minhhaivietnam inside General Topics 26m ago
views 35 3

ICMP reply does not match a previous request

Hello friends, I have multicast topology like this: Router1(receiver multicast)------>Checkpoint R80------->Router2-----Router3(Multicast sender) All devices run PIM-SM mode. On router1: I join group router2: ping to Not success I check log on firewall and see that this error Please help me Thanks a lot!!
minhhaivietnam inside General Topics 27m ago
views 26 1

Static Nat seems not working with multicast

Hi all, I have a topology running multicast: router1(multicast receiver)----checkpoint r80----router2(RP)---router3(multicast sender). All devices run pim-sm. The above network runs fine without NAT. But when I set static NAT on the firewall: IP of router1---> translate to a.b.c.d, then on router1, I send "igmp join" toward the RP (router2). In the log, I see that the igmp packet is forwarded to the firewall, but the packet is not NATed to a.b.c.d (above IP address), and not forwarded through the firewall. So my question is if checkpoint r80 supports multicast NAT source? If yes, how can I config it? Thank you!!
Dawei_Ye inside General Topics 4 hours ago
views 15809 12

tcpdump and fw monitor missed packets

We are digging into an issue with our application department. In testing by our QA dept., the http connection could have a 5-6s latency occasionally. So we did a packet capture. The normal post and response: The post where latency occurs is as follows: You can see the red column should be the POST request but the tcpdump shows "not captured", and we also captured via fw monitor: we can only see the POST request but no response: Have you guys met this issue before?
Di_Junior inside General Topics 5 hours ago
views 37 1

ISP IP Blacklist

Dear Mates, This is not a technical question but it is more like a general question on which I would really appreciate your feedback. We are an ISP, and we provide services to many enterprises. Our clients are usually finding the IP addresses we allocate to them in some blacklists, which sometimes prevents them from using certain services on the Internet, until the IPs are removed from the blacklist. Taking into account that we do not have control over what our clients do to get them blacklisted, I would like to know whether there is something we as the ISP can do in order to minimize the risk of our clients getting blacklisted. Thanks in Advance
Nick_Doropoulos inside General Topics 5 hours ago
views 103 3

CoreXL limitations on R80.30

Can I just confirm that the existence of route-based VPN does not allow CoreXL to be used even on R80.30? According to the CoreXL limitations as per sk61701 it would appear that that is the case but I wanted to double-check anyway. Thanks.
Jeff_Gao inside General Topics 6 hours ago
views 1956 15 1

Physical memory is high

Dear all, My CP23500 has 16G memory and traffic is low, but memory is high, as follows: Why is this? Thanks!
Albert_Chang inside General Topics 6 hours ago
views 181 7

Packets from IPSec tunnel were dropped. It seems there is an issue on the coreXL connections table

Our security gateway sometimes drops packets from IPSec tunnel. The workaround is usually to reinstall policy and the issue will be fixed for a few days. By using the "fw ctl zdebug drop" to capture the drop message, it says "failed to resolve SA (VPN Error code 01)". But in the kernel debug, it looks like it cannot find the connection in the connections table. Has anyone encountered a similar issue and has a solution? Thanks in advance!
;20Jun2019  3:30:27.466084;[cpu_1];[fw4_2];fwconn_lookup: not found in connections table;
;20Jun2019  3:30:27.466088;[cpu_1];[fw4_2];forward_if_not_mine: forwarded to another instance (rc=0);
....
;20Jun2019  3:30:27.466102;[cpu_1];[fw4_2];fwconn_key_lookup_ex: conn IPP 10,0,0,0,0,UUID: 00000000-0000-0000-00-0-0-0-0-0-0-0, 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0>  not found in connections table;
.....
;20Jun2019  3:30:27.466268;[cpu_1];[fw4_2];fwconn_key_lookup_ex: conn IPP 10,0,0,0,0,UUID: 00000000-0000-0000-00-0-0-0-0-0-0-0, 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0>  not found in connections table;
;20Jun2019  3:30:27.466282;[cpu_1];[fw4_2];   vpnk_conn_log: in the kernel  - calling fwchainlog_delayed_rulebase_log with alert -1 ;
;20Jun2019  3:30:27.466284;[cpu_1];[fw4_2]; action = 0  schemename = IKE  user =  methods = ESP: AES-256 + SHA384 + PFS (group 2)  fail_reason = Encryption/Decryption failure, failed to resolve SA (VPN Error code 01)  xpo_loghandle = 0 community_loghandle = 0
sdjohnson2019 inside General Topics yesterday
views 132 4

Upgrade path from R77.30 to R80.30

Hello All, Can you advise me? I have read various docs on Checkpoint's website & various knowledge boards. My initial understanding is that if I wanted to upgrade from R77.30 to R80.30 I would have to build a new server & run through the upgrade verifier, export & import database steps. But as I have started to read more there seems to be a straightforward upgrade path via CPUSE. Or am I reading the documentation wrong? Thanks for any advice.
Extract from Installation and Upgrade Guide R80.30
From R7X to R80.30:
1. Upgrade the Primary Security Management Server.
2. Perform a clean install of the Secondary Security Management Server.
3. Connect the Secondary Security Management Server to the Primary Security Management Server.
Step 2. Why ???? There is no explanation
Chinmaya_Naik inside General Topics yesterday
views 130 2

Configure Gaia with TACACS+ Authentication for SmartConsole (Query)

Hi Team, I refer to sk101573 (How to configure Gaia OS to work with a TACACS+ server). Below are the configuration details. VMware:12 Pro NOTE: We successfully login with GAIA portal using TACACS user (User defined in TACACS+ Server). But unable to login with SmartConsole. Configuration Step Taken : File Name : tac_plus.conf (Location : /etc/tacacs+/tac_plus.conf) Step1 Step2 Step3 Step4 Step5 Configuration for SmartConsole Login Step6 Step7 Step9 Unable to find any logs in messages file. Step10 As I know, for "Authentication to server failed" logs are not generated in the messages file. Please confirm whether this is a right configuration, because we are unable to login with SmartConsole but able to login with GAIA portal. Thank you, Regards @Chinmaya_Naik
inside General Topics Friday
views 124 4

1GB to 10GB interface upgrade

Hello everyone, I have a task to upgrade a firewall appliance from 1GB to 10GB on their interfaces. The issue I have is this appliance is running r75.30 on SPLAT. I haven't used SPLAT in a very long time. Does anyone know what the commands even are to do this? Another question is what is the SPLAT command to get the configuration of the appliance. In GAIA it's simply show configuration. Don't know what the command is in SPLAT. Any help is appreciated. Thanks. Regards!
REconfigure inside General Topics Friday
views 112 1 5

fw ctl conntab - R80.20 strange behaviour - random TCP session timeout values

Hi Community! After upgrading to R80.20 I verified the session tables of our fw gateways with the "fw ctl conntab" command. I found out that all upgraded gateways have random TCP session timeouts displayed for a session, and not the actually configured value for the service. I checked it on more than 20 different gw's, it's always the same. For a global value of 7200 sec, there is sometimes 4642 or even as low as 1058 sec, or higher, 7205 etc., in the output next to the TTL - same rule/same service. In older versions like 77.20 it's always exactly the configured value, for example 7200 sec, in the output. Can anyone verify this? Is this only cosmetic or could this lead to sessions falling out of the table too soon? Attached you can find screenshots with example output of a R77.20 and R80.20 gateway.
Anderson_DaSilv inside General Topics Friday
views 20

CloudGuard ARM Template

Hi Community, I am trying to deploy cloudguard in Azure via ARM templates, but I am hitting an issue with the artifacts location parameters. As I can see in the template, the artifacts location is no longer hard coded, instead it is using the deployment function to call the artifacts uri. Long story short, when I run the template installation from local files on my computer, I get the error below saying that the templateLink doesn't exist: Apparently it happens because the deployment function does not respond with the templateLink information if you run the deployment using local templates. Anyone ran into this issue before? Trying to install r80.30 using ARM template version below: "templateVersion": "20190805" Thanks in advance.
jfabian inside General Topics Friday
views 92 1


I have several VPNs against AWS, it happens that at random there is no more traffic. When the fault occurs, there are the following symptoms:
-Up Tunnel
-Phase 1 and Phase 2 established
The problem is resolved when we restart IKE at the checkpoint (vpn tu - 7), but after a while it happens again. The configuration of my tunnel is as follows:
IKEv1 Phase I.
-Encryption Algorithm: AES-128
-Data Integrity: SHA1
Diffie-Hellman group: Group 2 (1024bit)
Phase II
-AES-128
Data Integrity: SHA1
IKE Security Association (Phase2): Use perfect Forward Secrecy (group 2)
IKE Phase I. Renegotiate IKE Security associations every (minutes): 480
IPsec (Phase 2): Renegotiate IPsec security associations every (seconds): 3600
NAT: Disable NAT inside the VPN community
DPD configured in the Cluster and AWS Community
VPI and Ping interfaces on static routes
Tunnel Management
-Permanent tunnels: establish permanent tunnels: in all the tunnels of the community.
-VPN Tunnel Sharing: One VPN tunnel per Gateway pair.
VPN ROUTING: to center or, even the center, other satellites, the Internet and other VPN objectives
DPD configured in the Cluster and AWS Community
VPI and Ping interfaces on static routes
When I see the records, it's dropping by rule clean up. Please your support, the TAC still does not find the cause
Rajput_Arvind inside General Topics Friday
views 78 3

Splunk Support with R80.10

Hi All, We are upgrading MDS from R77.30 to R80.10. Currently Splunk is integrated with R77.30 MDS. Do we need to perform any step on R80.10 MDS to make the Splunk work with R80.10 CMA? Some documents say Splunk Add-On for Checkpoint needs to be installed on Splunk itself. But some documents say Log exporter also needs to be installed on R80.10 MDS. Please share your thoughts. Thanks, Arvind Singh
sdjohnson2019 inside General Topics Friday
views 58 3


Hello All, I have a task of upgrading some Checkpoint firewalls. None of the firewalls have internet connectivity from the CPUSE software, but I have managed to download the updated software to my laptop & then import to the firewalls. But one firewall is not playing ball, in the CPUSE GUI it doesn't even have the IMPORT option. R77.30 Deployment Agent build 1677. But I can import the software via the backup software panel, so the software is on the firewall in the following path /var/log/CPbackup/backups/Check_Point_R77_30_JUMBO_HF_1_Bundle_T345_FULL.tgz & /var/log/CPbackup/backups/Check_Point_R77_30_JUMBO_HF_1_Bundle_T345_FULL.tar So I am now trying to follow the document below. > lock database override Import the package from the hard disk: Note: When import completes, this package is deleted from the original location. Import package from hard disk ???????? How ?? To me this doc bypasses the most important bit of info ??? I will keep looking for info as well. Ta. Any ideas? Thanks anyone.