General Topics

Have a question and you can't figure out where to post about it after reading All Products and Where to Post About Them? Post it here!

mselecky
mselecky inside General Topics an hour ago
views 34 2

site-to-site VPN - Encryption domain issue

Hello,

I am facing a strange issue. We have a site-to-site VPN with a 3rd party. We have Check Point, they have Sophos UTM. The tunnel is working in only one direction:
- Sophos >> Check Point - working fine
- Check Point >> Sophos - not working

The IKEView tool says Phase 1 is OK; Phase 2 is failing when Check Point initiates the tunnel. Only QM packet 1. After that I receive an error:

Notify Payload
Next Payload: NONE
Reserved: 0
Length: 00 0c (12)
DOI: 00 00 00 01 (1)
ProtID: 1
SPI Size: 0
Notify Type: 18 (INVALID-ID-INFORMATION)

I also noticed this in vpnd.elg:

[] vpn_ipsec_spi_notify: spi 0, 127.0.0.1, peer x.x.x.x, proto 50, my range 172.16.16.0-172.16.16.255, peer range 192.168.203.0-192.168.203.255,

However, in the dashboard I have:
My encryption domain: 172.16.16.0/24
Interoperable device encryption domain: 192.168.200.0/22

From the CLI I am getting the correct encryption domain:

5:04:09 x.x.x.x > :(+);From:192.168.200.0;,To:192.168.203.255;CPTFMT_sep:;;Peer:x.x.x.x;,allowed_peers_table_id:0;,gw_conf:0;,community_id:5;,subnet_support:1;,from:192.168.200.0;,to:192.168.203.255;product:VPN-1 & FireWall-1;product_family:Network

Any ideas/hints on what to check or change to get this working? Thanks indeed.
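As an added example, not part of the post above or of any Check Point tool: a small Python check that parses the `vpn_ipsec_spi_notify` line from vpnd.elg and compares the Phase 2 ranges the gateway actually proposed against the encryption domains configured on each side. The log line and the domain values are taken from the post (with the peer IP replaced by a documentation address); the rule that the remote side only accepts a selector identical to its own configured domain is an assumption about the peer, and the function names are my own.

```python
"""Compare the Phase 2 selectors a gateway proposed (vpnd.elg) with the
encryption domains configured on both ends of a site-to-site VPN.

Added example. The log excerpt is constructed from the post; the verdict
'subset' encodes the assumption that the peer insists on an exact match.
"""
import ipaddress
import re

# Constructed from the vpnd.elg excerpt in the post; peer IP is a dummy.
VPND_LINE = (
    "[] vpn_ipsec_spi_notify: spi 0, 127.0.0.1, peer 198.51.100.1, proto 50, "
    "my range 172.16.16.0-172.16.16.255, peer range 192.168.203.0-192.168.203.255,"
)

SPI_NOTIFY_RE = re.compile(
    r"vpn_ipsec_spi_notify:.*?peer (?P<peer>[\d.]+).*?"
    r"my range (?P<my_lo>[\d.]+)-(?P<my_hi>[\d.]+).*?"
    r"peer range (?P<peer_lo>[\d.]+)-(?P<peer_hi>[\d.]+)"
)


def _range_to_networks(lo, hi):
    """Collapse an inclusive first-last address range into CIDR networks."""
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(lo), ipaddress.ip_address(hi)))


def parse_spi_notify(line):
    """Return (peer_ip, local_networks, remote_networks) from one log line."""
    m = SPI_NOTIFY_RE.search(line)
    if not m:
        raise ValueError("not a vpn_ipsec_spi_notify line")
    return (m["peer"],
            _range_to_networks(m["my_lo"], m["my_hi"]),
            _range_to_networks(m["peer_lo"], m["peer_hi"]))


def check_selector(proposed, configured):
    """Classify each proposed selector against one configured domain.

    'match'    identical to the domain
    'subset'   inside the domain but narrower (assumed to be rejected by a
               peer that requires an exact match)
    'superset' wider than the domain
    'outside'  not covered by the domain at all
    """
    domain = ipaddress.ip_network(configured)
    verdicts = []
    for net in proposed:
        if net == domain:
            verdict = "match"
        elif net.subnet_of(domain):
            verdict = "subset"
        elif net.supernet_of(domain):
            verdict = "superset"
        else:
            verdict = "outside"
        verdicts.append((str(net), verdict))
    return verdicts


def diagnose(line, my_domain, peer_domain):
    """Run both checks for one spi_notify line."""
    peer, local, remote = parse_spi_notify(line)
    return {"peer": peer,
            "local": check_selector(local, my_domain),
            "remote": check_selector(remote, peer_domain)}


if __name__ == "__main__":
    report = diagnose(VPND_LINE, "172.16.16.0/24", "192.168.200.0/22")
    for side in ("local", "remote"):
        for net, verdict in report[side]:
            print(f"{side:6s} proposed {net:20s} -> {verdict}")
```

With the values from the post the local selector reports `match` and the remote one reports `subset`: the gateway proposed 192.168.203.0/24 while the interoperable device object holds 192.168.200.0/22, so the two sides disagree on how the remote domain is split into Phase 2 selectors, which is the first thing to reconcile before looking anywhere else.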
TheRealDiZ
TheRealDiZ inside General Topics 3 hours ago
views 144 6

Failover between different HW with cphacu

Hi wonderful CheckMates!

I've got a quick question for you: I just want to do a zero-downtime upgrade. I'm upgrading R77.20 4400s to brand new 5600 appliances with R80.30. Do you think that with different HW the cluster will be in Active/Down and cphacu start will work? I've never tried it before, but I think with the same CoreXL instances it will work.

D!Z
Tommy_Forrest
Tommy_Forrest inside General Topics 4 hours ago
views 67 4

Pushing policy destroys Skype calls

Does anyone else have issues where, when they push policy to their internet edge gateway, Skype calls are utterly destroyed for a solid 30-90 seconds?

We have a 3-node cluster in HA mode running on 15600 gateways with R80.10 (our R80.30 migration starts in December). CPUs average around 30% at peak during the day. Connection Persistence is configured for "Keep all connections".

The time of day (or load) when policy is pushed does not matter. We can push it at 4am and it will disrupt Skype calls.

What is the solution for this? Aside from only pushing policy after hours (which will be an enormous burden to my team).
Di_Junior
Di_Junior inside General Topics 8 hours ago
views 59 2

Publishing a service with multiple DNS records associated with a single Public IP using Check Point

Dear Mates,

We wish to migrate one of our critical services from TMG to Check Point. Most of the services have already been migrated except this one last service.

Currently, the service has 4 DNS records associated with a single public IP; the public IP is then NATed internally to a private IP of the TMG Proxy. Take into account that this service runs on three machines which were put into a pool of a single DNS record internally. So the Proxy has a rule like:

Source: Any
Destination: DNS record (a single DNS record where all the machines were added)
Service: http, https
Action: Accept

How can we translate this configuration to Check Point? We are using R80.20.

Thanks in advance
Amir_Arama
Amir_Arama inside General Topics 16 hours ago
views 99 4

Routing bug

So we have an R80.20 Gaia cluster, with FW, VPN and IA enabled. CoreXL and SecureXL are also enabled.

A couple of days ago I added a new VLAN on an empty interface for a point-to-point link to a remote site FW, which is connected through a layer 2 line. So far so good. The FWs have a site-to-site VPN with each other. There are no static routes on that line, only encrypted traffic. This GW actually connects HQ with all branches through the main ISP line on another interface.

Today we had outages at least 7 times between HQ and all branches; each outage lasted about 10-20 seconds and recovered by itself. After checking with fw monitor, I discovered that instead of routing packets directed to the branches through the main ISP line, the FW routed those packets through the new VLAN interface that I mentioned above, and this is why the packets never arrived at their destination. I first thought that maybe I had some duplicate routes, so I checked, and there is not a single route on this VLAN interface except, of course, the directly connected point-to-point network, which is in a completely different subnet.

The things that occurred today before it started: they went to this remote site to install PCs and printers etc., which I don't believe is relevant, and I did fwaccel off and back on on this GW.

In messages I got a lot of:

kernel: [fw4_1];fwconn_recover_old_conn: connection is accelerated - cannot set handler.
kernel: [fw4_1];fwconn_recover_old_conn: handler (322) VERIFICATION_HANDLER. dropping packet

and also a lot of these:

kernel: dst_release: dst:ffff8808147852c0 refcnt:-2

I have no idea what these messages mean. It was happening for around 2 hours randomly and stopped about when they left the remote site, which again I don't believe is related. To me it looks very much like a bug, but I'm not sure why it happens just now and why with this new VLAN specifically. fwaccel off didn't solve the issue right away, but I just read that in R80.20 it does not take effect on all connections as it did before.
Nelson_Thoms
Nelson_Thoms inside General Topics yesterday
views 60 2

R80.30 upgrade of 5000 series appliance - network drop when using SFP interfaces

Hello,

We have a pair of 5200-HPP firewalls in a cluster, running R80.20. We use the SFP interfaces to connect to a layer 2 switch (Cisco). When we upgrade the firewalls to R80.30, the fiber/SFP interfaces drop and the switch says the ports are not operational. When we roll the firmware back to R80.20, the ports become operational and traffic passes. I think this issue is specific to the SFP ports on the Check Point firewall, since if I move the network configuration to the copper ports on the firewall, network operation resumes. Of course we have valid Check Point branded SFPs on the firewall side, and swapping out transceivers or using different OM4 cable does not make a difference.

Has anyone else run into issues with the SFP ports on Check Point 5000-series firewalls following an upgrade to R80.30? I've tried raising the issue with the vendor and they are not providing troubleshooting assistance, even though we can consistently demonstrate that a rollback of the firewalls to R80.20 makes the issue go away, and as soon as we complete the upgrade to R80.30 the SFP ports go down.

Cheers, hope someone out there has ideas on how to troubleshoot this!
Eric_Kiarie
Eric_Kiarie inside General Topics yesterday
views 278 4

Web pages timing out after upgrade

Good afternoon team,

I would like to inquire: I recently upgraded my firewall from an R77.30 13500 appliance to an R80.20 23000 appliance. Some websites like Zimbra email and some internal sites are timing out or are slow to open. What could be the issue that is causing my websites to time out or not be accessible?
ProxyOps
ProxyOps inside General Topics yesterday
views 47

R80.40 - Identity Awareness Questions

Hello, we are looking forward to the upcoming changes for IA in R80.40. I have two questions about the new things for IA:

1. We are currently using the Identity Broker with a special R80.10 take. How can we migrate from this special R80.10 take to R80.40? Will the existing Identity Broker configuration persist with an in-place upgrade?

2. We faced many different issues with the MUH Agent in the past and are looking forward to the upcoming improvements. Does somebody already have some insights about the mentioned "Enhancements" and "better scaling and compatibility" features?

Greetings,
Niklas
sajin
sajin inside General Topics yesterday
views 150 8

HTTPS INSPECTION SHA1 to SHA256

Hi,

I found that the Check Point HTTPS Inspection cert is SHA1, and as it is outdated we should move forward to SHA256. I followed sk115894, but when accessing, the browser is not trusting the certificate. Kindly help on resolving this issue.
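As an added check, not from the post above or from sk115894, and assuming only that the CA certificate exported from the gateway is a standard DER or PEM X.509 file: this Python script reads the outer signatureAlgorithm OID of a certificate and computes its SHA-256 fingerprint without any third-party library. Run it against the CA certificate exported after the change and against the copy installed in the browser's trust store; the first tells you whether the gateway really signs under a SHA-256 CA, the second whether the browser holds that same certificate (same fingerprint) rather than the old one. The function names and the two skeleton "certificates" used as sample input are my own constructions.

```python
"""Report the signature algorithm and SHA-256 fingerprint of an X.509
certificate with a minimal DER walk. Added example; the sample inputs are
constructed skeletons (dummy TBSCertificate and signature), not real certs.
"""
import base64
import hashlib

SIG_ALG_BY_OID = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}
WEAK_ALGS = {"sha1WithRSAEncryption", "ecdsa-with-SHA1"}


def _read_tlv(buf, pos):
    """Decode one DER TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(value):
    """Dotted form of OID content bytes (first byte packs the first two arcs)."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                   # high bit clear ends this arc
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def load_der_or_pem(data):
    """Accept raw DER bytes or a PEM block and return DER bytes."""
    if data.lstrip().startswith(b"-----BEGIN"):
        body = b"".join(l for l in data.splitlines() if not l.startswith(b"-----"))
        return base64.b64decode(body)
    return data


def signature_algorithm(der):
    """(dotted OID, name) of Certificate.signatureAlgorithm, the outer one."""
    tag, cert, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a SEQUENCE")
    _, _tbs, pos = _read_tlv(cert, 0)      # skip tbsCertificate
    _, alg, _ = _read_tlv(cert, pos)       # AlgorithmIdentifier SEQUENCE
    tag, oid, _ = _read_tlv(alg, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    dotted = _decode_oid(oid)
    return dotted, SIG_ALG_BY_OID.get(dotted, "unknown")


def is_weak(der):
    return signature_algorithm(der)[1] in WEAK_ALGS


def fingerprint_sha256(der):
    """Hex SHA-256 of the DER, as shown in browser certificate viewers."""
    return hashlib.sha256(der).hexdigest()


def _der(tag, content):
    """Minimal DER TLV encoder used only to build the constructed samples."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _skeleton_cert(oid_bytes):
    """Constructed stand-in: dummy TBS, AlgorithmIdentifier, dummy BIT STRING."""
    tbs = _der(0x30, _der(0x02, b"\x01"))                    # not a real TBS
    alg = _der(0x30, _der(0x06, oid_bytes) + b"\x05\x00")    # OID + NULL params
    sig = _der(0x03, b"\x00" + b"\xaa" * 8)                  # dummy signature
    return _der(0x30, tbs + alg + sig)


SAMPLE_SHA1 = _skeleton_cert(bytes.fromhex("2a864886f70d010105"))    # sha1WithRSA
SAMPLE_SHA256 = _skeleton_cert(bytes.fromhex("2a864886f70d01010b"))  # sha256WithRSA
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_SHA256)
              + b"-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    for name, der in (("sha1 sample", SAMPLE_SHA1), ("sha256 sample", SAMPLE_SHA256)):
        oid, alg = signature_algorithm(der)
        print(f"{name}: {alg} ({oid}) weak={is_weak(der)} fp={fingerprint_sha256(der)}")
```

For a real file, replace the samples with `signature_algorithm(load_der_or_pem(open("ca.cer", "rb").read()))`. Note that the check reads the outer signatureAlgorithm, which is what browsers evaluate; a certificate whose TBS still advertises SHA-1 but is signed with SHA-256 would be inconsistent and is not handled here.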
humt
humt inside General Topics yesterday
views 109 4

ISP Compromised - Everything become failure

My ISP has been compromised, and I have no idea what to do. The ISP was already compromised a few months back, but I thought my router was from a local company and that was the cause of such issues. But I was wrong. I have used another router and even a firewall. All have been a waste for me; the firewall fails to stop it. I have sent the report to Kaspersky, and Kaspersky says the problem is from the router side. When I search on Google, some developers say it is from the ISP side. I have formatted my system 3 times, reset the router, reset the firewall. All have failed.
Gaurav_Pandya
Gaurav_Pandya inside General Topics yesterday
views 1487 10

Route Based VPN

Hi,

I am trying to establish a route-based VPN and I have created numbered VTIs on both firewalls with the help of sk113735. But traffic is going in clear text; it is not encrypting traffic. Please let me know if any other setting, such as creating a community, needs to be done.
Rene_Rosenkrant
Rene_Rosenkrant inside General Topics yesterday
views 2254 9

Strange behaviour after R80.20 upgrade

I have a problem that occurred on R80.20. In the end we had to move a VPN. Can someone explain why you can have an ESP and ARP broadcast at the same time?

10:12:10.207381 00:12:c1:ce:90:08 > Broadcast, ethertype IPv4 (0x0800), length 134: x.x.x.x > x.x.x.x: ESP(spi=0x78e02e92,seq=0xb7), length 100
10:12:13.210228 00:12:c1:ce:90:08 > Broadcast, ethertype IPv4 (0x0800), length 134: x.x.x.x > x.x.x.x: ESP(spi=0x78e02e92,seq=0xb8), length 100
armandxhafa
armandxhafa inside General Topics yesterday
views 28

Configuring VTI encrypted tunnel, using OSPF, with 2 ISP links between checkpoints R80.10

Hi group,

I'm trying to establish encrypted VTI tunnels between a Check Point R80.10 cluster and a remote Check Point R80.10 gateway, to use them for the primary and the secondary WAN. I have configured the tunnel interfaces on each gateway and at the cluster, pointing them to the WAN objects I have on the management, using communities that encrypt everything, with blank encryption domains to give the route-based VPN priority. I have tried to use link selection, but when I have only the second link up, the OSPF on the VTI tunnels goes down. Has anyone any idea about this? Both the cluster and the remote gateway have the same management. The WAN links are 2 dedicated VLANs assigned by the 2 ISPs.

Regards,
Armand
salila
salila inside General Topics yesterday
views 103 3

Checkpoint Firewall HA Logs

Running the show routed cluster-state detailed command on my gateways, it shows the below:

Cluster Routed Pnote Change History
Timestamp Pnote State Event Description
Aug 15 19:20:49 PNOTE_OK DR Isn't Configured

Cluster Routed Pnote History
Timestamp Pnote State Event Description
Oct 16 12:45:39 PNOTE_OK Master: Sigquit Received
Oct 9 20:32:30 PNOTE_OK Master: Sigquit Received
Oct 9 20:32:05 PNOTE_OK Master: Sigquit Received
Oct 9 20:32:05 PNOTE_OK Master Init
Oct 9 20:32:05 PNOTE_OK Master: Sigquit Received
Oct 9 20:28:32 PNOTE_OK Master: Sigquit Received
Oct 9 20:28:32 PNOTE_OK Master: Sigquit Received
Oct 9 20:28:32 PNOTE_OK Master: Sigquit Received
Oct 9 20:28:32 PNOTE_OK Master: Sigquit Received
Oct 9 20:28:32 PNOTE_OK Master: Sigquit Received
Oct 9 20:28:32 PNOTE_OK Master: Sigquit Received
Oct 9 20:28:32 PNOTE_OK Master: Sigquit Received
Oct 9 20:28:32 PNOTE_OK Master: Sigquit Received
Oct 9 20:28:31 PNOTE_OK Master: Sigquit Received
Oct 9 20:28:31 PNOTE_OK Master: Sigquit Received

Can someone please tell me what "Master: Sigquit Received" means? I am trying to identify the reason for our firewall failover.
Yifat_Chen (Employee+) inside General Topics yesterday
views 922 2 16

R80.XX Jumbo Hotfix Accumulator - Did You Know?

Hi Everyone,

My name is @Yifat_Chen and I'm part of the Release Operation group managed by @MeravAlon. Our group is responsible for Check Point major releases (e.g. R80.20), minor releases (e.g. R80.30) and Jumbo Hotfix Accumulator releases for the R80.10, R80.20 & R80.30 trains.

Following several recent conversations and questions from customers, I would like to provide some general information regarding the Jumbo Hotfix (JHF) Accumulator:

Jumbo Hotfix Accumulator is an accumulation of stability and quality fixes resolving issues in different products. For more information, see sk98028.

Check Point recommends that you install the latest GA Jumbo take on a regular basis. A new Jumbo take is usually released every 1-2 months. For a complete list of fixes in each Jumbo take, please refer to the following SKs: R80.10 JHF SK, R80.10 SmartConsole SK, R80.20 JHF SK, R80.20 SmartConsole SK, R80.30 JHF SK, R80.30 SmartConsole SK.

Every new Jumbo take has 2 phases:
1st - Released as "Ongoing" - The main purpose of the "Ongoing" take is early adoption.
2nd - Published as "GA" - Recommended as a General Availability take.
After 3-4 weeks, an "Ongoing" take is moved to GA status. If there is a problem with an "Ongoing" take, a new one will be released.

A new JHF on the Management Server can be installed regardless of the Gateway server. There's no requirement to align the Management and Gateway to use the same JHF take. (Note - All Management machines should have the same JHF take.)

SmartConsole Jumbo HF is also released every 1-2 months. Note - there is no dependency between SmartConsole and Jumbo takes. Different takes of Jumbo can be used with each SmartConsole take. However, some features/fixes require an upgrade of both Jumbo and SmartConsole.

Installing a JHF is not an upgrade process! The installation of a JHF is simple and doesn't perform any changes in the Management Database. JHF only replaces specific binaries with new fixes. However, a reboot may be required after JHF installation.

I'm also tagging: @Tsahi_Etziony - R&D director of Product Operation, @MeravAlon - Release Operation Group manager.

Please don't hesitate to contact us for any further questions regarding the Jumbo releases.

Regards,
Yifat Chen