Shurik
Shurik inside General Topics 4 hours ago
views 92 2

Stats/Monitor each VPN Tunnel

Hello guys,

We have about 100 VPN tunnels (site-to-site). We would like to accomplish the following:

1. Capture statistics (OID) of each VPN tunnel, and see the throughput of each tunnel on our monitoring system (not the summary).
2. Is there a way we can get alerts (status of the VPN tunnel) in case it's down? Looking to get an OID for the status of each VPN tunnel.

I've contacted the support team a few times; unfortunately, I didn't get any meaningful answer. Thank you!
Taekyoon-kim
Taekyoon-kim inside General Topics 12 hours ago
views 2288 10

What happens when a license expires?

Hi!

What happens when a license expires? If the licenses for each device expire, can I still use the features I used before? And what features are available and what are not? I wonder about:

1. Smart-1
2. Collector
3. TE

Thank you for taking the time to ask.
Martin_Oles
Martin_Oles inside General Topics 12 hours ago
views 1324 5 1

Connection rematch after policy installation

Hi,

Recently a customer started to complain about random traffic disruption. During investigation I found that the reported time coincides with policy installation on a VSX R77.30 gateway with HFA 338 and a few virtual systems. During debug I found that the issue is related to connection rematch, which (from my point of view and understanding) does not correctly match the existing connection:

;[vs_5];[tid_0];[fw4_0];fw_log_drop_ex: Packet proto=6 10.10.10.10:3389 -> 20.20.20.20:61110 dropped by fw_handle_old_conn_recovery Reason: TCP packet that belongs to an old connection;

I would expect such a message in the case where the policy is changed in a way that a connection permitted in the "old" policy is dropped in the "new" policy, like sk140112. The expected behavior should be that during policy installation, already established connections are marked as "old". Then when the next packet arrives at the gateway, it will be checked against the new policy, and when permitted, the marking in the connection table should have its status changed back to a regular connection. But that has not happened in my case and I would like to know the reason. Furthermore, I can see this drop only in the direction server->client; the connection is established as client->server.

One solution would be to change Connection Persistence to "Keep all connections", but I do not like that due to security concerns. Secondly, I have many VSX clusters on R77.30 and only two of them, with HFA 338, are subject to this drop. To make it even less clear, on one gateway I can see this behavior on all virtual systems, on the second cluster only on a few virtual systems. So to me it looks more like a software defect and not a design issue.

Do you have any tips on how to debug it? Did I miss something?

Thank you.
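A small triage helper for the situation described above, added here as an example and not part of the original post or any Check Point tool: it parses fw_log_drop_ex lines in the format quoted in the post, keeps only drops attributed to fw_handle_old_conn_recovery, and classifies each one as client->server or server->client against a set of connections known to have been established before policy install, then counts them per virtual system. The established-connection set is an assumption (in practice you would record it from the gateway's connections table before installing policy); the sample lines other than the one quoted in the post are constructed, and the second handler name is a placeholder.

```python
"""Triage helper for fw_handle_old_conn_recovery drops across virtual systems.

Added example, not Check Point code. Parses fw_log_drop_ex lines in the form
quoted in the post and breaks old-connection drops down by virtual system and
by direction relative to a pre-recorded set of established connections.
"""
import re
from collections import Counter

DROP_RE = re.compile(
    r"\[(?P<vs>vs_\d+)\];\[tid_\d+\];\[fw4_\d+\];fw_log_drop_ex: "
    r"Packet proto=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) dropped by (?P<handler>\w+) "
    r"Reason: (?P<reason>[^;]+)"
)


def parse_drop(line):
    """Return the drop's fields as a dict, or None for lines in another format."""
    m = DROP_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    for key in ("proto", "sport", "dport"):
        d[key] = int(d[key])
    d["reason"] = d["reason"].strip()
    return d


def direction(drop, established):
    """established: set of (client_ip, client_port, server_ip, server_port)
    tuples recorded before policy install (assumption). A drop whose 4-tuple
    matches a known connection in reverse is a server->client reply."""
    fwd = (drop["src"], drop["sport"], drop["dst"], drop["dport"])
    rev = (drop["dst"], drop["dport"], drop["src"], drop["sport"])
    if fwd in established:
        return "client->server"
    if rev in established:
        return "server->client"
    return "unknown"


def summarize(lines, established):
    """Count old-connection-recovery drops per (virtual system, direction)."""
    counts = Counter()
    for line in lines:
        d = parse_drop(line)
        if d and d["handler"] == "fw_handle_old_conn_recovery":
            counts[(d["vs"], direction(d, established))] += 1
    return counts


# Constructed sample: the first line is the one quoted in the post; the others
# are made up in the same format ("example_other_handler" is a placeholder).
SAMPLE_LINES = [
    ";[vs_5];[tid_0];[fw4_0];fw_log_drop_ex: Packet proto=6 10.10.10.10:3389 -> 20.20.20.20:61110 dropped by fw_handle_old_conn_recovery Reason: TCP packet that belongs to an old connection;",
    ";[vs_5];[tid_1];[fw4_1];fw_log_drop_ex: Packet proto=6 10.10.10.10:443 -> 20.20.20.21:52001 dropped by fw_handle_old_conn_recovery Reason: TCP packet that belongs to an old connection;",
    ";[vs_7];[tid_0];[fw4_0];fw_log_drop_ex: Packet proto=6 20.20.20.22:50000 -> 10.10.10.11:22 dropped by fw_handle_old_conn_recovery Reason: TCP packet that belongs to an old connection;",
    ";[vs_7];[tid_0];[fw4_0];fw_log_drop_ex: Packet proto=17 20.20.20.23:5353 -> 10.10.10.12:53 dropped by example_other_handler Reason: constructed placeholder;",
]

# Assumption: connections present in the table before policy install, client side first.
ESTABLISHED = {
    ("20.20.20.20", 61110, "10.10.10.10", 3389),
    ("20.20.20.21", 52001, "10.10.10.10", 443),
    ("20.20.20.22", 50000, "10.10.10.11", 22),
}

if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE_LINES, ESTABLISHED).items()):
        print(key, n)
```

Run over a real kernel debug capture, a result that is almost entirely server->client for one virtual system and empty for another is exactly the asymmetry the post describes, and narrows the comparison between the affected and unaffected VSX clusters to the rematch of reply packets.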
Alexander_Wilke
Alexander_Wilke inside General Topics 13 hours ago
views 6577 14 2

VMAC Mode on R80.10

Hi,

What do you think about the fact that R80.10 Gateways in VMAC Mode (ClusterXL, High Availability, Active/Standby) only publish their VMAC to clients for ingress traffic, but for egress traffic the Gateway will always use its physical MAC address and not the VMAC?

So clients address the firewall using the VMAC of the firewall, but all traffic outgoing from the firewall to clients/servers has the physical MAC address as source address. So it is a kind of "asynchronous MAC address routing": clients send traffic to the VMAC, the firewall sends traffic with the physical MAC.

So is VMAC mode really what it should be, or should it better be named "VMAC lite"? What do you think is the reason for not using a real "VMAC" for all kinds of traffic, like e.g. Cisco is doing with HSRP? Performance issues? Bad internal design?

Regards
net-harry
net-harry inside General Topics 19 hours ago
views 69 2

Multiple firewall licenses on the same security gateway

If we have a security gateway running a 2-core firewall-only license (CPSG-2C-FW) and we need additional capacity, could we purchase an additional CPSG-2C-FW and be licensed for 4 cores on the security gateway, or do we need to purchase CPSG-4C-NGTP (4 cores with Next Generation Threat Prevention)?

Thanks,
Harry
Dmitry_Barantse
Dmitry_Barantse inside General Topics yesterday
views 5562 8

clusterxl vmac and proxy arp

Hi team,

I have a question about the ClusterXL VMAC option and NAT with proxy ARP. What MAC should be in the proxy ARP configuration for manual and automatic static NAT? I think that in both cases it should be the virtual MAC. Am I right?
C_M
C_M inside General Topics yesterday
views 64 1

Ansible

I thought I read that Check Point was going to release more Ansible materials on their github site in October. I haven't seen anything new. Is there a set release date or any additional information?
mbsm
mbsm inside General Topics yesterday
views 110 2

Identity Collector Users unable to browse to internet

Hi,

We successfully implemented Identity Collector and it is working on R80.30. But we encountered a problem: when the user is connected through WiFi they are able to browse the internet, but when the user disconnects from WiFi and then connects through a LAN cable, the user is unable to browse the internet. By the way, the WiFi network is different from the LAN. Our workaround is to log in through the captive portal or restart the laptop.

Is there a solution for this issue? Or is this a limitation of the Identity Collector? I appreciate your answers.
g0t0
g0t0 inside General Topics yesterday
views 62 2

Security Gateway upgrade - From SecurePlatform r77.30 to Gaia r80.10

Hi,

First of all, sorry if this topic has been answered before. I will have to do an upgrade of a security gateway cluster from SecurePlatform (yeah, I know) to Gaia R80.10 and I need to clarify some things.

I'm planning to do a connectivity upgrade on a 4800 appliance two-member cluster as explained here:
https://sc1.checkpoint.com/documents/Best_Practices/Cluster_Connectivity_Upgrade/html_frameset.htm

So my questions are:
- In case of a need to roll back after an R80.10 clean install on a member, can I revert to a SPLAT R77.30 snapshot on an R80.10 installation?
- I didn't notice anything in the limitations regarding this upgrade. Is anyone aware of any?
- Am I missing something?

Thanks in advance.
Sergio.
Anderson_DaSilv
Anderson_DaSilv inside General Topics yesterday
views 112 2

CloudGuard ARM Template

Hi Community,

I am trying to deploy CloudGuard in Azure via ARM templates, but I am hitting an issue with the artifacts location parameters. As I can see in the template, the artifacts location is no longer hard coded; instead it uses the deployment function to call the artifacts URI.

Long story short, when I run the template installation from local files on my computer, I get the error below saying that the templateLink doesn't exist:

Apparently it happens because the deployment function does not respond with the templateLink information if you run the deployment using local templates. Has anyone run into this issue before? Trying to install R80.30 using the ARM template version below:

"templateVersion": "20190805"

Thanks in advance.
Yifat_Chen
inside General Topics yesterday
views 2384 3 2
Employee+

New Jumbo Hotfix (Take 203) Ongoing Release

A new Ongoing Jumbo Hotfix Accumulator take for R80.10 (take 203) is available. Please refer to sk116380.

R80.10 JHF Take #203 content (Issue #: Resolved Issue Description):

MTR-31335: Added support for 6500 and 6800 appliances. Refer to sk139932.
PMTR-33029, SMCPOL-195: OSE policy cannot be viewed without installing it on the device.
PMTR-29497, PRHF-1960: Manual changes in INSPECT files under the $FWDIR/lib directory of compatibility packages are not synchronized from active to standby Management servers. Refer to sk143792.
PMTR-29584, PMTR-29856, PMTR-29855: Policy installation fails with "IPv6 addresses domain is not supported for Remote Access VPN community" message when using a Domain object in the Remote Access encryption domain. Refer to sk142832.
PMTR-29921, PMTR-28958, PMTR-29923: "Error retrieving results" message is displayed in SmartConsole after searching for unused objects in Object Explorer.
PMTR-23744, MCFG-80: Unjustified validation error is displayed when installing Threat Prevention policy on a Cluster object: "Threat Prevention requires topology to be defined. At least one internal, one external, and no undefined interfaces are required. Incorrectly defined topology impacts performance and security. Please install both Access Control and Threat Prevention policies after fixing the topology."
PMTR-28643, PMTR-28557: In some scenarios, running the fwm sic_reset command from a Domain fails with "reset_objects: updateMultiple failed" message. Refer to sk142512.
PMTR-17991, PRHF-359, PRHF-714: In some scenarios, the Interpreter process stops working. Refer to sk132892.
PMTR-21787: CPView is not supported on Multi-Domain Security Management environments.
PMTR-8603, PMTR-30286: Multi-Domain Management GUI randomly does not reflect Domain Management object changes.
PMTR-31520, PMTR-31800: When using the "add/set simple-gateway" API command and specifying backup log servers, the input servers are not saved in the same order as listed in the request.
PMTR-34013, API-595: Number of sessions in the "Changes" list does not match the value of 'total'.
PMTR-28058, PMTR-31248: When an administrator publishes a session for a different administrator, the name of the administrator that invoked the action is written in the audit logs as the publisher.
PMTR-12448, PMTR-12430: When searching in the SmartConsole main search bar for network groups, a certain number of network groups is shown, but the search inside the Logical Server object shows a different number of Logical Server object groups.
PMTR-30570, IDA-1120: Group update request is sent specifically to the originator LDAP server even if it is down. Refer to sk127833.
PMTR-21207, PMTR-20424: In rare scenarios, Security Gateway runs out of kernel memory and may stop processing traffic, printing a "double record of connection" message in the /var/log/messages file. Refer to sk143432.
PMTR-31314, PRHF-2244: In some scenarios, TCP state information is not displayed in the log despite being enabled in SmartConsole.
PMTR-21080, UP-251: A large number of Time objects used in the rule base may cause rulebase matching failures resulting in connectivity issues.
PMTR-17490, PRHF-642: When working with NAT on DNS payload and having disabled NAT rules, NAT on DNS payload may not work. Refer to sk132032.
PMTR-28414, PMTR-30657: When X-Forwarded-For (XFF) settings are enabled on one of the policy layers and/or on the Security Gateway object, the /var/log/messages file shows errors related to asynchronous identity fetch. Refer to sk145673.
PMTR-11999, PMTR-3286: In some scenarios, creation of a new gateway upgrade to R80.10 fails with "An internal error has occurred. (Code: 0x8003001D, Could not access file for write operation)" message.
PMTR-25755: In some scenarios, IPS purge causes a deadlock for some GUI clients, resulting in a "Timeout error".
PMTR-31100: In some scenarios, extracted Microsoft Azure files contain only blank pages.
PMTR-24066, PRHF-134: Non-ASCII named files cause the undecoded non-ASCII characters to appear in the Threat Emulation log.
PMTR-27876, AVIR-370: Traffic from the client to the bogus IP address is handled according to the Access Control policy, but not logged as "prevented". Refer to sk141853.
PMTR-30608, PMTR-29583: In rare scenarios, when the Log server miscalculates the available disk space, it may stop receiving logs from the connected gateways and cause the logs to accumulate locally on the Security Gateway. Refer to sk146152.
PMTR-30217, TPM-1378: "A general error has occurred" message appears when trying to edit the IPS Protection settings.
PRHF-523, PMTR-16583: Some SMTP-related IPS Core Protections remain enabled despite IPS being disabled.
PMTR-31135, SA-99: Mobile Access Portal Agent installation page is vulnerable to XSS attack in Chrome and Firefox.
PMTR-15461, PMTR-21043, PMTR-28348: Added support for the i40evf driver.
PMTR-22503, MB-166, PMTR-28064: In some scenarios, virtio_net is not able to run multiqueue.
PMTR-35032: Important security update for IPSec Site-to-Site (S2S) VPN.
PMTR-27144, 02657434: Improved connectivity with 3rd party VPN peers using IKEv2. Refer to sk120835.
PMTR-30870, PMTR-21587: Connectivity improvements for certain Windows L2TP client versions. Refer to sk145895.
PMTR-19379, PMTR-23292, PMTR-23293, 02031663: The CLISH command "show arp table dynamic all" and Bash command "arp -an" show different entries. Refer to sk112753.
PMTR-15738, PRHF-270: In some scenarios, the routed process stops working when a VPN tunnel interface is deleted without removing the dynamic routing protocols.
PMTR-18254, PMTR-18255, EPS-17135: In some scenarios, SmartEndpoint shows different numbers of reported "Anti-Malware signature was not upgraded in the last 72 hours" between the warnings and the Active alerts section.
PMTR-32542, PMTR-32187: After new Domain creation, logs from this Domain are not seen in SmartConsole.
PMTR-28470, PMTR-329: Before R80.10 Jumbo Hotfix Accumulator Take 189, the Probing feature is set, by default, to Fail Open. From Take 189, the default behavior is changed to Fail Close. Refer to sk104717.

Thanks,
Release Managers Groups
C_M
C_M inside General Topics yesterday
views 50 1

GAIA API

Any set release dates for more commands/options via the GAIA API? Last I checked it was quite limited.
Jeff_Gao
Jeff_Gao inside General Topics yesterday
views 2709 21 1

Physical memory is high

Dear all,

My CP23500 has 16G memory and traffic is low, but memory usage is high, as follows:

Why is this? Thanks!
shavat_zalpuri
shavat_zalpuri inside General Topics yesterday
views 85 4

Need help in understanding multi core vpn in r 80.x

Hi All,

It would be a great help if you could point me to a document which gives detailed information on multi-core VPN in R80.x: the different VPN types and how they run on different cores.

Regards,
Shavat Zalpuri
HeikoAnkenbrand
HeikoAnkenbrand inside General Topics yesterday
views 1958 1 12

R80.20 - SYN Defender on SecureXL Level

I think the new feature "Accelerated SYN Defender" is a good choice to effectively prevent "SYN Flood Attacks" on Check Point Gateways with SecureXL enabled.

A TCP SYN Flood attack occurs when a host, typically with a forged IP address, sends a flood of TCP [SYN] packets. Each of these TCP [SYN] packets is handled as a connection request, which causes the server to create a half-open (unestablished) TCP connection. This occurs because the server sends a TCP [SYN+ACK] packet and waits for a response TCP packet that does not arrive. These half-open TCP connections eventually exceed the maximum available TCP connections, which causes a denial of service condition.

The Check Point Accelerated SYN Defender protects the Security Gateway by preventing excessive TCP connections from being created. The Accelerated SYN Defender uses TCP [SYN] Cookies (particular choices of initial TCP sequence numbers) when under a suspected TCP SYN Flood attack. Using TCP [SYN] Cookies can reduce the load on the Security Gateway and on computers behind the Security Gateway. The Accelerated SYN Defender acts as a proxy for TCP connections and adjusts TCP [SEQ] and TCP [ACK] values in TCP packets.

You can find more in the manual under:
fwaccel synatk
fwaccel6 synatk

Regards,
Heiko
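To make the two mechanisms in the post concrete, here is a Python model of a SYN-cookie handshake followed by the SEQ/ACK rewriting a SYN proxy has to do once it splices the client to the real server. This is an added example, not Check Point's Accelerated SYN Defender code or the SecureXL implementation; the cookie bit layout, the HMAC secret, the MSS table and the two-minute validity window are assumptions chosen for readability, and the addresses and sequence numbers are constructed.

```python
"""SYN cookies and SYN-proxy sequence translation, modelled in Python.

Added example, not Check Point code. Models (1) encoding the handshake in the
server-side initial sequence number so a suspected SYN flood creates no
half-open state on the gateway, and (2) once a client completes the
handshake, splicing it to the real server and rewriting SEQ/ACK so both ends
see consistent numbers. Layout, secret and MSS table are assumptions.
"""
import hashlib
import hmac

MASK32 = 0xFFFFFFFF
SECRET = b"per-boot-secret-assumption"        # assumption: rotated at boot
MSS_TABLE = [536, 1220, 1440, 1460]           # assumption: 2-bit MSS encoding


def _mac(src, dst, sport, dport, counter):
    """25-bit keyed hash over the 4-tuple and the minute counter."""
    msg = f"{src}|{sport}|{dst}|{dport}|{counter}".encode()
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big") & 0x1FFFFFF


def make_cookie(src, dst, sport, dport, mss, now):
    """ISN the proxy places in its SYN+ACK; nothing is stored per SYN.
    Layout (assumption): bits 31-27 minute counter, 26-25 MSS index, 24-0 MAC."""
    counter = (now // 60) & 0x1F
    fits = [i for i, m in enumerate(MSS_TABLE) if m <= mss]
    mss_idx = fits[-1] if fits else 0
    return (counter << 27) | (mss_idx << 25) | _mac(src, dst, sport, dport, counter)


def check_cookie(src, dst, sport, dport, ack, now):
    """Validate the client's final ACK (cookie + 1) with no stored state.
    Returns the MSS recovered from the cookie, or None if forged or expired."""
    cookie = (ack - 1) & MASK32
    counter = cookie >> 27
    mss_idx = (cookie >> 25) & 0x3
    cur = (now // 60) & 0x1F
    if counter not in (cur, (cur - 1) & 0x1F):   # accept current and previous minute
        return None
    if (cookie & 0x1FFFFFF) != _mac(src, dst, sport, dport, counter):
        return None
    return MSS_TABLE[mss_idx]


def splice_delta(cookie_isn, server_isn):
    """Offset between the ISN the client believes in and the real server's ISN,
    learned from the server's SYN+ACK when the proxy opens the back-end leg."""
    return (server_isn - cookie_isn) & MASK32


def client_to_server(pkt, delta):
    """Client's SEQ is untouched (the proxy reused it toward the server);
    its ACK is shifted into the server's sequence space."""
    return {**pkt, "ack": (pkt["ack"] + delta) & MASK32}


def server_to_client(pkt, delta):
    """Server's SEQ is shifted back into the cookie's sequence space
    so the client sees the ISN it originally acknowledged."""
    return {**pkt, "seq": (pkt["seq"] - delta) & MASK32}


if __name__ == "__main__":
    now = 1_700_000_000
    peer = ("198.51.100.7", "203.0.113.10", 40000, 443)
    c = make_cookie(*peer, 1460, now)
    print("cookie ISN", hex(c), "recovered MSS", check_cookie(*peer, (c + 1) & MASK32, now))
    print("spoofed src accepted?", check_cookie("198.51.100.8", *peer[1:], (c + 1) & MASK32, now))
```

The point the model makes is the trade-off behind the feature: while the cookie is in use, a flood of spoofed SYNs costs the gateway a hash per SYN+ACK and no memory, but TCP options that do not fit in the cookie are lost (here only a coarse MSS survives), and a legitimate ACK that arrives after the validity window is silently rejected, which is why such a defender is meant to be switched on under suspected attack rather than permanently.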