code
cmi_loader              CMI loader
cmi_module              cmi_loader module operations - initialization, module loading, calls to module, contexts, etc.
confd                   Database and configuration
conn                    Connections Table issues
connstats               connections statistics for Evaluation of Heavy Connections in CPView (refer to sk105762)
context                 operations on Memory context and CPU context
CPAS                    CPAS (Check Point Active Streaming)
cpca                    Check Point Internal Certificate Authority (ICA)
cpcode                  Data Loss Prevention (DLP) CPcode
cpd                     Check Point processes / daemon
cpdiag                  CPDiag operations
cp_file_convert         Used to convert various file formats to simple textual format for scanning by the DLP engine
cphaconf                installs cluster configuration or CLI command 🙂
cphamcset               Clustering daemon
cphaprob                Process that lists the state of cluster members or CLI command 🙂
cphastart               Starts the cluster and state synchronization.
cphastop                Stops the cluster and state synchronization
cp_http_server          HTTP Server for Management Portal (SmartPortal) and for OS WebUI
cp_http_server          HTTP Server for OS WebUI and Management Portal
cplmd                   get the data that should be presented in SmartView Tracker
cpm                     Check Point management daemon (PostgreSQL and SOLR databases)
cposd                   SMB-specific daemon responsible for OS Networking operations
cprid                   Check Point Remote Installation Daemon
cprid_wd                WatchDog for Check Point Remote Installation Daemon
cpsead                  Responsible for Correlation Unit functionality
cpsemd                  Responsible for logging into the SmartEvent GUI
cpsnmpd                 SNMP queries for Check Point OIDs
cpstat_monitor          Process is responsible for collecting and sending information to SmartView Monitor
cptls                   CRYPTO-PRO Transport Layer Security (HTTPS inspection)
cpviewd                 CPView Utility daemon (sk101878)
cpview_historyd         CPView Utility History daemon (sk101878).
cpwd                    WatchDog monitors critical processes such as Check Point daemons
cpwmd                   Check Point Web Management daemon
crypto                  basic information about encryption and decryption
cserver                 Check Server that either stops or processes the e-mail
ctasd                   Commtouch Anti-Spam daemon
ctipd                   Commtouch IP Reputation
                        Connectivity Upgrade (sk107042)
cvpnd                   Back-end daemon of the Mobile Access Software Blade
cvpnd                   processing of connections handled by Mobile Access daemon
cvpnproc                Offload blocking commands from cvpnd
CvpnUMD                 Report SNMP connected users to AMON
DAService               Check Point Upgrade Service Engine (CPUSE) - (sk92449)
dbsync                  DBsync enables SmartReporter to synchronize data stored in different parts of the network.
dbwriter                Offload database commands from cvpnd and synchronize with other members
dfa                     Pattern Matcher (Deterministic Finite Automaton) compilation and execution
df                      Decision Function - decides, which member will handle each packet in a Load Sharing mode
dfilter                 debug filter operations
dhcpd                   DHCP server daemon
dlpda                   Data Loss Prevention (DLP) Download Agent
dlp                     Data Loss Prevention
dlp_fingerprint         Used to identify the data according to a unique signature
dlpk                    Data Loss Prevention (DLP) Kernel Module
dlpu                    DLP process - receives data from Check Point kernel.
dlpuk                   Data Loss Prevention (DLP) User Module
dnstun                  DNS tunnels
domain                  DNS queries
dos                     DDoS attack mitigation (part of IPS)
dropbear                Lightweight SSH server on SMB appliance
dynlog                  dynamic log enhancement (INSPECT logs)
fg                      FloodGate-1 (QoS)
FILEAPP                 File Application
filecache               Content Awareness file caching
flofiler                Flow profiler
fwapp                   information about policy installation for FireWall application
fwd                     Firewall processes / daemon
fwdlp                   DLP core engine that performs the scanning / inspection
fw                      Firewall
fwm                     Communication between SmartConsole applications and Security Management Server
fwpushd                 Mobile Access Push Notifications daemon
fwstats                 FW-1 statistics
fwucd                   DLP UserCheck back-end daemon that sends approval / disapproval requests to user
ghtab                   multi-threaded safe global hash tables
glue                    glue layer messages
gtp                     GPRS Tunneling Protocol (GTP)
gtp                     GTP (GPRS Tunneling Protocol)
h323                    VoIP H.323
htab                    multi-threaded safe hash table
httpd2                  Web server daemon (Gaia Portal)
httpd                   Endpoint Policy Management Server
httpd                   Front-end daemon of the Mobile Access Software Blade (multi-processes)
IA_htab                 IA checking for network IP address, working with kernel tables
ICAP_CLIENT             Internet Content Adaptation Protocol client
IDAPI                   Identity Awareness
ifnotify                notification of changes in interface status - up or down (received from OS)
in.acapd                Packet capturing daemon for SmartView Tracker logs
in.emaild.mta           E-Mail Security Server
in.emaild.pop3          POP3 Security Server that receives e-mails sent by user
in.emaild.smtp          MTP Security Server that receives e-mails sent by user and sends them to their destinations
in.geod                 Updates the IPS Geo Protection
                        Mail Security Daemon that queries the Commtouch engine for reputation.
interpreter             Process is responsible for Compliance Blade database scan.
ioctl                   IOCTL control messages - communication between kernel and daemon
ipopt                   IP options enforcement
java_solr               Events are stored in the SOLR database (Jetty Server) part of cpm
kbuf                    kernel-buffer
kissd                   KISS - used for kernel memory management
kissflow                Kernel Infrastructure Flow
kiss                    Kernel Infrastructure
kisspm                  Kernel Infrastructure Pattern Matcher
kqstats                 Kernel Worker thread statistics mechanism
kw                      Kernel Worker state and Pattern Matcher inspection
ld                      kernel dynamic tables infrastructure - reads from / writes to the tables
lea_session             LEA OPSEC session
lea                     LEA OPSEC - logs
llq                     QoS low latency queuing
log_consolidator        Log Consolidator for the SmartReporter product
log_indexer             R80 Log indexer
lpd                     Log Parser Daemon - Search predefined patterns in log files
mab                     Mobile Access handler
machine                 INSPECT Virtual Machine
MALWARE                 Malware (Threat Prevention)
mem_pool                memory pool
mgcp                    Media Gateway Control Protocol
mgr                     policy installation manager
misc                    miscellaneous helpful information
misp                    ISP Redundancy
mmagic                  MAC magic - operations (getting, setting, updating, initializing, dropping, etc.)
monitorall              debug -> fw monitor -p all
monitord                Hardware monitoring daemon
monitor                 debug -> fw monitor
MoveFileDemuxer         Related to MoveFileServer process (moving files between cluster members)
MoveFileServer          Move files between cluster members in order to perform database synchronization
mpdaemon                Apache server (which can have multiple processes for starting these web servers.
mrtsync                 synchronization (in kernel) between cluster members of Multicast Routes
msnms                   MSN over MSMS (MSN Messenger protocol)
mspi                    information related to creation and destruction of MSA / MSPI
mtctx                   multi-threaded context - memory allocation, reference count
multik                  CoreXL -> Multi-Kernel Inspection
mutex                   Unified Policy internal mutex operations
nac                     Network Access Control (NAC)
NRB                     Next Rule Base
ntup                    Non-TCP / Non-UDP traffic policy (traffic parser)
om_alloc                allocation of Office Mode IP addresses
osu                     cluster Optimal Service Upgrade (sk107042)
packet_err              invalid packets, for which dispatching decision can't be made
packval                 stateless verifications - sequences, fragments, translations and other header verifications
parser                  file parsing or CMI parser
parsers_is              cmi_loader parsers infrastructure
pcktdmp                 dumps the encrypted packets before encryption / decrypted packets after decryption
pcre                    Perl Compatible Regular Expressions
pdpd                    IA Policy Decision Point daemon
pepd                    IA Policy Enforcement Point daemon
per_conn                messages per connection (when a new connection is handled by RTM)
per_pckt                messages per packet (when a new packet arrives is handled by RTM) or "con_conn"
Pinger                  Reduce the number of httpd processes performing ActiveSync.
pkt_dump                traffic packet dump
pkxld                   Performs asymmetric key operations for HTTPS Inspection
PM_compile              Pattern Matcher - pattern compilation
pmdump                  Pattern Matcher - DFA (dumping XMLs)
pm                      Gaia OS Process Manager
pmint                   Pattern Matcher compilation
pm                      Pattern Matcher - compilation and execution
pnote                   registering and monitoring of critical ClusterXL Devices
portscan                port scanning prevention mechanics
postgres                PostgreSQL server
prof                    Firewall Priority Queues - connection profiler (refer to sk105762)
q                       driver queue
qosaccel                QoS acceleration
qos                     QoS (FloodGate-1)
queue                   Kernel Worker thread queues
quota                   cross-instance quota table
RAD_KERNEL              Resource Advisor Kernel
rad                     Resource Advisor
rconfd                  Provisioning daemon
rem                     Regular Expression Matcher - Pattern Matcher 2nd tier (slow path)
report_mgr              report manager
routed                  Routing daemon
rtdbd                   Real Time database daemon
rtmd                    Real Time traffic statistics.
RTM                     Real-Time Monitoring
salloc                  System Memory allocation
sam                     Suspicious Activity Monitoring
scanengine_b            Third party engine.
scanengine_k            Third party engine.
scanengine_s            Third party engine.
scrub_cp_file_convertd  Used to convert various file formats to simple textual format
scrubd                  Main Threat Extraction daemon
scrub                   Main CLI process for Threat Extraction
sctp                    Stream Control Transmission Protocol (SCTP)
scv                     SecureClient Verification
searchd                 Search indexing daemon
sec_rb                  secondary NRB rulebase operations
SFT                     Stream File Type
sfwd                    SMB fwd 🙂
SGEN                    Struct Generator
shmem                   shared memory allocation
sigload                 signatures loader, patterns, ranges
skinny                  Skinny Client Control Protocol - Cisco proprietary VoIP protocol
smartlog_server         SmartLog product service
SmartView               SmartEvent Web Application
sms                     Manages communication with UTM-1 Edge Security
                        String Matcher - Pattern Matcher 1st tier (fast path)
sna                     SnA objects ("Services and Application")
snmpd                   SNMP (Linux) daemon
SOLR                    CPM databases communication
span                    mirror port (duplicates the network traffic)
spii                    Stateful Protocol Inspection Infrastructure and INSPECT Streaming Infrastructure
sshd                    SSH daemon
ssl_insp                HTTPS SSL Inspection
sslt                    SSL TLS library
status_proxy            Status collection of ROBO Gateways - SmartLSM / SmartProvisioning status proxy.
subs                    Subscriber module - set of APIs, which enable user space processes (by using a DLL)
SVRServer               Controller for the SmartReporter product. Traffic is sent via SSL
swblade                 registration of Software Blades
sxl_statd               Allow acquiring statistics information from Host ppak and Falcon cards
synatk                  'SYN Attack' (SYNDefender) IPS protection
sync                    synchronization operations in ClusterXL
syslogd                 Syslog (Linux) daemon
tcpinfo                 TCP processing messages
tcpstr                  TCP streaming mechanism
tcpt                    TCP Tunnel (Visitor mode) related information (FW traversal on port 443)
ted                     Threat Emulation daemon engine
temp_conns              temporary connections
te                      Threat Emulation
tnlmon                  tunnel monitoring
topo                    information about topology and Anti-Spoofing of interfaces
ua                      Universal Alcatel "UA" Protocol
ucd                     UserCheck connections to other cluster members
UC                      UserCheck
uepm                    Endpoint Management Server
uf                      URL filters and URL cache
uid                     Cross-instance Unique IDs
upapp                   information about policy installation for Unified Policy application
upconv                  Unified Policy conversion
UPIS                    Unified Policy Infrastructure
UP                      Unified Policy
urlf_ssl                Application Control / URL Filtering for SSL
usrchkd                 Main UserCheck daemon, which deals with UserCheck requests
usrchk                  The CLI client for the UserCheck daemon USRCHKD
usrmem                  User Space platform memory usage
utf7                    conversion of UTF-7 characters to a Unicode characters
utf8                    conversion of UTF-8 characters to a Unicode characters
uuid                    session UUID
vbuf                    virtual buffer
vm                      Virtual Machine chain decisions on traffic going through fw_filter_chain
VPN_cookie              virtual de-fragmentation cookie
vpnd                    VPN processes / daemon
vpn_multik              MultiCore VPN (refer to sk118097)
vpn_tagging             sets the VPN policy of a connection according to VPN communities, VPN Policy related info
VPN                     VPN
vs                      Virtual System (VSX)
wap                     Multimedia Messaging Service (Wireless Application Protocol)
wd                      WebDefense
wire                    wire-mode Virtual Machine chain module
worker                  Kernel Worker - queuing and dequeuing
wsdnsd                  DNS Resolver - activated when Security Gateway is configured as HTTP/HTTPS Proxy
WSIS                    Web Intelligence Infrastructure
WS_parser               Web Intelligence HTTP header parser layer
WS_pfinder              Web Intelligence pattern finder
WS_regexp               Web Intelligence regular expression library
WS_SIP                  Web Intelligence SIP Parser
wstlsd                  Handles SSL handshake for HTTPS Inspected connections.
WS                      Web Intelligence
xl                      Accelerator cards interaction
xlate                   NAT - basic information
xltrc                   NAT - additional information - going through NAT rulebase
xpand                   Configuration daemon that processes and validates all user configuration requests,...
zeco                    Zero-Copy kernel module memory allocations

I think the list can also be extended to Top 1000 :-)
Di_Junior inside General Topics 7 hours ago
views 16

Importing certificates in Check Point gateways for authentication

Hi Mates, I need a hand. We are currently migrating one of our services (Skype for Business) from TMG to Check Point. I am using a logical server in order to balance the traffic to our internal servers (3 servers) where the 7 DNS records that serves this application. The problem that we are facing is with mobile devices: currently with TMG, when a mobile device tries to connect, TMG presents them our certificate issued by Digicert, and everything works fine. Now that we are migrating to Check Point, we are facing an issue with the certificate. With Check Point, when a mobile device tries to connect, it is presented with the self-signed certificate on the internal servers, and the communication does not work. We requested the certificate that is being used by TMG, and it is a .pfx file. Is there any way we can achieve what is being done by TMG? We are using R80.20. Thanks in advance
kb1 inside General Topics yesterday
views 163 6

Smartconsole force closes

So below is the lab topology where I have the mgmt Win 10 VM connected to the NY-sms, which is the mgmt server. So the problem is, as soon as I open SmartConsole from the mgmt Win 10 VM it closes after a few minutes as I'm setting it up for the first time, with me not being able to proceed with my lab. A while back I was able to complete about 60 percent of the course and did not have any such problems, although it was maybe because I was using older GNS3 and VMware versions. Anyway, right now with the updated and latest versions of GNS3 and VMware I'm stuck with this SmartConsole issue (don't know if it really is because of the updated versions of GNS3 and VMware or something else), so yeah, I need to proceed fast and need to get this SmartConsole to work!! So someone please help!! Have been stuck here for a few days searching for solutions but to no avail, with a lot of hours wasted as well!! Below is the error message-
Laptop OS - Win 10
Checkpoint Gaia Version - R80.10
Laptop Specs - MSI GS65 with i7-8750H, 32 GB 2666 MHz RAM, GTX 1070 MQ
Jeff_Gao inside General Topics yesterday
views 64 2

updates of security and security management server

Dear all, I know that IPS / App Control & URL Filtering can only update in SMS. I have a few questions:
1. What needs a security gateway to update from cloud?
2. What needs a SMS to update from cloud?
3. What are the effects if we only allow the SMS to update and do not allow the security gateway to update from cloud?
Thanks!
Danny inside General Topics yesterday
views 71848 183 183

Common Check Point Commands (ccc)

🏆 Code Hub Contribution of the Year 2018! 👍 Endorsed by Check Point Support! ccc is an interactive script to run common Check Point CLI tasks without having to crawl for cheat sheets, bookmarks, manuals or admin guides. License: GPL. Installation (expert mode) or download: curl_cli -k | zcat > /usr/bin/ccc && chmod +x /usr/bin/ccc
Aitor_Carazo inside General Topics yesterday
views 111 1

[CVE-2019-14899] Inferring and hijacking VPN-tunneled TCP connections.

Hi Checkmates, I have read in a newsletter about this vulnerability. Since Gaia runs on a RedHat-based OS, I am wondering if Checkpoint products are affected by this vulnerability. Regards
STF inside General Topics yesterday
views 149 5

How to login if mobile phone number has been changed?

Hello, I have another Check Point account using another email address. My mobile phone number which was linked to that account has been changed so I have no way to receive any SMS. And I cannot find any backup codes. So I cannot get past the 2 step verification for that account. I had written an email to as stated in a web page a week ago but the email got rejected because the address is invalid. This is the error message in the returned email:
I'm sorry to have to inform you that your message could not be delivered to one or more recipients. It's attached below. For further assistance, please send mail to postmaster. If you do so, please include this problem report. You can delete your own text from the attached returned message. The mail system <>: host[] said: 5505.1.1 <>... User unknown (in reply to RCPT TO command)
I really want to use that account but I'm totally stuck. Please tell me how I can gain access again.
Stefano_Chiesa inside General Topics Wednesday
views 88 2

VPN with Cisco FTD-local subnet natted, key exchange with original IPs

Hello all. On a 2200 R75.40 cluster is configured a L2L VPN with a remote Cisco the VPN configuration the real local subnet (10.39.126.x/23) is not specified but instead a NAT subnet is used (192.168.123.x/27). On the remote side 4 hosts (/32) are defined as remote networks ( local subnet is manually Hide-Natted behind a single IP NAT-Subnet address ( tunnel is up but sometimes when the key exchange happens the original 10.39.126.x IP is used in the packet instead of nat IP (see below the log records). The key with the wrong IP is installed (why?) but then the traffic fails. Seem a matter of activity sequence (accept rule, nat, negotiate, encrypt..). Does anyone have a suggestion? Thanks in advance. Stefano

----------------------------- CORRECT KEY INSTALL
Number: 11768148
Date: 11Dec2019
Time: 9:12:30
Interface: daemon
Origin: FW
Type: Log
Action: Key Install
==>Source: VPN-NAT-IP ( <<==== CORRECT
Destination: xxxxxxxxxxxxx
Information: IKE: Child SA exchange: Created a child SA successfully
IKE IDs: < -><>
Source Key ID: 0x92dddf54
Destination Key ID: 0x9ab9283b
Encryption Scheme: IKEv2
Data Encryption Methods: AES_256 + HMAC_SHA256, No IPComp, No ESN, No PFS
IKE Initiator Cookie: dbd002e39d8ab5aa
IKE Responder Cookie: eb019a4c3f09bd88
IKE Phase2 Message ID: 0000000d
VPN Peer Gateway: REMOTE-Peer (X.X.X.X)
Subproduct: VPN
VPN Feature: IKE
Product: Security Gateway/Management
Product Family: Network

----------------------------- WRONG KEY INSTALL
Number: 11750404
Date: 11Dec2019
Time: 9:11:52
Interface: daemon
Origin: FW
Type: Log
Action: Key Install
==>Source: <<======= WRONG!
Destination: xxxxxxxxxxxxx
Information: IKE: Child SA exchange: Created a child SA successfully
IKE IDs: <>
Source Key ID: 0x1f571570
Destination Key ID: 0xcb0be6fa
Encryption Scheme: IKEv2
Data Encryption Methods: AES_256 + HMAC_SHA256, No IPComp, No ESN, No PFS
IKE Initiator Cookie: dbd002e39d8ab5aa
IKE Responder Cookie: eb019a4c3f09bd88
IKE Phase2 Message ID: 0000000c
VPN Peer Gateway: REMOTE-Peer (X.X.X.X)
Subproduct: VPN
VPN Feature: IKE
Product: Security Gateway/Management
Product Family: Network

----------------------------- FAILING HTTPS ACCESS
Number: 11781102
Date: 11Dec2019
Time: 9:12:52
Interface: Mgmt
Origin: FW
Type: Log
Action: Drop
Service: https (443)
Source Port: 58984
Source: tcp
Rule: 43
Rule UID: {4904EE49-19C1-4074-8561-DF7437BF5FBF}
NAT rule number: 3
NAT additional rule number: 1
XlateSrc: VPN-NAT-IP ( 14356
Community: XXXXXXXXXXXXXX
Information: service_id: https
encryption fail reason: Packet is dropped because there is no valid SA - please refer to solution sk19423 in SecureKnowledge Database for more information
Encryption Scheme: IKE
Data Encryption Methods: ESP: AES-256 + SHA256
VPN Peer Gateway: REMOTE-Peer (X.X.X.X)
Subproduct: VPN
VPN Feature: VPN
Product: Security Gateway/Management
Log ID: 404830
Product Family: Network

------------------------------ WORKING HTTPS ACCESS
Number: 11768149
Date: 11Dec2019
Time: 9:12:30
Interface: Mgmt
Origin: FW
Type: Log
Action: Encrypt
Source: icmp
Rule: 43
Rule UID: {4904EE49-19C1-4074-8561-DF7437BF5FBF}
NAT rule number: 3
NAT additional rule number: 1
XlateSrc: VPN-NAT-IP ( XXXXXXXXXXXXXX
Information: service_id: icmp-proto
ICMP: Echo Request
ICMP Type: 8
ICMP Code: 0
Encryption Scheme: IKE
Data Encryption Methods: ESP: AES-256 + SHA256
VPN Peer Gateway: REMOTE-Peer (X.X.X.X)
Subproduct: VPN
VPN Feature: VPN
Product: Security Gateway/Management
Product Family: Network
HeikoAnkenbrand inside General Topics Tuesday
views 367 6 10

R80.x Performance Tuning Tip - Elephant Flows (Heavy Connections)

Elephant Flow (Heavy Connections)

In computer networking, an elephant flow (heavy connection) is an extremely large in total bytes continuous flow set up by a TCP or other protocol flow measured over a network link. Elephant flows, though not numerous, can occupy a disproportionate share of the total bandwidth over a period of time. When the observations were made that a small number of flows carry the majority of Internet traffic and the remainder consists of a large number of flows that carry very little Internet traffic (mice flows). All packets associated with that elephant flow must be handled by the same firewall worker core (CoreXL instance). Packets could be dropped by Firewall when CPU cores, on which Firewall runs, are fully utilized. Such packet loss might occur regardless of the connection's type.

What typically produces heavy connections:
- System backups
- Database backups
- VMWare sync.

Chapter

More interesting articles:
- R80.x Architecture and Performance Tuning - Link Collection
- Article list (Heiko Ankenbrand)

Evaluation of heavy connections

The big question is, how do you find elephant flows on an R80 gateway?

Tip 1: Evaluation of heavy connections (elephant flows)
A first indication is a high CPU load on a core if all other cores have a normal CPU load. This can be displayed very nicely with "top". Ok, now a core has 100% CPU usage. What can we do now? For this there is SK105762 to activate "Firewall Priority Queues". This feature allows the administrator to monitor the heavy connections that consume the most CPU resources without interrupting the normal operation of the Firewall. After enabling this feature, the relevant information is available in CPView Utility. The system saves heavy connection data for the last 24 hours and CPDiag has a matching collector which uploads this data for diagnosis purposes.

Heavy connection flow system definition on Check Point gateways:
- Specific instance CPU is over 60%
- Suspected connection lasts more than 10s
- Suspected connection utilizes more than 50% of the total work the instance does. In other words, connection CPU utilization must be > 30%

CLI Commands

Tip 2: Enable the monitoring of heavy connections.
To enable the monitoring of heavy connections that consume high CPU resources:
    # fw ctl multik prioq 1
    # reboot

Tip 3: Find heavy connections on the gateway with "print_heavy connections"
On the system itself, heavy connection data is accessible using the command:
    # fw ctl multik print_heavy_conn

Tip 4: Find heavy connections on the gateway with cpview
    # cpview
    CPU > Top-Connection > InstancesX

Links
sk105762 - Firewall Priority Queues in R77.30 / R80.10 and above
Aaron_Wrasman inside General Topics Tuesday
views 266 10

Confusion on what is supported in R80.20+ for FQDN.

So we recently moved a few of our firewalls to R80.20+ (i.e. we are still upgrading to R80.30 from R80.20). We are trying to start using the FQDN feature of domain objects for normal firewall traffic. I'm trying to allow access to sftp and not a website. If my destination is something like  and I can create a Domain object and make sure the FQDN feature is checked. Put that as the destination in a normal firewall rule and it works. If I have a site like and I and make sure the FQDN feature is checked. Put that as the destination in a normal firewall rule and it works sometimes. Are only second level domains supported with the FQDN feature? (i.e.  but not ) And to be very clear I'm not talking wildcard domain names.