cancel
Showing results for 
Search instead for 
Did you mean: 
Create a Post
Wang
Wang inside General Topics 7m ago

How to configure QOS based on user?

Hello, engineers, how to configure QOS based on user?Thank you very much for your support.
Niklas_Davidsso
Niklas_Davidsso inside General Topics yesterday
views 419 19

New Core Switch - Failure

Hey There So we are runing a Old Cisco Nexus 5000K Switch stack, Checkpoint 15000 <> N5KSwitches <> N5KSwitches <> Checkpoint 15000the 15000 is runing VSXWorked pretty good. So this year we got new Cisco Nexus 9000K Switch, and today we tried to move them Moving Firewall, no big issue and we connected it up to the 9000 and it reconncted with the other FIrewall and they connect to eatcher, we move the active firewalls from the firewall connected to the N5K switch to the firewall connected N9K switch.  And everything is working But when we move the Firewall still conncted to N5K switch to the N9K, they start going active  standby down and as soon as Firewall 1 has done this Firewall 2 will go active standby down and so on.  so the network works for 3-4 minutes then highlatancy and then works 3-4 minutes rinse and repeat. Anyone seen this before? //Niklas   
Gsharma61234
Gsharma61234 inside General Topics yesterday
views 48 1

checkpoint not booting

Hi All, I do have checkpoint 4600.recently it was upgraded successfully from R75.40 to R77.10 then R77.10.From yesterday i am unable to login to the device.its giving me below error.I believe its not booting.Please let me know,how to resolve this issue.Apart from this i am not getting any option on putty CLI.   Reboot and Select proper Boot deviceor Insert Boot Media in selected Boot device and press a keyIntel(R) Boot Agent GE v1.3.53Copyright (C) 1997-2010, Intel CorporationPXE-E61: Media test failure, check cablePXE-M0F: Exiting Intel Boot Agent. 
Raphael_V
Raphael_V inside General Topics yesterday
views 3577 2

Legacy Auth (User Auth, Client Auth) on R80.10 gateways

Hey everyone,does anybody know if Legacy Authentication (User Auth and Client Auth) is still supported on R80.10 gateways?We updated one of our clusters today from R77.30 to R80.10 and are facing some very strange behaviour.We have a rule with a "Legacy user at location" object (location are all our internal networks) as a source object and User Auth as action.After the upgrade to R80.10 the "Legacy user at location" object in the source is now ignored and seems to behave like "ANY".The release notes from R80.10 does only state that"Session Authentication and UserAuthority are replaced by Identity Awareness."but nothing regarding User Auth or Client Auth.(Yes, we will move away from these authentication methods...)Thanks and best regardsRaphael
Vladimir
Vladimir inside General Topics yesterday
views 631 1 2

Need for new URL category for "User Awareness Training"

How can we request a creation of the new URL category? In particular, I'd like to have a new general category called "User Awareness Training" to be available and to have an option of bulk URL submits for Check Point to properly categorize the likes of KnowBe4 training phishing URLs. I am sure that my situation is not unique and at least half of my clients using them or similar products. Regards, Vladimir 
HeikoAnkenbrand
HeikoAnkenbrand inside General Topics yesterday
views 618505 33 139

R80.x Architecture and Performance Tuning - Link Collection

I wrote my first article on R80.x firewall architecture a year ago. After many hours in the lab with R80.10, R80.20, R80.30 and R80.40 many long evenings, another approximately 40 articles were added. Because I lost the overview of my articles, here is a list of links to the most interesting articles with the topics:- R80.x performance tuning- R80.x architecture- R80.x new CoreXL, SecureXL and ClusterXL functions I hope I can help you with interesting information about R80.x! Thanks to everyone who contributed to the Checkmates forum and to the Check Point R&D guys as well as the Chackmates team and thanks to all who voted this article as Post of the Year 2019.  Architecture - R80.x - Security Gateway Architecture (Logical Packet Flow)- R80.x - Security Gateway Architecture (Logical Packet Flow) - Update R80.20+- R80.x - Security Gateway Architecture (Content Inspection)- R80.x - Security Gateway Architecture (Acceleration Card Offloading)- R80.x - Ports Used for Communication by Various Check Point Modules- R80.x - How does the Medium Path (PXL) and Content Inspection work with R80- R80.x - ClusterXL CCP Encryption (R80.30+) Performance tuning - R80.x - Gateway Performance Metrics - R80.x - Performance Tuning Tip - Intel Hardware- R80.x - Performance Tuning Tip - AES-NI- R80.x - Performance Tuning Tip - SMT (Hyper Threading)- R80.x - Performance Tuning Tip - Multi Queue- R80.x - Performance Tuning Tip - Connection Table- R80.x - Performance Tuning and Debug Tips - fw monitor- R80.x - Performance Tuning and Debug Tips - TCPDUMP vs. CPPCAP- R80.x - Performance Tuning Tip - DDoS „fw sam“ vs. „fwaccel dos“- R80.x - High Performance Gateways and Tuning- R80.x - Falcon Modules and R80.20- R80.x - Performance Tuning - Link Collection Cheat sheets - R80.x - cheat sheet - fw monitor- R80.x - cheat sheet - ClusterXL ClusterXL - R80.20 - new ClusterXL commands- R80.20 - More ClusterXL State Information- R80.30 - ClusterXL CCP Encryption SecureXL - R80.20 - New FW Monitor inspection points- R80.20 - SYN Defender on SecureXL Level- R80.20 - IP blacklist in SecureXL- R80.20 - New Chain Modules?- R80.20 - SecureXL + new chain modules + fw monitor CoreXL - R80.x - Security Gateway Architecture (Logical Packet Flow)- R80.x - Security Gateway Architecture (Content Inspection)- R80.x - More then 40 Cores for CoreXL- R80.x - User-Mode Firewall and performance impact Management Server, MDS and SmartConsole - R80.20 - Portable SmartConsole + Tips and Tricks- R80.10 - Syslog Exporter- R80.20 - Multiple SmartConsole sessions- R80.x   - Debug policy installation on gateway- R80.x   - MDS Upgrade failing from R80.10 to R80.30 Sandblast and TEX - Fortigate Firewall ICAP and Sandblast (TEX)- Symantec (Bluecoat) SG ICAP and Sandblast (TEX)- ICAP and Sandblast Appliance R80.10+ - R80.10 - Syslog Exporter- R80.10 - Bash script to show IP ranges for countrys from GeoProtection (new version)- R80.10 - GEO Location Objects in Firewall Policy (with Dynamic Objects)- R80.10 - User-Mode Firewall and performance impact R80.20+ - R80.20 - new interesting commands- R80.20 - Performance Tuning Tip - DDoS „fw sam“ vs. „fwaccel dos“- R80.20 - New FW Monitor inspection points- R80.20 - SYN Defender on SecureXL Level- R80.20 - IP blacklist in SecureXL- R80.20 - New Chain Modules?- R80.20 - SecureXL + new chain modules + fw monitor- R80.20 - SecureXL - new names in "/proc/ppk/statistics"?- R80.20 - Portable SmartConsole + Tips and Tricks- R80.20 - New daemon or processes under R80.20!- R80.20 - New SecureXL path in R80.20 (CPASXL)- R80.20 - More then 40 Cores for CoreXL - R80.20 - Updatable Domain Objects and CLI Commands R80.30+ - R80.30 - new interesting commands- R80.30 - ClusterXL CCP Encryption- R80.30 - Swiss Army Knive IPMITOOL for GAIA R80.40+ - R80.40 automatically changes the number of CoreXL SNDs, Firewall instances and the Multi-Queue CLI - GAIA - Easy execute CLI commands from management on gateways- GAIA - Easy execute CLI commands on all gateways simultaneously- GAIA - Create snapshots or backups on all gateways with one CLI command.- GAIA - Backup all clish configs from all gateways with one CLI command- CLISH Commands in Expert Mode easier- Show VPN Routing on CLI- Show Address Spoofing Networks via CLI- Interface speed and duplex as list- "fw ctl zdebug" Helpful Command Combinations- Check Inbound and Outbound TCP Sequece Numbers on R80.20+- R80.20 - new interesting commands- R80.30 - new interesting commands- ccp_analyzer - what is it!- Check Point - HEX to IP Converter Tool?- R80.30 - Swiss Army Knive IPMITOOL for GAIA Script - Bash script to show IP ranges for countrys from GeoProtection (new version)- GEO Location Objects in Firewall Policy (with Dynamic Objects) More - Appliance model from CLI and dmidecode with full model list- VoIP Issue and SMB Appliance (600/1000/1200/1400)- Password reset - Collection- One-liner collection- Check and config SSHv1 or SSHv2 on GAIA Copyright by Heiko Ankenbrand  1994-2019
soni_kumari1
soni_kumari1 inside General Topics yesterday
views 567 7 1

How to configure alert for identity collector

How to configure alert for identity collector for below condition. If identity collector got disconnected. if gateway got disconnected . If gateway didn't received last hour events.customer is having both R80.10 and R77.30 version gateway.
Tiago_Cerqueira
Tiago_Cerqueira inside General Topics yesterday
views 201 7

VPN issue with IKEv2 and Cisco ASA

Hi,Last week we upgraded our security gateway from R77.30 to R80.20. After this upgrade, we lost connectivity with one of our VPNs. This VPN is with a third party gateway, a Cisco ASA and we are using IKEv2.The issue is weird and I've isolated the following things:1)If the negotiation is triggered on the ASA side, everything works as expected (so, as a workaround, they are bouncing the tunnel on their side, generating traffic to us (if we are the first to generate traffic it won't work) and that's allowing us to connect)2)If we initiate the connection, we are unable to reach the other side of the VPN but, they are able to reach our network. So traffic generated on their side of the VPN always reaches us without issues.3)Child SAs are only being negotiated on re-keys, I'm assuming the first time they are created is under the AUTH packet, as per the RFC. I have a case opened with TAC, but so far no meaningful replies. I can also share the vpnd.elg files, as well as the ikev2.xmll files if you are interested in taking a look at that. Thanks
SPM
SPM inside General Topics yesterday
views 171 5

CPUSE automatic backups

After updating R77.30 to Take345 (from Take338) I've noticed an increased utilization of space in root partitionI don't have much free space left (~3GB, total partition size 18GB). So I don't want to run out of spaceAnalyzing I found out that in /opt/CPda/backup  there are now 3 backupsthe backup in the root of /opt/CPda/backup which was taken when upgrading to previous Take 338and a folder /opt/CPda/backup/CheckPoint#CPUpdates#All#6.0#4#0#BUNDLE_R77_30_JUMBO_HF#345where there are to more folders "Completely" and "LastTake"So basically now instead of one backup  there are 3 backups, which consume 3 times more spaceI guess something changed in how backups taken during updateBut do I really need all that backups?? is it safe to delete them & (I am not planing to rollback to previous Take) here is a full backup files output [Expert@CP:0]# ls -l /opt/CPda/backup total 562672 drwx------ 4 admin root 4096 Sep 28 02:12 CheckPoint#CPUpdates#All#6.0#4#0#BUNDLE_R77_30_JUMBO_HF#345 -rw-r--r-- 1 admin root 7623548 Nov 24 2018 ReportingServer_backup_HOTFIX_R77_30_JUMBO_HF.tgz -rw-r--r-- 1 admin root 14285 Nov 24 2018 SecurePlatform_backup_HOTFIX_R77_30_JUMBO_HF.tgz -rw-r--r-- 1 admin root 50711598 Nov 24 2018 cvpn_backup_HOTFIX_R77_30_JUMBO_HF.tgz -rw-r--r-- 1 admin root 502484802 Nov 24 2018 fw1_backup_HOTFIX_R77_30_JUMBO_HF.tgz -rw-r--r-- 1 admin root 5649235 Nov 24 2018 indexer_backup_HOTFIX_R77_30_JUMBO_HF.tgz -rw-r--r-- 1 admin root 39977 Nov 24 2018 mgmtportal_backup_HOTFIX_R77_30_JUMBO_HF.tgz -rw-r--r-- 1 admin root 3029451 Nov 24 2018 sim_backup_HOTFIX_R77_30_JUMBO_HF.tgz -rw-r--r-- 1 admin root 6010542 Nov 24 2018 uepm_backup_HOTFIX_R77_30_JUMBO_HF.tgz [Expert@CP:0]# ls -l /opt/CPda/backup/CheckPoint#CPUpdates#All#6.0#4#0#BUNDLE_R77_30_JUMBO_HF#345 total 8 drwx------ 2 admin root 4096 Sep 28 02:18 Completely drwx------ 2 admin root 4096 Sep 28 02:18 LastTake [Expert@CP:0]# ls -l /opt/CPda/backup/CheckPoint#CPUpdates#All#6.0#4#0#BUNDLE_R77_30_JUMBO_HF#345/Completely total 635376 -rw-r--r-- 1 admin root 7622819 Sep 28 02:18 ReportingServer_backup_HOTFIX_R77_30_JUMBO_HF.tgz -rw-r--r-- 1 admin root 16509 Sep 28 02:17 SecurePlatform_backup_HOTFIX_R77_30_JUMBO_HF.tgz -rw-r--r-- 1 admin root 50711314 Sep 28 02:14 cvpn_backup_HOTFIX_R77_30_JUMBO_HF.tgz -rw-r--r-- 1 admin root 576853604 Sep 28 02:13 fw1_backup_HOTFIX_R77_30_JUMBO_HF.tgz -rw-r--r-- 1 admin root 5649319 Sep 28 02:14 indexer_backup_HOTFIX_R77_30_JUMBO_HF.tgz -rw-r--r-- 1 admin root 40274 Sep 28 02:18 mgmtportal_backup_HOTFIX_R77_30_JUMBO_HF.tgz -rw-r--r-- 1 admin root 3028584 Sep 28 02:18 sim_backup_HOTFIX_R77_30_JUMBO_HF.tgz -rw-r--r-- 1 admin root 6015114 Sep 28 02:18 uepm_backup_HOTFIX_R77_30_JUMBO_HF.tgz [Expert@CP:0]# ls -l /opt/CPda/backup/CheckPoint#CPUpdates#All#6.0#4#0#BUNDLE_R77_30_JUMBO_HF#345/LastTake total 581224 -rw-r--r-- 1 admin root 7624021 Sep 28 02:18 ReportingServer_backup_HOTFIX_R77_30_JUMBO_HF.tgz -rw-r--r-- 1 admin root 16509 Sep 28 02:14 SecurePlatform_backup_HOTFIX_R77_30_JUMBO_HF.tgz -rw-r--r-- 1 admin root 148055 Sep 28 02:02 common_backup_file.tgz -rw-r--r-- 1 admin root 52002192 Sep 28 02:14 cvpn_backup_HOTFIX_R77_30_JUMBO_HF.tgz -rw-r--r-- 1 admin root 519750664 Sep 28 02:10 fw1_backup_HOTFIX_R77_30_JUMBO_HF.tgz -rw-r--r-- 1 admin root 5920007 Sep 28 02:14 indexer_backup_HOTFIX_R77_30_JUMBO_HF.tgz -rw-r--r-- 1 admin root 40232 Sep 28 02:18 mgmtportal_backup_HOTFIX_R77_30_JUMBO_HF.tgz -rw-r--r-- 1 admin root 3040944 Sep 28 02:18 sim_backup_HOTFIX_R77_30_JUMBO_HF.tgz -rw-r--r-- 1 admin root 5996419 Sep 28 02:18 uepm_backup_HOTFIX_R77_30_JUMBO_HF.tgz 
Nik_Bloemers
Nik_Bloemers inside General Topics yesterday
views 189 7

Internet routing through VPN case

Dear Check Mates,I have a use case for which I'm not sure what the right/best solution would be, and I'm hoping your input can help.Currently we have several branch offices that route all traffic (including internet traffic) over a VPN to a Juniper VPN device. The Juniper can put this traffic in a separate routing table so we can set the default gateway towards the internal core router, which then uses it's own default gateway to send the internet traffic through the perimeter Check Point cluster.We are currently replacing this Juniper VPN device with a separate Check Point cluster. This of course has it's own default gateway to internet to establish various VPN's, so when we move the branch office VPN's to this cluster they will go to internet directly from this cluster, rather than the other perimeter CP cluster where we want the traffic to go to (which is a faster platform with HTTPS inspection, more blades enabled, etc).How can we solve this? I haven't been able to think of a good way. I thought we could solve this with PBR easily, however sk100500 states that PBR is not supported for VPNs?Thanks in advance for your insights. 
4mon
4mon inside General Topics Monday
views 128 4

Upgrade from R77.30 to R80.30

Hello,I have to upgrade SMS an ClusterXL Security Gateways from R77.30 to R80.30. Probably by fresh install.It's a recommended make an upgrade from R70.30 directly to R80.30?Or maybe it'll be better firstly upgrade from R70.30 to R80.20 and after that from R80.20 to R80.30?The procedure is the same like upgrade from R77.30 to R80.10 for example like this:https://community.checkpoint.com/t5/General-Management-Topics/R77-30-to-R80-10-SMS-Migration/td-p/36384Thank you in advance!
Anderson_DaSilv
Anderson_DaSilv inside General Topics Monday
views 92 1

CloudGuard ARM Template

Hi Community,I am trying to deploy cloudguard in Azure via ARM templates, but I am hitting an issue with the artifacts location parameters.As I can see in the template, the artifacts location is no longer hard coded, instead it is using the deployment function to call the artifacts uri.Long store short, when I run the template installation from local files on my computer, I get the error below saying that the templateLink doesn't exist:Apprantly it happens because the deployment function does not respond with the templateLink information if you run the deployment using local templates.Anyone ran into this issue before? Trying to install r80.30 using ARM template version below:"templateVersion": "20190805"thanks in advance.
pnorman821
pnorman821 inside General Topics Monday
views 75 3

BGP route redistribution

Hi All,I ran into a problem at the weekend where I was going through a change to correct the BGP router ID's on some firewall clusters. I was following a specific procedure to do this and ensured I had full configuration backups of the firewalls  with the output from a 'show configuration'. However, the configuration did not show the route redistribution that was setup using the web GUI on the Gaia firewall. This was an R77.30 Firewall cluster... Is this expected behaviour that the 'show configuration' does not include the config of everything configured on the firewall? Incidentally, the cluster is now 80.20; I wonder if the show configuration includes the route redistribution commands?Thanks, Paul Norman
Taekyoon-kim
Taekyoon-kim inside General Topics Monday
views 2248 8

What happens when a license expires?

Hi ..!What happens when a license expires? I just..If the licenses for each device expire, can I use the features I used before?And what features are available and what are not? I wonder.      1. Smart-1      2. Collector     3. TE Thank you for taking the time to ask.
Longson_Ho1
Longson_Ho1 inside General Topics Saturday
views 539 2

R80.20 Identity Collector Syslog Parser

Hi,We are doing testing of R80.20 Identity Collector with Syslog Parser feature.Is there any guide about how to create Syslog Parsers for Ruckus Zone Director (Version: 10.0.1.0 build 61) to get the identity information from login and logout event?Thank you