General Topics

Have a question and you can't figure out where to post about it after reading All Products and Where to Post About Them? Post it here!

Nelson_Thoms
Nelson_Thoms inside General Topics 52m ago
views 89 3

R80.30 upgrade of 5000 series appliance - network drop when using SFP interfaces

Hello,

We have a pair of 5200-HPP firewalls in a cluster, running R80.20. We use the SFP interfaces to connect to a layer 2 switch (Cisco). When we upgrade the firewalls to R80.30, the fiber/SFP interfaces drop and the switch says the ports are not operational. When we roll the firmware back to R80.20, the ports become operational and traffic passes. I think this issue is specific to the SFP ports on the Check Point firewall, since if I move the network configuration to the copper ports on the firewall, network operation resumes. Of course we have valid Check Point branded SFPs on the firewall side, and swapping out transceivers or using different OM4 cable does not make a difference.

Anyone else run into issues with the SFP ports on Check Point 5000-series firewalls following an upgrade to R80.30? I've tried raising the issue with the vendor and they are not providing troubleshooting assistance, even though we can consistently demonstrate that a rollback of the firewalls to R80.20 makes the issue go away, and as soon as we complete the upgrade to R80.30 the SFP ports go down.

Cheers, hope someone out there has ideas on how to troubleshoot this!
Tiago_Cerqueira
Tiago_Cerqueira inside General Topics 2 hours ago
views 387 9

VPN issue with IKEv2 and Cisco ASA

Hi,

Last week we upgraded our security gateway from R77.30 to R80.20. After this upgrade, we lost connectivity with one of our VPNs. This VPN is with a third party gateway, a Cisco ASA, and we are using IKEv2.

The issue is weird and I've isolated the following things:

1) If the negotiation is triggered on the ASA side, everything works as expected (so, as a workaround, they are bouncing the tunnel on their side, generating traffic to us (if we are the first to generate traffic it won't work) and that's allowing us to connect).
2) If we initiate the connection, we are unable to reach the other side of the VPN, but they are able to reach our network. So traffic generated on their side of the VPN always reaches us without issues.
3) Child SAs are only being negotiated on re-keys; I'm assuming the first time they are created is under the AUTH packet, as per the RFC.

I have a case opened with TAC, but so far no meaningful replies. I can also share the vpnd.elg files, as well as the ikev2.xmll files, if you are interested in taking a look at that.

Thanks
kb1
kb1 inside General Topics 3 hours ago
views 4

I need help with routing

So I need to configure routing on my 1100 firewall and below is the information I have for the configuration:

Site subnet: 10.40.3.X/24
Eth LAN2 (vlan20 - secured): 10.40.3.21/29; dgw = 10.40.3.20/29 (int Gi0/2)
Eth LAN5 (vlan 10 - unsecured): 10.40.3.11/29; dgw = 10.40.3.10/29 (int Gi0/1)
Source network: 216.152.218.X/32
Destination networks:
Checkpoint Portal/Blade - https://10.169.90.4/sslvpn
149.122.13.X/32
149.122.13.X/32
149.122.13.X/32

So what would be the command on the CLI, since I only have console access to configure routing? For reference, below is the routing configuration for another 1100 appliance, and I was told that the routing should be similar to this one:

# Static routes
delete static-routes
add static-route service Any destination 10.0.0.X/8 nexthop gateway ipv4-address 10.43.1.20 metric 0
set static-route 2 service Any destination 10.0.0.X/8 nexthop gateway ipv4-address 10.43.1.20 metric 0 disabled false
add static-route service Any destination "216.152.218.X/32" nexthop gateway ipv4-address "10.43.1.X" metric "0"
set static-route 3 service Any destination "216.152.218.X/32" nexthop gateway ipv4-address "10.43.1.X" metric "0" disabled "false"
add static-route service Any destination "149.122.0.X/16" nexthop gateway ipv4-address "10.43.1.X" metric "0"
set static-route 1 service Any destination "149.122.0.X/16" nexthop gateway ipv4-address "10.43.1.X" metric "0" disabled "false"

I cannot figure out what the destination network should be, as is shown for the above configuration; it just keeps showing an error whenever I try something out.
TheRealDiZ
TheRealDiZ inside General Topics 6 hours ago
views 183 8

Failover between different HW with cphacu

Hi wonderful checkmates!

I got a quick question for you: I just want to do a zero downtime upgrade. I'm upgrading R77.20 4400 to 5600 brand new appliances with R80.30.

Do you think with different HW the cluster will be in Active/Down and cphacu start will work? I've never tried it before but I think with the same CoreXL instances it will work.

D!Z
mselecky
mselecky inside General Topics 7 hours ago
views 124 9

site-to-site VPN - Encryption domain issue

Hello,

I am facing a strange issue. We have a site-to-site VPN with a 3rd party. We have Checkpoint, they have Sophos UTM. The tunnel is working in only one direction.

- Sophos >> Checkpoint - working fine
- Checkpoint >> Sophos - not working

The IkeView tool says Phase1 is ok, Phase2 is failing when Checkpoint initiates the tunnel. Only QM packet 1. After that I receive an error:

Notify Payload
Next Payload: NONE
Reserved: 0
Length: 00 0c (12)
DOI: 00 00 00 01 (1)
ProtID: 1
SPI Size: 0
Notify Type: 18 (INVALID-ID-INFORMATION)

I also noticed this in VPNd.ELG:

[] vpn_ipsec_spi_notify: spi 0, 127.0.0.1, peer x.x.x.x, proto 50, my range 172.16.16.0-172.16.16.255, peer range 192.168.203.0-192.168.203.255,

However in the dashboard I have:
My encryption domain: 172.16.16.0/24
Interoperable device encryption domain: 192.168.200.0/22

From the CLI I am getting the correct enc. domain:

5:04:09 x.x.x.x > :(+);From:192.168.200.0;,To:192.168.203.255;CPTFMT_sep:;;Peer:x.x.x.x;,allowed_peers_table_id:0;,gw_conf:0;,community_id:5;,subnet_support:1;,from:192.168.200.0;,to:192.168.203.255;product:VPN-1 & FireWall-1;product_family:Network

Any ideas/hints on what to check or change to get this working? Thanks indeed.
Rodrigo_Silva
Rodrigo_Silva inside General Topics 9 hours ago
views 108 2

curl: (60) SSL certificate problem: unable to get local issuer certificate

Hi,

I have a problem with HTTPS Inspection to access a site. When I do a curl_cli I get the error "curl: (60) SSL certificate problem: unable to get local issuer certificate".

In the dashboard the certificate exists, but when I look inside the bundle certificate via ssh I can't see the root certificate. I tried to insert the certificate by hand, and when I curl with the --cacert $CPDIR/conf/ca-bundle.crt parameter no error is displayed, but when I curl without specifying the path, which should take the default path, I get the same error.

Does anyone have any ideas how to resolve this error?
Yifat_Chen
Yifat_Chen inside General Topics 10 hours ago
views 38
Employee+

R80.10 Jumbo Hotfix Accumulator - New Ongoing Take 249

A new Ongoing Jumbo Hotfix Accumulator take for R80.10 (take 249) is available. Please refer to sk163473.

Release Highlights:
- The Gaia restore of Multi-Domain Server fails when using Take 245 of R80.10 Jumbo Hotfix Accumulator. Refer to sk163473.
- In some scenarios, Gaia restore on Multi-Domain Server fails with error "failed to edit update registry". Refer to sk163312.
- PRJ-6781 - Using R80.10 management to manage R80.30 Cluster may lead to a split brain scenario and traffic loss on the Security gateway side.

Please note the following:
- The new release is mentioned in the JHF sk163312.
- The new release will be published via CPUSE as a recommended version when it becomes GA.

Availability:
- Will be provided by customer support
- Available for download via CPUSE by using package identifier.

Thanks,
Release Management Group
jijotms0511
jijotms0511 inside General Topics 11 hours ago
views 121 4

ISP Redundancy with PBR

Hi All,

Can anyone advise if Checkpoint R80.20 can support ISP redundancy with PBR (PBR is presently configured to connect 2 links for wifi users)? Currently ISP redundancy for the main traffic is not configured in the setup, and we want to achieve it now. Can anyone advise?

Thanks,
Jijo
Tommy_Forrest
Tommy_Forrest inside General Topics yesterday
views 110 4

Pushing policy destroys Skype calls

Does anyone else have issues where, when they push policy to their internet edge gateway, Skype calls are utterly destroyed for a solid 30-90 seconds?

We have a 3 node cluster in HA mode running on 15600 gateways with 80.10 (our 80.30 migration starts in December). CPUs average around 30% at peak during the day. Connection Persistence is configured for "Keep all connections".

It does not matter the time of day (or load) when policy is pushed. We can push it at 4am and it will disrupt Skype calls.

What is the solution for this? Aside from only pushing policy after hours (which will be an enormous burden to my team).
Di_Junior
Di_Junior inside General Topics yesterday
views 91 2

Publishing a service with multiple DNS records associated with a Single Public IP using Check Point

Dear Mates,

We wish to migrate one of our critical services from TMG to Check Point. Most of the services have already been migrated except this one last service.

Currently, the service has 4 DNS records associated with a single Public IP; the public IP is then NATed internally to a private IP of the TMG Proxy. Take into account that this service runs on three machines which were put into a pool of a single DNS record internally.

So the Proxy has a rule like:
Source: Any
Destination: DNS record (a single DNS record where all the machines were added)
Service: http, https
Action: Accept

How can we translate this configuration in Check Point? We are using R80.20.

Thanks in advance
Amir_Arama
Amir_Arama inside General Topics yesterday
views 125 4

Routing bug

So we have an R80.20 cluster on Gaia, with FW, VPN and IA enabled. CoreXL and SecureXL are also enabled.

A couple of days ago I added a new VLAN on an empty interface for a point-to-point link against a remote site FW, which is connected through a layer 2 line. So far so good. The FWs have a VPN STS with each other. No static routes on that line, only encrypted traffic. This GW actually connects HQ with all branches through the main ISP line on another interface.

Today we had downs at least 7 times between HQ and all branches; each downtime was for about 10-20 seconds, and it went back up by itself. After checking with fw monitor I discovered that instead of routing packets directed to branches through the main ISP line, the FW routed those packets through the new VLAN interface that I mentioned above, and this is why the packets never arrived at the destination.

I thought at first that maybe I had some duplicate routes, so I checked, and there is not a single route on this VLAN interface except of course the directly connected point-to-point network, which is in a completely different subnet.

The things that occurred today before it started: they went to this remote site to install PCs and printers etc., which I don't believe is relevant, and I did fwaccel off and back on on this GW.

In messages I got a lot of:
kernel: [fw4_1];fwconn_recover_old_conn: connection is accelerated - cannot set handler.
kernel: [fw4_1];fwconn_recover_old_conn: handler (322) VERIFICATION_HANDLER. dropping packet

and also a lot of these:
kernel: dst_release: dst:ffff8808147852c0 refcnt:-2

I have no idea what these messages mean. It was happening for around 2 hours randomly and stopped about when they left the remote site, which again I don't believe is related. To me it looks very much like a bug, but I'm not sure why it happens just now and why with this new VLAN specifically. fwaccel off didn't solve the issue right away, but I just read that in R80.20 it does not take effect on all connections as it did before.
Eric_Kiarie
Eric_Kiarie inside General Topics Tuesday
views 278 4

Web pages timing out after upgrade

Good Afternoon team,

I would like to inquire: I recently upgraded my firewall from an R77.30 13500 appliance to an R80.20 23000 appliance. Some websites like Zimbra email and some internal sites are timing out or are slow to open. What could be the issue that is causing my websites to time out or not be accessible?
ProxyOps
ProxyOps inside General Topics Tuesday
views 76

R80.40 - Identity Awareness Questions

Hello, we are looking forward to the upcoming changes for IA in R80.40. I have two questions about the new things for IA:

1. We are currently using the Identity Broker with a special R80.10 take. How can we migrate from this special R80.10 take to R80.40? Will the existing Identity Broker configuration persist with an in-place upgrade?
2. We faced many different issues with the MUH Agent in the past and we are looking forward to the upcoming improvements. Does somebody already have some insights about the mentioned "Enhancements" and "better scaling and compatibility" features?

Greetings
Niklas
sajin
sajin inside General Topics Tuesday
views 179 8

HTTPS INSPECTION SHA1 to SHA256

Hi,

I found that the Checkpoint HTTPS INSPECTION cert is SHA1 and, as it is outdated, we should move forward to SHA256. I followed sk115894, but when accessing, the browser is not trusting the certificate. Kindly help on resolving this issue.
humt
humt inside General Topics Tuesday
views 134 4

ISP Compromised - Everything become failure

My ISP has been compromised, and I have no idea what to do. The ISP was already compromised a few months back, but I thought my router was from a local company and therefore had such issues. But I was wrong. I have used another router and even a firewall. All became a waste for me. The firewall failed to stop it.

I have sent the report to Kaspersky, and Kaspersky says the problem is from the router side. When I search on Google, some developers say it is from the ISP side. I have formatted my system 3 times, reset the router, reset the firewall. All became failures.