Yifat_Chen (Employee+) inside General Topics 9 hours ago

R80.20 JHF - New Ongoing take #117

Hi,

A new Ongoing Jumbo Hotfix Accumulator take for R80.20 (take 117) is available. Please refer to sk137592.

Release Highlight:
- PRJ-5764 - Server Name Indications (SNI) - Next Generation Bypass - TLS inspection based on Verified Subject Name, Improved TLS implementation for TLS Inspection and categorization
- 158 fixes, 5 security issues

Please note the following:
- The new release is mentioned in the JHF sk137592.
- The new release will not be published via CPUSE as a recommended version.
- Availability:
  o Will be provided by customer support
  o Available for download via CPUSE by using package identifier.

Thanks,
Release Management Group
Tiago_Cerqueira inside General Topics yesterday

VPN issue with IKEv2 and Cisco ASA

Hi,

Last week we upgraded our security gateway from R77.30 to R80.20. After this upgrade, we lost connectivity with one of our VPNs. This VPN is with a third party gateway, a Cisco ASA, and we are using IKEv2.

The issue is weird and I've isolated the following things:
1) If the negotiation is triggered on the ASA side, everything works as expected (so, as a workaround, they are bouncing the tunnel on their side, generating traffic to us (if we are the first to generate traffic it won't work) and that's allowing us to connect).
2) If we initiate the connection, we are unable to reach the other side of the VPN, but they are able to reach our network. So traffic generated on their side of the VPN always reaches us without issues.
3) Child SAs are only being negotiated on re-keys; I'm assuming the first time they are created is under the AUTH packet, as per the RFC.

I have a case opened with TAC, but so far no meaningful replies. I can also share the vpnd.elg files, as well as the ikev2.xmll files, if you are interested in taking a look at that.

Thanks
Longson_Ho1 inside General Topics yesterday

R80.20 Identity Collector Syslog Parser

Hi,

We are doing testing of R80.20 Identity Collector with the Syslog Parser feature. Is there any guide about how to create Syslog Parsers for Ruckus Zone Director (Version: 10.0.1.0 build 61) to get the identity information from login and logout events?

Thank you
Shlomi_Feldman (Employee+) inside General Topics yesterday

Internet Organized Crime Threat Assessment (IOCTA) 2019 report

Hi Checkmates, I want to share with you all the recently published IOCTA report. 
HS inside General Topics yesterday

VPN Encryption/Decryption failure

Hi,

We have a VPN to Azure and for some reason we are unable to connect to one of the machines. When we try to connect we get the error on tracker: "Encryption/Decryption failure, failed to resolve SA (VPN Error code 01)" and the traffic is dropped. With zdebug we get the error:

dropped by chain_ipsec_methods_ok Reason: vpn_decrypt_methods_ok failed;

I'm looking at Check Point documentation and I'm stuck because there are 2 error messages and for that reason 2 sk... Anyone had this issue before? I'm running R77.30 gw and R80.20 MGMT.

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk122532
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk90060

Thank you very much for your help
kapuranirudh inside General Topics Friday

Need help in preparing benchmark documents for Checkpoint firewall

Hi All,

Can anyone help me and tell me the "RISK factors" for the following benchmark conditions:

- Ensure Password Minimum length is set
- Ensure Password Syntax: Character Types is set
- Ensure Password Syntax: ID within Password is set
- Ensure Maximum signon attempts is set
- Ensure Lockout duration is set
- Ensure Reset account lockout counter after
- User login to system/device
- User logout from system/device
- Retention of created log files
- Connection matched by SAM
- VPN packet handling errors
- VPN configuration & key exchange errors
- IP Options drop
- File Transfer Protocol (FTP)
- Unused Interfaces access
- Dynamic routing protocols
- ICMP virtual session timeout
- Accept stateful UDP replies for unknown services
- Accept Stateful ICMP replies
- Accept Stateful ICMP errors
- Drop and log out of state packets
- Drop and log out of state ICMP packets
- Explicit firewall management rules present
- Accept Remote Access Control connections
- Accept outgoing packets originating from Gateway
- Accept Web and SSH connections for Gateway's administration
- Accept incoming traffic to DHCP and DNS services of gateways
- Accept Dynamic Address modules' outgoing Internet connections
- IPsec VPN
- SSL VPN
- IPS
- Web Security URL Filtering
- Anti-virus and Anti Malware
- Anti-Spam and Email Security
- Acceleration and Clustering
- Voice over IP
- Data loss Prevention
- Application Control
- Logging

Sorry, the list is long, but if you could help me I will be grateful to you, thanks..!!
joseespinoza inside General Topics Friday

exporting security fw rules +500 issues

We are moving the R77 config to a file from the Check Point; however, when we try to export the security rules (more than 500 rules) in 2 or 3 files, we are not able to do it. We know that in R80 you can do it from the command line, but we weren't able to use the same commands in R77 to accomplish this task. If we open the exported file in an XML editor we can read and find the 500+ rules, but we need to squeeze these rules into 2 or 3 files from the Check Point device in R77.

Any ideas, mates?

Cordially,
Jose Espinoza
Johannes_Schoen inside General Topics Friday

How to handle core-dumps and crash dumps

Hi Community,

I lately got in touch with the wonderful ccc tool and noticed that in some environments I got notified that core dumps or crash dumps are present. I figured out that the core dumps are produced by the individual Check Point processes if anything bad happens, and they are stored at /var/log/dump/usermode.

Can anyone explain what the crash dumps mean and where they are stored? Is there a procedure I should execute after finding a dump? Contacting TAC? Analyzing the files? Are there special tools for it?

Looking forward to your feedback

Best Regards
Johannes
5809265c-0181-3 inside General Topics Friday

R80.30 with HTTPs interception and Perfect Forward Secrecy with ECDHE/ECDSA cipher suites

Dear Check Mates, is it still necessary to manually configure ECDHE/ECDSA cipher suites in R80.30 as mentioned in sk104717 chapter “Perfect Forward Secrecy (PFS)” to enable these cipher suites and PFS? Thank you in advance.
HeikoAnkenbrand inside General Topics Friday

R80.x Architecture and Performance Tuning - Link Collection

I wrote my first article on R80.x firewall architecture a year ago. After many hours in the lab with R80.10, R80.20, R80.30 and R80.40 and many long evenings, another approximately 40 articles were added. Because I lost the overview of my articles, here is a list of links to the most interesting articles with the topics:
- R80.x performance tuning
- R80.x architecture
- R80.x new CoreXL, SecureXL and ClusterXL functions

I hope I can help you with interesting information about R80.x! Thanks to everyone who contributed to the CheckMates forum and to the Check Point R&D guys as well as the CheckMates team, and thanks to all who voted this article as Post of the Year 2019.

Architecture
- R80.x - Security Gateway Architecture (Logical Packet Flow)
- R80.x - Security Gateway Architecture (Logical Packet Flow) - Update R80.20+
- R80.x - Security Gateway Architecture (Content Inspection)
- R80.x - Security Gateway Architecture (Acceleration Card Offloading)
- R80.x - Ports Used for Communication by Various Check Point Modules
- R80.x - How does the Medium Path (PXL) and Content Inspection work with R80
- R80.x - ClusterXL CCP Encryption (R80.30+)

Performance tuning
- R80.x - Gateway Performance Metrics
- R80.x - Performance Tuning Tip - Intel Hardware
- R80.x - Performance Tuning Tip - AES-NI
- R80.x - Performance Tuning Tip - SMT (Hyper Threading)
- R80.x - Performance Tuning Tip - Multi Queue
- R80.x - Performance Tuning Tip - Connection Table
- R80.x - Performance Tuning and Debug Tips - fw monitor
- R80.x - Performance Tuning and Debug Tips - TCPDUMP vs. CPPCAP
- R80.x - Performance Tuning Tip - DDoS „fw sam“ vs. „fwaccel dos“
- R80.x - High Performance Gateways and Tuning
- R80.x - Falcon Modules and R80.20
- R80.x - Performance Tuning - Link Collection

Cheat sheets
- R80.x - cheat sheet - fw monitor
- R80.x - cheat sheet - ClusterXL

ClusterXL
- R80.20 - new ClusterXL commands
- R80.20 - More ClusterXL State Information
- R80.30 - ClusterXL CCP Encryption

SecureXL
- R80.20 - New FW Monitor inspection points
- R80.20 - SYN Defender on SecureXL Level
- R80.20 - IP blacklist in SecureXL
- R80.20 - New Chain Modules?
- R80.20 - SecureXL + new chain modules + fw monitor

CoreXL
- R80.x - Security Gateway Architecture (Logical Packet Flow)
- R80.x - Security Gateway Architecture (Content Inspection)
- R80.x - More than 40 Cores for CoreXL
- R80.x - User-Mode Firewall and performance impact

Management Server, MDS and SmartConsole
- R80.20 - Portable SmartConsole + Tips and Tricks
- R80.10 - Syslog Exporter
- R80.20 - Multiple SmartConsole sessions
- R80.x - Debug policy installation on gateway
- R80.x - MDS Upgrade failing from R80.10 to R80.30

Sandblast and TEX
- Fortigate Firewall ICAP and Sandblast (TEX)
- Symantec (Bluecoat) SG ICAP and Sandblast (TEX)
- ICAP and Sandblast Appliance

R80.10+
- R80.10 - Syslog Exporter
- R80.10 - Bash script to show IP ranges for countries from GeoProtection (new version)
- R80.10 - GEO Location Objects in Firewall Policy (with Dynamic Objects)
- R80.10 - User-Mode Firewall and performance impact

R80.20+
- R80.20 - new interesting commands
- R80.20 - Performance Tuning Tip - DDoS „fw sam“ vs. „fwaccel dos“
- R80.20 - New FW Monitor inspection points
- R80.20 - SYN Defender on SecureXL Level
- R80.20 - IP blacklist in SecureXL
- R80.20 - New Chain Modules?
- R80.20 - SecureXL + new chain modules + fw monitor
- R80.20 - SecureXL - new names in "/proc/ppk/statistics"?
- R80.20 - Portable SmartConsole + Tips and Tricks
- R80.20 - New daemon or processes under R80.20!
- R80.20 - New SecureXL path in R80.20 (CPASXL)
- R80.20 - More than 40 Cores for CoreXL
- R80.20 - Updatable Domain Objects and CLI Commands

R80.30+
- R80.30 - new interesting commands
- R80.30 - ClusterXL CCP Encryption
- R80.30 - Swiss Army Knife IPMITOOL for GAIA

R80.40+
- R80.40 automatically changes the number of CoreXL SNDs, Firewall instances and the Multi-Queue

CLI
- GAIA - Easy execute CLI commands from management on gateways
- GAIA - Easy execute CLI commands on all gateways simultaneously
- GAIA - Create snapshots or backups on all gateways with one CLI command
- GAIA - Backup all clish configs from all gateways with one CLI command
- CLISH Commands in Expert Mode easier
- Show VPN Routing on CLI
- Show Address Spoofing Networks via CLI
- Interface speed and duplex as list
- "fw ctl zdebug" Helpful Command Combinations
- Check Inbound and Outbound TCP Sequence Numbers on R80.20+
- R80.20 - new interesting commands
- R80.30 - new interesting commands
- ccp_analyzer - what is it!
- Check Point - HEX to IP Converter Tool?
- R80.30 - Swiss Army Knife IPMITOOL for GAIA

Script
- Bash script to show IP ranges for countries from GeoProtection (new version)
- GEO Location Objects in Firewall Policy (with Dynamic Objects)

More
- Appliance model from CLI and dmidecode with full model list
- VoIP Issue and SMB Appliance (600/1000/1200/1400)
- Password reset - Collection
- One-liner collection
- Check and config SSHv1 or SSHv2 on GAIA

Copyright by Heiko Ankenbrand 1994-2019
David_Herselman inside General Topics Friday

Disable NAT on SIP payload - breaks ICE

How do we disable NAT on SIP and SDP payloads, when using NAT? The ATRG: VoIP documentation states the following:

We're running Asterisk with ICE (Interactive Connectivity Establishment), which essentially provides multiple candidates in INVITE or SDP negotiation messages, where each is an IP and port combination. It discovers the public candidates by connecting to STUN servers on the public internet.

Why would we not want the security gateway to NAT the payload?

We intend on using Bria Stretto as a mobile SIP application. The app works perfectly in all environments when in the foreground and subsequently registered directly to our office SIP server. The problem we're having is when the app is in the background, becoming completely inactive. Public SIP servers operated by CounterPath essentially register in place of the mobile and send a wake-up push notification when they receive a call. The push appears to provide the app with a copy of the original invite, so it should receive both the higher priority ICE host candidates as well as the lower priority server reflexive (NATted IP and port) candidates.

The problem with the Check Point overwriting the SIP and SDP payload is that a mobile device connected to either a private cellular APN or corporate WiFi will exclusively be provided with the public IP, which results in one way audio. Everything works perfectly when the mobile is using LTE or NATted through a home WiFi network.

What we're after:
We would simply like the Check Point to continue applying a NAT policy to the headers but leave the SIP and SDP payloads alone. This is typically accomplished by simply turning off SIP ALG processing.

Sample packet leaving SIP server towards CounterPath's public push servers:

Sample packet after NAT processing by Check Point:

We have not had success in following these recommendations. Both of these however appear to apply to cases where threat prevention policies were blocking packets, not the Check Point simply NATting packets like any other UDP packet and leaving the payload alone:
- How to disable SIP ALG inspection in a specific rule in Checkpoint? Also, could this be done globally, like Cisco ASA?
- Tried disabling SIP inspection:

  fw ctl set int voip_multik_enable_forwarding 0
  echo voip_multik_enable_forwarding=0 >> $FWDIR/boot/modules/fwkern.conf

The following is an excellent summation of the ICE protocol:
Interactive Connectivity Establishment: – IETF Journal
HeikoAnkenbrand inside General Topics Friday

R8x - Gateway Performance Metrics

Introduction

In the last weeks I have been asked again and again how I can increase the performance of my Check Point gateway. Now comes my counter-question: what do you want to reach in Performance Tuning? Therefore, I have created an overview of what the goal is!

Chapter

More interesting articles:
- R80.x Architecture and Performance Tuning - Link Collection
- Article list (Heiko Ankenbrand)

Performance Metrics

In principle, there are several performance metrics:
- Throughput (Bandwidth)
- Connection rate
- Packet rate
- Concurrent connections
- Latency

There are standardized test procedures according to RFC for this:

|                    | Throughput       | Connection rate | Packet rate      | Concurrent connections         | Latency                              |
|--------------------|------------------|-----------------|------------------|--------------------------------|--------------------------------------|
| RFC                | RFC3511 5.1.4.1  | RFC3511 5.3.1   | RFC3511 5.1.4.1  | RFC3511 5.2.4.2                | RFC2544 26.2                         |
| Units              | Bit/s            | Connections/s   | Packets/s        | Absolute number of connections | (m)s                                 |
| Testing conditions | Large UDP        | Small TCP       | Small UDP        | Small TCP                      | Small UDP                            |
| Bottleneck         | Bus, Interfaces  | CPU             | CPU              | Memory                         | Bus, Interfaces, CPU, Infrastructure |

Throughput
Description: RFC3511 – 5.1.4.1 Throughput: Maximum offered load, expressed in either bits per second or packets per second, at which no packet loss is detected. The bits to be counted are in the IP packet (header plus payload); other fields, such as link-layer headers and trailers, MUST NOT be included in the measurement.
Units: Bits per second
Testing conditions for achieving best results: Large UDP
Bottleneck: Bus, interfaces

Connection Rate
Description: RFC3511 – 5.3.1 To determine the maximum TCP connection establishment rate through or with the DUT/SUT, as defined by RFC 2647 [1]. This test is intended to find the maximum rate the DUT/SUT can update its connection table.
Units: Connections per second
Testing conditions for achieving best results: Small TCP (HTTP 64B)
Bottleneck: CPU

Packet Rate
Description: RFC3511 – 5.1.4.1 Throughput: Maximum offered load, expressed in either bits per second or packets per second, at which no packet loss is detected. The bits to be counted are in the IP packet (header plus payload); other fields, such as link-layer headers and trailers, MUST NOT be included in the measurement.
Units: Packets per second
Testing conditions for achieving best results: Small UDP
Bottleneck: CPU

Concurrent Connections
Description: RFC3511 – 5.2.4.2 Maximum concurrent connections: Total number of TCP connections open for the last successful iteration performed in the search algorithm.
Units: Absolute number (amount)
Testing conditions for achieving best results: Small TCP (HTTP 64B)
Bottleneck: Memory

Latency
Description: RFC2544 – 26.2 The latency is timestamp B minus timestamp A as per the relevant definition from RFC 1242, namely latency as defined for store and forward devices or latency as defined for bit forwarding devices.
Units: (m)seconds
Testing conditions for achieving best results: Small UDP
Bottleneck: Interfaces, Infrastructure, CPU, Bus

Analysis of metrics

The analysis of the above mentioned parameters is very easy with the command cpview.

# cpview

On 41K, 44K, 61K, 64K or Maestro systems use:

# asg perf -v
mr_andy inside General Topics Friday

R80.10/R80.20 not displaying correct number of remote access tunnels

Can anyone help with a strange problem we are experiencing? SmartView Monitor has started mis-reporting the number of remote user tunnels. The actual number of connected users is only 12, but cluster member A is saying 383 and cluster member B is showing 208. If the gateways are restarted or cpstop/cpstart is run, the number changes again. It is definitely a gateway issue and not a management/SmartConsole issue.

On each gateway, if I run the following command:

cpstat -f all vpn

and check the value of 'IPsec number of VPN-1 RA peers', I get the same result shown above, e.g. 383 on the A member. If I run the following command:

fw tab -t userc_users -s

this shows the correct number of connected remote access users under the #VALS column.

Anyone seen this before and know of a fix? Looks like we need to reset the count somewhere. We have seen this behaviour on two of our clustered gateways, and it first occurred after upgrade from R77.30. One pair of clusters is running R80.10 with JHFA 189, the other is R80.20 with JHFA 33, and both are exhibiting the same issue.
Nik_Bloemers inside General Topics Friday

Internet routing through VPN case

Dear Check Mates,

I have a use case for which I'm not sure what the right/best solution would be, and I'm hoping your input can help.

Currently we have several branch offices that route all traffic (including internet traffic) over a VPN to a Juniper VPN device. The Juniper can put this traffic in a separate routing table so we can set the default gateway towards the internal core router, which then uses its own default gateway to send the internet traffic through the perimeter Check Point cluster.

We are currently replacing this Juniper VPN device with a separate Check Point cluster. This of course has its own default gateway to internet to establish various VPNs, so when we move the branch office VPNs to this cluster they will go to internet directly from this cluster, rather than the other perimeter CP cluster where we want the traffic to go to (which is a faster platform with HTTPS inspection, more blades enabled, etc).

How can we solve this? I haven't been able to think of a good way. I thought we could solve this with PBR easily; however, sk100500 states that PBR is not supported for VPNs?

Thanks in advance for your insights.
SPM inside General Topics Thursday

CPUSE automatic backups

After updating R77.30 to Take 345 (from Take 338) I've noticed an increased utilization of space in the root partition. I don't have much free space left (~3GB, total partition size 18GB), so I don't want to run out of space.

Analyzing, I found out that in /opt/CPda/backup there are now 3 backups:
- the backup in the root of /opt/CPda/backup, which was taken when upgrading to the previous Take 338
- and a folder /opt/CPda/backup/CheckPoint#CPUpdates#All#6.0#4#0#BUNDLE_R77_30_JUMBO_HF#345 where there are two more folders, "Completely" and "LastTake"

So basically now, instead of one backup, there are 3 backups, which consume 3 times more space. I guess something changed in how backups are taken during update. But do I really need all those backups? Is it safe to delete them? (I am not planning to rollback to the previous Take.)

Here is a full backup files output:

[Expert@CP:0]# ls -l /opt/CPda/backup
total 562672
drwx------ 4 admin root 4096 Sep 28 02:12 CheckPoint#CPUpdates#All#6.0#4#0#BUNDLE_R77_30_JUMBO_HF#345
-rw-r--r-- 1 admin root 7623548 Nov 24 2018 ReportingServer_backup_HOTFIX_R77_30_JUMBO_HF.tgz
-rw-r--r-- 1 admin root 14285 Nov 24 2018 SecurePlatform_backup_HOTFIX_R77_30_JUMBO_HF.tgz
-rw-r--r-- 1 admin root 50711598 Nov 24 2018 cvpn_backup_HOTFIX_R77_30_JUMBO_HF.tgz
-rw-r--r-- 1 admin root 502484802 Nov 24 2018 fw1_backup_HOTFIX_R77_30_JUMBO_HF.tgz
-rw-r--r-- 1 admin root 5649235 Nov 24 2018 indexer_backup_HOTFIX_R77_30_JUMBO_HF.tgz
-rw-r--r-- 1 admin root 39977 Nov 24 2018 mgmtportal_backup_HOTFIX_R77_30_JUMBO_HF.tgz
-rw-r--r-- 1 admin root 3029451 Nov 24 2018 sim_backup_HOTFIX_R77_30_JUMBO_HF.tgz
-rw-r--r-- 1 admin root 6010542 Nov 24 2018 uepm_backup_HOTFIX_R77_30_JUMBO_HF.tgz

[Expert@CP:0]# ls -l /opt/CPda/backup/CheckPoint#CPUpdates#All#6.0#4#0#BUNDLE_R77_30_JUMBO_HF#345
total 8
drwx------ 2 admin root 4096 Sep 28 02:18 Completely
drwx------ 2 admin root 4096 Sep 28 02:18 LastTake

[Expert@CP:0]# ls -l /opt/CPda/backup/CheckPoint#CPUpdates#All#6.0#4#0#BUNDLE_R77_30_JUMBO_HF#345/Completely
total 635376
-rw-r--r-- 1 admin root 7622819 Sep 28 02:18 ReportingServer_backup_HOTFIX_R77_30_JUMBO_HF.tgz
-rw-r--r-- 1 admin root 16509 Sep 28 02:17 SecurePlatform_backup_HOTFIX_R77_30_JUMBO_HF.tgz
-rw-r--r-- 1 admin root 50711314 Sep 28 02:14 cvpn_backup_HOTFIX_R77_30_JUMBO_HF.tgz
-rw-r--r-- 1 admin root 576853604 Sep 28 02:13 fw1_backup_HOTFIX_R77_30_JUMBO_HF.tgz
-rw-r--r-- 1 admin root 5649319 Sep 28 02:14 indexer_backup_HOTFIX_R77_30_JUMBO_HF.tgz
-rw-r--r-- 1 admin root 40274 Sep 28 02:18 mgmtportal_backup_HOTFIX_R77_30_JUMBO_HF.tgz
-rw-r--r-- 1 admin root 3028584 Sep 28 02:18 sim_backup_HOTFIX_R77_30_JUMBO_HF.tgz
-rw-r--r-- 1 admin root 6015114 Sep 28 02:18 uepm_backup_HOTFIX_R77_30_JUMBO_HF.tgz

[Expert@CP:0]# ls -l /opt/CPda/backup/CheckPoint#CPUpdates#All#6.0#4#0#BUNDLE_R77_30_JUMBO_HF#345/LastTake
total 581224
-rw-r--r-- 1 admin root 7624021 Sep 28 02:18 ReportingServer_backup_HOTFIX_R77_30_JUMBO_HF.tgz
-rw-r--r-- 1 admin root 16509 Sep 28 02:14 SecurePlatform_backup_HOTFIX_R77_30_JUMBO_HF.tgz
-rw-r--r-- 1 admin root 148055 Sep 28 02:02 common_backup_file.tgz
-rw-r--r-- 1 admin root 52002192 Sep 28 02:14 cvpn_backup_HOTFIX_R77_30_JUMBO_HF.tgz
-rw-r--r-- 1 admin root 519750664 Sep 28 02:10 fw1_backup_HOTFIX_R77_30_JUMBO_HF.tgz
-rw-r--r-- 1 admin root 5920007 Sep 28 02:14 indexer_backup_HOTFIX_R77_30_JUMBO_HF.tgz
-rw-r--r-- 1 admin root 40232 Sep 28 02:18 mgmtportal_backup_HOTFIX_R77_30_JUMBO_HF.tgz
-rw-r--r-- 1 admin root 3040944 Sep 28 02:18 sim_backup_HOTFIX_R77_30_JUMBO_HF.tgz
-rw-r--r-- 1 admin root 5996419 Sep 28 02:18 uepm_backup_HOTFIX_R77_30_JUMBO_HF.tgz